From d188a7d48ecfae7516cc8fd2ea55bac2636250e8 Mon Sep 17 00:00:00 2001 From: Charles-Antoine Dolbeau Date: Thu, 28 May 2026 17:47:10 +0200 Subject: [PATCH] feat(helm): sync TLS certificates from cloud secret manager via ESO (v0.2.1) When secrets.provider=external-secrets and tls.provider=secret, the chart now automatically creates ExternalSecret resources for each enabled component (VTOM, ITC, ITM, MFT) to sync TLS certificates from GCP SM / Azure KV / AWS SM. - values.yaml: set default names for tls.secret.*, add remoteKeys for TLS cert/key pairs, document the new provider combination - templates/common/secrets.yaml: add 4 ExternalSecret blocks (type: kubernetes.io/tls) gated on tls.enabled + tls.provider=secret, inside the existing external-secrets guard - values-client-template.yaml: document Options A/B/C for TLS, add commented TLS remoteKeys in all 3 cloud provider sections (Azure, AWS, GCP) --- charts/visual-tom/Chart.yaml | 2 +- .../visual-tom/templates/common/secrets.yaml | 128 ++++++++++++++++++ charts/visual-tom/values-client-template.yaml | 51 ++++++- charts/visual-tom/values.yaml | 29 +++- 4 files changed, 197 insertions(+), 13 deletions(-) diff --git a/charts/visual-tom/Chart.yaml b/charts/visual-tom/Chart.yaml index d25f87a..458d758 100644 --- a/charts/visual-tom/Chart.yaml +++ b/charts/visual-tom/Chart.yaml @@ -7,7 +7,7 @@ description: > type: application # Chart version (follows SemVer). Increment on every chart change. -version: 0.2.0 +version: 0.2.1 # Reference application version (VTOM). ITC, ITM and MFT versions are defined in values.yaml. appVersion: "7.3.2c" diff --git a/charts/visual-tom/templates/common/secrets.yaml b/charts/visual-tom/templates/common/secrets.yaml index 17e367d..683275c 100644 --- a/charts/visual-tom/templates/common/secrets.yaml +++ b/charts/visual-tom/templates/common/secrets.yaml 
@@ -150,6 +150,134 @@ spec: remoteRef: key: {{ .Values.secrets.remoteKeys.itmDbPassword }} {{- end }} + +{{- if and .Values.tls.enabled (eq .Values.tls.provider "secret") }} + +{{- if .Values.vtom.enabled }} +--- +# TLS certificate for VTOM — synced from cloud secret manager +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: {{ .Values.tls.secret.vtom }} + namespace: {{ include "vtom.namespace" . }} + labels: + app.kubernetes.io/name: vtom + {{- include "vtom.labels" . | nindent 4 }} +spec: + refreshInterval: {{ .Values.secrets.refreshInterval }} + secretStoreRef: + name: {{ include "vtom.secretStoreName" . }} + kind: SecretStore + target: + name: {{ .Values.tls.secret.vtom }} + creationPolicy: Owner + deletionPolicy: Retain + template: + type: kubernetes.io/tls + data: + - secretKey: tls.crt + remoteRef: + key: {{ .Values.secrets.remoteKeys.vtomTlsCert }} + - secretKey: tls.key + remoteRef: + key: {{ .Values.secrets.remoteKeys.vtomTlsKey }} +{{- end }} + +{{- if .Values.itc.enabled }} +--- +# TLS certificate for ITC — synced from cloud secret manager +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: {{ .Values.tls.secret.itc }} + namespace: {{ include "vtom.namespace" . }} + labels: + app.kubernetes.io/name: itc + {{- include "vtom.labels" . | nindent 4 }} +spec: + refreshInterval: {{ .Values.secrets.refreshInterval }} + secretStoreRef: + name: {{ include "vtom.secretStoreName" . 
}} + kind: SecretStore + target: + name: {{ .Values.tls.secret.itc }} + creationPolicy: Owner + deletionPolicy: Retain + template: + type: kubernetes.io/tls + data: + - secretKey: tls.crt + remoteRef: + key: {{ .Values.secrets.remoteKeys.itcTlsCert }} + - secretKey: tls.key + remoteRef: + key: {{ .Values.secrets.remoteKeys.itcTlsKey }} +{{- end }} + +{{- if .Values.itm.enabled }} +--- +# TLS certificate for ITM — synced from cloud secret manager +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: {{ .Values.tls.secret.itm }} + namespace: {{ include "vtom.namespace" . }} + labels: + app.kubernetes.io/name: itm + {{- include "vtom.labels" . | nindent 4 }} +spec: + refreshInterval: {{ .Values.secrets.refreshInterval }} + secretStoreRef: + name: {{ include "vtom.secretStoreName" . }} + kind: SecretStore + target: + name: {{ .Values.tls.secret.itm }} + creationPolicy: Owner + deletionPolicy: Retain + template: + type: kubernetes.io/tls + data: + - secretKey: tls.crt + remoteRef: + key: {{ .Values.secrets.remoteKeys.itmTlsCert }} + - secretKey: tls.key + remoteRef: + key: {{ .Values.secrets.remoteKeys.itmTlsKey }} +{{- end }} + +{{- if .Values.mft.enabled }} +--- +# TLS certificate for MFT — synced from cloud secret manager +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: {{ .Values.tls.secret.mft }} + namespace: {{ include "vtom.namespace" . }} + labels: + app.kubernetes.io/name: mft + {{- include "vtom.labels" . | nindent 4 }} +spec: + refreshInterval: {{ .Values.secrets.refreshInterval }} + secretStoreRef: + name: {{ include "vtom.secretStoreName" . 
}} + kind: SecretStore + target: + name: {{ .Values.tls.secret.mft }} + creationPolicy: Owner + deletionPolicy: Retain + template: + type: kubernetes.io/tls + data: + - secretKey: tls.crt + remoteRef: + key: {{ .Values.secrets.remoteKeys.mftTlsCert }} + - secretKey: tls.key + remoteRef: + key: {{ .Values.secrets.remoteKeys.mftTlsKey }} +{{- end }} + +{{- end }} {{- end }} {{- else }} diff --git a/charts/visual-tom/values-client-template.yaml b/charts/visual-tom/values-client-template.yaml index f19c47a..749a9eb 100644 --- a/charts/visual-tom/values-client-template.yaml +++ b/charts/visual-tom/values-client-template.yaml @@ -240,6 +240,15 @@ secrets: itcDbPassword: "itc-db-password" # TODO: Key Vault secret for the ITC password (plain text) itmDbUser: "itm-db-user" # TODO: Key Vault secret holding the ITM DB username itmDbPassword: "itm-db-password" # TODO: Key Vault secret for the ITM password (plain text) + # TLS certificates (Option B only — tls.provider=secret): uncomment and adjust names + # vtomTlsCert: "vtom-tls-cert" # TODO: Key Vault secret for the VTOM certificate chain (PEM) + # vtomTlsKey: "vtom-tls-key" # TODO: Key Vault secret for the VTOM private key (PEM) + # itcTlsCert: "itc-tls-cert" + # itcTlsKey: "itc-tls-key" + # itmTlsCert: "itm-tls-cert" + # itmTlsKey: "itm-tls-key" + # mftTlsCert: "mft-tls-cert" + # mftTlsKey: "mft-tls-key" serviceAccount: azure: 
@@ -257,6 +266,15 @@ serviceAccount: # itcDbPassword: "vtom/itc-db-password" # itmDbUser: "vtom/itm-db-user" # itmDbPassword: "vtom/itm-db-password" +# # TLS certificates (Option B only — tls.provider=secret): uncomment and adjust names +# # vtomTlsCert: "vtom/tls-cert" # TODO: SM secret for the VTOM certificate chain (PEM) +# # vtomTlsKey: "vtom/tls-key" # TODO: SM secret for the VTOM private key (PEM) +# # itcTlsCert: "itc/tls-cert" +# # itcTlsKey: "itc/tls-key" +# # itmTlsCert: "itm/tls-cert" +# # itmTlsKey: "itm/tls-key" +# # mftTlsCert: "mft/tls-cert" +# # mftTlsKey: "mft/tls-key" # # serviceAccount: # aws: @@ -274,6 +292,15 @@ serviceAccount: # itcDbPassword: "itc-db-password" # itmDbUser: "itm-db-user" # itmDbPassword: "itm-db-password" +# # TLS certificates (Option B only — tls.provider=secret): uncomment and adjust names +# # vtomTlsCert: "vtom-tls-cert" # TODO: SM secret for the VTOM certificate chain (PEM) +# # vtomTlsKey: "vtom-tls-key" # TODO: SM secret for the VTOM private key (PEM) +# # itcTlsCert: "itc-tls-cert" +# # itcTlsKey: "itc-tls-key" +# # itmTlsCert: "itm-tls-cert" +# # itmTlsKey: "itm-tls-key" +# # mftTlsCert: "mft-tls-cert" +# # mftTlsKey: "mft-tls-key" # # serviceAccount: # gcp: 
@@ -295,16 +322,26 @@ serviceAccount: # ----------------------------------------------------------------------------- # TLS -# cert-manager with Let's Encrypt (default) — requires cert-manager installed -# and a ClusterIssuer created in the cluster (see README / DEPLOIEMENT). -# Alternative: provider: secret to supply your own TLS certificates. +# Option A (default) — cert-manager + Let's Encrypt +# Requires cert-manager installed and a ClusterIssuer in the cluster. +# Option B — client-supplied certificates synced from the cloud secret manager +# Requirements: secrets.provider=external-secrets AND tls.provider=secret +# The chart creates ExternalSecret resources automatically. +# Cloud secrets must contain raw PEM content (no additional base64 encoding): +# -cert -> full certificate chain (.crt) +# -key -> private key (.key) +# Option C — client-supplied certificates (manual K8s TLS Secret) +# Create the K8s TLS Secret manually, then reference its name below. # ----------------------------------------------------------------------------- tls: certManager: clusterIssuer: letsencrypt-prod # TODO: adjust if your ClusterIssuer has a different name - # provider: secret # Uncomment to supply your own TLS certificates + + # Uncomment for Option B or C (client-supplied certificates): + # provider: secret # secret: - # vtom: vtom-tls-secret # Name of the K8s TLS Secret for VTOM - # itc: itc-tls-secret # Name of the K8s TLS Secret for ITC - # itm: itm-tls-secret # Name of the K8s TLS Secret for ITM + # vtom: "vtom-tls-secret" # created automatically by ExternalSecret (Option B) + # itc: "itc-tls-secret" # or created manually (Option C) + # itm: "itm-tls-secret" + # mft: "mft-tls-secret" diff --git a/charts/visual-tom/values.yaml b/charts/visual-tom/values.yaml index a24d43e..fc36abe 100644 --- a/charts/visual-tom/values.yaml +++ b/charts/visual-tom/values.yaml 
@@ -433,6 +433,16 @@ secrets: itcDbPassword: "itc-db-password" itmDbUser: "itm-db-user" itmDbPassword: "itm-db-password" + # TLS certificates (used when tls.provider=secret + secrets.provider=external-secrets) + # Each component requires two secrets: one for the certificate chain, one for the private key. + vtomTlsCert: "vtom-tls-cert" + vtomTlsKey: "vtom-tls-key" + itcTlsCert: "itc-tls-cert" + itcTlsKey: "itc-tls-key" + itmTlsCert: "itm-tls-cert" + itmTlsKey: "itm-tls-key" + mftTlsCert: "mft-tls-cert" + mftTlsKey: "mft-tls-key" # ----------------------------------------------------------------------------- # Identity / Workload Identity @@ -471,6 +481,14 @@ ingress: # provider: cert-manager → cert-manager + ClusterIssuer (Let's Encrypt or other) # provider: secret → certificate supplied by the client in a K8s TLS Secret # provider: none → no TLS managed by the chart (external termination) +# +# provider: secret + secrets.provider: external-secrets +# -> the chart automatically creates ExternalSecret resources that sync TLS +# certificates from the cloud secret manager (GCP SM / Azure KV / AWS SM). +# Store two plain-text PEM secrets per component in your cloud provider: +# -cert -> full certificate chain (.crt) +# -key -> private key (.key) +# Secret names are configured via secrets.remoteKeys.*TlsCert / *TlsKey. # ----------------------------------------------------------------------------- tls: enabled: true 
@@ -479,12 +497,13 @@ tls: certManager: clusterIssuer: letsencrypt-prod - # Used when provider=secret: names of existing K8s TLS Secrets + # Used when provider=secret: names of the K8s TLS Secrets (created manually or + # synced automatically from the cloud provider via ExternalSecret). secret: - vtom: "" # e.g.: vtom-tls-secret - itc: "" # e.g.: itc-tls-secret - itm: "" # e.g.: itm-tls-secret - mft: "" # e.g.: mft-tls-secret + vtom: "vtom-tls-secret" + itc: "itc-tls-secret" + itm: "itm-tls-secret" + mft: "mft-tls-secret" # ----------------------------------------------------------------------------- # NetworkPolicy
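Review bot: Replacing the empty defaults for `tls.secret.*` with fixed names removes the only signal that a user on `tls.provider: secret` never configured a Secret, so a manually managed deployment (Option C) that forgot to create `vtom-tls-secret` now renders a reference to a missing Secret instead of an empty value that a `required`-style check could reject; whether the consuming templates had such a check is not visible in this hunk. If the non-empty defaults are intended to line up with the ExternalSecret target names, the comment should say so explicitly, e.g. `# Defaults match the ExternalSecret targets created when secrets.provider=external-secrets; with manually created Secrets (Option C) they must equal the names of the Secrets you created.`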