#2 OZG-7121 helm: Configure haproxy-ingress with ssl-passthrough

888a6eb3 · Jan Zickermann · 5b1809a8 · 888a6eb3 · 888a6eb3 · 888a6eb3
Commit 888a6eb3 authored 5 months ago by Jan Zickermann
--- a/src/main/helm/templates/certificate.yaml
+++ b/src/main/helm/templates/certificate.yaml
@@ -40,9 +40,4 @@ spec:
    - key encipherment
    - key agreement
  dnsNames:
-    - "*.{{ .Release.Name }}.{{ include "app.namespace" . }}.svc.cluster.local"
+    - "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
-    - "{{ .Release.Name }}.{{ include "app.namespace" . }}.svc.cluster.local"
\ No newline at end of file
-    - "{{ .Release.Name }}.{{ include "app.namespace" . }}.svc.cluster"
-    - "{{ .Release.Name }}.{{ include "app.namespace" . }}.svc"
-    - "{{ .Release.Name }}.{{ include "app.namespace" . }}"
-    - "{{ .Release.Name }}"
\ No newline at end of file
--- a/src/main/helm/templates/ingress.yaml
+++ b/src/main/helm/templates/ingress.yaml
@@ -4,24 +4,11 @@ metadata:
  name: {{ .Release.Name }}
  namespace: {{ include "app.namespace" . }}
  annotations:
-    {{- if (.Values.ingress).certManagerAnnotations -}}
+    haproxy-ingress.github.io/ssl-passthrough: "true"
-    {{- range (.Values.ingress).certManagerAnnotations }}
-{{ . | indent 4 }}
-    {{- end }}
-    {{- else if (.Values.ingress).use_staging_cert }}
-    cert-manager.io/cluster-issuer: letsencrypt-staging
-    {{- else }}
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{- end }}
-    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
-    nginx.ingress.kubernetes.io/auth-tls-secret: {{ include "app.namespace" . }}-ca-cert
-    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
 spec:
-  {{- if (.Values.ingress).className }}
-  ingressClassName: {{ .Values.ingress.className }}
-  {{- end }}
  rules:
-    - http:
+    - host: "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
+      http:
        paths:
          - path: /
            pathType: Prefix
@@ -30,13 +17,3 @@ spec:
                name: {{ .Release.Name }}
                port:
                  number: 8443
\ No newline at end of file
-      host: "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
-  tls:
-    - hosts:
-      - "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
-      {{- if (.Values.ingress).tlsSecretName }}
-      secretName: {{ (.Values.ingress).tlsSecretName }}
-      {{- else }}
-      secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls
-      {{- end }}
\ No newline at end of file
--- a/src/test/helm/certificate_test.yaml
+++ b/src/test/helm/certificate_test.yaml
@@ -63,12 +63,7 @@ tests:
      - equal:
          path: spec.dnsNames
          value:
-            - "*.xta-test-server-release-name.sh-helm-test.svc.cluster.local"
+            - "xta-test-server-release-name-helm.test.by.ozg-cloud.de"
-            - "xta-test-server-release-name.sh-helm-test.svc.cluster.local"
-            - "xta-test-server-release-name.sh-helm-test.svc.cluster"
-            - "xta-test-server-release-name.sh-helm-test.svc"
-            - "xta-test-server-release-name.sh-helm-test"
-            - "xta-test-server-release-name"
  - it: should contain default lables and component lables
    asserts:
      - equal:

--- a/src/test/helm/ingress_test.yaml
+++ b/src/test/helm/ingress_test.yaml
@@ -38,63 +38,11 @@ tests:
    asserts:
      - isKind:
          of: Ingress
-  - it: should set ingress tls
+  - it: should enable ssl passthrough
-    set:
-      ingress:
-        tlsSecretName: client-tls
-    asserts:
-      - equal:
-          path: spec.tls[0].secretName
-          value: client-tls
-  - it: should not create ingress tls/ingressClass by default
-    asserts:
-      - isNull:
-          path: spec.ingressClassName
-  - it: should set ingress tls/ingressClass
-    set:
-      ingress:
-        className: ingress
-    asserts:
-      - equal:
-          path: spec.ingressClassName
-          value: ingress
-  - it: should use default letsencrypt-prod cluster-issuer
-    asserts:
-      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
-          value: letsencrypt-prod
-  - it: should use letsencrypt-staging cluster-issuer
-    set:
-      ingress.use_staging_cert: true
    asserts:
      - equal:
-          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          path: metadata.annotations["haproxy-ingress.github.io/ssl-passthrough"]
-          value: letsencrypt-staging
-  - it: should enable client verification
-    asserts:
-      - equal:
-          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-verify-client"]
-          value: "on"
-  - it: should use CA of namespace to verify certificates
-    asserts:
-      - equal:
-          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-secret"]
-          value: sh-helm-test-ca-cert
-  - it: should pass certificate to upstream server
-    asserts:
-      - equal:
-          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream"]
          value: "true"
-  - it: should create tls hosts name correctly
-    asserts:
-      - equal:
-          path: spec.tls[0].hosts[0]
-          value: matabase-helm.test.by.ozg-cloud.de
  - it: should create rules correctly
    asserts:
      - equal: