Add support customized IPSans and DNSSans for server-tls server cert for vault #1020
Conversation
|
|
jmurret
changed the title
NicoletaPopoviciu
requested review from
kschoche,
a team and
t-eckert
and removed request for
a team
There was a problem hiding this comment.
I think this looks great, assuming that you get the manual test working and confirmed I think it's good to merge after.
One comment on my way :
Is there any way you could roll the new templating logic into a helper function? It is really a lot of text to all inline. Thoughts?
charts/consul/templates/_helpers.tpl
Outdated
| {{ "{{" }}- .Data.certificate -{{ "}}" }} | ||
| {{ "{{" }}- end -{{ "}}" }} | ||
| {{- end -}} | ||
|
|
||
| {{- define "consul.serverTLSKeyTemplate" -}} | ||
| | | ||
| {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" | ||
| "ttl=1h" "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} | ||
| "ttl=1h" "alt_names={{ include "consul.serverTLSAltNames" . }}{{- if .Values.server.tls -}}{{- if .Values.server.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.server.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}}" "ip_sans=127.0.0.1{{- if .Values.server.tls -}}{{- if .Values.server.tls.serverAdditionalIPSANs -}}{{- range $ipsan := .Values.server.tls.serverAdditionalIPSANs }},{{ $ipsan }} {{- end -}}{{- end -}}{{- end -}}" -{{ "}}" }} |
There was a problem hiding this comment.
drive-by comment: these values should come from .Values.global.tls not .Values.server.tls. The goal I think is to re-use existing values:
consul-k8s/charts/consul/values.yaml
Line 282 in 216fbda
| echo "Expected: ${expected}" | ||
| echo "Actual: ${actual}" |
There was a problem hiding this comment.
Did you mean to keep these here or was it for debugging?
|
@kschoche great call on the helper function! will add |
jmurret
force-pushed
the
jm/vault-sans-ips
branch
from
d4682eb to
ce5486a
Compare
| {{ "{{" }}- .Data.private_key -{{ "}}" }} | ||
| {{ "{{" }}- end -{{ "}}" }} | ||
| {{- end -}} | ||
|
|
||
| {{- define "consul.serverTLSAltNames" -}} | ||
| {{- $name := include "consul.fullname" . -}} | ||
| {{- $ns := .Release.Namespace -}} | ||
| {{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,*.%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }} | ||
| {{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,*.%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} |
There was a problem hiding this comment.
This looks so much better, great work. I totally missed the typos that Iryna pointed out bc it was all one giant line of text and my brain wasnt up to the task. Much better!
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
|
Verified DNS SANs and IP SANs flowing through to servercert. Going to merge. |
Changes proposed in this PR:
How I've tested this PR:
How I expect reviewers to test this PR:
manual verification in a consul/vault/k8s environment
Checklist: