Allow setting existing secret name for TLS certs (#233)

* allow change of cert secret name

* change to helpers.tpl

* update secretName

* fix certname

* fix name of default

* set static name

* Removing comment

* update Readme and set cert name as ${mail.fullname}

* update test file name

* add create

* Removing the certs.existing. As this was not setup to be used.

* Update to allow setting only existingSecret or certs.create

* allow existing secret to add certs script

---------

Co-authored-by: nicholasm <nicholas.matters@prontocloud.com.au>

README.md

@@ -640,7 +640,8 @@ Chart configuration is as follows:
 | `nodeSelector` | `{}` | Standard Kubernetes stuff |
 | `tolerations` | `[]` | Standard Kubernetes stuff |
 | `affinity` | `{}` | Standard Kubernetes stuff |
-| `certs.create` | `{}` | Auto generate TLS certificates for Postfix |
+| `certs.create` | `false` | Auto generate TLS certificates for Postfix |
+| `certs.existingSecret` | `""` | Existing secret containing the TLS certificates for Postfix |
 | `extraVolumes` | `[]` | Append any extra volumes to the pod |
 | `extraVolumeMounts` | `[]` | Append any extra volume mounts to the postfix container |
 | `extraInitContainers` | `[]` | Execute any extra init containers on startup |

helm/mail/templates/_helpers.tpl

@@ -76,3 +76,14 @@ checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . |
 configmap.reloader.stakater.com/reload: "{{ include "mail.fullname" . }}"
 {{- end -}}
 
+{{/*
+Return the secret containing HTTPS/TLS certificates
+*/}}
+{{- define "tls.secretName" -}}
+{{- $secretName := .Values.certs.existingSecret -}}
+{{- if $secretName -}}
+    {{- printf "%s" (tpl $secretName .) -}}
+{{- else -}}
+    {{- printf "%s-certs" (include "mail.fullname" .) -}}
+{{- end -}}
+{{- end -}}

helm/mail/templates/configmap.yaml

@@ -16,7 +16,7 @@ data:
   {{- range $key, $value := .Values.config.opendkim }}
   OPENDKIM_{{ $key }}: {{ $value | quote }}
   {{- end }}
-  {{- if .Values.certs.create }}
+  {{- if or .Values.certs.create .Values.certs.existingSecret }}
   _enable_tls.sh: |
     #!/usr/bin/env bash
     set -e

helm/mail/templates/secret-cert.yaml

@@ -10,7 +10,7 @@ apiVersion: v1
 kind: Secret
 type: kubernetes.io/tls
 metadata:
-  name: {{ $fullName }}-certs
+  name: {{ include "tls.secretName" . }}
   labels:
     {{- $labels | nindent 4 }}
   annotations:

helm/mail/templates/statefulset.yaml

@@ -117,7 +117,7 @@ spec:
               subPath: logrotate.sh
             {{- end }}
             {{- end }}
-            {{- if .Values.certs.create }}
+            {{- if or .Values.certs.create .Values.certs.existingSecret }}
             - name: certs
               mountPath: /var/run/certs
               readOnly: true
@@ -189,14 +189,14 @@ spec:
       volumes:
         - name: tmp
           emptyDir: {}
-        {{- if .Values.certs.create }}
+        {{- if or .Values.certs.create .Values.certs.existingSecret }}
         - name: certs-init
           configMap:
             name: {{ $fullName }}
             defaultMode: 0755
         - name: certs
           secret:
-            secretName: {{ $fullName }}-certs
+            secretName: {{ include "tls.secretName" . }}
         {{- end }}
         # Socket directories
         {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}

helm/mail/values.yaml

@@ -138,8 +138,8 @@ container:
 certs:
   # Auto-generate certificates for the server and mount them into Postfix volume
   create: false
-  # Provide existing cert
-  existing: false
+  # Provide existing secret name
+  existingSecret: ""
 
 # Define data which should be stored in a Secret
 # (and shared with the pod as environment variables)

helm/test_16_certs_existing_secret.yml

@@ -0,0 +1,3 @@
+certs:
+  create: false
+  existingSecret: "controller-generated-secret"