TLS: Enable customization of TLS behavior on route

2026-05-07 05:42:55 +00:00 · 2021-02-10 10:37:04 +01:00
parent 121c034e6c
commit c895ca0f6d
7 changed files with 85 additions and 1 deletions
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -15,6 +15,21 @@ tower_ingress_annotations: ''
 # certificate and key.
 tower_ingress_tls_secret: ''

+# The TLS termination mechanism to use to access
+# the services. Supported mechanism are: edge, passthrough
+#
+tower_route_tls_termination_mechanism: edge
+
+# Secret to lookup that provide the TLS specific
+# credentials to deploy
+#
+tower_route_tls_secret: ''
+
+# Host to create the root with.
+# If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
+#
+tower_route_host: ''
+
 tower_hostname: '{{ deployment_type }}.example.com'

 tower_admin_user: admin
--- a/roles/installer/tasks/load_route_tls_secret.yml
+++ b/roles/installer/tasks/load_route_tls_secret.yml
@@ -0,0 +1,17 @@
+---
+- name: Retrieve Route TLS Secret
+  community.kubernetes.k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_route_tls_secret }}'
+  register: route_tls
+
+- name: Load Route TLS Secret content
+  set_fact:
+    tower_route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}'
+    tower_route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}'
+
+- name: Load Route TLS Secret content
+  set_fact:
+    tower_route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}'
+  when: '"ca.crt" in route_tls["resources"][0]["data"]'
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -8,6 +8,12 @@
 - name: Include database configuration tasks
  include_tasks: database_configuration.yml

+- name: Load Route TLS certificate
+  include_tasks: load_route_tls_secret.yml
+  when:
+    - tower_ingress_type | lower == 'route'
+    - tower_route_tls_secret != ''
+
 - name: Ensure configured instance resources exist in the cluster.
  k8s:
    apply: yes
--- a/roles/installer/templates/tower.yaml.j2
+++ b/roles/installer/templates/tower.yaml.j2
@@ -267,11 +267,24 @@ metadata:
  name: '{{ meta.name }}'
  namespace: '{{ meta.namespace }}'
 spec:
+{% if tower_route_host != '' %}
+  host: {{ tower_route_host }}
+{% endif %}
  port:
    targetPort: http
  tls:
    insecureEdgeTerminationPolicy: Redirect
-    termination: edge
+    termination: {{ tower_route_tls_termination_mechanism | lower }}
+{% if tower_route_tls_termination_mechanism | lower == 'edge' and tower_route_tls_secret != '' %}
+    key: |-
+{{ tower_route_tls_key | indent(width=6, indentfirst=True) }}
+    certificate: |-
+{{ tower_route_tls_crt | indent(width=6, indentfirst=True) }}
+{% if tower_route_ca_crt is defined %}
+    caCertificate: |-
+{{ tower_route_ca_crt | indent(width=6, indentfirst=True) }}
+{% endif %}
+{% endif %}
  to:
    kind: Service
    name: {{ meta.name }}-service