feat(chart): add option for ingress controller terminating ssl with its own cert #3158

Merged
merged 2 commits into from
Dec 19, 2024
11 changes: 6 additions & 5 deletions charts/kargo/README.md
Expand Up @@ -91,11 +91,12 @@ the Kargo controller is running.
| `api.tls.enabled` | Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section will be ignored when this is set to `false`. | `true` |
| `api.tls.selfSignedCert` | Whether to generate a self-signed certificate for use by the API server. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-cert` **must** be provided in the same namespace as Kargo. | `true` |
| `api.permissiveCORSPolicyEnabled` | Whether to enable a permissive CORS (Cross Origin Resource Sharing) policy. This is sometimes advantageous during local development, but otherwise, should generally be left disabled. | `false` |
| `api.ingress.enabled` | Whether to enable ingress. By default, this is disabled. Enabling ingress is advanced usage. | `false` |
| `api.ingress.annotations` | Annotations specified by your ingress controller to customize the behavior of the ingress resource. | `{}` |
| `api.ingress.ingressClassName` | From Kubernetes 1.18+, this field is supported if implemented by your ingress controller. When set, you do not need to add the ingress class as annotation. | `nil` |
| `api.ingress.tls.enabled` | Whether to enable TLS for the ingress. All other settings in this section will be ignored when this is set to `false`. | `true` |
| `api.ingress.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo. | `true` |
| `api.ingress.enabled` | Whether to enable ingress by creating an Ingress resource. By default, this is disabled. Enabling ingress is advanced usage. | `false` |
| `api.ingress.annotations` | Annotations specified by your ingress controller to customize the behavior of the Ingress resource. | `{}` |
| `api.ingress.ingressClassName` | If implemented by your ingress controller, specifies the ingress class. If your ingress controller does not support this, use the `kubernetes.io/ingress.class` annotation instead. | `nil` |
| `api.ingress.tls.enabled` | Whether to associate a certificate with the Ingress resource. | `true` |
| `api.ingress.tls.usesControllerCert` | Whether the ingress controller has been configured to terminate SSL using its own certificate instead of the certificate, if any, referenced by the Ingress resource. This is an uncommon configuration. | `false` |
| `api.ingress.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo. The value in this field has no effect if `api.ingress.tls.enabled` is `false`. | `true` |
| `api.ingress.pathType` | You may want to use `Prefix` for some controllers (like AWS LoadBalancer Ingress controller), which don't support `/` as wildcard path when pathType is set to `ImplementationSpecific` | `ImplementationSpecific` |
| `api.service.type` | If you're not going to use an ingress controller, you may want to change this value to `LoadBalancer` for production deployments. If running locally, you may want to change it to `NodePort` OR leave it as `ClusterIP` and use `kubectl port-forward` to map a port on the local network interface to the service. | `ClusterIP` |
| `api.service.nodePort` | Host port the `Service` will be mapped to when `type` is either `NodePort` or `LoadBalancer`. If not specified, Kubernetes chooses. | `undefined` |
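Review bot: the `api.ingress.ingressClassName` row drops the "Kubernetes 1.18+" qualifier of the old text and now points users at the `kubernetes.io/ingress.class` annotation as the fallback; that annotation has been deprecated since `ingressClassName` was introduced in 1.18, so the row should say so (e.g. "use the deprecated `kubernetes.io/ingress.class` annotation instead") rather than steer new deployments toward it. The `api.ingress.tls.usesControllerCert` row also describes only the operator's setup, not what the chart does with the flag; since the new `kargo.api.baseURL` helper switches every generated URL to `https://` whenever it is `true`, a sentence such as "When `true`, Kargo generates `https://` URLs even if `api.ingress.tls.enabled` is `false`" would make the effect explicit.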
8 changes: 8 additions & 0 deletions charts/kargo/templates/_helpers.tpl
Expand Up @@ -91,6 +91,14 @@ app.kubernetes.io/component: management-controller
app.kubernetes.io/component: webhooks-server
{{- end -}}

{{- define "kargo.api.baseURL" -}}
{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled (or .Values.api.ingress.tls.enabled .Values.api.ingress.tls.usesControllerCert)) -}}
{{- printf "https://%s" .Values.api.host -}}
{{- else -}}
{{- printf "http://%s" .Values.api.host -}}
{{- end -}}
{{- end -}}

{{- define "call-nested" }}
{{- $dot := index . 0 }}
{{- $subchart := index . 1 }}
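Review bot: `kargo.api.baseURL` is now the single place that decides the URL scheme for the admin token issuer, the OIDC issuer, the Dex redirect URIs and the controller's API base URL, but the define carries no comment explaining the rule it encodes. Suggest a short comment above it stating the three cases: `api.tls.enabled` (TLS on the API server itself), or an enabled Ingress that either references a certificate (`api.ingress.tls.enabled`) or is fronted by a controller terminating TLS with its own certificate (`api.ingress.tls.usesControllerCert`). The `and` guard also means `usesControllerCert` is ignored when `api.ingress.enabled` is `false`, which is correct but worth stating, since neither the README row nor the values.yaml comment mentions it.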
12 changes: 2 additions & 10 deletions charts/kargo/templates/api/configmap.yaml
Expand Up @@ -24,11 +24,7 @@ data:
PERMISSIVE_CORS_POLICY_ENABLED: {{ quote .Values.api.permissiveCORSPolicyEnabled }}
{{- if .Values.api.adminAccount.enabled }}
ADMIN_ACCOUNT_ENABLED: "true"
{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled .Values.api.ingress.tls.enabled) }}
ADMIN_ACCOUNT_TOKEN_ISSUER: https://{{ .Values.api.host }}
{{- else }}
ADMIN_ACCOUNT_TOKEN_ISSUER: http://{{ .Values.api.host }}
{{- end }}
ADMIN_ACCOUNT_TOKEN_ISSUER: {{ include "kargo.api.baseURL" . }}
ADMIN_ACCOUNT_TOKEN_AUDIENCE: {{ quote .Values.api.host }}
ADMIN_ACCOUNT_TOKEN_TTL: {{ quote .Values.api.adminAccount.tokenTTL }}
{{- end }}
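Review bot: `ADMIN_ACCOUNT_TOKEN_ISSUER` is emitted unquoted while the neighbouring `ADMIN_ACCOUNT_TOKEN_AUDIENCE` and `ADMIN_ACCOUNT_TOKEN_TTL` go through `quote`; the rendered `https://<host>` is a valid plain YAML scalar, so this is a style point only, but `{{ include "kargo.api.baseURL" . | quote }}` would keep the keys in this block consistent and protects against an `api.host` value containing YAML-significant characters. The same applies to `OIDC_ISSUER_URL` in the next hunk.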
Expand All @@ -41,11 +37,7 @@ data:
GLOBAL_SERVICE_ACCOUNT_NAMESPACES: {{ .Release.Namespace }}
{{- end }}
{{- if .Values.api.oidc.dex.enabled }}
{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled .Values.api.ingress.tls.enabled) }}
OIDC_ISSUER_URL: https://{{ .Values.api.host }}/dex
{{- else }}
OIDC_ISSUER_URL: http://{{ .Values.api.host }}/dex
{{- end }}
OIDC_ISSUER_URL: {{ include "kargo.api.baseURL" . }}/dex
OIDC_CLIENT_ID: {{ quote .Values.api.host }}
OIDC_CLI_CLIENT_ID: {{ .Values.api.host }}-cli
DEX_ENABLED: "true"
6 changes: 1 addition & 5 deletions charts/kargo/templates/controller/configmap.yaml
Expand Up @@ -9,11 +9,7 @@ metadata:
{{- include "kargo.controller.labels" . | nindent 4 }}
data:
{{- if .Values.api.enabled }}
{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled .Values.api.ingress.tls.enabled) }}
API_SERVER_BASE_URL: https://{{ .Values.api.host }}
{{- else }}
API_SERVER_BASE_URL: http://{{ .Values.api.host }}
{{- end }}
API_SERVER_BASE_URL: {{ include "kargo.api.baseURL" . }}
{{- end }}
LOG_LEVEL: {{ quote .Values.controller.logLevel }}
{{- if .Values.controller.shardName }}
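Review bot: with `usesControllerCert: true` the controller's `API_SERVER_BASE_URL` becomes `https://<api.host>` terminated by a certificate the chart does not manage, and nothing in this change adds a CA bundle or trust setting for the controller; if that certificate is issued by a private CA, the controller's TLS verification of the API may fail. Worth confirming how the controller is expected to trust that certificate, and if it relies on the pod's system trust store, saying so in the `usesControllerCert` documentation.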
12 changes: 2 additions & 10 deletions charts/kargo/templates/dex-server/secret.yaml
Expand Up @@ -10,11 +10,7 @@ metadata:
{{- include "kargo.dexServer.labels" . | nindent 4 }}
stringData:
config.yaml: |-
{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled .Values.api.ingress.tls.enabled) }}
issuer: https://{{ .Values.api.host }}/dex
{{- else }}
issuer: http://{{ .Values.api.host }}/dex
{{- end }}
issuer: {{ include "kargo.api.baseURL" . }}/dex

storage:
type: memory
Expand All @@ -35,11 +31,7 @@ stringData:
public: true
{{- if not (hasPrefix "localhost:" .Values.api.host) }}
redirectURIs:
{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled .Values.api.ingress.tls.enabled) }}
- https://{{ .Values.api.host }}/login
{{- else }}
- http://{{ .Values.api.host }}/login
{{- end }}
- {{ include "kargo.api.baseURL" . }}/login
{{- end }}
- id: {{ .Values.api.host }}-cli
name: Kargo CLI
12 changes: 7 additions & 5 deletions charts/kargo/values.yaml
Expand Up @@ -155,17 +155,19 @@ api:
permissiveCORSPolicyEnabled: false

ingress:
## @param api.ingress.enabled Whether to enable ingress. By default, this is disabled. Enabling ingress is advanced usage.
## @param api.ingress.enabled Whether to enable ingress by creating an Ingress resource. By default, this is disabled. Enabling ingress is advanced usage.
enabled: false
## @param api.ingress.annotations Annotations specified by your ingress controller to customize the behavior of the ingress resource.
## @param api.ingress.annotations Annotations specified by your ingress controller to customize the behavior of the Ingress resource.
annotations: {}
# kubernetes.io/ingress.class: nginx
## @param api.ingress.ingressClassName From Kubernetes 1.18+, this field is supported if implemented by your ingress controller. When set, you do not need to add the ingress class as annotation.
## @param api.ingress.ingressClassName If implemented by your ingress controller, specifies the ingress class. If your ingress controller does not support this, use the `kubernetes.io/ingress.class` annotation instead.
ingressClassName:
tls:
## @param api.ingress.tls.enabled Whether to enable TLS for the ingress. All other settings in this section will be ignored when this is set to `false`.
## @param api.ingress.tls.enabled Whether to associate a certificate with the Ingress resource.
enabled: true
## @param api.ingress.tls.selfSignedCert Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo.
## @param api.ingress.tls.usesControllerCert Whether the ingress controller has been configured to terminate SSL using its own certificate instead of the certificate, if any, referenced by the Ingress resource. This is an uncommon configuration.
usesControllerCert: false
## @param api.ingress.tls.selfSignedCert Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo. The value in this field has no effect if `api.ingress.tls.enabled` is `false`.
selfSignedCert: true
## @param api.ingress.pathType You may want to use `Prefix` for some controllers (like AWS LoadBalancer Ingress controller), which don't support `/` as wildcard path when pathType is set to `ImplementationSpecific`
pathType: ImplementationSpecific
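Review bot: the `## @param api.ingress.tls.usesControllerCert` comment describes the operator's ingress controller setup but not what the chart does with the flag; per `kargo.api.baseURL`, setting it to `true` makes Kargo generate `https://` URLs for the token issuer, the OIDC issuer, the Dex redirect URIs and the controller's API base URL even when `api.ingress.tls.enabled` is `false`, and that is what a user needs to know to choose it correctly. Suggest appending something like "When `true`, Kargo assumes the API is reachable over HTTPS and generates `https://` URLs regardless of `api.ingress.tls.enabled`." and carrying the same wording into the README row.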