
Commit 8583b14

committed
wip: adapt to the proposed certgen configuration
Signed-off-by: Marco Iorio <[email protected]>
1 parent bf74e87 commit 8583b14


2 files changed

+128
-36
lines changed


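--- a/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl
+++ b/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl
@@ -1,9 +1,5 @@
 {{- define "clustermesh-apiserver-generate-certs.job.spec" }}
-{{- $certValiditySecondsStr := printf "%ds" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24 60 60) -}}
-{{- $clustermeshServerSANs := concat (list "*.mesh.cilium.io" (printf "clustermesh-apiserver.%s.svc" .Release.Namespace))
-  .Values.clustermesh.apiserver.tls.server.extraDnsNames
-  .Values.clustermesh.apiserver.tls.server.extraIpAddresses
--}}
+{{- $certValidityStr := printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) -}}
 spec:
   template:
     metadata:
@@ -29,21 +25,58 @@ spec:
             {{- if and .Values.tls.ca.cert .Values.tls.ca.key }}
             - "--ca-secret-name=cilium-ca"
             {{- end }}
-            - "--clustermesh-apiserver-server-cert-generate"
-            - "--clustermesh-apiserver-server-cert-validity-duration={{ $certValiditySecondsStr }}"
-            - "--clustermesh-apiserver-server-cert-sans={{ join "," $clustermeshServerSANs }}"
-            - "--clustermesh-apiserver-admin-cert-generate"
-            - "--clustermesh-apiserver-admin-cert-validity-duration={{ $certValiditySecondsStr }}"
-            - "--clustermesh-apiserver-admin-cert-common-name={{ include "clustermesh-apiserver-generate-certs.admin-common-name" . }}"
-            {{- if .Values.externalWorkloads.enabled }}
-            - "--clustermesh-apiserver-client-cert-generate"
-            - "--clustermesh-apiserver-client-cert-validity-duration={{ $certValiditySecondsStr }}"
-            {{- end }}
-            {{- if .Values.clustermesh.useAPIServer }}
-            - "--clustermesh-apiserver-remote-cert-generate"
-            - "--clustermesh-apiserver-remote-cert-validity-duration={{ $certValiditySecondsStr }}"
-            - "--clustermesh-apiserver-remote-cert-common-name={{ include "clustermesh-apiserver-generate-certs.remote-common-name" . }}"
-            {{- end }}
+          env:
+            - name: CILIUM_CERTGEN_CONFIG
+              value: |
+                certs:
+                  - name: clustermesh-apiserver-server-cert
+                    namespace: {{ .Release.Namespace }}
+                    commonName: "clustermesh-apiserver.cilium.io"
+                    hosts:
+                      - "clustermesh-apiserver.cilium.io"
+                      - "*.mesh.cilium.io"
+                      - "clustermesh-apiserver.{{ .Release.Namespace }}.svc"
+                      {{- range $dns := .Values.clustermesh.apiserver.tls.server.extraDnsNames }}
+                      - {{ $dns | quote }}
+                      {{- end }}
+                      - "127.0.0.1"
+                      - "::1"
+                      {{- range $ip := .Values.clustermesh.apiserver.tls.server.extraIpAddresses }}
+                      - {{ $ip | quote }}
+                      {{- end }}
+                    usage:
+                      - signing
+                      - key encipherment
+                      - server auth
+                    validity: {{ $certValidityStr }}
+                  - name: clustermesh-apiserver-admin-cert
+                    namespace: {{ .Release.Namespace }}
+                    commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . | quote }}
+                    usage:
+                      - signing
+                      - key encipherment
+                      - client auth
+                    validity: {{ $certValidityStr }}
+                  {{- if .Values.clustermesh.useAPIServer }}
+                  - name: clustermesh-apiserver-remote-cert
+                    namespace: {{ .Release.Namespace }}
+                    commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . | quote }}
+                    usage:
+                      - signing
+                      - key encipherment
+                      - client auth
+                    validity: {{ $certValidityStr }}
+                  {{- end }}
+                  {{- if .Values.externalWorkloads.enabled }}
+                  - name: clustermesh-apiserver-client-cert
+                    namespace: {{ .Release.Namespace }}
+                    commonName: "externalworkload"
+                    usage:
+                      - signing
+                      - key encipherment
+                      - client auth
+                    validity: {{ $certValidityStr }}
+                  {{- end }}
           {{- with .Values.certgen.extraVolumeMounts }}
           volumeMounts:
           {{- toYaml . | nindent 10 }}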
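Review bot: `namespace: {{ .Release.Namespace }}` is emitted unquoted inside the CILIUM_CERTGEN_CONFIG block scalar (new lines 33, 53, 62 and 73), while the `$dns` and `$ip` entries next to it go through `quote`; an all-digit namespace name is a valid DNS label and would be read back as an integer by the consumer's YAML loader, so `namespace: {{ .Release.Namespace | quote }}` is the safer form, and the same applies to the corresponding lines in the hubble `_job-spec.tpl` hunk. The server certificate's `hosts` list now also carries `"127.0.0.1"` and `"::1"`, which the replaced `$clustermeshServerSANs` list did not; if certgen previously added the loopback SANs itself this is a no-op, otherwise it widens the certificate and deserves a one-line comment above the two entries saying why they are needed. The `define` block continues past the end of the hunk.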

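--- a/install/kubernetes/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
+++ b/install/kubernetes/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
@@ -1,5 +1,5 @@
 {{- define "hubble-generate-certs.job.spec" }}
-{{- $certValiditySecondsStr := printf "%ds" (mul .Values.hubble.tls.auto.certValidityDuration 24 60 60) -}}
+{{- $certValidityStr := printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) -}}
 spec:
   template:
     metadata:
@@ -28,21 +28,80 @@ spec:
             {{- if and .Values.tls.ca.cert .Values.tls.ca.key }}
             - "--ca-secret-name=cilium-ca"
             {{- end }}
-            - "--hubble-server-cert-generate"
-            - "--hubble-server-cert-common-name={{ list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }}"
-            - "--hubble-server-cert-validity-duration={{ $certValiditySecondsStr }}"
-            {{- if .Values.hubble.relay.enabled }}
-            - "--hubble-relay-client-cert-generate"
-            - "--hubble-relay-client-cert-validity-duration={{ $certValiditySecondsStr }}"
-            {{- end }}
-            {{- if and .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
-            - "--hubble-relay-server-cert-generate"
-            - "--hubble-relay-server-cert-validity-duration={{ $certValiditySecondsStr }}"
-            {{- end }}
-            {{- if and .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
-            - "--hubble-metrics-server-cert-generate"
-            - "--hubble-metrics-server-cert-validity-duration={{ $certValiditySecondsStr }}"
-            {{- end }}
+          env:
+            - name: CILIUM_CERTGEN_CONFIG
+              value: |
+                certs:
+                  - name: hubble-server-certs
+                    namespace: {{ .Release.Namespace }}
+                    commonName: {{ list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." | quote }}
+                    hosts:
+                      - {{ list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." | quote }}
+                      {{- range $dns := .Values.hubble.tls.server.extraDnsNames }}
+                      - {{ $dns | quote }}
+                      {{- end }}
+                      {{- range $ip := .Values.hubble.tls.server.extraIpAddresses }}
+                      - {{ $ip | quote }}
+                      {{- end }}
+                    usage:
+                      - signing
+                      - key encipherment
+                      - server auth
+                    validity: {{ $certValidityStr }}
+                  {{- if .Values.hubble.relay.enabled }}
+                  - name: hubble-relay-client-certs
+                    namespace: {{ .Release.Namespace }}
+                    commonName: "*.hubble-relay.cilium.io"
+                    hosts:
+                      - "*.hubble-relay.cilium.io"
+                    usage:
+                      - signing
+                      - key encipherment
+                      - client auth
+                    validity: {{ $certValidityStr }}
+                  {{- end }}
+                  {{- if and .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
+                  - name: hubble-relay-server-certs
+                    namespace: {{ .Release.Namespace }}
+                    commonName: "*.hubble-relay.cilium.io"
+                    hosts:
+                      - "*.hubble-relay.cilium.io"
+                    usage:
+                      - signing
+                      - key encipherment
+                      - server auth
+                    validity: {{ $certValidityStr }}
+                  {{- end }}
+                  {{- if and .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
+                  - name: hubble-metrics-server-certs
+                    namespace: {{ .Release.Namespace }}
+                    commonName: {{ list (.Values.cluster.name | replace "." "-") "hubble-metrics.cilium.io" | join "." }} | quote }}
+                    hosts:
+                      - {{ list (.Values.cluster.name | replace "." "-") "hubble-metrics.cilium.io" | join "." }} | quote }}
+                      {{- range $dns := .Values.hubble.metrics.tls.server.extraDnsNames }}
+                      - {{ $dns | quote }}
+                      {{- end }}
+                      {{- range $ip := .Values.hubble.metrics.tls.server.extraIpAddresses }}
+                      - {{ $ip | quote }}
+                      {{- end }}
+                    usage:
+                      - signing
+                      - key encipherment
+                      - server auth
+                    validity: {{ $certValidityStr }}
+                  {{- end }}
+                  {{- if and .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
+                  - name: hubble-ui-client-certs
+                    namespace: {{ .Release.Namespace }}
+                    commonName: "*.hubble-ui.cilium.io"
+                    hosts:
+                      - "*.hubble-ui.cilium.io"
+                    usage:
+                      - signing
+                      - key encipherment
+                      - client auth
+                    validity: {{ $certValidityStr }}
+                  {{- end }}
           {{- with .Values.certgen.extraVolumeMounts }}
           volumeMounts:
           {{- toYaml . | nindent 10 }}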
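Review bot: The hubble-metrics-server-certs entry closes the template action before the `quote` (new lines 78 and 80: `... | join "." }} | quote }}`), so the rendered config carries the literal text ` | quote }}` after the hostname in both `commonName` and the single fixed `hosts` entry, and the metrics server certificate would be requested for a wrong name; the hubble-server-certs entry above shows the intended form, `commonName: {{ list (.Values.cluster.name | replace "." "-") "hubble-metrics.cilium.io" | join "." | quote }}` and likewise for the `hosts` item. The entry is gated on both hubble.metrics.enabled and hubble.metrics.tls.enabled, so the problem only shows up when metrics TLS is on; a rendered-template check for that combination would have caught it. The `define` block continues past the end of the hunk.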
