116 lines
4.7 KiB
Smarty
116 lines
4.7 KiB
Smarty
{{- define "clustermesh-apiserver-generate-certs.job.spec" }}
|
|
{{- $certValidityStr := printf "%dh" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) -}}
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
k8s-app: clustermesh-apiserver-generate-certs
|
|
{{- with .Values.clustermesh.apiserver.podLabels }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
containers:
|
|
- name: certgen
|
|
image: {{ include "cilium.image" .Values.certgen.image | quote }}
|
|
imagePullPolicy: {{ .Values.certgen.image.pullPolicy }}
|
|
command:
|
|
- "/usr/bin/cilium-certgen"
|
|
args:
|
|
{{- if .Values.debug.enabled }}
|
|
- "--debug"
|
|
{{- end }}
|
|
- "--ca-generate"
|
|
- "--ca-reuse-secret"
|
|
- "--ca-secret-namespace={{ .Release.Namespace }}"
|
|
- "--ca-secret-name=cilium-ca"
|
|
- "--ca-common-name=Cilium CA"
|
|
env:
|
|
- name: CILIUM_CERTGEN_CONFIG
|
|
value: |
|
|
certs:
|
|
- name: clustermesh-apiserver-server-cert
|
|
namespace: {{ .Release.Namespace }}
|
|
commonName: "clustermesh-apiserver.cilium.io"
|
|
hosts:
|
|
- "clustermesh-apiserver.cilium.io"
|
|
- "*.mesh.cilium.io"
|
|
- "clustermesh-apiserver.{{ .Release.Namespace }}.svc"
|
|
{{- range $dns := .Values.clustermesh.apiserver.tls.server.extraDnsNames }}
|
|
- {{ $dns | quote }}
|
|
{{- end }}
|
|
- "127.0.0.1"
|
|
- "::1"
|
|
{{- range $ip := .Values.clustermesh.apiserver.tls.server.extraIpAddresses }}
|
|
- {{ $ip | quote }}
|
|
{{- end }}
|
|
usage:
|
|
- signing
|
|
- key encipherment
|
|
- server auth
|
|
validity: {{ $certValidityStr }}
|
|
- name: clustermesh-apiserver-admin-cert
|
|
namespace: {{ .Release.Namespace }}
|
|
commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . | quote }}
|
|
usage:
|
|
- signing
|
|
- key encipherment
|
|
- client auth
|
|
validity: {{ $certValidityStr }}
|
|
{{- if .Values.clustermesh.useAPIServer }}
|
|
- name: clustermesh-apiserver-remote-cert
|
|
namespace: {{ .Release.Namespace }}
|
|
commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . | quote }}
|
|
usage:
|
|
- signing
|
|
- key encipherment
|
|
- client auth
|
|
validity: {{ $certValidityStr }}
|
|
{{- end }}
|
|
{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled }}
|
|
- name: clustermesh-apiserver-local-cert
|
|
namespace: {{ .Release.Namespace }}
|
|
commonName: {{ include "clustermesh-apiserver-generate-certs.local-common-name" . | quote }}
|
|
usage:
|
|
- signing
|
|
- key encipherment
|
|
- client auth
|
|
validity: {{ $certValidityStr }}
|
|
{{- end }}
|
|
{{- if .Values.externalWorkloads.enabled }}
|
|
- name: clustermesh-apiserver-client-cert
|
|
namespace: {{ .Release.Namespace }}
|
|
commonName: "externalworkload"
|
|
usage:
|
|
- signing
|
|
- key encipherment
|
|
- client auth
|
|
validity: {{ $certValidityStr }}
|
|
{{- end }}
|
|
{{- with .Values.certgen.extraVolumeMounts }}
|
|
volumeMounts:
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
hostNetwork: true
|
|
{{- with .Values.certgen.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
serviceAccount: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }}
|
|
serviceAccountName: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }}
|
|
automountServiceAccountToken: {{ .Values.serviceAccounts.clustermeshcertgen.automount }}
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
restartPolicy: OnFailure
|
|
{{- with .Values.certgen.extraVolumes }}
|
|
volumes:
|
|
{{- toYaml . | nindent 6 }}
|
|
{{- end }}
|
|
affinity:
|
|
{{- with .Values.certgen.affinity }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }}
|
|
{{- end }}
|