openstack/openstack-helm-infra
Code Issues Proposed changes

Ingress: Configure Default SSL Certificate

Browse Source 
Adds configuration options for the --default-ssl-certificate feature of
NGINX Ingress Controller, which provides a default certificate for
requests that do not match any configured server names.[0]

To enable with a new certificate, specify:
  .conf.default_ssl_certificate.enabled=true
  .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
  .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
  .manifests.secret_ingress_tls=true

To enable using a TLS cert in an existing secret, specify:
  .conf.default_ssl_certificate.enabled=true
  .conf.default_ssl_certificate.name="name of the secret"
  .conf.default_ssl_certificate.namespace="namespace of the secret"

0: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

Change-Id: Idd704fd880f56137923d4c38cc188b130ee3b56d
This commit is contained in:
Phil Sphicas 2020-08-14 05:12:24 +00:00
parent adf9fc7fc4
commit 341e9b29df
3 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ingress/templates/bin/_ingress-controller.sh.tpl
View File

@ -46,6 +46,11 @@ function start () {
--election-id=${RELEASE_NAME} \ --election-id=${RELEASE_NAME} \
--ingress-class=${INGRESS_CLASS} \ --ingress-class=${INGRESS_CLASS} \
--default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \ --default-backend-service=${POD_NAMESPACE}/${ERROR_PAGE_SERVICE} \
{{- if .Values.conf.default_ssl_certificate.enabled }}
{{- $ns := .Values.conf.default_ssl_certificate.namespace | default .Release.Namespace }}
{{- $secret := .Values.conf.default_ssl_certificate.name | default .Values.secrets.tls.ingress.api.public }}
--default-ssl-certificate={{ $ns }}/{{ $secret }} \
{{- end }}
--configmap=${POD_NAMESPACE}/ingress-conf \ --configmap=${POD_NAMESPACE}/ingress-conf \
--tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \ --tcp-services-configmap=${POD_NAMESPACE}/ingress-services-tcp \
--udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp \ --udp-services-configmap=${POD_NAMESPACE}/ingress-services-udp \

17
ingress/templates/secret-ingress-tls.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "ingress" ) }}
{{- end }}

33
ingress/values.yaml
View File

@ -200,6 +200,13 @@ endpoints:
error_pages: ingress-error-pages error_pages: ingress-error-pages
host_fqdn_override: host_fqdn_override:
default: null default: null
# NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
# will be used for the default SSL certificate.
# See also the .conf.default_ssl_certificate options below.
public:
tls:
crt: ""
key: ""
port: port:
http: http:
default: 80 default: 80
@ -252,6 +259,14 @@ network_policy:
egress: egress:
- {} - {}
secrets:
tls:
ingress:
api:
# .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
# NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
public: default-tls-public
conf: conf:
controller: controller:
# NOTE(portdirect): if left blank this is populated from # NOTE(portdirect): if left blank this is populated from
@ -267,6 +282,23 @@ conf:
bind-address: null bind-address: null
enable-vts-status: "true" enable-vts-status: "true"
server-tokens: "false" server-tokens: "false"
# This block sets the --default-ssl-certificate option
# https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
default_ssl_certificate:
# .conf.default_ssl_certificate.enabled=true: use a default certificate
enabled: false
# If referencing an existing TLS secret with the default cert
# .conf.default_ssl_certificate.name="name of the secret"
# (defaults to value of .secrets.tls.ingress.api.public)
# .conf.default_ssl_certificate.namespace="namespace of the secret"
# (optional, defaults to release namespace)
name: ""
namespace: ""
# NOTE: To create a new secret to hold the default certificate, leave the
# above values empty, and specify:
# .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
# .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
# .manifests.secret_ingress_tls=true
services: services:
tcp: null tcp: null
udp: null udp: null
@ -280,6 +312,7 @@ manifests:
deployment_ingress: true deployment_ingress: true
endpoints_ingress: true endpoints_ingress: true
ingress: true ingress: true
secret_ingress_tls: false
service_error: true service_error: true
service_ingress: true service_ingress: true
job_image_repo_sync: true job_image_repo_sync: true