From 7e11f6463c9e03ddd45df5e81d8ffc9b1a77c432 Mon Sep 17 00:00:00 2001
From: MarkKharitonov
Date: Mon, 2 Sep 2024 07:16:26 -0400
Subject: [PATCH] Minor fixes in certificates to make them ArgoCD friendly (#4482)

* Minor fixes in certificates to make them ArgoCD friendly

* chore: update changelog

Signed-off-by: Yue Yang

---------

Signed-off-by: Yue Yang
Co-authored-by: Mark Kharitonov
Co-authored-by: Yue Yang
---
 CHANGELOG.md | 1 +
 helm/chaos-mesh/templates/_certs.tpl | 4 ++--
 helm/chaos-mesh/templates/cert-manager-certs.yaml | 11 ++++-------
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 500ef253cc..58e4c5f633 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -68,6 +68,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
 - Fix dashboard panic while replacing query namespace with targetNamespace in namespace scoped mode [#4409](https://github.com/chaos-mesh/chaos-mesh/issues/4409)
 - Fix incorrect mmap args for IOChaos [#3680](https://github.com/chaos-mesh/chaos-mesh/issues/3680)
 - Fix chaos controller can't find daemonIP over 1000 nodes using endpoints [#4421](https://github.com/chaos-mesh/chaos-mesh/pull/4421)
+- Minor fixes in certificates to make them ArgoCD friendly [#4482](https://github.com/chaos-mesh/chaos-mesh/pull/4482)
 
 ### Security
 
diff --git a/helm/chaos-mesh/templates/_certs.tpl b/helm/chaos-mesh/templates/_certs.tpl
index 5a15822d72..4796eecb62 100644
--- a/helm/chaos-mesh/templates/_certs.tpl
+++ b/helm/chaos-mesh/templates/_certs.tpl
@@ -55,7 +55,7 @@ When using this template, it requires the top-level scope
 {{- /* webhookName would be the FQDN of in-cluster service chaos-mesh.*/ -}}
 {{- $webhookName := printf "%s.%s.svc" (include "chaos-mesh.svc" .) .Release.Namespace }}
 {{- $webhookCA := required "self-signed CA keypair is requried" .selfSignedCAKeypair -}}
- {{- /* Generate cert keypair for webhook with 5 year validity duration. */ -}}
+ {{- /* Generate cert keypair for webhook with 5 years validity duration. */ -}}
 {{- $webhookServerTLSKeypair := .webhookTLSKeypair | default (genSignedCert $webhookName nil (list $webhookName) 1825 $webhookCA) }}
 {{- $_ := set . "webhookTLSKeypair" $webhookServerTLSKeypair -}}
 {{- $webhookServerTLSKeypair.Cert -}}
@@ -76,7 +76,7 @@ When using this template, it requires the top-level scope
 {{- /* webhookName would be the FQDN of in-cluster service chaos-mesh.*/ -}}
 {{- $webhookName := printf "%s.%s.svc" (include "chaos-mesh.svc" .) .Release.Namespace -}}
 {{- $webhookCA := required "self-signed CA keypair is requried" .selfSignedCAKeypair -}}
- {{- /* Generate cert key pair for webhook with 5 year validity duration. */ -}}
+ {{- /* Generate cert key pair for webhook with 5 years validity duration. */ -}}
 {{- $webhookServerTLSKeypair := .webhookTLSKeypair | default (genSignedCert $webhookName nil (list $webhookName) 1825 $webhookCA) -}}
 {{- $_ := set . "webhookTLSKeypair" $webhookServerTLSKeypair -}}
 {{- $webhookServerTLSKeypair.Key -}}
diff --git a/helm/chaos-mesh/templates/cert-manager-certs.yaml b/helm/chaos-mesh/templates/cert-manager-certs.yaml
index e22488199b..9b5aec9601 100644
--- a/helm/chaos-mesh/templates/cert-manager-certs.yaml
+++ b/helm/chaos-mesh/templates/cert-manager-certs.yaml
@@ -52,7 +52,7 @@ metadata:
 {{- include "chaos-mesh.labels" . | nindent 4 }}
 app.kubernetes.io/component: chaos-mesh-ca
 spec:
- duration: 43800h0m0s #5year
+ duration: 43800h0m0s # 5 years
 secretName: chaos-mesh-ca
 commonName: "chaos-mesh-ca"
 isCA: true
@@ -98,12 +98,11 @@ metadata:
 {{- include "chaos-mesh.labels" . | nindent 4 }}
 app.kubernetes.io/component: chaos-mesh-cert
 spec:
- duration: 43800h #5year
+ duration: 43800h0m0s # 5 years
 dnsNames:
 - {{ template "chaos-mesh.svc" . }}
 - {{ template "chaos-mesh.svc" . }}.{{ .Release.Namespace }}
 - {{ template "chaos-mesh.svc" . }}.{{ .Release.Namespace }}.svc
- isCA: false
 secretName: {{ template "chaos-mesh.webhook.certs" . }}
 issuerRef:
 name: chaos-mesh-ca
@@ -127,10 +126,9 @@ metadata:
 {{- include "chaos-mesh.labels" . | nindent 4 }}
 app.kubernetes.io/component: chaos-daemon-client-cert
 spec:
- duration: 43800h0m0s #5year
+ duration: 43800h0m0s # 5 years
 dnsNames:
 - controller-manager.chaos-mesh.org
- isCA: false
 secretName: {{ template "chaos-mesh.daemon-client.certs" . }}
 issuerRef:
 name: chaos-mesh-ca
@@ -154,10 +152,9 @@ metadata:
 {{- include "chaos-mesh.labels" . | nindent 4 }}
 app.kubernetes.io/component: chaos-daemontcert
 spec:
- duration: 43800h0m0s #5year
+ duration: 43800h0m0s # 5 years
 dnsNames:
 - chaos-daemon.chaos-mesh.org
- isCA: false
 secretName: {{ template "chaos-mesh.daemon.certs" . }}
 issuerRef:
 name: chaos-mesh-ca
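Review bot: Removing `isCA: false` from the chaos-mesh-cert spec (and likewise in the chaos-daemon-client-cert and chaos-daemon-cert hunks below) makes the leaf-certificate intent implicit, and nothing in the hunk records why, so a later maintainer seeing the CA Certificate's explicit `isCA: true` is likely to restore the field here and reintroduce the drift this commit removes. A one-line comment beside `dnsNames:` would keep both the security property and the reason in the manifest, e.g. `# isCA omitted on purpose: cert-manager defaults it to false, and an explicit false presumably does not round-trip through the API server, which left ArgoCD permanently OutOfSync`. The `43800h` to `43800h0m0s` rewrite on the `duration:` line presumably matches the normalized form a Duration is serialized back as, which is why this Certificate alone differed from the other three; the trailing comment would be more useful as `# 5 years, in the normalized form the API server returns` than as the bare `# 5 years`. The Certificate objects these hunks belong to begin above each hunk.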