From bed566c8c5a6fbac936d1eccc140422614d93ad1 Mon Sep 17 00:00:00 2001
From: Carlos de Paula
Date: Mon, 2 Mar 2020 16:46:38 -0300
Subject: [PATCH] Improve Ingress generation from #29

Add TLS to ingress as an optional feature and also be able to provide own certificates.
---
 .gitignore | 2 ++
 Readme.md | 2 ++
 base_operator_stack.jsonnet | 32 ++++++++++++++++++++++++----
 manifests/ingress-alertmanager.yaml | 3 +++
 manifests/ingress-grafana.yaml | 3 +++
 manifests/ingress-prometheus.yaml | 3 +++
 utils.libsonnet | 33 ++++++++++++++++++++++++-----
 vars.jsonnet | 7 ++++++
 8 files changed, 76 insertions(+), 9 deletions(-)

diff --git a/.gitignore b/.gitignore
index 47a49ee..8b2091a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 vendor
 auth
+server.crt
+server.key
diff --git a/Readme.md b/Readme.md
index 033ac70..36452c4 100644
--- a/Readme.md
+++ b/Readme.md
@@ -33,6 +33,8 @@ The additional modules are:
 There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.
+The ingresses can use TLS with the default self-signed certificate from your Ingress controller by setting `TLSingress` to `true` and use a custom certificate by creating the files `server.crt` and `server.key` and enabling the `UseProvidedCerts` parameter at `vars.jsonnet`.
+
 After changing these parameters, rebuild the manifests with `make`.
 ## Quickstart
diff --git a/base_operator_stack.jsonnet b/base_operator_stack.jsonnet
index 2e6dad9..af6440d 100644
--- a/base_operator_stack.jsonnet
+++ b/base_operator_stack.jsonnet
@@ -123,13 +123,34 @@ local utils = import 'utils.libsonnet';
 // Create ingress objects per application
 ingress+:: {
 alertmanager:
- utils.newIngress('alertmanager-main', $._config.namespace, $._config.urls.alert_ingress, '/', 'alertmanager-main', 'web'),
+ local I = utils.newIngress('alertmanager-main', $._config.namespace, $._config.urls.alert_ingress, '/', 'alertmanager-main', 'web');
+ if vars.TLSingress then
+ if vars.UseProvidedCerts then
+ utils.addIngressTLS(I, 'ingress-TLS-secret')
+ else
+ utils.addIngressTLS(I)
+ else
+ I,
 grafana:
- utils.newIngress('grafana', $._config.namespace, $._config.urls.grafana_ingress, '/', 'grafana', 'http'),
+ local I = utils.newIngress('grafana', $._config.namespace, $._config.urls.grafana_ingress, '/', 'grafana', 'http');
+ if vars.TLSingress then
+ if vars.UseProvidedCerts then
+ utils.addIngressTLS(I, 'ingress-TLS-secret')
+ else
+ utils.addIngressTLS(I)
+ else
+ I,
 prometheus:
- utils.newIngress('prometheus-k8s', $._config.namespace, $._config.urls.prom_ingress, '/', 'prometheus-k8s', 'web'),
+ local I = utils.newIngress('prometheus-k8s', $._config.namespace, $._config.urls.prom_ingress, '/', 'prometheus-k8s', 'web');
+ if vars.TLSingress then
+ if vars.UseProvidedCerts then
+ utils.addIngressTLS(I, 'ingress-TLS-secret')
+ else
+ utils.addIngressTLS(I)
+ else
+ I,
 // // Example external ingress with authentication
 // 'grafana-external':
@@ -155,5 +176,8 @@ local utils = import 'utils.libsonnet';
 // // First generate the auth secret with gen_auth.sh script
 // secret.new('basic-auth', { auth: std.base64(importstr 'auth') }) +
 // secret.mixin.metadata.withNamespace($._config.namespace),
- },
+ } + if vars.UseProvidedCerts then {
+ secret:
+ utils.newTLSSecret('ingress-TLS-secret', $._config.namespace, vars.TLSCertificate, vars.TLSKey)
+ } else {},
 }
diff --git a/manifests/ingress-alertmanager.yaml b/manifests/ingress-alertmanager.yaml
index 3b0723a..d71e4b3 100644
--- a/manifests/ingress-alertmanager.yaml
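Review bot: The TLS decision is pasted verbatim under alertmanager, grafana and prometheus, and the secret name `'ingress-TLS-secret'` is repeated in each copy, so any later change to the condition or the name has to be made in three places and can drift out of step with the `secret` entry. Factoring the decision into one object-local helper keeps each entry a single expression and leaves a single place where the secret name is spelled. This assumes `vars` is imported at the top of base_operator_stack.jsonnet, which is outside the hunk; the `ingress+::` object also continues past the hunk.
```jsonnet
 ingress+:: {
   // Object-local helper: apply TLS per vars. The secret name must match the
   // one given to utils.newTLSSecret for the `secret` entry of this object.
   local withTLS(I) =
     if !vars.TLSingress then I
     else if vars.UseProvidedCerts then utils.addIngressTLS(I, 'ingress-TLS-secret')
     else utils.addIngressTLS(I),
   alertmanager: withTLS(utils.newIngress('alertmanager-main', $._config.namespace, $._config.urls.alert_ingress, '/', 'alertmanager-main', 'web')),
   grafana: withTLS(utils.newIngress('grafana', $._config.namespace, $._config.urls.grafana_ingress, '/', 'grafana', 'http')),
   prometheus: withTLS(utils.newIngress('prometheus-k8s', $._config.namespace, $._config.urls.prom_ingress, '/', 'prometheus-k8s', 'web')),
   // … unchanged: commented-out grafana-external example …
```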
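Review bot: The provided-certificate path cannot work as written: the second hunk passes `'ingress-TLS-secret'` as the secret name, but `newTLSSecret` in the utils.libsonnet hunk ignores its `name` parameter and calls `secret.new('ingress-secret')`, so the ingresses' `secretName` points at a Secret that is never created and most controllers silently fall back to their default certificate. The fix belongs in utils.libsonnet: `secret.new(name)` in place of `secret.new('ingress-secret')`. Separately, `vars.TLSKey` ends up base64-encoded (not encrypted) in the rendered Secret, and since the generated manifests directory is tracked (the manifests/ingress-*.yaml files are in this diff), the private key would be committed with the rendered manifest even though .gitignore now excludes server.key; the README should say so, or the rendered Secret manifest should be ignored as well.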
+++ b/manifests/ingress-alertmanager.yaml
@@ -12,3 +12,6 @@ spec:
 serviceName: alertmanager-main
 servicePort: web
 path: /
+ tls:
+ - hosts:
+ - alertmanager.192.168.99.100.nip.io
diff --git a/manifests/ingress-grafana.yaml b/manifests/ingress-grafana.yaml
index 7b058b0..614ab82 100644
--- a/manifests/ingress-grafana.yaml
+++ b/manifests/ingress-grafana.yaml
@@ -12,3 +12,6 @@ spec:
 serviceName: grafana
 servicePort: http
 path: /
+ tls:
+ - hosts:
+ - grafana.192.168.99.100.nip.io
diff --git a/manifests/ingress-prometheus.yaml b/manifests/ingress-prometheus.yaml
index fc6b211..a79f768 100644
--- a/manifests/ingress-prometheus.yaml
+++ b/manifests/ingress-prometheus.yaml
@@ -12,3 +12,6 @@ spec:
 serviceName: prometheus-k8s
 servicePort: web
 path: /
+ tls:
+ - hosts:
+ - prometheus.192.168.99.100.nip.io
diff --git a/utils.libsonnet b/utils.libsonnet
index db24411..a3d0a6d 100644
--- a/utils.libsonnet
+++ b/utils.libsonnet
@@ -91,7 +91,6 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
 // Creates ingress objects
 newIngress(name, namespace, host, path, serviceName, servicePort):: (
- local secret = k.core.v1.secret;
 local ingress = k.extensions.v1beta1.ingress;
 local ingressTls = ingress.mixin.spec.tlsType;
 local ingressRule = ingress.mixin.spec.rulesType;
@@ -100,10 +99,6 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
 ingress.new()
 + ingress.mixin.metadata.withName(name)
 + ingress.mixin.metadata.withNamespace(namespace)
- + ingress.mixin.spec.withTls(
- ingressTls.new()
- + ingressTls.withHosts(host)
- )
 + ingress.mixin.spec.withRules(
 ingressRule.new()
 + ingressRule.withHost(host)
@@ -116,6 +111,34 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
 )
 ),
+ // Add TLS to Ingress resource with secret containing the certificates if exists
+ addIngressTLS(I, S=''):: (
+ local ingress = k.extensions.v1beta1.ingress;
+ local ingressTls = ingress.mixin.spec.tlsType;
+ local host = I.spec.rules[0].host;
+ local namespace = I.metadata.namespace;
+
+ I + ingress.mixin.spec.withTls(
+ ingressTls.new()
+ + ingressTls.withHosts(host)
+ + (if S != '' then {'secretName': S} else {})
+ )
+ ),
+
+ // Creates a new TLS Secred with Certificate and Key
+ newTLSSecret(name, namespace, crt, key):: (
+ local secret = k.core.v1.secret;
+
+ secret.new('ingress-secret')
+ + secret.mixin.metadata.withNamespace(namespace)
+ + secret.withType('kubernetes.io/tls')
+ + secret.withData(
+ {
+ 'tls.crt': std.base64(crt),
+ 'tls.key': std.base64(key),
+ })
+ ),
+
 // Creates new basic deployments
 newDeployment(name, namespace, image, cmd, port):: (
 local deployment = k.apps.v1.deployment;
diff --git a/vars.jsonnet b/vars.jsonnet
index c294aea..1a3334b 100644
--- a/vars.jsonnet
+++ b/vars.jsonnet
@@ -38,6 +38,13 @@
 // Domain suffix for the ingresses
 suffixDomain: '192.168.99.100.nip.io',
+ // If TLSingress is true, a self-signed HTTPS ingress with redirect will be created
+ TLSingress: true,
+ # If UseProvidedCerts is true, provided files will be used on created HTTPS ingresses.
+ # Use a wildcard certificate for the domain like ex. "*.192.168.99.100.nip.io"
+ UseProvidedCerts: false,
+ TLSCertificate: importstr 'server.crt',
+ TLSKey: importstr 'server.key',
 // Setting these to false, defaults to emptyDirs
 enablePersistence: {
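Review bot: `local namespace = I.metadata.namespace;` in `addIngressTLS` is never used and should be dropped; jsonnet will not warn about it. `addIngressTLS` also reads only `I.spec.rules[0].host`, so an ingress with several rules would get a `tls` entry for its first host alone, which the header comment should state, e.g. `// Add TLS to an Ingress for the host of its first rule; S names an existing kubernetes.io/tls Secret (empty = the controller's default certificate)`. If the ksonnet `tlsType` mixin exposes a `withSecretName`, it would be preferable to the raw `{'secretName': S}` object for consistency with the mixin calls around it. Minor: `Secred` → `Secret` in the `newTLSSecret` comment.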
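Review bot: The two new `#` comment lines (`# If UseProvidedCerts is true …`) break from the `//` style every other comment in vars.jsonnet uses; switch them to `//`. The `TLSingress` comment promises a "redirect", but nothing in this patch configures an HTTP→HTTPS redirect, only a `tls` section, so whether plain HTTP is redirected depends on the ingress controller's defaults; suggest `// If TLSingress is true, the ingresses get a tls section (controller default certificate unless UseProvidedCerts); HTTP→HTTPS redirect depends on the controller`. `importstr 'server.crt'` / `importstr 'server.key'` are declared unconditionally; object fields are evaluated lazily, so they should only be read when `UseProvidedCerts` is true, but if the build ever manifests vars.jsonnet as a whole, a missing file will fail the build even with the flag off — worth confirming and stating next to the fields.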