Update toolkit to support ingress TLS

This patch set cleans up inflight patch [1] by moving helm-toolkit changes to OSH-infra per [0]. [0] https://review.openstack.org/#/c/558065/ [1] https://review.openstack.org/#/c/566350/ Change-Id: Ifdf3a1d11f2a7cb424476d57d407a224b1ab80eb Needed-by: I8f1b699af29cbed2d83ad91bb6840dccce8c5146 Signed-off-by: Tin Lam <tin@irrational.io> Signed-off-by: Pete Birley <pete@port.direct>
2018-05-13 12:49:30 -05:00 · 2018-05-13 12:49:30 -05:00 · 1275a4c7e0
commit 1275a4c7e0
parent ce21f6e96d
5 changed files with 68 additions and 3 deletions
--- a/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
+++ b/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@ -32,7 +32,12 @@ limitations under the License.
 {{- $endpointScheme := .scheme }}
 {{- $endpointHost := index .hosts $endpoint | default .hosts.default }}
 {{- $endpointClusterHostname := printf "%s.%s.%s" $endpointHost $namespace $clusterSuffix }}
+{{- if kindIs "map" (index .host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index .host_fqdn_override $endpoint "host" | default .host_fqdn_override.default | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
 {{- $endpointHostname := index .host_fqdn_override $endpoint | default .host_fqdn_override.default | default $endpointClusterHostname }}
 {{- printf "%s" $endpointHostname -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
--- a/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
+++ b/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@ -38,8 +38,13 @@ limitations under the License.
 {{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
 {{- printf "%s://%s:%1.f%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
 {{- else -}}
+{{- if kindIs "map" (index .host_fqdn_override $endpoint) }}
+{{- $endpointFqdnHostname := index .host_fqdn_override $endpoint "host" | default .host_fqdn_override.default | default $endpointClusterHostname }}
+{{- printf "%s://%s:%1.f%s" $endpointScheme $endpointFqdnHostname $endpointPort $endpointPath -}}
+{{- else }}
 {{- $endpointFqdnHostname := index .host_fqdn_override $endpoint | default .host_fqdn_override.default | default $endpointClusterHostname }}
 {{- printf "%s://%s:%1.f%s" $endpointScheme $endpointFqdnHostname $endpointPort $endpointPath -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
--- a/helm-toolkit/templates/manifests/_ingress.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_ingress.yaml.tpl
@ -56,18 +56,30 @@ spec:
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4}}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
 {{- $hostNameFullRules := dict "vHost" $hostNameFull "backendName" $backendName "backendPort" $backendPort }}
-{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4}}
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: {{ printf "%s-%s" $ingressName "fqdn" }}
+  name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
  annotations:
-    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "cluster" | quote }}
+    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
 {{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
 spec:
+{{- $host := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" }}
+{{- if $host.public }}
+{{- if $host.public.tls }}
+{{- if and $host.public.tls.key $host.public.tls.crt }}
+  tls:
+    - secretName: {{ index $envAll.Values.secrets "tls" $backendServiceType $backendService "public" }}
+      hosts:
+        - {{ index $hostNameFullRules "vHost" }}
+{{- end }}
+{{- end }}
+{{- end }}
  rules:
 {{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4}}
 {{- end }}
 {{- end }}
+{{- end }}
--- a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@ -0,0 +1,41 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" }}
+{{- if $host.public }}
+{{- if $host.public.tls }}
+{{- if and $host.public.tls.key $host.public.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ index $envAll.Values.secrets.tls $backendServiceType $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ $host.public.tls.crt | b64enc }}
+  tls.key: {{ $host.public.tls.key | b64enc }}
+{{- if $host.public.tls.ca }}
+  tls.ca: {{ $host.public.tls.ca | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/helm-toolkit/templates/manifests/_service-ingress.tpl
+++ b/helm-toolkit/templates/manifests/_service-ingress.tpl
@ -31,6 +31,8 @@ spec:
  ports:
    - name: http
      port: 80
+    - name: https
+      port: 443
  selector:
    app: ingress-api
 {{- if index $envAll.Values.endpoints $backendServiceType }}