#2 OZG-7121 helm: Configure ingress with same secret as in cluster

5ea265ff · Jan Zickermann · e81401fa · 5ea265ff · 5ea265ff
Commit 5ea265ff authored 5 months ago by Jan Zickermann
--- a/src/main/helm/templates/ingress.yaml
+++ b/src/main/helm/templates/ingress.yaml
@@ -4,15 +4,9 @@ metadata:
  name: {{ .Release.Name }}
  namespace: {{ include "app.namespace" . }}
  annotations:
-    {{- if (.Values.ingress).certManagerAnnotations -}}
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
-    {{- range (.Values.ingress).certManagerAnnotations }}
+    nginx.ingress.kubernetes.io/auth-tls-secret: {{ include "app.namespace" . }}-ca-cert
-{{ . | indent 4 }}
+    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
-    {{- end }}
-    {{- else if (.Values.ingress).use_staging_cert }}
-    cert-manager.io/cluster-issuer: letsencrypt-staging
-    {{- else }}
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{- end }}
 spec:
  {{- if (.Values.ingress).className }}
  ingressClassName: {{ .Values.ingress.className }}
@@ -32,8 +26,4 @@ spec:
  tls:
    - hosts:
      - {{ include "app.baseDomain" . }}
-      {{- if (.Values.ingress).tlsSecretName }}
+      secretName: {{ .Release.Name }}-tls-secret
-      secretName: {{ (.Values.ingress).tlsSecretName }}
\ No newline at end of file
-      {{- else }}
-      secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls
-      {{- end }}
\ No newline at end of file
--- a/src/test/helm/ingress_test.yaml
+++ b/src/test/helm/ingress_test.yaml
@@ -38,19 +38,11 @@ tests:
    asserts:
      - isKind:
          of: Ingress
-  - it: should create default ingress tls
+  - it: should use same tls secret as in cluster
    asserts:
      - equal:
          path: spec.tls[0].secretName
-          value: helm-matabase-tls
+          value: matabase-tls-secret
-  - it: should set ingress tls
-    set: 
-      ingress:
-        tlsSecretName: client-tls
-    asserts:
-      - equal:
-          path: spec.tls[0].secretName
-          value: client-tls
  - it: should not create ingress tls/ingressClass by default
    asserts:
@@ -65,27 +57,23 @@ tests:
          path: spec.ingressClassName
          value: ingress
-  - it: should use default letsencrypt-prod cluster-issuer
+  - it: should enable client verification
    asserts:
      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-verify-client"]
-          value: letsencrypt-prod
+          value: "on"
-  - it: should use letsencrypt-staging cluster-issuer
+  - it: should use CA of namespace to verify certificates
-    set:
-      ingress.use_staging_cert: true
    asserts:
      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-secret"]
-          value: letsencrypt-staging
+          value: sh-helm-test-ca-cert
-  - it: should use letsencrypt-prod cluster-issuer
+  - it: should pass certificate to upstream server
-    set:
-      ingress.use_staging_cert: false
    asserts:
      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream"]
-          value: letsencrypt-prod
+          value: "true"
  - it: should create tls hosts name correctly
    asserts: