Allow external secret for istio TLS certificates

This adopts the feature already available for the ingress for istio.

Change-Id: I776d59199686608f1ef8a2cfdc9b81bd9ee1074d
diff --git a/helm-charts/gerrit-replica/README.md b/helm-charts/gerrit-replica/README.md
index 38e1c0a..246ddce 100644
--- a/helm-charts/gerrit-replica/README.md
+++ b/helm-charts/gerrit-replica/README.md
@@ -179,14 +179,16 @@
 In the case istio is used, all configuration for ingresses in the chart will be
 ignored.
 
-| Parameter           | Description                                                               | Default                           |
-|---------------------|---------------------------------------------------------------------------|-----------------------------------|
-| `istio.enabled`     | Whether istio should be used (requires istio to be installed)             | `false`                           |
-| `istio.host`        | Hostname (CNAME must point to istio ingress gateway loadbalancer service) | `nil`                             |
-| `istio.tls.enabled` | Whether to enable TLS                                                     | `false`                           |
-| `istio.tls.cert`    | TLS certificate                                                           | `-----BEGIN CERTIFICATE-----`     |
-| `istio.tls.key`     | TLS key                                                                   | `-----BEGIN RSA PRIVATE KEY-----` |
-| `istio.ssh.enabled` | Whether to enable SSH                                                     | `false`                           |
+| Parameter                 | Description                                                               | Default                           |
+|---------------------------|---------------------------------------------------------------------------|-----------------------------------|
+| `istio.enabled`           | Whether istio should be used (requires istio to be installed)             | `false`                           |
+| `istio.host`              | Hostname (CNAME must point to istio ingress gateway loadbalancer service) | `nil`                             |
+| `istio.tls.enabled`       | Whether to enable TLS                                                     | `false`                           |
+| `istio.tls.secret.create` | Whether to create TLS certificate secret                                  | `true`                            |
+| `istio.tls.secret.name`   | Name of external secret containing TLS certificates                       | `nil`                             |
+| `istio.tls.cert`          | TLS certificate                                                           | `-----BEGIN CERTIFICATE-----`     |
+| `istio.tls.key`           | TLS key                                                                   | `-----BEGIN RSA PRIVATE KEY-----` |
+| `istio.ssh.enabled`       | Whether to enable SSH                                                     | `false`                           |
 
 ### Promtail Sidecar
 
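Review bot: The new `istio.tls.secret.name` row does not say that it is only read when `istio.tls.secret.create` is `false`, nor that the referenced secret has to use the keys `tls.crt` and `tls.key`; both conditions appear only in the values.yaml comments of this change. Consider adding them to the description column, and noting on the `istio.tls.cert` and `istio.tls.key` rows that they are only used when the chart creates the secret, so that a README reader does not put key material into values while also pointing at an external secret.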
diff --git a/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml b/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml
index 9a55e8b..1b8a631 100644
--- a/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml
+++ b/helm-charts/gerrit-replica/templates/istio.ingressgateway.yaml
@@ -1,5 +1,5 @@
 {{ if .Values.istio.enabled -}}
-{{ if .Values.istio.tls.enabled }}
+{{ if and .Values.istio.tls.enabled .Values.istio.tls.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -48,7 +48,11 @@
     - {{ .Values.istio.host }}
     tls:
       mode: SIMPLE
+      {{ if .Values.istio.tls.secret.create }}
       credentialName: {{ .Release.Name }}-istio-tls-secret
+      {{- else  }}
+      credentialName: {{ .Values.istio.tls.secret.name }}
+      {{- end }}
   {{- end }}
   {{ if .Values.istio.ssh.enabled }}
   - port:
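Review bot: In the `else` branch, `credentialName: {{ .Values.istio.tls.secret.name }}` renders an empty value when `create` is `false` and `name` is left at its default (values.yaml ships `name:` unset), so the gateway is rendered with `mode: SIMPLE` and no credential name. Wrapping the value in Helm's `required` function, for example `{{ required "istio.tls.secret.name must be set when istio.tls.secret.create is false" .Values.istio.tls.secret.name }}`, would make the template fail at render time instead. Minor style point: the opening `{{ if .Values.istio.tls.secret.create }}` does not trim whitespace while `{{- else  }}` and `{{- end }}` do, and `{{- else  }}` carries a double space.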
diff --git a/helm-charts/gerrit-replica/values.yaml b/helm-charts/gerrit-replica/values.yaml
index 262b984..d2df1e0 100644
--- a/helm-charts/gerrit-replica/values.yaml
+++ b/helm-charts/gerrit-replica/values.yaml
@@ -66,6 +66,16 @@
   host:
   tls:
     enabled: false
+    secret:
+      # If using an external secret, make sure to name the keys `tls.crt`
+      # and `tls.key`, respectively.
+      create: true
+      # `name` will only be used, if `create` is set to false to bind an
+      # existing secret. Otherwise the name will be automatically generated to
+      # avoid conflicts between multiple chart installations.
+      name:
+    # `cert`and `key` will only be used, if the secret will be created by
+    # this chart.
     cert: |-
       -----BEGIN CERTIFICATE-----
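Review bot: The comment about naming the keys `tls.crt` and `tls.key` sits directly above `create: true`, where it reads as documentation for `create`; it describes the external secret referenced by `name` and would be clearer merged into the `name` comment. Also, in the comment above `cert: |-`, "`cert`and `key`" is missing a space after `cert`.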