Ingress: Configure Default SSL Certificate

Adds configuration options for the --default-ssl-certificate feature of NGINX Ingress Controller, which provides a default certificate for requests that do not match any configured server names.[0] To enable with a new certificate, specify: .conf.default_ssl_certificate.enabled=true .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data" .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data" .manifests.secret_ingress_tls=true To enable using a TLS cert in an existing secret, specify: .conf.default_ssl_certificate.enabled=true .conf.default_ssl_certificate.name="name of the secret" .conf.default_ssl_certificate.namespace="namespace of the secret" 0: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate Change-Id: Idd704fd880f56137923d4c38cc188b130ee3b56d
2020-08-14 05:12:24 +00:00 · 2020-08-14 05:12:24 +00:00 · 341e9b29df
commit 341e9b29df
parent adf9fc7fc4
3 changed files with 55 additions and 0 deletions
--- a/ingress/templates/bin/_ingress-controller.sh.tpl
+++ b/ingress/templates/bin/_ingress-controller.sh.tpl
@ -46,6 +46,11 @@ function start () {
      --election-id=${RELEASE_NAME} \
      --ingress-class=${INGRESS_CLASS} \
      --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \
+      {{- if .Values.conf.default_ssl_certificate.enabled }}
+      {{- $ns := .Values.conf.default_ssl_certificate.namespace | default .Release.Namespace }}
+      {{- $secret := .Values.conf.default_ssl_certificate.name | default .Values.secrets.tls.ingress.api.public }}
+      --default-ssl-certificate={{ $ns }}/{{ $secret }} \
+      {{- end }}
      --configmap=${POD_NAMESPACE}/ingress-conf \
      --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
      --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp \
--- a/ingress/templates/secret-ingress-tls.yaml
+++ b/ingress/templates/secret-ingress-tls.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "ingress" ) }}
+{{- end }}
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@ -200,6 +200,13 @@ endpoints:
      error_pages: ingress-error-pages
    host_fqdn_override:
      default: null
+      # NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
+      # will be used for the default SSL certificate.
+      # See also the .conf.default_ssl_certificate options below.
+      public:
+        tls:
+          crt: ""
+          key: ""
    port:
      http:
        default: 80
@ -252,6 +259,14 @@ network_policy:
    egress:
      - {}

+secrets:
+  tls:
+    ingress:
+      api:
+        # .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
+        # NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
+        public: default-tls-public
+
 conf:
  controller:
    # NOTE(portdirect): if left blank this is populated from
@ -267,6 +282,23 @@ conf:
    bind-address: null
    enable-vts-status: "true"
    server-tokens: "false"
+  # This block sets the --default-ssl-certificate option
+  # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
+  default_ssl_certificate:
+    # .conf.default_ssl_certificate.enabled=true: use a default certificate
+    enabled: false
+    # If referencing an existing TLS secret with the default cert
+    # .conf.default_ssl_certificate.name="name of the secret"
+    #     (defaults to value of .secrets.tls.ingress.api.public)
+    # .conf.default_ssl_certificate.namespace="namespace of the secret"
+    #     (optional, defaults to release namespace)
+    name: ""
+    namespace: ""
+    # NOTE: To create a new secret to hold the default certificate, leave the
+    # above values empty, and specify:
+    # .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
+    # .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
+    # .manifests.secret_ingress_tls=true
  services:
    tcp: null
    udp: null
@ -280,6 +312,7 @@ manifests:
  deployment_ingress: true
  endpoints_ingress: true
  ingress: true
+  secret_ingress_tls: false
  service_error: true
  service_ingress: true
  job_image_repo_sync: true