From 1fe7c4dd20041113f0086bc917d88e8943a3bb0a Mon Sep 17 00:00:00 2001
From: Yanis Guenane
Date: Wed, 10 Feb 2021 12:54:58 +0100
Subject: [PATCH] TLS: Enable passthrough termination mechanism

Depends-On: https://github.com/ansible/awx-operator/pull/94
---
 roles/installer/templates/tower.yaml.j2 | 26 ++++++++++++++++++-
 .../installer/templates/tower_config.yaml.j2 | 20 +++++++++++++-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/roles/installer/templates/tower.yaml.j2 b/roles/installer/templates/tower.yaml.j2
index 64056f0e..3000b040 100644
--- a/roles/installer/templates/tower.yaml.j2
+++ b/roles/installer/templates/tower.yaml.j2
@@ -50,10 +50,18 @@ spec:
 imagePullPolicy: '{{ tower_image_pull_policy }}'
 ports:
 - containerPort: 8052
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+ - containerPort: 8053
+{% endif %}
 volumeMounts:
 - name: "{{ meta.name }}-application-credentials"
 mountPath: "/etc/tower/conf.d/"
 readOnly: true
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+ - name: "{{ meta.name }}-nginx-certs"
+ mountPath: "/etc/nginx/pki"
+ readOnly: true
+{% endif %}
 - name: "{{ secret_key_secret_name }}"
 mountPath: /etc/tower/SECRET_KEY
 subPath: SECRET_KEY
@@ -160,6 +168,16 @@ spec:
 memory: '{{ tower_task_mem_request }}'
 cpu: '{{ tower_task_cpu_request }}'
 volumes:
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+ - name: "{{ meta.name }}-nginx-certs"
+ secret:
+ secretName: "{{ tower_route_tls_secret }}"
+ items:
+ - key: tls.key
+ path: 'web.key'
+ - key: tls.crt
+ path: 'web.crt'
+{% endif %}
 - name: "{{ meta.name }}-application-credentials"
 secret:
 secretName: "{{ meta.name }}-secrets"
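Review bot: The guard added around `containerPort: 8053` and the `-nginx-certs` mount requires both `tower_ingress_type == 'route'` and `tower_route_tls_termination_mechanism == 'passthrough'`, while the guard in tower_config.yaml.j2 (the final hunk) tests only the termination mechanism; if the two variables can be set independently, a non-route ingress with passthrough selected renders an nginx `listen 8053 ssl` block pointing at /etc/nginx/pki/web.crt that this hunk never mounts, so nginx fails to start and 8052 serves only the redirect. The same two-clause condition is repeated verbatim in the volumes and Service hunks as well; evaluating it once, e.g. `{% set tls_passthrough = tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}` near the top of each template (or as a role fact shared by both templates), would keep the four sites and the nginx config from drifting. The container spec this hunk edits starts and ends outside the hunk.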
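Review bot: `secretName: "{{ tower_route_tls_secret }}"` is rendered with no check that the variable is defined and non-empty (the commit message defers that to PR 94); if it is missing, the failure is not at template time but a Pod that most likely sits in ContainerCreating with a volume mount error that is hard to trace back to the TLS setting. An `assert` task in the role that fails with a clear message when passthrough is selected and `tower_route_tls_secret` is undefined or empty would surface that early. Separately, the secret volume keeps the default file mode, so web.key is readable by any uid inside the container; `defaultMode` on the secret volume could tighten that, subject to which user nginx runs as and whether an fsGroup is set, neither of which is visible here. The volumes list continues outside the hunk.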
@@ -224,6 +242,12 @@ spec:
 protocol: TCP
 targetPort: 8052
 name: http
+{% if tower_ingress_type | lower == 'route' and tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+ - port: 443
+ protocol: TCP
+ targetPort: 8053
+ name: https
+{% endif %}
 selector:
 app: '{{ deployment_type }}'
 {% if tower_ingress_type != "none" %}
@@ -271,7 +295,7 @@ spec:
 host: {{ tower_route_host }}
 {% endif %}
 port:
- targetPort: http
+ targetPort: '{{ (tower_route_tls_termination_mechanism | lower == "passthrough") | ternary("https", "http") }}'
 tls:
 insecureEdgeTerminationPolicy: Redirect
 termination: {{ tower_route_tls_termination_mechanism | lower }}
diff --git a/roles/installer/templates/tower_config.yaml.j2 b/roles/installer/templates/tower_config.yaml.j2
index dba4413c..82ec38fe 100644
--- a/roles/installer/templates/tower_config.yaml.j2
+++ b/roles/installer/templates/tower_config.yaml.j2
@@ -119,9 +119,27 @@ data:
 server 127.0.0.1:8051;
 }
+
+ {% if tower_route_tls_termination_mechanism | lower == 'passthrough' %}
 server {
 listen 8052 default_server;
-
+ server_name _;
+
+ # Redirect all HTTP links to the matching HTTPS page
+ return 301 https://$host$request_uri;
+ }
+ {% endif %}
+
+ server {
+ {% if tower_route_tls_termination_mechanism | lower == 'passthrough' %}
+ listen 8053 ssl;
+
+ ssl_certificate /etc/nginx/pki/web.crt;
+ ssl_certificate_key /etc/nginx/pki/web.key;
+ {% else %}
+ listen 8052 default_server;
+ {% endif %}
+
 # If you have a domain name, this is where to add it
 server_name _;
 keepalive_timeout 65;
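Review bot: Nothing in the template records why the plain `http` Service port (80 to 8052) stays when the `https` port is added, and a reader auditing the rendered Service may take it for an unintended cleartext exposure. In passthrough mode nginx answers on 8052 only with the 301 added in tower_config.yaml.j2, so clients reaching the Service directly are pushed to the TLS port while the Route's own Redirect policy covers the router path. A comment above the new `{% if %}`, such as `# passthrough: 8052 only serves the HTTP->HTTPS redirect; 8053 terminates TLS in nginx`, would capture that intent. The Service spec continues outside the hunk.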
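Review bot: The new `targetPort` ternary keys only on the termination mechanism, whereas the Service port named `https` that it selects exists only when `tower_ingress_type | lower == 'route'` is also true (previous hunk). That is consistent only if this Route resource is itself rendered under an ingress-type check, which lies outside the hunk and cannot be confirmed here; if it is not, the Route would reference a port name the Service never defines. Using the same combined condition in both places, or one precomputed variable, removes the question, e.g. `targetPort: '{{ (tower_ingress_type | lower == "route" and tower_route_tls_termination_mechanism | lower == "passthrough") | ternary("https", "http") }}'`. The Route spec starts and ends outside the hunk.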