Fix Helm chart enableSecurity flag (#4537 )
Fix Helm chart enableSecurity flag:
- Add parameter for whether to use v1alpha cert-manager CRDs, default off.
- Use the self-signed Issuer only for the initial CA certificates, and create a new
Issuer that uses the generated CA certificate for all the others
Andrew Garrett
2 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with
46 additions and
26 deletions
k8s/charts/seaweedfs/templates/ca-cert.yaml
k8s/charts/seaweedfs/templates/cert-caissuer.yaml
k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
k8s/charts/seaweedfs/templates/client-cert.yaml
k8s/charts/seaweedfs/templates/filer-cert.yaml
k8s/charts/seaweedfs/templates/master-cert.yaml
k8s/charts/seaweedfs/templates/volume-cert.yaml
k8s/charts/seaweedfs/values.yaml
@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
{{- if .Values.global.enableSecurity }}
apiVersion : certmanager.k8s. io/v1alpha1
apiVersion : cert- manager.io/v1{{ if .Values.global.certificates.alphacrds }} alpha1{{ end }}
kind : Certificate
kind : Certificate
metadata:
metadata:
name : {{ template "seaweedfs.name" . }}-ca-cert
name : {{ template "seaweedfs.name" . }}-ca-cert
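Review bot: The alpha branch of the new apiVersion expression renders `cert-manager.io/v1alpha1`, which as far as I can tell no cert-manager release has served: `v1alpha1` existed only in the `certmanager.k8s.io` group this line drops, and the pre-1.0 versions of the `cert-manager.io` group were `v1alpha2`, `v1alpha3` and `v1beta1`. The same expression is repeated in cert-caissuer.yaml, cert-clusterissuer.yaml and the first hunk of client-cert.yaml, filer-cert.yaml, master-cert.yaml and volume-cert.yaml, so with `alphacrds: true` every one of these resources would likely be rejected by the API server rather than installed. The leaf templates also switch to v1 field names (`subject`, `privateKey`), which the alpha schemas would not accept, so the flag cannot work as a pure version toggle; either drop it, or take the version from a value holding a complete served version, `apiVersion: cert-manager.io/{{ .Values.global.certificates.apiVersion | default "v1" }}`, and verify the result with `kubectl api-versions` on the target cluster. The Certificate spec this file continues with lies outside the hunk.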
@ -0,0 +1,10 @@
{{- if .Values.global.enableSecurity }}
apiVersion : cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind : Issuer
metadata:
name : {{ template "seaweedfs.name" . }}-ca-issuer
namespace : {{ .Release.Namespace }}
spec:
ca:
secretName : {{ template "seaweedfs.name" . }}-ca-cert
{{- end }}
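Review bot: The new Issuer carries no comment explaining its role, and a CA Issuer only works if the Secret named in `ca.secretName` exists in the same namespace and holds a CA certificate, i.e. the `-ca-cert` Certificate is marked `isCA: true`; neither that Certificate's namespace nor its spec is visible in this diff, so please confirm both. Suggest a header comment after the guard: `# Namespaced CA issuer: signs the component certificates with the CA that the self-signed ClusterIssuer issues into the -ca-cert Secret.` It is worth adding to that comment that the CA private key is stored in that Secret in the release namespace, so Secret read access there is equivalent to being able to mint certificates every component trusts. The apiVersion expression on the second line shares the problem raised on ca-cert.yaml.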
@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
{{- if .Values.global.enableSecurity }}
apiVersion : certmanager.k8s. io/v1alpha1
apiVersion : cert- manager.io/v1{{ if .Values.global.certificates.alphacrds }} alpha1{{ end }}
kind : ClusterIssuer
kind : ClusterIssuer
metadata:
metadata:
name : {{ template "seaweedfs.name" . }}-clusterissuer
name : {{ template "seaweedfs.name" . }}-clusterissuer
@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
{{- if .Values.global.enableSecurity }}
apiVersion : certmanager.k8s. io/v1alpha1
apiVersion : cert- manager.io/v1{{ if .Values.global.certificates.alphacrds }} alpha1{{ end }}
kind : Certificate
kind : Certificate
metadata:
metadata:
name : {{ template "seaweedfs.name" . }}-client-cert
name : {{ template "seaweedfs.name" . }}-client-cert
@ -7,10 +7,11 @@ metadata:
spec:
spec:
secretName : {{ template "seaweedfs.name" . }}-client-cert
secretName : {{ template "seaweedfs.name" . }}-client-cert
issuerRef:
issuerRef:
name : {{ template "seaweedfs.name" . }}-cluster issuer
kind : Cluster Issuer
name : {{ template "seaweedfs.name" . }}-ca- issuer
kind : Issuer
commonName : {{ .Values.certificates.commonName }}
commonName : {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
- "SeaweedFS CA"
dnsNames:
dnsNames:
- '*.{{ .Release.Namespace }}'
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
keyAlgorithm : {{ .Values.certificates.keyAlgorithm }}
keySize : {{ .Values.certificates.keySize }}
privateKey:
algorithm : {{ .Values.certificates.keyAlgorithm }}
size : {{ .Values.certificates.keySize }}
duration : {{ .Values.certificates.duration }}
duration : {{ .Values.certificates.duration }}
renewBefore : {{ .Values.certificates.renewBefore }}
renewBefore : {{ .Values.certificates.renewBefore }}
{{- end }}
{{- end }}
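Review bot: The second hunk's `issuerRef` now points at a namespaced `Issuer`, which cert-manager resolves in the Certificate's own namespace, yet the metadata hunk shows only `name`; if these Certificates carry no explicit `namespace` they land next to the new Issuer only because Helm installs them into the release namespace, so an explicit `namespace: {{ .Release.Namespace }}` matching cert-caissuer.yaml, or a comment saying the two must share a namespace, would make the coupling visible. On style, this spec is now duplicated with only the name differing in filer-cert.yaml, master-cert.yaml and volume-cert.yaml, and this commit had to patch the `issuerRef`, `subject` and `privateKey` stanzas four times over; a named template (`define`) taking the component name would leave one place to keep in sync. The spec mapping continues between the two hunks and past the second one.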
@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
{{- if .Values.global.enableSecurity }}
apiVersion : certmanager.k8s. io/v1alpha1
apiVersion : cert- manager.io/v1{{ if .Values.global.certificates.alphacrds }} alpha1{{ end }}
kind : Certificate
kind : Certificate
metadata:
metadata:
name : {{ template "seaweedfs.name" . }}-filer-cert
name : {{ template "seaweedfs.name" . }}-filer-cert
@ -7,10 +7,11 @@ metadata:
spec:
spec:
secretName : {{ template "seaweedfs.name" . }}-filer-cert
secretName : {{ template "seaweedfs.name" . }}-filer-cert
issuerRef:
issuerRef:
name : {{ template "seaweedfs.name" . }}-cluster issuer
kind : Cluster Issuer
name : {{ template "seaweedfs.name" . }}-ca- issuer
kind : Issuer
commonName : {{ .Values.certificates.commonName }}
commonName : {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
- "SeaweedFS CA"
dnsNames:
dnsNames:
- '*.{{ .Release.Namespace }}'
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
keyAlgorithm : {{ .Values.certificates.keyAlgorithm }}
keySize : {{ .Values.certificates.keySize }}
privateKey:
algorithm : {{ .Values.certificates.keyAlgorithm }}
size : {{ .Values.certificates.keySize }}
duration : {{ .Values.certificates.duration }}
duration : {{ .Values.certificates.duration }}
renewBefore : {{ .Values.certificates.renewBefore }}
renewBefore : {{ .Values.certificates.renewBefore }}
{{- end }}
{{- end }}
@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
{{- if .Values.global.enableSecurity }}
apiVersion : certmanager.k8s. io/v1alpha1
apiVersion : cert- manager.io/v1{{ if .Values.global.certificates.alphacrds }} alpha1{{ end }}
kind : Certificate
kind : Certificate
metadata:
metadata:
name : {{ template "seaweedfs.name" . }}-master-cert
name : {{ template "seaweedfs.name" . }}-master-cert
@ -7,10 +7,11 @@ metadata:
spec:
spec:
secretName : {{ template "seaweedfs.name" . }}-master-cert
secretName : {{ template "seaweedfs.name" . }}-master-cert
issuerRef:
issuerRef:
name : {{ template "seaweedfs.name" . }}-cluster issuer
kind : Cluster Issuer
name : {{ template "seaweedfs.name" . }}-ca- issuer
kind : Issuer
commonName : {{ .Values.certificates.commonName }}
commonName : {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
- "SeaweedFS CA"
dnsNames:
dnsNames:
- '*.{{ .Release.Namespace }}'
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
keyAlgorithm : {{ .Values.certificates.keyAlgorithm }}
keySize : {{ .Values.certificates.keySize }}
privateKey:
algorithm : {{ .Values.certificates.keyAlgorithm }}
size : {{ .Values.certificates.keySize }}
duration : {{ .Values.certificates.duration }}
duration : {{ .Values.certificates.duration }}
renewBefore : {{ .Values.certificates.renewBefore }}
renewBefore : {{ .Values.certificates.renewBefore }}
{{- end }}
{{- end }}
@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
{{- if .Values.global.enableSecurity }}
apiVersion : certmanager.k8s. io/v1alpha1
apiVersion : cert- manager.io/v1{{ if .Values.global.certificates.alphacrds }} alpha1{{ end }}
kind : Certificate
kind : Certificate
metadata:
metadata:
name : {{ template "seaweedfs.name" . }}-volume-cert
name : {{ template "seaweedfs.name" . }}-volume-cert
@ -7,10 +7,11 @@ metadata:
spec:
spec:
secretName : {{ template "seaweedfs.name" . }}-volume-cert
secretName : {{ template "seaweedfs.name" . }}-volume-cert
issuerRef:
issuerRef:
name : {{ template "seaweedfs.name" . }}-cluster issuer
kind : Cluster Issuer
name : {{ template "seaweedfs.name" . }}-ca- issuer
kind : Issuer
commonName : {{ .Values.certificates.commonName }}
commonName : {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
- "SeaweedFS CA"
dnsNames:
dnsNames:
- '*.{{ .Release.Namespace }}'
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
keyAlgorithm : {{ .Values.certificates.keyAlgorithm }}
keySize : {{ .Values.certificates.keySize }}
privateKey:
algorithm : {{ .Values.certificates.keyAlgorithm }}
size : {{ .Values.certificates.keySize }}
duration : {{ .Values.certificates.duration }}
duration : {{ .Values.certificates.duration }}
renewBefore : {{ .Values.certificates.renewBefore }}
renewBefore : {{ .Values.certificates.renewBefore }}
{{- end }}
{{- end }}
@ -9,6 +9,8 @@ global:
restartPolicy : Always
restartPolicy : Always
loggingLevel : 1
loggingLevel : 1
enableSecurity : false
enableSecurity : false
certificates:
alphacrds : false
monitoring:
monitoring:
enabled : false
enabled : false
gatewayHost : null
gatewayHost : null
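Review bot: The new `alphacrds` value is undocumented and is the only certificate setting placed under `global.certificates`, while the templates read `commonName`, `keyAlgorithm`, `keySize`, `duration` and `renewBefore` from top-level `.Values.certificates`; it also breaks the file's camelCase convention (`enableSecurity`, `loggingLevel`, `gatewayHost`). Since the key is introduced by this commit, renaming is still free: `alphaCrds: false` with a comment above it, `# true renders the cert-manager Certificate/Issuer resources with apiVersion cert-manager.io/v1alpha1 instead of cert-manager.io/v1`, or move it beside the other certificate settings. Whatever the final name, the templates must change in step, since they dereference `.Values.global.certificates.alphacrds` in seven places.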