diff --git a/library/common/1.0.0/templates/class/_certifcate.tpl b/library/common/1.0.0/templates/class/_certifcate.tpl
deleted file mode 100644
index bc080c7380..0000000000
--- a/library/common/1.0.0/templates/class/_certifcate.tpl
+++ /dev/null
@@ -1,99 +0,0 @@
-{{- define "ix.v1.common.class.certificate" -}}
- {{- $cert := .cert -}}
- {{- $root := .root -}}
- {{- $tlsCrtKey := "tls.crt" -}}
- {{- $tlsPrivateKey := "tls.key" -}}
-
- {{- if not (hasKey $cert "id") -}} {{/* This is something that should not happen when using this library */}}
- {{- fail (printf "Certificate (%s) has no key" $cert.nameOverride) -}}
- {{- end -}} {{/* It can only happen when consuing this function within this library */}}
- {{- $certID := (toString $cert.id) -}}
-
- {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) -}}
- {{/* Generate secret name here so we can pass it to persistence if needed */}}
- {{- $secretName := include "ix.v1.common.names.fullname" $root -}}
- {{- if $cert.nameOverride -}}
- {{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
- {{- else -}}
- {{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
- {{- end -}}
- {{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
-
- {{- if (hasKey $cert "cert") -}}
- {{/* Create the dict */}}
- {{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
-
- {{/* If cert is enabled */}}
- {{- if $cert.cert.enabled -}}
- {{/* And has a path... */}}
- {{- if $cert.cert.path -}}
-
- {{/* Append mountPath and subPath */}}
- {{- $_ := set $persistenceDict "mountPath" (tpl $cert.cert.path $root) -}}
- {{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}}
-
- {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
- {{- if (hasKey $cert.cert "readOnly") -}}
- {{- $_ := set $persistenceDict "readOnly" $cert.cert.readOnly -}}
- {{- end -}}
-
- {{/* Append defaultMode. Actual content validation will be done when volume(Mount) is created */}}
- {{- if (hasKey $cert.cert "defaultMode") -}}
- {{- $_ := set $persistenceDict "defaultMode" $cert.cert.defaultMode -}}
- {{- end -}}
-
- {{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
- {{- $_ := set $root.Values.persistence (printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
- {{- end -}}
- {{- end -}}
- {{- end -}}
-
- {{- if (hasKey $cert "key") -}}
- {{/* Create the dict */}}
- {{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
-
- {{/* If key is enabled */}}
- {{- if $cert.key.enabled -}}
- {{/* And has a path... */}}
- {{- if $cert.key.path -}}
-
- {{/* Append mountPath and subPath */}}
- {{- $_ := set $persistenceDict "mountPath" (tpl $cert.key.path $root) -}}
- {{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}}
-
- {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
- {{- if (hasKey $cert.key "readOnly") -}}
- {{- $_ := set $persistenceDict "readOnly" $cert.key.readOnly -}}
- {{- end -}}
-
- {{/* Append defaultMode if defined. Actual content validation will be done when volume(Mount) is created */}}
- {{- if (hasKey $cert.key "defaultMode") -}}
- {{- $_ := set $persistenceDict "defaultMode" $cert.key.defaultMode -}}
- {{- end -}}
-
- {{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
- {{- $_ := set $root.Values.persistence (printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
- {{- end -}}
- {{- end -}}
- {{- end }}
----
-apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" . }}
-kind: Secret
-type: {{ include "ix.v1.common.capabilities.secret.certificate.type" . }}
-metadata:
- name: {{ $secretName }}
- {{- $labels := (default dict (include "ix.v1.common.labels" $root | fromYaml)) -}}
- {{- with (include "ix.v1.common.util.labels.render" (dict "root" $root "labels" $labels) | trim) }}
- labels:
- {{- . | nindent 4 }}
- {{- end -}}
- {{- $annotations := (default dict (include "ix.v1.common.annotations" $root | fromYaml)) -}}
- {{- with (include "ix.v1.common.util.annotations.render" (dict "root" $root "annotations" $annotations) | trim) }}
- annotations:
- {{- . | nindent 4 }}
- {{- end }}
-data:
- {{ $tlsCrtKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
- {{ $tlsPrivateKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
- {{- end -}}
-{{- end -}}
diff --git a/library/common/1.0.0/templates/class/_imagePullSecrets.tpl b/library/common/1.0.0/templates/class/_imagePullSecrets.tpl
deleted file mode 100644
index 69190df4da..0000000000
--- a/library/common/1.0.0/templates/class/_imagePullSecrets.tpl
+++ /dev/null
@@ -1,59 +0,0 @@
-{{- define "ix.v1.common.class.imagePullSecret" -}}
- {{- $imgPullCreds := .imgPullCreds -}}
- {{- $root := .root -}}
-
- {{- if not $imgPullCreds.name -}}
- {{- fail " is required for Image Pull Secrets Credentials" -}}
- {{- end -}}
-
- {{- if not (mustRegexMatch "^[a-zA-Z0-9-]*$" $imgPullCreds.name) -}}
- {{- fail (printf " (%s) can only container this alphanumerical characters (- a-z A-Z 0-9)" $imgPullCreds.name) -}}
- {{- end -}}
-
- {{- $secretName := include "ix.v1.common.imagePullSecrets.name" (dict "root" $root "name" $imgPullCreds.name) -}}
- {{- $registrySecret := dict -}}
-
- {{- if not $imgPullCreds.contents -}}
- {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
- {{- end -}}
-
- {{- with $imgPullCreds.contents -}}
- {{- if not .username -}}
- {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
- {{- end -}}
- {{- if not .password -}}
- {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
- {{- end -}}
- {{- if not .registry -}}
- {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
- {{- end -}}
- {{- if not .email -}}
- {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
- {{- end -}}
-
- {{/* Auth is b64encoded and then the whole secret is b64encoded */}}
- {{- $auth := printf "%s:%s" .username .password | b64enc -}}
- {{- $registry := (dict "username" .username "password" .password "email" .email "auth" $auth) -}}
-
- {{- $_ := set $registrySecret "auths" dict -}}
- {{- $_ := set $registrySecret.auths (printf "%s" .registry) $registry }}
----
-apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" $root }}
-kind: Secret
-metadata:
- name: {{ $secretName }}
- {{- $labels := include "ix.v1.common.labels" $root | fromYaml -}}
- {{- with (include "ix.v1.common.util.labels.render" (dict "root" $root "labels" $labels) | trim) }}
- labels:
- {{- . | nindent 4 }}
- {{- end }}
- {{- $annotations := include "ix.v1.common.annotations" $root | fromYaml -}}
- {{- with (include "ix.v1.common.util.annotations.render" (dict "root" $root "annotations" $annotations) | trim) }}
- annotations:
- {{- . | nindent 4 }}
- {{- end }}
-type: {{ include "ix.v1.common.capabilities.secret.imagePullSecret.type" $root }}
-data:
- .dockerconfigjson: {{ $registrySecret | toJson | b64enc }}
- {{- end -}}
-{{- end -}}
diff --git a/library/common/1.0.0/templates/class/_portal.tpl b/library/common/1.0.0/templates/class/_portal.tpl
index e6a70a0057..e7dc494a68 100644
--- a/library/common/1.0.0/templates/class/_portal.tpl
+++ b/library/common/1.0.0/templates/class/_portal.tpl
@@ -36,6 +36,7 @@ data:
 {{- end -}}
 {{- end -}}
 {{/*
+TODO: Current "bugs", you can't disable per port portal, if port protocol is not HTTP or HTTPS, it will still create an HTTP portal.
diff --git a/library/common/1.0.0/templates/class/_secret.tpl b/library/common/1.0.0/templates/class/_secret.tpl
new file mode 100644
index 0000000000..eb348ebf58
--- /dev/null
+++ b/library/common/1.0.0/templates/class/_secret.tpl
@@ -0,0 +1,39 @@
+{{- define "ix.v1.common.class.secret" -}}
+ {{- $secretName := .secretName -}}
+ {{- $data := .data -}}
+ {{- $type := .type -}}
+ {{- $root := .root -}}
+ {{- $typeClass := "" -}}
+
+ {{- if eq $type "certificate" -}}
+ {{- $typeClass = (include "ix.v1.common.capabilities.secret.certificate.type" $root) -}}
+ {{- else if eq $type "pullSecret" -}}
+ {{- $typeClass = (include "ix.v1.common.capabilities.secret.imagePullSecret.type" $root) -}}
+ {{- else -}}
+ {{- $typeClass = "Opaque" -}}
+ {{- end }}
+---
+apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" $root }}
+kind: Secret
+type: {{ $typeClass }}
+metadata:
+ name: {{ $secretName }}
+ {{- $labels := (default dict (include "ix.v1.common.labels" $root | fromYaml)) -}}
+ {{- with (include "ix.v1.common.util.labels.render" (dict "root" $root "labels" $labels) | trim) }}
+ labels:
+ {{- . | nindent 4 }}
+ {{- end -}}
+ {{- $annotations := (default dict (include "ix.v1.common.annotations" $root | fromYaml)) -}}
+ {{- with (include "ix.v1.common.util.annotations.render" (dict "root" $root "annotations" $annotations) | trim) }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+data:
+ {{- if eq $type "pullSecret" }}
+ .dockerconfigjson: {{ $data | toJson | b64enc }}
+ {{- else if eq $type "certificate" -}}
+ {{- range $k, $v := $data }}
+ {{ $k }}: {{ $v | toString | b64enc }}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/library/common/1.0.0/templates/spawner/_certificate.tpl b/library/common/1.0.0/templates/spawner/_certificate.tpl
index 2513146cf9..ecbcacc64a 100644
--- a/library/common/1.0.0/templates/spawner/_certificate.tpl
+++ b/library/common/1.0.0/templates/spawner/_certificate.tpl
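Review bot: The `data:` block at the end of this hunk only renders entries for `pullSecret` and `certificate`; when `$type` falls through to the `Opaque` branch a few lines above, `$data` is silently discarded and the manifest ends with a bare `data:` (YAML null), so the new generic class cannot actually carry an opaque payload. The smallest fix is to let every non-pull-secret type take the map path by changing `{{- else if eq $type "certificate" -}}` to `{{- else -}}`; calling `fail` on an unknown `$type` would also be acceptable, but silently emitting an empty Secret is not. Note also that the deleted certificate class wrapped each value in `| quote`, whereas `{{ $k }}: {{ $v | toString | b64enc }}` here is unquoted, so an empty certificate or key value now renders as YAML null rather than `""`.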
@@ -1,11 +1,3 @@
-{{/*
-Call this from other templates to create a Secret/k8s.tls.
-Pass a "root" object and the "certID"
-(certID comes from Scale's GUI definitions)
-If you also pass a "key" when calling this spawner,
-instead of creating a secret it will return you the value
-of that key (if exists)
-*/}}
 {{- define "ix.v1.common.spawner.certificate" -}}
 {{- $root := . -}}
@@ -22,12 +14,91 @@ of that key (if exists)
 {{- $name := .name -}}
 {{- $cert := .cert -}}
 {{- $root := .root -}}
+ {{- $tlsCrtKey := "tls.crt" -}}
+ {{- $tlsPrivateKey := "tls.key" -}}
 {{/* Default to $name if there is not a nameOverride given */}}
 {{- if not $cert.nameOverride -}}
 {{- $_ := set $cert "nameOverride" $name -}}
 {{- end -}}
- {{/* Create the secret */}}
- {{- include "ix.v1.common.class.certificate" (dict "cert" $cert "root" $root) -}}
+ {{- if not (hasKey $cert "id") -}} {{/* This is something that should not happen when using this library */}}
+ {{- fail (printf "Certificate (%s) has no key" $cert.nameOverride) -}}
+ {{- end -}} {{/* It can only happen when consuing this function within this library */}}
+ {{- $certID := (toString $cert.id) -}}
+
+ {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) -}}
+ {{/* Generate secret name here so we can pass it to persistence if needed */}}
+ {{- $secretName := include "ix.v1.common.names.fullname" $root -}}
+ {{- if $cert.nameOverride -}}
+ {{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
+ {{- else -}}
+ {{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
+ {{- end -}}
+ {{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
+
+ {{- if (hasKey $cert "cert") -}}
+ {{/* Create the dict */}}
+ {{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
+
+ {{/* If cert is enabled */}}
+ {{- if $cert.cert.enabled -}}
+ {{/* And has a path... */}}
+ {{- if $cert.cert.path -}}
+
+ {{/* Append mountPath and subPath */}}
+ {{- $_ := set $persistenceDict "mountPath" (tpl $cert.cert.path $root) -}}
+ {{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}}
+
+ {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
+ {{- if (hasKey $cert.cert "readOnly") -}}
+ {{- $_ := set $persistenceDict "readOnly" $cert.cert.readOnly -}}
+ {{- end -}}
+
+ {{/* Append defaultMode. Actual content validation will be done when volume(Mount) is created */}}
+ {{- if (hasKey $cert.cert "defaultMode") -}}
+ {{- $_ := set $persistenceDict "defaultMode" $cert.cert.defaultMode -}}
+ {{- end -}}
+
+ {{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
+ {{- $_ := set $root.Values.persistence (printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (hasKey $cert "key") -}}
+ {{/* Create the dict */}}
+ {{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
+
+ {{/* If key is enabled */}}
+ {{- if $cert.key.enabled -}}
+ {{/* And has a path... */}}
+ {{- if $cert.key.path -}}
+
+ {{/* Append mountPath and subPath */}}
+ {{- $_ := set $persistenceDict "mountPath" (tpl $cert.key.path $root) -}}
+ {{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}}
+
+ {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
+ {{- if (hasKey $cert.key "readOnly") -}}
+ {{- $_ := set $persistenceDict "readOnly" $cert.key.readOnly -}}
+ {{- end -}}
+
+ {{/* Append defaultMode if defined. Actual content validation will be done when volume(Mount) is created */}}
+ {{- if (hasKey $cert.key "defaultMode") -}}
+ {{- $_ := set $persistenceDict "defaultMode" $cert.key.defaultMode -}}
+ {{- end -}}
+
+ {{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
+ {{- $_ := set $root.Values.persistence (printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+ {{- $certData := dict -}}
+ {{- $_ := set $certData $tlsCrtKey (include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate")) -}}
+ {{- $_ := set $certData $tlsPrivateKey (include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey")) -}}
+
+ {{/* Create the secret */}}
+ {{- include "ix.v1.common.class.secret" (dict "root" $root "secretName" $secretName "data" $certData "type" "certificate") -}}
+ {{- end -}}
 {{- end -}}
diff --git a/library/common/1.0.0/templates/spawner/_imagePullSecret.tpl b/library/common/1.0.0/templates/spawner/_imagePullSecret.tpl
index 480971c074..9a180fce00 100644
--- a/library/common/1.0.0/templates/spawner/_imagePullSecret.tpl
+++ b/library/common/1.0.0/templates/spawner/_imagePullSecret.tpl
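Review bot: The persistence keys `ix-certificate-cert-%s-%s` and `ix-certificate-key-%s-%s` are suffixed with `randAlphaNum 5 | lower`, so every render of the chart produces different keys; this makes `helm template` output non-reproducible and, if the key later becomes the volume name (the consumer of `$root.Values.persistence` is not in this hunk), churns the pod spec on every upgrade. Since `$certID` and `$name` are both in scope here, a deterministic suffix such as `(printf "ix-certificate-cert-%s-%s" $certID $name)` would also remove the collision risk the comment is trying to avoid, provided `$name` is unique within the spawner's loop, which begins before this hunk. Two smaller points: `fail (printf "Certificate (%s) has no key" $cert.nameOverride)` fires when `id` is missing, so `"Certificate (%s) has no id"` would describe the actual condition, and the comments misspell `consuming` and `randAlphaNum`.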
@@ -1,7 +1,46 @@
 {{- define "ix.v1.common.spawner.imagePullSecret" -}}
+ {{- $root := . -}}
 {{- range $idx, $imgPullCreds := .Values.imagePullCredentials -}}
 {{- if $imgPullCreds.enabled -}}
- {{- include "ix.v1.common.class.imagePullSecret" (dict "root" $ "imgPullCreds" $imgPullCreds ) -}}
+
+ {{- if not $imgPullCreds.name -}}
+ {{- fail " is required for Image Pull Secrets Credentials" -}}
+ {{- end -}}
+
+ {{- if not (mustRegexMatch "^[a-zA-Z0-9-]*$" $imgPullCreds.name) -}}
+ {{- fail (printf " (%s) can only container this alphanumerical characters (- a-z A-Z 0-9)" $imgPullCreds.name) -}}
+ {{- end -}}
+
+ {{- $secretName := include "ix.v1.common.imagePullSecrets.name" (dict "root" $root "name" $imgPullCreds.name) -}}
+ {{- $registrySecret := dict -}}
+
+ {{- if not $imgPullCreds.contents -}}
+ {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
+ {{- end -}}
+
+ {{- with $imgPullCreds.contents -}}
+ {{- if not .username -}}
+ {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
+ {{- end -}}
+ {{- if not .password -}}
+ {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
+ {{- end -}}
+ {{- if not .registry -}}
+ {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
+ {{- end -}}
+ {{- if not .email -}}
+ {{- fail (printf " is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
+ {{- end -}}
+
+ {{/* Auth is b64encoded and then the whole secret is b64encoded */}}
+ {{- $auth := printf "%s:%s" .username .password | b64enc -}}
+ {{- $registry := (dict "username" .username "password" .password "email" .email "auth" $auth) -}}
+
+ {{- $_ := set $registrySecret "auths" dict -}}
+ {{- $_ := set $registrySecret.auths (printf "%s" .registry) $registry -}}
+
+ {{- include "ix.v1.common.class.secret" (dict "root" $root "secretName" $secretName "data" $registrySecret "type" "pullSecret") -}}
+ {{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
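Review bot: The name validation `mustRegexMatch "^[a-zA-Z0-9-]*$"` accepts uppercase letters and leading or trailing hyphens, yet `$secretName` is built from that value and Kubernetes requires Secret names to be lowercase DNS-subdomain names; a value like `MyRegistry` therefore passes the template check and is rejected by the API server unless `ix.v1.common.imagePullSecrets.name` (outside this hunk) normalises it. Tightening the pattern to `"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$"` fails fast with the chart's own error message instead. While touching that line, `can only container this alphanumerical characters` should read `can only contain these characters`. The credential handling itself looks sound: `$auth` is `username:password` base64-encoded inside the `.dockerconfigjson` payload, which is the layout the kubelet reads, and none of the `fail` messages echo `.password`.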