{{- /*
Renders the Kong admin API Service and, when admin.ingress.enabled is set, an Ingress for it.
The Service/Ingress calls sit behind deployment.kong.enabled, admin.enabled and at least one of
the admin.http / admin.tls listeners being enabled (the closing end actions are not shown in this listing).
NOTE(review): admin.http.enabled puts a plaintext listener on this Service, and admin.ingress.enabled
publishes the admin API through an Ingress. Confirm that everything able to reach either one is meant
to administer the gateway (TLS with client verification, NetworkPolicy, or source allow-listing).
*/ -}}
1 {{- if .Values.deployment.kong.enabled }}
2 {{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}}
{{- /*
Argument for the shared kong.service / kong.ingress templates: the admin values merged into a fresh
dict, plus names and labels computed from the root context. The set calls below add keys to this
dict, not to .Values.admin.
*/ -}}
3 {{- $serviceConfig := dict -}}
4 {{- $serviceConfig := merge $serviceConfig .Values.admin -}}
5 {{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
6 {{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
7 {{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
8 {{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
9 {{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
10 {{- $_ := set $serviceConfig "serviceName" "admin" -}}
11 {{- include "kong.service" $serviceConfig }}
12 {{ if .Values.admin.ingress.enabled }}
14 {{ include "kong.ingress" $serviceConfig }}
{{- /*
adminApiService.certSecretName: name of the admin API keypair Secret.
Uses ingressController.adminApi.tls.client.secretName when it is set, otherwise
"<kong.fullname>-admin-api-keypair".
*/ -}}
19 {{- define "adminApiService.certSecretName" -}}
20 {{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}}
{{- /*
adminApiService.caSecretName: name of the Secret holding the CA keypair for the admin API certificate.
Uses ingressController.adminApi.tls.client.caSecretName when it is set, otherwise
"<kong.fullname>-admin-api-ca-keypair".
*/ -}}
23 {{- define "adminApiService.caSecretName" -}}
24 {{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}}
{{- /*
Certificate material for admin API client verification.
When ingressController.adminApi.tls.client.enabled is set and certProvided is not, a CA and a
certificate signed by it are generated at render time. If Secrets with the expected names already
exist in the release namespace, their tls.crt / tls.key data replaces the freshly generated values.
The if/end actions guarding the reuse branches are not shown in this listing.
*/ -}}
27 {{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
28 {{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
30 {{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
31 {{- if and $clientVerifyEnabled (not $clientCertProvided) }}
32 {{- $certCert := "" -}}
33 {{- $certKey := "" -}}
{{- /*
CN is admin.<namespace>.svc. genCA creates a CA named "admin-api-ca"; genSignedCert issues a
certificate with no IP SANs (nil) and a single DNS SAN equal to the CN. Both are valid for 3650 days.
NOTE(review): that is a ten-year lifetime for the CA and the leaf, and no rotation path is visible
in this template. Confirm this matches the certificate policy for the cluster.
*/ -}}
35 {{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
36 {{- $ca := genCA "admin-api-ca" 3650 -}}
37 {{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
39 {{- $certCert = $cert.Cert -}}
40 {{- $certKey = $cert.Key -}}
{{- /*
NOTE(review): Helm's lookup returns an empty result when the chart is rendered without cluster access
(helm template, client-side --dry-run). In those flows the reuse below cannot happen, so each render
produces a new CA and certificate. Confirm that is acceptable for GitOps-style pipelines, or supply
the certificate and set certProvided.
NOTE(review): the reused Secret data is taken as-is. Nothing visible here checks expiry or that the
certificate chains to the CA held in the CA Secret.
*/ -}}
41 {{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}}
42 {{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
44 {{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
45 {{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
48 {{- $caCert := $ca.Cert -}}
49 {{- $caKey := $ca.Key -}}
50 {{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}}
51 {{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}}
53 {{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
54 {{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
{{/* kubernetes.io/tls Secret with the admin API certificate and its private key, generated at render time or reused from the cluster. */}}
61 name: {{ template "adminApiService.certSecretName" . }}
62 namespace: {{ template "kong.namespace" . }}
64 {{- include "kong.metaLabels" . | nindent 4 }}
65 type: kubernetes.io/tls
67 tls.crt: {{ b64enc $certCert }}
68 tls.key: {{ b64enc $certKey }}
{{/*
kubernetes.io/tls Secret with the CA certificate and the CA private key.
NOTE(review): anyone who can read this Secret can sign new certificates under this CA. Limit
get/list/watch on Secrets in this namespace accordingly, and confirm the CA key needs to be kept
in the cluster at all.
*/}}
73 name: {{ template "adminApiService.caSecretName" . }}
74 namespace: {{ template "kong.namespace" . }}
76 {{- include "kong.metaLabels" . | nindent 4 }}
77 type: kubernetes.io/tls
79 tls.crt: {{ b64enc $caCert }}
80 tls.key: {{ b64enc $caKey }}
{{- /*
Publishes the client CA certificate as the ConfigMap "<kong.fullname>-admin-client-ca" (key tls.crt)
when admin.tls.client.secretName or admin.tls.client.caBundle is set. Only the certificate is
copied; no private key is read into the ConfigMap. Some if/else/end actions of this section are
not shown in this listing.
*/ -}}
83 {{- /* Create a CA ConfigMap for Kong. */ -}}
84 {{- $secretProvided := $.Values.admin.tls.client.secretName -}}
85 {{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
87 {{- if or $secretProvided $bundleProvided -}}
{{- /*
Secret source: tls.crt is read from the named Secret in the release namespace via lookup, and
rendering aborts with "<namespace>/<name> secret not found" through the fail call below.
NOTE(review): lookup returns an empty result without cluster access (helm template, client-side
--dry-run), which would presumably take the fail path. Confirm how offline rendering should behave.
*/ -}}
90 {{- if $secretProvided -}}
91 {{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
93 {{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
95 {{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- /*
Bundle source: assigned after the Secret branch, so when both values are set the inline caBundle
replaces the certificate read from the Secret.
NOTE(review): that override is silent. Confirm it is intended, since it changes which CA the admin
API trusts for client certificates.
*/ -}}
99 {{- if $bundleProvided -}}
100 {{- $cert = $.Values.admin.tls.client.caBundle -}}
107 name: {{ template "kong.fullname" . }}-admin-client-ca
108 namespace: {{ template "kong.namespace" . }}
110 {{- include "kong.metaLabels" . | nindent 4 }}
112 tls.crt: {{ $cert | quote }}