Existing secret support for helm chart (#267)

* Enable use of existsing secret for server key/cert * type fix * Bump chart version * defaults for crt/key, conditional changed, Readme fixed
cesanta · Dec 8, 2019 · df57cca · df57cca
1 parent 65e063b
commit df57cca
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 3 deletions.
diff --git a/chart/docker-auth/Chart.yaml b/chart/docker-auth/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.4.0"
 description: Docker Registry V2 authentication server
 name: docker-auth
-version: 1.0.0
+version: 1.0.1
 keywords:
 - docker
 - registry

diff --git a/chart/docker-auth/README.md b/chart/docker-auth/README.md
@@ -76,8 +76,11 @@ The following table lists the configurable parameters of the docker-auth chart a
 | Parameter                                                                   | Description                                                                                                                                                                                                                                                                                                                                     | Default                         |
 | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
 | **Secret**                                                             |
-| `secret.data.server.certificate`                                                               | Content of server.pem                                                                                                                                                                                                                                                                         |                        |
-| `secret.data.server.key`                                                        | Content of server.key                                                                                                                                                                                                                                                                                                                           |                           |
+| `secret.data.server.certificate`                                             | Content of server.pem  (mutually exclusive with secretName, keyName, certificateName)                                                                                                                                                                                                                                                                       |                        |
+| `secret.data.server.key`                                                     | Content of server.key  (mutually exclusive with secretName, keyName, certificateName)                                                                                                                                                                                                                                                                                                                        |                           |
+| `secret.secretName`                                                          | The name of the secret containing server key and certificate (mutually exclusive with secret.data.server.key/certificate)         | |
+| `secret.certificateFileName`                                                     | The name of the server certificate file (mutually exclusive with secret.data.server.key/certificate)                               | tls.crt |
+| `secret.keyFileName`                                                             | The name of the server key file (mutually exclusive with secret.data.server.key/certificate)                                       | tls.key |
 | **Configmap**                                                                  |
 | `configmap.data.token.issuer` | Must match issuer in the Registry config | `Acme auth server`                  |
 | `configmap.data.token.expiration`                                                     | Token Expiration                                                   | `900`                                |

diff --git a/chart/docker-auth/templates/configmap.yaml b/chart/docker-auth/templates/configmap.yaml
@@ -9,8 +9,13 @@ data:
     token:
       issuer: "{{ .Values.configmap.data.token.issuer }}"  # Must match issuer in the Registry config.
       expiration: {{ .Values.configmap.data.token.expiration }}
+{{- if .Values.secret.secretName }}
+      certificate: "/config/certs/{{ default "tls.crt" .Values.secret.certificateFileName }}"
+      key: "/config/certs/{{ default "tls.key" .Values.secret.keyFileName }}"
+{{- else }}
       certificate: "/config/certs/server.pem"
       key: "/config/certs/server.key"
+{{- end }}
     users:
       {{ .Values.configmap.data.users | toYaml | nindent 6 }}
     acl:

diff --git a/chart/docker-auth/templates/deployment.yaml b/chart/docker-auth/templates/deployment.yaml
@@ -48,7 +48,11 @@ spec:
             name: {{ include "docker-auth.name" . }}
         - name: {{ include "docker-auth.name" . }}-secret
           secret:
+{{- if .Values.secret.secretName }}
+            secretName: {{ .Values.secret.secretName }}
+{{- else }}
             secretName: {{ include "docker-auth.name" . }}
+{{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/chart/docker-auth/templates/secret.yaml b/chart/docker-auth/templates/secret.yaml
@@ -1,3 +1,5 @@
+{{- if not .Values.secret.secretName }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,3 +8,4 @@ type: Opaque
 data:
   server.pem: {{ .Values.secret.data.server.certificate | b64enc | quote }}
   server.key: {{ .Values.secret.data.server.key | b64enc | quote }}
+{{- end }}
diff --git a/chart/docker-auth/values.yaml b/chart/docker-auth/values.yaml
@@ -18,6 +18,12 @@ secret:
       key: |+
         -----BEGIN RSA PRIVATE KEY-----
         -----END RSA PRIVATE KEY-----
+# For reusing an existing secret (e.g. generated by cert-manager), define secretName, certificateFileName and keyFileName
+# These settings are mutually exclusive with the values provided in secret.data. Once secretName is set the secret
+# generated with the values above will be not be used in the deployment.
+#  secretName:
+#  certificateFileName: tls.crt
+#  keyFileName: tls.key
 configmap:
   data:
     token: