diff --git a/src/_nebari/stages/kubernetes_services/__init__.py b/src/_nebari/stages/kubernetes_services/__init__.py index 3c9f19a064..fae8955de1 100644 --- a/src/_nebari/stages/kubernetes_services/__init__.py +++ b/src/_nebari/stages/kubernetes_services/__init__.py @@ -331,6 +331,7 @@ class KubernetesServicesInputVars(schema.Base): node_groups: Dict[str, Dict[str, str]] jupyterhub_logout_redirect_url: str = Field(alias="jupyterhub-logout-redirect-url") forwardauth_middleware_name: str = _forwardauth_middleware_name + cert_secret_name: Optional[str] = None def _split_docker_image_name(image_name): @@ -491,6 +492,11 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]): realm_id=realm_id, node_groups=stage_outputs["stages/02-infrastructure"]["node_selectors"], jupyterhub_logout_redirect_url=final_logout_uri, + cert_secret_name=( + self.config.certificate.secret_name + if self.config.certificate.type == "existing" + else None + ), ) conda_store_vars = CondaStoreInputVars( diff --git a/src/_nebari/stages/kubernetes_services/template/forward-auth.tf b/src/_nebari/stages/kubernetes_services/template/forward-auth.tf index 6ff9ac45b1..2d98bf3e6a 100644 --- a/src/_nebari/stages/kubernetes_services/template/forward-auth.tf +++ b/src/_nebari/stages/kubernetes_services/template/forward-auth.tf @@ -7,6 +7,7 @@ module "forwardauth" { node-group = var.node_groups.general forwardauth_middleware_name = var.forwardauth_middleware_name + cert_secret_name = var.cert_secret_name } variable "forwardauth_middleware_name" { @@ -14,6 +15,11 @@ variable "forwardauth_middleware_name" { type = string } +variable "cert_secret_name" { + description = "Name of the secret containing the certificate" + type = string +} + output "forward-auth-middleware" { description = "middleware name for use with forward auth" value = module.forwardauth.forward-auth-middleware diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf index 2fe1f2d0a0..564d397d1a 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf @@ -59,7 +59,19 @@ resource "kubernetes_deployment" "forwardauth-deployment" { node_selector = { "${var.node-group.key}" = var.node-group.value } - + dynamic "volume" { + for_each = var.cert_secret_name == null ? [] : [1] + content { + name = "cert-volume" + secret { + secret_name = var.cert_secret_name + items { + key = "tls.crt" + path = "tls.crt" + } + } + } + } container { # image = "thomseddon/traefik-forward-auth:2.2.0" # Use PR #159 https://github.com/thomseddon/traefik-forward-auth/pull/159 @@ -125,10 +137,26 @@ resource "kubernetes_deployment" "forwardauth-deployment" { value = var.external-url } + dynamic "env" { + for_each = var.cert_secret_name == null ? [] : [1] + content { + name = "SSL_CERT_FILE" + value = "/config/tls.crt" + } + } + port { container_port = 4181 } + dynamic "volume_mount" { + for_each = var.cert_secret_name == null ? [] : [1] + content { + name = "cert-volume" + mount_path = "/config" + read_only = true + } + } } } diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf index 212238bc76..ae53c5b3a1 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf @@ -31,3 +31,8 @@ variable "forwardauth_middleware_name" { description = "Name of the traefik forward auth middleware" type = string } + +variable "cert_secret_name" { + description = "Name of the secret containing the certificate" + type = string +}