diff --git a/README.md b/README.md
index 4052365..48e4236 100644
--- a/README.md
+++ b/README.md
@@ -181,6 +181,36 @@ annotations with the prefix `checksum`. | `nameOverride` | Individual release name suffix. | `""` | | `fullnameOverride` | Override the complete release name logic. | `""` | +### Certificate + +| Name | Description | Value | +| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | +| `certificate.enabled` | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false` | +| `certificate.existingSecret.enabled` | Use an existing secret of the type `kubernetes.io/tls`. | `false` | +| `certificate.existingSecret.secretName` | Name of the secret containing the TLS certificate and private key. | `""` | +| `certificate.new.annotations` | Additional certificate annotations. | `{}` | +| `certificate.new.labels` | Additional certificate labels. | `{}` | +| `certificate.new.duration` | Duration of the TLS certificate. | `744h` | +| `certificate.new.renewBefore` | Renew TLS certificate before expiring. | `672h` | +| `certificate.new.dnsNames` | Overwrites the default of the subject alternative DNS names. | `[]` | +| `certificate.new.ipAddresses` | Overwrites the default of the subject alternative IP addresses. | `[]` | +| `certificate.new.issuerRef.kind` | Issuer kind. Can be `Issuer` or `ClusterIssuer`. | `""` | +| `certificate.new.issuerRef.name` | Name of the `Issuer` or `ClusterIssuer`. | `""` | +| `certificate.new.privateKey.algorithm` | Algorithm of the private TLS key. | `RSA` | +| `certificate.new.privateKey.rotationPolicy` | Rotation of the private TLS key. | `Never` | +| `certificate.new.privateKey.size` | Size of the private TLS key. | `4096` | +| `certificate.new.secretTemplate.annotations` | Additional annotation of the created secret. 
| `{}` | +| `certificate.new.secretTemplate.labels` | Additional labels of the created secret. | `{}` | +| `certificate.new.subject.countries` | List of countries. | `[]` | +| `certificate.new.subject.localities` | List of localities. | `[]` | +| `certificate.new.subject.organizationalUnits` | List of organizationalUnits. | `[]` | +| `certificate.new.subject.organizations` | List of organizations. | `[]` | +| `certificate.new.subject.postalCodes` | List of postalCodes. | `[]` | +| `certificate.new.subject.provinces` | List of provinces. | `[]` | +| `certificate.new.subject.serialNumber` | Serial number. | `""` | +| `certificate.new.subject.streetAddresses` | List of streetAddresses. | `[]` | +| `certificate.new.usages` | Define the usage of the TLS key. | `["client auth","server auth"]` | + ### Configuration | Name | Description | Value | @@ -292,9 +322,15 @@ annotations with the prefix `checksum`. | `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` | | `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` | | `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` | -| `persistence.data.persistentVolumeClaim.storageClass` | Storage class of the persistent volume claim. | `""` | +| `persistence.data.persistentVolumeClaim.storageClassName` | Storage class of the persistent volume claim. | `""` | | `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. | `5Gi` | +### Network + +| Name | Description | Value | +| --------------- | ------------------------------------------------------------------------ | --------------- | +| `clusterDomain` | Domain of the Cluster. Domain is part of internally issued certificates. | `cluster.local` | + ### Network Policy | Name | Description | Value | 
diff --git a/templates/_certificate.tpl b/templates/_certificate.tpl
new file mode 100644
index 0000000..a9e5e9d
--- /dev/null
+++ b/templates/_certificate.tpl
@@ -0,0 +1,25 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.certificates.server.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.certificate.new.annotations }}
+{{ toYaml .Values.certificate.new.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.certificates.server.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.certificate.new.labels }}
+{{ toYaml .Values.certificate.new.labels }}
+{{- end }}
+{{- end }}
+
+{{/* names */}}
+
+{{- define "athens-proxy.certificates.server.name" -}}
+{{ include "athens-proxy.fullname" . }}-tls
+{{- end -}}
\ No newline at end of file
diff --git a/templates/_deployment.tpl b/templates/_deployment.tpl
index 398c854..765d9b6 100644
--- a/templates/_deployment.tpl
+++ b/templates/_deployment.tpl
@@ -26,6 +26,13 @@
 {{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
 {{- end }}
 
+{{- if .Values.certificate.enabled }}
+{{- $env = concat $env (list
+ (dict "name" "ATHENS_TLSCERT_FILE" "value" "/etc/athens-proxy/tls/tls.crt")
+ (dict "name" "ATHENS_TLSKEY_FILE" "value" "/etc/athens-proxy/tls/tls.key")
+ ) }}
+{{- end }}
+
 {{ toYaml (dict "env" $env) }}
 {{- end -}}
@@ -124,6 +131,12 @@
 {{- end }}
 
+
+{{/* volumeMounts (tls) */}}
+{{- if .Values.certificate.enabled }}
+{{- $volumeMounts = concat $volumeMounts (list (dict "name" "tls" "mountPath" "/etc/athens-proxy/tls" )) }}
+{{- end }}
+
 {{ toYaml (dict "volumeMounts" $volumeMounts) }}
 {{- end -}}
@@ -252,5 +265,15 @@
 {{- $volumes = concat $volumes (list $projectedSecretVolume) }}
 {{- end }}
 
+{{/* volumes (tls) */}}
+{{- if .Values.certificate.enabled }}
+{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{- if .Values.certificate.existingSecret.enabled }}
+{{- $secretName := .Values.certificate.existingSecret.secretName }}
+{{- end }}
+{{- $volumes = concat $volumes (list (dict "name" "tls" "secret" (dict "secretName" $secretName))) }}
+{{- end }}
+
+
 {{ toYaml (dict "volumes" $volumes) }}
 {{- end -}}
\ No newline at end of file
diff --git a/templates/certificate.yaml b/templates/certificate.yaml
new file mode 100644
index 0000000..382cf1d
--- /dev/null
+++ b/templates/certificate.yaml
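Review bot: `{{- $secretName := .Values.certificate.existingSecret.secretName }}` inside the inner `if` declares a new block-scoped variable instead of reassigning the outer one, so the tls volume always references `<fullname>-tls` and the configured existing secret is never used; it should be `{{- $secretName = .Values.certificate.existingSecret.secretName }}`, the same `=` form this file already uses for `$volumes`. Wrapping the value as `required "certificate.existingSecret.secretName must be set when existingSecret.enabled is true" .Values.certificate.existingSecret.secretName` would also stop an empty secretName from rendering into the volume. The enclosing `define` starts outside the hunk, and the deployment unit test added in this commit has no existing-secret case that would have caught this.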
@@ -0,0 +1,87 @@
+{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ {{- with (include "athens-proxy.certificates.server.annotations" . | fromYaml) }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with (include "athens-proxy.certificates.server.labels" . | fromYaml) }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "athens-proxy.certificates.server.name" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ commonName: {{ include "athens-proxy.fullname" . }}
+ {{- if empty .Values.certificate.new.dnsNames }}
+ dnsNames:
+ - {{ include "athens-proxy.fullname" . }}
+ - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}
+ - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
+ - {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ {{- else }}
+ dnsNames:
+ {{- range .Values.certificate.new.dnsNames }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ duration: {{ .Values.certificate.new.duration }}
+ {{- if not (empty .Values.certificate.new.ipAddresses) }}
+ ipAddresses:
+ {{- range .Values.certificate.new.ipAddresses }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ isCA: false
+ issuerRef:
+ kind: {{ required "No certificate issuer kind defined!" .Values.certificate.new.issuerRef.kind }}
+ name: {{ required "No certificate issuer name defined!" .Values.certificate.new.issuerRef.name }}
+ privateKey:
+ algorithm: {{ .Values.certificate.new.privateKey.algorithm }}
+ rotationPolicy: {{ .Values.certificate.new.privateKey.rotationPolicy }}
+ size: {{ .Values.certificate.new.privateKey.size }}
+ renewBefore: {{ .Values.certificate.new.renewBefore }}
+ secretName: {{ include "athens-proxy.certificates.server.name" . }}
+ {{- with .Values.certificate.new.secretTemplate }}
+ secretTemplate:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ subject:
+ {{- with .Values.certificate.new.subject.countries }}
+ countries:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certificate.new.subject.localities }}
+ localities:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certificate.new.subject.organizationalUnits }}
+ organizationalUnits:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certificate.new.subject.organizations }}
+ organizations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certificate.new.subject.postalCodes }}
+ postalCodes:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certificate.new.subject.provinces }}
+ provinces:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if .Values.certificate.new.subject.serialNumber }}
+ serialNumber: {{ .Values.certificate.new.subject.serialNumber }}
+ {{- end }}
+ {{- with .Values.certificate.new.subject.streetAddresses }}
+ streetAddresses:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ usages:
+ {{- range .Values.certificate.new.usages }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index 37b835c..6f6e0f1 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
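Review bot: `serialNumber: {{ .Values.certificate.new.subject.serialNumber }}` and the `- {{ . }}` items under `dnsNames`, `ipAddresses` and `usages` are emitted as bare scalars, so a purely numeric serial such as `12345` (or a value YAML would read as a boolean or float) renders as the wrong type and is rejected by cert-manager's schema, which expects strings; render them with `serialNumber: {{ .Values.certificate.new.subject.serialNumber | quote }}` and `- {{ . | quote }}` in the range loops. The helm-unittest suite added alongside only inspects the rendered tree, so this kind of type error would surface at apply time rather than in CI.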
@@ -50,16 +50,24 @@ spec:
 image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }}
 imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }}
 livenessProbe:
- tcpSocket:
- port: http
+ exec:
+ {{- if not .Values.certificate.enabled }}
+ command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
+ {{- else }}
+ command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
+ {{- end }}
 failureThreshold: 3
 initialDelaySeconds: 5
 periodSeconds: 60
 successThreshold: 1
 timeoutSeconds: 3
 readinessProbe:
- tcpSocket:
- port: http
+ exec:
+ {{- if not .Values.certificate.enabled }}
+ command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
+ {{- else }}
+ command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
+ {{- end }}
 failureThreshold: 3
 initialDelaySeconds: 5
 periodSeconds: 15
diff --git a/unittests/certificates/certificate.yaml b/unittests/certificates/certificate.yaml
new file mode 100644
index 0000000..c036cce
--- /dev/null
+++ b/unittests/certificates/certificate.yaml
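Review bot: The new probes hard-code `localhost:3000` and fork `wget` on every period, whereas the replaced `tcpSocket` probe used the named container port `http`; if the listen port is configurable elsewhere in the chart (not visible in this hunk) the probe will silently drift from it. The kubelet's native `httpGet` probe already skips certificate verification when `scheme: HTTPS` is set, so the same behaviour is available with no `--no-check-certificate` flag and no dependency on a `wget` binary in the image: `httpGet:` / `port: http` / `scheme: {{ ternary "HTTPS" "HTTP" .Values.certificate.enabled }}`. The identical six-line block is duplicated for readinessProbe in the same hunk; a small named template would keep the two from diverging. Athens also exposes dedicated health endpoints (`/healthz` and `/readyz`, if I recall correctly), which are better targets than `/` for readiness — worth confirming against the Athens version the chart pins.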
@@ -0,0 +1,300 @@
+chart:
+ appVersion: 0.1.0
+ version: 0.1.0
+suite: Certificate athens-proxy template
+release:
+ name: athens-proxy-unittest
+ namespace: testing
+templates:
+- templates/certificate.yaml
+tests:
+- it: Skip rendering by default.
+ asserts:
+ - hasDocuments:
+ count: 0
+
+- it: Skip rendering for existing certificate
+ set:
+ certificate.enabled: true
+ certificate.existingSecret.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+- it: Throw error when issuerKind and IssuerName is not defined
+ set:
+ certificate.enabled: true
+ asserts:
+ - failedTemplate:
+ errorMessage: "No certificate issuer kind defined!"
+
+- it: Throw error when issuerKind and IssuerName is not defined
+ set:
+ certificate.enabled: true
+ asserts:
+ - failedTemplate: {}
+
+- it: Throw error when issuerKind not defined
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.name: "my-issuer"
+ asserts:
+ - failedTemplate:
+ errorMessage: "No certificate issuer kind defined!"
+
+- it: Throw error when issuerName not defined
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: "ClusterIssuer"
+ asserts:
+ - failedTemplate:
+ errorMessage: "No certificate issuer name defined!"
+
+- it: Rendering Certificate object when certificate.enabled=true (default)
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ name: athens-proxy-unittest-tls
+ namespace: testing
+ - equal:
+ path: spec.commonName
+ value: athens-proxy-unittest
+ - equal:
+ path: spec.duration
+ value: 744h
+ - equal:
+ path: spec.dnsNames
+ value: [ "athens-proxy-unittest", "athens-proxy-unittest.testing", "athens-proxy-unittest.testing.svc", "athens-proxy-unittest.testing.svc.cluster.local" ]
+ - notExists:
+ path: spec.ipAddresses
+ - equal:
+ path: spec.isCA
+ value: false
+ - equal:
+ path: spec.issuerRef.kind
+ value: ClusterIssuer
+ - equal:
+ path: spec.issuerRef.name
+ value: my-issuer
+ - equal:
+ path: spec.privateKey.algorithm
+ value: RSA
+ - equal:
+ path: spec.privateKey.size
+ value: 4096
+ - equal:
+ path: spec.privateKey.rotationPolicy
+ value: Never
+ - equal:
+ path: spec.secretName
+ value: athens-proxy-unittest-tls
+ - exists:
+ path: spec.secretTemplate.annotations
+ - exists:
+ path: spec.secretTemplate.labels
+ - exists:
+ path: spec.subject
+ - notExists:
+ path: spec.subject.countries
+ - notExists:
+ path: spec.subject.localities
+ - notExists:
+ path: spec.subject.organizationalUnits
+ - notExists:
+ path: spec.subject.organizations
+ - notExists:
+ path: spec.subject.postalCodes
+ - notExists:
+ path: spec.subject.provinces
+ - notExists:
+ path: spec.subject.serialNumber
+ - notExists:
+ path: spec.subject.streetAddresses
+ - equal:
+ path: spec.renewBefore
+ value: 672h
+ - equal:
+ path: spec.usages
+ value: [ "client auth", "server auth" ]
+
+# metadata.annotations
+- it: Rendering Certificate object with additional annotations and labels
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.annotations:
+ foo: bar
+ certificate.new.labels:
+ bar: foo
+ asserts:
+ - isSubset:
+ path: metadata.annotations
+ content:
+ foo: bar
+ - isSubset:
+ path: metadata.labels
+ content:
+ bar: foo
+
+# spec.duration
+- it: Rendering Certificate object with custom `.Values.certificate.new.duration`.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.duration: 3000h
+ asserts:
+ - equal:
+ path: spec.duration
+ value: 3000h
+
+# spec.dnsNames
+- it: Rendering Certificate object with custom `.Values.certificate.new.dnsNames`.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.dnsNames: [ "app", "app.example.local" ]
+ asserts:
+ - equal:
+ path: spec.dnsNames
+ value: [ "app", "app.example.local" ]
+
+# spec.dnsNames
+- it: Rendering Certificate object with custom `.Values.clusterDomain` as domain.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ clusterDomain: k8s.example.local
+ asserts:
+ - contains:
+ path: spec.dnsNames
+ content:
+ athens-proxy-unittest.testing.svc.k8s.example.local
+ count: 1
+
+# spec.ipAddresses
+- it: RRendering Certificate object with custom `.Values.certificate.new.ipAddresses`.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.ipAddresses: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
+ asserts:
+ - equal:
+ path: spec.ipAddresses
+ value: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
+
+# spec.privateKey
+- it: Rendering Certificate object with custom `.Values.certificate.new.privateKey` values.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.privateKey.algorithm: ED25519
+ certificate.new.privateKey.rotationPolicy: Never
+ certificate.new.privateKey.size: 512
+ asserts:
+ - equal:
+ path: spec.privateKey.algorithm
+ value: ED25519
+ - equal:
+ path: spec.privateKey.rotationPolicy
+ value: Never
+ - equal:
+ path: spec.privateKey.size
+ value: 512
+
+# spec.renewBefore
+- it: Rendering Certificate object with custom `.Values.certificate.new.renewBefore`.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.renewBefore: 2000h
+ asserts:
+ - equal:
+ path: spec.renewBefore
+ value: 2000h
+
+# spec.secretTemplate
+- it: Rendering Certificate object with custom `.Values.certificate.new.secretTemplate` values.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.secretTemplate:
+ annotations:
+ foo: bar
+ labels:
+ bar: foo
+ asserts:
+ - equal:
+ path: spec.secretTemplate.annotations
+ value:
+ foo: bar
+ - equal:
+ path: spec.secretTemplate.labels
+ value:
+ bar: foo
+
+# spec.secretTemplate
+- it: Rendering Certificate object with custom `.Values.certificate.new.subject` values.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.subject.countries: [ "Country" ]
+ certificate.new.subject.localities: [ "City" ]
+ certificate.new.subject.organizationalUnits: [ "IT department" ]
+ certificate.new.subject.organizations: [ "My organization" ]
+ certificate.new.subject.postalCodes: [ "AB12345", "12345AB" ]
+ certificate.new.subject.provinces: [ "Provinces" ]
+ certificate.new.subject.serialNumber: "MyNumber"
+ certificate.new.subject.streetAddresses: [ "ExampleStreet 1", "StreetExample 2" ]
+ asserts:
+ - equal:
+ path: spec.subject.countries
+ value: [ "Country" ]
+ - equal:
+ path: spec.subject.localities
+ value: [ "City" ]
+ - equal:
+ path: spec.subject.organizationalUnits
+ value: [ "IT department" ]
+ - equal:
+ path: spec.subject.organizations
+ value: [ "My organization" ]
+ - equal:
+ path: spec.subject.postalCodes
+ value: [ "AB12345", "12345AB" ]
+ - equal:
+ path: spec.subject.provinces
+ value: [ "Provinces" ]
+ - equal:
+ path: spec.subject.serialNumber
+ value: "MyNumber"
+ - equal:
+ path: spec.subject.streetAddresses
+ value: [ "ExampleStreet 1", "StreetExample 2" ]
+
+# spec.usages
+- it: Rendering Certificate object with custom `.Values.certificate.new.usages`.
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: my-issuer
+ certificate.new.usages: [ "client auth" ]
+ asserts:
+ - equal:
+ path: spec.usages
+ value: [ "client auth" ]
diff --git a/unittests/deployment/certificate.yaml b/unittests/deployment/certificate.yaml
new file mode 100644
index 0000000..c6b15ab
--- /dev/null
+++ b/unittests/deployment/certificate.yaml
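Review bot: Two test cases near the top of the file share the title `Throw error when issuerKind and IssuerName is not defined` (one asserting the message, the other `failedTemplate: {}`), which makes a failure report ambiguous; give the second a distinct title or drop it, since the first already covers it. The ipAddresses fixture `fe00:xxyy:xxyy` is not a valid IPv6 literal (non-hex digits) and only passes because the template does no validation — an RFC 3849 documentation address such as `2001:db8::1` keeps the fixture valid for cert-manager too, and `RRendering` in that test's title is a typo. Finally, the comment above the `.Values.certificate.new.subject` case says `# spec.secretTemplate` where `# spec.subject` is meant.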
@@ -0,0 +1,73 @@
+chart:
+ appVersion: 0.1.0
+ version: 0.1.0
+suite: Deployment template
+release:
+ name: athens-proxy-unittest
+ namespace: testing
+templates:
+- templates/configMapDownloadMode.yaml
+- templates/configMapGitConfig.yaml
+- templates/deployment.yaml
+- templates/secretNetRC.yaml
+- templates/secretSSH.yaml
+tests:
+- it: Rendering default without tls config
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATHENS_TLSCERT_FILE
+ value: /etc/athens-proxy/tls/tls.crt
+ template: templates/deployment.yaml
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATHENS_TLSKEY_FILE
+ value: /etc/athens-proxy/tls/tls.key
+ template: templates/deployment.yaml
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: tls
+ mountPath: /etc/athens-proxy/tls
+ template: templates/deployment.yaml
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: tls
+ secretRef:
+ name: athens-proxy-unittest-tls
+ template: templates/deployment.yaml
+
+- it: Rendering with tls config
+ set:
+ certificate.enabled: true
+ certificate.new.issuerRef.kind: ClusterIssuer
+ certificate.new.issuerRef.name: MyIssuer
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATHENS_TLSCERT_FILE
+ value: /etc/athens-proxy/tls/tls.crt
+ template: templates/deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATHENS_TLSKEY_FILE
+ value: /etc/athens-proxy/tls/tls.key
+ template: templates/deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: tls
+ mountPath: /etc/athens-proxy/tls
+ template: templates/deployment.yaml
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: tls
+ secret:
+ secretName: athens-proxy-unittest-tls
+ template: templates/deployment.yaml
\ No newline at end of file
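Review bot: The negative volume assertion in the default case checks `name: tls` / `secretRef:` / `name: athens-proxy-unittest-tls`, a shape the template never emits (the positive case further down correctly uses `secret:` / `secretName:`), so it would pass even if the tls volume were rendered unconditionally; align it to `secret:` / `secretName: athens-proxy-unittest-tls`. A third case with `certificate.existingSecret.enabled: true` and a `certificate.existingSecret.secretName` that asserts the volume references that name instead of `athens-proxy-unittest-tls` is missing — as far as I can tell from the `:=` used inside the `if` in templates/_deployment.tpl in this commit, that case would currently fail, which is exactly why it is worth having.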
diff --git a/values.yaml b/values.yaml
index 7c1f1ff..428aee4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,6 +5,77 @@
 nameOverride: ""
 fullnameOverride: ""
 
+## @section Certificate
+certificate:
+ ## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
+ enabled: false
+
+ ## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
+ ## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
+ existingSecret:
+ enabled: false
+ secretName: ""
+
+ ## @param certificate.new.annotations Additional certificate annotations.
+ ## @param certificate.new.labels Additional certificate labels.
+ ## @param certificate.new.duration Duration of the TLS certificate.
+ ## @param certificate.new.renewBefore Renew TLS certificate before expiring.
+ ## @param certificate.new.dnsNames Overwrites the default of the subject alternative DNS names.
+ ## @param certificate.new.ipAddresses Overwrites the default of the subject alternative IP addresses.
+ ## @param certificate.new.issuerRef.kind Issuer kind. Can be `Issuer` or `ClusterIssuer`.
+ ## @param certificate.new.issuerRef.name Name of the `Issuer` or `ClusterIssuer`.
+ ## @param certificate.new.privateKey.algorithm Algorithm of the private TLS key.
+ ## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key.
+ ## @param certificate.new.privateKey.size Size of the private TLS key.
+ ## @param certificate.new.secretTemplate.annotations Additional annotation of the created secret.
+ ## @param certificate.new.secretTemplate.labels Additional labels of the created secret.
+ ## @param certificate.new.subject.countries List of countries.
+ ## @param certificate.new.subject.localities List of localities.
+ ## @param certificate.new.subject.organizationalUnits List of organizationalUnits.
+ ## @param certificate.new.subject.organizations List of organizations.
+ ## @param certificate.new.subject.postalCodes List of postalCodes.
+ ## @param certificate.new.subject.provinces List of provinces.
+ ## @param certificate.new.subject.serialNumber Serial number.
+ ## @param certificate.new.subject.streetAddresses List of streetAddresses.
+ ## @param certificate.new.usages Define the usage of the TLS key.
+ new:
+ annotations: {}
+ labels: {}
+ duration: "744h" # 31 days
+ renewBefore: "672h" # 28 days
+ dnsNames: []
+ # The following DNS names are already part of the SAN's and serves only as example.
+ # - "athens-proxy"
+ # - "athens-proxy.svc"
+ # - "athens-proxy.svc.namespace"
+ # - "athens-proxy.svc.namespace.cluster.local"
+ ipAddresses: []
+ # The following IP addresses serves only as example.
+ # - "10.92.1.10"
+ # - "2001:0db8:85a3:08d3:1319:8a2e:0370:7344"
+ issuerRef:
+ kind: ""
+ name: ""
+ privateKey:
+ algorithm: "RSA"
+ rotationPolicy: "Never"
+ size: 4096
+ secretTemplate:
+ annotations: {}
+ labels: {}
+ subject:
+ countries: []
+ localities: []
+ organizationalUnits: []
+ organizations: []
+ postalCodes: []
+ provinces: []
+ serialNumber: ""
+ streetAddresses: []
+ usages:
+ - "client auth"
+ - "server auth"
+
 ## @section Configuration
 config:
 env:
@@ -78,8 +149,6 @@ config:
 # ATHENS_STORAGE_GCP_JSON_KEY:
 # ATHENS_SUM_DBS:
 # ATHENS_TIMEOUT:
- # ATHENS_TLSCERT_FILE:
- # ATHENS_TLSKEY_FILE:
 # ATHENS_TRACE_EXPORTER_URL:
 # ATHENS_TRACE_EXPORTER:
 # AWS_ACCESS_KEY_ID:
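Review bot: `rotationPolicy: "Never"` as the default means cert-manager reuses the same private key on every renewal, so a key that is exposed once stays valid for every future certificate; cert-manager's own guidance is `Always`, which regenerates the key at each renewal. Consider defaulting to `"Always"`, or at least widening the `@param` text so the trade-off is visible: `## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key (`Never` or `Always`; `Always` generates a new key on each renewal and is the recommended setting).` The default `usages` also grants `client auth` to what is, per `ATHENS_TLSCERT_FILE`/`ATHENS_TLSKEY_FILE`, the proxy's server certificate; unless the same key is meant for mTLS towards upstreams, `server auth` alone keeps the key usage minimal. The example SAN comments list `athens-proxy.svc.namespace`, while the template renders `<name>.<namespace>.svc` — the comment order should match.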
@@ -490,16 +559,20 @@ persistence:
 ## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations.
 ## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels.
 ## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim.
- ## @param persistence.data.persistentVolumeClaim.storageClass Storage class of the persistent volume claim.
+ ## @param persistence.data.persistentVolumeClaim.storageClassName Storage class of the persistent volume claim.
 ## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim.
 persistentVolumeClaim:
 annotations: {}
 labels: {}
 accessModes:
 - ReadWriteMany
- storageClass: ""
+ storageClassName: ""
 storageSize: "5Gi"
 
+## @section Network
+## @param clusterDomain Domain of the Cluster. Domain is part of internally issued certificates.
+clusterDomain: "cluster.local"
+
 ## @section Network Policy
 networkPolicy:
 ## @param networkPolicy.enabled Enable network policies in general.
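Review bot: Renaming `persistence.data.persistentVolumeClaim.storageClass` to `storageClassName` is a silent breaking change: a values file that still sets `storageClass` is accepted without error and the claim quietly falls back to the cluster's default storage class. A fail-fast guard in the PVC template, `{{- if hasKey .Values.persistence.data.persistentVolumeClaim "storageClass" }}{{ fail "persistence.data.persistentVolumeClaim.storageClass was renamed to storageClassName" }}{{- end }}`, turns that into an install-time error, and the rename deserves a mention in the chart's release notes. The PVC template that consumes the renamed key is not part of this diff, so I cannot see whether it was updated in the same commit.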