Added ingress.secretNamespace

nano-byte · Mar 27, 2024 · fdb583b · fdb583b
1 parent 5faac4c
commit fdb583b
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 0 deletions.
diff --git a/charts/generic-service/README.md b/charts/generic-service/README.md
@@ -103,6 +103,7 @@ app:
 | `ingress.paths`                                 | `[]`                        | HTTP path prefixes to accept ingress traffic for (leave empty to accept traffic for any path)            |
 | `ingress.tls.enabled`                           | `false`                     | Enables TLS termination at the ingress (not applicable if `ingress.istio.enabled`)                       |
 | `ingress.tls.secret`                            | `{{ .Release.Name }}-tls`   | The name of the `Secret` holding the TLS private key (not applicable if `ingress.istio.enabled`)         |
+| `ingress.tls.secretNamespace`                   |                             | The Kubernetes namespace containing the `Secret` (only applicable if `ingress.class` is `contour`)       |
 | `ingress.cors.enabled`                          | `false`                     | Enables CORS (only applicable if `ingress.class` is `nginx` or `ingress.istio.enabled` is `true`)        |
 | `ingress.cors.allowOrigin`                      | `[]`                        | List of origins allowed to access the ingress via CORS; leave empty to allow any                         |
 | `ingress.cors.allowMethods`                     | `[GET]`                     | List of HTTP methods allowed to access the ingress via CORS                                              |
@@ -127,6 +128,7 @@ app:
 | `ingress.extra.*.paths`                         | `[]`                        | HTTP path prefixes to accept ingress traffic for (leave empty to accept traffic for any path)            |
 | `ingress.extra.*.tls.enabled`                   | `false`                     | Enables TLS termination at the ingress                                                                   |
 | `ingress.extra.*.tls.secret`                    | Release Name + `*` + `-tls` | The name of the `Secret` holding the TLS private key                                                     |
+| `ingress.extra.*.tls.secretNamespace`           |                             | The Kubernetes namespace containing the `Secret` (only applicable if `class` is `contour`)               |
 | `ingress.extra.*.annotations`                   | `{}`                        | Additional annotations, merged with `ingress.annotations` (use string `nil` to unset existing values)    |
 | `netpol.enabled`                                | `false`                     | Apply network policies for the `Pod`s                                                                    |
 | `netpol.ingress`                                | Allow from same namespace   | Ingress network policy rules to apply                                                                    |

diff --git a/charts/generic-service/ci/ingress-contour-values.yaml b/charts/generic-service/ci/ingress-contour-values.yaml
@@ -12,3 +12,9 @@ ingress:
     timeout:
       domains: ['timeout.example.com']
       timeoutSeconds: -1  # infinte
+    tls:
+      domains: ['tls.example.com']
+      tls:
+        enabled: true
+        secretNamespace: secret-namespace
+        secret: secret-name
diff --git a/charts/generic-service/templates/ingress-extra.yaml b/charts/generic-service/templates/ingress-extra.yaml
@@ -31,6 +31,9 @@ metadata:
     {{- if $timeout }}
     projectcontour.io/response-timeout: '{{ if eq (int $timeout) -1 }}infinity{{ else }}{{ $timeout }}s{{ end }}'
     {{- end }}
+    {{- if and $extra.tls (and $extra.tls.enabled $extra.tls.secretNamespace) }}
+    projectcontour.io/tls-cert-namespace: {{ $extra.tls.secretNamespace }}
+    {{- end }}
   {{- end }}
 
 spec:

diff --git a/charts/generic-service/templates/ingress.yaml b/charts/generic-service/templates/ingress.yaml
@@ -30,6 +30,9 @@ metadata:
     {{- if .Values.ingress.timeoutSeconds }}
     projectcontour.io/response-timeout: '{{ if eq (int .Values.ingress.timeoutSeconds) -1 }}infinity{{ else }}{{ .Values.ingress.timeoutSeconds }}s{{ end }}'
     {{- end }}
+    {{- if and .Values.ingress.tls.enabled .Values.ingress.tls.secretNamespace }}
+    projectcontour.io/tls-cert-namespace: {{ .Values.ingress.tls.secretNamespace }}
+    {{- end }}
   {{- end }}
 
 spec:

diff --git a/charts/generic-service/values.schema.json b/charts/generic-service/values.schema.json
@@ -535,6 +535,10 @@
               "type": "string",
               "default": "{{ .Release.Name }}-tls",
               "description": "The name of the Secret holding the TLS private key (not applicable if ingress.istio.enabled)"
+            },
+            "secretNamespace": {
+              "type": "string",
+              "description": "The Kubernetes namespace containing the Secret (only applicable if ingress.class is contour)"
             }
           },
           "additionalProperties": false
@@ -675,6 +679,10 @@
                   "secret": {
                     "type": "string",
                     "description": "The name of the Secret holding the TLS private key"
+                  },
+                  "secretNamespace": {
+                    "type": "string",
+                    "description": "The Kubernetes namespace containing the Secret (only applicable if class is contour)"
                   }
                 }
               },

diff --git a/charts/generic-service/values.yaml b/charts/generic-service/values.yaml
@@ -111,6 +111,7 @@ ingress:
   tls:
     enabled: false
     secret: '{{ .Release.Name }}-tls'
+    secretNamespace: ''
   cors:
     enabled: false
     allowOrigin: []