Creating New Release

README.md

@@ -191,6 +191,7 @@ understand.
 | processExporter.port | int | `9256` | Process exporter metrics port |
 | replicaCount | int | `2` | The number of pods to start |
 | securityContext | object | `{}` | Additional security context |
+| serviceAccount.name | string | `""` | The name of the service account to assign to the StatefulSet pods. When set, the pod will use this service account for RBAC and IAM role bindings (e.g. IRSA on AWS). When left empty, Kubernetes will use the default service account in the namespace. |
 | service.name | string | `"iap-service"` | The name of this Kubernetes service object. |
 | service.port | int | `443` | The port that this service object is listening on. |
 | service.type | string | `"ClusterIP"` | The service type. |

charts/iap/Chart.yaml

@@ -10,7 +10,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.9.0
+version: 1.9.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/iap/templates/NOTES.txt

@@ -28,6 +28,14 @@ The following environment variables are configured to override the defaults:
   {{ $key }}: {{ $value | quote }}
 {{- end }}
 
+{{- if and .Values.certificate.enabled .Values.certificate.dnsNames }}
+⚠ NOTICE: certificate.dnsNames is set and non-empty. The chart will use exactly
+  those entries as certificate SANs — per-replica DNS names will NOT be
+  auto-generated. If you are upgrading from a previous version and had
+  certificate.dnsNames set to the old chart default (e.g. [iap.example.com]),
+  clear it (set to []) to restore auto-generation of per-replica SANs.
+{{- end }}
+
 For more information consult the Itential documentation:
 https://docs.itential.com/docs/about-itential-platform-6-feature-release
 

charts/iap/templates/_helpers.tpl

@@ -52,17 +52,6 @@ app.kubernetes.io/name: {{ include "iap.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "iap.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "iap.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
 {{/*
 Common annotations.
 */}}
@@ -83,3 +72,19 @@ Direct host names
 {{- printf "%s-%s-%d.%s" (include "iap.fullname" .) .Release.Namespace $iterator .Values.ingress.directAccess.baseDomain -}}
 {{- end -}}
 {{- end }}
+
+{{/*
+Generate the full list of TLS hostnames for the ingress spec.
+Includes the load balancer hostname and one entry per replica for direct access.
+Rendered as a YAML list of quoted strings, suitable for use with nindent.
+*/}}
+{{- define "iap.ingressTLSHosts" -}}
+{{- if .Values.ingress.loadBalancer.enabled }}
+- {{ .Values.ingress.loadBalancer.host | quote }}
+{{- end }}
+{{- if .Values.ingress.directAccess.enabled }}
+{{- range $i := until (.Values.replicaCount | int) }}
+- {{ include "iap.DirectAccessHost" (dict "Values" $.Values "Release" $.Release "Chart" $.Chart "Template" $.Template "iterator" $i) | quote }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/iap/templates/certificate.yaml

@@ -25,11 +25,18 @@ spec:
   duration: {{ .Values.certificate.duration }}
   commonName: {{ .Values.certificate.commonName | quote }}
   dnsNames:
-    - {{ .Values.certificate.commonName | quote -}}
-    {{/* This will add DNS names for each of the pods for direct access */}}
+    {{- if .Values.certificate.dnsNames }}
+    {{/* Manual override — use exactly what the user provided */}}
+    {{- range .Values.certificate.dnsNames }}
+    - {{ . | quote }}
+    {{- end }}
+    {{- else }}
+    {{/* Auto-generate: commonName + one entry per replica for direct pod access */}}
+    - {{ .Values.certificate.commonName | quote }}
     {{- range $i := until (.Values.replicaCount | int) }}
     - {{ printf "%s-%s-%d.%s" (include "iap.fullname" $) $.Release.Namespace $i $.Values.certificate.domain | quote }}
     {{- end }}
+    {{- end }}
   {{- if or .Values.certificate.ipAddresses .Values.certificate.includeServiceIPs }}
   ipAddresses:
   {{- range .Values.certificate.ipAddresses }}

charts/iap/templates/ingress.yaml

@@ -1,4 +1,15 @@
 {{- if .Values.ingress.enabled -}}
+{{/* Build a list of TLS entries */}}
+{{- $tlsList := list -}}
+{{- if .Values.ingress.tls -}}
+  {{- if kindIs "slice" .Values.ingress.tls -}}
+    {{- range .Values.ingress.tls -}}
+      {{- $tlsList = append $tlsList (dict "secretName" .secretName "hosts" (.hosts | default list)) -}}
+    {{- end -}}
+  {{- else -}}
+    {{- $tlsList = append $tlsList (dict "secretName" .Values.ingress.tls.secretName "hosts" (.Values.ingress.tls.hosts | default list)) -}}
+  {{- end -}}
+{{- end -}}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -17,13 +28,17 @@ spec:
   {{- if .Values.ingress.className }}
   ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
-  {{- if .Values.ingress.tls }}
+  {{- if $tlsList }}
   tls:
-    {{- range .Values.ingress.tls }}
+    {{- range $tlsList }}
     - hosts:
+        {{- if .hosts }}
         {{- range .hosts }}
         - {{ . | quote }}
         {{- end }}
+        {{- else }}
+        {{- include "iap.ingressTLSHosts" $ | trim | nindent 8 }}
+        {{- end }}
       secretName: {{ .secretName }}
     {{- end }}
   {{- end }}

charts/iap/templates/statefulset.yaml

@@ -41,7 +41,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: ""
+      serviceAccountName: {{ .Values.serviceAccount.name | default "" | quote }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- with .Values.hostAliases }}

charts/iap/tests/certificate_test.yaml

@@ -247,6 +247,87 @@ tests:
       - exists:
           path: metadata.annotations["helm.sh/template-file"]
 
+  ## dnsNames — auto vs manual
+  - it: should auto-generate dnsNames when dnsNames is empty
+    set:
+      certificate.enabled: true
+      certificate.issuerRef.name: "test-issuer"
+      certificate.issuerRef.kind: "ClusterIssuer"
+      certificate.commonName: "iap.example.com"
+      certificate.domain: "example.com"
+      certificate.renewBefore: "720h"
+      certificate.duration: "2160h"
+      certificate.dnsNames: []
+      replicaCount: 2
+    asserts:
+      - lengthEqual:
+          path: spec.dnsNames
+          count: 3  # commonName + 2 per-replica
+      - contains:
+          path: spec.dnsNames
+          content: "iap.example.com"
+      - matchRegex:
+          path: spec.dnsNames[1]
+          pattern: ".*-NAMESPACE-0\\.example.com"
+      - matchRegex:
+          path: spec.dnsNames[2]
+          pattern: ".*-NAMESPACE-1\\.example.com"
+
+  - it: should use manual dnsNames overriding auto-generation
+    set:
+      certificate.enabled: true
+      certificate.issuerRef.name: "test-issuer"
+      certificate.issuerRef.kind: "ClusterIssuer"
+      certificate.commonName: "iap.example.com"
+      certificate.domain: "example.com"
+      certificate.renewBefore: "720h"
+      certificate.duration: "2160h"
+      certificate.dnsNames:
+        - iap.example.com
+        - cdn.example.com
+        - "*.example.com"
+      replicaCount: 3
+    asserts:
+      - lengthEqual:
+          path: spec.dnsNames
+          count: 3  # only the manually provided entries
+      - contains:
+          path: spec.dnsNames
+          content: "iap.example.com"
+      - contains:
+          path: spec.dnsNames
+          content: "cdn.example.com"
+      - contains:
+          path: spec.dnsNames
+          content: "*.example.com"
+      - notMatchRegex:
+          path: spec.dnsNames[0]
+          pattern: ".*-NAMESPACE-.*"
+
+  - it: should not include per-replica names when dnsNames is manually set
+    set:
+      certificate.enabled: true
+      certificate.issuerRef.name: "test-issuer"
+      certificate.issuerRef.kind: "ClusterIssuer"
+      certificate.commonName: "iap.example.com"
+      certificate.domain: "example.com"
+      certificate.renewBefore: "720h"
+      certificate.duration: "2160h"
+      certificate.dnsNames:
+        - iap.example.com
+        - iap-prod-0.example.com
+      replicaCount: 5
+    asserts:
+      - lengthEqual:
+          path: spec.dnsNames
+          count: 2  # only what the user specified — replicaCount has no effect
+      - contains:
+          path: spec.dnsNames
+          content: "iap.example.com"
+      - contains:
+          path: spec.dnsNames
+          content: "iap-prod-0.example.com"
+
   - it: should render custom annotations
     set:
       certificate.enabled: true