Kubernetes: Allow generating secured Ingress resources #26443
* If true, it will use the TLS configuration in the generated Ingress resource. | ||
*/ | ||
@ConfigItem | ||
boolean enabled; |
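Review bot: the Javadoc on `enabled` does not say what the default is or what gets generated when a TLS entry is configured but this flag is left unset. Since the flag decides whether the TLS configuration reaches the generated Ingress, state the default in the comment and consider an explicit `defaultValue` on `@ConfigItem`, so that a forgotten flag is a documented outcome rather than a silently unsecured Ingress.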
I don't really like having to add this enabled field... However, I didn't see any workaround for #7862 (this issue is closed, but having optional nested in other optional objects is not working).
LGTM
@@ -74,10 +74,6 @@ public interface PlatformConfiguration extends EnvVarHolder { | |||
|
|||
ResourcesConfig getResources(); | |||
|
|||
default Optional<ExpositionConfig> getExposition() { |
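Review bot: `getExposition()` is a default method on the public `PlatformConfiguration` interface, so taking it out here affects every implementation and caller, not only the ones touched in this change. Confirm that no remaining code path reads it, and if code outside this module could depend on it, deprecate it for a release before removing it.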
No one used this?
As this is not generic code anymore, it's used in specific platforms only.
@@ -436,18 +435,6 @@ private static List<DecoratorBuildItem> createAnnotationDecorators(Optional<Proj | |||
now.format(DateTimeFormatter.ofPattern("yyyy-MM-dd - HH:mm:ss Z")), new String[0])))); | |||
} | |||
|
|||
if (config.getExposition().isPresent() && config.getExposition().get().expose) { |
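Review bot: with the `config.getExposition().isPresent() && config.getExposition().get().expose` branch gone from `createAnnotationDecorators`, nothing in the common path handles exposure any more, and the replacement is not visible in this hunk. Each platform that relied on it needs its own equivalent, ideally with a test per platform asserting that the expose setting still produces the expected resource, so that none of them quietly stops generating it.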
I see, we moved the generic code from common to platform specific processors. Makes sense.
Yep
Unfortunately, there is now a conflict. Any chance you could rebase and ping me loudly when done? Thanks!
Kubernetes exposes applications using https://kubernetes.io/docs/concepts/services-networking/ingress[Ingress resources]. To generate the Ingress resource, just apply the following configuration:

[source]
----
quarkus.kubernetes.ingress.expose=true
----

This would generate the following Ingress resource:

[source, yaml]
----
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    app.quarkus.io/commit-id: a58d221
    app.quarkus.io/build-timestamp: 2022-06-29 - 13:22:41 +0000
  labels:
    app.kubernetes.io/name: kubernetes-with-ingress
    app.kubernetes.io/version: 0.1-SNAPSHOT
  name: kubernetes-with-ingress
spec:
  rules:
    - http:
        paths:
          - backend:
              service:
                name: kubernetes-with-ingress
                port:
                  name: http
            path: /
            pathType: Prefix
----

After deploying these resources to Kubernetes, the Ingress resource will allow unsecured connections to reach your application.

To secure the incoming connections, Kubernetes allows enabling https://kubernetes.io/docs/concepts/services-networking/ingress/#tls[TLS] within the Ingress resource by specifying a Secret that contains a TLS private key and certificate. You can generate a secured Ingress resource by simply adding the "tls.secret-name" properties:

[source]
----
quarkus.kubernetes.ingress.expose=true
quarkus.kubernetes.ingress.tls.my-secret.enabled=true
----

This configuration will generate the following secured Ingress resource:

[source, yaml]
----
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  ...
  name: kubernetes-with-secure-ingress
spec:
  rules:
    ...
  tls:
    - secretName: my-secret
----

Now, Kubernetes will validate all the incoming connections using SSL with the certificates provided within the secret with name "my-secret".

[NOTE]
====
More information about how to create the secret can be found https://kubernetes.io/docs/concepts/services-networking/ingress/#tls[here].
====

asd
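A check for the difference described above, as an added example that is not part of the pull request or of Quarkus: it reads Ingress manifests as JSON and reports those with no `spec.tls`, plus rule hosts that a host-restricted TLS entry does not cover. The sample input, its host names, the `partial-tls` resource and the function names are constructed for the example.

```python
import json

# Constructed sample in the shape `kubectl get ingress -o json` returns (kind: List).
# The first two mirror the Ingresses above; hosts and the third item are made up.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Ingress", "metadata": {"name": "kubernetes-with-ingress"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/"}]}}]}},
    {"kind": "Ingress", "metadata": {"name": "kubernetes-with-secure-ingress"},
     "spec": {"rules": [{"host": "app.example.test"}],
              "tls": [{"secretName": "my-secret"}]}},
    {"kind": "Ingress", "metadata": {"name": "partial-tls"},
     "spec": {"rules": [{"host": "a.example.test"}, {"host": "b.example.test"}],
              "tls": [{"secretName": "my-secret", "hosts": ["a.example.test"]}]}},
]})


def iter_resources(doc):
    """Yield resources from one object, a JSON array, or a kind: List."""
    if isinstance(doc, list):
        for item in doc:
            yield from iter_resources(item)
    elif isinstance(doc, dict) and doc.get("kind") == "List":
        yield from iter_resources(doc.get("items") or [])
    elif isinstance(doc, dict):
        yield doc


def audit_ingress_tls(manifest_json):
    """Map each Ingress name to its TLS findings (empty list = nothing flagged)."""
    report = {}
    for res in iter_resources(json.loads(manifest_json)):
        if res.get("kind") != "Ingress":
            continue
        spec = res.get("spec") or {}
        tls = spec.get("tls") or []
        found = []
        if not tls:
            found.append("no spec.tls")
        if any(not t.get("secretName") for t in tls):
            found.append("tls entry without secretName")
        # A tls entry with no hosts list is not host-restricted; otherwise
        # compare rule hosts by exact match (wildcards are not expanded).
        if tls and all(t.get("hosts") for t in tls):
            covered = {h for t in tls for h in t["hosts"]}
            found += [f"host {r['host']} not in spec.tls hosts"
                      for r in spec.get("rules") or []
                      if r.get("host") and r["host"] not in covered]
        report[(res.get("metadata") or {}).get("name", "<unnamed>")] = found
    return report
```

Calling `audit_ingress_tls(SAMPLE)` flags the first and third Ingress and leaves the secured one with an empty list; in a pipeline the same function can be fed the JSON form of the generated manifests and fail the build on any non-empty entry.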
a88a11c to 788b5be
PR updated and conflicts resolved!
Merged, thank you!