Merge pull request #19315 from asselitx/certificate-domains-hpcc-31872

HPCC-31872 Allow alternate certificate domains 

Reviewed-By: Anthony Fishbeck <[email protected]>
Reviewed-by: Gavin Halliday <[email protected]>
Merged-by: Gavin Halliday <[email protected]>

helm/hpcc/templates/_helpers.tpl

@@ -1894,6 +1894,7 @@ args:
       {{- end -}}
      {{- end -}}
      {{- $_ := set $local "dnsNames" (uniq $local.dnsNames ) -}}
+     {{- $_ := set $local "allDomains" (prepend (default list $issuer.alternativeDomains) $domain ) -}}
      {{- if $externalCert -}}
        {{- $_ := set $local "commonName" (mustFirst $local.dnsNames ) -}}
      {{- else -}}
@@ -1929,7 +1930,9 @@ spec:
      {{- end }}
   dnsNames:
      {{- range $dnsName := $local.dnsNames }}
-  - {{ (printf "%s.%s" $dnsName $domain) | quote }}
+     {{- range $altDomain := $local.allDomains }}
+  - {{ (printf "%s.%s" $dnsName $altDomain) | quote }}
+     {{- end }}
      {{- end }}
      {{- if $spiffe }}
   uris:

testing/helm/tests/multicertdomains.yaml

@@ -0,0 +1,102 @@
+global:
+  privileged: true
+  egress:
+    restricted: false
+certificates:
+  issuers:
+    remote:
+      name: hpcc-remote-issuer
+      domain: hpcc1
+      alternativeDomains:
+      - foo.hpcc1
+      - bar.hpcc1
+      ## set enabled to true if adding remoteClients for any components
+      enabled: true
+      ## kind can be changed to ClusterIssue to refer to a ClusterIssuer. https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.ClusterIssuer
+      kind: Issuer
+      spiffe: false
+      ## do not define spec (set spec: null), to reference an Issuer resource that already exists in the cluster
+      ## change spec if you'd like to change how certificates get issued... see ## https://cert-manager.io/docs/configuration/#supported-issuer-types
+      ## for information on what spec should contain.
+      spec:
+        ca:
+          secretName: hpcc-local-issuer-key-pair # real config would use hpcc-remote, but examples have hpcc-local instructions
+
+    signing: # intended to be used for signing/verification purposes only, e.g. by dafilesrv
+      name: hpcc-signing-issuer
+      ## kind can be changed to ClusterIssue to refer to a ClusterIssuer. https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.ClusterIssuer
+      kind: Issuer
+      ## do not define spec (set spec: null), to reference an Issuer resource that already exists in the cluster
+      ## change spec if you'd like to change how certificates get issued... see ## https://cert-manager.io/docs/configuration/#supported-issuer-types
+      ## for information on what spec should contain.
+      spec:
+        ca:
+          secretName: hpcc-signing-issuer-key-pair
+
+thor: null
+eclagent: null
+eclscheduler: null
+dafilesrv: null
+dfuserver: null
+
+sasha:
+  disabled: true
+  wu-archiver:
+    disabled: true
+  dfuwu-archiver:
+    disabled: true
+  dfurecovery-archiver:
+    disabled: true
+  file-expiry:
+    disabled: true
+
+esp:
+- name: eclwatch
+  application: eclwatch
+  auth: none
+  replicas: 1
+  service:
+    port: 8888
+    servicePort: 18010
+    visibility: local
+- name: eclqueries
+  application: eclqueries
+  auth: none
+  replicas: 1
+  service:
+    visibility: local
+    servicePort: 18002
+- name: eclservices
+  application: eclservices
+  auth: none
+  replicas: 1
+  service:
+    servicePort: 8010
+    visibility: cluster
+
+roxie:
+- name: roxie1
+  disabled: false
+  prefix: roxie1
+  services:
+  - name: roxie1
+    servicePort: 19876
+    listenQueue: 200
+    numThreads: 30
+    visibility: local
+    trustClients:
+    - commonName: roxie2.hpcc2
+  - name: roxie1backup
+    servicePort: 19877
+    listenQueue: 200
+    numThreads: 30
+    visibility: local
+    trustClients:
+    - commonName: roxie2.hpcc2
+  replicas: 1
+  numChannels: 1
+  serverReplicas: 0
+  localAgent: false
+  traceLevel: 1
+  topoServer:
+    replicas: 1