feat(helm): prepare certificate refactor

Frederic Spiers · Frederic Spiers · commit 4a0dfe303673 · 2025-11-21T17:54:27.000+01:00
diff --git a/helm/ggbridge/templates/_helpers.tpl b/helm/ggbridge/templates/_helpers.tpl
@@ -566,9 +566,17 @@ Returns cert-manager issuer spec for TLS config
 {{- $fullname := include "ggbridge.fullname" . -}}
 {{- $spec := dict -}}
 {{- if hasKey .Values.tls.certManager.issuer.spec "vault" -}}
-  {{- $spec = dict "vault" (dict "auth" (dict "kubernetes" (dict "secretRef" (dict "name" (printf "%s-issuer-token" $fullname) "key" "token")))) -}}
+  {{- $userKubernetesAuth := dig "vault" "auth" "kubernetes" dict .Values.tls.certManager.issuer.spec -}}
+  {{- $kubernetesAuth := dict -}}
+  
+  {{/* Only add secretRef if user hasn't provided secretRef OR serviceAccountRef */}}
+  {{- if and (not (hasKey $userKubernetesAuth "secretRef")) (not (hasKey $userKubernetesAuth "serviceAccountRef")) -}}
+    {{- $_ := set $kubernetesAuth "secretRef" (dict "name" (printf "%s-issuer-token" $fullname) "key" "token") -}}
+  {{- end -}}
+  
+  {{- $spec = dict "vault" (dict "auth" (dict "kubernetes" $kubernetesAuth)) -}}
 {{- end -}}
-{{- $spec = include "ggbridge.tplvalues.merge" ( dict "values" ( list .Values.tls.certManager.issuer.spec $spec ) "context" . ) | fromYaml -}}
+{{- $spec = include "ggbridge.tplvalues.merge" ( dict "values" ( list $spec .Values.tls.certManager.issuer.spec ) "context" . ) | fromYaml -}}
 {{ include "ggbridge.tplvalues.render" ( dict "value" $spec "context" .) }}
 {{- end -}}
 
diff --git a/helm/ggbridge/templates/cert-manager.yaml b/helm/ggbridge/templates/cert-manager.yaml
@@ -1,6 +1,6 @@
-{{- if .Values.tls.certManager.enabled -}}
-  {{- $fullname := include "ggbridge.fullname" . -}}
-  {{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}
+{{- $fullname := include "ggbridge.fullname" . -}}
+{{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}
+{{- if and .Values.tls.certManager.enabled (not (hasKey .Values.tls.certManager.issuer.spec "vault")) -}}
   {{- if .Values.tls.certManager.issuer.spec }}
     {{- if hasKey .Values.tls.certManager.issuer.spec "selfSigned" -}}
 ---
@@ -69,3 +69,18 @@ spec:
     {{- end }}
   {{- end }}
 {{- end }}
+{{- if hasKey .Values.tls.certManager.issuer.spec "vault" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ printf "%s-issuer" $fullname }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "ggbridge.labels" $ | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- include "ggbridge.certManager.issuer.spec" . | nindent 2 }}
+{{- end }}
diff --git a/helm/ggbridge/templates/client/cert-manager.yaml b/helm/ggbridge/templates/client/cert-manager.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.tls.certManager.enabled -}}
+{{- if and .Values.tls.certManager.enabled (and (not (empty .Values.tls.certManager.issuer.spec)) (not (hasKey .Values.tls.certManager.issuer.spec "vault"))) -}}
   {{- $fullname := include "ggbridge.fullname" . -}}
   {{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}
   {{- $clientFullname := include "ggbridge.client.fullname" $ -}}
diff --git a/helm/ggbridge/templates/rbac.yaml b/helm/ggbridge/templates/rbac.yaml
@@ -45,7 +45,21 @@ metadata:
   annotations:
     kubernetes.io/service-account.name: {{ printf "%s-issuer" $fullname }}
 type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ printf "%s-issuer" $fullname }}-token-reviewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: {{ printf "%s-issuer" $fullname }}
+    namespace: {{ .Release.Namespace }}
   {{- end }}
+  {{- if .Values.tls.certManager.rbac.subjects }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -79,7 +93,6 @@ rules:
       - 'list'
       - 'watch'
       - 'create'
-  {{- if .Values.tls.certManager.rbac.subjects }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{{- if .Values.tls.certManager.enabled -}}`
	`1`	`+{{- if and .Values.tls.certManager.enabled (and (not (empty .Values.tls.certManager.issuer.spec)) (not (hasKey .Values.tls.certManager.issuer.spec "vault"))) -}}`
`2`	`2`	`{{- $fullname := include "ggbridge.fullname" . -}}`
`3`	`3`	`{{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}`
`4`	`4`	`{{- $clientFullname := include "ggbridge.client.fullname" $ -}}`