[MM-23256] TLS support for ingress resource (#132)

* Add TLS for ingress * tests: update ingress tests
mattermost · Mar 24, 2020 · 8b9120b · 8b9120b
1 parent a9f1a33
commit 8b9120b
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 5 deletions.
diff --git a/deploy/crds/mattermost.com_clusterinstallations_crd.yaml b/deploy/crds/mattermost.com_clusterinstallations_crd.yaml
@@ -1218,6 +1218,8 @@ spec:
                 ''Minio.Replicas'', ''Minio.Resource'', ''Database.Replicas'', or
                 ''Database.Resources'' will override the values set by Size.'
               type: string
+            useIngressTLS:
+              type: boolean
             useServiceLoadBalancer:
               type: boolean
             version:

diff --git a/pkg/apis/mattermost/v1alpha1/clusterinstallation_types.go b/pkg/apis/mattermost/v1alpha1/clusterinstallation_types.go
@@ -67,6 +67,9 @@ type ClusterInstallationSpec struct {
 	// +optional
 	ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"`
 
+	// +optional
+	UseIngressTLS bool `json:"useIngressTLS,omitempty"`
+
 	// +optional
 	IngressAnnotations map[string]string `json:"ingressAnnotations,omitempty"`
 	// Optional environment variables to set in the Mattermost application pods.

diff --git a/pkg/apis/mattermost/v1alpha1/clusterinstallation_utils.go b/pkg/apis/mattermost/v1alpha1/clusterinstallation_utils.go
@@ -233,8 +233,8 @@ func (mattermost *ClusterInstallation) GenerateService(serviceName, selectorName
 }
 
 // GenerateIngress returns the ingress for Mattermost
-func (mattermost *ClusterInstallation) GenerateIngress(name, ingressName string, ingressAnnotations map[string]string) *v1beta1.Ingress {
-	return &v1beta1.Ingress{
+func (mattermost *ClusterInstallation) GenerateIngress(name, ingressName string, ingressAnnotations map[string]string, useTLS bool) *v1beta1.Ingress {
+	ingress := &v1beta1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: mattermost.Namespace,
@@ -269,6 +269,17 @@ func (mattermost *ClusterInstallation) GenerateIngress(name, ingressName string,
 			},
 		},
 	}
+
+	if useTLS {
+		ingress.Spec.TLS = []v1beta1.IngressTLS{
+			{
+				Hosts:      []string{ingressName},
+				SecretName: strings.ReplaceAll(ingressName, ".", "-") + "-tls-cert",
+			},
+		}
+	}
+
+	return ingress
 }
 
 // GetContainerByName gets container from a deployment by name

diff --git a/pkg/apis/mattermost/v1alpha1/zz_generated.openapi.go b/pkg/apis/mattermost/v1alpha1/zz_generated.openapi.go
diff --git a/pkg/controller/clusterinstallation/mattermost.go b/pkg/controller/clusterinstallation/mattermost.go
@@ -73,7 +73,7 @@ func (r *ReconcileClusterInstallation) checkMattermostService(mattermost *matter
 }
 
 func (r *ReconcileClusterInstallation) checkMattermostIngress(mattermost *mattermostv1alpha1.ClusterInstallation, resourceName, ingressName string, ingressAnnotations map[string]string, reqLogger logr.Logger) error {
-	desired := mattermost.GenerateIngress(resourceName, ingressName, ingressAnnotations)
+	desired := mattermost.GenerateIngress(resourceName, ingressName, ingressAnnotations, mattermost.Spec.UseIngressTLS)
 
 	err := r.createIngressIfNotExists(mattermost, desired, reqLogger)
 	if err != nil {

diff --git a/pkg/controller/clusterinstallation/mattermost_test.go b/pkg/controller/clusterinstallation/mattermost_test.go
@@ -81,14 +81,16 @@ func TestCheckMattermost(t *testing.T) {
 		assert.Equal(t, original.Spec.Ports, found.Spec.Ports)
 	})
 
-	t.Run("ingress", func(t *testing.T) {
+	t.Run("ingress no tls", func(t *testing.T) {
+		ci.Spec.UseIngressTLS = false
 		err = r.checkMattermostIngress(ci, ci.Name, ci.Spec.IngressName, ci.Spec.IngressAnnotations, logger)
 		assert.NoError(t, err)
 
 		found := &v1beta1.Ingress{}
 		err = r.client.Get(context.TODO(), types.NamespacedName{Name: ciName, Namespace: ciNamespace}, found)
 		require.NoError(t, err)
 		require.NotNil(t, found)
+		require.Nil(t, found.Spec.TLS)
 
 		original := found.DeepCopy()
 		modified := found.DeepCopy()
@@ -105,7 +107,44 @@ func TestCheckMattermost(t *testing.T) {
 		assert.Equal(t, original.GetAnnotations(), found.GetAnnotations())
 		assert.Equal(t, original.GetName(), found.GetName())
 		assert.Equal(t, original.GetNamespace(), found.GetNamespace())
-		assert.Equal(t, original.Spec.Rules, original.Spec.Rules)
+		assert.Equal(t, original.Spec.Rules, found.Spec.Rules)
+	})
+
+	t.Run("ingress with tls", func(t *testing.T) {
+		ci.Spec.UseIngressTLS = true
+		ci.Spec.IngressAnnotations = map[string]string{
+			"kubernetes.io/ingress.class": "nginx-test",
+			"test-ingress":                "blabla",
+		}
+
+		err = r.checkMattermostIngress(ci, ci.Name, ci.Spec.IngressName, ci.Spec.IngressAnnotations, logger)
+		assert.NoError(t, err)
+
+		found := &v1beta1.Ingress{}
+		err = r.client.Get(context.TODO(), types.NamespacedName{Name: ciName, Namespace: ciNamespace}, found)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		require.NotNil(t, found.Spec.TLS)
+		require.NotNil(t, found.Annotations)
+		assert.Contains(t, found.Annotations, "kubernetes.io/ingress.class")
+
+		original := found.DeepCopy()
+		modified := found.DeepCopy()
+		modified.Labels = nil
+		modified.Annotations = nil
+		modified.Spec = v1beta1.IngressSpec{}
+
+		err = r.client.Update(context.TODO(), modified)
+		require.NoError(t, err)
+		err = r.checkMattermostIngress(ci, ci.Name, ci.Spec.IngressName, ci.Spec.IngressAnnotations, logger)
+		require.NoError(t, err)
+		err = r.client.Get(context.TODO(), types.NamespacedName{Name: ciName, Namespace: ciNamespace}, found)
+		require.NoError(t, err)
+		assert.Equal(t, original.GetAnnotations(), found.GetAnnotations())
+		assert.Equal(t, original.GetName(), found.GetName())
+		assert.Equal(t, original.GetNamespace(), found.GetNamespace())
+		assert.Equal(t, original.Spec.Rules, found.Spec.Rules)
+		assert.Equal(t, original.Spec.TLS, original.Spec.TLS)
 	})
 
 	t.Run("deployment", func(t *testing.T) {