
{{- /* Admin API Service (plus an optional Ingress). Rendered only when the Kong
     deployment is enabled and the admin listener is enabled over HTTP or TLS. */ -}}
{{- if .Values.deployment.kong.enabled }}
{{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}}
{{- /* Context handed to the shared "kong.service" / "kong.ingress" helpers: a dict
     seeded from .Values.admin and extended with the chart-wide names and labels
     those helpers read. */ -}}
{{- $serviceConfig := dict -}}
{{- $serviceConfig := merge $serviceConfig .Values.admin -}}
{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
{{- $_ := set $serviceConfig "serviceName" "admin" -}}
{{- /* Emit the Service; the Ingress follows as a separate document only when
     admin.ingress.enabled is set. */ -}}
{{- include "kong.service" $serviceConfig }}
{{ if .Values.admin.ingress.enabled }}
---
{{ include "kong.ingress" $serviceConfig }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "adminApiService.certSecretName" -}}
{{- /* Name of the Secret holding the admin API client keypair: the user-supplied
     ingressController.adminApi.tls.client.secretName, or "<fullname>-admin-api-keypair"
     when that value is unset. */ -}}
{{- .Values.ingressController.adminApi.tls.client.secretName | default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) -}}
{{- end -}}
{{- define "adminApiService.caSecretName" -}}
{{- /* Name of the Secret holding the admin API CA keypair: the user-supplied
     ingressController.adminApi.tls.client.caSecretName, or "<fullname>-admin-api-ca-keypair"
     when that value is unset. */ -}}
{{- .Values.ingressController.adminApi.tls.client.caSecretName | default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) -}}
{{- end -}}
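{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}}
{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}}
{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}}
{{- if and $clientVerifyEnabled (not $clientCertProvided) }}
{{- /* The leaf certificate is issued for admin.<namespace>.svc (CN and the only SAN). */ -}}
{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}}
{{- /* Generate a fresh CA (10 years) but prefer the CA already stored in the cluster, so a
     re-render keeps publishing the same CA. lookup needs cluster access: under
     `helm template` / --dry-run it returns nothing and new material is generated on
     every render. */ -}}
{{- $ca := genCA "admin-api-ca" 3650 -}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .)) -}}
{{- if $caSecret -}}
{{- /* buildCustomCert consumes the base64 values exactly as stored in the Secret (no b64dec).
     A stored CA whose tls.crt/tls.key are not parseable fails the render instead of
     silently publishing empty material. */ -}}
{{- $ca = buildCustomCert (get $caSecret.data "tls.crt") (get $caSecret.data "tls.key") -}}
{{- end -}}
{{- $caCert := $ca.Cert -}}
{{- $caKey := $ca.Key -}}
{{- /* Sign the leaf with whichever CA is in effect, so the keypair published below always
     chains to the CA published below. */ -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert := $cert.Cert -}}
{{- $certKey := $cert.Key -}}
{{- /* Reuse the existing leaf keypair only when its issuing CA was also found; an orphaned
     leaf would not verify against a newly generated CA. */ -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}}
{{- if and $caSecret $certSecret -}}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "adminApiService.certSecretName" . }}
  namespace: {{ template "kong.namespace" . }}
  labels:
    {{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
  tls.crt: {{ b64enc $certCert }}
  tls.key: {{ b64enc $certKey }}
{{- /* The CA private key is stored next to the CA certificate in this Secret; it is what
     allows the leaf to be re-issued by the same CA on later renders. */}}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "adminApiService.caSecretName" . }}
  namespace: {{ template "kong.namespace" . }}
  labels:
    {{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
  tls.crt: {{ b64enc $caCert }}
  tls.key: {{ b64enc $caKey }}
{{- end }}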
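{{- /* Create a CA ConfigMap for Kong. */ -}}
{{- /* Publishes the CA Kong uses to verify admin API clients. The PEM comes from either
     tls.crt of the Secret named by admin.tls.client.secretName, or from the inline
     admin.tls.client.caBundle. caBundle takes precedence: when both are set, the
     assignment further down overwrites the value read from the Secret. */ -}}
{{- $secretProvided := $.Values.admin.tls.client.secretName -}}
{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}}
{{- if or $secretProvided $bundleProvided -}}
{{- $cert := "" -}}
{{- if $secretProvided -}}
{{- /* lookup needs cluster access; under `helm template` / --dry-run it returns nothing,
     so a Secret that does exist in-cluster still hits the "not found" failure below. */ -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- if $certSecret }}
{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- /* A Secret without a tls.crt key would otherwise publish an empty trust anchor; fail
     loudly instead, matching the handling of a missing Secret. */ -}}
{{- if not $cert -}}
{{- fail (printf "%s/%s secret has no tls.crt data" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- end -}}
{{- else -}}
{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}}
{{- end }}
{{- end }}
{{- if $bundleProvided -}}
{{- $cert = $.Values.admin.tls.client.caBundle -}}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "kong.fullname" . }}-admin-client-ca
  namespace: {{ template "kong.namespace" . }}
  labels:
    {{- include "kong.metaLabels" . | nindent 4 }}
data:
  tls.crt: {{ $cert | quote }}
{{- end -}}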