diff --git a/bitnami/dokuwiki/Chart.yaml b/bitnami/dokuwiki/Chart.yaml
index 339303343c..7cbebd3982 100644
--- a/bitnami/dokuwiki/Chart.yaml
+++ b/bitnami/dokuwiki/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: dokuwiki
-version: 6.0.18
+version: 6.1.0
 appVersion: 0.20180422.202005011246
 description: DokuWiki is a standards-compliant, simple to use wiki optimized for creating documentation. It is targeted at developer teams, workgroups, and small companies.
diff --git a/bitnami/dokuwiki/README.md b/bitnami/dokuwiki/README.md
index 5dae34e40f..6072b9dbd2 100644
--- a/bitnami/dokuwiki/README.md
+++ b/bitnami/dokuwiki/README.md
@@ -111,6 +111,19 @@ The following table lists the configurable parameters of the DokuWiki chart and
 | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
 | `metrics.podAnnotations` | Additional annotations for Metrics exporter pod | `{prometheus.io/scrape: "true", prometheus.io/port: "9117"}` |
 | `metrics.resources` | Exporter resource requests/limit | {} |
+| `certificates.customCertificate.certificateSecret` | Secret containing the certificate and key to add | `""` |
+| `certificates.customCertificate.chainSecret.name` | Name of the secret containing the certificate chain | `""` |
+| `certificates.customCertificate.chainSecret.key` | Key of the certificate chain file inside the secret | `""` |
+| `certificates.customCertificate.certificateLocation` | Location in the container to store the certificate | `/etc/ssl/certs/ssl-cert-snakeoil.pem` |
+| `certificates.customCertificate.keyLocation` | Location in the container to store the private key | `/etc/ssl/private/ssl-cert-snakeoil.key` |
+| `certificates.customCertificate.chainLocation` | Location in the container to store the certificate chain | `/etc/ssl/certs/chain.pem` |
+| `certificates.customCA` | Defines a list of secrets to import into the container trust store | `[]` |
+| `certificates.image.registry` | Container sidecar registry | `docker.io` |
+| `certificates.image.repository` | Container sidecar image | `bitnami/minideb` |
+| `certificates.image.tag` | Container sidecar image tag | `buster` |
+| `certificates.image.pullPolicy` | Container sidecar image pull policy | `IfNotPresent` |
+| `certificates.image.pullSecrets` | Container sidecar image pull secrets | `image.pullSecrets` |
+| `certificates.extraEnvVars` | Container sidecar extra environment variables (eg proxy) | `[]` |
 The above parameters map to the env variables defined in [bitnami/dokuwiki](http://github.com/bitnami/bitnami-docker-dokuwiki).
For more information please refer to the [bitnami/dokuwiki](http://github.com/bitnami/bitnami-docker-dokuwiki) image documentation.
@@ -148,6 +161,55 @@ Persistent Volume Claims are used to keep the data across deployments. There is
 See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
+## Certificates
+
+### CA Certificates
+Custom CA certificates not included in the base docker image can be added with
+the following configuration. The secret must exist in the same namespace as the
+deployment. Will load all certificates files it finds in the secret.
+
+```yaml
+certificates:
+ customCAs:
+ - secret: my-ca-1
+ - secret: my-ca-2
+```
+
+#### Secret
+Secret can be created with:
+
+```bash
+kubectl create secret generic my-ca-1 --from-file my-ca-1.crt
+```
+
+### TLS Certificate
+A web server TLS Certificate can be injected into the container with the
+following configuration. The certificate will be stored at the location
+specified in the certificateLocation value.
+
+```yaml
+certificates:
+ customCertificate:
+ certificateSecret: my-secret
+ certificateLocation: /ssl/server.pem
+ keyLocation: /ssl/key.pem
+ chainSecret:
+ name: my-cert-chain-secret
+ key: chain.pem
+```
+
+#### Secret
+The certificate tls secret can be created with:
+
+```bash
+kubectl create secret tls my-secret --cert tls.crt --key tls.key
+```
+
+The certificate chain is created with:
+```bash
+kubectl create secret generic my-ca-1 --from-file my-ca-1.crt
+```
+
 ## Upgrading
 ### To 6.0.0
diff --git a/bitnami/dokuwiki/templates/_certificates.tpl b/bitnami/dokuwiki/templates/_certificates.tpl
new file mode 100644
index 0000000000..aed154a365
--- /dev/null
+++ b/bitnami/dokuwiki/templates/_certificates.tpl
@@ -0,0 +1,126 @@
+{{/* Templates for certificates injection */}}
+
+{{/*
+Return the proper Redmine image name
+*/}}
+{{- define "certificates.image" -}}
+{{- $registryName := default .Values.certificates.image.registry .Values.image.registry -}}
+{{- $repositoryName := .Values.certificates.image.repository -}}
+{{- $tag := .Values.certificates.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "certificates.initContainer" -}}
+{{- if .Values.certificates.customCAs }}
+- name: certificates
+ image: {{ template "certificates.image" . }}
+ imagePullPolicy: {{ default .Values.image.pullPolicy .Values.certificates.image.pullPolicy }}
+ imagePullSecrets:
+ {{- range (default .Values.image.pullSecrets .Values.certificates.image.pullSecrets) }}
+ - name: {{ . }}
+ {{- end }}
+ command:
+ {{- if .Values.certificates.customCertificate.certificateSecret }}
+ - sh
+ - -c
+ - if command -v apk >/dev/null; then apk add --no-cache ca-certificates openssl && update-ca-certificates;
+ else apt-get update && apt-get install -y ca-certificates openssl; fi
+ {{- else }}
+ - sh
+ - -c
+ - if command -v apk >/dev/null; then apk add --no-cache ca-certificates openssl && update-ca-certificates;
+ else apt-get update && apt-get install -y ca-certificates openssl; fi
+ && openssl req -new -x509 -days 3650 -nodes -sha256
+ -subj "/CN=$(hostname)" -addext "subjectAltName = DNS:$(hostname)"
+ -out /etc/ssl/certs/ssl-cert-snakeoil.pem
+ -keyout /etc/ssl/private/ssl-cert-snakeoil.key -extensions v3_req
+ {{- end }}
+ {{- if .Values.certificates.extraEnvVars }}
+ env:
+ {{- tpl (toYaml .Values.certificates.extraEnvVars) $ | nindent 2 }}
+ {{- end }}
+ volumeMounts:
+ - name: etc-ssl-certs
+ mountPath: /etc/ssl/certs
+ readOnly: false
+ - name: etc-ssl-private
+ mountPath: /etc/ssl/private
+ readOnly: false
+ - name: custom-ca-certificates
+ mountPath: /usr/local/share/ca-certificates
+ readOnly: true
+{{- end }}
+{{- end }}
+
+{{- define "certificates.volumes" -}}
+{{- if .Values.certificates.customCAs }}
+- name: etc-ssl-certs
+ emptyDir:
+ medium: "Memory"
+- name: etc-ssl-private
+ emptyDir:
+ medium: "Memory"
+- name: custom-ca-certificates
+ projected:
+ defaultMode: 0400
+ sources:
+ {{- range $index, $customCA := .Values.certificates.customCAs }}
+ - secret:
+ name: {{ $customCA.secret }}
+ # items not specified, will mount all keys
+ {{- end }}
+{{- end -}}
+{{- if .Values.certificates.customCertificate.certificateSecret }}
+- name: custom-certificate
+ secret:
+ secretName: {{ .Values.certificates.customCertificate.certificateSecret }}
+{{- if .Values.certificates.customCertificate.chainSecret }}
+- name: custom-certificate-chain
+ secret:
+ secretName: {{ .Values.certificates.customCertificate.chainSecret.name }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "certificates.volumeMount" -}}
+{{- if .Values.certificates.customCAs }}
+- name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/
+ readOnly: false
+- name: etc-ssl-private
+ mountPath: /etc/ssl/private/
+ readOnly: false
+- name: custom-ca-certificates
+ mountPath: /usr/local/share/ca-certificates
+ readOnly: true
+{{- end -}}
+{{- if .Values.certificates.customCertificate.certificateSecret }}
+- name: custom-certificate
+ mountPath: {{ .Values.certificates.customCertificate.certificateLocation }}
+ subPath: tls.crt
+ readOnly: true
+- name: custom-certificate
+ mountPath: {{ .Values.certificates.customCertificate.keyLocation }}
+ subPath: tls.key
+ readOnly: true
+{{- if .Values.certificates.customCertificate.chainSecret }}
+- name: custom-certificate-chain
+ mountPath: {{ .Values.certificates.customCertificate.chainLocation }}
+ subPath: {{ .Values.certificates.customCertificate.chainSecret.key }}
+ readOnly: true
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/bitnami/dokuwiki/templates/deployment.yaml b/bitnami/dokuwiki/templates/deployment.yaml
index ee6db2d08b..d255aeee62 100644
--- a/bitnami/dokuwiki/templates/deployment.yaml
+++ b/bitnami/dokuwiki/templates/deployment.yaml
@@ -45,6 +45,8 @@ spec:
 - ip: "127.0.0.1"
 hostnames:
 - "status.localhost"
+ initContainers:
+ {{- include "certificates.initContainer" . | indent 8 }}
 containers:
 - name: {{ template "dokuwiki.fullname" . }}
 image: {{ template "dokuwiki.image" . }}
@@ -93,6 +95,7 @@ spec:
 resources:
 {{ toYaml .Values.resources | indent 10 }}
 volumeMounts:
+ {{- include "certificates.volumeMount" . | indent 8 }}
 - name: dokuwiki-data
 mountPath: /bitnami/dokuwiki
 {{- if .Values.metrics.enabled }}
@@ -119,6 +122,7 @@ spec:
 {{ toYaml .Values.metrics.resources | indent 10 }}
 {{- end }}
 volumes:
+ {{- include "certificates.volumes" . | indent 6 }}
 - name: dokuwiki-data
 {{- if .Values.persistence.enabled }}
 persistentVolumeClaim:
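Review bot: All three defines gate on `.Values.certificates.customCAs`, but the values.yaml hunk declares the key as `customCA: []` and the README table documents `certificates.customCA`, so a user who sets the documented key gets no init container, no trust-store volumes and no mounts; rename the values.yaml key to `customCAs: []` and fix the table row (the README prose example already uses `customCAs`). In `certificates.initContainer` the `imagePullSecrets:` list sits inside the container entry, but `imagePullSecrets` is a pod-spec field, not a container field, so it is silently discarded — the secrets belong in the pod's `imagePullSecrets` list in deployment.yaml. In `certificates.volumeMount` the application container mounts `/etc/ssl/certs/` and `/etc/ssl/private/` with `readOnly: false` although only the init container writes there; `readOnly: true` on both mounts keeps the app process from rewriting its own trust store or private key. The `custom-certificate` secret volume in `certificates.volumes` sets no `defaultMode`, unlike the projected CA volume (`defaultMode: 0400`), so `tls.key` is exposed with the default secret-volume permissions; `defaultMode: 0400` would match, assuming the pod sets `fsGroup` so the non-root app user can still read it (confirm against the deployment's securityContext). The init container also installs `ca-certificates` and `openssl` with `apt-get`/`apk` at every pod start, which needs egress to package mirrors and root in that container; baking those packages into the sidecar image would remove that runtime dependency.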
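Review bot: The first deployment.yaml hunk always emits `initContainers:` and relies on `certificates.initContainer` rendering nothing when `certificates.customCAs` is empty, which leaves `initContainers:` with a null value in the default rendering; the API server accepts a null list, but the key is misleading in `helm template` output and would collide with any later init container added under its own key. Wrapping it — `{{- if .Values.certificates.customCAs }}` / `initContainers:` / `{{- include "certificates.initContainer" . | indent 8 }}` / `{{- end }}` — keeps the rendered spec minimal. The `volumeMounts:` and `volumes:` hunks are fine as written because list items merge with the existing entries.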
diff --git a/bitnami/dokuwiki/values.yaml b/bitnami/dokuwiki/values.yaml index e96b8d4850..b83688476e 100644 --- a/bitnami/dokuwiki/values.yaml +++ b/bitnami/dokuwiki/values.yaml @@ -209,3 +209,32 @@ metrics: ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## # resources: {} + +# Add custom certificates and certificate authorities to redmine container +certificates: + customCertificate: + certificateSecret: "" + chainSecret: {} + # name: secret-name + # key: secret-key + certificateLocation: /etc/ssl/certs/ssl-cert-snakeoil.pem + keyLocation: /etc/ssl/private/ssl-cert-snakeoil.key + chainLocation: /etc/ssl/certs/mychain.pem + customCA: [] + # - secret: custom-CA + # - secret: more-custom-CAs + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + # pullPolicy: + # pullSecrets + # - myRegistryKeySecretName + extraEnvVars: [] + # - name: myvar + # value: myval
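Review bot: The default `chainLocation: /etc/ssl/certs/mychain.pem` disagrees with the README table, which lists `/etc/ssl/certs/chain.pem` for the same parameter; pick one and update the other. The header comment `# Add custom certificates and certificate authorities to redmine container` (and `Return the proper Redmine image name` in `_certificates.tpl`) refers to a different chart — `# Add custom certificates and certificate authorities to the dokuwiki container` fits this one. The commented example `# pullSecrets` is missing its colon, so a user who uncomments it gets a parse error; write it as `# pullSecrets:` followed by `#   - myRegistryKeySecretName`.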