1 change: 1 addition & 0 deletions changelog.d/0-release-notes/cert-manager
@@ -0,0 +1 @@
If using [cert-manager](https://github.com/cert-manager/cert-manager), you need to have least version 1.0.0 (1.8.0 works at the time of writing) installed. Older cert-manager 0.15.X will no longer work.
1 change: 1 addition & 0 deletions changelog.d/2-features/ingress-services
@@ -0,0 +1 @@
charts/nginx-ingress-services: Allow more fine-grained control over what services are installed. Upgrade Certificate/Issuer resources to 'cert-manager.io/v1'
24 changes: 14 additions & 10 deletions charts/nginx-ingress-services/templates/certificate.yaml
@@ -1,5 +1,5 @@
{{- if and .Values.tls.enabled .Values.tls.useCertManager -}}
apiVersion: cert-manager.io/v1alpha2
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
Expand All @@ -10,26 +10,30 @@ metadata:
heritage: "{{ .Release.Service }}"
spec:
issuerRef:
name: letsencrypt-http01
kind: Issuer
name: {{ .Values.tls.issuer.name }}
kind: {{ .Values.tls.issuer.kind }}
usages:
- server auth
duration: 2160h # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
renewBefore: 360h # 15d
isCA: false
keyAlgorithm: ecdsa
keySize: 384 # 521 is not supported by Letsencrypt
keyEncoding: pkcs1
secretName: {{ include "nginx-ingress-services.getCertificateSecretName" . | quote }}
# NOTE: disabled due to https://github.com/jetstack/cert-manager/issues/2978
# TODO: enable when fixed (probably when cert-manager:v0.16 released)
#privateKey:
# rotationPolicy: Always

privateKey:
algorithm: ECDSA
size: 384 # 521 is not supported by Letsencrypt
encoding: PKCS1
rotationPolicy: Always

dnsNames:
- {{ .Values.config.dns.https }}
- {{ .Values.config.dns.ssl }}
{{- if .Values.webapp.enabled }}
- {{ .Values.config.dns.webapp }}
{{- end }}
{{- if .Values.fakeS3.enabled }}
- {{ .Values.config.dns.fakeS3 }}
{{- end }}
{{- if .Values.teamSettings.enabled }}
- {{ .Values.config.dns.teamSettings }}
{{- end }}
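Review bot: `name: {{ .Values.tls.issuer.name }}` and `kind: {{ .Values.tls.issuer.kind }}` in the new issuerRef are unquoted templated scalars, whereas the new issuer.yaml in this same PR quotes its `kind`; an empty `tls.issuer.name` renders as `name:` (null) and fails at the API rather than at template time. Quote both for consistency: `name: "{{ .Values.tls.issuer.name }}"` and `kind: "{{ .Values.tls.issuer.kind }}"`; the same applies to the federator Certificate hunk that follows this section. The removed NOTE/TODO explained why `rotationPolicy` was disabled; since the new `privateKey` block re-enables it, a one-line comment such as `# rotationPolicy: Always requires cert-manager >= v1.0 (see changelog)` would keep that history for the next reader.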
@@ -1,8 +1,8 @@
{{- if and .Values.federator.enabled (not .Values.tls.enabled) }}
{{- fail "TLS is required by federator. Either disable federation or enable tls." }}
{{- end }}
{{- if and .Values.tls.enabled .Values.tls.useCertManager }}
apiVersion: cert-manager.io/v1alpha2
{{- if and .Values.federator.enabled (and .Values.tls.enabled .Values.tls.useCertManager) }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "federator-{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
Expand All @@ -13,8 +13,8 @@ metadata:
heritage: "{{ .Release.Service }}"
spec:
issuerRef:
name: letsencrypt-http01
kind: Issuer
name: {{ .Values.tls.issuer.name }}
kind: {{ .Values.tls.issuer.kind }}
usages:
- server auth
- client auth
8 changes: 8 additions & 0 deletions charts/nginx-ingress-services/templates/ingress.yaml
Expand Up @@ -11,8 +11,12 @@ spec:
- hosts:
- {{ .Values.config.dns.https }}
- {{ .Values.config.dns.ssl }}
{{- if .Values.webapp.enabled }}
- {{ .Values.config.dns.webapp }}
{{- end }}
{{- if .Values.fakeS3.enabled }}
- {{ .Values.config.dns.fakeS3 }}
{{- end }}
{{- if .Values.teamSettings.enabled }}
- {{ .Values.config.dns.teamSettings }}
{{- end }}
Expand All @@ -35,20 +39,24 @@ spec:
backend:
serviceName: nginz-tcp
servicePort: {{ .Values.service.nginz.externalTcpPort }}
{{- if .Values.webapp.enabled }}
- host: {{ .Values.config.dns.webapp }}
http:
paths:
- path: /
backend:
serviceName: webapp-http
servicePort: {{ .Values.service.webapp.externalPort }}
{{- end }}
{{- if .Values.fakeS3.enabled }}
- host: {{ .Values.config.dns.fakeS3 }}
http:
paths:
- path: /
backend:
serviceName: {{ .Values.service.s3.serviceName }}
servicePort: {{ .Values.service.s3.externalPort }}
{{- end }}
{{- if .Values.teamSettings.enabled }}
- host: {{ .Values.config.dns.teamSettings }}
http:
14 changes: 10 additions & 4 deletions charts/nginx-ingress-services/templates/issuer.yaml
@@ -1,9 +1,15 @@
{{- if and .Values.tls.enabled .Values.tls.useCertManager -}}
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
{{- if and .Values.tls.enabled .Values.tls.useCertManager .Values.tls.createIssuer -}}
apiVersion: cert-manager.io/v1
{{- if or (eq .Values.tls.issuer.kind "Issuer") (eq .Values.tls.issuer.kind "ClusterIssuer") }}
kind: "{{ .Values.tls.issuer.kind }}"
{{- else }}
{{- fail (cat ".tls.issuer.kind can only be one of Issuer or ClusterIssuer, got: " .tls.issuer.kind )}}
{{- end }}
metadata:
name: letsencrypt-http01
name: {{ .Values.tls.issuer.name }}
{{- if eq .Values.tls.issuer.kind "Issuer" }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
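Review bot: The guard on the first added line reads `.Values.tls.createIssuer`, but the key this PR adds to values.yaml is `tls.issuer.create`, so with the shipped defaults the lookup evaluates to nil, the guard is false, and no Issuer/ClusterIssuer is rendered while the Certificates still reference `tls.issuer.name`; one of the two names should change, e.g. `{{- if and .Values.tls.enabled .Values.tls.useCertManager .Values.tls.issuer.create -}}`. The `fail` branch refers to `.tls.issuer.kind` instead of `.Values.tls.issuer.kind`, so a bad `kind` would most likely surface as a nil-lookup template error rather than the intended message; `{{- fail (cat ".tls.issuer.kind can only be one of Issuer or ClusterIssuer, got: " .Values.tls.issuer.kind) }}`. Note also that this validation only runs when the chart creates the issuer, so with an externally managed issuer an invalid `kind` reaches the Certificate's issuerRef unchecked. The same `create`/`createIssuer` mismatch applies to the values.yaml hunk below.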
3 changes: 3 additions & 0 deletions charts/nginx-ingress-services/templates/service.yaml
@@ -1,3 +1,4 @@
# FUTUREWORK: move services into the respective charts
apiVersion: v1
kind: Service
metadata:
Expand All @@ -21,6 +22,7 @@ spec:
targetPort: 8081
selector:
wireService: nginz
{{- if .Values.webapp.enabled }}
---
apiVersion: v1
kind: Service
Expand All @@ -33,6 +35,7 @@ spec:
targetPort: 8080
selector:
wireService: webapp
{{- end }}
{{- if not .Values.service.s3.externallyCreated }}
---
apiVersion: v1
10 changes: 10 additions & 0 deletions charts/nginx-ingress-services/values.yaml
Expand Up @@ -6,6 +6,10 @@ teamSettings:
# Account pages may be useful to enable password reset or email validation done after the initial registration
accountPages:
enabled: false
webapp:
enabled: true
fakeS3:
enabled: true
federator:
enabled: false
integrationTestHelper: false
Expand All @@ -31,6 +35,10 @@ tls:
useCertManager: false
# the validation depth between a federator client certificate and tlsClientCA
verify_depth: 1
issuer:
create: true
name: letsencrypt-http01
kind: Issuer # Issuer | ClusterIssuer

certManager:
# Indicates whether Letsencrypt's staging API server is used and therefore certificates are NOT trusted
Expand Down Expand Up @@ -90,7 +98,9 @@ service:
# https: nginz-https.<domain>
# ssl: nginz-ssl.<domain>
# webapp: webapp.<domain>
# ^ webapp is ignored if webapp.enabled == false
# fakeS3: assets.<domain>
# ^ fakeS3 is ignored if fakeS3.enabled == false
# federator: federator.<domain>
# ^ federator is ignored unless federator.enabled == true
# teamSettings: teams.<domain>
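Review bot: The new `webapp` and `fakeS3` toggles lack the explanatory comment their sibling `accountPages` has, and the `tls.issuer` block does not say what `create: false` implies for `name` and `kind`. Suggest `# Set to false when the Issuer/ClusterIssuer named below is managed outside this chart; name and kind are then only used in the Certificates' issuerRef` above `create:`, and a comment on `fakeS3` stating whether it is meant for production clusters, since it defaults to enabled (presumably to preserve the previous behaviour of always installing it). The `kind: Issuer # Issuer | ClusterIssuer` inline comment is good; the same wording could note that `Issuer` is namespaced to the release namespace while `ClusterIssuer` is cluster-wide, which is what issuer.yaml now does.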