From 044a62d5307140208e08042f25884d4fcd1942b8 Mon Sep 17 00:00:00 2001 From: Thomas Wessner Date: Wed, 30 Oct 2024 14:59:28 +0100 Subject: [PATCH 1/6] feat(common): support defining multiple hosts for one ingress --- charts/common/Chart.yaml | 2 +- charts/common/README.md | 11 ++++++----- charts/common/README.md.gotmpl | 1 + charts/common/templates/_ingress-ingress.yaml | 8 ++++---- charts/common/templates/_ingress-secret.yaml | 4 +++- charts/common/values.schema.json | 14 +++----------- charts/common/values.yaml | 7 +++---- 7 files changed, 21 insertions(+), 26 deletions(-) diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index 3b753571..ee4745f0 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: common description: "Bedag's common Helm chart to use for creating other Helm charts" -version: 11.0.0 +version: 12.0.0 # A chart can be either an 'application' or a 'library' chart. # # Application charts are a collection of templates that can be packaged into versioned archives diff --git a/charts/common/README.md b/charts/common/README.md index 5a08fec3..02766c29 100644 --- a/charts/common/README.md +++ b/charts/common/README.md @@ -1,6 +1,6 @@ # common -![Version: 11.0.0](https://img.shields.io/badge/Version-11.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 12.0.0](https://img.shields.io/badge/Version-12.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Bedag's common Helm chart to use for creating other Helm charts 
@@ -24,6 +24,7 @@ Major Changes to functions are documented with the version affected. **Before up |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70| |networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77| |ingress template changes|11.0.0|add possibility to create multiple ingress objects|https://github.com/bedag/helm-charts/pull/134 +|ingress template changes|12.0.0|support defining multiple hosts and secrets for one ingress| # Values by Component 
@@ -35,8 +36,8 @@ Major Changes to functions are documented with the version affected. **Before up | ingresses.ingress-1.annotations."nginx.ingress.kubernetes.io/ssl-redirect" | string | `"true"` | nginx.ingress.kubernetes.io/ssl-redirect needs to be set to 'true' when using SSL/TLS offloading with a LB outside of Kubernetes | | ingresses.ingress-1.deploy | bool | `false` | deploy has to be set to true for rendering to be applied | | ingresses.ingress-1.ingressClassName | string | `""` | ingressClassName, defines the class of the ingress controller. | -| ingresses.ingress-1.rules | list | `[{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}}]` | rules is a list of host rules used to configure the Ingress | -| ingresses.ingress-1.rules[0] | object | `{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}}` | host is the URL which ingress is listening | +| ingresses.ingress-1.rules | list | `[{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]},"secretName":""}]` | rules is a list of host rules used to configure the Ingress | +| ingresses.ingress-1.rules[0] | object | `{"host":"myapp.cluster.local","http":{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]},"secretName":""}` | host is the URL which ingress is listening | | ingresses.ingress-1.rules[0].http | object | `{"paths":[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]}` | http is a list of http selectors pointing to backends | | ingresses.ingress-1.rules[0].http.paths | list | 
`[{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}]` | paths is a list of paths that map requests to backends | | ingresses.ingress-1.rules[0].http.paths[0] | object | `{"backend":{"serviceNameSuffix":"component-1","servicePort":"http"},"path":"/","pathType":"ImplementationSpecific"}` | backend defines the referenced service endpoint to which the traffic will be forwarded to | @@ -44,7 +45,7 @@ Major Changes to functions are documented with the version affected. **Before up | ingresses.ingress-1.rules[0].http.paths[0].backend.servicePort | string | `"http"` | servicePort describes the port where the service is listening at (can be either a string or a number) | | ingresses.ingress-1.rules[0].http.paths[0].path | string | `"/"` | path which ingress is listening | | ingresses.ingress-1.rules[0].http.paths[0].pathType | string | `"ImplementationSpecific"` | pathType Each path in an Ingress is required to have a corresponding path type. Comment out for using default ("ImplementationSpecific") | -| ingresses.ingress-1.tls.existing.secret | string | `""` | name of an existing secret with tls.crt & tls.key content | +| ingresses.ingress-1.rules[0].secretName | string | `""` | name of existing secrets with tls.crt & tls.key content | | ingresses.ingress-1.tls.provided.cert | string | `""` | If SSL is terminated on ingress and you have a generated (preferrably CERT-001) certificate/key Has to be base64 encoded and should be encrypted in the ejson vault Add Variable to your CI/CD Settings "SKIP_DECRYPT" with value "" that it doesnt decrypt the cert and fails. | | ingresses.ingress-1.tls.provided.key | string | `""` | The key must not have a passphrase | | ingresses.ingress-1.tls.self | object | `{"alternativeDnsNames":[],"commonName":"*.cluster.local","ipAddresses":[],"validityDuration":365}` | depending on the type you have further configuration options: | 
@@ -52,7 +53,7 @@ Major Changes to functions are documented with the version affected. **Before up | ingresses.ingress-1.tls.self.commonName | string | `"*.cluster.local"` | commonName of the certificate (mandatory) | | ingresses.ingress-1.tls.self.ipAddresses | list | `[]` | ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section | | ingresses.ingress-1.tls.self.validityDuration | int | `365` | validityDuration defines how long the certificate is valid (in days) | -| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires secret name to be specified provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | +| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host.secret provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | ## ServiceMonitor diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl index 42e337e2..a0efe148 100644 --- a/charts/common/README.md.gotmpl +++ b/charts/common/README.md.gotmpl 
@@ -33,6 +33,7 @@ Major Changes to functions are documented with the version affected. **Before up |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70| |networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77| |ingress template changes|11.0.0|add possibility to create multiple ingress objects|https://github.com/bedag/helm-charts/pull/134 +|ingress template changes|12.0.0|support defining multiple hosts and secrets for one ingress| {{/* Chart Values */}}
diff --git a/charts/common/templates/_ingress-ingress.yaml b/charts/common/templates/_ingress-ingress.yaml
index 2b19e6d9..9e70e7b0 100644
--- a/charts/common/templates/_ingress-ingress.yaml
+++ b/charts/common/templates/_ingress-ingress.yaml
@@ -53,15 +53,15 @@ spec:
 {{- if $ingress.tls }}
 {{- if and (ne $ingress.tls.type "none") (ne $ingress.tls.type "") }}
 tls:
+ {{- range $ingress.rules }}
 - hosts:
- {{- range $ingress.rules }}
 - {{ .host }}
- {{- end }}
 {{- if or (eq $ingress.tls.type "self") (eq $ingress.tls.type "provided") }}
- secretName: {{ template "library.name" $root }}-{{$name}}-tls
+ secretName: {{ regexReplaceAll "\\W+" .host "-" }}
 {{- else if eq $ingress.tls.type "existing" }}
- secretName: {{ $ingress.tls.existing.secret }}
+ secretName: {{ .secretName }}
 {{- end }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/common/templates/_ingress-secret.yaml b/charts/common/templates/_ingress-secret.yaml
index e20416cd..13f0261c 100644
--- a/charts/common/templates/_ingress-secret.yaml
+++ b/charts/common/templates/_ingress-secret.yaml
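Review bot: The secret name produced on the new `secretName: {{ regexReplaceAll "\\W+" .host "-" }}` line is not guaranteed to be a valid Kubernetes object name: `\W+` leaves underscores and uppercase letters untouched, and a wildcard host such as `*.example.com` becomes `-example-com`, which starts with a hyphen and is rejected by the API server. Dropping the `{{ template "library.name" $root }}-{{$name}}-` prefix also makes the name release-independent, so two ingresses, or two releases in one namespace, that list the same host now render the same Secret name and either Helm refuses the install or the later one replaces the other's TLS material; `_ingress-secret.yaml` in this commit uses the identical expression for `metadata.name`, so both should share one normalisation such as `secretName: {{ regexReplaceAll "[^a-z0-9]+" (printf "%s-%s-%s" (include "library.name" $root) $name .host | lower) "-" | trimAll "-" }}`. In the `existing` branch, `secretName: {{ .secretName }}` renders an empty value whenever a rule omits the key (its default in values.yaml is `""`) and the schema no longer requires it, so `secretName: {{ required "rules[].secretName must be set when tls.type is existing" .secretName }}` would fail at render time instead of producing an Ingress that most controllers silently serve with their default certificate. The enclosing template starts and ends outside this hunk.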
@@ -11,11 +11,12 @@
 {{- $cert = buildCustomCert $ingress.tls.provided.cert $ingress.tls.provided.key }}
 {{- end }}
 {{ if or (eq $ingress.tls.type "self") (eq $ingress.tls.type "provided")}}
+{{- range $ingress.rules }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ template "library.name" $root }}-{{$name}}-tls
+ name: {{ regexReplaceAll "\\W+" .host "-" }}
 labels:
 {{ include "library.labels.standard" $root | indent 4 }}
 app.kubernetes.io/component: ingress-tls
@@ -28,3 +29,4 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/common/values.schema.json b/charts/common/values.schema.json
index 48b0df00..1afd451d 100644
--- a/charts/common/values.schema.json
+++ b/charts/common/values.schema.json
@@ -609,6 +609,9 @@
 }
 }
 }
+ },
+ "secretName": {
+ "type": "string"
 }
 }
 }
@@ -626,17 +629,6 @@
 "type": "string",
 "default": "none"
 },
- "existing": {
- "type": "object",
- "required": [
- "secret"
- ],
- "properties": {
- "secret": {
- "type": "string"
- }
- }
- },
 "provided": {
 "type": "object",
 "required": [
diff --git a/charts/common/values.yaml b/charts/common/values.yaml
index 32d709b1..0e9df47c 100644
--- a/charts/common/values.yaml
+++ b/charts/common/values.yaml
@@ -88,6 +88,8 @@ ingresses:
 path: "/"
 # -- pathType Each path in an Ingress is required to have a corresponding path type. Comment out for using default ("ImplementationSpecific")
 pathType: "ImplementationSpecific"
+ # -- name of existing secrets with tls.crt & tls.key content
+ secretName: ""
 # END ONLY FOR MULTI-SERVICE INGRESSES AND/OR SPECIFIC RULES # -- annotations is a dictionary for defining ingress controller specific annotations
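Review bot: Wrapping the Secret in `{{- range $ingress.rules }}` emits one Secret per rule, but `$cert` is still assigned once before the loop (the `buildCustomCert` line at the top of the hunk, and presumably the self-signed branch just above it), so every host receives a copy of the same certificate and key; for `self` the generated certificate's commonName comes from `tls.self`, not from the `.host` the Secret is now named after. Two rules that repeat the same `host` also render two Secret documents with identical `metadata.name`, which Helm does not de-duplicate. If a per-host certificate is the intent, the generation has to move inside the loop and take `.host` as input; if one certificate is meant to cover all hosts, a single Secret with the old `{{ template "library.name" $root }}-{{$name}}-tls` name referenced from each `tls` entry avoids both the duplication and the name-collision problem. The variable setup and the `data:` section are outside this hunk.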
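Review bot: Removing the `existing` object together with its `required: ["secret"]` drops the only schema-level guarantee that an `existing` TLS type names a secret, and the replacement `secretName` property is an unconstrained string, so a misconfigured chart now passes `helm lint` and fails only at the ingress controller. A flat property list cannot express "required when `tls.type` is `existing`", but a `pattern` restricted to Kubernetes object names (constructed example: `"pattern": "^$|^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$"`, with `^$` keeping the `""` default valid) would at least reject values the API server refuses, and the cross-field check belongs in the template via `required`. The surrounding `properties` objects start and end outside these hunks.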
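Review bot: The helm-docs comment on the new `secretName` key does not say when the value is consulted: per `_ingress-ingress.yaml` in this commit it is only used when `tls.type` is `existing`, and for `self`/`provided` the secret name is derived from `host` instead, so a user setting it under the default `none` or under `self` gets no effect and no warning. Suggest `# -- name of an existing Secret holding tls.crt & tls.key for this host; only used when tls.type is "existing"`, which also fixes the plural "secrets" since each rule names exactly one. The enclosing `rules` entry starts outside this hunk.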
@@ -100,7 +102,7 @@ ingresses:
 tls:
 # -- define your type of tls certificate, it can be one of:
 # none: tls will be disabled
- # existing: use an existing secret already present in the namespace. Requires secret name to be specified
+ # existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host.secret
 # provided: use an officially generated certificate/key
 # k8s: use the default k8s-ingress tls. no further configuration needed
 # self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least
@@ -117,9 +119,6 @@ ingresses:
 # - "foo.com"
 # -- validityDuration defines how long the certificate is valid (in days)
 validityDuration: 365
- existing:
- # -- name of an existing secret with tls.crt & tls.key content
- secret: ""
 provided:
 # -- If SSL is terminated on ingress and you have a generated (preferrably CERT-001) certificate/key
 # Has to be base64 encoded and should be encrypted in the ejson vault
From 2eee6fc660be2d29fbc2810d4c7a7b998c532099 Mon Sep 17 00:00:00 2001
From: Thomas Wessner
Date: Wed, 30 Oct 2024 15:06:26 +0100
Subject: [PATCH 2/6] feat(common): add pr number
Signed-off-by: Thomas Wessner
---
 charts/common/templates/_ingress-ingress.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/common/templates/_ingress-ingress.yaml b/charts/common/templates/_ingress-ingress.yaml
index 9e70e7b0..547e99fe 100644
--- a/charts/common/templates/_ingress-ingress.yaml
+++ b/charts/common/templates/_ingress-ingress.yaml
@@ -57,7 +57,7 @@ spec:
 - hosts:
 - {{ .host }}
 {{- if or (eq $ingress.tls.type "self") (eq $ingress.tls.type "provided") }}
- secretName: {{ regexReplaceAll "\\W+" .host "-" }}
+ secretName: {{ regexReplaceAll "\\W+" .host "-" }}
 {{- else if eq $ingress.tls.type "existing" }}
 secretName: {{ .secretName }}
 {{- end }}
From 3d1ceffed624a0d05a315c9b1fc2e63bcbfb1644 Mon Sep 17 00:00:00 2001
From: Thomas Wessner Date: Wed, 30 Oct 2024 15:24:35 +0100 Subject: [PATCH 3/6] feat(common): add pr number Signed-off-by: Thomas Wessner --- charts/common/README.md | 2 +- charts/common/README.md.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/common/README.md b/charts/common/README.md index 02766c29..af3c026b 100644 --- a/charts/common/README.md +++ b/charts/common/README.md @@ -24,7 +24,7 @@ Major Changes to functions are documented with the version affected. **Before up |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70| |networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77| |ingress template changes|11.0.0|add possibility to create multiple ingress objects|https://github.com/bedag/helm-charts/pull/134 -|ingress template changes|12.0.0|support defining multiple hosts and secrets for one ingress| +|ingress template changes|12.0.0|support defining multiple hosts and secrets for one ingress|https://github.com/bedag/helm-charts/pull/138 # Values by Component diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl index a0efe148..42bf92a2 100644 --- a/charts/common/README.md.gotmpl +++ b/charts/common/README.md.gotmpl 
@@ -33,7 +33,7 @@ Major Changes to functions are documented with the version affected. **Before up |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70| |networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77| |ingress template changes|11.0.0|add possibility to create multiple ingress objects|https://github.com/bedag/helm-charts/pull/134 -|ingress template changes|12.0.0|support defining multiple hosts and secrets for one ingress| +|ingress template changes|12.0.0|support defining multiple hosts and secrets for one ingress|https://github.com/bedag/helm-charts/pull/138 {{/* Chart Values */}} From 2962bdd81c9dfbd93507b4de3bd32aae6a581a10 Mon Sep 17 00:00:00 2001 From: Thomas Wessner Date: Fri, 15 Nov 2024 14:53:53 +0100 Subject: [PATCH 4/6] docs: update documentation --- charts/common/README.md | 2 +- charts/common/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/common/README.md b/charts/common/README.md index af3c026b..966ff760 100644 --- a/charts/common/README.md +++ b/charts/common/README.md 
@@ -53,7 +53,7 @@ Major Changes to functions are documented with the version affected. **Before up | ingresses.ingress-1.tls.self.commonName | string | `"*.cluster.local"` | commonName of the certificate (mandatory) | | ingresses.ingress-1.tls.self.ipAddresses | list | `[]` | ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section | | ingresses.ingress-1.tls.self.validityDuration | int | `365` | validityDuration defines how long the certificate is valid (in days) | -| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host.secret provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | +| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host[].secretName provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | ## ServiceMonitor diff --git a/charts/common/values.yaml b/charts/common/values.yaml index 0e9df47c..2aa37bbe 100644 --- a/charts/common/values.yaml +++ b/charts/common/values.yaml 
@@ -102,7 +102,7 @@ ingresses:
 tls:
 # -- define your type of tls certificate, it can be one of:
 # none: tls will be disabled
- # existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host.secret
+ # existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host[].secretName
 # provided: use an officially generated certificate/key
 # k8s: use the default k8s-ingress tls. no further configuration needed
 # self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least
From 4a5c6bf6e39c9b47479874ed4d763c420d6d584e Mon Sep 17 00:00:00 2001
From: Thomas Wessner
Date: Fri, 15 Nov 2024 15:27:14 +0100
Subject: [PATCH 5/6] docs: update documentation
---
 charts/common/README.md | 2 +-
 charts/common/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/common/README.md b/charts/common/README.md
index 966ff760..5bfb7ba4 100644
--- a/charts/common/README.md
+++ b/charts/common/README.md
@@ -53,7 +53,7 @@ Major Changes to functions are documented with the version affected. **Before up | ingresses.ingress-1.tls.self.commonName | string | `"*.cluster.local"` | commonName of the certificate (mandatory) | | ingresses.ingress-1.tls.self.ipAddresses | list | `[]` | ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section | | ingresses.ingress-1.tls.self.validityDuration | int | `365` | validityDuration defines how long the certificate is valid (in days) | -| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host[].secretName provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | +| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires 'secretName' to be specified in .rules.host provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | ## ServiceMonitor diff --git a/charts/common/values.yaml b/charts/common/values.yaml index 2aa37bbe..4f9a0cc0 100644 --- a/charts/common/values.yaml +++ b/charts/common/values.yaml 
@@ -102,7 +102,7 @@ ingresses:
 tls:
 # -- define your type of tls certificate, it can be one of:
 # none: tls will be disabled
- # existing: use an existing secret already present in the namespace. Requires secret name to be specified in .rules.host[].secretName
+ # existing: use an existing secret already present in the namespace. Requires 'secretName' to be specified in .rules.host
 # provided: use an officially generated certificate/key
 # k8s: use the default k8s-ingress tls. no further configuration needed
 # self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least
From 25cc9976c369daff66a5b93eea6c91b1fd33b6f6 Mon Sep 17 00:00:00 2001
From: Thomas Wessner
Date: Fri, 15 Nov 2024 15:29:53 +0100
Subject: [PATCH 6/6] docs: update documentation
---
 charts/common/README.md | 2 +-
 charts/common/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/common/README.md b/charts/common/README.md
index 5bfb7ba4..5c501c05 100644
--- a/charts/common/README.md
+++ b/charts/common/README.md
@@ -53,7 +53,7 @@ Major Changes to functions are documented with the version affected. **Before up | ingresses.ingress-1.tls.self.commonName | string | `"*.cluster.local"` | commonName of the certificate (mandatory) | | ingresses.ingress-1.tls.self.ipAddresses | list | `[]` | ipAddresses is an optional list of IP addresses to add in the Subject Alternative Names (SAN) section | | ingresses.ingress-1.tls.self.validityDuration | int | `365` | validityDuration defines how long the certificate is valid (in days) | -| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires 'secretName' to be specified in .rules.host provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | +| ingresses.ingress-1.tls.type | string | `"none"` | define your type of tls certificate, it can be one of: none: tls will be disabled existing: use an existing secret already present in the namespace. Requires `secretName` to be specified in `.rules.host` provided: use an officially generated certificate/key k8s: use the default k8s-ingress tls. no further configuration needed self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least | ## ServiceMonitor diff --git a/charts/common/values.yaml b/charts/common/values.yaml index 4f9a0cc0..e6d4f05c 100644 --- a/charts/common/values.yaml +++ b/charts/common/values.yaml 
@@ -102,7 +102,7 @@ ingresses:
 tls:
 # -- define your type of tls certificate, it can be one of:
 # none: tls will be disabled
- # existing: use an existing secret already present in the namespace. Requires 'secretName' to be specified in .rules.host
+ # existing: use an existing secret already present in the namespace. Requires `secretName` to be specified in `.rules.host`
 # provided: use an officially generated certificate/key
 # k8s: use the default k8s-ingress tls. no further configuration needed
 # self: generate a self signed certificate, which is stored as secret. Needs commonName and validityDuration at least
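Review bot: The path `.rules.host` in the reworded `existing:` comment still points at the wrong place: `secretName` is a key of each `rules` entry, a sibling of `host` rather than a child of it, as the `secretName: ""` added under the rule in values.yaml and the `secretName` property in values.schema.json show. Suggest `# existing: use an existing secret already present in the namespace. Requires secretName to be set on each rules[] entry (next to host)`. The README.md table row changed in the same commit carries the same wording and should be regenerated from values.yaml rather than edited by hand.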