From eb19dc79fc82b316ed2ea7ae0353e5123d36a367 Mon Sep 17 00:00:00 2001
From: marcellmueller
Date: Wed, 1 May 2024 11:40:08 -0700
Subject: [PATCH 1/4] chore: update route.yaml

---
 chart/cas-cif/templates/route.yaml | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/chart/cas-cif/templates/route.yaml b/chart/cas-cif/templates/route.yaml
index c719c96afc..d42a29e18d 100644
--- a/chart/cas-cif/templates/route.yaml
+++ b/chart/cas-cif/templates/route.yaml
@@ -1,11 +1,12 @@
-{{- $route := (lookup "route.openshift.io/v1" "Route" .Release.Namespace "cas-cif" ) }}
-{{- $certificate := "" }}
-{{- $key := "" }}
-{{- $caCertificate := "" }}
-{{- if $route }}
-{{- $certificate = $route.spec.tls.certificate }}
-{{- $key = $route.spec.tls.key }}
-{{- $caCertificate = $route.spec.tls.caCertificate }}
+{{- $keySecret := "Secret not found" }}
+{{- $certSecret := "Secret not found" }}
+{{- $CACertSecret := "Secret not found" }}
+
+{{- $existingSSLSecret := (lookup "v1" "Secret" .Release.Namespace "ssl-cert-cas-cif" ) }}
+{{- if $existingSSLSecret }}
+{{- $keySecret = index $existingSSLSecret.data "private-key" | b64dec | quote}}
+{{- $certSecret = index $existingSSLSecret.data "certificate" | b64dec | quote}}
+{{- $CACertSecret = index $existingSSLSecret.data "CACert" | b64dec | quote}}
 {{- end -}}

 apiVersion: route.openshift.io/v1
@@ -20,15 +21,16 @@ spec:
 port:
 targetPort: {{ template "cas-cif.fullname" . }}
 tls:
- termination: edge
 insecureEdgeTerminationPolicy: Redirect
- {{- if $certificate }}
- certificate: {{ $certificate | quote }}
- key: {{ $key | quote }}
- caCertificate: {{ $caCertificate | quote }}
- {{- end }}
+ termination: edge
+{{- if hasSuffix "-prod" .Release.Namespace }}
+ key: {{ $keySecret }}
+ certificate: {{ $certSecret }}
+ caCertificate: {{ $CACertSecret }}
+{{- end }}
 to:
 kind: Service
 name: {{ template "cas-cif.fullname" . }}
 weight: 100
 wildcardPolicy: None
+
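Review bot: In the second hunk the prod branch renders `key: {{ $keySecret }}` (and the certificate/caCertificate lines) whether or not the lookup succeeded, so when the `ssl-cert-cas-cif` Secret is absent, or when `lookup` returns nothing as Helm documents for `helm template` and `--dry-run`, the Route is handed the literal text `Secret not found` as its TLS key and certificate instead of PEM material. A missing data key has the same shape: `index` yields an empty string, which `b64dec | quote` turns into `""`. For a production route the safe behaviour is to refuse to render rather than ship a broken TLS block: add `{{- else if hasSuffix "-prod" .Release.Namespace }}` / `{{- fail "ssl-cert-cas-cif Secret not found; refusing to render the prod Route without TLS material" }}` before the `{{- end -}}` of the first hunk, and wrap each `index $existingSSLSecret.data "..."` in `required` so a partially populated Secret fails the same way. The same block is copied verbatim into route.prod.yaml in the second patch of this series, where the same fix applies.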
From 01012d9ba4eff19b80445da617b05dea96ce5029 Mon Sep 17 00:00:00 2001
From: Mike Vesprini
Date: Mon, 6 May 2024 12:17:17 -0700
Subject: [PATCH 2/4] chore: add a separate route template specifically for prod

---
 chart/cas-cif/templates/route.prod.yaml | 38 +++++++++++++++++++++++++
 chart/cas-cif/templates/route.yaml | 30 ++++++++++---------
 2 files changed, 54 insertions(+), 14 deletions(-)
 create mode 100644 chart/cas-cif/templates/route.prod.yaml

diff --git a/chart/cas-cif/templates/route.prod.yaml b/chart/cas-cif/templates/route.prod.yaml
new file mode 100644
index 0000000000..f36f47dbb4
--- /dev/null
+++ b/chart/cas-cif/templates/route.prod.yaml
@@ -0,0 +1,38 @@
+{{- if hasSuffix "-prod" .Release.Namespace }}
+
+{{- $keySecret := "Secret not found" }}
+{{- $certSecret := "Secret not found" }}
+{{- $CACertSecret := "Secret not found" }}
+
+{{- $existingSSLSecret := (lookup "v1" "Secret" .Release.Namespace "ssl-cert-cas-cif" ) }}
+{{- if $existingSSLSecret }}
+{{- $keySecret = index $existingSSLSecret.data "private-key" | b64dec | quote}}
+{{- $certSecret = index $existingSSLSecret.data "certificate" | b64dec | quote}}
+{{- $CACertSecret = index $existingSSLSecret.data "CACert" | b64dec | quote}}
+{{- end -}}
+
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ template "cas-cif.fullname" . }}
+ labels: {{ include "cas-cif.labels" . | nindent 4 }}
+ annotations:
+ haproxy.router.openshift.io/balance: roundrobin
+
+spec:
+ host: {{ .Values.hostName }}
+ port:
+ targetPort: {{ template "cas-cif.fullname" . }}
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+ key: {{ $keySecret }}
+ certificate: {{ $certSecret }}
+ caCertificate: {{ $CACertSecret }}
+ to:
+ kind: Service
+ name: {{ template "cas-cif.fullname" . }}
+ weight: 100
+ wildcardPolicy: None
+
+{{- end }}
diff --git a/chart/cas-cif/templates/route.yaml b/chart/cas-cif/templates/route.yaml
index d42a29e18d..b4e75bf824 100644
--- a/chart/cas-cif/templates/route.yaml
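Review bot: The new route.prod.yaml carries no comment explaining why prod takes its TLS material from the `ssl-cert-cas-cif` Secret while route.yaml keeps whatever certificate is already on the live Route, and the namespace test that selects between the two files is duplicated in negated form in route.yaml, so a prod namespace rename has to be made in both places. A header such as `{{- /* Prod only: TLS key/cert/CA come from the manually managed ssl-cert-cas-cif Secret (certbot is disabled in values-prod.yaml); non-prod routes are rendered by route.yaml, which must keep the inverse of this namespace check */ -}}` would record both facts where the next maintainer will read them. The variables `$keySecret`, `$certSecret` and `$CACertSecret` hold decoded, already-quoted PEM strings rather than Secret objects, so names like `$tlsKey`, `$tlsCert` and `$tlsCaCert` would read more honestly, and `$CACertSecret` breaks the camelCase its siblings use. The `| quote}}` actions are also the only ones in the file without a space before `}}`.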
+++ b/chart/cas-cif/templates/route.yaml
@@ -1,12 +1,13 @@
-{{- $keySecret := "Secret not found" }}
-{{- $certSecret := "Secret not found" }}
-{{- $CACertSecret := "Secret not found" }}
+{{- if not (hasSuffix "-prod" .Release.Namespace)}}

-{{- $existingSSLSecret := (lookup "v1" "Secret" .Release.Namespace "ssl-cert-cas-cif" ) }}
-{{- if $existingSSLSecret }}
-{{- $keySecret = index $existingSSLSecret.data "private-key" | b64dec | quote}}
-{{- $certSecret = index $existingSSLSecret.data "certificate" | b64dec | quote}}
-{{- $CACertSecret = index $existingSSLSecret.data "CACert" | b64dec | quote}}
+{{- $route := (lookup "route.openshift.io/v1" "Route" .Release.Namespace "cas-cif" ) }}
+{{- $certificate := "" }}
+{{- $key := "" }}
+{{- $caCertificate := "" }}
+{{- if $route }}
+{{- $certificate = $route.spec.tls.certificate }}
+{{- $key = $route.spec.tls.key }}
+{{- $caCertificate = $route.spec.tls.caCertificate }}
 {{- end -}}

 apiVersion: route.openshift.io/v1
@@ -21,16 +22,17 @@ spec:
 port:
 targetPort: {{ template "cas-cif.fullname" . }}
 tls:
- insecureEdgeTerminationPolicy: Redirect
 termination: edge
-{{- if hasSuffix "-prod" .Release.Namespace }}
- key: {{ $keySecret }}
- certificate: {{ $certSecret }}
- caCertificate: {{ $CACertSecret }}
-{{- end }}
+ insecureEdgeTerminationPolicy: Redirect
+ {{- if $certificate }}
+ certificate: {{ $certificate | quote }}
+ key: {{ $key | quote }}
+ caCertificate: {{ $caCertificate | quote }}
+ {{- end }}
 to:
 kind: Service
 name: {{ template "cas-cif.fullname" . }}
 weight: 100
 wildcardPolicy: None
 
+{{- end -}}
From 319a8bf8727cfbf79c65b92ffee2fe26f50cc60e Mon Sep 17 00:00:00 2001
From: Mike Vesprini
Date: Mon, 6 May 2024 13:02:28 -0700
Subject: [PATCH 3/4] chore: remove reference to certbot in prod values

---
 chart/cas-cif/values-prod.yaml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/chart/cas-cif/values-prod.yaml b/chart/cas-cif/values-prod.yaml
index 60cae58abf..b31202b6e6 100644
--- a/chart/cas-cif/values-prod.yaml
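Review bot: The restored `{{- if $certificate }}` block in the second hunk only re-emits the certificate when `lookup` finds the live Route, and Helm documents `lookup` as returning an empty result under `helm template` and `--dry-run`; a dry-run diff of a non-prod namespace will therefore always show the certificate, key and caCertificate being removed, and any render-then-apply workflow would actually strip them from the Route. Nothing in the file says this is expected, so a comment above the lookup is worth adding, e.g. `{{- /* Non-prod: carry forward the TLS fields already on the live Route (presumably written by the certbot subchart enabled in values-dev/test). lookup is empty under helm template / --dry-run, so those renders omit the cert fields by design. */ -}}`. Minor: `{{- if not (hasSuffix "-prod" .Release.Namespace)}}` in the first hunk is the only action in the file without a space before `}}`.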
+++ b/chart/cas-cif/values-prod.yaml
@@ -1,11 +1,5 @@
 hostName: cif.gov.bc.ca
 
-certbot:
- certbot:
- server:
- secretName: cas-acme-url
- secretKey: url
-
 deploy-db:
 airflowEndpoint: https://cas-airflow-prod.apps.silver.devops.gov.bc.ca
 
From af8f2571f7e6ba5d4eb43d69d8467712b84158f9 Mon Sep 17 00:00:00 2001
From: Mike Vesprini
Date: Mon, 6 May 2024 13:09:48 -0700
Subject: [PATCH 4/4] chore: enable certbot conditionally by environment

---
 chart/cas-cif/Chart.yaml | 1 +
 chart/cas-cif/values-dev.yaml | 3 +++
 chart/cas-cif/values-prod.yaml | 3 +++
 chart/cas-cif/values-test.yaml | 3 +++
 4 files changed, 10 insertions(+)

diff --git a/chart/cas-cif/Chart.yaml b/chart/cas-cif/Chart.yaml
index 00c3918322..9d0fac767a 100644
--- a/chart/cas-cif/Chart.yaml
+++ b/chart/cas-cif/Chart.yaml
@@ -21,3 +21,4 @@ dependencies:
 - name: certbot
 version: 0.1.3
 repository: https://bcdevops.github.io/certbot
+ condition: certbot.enabled
diff --git a/chart/cas-cif/values-dev.yaml b/chart/cas-cif/values-dev.yaml
index 8839edc1ee..ef3db145eb 100644
--- a/chart/cas-cif/values-dev.yaml
+++ b/chart/cas-cif/values-dev.yaml
@@ -18,3 +18,6 @@ deploy-db:
 download-dags:
 airflowEndpoint: https://cas-airflow-dev.apps.silver.devops.gov.bc.ca
 
+
+certbot:
+ enabled: true
diff --git a/chart/cas-cif/values-prod.yaml b/chart/cas-cif/values-prod.yaml
index b31202b6e6..520dbdea46 100644
--- a/chart/cas-cif/values-prod.yaml
+++ b/chart/cas-cif/values-prod.yaml
@@ -1,5 +1,8 @@
 hostName: cif.gov.bc.ca
 
+certbot:
+ enabled: false
+
 deploy-db:
 airflowEndpoint: https://cas-airflow-prod.apps.silver.devops.gov.bc.ca
 
diff --git a/chart/cas-cif/values-test.yaml b/chart/cas-cif/values-test.yaml
index 0cd3d638a3..d511e9cae3 100644
--- a/chart/cas-cif/values-test.yaml
+++ b/chart/cas-cif/values-test.yaml
@@ -28,3 +28,6 @@ deploy-db:
 download-dags:
 airflowEndpoint: https://cas-airflow-test.apps.silver.devops.gov.bc.ca
 
+
+certbot:
+ enabled: true
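Review bot: `condition: certbot.enabled` in the Chart.yaml hunk only switches the certbot subchart off when that path resolves to false; Helm treats a condition path that is absent from the parent's values as having no effect, and a dependency with no effective condition is enabled, so any install that does not pass one of values-dev/test/prod (or the chart's default values.yaml, which this series does not touch) still deploys certbot. Unless values.yaml already defines the key, add `certbot:` / `  enabled: false` there so the flag is explicit everywhere and the per-environment files only override it. The values-dev/test/prod hunks themselves are consistent with the earlier removal of the `certbot.certbot.server` block from values-prod.yaml, since prod now disables the subchart that consumed it.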