Merge pull request #140 from DVPE-cloud/dvpe-deployment-gloo/new-card…

…s-certs change certificate to use CARDS API
DVPE-cloud · Apr 18, 2024 · 349b760 · 349b760
2 parents cefa419 + 3fdd800
commit 349b760
Show file tree

Hide file tree

Showing 6 changed files with 189 additions and 126 deletions.
diff --git a/charts/dvpe-deployment-gloo/CHANGELOG.md b/charts/dvpe-deployment-gloo/CHANGELOG.md
@@ -5,9 +5,36 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
+
+## [5.0.0]
+### **Breaking Changes**
+The section in helm the helm values concerning certificates has been changed due to changes in the upstream API (migration from CLCM to CARDS).
+The new minimal configuration looks like this:
+```yaml
+...
+certificate:
+  cardsParameters:
+    userId: # User ID of the person requesting the certificate. Can also be a technical user.
+    userEmail: # User Email of the person requesting the certificate. Can be the same as teamEmail. Used to send notifications about the certificate to.
+    teamEmail: # Team Email. Used to send notifications about the certificate to.
+    appdId: # Application Deployment ID. It's the one that starts with `APPD-`.
+    itsmService: # ITSM Service. Used to identify the ITSM service the issued certificate belongs to.
+    department: # Department. Used to identify the department the issued certificate belongs to.
+    caType: # CA Type. Possible values are `Internal` for internal certificates or `External` for global public certificates. `External` induces additional costs.
+```
+As before, the domains to be used as common name and SANs are defined in the `gloo.virtualservice.spec.virtualHost.domains` array.
+_Unfortunately all the cardsParameters have to be set, they are required by CARDS API._
+
+For the full config (rarely needed) see the [README.md](./README.md).
+
+## Changed
+- Decommission of CLCM forces to use a new way to create Certificates via the new CARDS API. Since the CARDS API needs a
+  different set of parameters, we also have to change our API.
+
+
 ## [4.9.2]
 ### Changed
-* Changed nothing. This version change is a workaround to fix the pipeline.
+- Changed nothing. This version change is a workaround to fix the pipeline.
 
 ## [4.9.1]
 ### Added
@@ -432,3 +459,5 @@ The ExternalSecretStore reference will be generated on Namespace generation by W
 [4.8.0]: https://github.com/DVPE-cloud/dvpe-helm/tree/dvpe-deployment-gloo-4.8.0/charts/dvpe-deployment-gloo
 [4.9.0]: https://github.com/DVPE-cloud/dvpe-helm/tree/dvpe-deployment-gloo-4.9.0/charts/dvpe-deployment-gloo
 [4.9.1]: https://github.com/DVPE-cloud/dvpe-helm/tree/dvpe-deployment-gloo-4.9.1/charts/dvpe-deployment-gloo
+[4.9.2]: https://github.com/DVPE-cloud/dvpe-helm/tree/dvpe-deployment-gloo-4.9.2/charts/dvpe-deployment-gloo
+[5.0.0]: https://github.com/DVPE-cloud/dvpe-helm/tree/dvpe-deployment-gloo-5.0.0/charts/dvpe-deployment-gloo
diff --git a/charts/dvpe-deployment-gloo/Chart.yaml b/charts/dvpe-deployment-gloo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.1"
 description: Helm chart for installing microservices as gloo enabled VirtualService definitions.
 name: dvpe-deployment-gloo
-version: 4.9.2
+version: 5.0.0
 home: https://github.com/dvpe-cloud/dvpe-helm
 keywords:
   - dvpe-helm

diff --git a/charts/dvpe-deployment-gloo/README.md b/charts/dvpe-deployment-gloo/README.md
@@ -1,6 +1,6 @@
 # dvpe-deployment-gloo
 
-![Version: 4.9.2](https://img.shields.io/badge/Version-4.9.2-informational?style=flat-square)
+![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square)
 
 Helm chart for installing microservices as gloo enabled VirtualService definitions.
 
@@ -194,18 +194,18 @@ The following table lists the configurable parameters of the chart and its defau
 | autoscaling.metrics.resource.cpu.targetAverageUtilization | int | `100` | Defines cpu utilization threshold in % for the HPA to scale up new pods. |
 | autoscaling.metrics.resource.memory.targetAverageUtilization | string | `nil` | Defines memory utilization threshold in % for the HPA to scale up new pods. |
 | autoscaling.minReplicas | int | `1` | Defines `minReplicas` of Pods scaled automatically by Horizontal Pod Autoscaler (HPA). |
-| certificate | object | `{"countries":[],"customIssuer":"intranet","customIssuerSelector":{"name":null},"dnsNames":[],"emailAddresses":[],"localities":[],"organizationalUnits":[],"organizations":[],"provinces":[],"useCustomIssuer":true}` | -----------------------------------# |
-| certificate.countries | list | `[]` | list of countries listed in created certificate details |
-| certificate.customIssuer | string | `"intranet"` | custom issuer; allowed values: internet, intranet, other (requires `customIssuerSelector`), none |
-| certificate.customIssuerSelector | object | `{"name":null}` | other custom issuer selector; ignored if `customIssuer` different from "other" |
-| certificate.customIssuerSelector.name | string | `nil` | name of the custom issuer to be used |
-| certificate.dnsNames | list | `[]` | list of dnsNames listed in created certificate details |
-| certificate.emailAddresses | list | `[]` | list of emailAddresses listed in created certificate details |
-| certificate.localities | list | `[]` | list of localities listed in created certificate details |
-| certificate.organizationalUnits | list | `[]` | list of organizationalUnits listed in created certificate details |
-| certificate.organizations | list | `[]` | list of organization listed in created certificate details |
-| certificate.provinces | list | `[]` | list of provinces listed in created certificate details |
-| certificate.useCustomIssuer | bool | `true` | DEPRECATED; use `customIssuer: none` instead of `useCustomIssuer: false` |
+| certificate | object | `{"cardsParameters":{"appdId":null,"caType":null,"department":null,"itsmService":null,"teamEmail":null,"userEmail":null,"userId":null},"create":true,"issuerRef":{"kind":"ClusterIssuer","name":"wadtfy-cluster-issuer"}}` | Defines details about the certificate. The domains for which the certificate will be issued are defined in the `gloo.virtualservice.spec.virtualHost.domains` field. |
+| certificate.cardsParameters | object | `{"appdId":null,"caType":null,"department":null,"itsmService":null,"teamEmail":null,"userEmail":null,"userId":null}` | Parameters needed by CARDS API for certificate creation. They may be optional if specified in the referenced Issuer. |
+| certificate.cardsParameters.appdId | string | `nil` | Application Deployment ID. It's the one that starts with `APPD-`. |
+| certificate.cardsParameters.caType | string | `nil` | CA Type. Possible values are `Internal` for internal certificates or `External` for global public certificates. |
+| certificate.cardsParameters.department | string | `nil` | Department. Used to identify the department the issued certificate belongs to. |
+| certificate.cardsParameters.itsmService | string | `nil` | ITSM Service. Used to identify the ITSM service the issued certificate belongs to. |
+| certificate.cardsParameters.teamEmail | string | `nil` | Team Email. Used to send notifications about the certificate to. |
+| certificate.cardsParameters.userEmail | string | `nil` | User Email of the person requesting the certificate. Can be the same as teamEmail. Used to send notifications about the certificate to. |
+| certificate.cardsParameters.userId | string | `nil` | User ID of the person requesting the certificate. Can also be a technical user. |
+| certificate.issuerRef | object | `{"kind":"ClusterIssuer","name":"wadtfy-cluster-issuer"}` | Reference to issuer to use for certificate creation. Defaults to wadtfy-cluster-issuer ClusterIssuer which does not define any default values. |
+| certificate.issuerRef.kind | string | `"ClusterIssuer"` | Kind of the issuer to use for certificate creation. Usually "Issuer" or "ClusterIssuer". |
+| certificate.issuerRef.name | string | `"wadtfy-cluster-issuer"` | Name of the issuer to use for certificate creation. |
 | datadog | object | `{"enabled":true,"env":"none","logProcessingRules":null,"source":null,"team":null,"version":null}` | -----------------------------------# |
 | datadog.enabled | bool | `true` | When set to true Datadog is enabled and all logs, metrics and traces will be sent to Datadog. |
 | datadog.env | string | `"none"` | Label in Datadog for the target environment - e.g. test, int, prod or an abbreviated k8s cluster name. |

diff --git a/charts/dvpe-deployment-gloo/templates/certificate.yaml b/charts/dvpe-deployment-gloo/templates/certificate.yaml
@@ -1,61 +1,82 @@
-### only creates a certificate resource if custom issuer is different from "none" and a domain is provided
-{{- if and .Values.certificate.useCustomIssuer (ne .Values.certificate.customIssuer "none") .Values.gloo.virtualservice.spec.virtualHost.domains }}
+{{- /* only creates a certificate resource if a domain is provided and certificate.create is true */}}
+{{- if and .Values.certificate.create .Values.gloo.virtualservice.spec.virtualHost.domains }}
 
 {{- $serviceName := include "service.name" . -}}
 {{- $domains := include "gloo.virtualservice.spec.virtualHost.domains.as.list" . -}}
 {{- $firstDomain := include "gloo.virtualservice.spec.virtualHost.domains.first" . -}}
 
----
 {{- with .Values.certificate }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{$serviceName}}-certificate-by-issuer
-spec:
-  commonName: {{$firstDomain}}
-  secretName: {{$serviceName}}-private-tls-by-issuer
-  issuerRef:
-    group: controller-manager.dvpe-cloud.github.io
-    {{- if eq .customIssuer "intranet" }}
-    name: wadtfy-intranet-cluster-issuer
-    kind: ClusterIssuer
-    {{- else if eq .customIssuer "internet" }}
-    name: wadtfy-internet-cluster-issuer
-    kind: ClusterIssuer
-    {{- else if eq .customIssuer "other" }}
-    name: {{ .customIssuerSelector.name }}
-    kind: Issuer
+  namespace: {{ $.Release.Namespace}}
+  labels:
+    app.kubernetes.io/name: {{ $serviceName }}
+    app.kubernetes.io/component: ingress
+    app.kubernetes.io/part-of: {{ $.Release.Name }}
+  {{- with .cardsParameters }}
+  annotations:
+    {{- if .userId }}
+    cert-manager.pki.bmwgroup.net/userId: {{ .userId | quote }}
     {{- end }}
-  subject:
-    organizations:
-    {{- range .organizations }}
-      - {{ . }}
+    {{- if .userEmail }}
+    cert-manager.pki.bmwgroup.net/userEmail: {{ .userEmail | quote }}
     {{- end }}
-    countries:
-    {{- range .countries }}
-      - {{ . }}
+    {{- if .teamEmail }}
+    cert-manager.pki.bmwgroup.net/teamEmail: {{ .teamEmail | quote }}
     {{- end }}
-    localities:
-    {{- range .localities }}
-      - {{ . }}
+    {{- if .appdId }}
+    cert-manager.pki.bmwgroup.net/appdId: {{ .appdId | quote }}
     {{- end }}
-    provinces:
-    {{- range .provinces }}
-      - {{ . }}
+    {{- if .itsmService }}
+    cert-manager.pki.bmwgroup.net/itsmService: {{ .itsmService | quote }}
     {{- end }}
-    organizationalUnits:
-    {{- range .organizationalUnits }}
-      - {{ . }}
-    {{- end }}
-  dnsNames:
-    {{-  $domains  -}}
-    {{- range .dnsNames }}
-      - {{ . }}
+    {{- if .department }}
+    cert-manager.pki.bmwgroup.net/department: {{ .department | quote }}
     {{- end }}
-  emailAddresses:
-    {{- range .emailAddresses }}
-      - {{ . }}
+    {{- if .caType }}
+    cert-manager.pki.bmwgroup.net/caType: {{ .caType | quote }}
     {{- end }}
-
+  {{- end }}
+spec:
+  issuerRef:
+    group: cert-manager.pki.bmwgroup.net {{- /* we only support our own issuers, no need to make this configurable */}}
+    name: {{ .issuerRef.name }}
+    kind: {{ .issuerRef.kind }}
+  commonName: {{ $firstDomain }}
+  dnsNames:
+    {{- $domains }}
+  secretName: {{ $serviceName }}-private-tls-by-issuer
+  secretTemplate:
+    annotations:
+      cert-manager.io/issuer: {{ .issuerRef.name }}
+      {{- with .cardsParameters }}
+      {{- if .userId }}
+      cert-manager.pki.bmwgroup.net/userId: {{ .userId | quote }}
+      {{- end }}
+      {{- if .userEmail }}
+      cert-manager.pki.bmwgroup.net/userEmail: {{ .userEmail | quote }}
+      {{- end }}
+      {{- if .teamEmail }}
+      cert-manager.pki.bmwgroup.net/teamEmail: {{ .teamEmail | quote }}
+      {{- end }}
+      {{- if .appdId }}
+      cert-manager.pki.bmwgroup.net/appdId: {{ .appdId | quote }}
+      {{- end }}
+      {{- if .itsmService }}
+      cert-manager.pki.bmwgroup.net/itsmService: {{ .itsmService | quote }}
+      {{- end }}
+      {{- if .department }}
+      cert-manager.pki.bmwgroup.net/department: {{ .department | quote }}
+      {{- end }}
+      {{- if .caType }}
+      cert-manager.pki.bmwgroup.net/caType: {{ .caType | quote }}
+      {{- end }}
+      {{- end }}
+    labels:
+      app.kubernetes.io/name: {{ $serviceName }}
+      app.kubernetes.io/component: ingress
+      app.kubernetes.io/part-of: {{ $.Release.Name }}
 {{- end }}
 {{- end }}
diff --git a/charts/dvpe-deployment-gloo/values.schema.json b/charts/dvpe-deployment-gloo/values.schema.json
@@ -1,5 +1,8 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema",
+  "title": "DVPE Deployment",
+  "description": "Deployment of an application into WADTFY",
+  "type": "object",
   "required": [
     "gloo"
   ],
@@ -29,61 +32,69 @@
       }
     },
     "certificate": {
-      "anyOf": [
-        {
+      "type": "object",
+      "required": [
+        "create"
+      ],
+      "properties": {
+        "create": {
+          "type": "boolean"
+        },
+        "cardsParameters": {
           "type": "object",
           "properties": {
-            "customIssuer": {
-              "enum": [
-                "internet",
-                "intranet",
-                "other",
-                "none"
-              ]
-            }
-          },
-          "required": [
-            "customIssuer"
-          ],
-          "if": {
-            "properties": {
-              "customIssuer": {
-                "const": "other"
-              }
+            "userId": {
+              "type": "string"
+            },
+            "userEmail": {
+              "type": "string"
+            },
+            "teamEmail": {
+              "type": "string"
+            },
+            "appdId": {
+              "type": "string"
             },
+            "itsmService": {
+              "type": "string"
+            },
+            "department": {
+              "type": "string"
+            },
+            "caType": {
+              "type": "string"
+            }
+          }
+        }
+      },
+      "if": {
+        "properties": {
+          "create": {
+            "const": true
+          }
+        }
+      },
+      "then": {
+        "required": [
+          "issuerRef"
+        ],
+        "properties": {
+          "issuerRef": {
+            "type": "object",
             "required": [
-              "customIssuer"
-            ]
-          },
-          "then": {
+              "name", "kind"
+            ],
             "properties": {
-              "customIssuerSelector": {
-                "type": "object",
-                "properties": {
-                  "name": {
-                    "type": "string"
-                  }
-                },
-                "required": [
-                  "name"
-                ]
+              "name": {
+                "type": "string"
+              },
+              "kind": {
+                "type": "string"
               }
-            },
-            "required": [
-              "customIssuerSelector"
-            ]
-          }
-        },
-        {
-          "type": "object",
-          "properties": {
-            "useCustomIssuer": {
-              "enum": [false]
             }
-          },
-          "required": ["useCustomIssuer"]
+          }
         }
-      ]
+      }
     }
   }
 }
diff --git a/charts/dvpe-deployment-gloo/values.yaml b/charts/dvpe-deployment-gloo/values.yaml
@@ -360,26 +360,28 @@ istio:
 # -------------------------------------#
 # Certificate value section            #
 # -------------------------------------#
+# certificate -- Defines details about the certificate. The domains for which the certificate will be issued are defined in the `gloo.virtualservice.spec.virtualHost.domains` field.
 certificate:
-      # certificate.useCustomIssuer -- DEPRECATED; use `customIssuer: none` instead of `useCustomIssuer: false`
-      useCustomIssuer: true
-      # certificate.customIssuer -- custom issuer; allowed values: internet, intranet, other (requires `customIssuerSelector`), none
-      customIssuer: intranet
-      # certificate.customIssuerSelector -- other custom issuer selector; ignored if `customIssuer` different from "other"
-      customIssuerSelector:
-        # certificate.customIssuerSelector.name -- name of the custom issuer to be used
-        name:
-      # certificate.organizations -- list of organization listed in created certificate details
-      organizations: []
-      # certificate.countries -- list of countries listed in created certificate details
-      countries: []
-       # certificate.localities -- list of localities listed in created certificate details
-      localities: []
-       # certificate.provinces -- list of provinces listed in created certificate details
-      provinces: []
-       # certificate.organizationalUnits -- list of organizationalUnits listed in created certificate details
-      organizationalUnits: []
-       # certificate.emailAddresses -- list of emailAddresses listed in created certificate details
-      emailAddresses: []
-       # certificate.dnsNames -- list of dnsNames listed in created certificate details
-      dnsNames: []
+  create: true
+  # certificate.issuerRef -- Reference to issuer to use for certificate creation. Defaults to wadtfy-cluster-issuer ClusterIssuer which does not define any default values.
+  issuerRef:
+    # certificate.issuerRef.name -- Name of the issuer to use for certificate creation.
+    name: wadtfy-cluster-issuer
+    # certificate.issuerRef.kind -- Kind of the issuer to use for certificate creation. Usually "Issuer" or "ClusterIssuer".
+    kind: ClusterIssuer
+  # certificate.cardsParameters -- Parameters needed by CARDS API for certificate creation. They may be optional if specified in the referenced Issuer.
+  cardsParameters:
+    # certificate.cardsParameters.userId -- User ID of the person requesting the certificate. Can also be a technical user.
+    userId:
+    # certificate.cardsParameters.userEmail -- User Email of the person requesting the certificate. Can be the same as teamEmail. Used to send notifications about the certificate to.
+    userEmail:
+    # certificate.cardsParameters.teamEmail -- Team Email. Used to send notifications about the certificate to.
+    teamEmail:
+    # certificate.cardsParameters.appdId -- Application Deployment ID. It's the one that starts with `APPD-`.
+    appdId:
+    # certificate.cardsParameters.itsmService -- ITSM Service. Used to identify the ITSM service the issued certificate belongs to.
+    itsmService:
+    # certificate.cardsParameters.department -- Department. Used to identify the department the issued certificate belongs to.
+    department:
+    # certificate.cardsParameters.caType -- CA Type. Possible values are `Internal` for internal certificates or `External` for global public certificates.
+    caType: