mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2024-01-19 02:48:24 +00:00
Fix Helm chart enableSecurity flag (#4537)
Fix Helm chart enableSecurity flag: - Add parameter for whether to use v1alpha cert-manager CRDs, default off. - Use self-signed Issuer only for the initial CA certificates, create a new Issuer that uses the generated CA certificate and use that for all the others
parent
65b4dc6448
commit
abef448c51
|
@ -1,5 +1,5 @@
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
apiVersion: certmanager.k8s.io/v1alpha1
|
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "seaweedfs.name" . }}-ca-cert
|
name: {{ template "seaweedfs.name" . }}-ca-cert
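Review bot: With `alphacrds` enabled, the apiVersion line renders `cert-manager.io/v1alpha1`, which as far as I know was never served under the `cert-manager.io` group: v1alpha1 existed only under `certmanager.k8s.io`, and the renamed group started at v1alpha2. Enabling the flag would therefore most likely make every manifest fail to apply. The same expression is used in the new CA issuer and in the clusterissuer, client, filer, master and volume templates, and the Certificate specs there use the v1 field layout (`subject.organizations`, `privateKey.algorithm`/`size`) unconditionally, which an alpha schema would not accept anyway. Consider dropping the toggle in favour of `apiVersion: cert-manager.io/v1`, or switching the group, version and field names together. Only the first five lines of this template are in the hunk.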
|
||||||
|
|
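--- /dev/null
+++ b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.global.enableSecurity }}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Issuer
+metadata:
+name: {{ template "seaweedfs.name" . }}-ca-issuer
+namespace: {{ .Release.Namespace }}
+spec:
+ca:
+secretName: {{ template "seaweedfs.name" . }}-ca-cert
+{{- end }}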
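Review bot: The new Issuer carries no comment about its dependency on the CA secret, and that dependency is what makes the chain work. A `ca` issuer reads `secretName` from its own namespace, so the `-ca-cert` Certificate has to be created in `{{ .Release.Namespace }}` and marked `isCA: true`; neither is visible in the ca-cert hunk on this page. I would add a header comment such as `# Namespaced CA issuer: signs the component certificates with the key pair stored in the <name>-ca-cert secret`. That secret holds the CA private key, so read access to secrets in the release namespace should be treated as equivalent to being able to issue trusted certificates.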
|
|
@ -1,5 +1,5 @@
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
apiVersion: certmanager.k8s.io/v1alpha1
|
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "seaweedfs.name" . }}-clusterissuer
|
name: {{ template "seaweedfs.name" . }}-clusterissuer
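Review bot: The bootstrap issuer stays a `ClusterIssuer` while everything it feeds is now namespaced, so it remains usable from every namespace, and its name, built only from `seaweedfs.name`, will collide if the chart is installed twice in one cluster. Assuming it is the self-signed issuer the commit message describes and is referenced only by the `-ca-cert` Certificate, it could become `kind: Issuer` with `namespace: {{ .Release.Namespace }}`, with the CA certificate's `issuerRef.kind` changed to match. Only the first five lines of the template are in the hunk, so the spec itself is not visible here.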
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
apiVersion: certmanager.k8s.io/v1alpha1
|
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "seaweedfs.name" . }}-client-cert
|
name: {{ template "seaweedfs.name" . }}-client-cert
|
||||||
|
@ -7,10 +7,11 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
secretName: {{ template "seaweedfs.name" . }}-client-cert
|
secretName: {{ template "seaweedfs.name" . }}-client-cert
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: {{ template "seaweedfs.name" . }}-clusterissuer
|
name: {{ template "seaweedfs.name" . }}-ca-issuer
|
||||||
kind: ClusterIssuer
|
kind: Issuer
|
||||||
commonName: {{ .Values.certificates.commonName }}
|
commonName: {{ .Values.certificates.commonName }}
|
||||||
organization:
|
subject:
|
||||||
|
organizations:
|
||||||
- "SeaweedFS CA"
|
- "SeaweedFS CA"
|
||||||
dnsNames:
|
dnsNames:
|
||||||
- '*.{{ .Release.Namespace }}'
|
- '*.{{ .Release.Namespace }}'
|
||||||
|
@ -26,8 +27,9 @@ spec:
|
||||||
- {{ . }}
|
- {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
|
privateKey:
|
||||||
keySize: {{ .Values.certificates.keySize }}
|
algorithm: {{ .Values.certificates.keyAlgorithm }}
|
||||||
|
size: {{ .Values.certificates.keySize }}
|
||||||
duration: {{ .Values.certificates.duration }}
|
duration: {{ .Values.certificates.duration }}
|
||||||
renewBefore: {{ .Values.certificates.renewBefore }}
|
renewBefore: {{ .Values.certificates.renewBefore }}
|
||||||
{{- end }}
|
{{- end }}
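Review bot: `algorithm: {{ .Values.certificates.keyAlgorithm }}` now feeds the v1 `privateKey.algorithm` field, whose accepted values are, to my knowledge, the case-sensitive `RSA`, `ECDSA` and `Ed25519`, whereas the old `keyAlgorithm` field took lower-case names. The default for `certificates.keyAlgorithm` is not part of this diff, so please confirm it is spelled `RSA` rather than `rsa`; otherwise the Certificate will be rejected once `enableSecurity` is on. A comment next to that default, e.g. `# one of RSA, ECDSA, Ed25519 (cert-manager.io/v1 spelling)`, would keep overrides from reintroducing the old form. The same two lines appear in the filer, master and volume certificate hunks.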
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
apiVersion: certmanager.k8s.io/v1alpha1
|
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "seaweedfs.name" . }}-filer-cert
|
name: {{ template "seaweedfs.name" . }}-filer-cert
|
||||||
|
@ -7,10 +7,11 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
secretName: {{ template "seaweedfs.name" . }}-filer-cert
|
secretName: {{ template "seaweedfs.name" . }}-filer-cert
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: {{ template "seaweedfs.name" . }}-clusterissuer
|
name: {{ template "seaweedfs.name" . }}-ca-issuer
|
||||||
kind: ClusterIssuer
|
kind: Issuer
|
||||||
commonName: {{ .Values.certificates.commonName }}
|
commonName: {{ .Values.certificates.commonName }}
|
||||||
organization:
|
subject:
|
||||||
|
organizations:
|
||||||
- "SeaweedFS CA"
|
- "SeaweedFS CA"
|
||||||
dnsNames:
|
dnsNames:
|
||||||
- '*.{{ .Release.Namespace }}'
|
- '*.{{ .Release.Namespace }}'
|
||||||
|
@ -26,8 +27,9 @@ spec:
|
||||||
- {{ . }}
|
- {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
|
privateKey:
|
||||||
keySize: {{ .Values.certificates.keySize }}
|
algorithm: {{ .Values.certificates.keyAlgorithm }}
|
||||||
|
size: {{ .Values.certificates.keySize }}
|
||||||
duration: {{ .Values.certificates.duration }}
|
duration: {{ .Values.certificates.duration }}
|
||||||
renewBefore: {{ .Values.certificates.renewBefore }}
|
renewBefore: {{ .Values.certificates.renewBefore }}
|
||||||
{{- end }}
|
{{- end }}
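Review bot: The new `subject.organizations` entry keeps the value `"SeaweedFS CA"` on a leaf certificate. Together with the shared `commonName: {{ .Values.certificates.commonName }}` and the `'*.{{ .Release.Namespace }}'` wildcard, this gives the client, filer, master and volume certificates the same subject and overlapping SANs. If peers are meant to distinguish components by certificate, the four key pairs are interchangeable, so compromise of one component's secret affects all of them. A per-component subject, for example `commonName: {{ template "seaweedfs.name" . }}-filer` here, would narrow that, provided nothing else matches on the shared name. The lines between the two hunks are not shown, so any further SANs or `usages` are not visible.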
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
apiVersion: certmanager.k8s.io/v1alpha1
|
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "seaweedfs.name" . }}-master-cert
|
name: {{ template "seaweedfs.name" . }}-master-cert
|
||||||
|
@ -7,10 +7,11 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
secretName: {{ template "seaweedfs.name" . }}-master-cert
|
secretName: {{ template "seaweedfs.name" . }}-master-cert
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: {{ template "seaweedfs.name" . }}-clusterissuer
|
name: {{ template "seaweedfs.name" . }}-ca-issuer
|
||||||
kind: ClusterIssuer
|
kind: Issuer
|
||||||
commonName: {{ .Values.certificates.commonName }}
|
commonName: {{ .Values.certificates.commonName }}
|
||||||
organization:
|
subject:
|
||||||
|
organizations:
|
||||||
- "SeaweedFS CA"
|
- "SeaweedFS CA"
|
||||||
dnsNames:
|
dnsNames:
|
||||||
- '*.{{ .Release.Namespace }}'
|
- '*.{{ .Release.Namespace }}'
|
||||||
|
@ -26,8 +27,9 @@ spec:
|
||||||
- {{ . }}
|
- {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
|
privateKey:
|
||||||
keySize: {{ .Values.certificates.keySize }}
|
algorithm: {{ .Values.certificates.keyAlgorithm }}
|
||||||
|
size: {{ .Values.certificates.keySize }}
|
||||||
duration: {{ .Values.certificates.duration }}
|
duration: {{ .Values.certificates.duration }}
|
||||||
renewBefore: {{ .Values.certificates.renewBefore }}
|
renewBefore: {{ .Values.certificates.renewBefore }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{{- if .Values.global.enableSecurity }}
|
{{- if .Values.global.enableSecurity }}
|
||||||
apiVersion: certmanager.k8s.io/v1alpha1
|
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "seaweedfs.name" . }}-volume-cert
|
name: {{ template "seaweedfs.name" . }}-volume-cert
|
||||||
|
@ -7,10 +7,11 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
secretName: {{ template "seaweedfs.name" . }}-volume-cert
|
secretName: {{ template "seaweedfs.name" . }}-volume-cert
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: {{ template "seaweedfs.name" . }}-clusterissuer
|
name: {{ template "seaweedfs.name" . }}-ca-issuer
|
||||||
kind: ClusterIssuer
|
kind: Issuer
|
||||||
commonName: {{ .Values.certificates.commonName }}
|
commonName: {{ .Values.certificates.commonName }}
|
||||||
organization:
|
subject:
|
||||||
|
organizations:
|
||||||
- "SeaweedFS CA"
|
- "SeaweedFS CA"
|
||||||
dnsNames:
|
dnsNames:
|
||||||
- '*.{{ .Release.Namespace }}'
|
- '*.{{ .Release.Namespace }}'
|
||||||
|
@ -26,8 +27,9 @@ spec:
|
||||||
- {{ . }}
|
- {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
|
privateKey:
|
||||||
keySize: {{ .Values.certificates.keySize }}
|
algorithm: {{ .Values.certificates.keyAlgorithm }}
|
||||||
|
size: {{ .Values.certificates.keySize }}
|
||||||
duration: {{ .Values.certificates.duration }}
|
duration: {{ .Values.certificates.duration }}
|
||||||
renewBefore: {{ .Values.certificates.renewBefore }}
|
renewBefore: {{ .Values.certificates.renewBefore }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
@ -9,6 +9,8 @@ global:
|
||||||
restartPolicy: Always
|
restartPolicy: Always
|
||||||
loggingLevel: 1
|
loggingLevel: 1
|
||||||
enableSecurity: false
|
enableSecurity: false
|
||||||
|
certificates:
|
||||||
|
alphacrds: false
|
||||||
monitoring:
|
monitoring:
|
||||||
enabled: false
|
enabled: false
|
||||||
gatewayHost: null
|
gatewayHost: null
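Review bot: The new key `alphacrds` is all lower-case while the neighbouring keys are camelCase (`enableSecurity`, `loggingLevel`, `gatewayHost`). It also sits under `global.certificates`, although the templates read every other certificate setting from the top-level `certificates` map. I would rename it to `alphaCrds`, updating `.Values.global.certificates.alphacrds` in the templates, and add a comment above it such as `# render cert-manager resources with the alpha API version instead of cert-manager.io/v1`. The `global:` block starts before this hunk and continues after it.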
|
||||||
|
|