Use K8S TLS secrets for api tls feature

MaikuMori · Jun 21, 2024 · 07aeb17 · 07aeb17
1 parent 913e2fd
commit 07aeb17
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 10 deletions.
diff --git a/charts/gotenberg/README.md b/charts/gotenberg/README.md
@@ -56,8 +56,7 @@ helm upgrade my-release maikumori/gotenberg --install
 | api.port | int | `3000` | Set the port on which the API should listen (default 3000) |
 | api.rootPath | string | `""` | Set the root path of the API - for service discovery via URL paths (default "/") |
 | api.timeout | string | `""` | Set the time limit for requests (default 30s) |
-| api.tlsCertFile | string | `""` | Path to the TLS/SSL certificate file - for HTTPS support (default "") |
-| api.tlsKeyFile | string | `""` | Path to the TLS/SSL key file - for HTTPS support (default "") |
+| api.tlsSecretName | string | `""` | Enables TLS on the API server: K8S TLS secret name containing the TLS certificate and key (tls.crt, tls.key) |
 | api.traceHeader | string | `""` | Set the header name to use for identifying requests (default "Gotenberg-Trace") |
 | autoscaling.enabled | bool | `false` |  |
 | autoscaling.maxReplicas | int | `100` |  |

diff --git a/charts/gotenberg/templates/deployment.yaml b/charts/gotenberg/templates/deployment.yaml
@@ -44,11 +44,11 @@ spec:
           args:
           - gotenberg
           - --api-port={{ .Values.api.port }}
-          {{- if .Values.api.tlsCertFile }}
-          - --api-tls-cert-file={{ .Values.api.tlsCertFile }}
+          {{- if .Values.api.tlsSecretName }}
+          - --api-tls-cert-file=/tls/tls.crt
           {{- end }}
-          {{- if .Values.api.tlsKeyFile }}
-          - --api-tls-key-file={{ .Values.api.tlsKeyFile }}
+          {{- if .Values.api.tlsSecretName }}
+          - --api-tls-key-file=/tls/tls.key
           {{- end }}
           {{- if .Values.api.timeout }}
           - --api-timeout={{ .Values.api.timeout }}
@@ -218,6 +218,11 @@ spec:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
             {{- toYaml .Values.volumeMounts | nindent 12 }}
+            {{- if .Values.api.tlsSecretName }}
+            - name: tls
+              mountPath: /tls
+              readOnly: true
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.gotenberg.gracefulShutdownDurationSec }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -238,4 +243,9 @@ spec:
       {{- with .Values.volumes }}
       volumes:
         {{- toYaml . | nindent 8 }}
+        {{- if .Values.api.tlsSecretName }}
+        - name: tls
+          secret:
+            secretName: {{ .Values.api.tlsSecretName }}
+        {{- end }}
       {{- end }}
diff --git a/charts/gotenberg/values.yaml b/charts/gotenberg/values.yaml
@@ -122,10 +122,8 @@ ingress:
 api:
   # -- Set the port on which the API should listen (default 3000)
   port: 3000
-  # -- Path to the TLS/SSL certificate file - for HTTPS support (default "")
-  tlsCertFile: ""
-  # -- Path to the TLS/SSL key file - for HTTPS support (default "")
-  tlsKeyFile: ""
+  # -- Enables TLS on the API server: K8S TLS secret name containing the TLS certificate and key (tls.crt, tls.key)
+  tlsSecretName: ""
   # -- Set the time limit for requests (default 30s)
   timeout: ""
   # -- Set the root path of the API - for service discovery via URL paths (default "/")