Only use a single secret for git-backend TLS
Two separate secrets to manage the TLS certificates for the service
and ingress of the apache-git-http-backend were used. However, there
is no reason to use different certificates.
This change merges the two secrets, which should also make it easier to use
TLS-certificate forwarding from the ingress to the service.
That forwarding still has to be configured manually, since it differs
between ingress controllers.
Change-Id: Id0e1dca75b611b2d62114b89ee5e88dc57502814
diff --git a/helm-charts/gerrit-replica/README.md b/helm-charts/gerrit-replica/README.md
index 5651c90..df0ca91 100644
--- a/helm-charts/gerrit-replica/README.md
+++ b/helm-charts/gerrit-replica/README.md
@@ -146,24 +146,20 @@
| `gitBackend.credentials.htpasswd` | `.htpasswd`-file containing username/password-credentials for accessing git | `git:$apr1$O/LbLKC7$Q60GWE7OcqSEMSfe/K8xU.` (user: git, password: secret) |
| `gitBackend.logging.persistence.enabled` | Whether to persist logs | `true` |
| `gitBackend.logging.persistence.size` | Storage size for persisted logs | `1Gi` |
+| `gitBackend.tls.secret.create` | Whether to create a TLS-secret | `true` |
+| `gitBackend.tls.secret.name` | Name of an external secret that will be used as a TLS-secret | `nil` |
+| `gitBackend.tls.cert` | Public SSL server certificate | `-----BEGIN CERTIFICATE-----` |
+| `gitBackend.tls.key` | Private SSL server certificate | `-----BEGIN RSA PRIVATE KEY-----` |
| `gitBackend.service.type` | Which kind of Service to deploy | `LoadBalancer` |
| `gitBackend.service.http.enabled` | Whether to serve HTTP-requests (needed for Ingress) | `true` |
| `gitBackend.service.http.port` | Port over which to expose HTTP | `80` |
| `gitBackend.service.https.enabled` | Whether to serve HTTPS-requests | `false` |
| `gitBackend.service.https.port` | Port over which to expose HTTPS | `443` |
-| `gitBackend.service.https.secret.create` | Whether to create a TLS-secret | `true` |
-| `gitBackend.service.https.secret.name` | Name of an external secret that will be used as a TLS-secret | `nil` |
-| `gitBackend.service.https.secret.cert` | Public SSL server certificate | `-----BEGIN CERTIFICATE-----` |
-| `gitBackend.service.https.secret.key` | Private SSL server certificate | `-----BEGIN RSA PRIVATE KEY-----` |
| `gitBackend.ingress.enabled` | Whether to deploy an Ingress | `false` |
| `gitBackend.ingress.host` | Host name to use for the Ingress (required for Ingress) | `nil` |
| `gitBackend.ingress.maxBodySize` | Maximum request body size allowed (Set to 0 for an unlimited request body size) | `50m` |
| `gitBackend.ingress.additionalAnnotations` | Additional annotations for the Ingress | `nil` |
| `gitBackend.ingress.tls.enabled` | Whether to enable TLS termination in the Ingress | `false` |
-| `gitBackend.ingress.tls.secret.create` | Whether to create a TLS-secret | `true` |
-| `gitBackend.ingress.tls.secret.name` | Name of an external secret that will be used as a TLS-secret | `nil` |
-| `gitBackend.ingress.tls.secret.cert` | Public SSL server certificate | `-----BEGIN CERTIFICATE-----` |
-| `gitBackend.ingress.tls.secret.key` | Private SSL server certificate | `-----BEGIN RSA PRIVATE KEY-----` |
***note
At least one endpoint (HTTP and/or HTTPS) has to be enabled in the service!
diff --git a/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml b/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml
index 20d1afe..9d3e323 100644
--- a/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml
+++ b/helm-charts/gerrit-replica/templates/git-backend.deployment.yaml
@@ -76,10 +76,10 @@
{{ if and .Values.gitBackend.service.https.enabled -}}
- name: git-backend-tls-secret
secret:
- {{ if .Values.gitBackend.service.https.secret.create -}}
- secretName: {{ .Release.Name }}-git-backend-service-tls-secret
+ {{ if .Values.gitBackend.tls.secret.create -}}
+ secretName: {{ .Release.Name }}-git-backend-tls-secret
{{- else }}
- secretName: {{ .Values.gitBackend.service.https.secret.name }}
+ secretName: {{ .Values.gitBackend.tls.secret.name }}
{{- end }}
{{ end }}
- name: apache-logs
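Review bot: The added `secretName: {{ .Values.gitBackend.tls.secret.name }}` line renders an empty `secretName` when `create` is false and no name has been supplied (the new values default is a bare `name:`, i.e. null), so the pod spec fails API validation instead of the chart failing at template time with a clear message. Wrap it the way the htpasswd value is already guarded in git-backend.secrets.yaml, e.g. `secretName: {{ required "gitBackend.tls.secret.name is required when gitBackend.tls.secret.create is false" .Values.gitBackend.tls.secret.name }}`. The same applies to the corresponding added line in git-backend.ingress.yaml.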
diff --git a/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml b/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml
index 7c28a9c..6c98102 100644
--- a/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml
+++ b/helm-charts/gerrit-replica/templates/git-backend.ingress.yaml
@@ -18,10 +18,10 @@
tls:
- hosts:
- {{ .Values.gitBackend.ingress.host }}
- {{ if .Values.gitBackend.ingress.tls.secret.create -}}
+ {{ if .Values.gitBackend.tls.secret.create -}}
secretName: {{ .Release.Name }}-git-backend-tls-secret
{{- else }}
- secretName: {{ .Values.gitBackend.ingress.tls.secret.name }}
+ secretName: {{ .Values.gitBackend.tls.secret.name }}
{{- end }}
{{- end }}
rules:
diff --git a/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml b/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml
index df37523..cac30f7 100644
--- a/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml
+++ b/helm-charts/gerrit-replica/templates/git-backend.secrets.yaml
@@ -11,29 +11,11 @@
.htpasswd: {{ required "A .htpasswd-file is required for the git backend." .Values.gitBackend.credentials.htpasswd | b64enc }}
type: Opaque
---
-{{ if and .Values.gitBackend.service.https.enabled .Values.gitBackend.service.https.secret.create -}}
+{{ if and .Values.gitBackend.tls.secret.create (or .Values.gitBackend.ingress.tls.enabled .Values.gitBackend.service.https.enabled) -}}
apiVersion: v1
kind: Secret
metadata:
- name: {{ .Release.Name }}-git-backend-service-tls-secret
- labels:
- app: git-backend
- chart: {{ template "gerrit-slave.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-type: kubernetes.io/tls
-data:
- {{ with .Values.gitBackend -}}
- tls.crt: {{ required "A SSL certificate is required, if HTTPS is enabled for the git backend service." .service.https.secret.cert | b64enc }}
- tls.key: {{ required "A SSL key is required, if HTTPS is enabled for the git backend service." .service.https.secret.key | b64enc }}
- {{- end }}
-{{- end }}
----
-{{ if and .Values.gitBackend.ingress.enabled .Values.gitBackend.ingress.tls.enabled .Values.gitBackend.ingress.tls.secret.create -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-git-backend-tls-secret
+ name: {{ .Release.Name }}-git-backend-tls-secret
labels:
app: git-backend
chart: {{ template "gerrit-replica.chart" . }}
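Review bot: The new creation condition `(or .Values.gitBackend.ingress.tls.enabled .Values.gitBackend.service.https.enabled)` drops the `.Values.gitBackend.ingress.enabled` check that the removed ingress-secret condition had, so setting `ingress.tls.enabled: true` while the ingress itself stays disabled now creates a `kubernetes.io/tls` secret that nothing in the release consumes. Keeping the secret's lifetime tied to an actual consumer avoids leaving unused key material in the namespace; the condition could read `{{ if and .Values.gitBackend.tls.secret.create (or (and .Values.gitBackend.ingress.enabled .Values.gitBackend.ingress.tls.enabled) .Values.gitBackend.service.https.enabled) -}}`. The Secret document continues in the next hunk.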
@@ -41,7 +23,7 @@
release: {{ .Release.Name }}
type: kubernetes.io/tls
data:
- {{ with .Values.gitBackend.ingress.tls.secret -}}
+ {{ with .Values.gitBackend.tls -}}
tls.crt: {{ .cert | b64enc }}
tls.key: {{ .key | b64enc }}
{{- end }}
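Review bot: With `{{ with .Values.gitBackend.tls -}}` the merged secret now emits `tls.crt: {{ .cert | b64enc }}` and `tls.key: {{ .key | b64enc }}` without the `required` guards the removed service-TLS secret carried in the previous hunk, so a null `cert` or `key` (for example cleared via `--set`) either renders an unusable TLS secret or fails with an opaque template type error rather than a clear message. Restoring the guards keeps the fail-fast behaviour for both consumers: `tls.crt: {{ required "A TLS certificate is required when the chart creates the git-backend TLS secret." .cert | b64enc }}` and `tls.key: {{ required "A TLS key is required when the chart creates the git-backend TLS secret." .key | b64enc }}`. Note that `required` only catches missing values; it will not reject the placeholder PEM framing that values.yaml ships as the default.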
diff --git a/helm-charts/gerrit-replica/values.yaml b/helm-charts/gerrit-replica/values.yaml
index 32d16c1..5564ceb 100644
--- a/helm-charts/gerrit-replica/values.yaml
+++ b/helm-charts/gerrit-replica/values.yaml
@@ -68,6 +68,26 @@
enabled: true
size: 1Gi
+ tls:
+ secret:
+ # If using an external secret, make sure to name the keys `tls.crt`
+ # and `tls.key`, respectively.
+ create: true
+ # `name` will only be used, if `create` is set to false to bind an
+ # existing secret. Otherwise the name will be automatically generated to
+ # avoid conflicts between multiple chart installations.
+ name:
+ # `cert`and `key` will only be used, if the secret will be created by
+ # this chart.
+ cert: |-
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
+ key: |-
+ -----BEGIN RSA PRIVATE KEY-----
+
+ -----END RSA PRIVATE KEY-----
+
service:
type: LoadBalancer
# At least one endpoint (HTTP and/or HTTPS) has to be enabled in the service!
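Review bot: The new `cert` and `key` defaults are non-empty PEM header/footer placeholders, so any `required` check in the secret template cannot tell "not configured" from "configured", and enabling `service.https` or `ingress.tls` without overriding them installs a `kubernetes.io/tls` secret holding unusable material. Shipping them empty (`cert: ""` / `key: ""`, with the expected PEM framing shown in the comment instead) makes a `required` guard meaningful; the comment block could also state that production key material is best supplied through an existing secret (`create: false` plus `name`) rather than committed into values. Minor: the bare `name:` parses as null, which matches the README's `nil`, but `name: null` states the intent explicitly, and the comment `` `cert`and `key` `` is missing a space.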
@@ -77,24 +97,6 @@
https:
enabled: false
port: 443
- secret:
- # If using an external secret, make sure to name the keys `tls.crt`
- # and `tls.key`, respectively.
- create: true
- # `name` will only be used, if `create` is set to false to bind an
- # existing secret. Otherwise the name will be automatically generated to
- # avoid conflicts between multiple chart installations.
- name:
- # `cert`and `key` will only be used, if the secret will be created by
- # this chart.
- cert: |-
- -----BEGIN CERTIFICATE-----
-
- -----END CERTIFICATE-----
- key: |-
- -----BEGIN RSA PRIVATE KEY-----
-
- -----END RSA PRIVATE KEY-----
ingress:
enabled: false
@@ -107,22 +109,6 @@
# nginx.ingress.kubernetes.io/whitelist-source-range: xxx.xxx.xxx.xxx
tls:
enabled: false
- secret:
- create: true
- # `name` will only be used, if `create` is set to false to bind an
- # existing secret. Otherwise the name will be automatically generated to
- # avoid conflicts between multiple chart installations.
- name:
- # `cert`and `key` will only be used, if the secret will be created by
- # this chart.
- cert: |-
- -----BEGIN CERTIFICATE-----
-
- -----END CERTIFICATE-----
- key: |-
- -----BEGIN RSA PRIVATE KEY-----
-
- -----END RSA PRIVATE KEY-----
credentials:
# example: user: 'git'; password: 'secret'