Added TLS certificate support for op-challenger

celo-org · Dec 3, 2024 · 6139d27 · 6139d27
1 parent 6652a1a
commit 6139d27
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 2 deletions.
diff --git a/charts/op-challenger/Chart.yaml b/charts/op-challenger/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v2
 name: op-challenger
 description: A Helm chart for Fault Proof Monitoring
 type: application
-version: 0.1.4
+version: 0.1.5
 appVersion: "main"
 maintainers:
   - name: cLabs

diff --git a/charts/op-challenger/README.md b/charts/op-challenger/README.md
@@ -1,6 +1,6 @@
 # op-challenger
 
-![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: main](https://img.shields.io/badge/AppVersion-main-informational?style=flat-square)
+![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: main](https://img.shields.io/badge/AppVersion-main-informational?style=flat-square)
 
 A Helm chart for Fault Proof Monitoring
 

diff --git a/charts/op-challenger/templates/certificate.yaml b/charts/op-challenger/templates/certificate.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.config.signer.tls.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "op-challenger.fullname" . }}-tls
+spec:
+  secretName: {{ template "op-challenger.fullname" . }}-tls
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  isCA: false
+  usages:
+    - client auth
+
+  subject:
+    organizations:
+      - cLabs
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: {{ template "op-challenger.fullname" . }}
+
+  # At least one of commonName (possibly through literalSubject), dnsNames, uris, emailAddresses, ipAddresses or otherNames is required.
+  dnsNames:
+    - {{ template "op-challenger.fullname" . }}
+
+  # Issuer references are always required.
+  issuerRef:
+    name: {{ .Values.config.signer.tls.certManager.issuerName }}
+    kind: {{ .Values.config.signer.tls.certManager.issuerKind }}
+    group: {{ .Values.config.signer.tls.certManager.issuerGroup }}
+{{- end }}
diff --git a/charts/op-challenger/templates/statefulset.yaml b/charts/op-challenger/templates/statefulset.yaml
@@ -172,10 +172,20 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data
+            {{- if .Values.config.signer.tls.enabled }}
+            - mountPath: "/certs"
+              name: pki
+              readOnly: true
+            {{- end }}
       volumes:
         - name: data
           persistentVolumeClaim:
             claimName: {{ include "op-challenger.fullname" . }}-data
+        {{- if .Values.config.signer.tls.enabled }}
+        - name: pki
+          secret:
+            secretName: {{ ternary (printf "%s-%s" (include "op-challenger.fullname" .) "tls" ) .Values.config.signer.tls.externalSecret.tlsSecretName .Values.config.signer.tls.certManager.enabled }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}