author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2020-10-26 13:34:18 +0100 |
---|---|---|
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2020-10-26 17:48:44 +0100 |
commit | 80a32b94ca05c392d49a0abaeeec27e859358633 (patch) | |
tree | 92cbdb07bb14cb1d7585a1845c60a48aad63c00e | |
parent | 951290ba262db65ac7f6cdfb659987cb394916ee (diff) |
[COMMON] Add TLS for Ingress configuration
Instead of setting TLS termination at POD level, it may be interesting
to terminate it at Ingress level.
This patch adds the ability to do that using "Ingress" templates.
In order to achieve it, you need to configure it this way in
`values.yaml`:
```yaml
ingress:
  enabled: false
  service:
    - baseaddr: 'my-endpoint'
      name: 'my-service'
      port: 8080
  config:
    tls:
      secret: my-service-ingress-certs
```
Secret (here `my-service-ingress-certs`) must follow Kubernetes
`kubernetes.io/tls` type: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Issue-ID: SO-3078
Issue-ID: SO-3237
Issue-ID: OOM-2609
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I76c0929d53289a581bc26d0d03cc8b9bd72d0fd1
-rw-r--r-- | kubernetes/common/common/templates/_ingress.tpl | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index 6b4f0ed36e..e57d4bedaa 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -1,19 +1,28 @@ +{{- define "ingress.config.host" -}} +{{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} +{{ printf "%s.%s" $baseaddr $burl }} +{{- end -}} + {{- define "ingress.config.port" -}} +{{- $dot := default . .dot -}} {{- if .Values.ingress -}} {{- if .Values.global.ingress -}} {{- if or (not .Values.global.ingress.virtualhost) (not .Values.global.ingress.virtualhost.enabled) -}} - http: paths: {{- range .Values.ingress.service }} - - path: {{ printf "/%s" (required "baseaddr" .baseaddr) }} +{{ $baseaddr := required "baseaddr" .baseaddr }} + - path: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} backend: serviceName: {{ .name }} servicePort: {{ .port }} {{- end -}} {{- else if .Values.ingress.service -}} -{{- $burl := (required "baseurl" .Values.global.ingress.virtualhost.baseurl) -}} {{ range .Values.ingress.service }} - - host: {{ printf "%s.%s" (required "baseaddr" .baseaddr) $burl }} +{{ $baseaddr := required "baseaddr" .baseaddr }} + - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} http: paths: - backend: 
@@ -95,7 +104,18 @@ spec: {{- if .Values.ingress.tls }} tls: {{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} +{{- end -}} +{{- if .Values.ingress.config -}} +{{- if .Values.ingress.config.tls -}} +{{- $dot := default . .dot -}} + tls: + - hosts: + {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- end }} + secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }} +{{- end -}} +{{- end -}} {{- end -}} {{- end -}} {{- end -}} |
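Review bot: In the first hunk (`@@ -1,19 +1,28 @@`), the non-virtualhost branch now renders `- path:` through `ingress.config.host`, so the path becomes `<baseaddr>.<baseurl>` instead of the previous `/<baseaddr>`, and the helper dereferences `$dot.Values.global.ingress.virtualhost.baseurl` in exactly the branch taken when `virtualhost` is unset or disabled. That will either fail rendering or change path routing; suggest keeping `printf "/%s"` for the `path` case and using the helper only for `- host:`. Two smaller points: `ingress.config.port` now assigns `$dot := default . .dot` while its conditions still read `.Values` directly, so one of the two should go, and the new `{{ $baseaddr := ... }}` lines have no `{{-`/`-}}` trimming, so each service adds a blank line to the rendered output.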
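Review bot: In the second hunk (`@@ -95,7 +104,18 @@`), the new `tls:` block guarded by `.Values.ingress.config.tls` is emitted in addition to the existing `.Values.ingress.tls` block rather than instead of it, so a chart that sets both renders two `tls:` keys in the same `spec`. Suggest making the two mutually exclusive (an `else if`, or a `fail` with a clear message) and documenting which one takes precedence. The `-}}` on the `$dot` assignment immediately before `tls:` also strips the newline and indentation in front of that key, unlike the existing block which closes with a plain `}}`; worth confirming against `helm template` output. Since the host list is built with `ingress.config.host`, this TLS section also depends on `global.ingress.virtualhost.baseurl`, which deserves a line in the values documentation, and the `required "secret"` message would be easier to act on if it named the full key `ingress.config.tls.secret`.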