aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/common
diff options
context:
space:
mode:
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-10-26 13:34:18 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-10-26 17:48:44 +0100
commit80a32b94ca05c392d49a0abaeeec27e859358633 (patch)
tree92cbdb07bb14cb1d7585a1845c60a48aad63c00e /kubernetes/common
parent951290ba262db65ac7f6cdfb659987cb394916ee (diff)
[COMMON] Add TLS for Ingress configuration
Instead of setting TLS termination at POD level, it may be interesting to terminate it at Ingress level. This patch add the ability to do that using "Ingress" templates. In order to achieve it, you need to configure it this way in `values.yaml`: ```yaml ingress: enabled: false service: - baseaddr: 'my-endpoint' name: 'my-service' port: 8080 config: tls: secret: my-service-ingress-certs ``` Secret (here `my-service-ingress-certs`) must follow Kubernetest `kubernetes.io/tls` type: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls Issue-ID: SO-3078 Issue-ID: SO-3237 Issue-ID: OOM-2609 Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com> Change-Id: I76c0929d53289a581bc26d0d03cc8b9bd72d0fd1
Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/common/templates/_ingress.tpl28
1 files changed, 24 insertions, 4 deletions
diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl
index 6b4f0ed36e..e57d4bedaa 100644
--- a/kubernetes/common/common/templates/_ingress.tpl
+++ b/kubernetes/common/common/templates/_ingress.tpl
@@ -1,19 +1,28 @@
+{{- define "ingress.config.host" -}}
+{{- $dot := default . .dot -}}
+{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+{{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}}
+{{ printf "%s.%s" $baseaddr $burl }}
+{{- end -}}
+
{{- define "ingress.config.port" -}}
+{{- $dot := default . .dot -}}
{{- if .Values.ingress -}}
{{- if .Values.global.ingress -}}
{{- if or (not .Values.global.ingress.virtualhost) (not .Values.global.ingress.virtualhost.enabled) -}}
- http:
paths:
{{- range .Values.ingress.service }}
- - path: {{ printf "/%s" (required "baseaddr" .baseaddr) }}
+{{ $baseaddr := required "baseaddr" .baseaddr }}
+ - path: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
backend:
serviceName: {{ .name }}
servicePort: {{ .port }}
{{- end -}}
{{- else if .Values.ingress.service -}}
-{{- $burl := (required "baseurl" .Values.global.ingress.virtualhost.baseurl) -}}
{{ range .Values.ingress.service }}
- - host: {{ printf "%s.%s" (required "baseaddr" .baseaddr) $burl }}
+{{ $baseaddr := required "baseaddr" .baseaddr }}
+ - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
http:
paths:
- backend:
@@ -95,7 +104,18 @@ spec:
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
- {{- end -}}
+{{- end -}}
+{{- if .Values.ingress.config -}}
+{{- if .Values.ingress.config.tls -}}
+{{- $dot := default . .dot -}}
+ tls:
+ - hosts:
+ {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
+ - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
+ {{- end }}
+ secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }}
+{{- end -}}
+{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}