{{/*
Build the "<chart name>-<chart version>" string used as the chart label value.

"+" (semver build metadata) is replaced with "_" because "+" is not allowed in
a Kubernetes label value, and the result is cut to 63 characters, the maximum
length of a label value. A "-" left dangling at the end by the cut is removed.
*/}}
{{- define "cilium.chart" -}}
{{- $label := printf "%s-%s" .Chart.Name .Chart.Version -}}
{{- $label | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Return the Ingress apiVersion that matches the cluster's Kubernetes version:

  >= 1.16 and < 1.19  ->  networking.k8s.io/v1beta1
  ^1.19               ->  networking.k8s.io/v1

The "-0" suffix in the constraints lets pre-release version strings match.
Nothing is emitted for a version outside both ranges, so a caller that renders
an Ingress for such a cluster gets an empty apiVersion.
*/}}
{{- define "ingress.apiVersion" -}}
{{- $kube := .Capabilities.KubeVersion.Version -}}
{{- if semverCompare ">=1.16-0, <1.19-0" $kube -}}
networking.k8s.io/v1beta1
{{- else if semverCompare "^1.19-0" $kube -}}
networking.k8s.io/v1
{{- end -}}
{{- end -}}
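{{/*
Return the backend (and, for networking.k8s.io/v1, the pathType) of the
Hubble UI ingress path, in the shape the cluster's Ingress API expects.

  >= 1.4 and < 1.19  ->  legacy backend: serviceName / servicePort
  ^1.19              ->  pathType plus backend.service.name / .port.name

Both branches point at the "hubble-ui" Service on its port named "http".
The nesting below is significant: "name" and "port" belong under "service",
and the port's "name" under "port". Flattening them to one level yields a
duplicate "name" key and a backend the v1 Ingress schema rejects.

NOTE(review): this helper only selects the backend. TLS and any access
control for the exposed UI have to come from the Ingress that includes it.
*/}}
{{- define "ingress.paths" -}}
{{ if semverCompare ">=1.4-0, <1.19-0" .Capabilities.KubeVersion.Version -}}
backend:
  serviceName: hubble-ui
  servicePort: http
{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}}
pathType: Prefix
backend:
  service:
    name: hubble-ui
    port:
      name: http
{{- end -}}
{{- end -}}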
{{/*
Generate TLS certificates for Hubble Server and Hubble Relay.

Every Hubble template below opens with the same two statements:

    $ca := .ca | default (genCA "hubble-ca.cilium.io" (.Values.hubble.tls.auto.certValidityDuration | int))
    $_ := set . "ca" $ca

The first reuses the CA already stored under the "ca" key of the context and
falls back to a newly generated one only when that key is empty; the second
stores the result back under "ca". Together they ensure the CA is generated
only once. Do not "simplify" them: without this, every generated certificate
would be signed by a different CA and would not verify against the ca.crt
published next to it.

certValidityDuration is passed through "int" and used as the validity in days.
NOTE(review): "int" turns a missing or non-numeric value into 0 - confirm the
chart's values always set it.
NOTE(review): the CA is cached only in the context it is stored on, so a later
render presumably creates a new CA - confirm how the calling templates keep or
rotate the resulting objects.

"hubble.ca.gen-cert-only" emits just the CA certificate, as a PEM literal
block under "ca.crt" (not base64). No private key is part of its output.
*/}}
{{- define "hubble.ca.gen-cert-only" }}
{{- $ca := .ca | default (genCA "hubble-ca.cilium.io" (.Values.hubble.tls.auto.certValidityDuration | int)) -}}
{{- $_ := set . "ca" $ca -}}
ca.crt: |-
{{ indent 2 $ca.Cert -}}
{{- end }}
{{/*
Hubble server certificate, signed by the shared Hubble CA.

The CN and the only DNS SAN are the wildcard
"*.<cluster>.hubble-grpc.cilium.io", where <cluster> is .Values.cluster.name
with every "." replaced by "-" (presumably so the cluster name stays a single
DNS label under the wildcard). No IP SANs are set.

Emits base64-encoded ca.crt, tls.crt and tls.key. The output contains the
private key, so it belongs only in the data of a Secret.
*/}}
{{- define "hubble.server.gen-certs" }}
{{- $ca := .ca | default (genCA "hubble-ca.cilium.io" (.Values.hubble.tls.auto.certValidityDuration | int)) -}}
{{- $_ := set . "ca" $ca -}}
{{- $cluster := .Values.cluster.name | replace "." "-" -}}
{{- $wildcard := printf "*.%s.hubble-grpc.cilium.io" $cluster -}}
{{- $days := .Values.hubble.tls.auto.certValidityDuration | int -}}
{{- $signed := genSignedCert $wildcard nil (list $wildcard) $days $ca -}}
ca.crt: {{ b64enc $ca.Cert }}
tls.crt: {{ b64enc $signed.Cert }}
tls.key: {{ b64enc $signed.Key }}
{{- end }}
{{/*
Hubble Relay certificate, signed by the shared Hubble CA.

The CN and the only DNS SAN are the fixed wildcard "*.hubble-relay.cilium.io";
no IP SANs are set.

Emits base64-encoded ca.crt, tls.crt and tls.key. The output contains the
private key, so it belongs only in the data of a Secret.
*/}}
{{- define "hubble.relay.gen-certs" }}
{{- $ca := .ca | default (genCA "hubble-ca.cilium.io" (.Values.hubble.tls.auto.certValidityDuration | int)) -}}
{{- $_ := set . "ca" $ca -}}
{{- $wildcard := "*.hubble-relay.cilium.io" -}}
{{- $days := .Values.hubble.tls.auto.certValidityDuration | int -}}
{{- $signed := genSignedCert $wildcard nil (list $wildcard) $days $ca -}}
ca.crt: {{ b64enc $ca.Cert }}
tls.crt: {{ b64enc $signed.Cert }}
tls.key: {{ b64enc $signed.Key }}
{{- end }}
{{/*
Ensure a clustermesh-apiserver CA exists under the "cmca" key of the context.

An existing non-empty .cmca is kept; otherwise a CA named
"clustermesh-apiserver-ca.cilium.io" is stored there, valid for
clustermesh.apiserver.tls.auto.certValidityDuration days (converted with
"int"). The template renders no output; callers read .cmca afterwards so that
every clustermesh certificate is signed by the same CA.
*/}}
{{- define "clustermesh.apiserver.generate.ca" }}
{{- $days := .Values.clustermesh.apiserver.tls.auto.certValidityDuration | int -}}
{{- $fresh := genCA "clustermesh-apiserver-ca.cilium.io" $days -}}
{{- $_ := set . "cmca" (default $fresh .cmca) -}}
{{- end }}
{{/*
Emit the clustermesh-apiserver CA as base64-encoded ca.crt and ca.key.

Unlike the other templates, this one outputs the CA's private key. Whoever can
read the rendered object can sign certificates that this CA's clients and
servers will trust, so it belongs only in the data of a Secret with tightly
scoped read access.
*/}}
{{- define "clustermesh.apiserver.ca.gen-cert" }}
{{- template "clustermesh.apiserver.generate.ca" . -}}
{{- $ca := .cmca -}}
ca.crt: {{ b64enc $ca.Cert }}
ca.key: {{ b64enc $ca.Key }}
{{- end }}
{{/*
Server certificate for clustermesh-apiserver, signed by the shared CA in .cmca.

CN:       clustermesh-apiserver.cilium.io
IP SANs:  127.0.0.1
DNS SANs: clustermesh-apiserver.cilium.io, *.mesh.cilium.io

Emits base64-encoded ca.crt, tls.crt and tls.key. The output contains the
private key, so it belongs only in the data of a Secret.
*/}}
{{- define "clustermesh.apiserver.server.gen-cert" }}
{{- template "clustermesh.apiserver.generate.ca" . -}}
{{- $days := .Values.clustermesh.apiserver.tls.auto.certValidityDuration | int -}}
{{- $name := "clustermesh-apiserver.cilium.io" -}}
{{- $signed := genSignedCert $name (list "127.0.0.1") (list $name "*.mesh.cilium.io") $days .cmca -}}
ca.crt: {{ b64enc .cmca.Cert }}
tls.crt: {{ b64enc $signed.Cert }}
tls.key: {{ b64enc $signed.Key }}
{{- end }}
{{/*
Admin certificate for clustermesh-apiserver, signed by the shared CA in .cmca.

CN is "root" and the only DNS SAN is "localhost"; no IP SANs are set.
NOTE(review): presumably the server maps the CN to an identity, which would
make this the most privileged credential of the set - confirm, and scope read
access to the Secret holding it accordingly.

Emits base64-encoded ca.crt, tls.crt and tls.key. The output contains the
private key, so it belongs only in the data of a Secret.
*/}}
{{- define "clustermesh.apiserver.admin.gen-cert" }}
{{- template "clustermesh.apiserver.generate.ca" . -}}
{{- $days := .Values.clustermesh.apiserver.tls.auto.certValidityDuration | int -}}
{{- $signed := genSignedCert "root" nil (list "localhost") $days .cmca -}}
ca.crt: {{ b64enc .cmca.Cert }}
tls.crt: {{ b64enc $signed.Cert }}
tls.key: {{ b64enc $signed.Key }}
{{- end }}
{{/*
Client certificate for clustermesh-apiserver, signed by the shared CA in .cmca.

CN is "externalworkload"; the certificate carries no IP or DNS SANs.

Emits base64-encoded ca.crt, tls.crt and tls.key. The output contains the
private key, so it belongs only in the data of a Secret.
*/}}
{{- define "clustermesh.apiserver.client.gen-cert" }}
{{- template "clustermesh.apiserver.generate.ca" . -}}
{{- $days := .Values.clustermesh.apiserver.tls.auto.certValidityDuration | int -}}
{{- $signed := genSignedCert "externalworkload" nil nil $days .cmca -}}
ca.crt: {{ b64enc .cmca.Cert }}
tls.crt: {{ b64enc $signed.Cert }}
tls.key: {{ b64enc $signed.Key }}
{{- end }}
{{/*
Remote certificate for clustermesh-apiserver, signed by the shared CA in .cmca.

CN is "remote"; the certificate carries no IP or DNS SANs.

Emits base64-encoded ca.crt, tls.crt and tls.key. The output contains the
private key, so it belongs only in the data of a Secret.
*/}}
{{- define "clustermesh.apiserver.remote.gen-cert" }}
{{- template "clustermesh.apiserver.generate.ca" . -}}
{{- $days := .Values.clustermesh.apiserver.tls.auto.certValidityDuration | int -}}
{{- $signed := genSignedCert "remote" nil nil $days .cmca -}}
ca.crt: {{ b64enc .cmca.Cert }}
tls.crt: {{ b64enc $signed.Cert }}
tls.key: {{ b64enc $signed.Key }}
{{- end }}