#2 OZG-7121 helm: Use letsencrypt for ingress

.gitlab-ci.yml

@@ -97,6 +97,9 @@ push-merge-request-helm-nexus:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
   when: manual
+  artifacts:
+    paths:
+      - "*.tgz"
 
 # Snapshot jobs
 push-snapshot-image-gitlab:

src/main/helm/templates/ingress.yaml

@@ -4,6 +4,15 @@ metadata:
   name: {{ .Release.Name }}
   namespace: {{ include "app.namespace" . }}
   annotations:
+    {{- if (.Values.ingress).certManagerAnnotations -}}
+    {{- range (.Values.ingress).certManagerAnnotations }}
+{{ . | indent 4 }}
+    {{- end }}
+    {{- else if (.Values.ingress).use_staging_cert }}
+    cert-manager.io/cluster-issuer: letsencrypt-staging
+    {{- else }}
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- end }}
     nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
     nginx.ingress.kubernetes.io/auth-tls-secret: {{ include "app.namespace" . }}-ca-cert
     nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
@@ -22,8 +31,12 @@ spec:
                 port: 
                   number: 8443
 
-      host: {{ include "app.baseDomain" . }}
+      host: "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
   tls:
     - hosts:
-      - {{ include "app.baseDomain" . }}
-      secretName: {{ .Release.Name }}-tls-secret
\ No newline at end of file
+      - "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
+      {{- if (.Values.ingress).tlsSecretName }}
+      secretName: {{ (.Values.ingress).tlsSecretName }}
+      {{- else }}
+      secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls
+      {{- end }}
\ No newline at end of file

src/test/helm/ingress_test.yaml

@@ -38,11 +38,14 @@ tests:
     asserts:
       - isKind:
           of: Ingress
-  - it: should use same tls secret as in cluster
+  - it: should set ingress tls
+    set:
+      ingress:
+        tlsSecretName: client-tls
     asserts:
       - equal:
           path: spec.tls[0].secretName
-          value: matabase-tls-secret
+          value: client-tls
 
   - it: should not create ingress tls/ingressClass by default
     asserts:
@@ -56,13 +59,25 @@ tests:
       - equal:
           path: spec.ingressClassName
           value: ingress
-  
+  - it: should use default letsencrypt-prod cluster-issuer
+    asserts:
+      - equal:
+          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          value: letsencrypt-prod
+
+  - it: should use letsencrypt-staging cluster-issuer
+    set:
+      ingress.use_staging_cert: true
+    asserts:
+      - equal:
+          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          value: letsencrypt-staging
+
   - it: should enable client verification
     asserts:
       - equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-verify-client"]
           value: "on"
-
   - it: should use CA of namespace to verify certificates
     asserts:
       - equal:
@@ -74,12 +89,11 @@ tests:
       - equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream"]
           value: "true"
-
   - it: should create tls hosts name correctly
     asserts:
       - equal:
           path: spec.tls[0].hosts[0]
-          value: helm.test.by.ozg-cloud.de
+          value: matabase-helm.test.by.ozg-cloud.de
 
   - it: should create rules correctly
     asserts:
@@ -98,4 +112,4 @@ tests:
     asserts:
       - equal:
           path: spec.rules[0].host
-          value: helm.test.by.ozg-cloud.de
+          value: matabase-helm.test.by.ozg-cloud.de