Add option to specify certificates

appuio · Jan 10, 2022 · 90a5bd8 · 90a5bd8
1 parent 4ee7c23
commit 90a5bd8
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 8 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -7,6 +7,15 @@ parameters:
     cluster_admin_impersonation:
       oidc_administrator_role: admin
 
+    apiserver:
+      apiservice:
+        insecureSkipTLSVerify: false
+        caBundle: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/apiserver-cert}"
+      tls:
+        certSecretName: control-api-tls
+        serverCert: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/apiserver-cert}"
+        serverKey: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/apiserver-key}"
+
     images:
       control-api:
         registry: ghcr.io

diff --git a/component/api-server.jsonnet b/component/api-server.jsonnet
@@ -19,6 +19,21 @@ local serviceAccount = loadManifest('service_account.yaml') {
 
 local role = loadManifest('role.yaml');
 
+local certSecret =
+  if (params.apiserver.tls.serverCert != '' && params.apiserver.tls.serverKey != '') then
+    kube.Secret(params.apiserver.tls.certSecretName) {
+      metadata+: {
+        namespace: params.namespace,
+      },
+      stringData: {
+        'tls.key': params.apiserver.tls.serverKey,
+        'tls.crt': params.apiserver.tls.serverCert,
+      },
+    }
+  else
+    null;
+
+
 local deployment = loadManifest('deployment.yaml') {
   metadata+: {
     namespace: params.namespace,
@@ -36,11 +51,32 @@ local deployment = loadManifest('deployment.yaml') {
             c
           for c in super.containers
         ],
-      },
+      } + if certSecret != null then
+        {
+          volumes: [
+            {
+              name: 'apiserver-certs',
+              secret: {
+                secretName: certSecret.metadata.name,
+              },
+            },
+          ],
+        }
+      else {},
     },
   },
 };
 
+local service = loadManifest('service.yaml') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  spec+: {
+    selector: deployment.spec.selector.matchLabels,
+  },
+};
+
+
 {
   '01_role': role,
   '01_role_binding': kube.ClusterRoleBinding(role.metadata.name) {
@@ -68,13 +104,14 @@ local deployment = loadManifest('deployment.yaml') {
   },
   '01_service_account': serviceAccount,
   '02_deployment': deployment,
-  '02_service': loadManifest('service.yaml') {
-    metadata+: {
-      namespace: params.namespace,
-    },
+  [if certSecret != null then '02_certs']: certSecret,
+  '02_service': service,
+  '02_apiservice': loadManifest('apiservice.yaml') {
     spec+: {
-      selector: deployment.spec.selector.matchLabels,
-    },
+      service: {
+        name: service.metadata.name,
+        namespace: service.metadata.namespace,
+      },
+    } + params.apiserver.apiservice,
   },
-  '02_apiservice': loadManifest('apiservice.yaml'),
 }