docker_auth chart

charts/docker_auth/Chart.yaml

@@ -28,10 +28,10 @@ appVersion: "1.12.0"
 version: 0.1.0
 type: application
 home: https://github.com/cesanta/docker_auth
-name: docker_auth
+name: docker-auth
 keywords:
-  - docker-auth
-  - docker-registry
+  - authentication
+  - cncf-distribution
 maintainers:
   - name: Noelware, LLC.
     email: [email protected]

charts/docker_auth/templates/_helpers.tpl

@@ -108,8 +108,9 @@ Example:
         {{- include "registry.auth.annotations" (dict "external" $annotations "context" .) }}
 */}}
 {{- define "registry.auth.annotations" -}}
-k8s.noelware.cloud/component: http-proxy
-k8s.noelware.cloud/product: Hazel
+k8s.noelware.cloud/component: authentication
+k8s.noelware.cloud/product: docker-auth
+k8s.noelware.cloud/part-of: cncf-distribution
 {{- if .context.Chart.AppVersion }}
 k8s.noelware.cloud/version: {{ .context.Chart.AppVersion | quote }}
 {{- end }}

charts/docker_auth/templates/_pod.tpl

@@ -45,7 +45,17 @@ dnsConfig:
 volumes:
     - name: config
       configMap:
-        name: {{ default (printf "%s-config" (include "registry.auth.fullname" .)) .Values.config.existingMap }}
+        name: {{ default (printf "%s-config" (include "registry.auth.fullname" .)) .Values.deployment.existingConfigMap }}
+    {{- if .Values.tls.enabled }}
+    - name: rootbundle-tls
+      secret:
+        secretName: "docker-auth-rootbundle-tls"
+    {{- end }}
+    {{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+    - name: server-tls
+      secret:
+        secretName: {{ printf "%s-server-tls" .Values.ingress.host }}
+    {{- end }}
 {{- with .Values.global.initContainers }}
 initContainers:
     {{- . | toYaml }}
@@ -64,6 +74,16 @@ containers:
         - name: config
           mountPath: /data/config.yaml
           subPath: config.yaml
+        {{- if .Values.tls.enabled }}
+        - name: rootbundle-tls
+          mountPath: /rootbundle/certs
+          readOnly: true
+        {{- end }}
+        {{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+        - name: server-tls
+          mountPath: /server/certs
+          readOnly: true
+        {{- end }}
       ports:
         - name: http
           containerPort: {{ .Values.service.port }}

charts/docker_auth/templates/configmap.yaml

@@ -21,11 +21,11 @@
 ~ SOFTWARE.
 */}}
 
-{{- if not .Values.config.existingMap }}
+{{- if not .Values.deployment.existingConfigMap }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-    name: {{ printf "%s-data" (include "registry.auth.fullname" .) }}
+    name: {{ printf "%s-config" (include "registry.auth.fullname" .) }}
     namespace: {{ .Release.Namespace }}
     annotations:
         {{- include "registry.auth.annotations" (dict "context" .) | nindent 8 }}

charts/docker_auth/templates/ingress.yaml

@@ -25,14 +25,15 @@
 {{- fail "`service.enabled` must be set to `true` to include an ingress record" }}
 {{- end }}
 {{- if .Values.ingress.enabled }}
+{{- $mergedAnnotations := include "common.tplvalues.merge" (dict "values" (list .Values.global.annotations .Values.ingress.annotations) "context" .) | fromYaml -}}
+{{- $isCertManagerRequest := include "common.ingress.certManagerRequest" (dict "annotations" $mergedAnnotations) -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
     name: {{ include "registry.auth.fullname" . }}
     namespace: {{ .Release.Namespace }}
     annotations:
-        {{- $annotations := include "registry.auth.annotations" (dict "external" .Values.ingress.annotations "context" .) }}
-        {{- $annotations | nindent 8 }}
+        {{- include "registry.auth.annotations" (dict "external" .Values.ingress.annotations "context" .) | nindent 8 }}
 spec:
     {{- if .Values.ingress.className }}
     ingressClassName: {{ .Values.ingress.className }}
@@ -53,8 +54,16 @@ spec:
     {{- if .Values.ingress.extraRules }}
     {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }}
     {{- end }}
-    {{- if .Values.ingress.extraTLS }}
+
+    {{- if or (and .Values.ingress.tls (or $isCertManagerRequest)) .Values.ingress.selfSigned .Values.ingress.extraTLS }}
     tls:
-    {{- include "common.tplvalues.render" (dict "values" .Values.ingress.extraTLS "context" $) | nindent 4 }}
+    {{- if or (and .Values.ingress.tls .Values.ingress.selfSigned) $isCertManagerRequest }}
+    - hosts:
+        - {{ .Values.ingress.host | quote }}
+      secretName: {{ printf "%s-tls" .Values.ingress.host }}
+    {{- end }}
+    {{- if .Values.ingress.extraTLS }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTLS "context" $) | nindent 4 }}
+    {{- end }}
     {{- end }}
 {{- end }}

charts/docker_auth/templates/secrets/rootbundle-tls.yaml

@@ -0,0 +1,92 @@
+{{/*
+~ 🐻‍❄️🔮 Noelware's Helm Charts: Curated catalog of Noelware's Helm charts.
+~ Copyright (c) 2022-2024 Noelware, LLC. <[email protected]>
+~
+~ Permission is hereby granted, free of charge, to any person obtaining a copy
+~ of this software and associated documentation files (the "Software"), to deal
+~ in the Software without restriction, including without limitation the rights
+~ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+~ copies of the Software, and to permit persons to whom the Software is
+~ furnished to do so, subject to the following conditions:
+~
+~ The above copyright notice and this permission notice shall be included in all
+~ copies or substantial portions of the Software.
+~
+~ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+~ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+~ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+~ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+~ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+~ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+~ SOFTWARE.
+*/}}
+
+{{- $name := "docker-auth-rootbundle-tls" }}
+{{- if and .Values.tls.enabled .Values.tls.selfSigned }}
+{{- $ca := genCA "docker-auth-registry-ca" 365 }}
+{{- $cert := genSignedCert .Values.ingress.host nil (list .Values.ingress.host) 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+    annotations:
+        {{- include "registry.auth.annotations" (dict "context" .) | nindent 8 }}
+    labels:
+        {{- include "registry.auth.labels" . | nindent 8 }}
+type: kubernetes.io/tls
+data:
+    tls.crt: {{ include "common.secrets.lookup" (dict "secret" $name "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+    tls.key: {{ include "common.secrets.lookup" (dict "secret" $name "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+    ca.crt: {{ include "common.secrets.lookup" (dict "secret" $name "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
+{{- else if and .Values.tls.enabled .Values.tls.certManager.enabled -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+    annotations:
+        {{- include "registry.auth.annotations" (dict "context" .) | nindent 8 }}
+    labels:
+        {{- include "registry.auth.labels" . | nindent 8 }}
+spec:
+    secretName: {{ printf "%s-crt" $name }}
+    commonName: {{ printf "%s.%s.svc.%s" (include "registry.auth.fullname" .) .Release.Namespace .Values.global.clusterDomain }}
+    issuerRef:
+        name: {{ coalesce .Values.tls.certManager.issuer .Values.tls.certManager.clusterIssuer }}
+        kind: {{ ternary "Issuer" "ClusterIssuer" (not (empty .Values.tls.certManager.issuer)) }}
+        group: {{ .Values.tls.certManager.group }}
+    {{- with .Values.tls.certManager.organizations }}
+    subject:
+        organizations:
+            {{ toYaml . | nindent 8 }}
+    {{- end }}
+    dnsNames:
+        - "*.{{ .Release.Namespace }}"
+        - "*.{{ .Release.Namespace }}.svc"
+        - "*.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+        - "*.{{ include "registry.auth.fullname" . }}"
+        - "*.{{ include "registry.auth.fullname" . }}.{{ .Release.Namespace }}"
+        - "*.{{ include "registry.auth.fullname" . }}.{{ .Release.Namespace }}.svc"
+        - "*.{{ include "registry.auth.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    privateKey:
+        algorithm: {{ .Values.tls.certManager.privateKey.algorithm }}
+        size: {{ .Values.tls.certManager.privateKey.size | int }}
+    duration: {{ .Values.tls.certManager.duration }}
+    renewBefore: {{ .Values.tls.certManager.renewBefore }}
+{{- else -}}
+apiVersion: v1
+kind: Secret
+metadata:
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+    annotations:
+        {{- include "registry.auth.annotations" (dict "context" .) | nindent 8 }}
+    labels:
+        {{- include "registry.auth.labels" . | nindent 8 }}
+type: kubernetes.io/tls
+data:
+    tls.crt: {{ .Values.tls.secret.tlsCrt | b64enc }}
+    tls.key: {{ .Values.tls.secret.tlsKey | b64enc }}
+    ca.crt: {{ .Values.tls.secret.caCrt | b64enc }}
+{{- end }}

charts/docker_auth/templates/registry-tls-secrets.yaml → charts/docker_auth/templates/secrets/server-tls.yaml

@@ -21,8 +21,8 @@
 ~ SOFTWARE.
 */}}
 
-{{- if and .Values.tls.enabled .Values.tls.selfSigned }}
-{{- $name := printf "%s-ingress-tls" .Values.ingress.host }}
+{{- $name := printf "%s-tls" .Values.ingress.host }}
+{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
 {{- $ca := genCA "docker-auth-registry-ca" 365 }}
 {{- $cert := genSignedCert .Values.ingress.host nil (list .Values.ingress.host) 365 $ca }}
 apiVersion: v1
@@ -39,4 +39,4 @@ data:
     tls.crt: {{ include "common.secrets.lookup" (dict "secret" $name "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
     tls.key: {{ include "common.secrets.lookup" (dict "secret" $name "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
     ca.crt: {{ include "common.secrets.lookup" (dict "secret" $name "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
-{{- end }}
+{{- end -}}

charts/docker_auth/values.yaml

@@ -166,16 +166,38 @@ ingress:
 ##
 ## @param tls.enabled whether or not if TLS is enabled.
 ## @param tls.selfSigned whether or not to create a self-signed certidicate via Helm's [`genCA`](https://helm.sh/docs/chart_template_guide/function_list/#genca) Go template function.
+## @param tls.certManager.enabled whether to create certificates from `cert-manager`
+## @param tls.certManager.clusterIssuer If this is set, then this references the cluster issuer. This cannot clash with `tls.certManager.issuer`
+## @param tls.certManager.issuer If this is set, then this references the namespaced issuer. This cannot clash with `tls.certManager.clusterIssuer`
+## @param tls.certManager.group for external issuers, this will be the issuerRef's group.
+## @param tls.certManager.organizations List of organizations to use for the subject
+## @param tls.certManager.renewBefore Duration before the certificate should be renewed
+## @param tls.certManager.duration Duration for the certificate
+## @param tls.certManager.privateKey.algorithm Algorithm for the private cert key
+## @param tls.certManager.privateKey.size Key size for the private cert key
 ## @param tls.secret.existingSecret reference to an existing `Secret` that has `ca.crt` and `ca.key` data pairs.
-## @param tls.secret.crt the `ca.crt` value to use
-## @param tls.secret.key the `ca.key` value to use.
+## @param tls.secret.tlsCrt Value for `tls.crt`
+## @param tls.secret.tlsKey Value for `tls.key`
+## @param tls.secret.caCrt Value for `ca.crt`
 tls:
   enabled: true
   selfSigned: false
+  certManager:
+    enabled: false
+    clusterIssuer: ""
+    issuer: ""
+    group: cert-manager.io
+    organizations: []
+    renewBefore: 360h
+    duration: 2160h
+    privateKey:
+      algorithm: RSA
+      size: 2048
   secret:
     existingSecret: ""
-    crt: ""
-    key: ""
+    tlsCrt: ""
+    tlsKey: ""
+    caCrt: ""
 
 ## @param Deployment Parameters
 ## @skip deployment.config
@@ -202,25 +224,34 @@ tls:
 ## @param deployment.livenessProbe.failureThreshold Minimum consecutive failures for the probe to considered successful.
 deployment:
   existingConfigMap: ""
-  strategy: {}
   logLevel: 2
+  strategy: {}
+
   # example:
   #
   # type: RollingUpdate
   # rollingUpdate:
   #   maxSurge: 1
   #   maxUnavailable: 0
+
   config: |-
     server:
       addr: ":5001"
-      {{- if .Values.tls.enabled }}
-      certificate: "/certs/auth.crt"
-      key: "/certs/auth.key"
+      {{- if and .Values.tls.enabled (not .Values.ingress.tls) }}
+      certificate: "/rootbundle/certs/tls.crt"
+      key: "/rootbundle/certs/tls.key"
+      {{- else if and .Values.ingress.tls .Values.ingress.selfSigned }}
+      certificate: "/server/certs/tls.crt"
+      key: "/server/certs/tls.key"
       {{- end }}
     token:
       # this must match the issuer in the `distribution/distribution` configuration file
       issuer: "Acme auth server"
       expiration: 900
+      {{- if and .Values.tls.enabled .Values.ingress.tls }}
+      certificate: "/rootbundle/certs/tls.crt"
+      key: "/rootbundle/certs/tls.key"
+      {{- end }}
     users:
       # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
       "admin":