-{{- if .Values.admin.enabled -}}
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.admin -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "admin" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.admin.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "adminApiService.certSecretName" -}}
+ {{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}}
+{{- end -}}
+
+{{- define "adminApiService.caSecretName" -}}
+ {{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}}
+{{- end -}}
+
+{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
+{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
+
+{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
+{{- if and $clientVerifyEnabled (not $clientCertProvided) }}
+{{- $certCert := "" -}}
+{{- $certKey := "" -}}
+
+{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
+{{- $ca := genCA "admin-api-ca" 3650 -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
+
+{{- $certCert = $cert.Cert -}}
+{{- $certKey = $cert.Key -}}
+{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
+{{- if $certSecret }}
+{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
+{{- end }}
+
+{{- $caCert := $ca.Cert -}}
+{{- $caKey := $ca.Key -}}
+{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}}
+{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}}
+{{- if $caSecret }}
+{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
+{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
+{{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "adminApiService.certSecretName" . }}
+ namespace: {{ template "kong.namespace" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ b64enc $certCert }}
+ tls.key: {{ b64enc $certKey }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "adminApiService.caSecretName" . }}
+ namespace: {{ template "kong.namespace" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ b64enc $caCert }}
+ tls.key: {{ b64enc $caKey }}
+{{- end }}
+
+{{- /* Create a CA ConfigMap for Kong. */ -}}
+{{- $secretProvided := $.Values.admin.tls.client.secretName -}}
+{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
+
+{{- if or $secretProvided $bundleProvided -}}
+{{- $cert := "" -}}
+
+{{- if $secretProvided -}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
+{{- if $certSecret }}
+{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- else -}}
+{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
+{{- end }}
+{{- end }}
+
+{{- if $bundleProvided -}}
+{{- $cert = $.Values.admin.tls.client.caBundle -}}
+{{- end }}
+
+---
apiVersion: v1
-kind: Service
+kind: ConfigMap
metadata:
- name: {{ template "kong.fullname" . }}-admin
- annotations:
- {{- range $key, $value := .Values.admin.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ name: {{ template "kong.fullname" . }}-admin-client-ca
+ namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
-spec:
- type: {{ .Values.admin.type }}
- {{- if eq .Values.admin.type "LoadBalancer" }}
- {{- if .Values.admin.loadBalancerIP }}
- loadBalancerIP: {{ .Values.admin.loadBalancerIP }}
- {{- end }}
- {{- if .Values.admin.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
- {{- range $cidr := .Values.admin.loadBalancerSourceRanges }}
- - {{ $cidr }}
- {{- end }}
- {{- end }}
- {{- end }}
- ports:
- - name: kong-admin
- port: {{ .Values.admin.servicePort }}
- targetPort: {{ .Values.admin.containerPort }}
- {{- if (and (eq .Values.admin.type "NodePort") (not (empty .Values.admin.nodePort))) }}
- nodePort: {{ .Values.admin.nodePort }}
- {{- end }}
- protocol: TCP
- selector:
- {{- include "kong.selectorLabels" . | nindent 4 }}
+data:
+ tls.crt: {{ $cert | quote }}
{{- end -}}
Code Review / ric-plt / ric-dep.git / blobdiff