Improve Ingress generation from #29

Add TLS to ingress as an optional feature and also be able to provide
own certificates.

.gitignore

@@ -1,2 +1,4 @@
 vendor
 auth
+server.crt
+server.key

Readme.md

@@ -33,6 +33,8 @@ The additional modules are:
 
 There are also options to set the ingress domain suffix and enable persistence for Grafana and Prometheus.
 
+The ingresses can use TLS with the default self-signed certificate from your Ingress controller by setting `TLSingress` to `true` and use a custom certificate by creating the files `server.crt` and `server.key` and enabling the `UseProvidedCerts` parameter at `vars.jsonnet`.
+
 After changing these parameters, rebuild the manifests with `make`.
 
 ## Quickstart

base_operator_stack.jsonnet

@@ -123,13 +123,34 @@ local utils = import 'utils.libsonnet';
   // Create ingress objects per application
   ingress+:: {
     alertmanager:
-      utils.newIngress('alertmanager-main', $._config.namespace, $._config.urls.alert_ingress, '/', 'alertmanager-main', 'web'),
+      local I = utils.newIngress('alertmanager-main', $._config.namespace, $._config.urls.alert_ingress, '/', 'alertmanager-main', 'web');
+      if vars.TLSingress then
+        if vars.UseProvidedCerts then
+          utils.addIngressTLS(I, 'ingress-TLS-secret')
+        else
+          utils.addIngressTLS(I)
+      else
+        I,
 
     grafana:
-      utils.newIngress('grafana', $._config.namespace, $._config.urls.grafana_ingress, '/', 'grafana', 'http'),
+      local I = utils.newIngress('grafana', $._config.namespace, $._config.urls.grafana_ingress, '/', 'grafana', 'http');
+      if vars.TLSingress then
+        if vars.UseProvidedCerts then
+          utils.addIngressTLS(I, 'ingress-TLS-secret')
+        else
+          utils.addIngressTLS(I)
+      else
+        I,
 
     prometheus:
-      utils.newIngress('prometheus-k8s', $._config.namespace, $._config.urls.prom_ingress, '/', 'prometheus-k8s', 'web'),
+      local I = utils.newIngress('prometheus-k8s', $._config.namespace, $._config.urls.prom_ingress, '/', 'prometheus-k8s', 'web');
+      if vars.TLSingress then
+        if vars.UseProvidedCerts then
+          utils.addIngressTLS(I, 'ingress-TLS-secret')
+        else
+          utils.addIngressTLS(I)
+      else
+        I,
 
     // // Example external ingress with authentication
     // 'grafana-external':
@@ -155,5 +176,8 @@ local utils = import 'utils.libsonnet';
     //     // First generate the auth secret with gen_auth.sh script
     //     secret.new('basic-auth', { auth: std.base64(importstr 'auth') }) +
     //     secret.mixin.metadata.withNamespace($._config.namespace),
-  },
+  } + if vars.UseProvidedCerts then {
+      secret:
+        utils.newTLSSecret('ingress-TLS-secret', $._config.namespace, vars.TLSCertificate, vars.TLSKey)
+    } else {},
 }

manifests/ingress-alertmanager.yaml

@@ -12,3 +12,6 @@ spec:
           serviceName: alertmanager-main
           servicePort: web
         path: /
+  tls:
+  - hosts:
+    - alertmanager.192.168.99.100.nip.io

manifests/ingress-grafana.yaml

@@ -12,3 +12,6 @@ spec:
           serviceName: grafana
           servicePort: http
         path: /
+  tls:
+  - hosts:
+    - grafana.192.168.99.100.nip.io

manifests/ingress-prometheus.yaml

@@ -12,3 +12,6 @@ spec:
           serviceName: prometheus-k8s
           servicePort: web
         path: /
+  tls:
+  - hosts:
+    - prometheus.192.168.99.100.nip.io

utils.libsonnet

@@ -91,7 +91,6 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
 
   // Creates ingress objects
   newIngress(name, namespace, host, path, serviceName, servicePort):: (
-    local secret = k.core.v1.secret;
     local ingress = k.extensions.v1beta1.ingress;
     local ingressTls = ingress.mixin.spec.tlsType;
     local ingressRule = ingress.mixin.spec.rulesType;
@@ -100,10 +99,6 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
     ingress.new()
     + ingress.mixin.metadata.withName(name)
     + ingress.mixin.metadata.withNamespace(namespace)
-    + ingress.mixin.spec.withTls(
-      ingressTls.new()
-      + ingressTls.withHosts(host)
-    )
     + ingress.mixin.spec.withRules(
       ingressRule.new()
       + ingressRule.withHost(host)
@@ -116,6 +111,34 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
     )
   ),
 
+  // Add TLS to Ingress resource with secret containing the certificates if exists
+  addIngressTLS(I, S=''):: (
+    local ingress = k.extensions.v1beta1.ingress;
+    local ingressTls = ingress.mixin.spec.tlsType;
+    local host = I.spec.rules[0].host;
+    local namespace = I.metadata.namespace;
+
+    I + ingress.mixin.spec.withTls(
+      ingressTls.new() +
+        ingressTls.withHosts(host) +
+        (if S != '' then {'secretName': S} else {})
+    )
+  ),
+
+  // Creates a new TLS Secred with Certificate and Key
+  newTLSSecret(name, namespace, crt, key):: (
+    local secret = k.core.v1.secret;
+
+    secret.new('ingress-secret') +
+      secret.mixin.metadata.withNamespace(namespace) +
+      secret.withType('kubernetes.io/tls') +
+      secret.withData(
+        {
+        'tls.crt': std.base64(crt),
+        'tls.key': std.base64(key),
+        })
+  ),
+
   // Creates new basic deployments
   newDeployment(name, namespace, image, cmd, port):: (
     local deployment = k.apps.v1.deployment;

vars.jsonnet

@@ -38,6 +38,13 @@
 
   // Domain suffix for the ingresses
   suffixDomain: '192.168.99.100.nip.io',
+  // If TLSingress is true, a self-signed HTTPS ingress with redirect will be created
+  TLSingress: true,
+  # If UseProvidedCerts is true, provided files will be used on created HTTPS ingresses.
+  # Use a wildcard certificate for the domain like ex. "*.192.168.99.100.nip.io"
+  UseProvidedCerts: false,
+  TLSCertificate: importstr 'server.crt',
+  TLSKey: importstr 'server.key',
 
   // Setting these to false, defaults to emptyDirs
   enablePersistence: {