Kubernetes: Allow generating secured Ingress resources #26443
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sgitario
commented
Jun 29, 2022
| * If true, it will use the TLS configuration in the generated Ingress resource. | ||
| */ | ||
| @ConfigItem | ||
| boolean enabled; |
There was a problem hiding this comment.
I don't really like having to add this enabled field... However, I didn't see any workaround for #7862 (this issue is closed, but having optional nested in other optional objects is not working).
iocanel
approved these changes
Jul 5, 2022
| @@ -74,10 +74,6 @@ public interface PlatformConfiguration extends EnvVarHolder { | |||
|
|
|||
| ResourcesConfig getResources(); | |||
|
|
|||
| default Optional<ExpositionConfig> getExposition() { | |||
There was a problem hiding this comment.
As this is not a generic code anymore, it's used in specific platforms only.
| @@ -436,18 +435,6 @@ private static List<DecoratorBuildItem> createAnnotationDecorators(Optional<Proj | |||
| now.format(DateTimeFormatter.ofPattern("yyyy-MM-dd - HH:mm:ss Z")), new String[0])))); | |||
| } | |||
|
|
|||
| if (config.getExposition().isPresent() && config.getExposition().get().expose) { | |||
There was a problem hiding this comment.
I see, we moved the generic code from common to platform specific processors. Makes sense.
mamadaliev
approved these changes
Jul 5, 2022
|
Unfortunately, there is now a conflict. Any chance you could rebase and ping me loudly when done? Thanks! |
Kubernetes exposes applications using https://kubernetes.io/docs/concepts/services-networking/ingress[Ingress resources]. To generate the Ingress resource, just apply the following configuration: [source] ---- quarkus.kubernetes.ingress.expose=true ---- This would generate the following Ingress resource: [source, yaml] ---- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: app.quarkus.io/commit-id: a58d221 app.quarkus.io/build-timestamp: 2022-06-29 - 13:22:41 +0000 labels: app.kubernetes.io/name: kubernetes-with-ingress app.kubernetes.io/version: 0.1-SNAPSHOT name: kubernetes-with-ingress spec: rules: - http: paths: - backend: service: name: kubernetes-with-ingress port: name: http path: / pathType: Prefix ---- After deploying these resources to Kubernetes, the Ingress resource will allow unsecured connections to reach out your application. To secure the incoming connections, Kubernetes allows enabling https://kubernetes.io/docs/concepts/services-networking/ingress/#tls[TLS] within the Ingress resource by specifying a Secret that contains a TLS private key and certificate. You can generate a secured Ingress resource by simply adding the "tls.secret-name" properties: [source] ---- quarkus.kubernetes.ingress.expose=true quarkus.kubernetes.ingress.tls.my-secret.enabled=true ---- This configuration will generate the following secured Ingress resource: [source, yaml] ---- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: ... name: kubernetes-with-secure-ingress spec: rules: ... tls: - secretName: my-secret ---- Now, Kubernetes will validate all the incoming connections using SSL with the certificates provided within the secret with name "my-secret". [NOTE] ==== More information about how to create the secret in https://kubernetes.io/docs/concepts/services-networking/ingress/#tls[here]. ==== asd
Sgitario
force-pushed
the
k8s_support_tls
branch
from
a88a11c
to
788b5be
Compare
PR updated and conflicts resolved! |
|
Merged, thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Kubernetes exposes applications using https://kubernetes.io/docs/concepts/services-networking/ingress[Ingress resources]. To generate the Ingress resource, just apply the following configuration:
This would generate the following Ingress resource:
After deploying these resources to Kubernetes, the Ingress resource will allow unsecured connections to reach out your application.
To secure the incoming connections, Kubernetes allows enabling https://kubernetes.io/docs/concepts/services-networking/ingress/#tls[TLS] within the Ingress resource by specifying a Secret that contains a TLS private key and certificate. You can generate a secured Ingress resource by simply adding the "tls.secret-name" properties:
This configuration will generate the following secured Ingress resource:
Now, Kubernetes will validate all the incoming connections using SSL with the certificates provided within the secret with name "my-secret".
NOTE: More information about how to create the secret in https://kubernetes.io/docs/concepts/services-networking/ingress/#tls[here].