feat(certificate): init

95gabor · Oct 12, 2024 · bd12a04 · bd12a04
1 parent c0a7869
commit bd12a04
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 0 deletions.
diff --git a/helm-charts/k8s-mediaserver/templates/certificate.yaml b/helm-charts/k8s-mediaserver/templates/certificate.yaml
@@ -0,0 +1,45 @@
+{{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.general.certificate.enabled -}}
+---
+### CERTIFICATE
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  {{- with .Values.general.certificate.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  name: k8s-mediaserver
+  labels:
+    {{- include "k8s-mediaserver.labels" . | nindent 4 }}
+spec:
+  secretName: {{ .Values.general.certificate.secretName }}
+  commonName: {{ .Values.general.certificate.domain | quote }}
+  dnsNames:
+    - {{ .Values.general.certificate.domain | quote }}
+    {{- range .Values.general.certificate.additionalHosts }}
+    - {{ . | quote }}
+    {{- end }}
+  {{- with .Values.general.certificate.duration }}
+  duration: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.general.certificate.renewBefore }}
+  renewBefore: {{ . | quote }}
+  {{- end }}
+  issuerRef:
+    {{- with .Values.general.certificate.issuer.group }}
+    group: {{ . | quote }}
+    {{- end }}
+    kind: {{ .Values.general.certificate.issuer.kind | quote }}
+    name: {{ .Values.general.certificate.issuer.name | quote }}
+  {{- with .Values.general.certificate.privateKey }}
+  privateKey:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.general.certificate.usages }}
+  usages:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
diff --git a/helm-charts/k8s-mediaserver/templates/plex-resources.yml b/helm-charts/k8s-mediaserver/templates/plex-resources.yml
@@ -52,6 +52,11 @@ spec:
           persistentVolumeClaim:
             claimName: {{ .Values.plex.volume.name }}
         {{- end }}
+        {{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.general.certificate.enabled }}
+        - name: tls-secret
+          secret:
+            secretName: {{ .Values.general.certificate.secretName }}  # Reference to the generated secret
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           envFrom:
@@ -90,6 +95,11 @@ spec:
               mountPath: /tv
               subPath: "{{ .Values.general.storage.subPaths.tv }}"
           {{- with .Values.plex.resources }}
+          {{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.general.certificate.enabled }}
+            - name: tls-secret
+              mountPath: "/etc/tls"  # Path in the container where the certificate will be mounted
+              readOnly: true
+          {{- end }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/helm-charts/k8s-mediaserver/values.yaml b/helm-charts/k8s-mediaserver/values.yaml
@@ -33,6 +33,28 @@ general:
   ingress:
     ingressClassName: ""
   nodeSelector: {}
+  # TLS certificate configuration via cert-manager
+  certificate:
+    enabled: false
+    secretName: k8s-mediaserver-tls
+    domain: plex.example.com
+    additionalHosts:
+      - plex.example.com
+      - sonarr.example.com
+      - radarr.example.com
+    duration: ""
+    renewBefore: ""
+    issuer:
+      group: ""
+      kind: ""
+      name: ""
+    privateKey:
+      rotationPolicy: Never
+      encoding: PKCS1
+      algorithm: RSA
+      size: 2048
+    annotations: {}
+    usages: []
 
 sonarr:
   enabled: true