[bitnami/ejbca] Make Ingress compatible with k8s 1.20 (#4963)

This commit is contained in:
Javier J. Salmerón-García
2021-01-13 10:03:33 +01:00
committed by GitHub
parent 136b3b2f4a
commit e148b314fc
11 changed files with 138 additions and 80 deletions


@@ -4,6 +4,6 @@ dependencies:
version: 1.2.3
- name: mariadb
repository: https://charts.bitnami.com/bitnami
version: 9.2.1
digest: sha256:c83ab15b43724672c34ebf7d2825c62b7a6ac3ee04a076821faa5c369a795c26
generated: "2021-01-11T04:39:26.413751254Z"
version: 9.2.2
digest: sha256:be239b44d6cd6728d556521ecd0cb9c14c9f28520469c623cebfd2dabfc48b4a
generated: "2021-01-12T14:30:19.554346+01:00"


@@ -30,4 +30,4 @@ name: ejbca
sources:
- https://github.com/bitnami/bitnami-docker-ejbca
- https://www.ejbca.org/
version: 2.0.4
version: 2.1.0


@@ -88,6 +88,7 @@ The following table lists the configurable parameters of the EJBCA chart and the
| `persistence.existingClaim` | Name of an existing PVC to reuse | `nil` |
| `persistence.accessMode` | PVC Access Mode (RWO, ROX, RWX) | `ReadWriteOnce` |
| `persistence.size` | Size of the PVC to request | `2Gi` |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `nil` |
### Service parameters
@@ -118,7 +119,7 @@ The following table lists the configurable parameters of the EJBCA chart and the
| `ejbcaKeystoreExistingSecret` | Existing Secret containing a Keystore to be imported by EBJCA | `nil` |
| `extraEnvVars` | An array to add extra env vars | `[]` (evaluated as a template) |
| `command` | Custom command to override image cmd | `nil` (evaluated as a template) |
| `args` | Custom args for the custom command | `nil` (evaluated as a template) |
| `args` | Custom args for the custom command | `nil` (evaluated as a template) |
| `extraVolumeMounts` | Additional volume mounts (used along with `extraVolumes`) | `[]` (evaluated as a template) |
| `resources` | EJBCA container's resource requests and limits | `{}` |
| `podSecurityContext.enabled` | Enable security context for EJBCA container | `true` |
@@ -144,11 +145,22 @@ The following table lists the configurable parameters of the EJBCA chart and the
### Ingress parameters
| Parameter | Description | Default |
|-----------------------|---------------------------------------|--------------------------------|
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.hostname` | Default host for the ingress resource | `ejbca.local` |
| `ingress.annotations` | Ingress annotations | `[]` (evaluated as a template) |
| Parameter | Description | Default |
|----------------------------------|----------------------------------------------------------|--------------------------------|
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.certManager` | Add annotations for cert-manager | `false` |
| `ingress.hostname` | Default host for the ingress resource | `ejbca.local` |
| `ingress.path` | Default path for the ingress resource | `/` |
| `ingress.tls` | Create TLS Secret | `false` |
| `ingress.annotations` | Ingress annotations | `[]` (evaluated as a template) |
| `ingress.extraHosts[0].name` | Additional hostnames to be covered | `nil` |
| `ingress.extraHosts[0].path` | Additional hostnames to be covered | `nil` |
| `ingress.extraPaths` | Additional arbitrary path/backend objects | `nil` |
| `ingress.extraTls[0].hosts[0]` | TLS configuration for additional hostnames to be covered | `nil` |
| `ingress.extraTls[0].secretName` | TLS configuration for additional hostnames to be covered | `nil` |
| `ingress.secrets[0].name` | TLS Secret Name | `nil` |
| `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` |
| `ingress.secrets[0].key` | TLS Secret Key | `nil` |
### Database parameters


@@ -11,7 +11,7 @@ To access your EJBCA site from outside the cluster follow the steps below:
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ template "ejbca.fullname" . }})
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ template "common.names.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "EJBCA Public URL: https://$NODE_IP:$NODE_PORT/ejbca"
echo "EJBCA Admin URL: https://$NODE_IP:$NODE_PORT/ejbca/adminweb"
@@ -20,16 +20,16 @@ To access your EJBCA site from outside the cluster follow the steps below:
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "ejbca.fullname" . }}'
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "ejbca.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo "EJBCA Public URL: https://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca"
echo "EJBCA Admin URL: https://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/adminweb"
echo "EJBCA Enrol URL: https://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/enrol/keystore.jsp"
{{- else if contains "ClusterIP" .Values.service.type }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "ejbca.fullname" . }} {{ .Values.service.httpsPort }}:{{ .Values.service.httpsPort }} &
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ .Values.service.httpsPort }}:{{ .Values.service.httpsPort }} &
echo "EJBCA Public URL: https://127.0.0.1{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca"
echo "EJBCA Admin URL: https://127.0.0.1{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/adminweb"
echo "EJBCA Enrol URL: https://127.0.0.1{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/enrol/keystore.jsp"


@@ -1,25 +1,3 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "ejbca.name" -}}
{{- include "common.names.name" . -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ejbca.fullname" -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ejbca.chart" -}}
{{- include "common.names.chart" . -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -46,35 +24,7 @@ Return the proper Docker Image Registry Secret Names
Return the proper Storage Class
*/}}
{{- define "ejbca.storageClass" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
*/}}
{{- if .Values.global -}}
{{- if .Values.global.storageClass -}}
{{- if (eq "-" .Values.global.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.global.storageClass -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) -}}
{{- end -}}
{{/*
@@ -84,7 +34,7 @@ Return the correct EJBCA secret.
{{- if .Values.existingSecret -}}
{{- printf "%s" .Values.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "ejbca.fullname" .) -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}


@@ -1,7 +1,7 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "ejbca.fullname" . }}
name: {{ include "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
@@ -177,7 +177,7 @@ spec:
- name: ejbca-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "ejbca.fullname" .) }}
claimName: {{ .Values.persistence.existingClaim | default (include "common.names.fullname" .) }}
{{- else }}
emptyDir: {}
{{ end }}


@@ -1,20 +1,23 @@
{{- if .Values.ingress.enabled }}
apiVersion: {{ template "ejbca.ingress.apiVersion" . }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ template "ejbca.fullname" . }}
name: {{ include "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "ejbca.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
{{- if .Values.ingress.certManager }}
kubernetes.io/tls-acme: "true"
{{- end }}
{{- if .Values.ingress.annotations }}
{{- include "ejbca.tplValue" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "ejbca.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
rules:
@@ -22,8 +25,34 @@ spec:
- host: {{ .Values.ingress.hostname }}
http:
paths:
- backend:
serviceName: {{ template "ejbca.fullname" . }}
servicePort: https
{{- if .Values.ingress.extraPaths }}
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "https" "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "https" "context" $) | nindent 14 }}
{{- end }}
{{- if or .Values.ingress.tls .Values.ingress.extraTls }}
tls:
{{- if .Values.ingress.tls }}
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
{{- end }}
{{- if .Values.ingress.extraTls }}
{{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
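Review bot: The hard-coded `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` annotation is kept unconditionally while this section adds `ingress.tls`, `ingress.certManager`, `ingress.path`/`pathType` and `extraPaths`; per ingress-nginx's documentation, passthrough hands the TLS stream to the backend at layer 4, so the rendered `tls:` block (including a cert-manager-issued `<hostname>-tls` Secret) is never presented to clients and the HTTP path rules are not evaluated for HTTPS traffic. Conversely, if the controller was not started with `--enable-ssl-passthrough` the annotation is silently ignored, TLS is terminated at the ingress, and EJBCA's client-certificate authentication on `/ejbca/adminweb` will not see the client certificate — neither mode is documented for the new options. I would add a template comment above the annotation, `{{/* EJBCA terminates TLS itself (client-cert auth on adminweb); when the controller honours passthrough, ingress.tls/certManager/path settings are not applied to HTTPS */}}`, and state the `--enable-ssl-passthrough` requirement next to `ingress.tls` in values.yaml.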


@@ -2,7 +2,7 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "ejbca.fullname" . }}
name: {{ include "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}


@@ -1,7 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ template "ejbca.fullname" . }}
name: {{ include "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}


@@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "ejbca.fullname" . }}
name: {{ include "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}


@@ -29,6 +29,10 @@ image:
## Set to true if you would like to see extra information on logs
##
## Force target Kubernetes version (using Helm capabilites if not set)
##
kubeVersion:
## String to partially override ebjca.fullname template (will maintain the release name)
##
# nameOverride:
@@ -282,7 +286,7 @@ service:
# extraPorts:
## Configure the ingress resource that allows you to access the
## WordPress installation. Set up the URL
## EJBCA installation. Set up the URL
## ref: http://kubernetes.io/docs/user-guide/ingress/
##
ingress:
@@ -290,10 +294,27 @@ ingress:
##
enabled: false
## Set this to true in order to add the corresponding annotations for cert-manager
##
certManager: false
## Ingress Path type
##
pathType: ImplementationSpecific
## Override API Version (automatically detected if not set)
##
apiVersion:
## When the ingress is enabled, a host pointing to this will be created
##
hostname: ejbca.local
## The Path to EJBCA. You may need to set this to '/*' in order to use this
## with ALB ingress controllers.
##
path: /
## Ingress annotations done as key:value pairs
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
@@ -302,6 +323,52 @@ ingress:
##
annotations: {}
## Enable TLS configuration for the hostname defined at ingress.hostname parameter
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
##
tls: false
## The list of additional hostnames to be covered with this ingress record.
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
## extraHosts:
## - name: ejbca.local
## path: /
##
## Any additional arbitrary paths that may need to be added to the ingress under the main host.
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
## extraPaths:
## - path: /*
## backend:
## serviceName: ssl-redirect
## servicePort: use-annotation
##
## The tls configuration for additional hostnames to be covered with this ingress record.
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## extraTls:
## - hosts:
## - ejbca.local
## secretName: ejbca.local-tls
##
## If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
## name should line up with a tlsSecret set further up
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
##
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
##
secrets: []
## - name: ejbca.local-tls
## key:
## certificate:
##
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
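Review bot: The `ingress.secrets[]` comment block tells users to put a PEM private key (`-----BEGIN RSA PRIVATE KEY-----`) directly into values.yaml, where it typically ends up in version control, CI logs and `helm get values` output; the comment should steer towards `--set-file ingress.secrets[0].key=/path/to/key` or an externally managed Secret referenced through `extraTls[].secretName`, e.g. `## Prefer --set-file or a pre-created Secret; do not commit private keys in values files`. None of the 11 changed files renders a Secret from `ingress.secrets`, so unless a template outside this diff consumes it, the statement "You can use the ingress.secrets parameter to create this TLS secret" is currently unfulfilled — worth verifying before release. The same comment has a typo: `relay on cert-manager` should read `rely on cert-manager`.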