From 4a3fff59c03f8592b336e265032177f623a76d06 Mon Sep 17 00:00:00 2001
From: Exordian
Date: Tue, 28 Nov 2023 13:52:33 +0100
Subject: [PATCH] Feat nginx default tls (#39)
* feat(nginx-ingress): internal ingress for azure
* feat(nginx-ingress): add option for default TLS cert
---------
Co-authored-by: Jakob Englisch
Co-authored-by: Michael Riedmann
---
.../nginx-ingress/nginx-ingress.libsonnet | 28 +++++++++++++++++--
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/infrastructure/nginx-ingress/nginx-ingress.libsonnet b/infrastructure/nginx-ingress/nginx-ingress.libsonnet
index 30793f1..c360d21 100644
--- a/infrastructure/nginx-ingress/nginx-ingress.libsonnet
+++ b/infrastructure/nginx-ingress/nginx-ingress.libsonnet
@@ -6,21 +6,39 @@ local k = (import '../../prelude.libsonnet'); // begin_config nginxingress: { name: 'nginx-ingress', - loadBalancerIP: error 'you need a static loadbalancer (public ip)', + type: 'external', + loadBalancerIP: error 'you need a static loadbalancer ip (public IP for external, internal IP for internal)', + internalSubnetAzure: null, replicas: 2, + defaultTlsCertificate: null, }, // end_config }, newNginxIngress(config={}):: manifest { + local this = self, local cfg = $._config.nginxingress + config, - 'service-ingress-nginx-controller'+: { + // https://github.com/google/jsonnet/issues/234#issuecomment-275489855 + local join(a) = + local notNull(i) = i != null; + local maybeFlatten(acc, i) = if std.type(i) == 'array' then acc + i else acc + [i]; + std.foldl(maybeFlatten, std.filter(notNull, a), []), + + 'service-ingress-nginx-controller'+: if cfg.type == 'external' then { spec+: { loadBalancerIP: cfg.loadBalancerIP, }, + } else if cfg.type == 'internal-azure' then { + metadata+: { + annotations+: { + 'service.beta.kubernetes.io/azure-load-balancer-internal': 'true', + 'service.beta.kubernetes.io/azure-load-balancer-ipv4': cfg.loadBalancerIP, + [if cfg.internalSubnetAzure != null then 'service.beta.kubernetes.io/azure-load-balancer-internal-subnet' else null]: cfg.internalSubnetAzure, + }, + }, }, 'deployment-ingress-nginx-controller'+: { @@ -30,7 +48,11 @@ local k = (import '../../prelude.libsonnet'); spec+: { containers: [ super.containers[0] { - args: super.args + ['--watch-ingress-without-class'], + args: join([ + super.args, + '--watch-ingress-without-class', + if cfg.defaultTlsCertificate != null then ['--default-ssl-certificate=' + cfg.defaultTlsCertificate], + ]), }, ] + super.containers[1:], },
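Review bot: The `if cfg.type == 'external' … else if cfg.type == 'internal-azure'` chain on `'service-ingress-nginx-controller'+:` has no final `else`, so any other `type` value (a typo such as `'internal'`) evaluates to `null` and will most likely surface as an opaque type error from the `+:` merge instead of a message that names the setting. Closing the chain with `else error "nginxingress.type must be 'external' or 'internal-azure'"` matches the `error` already used for `loadBalancerIP` and makes the exposure choice fail with an explicit reason. The `// begin_config` block should also carry a comment listing the accepted `type` values and stating that `internalSubnetAzure` is only read when `type` is `'internal-azure'`. `local this = self` is added but not referenced in either visible hunk; drop it unless code outside the hunks uses it.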
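Review bot: `cfg.defaultTlsCertificate` is concatenated straight into `--default-ssl-certificate=` in the new `args` list with no check of its shape, so a bare secret name or a non-string value is only noticed once the controller is running. ingress-nginx expects `namespace/secretName` for this flag; an object-level `assert cfg.defaultTlsCertificate == null || std.length(std.split(cfg.defaultTlsCertificate, '/')) == 2 : 'defaultTlsCertificate must be namespace/secretName',` in `newNginxIngress` would reject a malformed value at render time. A comment next to the option should record that this certificate is what the controller presents for requests that match no Ingress TLS entry, so the referenced secret should be chosen with that scope in mind. The `if` without `else` depends on `join` dropping the resulting `null`, which deserves a one-line comment such as `// null entries are filtered by join()`. The enclosing `'deployment-ingress-nginx-controller'+:` block starts and ends outside this hunk.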