fix: handle ssl case with cert maanger. Force ssl pull from domain only
moabu committed Oct 20, 2023
1 parent 5c03353 commit 7ce457a
Showing 3 changed files with 8 additions and 2 deletions.
Expand Up @@ -24,6 +24,7 @@ data:
GLUU_SQL_PASSWORD_FILE: {{ .Values.configmap.cnSqlPasswordFile }}
GLUU_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }}
GLUU_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }}
GLUU_SSL_CERT_FROM_DOMAIN: {{ .Values.global.sslCertFromDomain | quote }}
# [google_envs] Envs related to using Google
GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }}
GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }}
Expand Up @@ -32,7 +32,8 @@ spec:
{{ toYaml . | indent 8 }}
{{- end }}
# handle edge case with ALB in a non FQDN setup .Values.global.alb.ingress.enabled
{{- if and (eq .Values.global.isDomainRegistered "false") (.Values.global.alb.ingress.enabled) }}
# removed: if and (eq .Values.global.isDomainRegistered "false") (.Values.global.alb.ingress.enabled)
{{- if eq .Values.global.isDomainRegistered "false"}}
hostAliases:
- ip: {{ .Values.global.lbIp }}
hostnames:
Expand Down Expand Up @@ -104,7 +105,9 @@ spec:
{{- else }}
/app/scripts/entrypoint.sh load
{{- end }}
{{- if eq .Values.global.sslCertFromDomain "true"}}
/usr/bin/python3 /scripts/tls_generator.py
{{- end }}
{{- if .Values.global.istio.enabled }}
curl -X POST http://localhost:15020/quitquitquit
{{- end }}
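Review bot: The new guard `{{- if eq .Values.global.sslCertFromDomain "true"}}` in front of the `tls_generator.py` call compares against a string, while the default this commit adds to values.yaml is the unquoted boolean `sslCertFromDomain: false`. Go's template `eq` returns an incompatible-types error for a bool/string pair instead of evaluating to false, so if that values.yaml is what this template renders against, the job would fail to render on defaults, and a bare `true` would hit the same error rather than switching the certificate check on. Either quote the default as `sslCertFromDomain: "false"`, which matches how `isDomainRegistered` is compared a few lines up, or normalise in the template with `{{- if eq (toString .Values.global.sslCertFromDomain) "true" }}`. The container command this guard sits in starts and ends outside the hunk.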
4 changes: 3 additions & 1 deletion pygluu/kubernetes/templates/helm/gluu/values.yaml
Expand Up @@ -115,6 +115,8 @@ global:
configAdapterName: kubernetes
# -- The config backend adapter that will hold Gluu secret layer. google|kubernetes
configSecretAdapter: kubernetes
# -- Validate certificate is downloaded from given domain. If set to true (default to false), raise an error if cert is not downloaded. Note that the flag is ignored if mounted SSL cert and key files exist
sslCertFromDomain: false
# -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.
cnGoogleApplicationCredentials: /etc/gluu/conf/google-credentials.json
oxauth:
Expand Down Expand Up @@ -489,7 +491,7 @@ config:
# -- Image to use for deploying.
repository: gluufederation/config-init
# -- Image tag to use for deploying.
tag: 4.4.2-5
tag: 4.4.2-6
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Configure any additional volumes that need to be attached to the pod
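Review bot: The comment added above `sslCertFromDomain` in the first hunk opens with "Validate certificate", which reads as chain or identity validation, while the rest of the sentence only describes failing when the certificate is not downloaded. I would reword it to `# -- Require the SSL certificate to be downloaded from the configured domain. When enabled, an error is raised if the download fails. Ignored when mounted SSL cert and key files exist.` so operators do not over-read what the flag guarantees. The `tag` bump in the second hunk needs no comment.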