feat: added support for externally-managed-tls-secret (#1746)

Co-authored-by: Jehoszafat Zimnowoda <[email protected]>

Author: merll

bin/compare.sh

@@ -23,7 +23,8 @@ helmfile template $templateArgs --output-dir-template="../$targetDirA/{{.Release
 git checkout $branchB
 
 # order of arguments matters so new chanages are green color
-bin/dyff.sh $targetDirA $targetDirB
+echo "Comparing $targetDirB with $targetDirA"
+bin/dyff.sh $targetDirB $targetDirA
 
 echo "#########################################################"
 echo "#"

charts/team-ns/templates/_ingress.tpl

@@ -125,15 +125,11 @@ spec:
         - {{ $domain }}
           {{- if hasKey $secrets $domain }}
             {{- if ne (index $secrets $domain) "" }}
-{{/*If a team provides its own certificate in the team namespace then Otomi cornjob makes a copy of it*/}} 
+{{/*If a team provides its own certificate in the team namespace then Otomi cronjob makes a copy of it*/}} 
       secretName: copy-team-{{ $v.teamId }}-{{ index $secrets $domain }}
             {{- end }}
           {{- else }}
-            {{- if eq $cm.issuer "byo-wildcard-cert" }}
-      secretName: otomi-byo-wildcard-cert
-            {{- else }}
-      secretName: otomi-cert-manager-wildcard-cert
-            {{- end}}
+      secretName: {{ $v._derived.tlsSecretName }}
           {{- end }}
         {{- end }}
       {{- end }}

charts/team-ns/templates/ingress/harbor-public.yaml

@@ -5,7 +5,6 @@
 {{- $cm := index $v.apps "cert-manager" }}
 {{- $ingress :=  $v.ingress.platformClass }}
 {{- $name :=  printf "nginx-team-%s-platform-public-open-forward-harbor" $v.teamId }}
-{{- $secretName := ternary "otomi-byo-wildcard-cert" "otomi-cert-manager-wildcard-cert" (eq $cm.issuer "byo-wildcard-cert") }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -68,6 +67,6 @@ spec:
   tls:
     - hosts:
         - {{ $domain }}
-      secretName: {{ $secretName }}
+      secretName: {{ $v._derived.tlsSecretName }}
 {{- end }}
 {{- end }}

helmfile.d/helmfile-60.teams.yaml

@@ -231,6 +231,8 @@ releases:
         domain: {{ $domain }}
         ingress: {{- $v.ingress | toYaml | nindent 10 }}
         dns: {{- $v.dns | toYaml | nindent 10 }}
+        _derived:
+          tlsSecretName: {{ $v._derived.tlsSecretName }}
       - {{- omit $team "apps" | toYaml | nindent 8 }}
         teamId: {{ $teamId }}
         teamIds: {{- toYaml (keys $v.teamConfig) | nindent 10 }}

helmfile.d/snippets/derived.gotmpl

@@ -29,6 +29,12 @@
 {{- $oidcWellKnownUrl := printf "%s/.well-known/openid-configuration" $oidcBaseUrl }}
 {{- $oidcBaseUrlBackchannel := "http://keycloak-http.keycloak/realms/otomi" }}
 {{- $oidcWellKnownBackchannel := printf "%s/.well-known/openid-configuration" $oidcBaseUrlBackchannel }}
+{{- $tlsSecretName := "otomi-cert-manager-wildcard-cert" }}
+{{- if eq $cm.issuer "externally-managed-tls-secret" }}
+  {{- $tlsSecretName = $cm.externallyManagedTlsSecretName }}
+{{- else if eq $cm.issuer "byo-wildcard-cert" }}
+  {{- $tlsSecretName = "byo-wildcard-cert" }}
+{{- end -}}
 
 {{- if and (not (env "CI")) (not (env "VALUES_INPUT")) (hasKey $v.cluster "k8sContext") }}
 helmDefaults:
@@ -150,6 +156,7 @@ environments:
           oidcWellKnownUrlBackchannel: {{ $oidcWellKnownBackchannel}}
           giteaDomain: {{ printf "gitea.%s" $domainSuffix }}
           keycloakDomain: {{ printf "keycloak.%s" $domainSuffix }}
+          tlsSecretName: {{ $tlsSecretName }}
         apps:
           argocd:
             enabled: true

tests/fixtures/env/apps/cert-manager.yaml

@@ -1,5 +1,11 @@
 apps:
     cert-manager:
-        issuer: letsencrypt
-        email: [email protected]
-        stage: staging
+        # issuer: letsencrypt
+        # email: [email protected]
+        # stage: staging
+        # issuer: custom-ca
+        issuer: externally-managed-tls-secret
+        externallyManagedTlsSecretName: mysecret
+        # issuer: byo-wildcard-cert
+        # byoWildcardCert: byoCert
+        # byoWildcardCertKey: byoCertKey

values-schema.yaml

@@ -1529,6 +1529,11 @@ properties:
             description: 'A certificate key corresponding to the byoWildcardCert.'
             type: string
             x-secret: ''
+          externallyManagedTlsSecretName:
+            description: |
+              The name of a custom secret in the istio-system namespace that contains a trusted certificate and private key.
+              To be used with issuer externally-managed-tls-secret.
+            type: string
           customRootCA:
             x-secret: ''
             type: string
@@ -1545,11 +1550,15 @@ properties:
               The custom-ca - cert-manager uses the customRootCA to generate wildcard certificate.
               The letsencrypt - cert-manager requests certificate from letsencrypt endpoint.
               The byo-wildcard-cert allows users to bring their own trusted wildcard certificate (cert-manager not involved)
+              through the values byoWildcardCert and byoWildcardCertKey.
+              The externally-managed-tls-secret is similar to byo-wildcard-cert, but assumes the certificate is already stored
+              in a secret (referenced by externallyManagedTlsSecretName) and not provided through the values.
             type: string
             enum:
               - custom-ca
               - letsencrypt
               - byo-wildcard-cert
+              - externally-managed-tls-secret
             default: custom-ca
           stage:
             type: string

values/oauth2-proxy/oauth2-proxy-raw.gotmpl

@@ -43,10 +43,6 @@ resources:
             path: /
             pathType: Prefix
       tls: 
-        {{- if eq $cm.issuer "byo-wildcard-cert" }}
-        - secretName: "otomi-byo-wildcard-cert"
-        {{- else }}
-        - secretName: otomi-cert-manager-wildcard-cert
-        {{- end }}
+        - secretName: {{ $v._derived.tlsSecretName }}
           hosts:
             - '{{ $domain }}'