@AndrewEckart

This PR modifies the chart to allow cluster admins to deploy ServiceX with TLS-enabled Ingress by manually installing TLS Secrets containing certificates onto their cluster. This is an alternative to using cert-manager, and makes it optional where it was previously required.

Changes to the chart are as follows:

  • TLS-related values are organized under app.ingress.tls
  • To enable TLS, you must set app.ingress.tls.enabled to true.
  • If using cert-manager, the only other thing you have to do is set app.ingress.tls.clusterIssuer (this is now empty by default).
  • If installing the secrets manually, you must install the certs.
    By default, the Ingress will look for a Secret named <helm release name>-app-tls, but you can change this by setting app.ingress.tls.secretName.
  • Repeat for Minio.

A full config without cert-manager would look something like:

app:
  ingress:
    enabled: true
    host: servicex.ssl-hep.org
    tls:
      enabled: true
      secretName: my-release-app-tls  # optional
minio:
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx
    hosts:
    - my-release-minio.servicex.ssl-hep.org
    tls:
    - hosts:
      - my-release-minio.servicex.ssl-hep.org
      secretName: my-release-minio-tls

A full config with cert-manager would look like:

app:
  ingress:
    tls:
      enabled: true
      clusterIssuer: letsencrypt-prod
minio:
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: letsencrypt-prod
      acme.cert-manager.io/http01-edit-in-place: "true"
    hosts:
    - my-release-minio.servicex.ssl-hep.org
    tls:
    - hosts:
      - my-release-minio.servicex.ssl-hep.org
      secretName: my-release-minio-tls

Partially addresses #222.
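
An added example, not part of this PR or the ServiceX chart: one way to build the manually installed Secret described above, defaulting to the `<helm release name>-app-tls` name the Ingress looks for (pass a fourth argument such as `my-release-minio-tls` for Minio). The function name `tls_secret_manifest` and the PEM-marker checks are assumptions of this sketch; it does not verify that the key matches the certificate.

```shell
# Added example, not part of the ServiceX chart or this PR.
# Prints a kubernetes.io/tls Secret manifest for a manually supplied certificate.
# Usage: tls_secret_manifest RELEASE CERT_PEM KEY_PEM [SECRET_NAME]
# The body runs in a subshell, so "exit" only leaves the function.
tls_secret_manifest() (
  release=$1; cert=$2; key=$3
  # Default is the name the PR says the Ingress looks for.
  name="${4:-${release}-app-tls}"

  [ -n "$release" ] && [ -r "$cert" ] && [ -r "$key" ] || {
    echo "usage: tls_secret_manifest RELEASE CERT_PEM KEY_PEM [SECRET_NAME]" >&2
    exit 2
  }
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || {
    echo "error: $cert has no PEM certificate" >&2; exit 1; }
  # Key material must stay out of tls.crt (e.g. a combined cert+key bundle).
  if grep -q -e 'PRIVATE KEY-----' "$cert"; then
    echo "error: $cert contains a private key" >&2; exit 1
  fi
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || {
    echo "error: $key has no PEM private key" >&2; exit 1; }
  # The Secret has no field for a passphrase, so the key must be unencrypted.
  if grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type:.*ENCRYPTED' "$key"; then
    echo "error: $key is passphrase-protected" >&2; exit 1
  fi

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$cert" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
)

# When run as a script with arguments, print the manifest to stdout.
if [ "$#" -ge 3 ]; then
  tls_secret_manifest "$@"
fi
```

The output can be piped to `kubectl apply -f -` in the namespace of the release.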


@BenGalewsky BenGalewsky left a comment

Great - like the complete documentation with this and the removal of ATLAS bias!

@BenGalewsky BenGalewsky merged commit 0188142 into develop Nov 16, 2020
@BenGalewsky BenGalewsky deleted the manual-tls-cert branch November 16, 2020 18:31
prajwalkkumar pushed a commit to prajwalkkumar/ServiceX-monorepo that referenced this pull request Sep 22, 2022