From ad4c8b1f633500890e9f2952aa9273e592cdb7b0 Mon Sep 17 00:00:00 2001
From: Jan Zickermann <jan.zickermann@dataport.de>
Date: Thu, 12 Dec 2024 11:42:59 +0100
Subject: [PATCH] #2 OZG-7121 helm: Use letsencrypt for ingress

---
 .gitlab-ci.yml                       |  3 +++
 src/main/helm/templates/ingress.yaml | 19 ++++++++++++++++---
 src/test/helm/ingress_test.yaml      | 28 +++++++++++++++++++++-------
 3 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8bdd507..909e48e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -97,6 +97,9 @@ push-merge-request-helm-nexus:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       when: manual
+  artifacts:
+    paths:
+      - "*.tgz"
 
 # Snapshot jobs
 push-snapshot-image-gitlab:
diff --git a/src/main/helm/templates/ingress.yaml b/src/main/helm/templates/ingress.yaml
index 30a0c4e..da01f42 100644
--- a/src/main/helm/templates/ingress.yaml
+++ b/src/main/helm/templates/ingress.yaml
@@ -4,6 +4,15 @@ metadata:
   name: {{ .Release.Name }}
   namespace: {{ include "app.namespace" . }}
   annotations:
+    {{- if (.Values.ingress).certManagerAnnotations -}}
+    {{- range (.Values.ingress).certManagerAnnotations }}
+{{ . | indent 4 }}
+    {{- end }}
+    {{- else if (.Values.ingress).use_staging_cert }}
+    cert-manager.io/cluster-issuer: letsencrypt-staging
+    {{- else }}
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- end }}
     nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
     nginx.ingress.kubernetes.io/auth-tls-secret: {{ include "app.namespace" . }}-ca-cert
     nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
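Review bot: The `certManagerAnnotations` branch in the annotations hunk pastes each list entry into `metadata.annotations` verbatim via `{{ . | indent 4 }}`, so a values file can add any annotation to this Ingress — not just cert-manager ones — including `nginx.ingress.kubernetes.io/configuration-snippet` or a second `auth-tls-verify-client` key, and which copy of a duplicated key wins then depends on the YAML decoder, not on this template. The branch also silently drops the `cert-manager.io/cluster-issuer` default whenever the list is non-empty, which nothing here documents. Rendering a map instead of free-form text keeps the entries checkable, e.g. `{{- if (.Values.ingress).certManagerAnnotations }}` / `{{- toYaml (.Values.ingress).certManagerAnnotations | nindent 4 }}`, with a values.yaml comment stating that setting it replaces the `cluster-issuer` annotation entirely; the mTLS annotations should stay rendered after it as they are now. Separately, `use_staging_cert` is the only snake_case key next to `certManagerAnnotations` and `tlsSecretName` — `useStagingCert` would match the chart's convention.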
@@ -22,8 +31,12 @@ spec:
             port:
               number: 8443
-      host: {{ include "app.baseDomain" . }}
+      host: "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
   tls:
     - hosts:
-        - {{ include "app.baseDomain" . }}
-      secretName: {{ .Release.Name }}-tls-secret
\ No newline at end of file
+        - "{{ .Release.Name }}-{{ include "app.baseDomain" . }}"
+      {{- if (.Values.ingress).tlsSecretName }}
+      secretName: {{ (.Values.ingress).tlsSecretName }}
+      {{- else }}
+      secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls
+      {{- end }}
\ No newline at end of file
diff --git a/src/test/helm/ingress_test.yaml b/src/test/helm/ingress_test.yaml
index c9af200..27c7f37 100644
--- a/src/test/helm/ingress_test.yaml
+++ b/src/test/helm/ingress_test.yaml
@@ -38,11 +38,14 @@ tests:
     asserts:
       - isKind:
           of: Ingress
-  - it: should use same tls secret as in cluster
+  - it: should set ingress tls
+    set:
+      ingress:
+        tlsSecretName: client-tls
     asserts:
       - equal:
           path: spec.tls[0].secretName
-          value: matabase-tls-secret
+          value: client-tls
 
   - it: should not create ingress tls/ingressClass by default
     asserts:
@@ -56,13 +59,25 @@ tests:
       - equal:
           path: spec.ingressClassName
           value: ingress
-
+  - it: should use default letsencrypt-prod cluster-issuer
+    asserts:
+      - equal:
+          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          value: letsencrypt-prod
+  - it: should use letsencrypt-staging cluster-issuer
+    set:
+      ingress.use_staging_cert: true
+    asserts:
+      - equal:
+          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+          value: letsencrypt-staging
+
   - it: should enable client verification
     asserts:
       - equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-verify-client"]
           value: "on"
-
   - it: should use CA of namespace to verify certificates
     asserts:
       - equal:
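Review bot: The default `secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls` has no guard on `ozgcloud.bezeichner`; if it is unset the name renders as `-<release>-tls`, which starts with a hyphen and is not a valid DNS-1123 name for the Secret cert-manager would have to create, so the Ingress would most likely end up without a usable certificate rather than fail at install time. `secretName: "{{ required "ozgcloud.bezeichner must be set" .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls"` fails the render with a clear message instead, and quoting the templated scalar also protects against other odd expansions. Note that with the cluster-issuer annotation from the first hunk, cert-manager will issue into whichever Secret is named here, including a user-supplied `tlsSecretName`, so that override should be documented as "cert-manager will overwrite this Secret" in values.yaml. The file still ends without a trailing newline.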
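Review bot: The replaced test in the `@@ -38,11 +38,14 @@` hunk only pins the `tlsSecretName` override; the default secret name built from `ozgcloud.bezeichner` and the release name — the path every deployment without the override takes — has no assertion left after removing "should use same tls secret as in cluster". Add a case with no `set:` that asserts `spec.tls[0].secretName` equals `<bezeichner>-matabase-tls`, using whatever `ozgcloud.bezeichner` the suite's values define (the release name `matabase` is visible in the host assertions further down).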
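Review bot: The two new cluster-issuer tests in the `@@ -56,13 +59,25 @@` hunk cover the prod and staging defaults but not the third branch, `ingress.certManagerAnnotations`, which both injects free-form text into `metadata.annotations` and suppresses the `cert-manager.io/cluster-issuer` annotation entirely. A test that sets `ingress.certManagerAnnotations` to a single entry should assert the injected annotation is present and `isNull` on `metadata.annotations["cert-manager.io/cluster-issuer"]`, so the "override replaces the default" behaviour is pinned rather than accidental. It would also be worth asserting that the mTLS annotations (`auth-tls-verify-client: "on"` and the `-ca-cert` secret) survive when that override is set, since they are the security-relevant ones on this Ingress.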
@@ -74,12 +89,11 @@ tests:
       - equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream"]
           value: "true"
-
   - it: should create tls hosts name correctly
     asserts:
       - equal:
           path: spec.tls[0].hosts[0]
-          value: helm.test.by.ozg-cloud.de
+          value: matabase-helm.test.by.ozg-cloud.de
 
   - it: should create rules correctly
     asserts:
@@ -98,4 +112,4 @@ tests:
     asserts:
       - equal:
           path: spec.rules[0].host
-          value: helm.test.by.ozg-cloud.de
+          value: matabase-helm.test.by.ozg-cloud.de
-- 
GitLab