2 changes: 1 addition & 1 deletion charts/visual-tom/Chart.yaml
Expand Up @@ -7,7 +7,7 @@ description: >
type: application

# Chart version (follows SemVer). Increment on every chart change.
version: 0.2.0
version: 0.2.1

# Reference application version (VTOM). ITC, ITM and MFT versions are defined in values.yaml.
appVersion: "7.3.2c"
128 changes: 128 additions & 0 deletions charts/visual-tom/templates/common/secrets.yaml
Expand Up @@ -150,6 +150,134 @@ spec:
remoteRef:
key: {{ .Values.secrets.remoteKeys.itmDbPassword }}
{{- end }}

{{- if and .Values.tls.enabled (eq .Values.tls.provider "secret") }}

{{- if .Values.vtom.enabled }}
---
# TLS certificate for VTOM — synced from cloud secret manager
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ .Values.tls.secret.vtom }}
namespace: {{ include "vtom.namespace" . }}
labels:
app.kubernetes.io/name: vtom
{{- include "vtom.labels" . | nindent 4 }}
spec:
refreshInterval: {{ .Values.secrets.refreshInterval }}
secretStoreRef:
name: {{ include "vtom.secretStoreName" . }}
kind: SecretStore
target:
name: {{ .Values.tls.secret.vtom }}
creationPolicy: Owner
deletionPolicy: Retain
template:
type: kubernetes.io/tls
data:
- secretKey: tls.crt
remoteRef:
key: {{ .Values.secrets.remoteKeys.vtomTlsCert }}
- secretKey: tls.key
remoteRef:
key: {{ .Values.secrets.remoteKeys.vtomTlsKey }}
{{- end }}

{{- if .Values.itc.enabled }}
---
# TLS certificate for ITC — synced from cloud secret manager
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ .Values.tls.secret.itc }}
namespace: {{ include "vtom.namespace" . }}
labels:
app.kubernetes.io/name: itc
{{- include "vtom.labels" . | nindent 4 }}
spec:
refreshInterval: {{ .Values.secrets.refreshInterval }}
secretStoreRef:
name: {{ include "vtom.secretStoreName" . }}
kind: SecretStore
target:
name: {{ .Values.tls.secret.itc }}
creationPolicy: Owner
deletionPolicy: Retain
template:
type: kubernetes.io/tls
data:
- secretKey: tls.crt
remoteRef:
key: {{ .Values.secrets.remoteKeys.itcTlsCert }}
- secretKey: tls.key
remoteRef:
key: {{ .Values.secrets.remoteKeys.itcTlsKey }}
{{- end }}

{{- if .Values.itm.enabled }}
---
# TLS certificate for ITM — synced from cloud secret manager
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ .Values.tls.secret.itm }}
namespace: {{ include "vtom.namespace" . }}
labels:
app.kubernetes.io/name: itm
{{- include "vtom.labels" . | nindent 4 }}
spec:
refreshInterval: {{ .Values.secrets.refreshInterval }}
secretStoreRef:
name: {{ include "vtom.secretStoreName" . }}
kind: SecretStore
target:
name: {{ .Values.tls.secret.itm }}
creationPolicy: Owner
deletionPolicy: Retain
template:
type: kubernetes.io/tls
data:
- secretKey: tls.crt
remoteRef:
key: {{ .Values.secrets.remoteKeys.itmTlsCert }}
- secretKey: tls.key
remoteRef:
key: {{ .Values.secrets.remoteKeys.itmTlsKey }}
{{- end }}

{{- if .Values.mft.enabled }}
---
# TLS certificate for MFT — synced from cloud secret manager
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ .Values.tls.secret.mft }}
namespace: {{ include "vtom.namespace" . }}
labels:
app.kubernetes.io/name: mft
{{- include "vtom.labels" . | nindent 4 }}
spec:
refreshInterval: {{ .Values.secrets.refreshInterval }}
secretStoreRef:
name: {{ include "vtom.secretStoreName" . }}
kind: SecretStore
target:
name: {{ .Values.tls.secret.mft }}
creationPolicy: Owner
deletionPolicy: Retain
template:
type: kubernetes.io/tls
data:
- secretKey: tls.crt
remoteRef:
key: {{ .Values.secrets.remoteKeys.mftTlsCert }}
- secretKey: tls.key
remoteRef:
key: {{ .Values.secrets.remoteKeys.mftTlsKey }}
{{- end }}

{{- end }}
{{- end }}

{{- else }}
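Review bot: The four ExternalSecret stanzas from `{{- if .Values.vtom.enabled }}` to the `{{- end }}` after `mftTlsKey` are identical except for the component name, so any later fix to one of them (a changed deletionPolicy, a renamed data key) has to be repeated by hand in the other three; a `range` over the component list keeps a single copy, as sketched below. The `{{- if and .Values.tls.enabled (eq .Values.tls.provider "secret") }}` guard sits inside a conditional whose opening is outside the hunk, and the trailing `{{- else }}` belongs to that outer conditional. `deletionPolicy: Retain` keeps the synced kubernetes.io/tls Secret, private key included, in the namespace after the ExternalSecret is removed (for example when switching back to cert-manager); a comment such as `# Retain: the Secret survives removal of this ExternalSecret so Ingress TLS keeps working; delete it explicitly when decommissioning` would record that this is intended. Rendering the names through `quote` (`name: {{ .Values.tls.secret.vtom | quote }}`) would also protect an all-digit or boolean-looking value from YAML retyping.
```yaml
{{- if and .Values.tls.enabled (eq .Values.tls.provider "secret") }}
{{- range $comp := list "vtom" "itc" "itm" "mft" }}
{{- if (index $.Values $comp).enabled }}
---
# TLS certificate for {{ upper $comp }} — synced from cloud secret manager
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: {{ index $.Values.tls.secret $comp | quote }}
  namespace: {{ include "vtom.namespace" $ }}
  labels:
    app.kubernetes.io/name: {{ $comp }}
    {{- include "vtom.labels" $ | nindent 4 }}
spec:
  refreshInterval: {{ $.Values.secrets.refreshInterval }}
  secretStoreRef:
    name: {{ include "vtom.secretStoreName" $ }}
    kind: SecretStore
  target:
    name: {{ index $.Values.tls.secret $comp | quote }}
    creationPolicy: Owner
    # Retain: the Secret survives removal of this ExternalSecret so Ingress TLS
    # keeps working; delete it explicitly when decommissioning the component.
    deletionPolicy: Retain
    template:
      type: kubernetes.io/tls
  data:
    - secretKey: tls.crt
      remoteRef:
        key: {{ index $.Values.secrets.remoteKeys (printf "%sTlsCert" $comp) | quote }}
    - secretKey: tls.key
      remoteRef:
        key: {{ index $.Values.secrets.remoteKeys (printf "%sTlsKey" $comp) | quote }}
{{- end }}
{{- end }}
# … unchanged: closing end of the tls guard and the else branch of the outer conditional …
```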
51 changes: 44 additions & 7 deletions charts/visual-tom/values-client-template.yaml
Expand Up @@ -240,6 +240,15 @@ secrets:
itcDbPassword: "itc-db-password" # TODO: Key Vault secret for the ITC password (plain text)
itmDbUser: "itm-db-user" # TODO: Key Vault secret holding the ITM DB username
itmDbPassword: "itm-db-password" # TODO: Key Vault secret for the ITM password (plain text)
# TLS certificates (Option B only — tls.provider=secret): uncomment and adjust names
# vtomTlsCert: "vtom-tls-cert" # TODO: Key Vault secret for the VTOM certificate chain (PEM)
# vtomTlsKey: "vtom-tls-key" # TODO: Key Vault secret for the VTOM private key (PEM)
# itcTlsCert: "itc-tls-cert"
# itcTlsKey: "itc-tls-key"
# itmTlsCert: "itm-tls-cert"
# itmTlsKey: "itm-tls-key"
# mftTlsCert: "mft-tls-cert"
# mftTlsKey: "mft-tls-key"

serviceAccount:
azure:
Expand All @@ -257,6 +266,15 @@ serviceAccount:
# itcDbPassword: "vtom/itc-db-password"
# itmDbUser: "vtom/itm-db-user"
# itmDbPassword: "vtom/itm-db-password"
# # TLS certificates (Option B only — tls.provider=secret): uncomment and adjust names
# # vtomTlsCert: "vtom/tls-cert" # TODO: SM secret for the VTOM certificate chain (PEM)
# # vtomTlsKey: "vtom/tls-key" # TODO: SM secret for the VTOM private key (PEM)
# # itcTlsCert: "itc/tls-cert"
# # itcTlsKey: "itc/tls-key"
# # itmTlsCert: "itm/tls-cert"
# # itmTlsKey: "itm/tls-key"
# # mftTlsCert: "mft/tls-cert"
# # mftTlsKey: "mft/tls-key"
#
# serviceAccount:
# aws:
Expand All @@ -274,6 +292,15 @@ serviceAccount:
# itcDbPassword: "itc-db-password"
# itmDbUser: "itm-db-user"
# itmDbPassword: "itm-db-password"
# # TLS certificates (Option B only — tls.provider=secret): uncomment and adjust names
# # vtomTlsCert: "vtom-tls-cert" # TODO: SM secret for the VTOM certificate chain (PEM)
# # vtomTlsKey: "vtom-tls-key" # TODO: SM secret for the VTOM private key (PEM)
# # itcTlsCert: "itc-tls-cert"
# # itcTlsKey: "itc-tls-key"
# # itmTlsCert: "itm-tls-cert"
# # itmTlsKey: "itm-tls-key"
# # mftTlsCert: "mft-tls-cert"
# # mftTlsKey: "mft-tls-key"
#
# serviceAccount:
# gcp:
Expand All @@ -295,16 +322,26 @@ serviceAccount:

# -----------------------------------------------------------------------------
# TLS
# cert-manager with Let's Encrypt (default) — requires cert-manager installed
# and a ClusterIssuer created in the cluster (see README / DEPLOIEMENT).
# Alternative: provider: secret to supply your own TLS certificates.
# Option A (default) — cert-manager + Let's Encrypt
# Requires cert-manager installed and a ClusterIssuer in the cluster.
# Option B — client-supplied certificates synced from the cloud secret manager
# Requirements: secrets.provider=external-secrets AND tls.provider=secret
# The chart creates ExternalSecret resources automatically.
# Cloud secrets must contain raw PEM content (no additional base64 encoding):
# <name>-cert -> full certificate chain (.crt)
# <name>-key -> private key (.key)
# Option C — client-supplied certificates (manual K8s TLS Secret)
# Create the K8s TLS Secret manually, then reference its name below.
# -----------------------------------------------------------------------------
tls:
certManager:
clusterIssuer: letsencrypt-prod # TODO: adjust if your ClusterIssuer has a different name
# provider: secret # Uncomment to supply your own TLS certificates

# Uncomment for Option B or C (client-supplied certificates):
# provider: secret
# secret:
# vtom: vtom-tls-secret # Name of the K8s TLS Secret for VTOM
# itc: itc-tls-secret # Name of the K8s TLS Secret for ITC
# itm: itm-tls-secret # Name of the K8s TLS Secret for ITM
# vtom: "vtom-tls-secret" # created automatically by ExternalSecret (Option B)
# itc: "itc-tls-secret" # or created manually (Option C)
# itm: "itm-tls-secret"
# mft: "mft-tls-secret"
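Review bot: The Option B hint at `# TLS certificates (Option B only — tls.provider=secret): uncomment and adjust names` documents the PEM requirement only on the two vtom lines, while the itc, itm and mft entries that the same ExternalSecret template consumes carry no hint; moving it to the group header, e.g. `# TLS certificates (Option B only — tls.provider=secret): each value names a secret holding raw PEM text (chain for *TlsCert, private key for *TlsKey); uncomment and adjust names`, covers all four, and the same applies to the AWS and GCP blocks below. The `secret:` block at `# vtom: "vtom-tls-secret"` is commented out, so a client who uncomments only `# provider: secret` gets the chart defaults for these names; for Option C that means the manually created Secret has to use exactly those names, which the inline comment `or created manually (Option C)` could say. Under Azure the values should presumably be Key Vault secrets rather than certificate objects, since tls.crt and tls.key are fetched as two separate remote keys — worth confirming and stating in the TODO.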

29 changes: 24 additions & 5 deletions charts/visual-tom/values.yaml
Expand Up @@ -433,6 +433,16 @@ secrets:
itcDbPassword: "itc-db-password"
itmDbUser: "itm-db-user"
itmDbPassword: "itm-db-password"
# TLS certificates (used when tls.provider=secret + secrets.provider=external-secrets)
# Each component requires two secrets: one for the certificate chain, one for the private key.
vtomTlsCert: "vtom-tls-cert"
vtomTlsKey: "vtom-tls-key"
itcTlsCert: "itc-tls-cert"
itcTlsKey: "itc-tls-key"
itmTlsCert: "itm-tls-cert"
itmTlsKey: "itm-tls-key"
mftTlsCert: "mft-tls-cert"
mftTlsKey: "mft-tls-key"

# -----------------------------------------------------------------------------
# Identity / Workload Identity
Expand Down Expand Up @@ -471,6 +481,14 @@ ingress:
# provider: cert-manager → cert-manager + ClusterIssuer (Let's Encrypt or other)
# provider: secret → certificate supplied by the client in a K8s TLS Secret
# provider: none → no TLS managed by the chart (external termination)
#
# provider: secret + secrets.provider: external-secrets
# -> the chart automatically creates ExternalSecret resources that sync TLS
# certificates from the cloud secret manager (GCP SM / Azure KV / AWS SM).
# Store two plain-text PEM secrets per component in your cloud provider:
# <name>-cert -> full certificate chain (.crt)
# <name>-key -> private key (.key)
# Secret names are configured via secrets.remoteKeys.*TlsCert / *TlsKey.
# -----------------------------------------------------------------------------
tls:
enabled: true
Expand All @@ -479,12 +497,13 @@ tls:
certManager:
clusterIssuer: letsencrypt-prod

# Used when provider=secret: names of existing K8s TLS Secrets
# Used when provider=secret: names of the K8s TLS Secrets (created manually or
# synced automatically from the cloud provider via ExternalSecret).
secret:
vtom: "" # e.g.: vtom-tls-secret
itc: "" # e.g.: itc-tls-secret
itm: "" # e.g.: itm-tls-secret
mft: "" # e.g.: mft-tls-secret
vtom: "vtom-tls-secret"
itc: "itc-tls-secret"
itm: "itm-tls-secret"
mft: "mft-tls-secret"

# -----------------------------------------------------------------------------
# NetworkPolicy
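Review bot: Changing the defaults at `vtom: "vtom-tls-secret"` through `mft: "mft-tls-secret"` from empty strings to concrete names means a provider=secret install that neither creates nor syncs a Secret of that name presumably renders a reference to a Secret that does not exist, where the previous empty default made the missing override visible; the comment above `secret:` could spell that out, e.g. `# Without external-secrets (manual mode) a Secret with exactly this name must exist in the release namespace.`. The header lines `# <name>-cert -> full certificate chain (.crt)` and `# <name>-key -> private key (.key)` describe a naming convention the chart does not enforce, since the next line says the names come from secrets.remoteKeys; presenting them as the defaults set under secrets.remoteKeys (`vtom-tls-cert` / `vtom-tls-key`) would avoid suggesting a fixed convention.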