diff --git a/charts/site-manager/templates/crd-sitemanager.yaml b/charts/site-manager/templates/crd-sitemanager.yaml
index eea811d7..bebdaee7 100644
--- a/charts/site-manager/templates/crd-sitemanager.yaml
+++ b/charts/site-manager/templates/crd-sitemanager.yaml
@@ -6,14 +6,6 @@ metadata:
 annotations:
 helm.sh/resource-policy: keep
 controller-gen.kubebuilder.io/version: v0.18.0
- {{- if .Values.tls.generateCerts.enabled }}
- {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate
- {{- else if eq .Values.tls.generateCerts.executor "openshift" }}
- service.alpha.openshift.io/inject-cabundle: "true" # for openshift 3.X
- service.beta.openshift.io/inject-cabundle: "true" # for openshift 4.X
- {{- end }}
- {{- end }}
 name: sitemanagers.qubership.org
 spec:
 group: qubership.org
@@ -125,7 +117,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 name: site-manager-qubership-validating-webhook-configuration
- {{- if .Values.tls.generateCerts.enabled }}
+ {{- if not .Values.tls.ca }}
 annotations:
 {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
 cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate
diff --git a/charts/site-manager/templates/legacy-crd-sitemanager.yaml b/charts/site-manager/templates/legacy-crd-sitemanager.yaml
index 1cc0bb44..b0ef14c1 100644
--- a/charts/site-manager/templates/legacy-crd-sitemanager.yaml
+++ b/charts/site-manager/templates/legacy-crd-sitemanager.yaml
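Review bot: The CA-injection annotation on this ValidatingWebhookConfiguration is now gated on `tls.ca` being empty, while the Certificate and Issuer in tls-certificate.yaml and tls-issuer.yaml are gated on `tls.crt` and `tls.key` being empty; the same `not .Values.tls.ca` test is used in both hunks of legacy-crd-sitemanager.yaml and in service.yaml. With `tls.crt`/`tls.key` set and `tls.ca` left empty, no Certificate is rendered but cainjector is still pointed at `site-manager-tls-certificate`, so `caBundle` is never populated and the API server cannot verify the webhook's serving certificate; the reverse combination (only `tls.ca` set) presumably yields a generated certificate that does not chain to the configured CA. Gate every site on one predicate over all three values, e.g. `{{- if not (and .Values.tls.crt .Values.tls.key .Values.tls.ca) }}`, preferably from a single named helper template, and reject a partial set at render time with `{{- fail "tls.crt, tls.key and tls.ca must be set together" }}` so a misconfiguration fails at install instead of surfacing later as webhook TLS errors. The enclosing ValidatingWebhookConfiguration continues outside the hunk.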
@@ -5,7 +5,7 @@ metadata:
 name: {{ printf "%ss" (lower .Values.env.SM_KIND) }}.{{ .Values.env.SM_GROUP }}
 annotations:
 helm.sh/resource-policy: keep
- {{- if .Values.tls.generateCerts.enabled }}
+ {{- if not .Values.tls.ca }}
 {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
 cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate
 {{- else if eq .Values.tls.generateCerts.executor "openshift" }}
@@ -277,7 +277,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 name: "site-manager-crd-validating-webhook-configuration"
- {{- if .Values.tls.generateCerts.enabled }}
+ {{- if not .Values.tls.ca }}
 annotations:
 {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
 cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate
diff --git a/charts/site-manager/templates/service.yaml b/charts/site-manager/templates/service.yaml
index e899af4e..504565ec 100644
--- a/charts/site-manager/templates/service.yaml
+++ b/charts/site-manager/templates/service.yaml
@@ -7,7 +7,7 @@ metadata:
 labels:
 app: site-manager
 annotations:
- {{- if and .Values.tls.generateCerts.enabled ( eq .Values.tls.generateCerts.executor "openshift" ) }}
+ {{- if and (not .Values.tls.ca) ( eq .Values.tls.generateCerts.executor "openshift" ) }}
 service.alpha.openshift.io/serving-cert-secret-name: "sm-certs" # for openshift 3.X
 service.beta.openshift.io/serving-cert-secret-name: "sm-certs" # for openshift 4.X
 {{- end }}
diff --git a/charts/site-manager/templates/tls-certificate.yaml b/charts/site-manager/templates/tls-certificate.yaml
index 15be23ee..5cb9f7f4 100644
--- a/charts/site-manager/templates/tls-certificate.yaml
+++ b/charts/site-manager/templates/tls-certificate.yaml
@@ -1,4 +1,5 @@
-{{- if and .Values.tls.generateCerts.enabled ( eq .Values.tls.generateCerts.executor "cert-manager" ) }}
+{{- $cert_manager_used := and (not (and .Values.tls.crt .Values.tls.key)) (eq .Values.tls.generateCerts.executor "cert-manager") }}
+{{- if $cert_manager_used }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
diff --git a/charts/site-manager/templates/tls-issuer.yaml b/charts/site-manager/templates/tls-issuer.yaml
index fc55e2d6..a9b67a80 100644
--- a/charts/site-manager/templates/tls-issuer.yaml
+++ b/charts/site-manager/templates/tls-issuer.yaml
@@ -1,4 +1,5 @@
-{{- if and ( and .Values.tls.generateCerts.enabled ( eq .Values.tls.generateCerts.executor "cert-manager" ) ) (not .Values.tls.generateCerts.clusterIssuerName) }}
+{{- $cert_manager_used := and (not (and .Values.tls.crt .Values.tls.key)) (eq .Values.tls.generateCerts.executor "cert-manager") }}
+{{- if and $cert_manager_used (not .Values.tls.generateCerts.clusterIssuerName) }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
diff --git a/charts/site-manager/values.yaml b/charts/site-manager/values.yaml
index 42e2bb7a..60c5f44e 100644
--- a/charts/site-manager/values.yaml
+++ b/charts/site-manager/values.yaml
@@ -78,13 +78,17 @@ requests:
 affinity: {}
 tls:
+ # This enables/disables HTTPS only for main site-manager endpoint.
+ # NOTE: setting "enabled: false" does not affect webhooks, they still require TLS, so certs are ALWAYS required.
 enabled: true
+ # Below fields allow to provide custom crt/key/ca certificates.
+ # If you decide to use custom certificates, all three must be provided.
+ # Otherwise, certificates will be generated using cert-manager (or openshift if you customize executor).
 crt: ""
 key: ""
 ca: ""
 defaultIngressTls: false
 generateCerts:
- enabled: false
 executor: cert-manager
 clusterIssuerName: ""
 duration: 365
diff --git a/documentation/public/installation.md b/documentation/public/installation.md
index c66cb4ad..596f4462 100644
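Review bot: The `$cert_manager_used` expression is copied verbatim into tls-certificate.yaml and tls-issuer.yaml, so the "are custom certificates in use" decision now lives in two template-local variables plus a third, different form in the webhook annotations; it will drift the first time one copy is edited. Move it into a named template (a `define` that emits the same `and (not (and .Values.tls.crt .Values.tls.key)) (eq .Values.tls.generateCerts.executor "cert-manager")` result, closed with `{{- end }}`) and consume it at both sites as `{{- if eq (include "site-manager.certManagerUsed" .) "true" }}`, which also gives one place to extend the predicate later. A one-line comment above the guard, `{{- /* custom tls.crt/tls.key take precedence over cert-manager generation */ -}}`, would make the precedence rule visible to the next maintainer. The removed `generateCerts.enabled` switch was the only way to render a Certificate while keeping custom material out of values; if that mode is intentionally dropped, say so in the chart changelog.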
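Review bot: The new comment in the values.yaml hunk says "Below fields allow to provide custom crt/key/ca certificates" and then promises generation "Otherwise", but it does not say what the chart does when only some of the three are set, which is exactly the case a reader of this comment will get wrong. Reword the block to `# The fields below let you supply your own crt/key/ca; if you use custom certificates, all three must be provided together.` followed by `# Leaving all three empty selects generation via cert-manager (or OpenShift, if generateCerts.executor is changed); a partial set is not a supported configuration.` so the documented contract matches the templates' all-or-nothing intent.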
--- a/documentation/public/installation.md
+++ b/documentation/public/installation.md
@@ -132,8 +132,7 @@ you can do one of following solutions:
 | tls.ca | CA tls certificate (content of `ca.crt` file after [prerequisites](#prerequisites) step 2). Required, if integration with cert-manager is disabled | "" |
 | tls.crt | SM public tls certificate (content of `site-manager-tls.crt` file after [prerequisites](#prerequisites) step 2). Required, if integration with cert-manager is disabled | "" |
 | tls.key | SM private tls certificate (content of `site-manager-tls.key` file after [prerequisites](#prerequisites) step 2). Required, if integration with cert-manager is disabled | "" |
-| tls.generateCerts.enabled | Enable/disable certificates generation using cert-manager or OpenShift services serving certificates mechanism. | false |
-| tls.generateCerts.executor | Choose executor for certificates generation. Possible values: "cert-manager" and "openshift" | cert-manager |
+| tls.generateCerts.executor | Choose executor for certificates generation. Certificate generation is enabled automatically if custom crt/key/ca are not provided. Possible values: "cert-manager" and "openshift" | cert-manager |
 | tls.generateCerts.clusterIssuerName | In case of cert-manager integration, define the cluster name issuer if required (if empty, it is created by a self-signed issuer). | "" |
 | tls.generateCerts.duration | In case of cert-manager integration, define the duration (days) of created certificate using cert-manager. | 365 |
 | tls.generateCerts.subjectAlternativeName.additionalDnsNames | In case of cert-manager integration, additional trusted DNS names in the certificate. | [] |