helm consul toegevoegd ma nie als submodule?

2025-08-29 20:12:43 +00:00 · 2020-03-09 12:27:10 +01:00
parent 31368e50b2
commit 3432492589
157 changed files with 14508 additions and 0 deletions
--- a/consul-helm/templates/tls-init-job.yaml
+++ b/consul-helm/templates/tls-init-job.yaml
@@ -0,0 +1,113 @@
+# tls-init job generate Consul cluster CA and certificates for the Consul servers
+# and creates Kubernetes secrets for them.
+{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if .Values.global.tls.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "consul.fullname" . }}-tls-init
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy":  hook-succeeded
+spec:
+  template:
+    metadata:
+      name: {{ template "consul.fullname" . }}-tls-init
+      labels:
+        app: {{ template "consul.name" . }}
+        chart: {{ template "consul.chart" . }}
+        release: {{ .Release.Name }}
+        component: tls-init
+      annotations:
+        "consul.hashicorp.com/connect-inject": "false"
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ template "consul.fullname" . }}-tls-init
+      {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
+      volumes:
+      - name: consul-ca-cert
+        secret:
+          secretName: {{ .Values.global.tls.caCert.secretName }}
+          items:
+          - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
+            path: tls.crt
+      - name: consul-ca-key
+        secret:
+          secretName: {{ .Values.global.tls.caKey.secretName }}
+          items:
+          - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }}
+            path: tls.key
+      {{- end }}
+      containers:
+        - name: tls-init
+          image: "{{ .Values.global.image }}"
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          # We're using POST requests below to create secrets via Kubernetes API.
+          # Note that in the subsequent runs of the job, POST requests will
+          # return a 409 because these secrets would already exist;
+          # we are ignoring these response codes.
+          command:
+            - "/bin/sh"
+            - "-ec"
+            - |
+              {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }}
+              consul tls ca create \
+                -domain={{ .Values.global.domain }}
+              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
+                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
+                -H "Content-Type: application/json" \
+                -H "Accept: application/json" \
+                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"{{ template "consul.fullname" . }}-ca-cert\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"tls.crt\": \"$( cat {{ .Values.global.domain }}-agent-ca.pem | base64 | tr -d '\n' )\" }}" > /dev/null
+              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
+                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
+                -H "Content-Type: application/json" \
+                -H "Accept: application/json" \
+                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"{{ template "consul.fullname" . }}-ca-key\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"tls.key\": \"$( cat {{ .Values.global.domain }}-agent-ca-key.pem | base64 | tr -d '\n' )\" }}" > /dev/null
+              {{- end }}
+              consul tls cert create -server \
+                -days=730 \
+                {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
+                -ca=/consul/tls/ca/cert/tls.crt \
+                -key=/consul/tls/ca/key/tls.key \
+                {{- end }}
+                -additional-dnsname='{{ template "consul.fullname" . }}-server' \
+                -additional-dnsname='*.{{ template "consul.fullname" . }}-server' \
+                -additional-dnsname='*.{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}' \
+                -additional-dnsname='*.{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc' \
+                {{- range .Values.global.tls.serverAdditionalIPSANs }}
+                -additional-ipaddress={{ . }} \
+                {{- end }}
+                {{- range .Values.global.tls.serverAdditionalDNSSANs }}
+                 -additional-dnsname={{ . }} \
+                 {{- end }}
+                -dc={{ .Values.global.datacenter }} \
+                -domain={{ .Values.global.domain }}
+              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
+                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
+                -H "Content-Type: application/json" \
+                -H "Accept: application/json" \
+                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"{{ template "consul.fullname" . }}-server-cert\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"kubernetes.io/tls\", \"data\": { \"tls.crt\": \"$( cat {{ .Values.global.datacenter }}-server-{{ .Values.global.domain }}-0.pem | base64 | tr -d '\n' )\", \"tls.key\": \"$( cat {{ .Values.global.datacenter }}-server-{{ .Values.global.domain }}-0-key.pem | base64 | tr -d '\n' )\" } }" > /dev/null
+          {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
+          volumeMounts:
+            - name: consul-ca-cert
+              mountPath: /consul/tls/ca/cert
+              readOnly: true
+            - name: consul-ca-key
+              mountPath: /consul/tls/ca/key
+              readOnly: true
+          {{- end }}
+{{- end }}
+{{- end }}