diff --git a/charts/ziti-controller/Chart.yaml b/charts/ziti-controller/Chart.yaml
index 2c3ff047..eb68ae58 100644
--- a/charts/ziti-controller/Chart.yaml
+++ b/charts/ziti-controller/Chart.yaml
@@ -16,4 +16,4 @@ dependencies:
 description: Host an OpenZiti controller in Kubernetes
 name: ziti-controller
 type: application
-version: 1.1.2
+version: 1.1.3
diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md
index c68e43ed..d60d302c 100644
--- a/charts/ziti-controller/README.md
+++ b/charts/ziti-controller/README.md
@@ -2,7 +2,7 @@
 # ziti-controller
-![Version: 1.1.2](https://img.shields.io/badge/Version-1.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square)
+![Version: 1.1.3](https://img.shields.io/badge/Version-1.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square)
 Host an OpenZiti controller in Kubernetes
@@ -237,6 +237,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
 | ctrlPlane.service.enabled | bool | `true` | create a separate cluster service for the ctrl plane; enabling this requires you to also set the host and port for a separate ctrl plane TLS listener |
 | ctrlPlane.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer |
 | ctrlPlaneCasBundle.namespaceSelector | object | `{}` | namespaces where trust-manager will create the Bundle resource containing Ziti's trusted CA certs (default: empty means all namespaces) |
+| customAdminSecretName | string | `""` | set the admin user and password from a custom secret The custom admin secret must be of the following format: apiVersion: v1 kind: Secret metadata: name: myCustomAdminSecret type: Opaque data: admin-user: admin-password: |
 | dbFile | string | `"ctrl.db"` | name of the BoltDB file |
 | edgeSignerPki.admin_client_cert.duration | string | `"8760h"` | admin client certificate duration as Go time.Duration |
 | edgeSignerPki.admin_client_cert.renewBefore | string | `"720h"` | renew admin client certificate before expiry as Go time.Duration |
@@ -334,6 +335,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co | trust-manager.crds.enabled | bool | `false` | CRDs must be applied in advance of installing the parent chart | | trust-manager.enabled | bool | `false` | install the trust-manager subchart | | trustDomain | string | `""` | permanent SPIFFE ID to use for this controller's trust domain (default: random, fixed for the life of the chart release) | +| useCustomAdminSecret | bool | `false` | allow for using a custom admin secret, which has to be created beforehand if enabled, the admin secret will not be generated by this Helm chart | | webBindingPki.altServerCerts | list | `[]` | | | webBindingPki.enabled | bool | `true` | generate a separate PKI root of trust for web bindings, i.e., client, management, and prometheus APIs | diff --git a/charts/ziti-controller/templates/deployment.yaml b/charts/ziti-controller/templates/deployment.yaml index 3116b05e..276e0b6d 100644 --- a/charts/ziti-controller/templates/deployment.yaml +++ b/charts/ziti-controller/templates/deployment.yaml @@ -41,12 +41,20 @@ spec: - name: ZITI_ADMIN_USER valueFrom: secretKeyRef: - name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- if .Values.useCustomAdminSecret }} + name: {{ .Values.customAdminSecretName }} + {{- else }} + name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- end }} key: admin-user - name: ZITI_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- if .Values.useCustomAdminSecret }} + name: {{ .Values.customAdminSecretName }} + {{- else }} + name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- end }} key: admin-password - name: ZITI_TRUST_DOMAIN valueFrom: 
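Review bot: When `useCustomAdminSecret` is true but `customAdminSecretName` is left at its default `""`, the new branch renders `secretKeyRef.name:` with an empty value, so the misconfiguration presumably surfaces only once the Pod is created rather than at render time; the two `name: {{ .Values.customAdminSecretName }}` lines in this hunk, and the two in the hunk at `@@ -146,12 +154,20 @@`, should instead be `name: {{ required "customAdminSecretName must be set when useCustomAdminSecret is true" .Values.customAdminSecretName }}`. The same if/else is now repeated four times across the two hunks; a named template that returns the resolved admin Secret name (one `define` in `_helpers.tpl`, one `include` per env var) would keep that decision in one place. Because the `key: admin-user` and `key: admin-password` lines stay fixed, a custom Secret must use exactly those key names, which is worth stating next to the `name:` branch. The container env lists this hunk edits continue outside the hunk.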
@@ -146,12 +154,20 @@ spec: - name: ZITI_ADMIN_USER valueFrom: secretKeyRef: - name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- if .Values.useCustomAdminSecret }} + name: {{ .Values.customAdminSecretName }} + {{- else }} + name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- end }} key: admin-user - name: ZITI_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- if .Values.useCustomAdminSecret }} + name: {{ .Values.customAdminSecretName }} + {{- else }} + name: {{ include "ziti-controller.fullname" . }}-admin-secret + {{- end }} key: admin-password - name: ZITI_TRUST_DOMAIN valueFrom: diff --git a/charts/ziti-controller/templates/secrets.yaml b/charts/ziti-controller/templates/secrets.yaml index b03eb97c..e35526ae 100644 --- a/charts/ziti-controller/templates/secrets.yaml +++ b/charts/ziti-controller/templates/secrets.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.useCustomAdminSecret }} --- apiVersion: v1 kind: Secret @@ -18,6 +19,7 @@ data: # set the secret values.. admin-password: {{ $adminPassword | quote }} admin-user: {{ $adminUser | quote }} +{{- end }} --- apiVersion: v1 diff --git a/charts/ziti-controller/values.yaml b/charts/ziti-controller/values.yaml index 60e7a752..b510bcf0 100644 --- a/charts/ziti-controller/values.yaml +++ b/charts/ziti-controller/values.yaml 
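Review bot: Wrapping the generated admin Secret in `{{- if not .Values.useCustomAdminSecret }}` means that flipping the flag on an existing release makes Helm delete the chart-managed `-admin-secret` during the upgrade, and since its password was generated by the chart, that value is gone unless it was saved elsewhere; nothing in the new code or its documentation warns about this. A comment on the `useCustomAdminSecret` value along the lines of `# enabling this on an existing release removes the chart-generated admin secret on upgrade; preserve its admin-password beforehand` would make the migration path explicit. The `$adminUser`/`$adminPassword` definitions that this Secret's `data:` references sit between the two hunks and are outside the shown lines, so I am assuming they are inside the new `if` block as intended.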
@@ -130,6 +130,23 @@ envSecrets: {} # name: some-secret # key: some_secret_key + +# -- allow for using a custom admin secret, which has to be created beforehand +# if enabled, the admin secret will not be generated by this Helm chart +useCustomAdminSecret: false + +# -- set the admin user and password from a custom secret +# The custom admin secret must be of the following format: +# apiVersion: v1 +# kind: Secret +# metadata: +# name: myCustomAdminSecret +# type: Opaque +# data: +# admin-user: +# admin-password: +customAdminSecretName: "" + prometheus: # -- cluster service target port on the container containerPort: 9090
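Review bot: The example Secret under `customAdminSecretName` shows `data:` with empty `admin-user:` and `admin-password:` values but does not say that `data` values must be base64-encoded, which invites a plaintext paste that fails to decode; either add `# values under data must be base64-encoded` or show `stringData:` in the example instead. It should also state that the key names `admin-user` and `admin-password` are mandatory, because deployment.yaml references them by key and does not make them configurable. Finally, `useCustomAdminSecret` and `customAdminSecretName` can disagree (flag on, name empty), so the `useCustomAdminSecret` comment should say `# requires customAdminSecretName to be set` so the two settings are documented as a pair.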