Merge pull request #53 from ronaldmiranda/helm/add-cert-manager

mlbiam · web-flow · commit e24311ee69cf · 2024-09-15T10:42:58.000-04:00
[Helm] Add Possibility to handle cert-manager certificates
diff --git a/deploy/charts/kube-oidc-proxy/templates/secret_tls.yaml b/deploy/charts/kube-oidc-proxy/templates/secret_tls.yaml
@@ -1,9 +1,44 @@
-{{- if (not .Values.tls.secretName) }}
 {{ $fullname := include "kube-oidc-proxy.fullname" . }}
 {{ $ca := genCA (printf "%s-ca" $fullname) 3650 }}
 {{ $cn := printf "%s.%s.svc.cluster.local" $fullname .Release.Namespace }}
-{{ $server := genSignedCert $cn nil nil 365 $ca }}
+{{ $in := printf "%s-issuer" $fullname }}
 
+{{ if .Values.tls.certManager }}
+{{ if .Values.tls.selfSigned }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kube-oidc-proxy.fullname" . }}-issuer
+spec:
+  selfSigned: {}
+---
+{{ end }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-oidc-proxy.fullname" . }}-tls
+spec:
+  commonName: {{ template "kube-oidc-proxy.fullname" . }}-tls
+  dnsNames:
+    - {{ $cn }}
+  secretName: {{ template "kube-oidc-proxy.fullname" . }}-tls
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: {{ .Values.tls.issuerName | default $in }}
+{{ if .Values.tls.selfSigned }}
+  duration: 3650h0m0s
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  renewBefore: 24h0m0s
+  usages:
+    - server auth
+{{ end }}
+{{ else }}
+{{- if (not .Values.tls.secretName) }}
+{{ $server := genSignedCert $cn nil nil 365 $ca }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
@@ -15,3 +50,4 @@ data:
   tls.crt: {{ b64enc $server.Cert }}
   tls.key: {{ b64enc $server.Key }}
 {{ end }}
+{{ end }}
diff --git a/deploy/charts/kube-oidc-proxy/values.yaml b/deploy/charts/kube-oidc-proxy/values.yaml
@@ -28,6 +28,12 @@ tls:
   # `secretName` must be a name of Secret of TLS type. If not provided a
   # self-signed certificate will get generated.
   secretName:
+  # `certManager` if you have cert-manager in your cluster and dont want to manage manually
+  certManager: false
+  # `selfSigned` if you have cert-manager and perfer or not to use use default issuer or generate by using other issuer
+  selfSigned: true
+  # `issuerName` if `selfSigned` is false, you should add your own Issuer
+  issuerName:
 
 # These values needs to be set in overrides in order to get kube-oidc-proxy
 # working.
