From abef448c518249d0e3b8042fc6ce8059e7004e5f Mon Sep 17 00:00:00 2001
From: Andrew Garrett
Date: Tue, 6 Jun 2023 05:38:49 +1000
Subject: [PATCH] Fix Helm chart enableSecurity flag (#4537)

Fix Helm chart enableSecurity flag:
- Add parameter for whether to use v1alpha cert-manager CRDs, default off.
- Use self-signed Issuer only for the initial CA certificates, create a new Issuer that uses the generated CA certificate and use that for all the others
---
 k8s/charts/seaweedfs/templates/ca-cert.yaml | 2 +-
 k8s/charts/seaweedfs/templates/cert-caissuer.yaml | 10 ++++++++++
 .../seaweedfs/templates/cert-clusterissuer.yaml | 2 +-
 k8s/charts/seaweedfs/templates/client-cert.yaml | 14 ++++++++------
 k8s/charts/seaweedfs/templates/filer-cert.yaml | 14 ++++++++------
 k8s/charts/seaweedfs/templates/master-cert.yaml | 14 ++++++++------
 k8s/charts/seaweedfs/templates/volume-cert.yaml | 14 ++++++++------
 k8s/charts/seaweedfs/values.yaml | 2 ++
 8 files changed, 46 insertions(+), 26 deletions(-)
 create mode 100644 k8s/charts/seaweedfs/templates/cert-caissuer.yaml

diff --git a/k8s/charts/seaweedfs/templates/ca-cert.yaml b/k8s/charts/seaweedfs/templates/ca-cert.yaml
index 056f01502..9b74db0b1 100644
--- a/k8s/charts/seaweedfs/templates/ca-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/ca-cert.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
   name: {{ template "seaweedfs.name" . }}-ca-cert
diff --git a/k8s/charts/seaweedfs/templates/cert-caissuer.yaml b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
new file mode 100644
index 000000000..864652393
--- /dev/null
+++ b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.global.enableSecurity }}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Issuer
+metadata:
+  name: {{ template "seaweedfs.name" . }}-ca-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  ca:
+    secretName: {{ template "seaweedfs.name" . }}-ca-cert
+{{- end }}
diff --git a/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml b/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
index d0bd42593..2604927db 100644
--- a/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
+++ b/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: ClusterIssuer
 metadata:
   name: {{ template "seaweedfs.name" . }}-clusterissuer
diff --git a/k8s/charts/seaweedfs/templates/client-cert.yaml b/k8s/charts/seaweedfs/templates/client-cert.yaml
index 4d27b5659..7960c3f8d 100644
--- a/k8s/charts/seaweedfs/templates/client-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/client-cert.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
   name: {{ template "seaweedfs.name" . }}-client-cert
@@ -7,10 +7,11 @@ metadata:
 spec:
   secretName: {{ template "seaweedfs.name" . }}-client-cert
   issuerRef:
-    name: {{ template "seaweedfs.name" . }}-clusterissuer
-    kind: ClusterIssuer
+    name: {{ template "seaweedfs.name" . }}-ca-issuer
+    kind: Issuer
   commonName: {{ .Values.certificates.commonName }}
-  organization:
+  subject:
+    organizations:
     - "SeaweedFS CA"
   dnsNames:
     - '*.{{ .Release.Namespace }}'
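Review bot: The new `-ca-issuer` signs every leaf certificate with whatever private key is stored in the `-ca-cert` Secret, so the Certificate in ca-cert.yaml must carry `isCA: true` and be created in the same namespace as this Issuer (cert-manager's CA issuer only reads Secrets from its own namespace); neither is visible in this diff, so please confirm both. It is also worth stating in the template that the CA private key now lives in a plain Secret in the release namespace, which makes `get secrets` on that namespace equivalent to the ability to mint certificates accepted by every SeaweedFS component — RBAC on that namespace is part of the trust boundary. A header comment such as `{{- /* Namespace-scoped CA Issuer backed by the self-signed <name>-ca-cert; the CA key is in that Secret, so restrict secret reads in this namespace. */ -}}` before the `apiVersion` line would make that explicit.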
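Review bot: All four leaf Certificates (client, filer, master, volume) now chain to the same `-ca-issuer` while still sharing one `commonName` from `.Values.certificates.commonName`, the same organization `SeaweedFS CA`, and the same wildcard SAN `*.{{ .Release.Namespace }}`, so the resulting identities are interchangeable: a key leaked from a volume pod authenticates as a master or filer to any peer that only validates the chain. The commit fixes the issuer but leaves this in place; if the SeaweedFS side can pin peers by name (its security config supports an allowed-commonName list, as far as I recall), per-role subjects such as `commonName: {{ .Values.certificates.commonName }}-client` in each template would let each role be restricted. Without that, a comment on the `commonName` line noting that all roles share one identity would at least document the assumption. The `spec` continues past line 17, outside this hunk.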
@@ -26,8 +27,9 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
-  keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
-  keySize: {{ .Values.certificates.keySize }}
+  privateKey:
+    algorithm: {{ .Values.certificates.keyAlgorithm }}
+    size: {{ .Values.certificates.keySize }}
   duration: {{ .Values.certificates.duration }}
   renewBefore: {{ .Values.certificates.renewBefore }}
 {{- end }}
diff --git a/k8s/charts/seaweedfs/templates/filer-cert.yaml b/k8s/charts/seaweedfs/templates/filer-cert.yaml
index 855183c54..3c3565d33 100644
--- a/k8s/charts/seaweedfs/templates/filer-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/filer-cert.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
   name: {{ template "seaweedfs.name" . }}-filer-cert
@@ -7,10 +7,11 @@ metadata:
 spec:
   secretName: {{ template "seaweedfs.name" . }}-filer-cert
   issuerRef:
-    name: {{ template "seaweedfs.name" . }}-clusterissuer
-    kind: ClusterIssuer
+    name: {{ template "seaweedfs.name" . }}-ca-issuer
+    kind: Issuer
   commonName: {{ .Values.certificates.commonName }}
-  organization:
+  subject:
+    organizations:
     - "SeaweedFS CA"
   dnsNames:
     - '*.{{ .Release.Namespace }}'
@@ -26,8 +27,9 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
-  keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
-  keySize: {{ .Values.certificates.keySize }}
+  privateKey:
+    algorithm: {{ .Values.certificates.keyAlgorithm }}
+    size: {{ .Values.certificates.keySize }}
   duration: {{ .Values.certificates.duration }}
   renewBefore: {{ .Values.certificates.renewBefore }}
 {{- end }}
diff --git a/k8s/charts/seaweedfs/templates/master-cert.yaml b/k8s/charts/seaweedfs/templates/master-cert.yaml
index a8b0fc1d1..1377ccda4 100644
--- a/k8s/charts/seaweedfs/templates/master-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/master-cert.yaml
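Review bot: The new `privateKey` stanza sets only `algorithm` and `size`; in the v1 API the `rotationPolicy` field defaults to `Never` (as far as I recall), so every renewal driven by `duration`/`renewBefore` re-signs the same private key for the lifetime of the Secret and a leaked key stays usable across renewals. Add `rotationPolicy: Always` as a third line under `privateKey:`, and apply the same to the filer, master and volume templates touched by this commit. `keyAlgorithm`/`keySize` are read from values.yaml outside this diff; the v1 schema accepts `RSA`, `ECDSA` or `Ed25519` and rejects RSA sizes below 2048, so the chart defaults should be checked against that before the chart is published.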
@@ -1,5 +1,5 @@
 {{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
   name: {{ template "seaweedfs.name" . }}-master-cert
@@ -7,10 +7,11 @@ metadata:
 spec:
   secretName: {{ template "seaweedfs.name" . }}-master-cert
   issuerRef:
-    name: {{ template "seaweedfs.name" . }}-clusterissuer
-    kind: ClusterIssuer
+    name: {{ template "seaweedfs.name" . }}-ca-issuer
+    kind: Issuer
   commonName: {{ .Values.certificates.commonName }}
-  organization:
+  subject:
+    organizations:
     - "SeaweedFS CA"
   dnsNames:
     - '*.{{ .Release.Namespace }}'
@@ -26,8 +27,9 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
-  keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
-  keySize: {{ .Values.certificates.keySize }}
+  privateKey:
+    algorithm: {{ .Values.certificates.keyAlgorithm }}
+    size: {{ .Values.certificates.keySize }}
   duration: {{ .Values.certificates.duration }}
   renewBefore: {{ .Values.certificates.renewBefore }}
 {{- end }}
diff --git a/k8s/charts/seaweedfs/templates/volume-cert.yaml b/k8s/charts/seaweedfs/templates/volume-cert.yaml
index 72c62a0f5..4167867b1 100644
--- a/k8s/charts/seaweedfs/templates/volume-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/volume-cert.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
   name: {{ template "seaweedfs.name" . }}-volume-cert
@@ -7,10 +7,11 @@ metadata:
 spec:
   secretName: {{ template "seaweedfs.name" . }}-volume-cert
   issuerRef:
-    name: {{ template "seaweedfs.name" . }}-clusterissuer
-    kind: ClusterIssuer
+    name: {{ template "seaweedfs.name" . }}-ca-issuer
+    kind: Issuer
   commonName: {{ .Values.certificates.commonName }}
-  organization:
+  subject:
+    organizations:
     - "SeaweedFS CA"
   dnsNames:
     - '*.{{ .Release.Namespace }}'
@@ -26,8 +27,9 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
-  keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
-  keySize: {{ .Values.certificates.keySize }}
+  privateKey:
+    algorithm: {{ .Values.certificates.keyAlgorithm }}
+    size: {{ .Values.certificates.keySize }}
   duration: {{ .Values.certificates.duration }}
   renewBefore: {{ .Values.certificates.renewBefore }}
 {{- end }}
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index 4a9638d31..05bdf4f69 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -9,6 +9,8 @@ global:
   restartPolicy: Always
   loggingLevel: 1
   enableSecurity: false
+  certificates:
+    alphacrds: false
   monitoring:
     enabled: false
     gatewayHost: null
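Review bot: `alphacrds` is added without any comment, and when set to true the templates render `apiVersion: cert-manager.io/v1alpha1` while keeping v1-shaped fields (`privateKey`, `subject.organizations`); as far as I recall the alpha versions in the `cert-manager.io` group began at `v1alpha2` and used the `keyAlgorithm`/`keySize`/`organization` names this commit removes, so the true path likely fails at apply time rather than degrading gracefully. At minimum document the intent and the caveat above the key: `# Render cert-manager.io/v1alpha1 instead of v1 for clusters still serving the alpha CRDs; the templates use v1 field names, so verify against your cert-manager version before enabling.` If the combination cannot be validated against a real cert-manager release, dropping the flag is safer than shipping an untested code path, and the templates should then guard the lookup with a default so a user overriding `global.certificates` without this key does not hit a nil-pointer template error.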