From 1dc62c193fe605704b3cc5ea30b0596c0f422ba2 Mon Sep 17 00:00:00 2001
From: HubbeKing
Date: Sat, 26 Sep 2020 14:33:33 +0300
Subject: [PATCH 1/4] Add TLS settings to k8s.jsonnet Use jsonnet computed field names to optionally add TLS configuration to generated Ingress object In this way, one can easily let the kubernetes ingress handle TLS, with or without a secretName Additional configuration would be required to tie into cert-manager for automated cert generation
---
 k8s.jsonnet | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/k8s.jsonnet b/k8s.jsonnet
index e91bf3c..667fd53 100644
--- a/k8s.jsonnet
+++ b/k8s.jsonnet
@@ -43,7 +43,14 @@
 // The hostname to use in the Ingress
 ingress_host: "wubloader.example.com",
-
+
+ // Set to true to let the ingress handle TLS
+ ingress_tls: true,
+
+ // Set to true and give a secretName for ingress, if required for ingress TLS
+ ingress_secret_name_needed: false,
+ ingress_secret_name: "wubloader/tls",
+
 // Connection args for the database.
 // If database is defined in this config, host and port should be postgres:5432.
 db_args: {
@@ -232,8 +239,15 @@
 },
 },
 ],
+ [if ($.config.ingress_tls) then 'tls']: [
+ {
+ hosts: [
+ $.config.ingress_host,
+ ],
+ [if ($.config.ingress_secret_name_needed) then 'secretName']: $.config.ingress_secret_name,
+ },
+ ],
 },
 },
 ],
-
 }
From cf7670d0081606689b69741dcfdfe2d932233042 Mon Sep 17 00:00:00 2001
From: HubbeKing
Date: Sat, 26 Sep 2020 14:56:31 +0300
Subject: [PATCH 2/4] More sensible default secretName for ingress TLS The given secretName has to be in the same namespace as the ingress itself.
---
 k8s.jsonnet | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s.jsonnet b/k8s.jsonnet
index 667fd53..246bb3b 100644
--- a/k8s.jsonnet
+++ b/k8s.jsonnet
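Review bot: The `tls` entry added in the second hunk of PATCH 1/4 (`@@ -232,8 +239,15 @@`) is emitted with only `hosts` whenever `ingress_secret_name_needed` is false, which is the default set in the first hunk alongside `ingress_tls: true`. What certificate is served for an entry without `secretName` depends on the ingress controller; it is typically the controller's default certificate, which may not be valid for `ingress_host`, so the default configuration does not by itself give clients a certificate they can verify. I would say so next to the setting, for example `// Without a secretName the ingress controller's default certificate is served; check that it is valid for ingress_host`. The Ingress object that the `tls` block belongs to starts outside the hunk.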
@@ -49,7 +49,7 @@
 // Set to true and give a secretName for ingress, if required for ingress TLS
 ingress_secret_name_needed: false,
- ingress_secret_name: "wubloader/tls",
+ ingress_secret_name: "wubloader-tls",
 // Connection args for the database.
 // If database is defined in this config, host and port should be postgres:5432.
From 4ca425dd128e58e79828cfe8540b1ee7dc674757 Mon Sep 17 00:00:00 2001
From: HubbeKing
Date: Sat, 26 Sep 2020 21:38:42 +0300
Subject: [PATCH 3/4] Simplify ingress_secret_name setting and add ingress_labels setting using std.objectHas() removes the need to have a separate boolean to check.
---
 k8s.jsonnet | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/k8s.jsonnet b/k8s.jsonnet
index 246bb3b..43ab196 100644
--- a/k8s.jsonnet
+++ b/k8s.jsonnet
@@ -47,9 +47,11 @@
 // Set to true to let the ingress handle TLS
 ingress_tls: true,
- // Set to true and give a secretName for ingress, if required for ingress TLS
- ingress_secret_name_needed: false,
- ingress_secret_name: "wubloader-tls",
+ // Uncomment and give a secretName for ingress, if required for ingress TLS
+ //ingress_secret_name: "wubloader-tls",
+
+ // Additional metadata labels for Ingress (cert-manager, etc.) - uncomment if needed, adjust as necessary
+ //ingress_labels: {"cert-manager.io/cluster-issuer": "name-of-issuer"},
 // Connection args for the database.
 // If database is defined in this config, host and port should be postgres:5432.
@@ -208,7 +210,7 @@
 apiVersion: "networking.k8s.io/v1beta1",
 metadata: {
 name: "wubloader",
- labels: {app: "wubloader"},
+ labels: {app: "wubloader"} + (if (std.objectHas($.config, "ingress_labels")) then $.config.ingress_labels else {}),
 },
 spec: {
 rules: [
@@ -244,7 +246,7 @@
 hosts: [
 $.config.ingress_host,
 ],
- [if ($.config.ingress_secret_name_needed) then 'secretName']: $.config.ingress_secret_name,
+ [if (std.objectHas($.config, "ingress_secret_name")) then 'secretName']: $.config.ingress_secret_name,
 },
 ],
 },
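Review bot: The `cert-manager.io/cluster-issuer` key in the `ingress_labels` example of PATCH 3/4 is read by cert-manager from the Ingress's `metadata.annotations`, not from `metadata.labels`, so merging it into `labels` in the `@@ -208,7 +210,7 @@` hunk would not request a certificate. A separate setting that feeds annotations fits the use the comment describes, for example `[if std.objectHas($.config, "ingress_annotations") then 'annotations']: $.config.ingress_annotations,` next to `labels`. cert-manager also acts only on `tls` entries that carry a `secretName`, so the example should say that `ingress_secret_name` has to be set as well. The same merge into `labels` is kept in PATCH 4/4 (`@@ -210,7 +210,7 @@`), and because the user object is on the right of `+`, a supplied `app` key replaces the `app: "wubloader"` label.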
From 9eca34c7a9d474339ff50916904a0f44416fe5c7 Mon Sep 17 00:00:00 2001
From: HubbeKing
Date: Sun, 27 Sep 2020 17:21:41 +0300
Subject: [PATCH 4/4] Fix suggested style changes
---
 k8s.jsonnet | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/k8s.jsonnet b/k8s.jsonnet
index 43ab196..60eae30 100644
--- a/k8s.jsonnet
+++ b/k8s.jsonnet
@@ -50,8 +50,8 @@
 // Uncomment and give a secretName for ingress, if required for ingress TLS
 //ingress_secret_name: "wubloader-tls",
- // Additional metadata labels for Ingress (cert-manager, etc.) - uncomment if needed, adjust as necessary
- //ingress_labels: {"cert-manager.io/cluster-issuer": "name-of-issuer"},
+ // Additional metadata labels for Ingress (cert-manager, etc.) - adjust as needed for your setup
+ ingress_labels: {},
 // Connection args for the database.
 // If database is defined in this config, host and port should be postgres:5432.
@@ -210,7 +210,7 @@
 apiVersion: "networking.k8s.io/v1beta1",
 metadata: {
 name: "wubloader",
- labels: {app: "wubloader"} + (if (std.objectHas($.config, "ingress_labels")) then $.config.ingress_labels else {}),
+ labels: {app: "wubloader"} + $.config.ingress_labels,
 },
 spec: {
 rules: [
@@ -241,12 +241,12 @@
 },
 },
 ],
- [if ($.config.ingress_tls) then 'tls']: [
+ [if $.config.ingress_tls then 'tls']: [
 {
 hosts: [
 $.config.ingress_host,
 ],
- [if (std.objectHas($.config, "ingress_secret_name")) then 'secretName']: $.config.ingress_secret_name,
+ [if "ingress_secret_name" in $.config then 'secretName']: $.config.ingress_secret_name,
 },
 ],
 },
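Review bot: `ingress_secret_name` is left as the only ingress setting without a default, and the `in` test in the `@@ -241,12 +241,12 @@` hunk is true for a key that is present but `null`, which would put `secretName: null` into the generated manifest. A `null` default, in the same way this patch gives `ingress_labels` a `{}` default, keeps the setting visible in the config and closes that case: `ingress_secret_name: null,` with `[if $.config.ingress_secret_name != null then 'secretName']: $.config.ingress_secret_name,`. The Ingress spec this block sits in starts outside the hunk.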