Add option to store TLS certificates in external secrets

The TLS certificates were stored in secrets managed by the helm charts.
This also required storing the certificate in the values.yaml file.
For some use cases it would be advantageous to manage the certificates
independently of helm, e.g. to not expose them in the values.yaml file
or to update them independently of helm.

This change adds an option to the gerrit and gerrit-replica helm
charts to give the name of an external secret containing the certificates
and to use this secret instead of creating one. The default continues to
be secrets created by helm.

Change-Id: I189550dea1edf737d32818a763f69a8e16ccb424
diff --git a/helm-charts/gerrit-replica/README.md b/helm-charts/gerrit-replica/README.md
index 14fa35f..5651c90 100644
--- a/helm-charts/gerrit-replica/README.md
+++ b/helm-charts/gerrit-replica/README.md
@@ -151,15 +151,19 @@
 | `gitBackend.service.http.port`             | Port over which to expose HTTP                                                     | `80`                                                                      |
 | `gitBackend.service.https.enabled`         | Whether to serve HTTPS-requests                                                    | `false`                                                                   |
 | `gitBackend.service.https.port`            | Port over which to expose HTTPS                                                    | `443`                                                                     |
-| `gitBackend.service.https.cert`            | Public SSL server certificate                                                      | `-----BEGIN CERTIFICATE-----`                                             |
-| `gitBackend.service.https.key`             | Private SSL server certificate                                                     | `-----BEGIN RSA PRIVATE KEY-----`                                         |
+| `gitBackend.service.https.secret.create`   | Whether to create a TLS-secret                                                     | `true`                                                                    |
+| `gitBackend.service.https.secret.name`     | Name of an external secret that will be used as a TLS-secret                       | `nil`                                                                     |
+| `gitBackend.service.https.secret.cert`     | Public SSL server certificate                                                      | `-----BEGIN CERTIFICATE-----`                                             |
+| `gitBackend.service.https.secret.key`      | Private SSL server certificate                                                     | `-----BEGIN RSA PRIVATE KEY-----`                                         |
 | `gitBackend.ingress.enabled`               | Whether to deploy an Ingress                                                       | `false`                                                                   |
 | `gitBackend.ingress.host`                  | Host name to use for the Ingress (required for Ingress)                            | `nil`                                                                     |
 | `gitBackend.ingress.maxBodySize`           | Maximum request body size allowed (Set to 0 for an unlimited request body size)    | `50m`                                                                     |
 | `gitBackend.ingress.additionalAnnotations` | Additional annotations for the Ingress                                             | `nil`                                                                     |
 | `gitBackend.ingress.tls.enabled`           | Whether to enable TLS termination in the Ingress                                   | `false`                                                                   |
-| `gitBackend.ingress.tls.cert`              | Public SSL server certificate                                                      | `-----BEGIN CERTIFICATE-----`                                             |
-| `gitBackend.ingress.tls.key`               | Private SSL server certificate                                                     | `-----BEGIN RSA PRIVATE KEY-----`                                         |
+| `gitBackend.ingress.tls.secret.create`     | Whether to create a TLS-secret                                                     | `true`                                                                    |
+| `gitBackend.ingress.tls.secret.name`       | Name of an external secret that will be used as a TLS-secret                       | `nil`                                                                     |
+| `gitBackend.ingress.tls.secret.cert`       | Public SSL server certificate                                                      | `-----BEGIN CERTIFICATE-----`                                             |
+| `gitBackend.ingress.tls.secret.key`        | Private SSL server certificate                                                     | `-----BEGIN RSA PRIVATE KEY-----`                                         |
 
 ***note
 At least one endpoint (HTTP and/or HTTPS) has to be enabled in the service!
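Review bot: the new `gitBackend.service.https.secret.name` row does not say which keys the external secret must carry. The git backend deployment in this change mounts `server.key` and `server.crt` from that secret, which is not the `tls.crt`/`tls.key` layout of a `kubernetes.io/tls` secret, so a secret issued for the Ingress cannot be reused for the service unchanged; that constraint is currently only mentioned in a values.yaml comment. The row should also state that `name` is only consulted when `secret.create` is `false`, and is then mandatory, e.g. `Name of an external secret (keys server.crt/server.key); required when secret.create is false`. The same dependency applies to the `gitBackend.ingress.tls.secret.name` row further down, where the expected keys are `tls.crt`/`tls.key`.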
@@ -212,8 +216,10 @@
 | `gerritReplica.ingress.host`                  | REQUIRED: Host name to use for the Ingress (required for Ingress)                                        | `nil`                             |
 | `gerritReplica.ingress.additionalAnnotations` | Additional annotations for the Ingress                                                                   | `nil`                             |
 | `gerritReplica.ingress.tls.enabled`           | Whether to enable TLS termination in the Ingress                                                         | `false`                           |
-| `gerritReplica.ingress.tls.cert`              | Public SSL server certificate                                                                            | `-----BEGIN CERTIFICATE-----`     |
-| `gerritReplica.ingress.tls.key`               | Private SSL server certificate                                                                           | `-----BEGIN RSA PRIVATE KEY-----` |
+| `gerritReplica.ingress.tls.secret.create`     | Whether to create a TLS-secret                                                                           | `true`                            |
+| `gerritReplica.ingress.tls.secret.name`       | Name of an external secret that will be used as a TLS-secret                                             | `nil`                             |
+| `gerritReplica.ingress.tls.secret.cert`       | Public SSL server certificate                                                                            | `-----BEGIN CERTIFICATE-----`     |
+| `gerritReplica.ingress.tls.secret.key`        | Private SSL server certificate                                                                           | `-----BEGIN RSA PRIVATE KEY-----` |
 | `gerritReplica.keystore`                      | base64-encoded Java keystore (`cat keystore.jks | base64`) to be used by Gerrit, when using SSL          | `nil`                             |
 | `gerritReplica.config.gerrit`                 | The contents of the gerrit.config                                                                        | [see here](#Gerrit-config-files)  |
 | `gerritReplica.config.secure`                 | The contents of the secure.config                                                                        | [see here](#Gerrit-config-files)  |
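Review bot: `gerritReplica.ingress.tls.secret.name` becomes mandatory once `gerritReplica.ingress.tls.secret.create` is `false`, but the row shows a plain `nil` default and its description does not mention the dependency, while `gerritReplica.ingress.host` in the same table already uses the `REQUIRED:` prefix for exactly this kind of condition. Suggest `REQUIRED if secret.create is false: Name of an existing kubernetes.io/tls secret (keys tls.crt/tls.key)`, so the reader knows both when the value is needed and what the referenced secret has to look like for the Ingress.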
diff --git a/helm-charts/gerrit-replica/templates/gerrit-replica.ingress.yaml b/helm-charts/gerrit-replica/templates/gerrit-replica.ingress.yaml
index 325265e..61331dc 100644
--- a/helm-charts/gerrit-replica/templates/gerrit-replica.ingress.yaml
+++ b/helm-charts/gerrit-replica/templates/gerrit-replica.ingress.yaml
@@ -16,7 +16,11 @@
   tls:
   - hosts:
     - {{ .Values.gerritReplica.ingress.host }}
+    {{ if .Values.gerritReplica.ingress.tls.secret.create -}}
     secretName: {{ .Release.Name }}-gerrit-replica-tls-secret
+    {{- else }}
+    secretName: {{ .Values.gerritReplica.ingress.tls.secret.name }}
+    {{- end }}
   {{- end }}
   rules:
   - host: {{required "A host URL is required for the Gerrit replica Ingress. Please set 'gerritReplica.ingress.host'" .Values.gerritReplica.ingress.host }}
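Review bot: in the `else` branch, `secretName: {{ .Values.gerritReplica.ingress.tls.secret.name }}` renders as an empty `secretName:` when `secret.create` is `false` and `name` is left at its default, so the Ingress is created without a usable TLS secret and the mistake only surfaces in the ingress controller's logs. The `host` field two lines below already fails fast via `required`; do the same here, e.g. `secretName: {{ required "gerritReplica.ingress.tls.secret.name is required when secret.create is false" .Values.gerritReplica.ingress.tls.secret.name }}`.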
diff --git a/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml b/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml
index a021161..2ac0586 100644
--- a/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml
+++ b/helm-charts/gerrit-replica/templates/gerrit-replica.secrets.yaml
@@ -14,7 +14,7 @@
   secure.config: {{ .Values.gerritReplica.config.secure | b64enc }}
 type: Opaque
 ---
-{{ if .Values.gerritReplica.ingress.tls.enabled -}}
+{{ if and .Values.gerritReplica.ingress.tls.enabled .Values.gerritReplica.ingress.tls.secret.create -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -26,7 +26,7 @@
     release: {{ .Release.Name }}
 type: kubernetes.io/tls
 data:
-  {{ with .Values.gerritReplica.ingress.tls -}}
+  {{ with .Values.gerritReplica.ingress.tls.secret -}}
   tls.crt: {{ .cert | b64enc }}
   tls.key: {{ .key | b64enc }}
   {{- end }}
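Review bot: `tls.crt: {{ .cert | b64enc }}` and `tls.key: {{ .key | b64enc }}` have no `required` guard, unlike the `server.key`/`server.crt` entries in git-backend.secrets.yaml in this same change, so enabling Ingress TLS with `secret.create: true` and the placeholder values from values.yaml renders a `kubernetes.io/tls` secret containing the `-----BEGIN CERTIFICATE-----` stub instead of failing at `helm install`. Wrapping both values in `required` with a message naming `gerritReplica.ingress.tls.secret.cert`/`.key` would make the two secrets behave consistently.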
diff --git a/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml b/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml
index b5231a8..a4b6721 100644
--- a/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml
+++ b/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml
@@ -52,7 +52,18 @@
           mountPath: "/var/gerrit/git"
         - name: git-backend-secret
           readOnly: true
-          mountPath: "/var/apache/credentials"
+          subPath: .htpasswd
+          mountPath: "/var/apache/credentials/.htpasswd"
+        {{ if .Values.gitBackend.service.https.enabled -}}
+        - name: git-backend-tls-secret
+          readOnly: true
+          subPath: server.key
+          mountPath: "/var/apache/credentials/server.key"
+        - name: git-backend-tls-secret
+          readOnly: true
+          subPath: server.crt
+          mountPath: "/var/apache/credentials/server.crt"
+        {{ end }}
         - name: apache-logs
           mountPath: "/var/log/apache2"
       volumes:
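Review bot: switching the `/var/apache/credentials` mounts to `subPath` (`.htpasswd`, `server.key`, `server.crt`) means these files are no longer refreshed when the backing secret changes, because the kubelet does not update `subPath` volume mounts; a rotated certificate only takes effect after the pod is restarted. Since the commit message gives updating certificates independently of helm as a motivation, this should at least be documented, or the TLS secret mounted as a whole directory (for example `/var/apache/credentials/tls`) with the Apache configuration pointed there, so the files track the secret. Separately, the unindented `{{ end }}` closing the HTTPS block leaves an empty line in the rendered manifest; `{{- end }}` would match the surrounding templates.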
@@ -62,6 +73,15 @@
       - name: git-backend-secret
         secret:
           secretName: {{ .Release.Name }}-git-backend-secret
+      {{ if and .Values.gitBackend.service.https.enabled -}}
+      - name: git-backend-tls-secret
+        secret:
+          {{ if .Values.gitBackend.service.https.secret.create -}}
+          secretName: {{ .Release.Name }}-git-backend-secret
+          {{- else }}
+          secretName: {{ .Values.gitBackend.service.https.secret.name }}
+          {{- end }}
+      {{ end }}
       - name: apache-logs
         {{ if .Values.gitBackend.logging.persistence.enabled -}}
         persistentVolumeClaim:
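Review bot: `{{ if and .Values.gitBackend.service.https.enabled -}}` applies `and` to a single operand, which looks like a leftover from an earlier condition; `{{ if .Values.gitBackend.service.https.enabled -}}` expresses the same thing. In the `create` branch the new `git-backend-tls-secret` volume points at `{{ .Release.Name }}-git-backend-secret`, the very secret already mounted as `git-backend-secret`, so the extra volume is only needed in the external-secret case. And when `create` is `false` with `gitBackend.service.https.secret.name` unset, `secretName:` renders empty and the pod fails at volume setup instead of at template time; a `required` guard on the name would surface that at `helm install`.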
diff --git a/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml b/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml
index 2a74a4a..7c28a9c 100644
--- a/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml
+++ b/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml
@@ -18,7 +18,11 @@
   tls:
   - hosts:
     - {{ .Values.gitBackend.ingress.host }}
+    {{ if .Values.gitBackend.ingress.tls.secret.create -}}
     secretName: {{ .Release.Name }}-git-backend-tls-secret
+    {{- else }}
+    secretName: {{ .Values.gitBackend.ingress.tls.secret.name }}
+    {{- end }}
   {{- end }}
   rules:
   - host: {{ .Values.gitBackend.ingress.host }}
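Review bot: same gap as in the gerrit-replica Ingress template: the `else` branch emits an empty `secretName:` when `secret.create` is `false` and `gitBackend.ingress.tls.secret.name` is unset. Unlike that template, `host` on the last line of this hunk is not wrapped in `required` either, so a TLS-enabled Ingress with neither a host nor a secret passes rendering; wrapping `gitBackend.ingress.tls.secret.name` in `required` with a message naming the value would catch the likely misconfiguration early.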
diff --git a/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml b/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml
index 15c8681..75eee1d 100644
--- a/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml
+++ b/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml
@@ -10,14 +10,14 @@
 data:
   {{ with .Values.gitBackend -}}
   .htpasswd: {{ required "A .htpasswd-file is required for the git backend." .credentials.htpasswd | b64enc }}
-  {{ if .service.https.enabled -}}
-  server.key: {{ required "A SSL key is required, if HTTPS is enabled for the git backend service." .service.https.key | b64enc }}
-  server.crt: {{ required "A SSL certificate is required, if HTTPS is enabled for the git backend service." .service.https.cert | b64enc }}
+  {{ if and .service.https.enabled .service.https.secret.create -}}
+  server.key: {{ required "A SSL key is required, if HTTPS is enabled for the git backend service." .service.https.secret.key | b64enc }}
+  server.crt: {{ required "A SSL certificate is required, if HTTPS is enabled for the git backend service." .service.https.secret.cert | b64enc }}
   {{- end }}
   {{- end }}
 type: Opaque
 ---
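Review bot: with `secret.create: false` the `server.key`/`server.crt` entries are dropped from the Opaque secret, and the deployment then reads those same key names from the external secret. That ties an external secret to the chart's private layout (`server.crt`/`server.key`) rather than the standard `kubernetes.io/tls` keys `tls.crt`/`tls.key` that the Ingress secrets in this change use, so one certificate secret cannot back both the service and the Ingress without being copied under different key names. Writing `tls.crt`/`tls.key` here and mounting those names in the deployment would let a single TLS secret serve both.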
-{{ if and .Values.gitBackend.ingress.enabled .Values.gitBackend.ingress.tls.enabled -}}
+{{ if and .Values.gitBackend.ingress.enabled .Values.gitBackend.ingress.tls.enabled .Values.gitBackend.ingress.tls.secret.create -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -29,7 +29,7 @@
     release: {{ .Release.Name }}
 type: kubernetes.io/tls
 data:
-  {{ with .Values.gitBackend.ingress.tls -}}
+  {{ with .Values.gitBackend.ingress.tls.secret -}}
   tls.crt: {{ .cert | b64enc }}
   tls.key: {{ .key | b64enc }}
   {{- end }}
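Review bot: the `with .Values.gitBackend.ingress.tls.secret` block encodes `.cert` and `.key` without the `required` checks applied to `server.key`/`server.crt` a few lines above in the same file, so a missing or placeholder certificate passes `helm install` for the Ingress secret but fails for the service secret. Apply the same `required` messages to `tls.crt` and `tls.key` for consistent fail-fast behaviour.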
diff --git a/helm-charts/gerrit-replica/values.yaml b/helm-charts/gerrit-replica/values.yaml
index f5fb802..5344e26 100644
--- a/helm-charts/gerrit-replica/values.yaml
+++ b/helm-charts/gerrit-replica/values.yaml
@@ -77,14 +77,24 @@
     https:
       enabled: false
       port: 443
-      cert: |-
-        -----BEGIN CERTIFICATE-----
+      secret:
+        # If using an external secret, make sure to name the keys `server.crt`
+        # and `server.key`, respectively.
+        create: true
+        # `name` will only be used, if `create` is set to false to bind an
+        # existing secret. Otherwise the name will be automatically generated to
+        # avoid conflicts between multiple chart installations.
+        name:
+        # `cert`and `key` will only be used, if the secret will be created by
+        # this chart.
+        cert: |-
+          -----BEGIN CERTIFICATE-----
 
-        -----END CERTIFICATE-----
-      key: |-
-        -----BEGIN RSA PRIVATE KEY-----
+          -----END CERTIFICATE-----
+        key: |-
+          -----BEGIN RSA PRIVATE KEY-----
 
-        -----END RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
 
   ingress:
     enabled: false
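Review bot: the comment `# If using an external secret, make sure to name the keys server.crt and server.key` is the only place the key-name requirement for the git backend service is stated; users who reference an existing secret will typically not read the default values file, so this belongs in the README table as well. Typo in the following comment: `cert`and `key`` is missing a space. A bare `name:` is `null`, which renders as an empty `secretName` in the templates; `name: ""` would make the intended type explicit.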
@@ -97,14 +107,22 @@
     #  nginx.ingress.kubernetes.io/whitelist-source-range: xxx.xxx.xxx.xxx
     tls:
       enabled: false
-      cert: |-
-        -----BEGIN CERTIFICATE-----
+      secret:
+        create: true
+        # `name` will only be used, if `create` is set to false to bind an
+        # existing secret. Otherwise the name will be automatically generated to
+        # avoid conflicts between multiple chart installations.
+        name:
+        # `cert`and `key` will only be used, if the secret will be created by
+        # this chart.
+        cert: |-
+          -----BEGIN CERTIFICATE-----
 
-        -----END CERTIFICATE-----
-      key: |-
-        -----BEGIN RSA PRIVATE KEY-----
+          -----END CERTIFICATE-----
+        key: |-
+          -----BEGIN RSA PRIVATE KEY-----
 
-        -----END RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
 
   credentials:
     # example: user: 'git'; password: 'secret'
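Review bot: the `cert`and `key`` typo (missing space) is repeated in this block. This Ingress block carries the same `create`/`name` comments as the service block above but omits any key-name hint; since an external Ingress secret must be of type `kubernetes.io/tls` (keys `tls.crt`/`tls.key`), while the service block above requires `server.crt`/`server.key`, stating the expected layout here would keep the two from being confused.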
@@ -177,14 +195,22 @@
     #  nginx.ingress.kubernetes.io/whitelist-source-range: xxx.xxx.xxx.xxx
     tls:
       enabled: false
-      cert: |-
-        -----BEGIN CERTIFICATE-----
+      secret:
+        create: true
+        # `name` will only be used, if `create` is set to false to bind an
+        # existing secret. Otherwise the name will be automatically generated to
+        # avoid conflicts between multiple chart installations.
+        name:
+        # `cert`and `key` will only be used, if the secret will be created by
+        # this chart.
+        cert: |-
+          -----BEGIN CERTIFICATE-----
 
-        -----END CERTIFICATE-----
-      key: |-
-        -----BEGIN RSA PRIVATE KEY-----
+          -----END CERTIFICATE-----
+        key: |-
+          -----BEGIN RSA PRIVATE KEY-----
 
-        -----END RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
 
   # `gerritReplica.keystore` expects a base64-encoded Java-keystore
   # Since Java keystores are binary files, adding the unencoded content and
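Review bot: third occurrence of the `cert`and `key`` typo in this file. The same `secret` sub-tree with identical comments now appears three times in values.yaml; consistent wording (and the `kubernetes.io/tls` hint) in all copies would keep them from drifting apart as the charts evolve.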
diff --git a/helm-charts/gerrit/README.md b/helm-charts/gerrit/README.md
index 0df1817..f843f1b 100644
--- a/helm-charts/gerrit/README.md
+++ b/helm-charts/gerrit/README.md
@@ -163,8 +163,10 @@
 | `gerrit.ingress.host`                  | REQUIRED: Host name to use for the Ingress (required for Ingress)                               | `nil`                                                                                    |
 | `gerrit.ingress.additionalAnnotations` | Additional annotations for the Ingress                                                          | `nil`                                                                                    |
 | `gerrit.ingress.tls.enabled`           | Whether to enable TLS termination in the Ingress                                                | `false`                                                                                  |
-| `gerrit.ingress.tls.cert`              | Public SSL server certificate                                                                   | `-----BEGIN CERTIFICATE-----`                                                            |
-| `gerrit.ingress.tls.key`               | Private SSL server certificate                                                                  | `-----BEGIN RSA PRIVATE KEY-----`                                                        |
+| `gerrit.ingress.tls.secret.create`     | Whether to create a TLS-secret                                                                  | `true`                                                                                   |
+| `gerrit.ingress.tls.secret.name`       | Name of an external secret that will be used as a TLS-secret                                    | `nil`                                                                                    |
+| `gerrit.ingress.tls.secret.cert`       | Public SSL server certificate                                                                   | `-----BEGIN CERTIFICATE-----`                                                            |
+| `gerrit.ingress.tls.secret.key`        | Private SSL server certificate                                                                  | `-----BEGIN RSA PRIVATE KEY-----`                                                        |
 | `gerrit.keystore`                      | base64-encoded Java keystore (`cat keystore.jks | base64`) to be used by Gerrit, when using SSL | `nil`                                                                                    |
 | `gerrit.plugins.packaged`              | List of Gerrit plugins that are packaged into the Gerrit-war-file to install                    | `["commit-message-length-validator", "download-commands", "replication", "reviewnotes"]` |
 | `gerrit.plugins.downloaded`            | List of Gerrit plugins that will be downloaded                                                  | `nil`                                                                                    |
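Review bot: as with the gerrit-replica README, the new `gerrit.ingress.tls.secret.name` row does not say that the value is mandatory when `gerrit.ingress.tls.secret.create` is `false`, nor that the referenced secret must be of type `kubernetes.io/tls` with `tls.crt`/`tls.key`. `gerrit.ingress.host` two rows above shows the `REQUIRED:` convention to follow.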
diff --git a/helm-charts/gerrit/templates/gerrit.ingress.yaml b/helm-charts/gerrit/templates/gerrit.ingress.yaml
index 645a47c..c0dae05 100644
--- a/helm-charts/gerrit/templates/gerrit.ingress.yaml
+++ b/helm-charts/gerrit/templates/gerrit.ingress.yaml
@@ -17,7 +17,11 @@
   tls:
   - hosts:
     - {{ .Values.gerrit.ingress.host }}
+    {{ if .Values.gerrit.ingress.tls.secret.create -}}
     secretName: {{ .Release.Name }}-gerrit-tls-secret
+    {{- else }}
+    secretName: {{ .Values.gerrit.ingress.tls.secret.name }}
+    {{- end }}
   {{- end }}
   rules:
   - host: {{required "A host URL is required for the Gerrit Ingress. Please set 'gerrit.ingress.host'" .Values.gerrit.ingress.host }}
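Review bot: same issue as the gerrit-replica Ingress template: the `else` branch renders `secretName:` empty when `gerrit.ingress.tls.secret.name` is unset. Wrap it in `required` with a message naming `gerrit.ingress.tls.secret.name`, matching the `required` already applied to `host` on the last line of this hunk.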
diff --git a/helm-charts/gerrit/templates/gerrit.secrets.yaml b/helm-charts/gerrit/templates/gerrit.secrets.yaml
index c9707d2..897c8a9 100644
--- a/helm-charts/gerrit/templates/gerrit.secrets.yaml
+++ b/helm-charts/gerrit/templates/gerrit.secrets.yaml
@@ -14,7 +14,7 @@
   secure.config: {{ .Values.gerrit.config.secure | b64enc }}
 type: Opaque
 ---
-{{ if .Values.gerrit.ingress.tls.enabled -}}
+{{ if and .Values.gerrit.ingress.tls.enabled .Values.gerrit.ingress.tls.secret.create -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -26,7 +26,7 @@
     release: {{ .Release.Name }}
 type: kubernetes.io/tls
 data:
-  {{ with .Values.gerrit.ingress.tls -}}
+  {{ with .Values.gerrit.ingress.tls.secret -}}
   tls.crt: {{ .cert | b64enc }}
   tls.key: {{ .key | b64enc }}
   {{- end }}
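Review bot: as in gerrit-replica.secrets.yaml, `.cert` and `.key` are base64-encoded without `required`, so the placeholder certificate shipped in values.yaml renders into a `kubernetes.io/tls` secret silently when `gerrit.ingress.tls.enabled` is `true`; add `required` guards naming `gerrit.ingress.tls.secret.cert` and `.key`.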
diff --git a/helm-charts/gerrit/values.yaml b/helm-charts/gerrit/values.yaml
index 76947e0..5504833 100644
--- a/helm-charts/gerrit/values.yaml
+++ b/helm-charts/gerrit/values.yaml
@@ -112,14 +112,22 @@
     #  nginx.ingress.kubernetes.io/whitelist-source-range: xxx.xxx.xxx.xxx
     tls:
       enabled: false
-      cert: |-
-        -----BEGIN CERTIFICATE-----
+      secret:
+        create: true
+        # `name` will only be used, if `create` is set to false to bind an
+        # existing secret. Otherwise the name will be automatically generated to
+        # avoid conflicts between multiple chart installations.
+        name:
+        # `cert`and `key` will only be used, if the secret will be created by
+        # this chart.
+        cert: |-
+          -----BEGIN CERTIFICATE-----
 
-        -----END CERTIFICATE-----
-      key: |-
-        -----BEGIN RSA PRIVATE KEY-----
+          -----END CERTIFICATE-----
+        key: |-
+          -----BEGIN RSA PRIVATE KEY-----
 
-        -----END RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
 
   # `gerrit.keystore` expects a base64-encoded Java-keystore
   # Since Java keystores are binary files, adding the unencoded content and
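Review bot: the `cert`and `key`` typo (missing space) appears here too; otherwise this block mirrors the gerrit-replica Ingress block and would benefit from the same note that an external secret must be of type `kubernetes.io/tls`.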