authorAndrew Garrett <andrewgarrett@google.com>2023-06-06 05:38:49 +1000
committerGitHub <noreply@github.com>2023-06-05 12:38:49 -0700
commitabef448c518249d0e3b8042fc6ce8059e7004e5f (patch)
tree03fbfd5e0f51dc0f154b8dc1d2152a5c30c8a26e
parent65b4dc6448f6f17ba2696be5301d62c699f4413f (diff)
downloadseaweedfs-abef448c518249d0e3b8042fc6ce8059e7004e5f.tar.xz
seaweedfs-abef448c518249d0e3b8042fc6ce8059e7004e5f.zip
Fix Helm chart enableSecurity flag (#4537)
Fix Helm chart enableSecurity flag: - Add a parameter for whether to use v1alpha cert-manager CRDs, default off. - Use the self-signed Issuer only for the initial CA certificates; create a new Issuer that uses the generated CA certificate and use that for all the others
-rw-r--r--k8s/charts/seaweedfs/templates/ca-cert.yaml2
-rw-r--r--k8s/charts/seaweedfs/templates/cert-caissuer.yaml10
-rw-r--r--k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml2
-rw-r--r--k8s/charts/seaweedfs/templates/client-cert.yaml14
-rw-r--r--k8s/charts/seaweedfs/templates/filer-cert.yaml14
-rw-r--r--k8s/charts/seaweedfs/templates/master-cert.yaml14
-rw-r--r--k8s/charts/seaweedfs/templates/volume-cert.yaml14
-rw-r--r--k8s/charts/seaweedfs/values.yaml2
8 files changed, 46 insertions, 26 deletions
diff --git a/k8s/charts/seaweedfs/templates/ca-cert.yaml b/k8s/charts/seaweedfs/templates/ca-cert.yaml
index 056f01502..9b74db0b1 100644
--- a/k8s/charts/seaweedfs/templates/ca-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/ca-cert.yaml
@@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-ca-cert
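Review bot: With `alphacrds: true` this line renders `apiVersion: cert-manager.io/v1alpha1`, and as far as I know the `cert-manager.io` group only ever served `v1alpha2` and `v1alpha3` as alpha versions (`v1alpha1` belonged to the old `certmanager.k8s.io` group), so the flag would select a version that no cert-manager release serves. The flag also switches only the version string, while the certificate templates in this commit now use the v1 field names `subject.organizations` and `privateKey`, which to my knowledge the alpha schemas did not have. I would either hard-code `apiVersion: cert-manager.io/v1` or gate the spec fields on the same flag. The same expression is repeated in cert-caissuer.yaml, cert-clusterissuer.yaml and the client, filer, master and volume certificate templates; the Certificate body here continues outside the hunk.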
diff --git a/k8s/charts/seaweedfs/templates/cert-caissuer.yaml b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
new file mode 100644
index 000000000..864652393
--- /dev/null
+++ b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.global.enableSecurity }}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Issuer
+metadata:
+ name: {{ template "seaweedfs.name" . }}-ca-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ ca:
+ secretName: {{ template "seaweedfs.name" . }}-ca-cert
+{{- end }}
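Review bot: The new Issuer works only if the secret named at `spec.ca.secretName` exists in `.Release.Namespace` and holds a certificate issued with `isCA: true`; the spec of ca-cert.yaml is outside this diff, so both should be confirmed there. Because every component certificate is now signed by this CA, anyone who can create `Certificate` or `CertificateRequest` objects in the release namespace, or read the CA secret, can obtain a certificate the components will accept. I would record that in the template with a comment above `kind: Issuer`, for example `# Signs all component certs; limit create on certificates/certificaterequests and get on the CA secret in this namespace`.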
diff --git a/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml b/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
index d0bd42593..2604927db 100644
--- a/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
+++ b/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
@@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: ClusterIssuer
metadata:
name: {{ template "seaweedfs.name" . }}-clusterissuer
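Review bot: After this commit the self-signed issuer is, per the commit description, used only to bootstrap the CA certificate, yet it stays a cluster-scoped `ClusterIssuer`. That makes a namespaced chart need cluster-level RBAC to install, and since the name is built from `seaweedfs.name` alone, two releases in different namespaces would presumably collide on it. A namespaced `kind: Issuer` with `namespace: {{ .Release.Namespace }}` would be enough, with `issuerRef.kind` in ca-cert.yaml changed to match (that part of ca-cert.yaml is not visible here).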
diff --git a/k8s/charts/seaweedfs/templates/client-cert.yaml b/k8s/charts/seaweedfs/templates/client-cert.yaml
index 4d27b5659..7960c3f8d 100644
--- a/k8s/charts/seaweedfs/templates/client-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/client-cert.yaml
@@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-client-cert
@@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-client-cert
issuerRef:
- name: {{ template "seaweedfs.name" . }}-clusterissuer
- kind: ClusterIssuer
+ name: {{ template "seaweedfs.name" . }}-ca-issuer
+ kind: Issuer
commonName: {{ .Values.certificates.commonName }}
- organization:
+ subject:
+ organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
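Review bot: The leaf certificate keeps `"SeaweedFS CA"` as its organization and takes its `commonName` from the single `.Values.certificates.commonName`, and the identical lines appear in filer-cert.yaml, master-cert.yaml and volume-cert.yaml. As a result all four certificates carry the same subject and the same wildcard `dnsNames`, so a peer cannot tell a client from a master by certificate identity, and any per-component common-name allow-listing on the SeaweedFS side would have nothing to distinguish. If that is intended, a comment above `subject:` such as `# all components share one subject; authorization relies on CA trust only` would make it explicit. Otherwise a per-component common name is worth considering. The rest of the `dnsNames` list is outside this hunk.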
@@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
- keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
- keySize: {{ .Values.certificates.keySize }}
+ privateKey:
+ algorithm: {{ .Values.certificates.keyAlgorithm }}
+ size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}
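Review bot: `privateKey.algorithm` is filled straight from `.Values.certificates.keyAlgorithm`, whose default is not part of this diff, and the v1 Certificate schema accepts only `RSA`, `ECDSA` or `Ed25519` in exactly that casing, whereas the old `keyAlgorithm` field took lowercase values. If values.yaml still carries a lowercase default, the API server will reject every component certificate once `enableSecurity` is on. I would update the default in values.yaml and add a comment there listing the accepted values. The same hunk appears in filer-cert.yaml, master-cert.yaml and volume-cert.yaml.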
diff --git a/k8s/charts/seaweedfs/templates/filer-cert.yaml b/k8s/charts/seaweedfs/templates/filer-cert.yaml
index 855183c54..3c3565d33 100644
--- a/k8s/charts/seaweedfs/templates/filer-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/filer-cert.yaml
@@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-filer-cert
@@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-filer-cert
issuerRef:
- name: {{ template "seaweedfs.name" . }}-clusterissuer
- kind: ClusterIssuer
+ name: {{ template "seaweedfs.name" . }}-ca-issuer
+ kind: Issuer
commonName: {{ .Values.certificates.commonName }}
- organization:
+ subject:
+ organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
@@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
- keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
- keySize: {{ .Values.certificates.keySize }}
+ privateKey:
+ algorithm: {{ .Values.certificates.keyAlgorithm }}
+ size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}
diff --git a/k8s/charts/seaweedfs/templates/master-cert.yaml b/k8s/charts/seaweedfs/templates/master-cert.yaml
index a8b0fc1d1..1377ccda4 100644
--- a/k8s/charts/seaweedfs/templates/master-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/master-cert.yaml
@@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-master-cert
@@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-master-cert
issuerRef:
- name: {{ template "seaweedfs.name" . }}-clusterissuer
- kind: ClusterIssuer
+ name: {{ template "seaweedfs.name" . }}-ca-issuer
+ kind: Issuer
commonName: {{ .Values.certificates.commonName }}
- organization:
+ subject:
+ organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
@@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
- keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
- keySize: {{ .Values.certificates.keySize }}
+ privateKey:
+ algorithm: {{ .Values.certificates.keyAlgorithm }}
+ size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}
diff --git a/k8s/charts/seaweedfs/templates/volume-cert.yaml b/k8s/charts/seaweedfs/templates/volume-cert.yaml
index 72c62a0f5..4167867b1 100644
--- a/k8s/charts/seaweedfs/templates/volume-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/volume-cert.yaml
@@ -1,5 +1,5 @@
{{- if .Values.global.enableSecurity }}
-apiVersion: certmanager.k8s.io/v1alpha1
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-volume-cert
@@ -7,10 +7,11 @@ metadata:
spec:
secretName: {{ template "seaweedfs.name" . }}-volume-cert
issuerRef:
- name: {{ template "seaweedfs.name" . }}-clusterissuer
- kind: ClusterIssuer
+ name: {{ template "seaweedfs.name" . }}-ca-issuer
+ kind: Issuer
commonName: {{ .Values.certificates.commonName }}
- organization:
+ subject:
+ organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ .Release.Namespace }}'
@@ -26,8 +27,9 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
- keyAlgorithm: {{ .Values.certificates.keyAlgorithm }}
- keySize: {{ .Values.certificates.keySize }}
+ privateKey:
+ algorithm: {{ .Values.certificates.keyAlgorithm }}
+ size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index 4a9638d31..05bdf4f69 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -9,6 +9,8 @@ global:
restartPolicy: Always
loggingLevel: 1
enableSecurity: false
+ certificates:
+ alphacrds: false
monitoring:
enabled: false
gatewayHost: null
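Review bot: The new `alphacrds` key is added without a comment, and it sits under `global.certificates` while the templates read the key settings from a separate top-level `certificates` map (`.Values.certificates.keyAlgorithm` and friends), which is easy to confuse. I would add a comment above it, for example `# render cert-manager resources with the alpha apiVersion instead of v1; only takes effect when enableSecurity is true`, and say which cert-manager releases it is meant for.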