{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} {{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} {{- if not .Values.global.secretsBackend.vault.enabled }} # tls-init job generate Consul cluster CA and certificates for the Consul servers # and creates Kubernetes secrets for them. apiVersion: batch/v1 kind: Job metadata: name: {{ template "consul.fullname" . }}-tls-init namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: tls-init {{- if .Values.global.extraLabels }} {{- toYaml .Values.global.extraLabels | nindent 4 }} {{- end }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "1" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation spec: template: metadata: name: {{ template "consul.fullname" . }}-tls-init labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} component: tls-init {{- if .Values.global.extraLabels }} {{- toYaml .Values.global.extraLabels | nindent 8 }} {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-tls-init {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} volumes: - name: consul-ca-cert secret: secretName: {{ .Values.global.tls.caCert.secretName }} items: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt - name: consul-ca-key secret: secretName: {{ .Values.global.tls.caKey.secretName }} items: - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} path: tls.key {{- end }} containers: - name: tls-init image: "{{ .Values.global.imageK8S }}" env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace workingDir: /tmp command: - "/bin/sh" - "-ec" - | # Suppress globbing so we can interpolate the $NAMESPACE environment variable # and use * at the start of the dns name when setting -additional-dnsname. set -o noglob consul-k8s-control-plane tls-init \ -log-level={{ .Values.global.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ -domain={{ .Values.global.domain }} \ -days=730 \ -name-prefix={{ template "consul.fullname" . }} \ -k8s-namespace=${NAMESPACE} \ {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} -ca=/consul/tls/ca/cert/tls.crt \ -key=/consul/tls/ca/key/tls.key \ {{- end }} -additional-dnsname="{{ template "consul.fullname" . }}-server" \ -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ {{- range .Values.global.tls.serverAdditionalIPSANs }} -additional-ipaddress={{ . }} \ {{- end }} {{- range .Values.global.tls.serverAdditionalDNSSANs }} -additional-dnsname={{ . }} \ {{- end }} -dc={{ .Values.global.datacenter }} {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} volumeMounts: - name: consul-ca-cert mountPath: /consul/tls/ca/cert readOnly: true - name: consul-ca-key mountPath: /consul/tls/ca/key readOnly: true {{- end }} resources: requests: memory: "50Mi" cpu: "50m" limits: memory: "50Mi" cpu: "50m" {{- end }} {{- end }} {{- end }}