HTK: Support tls secrets on non-fqdn overridden hosts in ingress

This PS adds support for tls secrets on non-fqdn overriden hosts in ingress rules. Change-Id: I134af614e7c2ac3fae6eba2bc4bda9f8b41f7f78 Signed-off-by: Pete Birley <pete@port.direct>
2019-01-29 16:06:15 -06:00 · 2019-01-29 16:06:15 -06:00 · bf4713f04b
commit bf4713f04b
parent a6aabe0feb
1 changed files with 218 additions and 117 deletions
--- a/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/helm-toolkit/templates/manifests/_ingress.tpl
@ -17,127 +17,210 @@ limitations under the License.
 {{/*
 abstract: |
  Creates a manifest for a services ingress rules.
-values: |
+examples:
-  network:
+  - values: |
-    api:
+      network:
-      ingress:
+        api:
-        public: true
+          ingress:
-        classes:
+            public: true
-          namespace: "nginx"
+            classes:
-          cluster: "nginx-cluster"
+              namespace: "nginx"
              cluster: "nginx-cluster"
            annotations:
              nginx.ingress.kubernetes.io/rewrite-target: /
      secrets:
        tls:
          key_manager:
            api:
              public: barbican-tls-public
      endpoints:
        cluster_domain_suffix: cluster.local
        key_manager:
          name: barbican
          hosts:
            default: barbican-api
            public: barbican
          host_fqdn_override:
            default: null
            public:
              host: barbican.openstackhelm.example
              tls:
                crt: |
                  FOO-CRT
                key: |
                  FOO-KEY
                ca: |
                  FOO-CA_CRT
          path:
            default: /
          scheme:
            default: http
            public: https
          port:
            api:
              default: 9311
              public: 80
    usage: |
      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
    return: |
      ---
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: barbican
        annotations:
          kubernetes.io/ingress.class: "nginx"
          nginx.ingress.kubernetes.io/rewrite-target: /
-  secrets:
+
-    tls:
+      spec:
-      key_manager:
+        rules:
          - host: barbican
            http:
              paths:
                - path: /
                  backend:
                    serviceName: barbican-api
                    servicePort: b-api
          - host: barbican.default
            http:
              paths:
                - path: /
                  backend:
                    serviceName: barbican-api
                    servicePort: b-api
          - host: barbican.default.svc.cluster.local
            http:
              paths:
                - path: /
                  backend:
                    serviceName: barbican-api
                    servicePort: b-api
      ---
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: barbican-namespace-fqdn
        annotations:
          kubernetes.io/ingress.class: "nginx"
          nginx.ingress.kubernetes.io/rewrite-target: /
      spec:
        tls:
          - secretName: barbican-tls-public
            hosts:
              - barbican.openstackhelm.example
        rules:
          - host: barbican.openstackhelm.example
            http:
              paths:
                - path: /
                  backend:
                    serviceName: barbican-api
                    servicePort: b-api
      ---
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: barbican-cluster-fqdn
        annotations:
          kubernetes.io/ingress.class: "nginx-cluster"
          nginx.ingress.kubernetes.io/rewrite-target: /
      spec:
        tls:
          - secretName: barbican-tls-public
            hosts:
              - barbican.openstackhelm.example
        rules:
          - host: barbican.openstackhelm.example
            http:
              paths:
                - path: /
                  backend:
                    serviceName: barbican-api
                    servicePort: b-api
  - values: |
      network:
        api:
-          public: barbican-tls-public
+          ingress:
-  endpoints:
+            public: true
-    cluster_domain_suffix: cluster.local
+            classes:
-    key_manager:
+              namespace: "nginx"
-      name: barbican
+              cluster: "nginx-cluster"
-      hosts:
+            annotations:
-        default: barbican-api
+              nginx.ingress.kubernetes.io/rewrite-target: /
-        public: barbican
+      secrets:
-      host_fqdn_override:
+        tls:
-        default: null
+          key_manager:
-        public:
+            api:
-          host: barbican.openstackhelm.example
+              public: barbican-tls-public
-          tls:
+      endpoints:
-            crt: |
+        cluster_domain_suffix: cluster.local
-              FOO-CRT
+        key_manager:
-            key: |
+          name: barbican
-              FOO-KEY
+          hosts:
-            ca: |
+            default: barbican-api
-              FOO-CA_CRT
+            public:
-      path:
+              host: barbican
-        default: /
+              tls:
-      scheme:
+                crt: |
-        default: http
+                  FOO-CRT
-        public: https
+                key: |
-      port:
+                  FOO-KEY
-        api:
+                ca: |
-          default: 9311
+                  FOO-CA_CRT
-          public: 80
+          host_fqdn_override:
-usage: |
+            default: null
-  {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+          path:
-return: |
+            default: /
-  ---
+          scheme:
-  apiVersion: extensions/v1beta1
+            default: http
-  kind: Ingress
+            public: https
-  metadata:
+          port:
-    name: barbican
+            api:
-    annotations:
+              default: 9311
-      kubernetes.io/ingress.class: "nginx"
+              public: 80
-      nginx.ingress.kubernetes.io/rewrite-target: /
+    usage: |
      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
    return: |
      ---
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        name: barbican
        annotations:
          kubernetes.io/ingress.class: "nginx"
          nginx.ingress.kubernetes.io/rewrite-target: /
-  spec:
+      spec:
-    rules:
+        tls:
-      - host: barbican
+          - secretName: barbican-tls-public
-        http:
+            hosts:
-          paths:
+              - barbican
-            - path: /
+              - barbican.default
-              backend:
+              - barbican.default.svc.cluster.local
-                serviceName: barbican-api
+        rules:
-                servicePort: b-api
+          - host: barbican
-      - host: barbican.default
+            http:
-        http:
+              paths:
-          paths:
+                - path: /
-            - path: /
+                  backend:
-              backend:
+                    serviceName: barbican-api
-                serviceName: barbican-api
+                    servicePort: b-api
-                servicePort: b-api
+          - host: barbican.default
-      - host: barbican.default.svc.cluster.local
+            http:
-        http:
+              paths:
-          paths:
+                - path: /
-            - path: /
+                  backend:
-              backend:
+                    serviceName: barbican-api
-                serviceName: barbican-api
+                    servicePort: b-api
-                servicePort: b-api
+          - host: barbican.default.svc.cluster.local
-  ---
+            http:
-  apiVersion: extensions/v1beta1
+              paths:
-  kind: Ingress
+                - path: /
-  metadata:
+                  backend:
-    name: barbican-namespace-fqdn
+                    serviceName: barbican-api
-    annotations:
+                    servicePort: b-api
      kubernetes.io/ingress.class: "nginx"
      nginx.ingress.kubernetes.io/rewrite-target: /
  spec:
    tls:
      - secretName: barbican-tls-public
        hosts:
          - barbican.openstackhelm.example
    rules:
      - host: barbican.openstackhelm.example
        http:
          paths:
            - path: /
              backend:
                serviceName: barbican-api
                servicePort: b-api
  ---
  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    name: barbican-cluster-fqdn
    annotations:
      kubernetes.io/ingress.class: "nginx-cluster"
      nginx.ingress.kubernetes.io/rewrite-target: /
  spec:
    tls:
      - secretName: barbican-tls-public
        hosts:
          - barbican.openstackhelm.example
    rules:
      - host: barbican.openstackhelm.example
        http:
          paths:
            - path: /
              backend:
                serviceName: barbican-api
                servicePort: b-api
 */}}
 {{- define "helm-toolkit.manifests.ingress._host_rules" -}}
@ -172,6 +255,24 @@ metadata:
    kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
 {{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
 spec:
 {{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
 {{- if hasKey $host $endpoint }}
 {{- $endpointHost := index $host $endpoint }}
 {{- if kindIs "map" $endpointHost }}
 {{- if hasKey $endpointHost "tls" }}
 {{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
  tls:
    - secretName: {{ $secretName }}
      hosts:
 {{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
        - {{ $vHost }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
  rules:
 {{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
 {{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}