Merge pull request #94 from Spredzy/tls_customization

TLS: Enable customization of TLS behavior on route when using edge mechanism
2026-03-26 21:33:14 +00:00 · 2021-02-10 15:19:56 +01:00
parent 121c034e6c c895ca0f6d
commit b5536ffd80
7 changed files with 85 additions and 1 deletions
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -9,6 +9,7 @@ rules:
      - route.openshift.io
    resources:
      - routes
+      - routes/custom-host
    verbs:
      - '*'
  - apiGroups:
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -108,6 +108,25 @@ spec:
              - urn:alm:descriptor:com.tectonic.ui:select:none
              - urn:alm:descriptor:com.tectonic.ui:select:Ingress
              - urn:alm:descriptor:com.tectonic.ui:select:Route
+          - displayName: Route DNS host
+            path: tower_route_host
+            x-descriptors:
+              - urn:alm:descriptor:com.tectonic.ui:advanced
+              - urn:alm:descriptor:com.tectonic.ui:label
+              - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
+          - displayName: Route TLS termination mechanism
+            path: tower_route_tls_termination_mechanism
+            x-descriptors:
+              - urn:alm:descriptor:com.tectonic.ui:advanced
+              - urn:alm:descriptor:com.tectonic.ui:select:Edge
+              - urn:alm:descriptor:com.tectonic.ui:select:Passthrough
+              - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
+          - displayName: Route TLS credential secret
+            path: tower_route_tls_secret
+            x-descriptors:
+              - urn:alm:descriptor:com.tectonic.ui:advanced
+              - urn:alm:descriptor:io.kubernetes:Secret
+              - urn:alm:descriptor:com.tectonic.ui:fieldDependency:tower_ingress_type:Route
          - displayName: Image Pull Policy
            path: tower_image_pull_policy
            x-descriptors:
@@ -162,6 +181,7 @@ spec:
                - route.openshift.io
              resources:
                - routes
+                - routes/custom-host
              verbs:
                - '*'
            - apiGroups:
--- a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
@@ -42,6 +42,18 @@ spec:
                - none
                - Ingress
                - Route
+            tower_route_host:
+              description: The DNS to use to points to the instance
+              type: string
+            tower_route_tls_termination_mechanism:
+              description: The secure TLS termination mechanism to use
+              type: string
+              enum:
+                - Edge
+                - Passthrough
+            tower_route_tls_secret:
+              description: Secret where the TLS related credentials are stored
+              type: string
            tower_image_pull_policy:
              description: The image pull policy
              type: string
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -15,6 +15,21 @@ tower_ingress_annotations: ''
 # certificate and key.
 tower_ingress_tls_secret: ''

+# The TLS termination mechanism to use to access
+# the services. Supported mechanism are: edge, passthrough
+#
+tower_route_tls_termination_mechanism: edge
+
+# Secret to lookup that provide the TLS specific
+# credentials to deploy
+#
+tower_route_tls_secret: ''
+
+# Host to create the root with.
+# If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
+#
+tower_route_host: ''
+
 tower_hostname: '{{ deployment_type }}.example.com'

 tower_admin_user: admin
--- a/roles/installer/tasks/load_route_tls_secret.yml
+++ b/roles/installer/tasks/load_route_tls_secret.yml
@@ -0,0 +1,17 @@
+---
+- name: Retrieve Route TLS Secret
+  community.kubernetes.k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_route_tls_secret }}'
+  register: route_tls
+
+- name: Load Route TLS Secret content
+  set_fact:
+    tower_route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
+    tower_route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
+
+- name: Load Route TLS Secret content
+  set_fact:
+    tower_route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
+  when: '"ca.crt" in route_tls["resources"][0]["data"]'
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -8,6 +8,12 @@
 - name: Include database configuration tasks
  include_tasks: database_configuration.yml

+- name: Load Route TLS certificate
+  include_tasks: load_route_tls_secret.yml
+  when:
+    - tower_ingress_type | lower == 'route'
+    - tower_route_tls_secret != ''
+
 - name: Ensure configured instance resources exist in the cluster.
  k8s:
    apply: yes
--- a/roles/installer/templates/tower.yaml.j2
+++ b/roles/installer/templates/tower.yaml.j2
@@ -267,11 +267,24 @@ metadata:
  name: '{{ meta.name }}'
  namespace: '{{ meta.namespace }}'
 spec:
+{% if tower_route_host != '' %}
+  host: {{ tower_route_host }}
+{% endif %}
  port:
    targetPort: http
  tls:
    insecureEdgeTerminationPolicy: Redirect
-    termination: edge
+    termination: {{ tower_route_tls_termination_mechanism | lower }}
+{% if tower_route_tls_termination_mechanism | lower == 'edge' and tower_route_tls_secret != '' %}
+    key: |-
+{{ tower_route_tls_key | indent(width=6, indentfirst=True) }}
+    certificate: |-
+{{ tower_route_tls_crt | indent(width=6, indentfirst=True) }}
+{% if tower_route_ca_crt is defined %}
+    caCertificate: |-
+{{ tower_route_ca_crt | indent(width=6, indentfirst=True) }}
+{% endif %}
+{% endif %}
  to:
    kind: Service
    name: {{ meta.name }}-service