Skip to content

chart/nginx-ingress-services: upgrade resources and allow fine-grained configurability #2401

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jschaul merged 8 commits into from
May 17, 2022
Merged

chart/nginx-ingress-services: upgrade resources and allow fine-grained configurability #2401

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
d603a52
tweak ingress-services chart to allow not installing webapp/s3
jschaul May 17, 2022
de86f26
allow not creating issuer
jschaul May 17, 2022
2b6df24
no need for federator dns if federation not enabled
jschaul May 17, 2022
f8aafb0
more guards
jschaul May 17, 2022
eaabbcd
charts/nginx-ingress-services: Allow using ClusterIssuer
akshaymankar May 17, 2022
115e660
charts/nginx-ingress-services: cert API v1apha2 -> v1
akshaymankar May 17, 2022
e744e9b
Apply suggestions from code review
jschaul May 17, 2022
270baf9
changelog
jschaul May 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/0-release-notes/cert-manager
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
If using [cert-manager](https://github.com/cert-manager/cert-manager), you need to have least version 1.0.0 (1.8.0 works at the time of writing) installed. Older cert-manager 0.15.X will no longer work.
1 change: 1 addition & 0 deletions changelog.d/2-features/ingress-services
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
charts/nginx-ingress-services: Allow more fine-grained control over what services are installed. Upgrade Certificate/Issuer resources to 'cert-manager.io/v1'
24 changes: 14 additions & 10 deletions charts/nginx-ingress-services/templates/certificate.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{{- if and .Values.tls.enabled .Values.tls.useCertManager -}}
apiVersion: cert-manager.io/v1alpha2
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
Expand All @@ -10,26 +10,30 @@ metadata:
heritage: "{{ .Release.Service }}"
spec:
issuerRef:
name: letsencrypt-http01
kind: Issuer
name: {{ .Values.tls.issuer.name }}
kind: {{ .Values.tls.issuer.kind }}
usages:
- server auth
duration: 2160h # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
renewBefore: 360h # 15d
isCA: false
keyAlgorithm: ecdsa
keySize: 384 # 521 is not supported by Letsencrypt
keyEncoding: pkcs1
secretName: {{ include "nginx-ingress-services.getCertificateSecretName" . | quote }}
# NOTE: disabled due to https://github.com/jetstack/cert-manager/issues/2978
# TODO: enable when fixed (probably when cert-manager:v0.16 released)
#privateKey:
# rotationPolicy: Always

privateKey:
algorithm: ECDSA
size: 384 # 521 is not supported by Letsencrypt
encoding: PKCS1
rotationPolicy: Always

dnsNames:
- {{ .Values.config.dns.https }}
- {{ .Values.config.dns.ssl }}
{{- if .Values.webapp.enabled }}
- {{ .Values.config.dns.webapp }}
{{- end }}
{{- if .Values.fakeS3.enabled }}
- {{ .Values.config.dns.fakeS3 }}
{{- end }}
{{- if .Values.teamSettings.enabled }}
- {{ .Values.config.dns.teamSettings }}
{{- end }}
Expand Down
8 changes: 4 additions & 4 deletions charts/nginx-ingress-services/templates/certificate_federator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
{{- if and .Values.federator.enabled (not .Values.tls.enabled) }}
{{- fail "TLS is required by federator. Either disable federation or enable tls." }}
{{- end }}
{{- if and .Values.tls.enabled .Values.tls.useCertManager }}
apiVersion: cert-manager.io/v1alpha2
{{- if and .Values.federator.enabled (and .Values.tls.enabled .Values.tls.useCertManager) }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "federator-{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
Expand All @@ -13,8 +13,8 @@ metadata:
heritage: "{{ .Release.Service }}"
spec:
issuerRef:
name: letsencrypt-http01
kind: Issuer
name: {{ .Values.tls.issuer.name }}
kind: {{ .Values.tls.issuer.kind }}
usages:
- server auth
- client auth
Expand Down
8 changes: 8 additions & 0 deletions charts/nginx-ingress-services/templates/ingress.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,12 @@ spec:
- hosts:
- {{ .Values.config.dns.https }}
- {{ .Values.config.dns.ssl }}
{{- if .Values.webapp.enabled }}
- {{ .Values.config.dns.webapp }}
{{- end }}
{{- if .Values.fakeS3.enabled }}
- {{ .Values.config.dns.fakeS3 }}
{{- end }}
{{- if .Values.teamSettings.enabled }}
- {{ .Values.config.dns.teamSettings }}
{{- end }}
Expand All @@ -35,20 +39,24 @@ spec:
backend:
serviceName: nginz-tcp
servicePort: {{ .Values.service.nginz.externalTcpPort }}
{{- if .Values.webapp.enabled }}
- host: {{ .Values.config.dns.webapp }}
http:
paths:
- path: /
backend:
serviceName: webapp-http
servicePort: {{ .Values.service.webapp.externalPort }}
{{- end }}
{{- if .Values.fakeS3.enabled }}
- host: {{ .Values.config.dns.fakeS3 }}
http:
paths:
- path: /
backend:
serviceName: {{ .Values.service.s3.serviceName }}
servicePort: {{ .Values.service.s3.externalPort }}
{{- end }}
{{- if .Values.teamSettings.enabled }}
- host: {{ .Values.config.dns.teamSettings }}
http:
Expand Down
14 changes: 10 additions & 4 deletions charts/nginx-ingress-services/templates/issuer.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,15 @@
{{- if and .Values.tls.enabled .Values.tls.useCertManager -}}
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
{{- if and .Values.tls.enabled .Values.tls.useCertManager .Values.tls.createIssuer -}}
apiVersion: cert-manager.io/v1
{{- if or (eq .Values.tls.issuer.kind "Issuer") (eq .Values.tls.issuer.kind "ClusterIssuer") }}
kind: "{{ .Values.tls.issuer.kind }}"
{{- else }}
{{- fail (cat ".tls.issuer.kind can only be one of Issuer or ClusterIssuer, got: " .tls.issuer.kind )}}
{{- end }}
metadata:
name: letsencrypt-http01
name: {{ .Values.tls.issuer.name }}
{{- if eq .Values.tls.issuer.kind "Issuer" }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
Expand Down
3 changes: 3 additions & 0 deletions charts/nginx-ingress-services/templates/service.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# FUTUREWORK: move services into the respective charts
apiVersion: v1
kind: Service
metadata:
Expand All @@ -21,6 +22,7 @@ spec:
targetPort: 8081
selector:
wireService: nginz
{{- if .Values.webapp.enabled }}
---
apiVersion: v1
kind: Service
Expand All @@ -33,6 +35,7 @@ spec:
targetPort: 8080
selector:
wireService: webapp
{{- end }}
{{- if not .Values.service.s3.externallyCreated }}
---
apiVersion: v1
Expand Down
10 changes: 10 additions & 0 deletions charts/nginx-ingress-services/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ teamSettings:
# Account pages may be useful to enable password reset or email validation done after the initial registration
accountPages:
enabled: false
webapp:
enabled: true
fakeS3:
enabled: true
federator:
enabled: false
integrationTestHelper: false
Expand All @@ -31,6 +35,10 @@ tls:
useCertManager: false
# the validation depth between a federator client certificate and tlsClientCA
verify_depth: 1
issuer:
create: true
name: letsencrypt-http01
kind: Issuer # Issuer | ClusterIssuer

certManager:
# Indicates whether Letsencrypt's staging API server is used and therefore certificates are NOT trusted
Expand Down Expand Up @@ -90,7 +98,9 @@ service:
# https: nginz-https.<domain>
# ssl: nginz-ssl.<domain>
# webapp: webapp.<domain>
# ^ webapp is ignored if webapp.enabled == false
# fakeS3: assets.<domain>
# ^ fakeS3 is ignored if fakeS3.enabled == false
# federator: federator.<domain>
# ^ federator is ignored unless federator.enabled == true
# teamSettings: teams.<domain>
Expand Down