Mirrors/Checkmate
1
0
Fork 0
mirror of https://github.com/bluewave-labs/Checkmate.git synced 2025-12-22 10:47:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(helm): default TLS secretName to <release>-* and remove duplicate prechecks file; update docs with protocol flags

Browse Source
This commit is contained in:
Craig Lawson
2025-12-03 21:43:21 +00:00
parent c1b3d325f6
commit ac901b46c3
6 changed files with 7 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
charts/helm/checkmate/INSTALLATION.md
View File

@@ -87,6 +87,8 @@ You can also enable TLS during installation using Helm's `--set` flags:
```bash ```bash
helm install checkmate ./charts/helm/checkmate \ helm install checkmate ./charts/helm/checkmate \
--set client.protocol=https \
--set server.protocol=https \
--set client.ingress.annotations."cert-manager\.io/cluster-issuer"="letsencrypt-prod" \ --set client.ingress.annotations."cert-manager\.io/cluster-issuer"="letsencrypt-prod" \
--set client.ingress.tls.enabled=true \ --set client.ingress.tls.enabled=true \
--set client.ingress.tls.secretName=checkmate-client-tls \ --set client.ingress.tls.secretName=checkmate-client-tls \

41
charts/helm/checkmate/templates/_prechecks.yaml
View File

@@ -1,41 +0,0 @@
{{- if eq .Values.client.ingress.host "change_me" }}
{{- fail "client.ingress.host must be overridden and not set to 'change_me'" }}
{{- end }}
{{- if eq .Values.server.ingress.host "change_me" }}
{{- fail "server.ingress.host must be overridden and not set to 'change_me'" }}
{{- end }}
{{- $serverProtocol := .Values.server.protocol }}
{{- if not (or (eq $serverProtocol "http") (eq $serverProtocol "https")) }}
{{- fail "server.protocol must be either 'http' or 'https'" }}
{{- end }}
{{- $clientProtocol := .Values.client.protocol }}
{{- if not (or (eq $clientProtocol "http") (eq $clientProtocol "https")) }}
{{- fail "client.protocol must be either 'http' or 'https'" }}
{{- end }}
{{/* Enforce protocol when TLS is enabled to avoid mixed-content */}}
{{- if and .Values.client.ingress.tls.enabled (ne $clientProtocol "https") }}
{{- fail "client.ingress.tls.enabled is true but client.protocol is not 'https'. Set client.protocol: https to avoid mixed content." }}
{{- end }}
{{- if and .Values.server.ingress.tls.enabled (ne $serverProtocol "https") }}
{{- fail "server.ingress.tls.enabled is true but server.protocol is not 'https'. Set server.protocol: https to ensure correct API base URL." }}
{{- end }}
{{/* Fail early if TLS enabled without cert-manager annotations (cluster-issuer or issuer) */}}
{{- $cAnn := .Values.client.ingress.annotations | default dict }}
{{- $sAnn := .Values.server.ingress.annotations | default dict }}
{{- $clientHasIssuer := or (hasKey $cAnn "cert-manager.io/cluster-issuer") (hasKey $cAnn "cert-manager.io/issuer") }}
{{- $serverHasIssuer := or (hasKey $sAnn "cert-manager.io/cluster-issuer") (hasKey $sAnn "cert-manager.io/issuer") }}
{{- if and .Values.client.ingress.tls.enabled (not $clientHasIssuer) }}
{{- fail "client.ingress.tls.enabled is true but no cert-manager issuer annotation found. Add 'cert-manager.io/cluster-issuer' or 'cert-manager.io/issuer'." }}
{{- end }}
{{- if and .Values.server.ingress.tls.enabled (not $serverHasIssuer) }}
{{- fail "server.ingress.tls.enabled is true but no cert-manager issuer annotation found. Add 'cert-manager.io/cluster-issuer' or 'cert-manager.io/issuer'." }}
{{- end }}

2
charts/helm/checkmate/templates/client-ingress.yaml
View File

@@ -15,7 +15,7 @@ spec:
tls: tls:
- hosts: - hosts:
- {{ .Values.client.ingress.host }} - {{ .Values.client.ingress.host }}
secretName: {{ .Values.client.ingress.tls.secretName }} secretName: {{ default (printf "%s-client-tls" .Release.Name) .Values.client.ingress.tls.secretName }}
{{- end }} {{- end }}
rules: rules:
- host: {{ .Values.client.ingress.host }} - host: {{ .Values.client.ingress.host }}

9
charts/helm/checkmate/templates/prechecks.yaml
View File

@@ -45,11 +45,4 @@
{{- fail "server.ingress.tls.enabled is true but no cert-manager issuer annotation found. Add 'cert-manager.io/cluster-issuer' or 'cert-manager.io/issuer'." }} {{- fail "server.ingress.tls.enabled is true but no cert-manager issuer annotation found. Add 'cert-manager.io/cluster-issuer' or 'cert-manager.io/issuer'." }}
{{- end }} {{- end }}
{{/* Secret name must be set when TLS is enabled (Ingress requires it) */}} {{/* Secret name can be omitted; we default to <release>-client|server-tls in templates */}}
{{- if and .Values.client.ingress.tls.enabled (not .Values.client.ingress.tls.secretName) }}
{{- fail "client.ingress.tls.enabled is true but client.ingress.tls.secretName is empty. Set a secretName for cert-manager to manage." }}
{{- end }}
{{- if and .Values.server.ingress.tls.enabled (not .Values.server.ingress.tls.secretName) }}
{{- fail "server.ingress.tls.enabled is true but server.ingress.tls.secretName is empty. Set a secretName for cert-manager to manage." }}
{{- end }}

2
charts/helm/checkmate/templates/server-ingress.yaml
View File

@@ -22,7 +22,7 @@ spec:
tls: tls:
- hosts: - hosts:
- {{ .Values.server.ingress.host }} - {{ .Values.server.ingress.host }}
secretName: {{ .Values.server.ingress.tls.secretName }} secretName: {{ default (printf "%s-server-tls" .Release.Name) .Values.server.ingress.tls.secretName }}
{{- end }} {{- end }}
rules: rules:
- host: {{ .Values.server.ingress.host }} - host: {{ .Values.server.ingress.host }}

4
charts/helm/checkmate/values.yaml
View File

@@ -12,7 +12,7 @@ client:
# cert-manager.io/cluster-issuer: "letsencrypt-prod" # cert-manager.io/cluster-issuer: "letsencrypt-prod"
tls: tls:
enabled: false enabled: false
# secretName: checkmate-client-tls # Uncomment and set if using TLS with cert-manager # secretName: {{ .Release.Name }}-client-tls # Optional; defaults to <release>-client-tls if omitted
# Note: when enabling TLS, also set client.protocol: https and add # Note: when enabling TLS, also set client.protocol: https and add
# a cert-manager issuer annotation (e.g. cert-manager.io/cluster-issuer: "letsencrypt-prod"). # a cert-manager issuer annotation (e.g. cert-manager.io/cluster-issuer: "letsencrypt-prod").
# The secret will be automatically created by cert-manager when using the cert-manager.io/cluster-issuer annotation # The secret will be automatically created by cert-manager when using the cert-manager.io/cluster-issuer annotation
@@ -31,7 +31,7 @@ server:
# cert-manager.io/cluster-issuer: "letsencrypt-prod" # cert-manager.io/cluster-issuer: "letsencrypt-prod"
tls: tls:
enabled: false enabled: false
# secretName: checkmate-server-tls # Uncomment and set if using TLS with cert-manager # secretName: {{ .Release.Name }}-server-tls # Optional; defaults to <release>-server-tls if omitted
# Note: when enabling TLS, also set server.protocol: https and add # Note: when enabling TLS, also set server.protocol: https and add
# a cert-manager issuer annotation (e.g. cert-manager.io/cluster-issuer: "letsencrypt-prod"). # a cert-manager issuer annotation (e.g. cert-manager.io/cluster-issuer: "letsencrypt-prod").
# The secret will be automatically created by cert-manager when using the cert-manager.io/cluster-issuer annotation # The secret will be automatically created by cert-manager when using the cert-manager.io/cluster-issuer annotation