[Kubeapps Chart] Simplify ingress configuration for cert-manager #740
Conversation
There was a problem hiding this comment.
Thanks for the PR! Apart than the tag changes the rest looks good to me. Wait for @migmartri input on this since he is already configuring Kubeapps with TLS in an internal cluster.
chart/kubeapps/Chart.yaml
Outdated
| version: 0.7.0 | ||
| appVersion: DEVEL | ||
| version: 0.8.0 | ||
| appVersion: v1.0.0-beta.2 |
There was a problem hiding this comment.
revert this change, here it should be DEVEL
chart/kubeapps/values.yaml
Outdated
| @@ -60,7 +90,7 @@ apprepository: | |||
| image: | |||
| registry: docker.io | |||
| repository: kubeapps/apprepository-controller | |||
| tag: latest | |||
| tag: v1.0.0-beta.2 | |||
There was a problem hiding this comment.
the same here, it's needed for this to be latest
There was a problem hiding this comment.
Thanks @juan131, I am requesting changes until you rollback the appVersion DEVEL and image.tag changes.
A couple of comments:
helm install --name kubeapps --namespace kubeapps bitnami/kubeapps
--set ingress.enabled=true
--set ingress.hosts[0].name=kubeapps.custom.domain
--set ingress.hosts[0].tls=true
--set ingress.hosts[0].tlsSecret=kubeapps-tls
--set ingress.hosts[0].certManager=true
I am a little bit confused about the scope of the different options offered, for example:
In the example above, you referenced --set ingress.hosts[0].certManager=true which seems to reference to host[0] while the annotation is set at the ingress top level. Shouldn't then not be scoped inside the host?
Also noticed that in the description you had:
tls:
- hosts:
- kubeapps.juan.bkpr.run
secretName: kubeapps-tls
I am assuming that kubeapps.juan.bkpr.run is a typo and was actually meant to be kubeapps.custom.domain?
| @@ -1,38 +1,36 @@ | |||
| {{- if .Values.ingress.enabled -}} | |||
| {{- $fullName := include "kubeapps.fullname" . -}} | |||
| {{- $ingressPath := .Values.ingress.path -}} | |||
| {{- range .Values.ingress.hosts }} | |||
There was a problem hiding this comment.
so this is creating an ingress per host? Why don't we want to use the multi-host capabilities of a single ingress?
Having different ingresses could mean that cert-manager instead of issuing a cert with multiple CN will potentially do different certs no?
There was a problem hiding this comment.
Yes, I think it's better to use multi-host since it requires issuing many certificates
| annotations: | ||
| # kubernetes.io/ingress.class: nginx | ||
|
|
||
| secrets: |
There was a problem hiding this comment.
I can not see the reference where this is being used.
chart/kubeapps/README.md
Outdated
| TLS can be configured using the `ingress.tls` object in the same format that the Kubernetes Ingress requests. Please see [this example](https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tls) for more information. | ||
| TLS can be configured using setting the `ingress.hosts[].tls` boolean of the corresponding hostname to true, then you can choose the TLS secret name setting `ingress.hosts[].tlsSecret`. Please see [this example](https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tls) for more information. | ||
|
|
||
| If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, set `ingress.hosts[].certManager` boolean to true to enable the corresponding annotations for cert-manager. Otherwise, you can provide your own certificates using the `ingress.secrets` object. |
There was a problem hiding this comment.
Maybe you can add here the example you put in the description
helm install --name kubeapps --namespace kubeapps bitnami/kubeapps \
--set ingress.enabled=true \
--set ingress.hosts[0].name=kubeapps.custom.domain \
--set ingress.hosts[0].tls=true \
--set ingress.hosts[0].tlsSecret=kubeapps-tls \
--set ingress.hosts[0].certManager=true
|
Out of curiosity, could you also post what would have been the equivalent to the following command before the change? I am wondering if it would make sense to just add the Thanks! |
Totally agree!! We should set it at the ingress top level.
Yes, it's a typo.
I'd rather user |
There was a problem hiding this comment.
Thanks @juan131 for the changes!
Just added a couple of comments.
Also, would you mind attaching the diff of the output of helm template before and after the change when a chart is configured with 1 or 2 tls domains please?
Thanks!
| release: {{ .Release.Name }} | ||
| heritage: {{ .Release.Service }} | ||
| {{- with .Values.ingress.annotations }} | ||
| app: {{ template "kubeapps.name" $ }} |
There was a problem hiding this comment.
Thanks for reverting back to template since it seems that here was the only place in which we used include.
There was a problem hiding this comment.
Why are you using $ instead of current scope .? It seems that in the other templates we use .
There was a problem hiding this comment.
We can use .. I'll update it. The $ was necessary when we were using {{- range ... at the top.
| app: {{ template "kubeapps.name" $ }} | ||
| chart: {{ template "kubeapps.chart" $ }} | ||
| release: {{ $.Release.Name }} | ||
| heritage: {{ $.Release.Service }} | ||
| annotations: |
There was a problem hiding this comment.
note that this key annotations in this new case will be always added regardless of we passing .Values.ingress.annotations or .Values.ingress.certManager is that ok?
There was a problem hiding this comment.
It's fine. The result is: no annotations
| kubernetes.io/tls-acme: "true" | ||
| {{- end }} | ||
| {{- range $key, $value := .Values.ingress.annotations }} | ||
| {{ $key }}: {{ $value | quote }} |
There was a problem hiding this comment.
Why do you prefer this approach vs dumping everything like before? {{ toYaml . | indent 4 }}
There was a problem hiding this comment.
I just used because it's how we use it on others charts. Anyway, it's only adding the value of quoting the value...
I think it's irrelevant to use one or the another.
There was a problem hiding this comment.
I just used because it's how we use it on others charts
ok, it makes sense. thanks for the explanation
We might need to move the rest of the chart to this approach in another PR since I believe that we use {{ toYaml . | indent 4 }} in other places.
| {{- end }} | ||
| --- |
There was a problem hiding this comment.
is this multi-yaml new line neccessary?
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: {{ template "kubeapps.fullname" $ }} |
There was a problem hiding this comment.
isn't the name going to collide if there are two secrets?
There was a problem hiding this comment.
Nice catch!! I guess we can do sth like:
metadata:
name: {{ .name }}
|
Before: After: |
|
@migmartri as you can check it's not easy to setup the |
| kubernetes.io/tls-acme: "true" | ||
| {{- end }} | ||
| {{- range $key, $value := .Values.ingress.annotations }} | ||
| {{ $key }}: {{ $value | quote }} |
There was a problem hiding this comment.
I just used because it's how we use it on others charts
ok, it makes sense. thanks for the explanation
We might need to move the rest of the chart to this approach in another PR since I believe that we use {{ toYaml . | indent 4 }} in other places.
|
BTW, now that I think about this. I am a little bit worried about the change on the way we define the hosts since it will mean a breaking change right? Meaning that if somebody today has an automated upgrade process that relies on having ingress enable it will fail right? In that case, if we still decide to go ahead with the change we might need to bump the mayor version not the minor one. what do you think @prydonius @juan131 @andresmgot ? |
|
I agree. It breaks backwards compatibility and, therefore, it should be considered a major change. |
|
PR updated bumping the major version. |
There was a problem hiding this comment.
@migmartri as you can check it's not easy to setup the
annotationsandtlsbefore the changes. An also, you can't choose a differentpathper host
Wait, but in your example you are not setting TLS in the before case no?
And changing the example to do what your new code does (expect the path and annotation) would be something like:
helm template --name kubeapps --namespace kubeapps chart/kubeapps \
--set ingress.enabled=true \
--set ingress.hosts[0]=kubeapps.custom.domain \
--set ingress.hosts[1]=kubeapps.other.domain \
--set ingress.tls[0].secretName=kubeapps-tls \
--set ingress.tls.hosts[0]=kubeapps.custom.domain
which does not seems much more difficult that the new syntax. I agree that the new one is better though but I am not sure if it's worth breaking chart compatibility.
It might make sense to only add support to the custom certManager annotation without breaking compatibility, I am not even sure if adding support to path is even supported by out Nginx frontend?
I am removing my approval until more people chime in, probably breaking compatibility is fine since we are in beta and this change makes it consistent (I think) with our other upstreamed charts. But I'd like to hear from others.
Thanks!
|
IMHO doing a major release of a chart should not be a drama. We can add the steps you need to perform to do an upgrade if you consider it necessary but I think it's something normal since charts are improved constantly and some of these changes can break backward compatibility. |
|
Actually @andresmgot raised a good point that in semver, for 0.x versions, minor version changes are considered breaking. So feel free to revert back to 0.9 (in your case since 0.8 has already been taken). Thanks @juan131! |
What this PR does / why we need it:
This PR allows the user to configure the proper annotations when using cert-manager to handle TLS certificates in an easy way. The user just needs to setup a boolean to true to do so.
E.g.:
This will generate the following ingress:
See also bitnami/charts#882