gitlab-com-seaweedfs/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2024-01-19 02:48:24 +00:00
Code Issues Projects Releases Wiki Activity

Fix Helm chart enableSecurity flag (#4537)

Browse source 
Fix Helm chart enableSecurity flag:

- Add parameter for whether to use v1alpha cert-manager CRDs, default off.
- Use self-signed Issuer only for the initial CA certificates, create a new
  Issuer that uses the generated CA certificate and use that for all the others
This commit is contained in:
Andrew Garrett 2023-06-06 05:38:49 +10:00 committed by GitHub
parent 65b4dc6448
commit abef448c51
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 46 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
k8s/charts/seaweedfs/templates/ca-cert.yaml
View file

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-ca-cert

10
k8s/charts/seaweedfs/templates/cert-caissuer.yaml Normal file
View file

@ -0,0 +1,10 @@
{{- if .Values.global.enableSecurity }}
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Issuer
metadata:
name: {{ template "seaweedfs.name" . }}-ca-issuer
namespace: {{ .Release.Namespace }}
spec:
ca:
secretName: {{ template "seaweedfs.name" . }}-ca-cert
{{- end }}

2
k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
View file

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: ClusterIssuer
metadata:
name: {{ template "seaweedfs.name" . }}-clusterissuer

14
k8s/charts/seaweedfs/templates/client-cert.yaml
View file

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-client-cert
@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-client-cert
issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}

14
k8s/charts/seaweedfs/templates/filer-cert.yaml
View file

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-filer-cert
@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-filer-cert
issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}

14
k8s/charts/seaweedfs/templates/master-cert.yaml
View file

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-master-cert
@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-master-cert
issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}

14
k8s/charts/seaweedfs/templates/volume-cert.yaml
View file

@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
apiVersion: certmanager.k8s.io/v1alpha1
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-volume-cert
@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-volume-cert
issuerRef:
name: {{ template "seaweedfs.name" . }}-clusterissuer
kind: ClusterIssuer
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }}
organization:
subject:
organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
keySize: {{ .Values.certificates.keySize }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}

2
k8s/charts/seaweedfs/values.yaml
View file

@ -9,6 +9,8 @@ global:
restartPolicy: Always
loggingLevel: 1
enableSecurity: false
certificates:
alphacrds: false
monitoring:
enabled: false
gatewayHost: null