mtls support for capten agent helm chart (#59)

* Agged mtls support * Secrets creation added * Secrets creation added
kube-tarian · Feb 12, 2023 · 1333ade · 1333ade
1 parent 41469d0
commit 1333ade
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 2 deletions.
diff --git a/charts/kad/Chart.yaml b/charts/kad/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.13
+version: 0.1.14
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/kad/templates/ingress_route.yaml b/charts/kad/templates/ingress_route.yaml
@@ -14,4 +14,10 @@ spec:
     - name: kad-agent
       port: {{ .Values.service.port }}
       scheme: h2c
+{{- if .Values.ingressroute.mtls.enabled }}
+  tls:
+    options:
+      name: {{ include "kad.fullname" . }}-mtls-auth
+    secretName: {{ include "kad.fullname" . }}-server-cert
+{{- end }}
 {{- end }}
diff --git a/charts/kad/templates/rootSecret.yaml b/charts/kad/templates/rootSecret.yaml
@@ -0,0 +1,9 @@
+{{- if and .Values.ingressroute.enabled .Values.ingressroute.mtls.enabled }}
+apiVersion: v1
+data:
+  ca.crt: {{ .Values.ingressroute.mtls.caCrt }}
+kind: Secret
+metadata:
+  name: {{ include "kad.fullname" . }}-root-ca
+type: Opaque
+{{- end }}
diff --git a/charts/kad/templates/serverSecret.yaml b/charts/kad/templates/serverSecret.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.ingressroute.enabled .Values.ingressroute.mtls.enabled }}
+apiVersion: v1
+data:
+  tls.crt: {{ .Values.ingressroute.mtls.tlsCrt }}
+  tls.key: {{ .Values.ingressroute.mtls.tlsKey }}
+kind: Secret
+metadata:
+  name: {{ include "kad.fullname" . }}-server-cert
+type: kubernetes.io/tls
+{{- end }}
diff --git a/charts/kad/templates/tlsoption.yaml b/charts/kad/templates/tlsoption.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.ingressroute.enabled .Values.ingressroute.mtls.enabled }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: {{ include "kad.fullname" . }}-mtls-auth
+spec:
+  clientAuth:
+    clientAuthType: RequireAndVerifyClientCert
+    secretNames:
+    - {{ include "kad.fullname" . }}-root-ca
+  maxVersion: VersionTLS13
+  minVersion: VersionTLS12
+  sniStrict: true
+{{- end }}
diff --git a/charts/kad/values.yaml b/charts/kad/values.yaml
@@ -39,6 +39,11 @@ service:
 
 ingressroute:
   enabled: true
+  mtls:
+    enabled: false
+    caCrt: ""
+    tlsCrt: ""
+    tlsKey: ""
   host: "captenagent.dev.optimizor.app"
 
 ingress:
@@ -96,4 +101,4 @@ cassandra:
   secretName: "temporal-default-store"
   serviceURL: "temporal-cassandra"
   keyspaceName: "capten"
-  tableName: "tools"
+  tableName: "tools"