diff --git a/ingress/templates/bin/_ingress-controller.sh.tpl b/ingress/templates/bin/_ingress-controller.sh.tpl
index 6bda57ee0..45a7023c4 100644
--- a/ingress/templates/bin/_ingress-controller.sh.tpl
+++ b/ingress/templates/bin/_ingress-controller.sh.tpl
@@ -46,6 +46,11 @@ function start () {
 --election-id=${RELEASE_NAME} \
 --ingress-class=${INGRESS_CLASS} \
 --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \
+ {{- if .Values.conf.default_ssl_certificate.enabled }}
+ {{- $ns := .Values.conf.default_ssl_certificate.namespace | default .Release.Namespace }}
+ {{- $secret := .Values.conf.default_ssl_certificate.name | default .Values.secrets.tls.ingress.api.public }}
+ --default-ssl-certificate={{ $ns }}/{{ $secret }} \
+ {{- end }}
 --configmap=${POD_NAMESPACE}/ingress-conf \
 --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
 --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp \
diff --git a/ingress/templates/secret-ingress-tls.yaml b/ingress/templates/secret-ingress-tls.yaml
new file mode 100644
index 000000000..eeb39c688
--- /dev/null
+++ b/ingress/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "ingress" ) }}
+{{- end }}
diff --git a/ingress/values.yaml b/ingress/values.yaml
index 50f44d3ca..460a6dafb 100644
--- a/ingress/values.yaml
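Review bot: The `--default-ssl-certificate` value built here can name a secret the chart never creates: with `enabled: true`, `name` left empty and `manifests.secret_ingress_tls` left `false` (all defaults in the values.yaml hunks), `$secret` resolves to `.Values.secrets.tls.ingress.api.public` and the controller is pointed at a nonexistent secret, which only surfaces at runtime. A render-time guard after the `$secret` line would fail fast: `{{- if and (not .Values.conf.default_ssl_certificate.name) (not .Values.manifests.secret_ingress_tls) }}{{ fail "conf.default_ssl_certificate needs .name or manifests.secret_ingress_tls=true" }}{{- end }}`. Separately, `$ns` may point outside the release namespace, and nothing in this commit grants the controller read access to secrets there, so a cross-namespace value likely fails with a permission error at runtime; the same caveat belongs on the `namespace` option in the values.yaml hunk at `@@ -267,6 +282,23 @@`. The `start ()` function continues outside the hunk.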
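Review bot: The new manifest is gated only on `manifests.secret_ingress_tls`, not on `conf.default_ssl_certificate.enabled`, so enabling it alone renders a TLS secret nothing consumes, and the include is fed `host_fqdn_override.public.tls` values that default to `""` in values.yaml, which may yield a secret with empty `tls.crt`/`tls.key` depending on how `helm-toolkit.manifests.secret_ingress_tls` treats empty data (outside this diff). If the secret exists solely to back the default certificate, `{{- if and .Values.manifests.secret_ingress_tls .Values.conf.default_ssl_certificate.enabled }}` keeps the two toggles from drifting apart. Either way a short header comment after the license block naming the inputs, e.g. `{{/* Renders the TLS secret named by .Values.secrets.tls.ingress.api.public from .Values.endpoints.ingress.host_fqdn_override.public.tls */}}`, would save the next reader a trip to values.yaml.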
+++ b/ingress/values.yaml
@@ -200,6 +200,13 @@ endpoints:
 error_pages: ingress-error-pages
 host_fqdn_override:
 default: null
+ # NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
+ # will be used for the default SSL certificate.
+ # See also the .conf.default_ssl_certificate options below.
+ public:
+ tls:
+ crt: ""
+ key: ""
 port:
 http:
 default: 80
@@ -252,6 +259,14 @@ network_policy:
 egress:
 - {}
 
+secrets: tls: ingress: api: # .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
+ # NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
+ public: default-tls-public
+
 conf:
 controller:
 # NOTE(portdirect): if left blank this is populated from
@@ -267,6 +282,23 @@ conf:
 bind-address: null
 enable-vts-status: "true"
 server-tokens: "false"
+ # This block sets the --default-ssl-certificate option
+ # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
+ default_ssl_certificate:
+ # .conf.default_ssl_certificate.enabled=true: use a default certificate
+ enabled: false
+ # If referencing an existing TLS secret with the default cert
+ # .conf.default_ssl_certificate.name="name of the secret"
+ # (defaults to value of .secrets.tls.ingress.api.public)
+ # .conf.default_ssl_certificate.namespace="namespace of the secret"
+ # (optional, defaults to release namespace)
+ name: ""
+ namespace: ""
+ # NOTE: To create a new secret to hold the default certificate, leave the
+ # above values empty, and specify:
+ # .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
+ # .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
+ # .manifests.secret_ingress_tls=true
 services:
 tcp: null
 udp: null
@@ -280,6 +312,7 @@ manifests:
 deployment_ingress: true
 endpoints_ingress: true
 ingress: true
+ secret_ingress_tls: false
 service_error: true
 service_ingress: true
 job_image_repo_sync: true
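Review bot: The new `public.tls.crt`/`key` fields in the first hunk invite PEM private-key material into values.yaml, where it ends up in version control and in the stored Helm release; the comment should say so and point production users at `conf.default_ssl_certificate.name` for a pre-provisioned secret, e.g. `# NOTE: key is private-key material; prefer an existing secret via .conf.default_ssl_certificate.name`. The empty-string defaults also mean an operator who flips `manifests.secret_ingress_tls` without setting them gets a secret with empty data unless the helm-toolkit helper rejects that, which is not visible here. The `@@ -267,6 +282,23 @@` hunk's comment on `namespace` should additionally note that a namespace other than the release's requires the controller to be allowed to read secrets there, since the chart does not grant that.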