Add option for custom certificates

suse-edge · Nov 27, 2023 · 83d9295 · 83d9295
1 parent 7dc75c8
commit 83d9295
Show file tree

Hide file tree

Showing 14 changed files with 62 additions and 15 deletions.
diff --git a/assets/metal3/metal3-0.1.0.tgz b/assets/metal3/metal3-0.1.0.tgz
diff --git a/assets/metal3/metal3-0.2.0.tgz b/assets/metal3/metal3-0.2.0.tgz
diff --git a/charts/metal3/0.1.0/charts/ironic/templates/configmap.yaml b/charts/metal3/0.1.0/charts/ironic/templates/configmap.yaml
@@ -36,7 +36,6 @@ data:
   {{ end }}
   IRONIC_API_BASE_URL: {{ $protocol }}://{{ $ironicApiHost }}
   IRONIC_API_HOST: {{ $ironicApiHost }}
-  IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ .Values.global.ironicIP }}:6180
   IRONIC_API_HTTPD_SERVER_NAME: {{ $ironicApiHost }}
   IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }}
   IRONIC_ENDPOINT: {{ $protocol }}://{{ $ironicApiHost }}/v1/
@@ -59,8 +58,14 @@ data:
   IRONIC_REVERSE_PROXY_SETUP: "false"
   IRONIC_USE_MARIADB: "true"
   LISTEN_ALL_INTERFACES: "true"
+  {{- if  ( .Values.global.enable_tls ) }}
+  RESTART_CONTAINER_CERTIFICATE_UPDATED: "true"
+  IRONIC_KERNEL_PARAMS: console=ttyS0 suse.cafile={{ $protocol }}://{{ $ironicBootHost }}/tstcerts/ca.crt
+  IPA_INSECURE: "0"
+  {{- else }}
   RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
   IRONIC_KERNEL_PARAMS: console=ttyS0
   IPA_INSECURE: "1"
+  {{- end }}
   DATABASE_HOST: {{ .Values.global.database_clusterIP }}
   #DATABASE_HOST: "127.0.0.1"
diff --git a/charts/metal3/0.2.0/charts/ironic/templates/certificates.yaml b/charts/metal3/0.2.0/charts/ironic/templates/certificates.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enable_tls }}
+{{- if and (.Values.global.enable_ironic) (.Values.global.enable_tls) -}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

diff --git a/charts/metal3/0.2.0/charts/ironic/templates/issuers.yaml b/charts/metal3/0.2.0/charts/ironic/templates/issuers.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enable_tls }}
+{{- if and (.Values.global.enable_ironic) (.Values.global.enable_tls) -}}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:

diff --git a/charts/metal3/0.2.0/charts/ironic/templates/secret-tls.yaml b/charts/metal3/0.2.0/charts/ironic/templates/secret-tls.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.global.enable_ironic .Values.global.enable_tls
+           (ne .Values.tlscerts.crt "") 
+           (ne .Values.tlscerts.key "") 
+           (ne .Values.tlscerts.cacert "") -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ironic-cacert
+  labels:
+    {{- include "ironic.labels" . | nindent 4 }}
+type: Opaque 
+data:
+  tls.crt: {{ .Values.tlscerts.crt | toString | b64enc }}
+  tls.key: {{ .Values.tlscerts.key | toString | b64enc }}
+  ca.crt: {{ .Values.tlscerts.cacert | toString | b64enc }}  
+{{- end }}
diff --git a/charts/metal3/0.2.0/charts/ironic/values.yaml b/charts/metal3/0.2.0/charts/ironic/values.yaml
@@ -125,7 +125,10 @@ baremetaloperator:
 debug:
   ironicRamdiskSshKey: ""
 
-tlscerts: {}
+tlscerts:
+  cacert: ""
+  key: ""
+  crt: ""
 
 persistence:
   ironic:

diff --git a/charts/metal3/0.2.0/values.yaml b/charts/metal3/0.2.0/values.yaml
@@ -6,8 +6,6 @@ global:
   # IP on which the Ironic services will be exposed
   ironicIP: ""
 
-  vmediaTLSPort: 6185
-
   # whether to enable media server.
   enable_metal3_media_server: false
 
@@ -24,8 +22,12 @@ global:
   # enabled.
   enable_ironic: true
 
+  # whether to enable tls
   enable_tls: true
 
+  # Will be used when tls is enabled
+  vmediaTLSPort: 6185
+
   # IP address of the router associated with the specified DHCP
   # address range
   dnsmasqDefaultRouter: ""

diff --git a/index.yaml b/index.yaml
@@ -66,7 +66,7 @@ entries:
   metal3:
   - apiVersion: v2
     appVersion: 1.16.0
-    created: "2023-11-23T14:21:28.421429+02:00"
+    created: "2023-11-24T12:46:10.349158+02:00"
     dependencies:
     - alias: metal3-baremetal-operator
       name: baremetal-operator
@@ -86,7 +86,7 @@ entries:
       repository: file://./charts/media
       version: 0.2.0
     description: A Helm chart that installs all of the dependencies needed for Metal3
-    digest: 5f0538f591d1f1c1832baf56c877f6dccb14a5e5272ecb211166900c17df0ca1
+    digest: e7e1c405fc02b796f5619d4ff36944f402bea1b5e7e52f90b788939c0981707a
     icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
     name: metal3
     type: application
@@ -95,7 +95,7 @@ entries:
     version: 0.2.0
   - apiVersion: v2
     appVersion: 1.16.0
-    created: "2023-10-17T12:18:02.553438+03:00"
+    created: "2023-11-27T16:17:13.332203+02:00"
     dependencies:
     - alias: metal3-baremetal-operator
       name: baremetal-operator
@@ -135,7 +135,7 @@ entries:
       repository: file://./charts/powerdns
       version: 0.1.0
     description: A Helm chart that installs all of the dependencies needed for Metal3
-    digest: 2795a01e9f4a943eebd692ae6ea580620b023ffbf1591a261dd257f6fe7983e6
+    digest: 5180dab1485fcb185bf71118d52191d9b67cca19bdf3f10afd5c7e7af691ad13
     icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
     name: metal3
     type: application

diff --git a/packages/ironic/charts/templates/certificates.yaml b/packages/ironic/charts/templates/certificates.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enable_tls }}
+{{- if and (.Values.global.enable_ironic) (.Values.global.enable_tls) -}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

diff --git a/packages/ironic/charts/templates/issuers.yaml b/packages/ironic/charts/templates/issuers.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enable_tls }}
+{{- if and (.Values.global.enable_ironic) (.Values.global.enable_tls) -}}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:

diff --git a/packages/ironic/charts/templates/secret-tls.yaml b/packages/ironic/charts/templates/secret-tls.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.global.enable_ironic .Values.global.enable_tls
+           (ne .Values.tlscerts.crt "") 
+           (ne .Values.tlscerts.key "") 
+           (ne .Values.tlscerts.cacert "") -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ironic-cacert
+  labels:
+    {{- include "ironic.labels" . | nindent 4 }}
+type: Opaque 
+data:
+  tls.crt: {{ .Values.tlscerts.crt | toString | b64enc }}
+  tls.key: {{ .Values.tlscerts.key | toString | b64enc }}
+  ca.crt: {{ .Values.tlscerts.cacert | toString | b64enc }}  
+{{- end }}
diff --git a/packages/ironic/charts/values.yaml b/packages/ironic/charts/values.yaml
@@ -125,7 +125,10 @@ baremetaloperator:
 debug:
   ironicRamdiskSshKey: ""
 
-tlscerts: {}
+tlscerts:
+  cacert: ""
+  key: ""
+  crt: ""
 
 persistence:
   ironic:

diff --git a/packages/metal3/charts/values.yaml b/packages/metal3/charts/values.yaml
@@ -6,8 +6,6 @@ global:
   # IP on which the Ironic services will be exposed
   ironicIP: ""
 
-  vmediaTLSPort: 6185
-
   # whether to enable media server.
   enable_metal3_media_server: false
 
@@ -24,8 +22,12 @@ global:
   # enabled.
   enable_ironic: true
 
+  # whether to enable tls
   enable_tls: true
 
+  # Will be used when tls is enabled
+  vmediaTLSPort: 6185
+
   # IP address of the router associated with the specified DHCP
   # address range
   dnsmasqDefaultRouter: ""