openstack-helm-infra/ingress/templates/bin/_ingress-controller.sh.tpl
Phil Sphicas 341e9b29df Ingress: Configure Default SSL Certificate
Adds configuration options for the --default-ssl-certificate feature of
NGINX Ingress Controller, which provides a default certificate for
requests that do not match any configured server names.[0]

To enable with a new certificate, specify:
  .conf.default_ssl_certificate.enabled=true
  .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
  .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
  .manifests.secret_ingress_tls=true

To enable using a TLS cert in an existing secret, specify:
  .conf.default_ssl_certificate.enabled=true
  .conf.default_ssl_certificate.name="name of the secret"
  .conf.default_ssl_certificate.namespace="namespace of the secret"

0: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

Change-Id: Idd704fd880f56137923d4c38cc188b130ee3b56d
2020-08-14 05:32:51 +00:00


#!/bin/bash
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# Abort on the first failing command, and trace every command to stderr.
set -e
set -x

# Sub-command dispatched on the last line of this script. All script
# arguments are joined into one string; with no arguments it is "start".
COMMAND="${@:-start}"
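#######################################
# Launch the NGINX ingress controller under dumb-init.
# Globals (read): PORT_STREAM, PORT_PROFILER, PORT_HTTP, PORT_HTTPS,
#   PORT_HEALTHZ, PORT_STATUS, DEFAULT_SERVER_PORT, RELEASE_NAME,
#   INGRESS_CLASS, POD_NAMESPACE, ERROR_PAGE_SERVICE
# Arguments: none
# Returns: does not return on success; the shell is replaced via exec.
#######################################
function start () {
  # Delete every top-level entry of /tmp (never /tmp itself) that has any
  # write bit set, so nothing writable left in /tmp survives into this run.
  find /tmp -maxdepth 1 \! -path /tmp -perm /222 -exec rm -rfv {} \;

  # Flags that are passed only when this controller binary advertises them.
  declare -A desired_opts
  desired_opts["--stream-port"]="${PORT_STREAM}"
  desired_opts["--profiler-port"]="${PORT_PROFILER}"

  # First field of each --help line that matches the pattern below.
  # NOTE(review): the match depends on the help text's leading whitespace;
  # if it matches nothing, both flags above are silently dropped. Confirm
  # the pattern against the controller build in use.
  local possible_opts
  possible_opts=$(/nginx-ingress-controller --help 2>&1 | awk '/^ --/ { print $1 }')

  local -a extra_opts=()
  local k
  for k in "${!desired_opts[@]}"; do
    # Quoted so the pattern and the flag value are never word-split or
    # glob-expanded by the shell.
    if printf '%s\n' "${possible_opts}" | grep -q -- "^${k}\$"; then
      extra_opts+=("${k}=${desired_opts[$k]}")
    fi
  done

  # --default-ssl-certificate is filled in by Helm when the chart is rendered,
  # not by the shell: the namespace defaults to the release namespace and the
  # secret name to .Values.secrets.tls.ingress.api.public. Those values are
  # pasted into this script without shell escaping, so they must be plain
  # Kubernetes namespace and secret names.
  exec /usr/bin/dumb-init \
    /nginx-ingress-controller \
{{- if eq .Values.deployment.mode "namespace" }}
    --watch-namespace "${POD_NAMESPACE}" \
{{- end }}
    --http-port="${PORT_HTTP}" \
    --https-port="${PORT_HTTPS}" \
    --healthz-port="${PORT_HEALTHZ}" \
    --status-port="${PORT_STATUS}" \
    --default-server-port="${DEFAULT_SERVER_PORT}" \
    --election-id="${RELEASE_NAME}" \
    --ingress-class="${INGRESS_CLASS}" \
    --default-backend-service="${POD_NAMESPACE}/${ERROR_PAGE_SERVICE}" \
{{- if .Values.conf.default_ssl_certificate.enabled }}
{{- $ns := .Values.conf.default_ssl_certificate.namespace | default .Release.Namespace }}
{{- $secret := .Values.conf.default_ssl_certificate.name | default .Values.secrets.tls.ingress.api.public }}
    "--default-ssl-certificate={{ $ns }}/{{ $secret }}" \
{{- end }}
    --configmap="${POD_NAMESPACE}/ingress-conf" \
    --tcp-services-configmap="${POD_NAMESPACE}/ingress-services-tcp" \
    --udp-services-configmap="${POD_NAMESPACE}/ingress-services-udp" \
    "${extra_opts[@]}"
}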
#######################################
# Ask the container's init process to shut down.
# Waits five seconds, then sends SIGTERM to PID 1.
# NOTE(review): PID 1 is presumably the dumb-init process exec'd by start();
# confirm against the pod spec that invokes this script.
# Arguments: none
#######################################
stop() {
  sleep 5
  kill -TERM 1
}
# Dispatch: run whatever COMMAND holds. The expansion is left unquoted, so it
# is word-split and its first word is executed as a command name. The script's
# arguments therefore decide what runs here; callers are expected to pass only
# "start" or "stop".
${COMMAND}