feat(helm): prepare certificate refactor (#87)

ixxeL2097 · Frederic Spiers · web-flow · commit a316e53c9f21 · 2025-11-25T09:01:59.000+01:00
* feat(helm): prepare certificate refactor

* feat(helm): prepare certificate refactor

---------

Co-authored-by: Frederic Spiers &lt;frederic.spiers@gitguardian.com&gt;
diff --git a/helm/ggbridge/README.md b/helm/ggbridge/README.md
@@ -227,6 +227,11 @@ A Helm chart for installing ggbridge
 | terminationGracePeriodSeconds | int | `300` |  |
 | tls.autoGenerated | bool | `false` | Generate automatically self-signed TLS certificates |
 | tls.caCrt | string | `""` | CA certificate in PEM format |
+| tls.certManager.certificate | object | `{"algorithm":"RSA","duration":"17520h","renewBefore":"360h","size":4096}` | certificate configuration |
+| tls.certManager.certificate.algorithm | string | `"RSA"` | certificate algorithm for private key |
+| tls.certManager.certificate.duration | string | `"17520h"` | certificate total duration time |
+| tls.certManager.certificate.renewBefore | string | `"360h"` | certificate renewal time |
+| tls.certManager.certificate.size | int | `4096` | certificate size for private key |
 | tls.certManager.enabled | bool | `false` | Manage certifcates with cert-manager |
 | tls.certManager.issuer.kind | string | `"Issuer"` | Issuer kind ("Issuer" or "ClusterIssuer") |
 | tls.certManager.issuer.name | string | `""` | Set Issuer to use |
diff --git a/helm/ggbridge/templates/_helpers.tpl b/helm/ggbridge/templates/_helpers.tpl
@@ -566,9 +566,17 @@ Returns cert-manager issuer spec for TLS config
 {{- $fullname := include "ggbridge.fullname" . -}}
 {{- $spec := dict -}}
 {{- if hasKey .Values.tls.certManager.issuer.spec "vault" -}}
-  {{- $spec = dict "vault" (dict "auth" (dict "kubernetes" (dict "secretRef" (dict "name" (printf "%s-issuer-token" $fullname) "key" "token")))) -}}
+  {{- $userKubernetesAuth := dig "vault" "auth" "kubernetes" dict .Values.tls.certManager.issuer.spec -}}
+  {{- $kubernetesAuth := dict -}}
+  
+  {{/* Only add secretRef if user hasn't provided secretRef OR serviceAccountRef */}}
+  {{- if and (not (hasKey $userKubernetesAuth "secretRef")) (not (hasKey $userKubernetesAuth "serviceAccountRef")) -}}
+    {{- $_ := set $kubernetesAuth "secretRef" (dict "name" (printf "%s-issuer-token" $fullname) "key" "token") -}}
+  {{- end -}}
+  
+  {{- $spec = dict "vault" (dict "auth" (dict "kubernetes" $kubernetesAuth)) -}}
 {{- end -}}
-{{- $spec = include "ggbridge.tplvalues.merge" ( dict "values" ( list .Values.tls.certManager.issuer.spec $spec ) "context" . ) | fromYaml -}}
+{{- $spec = include "ggbridge.tplvalues.merge" ( dict "values" ( list $spec .Values.tls.certManager.issuer.spec ) "context" . ) | fromYaml -}}
 {{ include "ggbridge.tplvalues.render" ( dict "value" $spec "context" .) }}
 {{- end -}}
 
diff --git a/helm/ggbridge/templates/cert-manager.yaml b/helm/ggbridge/templates/cert-manager.yaml
@@ -1,6 +1,6 @@
-{{- if .Values.tls.certManager.enabled -}}
-  {{- $fullname := include "ggbridge.fullname" . -}}
-  {{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}
+{{- $fullname := include "ggbridge.fullname" . -}}
+{{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}
+{{- if and .Values.tls.certManager.enabled (not (hasKey .Values.tls.certManager.issuer.spec "vault")) -}}
   {{- if .Values.tls.certManager.issuer.spec }}
     {{- if hasKey .Values.tls.certManager.issuer.spec "selfSigned" -}}
 ---
@@ -69,3 +69,18 @@ spec:
     {{- end }}
   {{- end }}
 {{- end }}
+{{- if hasKey .Values.tls.certManager.issuer.spec "vault" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ printf "%s-issuer" $fullname }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "ggbridge.labels" $ | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- include "ggbridge.certManager.issuer.spec" . | nindent 2 }}
+{{- end }}
diff --git a/helm/ggbridge/templates/client/cert-manager.yaml b/helm/ggbridge/templates/client/cert-manager.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.tls.certManager.enabled -}}
+{{- if and .Values.tls.certManager.enabled (and (not (empty .Values.tls.certManager.issuer.spec)) (not (hasKey .Values.tls.certManager.issuer.spec "vault"))) -}}
   {{- $fullname := include "ggbridge.fullname" . -}}
   {{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}
   {{- $clientFullname := include "ggbridge.client.fullname" $ -}}
@@ -16,10 +16,11 @@ metadata:
   {{- end }}
 spec:
   secretName: {{ printf "%s-crt" $clientFullname }}
-  duration: 17520h # 2 years
+  duration: {{ .Values.tls.certManager.certificate.duration }}
+  renewBefore: {{ .Values.tls.certManager.certificate.renewBefore }}
   privateKey:
-    algorithm: RSA
-    size: 4096
+    algorithm: {{ .Values.tls.certManager.certificate.algorithm }}
+    size: {{ .Values.tls.certManager.certificate.size }}
   commonName: {{ include "ggbridge.hostname" . }}
   usages:
     - client auth
diff --git a/helm/ggbridge/templates/proxy/networkpolicy.yaml b/helm/ggbridge/templates/proxy/networkpolicy.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq .Values.mode "server") .Values.proxy.networkPolicy.enabled -}}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") .Values.proxy.networkPolicy.enabled (gt $deploymentCount 0) -}}
   {{- $fullname := include "ggbridge.proxy.fullname" . }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/helm/ggbridge/templates/proxy/service.yaml b/helm/ggbridge/templates/proxy/service.yaml
@@ -1,4 +1,5 @@
-{{- if (eq (include "ggbridge.proxy.enabled" .) "true") -}}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq (include "ggbridge.proxy.enabled" .) "true") (gt $deploymentCount 0) -}}
   {{- $proxyFullname := include "ggbridge.proxy.fullname" . }}
   {{- $ports := include "ggbridge.proxy.service.ports" . | fromYaml -}}
   {{- if $ports -}}
diff --git a/helm/ggbridge/templates/rbac.yaml b/helm/ggbridge/templates/rbac.yaml
@@ -45,7 +45,21 @@ metadata:
   annotations:
     kubernetes.io/service-account.name: {{ printf "%s-issuer" $fullname }}
 type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ printf "%s-issuer" $fullname }}-token-reviewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: {{ printf "%s-issuer" $fullname }}
+    namespace: {{ .Release.Namespace }}
   {{- end }}
+  {{- if .Values.tls.certManager.rbac.subjects }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -79,7 +93,6 @@ rules:
       - 'list'
       - 'watch'
       - 'create'
-  {{- if .Values.tls.certManager.rbac.subjects }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/helm/ggbridge/templates/server/cert-manager.yaml b/helm/ggbridge/templates/server/cert-manager.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq .Values.mode "server") .Values.tls.certManager.enabled -}}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") .Values.tls.certManager.enabled (gt $deploymentCount 0) -}}
   {{- $fullname := include "ggbridge.fullname" . -}}
   {{- $serverFullname := include "ggbridge.server.fullname" . }}
   {{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}
@@ -16,10 +17,11 @@ metadata:
   {{- end }}
 spec:
   secretName: {{ printf "%s-crt" $serverFullname }}
-  duration: 17520h # 2 years
+  duration: {{ .Values.tls.certManager.certificate.duration }}
+  renewBefore: {{ .Values.tls.certManager.certificate.renewBefore }}
   privateKey:
-    algorithm: RSA
-    size: 4096
+    algorithm: {{ .Values.tls.certManager.certificate.algorithm }}
+    size: {{ .Values.tls.certManager.certificate.size }}
   commonName: {{ include "ggbridge.hostname" . }}
   dnsNames:
     - {{ include "ggbridge.hostname" . }}
diff --git a/helm/ggbridge/templates/server/configmap.yaml b/helm/ggbridge/templates/server/configmap.yaml
@@ -1,4 +1,5 @@
-{{- if (eq .Values.mode "server") -}}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") (gt $deploymentCount 0) -}}
   {{- $serverFullname := include "ggbridge.server.fullname" . }}
 ---
 apiVersion: v1
diff --git a/helm/ggbridge/templates/server/gateway.yaml b/helm/ggbridge/templates/server/gateway.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq .Values.mode "server") .Values.server.gateway.enabled }}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") .Values.server.gateway.enabled (gt $deploymentCount 0) }}
   {{- $serverFullname := include "ggbridge.server.fullname" . }}
   {{- if .Values.server.gateway.gateway.create }}
 ---
diff --git a/helm/ggbridge/templates/server/ingress.yaml b/helm/ggbridge/templates/server/ingress.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq .Values.mode "server") .Values.server.ingress.enabled }}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") .Values.server.ingress.enabled (gt $deploymentCount 0) }}
   {{- $serverFullname := include "ggbridge.server.fullname" . }}
 
   {{- if and (eq .Values.server.ingress.controller "traefik") .Values.tls.enabled }}
diff --git a/helm/ggbridge/templates/server/istio.yaml b/helm/ggbridge/templates/server/istio.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq .Values.mode "server") .Values.server.istio.enabled }}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") .Values.server.istio.enabled (gt $deploymentCount 0) }}
   {{- $serverFullname := include "ggbridge.server.fullname" . }}
 
 {{- if .Values.server.istio.gateway.create }}
diff --git a/helm/ggbridge/templates/server/networkpolicy.yaml b/helm/ggbridge/templates/server/networkpolicy.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq .Values.mode "server") .Values.networkPolicy.enabled }}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") .Values.networkPolicy.enabled (gt $deploymentCount 0) }}
   {{- $fullname := include "ggbridge.server.fullname" . }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/helm/ggbridge/templates/server/pdb.yaml b/helm/ggbridge/templates/server/pdb.yaml
@@ -1,4 +1,5 @@
-{{- if and (eq .Values.mode "server") .Values.pdb.create }}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") .Values.pdb.create (gt $deploymentCount 0) }}
   {{- range $index := until (int .Values.deploymentCount) }}
     {{- $fullname := include "ggbridge.fullname" $ }}
     {{- $serverFullname := include "ggbridge.server.fullname" $ }}
diff --git a/helm/ggbridge/templates/server/service.yaml b/helm/ggbridge/templates/server/service.yaml
@@ -1,4 +1,5 @@
-{{- if (eq .Values.mode "server") -}}
+{{- $deploymentCount := int (default 0 .Values.deploymentCount) -}}
+{{- if and (eq .Values.mode "server") (gt $deploymentCount 0) -}}
   {{- $fullname := include "ggbridge.fullname" $ }}
   {{- $serverFullname := include "ggbridge.server.fullname" $ }}
 ---
diff --git a/helm/ggbridge/templates/serviceaccount.yaml b/helm/ggbridge/templates/serviceaccount.yaml
@@ -21,7 +21,7 @@ rules:
   - apiGroups:
       - ''
     resources:
-      - 'configmpas'
+      - 'configmaps'
       - 'secrets'
     verbs:
       - 'get'
diff --git a/helm/ggbridge/values.yaml b/helm/ggbridge/values.yaml
@@ -180,6 +180,16 @@ tls:
       ##     name: gim
       ##     namespace: gim
       subjects: []
+    # -- certificate configuration
+    certificate:
+      # -- certificate total duration time
+      duration: 17520h
+      # -- certificate renewal time
+      renewBefore: 360h
+      # -- certificate algorithm for private key
+      algorithm: RSA
+      # -- certificate size for private key
+      size: 4096
     issuer:
       # -- Set Issuer to use
       name: ""
