From 6abfa3fd491500bfd45c7516d2d09cf72bd27a81 Mon Sep 17 00:00:00 2001
From: Kent Rancourt
Date: Fri, 10 Jan 2025 15:53:47 -0500
Subject: [PATCH] refactor(chart): generalize option that specifies TLS is terminated upstream (#3243)
Signed-off-by: Kent Rancourt
---
 charts/kargo/README.md | 4 ++--
 charts/kargo/templates/_helpers.tpl | 2 +-
 charts/kargo/values.yaml | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/kargo/README.md b/charts/kargo/README.md
index 47da81e1b..6f1c9a1e3 100644
--- a/charts/kargo/README.md
+++ b/charts/kargo/README.md
@@ -88,14 +88,14 @@ the Kargo controller is running.
 | `api.env` | Environment variables to add to API server pods. | `[]` |
 | `api.envFrom` | Environment variables to add to API server pods from ConfigMaps or Secrets. | `[]` |
 | `api.probes.enabled` | Whether liveness and readiness probes should be included in the API server deployment. It is sometimes advantageous to disable these during local development. | `true` |
-| `api.tls.enabled` | Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section will be ignored when this is set to `false`. | `true` |
+| `api.tls.enabled` | Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section EXCEPT `terminatedUpstream` will be ignored when this is set to `false`. | `true` |
 | `api.tls.selfSignedCert` | Whether to generate a self-signed certificate for use by the API server. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-cert` **must** be provided in the same namespace as Kargo. | `true` |
+| `api.tls.terminatedUpstream` | Whether TLS is terminated upstream, i.e. a load balancer, reverse-proxy, or an Ingress controller using a single wildcard cert is terminating it. Setting this to `true` forces all API server URLs to use HTTPS even if the Ingress (if applicable) or API server itself are listening for plain HTTP requests. | `false` |
 | `api.permissiveCORSPolicyEnabled` | Whether to enable a permissive CORS (Cross Origin Resource Sharing) policy. This is sometimes advantageous during local development, but otherwise, should generally be left disabled. | `false` |
 | `api.ingress.enabled` | Whether to enable ingress by creating an Ingress resource. By default, this is disabled. Enabling ingress is advanced usage. | `false` |
 | `api.ingress.annotations` | Annotations specified by your ingress controller to customize the behavior of the Ingress resource. | `{}` |
 | `api.ingress.ingressClassName` | If implemented by your ingress controller, specifies the ingress class. If your ingress controller does not support this, use the `kubernetes.io/ingress.class` annotation instead. | `nil` |
 | `api.ingress.tls.enabled` | Whether to associate a certificate with the Ingress resource. | `true` |
-| `api.ingress.tls.usesControllerCert` | Whether the ingress controller has been configured to terminate SSL using its own certificate instead of the certificate, if any, referenced by the Ingress resource. This is an uncommon configuration. | `false` |
 | `api.ingress.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo. The value in this field has no effect if `api.ingress.tls.enabled` is `false`. | `true` |
 | `api.ingress.pathType` | You may want to use `Prefix` for some controllers (like AWS LoadBalancer Ingress controller), which don't support `/` as wildcard path when pathType is set to `ImplementationSpecific` | `ImplementationSpecific` |
 | `api.service.type` | If you're not going to use an ingress controller, you may want to change this value to `LoadBalancer` for production deployments. If running locally, you may want to change it to `NodePort` OR leave it as `ClusterIP` and use `kubectl port-forward` to map a port on the local network interface to the service. | `ClusterIP` |
diff --git a/charts/kargo/templates/_helpers.tpl b/charts/kargo/templates/_helpers.tpl
index 51a990025..2771149e3 100644
--- a/charts/kargo/templates/_helpers.tpl
+++ b/charts/kargo/templates/_helpers.tpl
@@ -92,7 +92,7 @@ app.kubernetes.io/component: webhooks-server
 {{- end -}}
 
 {{- define "kargo.api.baseURL" -}}
-{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled (or .Values.api.ingress.tls.enabled .Values.api.ingress.tls.usesControllerCert)) -}}
+{{- if or .Values.api.tls.enabled (and .Values.api.ingress.enabled .Values.api.ingress.tls.enabled) .Values.api.tls.terminatedUpstream -}}
 {{- printf "https://%s" .Values.api.host -}}
 {{- else -}}
 {{- printf "http://%s" .Values.api.host -}}
diff --git a/charts/kargo/values.yaml b/charts/kargo/values.yaml
index edc27f111..4c85ccd09 100755
--- a/charts/kargo/values.yaml
+++ b/charts/kargo/values.yaml
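Review bot: The values key `api.ingress.tls.usesControllerCert` is dropped from the `kargo.api.baseURL` condition without any guard, so an operator who still sets it in their overrides gets no error and the base URL silently becomes `http://` unless they also set the new `api.tls.terminatedUpstream`; Helm only rejects unknown values when a values.schema.json is present, and none appears in this commit. A fail-fast guard at the top of the define would surface the rename at install or upgrade time: `{{- if hasKey .Values.api.ingress.tls "usesControllerCert" -}}` / `{{- fail "api.ingress.tls.usesControllerCert was replaced by api.tls.terminatedUpstream" -}}` / `{{- end -}}`. A short comment above the define would also help, since `terminatedUpstream` only changes the scheme of the generated URL and, per the README text in this commit, says nothing about whether the hop between the proxy and the API server is actually encrypted. The define's closing `{{- end -}}` lies outside the hunk, and the second values.yaml hunk removing the old default is part of the same rename.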
@@ -146,10 +146,12 @@ api:
     enabled: true
   tls:
-    ## @param api.tls.enabled Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section will be ignored when this is set to `false`.
+    ## @param api.tls.enabled Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section EXCEPT `terminatedUpstream` will be ignored when this is set to `false`.
     enabled: true
     ## @param api.tls.selfSignedCert Whether to generate a self-signed certificate for use by the API server. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-cert` **must** be provided in the same namespace as Kargo.
     selfSignedCert: true
+    ## @param api.tls.terminatedUpstream Whether TLS is terminated upstream, i.e. a load balancer, reverse-proxy, or an Ingress controller using a single wildcard cert is terminating it. Setting this to `true` forces all API server URLs to use HTTPS even if the Ingress (if applicable) or API server itself are listening for plain HTTP requests.
+    terminatedUpstream: false
   ## @param api.permissiveCORSPolicyEnabled Whether to enable a permissive CORS (Cross Origin Resource Sharing) policy. This is sometimes advantageous during local development, but otherwise, should generally be left disabled.
   permissiveCORSPolicyEnabled: false
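Review bot: In the new `@param api.tls.terminatedUpstream` line, "i.e. a load balancer, reverse-proxy, or an Ingress controller ..." introduces examples rather than a definition, so "e.g." is the right abbreviation, and "the Ingress (if applicable) or API server itself are listening" should read "is listening"; the same sentence appears in the README hunk. It would also help to say explicitly in that comment that, judging by the `_helpers.tpl` change in this commit, the flag only affects the scheme of the generated base URL and does not change what the API server or Ingress listen on, since the key sits under `api.tls` yet is honoured even when `api.tls.enabled` is `false`.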
@@ -165,8 +167,6 @@ api:
     tls:
       ## @param api.ingress.tls.enabled Whether to associate a certificate with the Ingress resource.
       enabled: true
-      ## @param api.ingress.tls.usesControllerCert Whether the ingress controller has been configured to terminate SSL using its own certificate instead of the certificate, if any, referenced by the Ingress resource. This is an uncommon configuration.
-      usesControllerCert: false
       ## @param api.ingress.tls.selfSignedCert Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo. The value in this field has no effect if `api.ingress.tls.enabled` is `false`.
       selfSignedCert: true
     ## @param api.ingress.pathType You may want to use `Prefix` for some controllers (like AWS LoadBalancer Ingress controller), which don't support `/` as wildcard path when pathType is set to `ImplementationSpecific`