
Fix Helm chart enableSecurity flag (#4537)

Fix Helm chart enableSecurity flag:

- Add parameter for whether to use v1alpha cert-manager CRDs, default off.
- Use self-signed Issuer only for the initial CA certificates, create a new
  Issuer that uses the generated CA certificate and use that for all the others
pull/4550/head
Andrew Garrett 2 years ago
committed by GitHub
parent
commit
abef448c51
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      k8s/charts/seaweedfs/templates/ca-cert.yaml
  2. 10
      k8s/charts/seaweedfs/templates/cert-caissuer.yaml
  3. 2
      k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
  4. 14
      k8s/charts/seaweedfs/templates/client-cert.yaml
  5. 14
      k8s/charts/seaweedfs/templates/filer-cert.yaml
  6. 14
      k8s/charts/seaweedfs/templates/master-cert.yaml
  7. 14
      k8s/charts/seaweedfs/templates/volume-cert.yaml
  8. 2
      k8s/charts/seaweedfs/values.yaml

2
k8s/charts/seaweedfs/templates/ca-cert.yaml

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ template "seaweedfs.name" . }}-ca-cert name: {{ template "seaweedfs.name" . }}-ca-cert
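Review bot: With `alphacrds` set to true the templated `apiVersion` renders as `cert-manager.io/v1alpha1`, which as far as I know cert-manager never served (the `cert-manager.io` group began at `v1alpha2`; `v1alpha1` existed only under the old `certmanager.k8s.io` group), so the opt-in path would probably be rejected by the API server. The same expression appears in cert-caissuer.yaml, cert-clusterissuer.yaml and the client, filer, master and volume certificate templates, and those four also switch to the v1 field names `subject.organizations` and `privateKey` unconditionally, so the flag changes the version string but not the schema. Either drop the switch and pin `apiVersion: cert-manager.io/v1`, or gate on `.Capabilities.APIVersions.Has "cert-manager.io/v1"` and render the field names that match. The rest of this Certificate's spec lies outside the hunk.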

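--- a/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
+++ b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.global.enableSecurity }}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Issuer
+metadata:
+name: {{ template "seaweedfs.name" . }}-ca-issuer
+namespace: {{ .Release.Namespace }}
+spec:
+ca:
+secretName: {{ template "seaweedfs.name" . }}-ca-cert
+{{- end }}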
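Review bot: This Issuer signs with whatever key sits in the `-ca-cert` Secret of the release namespace, and the template says nothing about what it depends on or who can use it. A CA issuer only becomes ready when that Secret holds a certificate issued with `isCA: true` and lives in the Issuer's own namespace; neither is visible in the ca-cert.yaml hunk, so both should be confirmed there. I would add a header comment such as `# CA issuer for the SeaweedFS component certs; needs <name>-ca-cert (isCA: true) in this namespace`. The chart docs should also state that any principal allowed to create Certificate objects or read Secrets in this namespace can obtain a certificate the components will trust, so RBAC on the namespace is part of the trust boundary.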

2
k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: {{ template "seaweedfs.name" . }}-clusterissuer name: {{ template "seaweedfs.name" . }}-clusterissuer
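Review bot: The bootstrap issuer stays a cluster-scoped `ClusterIssuer` although, going by the commit message, it now signs only the initial CA certificate. A cluster-scoped issuer can be referenced from every namespace, and two releases that render the same `seaweedfs.name` would presumably collide on the one object. If the CA Certificate is created in the release namespace, a namespaced issuer is enough: `kind: Issuer` plus `namespace: {{ .Release.Namespace }}` here, and `kind: Issuer` in the `issuerRef` of ca-cert.yaml. The issuer's spec is outside this hunk, so its self-signed nature is taken from the commit description rather than from visible lines.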

14
k8s/charts/seaweedfs/templates/client-cert.yaml

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ template "seaweedfs.name" . }}-client-cert name: {{ template "seaweedfs.name" . }}-client-cert
@ -7,10 +7,11 @@ metadata:
spec: spec:
secretName: {{ template "seaweedfs.name" . }}-client-cert secretName: {{ template "seaweedfs.name" . }}-client-cert
issuerRef: issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }} commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA" - "SeaweedFS CA"
dnsNames: dnsNames:
- '*.{{ .Release.Namespace }}' - '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }} - {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }} duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }} renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }} {{- end }}
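Review bot: `privateKey.algorithm` on the new side is filled from `.Values.certificates.keyAlgorithm`, the same value that used to feed the alpha `keyAlgorithm` field. As I recall the v1 API validates this field as one of `RSA`, `ECDSA` or `Ed25519`, while the alpha schema took lower-case names, so a default carried over unchanged would stop every component certificate from being issued. The `certificates:` block of values.yaml is not part of this diff, so its default should be checked. filer-cert.yaml, master-cert.yaml and volume-cert.yaml carry the identical change. A comment above `privateKey:` such as `# cert-manager v1: algorithm is RSA, ECDSA or Ed25519 (upper-case)` would save the next reader the lookup.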

14
k8s/charts/seaweedfs/templates/filer-cert.yaml

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ template "seaweedfs.name" . }}-filer-cert name: {{ template "seaweedfs.name" . }}-filer-cert
@ -7,10 +7,11 @@ metadata:
spec: spec:
secretName: {{ template "seaweedfs.name" . }}-filer-cert secretName: {{ template "seaweedfs.name" . }}-filer-cert
issuerRef: issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }} commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA" - "SeaweedFS CA"
dnsNames: dnsNames:
- '*.{{ .Release.Namespace }}' - '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }} - {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }} duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }} renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }} {{- end }}

14
k8s/charts/seaweedfs/templates/master-cert.yaml

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ template "seaweedfs.name" . }}-master-cert name: {{ template "seaweedfs.name" . }}-master-cert
@ -7,10 +7,11 @@ metadata:
spec: spec:
secretName: {{ template "seaweedfs.name" . }}-master-cert secretName: {{ template "seaweedfs.name" . }}-master-cert
issuerRef: issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }} commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA" - "SeaweedFS CA"
dnsNames: dnsNames:
- '*.{{ .Release.Namespace }}' - '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }} - {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }} duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }} renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }} {{- end }}

14
k8s/charts/seaweedfs/templates/volume-cert.yaml

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }} {{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ template "seaweedfs.name" . }}-volume-cert name: {{ template "seaweedfs.name" . }}-volume-cert
@ -7,10 +7,11 @@ metadata:
spec: spec:
secretName: {{ template "seaweedfs.name" . }}-volume-cert secretName: {{ template "seaweedfs.name" . }}-volume-cert
issuerRef: issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }} commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA" - "SeaweedFS CA"
dnsNames: dnsNames:
- '*.{{ .Release.Namespace }}' - '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }} - {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }} duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }} renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }} {{- end }}

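--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -9,6 +9,8 @@ global:
 restartPolicy: Always
 loggingLevel: 1
 enableSecurity: false
+certificates:
+alphacrds: false
 monitoring:
 enabled: false
 gatewayHost: null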
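Review bot: The new `alphacrds` key has no comment, and its name does not say which API version it selects or when it applies. A line above it such as `# render cert-manager resources with the alpha apiVersion instead of cert-manager.io/v1; only read when enableSecurity is true` would cover it. The nesting under `global:` is inferred from the hunk header and the `.Values.global.certificates.alphacrds` references in the templates, since indentation is lost on this page.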
