Adding secretName variable to customCert (#22453)

Adding possibility to expose certificate and its key via k8s secret/tls.
Since secret/tls keeps cert under tls.crt and key under tls.key modified
default values for customCert.certName and customCert.keyName to be
more compatible with k8s native way of storing certificates.

Signed-off-by: Marcin Iwinski <marcin.iwinski@gmail.com>

charts/unifi/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 5.12.35
 description: Ubiquiti Network's Unifi Controller
 name: unifi
-version: 0.8.0
+version: 0.8.1
 keywords:
   - ubiquiti
   - unifi

charts/unifi/README.md

@@ -102,8 +102,9 @@ The following tables lists the configurable parameters of the Unifi chart and th
 | `GID`                                           | `999`                        | Run the controller as group GID                                                                                        |
 | `customCert.enabled`                            | `false`                      | Define whether you are using s custom certificate                                                                      |
 | `customCert.isChain`                            | `false`                      | If you are using a Let's Encrypt certificate which already includes the full chain set this to `true`                  |
-| `customCert.certName`                           | `cert.pem`                   | Name of the the certificate file in `<unifi-data>/cert`                                                                |
-| `customCert.keyName`                            | `privkey.pem`                | Name of the the private key file in `<unifi-data>/cert`                                                                |
+| `customCert.certName`                           | `tls.crt`                    | Name of the the certificate file in `<unifi-data>/cert`                                                                |
+| `customCert.keyName`                            | `tls.key`                    | Name of the the private key file in `<unifi-data>/cert`                                                                |
+| `customCert.secretName`                         | `unifi-tls`                  | Name of the the k8s tls secret where the certificate and its key are stored.                                           |
 | `mongodb.enabled`                               | `false`                      | Use external MongoDB for data storage                                                                                  |
 | `mongodb.dbUri`                                 | `mongodb://mongo/unifi`      | external MongoDB URI                                                                                                   |
 | `mongodb.statDbUri`                             | `mongodb://mongo/unifi_stat` | external MongoDB statdb URI                                                                                            |

charts/unifi/templates/deployment.yaml

@@ -101,6 +101,14 @@ spec:
             - name: DB_NAME
               value: "{{ .Values.mongodb.databaseName }}"
             {{- end }}
+            {{- if and .Values.customCert .Values.customCert.enabled }}
+            - name: CERT_IS_CHAIN
+              value: "{{ .Values.customCert.isChain }}"
+            - name: CERTNAME
+              value: "{{ .Values.customCert.certName }}"
+            - name: CERT_PRIVATE_NAME
+              value: "{{ .Values.customCert.keyName }}"
+            {{- end }}
           volumeMounts:
             - mountPath: /unifi/data
               name: unifi-data
@@ -109,8 +117,12 @@ spec:
               name: unifi-data
               subPath: {{ ternary "log" (printf "%s/%s" .Values.persistence.subPath "log") (empty .Values.persistence.subPath) }}
             - mountPath: /unifi/cert
+              {{- if and .Values.customCert .Values.customCert.enabled .Values.customCert.certSecret }}
+              name: unifi-cert-secret
+              {{- else }}
               name: unifi-data
               subPath: {{ ternary "cert" (printf "%s/%s" .Values.persistence.subPath "cert") (empty .Values.persistence.subPath) }}
+              {{- end }}
             - mountPath: /unifi/init.d
               name: unifi-data
               subPath: {{ ternary "init.d" (printf "%s/%s" .Values.persistence.subPath "init.d") (empty .Values.persistence.subPath) }}
@@ -118,14 +130,6 @@ spec:
             - name: extra-config
               mountPath: /configmap
             {{- end }}
-            {{- if and .Values.customCert .Values.customCert.enabled }}
-            - name: CERT_IS_CHAIN
-              value: "{{ .Values.customCert.isChain }}"
-            - name: CERTNAME
-              value: "{{ .Values.customCert.certName }}"
-            - name: CERT_PRIVATE_NAME
-              value: "{{ .Values.customCert.keyName }}"
-            {{- end }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
       volumes:
@@ -141,6 +145,11 @@ spec:
           configMap:
             name: {{ template "unifi.fullname" . }}
         {{- end }}
+        {{- if and .Values.customCert .Values.customCert.enabled .Values.customCert.certSecret }}
+        - name: unifi-cert-secret
+          secret:
+            secretName: "{{ .Values.customCert.certSecret }}"
+        {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

charts/unifi/values.yaml

@@ -185,8 +185,11 @@ GID: 999
 customCert:
   enabled: false
   isChain: false
-  certName: cert.pem
-  keyName: privkey.pem
+  certName: tls.crt
+  keyName: tls.key
+  # If you want to store certificate and its key as a Kubernetes tls secret
+  # you can pass the name of that secret using certSecret variable
+  # certSecret: unifi-tls
 
 # define an external mongoDB instead of using the built-in mongodb
 mongodb: