Conversation

@ixxeL2097
Collaborator

@ixxeL2097 ixxeL2097 commented Nov 21, 2025

This PR also allows provisioning only the required resources for the cert-manager Vault PKI, using the following values:

nameOverride: ggbridge
fullnameOverride: ggbridge

commonLabels: {gg-team: SelfHosted}

mode: server

deploymentCount: 0
serviceAccount:
  create: false

tls:
  enabled: true
  certManager:
    enabled: true
    rbac:
      create: true
    issuer:
      spec:
        vault:
          path: pki_ggbridge_prod_int/sign/ggbridge
          server: https://vault.gitguardian.org
          auth:
            kubernetes:
              role: ggbridge
              mountPath: /v1/auth/kubernetes-prod
              serviceAccountRef:
                name: ggbridge-issuer
---
# Source: ggbridge/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ggbridge-issuer
  labels:
    helm.sh/chart: ggbridge-0.0.0
    app.kubernetes.io/name: ggbridge
    app.kubernetes.io/instance: ggbridge
    app.kubernetes.io/version: "unstable"
    app.kubernetes.io/managed-by: Helm
    tenant: ggbridge
    gg-team: SelfHosted
---
# Source: ggbridge/templates/rbac.yaml
apiVersion: v1
kind: Secret
metadata:
  name: ggbridge-issuer-token
  annotations:
    kubernetes.io/service-account.name: ggbridge-issuer
type: kubernetes.io/service-account-token
---
# Source: ggbridge/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ggbridge-issuer-token-reviewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: ggbridge-issuer
    namespace: ggbridge
---
# Source: ggbridge/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ggbridge-issuer
  namespace: ggbridge
rules:
  - apiGroups: ['']
    resources: ['serviceaccounts/token']
    resourceNames: ["ggbridge-issuer"]
    verbs: ['create']
---
# Source: ggbridge/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ggbridge-issuer
  namespace: ggbridge
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ggbridge-issuer
---
# Source: ggbridge/templates/cert-manager.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ggbridge-issuer
  namespace: ggbridge
  labels:
    helm.sh/chart: ggbridge-0.0.0
    app.kubernetes.io/name: ggbridge
    app.kubernetes.io/instance: ggbridge
    app.kubernetes.io/version: "unstable"
    app.kubernetes.io/managed-by: Helm
    tenant: ggbridge
    gg-team: SelfHosted
spec:
  vault:
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes-prod
        role: ggbridge
        serviceAccountRef:
          name: ggbridge-issuer
    path: pki_ggbridge_prod_int/sign/ggbridge
    server: https://vault.gitguardian.org
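The manifests above wire three things together: cert-manager's own ServiceAccount is allowed to mint short-lived tokens for exactly one ServiceAccount (`ggbridge-issuer`, via the `resourceNames`-scoped Role), the Issuer presents those tokens to Vault through `serviceAccountRef`, and `ggbridge-issuer` holds `system:auth-delegator` so Vault can validate them with a TokenReview. The one thing that silently breaks least privilege is dropping `resourceNames` from the Role: cert-manager could then request a token for any ServiceAccount in the namespace. The following audit script is an added example, not part of the ggbridge chart or of the PR; the `MANIFESTS` dicts are constructed to mirror the rendered output shown above (the release namespace is assumed to be `ggbridge`, which the namespace-less ServiceAccount inherits at apply time), and `with_unscoped_token_role` builds the misconfigured variant for comparison.

```python
"""Audit the RBAC chain behind a cert-manager Vault Issuer using serviceAccountRef.

Added example, not code from the ggbridge chart. MANIFESTS is constructed to
mirror the rendered manifests shown in the PR description.
"""
import copy
from typing import Dict, List, Tuple

RELEASE_NS = "ggbridge"  # assumed Helm release namespace

MANIFESTS: List[Dict] = [
    {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": "ggbridge-issuer"}},
    {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/service-account-token",
     "metadata": {"name": "ggbridge-issuer-token",
                  "annotations": {"kubernetes.io/service-account.name": "ggbridge-issuer"}}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "ggbridge-issuer-token-reviewer"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "system:auth-delegator"},
     "subjects": [{"kind": "ServiceAccount", "name": "ggbridge-issuer", "namespace": "ggbridge"}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "ggbridge-issuer", "namespace": "ggbridge"},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts/token"],
                "resourceNames": ["ggbridge-issuer"], "verbs": ["create"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "ggbridge-issuer", "namespace": "ggbridge"},
     "subjects": [{"kind": "ServiceAccount", "name": "cert-manager", "namespace": "cert-manager"}],
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "ggbridge-issuer"}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
     "metadata": {"name": "ggbridge-issuer", "namespace": "ggbridge"},
     "spec": {"vault": {"server": "https://vault.gitguardian.org",
                        "path": "pki_ggbridge_prod_int/sign/ggbridge",
                        "auth": {"kubernetes": {"mountPath": "/v1/auth/kubernetes-prod",
                                                "role": "ggbridge",
                                                "serviceAccountRef": {"name": "ggbridge-issuer"}}}}}},
]


def _ns(obj: Dict, default_ns: str) -> str:
    return obj["metadata"].get("namespace", default_ns)


def _bound_roles(objs: List[Dict], subj_ns: str, subj_name: str, ns: str) -> List[str]:
    """Names of Roles in `ns` that RoleBindings in `ns` bind to the given ServiceAccount."""
    names = []
    for o in objs:
        if o["kind"] != "RoleBinding" or _ns(o, ns) != ns or o["roleRef"]["kind"] != "Role":
            continue
        for s in o.get("subjects", []):
            if (s["kind"] == "ServiceAccount" and s["name"] == subj_name
                    and s.get("namespace", ns) == subj_ns):
                names.append(o["roleRef"]["name"])
    return names


def audit_vault_issuer_rbac(objs: List[Dict], default_ns: str = RELEASE_NS,
                            cert_manager_sa: Tuple[str, str] = ("cert-manager", "cert-manager")) -> List[str]:
    """Return findings; an empty list means the token chain is complete and scoped to one SA."""
    findings: List[str] = []
    cm_ns, cm_name = cert_manager_sa
    for issuer in objs:
        if issuer["kind"] != "Issuer" or "vault" not in issuer.get("spec", {}):
            continue
        ns = _ns(issuer, default_ns)
        k8s_auth = issuer["spec"]["vault"].get("auth", {}).get("kubernetes", {})
        sa_ref = k8s_auth.get("serviceAccountRef", {}).get("name")
        if not sa_ref:
            findings.append(f"Issuer {issuer['metadata']['name']}: no serviceAccountRef, "
                            "cert-manager would log in to Vault with its own token")
            continue
        if not any(o["kind"] == "ServiceAccount" and o["metadata"]["name"] == sa_ref
                   and _ns(o, default_ns) == ns for o in objs):
            findings.append(f"ServiceAccount {ns}/{sa_ref} referenced by the Issuer does not exist")
        # cert-manager needs TokenRequest (create serviceaccounts/token) on exactly this SA.
        scoped_grant = False
        for role_name in _bound_roles(objs, cm_ns, cm_name, ns):
            role = next((o for o in objs if o["kind"] == "Role" and o["metadata"]["name"] == role_name
                         and _ns(o, default_ns) == ns), None)
            if role is None:
                findings.append(f"RoleBinding in {ns} references missing Role {role_name}")
                continue
            for rule in role.get("rules", []):
                resources, verbs = rule.get("resources", []), rule.get("verbs", [])
                if not ({"serviceaccounts/token", "*"} & set(resources) and {"create", "*"} & set(verbs)):
                    continue
                names = rule.get("resourceNames", [])
                if not names:  # unscoped: cert-manager could mint a token for any SA in the namespace
                    findings.append(f"Role {ns}/{role_name} lets cert-manager mint tokens for every "
                                    f"ServiceAccount in {ns} (no resourceNames)")
                elif names != [sa_ref]:
                    findings.append(f"Role {ns}/{role_name} grants token creation for {names}, "
                                    f"expected exactly ['{sa_ref}']")
                else:
                    scoped_grant = True
        if not scoped_grant:
            findings.append(f"cert-manager ({cm_ns}/{cm_name}) has no scoped create on "
                            f"serviceaccounts/token for {ns}/{sa_ref}")
        # Vault validates the presented token with a TokenReview, which needs system:auth-delegator.
        delegator = any(
            o["kind"] == "ClusterRoleBinding" and o["roleRef"].get("name") == "system:auth-delegator"
            and any(s["kind"] == "ServiceAccount" and s["name"] == sa_ref and s.get("namespace") == ns
                    for s in o.get("subjects", []))
            for o in objs)
        if not delegator:
            findings.append(f"{ns}/{sa_ref} lacks system:auth-delegator; Vault cannot TokenReview its tokens")
    return findings


def with_unscoped_token_role(objs: List[Dict]) -> List[Dict]:
    """Constructed misconfiguration: the same manifests with resourceNames dropped from every Role."""
    objs = copy.deepcopy(objs)
    for o in objs:
        if o["kind"] == "Role":
            for rule in o["rules"]:
                rule.pop("resourceNames", None)
    return objs


if __name__ == "__main__":
    print("as rendered:", audit_vault_issuer_rbac(MANIFESTS) or "no findings")
    print("unscoped Role:", audit_vault_issuer_rbac(with_unscoped_token_role(MANIFESTS)))
```

Run it against manifests produced by `helm template` (parsed with a YAML loader into the same dict shape) rather than the constructed list to check a real render; the equivalent live check for the token grant is `kubectl auth can-i create serviceaccounts/token -n ggbridge --as=system:serviceaccount:cert-manager:cert-manager`, which cannot express the `resourceNames` scope, which is why the script inspects the Role directly.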

@ixxeL2097 ixxeL2097 self-assigned this Nov 21, 2025
@linear

linear bot commented Nov 21, 2025

@ixxeL2097 ixxeL2097 force-pushed the fspiers/ENT-3295/cert-refactor branch from 4a0dfe3 to 29c9f05 Compare November 24, 2025 08:19
@ixxeL2097 ixxeL2097 marked this pull request as ready for review November 24, 2025 08:20
@ixxeL2097 ixxeL2097 force-pushed the fspiers/ENT-3295/cert-refactor branch from 29c9f05 to 2148d1a Compare November 24, 2025 08:20

@jCOTINEAU jCOTINEAU left a comment

Conceptually looks good to me, i have not tested, let me know if i should spin up an installation with vault etc.

@ixxeL2097
Collaborator Author

Conceptually looks good to me, i have not tested, let me know if i should spin up an installation with vault etc.

I don't think it is necessary; I already tested it on my own, and I will also gradually test it in different environments when implementing the whole solution, so it might not be worth losing your time here.

@ixxeL2097 ixxeL2097 merged commit a316e53 into main Nov 25, 2025
5 checks passed
3 participants