chore(libvirt): enable tls cert issuance
diff --git a/charts/libvirt/templates/bin/_cert-init.sh.tpl b/charts/libvirt/templates/bin/_cert-init.sh.tpl
new file mode 100644
index 0000000..1e4bec3
--- /dev/null
+++ b/charts/libvirt/templates/bin/_cert-init.sh.tpl
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Copyright (c) 2023 VEXXHOST, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+cat <<EOF | kubectl apply -f -
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ${POD_NAME}-${TYPE}
+ namespace: ${POD_NAMESPACE}
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: ${POD_NAME}
+ uid: ${POD_UID}
+spec:
+ secretName: ${POD_NAME}-${TYPE}
+ usages:
+ - server auth
+ dnsNames:
+ - ${HOSTNAME}
+ ipAddresses:
+ - ${POD_IP}
+ issuerRef:
+ kind: Issuer
+ name: libvirt-${TYPE}
+EOF
+
+kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
+ certificate/${POD_NAME}-${TYPE}
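Review bot: The script has no `set -euo pipefail` after the shebang on its first line, so a failed `kubectl apply` does not stop it and the following `kubectl wait` spends the full `--timeout=300s` before the init container exits non-zero; with `-u` an unset `${POD_IP}` or `${HOSTNAME}` would also fail fast instead of silently rendering an empty `ipAddresses`/`dnsNames` entry. Add `set -euo pipefail` as the first statement after the shebang. The daemonset hunk in this commit exports TYPE, POD_UID, POD_NAME and POD_NAMESPACE to the init container but not POD_IP, so as written the Certificate's `ipAddresses` entry is presumably empty unless POD_IP is supplied elsewhere — confirm. The `libvirt-${TYPE}` Issuers referenced by `issuerRef` are not created in this diff and must already exist in the pod's namespace for the wait to succeed.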
diff --git a/charts/libvirt/templates/configmap-bin.yaml b/charts/libvirt/templates/configmap-bin.yaml
index 621e981..40bc463 100644
--- a/charts/libvirt/templates/configmap-bin.yaml
+++ b/charts/libvirt/templates/configmap-bin.yaml
@@ -26,6 +26,10 @@
{{- end }}
libvirt.sh: |
{{ tuple "bin/_libvirt.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if or (eq .Values.conf.libvirt.listen_tls "1") (eq .Values.conf.qemu.vnc_tls "1") }}
+ cert-init.sh: |
+{{ tuple "bin/_cert-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
{{- if .Values.conf.ceph.enabled }}
ceph-keyring.sh: |
{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
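Review bot: The added `{{- if or (eq .Values.conf.libvirt.listen_tls "1") (eq .Values.conf.qemu.vnc_tls "1") }}` guard compares both values against the string `"1"`; if either key is set as an unquoted integer in values.yaml (not visible in this diff), Go's `eq` aborts rendering with an incompatible-types error rather than evaluating to false. Normalising first, e.g. `{{- if or (eq (toString .Values.conf.libvirt.listen_tls) "1") (eq (toString .Values.conf.qemu.vnc_tls) "1") }}`, makes the guard robust to either spelling. The same comparison appears twice in the daemonset template in this commit and has the same caveat.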
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
index 2c0ccda..71e3e3a 100644
--- a/charts/libvirt/templates/daemonset-libvirt.yaml
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -76,6 +76,60 @@
initContainers:
{{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+{{- if eq .Values.conf.libvirt.listen_tls "1" }}
+ - name: cert-init-api
+{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "cert_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cert-init.sh
+ env:
+ - name: TYPE
+ value: api
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE:
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: libvirt-bin
+ mountPath: /tmp/cert-init.sh
+ subPath: cert-init.sh
+ readOnly: true
+{{- end }}
+{{- if eq .Values.conf.qemu.vnc_tls "1" }}
+ - name: cert-init-vnc
+{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "cert_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cert-init.sh
+ env:
+ - name: TYPE
+ value: vnc
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE:
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: libvirt-bin
+ mountPath: /tmp/cert-init.sh
+ subPath: cert-init.sh
+ readOnly: true
+{{- end }}
{{- if .Values.conf.ceph.enabled }}
{{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement
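Review bot: The `- name: POD_NAMESPACE:` entries in both added init containers carry a trailing colon, which is either a YAML parse error or an environment variable not named `POD_NAMESPACE`, so the script's `kubectl -n ${POD_NAMESPACE}` and the Certificate's `namespace:` field would receive an empty value. The env list also omits `POD_IP`, which `_cert-init.sh.tpl` expands into `ipAddresses`; add a `status.podIP` downward-API entry with the fix (shown below for `cert-init-api`, `cert-init-vnc` needs the same), noting the enclosing `initContainers` list continues past this hunk. Nothing in this diff grants the pod's service account RBAC to create and get cert-manager Certificates, and the kubectl image these containers pull is declared with a floating `latest` tag in values.yaml — both presumably handled elsewhere, but worth confirming and pinning. The second hunk of this file removes the `tls_volume` includes for the old secrets while no visible change mounts the new `${POD_NAME}-${TYPE}` secrets into the libvirt container. The two containers differ only in `TYPE`, so a `range` over the enabled types would remove the duplicated block.
```yaml
        - name: cert-init-api
          # … unchanged: image, security context, command …
          env:
            # … unchanged: TYPE, POD_UID, POD_NAME entries …
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          # … unchanged: volumeMounts …
```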
@@ -227,10 +281,6 @@
{{- end }}
{{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
volumes:
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
- name: pod-tmp
emptyDir: {}
- name: libvirt-bin
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
index b6cab8d..4c3f79b 100644
--- a/charts/libvirt/values.yaml
+++ b/charts/libvirt/values.yaml
@@ -26,6 +26,7 @@
images:
tags:
+ kubectl: docker.io/bitnami/kubectl:latest
libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_bionic
ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200217'
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
@@ -214,6 +215,9 @@
job_image_repo_sync: true
network_policy: false
+tls:
+ enabled: false
+
secrets:
tls:
server: libvirt-tls-server