From 03a5ae72108fcf89c8aab0381a47df1313d7e269 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Wed, 27 May 2020 14:33:41 -0500
Subject: [PATCH] feat(tls): add certificate tooling

This patch set adds in a manifest method in helm toolkit to generate certificates and places them into a secret.

Change-Id: I50300afb0fc0ab92169ad9dd9ba66a56454fbc46
Signed-off-by: Tin Lam
---
 .../templates/manifests/_certificates.tpl | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 helm-toolkit/templates/manifests/_certificates.tpl

diff --git a/helm-toolkit/templates/manifests/_certificates.tpl b/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 000000000..7a0bf84b4
--- /dev/null
+++ b/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,103 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ certs:
+ horizon-internal-cert:
+ secretName: horizon-tls-apache
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: horizon-int.openstack.svc.cluster.local
+ keySize: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" "certName" "horizon-internal-cert" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1alpha3
+ kind: Certificate
+ metadata:
+ name: horizon_internal_cert
+ namespace: NAMESPACE
+ spec:
+ commonName: horizon-int.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ kind: Issuer
+ name: ca-issuer
+ keySize: 2048
+ organization:
+ - ACME
+ secretName: horizon-tls-apache
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $name := index . "certName" -}}
+{{- $slice := index $envAll.Values.endpoints $service "certs" $name -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "certs" $name) "dnsNames" -}}
+{{- end -}}
+{{/* Default keySize to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "keySize") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "certs" $name) "keySize" -}}
+{{- end -}}
+{{/* Default keySize to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "certs" $name) "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "certs" $name) "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "certs" $name) "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1alpha3
+kind: Certificate
+metadata:
+ name: {{ $name | replace "_" "-" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
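Review bot: The fallback at `{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "certs" $name) "usages" -}}` makes every certificate minted through this helper valid as a client identity as well as a server one, so a service that only terminates TLS still gets a key that any pod mounting the secret can present to mTLS peers; defaulting to `(list "server auth")` and letting values add `client auth` only where a service actually acts as a client keeps the default at least privilege. The comment above that line and the `duration` comment (which currently says "Default keySize to 3 months") should then read `{{/* Default usages to server auth only; add "client auth" in values when the service presents this certificate as a client. */}}` and `{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}`. The `return:` example in the header comment shows `name: horizon_internal_cert`, but the `replace "_" "-"` applied to the metadata name renders `horizon-internal-cert` for that `certName`, so the example misleads readers about the resulting object name. Each default is written back into `$envAll.Values` via `set`, which is presumably intended because `$slice` aliases the same map and `toYaml` must see the filled-in keys, but it also means later templates in the same render observe the mutated values; a one-line comment stating that side effect would help. `( printf "%d" 4096 | atoi )` is just the literal `4096` and can be written as such.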