110 lines
4.5 KiB
YAML
110 lines
4.5 KiB
YAML
|
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
|
||
|
{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }}
|
||
|
{{- if not .Values.global.secretsBackend.vault.enabled }}
|
||
|
# tls-init job generate Consul cluster CA and certificates for the Consul servers
|
||
|
# and creates Kubernetes secrets for them.
|
||
|
apiVersion: batch/v1
|
||
|
kind: Job
|
||
|
metadata:
|
||
|
name: {{ template "consul.fullname" . }}-tls-init
|
||
|
namespace: {{ .Release.Namespace }}
|
||
|
labels:
|
||
|
app: {{ template "consul.name" . }}
|
||
|
chart: {{ template "consul.chart" . }}
|
||
|
heritage: {{ .Release.Service }}
|
||
|
release: {{ .Release.Name }}
|
||
|
component: tls-init
|
||
|
annotations:
|
||
|
"helm.sh/hook": pre-install,pre-upgrade
|
||
|
"helm.sh/hook-weight": "1"
|
||
|
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
|
||
|
spec:
|
||
|
template:
|
||
|
metadata:
|
||
|
name: {{ template "consul.fullname" . }}-tls-init
|
||
|
labels:
|
||
|
app: {{ template "consul.name" . }}
|
||
|
chart: {{ template "consul.chart" . }}
|
||
|
release: {{ .Release.Name }}
|
||
|
component: tls-init
|
||
|
annotations:
|
||
|
"consul.hashicorp.com/connect-inject": "false"
|
||
|
spec:
|
||
|
restartPolicy: Never
|
||
|
serviceAccountName: {{ template "consul.fullname" . }}-tls-init
|
||
|
{{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
|
||
|
volumes:
|
||
|
- name: consul-ca-cert
|
||
|
secret:
|
||
|
secretName: {{ .Values.global.tls.caCert.secretName }}
|
||
|
items:
|
||
|
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
|
||
|
path: tls.crt
|
||
|
- name: consul-ca-key
|
||
|
secret:
|
||
|
secretName: {{ .Values.global.tls.caKey.secretName }}
|
||
|
items:
|
||
|
- key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }}
|
||
|
path: tls.key
|
||
|
{{- end }}
|
||
|
containers:
|
||
|
- name: tls-init
|
||
|
image: "{{ .Values.global.imageK8S }}"
|
||
|
env:
|
||
|
- name: NAMESPACE
|
||
|
valueFrom:
|
||
|
fieldRef:
|
||
|
fieldPath: metadata.namespace
|
||
|
workingDir: /tmp
|
||
|
command:
|
||
|
- "/bin/sh"
|
||
|
- "-ec"
|
||
|
- |
|
||
|
# Suppress globbing so we can interpolate the $NAMESPACE environment variable
|
||
|
# and use * at the start of the dns name when setting -additional-dnsname.
|
||
|
set -o noglob
|
||
|
consul-k8s-control-plane tls-init \
|
||
|
-log-level={{ .Values.global.logLevel }} \
|
||
|
-log-json={{ .Values.global.logJSON }} \
|
||
|
-domain={{ .Values.global.domain }} \
|
||
|
-days=730 \
|
||
|
-name-prefix={{ template "consul.fullname" . }} \
|
||
|
-k8s-namespace=${NAMESPACE} \
|
||
|
{{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
|
||
|
-ca=/consul/tls/ca/cert/tls.crt \
|
||
|
-key=/consul/tls/ca/key/tls.key \
|
||
|
{{- end }}
|
||
|
-additional-dnsname="{{ template "consul.fullname" . }}-server" \
|
||
|
-additional-dnsname="*.{{ template "consul.fullname" . }}-server" \
|
||
|
-additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \
|
||
|
-additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \
|
||
|
-additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \
|
||
|
-additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \
|
||
|
-additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \
|
||
|
{{- range .Values.global.tls.serverAdditionalIPSANs }}
|
||
|
-additional-ipaddress={{ . }} \
|
||
|
{{- end }}
|
||
|
{{- range .Values.global.tls.serverAdditionalDNSSANs }}
|
||
|
-additional-dnsname={{ . }} \
|
||
|
{{- end }}
|
||
|
-dc={{ .Values.global.datacenter }}
|
||
|
{{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
|
||
|
volumeMounts:
|
||
|
- name: consul-ca-cert
|
||
|
mountPath: /consul/tls/ca/cert
|
||
|
readOnly: true
|
||
|
- name: consul-ca-key
|
||
|
mountPath: /consul/tls/ca/key
|
||
|
readOnly: true
|
||
|
{{- end }}
|
||
|
resources:
|
||
|
requests:
|
||
|
memory: "50Mi"
|
||
|
cpu: "50m"
|
||
|
limits:
|
||
|
memory: "50Mi"
|
||
|
cpu: "50m"
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
{{- end }}
|