From f9f440f2b80eac6a47d925f1c014a1b317dc8e6e Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Sat, 6 Jul 2024 06:59:22 -0700
Subject: [PATCH] Handle external server certs for jks

Signed-off-by: Tamal Saha
---
 apis/installer/v1alpha1/ace_ace_types.go | 10 +++++-
 .../v1alpha1/zz_generated.deepcopy.go | 32 +++++++++++++++++--
 charts/ace/README.md | 4 ++-
 charts/ace/templates/ingress/secret.yaml | 8 +++++
 charts/ace/values.openapiv3_schema.yaml | 17 ++++++++--
 charts/ace/values.yaml | 5 ++-
 charts/s3proxy/templates/issuer.yaml | 2 +-
 charts/service-gateway-presets/README.md | 4 ++-
 .../templates/gateway-tls/secret.yaml | 8 +++++
 .../values.openapiv3_schema.yaml | 17 ++++++++--
 charts/service-gateway-presets/values.yaml | 5 ++-
 charts/service-vault/README.md | 4 ++-
 .../values.openapiv3_schema.yaml | 17 ++++++++--
 charts/service-vault/values.yaml | 5 ++-
 .../ace-options/values.openapiv3_schema.yaml | 17 ++++++++--
 15 files changed, 132 insertions(+), 23 deletions(-)

diff --git a/apis/installer/v1alpha1/ace_ace_types.go b/apis/installer/v1alpha1/ace_ace_types.go
index cc8bcb8e1..ee02bc120 100644
--- a/apis/installer/v1alpha1/ace_ace_types.go
+++ b/apis/installer/v1alpha1/ace_ace_types.go
@@ -255,7 +255,7 @@ type InfraTLS struct {
 CA TLSData `json:"ca"`
 Acme TLSIssuerAcme `json:"acme"`
 Certificate TLSData `json:"certificate"`
- JKSPassword string `json:"jksPassword"`
+ JKS Keystore `json:"jks"`
 }
 
 type TLSData struct {
@@ -265,6 +265,14 @@ type TLSData struct {
 Key string `json:"key"`
 }
 
+type Keystore struct {
+ // +optional
+ Truststore []byte `json:"truststore"`
+ // +optional
+ Keystore []byte `json:"keystore"`
+ Password string `json:"password"`
+}
+
 type TLSIssuerAcme struct {
 Email string `json:"email"`
 }
diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go
index 12097d046..30c2c6200 100644
--- a/apis/installer/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go
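Review bot: The new Keystore struct has no doc comment saying what its fields hold or how they are encoded, even though it is an API type whose schema is generated from it; add `// Keystore holds a Java keystore and truststore (base64-encoded in JSON) together with the password that protects them.` above `type Keystore struct {`. Replacing `JKSPassword` with `JKS` also moves the serialized key from `jksPassword` to `jks.password`, and the schema hunks later in the patch mark both `jks` and `jks.password` as required, so any existing values file or stored spec still using `jksPassword` will fail validation after this change; the commit carries no migration note. Nothing in the hunk constrains `Password` to be non-empty, and the charts default it to `""`, so an unconfigured install ends up with a keystore that is, as far as this type is concerned, protected by an empty password. The enclosing `InfraTLS` struct starts before the first hunk.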
@@ -953,7 +953,7 @@ func (in *AceOptionsPlatformInfra) DeepCopyInto(out *AceOptionsPlatformInfra) { *out = *in out.StorageClass = in.StorageClass out.KubeStash = in.KubeStash - out.TLS = in.TLS + in.TLS.DeepCopyInto(&out.TLS) in.DNS.DeepCopyInto(&out.DNS) in.CloudServices.DeepCopyInto(&out.CloudServices) } @@ -3703,6 +3703,7 @@ func (in *InfraTLS) DeepCopyInto(out *InfraTLS) { out.CA = in.CA out.Acme = in.Acme out.Certificate = in.Certificate + in.JKS.DeepCopyInto(&out.JKS) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfraTLS. @@ -4235,6 +4236,31 @@ func (in *JetstreamSpec) DeepCopy() *JetstreamSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Keystore) DeepCopyInto(out *Keystore) { + *out = *in + if in.Truststore != nil { + in, out := &in.Truststore, &out.Truststore + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.Keystore != nil { + in, out := &in.Keystore, &out.Keystore + *out = make([]byte, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Keystore. +func (in *Keystore) DeepCopy() *Keystore { + if in == nil { + return nil + } + out := new(Keystore) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeStashBackend) DeepCopyInto(out *KubeStashBackend) { *out = *in @@ -7341,7 +7367,7 @@ func (in *PlatformApiSpec) DeepCopy() *PlatformApiSpec { func (in *PlatformInfra) DeepCopyInto(out *PlatformInfra) { *out = *in out.StorageClass = in.StorageClass - out.TLS = in.TLS + in.TLS.DeepCopyInto(&out.TLS) in.DNS.DeepCopyInto(&out.DNS) in.Objstore.DeepCopyInto(&out.Objstore) out.Kubestash = in.Kubestash 
@@ -9070,7 +9096,7 @@ func (in *ServiceProviderCluster) DeepCopy() *ServiceProviderCluster { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceProviderInfra) DeepCopyInto(out *ServiceProviderInfra) { *out = *in - out.TLS = in.TLS + in.TLS.DeepCopyInto(&out.TLS) in.DNS.DeepCopyInto(&out.DNS) } diff --git a/charts/ace/README.md b/charts/ace/README.md index 27c2f167e..9f7e9f8b3 100644 --- a/charts/ace/README.md +++ b/charts/ace/README.md @@ -87,7 +87,9 @@ The following table lists the configurable parameters of the `ace` chart and the | global.infra.tls.acme.email | | ops@appscode.com | | global.infra.tls.certificate.cert | | "" | | global.infra.tls.certificate.key | | "" | -| global.infra.tls.jksPassword | | "" | +| global.infra.tls.jks.keystore | | | +| global.infra.tls.jks.truststore | | | +| global.infra.tls.jks.password | | "" | | global.infra.dns.targetIPs | | [] | | global.infra.dns.provider | | "external" # external,cloudflare,route53,cloudDNS | | global.infra.dns.auth | | {} | diff --git a/charts/ace/templates/ingress/secret.yaml b/charts/ace/templates/ingress/secret.yaml index db2030f18..874305617 100644 --- a/charts/ace/templates/ingress/secret.yaml +++ b/charts/ace/templates/ingress/secret.yaml @@ -17,4 +17,12 @@ metadata: {{- include "ace.labels" . | nindent 4 }} type: kubernetes.io/tls stringData: {{ $data | toJson }} +data: +{{- with .Values.global.infra.tls.jks.keystore }} + "keystore.jks": {{ . }} +{{- end }} +{{- with .Values.global.infra.tls.jks.truststore }} + "truststore.jks": {{ . }} +{{- end }} + {{- end }} diff --git a/charts/ace/values.openapiv3_schema.yaml b/charts/ace/values.openapiv3_schema.yaml index 5a34b254d..17c5aa232 100644 --- a/charts/ace/values.openapiv3_schema.yaml +++ b/charts/ace/values.openapiv3_schema.yaml 
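Review bot: In charts/ace/templates/ingress/secret.yaml the new `data:` block writes the user-supplied keystore and truststore with a bare `{{ . }}`, so a value that is not valid base64, or one YAML would not read back as a plain string, is only caught when the Secret is applied, and `data:` is emitted even when both values are unset, which appears to leave a null `data:` key in the rendered Secret. Quote the values, `"keystore.jks": {{ . | quote }}` and `"truststore.jks": {{ . | quote }}`, and consider wrapping the block in an `if or` over the two values so `data:` is only rendered when one of them is set. The same pattern is repeated in charts/service-gateway-presets/templates/gateway-tls/secret.yaml in a later hunk. The conditional closed by the trailing `{{- end }}` opens outside this hunk.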
@@ -3768,14 +3768,25 @@ properties: - letsencrypt-staging - external type: string - jksPassword: - type: string + jks: + properties: + keystore: + format: byte + type: string + password: + type: string + truststore: + format: byte + type: string + required: + - password + type: object required: - acme - ca - certificate - issuer - - jksPassword + - jks type: object required: - badger diff --git a/charts/ace/values.yaml b/charts/ace/values.yaml index b1443de37..a97c99042 100644 --- a/charts/ace/values.yaml +++ b/charts/ace/values.yaml @@ -137,7 +137,10 @@ global: certificate: cert: "" key: "" - jksPassword: "" + jks: + keystore: + truststore: + password: "" dns: targetIPs: [] provider: "external" # external,cloudflare,route53,cloudDNS diff --git a/charts/s3proxy/templates/issuer.yaml b/charts/s3proxy/templates/issuer.yaml index 96895f217..947f4e28a 100644 --- a/charts/s3proxy/templates/issuer.yaml +++ b/charts/s3proxy/templates/issuer.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.s3proxy.tls.enable .Values.s3proxy.tls.mount (not .Values.s3proxy.tls.secret.name) }} +{{- if and .Values.s3proxy.tls.enable .Values.s3proxy.tls.jksPasswordSecretRef.name (not .Values.s3proxy.tls.secret.name) }} {{- if not .Values.s3proxy.tls.issuer.name }} diff --git a/charts/service-gateway-presets/README.md b/charts/service-gateway-presets/README.md index 9d24b4b38..3d3c04062 100644 --- a/charts/service-gateway-presets/README.md +++ b/charts/service-gateway-presets/README.md @@ -57,7 +57,9 @@ The following table lists the configurable parameters of the `service-gateway-pr | infra.tls.acme.email | | ops@appscode.com | | infra.tls.certificate.cert | | "" | | infra.tls.certificate.key | | "" | -| infra.tls.jksPassword | | "" | +| infra.tls.jks.keystore | | | +| infra.tls.jks.truststore | | | +| infra.tls.jks.password | | "" | | infra.dns.provider | | "external" # external,cloudflare,route53,cloudDNS | | infra.dns.auth | | {} | | gateway-dns.enabled | | false | 
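Review bot: The new `keystore:` and `truststore:` keys in charts/ace/values.yaml are left empty with no hint about what belongs there, while the schema hunk above declares them `format: byte`, i.e. the base64 of the binary JKS file. Add `keystore: # base64-encoded keystore.jks`, `truststore: # base64-encoded truststore.jks` and `password: "" # password protecting the keystore/truststore` so operators do not paste a file path or raw bytes. charts/service-gateway-presets/values.yaml and charts/service-vault/values.yaml in the later hunks add the same three keys and would benefit from the same comments.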
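Review bot: The rewritten condition in charts/s3proxy/templates/issuer.yaml dereferences `.Values.s3proxy.tls.jksPasswordSecretRef.name`, but the diffstat shows no change to the s3proxy values.yaml or schema, so unless that key already exists in the chart's defaults the template stops rendering with a nil-pointer evaluation error whenever `tls.enable` is true. Either add `jksPasswordSecretRef: {name: ""}` to charts/s3proxy/values.yaml, or read the field tolerantly, e.g. `{{- if and .Values.s3proxy.tls.enable (dig "jksPasswordSecretRef" "name" "" .Values.s3proxy.tls) (not .Values.s3proxy.tls.secret.name) }}`. Gating the Issuer on a JKS password secret instead of on `tls.mount` also changes when an Issuer is created for installs that do not use JKS at all, which the commit message does not explain. The inner `{{- if not .Values.s3proxy.tls.issuer.name }}` is closed outside this hunk.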
diff --git a/charts/service-gateway-presets/templates/gateway-tls/secret.yaml b/charts/service-gateway-presets/templates/gateway-tls/secret.yaml index a3cd9c297..dd2deb47b 100644 --- a/charts/service-gateway-presets/templates/gateway-tls/secret.yaml +++ b/charts/service-gateway-presets/templates/gateway-tls/secret.yaml @@ -17,4 +17,12 @@ metadata: {{- include "service-gateway-presets.labels" . | nindent 4 }} type: kubernetes.io/tls stringData: {{ $data | toJson }} +data: +{{- with .Values.infra.tls.jks.keystore }} + "keystore.jks": {{ . }} +{{- end }} +{{- with .Values.infra.tls.jks.truststore }} + "truststore.jks": {{ . }} +{{- end }} + {{- end }} diff --git a/charts/service-gateway-presets/values.openapiv3_schema.yaml b/charts/service-gateway-presets/values.openapiv3_schema.yaml index d4cbf5691..03d59dded 100644 --- a/charts/service-gateway-presets/values.openapiv3_schema.yaml +++ b/charts/service-gateway-presets/values.openapiv3_schema.yaml @@ -361,14 +361,25 @@ properties: - letsencrypt-staging - external type: string - jksPassword: - type: string + jks: + properties: + keystore: + format: byte + type: string + password: + type: string + truststore: + format: byte + type: string + required: + - password + type: object required: - acme - ca - certificate - issuer - - jksPassword + - jks type: object required: - clusterName diff --git a/charts/service-gateway-presets/values.yaml b/charts/service-gateway-presets/values.yaml index 8b8de8ffe..deda1d644 100644 --- a/charts/service-gateway-presets/values.yaml +++ b/charts/service-gateway-presets/values.yaml @@ -20,7 +20,10 @@ infra: certificate: cert: "" key: "" - jksPassword: "" + jks: + keystore: + truststore: + password: "" dns: provider: "external" # external,cloudflare,route53,cloudDNS auth: {} diff --git a/charts/service-vault/README.md b/charts/service-vault/README.md index e3fea6eef..83677188b 100644 --- a/charts/service-vault/README.md +++ b/charts/service-vault/README.md 
@@ -57,7 +57,9 @@ The following table lists the configurable parameters of the `service-vault` cha | infra.tls.acme.email | | ops@appscode.com | | infra.tls.certificate.cert | | "" | | infra.tls.certificate.key | | "" | -| infra.tls.jksPassword | | "" | +| infra.tls.jks.keystore | | | +| infra.tls.jks.truststore | | | +| infra.tls.jks.password | | "" | | infra.dns.provider | | "external" # external,cloudflare,route53,cloudDNS | | infra.dns.auth | | {} | | gateway-dns.enabled | | false | diff --git a/charts/service-vault/values.openapiv3_schema.yaml b/charts/service-vault/values.openapiv3_schema.yaml index 0046684db..926f1957b 100644 --- a/charts/service-vault/values.openapiv3_schema.yaml +++ b/charts/service-vault/values.openapiv3_schema.yaml @@ -339,14 +339,25 @@ properties: - letsencrypt-staging - external type: string - jksPassword: - type: string + jks: + properties: + keystore: + format: byte + type: string + password: + type: string + truststore: + format: byte + type: string + required: + - password + type: object required: - acme - ca - certificate - issuer - - jksPassword + - jks type: object required: - clusterName diff --git a/charts/service-vault/values.yaml b/charts/service-vault/values.yaml index f45cf69b7..136b1facc 100644 --- a/charts/service-vault/values.yaml +++ b/charts/service-vault/values.yaml @@ -20,7 +20,10 @@ infra: certificate: cert: "" key: "" - jksPassword: "" + jks: + keystore: + truststore: + password: "" dns: provider: "external" # external,cloudflare,route53,cloudDNS auth: {} diff --git a/schema/ace-options/values.openapiv3_schema.yaml b/schema/ace-options/values.openapiv3_schema.yaml index 8cc1942d8..c1f218501 100644 --- a/schema/ace-options/values.openapiv3_schema.yaml +++ b/schema/ace-options/values.openapiv3_schema.yaml 
@@ -788,14 +788,25 @@ properties: - letsencrypt-staging - external type: string - jksPassword: - type: string + jks: + properties: + keystore: + format: byte + type: string + password: + type: string + truststore: + format: byte + type: string + required: + - password + type: object required: - acme - ca - certificate - issuer - - jksPassword + - jks type: object required: - cloudServices