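{{- /* ================================================================== */ -}}
{{- /* Cert-Manager Certificate Configuration for ntfy */ -}}
{{- /* ================================================================== */ -}}
{{- /*
Creates one cert-manager Certificate resource per entry in ingress.tls.

Prerequisites:
- cert-manager installed in the cluster.
- An Issuer or ClusterIssuer (referenced in values.yaml) exists.
- ingress.enabled = true
- certManager.enabled = true
- At least one entry in ingress.tls with secretName and hosts.

Rendering is gated on all three conditions; a missing issuer name/kind, an
unsupported issuer kind, or a malformed ingress.tls entry aborts the render
with `fail`, so a broken TLS configuration is caught at template time rather
than surfacing later as a silently missing certificate.

NOTE(review): the Certificate, and therefore the Secret holding the private
key, is placed in the istio-system namespace rather than the release
namespace; the comment on spec.secretName below ties this to an Istio Gateway
credentialName. Anyone with read access to Secrets in istio-system can read
the key, so RBAC in that namespace should be scoped accordingly. Two
ingress.tls entries sharing a secretName would render two Certificates with
the same name in that namespace, which Helm rejects.
*/}}
{{- if and .Values.ingress.enabled .Values.certManager.enabled .Values.ingress.tls }}
{{- $issuerName := .Values.certManager.issuer.name -}}
{{- $issuerKind := .Values.certManager.issuer.kind -}}
{{- if not $issuerName }}
{{- fail "ERROR: certManager.enabled is true but certManager.issuer.name is not set!" }}
{{- end }}
{{- if not $issuerKind }}
{{- fail "ERROR: certManager.enabled is true but certManager.issuer.kind is not set!" }}
{{- end }}
{{- /* issuerRef.group is left at its default (cert-manager.io), so only the two built-in issuer kinds can resolve here. */}}
{{- if not (or (eq $issuerKind "Issuer") (eq $issuerKind "ClusterIssuer")) }}
{{- fail (printf "ERROR: certManager.issuer.kind must be 'Issuer' or 'ClusterIssuer', got '%s'." $issuerKind) }}
{{- end }}

{{- /* Loop through each TLS entry defined in ingress.tls; every entry becomes its own YAML document. */}}
{{- range .Values.ingress.tls }}
{{- $secretName := .secretName }}
{{- $hosts := .hosts }}
{{- if not $secretName }}
{{- fail "ERROR: certManager.enabled is true but ingress.tls contains an entry without a 'secretName'." }}
{{- end }}
{{- if not $hosts }}
{{- fail (printf "ERROR: certManager.enabled is true but ingress.tls entry for secret '%s' contains no 'hosts'." $secretName) }}
{{- end }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # Name the Certificate resource (often same as secretName).
  # Quoted so an all-digit or boolean-looking value is still emitted as a string.
  name: {{ $secretName | quote }}
  # Deliberately not the release namespace; see the header comment.
  namespace: istio-system
  labels:
    {{- include "ntfy.labels" $ | nindent 4 }}
    {{- with $.Values.certManager.certificate.extraLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with $.Values.certManager.certificate.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # secretName: Where cert-manager stores the Secret. MUST match Gateway's credentialName.
  secretName: {{ $secretName | quote }}

  # issuerRef: Points to the Issuer/ClusterIssuer defined in values.yaml
  issuerRef:
    name: {{ $issuerName | quote }}
    kind: {{ $issuerKind | quote }}
    # group: cert-manager.io # Usually implicit

  # dnsNames: Domains the certificate will be valid for.
  dnsNames:
    {{- range $hosts }}
    - {{ . | quote }}
    {{- end }}

  # Optional: Set Common Name (CN) to the first host.
  # NOTE(review): X.509 caps the CN at 64 characters; a longer first host
  # would be rejected by cert-manager — confirm against the hosts in use.
  {{- $firstHost := first $hosts -}}
  {{- if $firstHost }}
  commonName: {{ $firstHost | quote }}
  {{- end }}

  # Optional: Add other spec fields like duration, renewBefore etc.
  # duration: 2160h # 90d
  # renewBefore: 360h # 15d
{{- end }} {{/* end range .Values.ingress.tls */}}
{{- end }} {{/* end if certManager.enabled */}}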