This is an automated email from the ASF dual-hosted git repository.
juzhiyuan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new f2a273f feat: add certs for decoupled-mode (#464)
f2a273f is described below
commit f2a273fcbefd69da7de70dbb84b7d04cff342267
Author: Jintao Zhang <[email protected]>
AuthorDate: Wed Feb 8 15:37:55 2023 +0800
feat: add certs for decoupled-mode (#464)
Signed-off-by: Jintao Zhang <[email protected]>
---
charts/apisix/README.md | 9 +++++++--
charts/apisix/templates/_pod.tpl | 26 ++++++++++++++++++++++++--
charts/apisix/templates/configmap.yaml | 16 ++++++++++++++--
charts/apisix/values.yaml | 16 ++++++++++++++--
4 files changed, 59 insertions(+), 8 deletions(-)
diff --git a/charts/apisix/README.md b/charts/apisix/README.md
index 515594d..a12df56 100644
--- a/charts/apisix/README.md
+++ b/charts/apisix/README.md
@@ -101,11 +101,16 @@ The command removes all the Kubernetes components
associated with the chart and
| customPlugins.plugins[0].configMap | object |
`{"mounts":[{"key":"","path":""},{"key":"","path":""}],"name":""}` | plugin
codes can be saved inside configmap object. |
| customPlugins.plugins[0].configMap.mounts | list |
`[{"key":"","path":""},{"key":"","path":""}]` | since keys in configmap is
flat, mountPath allows to define the mount path, so that plugin codes can be
mounted hierarchically. |
| customPlugins.plugins[0].configMap.name | string | `""` | name of configmap.
|
-| deployment.controlPlane | object |
`{"cert":"","certKey":"","certsSecret":"","clientCACert":"","confServerPort":"9280"}`
| used for control_plane deployment mode |
+| deployment.certs | object |
`{"cert":"","cert_key":"","certsSecret":"","mTLSCACert":"","mTLSCACertSecret":""}`
| certs used for certificates in decoupled mode |
+| deployment.certs.cert | string | `""` | cert name in certsSecret |
+| deployment.certs.cert_key | string | `""` | cert key in certsSecret |
+| deployment.certs.certsSecret | string | `""` | secret name used for
decoupled mode |
+| deployment.certs.mTLSCACert | string | `""` | mTLS CA cert filename in
mTLSCACertSecret |
+| deployment.certs.mTLSCACertSecret | string | `""` | trusted_ca_cert name in
certsSecret |
+| deployment.controlPlane | object |
`{"cert":"","certKey":"","certsSecret":"","confServerPort":"9280"}` | used for
control_plane deployment mode |
| deployment.controlPlane.cert | string | `""` | conf Server CA cert name in
certsSecret |
| deployment.controlPlane.certKey | string | `""` | conf Server cert key name
in certsSecret |
| deployment.controlPlane.certsSecret | string | `""` | secret name used by
conf Server |
-| deployment.controlPlane.clientCACert | string | `""` | conf Server mTLS cert
name in certsSecret |
| deployment.controlPlane.confServerPort | string | `"9280"` | conf Server
address |
| deployment.dataPlane | object |
`{"controlPlane":{"host":[],"prefix":"/apisix","timeout":30}}` | used for
data_plane deployment mode |
| deployment.dataPlane.controlPlane.host | list | `[]` | The hosts of the
control_plane used by the data_plane |
diff --git a/charts/apisix/templates/_pod.tpl b/charts/apisix/templates/_pod.tpl
index 9561fc6..4f816b3 100644
--- a/charts/apisix/templates/_pod.tpl
+++ b/charts/apisix/templates/_pod.tpl
@@ -112,11 +112,21 @@ spec:
subPath: {{ .Values.gateway.tls.certCAFilename }}
{{- end }}
- {{- if eq .Values.deployment.role "control_plane" }}
+ {{- if and (eq .Values.deployment.role "control_plane")
.Values.deployment.controlPlane.certsSecret }}
- mountPath: /conf-server-ssl
name: conf-server-ssl
{{- end }}
+ {{- if and (eq .Values.deployment.mode "decoupled")
.Values.deployment.certs.mTLSCACertSecret }}
+ - mountPath: /conf-ca-ssl
+ name: conf-ca-ssl
+ {{- end }}
+
+ {{- if and (eq .Values.deployment.mode "decoupled")
.Values.deployment.certs.certsSecret }}
+ - mountPath: /conf-client-ssl
+ name: conf-client-ssl
+ {{- end }}
+
{{- if .Values.etcd.auth.tls.enabled }}
- mountPath: /etcd-ssl
name: etcd-ssl
@@ -174,11 +184,23 @@ spec:
secretName: {{ .Values.etcd.auth.tls.existingSecret | quote }}
name: etcd-ssl
{{- end }}
- {{- if eq .Values.deployment.role "control_plane" }}
+ {{- if and (eq .Values.deployment.role "control_plane")
.Values.deployment.controlPlane.certsSecret }}
- secret:
secretName: {{ .Values.deployment.controlPlane.certsSecret | quote }}
name: conf-server-ssl
{{- end }}
+
+ {{- if and (eq .Values.deployment.mode "decoupled")
.Values.deployment.certs.mTLSCACertSecret }}
+ - secret:
+ secretName: {{ .Values.deployment.certs.mTLSCACertSecret | quote }}
+ name: conf-ca-ssl
+ {{- end }}
+
+ {{- if and (eq .Values.deployment.mode "decoupled")
.Values.deployment.certs.certsSecret }}
+ - secret:
+ secretName: {{ .Values.deployment.certs.certsSecret | quote }}
+ name: conf-client-ssl
+ {{- end }}
{{- if .Values.apisix.setIDFromPodUID }}
- downwardAPI:
items:
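Review bot: The new `conf-client-ssl` secret volume carries the private key referenced by `deployment.certs.cert_key`, and it is projected with the Kubernetes default file mode (0644 unless `defaultMode` is set), the same as the existing `conf-server-ssl` and `etcd-ssl` volumes above it. A more restrictive mode on the two new `secret:` entries, e.g. `defaultMode: 0440` under `secret:`, keeps the key readable only by the owning user/group inside the container; whether the APISIX process can still read it then depends on the pod's securityContext (runAsUser/fsGroup), which is outside this hunk, so confirm against the chart's defaults before adding it. Applying the same mode to `conf-server-ssl` would be consistent but is a separate change from this commit.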
diff --git a/charts/apisix/templates/configmap.yaml
b/charts/apisix/templates/configmap.yaml
index 39ba9d7..b6078a2 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -267,8 +267,8 @@ data:
listen: 0.0.0.0:{{ .Values.deployment.controlPlane.confServerPort }}
cert: "/conf-server-ssl/{{ .Values.deployment.controlPlane.cert }}"
cert_key: "/conf-server-ssl/{{
.Values.deployment.controlPlane.certKey }}"
- {{- if .Values.deployment.controlPlane.clientCACert }}
- client_ca_cert: "/conf-server-ssl/{{
.Values.deployment.controlPlane.clientCACert }}"
+ {{- if .Values.deployment.certs.mTLSCACertSecret }}
+ client_ca_cert: "/conf-ca-ssl/{{ .Values.deployment.certs.mTLSCACert
}}"
{{- end }}
{{- end }}
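Review bot: The guard on the new `client_ca_cert` line tests `mTLSCACertSecret` while the path interpolates `mTLSCACert`, so a values file that sets the secret name and leaves the filename empty renders `client_ca_cert: "/conf-ca-ssl/"`, a directory rather than a PEM file, and APISIX will presumably fail at startup without pointing at the missing value. The same mismatch applies to `cert` and `cert_key` in the `certs:` block of the second hunk of this file (lines 147-148), which are guarded by `certsSecret` alone. Helm's `required` turns this into a render-time error with a clear message: `client_ca_cert: "/conf-ca-ssl/{{ required "deployment.certs.mTLSCACert must be set when mTLSCACertSecret is set" .Values.deployment.certs.mTLSCACert }}"`. The enclosing conf_server block starts outside the hunk.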
@@ -347,4 +347,16 @@ data:
prefix: {{ .Values.deployment.dataPlane.controlPlane.prefix }}
timeout: {{ .Values.deployment.dataPlane.controlPlane.timeout }}
{{- end }}
+
+ {{- if eq .Values.deployment.mode "decoupled"}}
+ {{- if .Values.deployment.certs.certsSecret }}
+ certs:
+ cert: "/conf-client-ssl/{{ .Values.deployment.certs.cert }}"
+ cert_key: "/conf-client-ssl/{{ .Values.deployment.certs.cert_key }}"
+ {{- if .Values.deployment.certs.mTLSCACertSecret }}
+ trusted_ca_cert: "/conf-ca-ssl/{{ .Values.deployment.certs.mTLSCACert
}}"
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
{{- end }}
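Review bot: The first added action, `{{- if eq .Values.deployment.mode "decoupled"}}`, lacks the space before `}}` that every other action in this hunk and in the `_pod.tpl` hunks has; it renders the same, but the inconsistency makes the line easy to misread as a different construct. Change it to `{{- if eq .Values.deployment.mode "decoupled" }}`. The blank `+` lines before and after the block sit inside the rendered config; they are harmless in YAML but the surrounding file does not otherwise pad blocks with blank lines.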
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index c7544c5..af6155a 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -191,8 +191,6 @@ deployment:
cert: ""
# -- conf Server cert key name in certsSecret
certKey: ""
- # -- conf Server mTLS cert name in certsSecret
- clientCACert: ""
# -- used for data_plane deployment mode
dataPlane:
@@ -204,6 +202,20 @@ deployment:
# -- Timeout when the data plane connects to the control plane
timeout: 30
+ # -- certs used for certificates in decoupled mode
+ certs:
+ # -- secret name used for decoupled mode
+ certsSecret: ""
+ # -- cert name in certsSecret
+ cert: ""
+ # -- cert key in certsSecret
+ cert_key: ""
+
+ # -- trusted_ca_cert name in certsSecret
+ mTLSCACertSecret: ""
+ # -- mTLS CA cert filename in mTLSCACertSecret
+ mTLSCACert: ""
+
gateway:
# -- Apache APISIX service type for user access itself
type: NodePort
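Review bot: The comment on `mTLSCACertSecret` (`# -- trusted_ca_cert name in certsSecret`) describes the wrong thing: in `_pod.tpl` this value is used as the `secretName` of its own volume (`conf-ca-ssl`), not as a key inside `certsSecret`, and the filename within that secret is `mTLSCACert`. Suggest `# -- name of the secret holding the mTLS CA certificate (mounted at /conf-ca-ssl)`; the README row for `deployment.certs.mTLSCACertSecret` (lines 45-46) repeats the same wording and needs the matching update. Separately, `cert_key` is the only snake_case key in the new block, next to `certsSecret`, `mTLSCACertSecret` and the existing `controlPlane.certKey`; since the key is new in this commit, renaming it to `certKey` (with the matching change in `configmap.yaml` and the README) would keep the values schema consistent before anyone depends on it.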