Merge pull request #95 from Spredzy/tls_custom_passthrough

TLS: Enable passthrough termination mechanism
2026-03-26 21:33:14 +00:00 · 2021-02-10 15:34:51 +01:00
parent b5536ffd80 1fe7c4dd20
commit 025dfa54df
2 changed files with 44 additions and 2 deletions
--- a/roles/installer/templates/tower.yaml.j2
+++ b/roles/installer/templates/tower.yaml.j2
@@ -50,10 +50,18 @@ spec:
          imagePullPolicy: '{{ tower_image_pull_policy }}'
          ports:
            - containerPort: 8052
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+            - containerPort: 8053
+{% endif %}
          volumeMounts:
            - name: "{{ meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/"
              readOnly: true
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+            - name: "{{ meta.name }}-nginx-certs"
+              mountPath: "/etc/nginx/pki"
+              readOnly: true
+{% endif %}
            - name: "{{ secret_key_secret_name }}"
              mountPath: /etc/tower/SECRET_KEY
              subPath: SECRET_KEY
@@ -160,6 +168,16 @@ spec:
              memory: '{{ tower_task_mem_request }}'
              cpu: '{{ tower_task_cpu_request }}'
      volumes:
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+        - name: "{{ meta.name }}-nginx-certs"
+          secret:
+            secretName: "{{ tower_route_tls_secret }}"
+            items:
+              - key: tls.key
+                path: 'web.key'
+              - key: tls.crt
+                path: 'web.crt'
+{% endif %}
        - name: "{{ meta.name }}-application-credentials"
          secret:
            secretName: "{{ meta.name }}-secrets"
@@ -224,6 +242,12 @@ spec:
      protocol: TCP
      targetPort: 8052
      name: http
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+    - port: 443
+      protocol: TCP
+      targetPort: 8053
+      name: https
+{% endif %}
  selector:
    app: '{{ deployment_type }}'
 {% if tower_ingress_type != "none" %}
@@ -271,7 +295,7 @@ spec:
  host: {{ tower_route_host }}
 {% endif %}
  port:
-    targetPort: http
+    targetPort: '{{ (tower_route_tls_termination_mechanism | lower == "passthrough") | ternary("https", "http") }}'
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: {{ tower_route_tls_termination_mechanism | lower }}
--- a/roles/installer/templates/tower_config.yaml.j2
+++ b/roles/installer/templates/tower_config.yaml.j2
@@ -119,9 +119,27 @@ data:
            server 127.0.0.1:8051;
        }
    
+
+        {% if tower_route_tls_termination_mechanism | lower == 'passthrough' %}
        server {
            listen 8052 default_server;
-    
+            server_name _;
+
+            # Redirect all HTTP links to the matching HTTPS page
+            return 301 https://$host$request_uri;
+        }
+        {% endif %}
+
+        server {
+        {% if tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+            listen 8053 ssl;
+
+            ssl_certificate /etc/nginx/pki/web.crt;
+            ssl_certificate_key /etc/nginx/pki/web.key;
+        {% else %}
+            listen 8052 default_server;
+        {% endif %}
+
            # If you have a domain name, this is where to add it
            server_name _;
            keepalive_timeout 65;