
feat(charts): Add control of certificate algorithms (#5774)

Co-authored-by: Gergely Bräutigam <skarlso777@gmail.com>
Pat Riehecky 2 months ago
parent
commit
f315a65297

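--- a/deploy/charts/external-secrets/README.md
+++ b/deploy/charts/external-secrets/README.md
@@ -221,8 +221,10 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
 | webhook.certManager.cert.duration | string | `"8760h0m0s"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
 | webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
+| webhook.certManager.cert.privateKey | object | `{}` | Specific settings on the privateKey and its generation |
 | webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
 | webhook.certManager.cert.revisionHistoryLimit | int | `0` | Set the revisionHistoryLimit on the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Defaults to 0 (ignored). |
+| webhook.certManager.cert.signatureAlgorithm | string | `""` | Specific settings on the signatureAlgorithm used on the cert. signatureAlgorithm is only valid for cert-manager v1.18.0+ |
 | webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
 | webhook.create | bool | `true` | Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint. |
 | webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |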

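--- a/deploy/charts/external-secrets/templates/webhook-certificate.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-certificate.yaml
@@ -23,6 +23,13 @@ spec:
   {{- with .Values.webhook.certManager.cert.duration }}
   duration: {{ . | quote }}
   {{- end }}
+  {{- with .Values.webhook.certManager.cert.privateKey }}
+  privateKey:
+{{ toYaml . | indent 4 }}
+  {{- end }}
+  {{- if .Values.webhook.certManager.cert.signatureAlgorithm }}
+  signatureAlgorithm: {{ .Values.webhook.certManager.cert.signatureAlgorithm }}
+  {{- end }}
   {{- with .Values.webhook.certManager.cert.renewBefore }}
   renewBefore: {{ . | quote }}
   {{- end }}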
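Review bot: `signatureAlgorithm: {{ .Values.webhook.certManager.cert.signatureAlgorithm }}` is rendered unquoted, whereas the neighbouring `duration` and `renewBefore` lines pass their value through `quote`, so a value with leading/trailing whitespace or a YAML indicator would be re-typed or break the manifest rather than reach cert-manager as the string the operator wrote; the `if` also mixes styles with the surrounding `with` blocks. Suggest `{{- with .Values.webhook.certManager.cert.signatureAlgorithm }}` / `signatureAlgorithm: {{ . | quote }}` / `{{- end }}` to match the siblings. The `privateKey:` block's column-0 `{{ toYaml . | indent 4 }}` works, but `privateKey:` followed by `{{- toYaml . | nindent 4 }}` is the more common Helm form and keeps the template indented like the rest of the spec; style only. Because `privateKey` defaults to `{}`, no `rotationPolicy` is emitted by default, so whether the webhook key is regenerated at renewal falls back to the installed cert-manager's default (which I believe differs across versions); a sentence in the values comment saying rotation is opt-in here would help operators decide. The enclosing `spec:` mapping starts and ends outside this hunk.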

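--- a/deploy/charts/external-secrets/tests/webhook_test.yaml
+++ b/deploy/charts/external-secrets/tests/webhook_test.yaml
@@ -93,6 +93,38 @@ tests:
       - equal:
           path: spec.renewBefore
           value: "5d"
+      - notExists:
+          path: spec.privateKey
+      - notExists:
+          path: spec.signatureAlgorithm
+      - hasDocuments:
+          count: 1
+    templates:
+      - webhook-certificate.yaml
+  - it: should create a certificate CRD with privateKey and signatureAlgorithm
+    set:
+      webhook:
+        certManager:
+          enabled: true
+          cert:
+            privateKey:
+              algorithm: RSA
+              rotationPolicy: Always
+              size: 2048
+            signatureAlgorithm: SHA256WithRSA
+    asserts:
+      - equal:
+          path: spec.privateKey.algorithm
+          value: "RSA"
+      - equal:
+          path: spec.privateKey.rotationPolicy
+          value: "Always"
+      - equal:
+          path: spec.privateKey.size
+          value: 2048
+      - equal:
+          path: spec.signatureAlgorithm
+          value: "SHA256WithRSA"
       - hasDocuments:
           count: 1
     templates: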

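--- a/deploy/charts/external-secrets/values.schema.json
+++ b/deploy/charts/external-secrets/values.schema.json
@@ -828,11 +828,17 @@
                                         }
                                     }
                                 },
+                                "privateKey": {
+                                    "type": "object"
+                                },
                                 "renewBefore": {
                                     "type": "string"
                                 },
                                 "revisionHistoryLimit": {
                                     "type": "integer"
+                                },
+                                "signatureAlgorithm": {
+                                    "type": "string"
                                 }
                             }
                         },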
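Review bot: `"privateKey": { "type": "object" }` accepts any keys and any value types, so a misspelled `rotationpolicy` or a `size` given as a string passes chart-side validation and is only reported (or, depending on the CRD's pruning behaviour, possibly dropped) by the API server at apply time. Since the template copies the map verbatim with `toYaml`, this schema is the only point where the chart itself can catch such mistakes; suggest declaring the three keys the commit documents in values.yaml, as below, and optionally an `enum` on `signatureAlgorithm` once the accepted set has been confirmed against the cert-manager versions the chart targets. I have deliberately not proposed `additionalProperties: false`, because that would block other cert-manager privateKey fields a user may legitimately need; that trade-off is the maintainers' call. The enclosing `cert` properties object starts and ends outside this hunk.
```json
"privateKey": {
    "type": "object",
    "properties": {
        "algorithm": {
            "type": "string"
        },
        "rotationPolicy": {
            "type": "string"
        },
        "size": {
            "type": "integer"
        }
    }
},
```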

+ 8 - 0
deploy/charts/external-secrets/values.yaml

@@ -474,6 +474,14 @@ webhook:
       # since the webhook will check this far in advance that the certificate is
       # valid.
       renewBefore: ""
+      # -- Specific settings on the privateKey and its generation
+      privateKey: {}
+        # rotationPolicy: Always
+        # algorithm: RSA
+        # size: 2048
+      # -- Specific settings on the signatureAlgorithm used on the cert.
+      # signatureAlgorithm is only valid for cert-manager v1.18.0+
+      signatureAlgorithm: ""
       # -- Add extra annotations to the Certificate resource.
       annotations: {}