authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-10-26 13:34:18 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-10-26 17:48:44 +0100
commit80a32b94ca05c392d49a0abaeeec27e859358633 (patch)
tree92cbdb07bb14cb1d7585a1845c60a48aad63c00e
parent951290ba262db65ac7f6cdfb659987cb394916ee (diff)
[COMMON] Add TLS for Ingress configuration
Instead of setting TLS termination at POD level, it may be interesting to terminate it at Ingress level. This patch adds the ability to do that using "Ingress" templates. In order to achieve it, you need to configure it this way in `values.yaml`: ```yaml ingress: enabled: false service: - baseaddr: 'my-endpoint' name: 'my-service' port: 8080 config: tls: secret: my-service-ingress-certs ``` Secret (here `my-service-ingress-certs`) must follow the Kubernetes `kubernetes.io/tls` type: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls Issue-ID: SO-3078 Issue-ID: SO-3237 Issue-ID: OOM-2609 Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com> Change-Id: I76c0929d53289a581bc26d0d03cc8b9bd72d0fd1
-rw-r--r--kubernetes/common/common/templates/_ingress.tpl28
1 files changed, 24 insertions, 4 deletions
diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl
index 6b4f0ed36e..e57d4bedaa 100644
--- a/kubernetes/common/common/templates/_ingress.tpl
+++ b/kubernetes/common/common/templates/_ingress.tpl
@@ -1,19 +1,28 @@
+{{- define "ingress.config.host" -}}
+{{- $dot := default . .dot -}}
+{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+{{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}}
+{{ printf "%s.%s" $baseaddr $burl }}
+{{- end -}}
+
{{- define "ingress.config.port" -}}
+{{- $dot := default . .dot -}}
{{- if .Values.ingress -}}
{{- if .Values.global.ingress -}}
{{- if or (not .Values.global.ingress.virtualhost) (not .Values.global.ingress.virtualhost.enabled) -}}
- http:
paths:
{{- range .Values.ingress.service }}
- - path: {{ printf "/%s" (required "baseaddr" .baseaddr) }}
+{{ $baseaddr := required "baseaddr" .baseaddr }}
+ - path: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
backend:
serviceName: {{ .name }}
servicePort: {{ .port }}
{{- end -}}
{{- else if .Values.ingress.service -}}
-{{- $burl := (required "baseurl" .Values.global.ingress.virtualhost.baseurl) -}}
{{ range .Values.ingress.service }}
- - host: {{ printf "%s.%s" (required "baseaddr" .baseaddr) $burl }}
+{{ $baseaddr := required "baseaddr" .baseaddr }}
+ - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
http:
paths:
- backend:
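Review bot: In the branch of `ingress.config.port` taken when `global.ingress.virtualhost` is absent or not enabled, the new `- path:` line calls `ingress.config.host`, which requires `global.ingress.virtualhost.baseurl` and returns `baseaddr.baseurl` with no leading slash. Path-based ingress would therefore either fail to render or receive a hostname where a URL path is expected; keeping the previous form for that branch, `- path: {{ printf "/%s" $baseaddr }}`, looks like the intended behaviour. The `{{ $baseaddr := ... }}` lines added in both ranges carry no trim marker, so each iteration emits an extra blank line; `{{- $baseaddr := required "baseaddr" .baseaddr }}` avoids that. The define continues past the end of this hunk.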
@@ -95,7 +104,18 @@ spec:
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
- {{- end -}}
+{{- end -}}
+{{- if .Values.ingress.config -}}
+{{- if .Values.ingress.config.tls -}}
+{{- $dot := default . .dot -}}
+ tls:
+ - hosts:
+ {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
+ - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
+ {{- end }}
+ secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }}
+{{- end -}}
+{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
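Review bot: The new block emits a second `tls:` key when both `ingress.tls` and `ingress.config.tls` are set, because the existing `{{- if .Values.ingress.tls }}` block is closed before it rather than chained; depending on the parser the duplicate is rejected or one of the two certificate configurations is dropped silently. Making the options mutually exclusive would surface this at render time, for example `{{- if .Values.ingress.tls }}{{ fail "set either ingress.tls or ingress.config.tls, not both" }}{{- end }}` as the first line inside the new block. Separately, the right-trim on `{{- $dot := default . .dot -}}` removes the newline and indentation before `tls:`, which appears to glue the key onto the preceding output; `{{- $dot := default . .dot }}` keeps the line break. The host list goes through `ingress.config.host`, so this block presumably renders only when `global.ingress.virtualhost.baseurl` is set, which deserves a comment above it. The enclosing define starts outside the hunk.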