#2 OZG-7121 helm: Configure ingress with same secret as in cluster

5ea265ff · Jan Zickermann · e81401fa · 5ea265ff · 5ea265ff
Commit 5ea265ff authored 4 months ago by Jan Zickermann
--- a/src/main/helm/templates/ingress.yaml
+++ b/src/main/helm/templates/ingress.yaml
@@ -4,15 +4,9 @@ metadata:
  name: {{ .Release.Name }}
  namespace: {{ include "app.namespace" . }}
  annotations:
-    {{- if (.Values.ingress).certManagerAnnotations -}}
-    {{- range (.Values.ingress).certManagerAnnotations }}
-{{ . | indent 4 }}
-    {{- end }}
-    {{- else if (.Values.ingress).use_staging_cert }}
-    cert-manager.io/cluster-issuer: letsencrypt-staging
-    {{- else }}
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{- end }}
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: {{ include "app.namespace" . }}-ca-cert
+    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
 spec:
  {{- if (.Values.ingress).className }}
  ingressClassName: {{ .Values.ingress.className }}
@@ -32,8 +26,4 @@ spec:
  tls:
    - hosts:
      - {{ include "app.baseDomain" . }}
-      {{- if (.Values.ingress).tlsSecretName }}
-      secretName: {{ (.Values.ingress).tlsSecretName }}
-      {{- else }}
-      secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls
-      {{- end }}
\ No newline at end of file
+      secretName: {{ .Release.Name }}-tls-secret
\ No newline at end of file
--- a/src/test/helm/ingress_test.yaml
+++ b/src/test/helm/ingress_test.yaml
@@ -38,19 +38,11 @@ tests:
    asserts:
      - isKind:
          of: Ingress
-  - it: should create default ingress tls
+  - it: should use same tls secret as in cluster
    asserts:
      - equal:
          path: spec.tls[0].secretName
-          value: helm-matabase-tls
-  - it: should set ingress tls
-    set: 
-      ingress:
-        tlsSecretName: client-tls
-    asserts:
-      - equal:
-          path: spec.tls[0].secretName
-          value: client-tls
+          value: matabase-tls-secret

  - it: should not create ingress tls/ingressClass by default
    asserts:
@@ -65,27 +57,23 @@ tests:
          path: spec.ingressClassName
          value: ingress
  
-  - it: should use default letsencrypt-prod cluster-issuer
+  - it: should enable client verification
    asserts:
      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
-          value: letsencrypt-prod
+          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-verify-client"]
+          value: "on"

-  - it: should use letsencrypt-staging cluster-issuer
-    set:
-      ingress.use_staging_cert: true
+  - it: should use CA of namespace to verify certificates
    asserts:
      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
-          value: letsencrypt-staging
+          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-secret"]
+          value: sh-helm-test-ca-cert

-  - it: should use letsencrypt-prod cluster-issuer
-    set:
-      ingress.use_staging_cert: false
+  - it: should pass certificate to upstream server
    asserts:
      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
-          value: letsencrypt-prod
+          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream"]
+          value: "true"

  - it: should create tls hosts name correctly
    asserts: