Enable Helm chart to reuse existing TLS secrets

oliviassss · Timothy-Dougherty · commit e3475d78d4c5 · 2023-11-09T11:29:06.000+11:00
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
@@ -187,6 +187,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `webhookTLS.caCert`                         | TLS CA certificate for webhook (auto-generated if not provided)                                          | ""                                                                                 |
 | `webhookTLS.cert`                           | TLS certificate for webhook (auto-generated if not provided)                                             | ""                                                                                 |
 | `webhookTLS.key`                            | TLS private key for webhook (auto-generated if not provided)                                             | ""                                                                                 |
+| `keepTLSSecret`                             | Keeps the usage of existing TLS Secret                                                                   | `false`                                                                            |
 | `serviceAnnotations`                        | Annotations to be added to the provisioned webhook service resource                                      | `{}`                                                                               |
 | `serviceMaxConcurrentReconciles`            | Maximum number of concurrently running reconcile loops for service                                       | None                                                                               |
 | `targetgroupbindingMaxConcurrentReconciles` | Maximum number of concurrently running reconcile loops for targetGroupBinding                            | None                                                                               |
diff --git a/helm/aws-load-balancer-controller/templates/_helpers.tpl b/helm/aws-load-balancer-controller/templates/_helpers.tpl
@@ -76,12 +76,17 @@ Create the name of the service account to use
 Generate certificates for webhook
 */}}
 {{- define "aws-load-balancer-controller.webhook-certs" -}}
+{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" $namePrefix) -}}
 {{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
 caCert: {{ .Values.webhookTLS.caCert | b64enc }}
 clientCert: {{ .Values.webhookTLS.cert | b64enc }}
 clientKey: {{ .Values.webhookTLS.key | b64enc }}
+{{- else if and .Values.keepTLSSecret $secret -}}
+caCert: {{ index $secret.data "ca.crt" }}
+clientCert: {{ index $secret.data "tls.crt" }}
+clientKey: {{ index $secret.data "tls.key" }}
 {{- else -}}
-{{- $namePrefix := ( include "aws-load-balancer-controller.namePrefix" . ) -}}
 {{- $altNames := list ( printf "%s-%s.%s" $namePrefix "webhook-service" .Release.Namespace ) ( printf "%s-%s.%s.svc" $namePrefix "webhook-service" .Release.Namespace ) -}}
 {{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
 {{- $cert := genSignedCert ( include "aws-load-balancer-controller.fullname" . ) nil $altNames 3650 $ca -}}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
@@ -133,6 +133,9 @@ webhookTLS:
   cert:
   key:
 
+# keepTLSSecret keeps using the existing TLS secrets, false by default
+keepTLSSecret: false
+
 # Maximum number of concurrently running reconcile loops for service (default 3)
 serviceMaxConcurrentReconciles:
 
