Posted to commits@datalab.apache.org by my...@apache.org on 2020/10/27 07:16:42 UTC
[incubator-datalab] branch DATALAB-2102 updated: [DLAB-2102]:
step-ca fixed
This is an automated email from the ASF dual-hosted git repository.
mykolabodnar pushed a commit to branch DATALAB-2102
in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git
The following commit(s) were added to refs/heads/DATALAB-2102 by this push:
new 5904888 [DLAB-2102]: step-ca fixed
5904888 is described below
commit 5904888510abda2e949013a3d33255adb07143ad
Author: bodnarmykola <bo...@gmail.com>
AuthorDate: Tue Oct 27 09:14:07 2020 +0200
[DLAB-2102]: step-ca fixed
---
.../terraform/gcp/ssn-gke/main/main.tf | 1 +
.../datalab-billing-chart/templates/service.yaml | 42 ++--
.../gcp/ssn-gke/main/modules/helm_charts/main.tf | 4 +-
.../modules/helm_charts/step-ca-chart/Chart.yaml | 53 +++---
.../step-ca-chart/templates/bootstrap.yaml | 36 ++--
.../helm_charts/step-ca-chart/templates/ca.yaml | 212 +++++++++++----------
.../step-ca-chart/templates/configmaps.yaml | 166 +++++++---------
.../step-ca-chart/templates/ingress.yaml | 87 ++++-----
.../helm_charts/step-ca-chart/templates/rbac.yaml | 16 +-
.../step-ca-chart/templates/secrets.yaml | 8 +-
.../step-ca-chart/templates/service.yaml | 15 +-
.../templates/tests/test-connection.yaml | 6 +-
.../modules/helm_charts/step-ca-chart/values.yaml | 15 +-
13 files changed, 328 insertions(+), 333 deletions(-)
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf
index 6521774..5d8ed9b 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf
@@ -20,6 +20,7 @@
# ******************************************************************************
provider "google" {
+ version = "3.3.0"
credentials = file(var.credentials_file_path)
project = var.project_id
region = var.region
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/datalab-billing-chart/templates/service.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/datalab-billing-chart/templates/service.yaml
index c840f1d..dbd35e1 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/datalab-billing-chart/templates/service.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/datalab-billing-chart/templates/service.yaml
@@ -1,25 +1,25 @@
{{- /*
- # *****************************************************************************
- #
- # Licensed to the Apache Software Foundation (ASF) under one
- # or more contributor license agreements. See the NOTICE file
- # distributed with this work for additional information
- # regarding copyright ownership. The ASF licenses this file
- # to you under the Apache License, Version 2.0 (the
- # "License"); you may not use this file except in compliance
- # with the License. You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing,
- # software distributed under the License is distributed on an
- # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- # KIND, either express or implied. See the License for the
- # specific language governing permissions and limitations
- # under the License.
- #
- # ******************************************************************************
- */ -}}
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+*/ -}}
apiVersion: v1
kind: Service
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/main.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/main.tf
index e52fb06..6742ccd 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/main.tf
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/main.tf
@@ -28,6 +28,7 @@ data "google_container_cluster" "ssn_k8s_gke_cluster" {
data "google_client_config" "current" {}
provider "helm" {
+ version = "0.10"
kubernetes {
host = data.google_container_cluster.ssn_k8s_gke_cluster.endpoint
@@ -36,12 +37,13 @@ provider "helm" {
client_key = base64decode(data.google_container_cluster.ssn_k8s_gke_cluster.master_auth.0.client_key)
cluster_ca_certificate = base64decode(data.google_container_cluster.ssn_k8s_gke_cluster.master_auth.0.cluster_ca_certificate)
}
- version = "~> 0.10.5"
+
install_tiller = true
service_account = kubernetes_service_account.tiller_sa.metadata.0.name
}
provider "kubernetes" {
+ version = "1.10.0"
load_config_file = false
host = data.google_container_cluster.ssn_k8s_gke_cluster.endpoint
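Review bot: `version = "0.10"` on the helm provider is not a restatement of the removed `~> 0.10.5` constraint but an exact pin to 0.10.0, because an unprefixed Terraform version constraint means `=`; this silently steps back to the first 0.10 release and drops the 0.10.x fixes the old constraint allowed. If the goal is reproducible provider resolution, pin the patch release that was actually tested, e.g. `version = "0.10.5"`, or restore `version = "~> 0.10.5"` if the intent was only to move the constraint next to the other providers. `install_tiller = true` is unchanged context, but since this hunk now fixes the provider line it is a good place to record in a comment that the module deploys Helm 2 Tiller under the `tiller_sa` service account, which holds cluster-changing permissions, so operators know what they are running.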
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/Chart.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/Chart.yaml
index d133831..d7e6eab 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/Chart.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/Chart.yaml
@@ -20,33 +20,32 @@
# ******************************************************************************
apiVersion: v1
-appVersion: 0.13.2
-description: An online certificate authority and related tools for secure automated
- certificate management, so you can use TLS everywhere.
-engine: gotpl
+name: step-certificates
+version: 1.15.5
+appVersion: 0.15.5
+description: An online certificate authority and related tools for secure automated certificate management, so you can use TLS everywhere.
+keywords:
+ - acme
+ - authority
+ - ca
+ - certificate
+ - certificates
+ - certificate-authority
+ - kubernetes
+ - pki
+ - security
+ - security-tools
+ - smallstep
+ - ssh
+ - step
+ - step-ca
+ - tls
+ - x509
home: https://smallstep.com
icon: https://raw.githubusercontent.com/smallstep/certificates/master/icon.png
-keywords:
- - acme
-- authority
-- ca
-- certificate
-- certificates
-- certificate-authority
-- kubernetes
-- pki
-- security
-- security-tools
-- smallstep
-- ssh
-- step
-- step-ca
-- tls
-- x509
-maintainers:
-- email: mariano@smallstep.com
- name: Mariano Cano
-name: step-certificates
sources:
-- https://github.com/smallstep/certificates
-version: 1.13.2
\ No newline at end of file
+ - https://github.com/smallstep/certificates
+maintainers:
+ - name: Mariano Cano
+ email: mariano@smallstep.com
+engine: gotpl
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/bootstrap.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/bootstrap.yaml
index 3e67b22..e671910 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/bootstrap.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/bootstrap.yaml
@@ -19,25 +19,25 @@
#
# ******************************************************************************
- {{- if .Release.IsInstall -}}
+{{- if .Release.IsInstall -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "step-certificates.fullname" . }}-config
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
- {{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
---
apiVersion: batch/v1
kind: Job
metadata:
- name: "{{.Release.Name}}"
+ name: "{{ .Release.Name }}"
labels:
-{{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
spec:
template:
metadata:
- name: "{{.Release.Name}}"
+ name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/name: {{ include "step-certificates.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
@@ -45,16 +45,16 @@ spec:
serviceAccountName: {{ include "step-certificates.fullname" . }}-config
restartPolicy: Never
volumes:
- - name: bootstrap
- configMap:
- name: {{ include "step-certificates.fullname" . }}-bootstrap
+ - name: bootstrap
+ configMap:
+ name: {{ include "step-certificates.fullname" . }}-bootstrap
containers:
- - name: config
- image: "{{ .Values.bootstrapImage.repository }}:{{ .Values.bootstrapImage.tag }}"
- imagePullPolicy: {{ .Values.bootstrapImage.pullPolicy }}
- command: ["/bin/sh", "/home/step/bootstrap/bootstrap.sh"]
- volumeMounts:
- - name: bootstrap
- mountPath: /home/step/bootstrap
- readOnly: true
-{{- end -}}
\ No newline at end of file
+ - name: config
+ image: "{{ .Values.bootstrapImage.repository }}:{{ .Values.bootstrapImage.tag }}"
+ imagePullPolicy: {{ .Values.bootstrapImage.pullPolicy }}
+ command: ["/bin/sh", "/home/step/bootstrap/bootstrap.sh"]
+ volumeMounts:
+ - name: bootstrap
+ mountPath: /home/step/bootstrap
+ readOnly: true
+{{- end }}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ca.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ca.yaml
index 14e5f75..e0c01b3 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ca.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ca.yaml
@@ -24,7 +24,7 @@ kind: StatefulSet
metadata:
name: {{ include "step-certificates.fullname" . }}
labels:
- {{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
spec:
# Only one replica is supported at this moment
# Requested {{ .Values.replicaCount }}
@@ -39,102 +39,106 @@ spec:
labels:
app.kubernetes.io/name: {{ include "step-certificates.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
- app: {{ include "step-certificates.fullname" . }}
spec:
-{{- if .Release.IsInstall }}
-initContainers:
- - name: {{ .Chart.Name }}-init
- image: busybox:latest
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command: ["sleep", "20"]
-{{- end }}
-securityContext:
- {{- if .Values.ca.runAsRoot }}
- runAsUser: 0
- {{- else }}
- runAsUser: 1000
- runAsNonRoot: true
- runAsGroup: 1000
- fsGroup: 1000
- allowPrivilegeEscalation: false
- {{- end }}
-containers:
- - name: {{ .Chart.Name }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command: ["/usr/local/bin/step-ca",
- "--password-file", "/home/step/secrets/passwords/password",
- "/home/step/config/ca.json"]
- env:
- - name: NAMESPACE
- value: "{{ .Release.Namespace }}"
- ports:
- - name: https
- containerPort: {{ .Values.service.targetPort }}
- protocol: TCP
- livenessProbe:
- initialDelaySeconds: 5
- httpGet:
- path: /health
- port: {{ .Values.service.targetPort }}
- scheme: HTTPS
- readinessProbe:
- initialDelaySeconds: 5
- httpGet:
- path: /health
- port: {{ .Values.service.targetPort }}
- scheme: HTTPS
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- volumeMounts:
+ {{- if .Release.IsInstall }}
+ initContainers:
+ - name: {{ .Chart.Name }}-init
+ image: busybox:latest
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: ["sleep", "20"]
+ {{- end }}
+ securityContext:
+ {{- if .Values.ca.runAsRoot }}
+ runAsUser: 0
+ {{- else }}
+ runAsUser: 1000
+ runAsNonRoot: true
+ runAsGroup: 1000
+ fsGroup: 1000
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: [
+ "/usr/local/bin/step-ca",
+ "--password-file", "/home/step/secrets/passwords/password",
+ "/home/step/config/ca.json"
+ ]
+ env:
+ - name: NAMESPACE
+ value: "{{ .Release.Namespace }}"
+ ports:
+ - name: https
+ containerPort: {{ .Values.service.targetPort }}
+ protocol: TCP
+ livenessProbe:
+ initialDelaySeconds: 5
+ httpGet:
+ path: /health
+ port: {{ .Values.service.targetPort }}
+ scheme: HTTPS
+ readinessProbe:
+ initialDelaySeconds: 5
+ httpGet:
+ path: /health
+ port: {{ .Values.service.targetPort }}
+ scheme: HTTPS
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- if not .Values.ca.runAsRoot }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
+ volumeMounts:
+ - name: certs
+ mountPath: /home/step/certs
+ readOnly: true
+ - name: config
+ mountPath: /home/step/config
+ readOnly: true
+ - name: secrets
+ mountPath: /home/step/secrets
+ readOnly: true
+ - name: ca-password
+ mountPath: /home/step/secrets/passwords
+ readOnly: true
+ {{- if .Values.ca.db.enabled }}
+ - name: database
+ mountPath: /home/step/db
+ readOnly: false
+ {{- end }}
+ volumes:
- name: certs
- mountPath: /home/step/certs
- readOnly: true
+ configMap:
+ name: {{ include "step-certificates.fullname" . }}-certs
- name: config
- mountPath: /home/step/config
- readOnly: true
+ configMap:
+ name: {{ include "step-certificates.fullname" . }}-config
- name: secrets
- mountPath: /home/step/secrets
- readOnly: true
+ configMap:
+ name: {{ include "step-certificates.fullname" . }}-secrets
- name: ca-password
- mountPath: /home/step/secrets/passwords
- readOnly: true
- {{- if .Values.ca.db.enabled }}
- - name: database
- mountPath: /home/step/db
- readOnly: false
- {{- end }}
-volumes:
- - name: certs
- configMap:
- name: {{ include "step-certificates.fullname" . }}-certs
- - name: config
-configMap:
- name: {{ include "step-certificates.fullname" . }}-config
- - name: secrets
-configMap:
- name: {{ include "step-certificates.fullname" . }}-secrets
- - name: ca-password
-secret:
- secretName: {{ include "step-certificates.fullname" . }}-ca-password
- {{- if and .Values.ca.db.enabled (not .Values.ca.db.persistent) }}
- - name: database
-emptyDir: {}
- {{- end }}
- {{- with .Values.nodeSelector }}
-nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
-affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
-tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
-{{- if and .Values.ca.db.enabled .Values.ca.db.persistent }}
-volumeClaimTemplates:
+ secret:
+ secretName: {{ include "step-certificates.fullname" . }}-ca-password
+ {{- if and .Values.ca.db.enabled (not .Values.ca.db.persistent) }}
+ - name: database
+ emptyDir: {}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.ca.db.enabled .Values.ca.db.persistent }}
+ volumeClaimTemplates:
- metadata:
name: database
labels:
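Review bot: The init container still runs `image: busybox:latest`, an unpinned floating tag, while the CA container itself takes its image and tag from values; for the pod that holds the CA's private key material that is an unnecessary supply-chain exposure and makes the `sleep 20` stall non-reproducible across pulls. Source it from values like the main image, e.g. `image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"`, and set a versioned tag or a digest in values.yaml (values.yaml changes in this commit, but its hunk is not shown here). Moving `allowPrivilegeEscalation: false` from the pod-level `securityContext` into the container's is correct, as that field only exists on the container security context and was silently ignored before; since every mount except the database is already `readOnly: true`, `readOnlyRootFilesystem: true` and `capabilities: { drop: ["ALL"] }` would fit in the same container-level block. The StatefulSet spec continues past the end of this hunk.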
@@ -144,16 +148,22 @@ volumeClaimTemplates:
spec:
accessModes:
{{- range .Values.ca.db.accessModes }}
- - {{ . | quote }}
+ - {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.ca.db.size | quote }}
- {{- if .Values.ca.db.storageClass }}
- {{- if (eq "-" .Values.ca.db.storageClass) }}
- storageClassName: ""
- {{- else }}
- storageClassName: {{ .Values.ca.db.storageClass | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
\ No newline at end of file
+ {{ if .Values.ca.db.existingClaim }}
+ selector:
+ matchLabels:
+ name: {{ .Values.ca.db.existingClaim | quote }}
+ {{- else }}
+ {{- if .Values.ca.db.storageClass }}
+ {{- if (eq "-" .Values.ca.db.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: {{ .Values.ca.db.storageClass | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
\ No newline at end of file
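Review bot: The new `existingClaim` branch does not do what its name suggests: the value is used as a PersistentVolume label selector, `selector.matchLabels.name: <existingClaim>`, on the generated PVC, not as the name of an existing PersistentVolumeClaim, so a user who supplies a PVC name will get a pending claim that never binds. Either document the contract above the block, e.g. `# ca.db.existingClaim: label value; the pre-created PersistentVolume must carry label name=<existingClaim>`, or rename the value to something like `ca.db.volumeSelectorName`. Also, `{{ if .Values.ca.db.existingClaim }}` is the only action in this block without a left-trim marker and emits an indented whitespace-only line into the rendered manifest; `{{- if .Values.ca.db.existingClaim }}` keeps it consistent with the surrounding `{{- else }}`/`{{- end }}`.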
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/configmaps.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/configmaps.yaml
index dc15383..e06c987 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/configmaps.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/configmaps.yaml
@@ -27,141 +27,123 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "step-certificates.fullname" . }}-config
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
-{{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "step-certificates.fullname" . }}-certs
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
-{{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
---
apiVersion: v1
-data:
- intermediate_ca_key: ""
- root_ca_key: ""
kind: ConfigMap
metadata:
name: {{ include "step-certificates.fullname" . }}-secrets
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
-{{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "step-certificates.fullname" . }}-bootstrap
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
-{{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
data:
bootstrap.sh: |-
#!/bin/sh
STEPPATH=/home/step
echo -e "\e[1mWelcome to Step Certificates configuration.\e[0m\n"
-
function permission_error () {
echo -e "\033[0;31mPERMISSION ERROR:\033[0m $1\n"
exit 1
}
-
function kbreplace() {
kubectl $@ -o yaml --dry-run | kubectl replace -f -
}
-
echo -e "\e[1mConfiguring kubctl with service account...\e[0m"
# Use the service account context
kubectl config set-cluster cfc --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
kubectl config set-credentials bootstrap --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
kubectl config set-context cfc --cluster=cfc --user=bootstrap
kubectl config use-context cfc
-
echo -e "\n\e[1mChecking cluster permissions...\e[0m"
- echo -n "Checking for permission to create configmaps in {{.Release.Namespace}} namespace: "
- kubectl auth can-i create configmaps --namespace {{.Release.Namespace}}
+ echo -n "Checking for permission to create configmaps in {{ .Release.Namespace }} namespace: "
+ kubectl auth can-i create configmaps --namespace {{ .Release.Namespace }}
if [ $? -ne 0 ]; then
permission_error "create configmaps"
fi
-
- echo -n "Checking for permission to create secrets in {{.Release.Namespace}} namespace: "
- kubectl auth can-i create secrets --namespace {{.Release.Namespace}}
+ echo -n "Checking for permission to create secrets in {{ .Release.Namespace }} namespace: "
+ kubectl auth can-i create secrets --namespace {{ .Release.Namespace }}
if [ $? -ne 0 ]; then
permission_error "create secrets"
fi
-{{ if .Values.autocert.enabled }}
-echo -n "Checking for permission to create mutatingwebhookconfiguration in {{.Release.Namespace}} namespace: "
- kubectl auth can-i create mutatingwebhookconfiguration --namespace {{.Release.Namespace}}
+ {{- if .Values.autocert.enabled }}
+ echo -n "Checking for permission to create mutatingwebhookconfiguration in {{ .Release.Namespace }} namespace: "
+ kubectl auth can-i create mutatingwebhookconfiguration --namespace {{ .Release.Namespace }}
if [ $? -ne 0 ]; then
permission_error "create mutatingwebhookconfiguration"
- fi
-{{- end }}
-
-# Setting this here on purpose, after the above section which explicitly checks
-# for and handles exit errors.
- set -e
-
- echo -e "\n\e[1mInitializating the CA...\e[0m"
-
-# CA password
-{{- if .Values.ca.password }}
- CA_PASSWORD={{ quote .Values.ca.password }}
-{{- else }}
- CA_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
-{{- end }}
-# Provisioner password
-{{- if .Values.ca.provisioner.password }}
- CA_PROVISIONER_PASSWORD={{ quote .Values.ca.provisioner.password }}
-{{- else }}
- CA_PROVISIONER_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
-{{- end }}
-
- TMP_CA_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)
- TMP_CA_PROVISIONER_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)
-
- echo $CA_PASSWORD > $TMP_CA_PASSWORD
- echo $CA_PROVISIONER_PASSWORD > $TMP_CA_PROVISIONER_PASSWORD
-
- step ca init \
- --name "{{.Values.ca.name}}" \
- --dns "{{include "step-certificates.dns" .}}" \
- --address "{{.Values.ca.address}}" \
- --provisioner "{{.Values.ca.provisioner.name}}" \
- --with-ca-url "{{include "step-certificates.url" .}}" \
- --password-file "$TMP_CA_PASSWORD" \
- --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}
-
- rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD
-
- echo -e "\n\e[1mCreating configmaps and secrets in {{.Release.Namespace}} namespace ...\e[0m"
-
- # Replace secrets created on helm install
- # It allows to properly remove them on helm delete
- kbreplace -n {{.Release.Namespace}} create configmap {{ include "step-certificates.fullname" . }}-config --from-file $(step path)/config
- kbreplace -n {{.Release.Namespace}} create configmap {{ include "step-certificates.fullname" . }}-certs --from-file $(step path)/certs
- kbreplace -n {{.Release.Namespace}} create configmap {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets
-
- kbreplace -n {{.Release.Namespace}} create secret generic {{ include "step-certificates.fullname" . }}-ca-password --from-literal "password=${CA_PASSWORD}"
- kbreplace -n {{.Release.Namespace}} create secret generic {{ include "step-certificates.fullname" . }}-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"
-
-# Label all configmaps and secrets
-kubectl -n {{.Release.Namespace}} label configmap {{ include "step-certificates.fullname" . }}-config {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
-kubectl -n {{.Release.Namespace}} label configmap {{ include "step-certificates.fullname" . }}-certs {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
-kubectl -n {{.Release.Namespace}} label configmap {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
-kubectl -n {{.Release.Namespace}} label secret {{ include "step-certificates.fullname" . }}-ca-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
-kubectl -n {{.Release.Namespace}} label secret {{ include "step-certificates.fullname" . }}-provisioner-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
-
-# Patch webhook if autocert is enabled
-{{ if .Values.autocert.enabled }}
- CA_BUNDLE=$(cat $(step path)/certs/root_ca.crt | base64 | tr -d '\n')
- kubectl patch mutatingwebhookconfigurations {{ .Release.Name }}-autocert-webhook-config \
- --type json -p="[{\"op\":\"replace\",\"path\":\"/webhooks/0/clientConfig/caBundle\",\"value\":\"$CA_BUNDLE\"}]"
-{{- end }}
-
- echo -e "\n\e[1mStep Certificates installed!\e[0m"
- echo
-echo "CA URL: {{include "step-certificates.url" .}}"
-echo "CA Fingerprint: $(step certificate fingerprint $(step path)/certs/root_ca.crt)"
- echo
\ No newline at end of file
+ fi
+ {{- end }}
+ # Setting this here on purpose, after the above section which explicitly checks
+ # for and handles exit errors.
+ set -e
+ echo -e "\n\e[1mInitializating the CA...\e[0m"
+ # CA password
+ {{- if .Values.ca.password }}
+ CA_PASSWORD={{ quote .Values.ca.password }}
+ {{- else }}
+ CA_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
+ {{- end }}
+ # Provisioner password
+ {{- if .Values.ca.provisioner.password }}
+ CA_PROVISIONER_PASSWORD={{ quote .Values.ca.provisioner.password }}
+ {{- else }}
+ CA_PROVISIONER_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
+ {{- end }}
+ TMP_CA_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)
+ TMP_CA_PROVISIONER_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)
+ echo $CA_PASSWORD > $TMP_CA_PASSWORD
+ echo $CA_PROVISIONER_PASSWORD > $TMP_CA_PROVISIONER_PASSWORD
+ step ca init \
+ --name "{{.Values.ca.name}}" \
+ --dns "{{include "step-certificates.dns" .}}" \
+ --address "{{.Values.ca.address}}" \
+ --provisioner "{{.Values.ca.provisioner.name}}" \
+ --with-ca-url "{{include "step-certificates.url" .}}" \
+ --password-file "$TMP_CA_PASSWORD" \
+ --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}
+ rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD
+ {{- if .Values.ca.bootstrap.postInitHook }}
+ {{ .Values.ca.bootstrap.postInitHook | nindent 4 }}
+ {{- end }}
+ echo -e "\n\e[1mCreating configmaps and secrets in {{ .Release.Namespace }} namespace ...\e[0m"
+ # Replace secrets created on helm install
+ # It allows to properly remove them on helm delete
+ kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-config --from-file $(step path)/config
+ kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-certs --from-file $(step path)/certs
+ kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets
+ kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-ca-password --from-literal "password=${CA_PASSWORD}"
+ kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"
+ # Label all configmaps and secrets
+ kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-config {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
+ kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-certs {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
+ kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
+ kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-ca-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
+ kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-provisioner-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
+ # Patch webhook if autocert is enabled
+ {{- if .Values.autocert.enabled }}
+ CA_BUNDLE=$(cat $(step path)/certs/root_ca.crt | base64 | tr -d '\n')
+ kubectl patch mutatingwebhookconfigurations {{ .Release.Name }}-autocert-webhook-config \
+ --type json -p="[{\"op\":\"replace\",\"path\":\"/webhooks/0/clientConfig/caBundle\",\"value\":\"$CA_BUNDLE\"}]"
+ {{- end }}
+ echo -e "\n\e[1mStep Certificates installed!\e[0m"
+ echo
+ echo "CA URL: {{include "step-certificates.url" .}}"
+ echo "CA Fingerprint: $(step certificate fingerprint $(step path)/certs/root_ca.crt)"
+ echo
\ No newline at end of file
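Review bot: When `ca.password` or `ca.provisioner.password` is set in values, the lines `CA_PASSWORD={{ quote .Values.ca.password }}` and `CA_PROVISIONER_PASSWORD={{ quote .Values.ca.provisioner.password }}` render those passwords in plaintext into the `-bootstrap` ConfigMap, where anyone with ConfigMap read access in the namespace, or `helm get values`, can recover them even though the script later stores them as Secrets. Prefer leaving both values unset so the `/dev/urandom` path is used, or have the bootstrap Job consume them from a pre-existing Secret via `valueFrom.secretKeyRef` and reference `$CA_PASSWORD` from the environment instead of templating the literal into the script. The same concern applies to `-secrets`, which is created from `$(step path)/secrets` as a ConfigMap: it holds the root and intermediate CA private keys (presumably encrypted under `--password-file`, since that is what `step ca init` is given, but verify), and key material belongs in a Secret so RBAC and at-rest encryption treat it as such. Note also that `mutatingwebhookconfigurations` are cluster-scoped, so the `--namespace` flag on that `kubectl auth can-i` check has no effect and can be dropped.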
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ingress.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ingress.yaml
index 7f5403a..3fd9e96 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ingress.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/ingress.yaml
@@ -1,56 +1,57 @@
# *****************************************************************************
#
- # Licensed to the Apache Software Foundation (ASF) under one
- # or more contributor license agreements. See the NOTICE file
- # distributed with this work for additional information
- # regarding copyright ownership. The ASF licenses this file
- # to you under the Apache License, Version 2.0 (the
- # "License"); you may not use this file except in compliance
- # with the License. You may obtain a copy of the License at
- #
- # http://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing,
- # software distributed under the License is distributed on an
- # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- # KIND, either express or implied. See the License for the
- # specific language governing permissions and limitations
- # under the License.
- #
- # ******************************************************************************
- {{- if .Values.ingress.enabled -}}
- {{- $fullName := include "step-certificates.fullname" . -}}
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "step-certificates.fullname" . -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
- {{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
-annotations:
- {{- toYaml . | nindent 4 }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
{{- end }}
spec:
-{{- if .Values.ingress.tls }}
-tls:
- {{- range .Values.ingress.tls }}
-- hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
-{{- end }}
-rules:
- {{- range .Values.ingress.hosts }}
-- host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ . }}
- backend:
- serviceName: {{ $fullName }}
- servicePort: http
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
{{- end }}
{{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ . }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: https
+ {{- end }}
+ {{- end }}
{{- end }}
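Review bot: Switching the backend to `servicePort: https` matches the container port name, but it also means the ingress controller must proxy to a TLS backend, which most controllers do not do by default; without a controller-specific hint such as `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` the `/health` and ACME endpoints will fail through the ingress, and the certificate step-ca presents will not be validated by the proxy unless the controller is also told about the CA. Make that expectation explicit, either as a default in `ingress.annotations` in values.yaml or as a comment above `annotations:` such as `# step-ca only speaks TLS; set your controller's backend-protocol annotation here`. `apiVersion: extensions/v1beta1` is unchanged context, but it is deprecated in favour of `networking.k8s.io/v1beta1` (later `v1`) and will block installs on clusters that have dropped it, so it is worth addressing while the template is being reworked.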
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/rbac.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/rbac.yaml
index ebab8c4..992f0bd 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/rbac.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/rbac.yaml
@@ -19,12 +19,12 @@
#
# ******************************************************************************
- {{- if .Release.IsInstall -}}
+{{- if .Release.IsInstall -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "step-certificates.fullname" . }}-config
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "step-certificates.chart" . }}
app.kubernetes.io/name: {{ include "step-certificates.name" . }}
@@ -40,7 +40,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "step-certificates.fullname" . }}-config
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "step-certificates.chart" . }}
app.kubernetes.io/name: {{ include "step-certificates.name" . }}
@@ -50,12 +50,13 @@ metadata:
subjects:
- kind: ServiceAccount
name: {{ include "step-certificates.fullname" . }}-config
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ include "step-certificates.fullname" . }}-config
apiGroup: rbac.authorization.k8s.io
---
+{{ if .Values.autocert.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -75,7 +76,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "step-certificates.fullname" . }}-config
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ include "step-certificates.chart" . }}
app.kubernetes.io/name: {{ include "step-certificates.name" . }}
@@ -85,9 +86,10 @@ metadata:
subjects:
- kind: ServiceAccount
name: {{ include "step-certificates.fullname" . }}-config
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "step-certificates.fullname" . }}-config
apiGroup: rbac.authorization.k8s.io
-{{- end -}}
\ No newline at end of file
+{{- end }} # if .Values.autocert.enabled
+{{- end }}
\ No newline at end of file
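Review bot: The trailing `# if .Values.autocert.enabled` after `{{- end }}` is YAML text, not a template comment, so it is rendered into the manifest; because of the `-` trim it lands on the same line as `apiGroup: rbac.authorization.k8s.io`, where YAML happens to read it as a trailing comment, which is fragile rather than wrong. Use a template comment so nothing leaks into the rendered output: `{{- end }}{{/* if .Values.autocert.enabled */}}`. Separately, `namespace: {{ .Release.Namespace }}` on the ClusterRoleBinding metadata (the `@@ -75` hunk above) has no effect on a cluster-scoped object and, as far as I know, is ignored or warned about by the API server and tooling; dropping it would make the cluster-wide scope of this binding explicit to readers, which matters since it grants the `-config` ServiceAccount the ClusterRole's rules (not visible in this diff).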
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/secrets.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/secrets.yaml
index 64f8b9b..113d575 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/secrets.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/secrets.yaml
@@ -23,17 +23,13 @@
# 1. CA keys password.
# 2. Provisioner password.
apiVersion: v1
-data:
- password: ""
kind: Secret
metadata:
name: {{ include "step-certificates.fullname" . }}-ca-password
- namespace: {{.Release.Namespace}}
+ namespace: {{ .Release.Namespace }}
---
apiVersion: v1
-data:
- password: ""
kind: Secret
metadata:
name: {{ include "step-certificates.fullname" . }}-provisioner-password
- namespace: {{.Release.Namespace}}
\ No newline at end of file
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
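Review bot: Removing `data` leaves both Secrets (the CA keys password and the provisioner password, per the header comment) as empty manifests that Helm still owns, so whatever fills `password` afterwards — presumably the bootstrap job, outside this diff — is at risk of being wiped: a later `helm upgrade` re-applies the manifest without `data` and would reset the passwords that protect the encrypted CA key. Guard the file the same way rbac.yaml already does, `{{- if .Release.IsInstall -}}` at the top and `{{- end }}` at the bottom, or use `lookup` to carry over existing data; note that `helm.sh/resource-policy: keep` only prevents deletion, not this overwrite. Consider also stating `type: Opaque` explicitly and adding a comment that the values are written out-of-band so the next maintainer does not "fix" the missing `data` field.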
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/service.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/service.yaml
index fb17ab1..c31139b 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/service.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/service.yaml
@@ -24,17 +24,14 @@ kind: Service
metadata:
name: {{ include "step-certificates.fullname" . }}
labels:
- {{ include "step-certificates.labels" . | indent 4 }}
+ {{- include "step-certificates.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.targetPort }}
-{{- if .Values.service.nodePort }}
-nodePort: {{ .Values.service.nodePort }}
-{{- end }}
-protocol: TCP
-name: https
-selector:
- app.kubernetes.io/name: {{ include "step-certificates.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
\ No newline at end of file
+ protocol: TCP
+ name: https
+ selector:
+ app.kubernetes.io/name: {{ include "step-certificates.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
\ No newline at end of file
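Review bot: The `{{- if .Values.service.nodePort }}` block is dropped along with the re-indentation, so a `service.nodePort` value, if it is still present in values.yaml (not visible in this diff), is now silently ignored instead of applied. If the intent is to stop exposing a NodePort, remove the key from values.yaml as well and say so in the chart comments; otherwise restore the block indented under the port entry: `{{- if .Values.service.nodePort }}` / `nodePort: {{ .Values.service.nodePort }}` / `{{- end }}`.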
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/tests/test-connection.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/tests/test-connection.yaml
index 19375d9..8b2901d 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/tests/test-connection.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/tests/test-connection.yaml
@@ -24,9 +24,9 @@ kind: Pod
metadata:
name: "{{ include "step-certificates.fullname" . }}-test-connection"
labels:
- {{ include "step-certificates.labels" . | indent 4 }}
-annotations:
- "helm.sh/hook": test-success
+ {{- include "step-certificates.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
spec:
containers:
- name: wget
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/values.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/values.yaml
index a363f1d..aa26ec4 100644
--- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/values.yaml
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/values.yaml
@@ -33,7 +33,7 @@ fullnameOverride: ""
# image contains the docker image for step-certificates.
image:
repository: smallstep/step-ca
- tag: 0.13.2
+ tag: 0.15.5
pullPolicy: IfNotPresent
# bootstrapImage contains the docker image for the bootstrap of the configuration.
@@ -57,11 +57,9 @@ ca:
# dns is the comma separated dns names to use. Leave it empty to use the format:
# {include "step-certificates.fullname" .}.{ .Release.Namespace}.svc.cluster.local,127.0.0.1
dns: ${step_chart_name}.${namespace}.svc.cluster.local,${step_ca_host}
- # ${step_ca_host}
# url is the http url where step-certificates will listen at. Leave it empty to use the format
# https://{{ include "step-certificates.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
url: https://${step_chart_name}.${namespace}.svc.cluster.local
- #${step_ca_host}
# password is the password used to encrypt the keys. Leave it empty to generate a random one.
password: ${step_ca_password}
# provisioner contains the step-certificates provisioner configuration.
@@ -82,14 +80,21 @@ ca:
# If undefined or set to null, no storageClassName spec is set, choosing the
# default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack).
storageClass: standard
+ ## Persistent Volume existing claim name
+ ## Requires ca.db.persistent: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim: ""
# accessModes defines the Persistent Volume Access Mode.
accessModes:
- - ReadWriteOnce
+ - ReadWriteOnce
# size is the Persistent Volume size.
size: 10Gi
# runAsRoot runs the ca as root instead of the step user. This is required in
# some storage provisioners.
runAsRoot: false
+ bootstrap:
+ # Add script snippets here to be executed after the step ca init has been run
+ postInitHook: ""
# autocert is used to configure the autocert chart that depends on step-certificates.
autocert:
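Review bot: `bootstrap.postInitHook` introduces a free-form script snippet, but the comment does not say where it runs or with what privileges; since this values.yaml is itself a Terraform template (`${...}` placeholders), anything interpolated into this key is executed verbatim inside the cluster by the bootstrap job (presumably via the configmaps/bootstrap templates, outside this hunk). Document the trust boundary on the key, e.g. `# Shell snippet run by the bootstrap job after `step ca init`, with that job's service account and the CA secrets in scope. Treat as trusted code: never populate it from user-supplied input.` Also, `postInitHook: ""` is a runtime contract with the bootstrap script, so note there which shell it is executed by so operators know what syntax is valid.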
@@ -113,7 +118,7 @@ resources: {}
# memory: 128Mi
# requests:
# cpu: 100m
-# memory: 128Mi
+ # memory: 128Mi
# nodeSelector contains the node labels for pod assignment.
nodeSelector: {}