X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=helm%2Finfrastructure%2Fsubcharts%2Fkong%2Ftemplates%2Fservice-kong-admin.yaml;fp=helm%2Finfrastructure%2Fsubcharts%2Fkong%2Ftemplates%2Fservice-kong-admin.yaml;h=d005016530f46e9dd493b6c52c6a81cb6cc2d033;hb=75c0de3cae4b58e001f7ec715f13f82ded10e678;hp=6e561494e249e7048c0ec860d863f3033b54b471;hpb=7799f9c20d56ceaab38178b7083ed66e63312a0c;p=ric-plt%2Fric-dep.git
diff --git a/helm/infrastructure/subcharts/kong/templates/service-kong-admin.yaml b/helm/infrastructure/subcharts/kong/templates/service-kong-admin.yaml
index 6e56149..d005016 100644
--- a/helm/infrastructure/subcharts/kong/templates/service-kong-admin.yaml
+++ b/helm/infrastructure/subcharts/kong/templates/service-kong-admin.yaml
@@ -1,35 +1,113 @@
-{{- if .Values.admin.enabled -}}
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.admin -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "admin" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.admin.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "adminApiService.certSecretName" -}}
+  {{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}}
+{{- end -}}
+
+{{- define "adminApiService.caSecretName" -}}
+  {{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}}
+{{- end -}}
+
+{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
+{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
+
+{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
+{{- if and $clientVerifyEnabled (not $clientCertProvided) }}
+{{- $certCert := "" -}}
+{{- $certKey := "" -}}
+
+{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
+{{- $ca := genCA "admin-api-ca" 3650 -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
+
+{{- $certCert = $cert.Cert -}}
+{{- $certKey = $cert.Key -}}
+{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
+{{- if $certSecret }}
+{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
+{{- end }}
+
+{{- $caCert := $ca.Cert -}}
+{{- $caKey := $ca.Key -}}
+{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}}
+{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}}
+{{- if $caSecret }}
+{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
+{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
+{{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "adminApiService.certSecretName" . }}
+ namespace: {{ template "kong.namespace" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ b64enc $certCert }}
+ tls.key: {{ b64enc $certKey }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "adminApiService.caSecretName" . }}
+ namespace: {{ template "kong.namespace" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ b64enc $caCert }}
+ tls.key: {{ b64enc $caKey }}
+{{- end }}
+
+{{- /* Create a CA ConfigMap for Kong. */ -}}
+{{- $secretProvided := $.Values.admin.tls.client.secretName -}}
+{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
+
+{{- if or $secretProvided $bundleProvided -}}
+{{- $cert := "" -}}
+
+{{- if $secretProvided -}}
+{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
+{{- if $certSecret }}
+{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
+{{- else -}}
+{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
+{{- end }}
+{{- end }}
+
+{{- if $bundleProvided -}}
+{{- $cert = $.Values.admin.tls.client.caBundle -}}
+{{- end }}
+
+---
 apiVersion: v1
-kind: Service
+kind: ConfigMap
 metadata:
- name: {{ template "kong.fullname" . }}-admin
- annotations:
- {{- range $key, $value := .Values.admin.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ name: {{ template "kong.fullname" . }}-admin-client-ca
+ namespace: {{ template "kong.namespace" . }}
 labels:
 {{- include "kong.metaLabels" . | nindent 4 }}
-spec:
- type: {{ .Values.admin.type }}
- {{- if eq .Values.admin.type "LoadBalancer" }}
- {{- if .Values.admin.loadBalancerIP }}
- loadBalancerIP: {{ .Values.admin.loadBalancerIP }}
- {{- end }}
- {{- if .Values.admin.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
- {{- range $cidr := .Values.admin.loadBalancerSourceRanges }}
- - {{ $cidr }}
- {{- end }}
- {{- end }}
- {{- end }}
- ports:
- - name: kong-admin
- port: {{ .Values.admin.servicePort }}
- targetPort: {{ .Values.admin.containerPort }}
- {{- if (and (eq .Values.admin.type "NodePort") (not (empty .Values.admin.nodePort))) }}
- nodePort: {{ .Values.admin.nodePort }}
- {{- end }}
- protocol: TCP
- selector:
- {{- include "kong.selectorLabels" . | nindent 4 }}
+data:
+ tls.crt: {{ $cert | quote }}
 {{- end -}}
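Review bot: In the generated-keypair path, `{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}` signs the leaf with a freshly generated CA before the CA Secret is consulted, so whenever only one of the two Secrets already exists (the CA Secret survives but the cert Secret was deleted or rotated, or the reverse) the persisted leaf and the persisted CA no longer match: the leaf is signed by a CA whose cert/key are then discarded in favour of the stored CA, and client verification on the admin API fails. Move the CA lookup ahead of the leaf generation and rebuild `$ca` from the stored data with `buildCustomCert`, after which the later `$caSecret`/`$caCert`/`$caKey` override block is redundant and can be dropped. Separately, `lookup` returns an empty result under `helm template` and `--dry-run`, so on those paths both keypairs are regenerated on every render; a comment next to the lookups saying so would save the next reader some debugging. The 3650-day validity used for both `genCA` and `genSignedCert` is hardcoded; exposing it as a value would make the rotation policy configurable.
```yaml
{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
{{- $ca := genCA "admin-api-ca" 3650 -}}
{{- /* Reuse the persisted CA, if any, so the leaf below is signed by the CA that is actually stored. */ -}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .)) -}}
{{- if $caSecret }}
{{- $ca = buildCustomCert (get $caSecret.data "tls.crt") (get $caSecret.data "tls.key") -}}
{{- end }}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- /* … unchanged: $certCert/$certKey assignment and cert Secret lookup … */ -}}
{{- $caCert := $ca.Cert -}}
{{- $caKey := $ca.Key -}}
{{- /* … unchanged: Secret manifests … */ -}}
```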