volker.raschek/athens-proxy-charts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(certificates): support certificates
All checks were successful
Generate README / generate-parameters (push) Successful in 10s
Details
Helm / helm-lint (push) Successful in 14s
Details
Helm / helm-unittest (push) Successful in 7s
Details
Markdown linter / markdown-lint (push) Successful in 15s
Details
Markdown linter / markdown-link-checker (push) Successful in 32s
Details
Release / publish-chart (push) Successful in 19s
Details

Browse Source 
The following patch enables you to generate certificates using cert-manager or,
alternatively, to mount a secret with TLS certificates.

The HTTP server is then automatically configured to use the TLS certificates to
encrypt HTTP traffic.

If an ingress controller is also used, such as the nginx-ingress controller, the
necessary annotations must still be set to inform the nginx-ingress controller
that the HTTP upstream server communicates via HTTPS.
This commit is contained in:
Markus Pesch
2025-10-14 22:56:25 +02:00
parent be923ed95f
commit 4102fc9014
8 changed files with 634 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
README.md
View File

@@ -181,6 +181,36 @@ annotations with the prefix `checksum`.
| `nameOverride` | Individual release name suffix. | `""` | | `nameOverride` | Individual release name suffix. | `""` |
| `fullnameOverride` | Override the complete release name logic. | `""` | | `fullnameOverride` | Override the complete release name logic. | `""` |
### Certificate
| Name | Description | Value |
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| `certificate.enabled` | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false` |
| `certificate.existingSecret.enabled` | Use an existing secret of the type `kubernetes.io/tls`. | `false` |
| `certificate.existingSecret.secretName` | Name of the secret containing the TLS certificate and private key. | `""` |
| `certificate.new.annotations` | Additional certificate annotations. | `{}` |
| `certificate.new.labels` | Additional certificate labels. | `{}` |
| `certificate.new.duration` | Duration of the TLS certificate. | `744h` |
| `certificate.new.renewBefore` | Renew TLS certificate before expiring. | `672h` |
| `certificate.new.dnsNames` | Overwrites the default of the subject alternative DNS names. | `[]` |
| `certificate.new.ipAddresses` | Overwrites the default of the subject alternative IP addresses. | `[]` |
| `certificate.new.issuerRef.kind` | Issuer kind. Can be `Issuer` or `ClusterIssuer`. | `""` |
| `certificate.new.issuerRef.name` | Name of the `Issuer` or `ClusterIssuer`. | `""` |
| `certificate.new.privateKey.algorithm` | Algorithm of the private TLS key. | `RSA` |
| `certificate.new.privateKey.rotationPolicy` | Rotation of the private TLS key. | `Never` |
| `certificate.new.privateKey.size` | Size of the private TLS key. | `4096` |
| `certificate.new.secretTemplate.annotations` | Additional annotation of the created secret. | `{}` |
| `certificate.new.secretTemplate.labels` | Additional labels of the created secret. | `{}` |
| `certificate.new.subject.countries` | List of countries. | `[]` |
| `certificate.new.subject.localities` | List of localities. | `[]` |
| `certificate.new.subject.organizationalUnits` | List of organizationalUnits. | `[]` |
| `certificate.new.subject.organizations` | List of organizations. | `[]` |
| `certificate.new.subject.postalCodes` | List of postalCodes. | `[]` |
| `certificate.new.subject.provinces` | List of provinces. | `[]` |
| `certificate.new.subject.serialNumber` | Serial number. | `""` |
| `certificate.new.subject.streetAddresses` | List of streetAddresses. | `[]` |
| `certificate.new.usages` | Define the usage of the TLS key. | `["client auth","server auth"]` |
### Configuration ### Configuration
| Name | Description | Value | | Name | Description | Value |
@@ -292,9 +322,15 @@ annotations with the prefix `checksum`.
| `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` | | `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` |
| `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` | | `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` |
| `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` | | `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` |
| `persistence.data.persistentVolumeClaim.storageClass` | Storage class of the persistent volume claim. | `""` | | `persistence.data.persistentVolumeClaim.storageClassName` | Storage class of the persistent volume claim. | `""` |
| `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. | `5Gi` | | `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. | `5Gi` |
### Network
| Name | Description | Value |
| --------------- | ------------------------------------------------------------------------ | --------------- |
| `clusterDomain` | Domain of the Cluster. Domain is part of internally issued certificates. | `cluster.local` |
### Network Policy ### Network Policy
| Name | Description | Value | | Name | Description | Value |

25
templates/_certificate.tpl Normal file
View File

@@ -0,0 +1,25 @@
{{/* vim: set filetype=mustache: */}}
{{/* annotations */}}
{{- define "athens-proxy.certificates.server.annotations" -}}
{{ include "athens-proxy.annotations" . }}
{{- if .Values.certificate.new.annotations }}
{{ toYaml .Values.certificate.new.annotations }}
{{- end }}
{{- end }}
{{/* labels */}}
{{- define "athens-proxy.certificates.server.labels" -}}
{{ include "athens-proxy.labels" . }}
{{- if .Values.certificate.new.labels }}
{{ toYaml .Values.certificate.new.labels }}
{{- end }}
{{- end }}
{{/* names */}}
{{- define "athens-proxy.certificates.server.name" -}}
{{ include "athens-proxy.fullname" . }}-tls
{{- end -}}

23
templates/_deployment.tpl
View File

@@ -26,6 +26,13 @@
{{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }} {{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
{{- end }} {{- end }}
{{- if .Values.certificate.enabled }}
{{- $env = concat $env (list
(dict "name" "ATHENS_TLSCERT_FILE" "value" "/etc/athens-proxy/tls/tls.crt")
(dict "name" "ATHENS_TLSKEY_FILE" "value" "/etc/athens-proxy/tls/tls.key")
) }}
{{- end }}
{{ toYaml (dict "env" $env) }} {{ toYaml (dict "env" $env) }}
{{- end -}} {{- end -}}
@@ -124,6 +131,12 @@
{{- end }} {{- end }}
{{/* volumeMounts (tls) */}}
{{- if .Values.certificate.enabled }}
{{- $volumeMounts = concat $volumeMounts (list (dict "name" "tls" "mountPath" "/etc/athens-proxy/tls" )) }}
{{- end }}
{{ toYaml (dict "volumeMounts" $volumeMounts) }} {{ toYaml (dict "volumeMounts" $volumeMounts) }}
{{- end -}} {{- end -}}
@@ -252,5 +265,15 @@
{{- $volumes = concat $volumes (list $projectedSecretVolume) }} {{- $volumes = concat $volumes (list $projectedSecretVolume) }}
{{- end }} {{- end }}
{{/* volumes (tls) */}}
{{- if .Values.certificate.enabled }}
{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
{{- if .Values.certificate.existingSecret.enabled }}
{{- $secretName := .Values.certificate.existingSecret.secretName }}
{{- end }}
{{- $volumes = concat $volumes (list (dict "name" "tls" "secret" (dict "secretName" $secretName))) }}
{{- end }}
{{ toYaml (dict "volumes" $volumes) }} {{ toYaml (dict "volumes" $volumes) }}
{{- end -}} {{- end -}}

87
templates/certificate.yaml Normal file
View File

@@ -0,0 +1,87 @@
{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) -}}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
{{- with (include "athens-proxy.certificates.server.annotations" . | fromYaml) }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with (include "athens-proxy.certificates.server.labels" . | fromYaml) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "athens-proxy.certificates.server.name" . }}
namespace: {{ .Release.Namespace }}
spec:
commonName: {{ include "athens-proxy.fullname" . }}
{{- if empty .Values.certificate.new.dnsNames }}
dnsNames:
- {{ include "athens-proxy.fullname" . }}
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
{{- else }}
dnsNames:
{{- range .Values.certificate.new.dnsNames }}
- {{ . }}
{{- end }}
{{- end }}
duration: {{ .Values.certificate.new.duration }}
{{- if not (empty .Values.certificate.new.ipAddresses) }}
ipAddresses:
{{- range .Values.certificate.new.ipAddresses }}
- {{ . }}
{{- end }}
{{- end }}
isCA: false
issuerRef:
kind: {{ required "No certificate issuer kind defined!" .Values.certificate.new.issuerRef.kind }}
name: {{ required "No certificate issuer name defined!" .Values.certificate.new.issuerRef.name }}
privateKey:
algorithm: {{ .Values.certificate.new.privateKey.algorithm }}
rotationPolicy: {{ .Values.certificate.new.privateKey.rotationPolicy }}
size: {{ .Values.certificate.new.privateKey.size }}
renewBefore: {{ .Values.certificate.new.renewBefore }}
secretName: {{ include "athens-proxy.certificates.server.name" . }}
{{- with .Values.certificate.new.secretTemplate }}
secretTemplate:
{{- toYaml . | nindent 4 }}
{{- end }}
subject:
{{- with .Values.certificate.new.subject.countries }}
countries:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.certificate.new.subject.localities }}
localities:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.certificate.new.subject.organizationalUnits }}
organizationalUnits:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.certificate.new.subject.organizations }}
organizations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.certificate.new.subject.postalCodes }}
postalCodes:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.certificate.new.subject.provinces }}
provinces:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.certificate.new.subject.serialNumber }}
serialNumber: {{ .Values.certificate.new.subject.serialNumber }}
{{- end }}
{{- with .Values.certificate.new.subject.streetAddresses }}
streetAddresses:
{{- toYaml . | nindent 4 }}
{{- end }}
usages:
{{- range .Values.certificate.new.usages }}
- {{ . }}
{{- end }}
{{- end }}

16
templates/deployment.yaml
View File

@@ -50,16 +50,24 @@ spec:
image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }} image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }}
imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }} imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }}
livenessProbe: livenessProbe:
tcpSocket: exec:
port: http {{- if not .Values.certificate.enabled }}
command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
{{- else }}
command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
{{- end }}
failureThreshold: 3 failureThreshold: 3
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 60 periodSeconds: 60
successThreshold: 1 successThreshold: 1
timeoutSeconds: 3 timeoutSeconds: 3
readinessProbe: readinessProbe:
tcpSocket: exec:
port: http {{- if not .Values.certificate.enabled }}
command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
{{- else }}
command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
{{- end }}
failureThreshold: 3 failureThreshold: 3
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 15 periodSeconds: 15

300
unittests/certificates/certificate.yaml Normal file
View File

@@ -0,0 +1,300 @@
chart:
appVersion: 0.1.0
version: 0.1.0
suite: Certificate athens-proxy template
release:
name: athens-proxy-unittest
namespace: testing
templates:
- templates/certificate.yaml
tests:
- it: Skip rendering by default.
asserts:
- hasDocuments:
count: 0
- it: Skip rendering for existing certificate
set:
certificate.enabled: true
certificate.existingSecret.enabled: true
asserts:
- hasDocuments:
count: 0
- it: Throw error when issuerKind and IssuerName is not defined
set:
certificate.enabled: true
asserts:
- failedTemplate:
errorMessage: "No certificate issuer kind defined!"
- it: Throw error when issuerKind and IssuerName is not defined
set:
certificate.enabled: true
asserts:
- failedTemplate: {}
- it: Throw error when issuerKind not defined
set:
certificate.enabled: true
certificate.new.issuerRef.name: "my-issuer"
asserts:
- failedTemplate:
errorMessage: "No certificate issuer kind defined!"
- it: Throw error when issuerName not defined
set:
certificate.enabled: true
certificate.new.issuerRef.kind: "ClusterIssuer"
asserts:
- failedTemplate:
errorMessage: "No certificate issuer name defined!"
- it: Rendering Certificate object when certificate.enabled=true (default)
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
asserts:
- hasDocuments:
count: 1
- containsDocument:
apiVersion: cert-manager.io/v1
kind: Certificate
name: athens-proxy-unittest-tls
namespace: testing
- equal:
path: spec.commonName
value: athens-proxy-unittest
- equal:
path: spec.duration
value: 744h
- equal:
path: spec.dnsNames
value: [ "athens-proxy-unittest", "athens-proxy-unittest.testing", "athens-proxy-unittest.testing.svc", "athens-proxy-unittest.testing.svc.cluster.local" ]
- notExists:
path: spec.ipAddresses
- equal:
path: spec.isCA
value: false
- equal:
path: spec.issuerRef.kind
value: ClusterIssuer
- equal:
path: spec.issuerRef.name
value: my-issuer
- equal:
path: spec.privateKey.algorithm
value: RSA
- equal:
path: spec.privateKey.size
value: 4096
- equal:
path: spec.privateKey.rotationPolicy
value: Never
- equal:
path: spec.secretName
value: athens-proxy-unittest-tls
- exists:
path: spec.secretTemplate.annotations
- exists:
path: spec.secretTemplate.labels
- exists:
path: spec.subject
- notExists:
path: spec.subject.countries
- notExists:
path: spec.subject.localities
- notExists:
path: spec.subject.organizationalUnits
- notExists:
path: spec.subject.organizations
- notExists:
path: spec.subject.postalCodes
- notExists:
path: spec.subject.provinces
- notExists:
path: spec.subject.serialNumber
- notExists:
path: spec.subject.streetAddresses
- equal:
path: spec.renewBefore
value: 672h
- equal:
path: spec.usages
value: [ "client auth", "server auth" ]
# metadata.annotations
- it: Rendering Certificate object with additional annotations and labels
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.annotations:
foo: bar
certificate.new.labels:
bar: foo
asserts:
- isSubset:
path: metadata.annotations
content:
foo: bar
- isSubset:
path: metadata.labels
content:
bar: foo
# spec.duration
- it: Rendering Certificate object with custom `.Values.certificate.new.duration`.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.duration: 3000h
asserts:
- equal:
path: spec.duration
value: 3000h
# spec.dnsNames
- it: Rendering Certificate object with custom `.Values.certificate.new.dnsNames`.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.dnsNames: [ "app", "app.example.local" ]
asserts:
- equal:
path: spec.dnsNames
value: [ "app", "app.example.local" ]
# spec.dnsNames
- it: Rendering Certificate object with custom `.Values.clusterDomain` as domain.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
clusterDomain: k8s.example.local
asserts:
- contains:
path: spec.dnsNames
content:
athens-proxy-unittest.testing.svc.k8s.example.local
count: 1
# spec.ipAddresses
- it: RRendering Certificate object with custom `.Values.certificate.new.ipAddresses`.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.ipAddresses: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
asserts:
- equal:
path: spec.ipAddresses
value: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
# spec.privateKey
- it: Rendering Certificate object with custom `.Values.certificate.new.privateKey` values.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.privateKey.algorithm: ED25519
certificate.new.privateKey.rotationPolicy: Never
certificate.new.privateKey.size: 512
asserts:
- equal:
path: spec.privateKey.algorithm
value: ED25519
- equal:
path: spec.privateKey.rotationPolicy
value: Never
- equal:
path: spec.privateKey.size
value: 512
# spec.renewBefore
- it: Rendering Certificate object with custom `.Values.certificate.new.renewBefore`.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.renewBefore: 2000h
asserts:
- equal:
path: spec.renewBefore
value: 2000h
# spec.secretTemplate
- it: Rendering Certificate object with custom `.Values.certificate.new.secretTemplate` values.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.secretTemplate:
annotations:
foo: bar
labels:
bar: foo
asserts:
- equal:
path: spec.secretTemplate.annotations
value:
foo: bar
- equal:
path: spec.secretTemplate.labels
value:
bar: foo
# spec.secretTemplate
- it: Rendering Certificate object with custom `.Values.certificate.new.subject` values.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.subject.countries: [ "Country" ]
certificate.new.subject.localities: [ "City" ]
certificate.new.subject.organizationalUnits: [ "IT department" ]
certificate.new.subject.organizations: [ "My organization" ]
certificate.new.subject.postalCodes: [ "AB12345", "12345AB" ]
certificate.new.subject.provinces: [ "Provinces" ]
certificate.new.subject.serialNumber: "MyNumber"
certificate.new.subject.streetAddresses: [ "ExampleStreet 1", "StreetExample 2" ]
asserts:
- equal:
path: spec.subject.countries
value: [ "Country" ]
- equal:
path: spec.subject.localities
value: [ "City" ]
- equal:
path: spec.subject.organizationalUnits
value: [ "IT department" ]
- equal:
path: spec.subject.organizations
value: [ "My organization" ]
- equal:
path: spec.subject.postalCodes
value: [ "AB12345", "12345AB" ]
- equal:
path: spec.subject.provinces
value: [ "Provinces" ]
- equal:
path: spec.subject.serialNumber
value: "MyNumber"
- equal:
path: spec.subject.streetAddresses
value: [ "ExampleStreet 1", "StreetExample 2" ]
# spec.usages
- it: Rendering Certificate object with custom `.Values.certificate.new.usages`.
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: my-issuer
certificate.new.usages: [ "client auth" ]
asserts:
- equal:
path: spec.usages
value: [ "client auth" ]

73
unittests/deployment/certificate.yaml Normal file
View File

@@ -0,0 +1,73 @@
chart:
appVersion: 0.1.0
version: 0.1.0
suite: Deployment template
release:
name: athens-proxy-unittest
namespace: testing
templates:
- templates/configMapDownloadMode.yaml
- templates/configMapGitConfig.yaml
- templates/deployment.yaml
- templates/secretNetRC.yaml
- templates/secretSSH.yaml
tests:
- it: Rendering default without tls config
asserts:
- notContains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_TLSCERT_FILE
value: /etc/athens-proxy/tls/tls.crt
template: templates/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_TLSKEY_FILE
value: /etc/athens-proxy/tls/tls.key
template: templates/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: tls
mountPath: /etc/athens-proxy/tls
template: templates/deployment.yaml
- notContains:
path: spec.template.spec.volumes
content:
name: tls
secretRef:
name: athens-proxy-unittest-tls
template: templates/deployment.yaml
- it: Rendering with tls config
set:
certificate.enabled: true
certificate.new.issuerRef.kind: ClusterIssuer
certificate.new.issuerRef.name: MyIssuer
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_TLSCERT_FILE
value: /etc/athens-proxy/tls/tls.crt
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: ATHENS_TLSKEY_FILE
value: /etc/athens-proxy/tls/tls.key
template: templates/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: tls
mountPath: /etc/athens-proxy/tls
template: templates/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: tls
secret:
secretName: athens-proxy-unittest-tls
template: templates/deployment.yaml

81
values.yaml
View File

@@ -5,6 +5,77 @@
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
## @section Certificate
certificate:
## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
enabled: false
## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
existingSecret:
enabled: false
secretName: ""
## @param certificate.new.annotations Additional certificate annotations.
## @param certificate.new.labels Additional certificate labels.
## @param certificate.new.duration Duration of the TLS certificate.
## @param certificate.new.renewBefore Renew TLS certificate before expiring.
## @param certificate.new.dnsNames Overwrites the default of the subject alternative DNS names.
## @param certificate.new.ipAddresses Overwrites the default of the subject alternative IP addresses.
## @param certificate.new.issuerRef.kind Issuer kind. Can be `Issuer` or `ClusterIssuer`.
## @param certificate.new.issuerRef.name Name of the `Issuer` or `ClusterIssuer`.
## @param certificate.new.privateKey.algorithm Algorithm of the private TLS key.
## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key.
## @param certificate.new.privateKey.size Size of the private TLS key.
## @param certificate.new.secretTemplate.annotations Additional annotation of the created secret.
## @param certificate.new.secretTemplate.labels Additional labels of the created secret.
## @param certificate.new.subject.countries List of countries.
## @param certificate.new.subject.localities List of localities.
## @param certificate.new.subject.organizationalUnits List of organizationalUnits.
## @param certificate.new.subject.organizations List of organizations.
## @param certificate.new.subject.postalCodes List of postalCodes.
## @param certificate.new.subject.provinces List of provinces.
## @param certificate.new.subject.serialNumber Serial number.
## @param certificate.new.subject.streetAddresses List of streetAddresses.
## @param certificate.new.usages Define the usage of the TLS key.
new:
annotations: {}
labels: {}
duration: "744h" # 31 days
renewBefore: "672h" # 28 days
dnsNames: []
# The following DNS names are already part of the SAN's and serves only as example.
# - "athens-proxy"
# - "athens-proxy.svc"
# - "athens-proxy.svc.namespace"
# - "athens-proxy.svc.namespace.cluster.local"
ipAddresses: []
# The following IP addresses serves only as example.
# - "10.92.1.10"
# - "2001:0db8:85a3:08d3:1319:8a2e:0370:7344"
issuerRef:
kind: ""
name: ""
privateKey:
algorithm: "RSA"
rotationPolicy: "Never"
size: 4096
secretTemplate:
annotations: {}
labels: {}
subject:
countries: []
localities: []
organizationalUnits: []
organizations: []
postalCodes: []
provinces: []
serialNumber: ""
streetAddresses: []
usages:
- "client auth"
- "server auth"
## @section Configuration ## @section Configuration
config: config:
env: env:
@@ -78,8 +149,6 @@ config:
# ATHENS_STORAGE_GCP_JSON_KEY: # ATHENS_STORAGE_GCP_JSON_KEY:
# ATHENS_SUM_DBS: # ATHENS_SUM_DBS:
# ATHENS_TIMEOUT: # ATHENS_TIMEOUT:
# ATHENS_TLSCERT_FILE:
# ATHENS_TLSKEY_FILE:
# ATHENS_TRACE_EXPORTER_URL: # ATHENS_TRACE_EXPORTER_URL:
# ATHENS_TRACE_EXPORTER: # ATHENS_TRACE_EXPORTER:
# AWS_ACCESS_KEY_ID: # AWS_ACCESS_KEY_ID:
@@ -490,16 +559,20 @@ persistence:
## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations. ## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations.
## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels. ## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels.
## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim. ## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim.
## @param persistence.data.persistentVolumeClaim.storageClass Storage class of the persistent volume claim. ## @param persistence.data.persistentVolumeClaim.storageClassName Storage class of the persistent volume claim.
## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim. ## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim.
persistentVolumeClaim: persistentVolumeClaim:
annotations: {} annotations: {}
labels: {} labels: {}
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
storageClass: "" storageClassName: ""
storageSize: "5Gi" storageSize: "5Gi"
## @section Network
## @param clusterDomain Domain of the Cluster. Domain is part of internally issued certificates.
clusterDomain: "cluster.local"
## @section Network Policy ## @section Network Policy
networkPolicy: networkPolicy:
## @param networkPolicy.enabled Enable network policies in general. ## @param networkPolicy.enabled Enable network policies in general.