setting up tls

2025-04-21 17:10:06 +01:00 · 2025-04-21 17:10:06 +01:00 · 66542d819d
commit 66542d819d
parent 1f01ea0b7f
2 changed files with 100 additions and 1 deletions
--- a/helm/uptime-karma/templates/certificate.yaml
+++ b/helm/uptime-karma/templates/certificate.yaml
@ -0,0 +1,78 @@
+{{- /* ================================================================== */ -}}
+{{- /* Cert-Manager Certificate Configuration                           */ -}}
+{{- /* ================================================================== */ -}}
+{{- /*
+    Creates a Certificate resource for cert-manager.
+    Prerequisites:
+    - cert-manager must be installed in the cluster.
+    - An Issuer or ClusterIssuer (referenced in values.yaml) must exist.
+    - ingress.enabled must be true.
+    - certManager.enabled must be true.
+    - At least one entry must exist in ingress.tls.
+*/}}
+{{- if and .Values.ingress.enabled .Values.certManager.enabled .Values.ingress.tls }}
+{{- $namespace := include "uptime-kuma.namespace" . -}}
+{{- $issuerName := .Values.certManager.issuer.name -}}
+{{- $issuerKind := .Values.certManager.issuer.kind -}}
+{{- if not $issuerName }}
+  {{- fail "ERROR: certManager.enabled is true but certManager.issuer.name is not set!" }}
+{{- end }}
+{{- if not $issuerKind }}
+  {{- fail "ERROR: certManager.enabled is true but certManager.issuer.kind is not set!" }}
+{{- end }}
+
+{{- /* Loop through each TLS entry defined in ingress.tls */}}
+{{- range .Values.ingress.tls }}
+{{- $secretName := .secretName }}
+{{- $hosts := .hosts }}
+{{- if not $secretName }}
+  {{- fail "ERROR: certManager.enabled is true but ingress.tls contains an entry without a 'secretName'." }}
+{{- end }}
+{{- if not $hosts }}
+  {{- fail (printf "ERROR: certManager.enabled is true but ingress.tls entry for secret '%s' contains no 'hosts'." $secretName) }}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  # The name of the Certificate resource itself. Often matches the secretName for clarity.
+  name: {{ $secretName }}
+  namespace: istio-system # Change to the namespace where the Istio Gateway is deployed
+  labels:
+    {{- include "uptime-kuma.labels" $ | nindent 4 }}
+    {{- with $.Values.certManager.certificate.extraLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $.Values.certManager.certificate.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  # secretName: The name of the Kubernetes Secret resource where the certificate
+  #             and key will be stored by cert-manager. This MUST match the
+  #             secretName used by the Istio Gateway's credentialName.
+  secretName: {{ $secretName }}
+
+  # issuerRef: Reference to the Issuer or ClusterIssuer that will sign the certificate.
+  issuerRef:
+    name: {{ $issuerName }}
+    kind: {{ $issuerKind }}
+    # group: cert-manager.io # group is usually implicit for core issuers
+
+  # List of DNS names the certificate will be valid for.
+  dnsNames:
+    {{- range $hosts }}
+    - {{ . | quote }}
+    {{- end }}
+
+  # Optional: Define Common Name (CN). Often derived from the first DNS name.
+  {{- $firstHost := first $hosts -}}
+  {{- if $firstHost }}
+  commonName: {{ $firstHost | quote }}
+  {{- end }}
+
+  # Optional: Add other cert-manager spec fields like duration, renewBefore, privateKey, usages etc.
+  # duration: 2160h # 90d
+  # renewBefore: 360h # 15d
+{{- end }} {{/* end range .Values.ingress.tls */}}
+{{- end }} {{/* end if certManager.enabled */}}
--- a/helm/uptime-karma/values.yaml
+++ b/helm/uptime-karma/values.yaml
@ -84,7 +84,9 @@ ingress:
          pathType: ImplementationSpecific

  tls:
-    []
+    - secretName: uptime-kuma-tls
+      hosts:
+        - uptime.james-mellors.com
    # - secretName: chart-example-tls
    #   hosts:
    #     - chart-example.local
@ -258,3 +260,22 @@ istio:
    # -- Add extra annotations to the Istio VirtualService resource
    annotations: {}
    # some-istio-annotation: value
+certManager:
+  # -- Enable automatic Certificate creation via cert-manager
+  enabled: true # Set to true to create Certificate resource
+
+  # -- Reference to the cert-manager Issuer or ClusterIssuer to use
+  issuer:
+    # -- Name of the Issuer or ClusterIssuer
+    name: "letsencrypt-cloudflare" # REQUIRED if certManager.enabled is true (e.g., "letsencrypt-prod")
+    # -- Kind of the issuer (Issuer or ClusterIssuer)
+    kind: ClusterIssuer # Or "Issuer" if using a namespaced Issuer
+
+  # -- Optional: Add extra labels to the Certificate resource
+  certificate:
+    extraLabels: {}
+    # my-cert-label: value
+
+    # -- Optional: Add extra annotations to the Certificate resource
+    annotations: {}
+    # cert-manager.io/issue-temporary-certificate: "true"