refactor(charts/injector): improve self-signed certificate expiration…

… detection and recreation logic
DelineaXPM · Aug 10, 2024 · e0b51cf · e0b51cf
1 parent d562c08
commit e0b51cf
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 30 deletions.
diff --git a/charts/dsv-injector/Chart.yaml b/charts/dsv-injector/Chart.yaml
@@ -18,7 +18,7 @@ description: |
       --set image.tag=${IMAGE_TAG} \
       --atomic \
       --timeout "5m" \
-      --debug -v4 \ # optional --values ./myvaluesfile/values.yaml \
+      --debug -v4 \ # optional for local test iteration --values .cache/charts/dsv-injector/values.yaml \
       dsv-injector ./charts/dsv-injector
   ```
 

diff --git a/charts/dsv-injector/templates/NOTES.txt b/charts/dsv-injector/templates/NOTES.txt
@@ -3,7 +3,7 @@
 {{- $uri := trimAll "/" .Values.webhookUri -}}
 ✨ Deployed: {{ include "dsv.fullname" . }}
 
-📂 Namepsace: {{ .Release.Namespace }}
+📂 Namespace: {{ .Release.Namespace }}
 {{ if eq .Values.service.type "ExternalName" }}
 🔗 The cluster will call the webhook at {{ printf "https://%s:%d/%s" .Values.externalName $port $uri }}
 
@@ -28,13 +28,8 @@
 
 {{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
 {{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
-{{- $needsRecreate := false -}}
-{{- if $tlsSecret }}
-  {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
-  {{- if and $cert (lt (now | date "2006-01-02") (dateModify (now | date "2006-01-02") (printf "+%dh" (mul $recreateSelfSignedCertThreshold 24)))) }}
-    {{- $needsRecreate = true -}}
-    ❗❗❗ Cert expiration shows expiring within threshold: [$recreateSelfSignedCertThreshold] days, so will be recreated.
-  {{- else -}}
-    ✔️ Cert shows expiration greater than threshold of [$recreateSelfSignedCertThreshold].
-  {{- end -}}
+{{- if eq .Values.service.type "ExternalName" }}
+ℹ️ ExternalName provided for service type, so no self signed cert will be used.
+{{- else -}}
+➕ Will generate a self signed cert with expiration of [{{ (default 365 .Values.webhookCertExpireDays | int) }}] days.
 {{- end -}}
diff --git a/charts/dsv-injector/templates/webhook.yaml b/charts/dsv-injector/templates/webhook.yaml
@@ -1,13 +1,6 @@
 {{- $tlsCert := genSelfSignedCert (include "dsv.dnsname" .) nil (list (include "dsv.dnsname" .) (include "dsv.name" .)) (default 365 .Values.webhookCertExpireDays | int) -}}
-{{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
-{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
-{{- $needsRecreate := false -}}
-{{- if $tlsSecret }}
-  {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
-  {{- if and $cert (lt (now | date "2006-01-02") (dateModify (now | date "2006-01-02") (printf "+%dh" (mul $recreateSelfSignedCertThreshold 24)))) }}
-    {{- $needsRecreate = true -}}
-  {{- end -}}
-{{- end -}}
+{{- $existingTlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
+
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -27,8 +20,6 @@ webhooks:
     clientConfig:
 {{- if eq .Values.service.type "ExternalName" }}
       caBundle: {{ .Values.caBundle }}
-{{- else if and $tlsSecret (not $needsRecreate) }}
-      caBundle: {{ $tlsSecret.data.cert }}
 {{- else }}
       caBundle: {{ $tlsCert.Cert | b64enc }}
 {{- end }}
@@ -43,15 +34,24 @@ webhooks:
 ---
 apiVersion: v1
 kind: Secret
+metadata:
+  name: my-tls-secret
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ $tlsCert.Cert | b64enc }}
+  tls.key: {{ $tlsCert.Key | b64enc }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ include "dsv.name" . }}-tls
+  annotations:
+    last-modified: {{ now | quote }}
 data:
-{{- if and $tlsSecret (not $needsRecreate) }}
-  cert.pem: {{ $tlsSecret.data.cert }}
-  key.pem: {{ $tlsSecret.data.key }}
-{{- else }}
   cert.pem: {{ $tlsCert.Cert | b64enc }}
   key.pem: {{ $tlsCert.Key | b64enc }}
-{{- end }}
 type: Opaque
 {{- end }}
diff --git a/charts/dsv-syncer/Chart.yaml b/charts/dsv-syncer/Chart.yaml
@@ -16,7 +16,7 @@ description: |
       --set image.tag=${IMAGE_TAG} \
       --atomic \
       --timeout "5m" \
-      --debug \ # optional --values ./myvaluesfile/values.yaml \
+      --debug \ # optional --values  --values .cache/charts/dsv-injector/values.yaml \
       dsv-syncer ./charts/dsv-syncer
   ```
 keywords:

diff --git a/charts/dsv-syncer/templates/NOTES.txt b/charts/dsv-syncer/templates/NOTES.txt
@@ -1,9 +1,9 @@
 ✨ Deployed: {{ include "dsv.fullname" . }}
 
-📂 Namepsace: {{ .Release.Namespace }}
+📂 Namespace: {{ .Release.Namespace }}
 
 {{- if .Values.configmap }}
 ⚙️ ConfigMap created: {{ include "dsv.fullname" . }}-configmap
 {{ else }}
 ➖ no configmap detected, defaults used for logging level and any other configmap values
-{{ end }}
+{{ end }}