diff --git a/charts/countly-web-ui-canary/templates/certificate.yaml b/charts/countly-web-ui-canary/templates/certificate.yaml
index c917004..3a74a0a 100644
--- a/charts/countly-web-ui-canary/templates/certificate.yaml
+++ b/charts/countly-web-ui-canary/templates/certificate.yaml
@@ -1,10 +1,7 @@
-{{- if eq .Values.ingress.mode "acmeMergeable" -}}
+{{- $issuer := .Values.ingress.tls.issuerRef -}}
+{{- if $issuer.name -}}
 {{- $fullname := include "canary.fullname" . -}}
 {{- $hostname := include "canary.hostname" . -}}
-{{- $issuer := .Values.ingress.tls.issuerRef -}}
-{{- if not $issuer.name -}}
-{{- fail "ingress.tls.issuerRef.name is required when ingress.mode=acmeMergeable" -}}
-{{- end -}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
diff --git a/charts/countly-web-ui-canary/templates/ingress-master.yaml b/charts/countly-web-ui-canary/templates/ingress-master.yaml
index 6e75e12..94984fc 100644
--- a/charts/countly-web-ui-canary/templates/ingress-master.yaml
+++ b/charts/countly-web-ui-canary/templates/ingress-master.yaml
@@ -1,4 +1,3 @@
-{{- if eq .Values.ingress.mode "acmeMergeable" -}}
 {{- $fullname := include "canary.fullname" . -}}
 {{- $hostname := include "canary.hostname" . -}}
 apiVersion: networking.k8s.io/v1
@@ -23,10 +22,11 @@ metadata:
 {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
+ {{- if .Values.ingress.tls.issuerRef.name }}
 tls:
 - hosts:
 - {{ $hostname | quote }}
 secretName: {{ $fullname }}-tls
+ {{- end }}
 rules:
 - host: {{ $hostname | quote }}
-{{- end }}
diff --git a/charts/countly-web-ui-canary/templates/ingress-minion.yaml b/charts/countly-web-ui-canary/templates/ingress-minion.yaml
index 311fbab..9b62377 100644
--- a/charts/countly-web-ui-canary/templates/ingress-minion.yaml
+++ b/charts/countly-web-ui-canary/templates/ingress-minion.yaml
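Review bot: With the `fail` guard dropped from the top of certificate.yaml and the `tls:` block in the ingress-master.yaml hunk `@@ -23,10 +22,11 @@` now wrapped in `{{- if .Values.ingress.tls.issuerRef.name }}`, an unset issuer no longer aborts the render: the Certificate is skipped and the master Ingress is emitted with no `tls` section, so a canary whose ApplicationSet omits the issuer value is exposed over plain HTTP with nothing flagging it at install time. The chart default in values.yaml is `name: ""`, so this is also what a plain `helm template` with defaults produces. If HTTP-only is never an intended state, keep a guard in the master template such as `{{- required "ingress.tls.issuerRef.name must be set (supplied by the ApplicationSet)" .Values.ingress.tls.issuerRef.name -}}`; if it is intended, a comment on the new `if`, e.g. `# no issuer configured: master Ingress is rendered without TLS`, would make the fallback explicit for the next reader. The closing `{{- end }}` matching the new `{{- if $issuer.name -}}` in certificate.yaml lies outside the hunk, so I could not confirm the block is still balanced after the removals.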
@@ -1,4 +1,3 @@
-{{- if eq .Values.ingress.mode "acmeMergeable" -}}
 {{- $fullname := include "canary.fullname" . -}}
 {{- $hostname := include "canary.hostname" . -}}
 {{- $stable := .Values.backend.release -}}
@@ -62,4 +61,3 @@ spec:
 - path: /
 pathType: Prefix
 backend: { service: { name: {{ $fullname }}, port: { number: 80 } } }
-{{- end }}
diff --git a/charts/countly-web-ui-canary/templates/ingress.yaml b/charts/countly-web-ui-canary/templates/ingress.yaml
deleted file mode 100644
index 17300e1..0000000
--- a/charts/countly-web-ui-canary/templates/ingress.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{- if eq .Values.ingress.mode "sharedSecret" -}}
-{{- $fullname := include "canary.fullname" . -}}
-{{- $stable := .Values.backend.release -}}
-{{- $apiPort := .Values.backend.ports.api | int -}}
-{{- $ingestorPort := .Values.backend.ports.ingestor | int -}}
-{{- $jobserverPort := .Values.backend.ports.jobserver | int -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ $fullname }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "canary.labels" . | nindent 4 }}
- annotations:
- {{- include "canary.ingressAnnotations" . | nindent 4 }}
-spec:
- ingressClassName: {{ .Values.ingress.className }}
- {{- with .Values.ingress.tls }}
- {{- if .secretName }}
- tls:
- - hosts:
- - {{ include "canary.hostname" $ | quote }}
- secretName: {{ .secretName | quote }}
- {{- end }}
- {{- end }}
- rules:
- - host: {{ include "canary.hostname" . | quote }}
- http:
- paths:
- - path: /i/bulk
- pathType: Exact
- backend: { service: { name: {{ printf "%s-ingestor" $stable }}, port: { number: {{ $ingestorPort }} } } }
- - path: /i/feedback/input
- pathType: Exact
- backend: { service: { name: {{ printf "%s-ingestor" $stable }}, port: { number: {{ $ingestorPort }} } } }
- - path: /i/feedback/inputs
- pathType: Exact
- backend: { service: { name: {{ printf "%s-ingestor" $stable }}, port: { number: {{ $ingestorPort }} } } }
- - path: /i
- pathType: Exact
- backend: { service: { name: {{ printf "%s-ingestor" $stable }}, port: { number: {{ $ingestorPort }} } } }
- - path: /i/
- pathType: Prefix
- backend: { service: { name: {{ printf "%s-api" $stable }}, port: { number: {{ $apiPort }} } } }
- - path: /o
- pathType: Exact
- backend: { service: { name: {{ printf "%s-api" $stable }}, port: { number: {{ $apiPort }} } } }
- - path: /o/
- pathType: Prefix
- backend: { service: { name: {{ printf "%s-api" $stable }}, port: { number: {{ $apiPort }} } } }
- - path: /api
- pathType: Prefix
- backend: { service: { name: {{ printf "%s-api" $stable }}, port: { number: {{ $apiPort }} } } }
- - path: /v2
- pathType: Prefix
- backend: { service: { name: {{ printf "%s-api" $stable }}, port: { number: {{ $apiPort }} } } }
- - path: /jobs
- pathType: Prefix
- backend: { service: { name: {{ printf "%s-jobserver" $stable }}, port: { number: {{ $jobserverPort }} } } }
- - path: /
- pathType: Prefix
- backend: { service: { name: {{ $fullname }}, port: { number: 80 } } }
-{{- end }}
diff --git a/charts/countly-web-ui-canary/values.yaml b/charts/countly-web-ui-canary/values.yaml
index 34f6b41..9f7ecae 100644
--- a/charts/countly-web-ui-canary/values.yaml
+++ b/charts/countly-web-ui-canary/values.yaml
@@ -26,22 +26,11 @@ ingress:
 className: nginx
 annotations: {}
- # Two TLS strategies, mutually exclusive:
- # sharedSecret — point at a pre-existing wildcard Secret (Flavor B).
- # Single Ingress, references tls.secretName.
- # acmeMergeable — per-canary LE cert via cert-manager + F5 mergeable
- # Ingress (master + minion + Certificate).
- # Default keeps the cluster on its current TLS path so a chart-only
- # change is always a no-op until the AppSet flips this.
- mode: sharedSecret
-
+ # TLS: per-canary public cert via Let's Encrypt + cert-manager, served
+ # through F5 NIC mergeable Ingress (master + minion + Certificate). The
+ # ClusterIssuer is supplied per-cluster from the canary-web-ui
+ # ApplicationSet's helm.values, not from this chart default.
 tls:
- # sharedSecret mode — name of the pre-existing wildcard Secret in the
- # canary's namespace. Required when mode=sharedSecret.
- secretName: ""
-
- # acmeMergeable mode — ClusterIssuer (or Issuer) cert-manager uses to
- # issue the per-canary Certificate. Required when mode=acmeMergeable.
 issuerRef:
 kind: ClusterIssuer
 name: ""
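Review bot: Removing `ingress.mode` and `ingress.tls.secretName` from values.yaml does not stop a consumer from still setting them: Helm accepts unknown values silently unless the chart ships a `values.schema.json`, so an ApplicationSet override that still carries `mode: sharedSecret` with a `secretName` would now be ignored and the release would render the cert-manager path (or, with `issuerRef.name` left at the `""` default, an Ingress with no TLS at all) instead of failing. Consider adding a `values.schema.json` that sets `additionalProperties: false` under `ingress` and `ingress.tls`, or a one-line guard in a template such as `{{- if or .Values.ingress.mode .Values.ingress.tls.secretName }}{{ fail "ingress.mode and ingress.tls.secretName were removed; set ingress.tls.issuerRef instead" }}{{- end }}`, so stale overrides fail loudly during the migration. The new comment block would also be more useful if it stated what an empty `issuerRef.name` means for the rendered resources, since the old text documented the default behaviour and the replacement does not.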