This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/gocd] Update ingress doc #21560

Merged
merged 2 commits into from
Mar 23, 2020
4 changes: 4 additions & 0 deletions stable/gocd/CHANGELOG.md
@@ -1,3 +1,7 @@
### 1.25.0

* [21277f47](https://github.com/kubernetes/charts/commit/21277f47): Add docs for ingress

### 1.24.0

* [5b3b6e173](https://github.com/kubernetes/charts/commit/5b3b6e173): Update docs to mention about TLS changes
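Review bot: The new 1.25.0 entry links its commit under `github.com/kubernetes/charts`, while the README text added in this same PR links to `github.com/helm/charts`. The existing 1.24.0 entry uses the old path too, so this follows the file's habit, but the chart's docs would be more consistent with a single repository path. The entry text "Add docs for ingress" could also say what the docs cover (securing the ingress with a TLS secret and annotations), since the changelog is where users look to decide whether an upgrade affects them.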
2 changes: 1 addition & 1 deletion stable/gocd/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: gocd
home: https://www.gocd.org/
version: 1.24.0
version: 1.25.0
appVersion: 20.2.0
description: GoCD is an open-source continuous delivery server to model and visualize complex workflows with ease.
icon: https://gocd.github.io/assets/images/go-icon-black-192x192.png
36 changes: 36 additions & 0 deletions stable/gocd/README.md
Expand Up @@ -439,12 +439,48 @@ env:

- If you are adding a plugin to an existing Go server, it will result in a new Go server pod being created that has the plugin installed and running.

# Ingress

On a Kubernetes cluster, ingress is responsible for accepting incoming requests and forwarding them to the appropriate service in the backend.
The ingress controller acts as a reverse proxy in front of the GoCD server. The GoCD agents within the cluster can bypass ingress and connect to the service directly.
GoCD agents outside of the Kubernetes cluster may connect to the GoCD server via the Ingress or LoadBalancer.

You can secure an Ingress by specifying a `secret` that contains a TLS private key and certificate [here](https://github.com/helm/charts/blob/master/stable/gocd/values.yaml#L157).
Please refer to [Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) about how to configure TLS.
Many ingress controllers make configuring TLS easy with the use of annotations. You can use ingress annotations to configure some of the TLS parameters like a managed SSL certificate, redirecting http to https, etc.

| Parameter | Description |
|---------------------------------------------|-----------------------------------------------------------------------------------------------|
| ingress.kubernetes.io/force-ssl-redirect | Redirect non-TLS requests to TLS even when TLS is not configured. |
| kubernetes.io/ingress.allow-http | Whether to accept non-TLS HTTP connections. Supported on GCE. Default: true |
| alb.ingress.kubernetes.io/backend-protocol | Specifies the protocol used when route traffic to pods on EKS. |
| ingress.kubernetes.io/proxy-pass-params | Parameters for proxy-pass directives. |
| kubernetes.io/ingress.global-static-ip-name | Name of the static global IP address in GCP to use when provisioning the HTTPS load balancer. |
| networking.gke.io/managed-certificates | Name of the ManagedCertificate on GCP |
| alb.ingress.kubernetes.io/certificate-arn | Certificate arn on AWS Cert Manager |

Popular managed Kubernetes offerings like GKE, EKS, AKS etc provide a default ingress controller which supports many more annotations.

| Ingress Controller | Annotations |
|--------------------|-------------------------------------------------------------------------------------------------------------------------------|
| AWS ALB | https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/ |
| GCE | https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress |
| AKS | https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/annotations.md#list-of-supported-annotations |
| Traefik | https://docs.traefik.io/v1.6/configuration/backends/kubernetes/#general-annotations |
| Nginx | https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ |

For GoCD, annotations can be configured [here](https://github.com/helm/charts/blob/master/stable/gocd/values.yaml#L154)

# TLS for GoCD

As part of GoCD Release v20.2.0, GoCD changed how it handles SSL support. If you are upgrading to GoCD 20.2.0 or above, agents will have to be reconfigured to connect to the server. Know more about the GoCD SSL/TLS changes [here](https://github.com/gocd/gocd/issues/7872).

To set up TLS for GoCD, system admins will be required to front the GoCD server with a reverse proxy that supports TLS (like Apache, NGINX). Any existing agents that are using TLS, can connect to this reverse proxy. Reverse proxies have the advantage that they make it a lot easier and more convenient to setup and configure various TLS connection parameters. Refer the [GoCD documentation](https://docs.gocd.org/current/installation/configure-reverse-proxy.html) to setup a reverse proxy.

The GoCD agents within the cluster can bypass ingress and connect to the service directly via the 8153 port.

GoCD agents outside of the Kubernetes cluster may connect to the GoCD server via the http(s) port exposed by the ingress or, via the load balancer if the GoCD service type is `LoadBalancer`.

# License

```plain
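Review bot: In the annotation table, `kubernetes.io/ingress.allow-http` is documented with "Default: true", but the new Ingress section never tells the reader to set it to false, or to add a redirect annotation, once the TLS secret is configured. Someone following this text on GCE is left with GoCD reachable over plain HTTP as well as HTTPS, so add a sentence after the table saying which annotation closes or redirects the non-TLS listener. The table also mixes annotations that belong to different controllers (the GCE and ALB ones next to the `ingress.kubernetes.io/...` ones) without saying which controller honours each; a controller column would prevent people from setting annotations that are silently ignored. The `values.yaml#L157` and `values.yaml#L154` links point at line numbers on `master` and will drift as that file changes, so name the values keys in the text or use a commit-pinned link. Finally, the two new sentences about agents inside and outside the cluster repeat what the "TLS for GoCD" section below already says; keep one copy, and state there that agents connecting directly to the service bypass the ingress and are therefore not covered by its TLS settings.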