diff --git a/charts/dirk/scripts/generate_cert.sh b/charts/dirk/scripts/generate_cert.sh index c2f103bd0..669009566 100644 --- a/charts/dirk/scripts/generate_cert.sh +++ b/charts/dirk/scripts/generate_cert.sh @@ -9,6 +9,9 @@ generate_certs() { LOCATION=$1 CA_CERT_NAME=$2 CERT_NAME=$3 +DOMAIN=$4 + +echo "DOMAIN: ${DOMAIN}" mkdir -p "${LOCATION}" pushd "${LOCATION}" @@ -36,6 +39,11 @@ subjectAltName = @alt_names DNS.1 = "${CERT_NAME}" EOEXT +if [ -n "${DOMAIN}" ]; then echo "DNS.2 = \"${CERT_NAME}.${DOMAIN}\"" >> "${CERT_NAME}.ext"; fi + + +cat "${CERT_NAME}".ext + openssl genrsa -out "${CERT_NAME}.key" 4096 openssl req -out "${CERT_NAME}.csr" -key "${CERT_NAME}.key" -new -subj "/CN=${CERT_NAME}" -addext "subjectAltName=DNS:${CERT_NAME}" openssl x509 -req -in "${CERT_NAME}.csr" -CA "${CA_CERT_NAME}.crt" -CAkey "${CA_CERT_NAME}.key" -CAcreateserial -out "${CERT_NAME}.crt" -days 1825 -sha256 -extfile "${CERT_NAME}.ext" diff --git a/charts/dirk/templates/configmap.yaml b/charts/dirk/templates/configmap.yaml index 32463a033..634d86e5a 100644 --- a/charts/dirk/templates/configmap.yaml +++ b/charts/dirk/templates/configmap.yaml @@ -6,7 +6,15 @@ metadata: labels: {{- include "common.labels.standard" . | nindent 4 }} data: + {{- if .Values.dirk.peers }} + {{- $myVal := "_" -}} + {{- range $k, $v := .Values.dirk.peers }} + {{- $myVal = printf "%s,%s:%s" $myVal $k $v -}} + {{- end }} + PEERS: {{ $myVal | replace "_,1" "1" }} + {{- else }} PEERS: 1:{{ include "dirk.fullname" . }}-0.{{ include "dirk.fullname" . }}:{{ .Values.service.httpPort }},2:{{ include "dirk.fullname" . }}-1.{{ include "dirk.fullname" . }}:{{ .Values.service.httpPort }},3:{{ include "dirk.fullname" . }}-2.{{ include "dirk.fullname" . }}:{{ .Values.service.httpPort }} + {{- end }} --- apiVersion: v1 kind: ConfigMap 
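Review bot: The `echo "DOMAIN: ${DOMAIN}"` added right after `DOMAIN=$4` is an unconditional debug print that lands in the init container log on every pod start; drop it or gate it behind a verbose flag. `DOMAIN=$4` also aborts with an unbound-variable error under `set -u` whenever the caller passes only three arguments, which the non-cluster branch of the statefulset still does, so `DOMAIN=${4:-}` is the safer form if the script enables strict mode (its header is outside the hunk). generate_certs continues past the end of this hunk.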
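Review bot: The new `DNS.2` line appends `${DOMAIN}` into the openssl extension file without checking its shape, and that file is INI-style, so a value carrying a newline, `[` or `]` would be read as further extension directives rather than as part of the SAN; since the value arrives from chart values via the init-container command line, a check before the append is cheap: `[[ "${DOMAIN}" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "invalid DOMAIN: ${DOMAIN}" >&2; exit 1; }`. The `cat "${CERT_NAME}".ext` that follows is a leftover debug dump and should go. The unchanged `openssl req` line still lists only the short name in `-addext`, which is harmless because `-extfile` governs the extensions of the signed certificate, but a one-line comment saying so would stop the next reader from "fixing" it.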
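Review bot: The `PEERS` builder starting at `{{- $myVal := "_" -}}` depends on `replace "_,1" "1"` to strip its sentinel, which only works when the lowest-sorting key of `dirk.peers` is `1`; with any other first key the rendered value keeps a leading `_,` and dirk receives a malformed peer list. Collecting the entries into a list and joining them removes the sentinel altogether: `{{- $peers := list }}{{- range $k, $v := .Values.dirk.peers }}{{- $peers = append $peers (printf "%s:%s" $k $v) }}{{- end }}` followed by `PEERS: {{ join "," $peers }}`. The hunk ends at the header of the second ConfigMap, so the rest of that document is outside this view.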
@@ -34,9 +42,15 @@ data: type: filesystem location: /data/dirk/wallets peers: + {{- if .Values.dirk.peers }} + {{- range $k, $v := .Values.dirk.peers }} + {{ $k }}: {{ $v }} + {{- end }} + {{- else }} 1: {{ include "dirk.fullname" . }}-0.{{ include "dirk.fullname" . }}:{{ .Values.service.httpPort }} 2: {{ include "dirk.fullname" . }}-1.{{ include "dirk.fullname" . }}:{{ .Values.service.httpPort }} 3: {{ include "dirk.fullname" . }}-2.{{ include "dirk.fullname" . }}:{{ .Values.service.httpPort }} + {{- end }} permissions: {{ .Values.dirk.clientName }}: Validators: All diff --git a/charts/dirk/templates/statefulset.yaml b/charts/dirk/templates/statefulset.yaml index d9e8f12a7..403d358d3 100644 --- a/charts/dirk/templates/statefulset.yaml +++ b/charts/dirk/templates/statefulset.yaml @@ -5,11 +5,17 @@ metadata: name: {{ include "common.names.fullname" . }} labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.clusterIndex }} + apps.kubernetes.io/cluster-deployment-type: cluster + {{- end }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.clusterIndex }} + apps.kubernetes.io/cluster-deployment-type: cluster + {{- end }} serviceName: {{ include "common.names.fullname" . }} template: metadata: @@ -19,6 +25,9 @@ spec: {{- end }} labels: {{- include "common.labels.matchLabels" . | nindent 8 }} + {{- if .Values.clusterIndex }} + apps.kubernetes.io/cluster-deployment-type: cluster + {{- end }} spec: {{- with .Values.nodeSelector }} nodeSelector: 
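Review bot: The `{{ $k }}: {{ $v }}` emitted inside the peers range is unquoted, so a value that YAML reinterprets (one beginning with `*`, `&` or `{`, or containing `: `) corrupts the rendered dirk.yaml; `{{ $k }}: {{ $v | quote }}` keeps it a plain string. Nothing ties `clusterIndex` to these keys either, so a typo in either place yields a peer entry that no pod answers for and only shows up at runtime; if the index is indeed expected to be one of the peer ids, a `{{ fail ... }}` when `hasKey .Values.dirk.peers (toString .Values.clusterIndex)` is false would catch it at template time, though I am inferring that relationship from the names. The `permissions:` block continues past the hunk.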
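Review bot: Adding `apps.kubernetes.io/cluster-deployment-type: cluster` under `spec.selector.matchLabels` makes the selector depend on `clusterIndex`, and a StatefulSet selector is immutable, so enabling or disabling `clusterIndex` on an existing release will fail the upgrade with a "field is immutable" error; keep the selector fixed and apply the label only to object metadata and the pod template, or document that switching modes requires recreating the StatefulSet. The `*.kubernetes.io/` label prefix is reserved for Kubernetes components, so a key under a chart-owned prefix would be the safer choice. Because the value is the constant `cluster`, the label also cannot tell clusters apart; if that was the intent, `clusterLabel` looks like the value meant to go there, but that is a guess from the names. The same three lines repeat in three places and would fit a small named template.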
@@ -58,12 +67,20 @@ spec: - > rm -f /data/dirk/dirty; mkdir -p /data/dirk/certs; + {{- if .Values.clusterIndex }} + export INDEX="{{ .Values.clusterIndex }}"; + {{- else }} export INDEX=$((${HOSTNAME##*-}+1)); + {{- end }} echo "$INDEX" > /data/dirk/index; envsubst < /config/dirk.yaml.tml > /data/dirk/dirk.yaml; printenv CA_CRT | base64 -d > /data/dirk/certs/ca.crt; printenv CA_KEY | base64 -d > /data/dirk/certs/ca.key; + {{- if .Values.clusterIndex }} + bash /scripts/generate_cert.sh /data/dirk/certs/ ca ${HOSTNAME}.{{ include "dirk.fullname" . }} {{ get .Values.clusterMapping .Values.clusterLabel }}; + {{- else }} bash /scripts/generate_cert.sh /data/dirk/certs/ ca ${HOSTNAME}.{{ include "dirk.fullname" . }}; + {{- end }} chown -R {{ .Values.global.podSecurityContext.runAsUser }}:{{ .Values.global.podSecurityContext.fsGroup }} /data/dirk; envFrom: - secretRef: @@ -184,6 +201,11 @@ spec: - name: scripts configMap: name: {{ include "common.names.fullname" . }}-scripts + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + dnsConfig: + {{- toYaml .Values.dnsConfig | nindent 8 }} + {{- end }} minReadySeconds: {{ .Values.minReadySeconds }} volumeClaimTemplates: - metadata: diff --git a/charts/dirk/values.yaml b/charts/dirk/values.yaml index 35a781801..bd8230c86 100644 --- a/charts/dirk/values.yaml +++ b/charts/dirk/values.yaml @@ -22,6 +22,9 @@ global: - ALL replicaCount: 3 +clusterIndex: null +clusterMapping: {} +clusterLabel: "" image: repository: attestant/dirk @@ -60,6 +63,10 @@ dirk: tracing: fetchKeysExtraFlags: [] + peers: {} + +dnsPolicy: null +dnsConfig: {} imagePullSecrets: [] diff --git a/charts/vouch/templates/statefulset.yaml b/charts/vouch/templates/statefulset.yaml index 8f16ea5fe..c7b14c810 100644 --- a/charts/vouch/templates/statefulset.yaml +++ b/charts/vouch/templates/statefulset.yaml 
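Review bot: The cluster branch passes `{{ get .Values.clusterMapping .Values.clusterLabel }}` straight into the shell command line; `get` yields an empty string when `clusterLabel` is not a key of `clusterMapping`, so a misconfiguration silently produces a certificate without the domain SAN (the script skips `DNS.2` on an empty fourth argument), and a value with shell-significant characters would be word-split or interpreted. Resolve it once, fail at template time when it is empty, and quote it: `{{- $domain := get .Values.clusterMapping .Values.clusterLabel }}`, `{{- if not $domain }}{{ fail "clusterMapping must map clusterLabel to a domain when clusterIndex is set" }}{{- end }}`, then pass `{{ $domain | quote }}` to the script. If an empty domain is a supported configuration, say so in a comment next to the call instead. The init container's command begins before this hunk.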
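Review bot: Placing `dnsConfig:` inside `{{- if .Values.dnsPolicy }}` means dnsConfig can only be rendered together with dnsPolicy, although Kubernetes accepts dnsConfig under any policy, and it also emits `dnsConfig: {}` whenever only dnsPolicy is set. Rendering the two independently, `{{- with .Values.dnsPolicy }}` / `dnsPolicy: {{ . }}` and `{{- with .Values.dnsConfig }}` / `dnsConfig:` with `{{- toYaml . | nindent 8 }}`, each closed by its own `{{- end }}`, lets either be set alone; note that `dnsPolicy: None` without `dnsConfig.nameservers` is rejected by the API server, so a comment in values.yaml pointing that out would help. The vouch statefulset hunk in this commit has the same shape.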
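Review bot: The new `clusterIndex`, `clusterMapping` and `clusterLabel` keys are added to values.yaml without a comment, and `peers: {}` in the following hunk and `dnsPolicy`/`dnsConfig` in both values files are likewise bare, so a user has to read the statefulset template to learn that `clusterIndex` replaces the ordinal derived from the pod hostname, that `clusterMapping` maps `clusterLabel` to the DNS domain appended to the certificate SAN, and that `peers` overrides the generated three-entry peer list. Add a short comment above each, e.g. `# clusterIndex: fixed dirk peer index for this deployment; leave null to derive it from the pod ordinal` and `# clusterMapping: clusterLabel -> DNS domain appended to the certificate SAN (only used when clusterIndex is set)`.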
@@ -173,3 +173,8 @@ spec: emptyDir: medium: Memory sizeLimit: 128Mi + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + dnsConfig: + {{- toYaml .Values.dnsConfig | nindent 8 }} + {{- end }} diff --git a/charts/vouch/values.yaml b/charts/vouch/values.yaml index 0be86e03a..20c97bb8c 100644 --- a/charts/vouch/values.yaml +++ b/charts/vouch/values.yaml @@ -85,6 +85,9 @@ vouch: relays: [] +dnsPolicy: null +dnsConfig: {} + imagePullSecrets: [] ## Provide a name in place of operator for `app:` labels