Apply suggestions from code review

Co-authored-by: Chris <github.account@chrigel.net> Co-authored-by: Simon Gerber <simon.gerber@vshn.ch>
appuio · Jan 10, 2022 · c8f9340 · c8f9340
1 parent 6edf9e5
commit c8f9340
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 15 deletions.
diff --git a/component/api-server.jsonnet b/component/api-server.jsonnet
@@ -20,14 +20,9 @@ local serviceAccount = loadManifest('service_account.yaml') {
 local role = loadManifest('role.yaml');
 
 local certSecret =
-  if (
-    params.apiserver.tls.certSecretName != null
-    && params.apiserver.tls.certSecretName != ''
-    && params.apiserver.tls.serverCert != null
-    && params.apiserver.tls.serverCert != ''
-    && params.apiserver.tls.serverKey != null
-    && params.apiserver.tls.serverKey != ''
-  ) then
+  if params.apiserver.tls.certSecretName != null then
+    assert std.length(params.apiserver.tls.serverCert) > 0 : 'apiserver.tls.serverCert is required';
+    assert std.length(params.apiserver.tls.serverKey) > 0 : 'apiserver.tls.serverKey is required';
     kube.Secret(params.apiserver.tls.certSecretName) {
       metadata+: {
         namespace: params.namespace,
@@ -52,7 +47,7 @@ local deployment = loadManifest('deployment.yaml') {
         containers: [
           if c.name == 'apiserver' then
             c {
-              image: '%s/%s:%s' % [ image.registry, image.image, image.tag ],
+              image: '%(registry)s/%(image)s:%(tag)s' % image,
             }
           else
             c

diff --git a/docs/modules/ROOT/pages/how-tos/tls.adoc b/docs/modules/ROOT/pages/how-tos/tls.adoc
@@ -12,7 +12,7 @@ Requirements
 * `yq`
 ====
 
-. Compile the to be configured cluster
+. Compile the cluster
 +
 [source,bash]
 ----
@@ -50,9 +50,21 @@ yq eval -i ".parameter.control_api.apiserver.tls.serverCert = \"${apicert}\"" \
   inventory/classes/${TENANT_ID}/${CLUSTER_ID}.yml
 ----
 
+. Commit and push configuration change
++
+[source,bash]
+----
+cd inventory/classes/${TENANT_ID}
+git add ${CLUSTER_ID}.yml
+git commit -m "Configure Control API APIService certificate"
+git push origin master
+popd
+----
+
 . Remove temporary files
 +
 [source,bash]
 ----
 rm apiserver.{key,crt}
 ----
+
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -13,22 +13,22 @@ The namespace in which to deploy this component.
 == `apiserver.apiservice`
 type:: dict
 
-This key is applied directly as a `APIService` object.
+This key is applied directly as an `APIService` object.
 The `APIService` object instructs the Kubernetes API server to delegate requests to the aggregate API server.
 
 == `apiserver.tls`
 
-This key configures encryption of internal traffic, meaning from the Kubernetes API server to our aggregate API sever.
+This key configures encryption of internal traffic from the Kubernetes API server to the aggregate API sever.
 
 You have the option to provide a custom TLS key and certificate.
 
-If any of the following fields are set to `null` or empty string, the aggregate API server will generate its own certificates.
-In that case the connection is still encrypted, but you need to disable TLS verification by setting `insecureSkipTLSVerify` to `true` in the APIService.
-
 === `apiserver.tls.certSecretName`
 type:: string
 default:: `control-api-tls`
 
+If this field is set to `null`, the aggregate API server will generate its own certificates.
+In that case the connection is still encrypted, but you need to disable TLS verification by setting `insecureSkipTLSVerify` to `true` in the APIService.
+
 === `apiserver.tls.serverCert`
 type:: string
 default:: ""

diff --git a/tests/insecure.yml b/tests/insecure.yml
@@ -3,6 +3,8 @@ parameters:
     apiserver:
       apiservice:
         insecureSkipTLSVerify: true
+      tls:
+        certSecretName: null
 
     zones:
       example-zone-1: