diff --git a/helm-charts/k8s-mediaserver/templates/certificate.yaml b/helm-charts/k8s-mediaserver/templates/certificate.yaml
new file mode 100644
index 0000000..df8a348
--- /dev/null
+++ b/helm-charts/k8s-mediaserver/templates/certificate.yaml
@@ -0,0 +1,45 @@
+{{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.general.certificate.enabled -}}
+---
+### CERTIFICATE
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ {{- with .Values.general.certificate.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ name: k8s-mediaserver
+ labels:
+ {{- include "k8s-mediaserver.labels" . | nindent 4 }}
+spec:
+ secretName: {{ .Values.general.certificate.secretName }}
+ commonName: {{ .Values.general.certificate.domain | quote }}
+ dnsNames:
+ - {{ .Values.general.certificate.domain | quote }}
+ {{- range .Values.general.certificate.additionalHosts }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- with .Values.general.certificate.duration }}
+ duration: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.general.certificate.renewBefore }}
+ renewBefore: {{ . | quote }}
+ {{- end }}
+ issuerRef:
+ {{- with .Values.general.certificate.issuer.group }}
+ group: {{ . | quote }}
+ {{- end }}
+ kind: {{ .Values.general.certificate.issuer.kind | quote }}
+ name: {{ .Values.general.certificate.issuer.name | quote }}
+ {{- with .Values.general.certificate.privateKey }}
+ privateKey:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.general.certificate.usages }}
+ usages:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+---
+{{- end }}
diff --git a/helm-charts/k8s-mediaserver/templates/plex-resources.yml b/helm-charts/k8s-mediaserver/templates/plex-resources.yml
index a5a032e..af23232 100644
--- a/helm-charts/k8s-mediaserver/templates/plex-resources.yml
+++ b/helm-charts/k8s-mediaserver/templates/plex-resources.yml
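Review bot: The opening guard in certificate.yaml renders nothing at all when `general.certificate.enabled` is true but the cluster does not report `cert-manager.io/v1`, so an operator who asked for TLS gets a release with no Certificate and no error. Failing the render makes that visible: before the final `{{- end }}` add `{{- else if .Values.general.certificate.enabled }}` followed by `{{- fail "general.certificate.enabled requires the cert-manager.io/v1 API" }}`. Separately, `issuerRef.name` is rendered through `quote` from a value that this commit defaults to `""` in values.yaml. Wrapping it as `name: {{ required "general.certificate.issuer.name must be set" .Values.general.certificate.issuer.name | quote }}` rejects an unset issuer at render time instead of leaving it to cert-manager.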
@@ -52,6 +52,11 @@ spec:
 persistentVolumeClaim:
 claimName: {{ .Values.plex.volume.name }}
 {{- end }}
+ {{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.general.certificate.enabled }}
+ - name: tls-secret
+ secret:
+ secretName: {{ .Values.general.certificate.secretName }} # Reference to the generated secret
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 envFrom:
@@ -90,6 +95,11 @@ spec:
 mountPath: /tv
 subPath: "{{ .Values.general.storage.subPaths.tv }}"
 {{- with .Values.plex.resources }}
+ {{- if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.general.certificate.enabled }}
+ - name: tls-secret
+ mountPath: "/etc/tls" # Path in the container where the certificate will be mounted
+ readOnly: true
+ {{- end }}
 resources:
 {{- toYaml . | nindent 12 }}
 {{- end }}
diff --git a/helm-charts/k8s-mediaserver/values.yaml b/helm-charts/k8s-mediaserver/values.yaml
index 8adf7e4..abcc805 100644
--- a/helm-charts/k8s-mediaserver/values.yaml
+++ b/helm-charts/k8s-mediaserver/values.yaml
@@ -33,6 +33,28 @@ general:
 ingress:
 ingressClassName: ""
 nodeSelector: {}
+ # TLS certificate configuration via cert-manager
+ certificate:
+ enabled: false
+ secretName: k8s-mediaserver-tls
+ domain: plex.example.com
+ additionalHosts:
+ - plex.example.com
+ - sonarr.example.com
+ - radarr.example.com
+ duration: ""
+ renewBefore: ""
+ issuer:
+ group: ""
+ kind: ""
+ name: ""
+ privateKey:
+ rotationPolicy: Never
+ encoding: PKCS1
+ algorithm: RSA
+ size: 2048
+ annotations: {}
+ usages: []
 sonarr:
 enabled: true
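Review bot: The `tls-secret` volume added in the first plex-resources.yml hunk sets no `defaultMode`, so the projected files, including the private key `tls.key`, get the Kubernetes default mode of 0644 and are readable by every user inside the container. Add `defaultMode: 0400` under `secret:` (or `0440` if the pod relies on an `fsGroup`, which this hunk does not show). `secretName` is also the only templated value here that is not passed through `quote`; `secretName: {{ .Values.general.certificate.secretName | quote }}` would match how the rest of the commit renders values. The pod spec starts and ends outside the hunk.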
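Review bot: In the second plex-resources.yml hunk the `tls-secret` volumeMount is added after the `{{- with .Values.plex.resources }}` line, so it sits inside that `with` block. There `.` is rebound to the resources map, so `.Capabilities` and `.Values` no longer refer to the chart root. The `if` is therefore expected to fail to render when `plex.resources` is set, and the whole block is skipped when it is empty, leaving the volume declared but never mounted. Move the five added lines above `{{- with .Values.plex.resources }}` so the mount stays in the `volumeMounts` list and is evaluated at root scope. The container spec starts and ends outside the hunk, so the final indentation cannot be confirmed from here.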
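Review bot: The `privateKey` defaults added to values.yaml set `rotationPolicy: Never`, which keeps the same private key across every renewal, so a key that is exposed once remains usable for all later certificates. `rotationPolicy: Always` is the safer default, with a comment such as `# set to Never only if a consumer pins the key`. The default `additionalHosts` list also repeats `plex.example.com`, which is already `domain`, so the rendered `dnsNames` carries it twice. Its `example.com` entries would be requested verbatim by anyone who overrides only `domain`, so `additionalHosts: []` is a less surprising default.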