redpanda: Convert certs.yaml to go

This commit converts the certs.yaml helm template into equivalent go
code and adds the appropriate bridge to render the output as a
multi-document YAML file.

Fixes #1111

Taskfile.yaml

@@ -89,6 +89,7 @@ tasks:
   go:generate:gotohelm:
     desc: "Generate files for the gotohelm go package"
     cmds:
+    - go test ./pkg/gotohelm -run 'TestTranspile/bootstrap' -update
     # Hoist shims.yaml from the bootstrap package and update the names to _shims.
     - cp ./pkg/gotohelm/testdata/src/example/bootstrap/bootstrap.yaml ./pkg/gotohelm/shims.yaml
     # Use nix develop here to ensure that sed is always gnu sed.

charts/redpanda/certs.go

@@ -0,0 +1,126 @@
+// +gotohelm:filename=certs.go.tpl
+package redpanda
+
+import (
+	"fmt"
+	"strings"
+
+	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	"github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+)
+
+func ClientCerts(dot *helmette.Dot) []certmanagerv1.Certificate {
+	if !TLSEnabled(dot) {
+		return []certmanagerv1.Certificate{}
+	}
+
+	values := helmette.Unwrap[Values](dot.Values)
+
+	fullname := Fullname(dot)
+	service := ServiceName(dot)
+	ns := dot.Release.Namespace
+	domain := strings.TrimSuffix(values.ClusterDomain, ".")
+
+	certs := []certmanagerv1.Certificate{}
+	for name, data := range values.TLS.Certs {
+		if !helmette.Empty(data.SecretRef) {
+			continue
+		}
+
+		names := []string{}
+		if data.IssuerRef == nil || ptr.Deref(data.ApplyInternalDNSNames, false) {
+			names = append(names, fmt.Sprintf("%s-cluster.%s.%s.svc.%s", fullname, service, ns, domain))
+			names = append(names, fmt.Sprintf("%s-cluster.%s.%s.svc", fullname, service, ns))
+			names = append(names, fmt.Sprintf("%s-cluster.%s.%s", fullname, service, ns))
+			names = append(names, fmt.Sprintf("*.%s-cluster.%s.%s.svc.%s", fullname, service, ns, domain))
+			names = append(names, fmt.Sprintf("*.%s-cluster.%s.%s.svc", fullname, service, ns))
+			names = append(names, fmt.Sprintf("*.%s-cluster.%s.%s", fullname, service, ns))
+			names = append(names, fmt.Sprintf("%s.%s.svc.%s", service, ns, domain))
+			names = append(names, fmt.Sprintf("%s.%s.svc", service, ns))
+			names = append(names, fmt.Sprintf("%s.%s", service, ns))
+			names = append(names, fmt.Sprintf("*.%s.%s.svc.%s", service, ns, domain))
+			names = append(names, fmt.Sprintf("*.%s.%s.svc", service, ns))
+			names = append(names, fmt.Sprintf("*.%s.%s", service, ns))
+		}
+
+		if values.External.Domain != nil {
+			names = append(names, helmette.Tpl(*values.External.Domain, dot))
+			names = append(names, helmette.Tpl(fmt.Sprintf("*.%s", *values.External.Domain), dot))
+		}
+
+		duration := helmette.Default("43800h", data.Duration).(string)
+		issuerRef := ptr.Deref(data.IssuerRef, cmmeta.ObjectReference{
+			Kind:  "Issuer",
+			Group: "cert-manager.io",
+			Name:  fmt.Sprintf("%s-%s-root-issuer", fullname, name),
+		})
+
+		certs = append(certs, certmanagerv1.Certificate{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "cert-manager.io/v1",
+				Kind:       "Certificate",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("%s-%s-cert", fullname, name),
+				Labels:    FullLabels(dot),
+				Namespace: dot.Release.Namespace,
+			},
+			Spec: certmanagerv1.CertificateSpec{
+				DNSNames:   names,
+				Duration:   helmette.MustDuration(duration),
+				IsCA:       false,
+				IssuerRef:  issuerRef,
+				SecretName: fmt.Sprintf("%s-%s-cert", fullname, name),
+				PrivateKey: &certmanagerv1.CertificatePrivateKey{
+					Algorithm: "ECDSA",
+					Size:      256,
+				},
+			},
+		})
+	}
+
+	name := values.Listeners.Kafka.TLS.Cert
+
+	data, ok := values.TLS.Certs[name]
+	if !ok || (helmette.Empty(data.SecretRef) && !ClientAuthRequired(dot)) {
+		return certs
+	}
+
+	issuerRef := cmmeta.ObjectReference{
+		Group: "cert-manager.io",
+		Kind:  "Issuer",
+		Name:  fmt.Sprintf("%s-%s-root-issuer", fullname, name),
+	}
+
+	if data.IssuerRef != nil {
+		issuerRef = *data.IssuerRef
+		issuerRef.Group = "cert-manager.io"
+	}
+
+	duration := helmette.Default("43800h", data.Duration).(string)
+
+	return append(certs, certmanagerv1.Certificate{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "cert-manager.io/v1",
+			Kind:       "Certificate",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   fmt.Sprintf("%s-client", fullname),
+			Labels: FullLabels(dot),
+		},
+		Spec: certmanagerv1.CertificateSpec{
+			CommonName: fmt.Sprintf("%s-client", fullname),
+			Duration:   helmette.MustDuration(duration),
+			IsCA:       false,
+			SecretName: fmt.Sprintf("%s-client", fullname),
+			PrivateKey: &certmanagerv1.CertificatePrivateKey{
+				Algorithm: "ECDSA",
+				Size:      256,
+			},
+			IssuerRef: issuerRef,
+		},
+	})
+}

charts/redpanda/helpers.go

@@ -194,7 +194,7 @@ func InternalDomain(dot *helmette.Dot) string {
 func TLSEnabled(dot *helmette.Dot) bool {
 	values := helmette.Unwrap[Values](dot.Values)
 
-	if values.TLS.Enabled != nil && *values.TLS.Enabled {
+	if values.TLS.Enabled {
 		return true
 	}
 

charts/redpanda/templates/_helpers.go.tpl

@@ -178,7 +178,7 @@
 {{- $dot := (index .a 0) -}}
 {{- range $_ := (list 1) -}}
 {{- $values := $dot.Values.AsMap -}}
-{{- if (and (ne $values.tls.enabled (coalesce nil)) $values.tls.enabled) -}}
+{{- if $values.tls.enabled -}}
 {{- (dict "r" true) | toJson -}}
 {{- break -}}
 {{- end -}}

charts/redpanda/templates/_shims.tpl

@@ -75,3 +75,16 @@
 {{- end -}}
 {{- end -}}
 
+{{- define "_shims.ptr_Deref" -}}
+{{- $ptr := (index .a 0) -}}
+{{- $def := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- if (ne $ptr (coalesce nil)) -}}
+{{- (dict "r" $ptr) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- (dict "r" $def) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+

charts/redpanda/templates/certs.go.tpl

@@ -0,0 +1,61 @@
+{{- /* Generated from "certs.go" */ -}}
+
+{{- define "redpanda.ClientCerts" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}}
+{{- (dict "r" (list )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}}
+{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}}
+{{- $ns := $dot.Release.Namespace -}}
+{{- $domain := (trimSuffix "." $values.clusterDomain) -}}
+{{- $certs := (list ) -}}
+{{- range $name, $data := $values.tls.certs -}}
+{{- if (not (empty $data.secretRef)) -}}
+{{- continue -}}
+{{- end -}}
+{{- $names := (list ) -}}
+{{- if (or (eq $data.issuerRef (coalesce nil)) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}}
+{{- $names = (mustAppend $names (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain)) -}}
+{{- $names = (mustAppend $names (printf "%s-cluster.%s.%s.svc" $fullname $service $ns)) -}}
+{{- $names = (mustAppend $names (printf "%s-cluster.%s.%s" $fullname $service $ns)) -}}
+{{- $names = (mustAppend $names (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain)) -}}
+{{- $names = (mustAppend $names (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns)) -}}
+{{- $names = (mustAppend $names (printf "*.%s-cluster.%s.%s" $fullname $service $ns)) -}}
+{{- $names = (mustAppend $names (printf "%s.%s.svc.%s" $service $ns $domain)) -}}
+{{- $names = (mustAppend $names (printf "%s.%s.svc" $service $ns)) -}}
+{{- $names = (mustAppend $names (printf "%s.%s" $service $ns)) -}}
+{{- $names = (mustAppend $names (printf "*.%s.%s.svc.%s" $service $ns $domain)) -}}
+{{- $names = (mustAppend $names (printf "*.%s.%s.svc" $service $ns)) -}}
+{{- $names = (mustAppend $names (printf "*.%s.%s" $service $ns)) -}}
+{{- end -}}
+{{- if (ne $values.external.domain (coalesce nil)) -}}
+{{- $names = (mustAppend $names (tpl $values.external.domain $dot)) -}}
+{{- $names = (mustAppend $names (tpl (printf "*.%s" $values.external.domain) $dot)) -}}
+{{- end -}}
+{{- $duration := (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (default "43800h" $data.duration)) ))) "r") -}}
+{{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}}
+{{- $certs = (mustAppend $certs (mustMergeOverwrite (mustMergeOverwrite (dict ) (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) )) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" $duration "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" 256 )) )) ))) -}}
+{{- end -}}
+{{- $name := $values.listeners.kafka.tls.cert -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_1.T2 -}}
+{{- $data := $tmp_tuple_1.T1 -}}
+{{- if (or (not $ok) ((and (empty $data.secretRef) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r"))))) -}}
+{{- (dict "r" $certs) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $issuerRef := (mustMergeOverwrite (dict "name" "" ) (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname $name) )) -}}
+{{- if (ne $data.issuerRef (coalesce nil)) -}}
+{{- $issuerRef = $data.issuerRef -}}
+{{- $_ := (set $issuerRef "group" "cert-manager.io") -}}
+{{- end -}}
+{{- $duration := (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (default "43800h" $data.duration)) ))) "r") -}}
+{{- (dict "r" (mustAppend $certs (mustMergeOverwrite (mustMergeOverwrite (dict ) (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) )) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" $duration "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" 256 )) "issuerRef" $issuerRef )) )))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+

charts/redpanda/templates/certs.yaml

@@ -14,93 +14,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-{{- if (include "tls-enabled" . | fromJson).bool }}
-  {{- $root := deepCopy . }}
-  {{- $service := include "redpanda.servicename" . }}
-  {{- $ns := .Release.Namespace }}
-  {{- $domain := .Values.clusterDomain | trimSuffix "." }}
-  {{- $listeners := .Values.listeners }}
-  {{- $values := .Values }}
-  {{- range $name, $data := .Values.tls.certs }}
-    {{- if (empty $data.secretRef ) }}
-      {{- $d := $data.duration }}
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
-  namespace: {{ $ns | quote }}
-      {{- with include "full.labels" $root }}
-  labels:
-        {{- . | nindent 4 }}
-      {{- end }}
-spec:
-  dnsNames:
-      {{- if or (empty $data.issuerRef) (dig "applyInternalDNSNames" false $data) }}
-    - {{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc.%s" $service $ns $domain }}
-    - {{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc" $service $ns }}
-    - {{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s" $service $ns }}
-    - "*.{{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc.%s" $service $ns $domain }}"
-    - "*.{{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc" $service $ns }}"
-    - "*.{{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s" $service $ns }}"
-    - {{ printf "%s.%s.svc.%s" $service $ns $domain }}
-    - {{ printf "%s.%s.svc" $service $ns }}
-    - {{ printf "%s.%s" $service $ns }}
-    - {{ printf "*.%s.%s.svc.%s" $service $ns $domain | quote }}
-    - {{ printf "*.%s.%s.svc" $service $ns | quote }}
-    - {{ printf "*.%s.%s" $service $ns | quote }}
-      {{- end }}
-      {{- if (tpl ($values.external.domain | default "") $) }}
-    - "{{ tpl $values.external.domain $ }}"
-    - "*.{{ tpl $values.external.domain $ }}"
-      {{- end }}
-  duration: {{ $d | default "43800h" }}
-  isCA: false
-  secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
-  privateKey:
-    algorithm: ECDSA
-    size: 256
-      {{- if not (empty $data.issuerRef) }}
-  issuerRef:
-        {{- toYaml $data.issuerRef | nindent 4 }}
-    group: cert-manager.io
-      {{- else }}
-  issuerRef:
-    name: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-issuer
-    kind: Issuer
-    group: cert-manager.io
-      {{- end }}
-    {{- end }}
-  {{- end }}
+{{-  $docs := (get ((include "redpanda.ClientCerts" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $doc := $docs }}
 ---
-  {{- $name := .Values.listeners.kafka.tls.cert }}
-  {{- $data := get .Values.tls.certs $name }}
-  {{- if and (empty $data.secretRef) (include "client-auth-required" . | fromJson).bool }}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ template "redpanda.fullname" $ }}-client
-  namespace: {{ $ns | quote }}
-  {{- with include "full.labels" $root }}
-  labels: {{- . | nindent 4 }}
-  {{- end }}
-spec:
-  commonName: {{ template "redpanda.fullname" $ }}-client
-  duration: {{ $data.duration | default "43800h" }}
-  isCA: false
-  secretName: {{ template "redpanda.fullname" $ }}-client
-  privateKey:
-    algorithm: ECDSA
-    size: 256
-  {{- if not (empty $data.issuerRef) }}
-  issuerRef: {{- toYaml $data.issuerRef | nindent 4 }}
-    group: cert-manager.io
-  {{- else }}
-  issuerRef:
-    name: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-issuer
-    kind: Issuer
-    group: cert-manager.io
-  {{- end }}
-  {{- end }}
+{{ toYaml $doc }}
 {{- end }}