Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding https support on OpenShift #115

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,5 @@ description: |-
and maintained by your friends at Equinix Metal

type: application
version: 0.1.35
version: 0.1.35-os-2
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this a slip up?

appVersion: 2.7.2
14 changes: 14 additions & 0 deletions templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -108,4 +108,18 @@ Get krakend templates directory path
*/}}
{{- define "krakend.templatesDir" -}}
{{- printf "%s/templates" (include "krakend.FilesDir" .) -}}
{{- end }}

{{/*
Get krakend tls cert directory path
*/}}
{{- define "krakend.tlsCertDir" -}}
{{- printf "%s/tls" (include "krakend.FilesDir" .) -}}
{{- end }}

{{/*
Get krakend tls CA directory path
*/}}
{{- define "krakend.tlsCADir" -}}
{{- printf "%s/tlsCA" (include "krakend.FilesDir" .) -}}
{{- end }}
10 changes: 10 additions & 0 deletions templates/cm-additional-trust.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{{- if .Values.openshift.trustSignerCA }}
# This ConfigMap is used to get access to the OpenShift service signer CA
# see https://docs.openshift.com/container-platform/4.8/security/certificates/service-serving-certificate.html#add-service-certificate-configmap_service-serving-certificate
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "krakend.fullname" . }}-additional-trust
annotations:
service.beta.openshift.io/inject-cabundle: 'true'
{{- end }}
14 changes: 14 additions & 0 deletions templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,12 @@ spec:
mountPath: {{ include "krakend.settingsDir" . }}
- name: templates
mountPath: {{ include "krakend.templatesDir" . }}
{{- if .Values.openshift.trustSignerCA }}
- name: service-cert-ca
mountPath: {{ include "krakend.tlsCADir" . }}
- name: service-cert
mountPath: {{ include "krakend.tlsCertDir" . }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
Expand Down Expand Up @@ -150,6 +156,14 @@ spec:
- name: templates
configMap:
name: {{ include "krakend.fullname" . }}-templates
{{- if .Values.openshift.trustSignerCA }}
- name: service-cert-ca
configMap:
name: {{ include "krakend.fullname" . }}-additional-trust
- name: service-cert
secret:
secretName: {{ include "krakend.fullname" . }}-service-cert
{{- end }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
Expand Down
21 changes: 21 additions & 0 deletions templates/route.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
{{- if and .Values.openshift .Values.openshift.route.contextPath }}
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ include "krakend.fullname" . }}-route
spec:
{{- if .Values.openshift.route.host }}
host: {{ .Values.openshift.route.host }}
{{- end }}
path: {{ .Values.openshift.route.contextPath }}
to:
kind: Service
name: {{ include "krakend.fullname" . }}
weight: 100
port:
targetPort: http
tls:
termination: reencrypt
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
{{ end }}
5 changes: 4 additions & 1 deletion templates/service.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,14 @@ metadata:
name: {{ include "krakend.fullname" . }}
labels:
{{- include "krakend.labels" . | nindent 4 }}
{{- if .Values.service.annotations }}
{{- if coalesce .Values.service.annotations .Values.openshift.trustSignerCA }}
annotations:
{{- range $key, $value := .Values.service.annotations }}
{{ $key }}: {{ tpl $value $ | quote }}
{{- end }}
{{- if .Values.openshift.trustSignerCA }}
service.beta.openshift.io/serving-cert-secret-name: {{ include "krakend.fullname" . }}-service-cert
{{- end}}
{{- end }}
spec:
{{- if .Values.service.externalTrafficPolicy }}
Expand Down
8 changes: 8 additions & 0 deletions values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -451,6 +451,14 @@
},
"topologySpreadConstraints": {
"type": "array"
},
"openshift": {
"type": "object",
"properties": {
"trustSignerCA": {
"type": "boolean"
}
}
}
}
}
5 changes: 5 additions & 0 deletions values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -235,12 +235,14 @@ livenessProbe:
httpGet:
path: /__health
port: http
scheme: HTTPS

# -- (object) The readinessProbe to use for the krakend pod
readinessProbe:
httpGet:
path: /__health
port: http
scheme: HTTPS
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might need to use a macro for this instead of setting it up directly here. HTTPS won't work in default settings where TLS is not handled by krakend.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note this is still a blocker for merging this.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I thought I created the pull request in DRAFT mode, I wasn't done yet and I'm aware that there are some things that are not yet general enough but just take care of my own issue. I will try and generalize and address your comments


# -- (object) podDisruptionBudget allows you to define minumum and maximum available pods
podDisruptionBudget:
Expand All @@ -266,6 +268,9 @@ serviceMonitor:
# -- prometheus metrics port exposed by krakend
targetPort: 9091

openshift:
trustSignerCA: false

# -- (object) The networkPolicies configures ingress NetworkPolicies for your application
networkPolicies:
# -- (bool) Set to true to create NetworkPolicies for your application
Expand Down
Loading