mount envoy volumes correctly

charts/envoy/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/envoy/templates/_environment.tpl

@@ -54,6 +54,37 @@ If the web auth cookie domain isn't specified, compute it from the origin
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+If the path to the certificates isn't provided, compute it from the certificates values
+*/}}
+{{- define "envoy.nodeCerts" -}}
+{{- if .Values.trisa.node.certs -}}
+{{ .Values.trisa.node.certs }}
+{{- else -}}
+{{- if .Values.certificate.name -}}
+{{ .Values.certificate.mountPath }}/{{ .Values.certificate.name }}
+{{- else -}}
+{{ .Values.certificate.mountPath}}/trisa-certificate.pem
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+If the path to the TRISA cert pool isn't provided, compute it from the certificates values
+*/}}
+{{- define "envoy.nodePool" -}}
+{{- if .Values.trisa.node.pool -}}
+{{ .Values.trisa.node.pool }}
+{{- else -}}
+{{- if .Values.certificate.name -}}
+{{ .Values.certificate.mountPath }}/{{ .Values.certificate.name }}
+{{- else -}}
+{{ .Values.certificate.mountPath}}/trisa-certificate.pem
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 If the web auth cookie domain isn't specified, compute it from the origin
 */}}
@@ -129,9 +160,9 @@ env:
   - name: TRISA_NODE_BIND_ADDR
     value: {{ include "envoy.grpcBindAddr" . | quote }}
   - name: TRISA_NODE_POOL
-    value: {{ .Values.trisa.node.pool | quote }}
+    value: {{ include "envoy.nodePool" . | quote }}
   - name: TRISA_NODE_CERTS
-    value: {{ .Values.trisa.node.certs | quote }}
+    value: {{ include "envoy.nodeCerts" . | quote }}
   - name: TRISA_NODE_KEY_EXCHANGE_CACHE_TTL
     value: {{ .Values.trisa.node.keyExchangeCacheTTL | quote }}
   - name: TRISA_NODE_DIRECTORY_INSECURE

charts/envoy/templates/_helpers.tpl

@@ -94,3 +94,50 @@ Selector labels
 app.kubernetes.io/name: {{ include "envoy.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+All volume mounts for the envoy node
+*/}}
+{{- define "envoy.volumeMounts" -}}
+volumeMounts:
+  {{- include "envoy.volumeMounts.certs" . | nindent 2 }}
+  {{- include "envoy.volumeMounts.nodeData" . | nindent 2 }}
+{{- end }}
+
+{{/*
+Volume mounts for the certificates secret
+*/}}
+{{- define "envoy.volumeMounts.certs" -}}
+- name: {{ include "envoy.name" . }}-certs
+  mountPath: {{ .Values.certificate.mountPath }}
+  readOnly: true
+{{- end }}
+
+{{/*
+Volume mounts for the certificates secret
+*/}}
+{{- define "envoy.volumeMounts.nodeData" -}}
+- name: {{ include "envoy.name" . }}-data
+  MountPath: {{ .Values.storage.nodeData.mountPath }}
+{{- end }}
+
+{{/*
+Volumes for the certificates secret
+*/}}
+{{- define "envoy.volumes" -}}
+volumes:
+  - name: {{ include "envoy.name" . }}-certs
+    secret:
+      secretName: {{ include "envoy.certificate.secret" . }}
+{{- end }}
+
+{{/*
+Define the secret name for the certificates
+*/}}
+{{- define "envoy.certificate.secret" -}}
+{{- if .Values.certificate.secretName }}
+{{- .Values.certificate.secretName }}
+{{- else }}
+{{- include "envoy.name" . }}-certs
+{{- end }}
+{{- end }}

charts/envoy/templates/statefulset.yaml

@@ -56,21 +56,15 @@ spec:
               containerPort: {{ .grpc.port }}
             {{- end }}
             {{- end }}
-          {{- with .Values.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+          {{- include "envoy.volumeMounts" . | nindent 10 }}
           {{- include "envoy.environment" . | nindent 10 }}
           {{- if .Values.services.web.enabled }}
           livenessProbe:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           {{- end }}
-      {{- with .Values.volumes }}
-      volumes:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{ include "envoy.volumes" . | nindent 6 }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -87,6 +81,6 @@ spec:
     - metadata:
         name: {{ include "envoy.name" . }}-data
       spec:
-        {{- with .Values.volumeClaimTemplates.nodeData }}
+        {{- with .Values.storage.nodeData.spec }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

charts/envoy/values.yaml

@@ -36,6 +36,7 @@ certificate:
   secretName: ""
   name: ""
   data: ""
+  mountPath: "/data/certs"
 
 # The following is the TRISA configuration for the Envoy node. For more about
 # configuration options, please see https://trisa.dev/envoy/configuration/index.html
@@ -175,26 +176,15 @@ resources: {}
 #    cpu: "500m"
 
 # Define PVCs that are allocated per pod on the stateful set (e.g. envoy data)
-volumeClaimTemplates:
+storage:
   # The node data spec will be included in volume claim templates.
   nodeData:
-    accessModes: ["ReadWriteOnce"]
-    resources:
-      requests:
-        storage: 32Gi
-
-# Define the secrets volumes associated with the envoy node
-volumes: []
-# - name: foo
-#   secret:
-#     secretName: mysecret
-#     optional: false
-
-# Mount the envoy data volume and certificates information volumes
-volumeMounts: []
-# - name: foo
-#   mountPath: "/etc/foo"
-#   readOnly: true
+    mountPath: /data/db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 32Gi
 
 # Optionally specify the security context fort of the pod
 # TODO: ensure these do not conflict with the operation of Envoy