diff --git a/versions/kruise-game/next/templates/cert-manager/okg-issuer.yaml b/versions/kruise-game/next/templates/cert-manager/okg-issuer.yaml
new file mode 100644
index 0000000..efeb542
--- /dev/null
+++ b/versions/kruise-game/next/templates/cert-manager/okg-issuer.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.issuer.generate }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.kruiseGame.fullname }}-issuer
+ namespace: {{ .Values.installation.namespace }}
+spec:
+ ca:
+ secretName: {{ .Values.certificates.certManager.caSecretName }}
+{{- end }}
diff --git a/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml b/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
new file mode 100644
index 0000000..1a84754
--- /dev/null
+++ b/versions/kruise-game/next/templates/cert-manager/okg-tls-certificate.yaml
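Review bot: The CA `Issuer` in this hunk is rendered whenever `issuer.generate` is true, but the key pair it points to through `spec.ca.secretName` is only produced by self-ca.yaml when `generateCA` is also true, so with `generateCA: false` the chart silently depends on a pre-existing Secret named by `certificates.certManager.caSecretName` in the install namespace. Nothing in the diff documents that contract, and a missing or malformed secret presumably surfaces only as an Issuer that never becomes Ready, well after `helm install` has succeeded. I would add a template comment above the `if` line: `{{- /* When generateCA is false, the Secret named by certManager.caSecretName must already hold the CA tls.crt/tls.key in the install namespace. */ -}}`.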
@@ -0,0 +1,38 @@
+{{- if .Values.certificates.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.kruiseGame.fullname }}-tls-certificates
+ namespace: {{ .Values.installation.namespace }}
+spec:
+ commonName: {{ .Values.kruiseGame.fullname }}
+ dnsNames:
+ - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
+ - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
+ - {{ ..Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
+ secretName: {{ .Values.certificates.secretName }}
+ usages:
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ duration: {{ .Values.certificates.certManager.duration }}
+ renewBefore: {{ .Values.certificates.certManager.renewBefore }}
+ issuerRef:
+ {{- if .Values.certificates.certManager.issuer.generate }}
+ name: {{ .Values.kruiseGame.fullname }}-issuer
+ kind: Issuer
+ group: cert-manager.io
+ {{- else }}
+ {{- if .Values.certificates.certManager.issuer.name }}
+ name: {{ .Values.certificates.certManager.issuer.name }}
+ {{- end }}
+ {{- if .Values.certificates.certManager.issuer.kind }}
+ kind: {{ .Values.certificates.certManager.issuer.kind }}
+ {{- end }}
+ {{- if .Values.certificates.certManager.issuer.group }}
+ group: {{ .Values.certificates.certManager.issuer.group }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/versions/kruise-game/next/templates/cert-manager/self-ca.yaml b/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
new file mode 100644
index 0000000..4639ab9
--- /dev/null
+++ b/versions/kruise-game/next/templates/cert-manager/self-ca.yaml
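Review bot: The three `dnsNames` entries use `..Values.kruiseGame.webhook.serviceName` with a doubled leading dot, which is not a valid Go-template path and should make Helm reject the chart at render time as soon as `certManager.enabled` is true; each entry should read `- {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}` with the `.svc` and `.svc.{{ .Values.clusterDomain }}` suffixes on the second and third lines. In the `else` branch of `issuerRef`, `name`, `kind` and `group` are each emitted only when set, so an operator who sets `issuer.generate: false` and forgets `issuer.name` ships a Certificate with an empty `issuerRef` that is only rejected once the object reaches the cluster; wrapping at least name in `required`, e.g. `name: {{ required "certificates.certManager.issuer.name is required when issuer.generate is false" .Values.certificates.certManager.issuer.name }}`, fails at install time with a clear message and enforces what the values.yaml comment already promises. `usages` also grants `client auth` to what is otherwise a webhook serving certificate; unless the controller presents this cert as a client somewhere, `server auth` alone is the narrower and more conventional grant.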
@@ -0,0 +1,20 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.kruiseGame.fullname }}-ca
+ namespace: {{ .Values.installation.namespace }}
+spec:
+ isCA: true
+ commonName: {{ .Values.kruiseGame.fullname }}
+ secretName: {{ .Values.certificates.certManager.caSecretName }}
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ duration: 8760h0m0s # 1 year
+ renewBefore: 720h0m0s # 1 month
+ issuerRef:
+ name: {{ .Values.operator.name }}-selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
diff --git a/versions/kruise-game/next/templates/cert-manager/self-issuer.yaml b/versions/kruise-game/next/templates/cert-manager/self-issuer.yaml
new file mode 100644
index 0000000..d6e1904
--- /dev/null
+++ b/versions/kruise-game/next/templates/cert-manager/self-issuer.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer
+ namespace: {{ .Values.installation.namespace }}
+spec:
+ selfSigned: {}
+{{- end }}
diff --git a/versions/kruise-game/next/templates/webhook_service.yaml b/versions/kruise-game/next/templates/webhook_service.yaml
index c8d6178..9a334f6 100644
--- a/versions/kruise-game/next/templates/webhook_service.yaml
+++ b/versions/kruise-game/next/templates/webhook_service.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: kruise-game-webhook-service
+ name: {{ .Values.kruiseGame.webhook.serviceName }}
 namespace: {{ .Values.installation.namespace }}
 spec:
 ports:
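Review bot: The CA Certificate's `issuerRef.name` is `{{ .Values.operator.name }}-selfsigned-issuer`, while self-issuer.yaml in this same commit creates the Issuer as `{{ .Values.kruiseGame.fullname }}-selfsigned-issuer`, and `operator.name` does not appear anywhere in the values.yaml hunks; unless `operator.name` is defined elsewhere with exactly the same value, the CA Certificate references an Issuer that is never created, stays unissued, and in turn blocks the leaf certificate and the webhook. The line should be `name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer`. The CA's `duration`/`renewBefore` are hard-coded here while the leaf's come from values; if that is intentional, a one-line comment saying the CA lifetime is fixed by design would stop the next reader from hunting for a knob.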
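Review bot: `.Values.additionalAnnotations` is rendered under `metadata:` of this self-signed Issuer only; the CA Certificate, the CA Issuer and the TLS Certificate added in the same commit have no annotations block, so anyone who relies on `additionalAnnotations` to tag chart resources for a policy or ownership tool gets it on one of the four new cert-manager objects. Either repeat the same `{{- with .Values.additionalAnnotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}` block in the other three templates or drop it here, so the value behaves uniformly across the chart.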
diff --git a/versions/kruise-game/next/values.yaml b/versions/kruise-game/next/values.yaml index 296c01a..9537c91 100644 --- a/versions/kruise-game/next/values.yaml +++ b/versions/kruise-game/next/values.yaml @@ -11,6 +11,7 @@ kruiseGame: fullname: kruise-game-controller-manager healthBindPort: "8082" webhook: + serviceName: kruise-game-webhook-service port: 443 targetPort: 9876 apiServerQps: 5 @@ -28,6 +29,9 @@ serviceAccount: # Annotations to add to the service account annotations: {} +# Kubernetes cluster domain +clusterDomain: cluster.local + service: port: 8443 @@ -53,6 +57,7 @@ prometheus: enabled: false monitorService: port: 8080 + scale: service: port: 6000 @@ -63,4 +68,27 @@ network: probeIntervalTime: 5 cloudProvider: - installCRD: true \ No newline at end of file + installCRD: true + +certificates: + autoGenerated: true + secretName: kruise-game-certs + mountPath: /tmp/webhook-certs/ + certManager: + enabled: false + duration: 8760h0m0s # 1 year + renewBefore: 5840h0m0s # 8 months + generateCA: true + caSecretName: "kruise-game-ca" + secretTemplate: {} + # annotations: + # my-secret-annotation-1: "foo" + # my-secret-annotation-2: "bar" + # labels: + # my-secret-label: foo + # -- Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required + issuer: + generate: true + name: kruise-ca + kind: ClusterIssuer + group: cert-manager.io \ No newline at end of file
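Review bot: `certManager.secretTemplate` and the commented annotation/label example under it are introduced in the last hunk, but no template in this commit reads `.Values.certificates.certManager.secretTemplate`, so setting it has no effect on the issued Secret. Either consume it in okg-tls-certificate.yaml under `spec:` with `{{- with .Values.certificates.certManager.secretTemplate }}` / `secretTemplate: {{- toYaml . | nindent 4 }}` / `{{- end }}`, or remove the key until it is wired up. The default `renewBefore: 5840h0m0s # 8 months` against `duration: 8760h0m0s` means the leaf certificate is renewed roughly four months after issuance, which differs from the one-month window hard-coded for the CA in self-ca.yaml; if that asymmetry is deliberate, a short comment explaining it would help. The comment on `issuer` says `group`, `kind` and `name` are required when `generate` is false, but the template does not enforce that, so either soften the comment or make the template use `required` for those fields.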