You've already forked athens-proxy-charts
Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
4102fc9014
|
|||
| be923ed95f | |||
f07ff039ce
|
|||
|
a11be194cc
|
|||
|
7908de9313
|
|||
|
adfe40a9c7
|
@@ -19,6 +19,6 @@ keywords:
|
||||
- go-proxy
|
||||
|
||||
sources:
|
||||
- https://github.com/volker-raschek/athens-proxy-charts
|
||||
- https://git.cryptic.systems/volker.raschek/athens-proxy-charts
|
||||
- https://github.com/gomods/athens
|
||||
- https://hub.docker.com/r/gomods/athens
|
||||
|
||||
46
README.md
46
README.md
@@ -40,7 +40,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
|
||||
versions can break something!
|
||||
|
||||
```bash
|
||||
CHART_VERSION=1.0.0
|
||||
CHART_VERSION=1.0.3
|
||||
helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
|
||||
```
|
||||
|
||||
@@ -54,7 +54,7 @@ The helm chart also contains a persistent volume claim definition. It persistent
|
||||
Use the `--set` argument to persist your data.
|
||||
|
||||
```bash
|
||||
CHART_VERSION=1.0.0
|
||||
CHART_VERSION=1.0.3
|
||||
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||
persistence.enabled=true
|
||||
```
|
||||
@@ -84,7 +84,7 @@ Further information about this topic can be found in one of Kanishk's blog
|
||||
> Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
|
||||
|
||||
```bash
|
||||
CHART_VERSION=1.0.0
|
||||
CHART_VERSION=1.0.3
|
||||
helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
|
||||
--set 'deployment.athensProxy.env.name=GOMAXPROCS' \
|
||||
--set 'deployment.athensProxy.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
|
||||
@@ -181,6 +181,36 @@ annotations with the prefix `checksum`.
|
||||
| `nameOverride` | Individual release name suffix. | `""` |
|
||||
| `fullnameOverride` | Override the complete release name logic. | `""` |
|
||||
|
||||
### Certificate
|
||||
|
||||
| Name | Description | Value |
|
||||
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
|
||||
| `certificate.enabled` | Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added. | `false` |
|
||||
| `certificate.existingSecret.enabled` | Use an existing secret of the type `kubernetes.io/tls`. | `false` |
|
||||
| `certificate.existingSecret.secretName` | Name of the secret containing the TLS certificate and private key. | `""` |
|
||||
| `certificate.new.annotations` | Additional certificate annotations. | `{}` |
|
||||
| `certificate.new.labels` | Additional certificate labels. | `{}` |
|
||||
| `certificate.new.duration` | Duration of the TLS certificate. | `744h` |
|
||||
| `certificate.new.renewBefore` | Renew TLS certificate before expiring. | `672h` |
|
||||
| `certificate.new.dnsNames` | Overwrites the default of the subject alternative DNS names. | `[]` |
|
||||
| `certificate.new.ipAddresses` | Overwrites the default of the subject alternative IP addresses. | `[]` |
|
||||
| `certificate.new.issuerRef.kind` | Issuer kind. Can be `Issuer` or `ClusterIssuer`. | `""` |
|
||||
| `certificate.new.issuerRef.name` | Name of the `Issuer` or `ClusterIssuer`. | `""` |
|
||||
| `certificate.new.privateKey.algorithm` | Algorithm of the private TLS key. | `RSA` |
|
||||
| `certificate.new.privateKey.rotationPolicy` | Rotation of the private TLS key. | `Never` |
|
||||
| `certificate.new.privateKey.size` | Size of the private TLS key. | `4096` |
|
||||
| `certificate.new.secretTemplate.annotations` | Additional annotation of the created secret. | `{}` |
|
||||
| `certificate.new.secretTemplate.labels` | Additional labels of the created secret. | `{}` |
|
||||
| `certificate.new.subject.countries` | List of countries. | `[]` |
|
||||
| `certificate.new.subject.localities` | List of localities. | `[]` |
|
||||
| `certificate.new.subject.organizationalUnits` | List of organizationalUnits. | `[]` |
|
||||
| `certificate.new.subject.organizations` | List of organizations. | `[]` |
|
||||
| `certificate.new.subject.postalCodes` | List of postalCodes. | `[]` |
|
||||
| `certificate.new.subject.provinces` | List of provinces. | `[]` |
|
||||
| `certificate.new.subject.serialNumber` | Serial number. | `""` |
|
||||
| `certificate.new.subject.streetAddresses` | List of streetAddresses. | `[]` |
|
||||
| `certificate.new.usages` | Define the usage of the TLS key. | `["client auth","server auth"]` |
|
||||
|
||||
### Configuration
|
||||
|
||||
| Name | Description | Value |
|
||||
@@ -257,7 +287,7 @@ annotations with the prefix `checksum`.
|
||||
| `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod. | `60` |
|
||||
| `deployment.tolerations` | Tolerations of the athens-proxy deployment. | `[]` |
|
||||
| `deployment.topologySpreadConstraints` | TopologySpreadConstraints of the athens-proxy deployment. | `[]` |
|
||||
| `deployment.volumes` | Additional volumes to mount into the pods of the prometheus-exporter deployment. | `[]` |
|
||||
| `deployment.volumes` | Additional volumes to mount into the pods of the athens-proxy deployment. | `[]` |
|
||||
|
||||
### Horizontal Pod Autoscaler (HPA)
|
||||
|
||||
@@ -292,9 +322,15 @@ annotations with the prefix `checksum`.
|
||||
| `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` |
|
||||
| `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` |
|
||||
| `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` |
|
||||
| `persistence.data.persistentVolumeClaim.storageClass` | Storage class of the persistent volume claim. | `""` |
|
||||
| `persistence.data.persistentVolumeClaim.storageClassName` | Storage class of the persistent volume claim. | `""` |
|
||||
| `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. | `5Gi` |
|
||||
|
||||
### Network
|
||||
|
||||
| Name | Description | Value |
|
||||
| --------------- | ------------------------------------------------------------------------ | --------------- |
|
||||
| `clusterDomain` | Domain of the Cluster. Domain is part of internally issued certificates. | `cluster.local` |
|
||||
|
||||
### Network Policy
|
||||
|
||||
| Name | Description | Value |
|
||||
|
||||
25
templates/_certificate.tpl
Normal file
25
templates/_certificate.tpl
Normal file
@@ -0,0 +1,25 @@
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/* annotations */}}
|
||||
|
||||
{{- define "athens-proxy.certificates.server.annotations" -}}
|
||||
{{ include "athens-proxy.annotations" . }}
|
||||
{{- if .Values.certificate.new.annotations }}
|
||||
{{ toYaml .Values.certificate.new.annotations }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* labels */}}
|
||||
|
||||
{{- define "athens-proxy.certificates.server.labels" -}}
|
||||
{{ include "athens-proxy.labels" . }}
|
||||
{{- if .Values.certificate.new.labels }}
|
||||
{{ toYaml .Values.certificate.new.labels }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* names */}}
|
||||
|
||||
{{- define "athens-proxy.certificates.server.name" -}}
|
||||
{{ include "athens-proxy.fullname" . }}-tls
|
||||
{{- end -}}
|
||||
@@ -26,6 +26,13 @@
|
||||
{{- $env = concat $env (list (dict "name" "GOMAXPROCS" "valueFrom" (dict "resourceFieldRef" (dict "divisor" "1" "resource" "limits.cpu")))) }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.certificate.enabled }}
|
||||
{{- $env = concat $env (list
|
||||
(dict "name" "ATHENS_TLSCERT_FILE" "value" "/etc/athens-proxy/tls/tls.crt")
|
||||
(dict "name" "ATHENS_TLSKEY_FILE" "value" "/etc/athens-proxy/tls/tls.key")
|
||||
) }}
|
||||
{{- end }}
|
||||
|
||||
{{ toYaml (dict "env" $env) }}
|
||||
|
||||
{{- end -}}
|
||||
@@ -124,6 +131,12 @@
|
||||
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/* volumeMounts (tls) */}}
|
||||
{{- if .Values.certificate.enabled }}
|
||||
{{- $volumeMounts = concat $volumeMounts (list (dict "name" "tls" "mountPath" "/etc/athens-proxy/tls" )) }}
|
||||
{{- end }}
|
||||
|
||||
{{ toYaml (dict "volumeMounts" $volumeMounts) }}
|
||||
{{- end -}}
|
||||
|
||||
@@ -252,5 +265,15 @@
|
||||
{{- $volumes = concat $volumes (list $projectedSecretVolume) }}
|
||||
{{- end }}
|
||||
|
||||
{{/* volumes (tls) */}}
|
||||
{{- if .Values.certificate.enabled }}
|
||||
{{- $secretName := include "athens-proxy.certificates.server.name" $ }}
|
||||
{{- if .Values.certificate.existingSecret.enabled }}
|
||||
{{- $secretName := .Values.certificate.existingSecret.secretName }}
|
||||
{{- end }}
|
||||
{{- $volumes = concat $volumes (list (dict "name" "tls" "secret" (dict "secretName" $secretName))) }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{ toYaml (dict "volumes" $volumes) }}
|
||||
{{- end -}}
|
||||
87
templates/certificate.yaml
Normal file
87
templates/certificate.yaml
Normal file
@@ -0,0 +1,87 @@
|
||||
{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) -}}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
{{- with (include "athens-proxy.certificates.server.annotations" . | fromYaml) }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with (include "athens-proxy.certificates.server.labels" . | fromYaml) }}
|
||||
labels:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
name: {{ include "athens-proxy.certificates.server.name" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
commonName: {{ include "athens-proxy.fullname" . }}
|
||||
{{- if empty .Values.certificate.new.dnsNames }}
|
||||
dnsNames:
|
||||
- {{ include "athens-proxy.fullname" . }}
|
||||
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}
|
||||
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
|
||||
- {{ include "athens-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
|
||||
{{- else }}
|
||||
dnsNames:
|
||||
{{- range .Values.certificate.new.dnsNames }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
duration: {{ .Values.certificate.new.duration }}
|
||||
{{- if not (empty .Values.certificate.new.ipAddresses) }}
|
||||
ipAddresses:
|
||||
{{- range .Values.certificate.new.ipAddresses }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
isCA: false
|
||||
issuerRef:
|
||||
kind: {{ required "No certificate issuer kind defined!" .Values.certificate.new.issuerRef.kind }}
|
||||
name: {{ required "No certificate issuer name defined!" .Values.certificate.new.issuerRef.name }}
|
||||
privateKey:
|
||||
algorithm: {{ .Values.certificate.new.privateKey.algorithm }}
|
||||
rotationPolicy: {{ .Values.certificate.new.privateKey.rotationPolicy }}
|
||||
size: {{ .Values.certificate.new.privateKey.size }}
|
||||
renewBefore: {{ .Values.certificate.new.renewBefore }}
|
||||
secretName: {{ include "athens-proxy.certificates.server.name" . }}
|
||||
{{- with .Values.certificate.new.secretTemplate }}
|
||||
secretTemplate:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
subject:
|
||||
{{- with .Values.certificate.new.subject.countries }}
|
||||
countries:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.certificate.new.subject.localities }}
|
||||
localities:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.certificate.new.subject.organizationalUnits }}
|
||||
organizationalUnits:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.certificate.new.subject.organizations }}
|
||||
organizations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.certificate.new.subject.postalCodes }}
|
||||
postalCodes:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.certificate.new.subject.provinces }}
|
||||
provinces:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.certificate.new.subject.serialNumber }}
|
||||
serialNumber: {{ .Values.certificate.new.subject.serialNumber }}
|
||||
{{- end }}
|
||||
{{- with .Values.certificate.new.subject.streetAddresses }}
|
||||
streetAddresses:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
usages:
|
||||
{{- range .Values.certificate.new.usages }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -50,16 +50,24 @@ spec:
|
||||
image: {{ include "athens-proxy.deployment.images.athens-proxy.fqin" . | quote }}
|
||||
imagePullPolicy: {{ .Values.deployment.athensProxy.image.pullPolicy }}
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: http
|
||||
exec:
|
||||
{{- if not .Values.certificate.enabled }}
|
||||
command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
|
||||
{{- else }}
|
||||
command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
|
||||
{{- end }}
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 60
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 3
|
||||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: http
|
||||
exec:
|
||||
{{- if not .Values.certificate.enabled }}
|
||||
command: [ "wget", "-T", "3", "-O", "/dev/null", "http://localhost:3000" ]
|
||||
{{- else }}
|
||||
command: [ "wget", "--no-check-certificate", "-T", "3", "-O", "/dev/null", "https://localhost:3000" ]
|
||||
{{- end }}
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 15
|
||||
|
||||
300
unittests/certificates/certificate.yaml
Normal file
300
unittests/certificates/certificate.yaml
Normal file
@@ -0,0 +1,300 @@
|
||||
chart:
|
||||
appVersion: 0.1.0
|
||||
version: 0.1.0
|
||||
suite: Certificate athens-proxy template
|
||||
release:
|
||||
name: athens-proxy-unittest
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/certificate.yaml
|
||||
tests:
|
||||
- it: Skip rendering by default.
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: Skip rendering for existing certificate
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.existingSecret.enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: Throw error when issuerKind and IssuerName is not defined
|
||||
set:
|
||||
certificate.enabled: true
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "No certificate issuer kind defined!"
|
||||
|
||||
- it: Throw error when issuerKind and IssuerName is not defined
|
||||
set:
|
||||
certificate.enabled: true
|
||||
asserts:
|
||||
- failedTemplate: {}
|
||||
|
||||
- it: Throw error when issuerKind not defined
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.name: "my-issuer"
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "No certificate issuer kind defined!"
|
||||
|
||||
- it: Throw error when issuerName not defined
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: "ClusterIssuer"
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "No certificate issuer name defined!"
|
||||
|
||||
- it: Rendering Certificate object when certificate.enabled=true (default)
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
name: athens-proxy-unittest-tls
|
||||
namespace: testing
|
||||
- equal:
|
||||
path: spec.commonName
|
||||
value: athens-proxy-unittest
|
||||
- equal:
|
||||
path: spec.duration
|
||||
value: 744h
|
||||
- equal:
|
||||
path: spec.dnsNames
|
||||
value: [ "athens-proxy-unittest", "athens-proxy-unittest.testing", "athens-proxy-unittest.testing.svc", "athens-proxy-unittest.testing.svc.cluster.local" ]
|
||||
- notExists:
|
||||
path: spec.ipAddresses
|
||||
- equal:
|
||||
path: spec.isCA
|
||||
value: false
|
||||
- equal:
|
||||
path: spec.issuerRef.kind
|
||||
value: ClusterIssuer
|
||||
- equal:
|
||||
path: spec.issuerRef.name
|
||||
value: my-issuer
|
||||
- equal:
|
||||
path: spec.privateKey.algorithm
|
||||
value: RSA
|
||||
- equal:
|
||||
path: spec.privateKey.size
|
||||
value: 4096
|
||||
- equal:
|
||||
path: spec.privateKey.rotationPolicy
|
||||
value: Never
|
||||
- equal:
|
||||
path: spec.secretName
|
||||
value: athens-proxy-unittest-tls
|
||||
- exists:
|
||||
path: spec.secretTemplate.annotations
|
||||
- exists:
|
||||
path: spec.secretTemplate.labels
|
||||
- exists:
|
||||
path: spec.subject
|
||||
- notExists:
|
||||
path: spec.subject.countries
|
||||
- notExists:
|
||||
path: spec.subject.localities
|
||||
- notExists:
|
||||
path: spec.subject.organizationalUnits
|
||||
- notExists:
|
||||
path: spec.subject.organizations
|
||||
- notExists:
|
||||
path: spec.subject.postalCodes
|
||||
- notExists:
|
||||
path: spec.subject.provinces
|
||||
- notExists:
|
||||
path: spec.subject.serialNumber
|
||||
- notExists:
|
||||
path: spec.subject.streetAddresses
|
||||
- equal:
|
||||
path: spec.renewBefore
|
||||
value: 672h
|
||||
- equal:
|
||||
path: spec.usages
|
||||
value: [ "client auth", "server auth" ]
|
||||
|
||||
# metadata.annotations
|
||||
- it: Rendering Certificate object with additional annotations and labels
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.annotations:
|
||||
foo: bar
|
||||
certificate.new.labels:
|
||||
bar: foo
|
||||
asserts:
|
||||
- isSubset:
|
||||
path: metadata.annotations
|
||||
content:
|
||||
foo: bar
|
||||
- isSubset:
|
||||
path: metadata.labels
|
||||
content:
|
||||
bar: foo
|
||||
|
||||
# spec.duration
|
||||
- it: Rendering Certificate object with custom `.Values.certificate.new.duration`.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.duration: 3000h
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.duration
|
||||
value: 3000h
|
||||
|
||||
# spec.dnsNames
|
||||
- it: Rendering Certificate object with custom `.Values.certificate.new.dnsNames`.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.dnsNames: [ "app", "app.example.local" ]
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.dnsNames
|
||||
value: [ "app", "app.example.local" ]
|
||||
|
||||
# spec.dnsNames
|
||||
- it: Rendering Certificate object with custom `.Values.clusterDomain` as domain.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
clusterDomain: k8s.example.local
|
||||
asserts:
|
||||
- contains:
|
||||
path: spec.dnsNames
|
||||
content:
|
||||
athens-proxy-unittest.testing.svc.k8s.example.local
|
||||
count: 1
|
||||
|
||||
# spec.ipAddresses
|
||||
- it: RRendering Certificate object with custom `.Values.certificate.new.ipAddresses`.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.ipAddresses: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.ipAddresses
|
||||
value: [ "10.11.12.13", "fe00:xxyy:xxyy" ]
|
||||
|
||||
# spec.privateKey
|
||||
- it: Rendering Certificate object with custom `.Values.certificate.new.privateKey` values.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.privateKey.algorithm: ED25519
|
||||
certificate.new.privateKey.rotationPolicy: Never
|
||||
certificate.new.privateKey.size: 512
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.privateKey.algorithm
|
||||
value: ED25519
|
||||
- equal:
|
||||
path: spec.privateKey.rotationPolicy
|
||||
value: Never
|
||||
- equal:
|
||||
path: spec.privateKey.size
|
||||
value: 512
|
||||
|
||||
# spec.renewBefore
|
||||
- it: Rendering Certificate object with custom `.Values.certificate.new.renewBefore`.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.renewBefore: 2000h
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.renewBefore
|
||||
value: 2000h
|
||||
|
||||
# spec.secretTemplate
|
||||
- it: Rendering Certificate object with custom `.Values.certificate.new.secretTemplate` values.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.secretTemplate:
|
||||
annotations:
|
||||
foo: bar
|
||||
labels:
|
||||
bar: foo
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.secretTemplate.annotations
|
||||
value:
|
||||
foo: bar
|
||||
- equal:
|
||||
path: spec.secretTemplate.labels
|
||||
value:
|
||||
bar: foo
|
||||
|
||||
# spec.secretTemplate
|
||||
- it: Rendering Certificate object with custom `.Values.certificate.new.subject` values.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.subject.countries: [ "Country" ]
|
||||
certificate.new.subject.localities: [ "City" ]
|
||||
certificate.new.subject.organizationalUnits: [ "IT department" ]
|
||||
certificate.new.subject.organizations: [ "My organization" ]
|
||||
certificate.new.subject.postalCodes: [ "AB12345", "12345AB" ]
|
||||
certificate.new.subject.provinces: [ "Provinces" ]
|
||||
certificate.new.subject.serialNumber: "MyNumber"
|
||||
certificate.new.subject.streetAddresses: [ "ExampleStreet 1", "StreetExample 2" ]
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.subject.countries
|
||||
value: [ "Country" ]
|
||||
- equal:
|
||||
path: spec.subject.localities
|
||||
value: [ "City" ]
|
||||
- equal:
|
||||
path: spec.subject.organizationalUnits
|
||||
value: [ "IT department" ]
|
||||
- equal:
|
||||
path: spec.subject.organizations
|
||||
value: [ "My organization" ]
|
||||
- equal:
|
||||
path: spec.subject.postalCodes
|
||||
value: [ "AB12345", "12345AB" ]
|
||||
- equal:
|
||||
path: spec.subject.provinces
|
||||
value: [ "Provinces" ]
|
||||
- equal:
|
||||
path: spec.subject.serialNumber
|
||||
value: "MyNumber"
|
||||
- equal:
|
||||
path: spec.subject.streetAddresses
|
||||
value: [ "ExampleStreet 1", "StreetExample 2" ]
|
||||
|
||||
# spec.usages
|
||||
- it: Rendering Certificate object with custom `.Values.certificate.new.usages`.
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: my-issuer
|
||||
certificate.new.usages: [ "client auth" ]
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.usages
|
||||
value: [ "client auth" ]
|
||||
73
unittests/deployment/certificate.yaml
Normal file
73
unittests/deployment/certificate.yaml
Normal file
@@ -0,0 +1,73 @@
|
||||
chart:
|
||||
appVersion: 0.1.0
|
||||
version: 0.1.0
|
||||
suite: Deployment template
|
||||
release:
|
||||
name: athens-proxy-unittest
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/configMapDownloadMode.yaml
|
||||
- templates/configMapGitConfig.yaml
|
||||
- templates/deployment.yaml
|
||||
- templates/secretNetRC.yaml
|
||||
- templates/secretSSH.yaml
|
||||
tests:
|
||||
- it: Rendering default without tls config
|
||||
asserts:
|
||||
- notContains:
|
||||
path: spec.template.spec.containers[0].env
|
||||
content:
|
||||
name: ATHENS_TLSCERT_FILE
|
||||
value: /etc/athens-proxy/tls/tls.crt
|
||||
template: templates/deployment.yaml
|
||||
- notContains:
|
||||
path: spec.template.spec.containers[0].env
|
||||
content:
|
||||
name: ATHENS_TLSKEY_FILE
|
||||
value: /etc/athens-proxy/tls/tls.key
|
||||
template: templates/deployment.yaml
|
||||
- notContains:
|
||||
path: spec.template.spec.containers[0].volumeMounts
|
||||
content:
|
||||
name: tls
|
||||
mountPath: /etc/athens-proxy/tls
|
||||
template: templates/deployment.yaml
|
||||
- notContains:
|
||||
path: spec.template.spec.volumes
|
||||
content:
|
||||
name: tls
|
||||
secretRef:
|
||||
name: athens-proxy-unittest-tls
|
||||
template: templates/deployment.yaml
|
||||
|
||||
- it: Rendering with tls config
|
||||
set:
|
||||
certificate.enabled: true
|
||||
certificate.new.issuerRef.kind: ClusterIssuer
|
||||
certificate.new.issuerRef.name: MyIssuer
|
||||
asserts:
|
||||
- contains:
|
||||
path: spec.template.spec.containers[0].env
|
||||
content:
|
||||
name: ATHENS_TLSCERT_FILE
|
||||
value: /etc/athens-proxy/tls/tls.crt
|
||||
template: templates/deployment.yaml
|
||||
- contains:
|
||||
path: spec.template.spec.containers[0].env
|
||||
content:
|
||||
name: ATHENS_TLSKEY_FILE
|
||||
value: /etc/athens-proxy/tls/tls.key
|
||||
template: templates/deployment.yaml
|
||||
- contains:
|
||||
path: spec.template.spec.containers[0].volumeMounts
|
||||
content:
|
||||
name: tls
|
||||
mountPath: /etc/athens-proxy/tls
|
||||
template: templates/deployment.yaml
|
||||
- contains:
|
||||
path: spec.template.spec.volumes
|
||||
content:
|
||||
name: tls
|
||||
secret:
|
||||
secretName: athens-proxy-unittest-tls
|
||||
template: templates/deployment.yaml
|
||||
94
values.yaml
94
values.yaml
@@ -5,6 +5,77 @@
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
## @section Certificate
|
||||
certificate:
|
||||
## @param certificate.enabled Issue a TLS certificate via cert-manager. If enabled, the environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` will be automatically added.
|
||||
enabled: false
|
||||
|
||||
## @param certificate.existingSecret.enabled Use an existing secret of the type `kubernetes.io/tls`.
|
||||
## @param certificate.existingSecret.secretName Name of the secret containing the TLS certificate and private key.
|
||||
existingSecret:
|
||||
enabled: false
|
||||
secretName: ""
|
||||
|
||||
## @param certificate.new.annotations Additional certificate annotations.
|
||||
## @param certificate.new.labels Additional certificate labels.
|
||||
## @param certificate.new.duration Duration of the TLS certificate.
|
||||
## @param certificate.new.renewBefore Renew TLS certificate before expiring.
|
||||
## @param certificate.new.dnsNames Overwrites the default of the subject alternative DNS names.
|
||||
## @param certificate.new.ipAddresses Overwrites the default of the subject alternative IP addresses.
|
||||
## @param certificate.new.issuerRef.kind Issuer kind. Can be `Issuer` or `ClusterIssuer`.
|
||||
## @param certificate.new.issuerRef.name Name of the `Issuer` or `ClusterIssuer`.
|
||||
## @param certificate.new.privateKey.algorithm Algorithm of the private TLS key.
|
||||
## @param certificate.new.privateKey.rotationPolicy Rotation of the private TLS key.
|
||||
## @param certificate.new.privateKey.size Size of the private TLS key.
|
||||
## @param certificate.new.secretTemplate.annotations Additional annotation of the created secret.
|
||||
## @param certificate.new.secretTemplate.labels Additional labels of the created secret.
|
||||
## @param certificate.new.subject.countries List of countries.
|
||||
## @param certificate.new.subject.localities List of localities.
|
||||
## @param certificate.new.subject.organizationalUnits List of organizationalUnits.
|
||||
## @param certificate.new.subject.organizations List of organizations.
|
||||
## @param certificate.new.subject.postalCodes List of postalCodes.
|
||||
## @param certificate.new.subject.provinces List of provinces.
|
||||
## @param certificate.new.subject.serialNumber Serial number.
|
||||
## @param certificate.new.subject.streetAddresses List of streetAddresses.
|
||||
## @param certificate.new.usages Define the usage of the TLS key.
|
||||
new:
|
||||
annotations: {}
|
||||
labels: {}
|
||||
duration: "744h" # 31 days
|
||||
renewBefore: "672h" # 28 days
|
||||
dnsNames: []
|
||||
# The following DNS names are already part of the SAN's and serves only as example.
|
||||
# - "athens-proxy"
|
||||
# - "athens-proxy.svc"
|
||||
# - "athens-proxy.svc.namespace"
|
||||
# - "athens-proxy.svc.namespace.cluster.local"
|
||||
ipAddresses: []
|
||||
# The following IP addresses serves only as example.
|
||||
# - "10.92.1.10"
|
||||
# - "2001:0db8:85a3:08d3:1319:8a2e:0370:7344"
|
||||
issuerRef:
|
||||
kind: ""
|
||||
name: ""
|
||||
privateKey:
|
||||
algorithm: "RSA"
|
||||
rotationPolicy: "Never"
|
||||
size: 4096
|
||||
secretTemplate:
|
||||
annotations: {}
|
||||
labels: {}
|
||||
subject:
|
||||
countries: []
|
||||
localities: []
|
||||
organizationalUnits: []
|
||||
organizations: []
|
||||
postalCodes: []
|
||||
provinces: []
|
||||
serialNumber: ""
|
||||
streetAddresses: []
|
||||
usages:
|
||||
- "client auth"
|
||||
- "server auth"
|
||||
|
||||
## @section Configuration
|
||||
config:
|
||||
env:
|
||||
@@ -78,8 +149,6 @@ config:
|
||||
# ATHENS_STORAGE_GCP_JSON_KEY:
|
||||
# ATHENS_SUM_DBS:
|
||||
# ATHENS_TIMEOUT:
|
||||
# ATHENS_TLSCERT_FILE:
|
||||
# ATHENS_TLSKEY_FILE:
|
||||
# ATHENS_TRACE_EXPORTER_URL:
|
||||
# ATHENS_TRACE_EXPORTER:
|
||||
# AWS_ACCESS_KEY_ID:
|
||||
@@ -404,9 +473,9 @@ deployment:
|
||||
# whenUnsatisfiable: DoNotSchedule
|
||||
# labelSelector:
|
||||
# matchLabels:
|
||||
# app.kubernetes.io/instance: prometheus-athens-proxy
|
||||
# app.kubernetes.io/instance: athens-proxy
|
||||
|
||||
## @param deployment.volumes Additional volumes to mount into the pods of the prometheus-exporter deployment.
|
||||
## @param deployment.volumes Additional volumes to mount into the pods of the athens-proxy deployment.
|
||||
volumes: []
|
||||
# - name: my-configmap-volume
|
||||
# config:
|
||||
@@ -490,16 +559,20 @@ persistence:
|
||||
## @param persistence.data.persistentVolumeClaim.annotations Additional persistent volume claim annotations.
|
||||
## @param persistence.data.persistentVolumeClaim.labels Additional persistent volume claim labels.
|
||||
## @param persistence.data.persistentVolumeClaim.accessModes Access modes of the persistent volume claim.
|
||||
## @param persistence.data.persistentVolumeClaim.storageClass Storage class of the persistent volume claim.
|
||||
## @param persistence.data.persistentVolumeClaim.storageClassName Storage class of the persistent volume claim.
|
||||
## @param persistence.data.persistentVolumeClaim.storageSize Size of the persistent volume claim.
|
||||
persistentVolumeClaim:
|
||||
annotations: {}
|
||||
labels: {}
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClass: ""
|
||||
storageClassName: ""
|
||||
storageSize: "5Gi"
|
||||
|
||||
## @section Network
|
||||
## @param clusterDomain Domain of the Cluster. Domain is part of internally issued certificates.
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
## @section Network Policy
|
||||
networkPolicy:
|
||||
## @param networkPolicy.enabled Enable network policies in general.
|
||||
@@ -517,13 +590,10 @@ networkPolicy:
|
||||
# - Egress
|
||||
# - Ingress
|
||||
egress: []
|
||||
# Allow outgoing traffic to database host
|
||||
# Allow outgoing HTTPS traffic to external go module servers
|
||||
#
|
||||
# - to:
|
||||
# - ipBlock:
|
||||
# cidr: 192.168.179.1/32
|
||||
# ports:
|
||||
# - port: 5432
|
||||
# - ports:
|
||||
# - port: 443
|
||||
# protocol: TCP
|
||||
|
||||
# Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
|
||||
|
||||
Reference in New Issue
Block a user