templates/tls-init-job.yaml

# tls-init job generate Consul cluster CA and certificates for the Consul servers
# and creates Kubernetes secrets for them.
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.tls.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "consul.fullname" . }}-tls-init
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "1"
    "helm.sh/hook-delete-policy":  hook-succeeded
spec:
  template:
    metadata:
      name: {{ template "consul.fullname" . }}-tls-init
      labels:
        app: {{ template "consul.name" . }}
        chart: {{ template "consul.chart" . }}
        release: {{ .Release.Name }}
        component: tls-init
      annotations:
        "consul.hashicorp.com/connect-inject": "false"
    spec:
      restartPolicy: Never
      serviceAccountName: {{ template "consul.fullname" . }}-tls-init
      {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
      volumes:
      - name: consul-ca-cert
        secret:
          secretName: {{ .Values.global.tls.caCert.secretName }}
          items:
          - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
            path: tls.crt
      - name: consul-ca-key
        secret:
          secretName: {{ .Values.global.tls.caKey.secretName }}
          items:
          - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }}
            path: tls.key
      {{- end }}
      containers:
        - name: tls-init
          image: "{{ .Values.global.image }}"
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # We're using POST requests below to create secrets via Kubernetes API.
          # Note that in the subsequent runs of the job, POST requests will
          # return a 409 because these secrets would already exist;
          # we are ignoring these response codes.
          command:
            - "/bin/sh"
            - "-ec"
            - |
              {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }}
              consul tls ca create \
                -domain={{ .Values.global.domain }}
              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
                -H "Content-Type: application/json" \
                -H "Accept: application/json" \
                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"{{ template "consul.fullname" . }}-ca-cert\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"tls.crt\": \"$( cat {{ .Values.global.domain }}-agent-ca.pem | base64 | tr -d '\n' )\" }}" > /dev/null
              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
                -H "Content-Type: application/json" \
                -H "Accept: application/json" \
                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"{{ template "consul.fullname" . }}-ca-key\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"tls.key\": \"$( cat {{ .Values.global.domain }}-agent-ca-key.pem | base64 | tr -d '\n' )\" }}" > /dev/null
              {{- end }}
              consul tls cert create -server \
                -days=730 \
                {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
                -ca=/consul/tls/ca/cert/tls.crt \
                -key=/consul/tls/ca/key/tls.key \
                {{- end }}
                -additional-dnsname='{{ template "consul.fullname" . }}-server' \
                -additional-dnsname='*.{{ template "consul.fullname" . }}-server' \
                -additional-dnsname='*.{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}' \
                -additional-dnsname='*.{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc' \
                {{- range .Values.global.tls.serverAdditionalIPSANs }}
                -additional-ipaddress={{ . }} \
                {{- end }}
                {{- range .Values.global.tls.serverAdditionalDNSSANs }}
                 -additional-dnsname={{ . }} \
                 {{- end }}
                -dc={{ .Values.global.datacenter }} \
                -domain={{ .Values.global.domain }}
              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
                -H "Content-Type: application/json" \
                -H "Accept: application/json" \
                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"{{ template "consul.fullname" . }}-server-cert\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"kubernetes.io/tls\", \"data\": { \"tls.crt\": \"$( cat {{ .Values.global.datacenter }}-server-{{ .Values.global.domain }}-0.pem | base64 | tr -d '\n' )\", \"tls.key\": \"$( cat {{ .Values.global.datacenter }}-server-{{ .Values.global.domain }}-0-key.pem | base64 | tr -d '\n' )\" } }" > /dev/null
          {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
          volumeMounts:
            - name: consul-ca-cert
              mountPath: /consul/tls/ca/cert
              readOnly: true
            - name: consul-ca-key
              mountPath: /consul/tls/ca/key
              readOnly: true
          {{- end }}
{{- end }}
{{- end }}