From ca6493faf3d3f8c15ef73b94dd7632d58efbc29f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Iwi=C5=84ski?=
Date: Wed, 20 May 2020 13:20:18 +0200
Subject: [PATCH] Adding secretName variable to customCert (#22453)

Adding possibility to expose certificate and its key via k8s secret/tls. Since secret/tls keeps cert under tls.crt and key under tls.key modified default values for customCert.certName and customCert.keyName to be more compatible with k8s native way of storing certificates.

Signed-off-by: Marcin Iwinski
---
 charts/unifi/Chart.yaml | 2 +-
 charts/unifi/README.md | 5 +++--
 charts/unifi/templates/deployment.yaml | 25 +++++++++++++++++--------
 charts/unifi/values.yaml | 7 +++++--
 4 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/charts/unifi/Chart.yaml b/charts/unifi/Chart.yaml
index a3384c87..3bbc68b1 100644
--- a/charts/unifi/Chart.yaml
+++ b/charts/unifi/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 5.12.35
 description: Ubiquiti Network's Unifi Controller
 name: unifi
-version: 0.8.0
+version: 0.8.1
 keywords:
 - ubiquiti
 - unifi
diff --git a/charts/unifi/README.md b/charts/unifi/README.md
index 804fb605..45a6bf0f 100644
--- a/charts/unifi/README.md
+++ b/charts/unifi/README.md
@@ -102,8 +102,9 @@ The following tables lists the configurable parameters of the Unifi chart and th
 | `GID` | `999` | Run the controller as group GID |
 | `customCert.enabled` | `false` | Define whether you are using s custom certificate |
 | `customCert.isChain` | `false` | If you are using a Let's Encrypt certificate which already includes the full chain set this to `true` |
-| `customCert.certName` | `cert.pem` | Name of the the certificate file in `/cert` |
-| `customCert.keyName` | `privkey.pem` | Name of the the private key file in `/cert` |
+| `customCert.certName` | `tls.crt` | Name of the the certificate file in `/cert` |
+| `customCert.keyName` | `tls.key` | Name of the the private key file in `/cert` |
+| `customCert.secretName` | `unifi-tls` | Name of the the k8s tls secret where the certificate and its key are stored. |
 | `mongodb.enabled` | `false` | Use external MongoDB for data storage |
 | `mongodb.dbUri` | `mongodb://mongo/unifi` | external MongoDB URI |
 | `mongodb.statDbUri` | `mongodb://mongo/unifi_stat` | external MongoDB statdb URI |
diff --git a/charts/unifi/templates/deployment.yaml b/charts/unifi/templates/deployment.yaml
index 496624fc..37727c42 100644
--- a/charts/unifi/templates/deployment.yaml
+++ b/charts/unifi/templates/deployment.yaml
@@ -101,6 +101,14 @@ spec:
 - name: DB_NAME
 value: "{{ .Values.mongodb.databaseName }}"
 {{- end }}
+ {{- if and .Values.customCert .Values.customCert.enabled }}
+ - name: CERT_IS_CHAIN
+ value: "{{ .Values.customCert.isChain }}"
+ - name: CERTNAME
+ value: "{{ .Values.customCert.certName }}"
+ - name: CERT_PRIVATE_NAME
+ value: "{{ .Values.customCert.keyName }}"
+ {{- end }}
 volumeMounts:
 - mountPath: /unifi/data
 name: unifi-data
@@ -109,8 +117,12 @@ spec:
 name: unifi-data
 subPath: {{ ternary "log" (printf "%s/%s" .Values.persistence.subPath "log") (empty .Values.persistence.subPath) }}
 - mountPath: /unifi/cert
+ {{- if and .Values.customCert .Values.customCert.enabled .Values.customCert.certSecret }}
+ name: unifi-cert-secret
+ {{- else }}
 name: unifi-data
 subPath: {{ ternary "cert" (printf "%s/%s" .Values.persistence.subPath "cert") (empty .Values.persistence.subPath) }}
+ {{- end }}
 - mountPath: /unifi/init.d
 name: unifi-data
 subPath: {{ ternary "init.d" (printf "%s/%s" .Values.persistence.subPath "init.d") (empty .Values.persistence.subPath) }}
@@ -118,14 +130,6 @@ spec:
 - name: extra-config
 mountPath: /configmap
 {{- end }}
- {{- if and .Values.customCert .Values.customCert.enabled }}
- - name: CERT_IS_CHAIN
- value: "{{ .Values.customCert.isChain }}"
- - name: CERTNAME
- value: "{{ .Values.customCert.certName }}"
- - name: CERT_PRIVATE_NAME
- value: "{{ .Values.customCert.keyName }}"
- {{- end }}
 resources:
 {{ toYaml .Values.resources | indent 12 }}
 volumes:
@@ -141,6 +145,11 @@ spec:
 configMap:
 name: {{ template "unifi.fullname" . }}
 {{- end }}
+ {{- if and .Values.customCert .Values.customCert.enabled .Values.customCert.certSecret }}
+ - name: unifi-cert-secret
+ secret:
+ secretName: "{{ .Values.customCert.certSecret }}"
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml . | indent 8 }}
diff --git a/charts/unifi/values.yaml b/charts/unifi/values.yaml
index 9edb427a..6813e604 100644
--- a/charts/unifi/values.yaml
+++ b/charts/unifi/values.yaml
@@ -185,8 +185,11 @@ GID: 999
 customCert:
 enabled: false
 isChain: false
- certName: cert.pem
- keyName: privkey.pem
+ certName: tls.crt
+ keyName: tls.key
+ # If you want to store certificate and its key as a Kubernetes tls secret
+ # you can pass the name of that secret using certSecret variable
+ # certSecret: unifi-tls
 
 # define an external mongoDB instead of using the built-in mongodb
 mongodb:
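Review bot: The value key the template tests in the new `/unifi/cert` mount condition, `.Values.customCert.certSecret`, does not match the key the commit title and the README hunk document, `customCert.secretName`; the same `certSecret` key is used in the volumes hunk below and in the values.yaml comment. A user who follows the README and sets `secretName` gets a false condition, the chart silently falls back to the persistence-volume `cert` subPath, and the TLS secret is never mounted, with nothing in the rendered manifest pointing at the mistake. Pick one name and use it in all four places, e.g. change this line to `{{- if and .Values.customCert .Values.customCert.enabled .Values.customCert.secretName }}` and the volumes hunk to `secretName: "{{ .Values.customCert.secretName }}"`, or correct the README row to `customCert.secretName` → `customCert.certSecret`. The README also states a default of `unifi-tls` while values.yaml leaves the key commented out, so the documented default is not what the chart ships.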
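Review bot: The new `unifi-cert-secret` volume in the volumes hunk mounts the secret with the projection default file mode, so `tls.key` ends up world-readable inside the container; since the chart runs the controller under a configurable UID/GID (the values hunk header shows `GID: 999`), the key can instead be restricted to the group the process runs as. Add `defaultMode: 0440` under `secret:` next to `secretName: "{{ .Values.customCert.certSecret }}"` — Kubernetes reads this as octal — and confirm that the pod securityContext, which is outside this hunk, sets `fsGroup` to the same GID so the controller can still read the file. If fsGroup is not set, the permission tightening will lock the controller out of its own key, so verify the rendered pod spec before merging.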
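Review bot: The values.yaml hunk changes the defaults of `certName` and `keyName` from `cert.pem`/`privkey.pem` to `tls.crt`/`tls.key`, which alters behaviour for existing releases that keep their certificate on the persistence volume under the old names: after `helm upgrade` the `CERTNAME`/`CERT_PRIVATE_NAME` environment variables point at files that do not exist unless the user pins the old values. The Chart.yaml hunk bumps only the patch version (0.8.0 → 0.8.1), so nothing signals the incompatibility. Add a comment above the new defaults, `# NOTE: defaults changed from cert.pem/privkey.pem; installs that keep the certificate on the persistence volume must set certName/keyName explicitly`, and mirror it in the README upgrade notes.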