Skip to content

Commit

Permalink
value renamed, ca in secret, logic moved to _helper
Browse files Browse the repository at this point in the history
  • Loading branch information
tomplus committed Nov 3, 2023
1 parent 6a9de44 commit 98bbb0b
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 28 deletions.
36 changes: 36 additions & 0 deletions charts/opentelemetry-operator/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -79,3 +79,39 @@ Create an ordered name of the MutatingWebhookConfiguration
{{- define "opentelemetry-operator.MutatingWebhookName" -}}
{{- printf "%s-%s" (.Values.admissionWebhooks.namePrefix | toString) (include "opentelemetry-operator.fullname" .) | trimPrefix "-" }}
{{- end }}

{{/*
Return certificate and CA for Webhooks.
It handles variants when a cert has to be generated by Helm,
a cert is loaded from an existing secret or is provided via `.Values`
*/}}
{{- define "opentelemetry-operator.WebhookCert" -}}
{{- $caCertEnc := "" }}
{{- $certCrtEnc := "" }}
{{- $certKeyEnc := "" }}
{{- if .Values.admissionWebhooks.autoGenerateCert.enabled }}
{{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace (default (printf "%s-controller-manager-service-cert" (include "opentelemetry-operator.fullname" .)) .Values.admissionWebhooks.secretName )) }}
{{- if and (not .Values.admissionWebhooks.autoGenerateCert.recreate) $prevSecret }}
{{- $certCrtEnc = index $prevSecret "data" "tls.crt" }}
{{- $certKeyEnc = index $prevSecret "data" "tls.key" }}
{{- $caCertEnc = index $prevSecret "data" "ca.crt" }}
{{- if not $caCertEnc }}
{{- $prevHook := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace (print (include "opentelemetry-operator.MutatingWebhookName" . ) "-mutation")) }}
{{- $caCertEnc = (first $prevHook.webhooks).clientConfig.caBundle }}
{{- end }}
{{- else }}
{{- $altNames := list ( printf "%s-webhook.%s" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) ( printf "%s-webhook.%s.svc" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) -}}
{{- $ca := genCA "opentelemetry-operator-operator-ca" 365 }}
{{- $cert := genSignedCert (include "opentelemetry-operator.fullname" .) nil $altNames 365 $ca }}
{{- $certCrtEnc = b64enc $cert.Cert }}
{{- $certKeyEnc = b64enc $cert.Key }}
{{- $caCertEnc = b64enc $ca.Cert }}
{{- end }}
{{- else }}
{{- $certCrtEnc = b64enc .Values.admissionWebhooks.cert_file }}
{{- $certKeyEnc = b64enc .Values.admissionWebhooks.key_file }}
{{- $caCertEnc = b64enc .Values.admissionWebhooks.ca_file }}
{{- end }}
{{- $result := dict "crt" $certCrtEnc "key" $certKeyEnc "ca" $caCertEnc }}
{{- $result | toYaml }}
{{- end }}
Original file line number Diff line number Diff line change
@@ -1,27 +1,8 @@
{{- if and (.Values.admissionWebhooks.create) (not .Values.admissionWebhooks.certManager.enabled) }}
{{- $altNames := list ( printf "%s-webhook.%s" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) ( printf "%s-webhook.%s.svc" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) -}}
{{- $caCertEnc := "" }}
{{- $certCrtEnc := "" }}
{{- $certKeyEnc := "" }}
{{- if .Values.admissionWebhooks.autoGenerateCert.enabled }}
{{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace (default (printf "%s-controller-manager-service-cert" (include "opentelemetry-operator.fullname" .)) .Values.admissionWebhooks.secretName )) }}
{{- $prevHook := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace (print (include "opentelemetry-operator.MutatingWebhookName" . ) "-mutation")) }}
{{- if and .Values.admissionWebhooks.autoGenerateCert.ifNotExists $prevSecret $prevHook }}
{{- $certCrtEnc = index $prevSecret "data" "tls.crt" }}
{{- $certKeyEnc = index $prevSecret "data" "tls.key" }}
{{- $caCertEnc = (first $prevHook.webhooks).clientConfig.caBundle }}
{{- else }}
{{- $ca := genCA "opentelemetry-operator-operator-ca" 365 }}
{{- $cert := genSignedCert (include "opentelemetry-operator.fullname" .) nil $altNames 365 $ca }}
{{- $certCrtEnc = b64enc $cert.Cert }}
{{- $certKeyEnc = b64enc $cert.Key }}
{{- $caCertEnc = b64enc $ca.Cert }}
{{- end }}
{{- else }}
{{- $certCrtEnc = b64enc .Values.admissionWebhooks.cert_file }}
{{- $certKeyEnc = b64enc .Values.admissionWebhooks.key_file }}
{{- $caCertEnc = b64enc .Values.admissionWebhooks.ca_file }}
{{- end }}
{{- $cert := fromYaml (include "opentelemetry-operator.WebhookCert" .) }}
{{- $caCertEnc := $cert.ca }}
{{- $certCrtEnc := $cert.crt }}
{{- $certKeyEnc := $cert.key }}
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
Expand All @@ -43,6 +24,7 @@ metadata:
data:
tls.crt: {{ $certCrtEnc }}
tls.key: {{ $certKeyEnc }}
ca.crt: {{ $caCertEnc }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
Expand Down
6 changes: 3 additions & 3 deletions charts/opentelemetry-operator/values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -1341,7 +1341,7 @@
"title": "The autoGenerateCert Schema",
"required": [
"enabled",
"ifNotExists"
"recreate"
],
"properties": {
"enabled": {
Expand All @@ -1352,10 +1352,10 @@
true
]
},
"ifNotExists": {
"recreate": {
"type": "boolean",
"default": true,
"title": "The ifNotExists Schema",
"title": "The recreate Schema",
"examples": [
true
]
Expand Down
4 changes: 2 additions & 2 deletions charts/opentelemetry-operator/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -223,8 +223,8 @@ admissionWebhooks:
## If true and certManager.enabled is false, Helm will automatically create a self-signd cert and secret for you.
autoGenerateCert:
enabled: true
# true means generate cert if cert not exists only
ifNotExists: true
# If set to true, new webhook key/certificate is generated on helm upgrade.
recreate: false

## TLS Certificate Option 3: Use your own self-signed certificate.
## certManager and autoGenerateCert must be disabled and cert_file, key_file, and ca_file must be set.
Expand Down

0 comments on commit 98bbb0b

Please sign in to comment.