diff --git a/charts/s3gw/templates/_helpers.tpl b/charts/s3gw/templates/_helpers.tpl index b6dc68a..2ba295b 100644 --- a/charts/s3gw/templates/_helpers.tpl +++ b/charts/s3gw/templates/_helpers.tpl @@ -239,3 +239,16 @@ COSI endpoint {{- $endpoint := default $defaultendpoint .Values.cosi.driver.endpoint }} {{- $endpoint }} {{- end }} + + +{{- define "s3gw.tlsIssuerName" -}} +{{- if .Values.customTlsIssuer }} +{{- printf "%s" .Values.customTlsIssuer }} +{{- else if eq .Values.tlsIssuer "s3gw-issuer" }} +{{- printf "%s-%s-self-signed-issuer" .Release.Name .Release.Namespace }} +{{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }} +{{- printf "%s-%s-letsencrypt-issuer" .Release.Name .Release.Namespace }} +{{- else }} +{{- printf "%s-%s-%s-issuer" .Release.Name .Release.Namespace .Values.tlsIssuer }} +{{- end }} +{{- end }} diff --git a/charts/s3gw/templates/certificate.yaml b/charts/s3gw/templates/certificate.yaml index aa0f796..7ec4d95 100644 --- a/charts/s3gw/templates/certificate.yaml +++ b/charts/s3gw/templates/certificate.yaml @@ -1,6 +1,8 @@ {{- if .Values.useCertManager }} --- # s3gw-ca root certificate +# This is the root certificate that will be used by the private ca issuer to +# issue a certificate for the cluster-internal connection apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -13,13 +15,14 @@ spec: isCA: true issuerRef: kind: ClusterIssuer - name: {{ .Release.Name }}-{{ .Release.Namespace }}-self-signed-issuer + name: {{ .Release.Name }}-{{ .Release.Namespace }}-private-issuer privateKey: algorithm: ECDSA size: 256 secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-ca-root --- # s3gw internal service certificate (private domain) +# This is the certificate that is requested for the cluster internal connection apiVersion: cert-manager.io/v1 kind: Certificate metadata: 
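Review bot: The final `else` branch of `s3gw.tlsIssuerName` builds a `-<tlsIssuer>-issuer` name for any value, but tls-issuer.yaml (hunk `@@ -1,36 +1,34 @@`) has `spec:` branches only for `s3gw-issuer` and `s3gw-letsencrypt-issuer`, so a misspelled value renders a ClusterIssuer with an empty `spec` that the API server rejects instead of failing at `helm template` time. Replace the branch body with `{{- fail (printf "unsupported tlsIssuer %q" .Values.tlsIssuer) }}`. `printf "%s" .Values.customTlsIssuer` is equivalent to `{{- .Values.customTlsIssuer }}`. A one-line comment above the define stating that the helper returns the ClusterIssuer name used both in the ingress annotation and as the rendered issuer's `metadata.name` would help the next reader.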
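Review bot: The root CA Certificate's `issuerRef` now points at `-private-issuer`, which in tls-issuer.yaml (hunk `@@ -1,36 +1,34 @@`) is the `ca:` ClusterIssuer whose `secretName` is the same `-ca-root` secret this Certificate is meant to create, so the bootstrap looks circular: the CA issuer cannot sign until the secret exists, and nothing else is referenced that could produce it, since the former `-self-signed-issuer` is no longer named here and is not rendered at all when `customTlsIssuer` is set. If that reading is right, the root certificate should keep `name: {{ .Release.Name }}-{{ .Release.Namespace }}-self-signed-issuer` and the `selfSigned: {}` ClusterIssuer should be rendered unconditionally, outside the `if empty .Values.customTlsIssuer` block. The new test suite asserts exactly one ClusterIssuer in the custom-issuer case and would need to change with it.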
@@ -33,6 +36,6 @@ spec: - '*.{{ include "s3gw.serviceName" . }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}' issuerRef: kind: ClusterIssuer - name: {{ .Release.Name }}-{{ .Release.Namespace }}-issuer + name: {{ .Release.Name }}-{{ .Release.Namespace }}-private-issuer secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-ip-tls {{- end }} diff --git a/charts/s3gw/templates/ingress-traefik.yaml b/charts/s3gw/templates/ingress-traefik.yaml index fff133c..ed9520c 100644 --- a/charts/s3gw/templates/ingress-traefik.yaml +++ b/charts/s3gw/templates/ingress-traefik.yaml @@ -12,7 +12,7 @@ metadata: traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-{{ include "s3gw.CORSMiddlewareName" . }}@kubernetescrd' - cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }} + cert-manager.io/cluster-issuer: {{ include "s3gw.tlsIssuerName" . | quote }} spec: tls: - hosts: @@ -88,7 +88,7 @@ metadata: traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-{{ include "s3gw.CORSMiddlewareName" . }}@kubernetescrd' - cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }} + cert-manager.io/cluster-issuer: {{ include "s3gw.tlsIssuerName" . | quote }} spec: tls: - hosts: diff --git a/charts/s3gw/templates/tls-issuer.yaml b/charts/s3gw/templates/tls-issuer.yaml index e9ae249..89d5816 100644 --- a/charts/s3gw/templates/tls-issuer.yaml +++ b/charts/s3gw/templates/tls-issuer.yaml 
@@ -1,36 +1,34 @@ {{- if .Values.useCertManager }} -{{- if eq .Values.tlsIssuer "s3gw-issuer" }} ---- -# Self-signed issuer -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: {{ .Release.Name }}-{{ .Release.Namespace }}-self-signed-issuer - labels: -{{ include "s3gw.labels" . | indent 4}} -spec: - selfSigned: {} --- # Private s3gw-ca issuer +# This issuer is needed in all cases to issue a certificate for the +# cluster-internal connection apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: {{ .Release.Name }}-{{ .Release.Namespace }}-issuer + name: {{ .Release.Name }}-{{ .Release.Namespace }}-private-issuer labels: {{ include "s3gw.labels" . | indent 4}} spec: ca: secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-ca-root -{{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }} +{{- if empty .Values.customTlsIssuer }} --- -# Let's encrypt production issuer +# This issuer is either using self-signed certificates or requesting +# certificates from Letsencrypt. This is used to issue certificates for the +# ingress, both for the S3 endpoint at the ingres as well as the UI. apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: {{ .Release.Name }}-{{ .Release.Namespace }}-letsencrypt-issuer + name: {{ include "s3gw.tlsIssuerName" . | quote }} labels: {{ include "s3gw.labels" . | indent 4}} spec: +{{- if eq .Values.tlsIssuer "s3gw-issuer" }} + # Self-signed issuer + selfSigned: {} +{{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }} + # Let's encrypt production issuer acme: email: {{ .Values.email }} preferredChain: "" @@ -47,3 +45,4 @@ spec: traefik.ingress.kubernetes.io/router.tls: "true" {{- end }} {{- end }} +{{- end }} diff --git a/charts/s3gw/tests/certmanager_test.yaml b/charts/s3gw/tests/certmanager_test.yaml new file mode 100644 index 0000000..bb173da --- /dev/null +++ b/charts/s3gw/tests/certmanager_test.yaml 
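Review bot: `name: {{ include "s3gw.tlsIssuerName" . | quote }}` is the only quoted `metadata.name` in the file; the other names in this hunk are plain scalars, and the helper output contains no YAML specials, so drop the `| quote` for consistency. With `tlsIssuer: s3gw-issuer` the ingress certificates are now issued directly by the `selfSigned` ClusterIssuer rather than chained under the chart's private CA, so a client that imports only the `-ca-root` secret will not trust them; if that is intended, the new comment block should say so. The same comment misspells "ingress" as "ingres".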
@@ -0,0 +1,121 @@ +--- +suite: Certificate Manager +templates: + - ingress-traefik.yaml + - tls-issuer.yaml + - certificate.yaml +release: + name: s3gw-release + namespace: s3gw-system +set: + ingress.enabled: true + useCertManager: true + certManagerNamespace: "cert-manager-system" +tests: + + - it: Certificates + asserts: + + - hasDocuments: + count: 2 + template: certificate.yaml + + - containsDocument: + kind: Certificate + apiVersion: cert-manager.io/v1 + name: s3gw-release-s3gw-system-ca-cert + namespace: cert-manager-system + documentIndex: 0 + template: certificate.yaml + + - containsDocument: + kind: Certificate + apiVersion: cert-manager.io/v1 + name: s3gw-release-s3gw-system-cluster-ip-cert + namespace: s3gw-system + documentIndex: 1 + template: certificate.yaml + + - it: Custom TLS Issuer + set: + tlsIssuer: "s3gw-issuer" + customTlsIssuer: "my-tls-issuer" + asserts: + + - hasDocuments: + count: 1 + template: tls-issuer.yaml + + - containsDocument: + kind: ClusterIssuer + apiVersion: cert-manager.io/v1 + name: s3gw-release-s3gw-system-private-issuer + documentIndex: 0 + template: tls-issuer.yaml + + - isSubset: + path: metadata.annotations + content: + cert-manager.io/cluster-issuer: my-tls-issuer + documentIndex: 0 + template: ingress-traefik.yaml + + - it: Self Signed Issuer + set: + tlsIssuer: "s3gw-issuer" + asserts: + + - hasDocuments: + count: 2 + template: tls-issuer.yaml + + - containsDocument: + kind: ClusterIssuer + apiVersion: cert-manager.io/v1 + name: s3gw-release-s3gw-system-private-issuer + documentIndex: 0 + template: tls-issuer.yaml + + - containsDocument: + kind: ClusterIssuer + apiVersion: cert-manager.io/v1 + name: s3gw-release-s3gw-system-self-signed-issuer + documentIndex: 1 + template: tls-issuer.yaml + + - isSubset: + path: metadata.annotations + content: + cert-manager.io/cluster-issuer: s3gw-release-s3gw-system-self-signed-issuer + documentIndex: 0 + template: ingress-traefik.yaml + + - it: Letsencrypt Issuer + set: + 
tlsIssuer: "s3gw-letsencrypt-issuer" + asserts: + + - hasDocuments: + count: 2 + template: tls-issuer.yaml + + - containsDocument: + kind: ClusterIssuer + apiVersion: cert-manager.io/v1 + name: s3gw-release-s3gw-system-private-issuer + documentIndex: 0 + template: tls-issuer.yaml + + - containsDocument: + kind: ClusterIssuer + apiVersion: cert-manager.io/v1 + name: s3gw-release-s3gw-system-letsencrypt-issuer + documentIndex: 1 + template: tls-issuer.yaml + + - isSubset: + path: metadata.annotations + content: + cert-manager.io/cluster-issuer: s3gw-release-s3gw-system-letsencrypt-issuer + documentIndex: 0 + template: ingress-traefik.yaml diff --git a/charts/s3gw/tests/cosi_test.yaml b/charts/s3gw/tests/cosi_test.yaml index 44dc1ac..ae7c835 100644 --- a/charts/s3gw/tests/cosi_test.yaml +++ b/charts/s3gw/tests/cosi_test.yaml @@ -91,25 +91,27 @@ tests: count: 2 template: cosi-rbac.yaml + - isKind: + of: ClusterRole + documentIndex: 0 + template: cosi-rbac.yaml + - containsDocument: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 name: s3gw-name-s3gw-namespace-objectstorage-provisioner-role + documentIndex: 0 template: cosi-rbac.yaml - isKind: - of: ClusterRole - documentIndex: 0 + of: ClusterRoleBinding + documentIndex: 1 template: cosi-rbac.yaml - containsDocument: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 name: s3gw-name-s3gw-namespace-objectstorage-provisioner-role-binding - template: cosi-rbac.yaml - - - isKind: - of: ClusterRoleBinding documentIndex: 1 template: cosi-rbac.yaml diff --git a/charts/s3gw/values.yaml b/charts/s3gw/values.yaml index d8fdd0a..4a6bb95 100644 --- a/charts/s3gw/values.yaml +++ b/charts/s3gw/values.yaml 
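Review bot: None of the four cases asserts that a Certificate's `spec.issuerRef.name` names a ClusterIssuer the chart actually renders, so an issuer rename that leaves the CA bootstrap pointing at a missing or self-referential issuer passes this suite; the `Certificates` case checks only document count and names. Add an `equal` assertion on `spec.issuerRef.name` for certificate.yaml documents 0 and 1 in each `it` block, with the value equal to a ClusterIssuer name already asserted in that block. A case with an unsupported `tlsIssuer` value would also pin the helper's fallback behaviour. `certManagerNamespace: "cert-manager-system"` is the only quoted value under `set:`; quote all or none.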
@@ -11,6 +11,10 @@ certManagerNamespace: cert-manager # The name of the predefined TLS issuer to use (s3gw-issuer, # s3gw-letsencrypt-issuer). tlsIssuer: "s3gw-issuer" +# The customTlsIssuer overrides any other TLS issuer. It is otherwise completely +# independent from the provided config, but can be used for any configuration +# not possible with the letsencrypt issuer or the self-signed issuer +# customTlsIssuer: "" # The email address you are planning to use for getting notifications # about your certificates. Fill this if you are using the # 's3gw-letsencrypt-issuer'.
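Review bot: The new comment says `customTlsIssuer` overrides the other issuers but not what kind of object it must name: ingress-traefik.yaml places it in the `cert-manager.io/cluster-issuer` annotation and tls-issuer.yaml renders no ingress issuer when it is set, so it must be the name of an existing cert-manager ClusterIssuer, and a namespaced `Issuer` would not be found. Suggest `# Name of an existing cert-manager ClusterIssuer. When set it overrides tlsIssuer for the ingress certificates and the chart renders no self-signed or Letsencrypt issuer of its own.` The third comment line also lacks a closing period.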