Add option to provide custom certificates or let Helm auto-generate them

Signed-off-by: Pato Arvizu <patoarvizu@gmail.com>
notaryproject · patoarvizu · Oct 8, 2019 · Oct 9, 2019 · Oct 9, 2019 · Oct 9, 2019
commit a161240b0e82ac0099ee3826519e6aad96c14fdb
@@ -4,26 +4,67 @@ metadata:
   name: notary-tls
 type: Opaque
 data:
+{{- if .Values.tls.custom }}
+{{- if .Values.tls.rootCACert }}
   root-ca.crt: |
-{{ .Files.Get "fixtures/root-ca.crt" | b64enc | indent 4 }}
+{{ .Values.tls.rootCACert | indent 4 }}
+{{- end }}
+{{- if and .Values.tls.server.cert .Values.tls.server.key }}
   notary-server.crt: |
-{{ .Files.Get "fixtures/notary-server.crt" | b64enc | indent 4 }}
+{{ .Values.tls.server.cert | indent 4 }}
   notary-server.key: |
-{{ .Files.Get "fixtures/notary-server.key" | b64enc | indent 4 }}
+{{ .Values.tls.server.key | indent 4 }}
+{{- end }}
+{{- if and .Values.tls.signer.cert .Values.tls.signer.key }}
   notary-signer.crt: |
-{{ .Files.Get "fixtures/notary-signer.crt" | b64enc | indent 4 }}
+{{ .Values.tls.signer.cert | indent 4 }}
   notary-signer.key: |
-{{ .Files.Get "fixtures/notary-signer.key" | b64enc | indent 4 }}
+{{ .Values.tls.signer.key | indent 4 }}
+{{- end }}
+{{- if .Values.tls.database.rootCACert }}
   database-ca.pem: |
-{{ .Files.Get "fixtures/database/ca.pem" | b64enc | indent 4 }}
+{{ .Values.tls.database.rootCACert | indent 4 }}
+{{- end }}
+{{ if and .Values.tls.database.server.cert .Values.tls.database.server.key }}
   notary-server.pem: |
-{{ .Files.Get "fixtures/database/notary-server.pem" | b64enc | indent 4 }}
+{{ .Values.tls.database.server.cert | indent 4 }}
   notary-server-key.pem: |
-{{ .Files.Get "fixtures/database/notary-server-key.pem" | b64enc | indent 4 }}
+{{ .Values.tls.database.server.key | indent 4 }}
+{{- end }}
+{{ if and .Values.tls.database.signer.cert .Values.tls.database.signer.key }}
   notary-signer.pem: |
-{{ .Files.Get "fixtures/database/notary-server.pem" | b64enc | indent 4 }}
+{{ .Values.tls.database.signer.cert | indent 4 }}
   notary-signer-key.pem: |
-{{ .Files.Get "fixtures/database/notary-server-key.pem" | b64enc | indent 4 }}
+{{ .Values.tls.database.signer.key | indent 4 }}
+{{- end }}
+{{- else }}
+{{- $rootCA := genCA "Notary Root CA" (int .Values.tls.generated.validityDays) }}
+{{- $serverCert := genSignedCert "notary-server" (list) .Values.tls.generated.server.dns (int .Values.tls.generated.validityDays) $rootCA }}
+{{- $signerCert := genSignedCert "notary-signer" (list) .Values.tls.generated.signer.dns (int .Values.tls.generated.validityDays) $rootCA }}
+  root-ca.crt: |
+{{ $rootCA.Cert | b64enc | indent 4 }}
+  notary-server.crt: |
+{{ $serverCert.Cert | b64enc | indent 4 }}
+  notary-server.key: |
+{{ $serverCert.Key | b64enc | indent 4 }}
+  notary-signer.crt: |
+{{ $signerCert.Cert | b64enc | indent 4 }}
+  notary-signer.key: |
+{{ $signerCert.Key | b64enc | indent 4 }}
+{{- $databaseRootCA := genCA "Notary Database Root CA" (int .Values.tls.generated.validityDays) }}
+{{- $serverDBCert := genSignedCert "notary-server-db" (list) .Values.tls.generated.database.server.dns (int .Values.tls.generated.validityDays) $databaseRootCA }}
+{{- $signerDBCert := genSignedCert "notary-signer-db" (list) .Values.tls.generated.database.signer.dns (int .Values.tls.generated.validityDays) $databaseRootCA }}
+  database-ca.pem: |
+{{ $databaseRootCA.Cert | b64enc | indent 4 }}
+  notary-server.pem: |
+{{ $serverDBCert.Cert | b64enc | indent 4 }}
+  notary-server-key.pem: |
+{{ $serverDBCert.Key | b64enc | indent 4 }}
+  notary-signer.pem: |
+{{ $signerDBCert.Cert | b64enc | indent 4 }}
+  notary-signer-key.pem: |
+{{ $signerDBCert.Key | b64enc | indent 4 }}
+{{- end }}
 
 ---
 

@@ -57,6 +57,7 @@ server:
   - "docker.io/"
   - "mydomain.com/"
 
+
   # Set 'trust: local' if you don't want to spin up a signer instance. Otherwise, the remote signer service is made
   # available at the 'hostname' and 'port' specified here.
   trust:
@@ -82,4 +83,76 @@ signer:
 
 logging:
   # The logging level to set the 'logging.level' field in both the notary and signer config files.
-  level: debug
+  level: debug
+
+tls:
+  # If this is set to true, the template will use the certificates and keys provided, otherwise it will automatically
+  # generate self-signed certificates based on the parameters passed to the 'generated' map.
+  # If using custom certificates, they should be base64-encoded. And both the public certificate and the private key
+  # must be provided.
+  custom: false
+
+  # The CA that signed the server/signer certificates. It's assumed that the same CA is used for bother server
+  # and signer certificates.
+  # It doesn't need to strictly be a root CA, it can be an intermediate one.
+  rootCACert: null
+
+  # The public certificate and corresponding private key for the server.
+  server:
+    cert: null
+    key: null
+
+  # The public certificate and corresponding private key for the signer.
+  signer:
+    cert: null
+    key: null
+
+  # The CA that signed the server/signer database certificates. It's assumed that the same CA is used for bother server
+  # and signer database certificates.
+  # It doesn't need to strictly be a root CA, it can be an intermediate one.
+  database:
+    rootCACert: null
+
+    # The public certificate and corresponding private key for the server database.
+    server:
+      cert: null
+      key: null
+
+    # The public certificate and corresponding private key for the signer database.
+    signer:
+      cert: null
+      key: null
+
+  # If Helm auto-generates the certificates, it'll create a self-signed CA and sign certificates off that CA.
+  # The key of that root CA is thrown away, and only the public certificate is stored as a Kubernetes secret.
+  generated:
+
+    # The validity in days for the generated certificates.
+    # Note that rotating the certificates is outside of the scope of this chart!
+    validityDays: 365
+
+    server:
+      # The list of valid DNS host names that the server certificate will accept
+      dns:
+      - notary-server
+      - notaryserver
+
+    signer:
+      # The list of valid DNS host names that the signer certificate will accept
+      dns:
+      - notary-signer
+      - notarysigner
+
+    database:
+
+      server:
+        # The list of valid DNS host names that the server database certificate will accept
+        dns:
+        - postgresql
+        - mysql
+
+      signer:
+        # The list of valid DNS host names that the signer database certificate will accept
+        dns:
+        - postgresql
+        - mysql