diff --git a/changelog.d/0-release-notes/cert-manager b/changelog.d/0-release-notes/cert-manager
new file mode 100644
index 0000000000..1b74b8f4d6
--- /dev/null
+++ b/changelog.d/0-release-notes/cert-manager
@@ -0,0 +1 @@
+If using [cert-manager](https://github.com/cert-manager/cert-manager), you need to have least version 1.0.0 (1.8.0 works at the time of writing) installed. Older cert-manager 0.15.X will no longer work.
diff --git a/changelog.d/2-features/ingress-services b/changelog.d/2-features/ingress-services
new file mode 100644
index 0000000000..442955280c
--- /dev/null
+++ b/changelog.d/2-features/ingress-services
@@ -0,0 +1 @@
+charts/nginx-ingress-services: Allow more fine-grained control over what services are installed. Upgrade Certificate/Issuer resources to 'cert-manager.io/v1'
diff --git a/charts/nginx-ingress-services/templates/certificate.yaml b/charts/nginx-ingress-services/templates/certificate.yaml
index 21975e93c7..9b223f1132 100644
--- a/charts/nginx-ingress-services/templates/certificate.yaml
+++ b/charts/nginx-ingress-services/templates/certificate.yaml
@@ -1,5 +1,5 @@
 {{- if and .Values.tls.enabled .Values.tls.useCertManager -}}
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: "{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
@@ -10,26 +10,30 @@ metadata:
     heritage: "{{ .Release.Service }}"
 spec:
   issuerRef:
-    name: letsencrypt-http01
-    kind: Issuer
+    name: {{ .Values.tls.issuer.name }}
+    kind: {{ .Values.tls.issuer.kind }}
   usages:
     - server auth
   duration: 2160h # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
   renewBefore: 360h # 15d
   isCA: false
-  keyAlgorithm: ecdsa
-  keySize: 384 # 521 is not supported by Letsencrypt
-  keyEncoding: pkcs1
   secretName: {{ include "nginx-ingress-services.getCertificateSecretName" . | quote }}
-  # NOTE: disabled due to https://github.com/jetstack/cert-manager/issues/2978
-  # TODO: enable when fixed (probably when cert-manager:v0.16 released)
-  #privateKey:
-  # rotationPolicy: Always
+
+  privateKey:
+    algorithm: ECDSA
+    size: 384 # 521 is not supported by Letsencrypt
+    encoding: PKCS1
+    rotationPolicy: Always
+
   dnsNames:
     - {{ .Values.config.dns.https }}
     - {{ .Values.config.dns.ssl }}
+    {{- if .Values.webapp.enabled }}
     - {{ .Values.config.dns.webapp }}
+    {{- end }}
+    {{- if .Values.fakeS3.enabled }}
     - {{ .Values.config.dns.fakeS3 }}
+    {{- end }}
     {{- if .Values.teamSettings.enabled }}
     - {{ .Values.config.dns.teamSettings }}
     {{- end }}
diff --git a/charts/nginx-ingress-services/templates/certificate_federator.yaml b/charts/nginx-ingress-services/templates/certificate_federator.yaml
index 50466af495..4aa35bcc6e 100644
--- a/charts/nginx-ingress-services/templates/certificate_federator.yaml
+++ b/charts/nginx-ingress-services/templates/certificate_federator.yaml
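Review bot: The new `issuerRef` lines render their templated values unquoted, `name: {{ .Values.tls.issuer.name }}` and `kind: {{ .Values.tls.issuer.kind }}`, while `secretName:` a few lines below goes through `| quote` and issuer.yaml quotes the same kind value; an empty or YAML-special value would render as a bare scalar instead of the string the API expects. `name: {{ .Values.tls.issuer.name | quote }}` and `kind: {{ .Values.tls.issuer.kind | quote }}` keep the three templates consistent; the same two lines appear in the certificate_federator.yaml hunk on the next line. The Issuer/ClusterIssuer validation lives only in issuer.yaml, so when the chart does not create the issuer an unsupported kind presumably reaches the API server unchecked here; a shared `fail` guard (e.g. a named template both Certificates include) would close that gap. The `{{- if }}` block opened in the first hunk closes outside this one.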
@@ -1,8 +1,8 @@
 {{- if and .Values.federator.enabled (not .Values.tls.enabled) }}
 {{- fail "TLS is required by federator. Either disable federation or enable tls." }}
 {{- end }}
-{{- if and .Values.tls.enabled .Values.tls.useCertManager }}
-apiVersion: cert-manager.io/v1alpha2
+{{- if and .Values.federator.enabled (and .Values.tls.enabled .Values.tls.useCertManager) }}
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: "federator-{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
@@ -13,8 +13,8 @@ metadata:
     heritage: "{{ .Release.Service }}"
 spec:
   issuerRef:
-    name: letsencrypt-http01
-    kind: Issuer
+    name: {{ .Values.tls.issuer.name }}
+    kind: {{ .Values.tls.issuer.kind }}
   usages:
     - server auth
     - client auth
diff --git a/charts/nginx-ingress-services/templates/ingress.yaml b/charts/nginx-ingress-services/templates/ingress.yaml
index 34dbcdb35c..4ce2619ef9 100644
--- a/charts/nginx-ingress-services/templates/ingress.yaml
+++ b/charts/nginx-ingress-services/templates/ingress.yaml
@@ -11,8 +11,12 @@ spec:
   - hosts:
     - {{ .Values.config.dns.https }}
     - {{ .Values.config.dns.ssl }}
+{{- if .Values.webapp.enabled }}
     - {{ .Values.config.dns.webapp }}
+{{- end }}
+{{- if .Values.fakeS3.enabled }}
     - {{ .Values.config.dns.fakeS3 }}
+{{- end }}
 {{- if .Values.teamSettings.enabled }}
     - {{ .Values.config.dns.teamSettings }}
 {{- end }}
@@ -35,6 +39,7 @@ spec:
         backend:
           serviceName: nginz-tcp
           servicePort: {{ .Values.service.nginz.externalTcpPort }}
+{{- if .Values.webapp.enabled }}
   - host: {{ .Values.config.dns.webapp }}
     http:
       paths:
@@ -42,6 +47,8 @@ spec:
         backend:
           serviceName: webapp-http
           servicePort: {{ .Values.service.webapp.externalPort }}
+{{- end }}
+{{- if .Values.fakeS3.enabled }}
   - host: {{ .Values.config.dns.fakeS3 }}
     http:
       paths:
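Review bot: The new guard `{{- if and .Values.federator.enabled (and .Values.tls.enabled .Values.tls.useCertManager) }}` nests a second `and` that adds nothing; Go's template `and` takes any number of arguments, so `{{- if and .Values.federator.enabled .Values.tls.enabled .Values.tls.useCertManager }}` reads the same way as the guards in certificate.yaml and issuer.yaml. The `issuerRef` lines in the second hunk of this file take the same unquoted templated values as certificate.yaml and would benefit from the same `| quote`. The `{{- if }}` block opened here closes outside the hunk.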
@@ -49,6 +56,7 @@ spec:
         backend:
           serviceName: {{ .Values.service.s3.serviceName }}
           servicePort: {{ .Values.service.s3.externalPort }}
+{{- end }}
 {{- if .Values.teamSettings.enabled }}
   - host: {{ .Values.config.dns.teamSettings }}
     http:
diff --git a/charts/nginx-ingress-services/templates/issuer.yaml b/charts/nginx-ingress-services/templates/issuer.yaml
index 1958f2193c..c6ed831007 100644
--- a/charts/nginx-ingress-services/templates/issuer.yaml
+++ b/charts/nginx-ingress-services/templates/issuer.yaml
@@ -1,9 +1,15 @@
-{{- if and .Values.tls.enabled .Values.tls.useCertManager -}}
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
+{{- if and .Values.tls.enabled .Values.tls.useCertManager .Values.tls.createIssuer -}}
+apiVersion: cert-manager.io/v1
+{{- if or (eq .Values.tls.issuer.kind "Issuer") (eq .Values.tls.issuer.kind "ClusterIssuer") }}
+kind: "{{ .Values.tls.issuer.kind }}"
+{{- else }}
+{{- fail (cat ".tls.issuer.kind can only be one of Issuer or ClusterIssuer, got: " .tls.issuer.kind )}}
+{{- end }}
 metadata:
-  name: letsencrypt-http01
+  name: {{ .Values.tls.issuer.name }}
+  {{- if eq .Values.tls.issuer.kind "Issuer" }}
   namespace: {{ .Release.Namespace }}
+  {{- end }}
   labels:
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     release: "{{ .Release.Name }}"
diff --git a/charts/nginx-ingress-services/templates/service.yaml b/charts/nginx-ingress-services/templates/service.yaml
index 41373505fc..e969219700 100644
--- a/charts/nginx-ingress-services/templates/service.yaml
+++ b/charts/nginx-ingress-services/templates/service.yaml
@@ -1,3 +1,4 @@
+# FUTUREWORK: move services into the respective charts
 apiVersion: v1
 kind: Service
 metadata:
@@ -21,6 +22,7 @@ spec:
     targetPort: 8081
   selector:
     wireService: nginz
+{{- if .Values.webapp.enabled }}
 ---
 apiVersion: v1
 kind: Service
@@ -33,6 +35,7 @@ spec:
     targetPort: 8080
   selector:
     wireService: webapp
+{{- end }}
 {{- if not .Values.service.s3.externallyCreated }}
 ---
 apiVersion: v1
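Review bot: The new guard on the first line of the issuer.yaml hunk tests `.Values.tls.createIssuer`, but the values.yaml hunk on the next line introduces the flag as `tls.issuer.create`; with the shipped defaults `.Values.tls.createIssuer` is undefined, so the whole Issuer/ClusterIssuer template renders empty and the Certificates presumably end up referencing an issuer that was never created. Use one name in both places, e.g. `{{- if and .Values.tls.enabled .Values.tls.useCertManager .Values.tls.issuer.create -}}`. The `fail` branch also dereferences `.tls.issuer.kind` on the root context instead of `.Values.tls.issuer.kind`, so an invalid kind would most likely surface as a nil-pointer template error rather than the intended message; `{{- fail (cat ".tls.issuer.kind can only be one of Issuer or ClusterIssuer, got:" .Values.tls.issuer.kind) }}` fixes that. The `{{- if }}` block opened on the first line and the issuer `spec:` continue outside the hunk.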
diff --git a/charts/nginx-ingress-services/values.yaml b/charts/nginx-ingress-services/values.yaml
index fd16809244..fba9394c0e 100644
--- a/charts/nginx-ingress-services/values.yaml
+++ b/charts/nginx-ingress-services/values.yaml
@@ -6,6 +6,10 @@ teamSettings:
 # Account pages may be useful to enable password reset or email validation done after the initial registration
 accountPages:
   enabled: false
+webapp:
+  enabled: true
+fakeS3:
+  enabled: true
 federator:
   enabled: false
 integrationTestHelper: false
@@ -31,6 +35,10 @@ tls:
   useCertManager: false
   # the validation depth between a federator client certificate and tlsClientCA
   verify_depth: 1
+  issuer:
+    create: true
+    name: letsencrypt-http01
+    kind: Issuer # Issuer | ClusterIssuer

 certManager:
   # Indicates whether Letsencrypt's staging API server is used and therefore certificates are NOT trusted
@@ -90,7 +98,9 @@ service:
 # https: nginz-https.
 # ssl: nginz-ssl.
 # webapp: webapp.
+# ^ webapp is ignored if webapp.enabled == false
 # fakeS3: assets.
+# ^ fakeS3 is ignored if fakeS3.enabled == false
 # federator: federator.
 # ^ federator is ignored unless federator.enabled == true
 # teamSettings: teams.
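Review bot: The new `webapp`, `fakeS3` and `tls.issuer` keys ship without the explanatory comment the neighbouring `accountPages` block carries, and `issuer.create` is the one that needs it most, since a reader cannot tell whether `create: false` means the Certificates reference an issuer that must already exist under `name`/`kind`. Suggested comment above `issuer:`: `# create: true renders the Issuer/ClusterIssuer below; otherwise an existing one with this name and kind is referenced by the Certificates.` After the `kind:` line I would add `# A ClusterIssuer is cluster-scoped and shared by every namespace, so creating one from this release affects the whole cluster.` Above `webapp:` and `fakeS3:` a one-line comment stating what `enabled: false` drops (the host from the ingress and certificate, and the Service) would match the existing style; the hunk does not say what fakeS3 is, so I would not describe it further.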