From 80a32b94ca05c392d49a0abaeeec27e859358633 Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Mon, 26 Oct 2020 13:34:18 +0100 Subject: [COMMON] Add TLS for Ingress configuration Instead of setting TLS termination at POD level, it may be interesting to terminate it at Ingress level. This patch add the ability to do that using "Ingress" templates. In order to achieve it, you need to configure it this way in `values.yaml`: ```yaml ingress: enabled: false service: - baseaddr: 'my-endpoint' name: 'my-service' port: 8080 config: tls: secret: my-service-ingress-certs ``` Secret (here `my-service-ingress-certs`) must follow Kubernetest `kubernetes.io/tls` type: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls Issue-ID: SO-3078 Issue-ID: SO-3237 Issue-ID: OOM-2609 Signed-off-by: Sylvain Desbureaux Change-Id: I76c0929d53289a581bc26d0d03cc8b9bd72d0fd1 --- kubernetes/common/common/templates/_ingress.tpl | 28 +++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) (limited to 'kubernetes') diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index 6b4f0ed36e..e57d4bedaa 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -1,19 +1,28 @@ +{{- define "ingress.config.host" -}} +{{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} +{{ printf "%s.%s" $baseaddr $burl }} +{{- end -}} + {{- define "ingress.config.port" -}} +{{- $dot := default . .dot -}} {{- if .Values.ingress -}} {{- if .Values.global.ingress -}} {{- if or (not .Values.global.ingress.virtualhost) (not .Values.global.ingress.virtualhost.enabled) -}} - http: paths: {{- range .Values.ingress.service }} - - path: {{ printf "/%s" (required "baseaddr" .baseaddr) }} +{{ $baseaddr := required "baseaddr" .baseaddr }} + - path: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} backend: serviceName: {{ .name }} servicePort: {{ .port }} {{- end -}} {{- else if .Values.ingress.service -}} -{{- $burl := (required "baseurl" .Values.global.ingress.virtualhost.baseurl) -}} {{ range .Values.ingress.service }} - - host: {{ printf "%s.%s" (required "baseaddr" .baseaddr) $burl }} +{{ $baseaddr := required "baseaddr" .baseaddr }} + - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} http: paths: - backend: @@ -95,7 +104,18 @@ spec: {{- if .Values.ingress.tls }} tls: {{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} +{{- end -}} +{{- if .Values.ingress.config -}} +{{- if .Values.ingress.config.tls -}} +{{- $dot := default . .dot -}} + tls: + - hosts: + {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- end }} + secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }} +{{- end -}} +{{- end -}} {{- end -}} {{- end -}} {{- end -}} -- cgit 1.2.3-korg