diff --git a/library/common-test/tests/cert/cert_test.yaml b/library/common-test/tests/cert/cert_test.yaml
new file mode 100644
index 0000000000..1ca8367238
--- /dev/null
+++ b/library/common-test/tests/cert/cert_test.yaml
@@ -0,0 +1,150 @@
+suite: certificate dict test
+templates:
+ - common.yaml
+tests:
+ - it: should fail with no ixCertificates key
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ asserts:
+ - failedTemplate:
+ errorMessage: Key does not exist
+
+ - it: should fail with empty ixCertificates key
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ # Simulating middleware injection
+ ixCertificates: {}
+ asserts:
+ - failedTemplate:
+ errorMessage: Key is empty
+
+ - it: should fail with cert that don't exist
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ # Simulating middleware injection
+ ixCertificates:
+ "2":
+ certificate: cert_content
+ asserts:
+ - failedTemplate:
+ errorMessage: Certificate (1) was not found.
+
+ - it: should fail with expired cert
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ # Simulating middleware injection
+ ixCertificates:
+ "1":
+ certificate: cert_content
+ expired: true
+ asserts:
+ - failedTemplate:
+ errorMessage: Certificate (1) is expired
+
+ - it: should fail with revoked cert
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ # Simulating middleware injection
+ ixCertificates:
+ "1":
+ certificate: cert_content
+ revoked: true
+ asserts:
+ - failedTemplate:
+ errorMessage: Certificate (1) has been revoked
+
+ - it: should pass with 1 secret created
+ documentIndex: &secretDoc 0
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ # Simulating middleware injection
+ ixCertificates:
+ "1":
+ certificate: cert_content
+ privatekey: some_key
+ asserts:
+ - isKind:
+ of: Secret
+ - isAPIVersion:
+ of: v1
+ - equal:
+ path: type
+ value: kubernetes.io/tls
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-common-test-cert_name-ixcert-1-0
+ - isNotEmpty:
+ path: data.tls\.crt
+ - isNotEmpty:
+ path: data.tls\.key
+
+ - it: should pass with 1 secret created and revision increased
+ documentIndex: *secretDoc
+ release:
+ revision: 1
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ # Simulating middleware injection
+ ixCertificates:
+ "1":
+ certificate: cert_content
+ privatekey: some_key
+ asserts:
+ - isKind:
+ of: Secret
+ - isAPIVersion:
+ of: v1
+ - equal:
+ path: type
+ value: kubernetes.io/tls
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-common-test-cert_name-ixcert-1-1
+ - isNotEmpty:
+ path: data.tls\.crt
+ - isNotEmpty:
+ path: data.tls\.key
+
+ - it: should pass with 1 secret created and revision increased and name overriden
+ documentIndex: *secretDoc
+ release:
+ revision: 1
+ set:
+ scaleCerts:
+ cert_name:
+ id: 1
+ nameOverride: name_override
+ # Simulating middleware injection
+ ixCertificates:
+ "1":
+ certificate: cert_content
+ privatekey: some_key
+ asserts:
+ - isKind:
+ of: Secret
+ - isAPIVersion:
+ of: v1
+ - equal:
+ path: type
+ value: kubernetes.io/tls
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-common-test-name_override-ixcert-1-1
+ - isNotEmpty:
+ path: data.tls\.crt
+ - isNotEmpty:
+ path: data.tls\.key
diff --git a/library/common/1.0.0/templates/class/_certifcate.tpl b/library/common/1.0.0/templates/class/_certifcate.tpl
index eb65fab995..6f7381e4a5 100644
--- a/library/common/1.0.0/templates/class/_certifcate.tpl
+++ b/library/common/1.0.0/templates/class/_certifcate.tpl
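Review bot: The asserted names `RELEASE-NAME-common-test-cert_name-ixcert-1-0` and `RELEASE-NAME-common-test-name_override-ixcert-1-1` contain underscores, which Kubernetes rejects in a Secret's metadata.name (DNS-1123 subdomain: lowercase alphanumerics, `-` and `.`), so the last three tests pin a rendering the API server would refuse; either switch the fixtures to `cert-name`/`name-override` or have the template sanitize the name and assert on the sanitized form. None of the new behaviour in this commit is covered: there is no case with `useRevoked: true` or `useExpired: true` on the cert item, none for `global.defaults.useRevokedCerts`/`useExpiredCerts`, and none for `scaleCertsList`, so a regression that silently skips the revocation or expiry check would pass this suite. I would add a case asserting that a revoked cert with `useRevoked: true` renders a Secret, one asserting the global default alone does the same, and one asserting that a `scaleCertsList` item without `name` fails with `Name is required`.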
@@ -1,9 +1,35 @@
 {{- define "ix.v1.common.class.certificate" -}}
- {{- $secretName := .secretName -}}
- {{- $certID := .certID -}}
+ {{- $cert := .cert -}}
 {{- $root := .root -}}
- {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) }}
+ {{- if not (hasKey $cert "id") -}}
+ {{- fail (printf "Certificate (%s) has no key" $cert.nameOverride) -}}
+ {{- end -}}
+ {{- $certID := (toString $cert.id) -}}
+
+ {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) -}}
+ {{/* Generate secret name here so we can pass it to persistence if needed */}}
+ {{- $secretName := include "ix.v1.common.names.fullname" $root -}}
+ {{- if $cert.nameOverride -}}
+ {{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
+ {{- else -}}
+ {{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
+ {{- end -}}
+ {{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
+
+ {{- if (hasKey $cert "certPath") -}}
+ {{- if $cert.certPath -}}
+ {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
+ {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (hasKey $cert "keyPath") -}}
+ {{- if $cert.keyPath -}}
+ {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
+ {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
+ {{- end -}}
+ {{- end }}
 ---
 apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" . }}
 kind: Secret
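Review bot: The guard `{{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) -}}` tests the helper's rendered text for truthiness, whereas `ix.v1.common.certificate.get` in lib/certificate/_cert.tpl compares it with `eq (include ...) "true"`; any non-empty output such as `false` is truthy here, so the two call sites can disagree on whether a certificate exists, and this one should use the same `eq ... "true"` form. `$secretName` is built from `$cert.nameOverride` unsanitized, so an override outside the DNS-1123 character set (the new test fixtures use `cert_name` and `name_override`) produces a Secret name the API server rejects; either reject it with `fail` here or document the constraint next to `nameOverride` in values.yaml. Two smaller points: the message `Certificate (%s) has no key` describes a missing `id`, and the second FIXME block, under `keyPath`, still says "to the certPath". The define continues past this hunk into the next one.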
@@ -21,7 +47,7 @@ metadata:
 {{- . | nindent 4 }}
 {{- end }}
 data:
- tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "certID" $certID "key" "certificate") | toString | b64enc | quote }}
- tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "certID" $certID "key" "privatekey") | toString | b64enc | quote }}
+ tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
+ tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
 {{- end -}}
 {{- end -}}
diff --git a/library/common/1.0.0/templates/lib/certificate/_cert.tpl b/library/common/1.0.0/templates/lib/certificate/_cert.tpl
index 07d3ba7a37..b0b36a27c0 100644
--- a/library/common/1.0.0/templates/lib/certificate/_cert.tpl
+++ b/library/common/1.0.0/templates/lib/certificate/_cert.tpl
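Review bot: Both data entries encode whatever `ix.v1.common.certificate.get` returns, and the helper's handling of a missing or empty `privatekey` in the middleware entry lies outside the visible hunks; if it yields an empty string there, `toString | b64enc` produces an empty `tls.key` that, as far as I know, still passes the Secret type's key-presence check and only fails when the workload tries to use the certificate. Failing at render time is cheaper to diagnose: `tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | required "private key for this certificate is empty" | b64enc | quote }}`, with the same `required` on `tls.crt`. This hunk is the tail of the `ix.v1.common.class.certificate` define, which starts in the previous hunk.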
@@ -23,21 +23,36 @@ Returns any key (based on the .key value) Example keys (certificate, privatekey, expired, revoked) */}} {{- define "ix.v1.common.certificate.get" -}} - {{- $certID := .certID -}} + {{- $cert := .cert -}} {{- $root := .root -}} {{- $key := .key -}} + {{- $certID := (toString $cert.id) -}} + {{- $useRevoked := $root.Values.global.defaults.useRevokedCerts -}} + {{- $useExpired := $root.Values.global.defaults.useExpiredCerts -}} + + {{- if not $key -}} + {{- fail "You need to provide a when calling this template (certificate.get)" -}} + {{- end -}} {{- if eq (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) "true" -}} {{- $certificate := (get $root.Values.ixCertificates (toString $certID)) -}} + {{- if (hasKey $cert "useRevoked") -}} + {{- $useRevoked = $cert.useRevoked -}} + {{- end -}} + + {{- if (hasKey $cert "useExpired") -}} + {{- $useExpired = $cert.useExpired -}} + {{- end -}} + {{- if (hasKey $certificate "revoked") -}} - {{- if eq (get $certificate "revoked") true -}} + {{- if and (not $useRevoked) (eq (get $certificate "revoked") true) -}} {{- fail (printf "Certificate (%s) has been revoked" $certID) -}} {{- end -}} {{- end -}} {{- if (hasKey $certificate "expired") -}} - {{- if eq (get $certificate "expired") true -}} + {{- if and (not $useExpired) (eq (get $certificate "expired") true) -}} {{- fail (printf "Certificate (%s) is expired" $certID) -}} {{- end -}} {{- end -}} @@ -49,6 +64,6 @@ Example keys (certificate, privatekey, expired, revoked) {{- end -}} {{- else -}} - {{- fail (printf "Certificate (%s) did not found." $certID) -}} + {{- fail (printf "Certificate (%s) was not found." $certID) -}} {{- end -}} {{- end -}} diff --git a/library/common/1.0.0/templates/spawner/_certificate.tpl b/library/common/1.0.0/templates/spawner/_certificate.tpl index 732af59d8d..2513146cf9 100644 --- a/library/common/1.0.0/templates/spawner/_certificate.tpl +++ b/library/common/1.0.0/templates/spawner/_certificate.tpl 
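Review bot: `{{- $certID := (toString $cert.id) -}}` dereferences `.cert` before anything validates it, so a caller still passing the old `certID` argument, or a cert item without `id`, aborts with Helm's nil-pointer evaluation error instead of a readable message; mirror the guard the class template has, `{{- if not (hasKey $cert "id") -}}{{- fail "certificate.get needs a cert with an id" -}}{{- end -}}`, before the `toString`. The new fail message `You need to provide a when calling this template (certificate.get)` is missing the word `key`. The `useRevoked`/`useExpired` opt-outs make a certificate the middleware flagged as revoked or expired render straight into a Secret together with its private key; that is a deliberate escape hatch, but nothing documents it, so the header comment of this template (the `Example keys` line above the hunk) should list `useRevoked` and `useExpired` and state that they bypass the respective check. The second hunk's message fix is fine; the define ends there.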
@@ -7,44 +7,27 @@ instead of creating a secret it will return you the value of that key
 (if exists)
 */}}
 {{- define "ix.v1.common.spawner.certificate" -}}
- {{- $key := (default "" .key) -}}
 {{- $root := . -}}
 {{- range $name, $cert := .Values.scaleCerts -}}
- {{- if not (hasKey $cert "id") -}}
- {{- fail (printf "Certificate (%s) has no key" $name) -}}
- {{- end -}}
- {{- $certID := (toString $cert.id) -}}
+ {{- include "ix.v1.common.certificate.process" (dict "cert" $cert "name" $name "root" $root) -}}
+ {{- end -}}
- {{/* Default to $name if there is not a nameOverride given */}}
- {{- if not $cert.nameOverride -}}
- {{- $_ := set $cert "nameOverride" $name -}}
- {{- end -}}
-
- {{/* Generate secret name here so we can pass it to persistence if needed */}}
- {{- $secretName := include "ix.v1.common.names.fullname" $root -}}
- {{- if $cert.nameOverride -}}
- {{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
- {{- else -}}
- {{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
- {{- end -}}
- {{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
-
- {{/* Create the secret */}}
- {{- include "ix.v1.common.class.certificate" (dict "root" $root "certID" $certID "secretName" $secretName) -}}
-
- {{- if (hasKey $cert "certPath") -}}
- {{- if $cert.certPath -}}
- {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
- {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
- {{- end -}}
- {{- end -}}
-
- {{- if (hasKey $cert "keyPath") -}}
- {{- if $cert.keyPath -}}
- {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
- {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
- {{- end -}}
- {{- end -}}
+ {{- range $id, $cert := .Values.scaleCertsList -}}
+ {{- include "ix.v1.common.certificate.process" (dict "cert" $cert "name" (required "Name is required in scaleCertList" $cert.name) "root" $root) -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "ix.v1.common.certificate.process" -}}
+ {{- $name := .name -}}
+ {{- $cert := .cert -}}
+ {{- $root := .root -}}
+
+ {{/* Default to $name if there is not a nameOverride given */}}
+ {{- if not $cert.nameOverride -}}
+ {{- $_ := set $cert "nameOverride" $name -}}
+ {{- end -}}
+
+ {{/* Create the secret */}}
+ {{- include "ix.v1.common.class.certificate" (dict "cert" $cert "root" $root) -}}
+{{- end -}}
diff --git a/library/common/1.0.0/values.yaml b/library/common/1.0.0/values.yaml
index fc63763ab3..0042d0255b 100644
--- a/library/common/1.0.0/values.yaml
+++ b/library/common/1.0.0/values.yaml
@@ -117,9 +117,32 @@ ixExternalInterfacesConfigurationNames: []
 # - Everything bellow needs documentation
 scaleCerts: {}
+ # some_cert_name:
+ # # Override Name
+ # nameOverride: name_override
+ # # ID Comes from the definitions on the GUI
+ # id: 1
+ # # If populated, it will mount the certificate in the container in this path
+ # certPath:
+ # # If populated, it will mount the private key in the container in this path
+ # keyPath:
+ # useRevoked: false
+ # useExpired: false
+scaleCertsList: []
+ # - name: some_cert_name
+ # nameOverride: name_override
+ # id: 1
+ # certPath:
+ # keyPath:
+ # useRevoked: false
+ # useExpired: false
 global:
 defaults:
+ # If not defined on the the cert item, assume this
+ useRevokedCerts: false
+ # If not defined on the the cert item, assume this
+ useExpiredCerts: false
 # If no restart Policy is defined, assume this
 defaultRestartPolicy: Always
 # If no probe Type is defined, assume this
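Review bot: The `required` message on the `scaleCertsList` range reads `Name is required in scaleCertList`, but the values key is `scaleCertsList`, so the error sends users to a key that does not exist; change it to `(required "name is required on every scaleCertsList item" $cert.name)`. Both loops feed `ix.v1.common.certificate.process` with no check that the resulting names are distinct, so, as far as this hunk shows, a list item whose `name` equals a `scaleCerts` key (or two list items sharing a `name`) renders two Secrets with the same `metadata.name`; a short uniqueness check, or at least a comment stating that names must be unique across both values, would help. `certificate.process` keeps the old loop's `set $cert "nameOverride" $name`, which writes into the values map itself; a one-line comment saying the mutation is intended would stop the next reader from treating it as a bug.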
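Review bot: The two new comments `# If not defined on the the cert item, assume this` have a doubled "the" and do not say what the flag does; since `useRevokedCerts: true` (and likewise `useExpiredCerts: true`) switches off the revocation or expiry check in `ix.v1.common.certificate.get` unless the cert item sets its own `useRevoked`/`useExpired`, the comment should say so, e.g. `# Allow certificates the middleware reports as revoked (disables the revocation check); a cert item's useRevoked overrides this`. The commented examples `certPath:` and `keyPath:` show bare empty values, which parse as null once uncommented, so `certPath: ""` or a placeholder path would better illustrate that a string is expected. The same comment fix applies to both the `useRevokedCerts` and the `useExpiredCerts` line.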