feat: Add support for cert-manager

riotkit-org · Apr 25, 2022 · d368195 · d368195
1 parent 756d66d
commit d368195
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 9 deletions.
diff --git a/helm/smtp-ext-relay/README.md b/helm/smtp-ext-relay/README.md
@@ -9,6 +9,7 @@ Simple SMTP server working on Kubernetes.
 - TLS authentication
 - Spam Assassin
 - Supports [SealedSecrets](https://github.com/bitnami-labs/sealed-secrets)
+- Supports [cert-manager](https://cert-manager.io/)
 
 Version v2.x was refactored to not depend on Python and Supervisord - instead lightweight Golang-based alternatives were used.
 

diff --git a/helm/smtp-ext-relay/templates/deployment.yaml b/helm/smtp-ext-relay/templates/deployment.yaml
@@ -50,11 +50,11 @@ spec:
                   env:
                       {{- if .Values.useTLS }}
                       - name: SMTP_TLS_CA_FILE
-                        value: /mnt/certs/ca
+                        value: /mnt/certs/ca.crt
                       - name: SMTPD_TLS_CERT_FILE
-                        value: /mnt/certs/cert
+                        value: /mnt/certs/tls.crt
                       - name: SMTPD_TLS_KEY_FILE
-                        value: /mnt/certs/key
+                        value: /mnt/certs/tls.key
                       - name: SMTPD_USE_TLS
                         value: "yes"
                       {{- end }}

diff --git a/helm/smtp-ext-relay/templates/tls-certificate.yaml b/helm/smtp-ext-relay/templates/tls-certificate.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.certManager.use }}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: {{ .Values.tlsSecrets.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+    commonName: {{ .Values.certManager.commonName }}
+    secretName: {{ include "smtp-ext-relay.fullname" . }}-tls-cert
+    dnsNames:
+        - {{ .Values.certManager.commonName }}
+    issuerRef:
+        name: {{ .Values.certManager.issuerName }}
+        kind: {{ .Values.certManager.issuerKind }}
+{{- end }}
diff --git a/helm/smtp-ext-relay/templates/tls-secrets.yaml b/helm/smtp-ext-relay/templates/tls-secrets.yaml
@@ -23,9 +23,9 @@ metadata:
     labels:
         {{- include "smtp-ext-relay.labels" . | nindent 8 }}
 data:
-    cert: {{ .Values.tlsSecrets.cert | b64enc }}
-    key: {{ .Values.tlsSecrets.key | b64enc }}
-    ca: {{ .Values.tlsSecrets.ca | b64enc }}
+    tls.crt: {{ .Values.tlsSecrets.cert | b64enc }}
+    tls.key: {{ .Values.tlsSecrets.key | b64enc }}
+    ca.crt: {{ .Values.tlsSecrets.ca | b64enc }}
 
 {{- end }}
 {{- end }}
diff --git a/helm/smtp-ext-relay/values.yaml b/helm/smtp-ext-relay/values.yaml
@@ -13,14 +13,17 @@ image:
     repository: ghcr.io/riotkit-org/smtp
     # tag:
 
-useTLS: true
-hostName: example.org
-
 usersSecret:
     kind: Secret # Secret or SealedSecret
     users: {}
         # user: password syntax, if SealedSecret then password must be already encrypted
 
+
+# =============
+#  TLS support
+# =============
+useTLS: true
+hostName: example.org
 tlsSecrets:
     create: true
     name: smtp-tls
@@ -32,6 +35,16 @@ tlsSecrets:
     ca: |
         ...
 
+# alternatively to manually managed certificated you can use cert-manager
+certManager:
+    use: false
+    commonName: example.org
+    issuerName: letsencrypt-prod
+    issuerKind: ClusterIssuer
+
+# ==================
+#  Data Persistence
+# ==================
 persistence:
     mail:
         enabled: false