feat(helm): add subjects for cert-manager certificate (#346)

oliverbaehler · web-flow · commit 23332530f35f · 2023-12-08T09:32:55.000+01:00
* ci(helm): fix helm e2e installer

Signed-off-by: Oliver Bähler &lt;oliverbaehler@hotmail.com&gt;

* feat(chart): add cert subjects and bump app version 0.4.7

Signed-off-by: Oliver Bähler &lt;oliverbaehler@hotmail.com&gt;

---------

Signed-off-by: Oliver Bähler &lt;oliverbaehler@hotmail.com&gt;
diff --git a/Makefile b/Makefile
@@ -107,11 +107,16 @@ helm-test: helm-controller-version kind ct ko-build-all
 	@kind create cluster --wait=60s --name capsule-charts
 	@kind load docker-image --name capsule-charts $(CAPSULE_PROXY_IMG):$(VERSION)
 	@kubectl create ns capsule-system
-	@kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
-	@kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+	@make helm-install
+
+helm-install:
+	@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
+	@make install-capsule
+	@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
 	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
-	@kind delete cluster --name capsule-charts
 
+helm-destroy:
+	@kind delete cluster --name capsule-charts
 
 ####################
 # -- Testing
diff --git a/charts/capsule-proxy/Chart.yaml b/charts/capsule-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.4.6
+appVersion: 0.4.7
 description: Helm Chart for Capsule Proxy, addon for Capsule, the multi-tenant Operator
 name: capsule-proxy
 type: application
@@ -21,7 +21,7 @@ maintainers:
   - name: capsule-maintainers
     email: cncf-capsule-maintainers@lists.cncf.io
 annotations:
-  artifacthub.io/containsSecurityUpdates: "true"
+  artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/operator: "true"
   artifacthub.io/prerelease: "false"
   artifacthub.io/category: security
@@ -34,6 +34,4 @@ annotations:
       url: https://capsule.clastix.io/
   artifacthub.io/changes: |
     - kind: added
-      description: artifacthub annotations
-    - kind: changed
-      description: maintainers contact
+      description: add subjects for cert-manager certificate
diff --git a/charts/capsule-proxy/README.md b/charts/capsule-proxy/README.md
@@ -61,6 +61,9 @@ If you only need to make minor customizations, you can specify them on the comma
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Set affinity rules for the capsule-proxy pod. |
+| certManager.certificate.dnsNames | list | `[]` | Additional DNS Names to include in certificate |
+| certManager.certificate.ipAddresses | list | `[]` | Additional IP Addresses to include in certificate |
+| certManager.certificate.uris | list | `[]` | Additional URIs to include in certificate |
 | certManager.externalCA.enabled | bool | `false` | Set if want cert manager to sign certificates with an external CA |
 | certManager.externalCA.secretName | string | `""` |  |
 | certManager.generateCertificates | bool | `false` | Set if the cert manager will generate SSL certificates (self-signed or CA-signed) |
diff --git a/charts/capsule-proxy/ci/cert-manager-values.yaml b/charts/capsule-proxy/ci/cert-manager-values.yaml
@@ -0,0 +1,12 @@
+options:
+  enableSSL: true
+  generateCertificates: false
+certManager:
+  generateCertificates: true
+  certificate:
+    dnsNames:
+      - "localhost"
+    ipAddresses:
+      - "127.0.0.1"
+    uris:
+      - "spiffe://cluster.local/ns/sandbox/sa/example"
diff --git a/charts/capsule-proxy/templates/certmanager.yaml b/charts/capsule-proxy/templates/certmanager.yaml
@@ -45,8 +45,23 @@ spec:
   - {{ $hosts.host }}
     {{- end }}
   {{- end }}
+  {{- range $dns := .Values.certManager.certificate.dnsNames }}
+  - {{ $dns }}
+  {{- end }}
   - {{ include "capsule-proxy.fullname" . }}
   - {{ include "capsule-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
+  {{- with .Values.certManager.certificate.ipAddresses }}
+  ipAddresses:
+    {{- range $ip := . }}
+  - {{ $ip }}
+    {{- end }}
+  {{- end }}
+  {{- with .Values.certManager.certificate.uris }}
+  uris:
+    {{- range $uri := . }}
+  - {{ $uri }}
+    {{- end }}
+  {{- end }}
   issuerRef:
     kind: {{ .Values.certManager.issuer.kind }}
     name: {{ include "capsule-proxy.certManager.issuerName" . }}
diff --git a/charts/capsule-proxy/values.yaml b/charts/capsule-proxy/values.yaml
@@ -99,6 +99,13 @@ certManager:
     kind: Issuer # Issuer or ClusterIssuer
     # -- Set the name of the ClusterIssuer if issuer kind is ClusterIssuer and if cert manager will generate CA signed SSL certificates
     name: "" #  Name of the ClusterIssuer
+  certificate:
+    # -- Additional DNS Names to include in certificate
+    dnsNames: []
+    # -- Additional IP Addresses to include in certificate
+    ipAddresses: []
+    # -- Additional URIs to include in certificate
+    uris: []
 
 
 # ServiceAccount
