From 5bfe874d57eaec3c663b838c8e1259bf0f28ae06 Mon Sep 17 00:00:00 2001 From: Roth Alain Date: Fri, 4 Oct 2024 19:59:20 +0200 Subject: [PATCH 1/2] feat(common): making multiple ingress objects possible Signed-off-by: Roth Alain --- charts/common/Chart.yaml | 2 +- charts/common/README.md | 45 +-- charts/common/README.md.gotmpl | 3 +- charts/common/templates/_ingress-ingress.yaml | 10 +- charts/common/templates/_ingress-secret.yaml | 9 +- charts/common/values.schema.json | 315 +++++++++--------- charts/common/values.yaml | 146 ++++---- 7 files changed, 272 insertions(+), 258 deletions(-) diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index 36a87906..3b753571 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: common description: "Bedag's common Helm chart to use for creating other Helm charts" -version: 10.12.0 +version: 11.0.0 # A chart can be either an 'application' or a 'library' chart. # # Application charts are a collection of templates that can be packaged into versioned archives diff --git a/charts/common/README.md b/charts/common/README.md index 965d1cbe..5a08fec3 100644 --- a/charts/common/README.md +++ b/charts/common/README.md @@ -1,6 +1,6 @@ # common -![Version: 10.12.0](https://img.shields.io/badge/Version-10.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 11.0.0](https://img.shields.io/badge/Version-11.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Bedag's common Helm chart to use for creating other Helm charts 
@@ -23,6 +23,7 @@ Major Changes to functions are documented with the version affected. **Before up |logPersistence removed|8.0.0|Removes logPersistence functionality as it can be achieved with volumeMounts & extraVolumeClaimTemplates and is buggy anyway.|https://github.com/bedag/helm-charts/pull/68| |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70| |networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77| +|ingress template changes|11.0.0|add possibility to create multiple ingress objects|https://github.com/bedag/helm-charts/pull/134 # Values by Component 
@@ -30,26 +31,28 @@ Major Changes to functions are documented with the version affected. **Before up | Key | Type | Default | Description | |-----|------|---------|-------------| -| ingress.annotations | object | `{"nginx.ingress.kubernetes.io/ssl-redirect":"true"}` | annotations is a dictionary for defining ingress controller specific annotations | -| ingress.deploy | bool | `false` | deploy has to be set to true for rendering to be applied | -| ingress.ingressClassName | string | `""` | ingressClassName, defines the class of the ingress controller. | -| ingress.rules | list | `[{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}}]` | rules is a list of host rules used to configure the Ingress | -| ingress.rules[0] | object | `{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}}` | host is the URL which ingress is listening | -| ingress.rules[0].http | object | `{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}` | http is a list of http selectors pointing to backends | -| ingress.rules[0].http.paths | list | `[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]` | paths is a list of paths that map requests to backends | -| ingress.rules[0].http.paths[0] | object | `{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}` | backend defines the referenced service endpoint to which the traffic will be forwarded to | -| ingress.rules[0].http.paths[0].backend.serviceNameSuffix | string | `"component-1"` | serviceNameSuffix describes the suffix of the serviceName | -| ingress.rules[0].http.paths[0].backend.servicePort | string | `"http"` | 
servicePort describes the port where the service is listening at (can be either a string or a number) | -| ingress.rules[0].http.paths[0].path | string | `"/"` | path which ingress is listening | -| ingress.rules[0].http.paths[0].pathType | string | `"ImplementationSpecific"` | pathType Each path in an Ingress is required to have a corresponding path type. Comment out for using default ("ImplementationSpecific") | -| ingress.tls.existing.secret | string | `""` | name of an existing secret with tls.crt & tls.key content | -| ingress.tls.provided.cert | string | `""` | If SSL is terminated on ingress and you have a generated (preferrably CERT-001) certificate/key Has to be base64 encoded and should be encrypted in the ejson vault Add Variable to your CI/CD Settings "SKIP_DECRYPT" with value "" that it doesnt decrypt the cert and fails. | -| ingress.tls.provided.key | string | `""` | The key must not have a passphrase | -| ingress.tls.self | object | `{"alternativeDnsNames":[],"commonName":"*.cluster.local","ipAddresses":[],"validityDuration":365}` | depending on the type you have further configuration options: | -| ingress.tls.self.alternativeDnsNames | list | `[]` | alternativeDnsNames is an optional list of DNS names to add in the Subject Alternative Names (SAN) sectiom | -| ingress.tls.self.commonName | string | `"*.cluster.local"` | commonName of the certificate (mandatory) | -| ingress.tls.self.ipAddresses | list | `[]` | ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section | -| ingress.tls.self.validityDuration | int | `365` | validityDuration defines how long the certificate is valid (in days) | +| ingresses.ingress-1.annotations | object | `{"nginx.ingress.kubernetes.io/ssl-redirect":"true"}` | annotations is a dictionary for defining ingress controller specific annotations | +| ingresses.ingress-1.annotations."nginx.ingress.kubernetes.io/ssl-redirect" | string | `"true"` | 
nginx.ingress.kubernetes.io/ssl-redirect needs to be set to 'true' when using SSL/TLS offloading with a LB outside of Kubernetes | +| ingresses.ingress-1.deploy | bool | `false` | deploy has to be set to true for rendering to be applied | +| ingresses.ingress-1.ingressClassName | string | `""` | ingressClassName, defines the class of the ingress controller. | +| ingresses.ingress-1.rules | list | `[{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}}]` | rules is a list of host rules used to configure the Ingress | +| ingresses.ingress-1.rules[0] | object | `{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}}` | host is the URL which ingress is listening | +| ingresses.ingress-1.rules[0].http | object | `{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}` | http is a list of http selectors pointing to backends | +| ingresses.ingress-1.rules[0].http.paths | list | `[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]` | paths is a list of paths that map requests to backends | +| ingresses.ingress-1.rules[0].http.paths[0] | object | `{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}` | backend defines the referenced service endpoint to which the traffic will be forwarded to | +| ingresses.ingress-1.rules[0].http.paths[0].backend.serviceNameSuffix | string | `"component-1"` | serviceNameSuffix describes the suffix of the serviceName | +| ingresses.ingress-1.rules[0].http.paths[0].backend.servicePort | string | `"http"` | servicePort describes the port where the service is listening at (can be either a string or a number) | +| 
ingresses.ingress-1.rules[0].http.paths[0].path | string | `"/"` | path which ingress is listening | +| ingresses.ingress-1.rules[0].http.paths[0].pathType | string | `"ImplementationSpecific"` | pathType Each path in an Ingress is required to have a corresponding path type. Comment out for using default ("ImplementationSpecific") | +| ingresses.ingress-1.tls.existing.secret | string | `""` | name of an existing secret with tls.crt & tls.key content | +| ingresses.ingress-1.tls.provided.cert | string | `""` | If SSL is terminated on ingress and you have a generated (preferrably CERT-001) certificate/key Has to be base64 encoded and should be encrypted in the ejson vault Add Variable to your CI/CD Settings "SKIP_DECRYPT" with value "" that it doesnt decrypt the cert and fails. | +| ingresses.ingress-1.tls.provided.key | string | `""` | The key must not have a passphrase | +| ingresses.ingress-1.tls.self | object | `{"alternativeDnsNames":[],"commonName":"*.cluster.local","ipAddresses":[],"validityDuration":365}` | depending on the type you have further configuration options: | +| ingresses.ingress-1.tls.self.alternativeDnsNames | list | `[]` | alternativeDnsNames is an optional list of DNS names to add in the Subject Alternative Names (SAN) sectiom | +| ingresses.ingress-1.tls.self.commonName | string | `"*.cluster.local"` | commonName of the certificate (mandatory) | +| ingresses.ingress-1.tls.self.ipAddresses | list | `[]` | ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section | +| ingresses.ingress-1.tls.self.validityDuration | int | `365` | validityDuration defines how long the certificate is valid (in days) | +| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. 
Requires secret name to be specified provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | ## ServiceMonitor diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl index 9d7e9dec..42e337e2 100644 --- a/charts/common/README.md.gotmpl +++ b/charts/common/README.md.gotmpl @@ -32,6 +32,7 @@ Major Changes to functions are documented with the version affected. **Before up |logPersistence removed|8.0.0|Removes logPersistence functionality as it can be achieved with volumeMounts & extraVolumeClaimTemplates and is buggy anyway.|https://github.com/bedag/helm-charts/pull/68| |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70| |networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77| +|ingress template changes|11.0.0|add possibility to create multiple ingress objects|https://github.com/bedag/helm-charts/pull/134 {{/* Chart Values */}} @@ -49,7 +50,7 @@ Major Changes to functions are documented with the version affected. **Before up {{ template "table.heading" . }} {{- range .Values }} - {{- if and (hasPrefix "ingress." .Key) }} + {{- if and (hasPrefix "ingresses.ingress-1" .Key) }} | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{- end }} {{- end }} diff --git a/charts/common/templates/_ingress-ingress.yaml b/charts/common/templates/_ingress-ingress.yaml index 51b4ea17..5e0bca82 100644 --- a/charts/common/templates/_ingress-ingress.yaml +++ b/charts/common/templates/_ingress-ingress.yaml 
@@ -1,14 +1,15 @@
{{- define "common.ingress.ingress" -}}
{{- $root := . }}
-{{- $ingress := .Values.ingress }}
+{{- $ingresses := .Values.ingresses }}
+{{- range $name, $ingress := $ingresses }}
{{- if $ingress.deploy }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
- name: {{ template "library.name" . }}-ingress
+ name: {{ template "library.name" $root }}-{{$name}}
labels:
-{{ include "library.labels.standard" . | indent 4 }}
+{{ include "library.labels.standard" $root | indent 4 }}
app.kubernetes.io/component: ingress
{{- if $ingress.annotations }}
annotations:
@@ -57,7 +58,7 @@ spec:
- {{ .host }}
{{- end }}
{{- if or (eq $ingress.tls.type "self") (eq $ingress.tls.type "provided") }}
- secretName: {{ template "library.name" . }}-ingress-tls
+ secretName: {{ template "library.name" $root }}-ingress-tls
{{- else if eq $ingress.tls.type "existing" }}
secretName: {{ $ingress.tls.existing.secret }}
{{- end }}
@@ -65,4 +66,5 @@
{{- end }}
{{- end }}
{{- end }}
+{{- end }}
{{- end -}}
diff --git a/charts/common/templates/_ingress-secret.yaml b/charts/common/templates/_ingress-secret.yaml
index 409262c8..fa8bc23c 100644
--- a/charts/common/templates/_ingress-secret.yaml
+++ b/charts/common/templates/_ingress-secret.yaml
@@ -1,5 +1,7 @@
{{- define "common.ingress.secret" -}}
-{{- $ingress := .Values.ingress }}
+{{- $root := . }}
+{{- $ingresses := .Values.ingresses }}
+{{- range $ingress := $ingresses }}
{{- $cert := "" }}
{{- if $ingress }}
{{- if $ingress.deploy }}
@@ -13,9 +15,9 @@
apiVersion: v1
kind: Secret
metadata:
- name: {{ template "library.name" . }}-ingress-tls
+ name: {{ template "library.name" $root }}-ingress-tls
labels:
-{{ include "library.labels.standard" . | indent 4 }}
+{{ include "library.labels.standard" $root | indent 4 }}
app.kubernetes.io/component: ingress-tls
type: Opaque
data:
@@ -25,3 +27,4 @@
{{- end }}
{{- end }}
{{- end }}
+{{- end }}
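Review bot: A consumer chart that still sets the old `ingress:` key gets no Ingress and no error after this change, because `common.ingress.ingress` now reads only `.Values.ingresses` and ranges over it, and ranging over an absent map renders nothing. For a change that can silently remove a service's exposure (and its TLS), a render-time guard is safer than relying on the README table alone: `{{- if .Values.ingress }}{{- fail "values key 'ingress' was replaced by 'ingresses' in common 11.0.0" }}{{- end }}` directly after the `$root` assignment at the top of the define. The `if $ingress.deploy` body continues outside this hunk.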
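Review bot: The Secret emitted for the `self` and `provided` cases keeps `type: Opaque` (context line in the `@@ -13,9 +15,9 @@` hunk) even though it presumably carries `tls.crt`/`tls.key` in the `data:` block that follows outside the hunk; `type: kubernetes.io/tls` would make the API server reject a Secret missing either key at install time instead of the ingress controller discovering it later and falling back to its default certificate. Since `type` is immutable on an existing Secret, switching it requires a new Secret name or a delete/recreate, which fits a major version bump but deserves a sentence in the 11.0.0 upgrade row. The enclosing `common.ingress.secret` define starts and ends outside this hunk.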
diff --git a/charts/common/values.schema.json b/charts/common/values.schema.json index 2d9076c7..48b0df00 100644 --- a/charts/common/values.schema.json +++ b/charts/common/values.schema.json 
@@ -496,197 +496,200 @@ } } }, - "ingress": { + "ingresses": { "type": "object", - "required": [ - "deploy" - ], - "if": { - "properties": { - "deploy": { - "const": true - } - } - }, - "then": { - "required": [ - "rules", - "annotations", - "tls" - ] - }, - "properties": { - "deploy": { - "type": "boolean", - "default": false - }, - "ingressClassName": { - "type": "string" - }, - "defaultBackend":{ - "type":"object", - "required": [ - "serviceNameSuffix", - "servicePort" - ], + "patternProperties": { + "^.*$": { + "type": "object", + "required": [ + "deploy" + ], + "if": { "properties": { - "serviceNameSuffix": { - "type": "string" - }, - "servicePort": { - "type": [ - "number", - "string" - ] - } + "deploy": { + "const": true + } } - }, - "rules": { - "type": "array", - "items": { - "type": "object", + }, + "then": { "required": [ - "host", - "http" - ], - "properties": { - "host": { - "type": "string", - "examples": [ - "myapp.cluster.local" - ] - }, - "http": { + "tls" + ] + }, + "properties": { + "deploy": { + "type": "boolean", + "default": false + }, + "ingressClassName": { + "type": "string" + }, + "defaultBackend":{ + "type":"object", + "required": [ + "serviceNameSuffix", + "servicePort" + ], + "properties": { + "serviceNameSuffix": { + "type": "string" + }, + "servicePort": { + "type": [ + "number", + "string" + ] + } + } + }, + "rules": { + "type": "array", + "items": { "type": "object", "required": [ - "paths" + "host", + "http" ], "properties": { - "paths": { - "type": "array", - "items": { - "type": "object", - "required": [ - "backend", - "path" - ], - "properties": { - "backend": { + "host": { + "type": "string", + "examples": [ + "myapp.cluster.local" + ] + }, + "http": { + "type": "object", + "required": [ + "paths" + ], + "properties": { + "paths": { + "type": "array", + "items": { "type": "object", "required": [ - "serviceNameSuffix", - "servicePort" + "backend", + "path" ], "properties": { - "serviceNameSuffix": { - "type": "string" + 
"backend": { + "type": "object", + "required": [ + "serviceNameSuffix", + "servicePort" + ], + "properties": { + "serviceNameSuffix": { + "type": "string" + }, + "servicePort": { + "type": [ + "number", + "string" + ] + } + } }, - "servicePort": { - "type": [ - "number", - "string" + "path": { + "type": "string", + "examples": [ + "/" + ] + }, + "pathType": { + "type": "string", + "default": "ImplementationSpecific", + "examples": [ + "ImplementationSpecific", + "Exact", + "Prefix" ] } } - }, - "path": { - "type": "string", - "examples": [ - "/" - ] - }, - "pathType": { - "type": "string", - "default": "ImplementationSpecific", - "examples": [ - "ImplementationSpecific", - "Exact", - "Prefix" - ] } } } } } } - } - } - }, - "annotations": { - "type": "object" - }, - "tls": { - "type": "object", - "required": [ - "type" - ], - "properties": { - "type": { - "type": "string", - "default": "none" }, - "existing": { - "type": "object", - "required": [ - "secret" - ], - "properties": { - "secret": { - "type": "string" - } - } - }, - "provided": { - "type": "object", - "required": [ - "cert", - "key" - ], - "properties": { - "cert": { - "type": "string" - }, - "key": { - "type": "string" - } - } + "annotations": { + "type": "object" }, - "self": { + "tls": { "type": "object", "required": [ - "commonName", - "validityDuration" + "type" ], "properties": { - "commonName": { - "type": "string" + "type": { + "type": "string", + "default": "none" }, - "ipAddresses": { - "type": "array" + "existing": { + "type": "object", + "required": [ + "secret" + ], + "properties": { + "secret": { + "type": "string" + } + } }, - "alternativeDnsNames": { - "type": "array" + "provided": { + "type": "object", + "required": [ + "cert", + "key" + ], + "properties": { + "cert": { + "type": "string" + }, + "key": { + "type": "string" + } + } }, - "validityDuration": { - "type": "integer" + "self": { + "type": "object", + "required": [ + "commonName", + "validityDuration" + ], + "properties": { + 
"commonName": { + "type": "string" + }, + "ipAddresses": { + "type": "array" + }, + "alternativeDnsNames": { + "type": "array" + }, + "validityDuration": { + "type": "integer" + } + } } } } - } - } - }, - "oneOf": [ - { - "required": [ - "defaultBackend" - ] - }, - { - "required": [ - "rules" - ] + }, + "oneOf": [ + { + "required": [ + "rules" + ] + }, + { + "required": [ + "defaultBackend" + ] + } + ] } - ] + } }, "servicemonitor": { "type": "object", diff --git a/charts/common/values.yaml b/charts/common/values.yaml index 6b90d802..32d709b1 100644 --- a/charts/common/values.yaml +++ b/charts/common/values.yaml 
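Review bot: `tls.type` is still an unconstrained string in the moved schema (`"type": "string", "default": "none"`), while the templates only act on `self`, `provided` and `existing` (plus `k8s` per the values comments); a typo such as `selfsigned` passes validation and, judging by the `if or (eq $ingress.tls.type "self") ...` chain in the ingress template, most likely renders an Ingress without any `secretName`, i.e. fails open to the controller's default certificate or plaintext. Add `"enum": ["none", "existing", "provided", "k8s", "self"]` to that property so the mistake is caught at `helm install`. Likewise `existing.secret` is listed as required but the `""` default satisfies it; `"minLength": 1` would reject `type: existing` with no secret name.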
@@ -54,78 +54,80 @@ networkpolicy: # start common.ingress # -- ingress is used for access from outside of kubernetes -ingress: - # -- deploy has to be set to true for rendering to be applied - deploy: false - # -- ingressClassName, defines the class of the ingress controller. - ingressClassName: "" - # START ONLY FOR SINGLE-SERVICE INGRESSES AND NOT RULESETS - # -- defaultBackend may be used if only a single Service Backend with no Rulesets is needed. - # defaultBackend: - # -- serviceNameSuffix describes the suffix of the serviceName - # serviceNameSuffix: component-1 - # -- servicePort describes the port where the service is listening at (can be either a string or a number) - # servicePort: http - # END ONLY FOR SINGLE-SERVICE INGRESSES AND NOT RULESETS - # START ONLY FOR MULTI-SERVICE INGRESSES AND/OR SPECIFIC RULES - # -- rules is a list of host rules used to configure the Ingress - rules: - # -- host is the URL which ingress is listening - - host: myapp.cluster.local - # -- http is a list of http selectors pointing to backends - http: - # -- paths is a list of paths that map requests to backends - paths: - # -- backend defines the referenced service endpoint to which the traffic will be forwarded to - - backend: - # -- serviceNameSuffix describes the suffix of the serviceName - serviceNameSuffix: component-1 - # -- servicePort describes the port where the service is listening at (can be either a string or a number) - servicePort: http - # -- path which ingress is listening - path: "/" - # -- pathType Each path in an Ingress is required to have a corresponding path type. 
Comment out for using default ("ImplementationSpecific") - pathType: "ImplementationSpecific" - # END ONLY FOR MULTI-SERVICE INGRESSES AND/OR SPECIFIC RULES - - # -- annotations is a dictionary for defining ingress controller specific annotations - annotations: - # nginx.ingress.kubernetes.io/proxy-buffer-size known to be necessary for keycloak because defaults are too small - # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k" - # nginx.ingress.kubernetes.io/ssl-redirect needs to be set to 'true' when using SSL/TLS offloading with a LB outside of Kubernetes - nginx.ingress.kubernetes.io/ssl-redirect: "true" - # tls configuration - tls: - # define your type of tls certificate, it can be one of: - # none: tls will be disabled - # existing: use an existing secret already present in the namespace. Requires secret name to be specified - # provided: use an officially generated certificate/key - # k8s: use the default k8s-ingress tls. no further configuration needed - # self: generate a self signed certificate, which is stored as secret. 
Needs commonName and validityDuration at least - type: "none" - # -- depending on the type you have further configuration options: - self: - # -- commonName of the certificate (mandatory) - commonName: "*.cluster.local" - # -- ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section - ipAddresses: [] - # - "10.0.0.1" - # -- alternativeDnsNames is an optional list of DNS names to add in the Subject Alternative Names (SAN) sectiom - alternativeDnsNames: [] - # - "foo.com" - # -- validityDuration defines how long the certificate is valid (in days) - validityDuration: 365 - existing: - # -- name of an existing secret with tls.crt & tls.key content - secret: "" - provided: - # -- If SSL is terminated on ingress and you have a generated (preferrably CERT-001) certificate/key - # Has to be base64 encoded and should be encrypted in the ejson vault - # Add Variable to your CI/CD Settings "SKIP_DECRYPT" with value "" that it doesnt decrypt the cert and fails. - cert: "" - # -- The key must not have a passphrase - key: "" -# end common.ingress +# -- ingresses are a dictionary of single ingresses to be configured +ingresses: + ingress-1: + # -- deploy has to be set to true for rendering to be applied + deploy: false + # -- ingressClassName, defines the class of the ingress controller. + ingressClassName: "" + # START ONLY FOR SINGLE-SERVICE INGRESSES AND NOT RULESETS + # -- defaultBackend may be used if only a single Service Backend with no Rulesets is needed. 
+ # defaultBackend: + # -- serviceNameSuffix describes the suffix of the serviceName + # serviceNameSuffix: component-1 + # -- servicePort describes the port where the service is listening at (can be either a string or a number) + # servicePort: http + # END ONLY FOR SINGLE-SERVICE INGRESSES AND NOT RULESETS + # START ONLY FOR MULTI-SERVICE INGRESSES AND/OR SPECIFIC RULES + # -- rules is a list of host rules used to configure the Ingress + rules: + # -- host is the URL which ingress is listening + - host: myapp.cluster.local + # -- http is a list of http selectors pointing to backends + http: + # -- paths is a list of paths that map requests to backends + paths: + # -- backend defines the referenced service endpoint to which the traffic will be forwarded to + - backend: + # -- serviceNameSuffix describes the suffix of the serviceName + serviceNameSuffix: component-1 + # -- servicePort describes the port where the service is listening at (can be either a string or a number) + servicePort: http + # -- path which ingress is listening + path: "/" + # -- pathType Each path in an Ingress is required to have a corresponding path type. Comment out for using default ("ImplementationSpecific") + pathType: "ImplementationSpecific" + # END ONLY FOR MULTI-SERVICE INGRESSES AND/OR SPECIFIC RULES + + # -- annotations is a dictionary for defining ingress controller specific annotations + annotations: + # -- nginx.ingress.kubernetes.io/proxy-buffer-size known to be necessary for keycloak because defaults are too small + # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k" + # -- nginx.ingress.kubernetes.io/ssl-redirect needs to be set to 'true' when using SSL/TLS offloading with a LB outside of Kubernetes + nginx.ingress.kubernetes.io/ssl-redirect: "true" + # tls configuration + tls: + # -- define your type of tls certificate, it can be one of: + # none: tls will be disabled + # existing: use an existing secret already present in the namespace. 
Requires secret name to be specified + # provided: use an officially generated certificate/key + # k8s: use the default k8s-ingress tls. no further configuration needed + # self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least + type: "none" + # -- depending on the type you have further configuration options: + self: + # -- commonName of the certificate (mandatory) + commonName: "*.cluster.local" + # -- ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section + ipAddresses: [] + # - "10.0.0.1" + # -- alternativeDnsNames is an optional list of DNS names to add in the Subject Alternative Names (SAN) sectiom + alternativeDnsNames: [] + # - "foo.com" + # -- validityDuration defines how long the certificate is valid (in days) + validityDuration: 365 + existing: + # -- name of an existing secret with tls.crt & tls.key content + secret: "" + provided: + # -- If SSL is terminated on ingress and you have a generated (preferrably CERT-001) certificate/key + # Has to be base64 encoded and should be encrypted in the ejson vault + # Add Variable to your CI/CD Settings "SKIP_DECRYPT" with value "" that it doesnt decrypt the cert and fails. + cert: "" + # -- The key must not have a passphrase + key: "" +# end common.ingresses # start common.servicemonitor # servicemonitor is from CoreOS and lets you scrape metrics with the prometheus-operators From 5e135664e82f2de8c4228fe05287293aeccc9429 Mon Sep 17 00:00:00 2001 From: Roth Alain Date: Mon, 7 Oct 2024 18:30:32 +0200 Subject: [PATCH 2/2] fix(common): name of tls secret in ingress Signed-off-by: Roth Alain --- charts/common/templates/_ingress-ingress.yaml | 2 +- charts/common/templates/_ingress-secret.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/common/templates/_ingress-ingress.yaml b/charts/common/templates/_ingress-ingress.yaml index 5e0bca82..2b19e6d9 100644 
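Review bot: The `provided.cert`/`provided.key` option places a private key in chart values, which Helm stores in the release Secret in the namespace and returns from `helm get values`, independent of the ejson/CI handling the comment describes. Worth stating next to `key: ""` that `existing` (a Secret created out of band, e.g. by cert-manager) is the preferred option and `provided` is for cases where that is not possible, e.g. `# -- Prefer tls.type "existing"; anything set here is also persisted in the Helm release secret`. The `SKIP_DECRYPT` sentence is specific to one CI setup and reads as a leftover; if it stays, say which pipeline it refers to.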
--- a/charts/common/templates/_ingress-ingress.yaml
+++ b/charts/common/templates/_ingress-ingress.yaml
@@ -58,7 +58,7 @@ spec:
- {{ .host }}
{{- end }}
{{- if or (eq $ingress.tls.type "self") (eq $ingress.tls.type "provided") }}
- secretName: {{ template "library.name" $root }}-ingress-tls
+ secretName: {{ template "library.name" $root }}-{{$name}}-tls
{{- else if eq $ingress.tls.type "existing" }}
secretName: {{ $ingress.tls.existing.secret }}
{{- end }}
diff --git a/charts/common/templates/_ingress-secret.yaml b/charts/common/templates/_ingress-secret.yaml
index fa8bc23c..e20416cd 100644
--- a/charts/common/templates/_ingress-secret.yaml
+++ b/charts/common/templates/_ingress-secret.yaml
@@ -1,7 +1,7 @@
{{- define "common.ingress.secret" -}}
{{- $root := . }}
{{- $ingresses := .Values.ingresses }}
-{{- range $ingress := $ingresses }}
+{{- range $name, $ingress := $ingresses }}
{{- $cert := "" }}
{{- if $ingress }}
{{- if $ingress.deploy }}
@@ -15,7 +15,7 @@
apiVersion: v1
kind: Secret
metadata:
- name: {{ template "library.name" $root }}-ingress-tls
+ name: {{ template "library.name" $root }}-{{$name}}-tls
labels:
{{ include "library.labels.standard" $root | indent 4 }}
app.kubernetes.io/component: ingress-tls
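Review bot: `$name` flows from a user-supplied map key straight into the Ingress and Secret names (`{{ template "library.name" $root }}-{{$name}}-tls`) without normalisation, and the schema's `^.*$` key pattern does not constrain it, so a key containing uppercase letters or underscores produces an object name the API server rejects at install time rather than at lint time. Either tighten the `patternProperties` key to `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` or have the template `fail` on a name that does not match. The two files now build the same string independently; a small named helper (e.g. `common.ingress.tlsSecretName` taking `$root` and `$name`) would keep the Ingress `secretName` and the Secret `metadata.name` from drifting, because a mismatch leaves the Ingress referencing a Secret that does not exist. Both hunks sit inside defines whose bodies continue outside this patch.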