diff --git a/charts/core/Chart.yaml b/charts/core/Chart.yaml
index 77aa00c..6857325 100644
--- a/charts/core/Chart.yaml
+++ b/charts/core/Chart.yaml
@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn Core
 type: application
-version: v0.1.74
-appVersion: v0.1.74
+version: v0.1.75
+appVersion: v0.1.75
 icon: https://assets.unikorn-cloud.org/images/logos/dark-on-light/icon.svg
diff --git a/charts/core/templates/client-certificate.yaml b/charts/core/templates/client-ca/certificate.yaml
similarity index 76%
rename from charts/core/templates/client-certificate.yaml
rename to charts/core/templates/client-ca/certificate.yaml
index 8472923..8e06564 100644
--- a/charts/core/templates/client-certificate.yaml
+++ b/charts/core/templates/client-ca/certificate.yaml
@@ -1,4 +1,3 @@
-{{- if (and .Values.clientCA .Values.clientCA.enabled .Values.clientCA.generate) }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -10,7 +9,7 @@ spec:
 issuerRef:
 group: cert-manager.io
 kind: Issuer
- name: unikorn-self-signed-issuer
+ name: unikorn-self-signed-client-issuer
 privateKey:
 algorithm: RSA
 encoding: PKCS8
@@ -19,4 +18,3 @@ spec:
 isCA: true
 commonName: Unikorn Client CA
 duration: 87600h
-{{- end }}
diff --git a/charts/core/templates/client-clusterissuer.yaml b/charts/core/templates/client-ca/clusterissuer.yaml
similarity index 77%
rename from charts/core/templates/client-clusterissuer.yaml
rename to charts/core/templates/client-ca/clusterissuer.yaml
index 7241650..9e92eee 100644
--- a/charts/core/templates/client-clusterissuer.yaml
+++ b/charts/core/templates/client-ca/clusterissuer.yaml
@@ -1,4 +1,3 @@
-{{- if (and .Values.ca .Values.ca.enabled) }}
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
@@ -8,4 +7,3 @@ metadata:
 spec:
 ca:
 secretName: unikorn-client-ca
-{{- end }}
diff --git a/charts/core/templates/client-ca/issuer.yaml b/charts/core/templates/client-ca/issuer.yaml
new file mode 100644
index 0000000..1f6f630
--- /dev/null
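Review bot: Removing the `{{- if (and .Values.clientCA .Values.clientCA.enabled .Values.clientCA.generate) }}` guard in client-ca/certificate.yaml means every install now generates its own self-signed `Unikorn Client CA`, and the values.yaml hunk drops the `clientCA.generate` switch, so there is no opt-out left. A site that ran with `generate: false` and trusted a CA distributed from a root site would presumably get a new local mTLS trust root on upgrade without any warning; keep an opt-out, or fail the render while the old `clientCA` values are still set, and call it out in the release notes. The two guard-removal hunks in client-ca/clusterissuer.yaml have the same effect on the `ClusterIssuer` backed by `unikorn-client-ca`: it is cluster-scoped, so whoever may create cert-manager `Certificate` resources in any namespace can request a client certificate from it. I would document that in the template with `# Cluster-scoped: limit RBAC on Certificate/CertificateRequest creation, this CA signs mTLS client identities.` The 10-year `duration: 87600h` on an always-created CA also makes a rotation plan worth recording next to it.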
+++ b/charts/core/templates/client-ca/issuer.yaml
@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: unikorn-self-signed-client-issuer
+ namespace: {{ .Values.certManager.namespace }}
+ labels:
+ {{- include "unikorn.labels" . | nindent 4 }}
+spec:
+ selfSigned: {}
diff --git a/charts/core/templates/certificate.yaml b/charts/core/templates/server-ca/certificate.yaml
similarity index 100%
rename from charts/core/templates/certificate.yaml
rename to charts/core/templates/server-ca/certificate.yaml
diff --git a/charts/core/templates/clusterissuer.yaml b/charts/core/templates/server-ca/clusterissuer.yaml
similarity index 100%
rename from charts/core/templates/clusterissuer.yaml
rename to charts/core/templates/server-ca/clusterissuer.yaml
diff --git a/charts/core/templates/issuer.yaml b/charts/core/templates/server-ca/issuer.yaml
similarity index 100%
rename from charts/core/templates/issuer.yaml
rename to charts/core/templates/server-ca/issuer.yaml
diff --git a/charts/core/templates/secret.yaml b/charts/core/templates/server-ca/secret.yaml
similarity index 100%
rename from charts/core/templates/secret.yaml
rename to charts/core/templates/server-ca/secret.yaml
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
index ee4b45c..0bed9f4 100644
--- a/charts/core/values.yaml
+++ b/charts/core/values.yaml
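Review bot: `namespace: {{ .Values.certManager.namespace }}` in the new client-ca/issuer.yaml is rendered unquoted and unchecked, so a missing `certManager` value would presumably either abort the render with a nil-pointer error or produce a null `namespace:` that places the Issuer in the release namespace. The Certificate in client-ca/certificate.yaml refers to it as a namespaced `kind: Issuer`, so both objects must end up in the same namespace for the client CA to be issued; the Certificate's own `metadata` is outside the visible hunks, so that should be confirmed. I would write `namespace: {{ required "certManager.namespace must be set" .Values.certManager.namespace | quote }}` and open the file with a comment such as `# Self-signed issuer used only to bootstrap the Unikorn client CA.`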
@@ -21,16 +21,3 @@ ca:
 # These must be base64 encoded strings.
 # certificate: SSBhbSBjb21wbGV0ZSBub25zZW5zZS4gIFRoYW5rIHlvdSBmb3IgcmVhZGluZyB0aGlzLiAgR2V0IGEgbGlmZSE=
 # privateKey: SSBhbSBjb21wbGV0ZSBub25zZW5zZS4gIFRoYW5rIHlvdSBmb3IgcmVhZGluZyB0aGlzLiAgR2V0IGEgbGlmZSE=
-
-# Unikorn uses mTLS for credentialless authentication between componets. This is
-# only used in asynchronous controllers where a user access token is not availabile.
-clientCA:
- # Enable CA and issuer creation.
- enabled: true
-
- # Generate a self signed CA.
- # This is typically used at a single site to act as the trust root.
- # You will need to (somehow) distribute this to other sites so that services
- # can issue certificates as the CA is rotated. The other option is to just
- # issue them here at the root and distribute then to the services themselves.
- generate: true