fix(helm): add custom CA option
add option to add a custom certificate authority when baking a manifest
error418 committed Mar 12, 2020
1 parent bacd3cd commit 83b7638
Showing 11 changed files with 123 additions and 44 deletions.
16 changes: 14 additions & 2 deletions helm/bake.sh
Expand Up @@ -16,6 +16,7 @@ Swingletree HELM template bake utility
--gh-keyfile Path to the GitHub App private key file
--gh-appid GitHub App Id
--redis-password Ask for redis password and set it. Omitting this will generate a password.
--custom-ca-file Set custom CA to trust in containers
-n | --namespace Sets the k8s target namespace
Expand All @@ -25,7 +26,7 @@ Swingletree HELM template bake utility
"""

TEMP=`getopt -o h,k,n: --long namespace:,gh-appid:,redis-password,configure,skip-update,gh-keyfile:,help -- "$@"`
TEMP=`getopt -o h,k,n: --long namespace:,gh-appid:,custom-ca-file:,redis-password,configure,skip-update,gh-keyfile:,help -- "$@"`

function printHelp {
echo "$HELP"
Expand All @@ -40,12 +41,21 @@ function applyTemplate {
echo
fi
echo " > baking your manifest into $TARGET"

EXTRA_PROPS=
if [ -z $CUSTOM_CA_FILE ]; then
echo " > skipping custom CA file import"
else
echo " > adding custom CA to deployment"
EXTRA_PROPS="--set-file certificates.ca.value=$CUSTOM_CA_FILE --set certificates.ca.enabled=true"
fi

helm template $BASEDIR/swingletree \
-n $NAMESPACE \
--set github.app.id=$GITHUB_APPID \
--set redis.password=$REDIS_PASS \
--set-file github_app_key=$GITHUB_KEYFILE \
> $TARGET
$EXTRA_PROPS > $TARGET
}

if [ $? != 0 ] ; then echo "missing arguments. terminating..." >&2 ; exit 1 ; fi
Expand All @@ -57,6 +67,7 @@ GITHUB_APPID=
NAMESPACE=default
SKIP_UPDATE=0
REDIS_PASS=$(pwgen 20 1)
CUSTOM_CA_FILE=

TARGET=$BASEDIR/swingletree-bake.yml

Expand All @@ -65,6 +76,7 @@ while true; do
--gh-keyfile ) GITHUB_KEYFILE="$2"; shift 2 ;;
--gh-appid ) GITHUB_APPID="$2"; shift 2 ;;
-n | --namespace ) NAMESPACE="$2"; shift 2 ;;
--custom-ca-file ) CUSTOM_CA_FILE="$2"; shift 2 ;;
--configure ) vi $VALUES_CONFIG; exit $?; shift ;;
-k | --skip-update ) SKIP_UPDATE=1; shift ;;
--redis-password ) REDIS_PASS=$(read -sp " > set redis password: "); shift ;;
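Review bot: In applyTemplate, `[ -z $CUSTOM_CA_FILE ]` and the string-built `EXTRA_PROPS` both rely on unquoted expansion, so a CA path containing spaces or glob characters is split into separate helm arguments, and a missing or unreadable file is only reported by helm after the log line has already claimed the CA was added. Since this file becomes a trust anchor in every container, it is worth failing early on an unreadable path and passing the flags as an array (the script already appears to rely on bash, given `function` and `read -sp`). applyTemplate begins above this hunk; the sketch below covers only the new block and the last line of the helm call.

```shell
  # … unchanged: "baking your manifest" banner …
  EXTRA_PROPS=()
  if [ -z "$CUSTOM_CA_FILE" ]; then
    echo " > skipping custom CA file import"
  elif [ ! -r "$CUSTOM_CA_FILE" ]; then
    echo " > custom CA file '$CUSTOM_CA_FILE' is not readable" >&2
    exit 1
  else
    echo " > adding custom CA to deployment"
    EXTRA_PROPS=(--set-file "certificates.ca.value=$CUSTOM_CA_FILE" --set certificates.ca.enabled=true)
  fi
  # … unchanged: helm template call and its existing --set / --set-file arguments …
    "${EXTRA_PROPS[@]}" > "$TARGET"
```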
17 changes: 12 additions & 5 deletions helm/swingletree/templates/deployment-deck.yaml
Expand Up @@ -23,25 +23,32 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.registry }}{{ .Values.images.deck.repo }}:{{ .Values.images.deck.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/deck/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
ports:
- name: http
containerPort: 3000
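Review bot: The new `/opt/cert/ca.pem` volumeMount uses `subPath: ca`, and Kubernetes does not propagate Secret updates into subPath mounts, so a rotated CA in `swingletree-config` will not reach running pods; Node also reads `NODE_EXTRA_CA_CERTS` only at process start. If the part of the pod template outside this hunk has no rollout trigger, consider an annotation such as `checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}` so a changed CA restarts the pods. The same applies to the identical blocks in deployment-gate, deployment-plugin-nebula, -sonar, -testng, -twistlock, -zap and deployment-scotty. Because this file extends the trust store for all outbound TLS of the service, write access to the Secret should be restricted accordingly.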
17 changes: 12 additions & 5 deletions helm/swingletree/templates/deployment-gate.yaml
Expand Up @@ -23,25 +23,32 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.registry }}{{ .Values.images.gate.repo }}:{{ .Values.images.gate.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/gate/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
ports:
- name: http
containerPort: 3000
17 changes: 12 additions & 5 deletions helm/swingletree/templates/deployment-plugin-nebula.yaml
Expand Up @@ -24,25 +24,32 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ $pluginNebula := index .Values.images "plugin-nebula" }}{{ .Values.registry }}{{ $pluginNebula.repo }}:{{ $pluginNebula.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/plugin-nebula/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
ports:
- name: http
containerPort: 3000
17 changes: 12 additions & 5 deletions helm/swingletree/templates/deployment-plugin-sonar.yaml
Expand Up @@ -24,25 +24,32 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ $pluginSonarqube := index .Values.images "plugin-sonarqube" }}{{ .Values.registry }}{{ $pluginSonarqube.repo }}:{{ $pluginSonarqube.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/plugin-sonarqube/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
ports:
- name: http
containerPort: 3000
17 changes: 12 additions & 5 deletions helm/swingletree/templates/deployment-plugin-testng.yaml
Expand Up @@ -24,25 +24,32 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ $pluginTestng := index .Values.images "plugin-testng" }}{{ .Values.registry }}{{ $pluginTestng.repo }}:{{ $pluginTestng.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/plugin-testng/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
ports:
- name: http
containerPort: 3000
17 changes: 12 additions & 5 deletions helm/swingletree/templates/deployment-plugin-twistlock.yaml
Expand Up @@ -24,25 +24,32 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ $pluginTwistlock := index .Values.images "plugin-twistlock" }}{{ .Values.registry }}{{ $pluginTwistlock.repo }}:{{ $pluginTwistlock.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/plugin-twistlock/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
ports:
- name: http
containerPort: 3000
17 changes: 12 additions & 5 deletions helm/swingletree/templates/deployment-plugin-zap.yaml
Expand Up @@ -24,25 +24,32 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ $pluginZap := index .Values.images "plugin-zap" }}{{ .Values.registry }}{{ $pluginZap.repo }}:{{ $pluginZap.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/plugin-zap/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
ports:
- name: http
containerPort: 3000
19 changes: 13 additions & 6 deletions helm/swingletree/templates/deployment-scotty.yaml
Expand Up @@ -23,26 +23,33 @@ spec:
- name: config
secret:
secretName: swingletree-config
- name: appkey
secret:
secretName: swingletree-config
{{ if .Values.imagePullSecret }}
{{- if .Values.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.imagePullSecret }}
{{ end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.registry }}{{ .Values.images.scotty.repo }}:{{ .Values.images.scotty.version }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: LOG_LEVEL
value: {{ .Values.log.level }}
{{- if .Values.certificates.ca.enabled }}
- name: NODE_EXTRA_CA_CERTS
value: /opt/cert/ca.pem
{{- end }}
volumeMounts:
- name: config
mountPath: /opt/scotty/swingletree.conf.yaml
subPath: swingletree.conf.yaml
readOnly: true
- name: appkey
{{- if .Values.certificates.ca.enabled }}
- name: config
mountPath: /opt/cert/ca.pem
subPath: ca
readOnly: true
{{- end }}
- name: config
mountPath: /opt/scotty/gh-app.pem
subPath: gh-app.pem
ports:
4 changes: 3 additions & 1 deletion helm/swingletree/templates/secret.yaml
Expand Up @@ -8,4 +8,6 @@ type: Opaque
stringData:
swingletree.conf.yaml: {{ $config | quote }}
gh-app.pem: {{ .Values.github_app_key | quote }}

{{- if .Values.certificates.ca.enabled }}
ca: {{ .Values.certificates.ca.value | quote }}
{{ end }}
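Review bot: With `certificates.ca.enabled` set to true and `certificates.ca.value` left at its empty default, the `ca:` key renders without a usable certificate, while the deployments still mount `subPath: ca` and point `NODE_EXTRA_CA_CERTS` at it. Failing the render is clearer than a silently missing trust anchor: `ca: {{ required "certificates.ca.value must be set when certificates.ca.enabled is true" .Values.certificates.ca.value | quote }}`. The closing `{{ end }}` could also become `{{- end }}` to match the whitespace trimming this commit applies in the deployment templates.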
9 changes: 9 additions & 0 deletions helm/swingletree/values.yaml
Expand Up @@ -109,6 +109,13 @@ ingress:

replicaCount: 1

# Custom CA to trust
certificates:
ca:
enabled: false # use custom CA
value: # CA certificate contents (use bake.sh option --custom-ca-file to set this on bake)


# images to use for this deployment
images:
deck:
Expand Down Expand Up @@ -137,6 +144,8 @@ images:
version: 1.1.0 #plugin-testng_VERSION
pullPolicy: IfNotPresent
registry: docker.pkg.github.com/swingletree-oss/

# configure your image pull secret if you need to pull from a private registry
#imagePullSecret: regcred

# default service configuration
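Review bot: The comment on `value:` under `certificates.ca` does not state the expected format or that the field is mandatory once `enabled` is true; the templates hand the content to Node through `NODE_EXTRA_CA_CERTS`, which expects PEM. A comment such as `# PEM-encoded CA certificate(s); must be set when enabled is true (bake.sh --custom-ca-file fills this in)` would make that explicit.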
