Commit

[Kubeapps Chart] Simplify ingress configuration for cert-manager (#740)
juan131 authored and migmartri committed Oct 19, 2018
1 parent e80fe5b commit 8cc2ba2
Showing 5 changed files with 94 additions and 35 deletions.
2 changes: 1 addition & 1 deletion chart/kubeapps/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: kubeapps
version: 0.8.0
version: 0.9.0
appVersion: DEVEL
description: Kubeapps is a dashboard for your Kubernetes cluster that makes it easy to deploy and manage applications in your cluster using Helm
icon: https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/img/logo.png
15 changes: 13 additions & 2 deletions chart/kubeapps/README.md
@@ -171,15 +171,26 @@ To enable ingress integration, please set `ingress.enabled` to `true`

##### Hosts

Most likely you will only want to have one hostname that maps to this Kubeapps installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array.
Most likely you will only want to have one hostname that maps to this Kubeapps installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array.

##### Annotations

For annotations, please see [this document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`.

##### TLS

TLS can be configured using the `ingress.tls` object in the same format that the Kubernetes Ingress requests. Please see [this example](https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tls) for more information.
TLS can be configured using setting the `ingress.hosts[].tls` boolean of the corresponding hostname to true, then you can choose the TLS secret name setting `ingress.hosts[].tlsSecret`. Please see [this example](https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tls) for more information.

You can provide your own certificates using the `ingress.secrets` object. If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, set `ingress.hosts[].certManager` boolean to true to enable the corresponding annotations for cert-manager as shown in the example below:

```console
helm install --name kubeapps --namespace kubeapps bitnami/kubeapps \
--set ingress.enabled=true \
--set ingress.certManager=true \
--set ingress.hosts[0].name=kubeapps.custom.domain \
--set ingress.hosts[0].tls=true \
--set ingress.hosts[0].tlsSecret=kubeapps-tls
```

## Troubleshooting
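
Review bot: The cert-manager paragraph names the flag `ingress.hosts[].certManager`, but the install example directly below it passes `--set ingress.certManager=true`, and both ingress.yaml and values.yaml in this commit use the top-level `ingress.certManager`. The prose should say `ingress.certManager`; a per-host `certManager` key is not read anywhere in the template, so a user following the text would enable TLS on a host without the cert-manager annotation ever being added. In the same section, "TLS can be configured using setting" should read "by setting", and the `ingress.hosts[0]...` arguments in the example are worth quoting because some shells treat `[0]` as a glob pattern.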

49 changes: 24 additions & 25 deletions chart/kubeapps/templates/ingress.yaml
@@ -1,38 +1,37 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "kubeapps.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
name: {{ template "kubeapps.fullname" . }}
labels:
app: {{ include "kubeapps.name" . }}
chart: {{ include "kubeapps.chart" . }}
app: {{ template "kubeapps.name" . }}
chart: {{ template "kubeapps.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
{{- if .Values.ingress.certManager }}
kubernetes.io/tls-acme: "true"
{{- end }}
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . | quote }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
- host: {{ .name }}
http:
paths:
- path: {{ default "/" .path }}

lindhe Aug 9, 2019

Contributor

I'm probably bashing my head into a wall unnecessarily right now, but I've been struggling with this for a while so I need to ask in case you have any answers: Is there any way, whatsoever, to pass in a template here from a parent chart?

I would like to include this Kubeapps chart as a subchart in my project, with some modifications to the values.yaml file in the parent. It's dead easy to pass in a string from the parent to the child, and the path will indeed be set to that string. But I'm trying to pass a template instead. Is that impossible?

prydonius Aug 9, 2019

Contributor

@lindhe I don't believe you can do that without modifying the Kubeapps chart. What are you trying to do with the template you want to pass in? There might be a way we can support it in the chart.

lindhe Aug 11, 2019

Contributor

What am I trying to do? That's a good question... I think what I want to achieve is having a chart in my Git repo with the following properties when packaged/deployed:

  • Pulls the image from somewhere else (e.g., bitnami or stable repo), so that I don't have to pull any new security updates manually.
  • Allows me to put in new values from the values.yaml so that it's configured for my environment, even when I pull from an external repo.

I hoped that it could be done by having for example Kubeapps as a subchart, but it seems like that is not enough (since I want to pass in a template instead of just a literal string).

prydonius Aug 12, 2019

Contributor

Hmm, I guess what I meant is, why do you need a template here? Is there something you're doing that's applicable to other Kubeapps installations so we can modify the upstream Kubeapps chart here to support it, or is there another way you can achieve the change you need?

lindhe Aug 13, 2019

Contributor

I'm trying to create a path which is equal to the deployment name, so that each deployment can have its own path. Not sure how generally applicable that is.

backend:
serviceName: {{ template "kubeapps.fullname" $ }}
servicePort: http
{{- end }}
tls:
{{- range .Values.ingress.hosts }}
{{- if .tls }}
- hosts:
- {{ .name }}
secretName: {{ .tlsSecret }}
{{- end }}
{{- end }}
{{- end }}
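
Review bot: `host: {{ .name }}` and the `- {{ .name }}` entry under `tls:` drop the `quote` that the `{{ . | quote }}` lines in this hunk carried, so a host value that is not a plain YAML scalar (one starting with `*`, for example) is no longer rendered safely; suggest `{{ .name | quote }}` in both places and `secretName: {{ .tlsSecret | quote }}`. The `tls:` key is also written outside any condition, so when no host sets `tls: true` the manifest still carries an empty `tls:`; wrap it in an `if` as the earlier `{{- if .Values.ingress.tls }}` did. A host with `tls: true` and no `tlsSecret` should fail the render (for instance with `required`) rather than emit an empty `secretName`.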
17 changes: 17 additions & 0 deletions chart/kubeapps/templates/tls-secrets.yaml
@@ -0,0 +1,17 @@
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
labels:
app: {{ template "kubeapps.name" $ }}
chart: {{ template "kubeapps.chart" $ }}
release: {{ $.Release.Name }}
heritage: {{ $.Release.Service }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
{{- end }}
{{- end }}
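
Review bot: The `range .Values.ingress.secrets` loop emits one `kind: Secret` manifest per entry with no `---` separator between them, so a values file listing two secrets renders as a single YAML document with repeated keys instead of two objects; add a `---` line inside the loop. `.certificate` and `.key` are piped to `b64enc` without checking that they are set, and the commented sample in values.yaml shows both left blank, so guarding them with `required` would surface a half-filled entry at render time. Because the private key is supplied through chart values, the README should state that it is kept wherever those values are kept, and point to creating the Secret outside the chart, which the values.yaml comment already mentions as an option.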
46 changes: 39 additions & 7 deletions chart/kubeapps/values.yaml
@@ -6,16 +6,48 @@
# The frontend service is the main reverse proxy used to access the Kubeapps UI
# To expose Kubeapps externally either configure the ingress object below or
# set frontend.service.type=LoadBalancer in the frontend configuration.
# ref: http://kubernetes.io/docs/user-guide/ingress/
#
ingress:
# Set to true to enable ingress record generation
enabled: false
annotations: {}
path: /

# Set this to true in order to add the corresponding annotations for cert-manager
certManager: false

# Ingress annotations done as key:value pairs
# For a full list of possible ingress annotations, please see
# ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md
#
# If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set
annotations:
# kubernetes.io/ingress.class: nginx

# The list of hostnames to be covered with this ingress record.
# Most likely this will be just one host, but in the event more hosts are needed, this is an array
hosts:
- kubeapps.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
- name: kubeapps.local
path: /

# Set this to true in order to enable TLS on the ingress record
tls: false

## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
tlsSecret: kubeapps.local-tls

secrets:
# If you're providing your own certificates, please use this to add the certificates as secrets
# key and certificate should start with -----BEGIN CERTIFICATE----- or
# -----BEGIN RSA PRIVATE KEY-----
#
# name should line up with a tlsSecret set further up
# If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
#
# It is also possible to create and manage the certificates outside of this helm chart
# Please see README.md for more information
# - name: kubeapps.local-tls
# key:
# certificate:

frontend:
replicaCount: 2
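
Review bot: `hosts` changes shape from a list of strings (`- kubeapps.local`) to a list of objects (`- name: kubeapps.local`) and the `ingress.tls` list goes away, while ingress.yaml now reads `.name` from each entry, so a values file written for the previous chart version will not render as before; this needs an upgrade note in the README or the release notes. The defaults leave `tls: false` next to an already filled-in `tlsSecret: kubeapps.local-tls`, which reads as if TLS were configured; a comment saying the secret name is ignored until `tls` is true would help. In the `secrets` comment, the two PEM headers are listed in the opposite order to "key and certificate".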