updating values.yaml to support old method by default, updating...

updating values.yaml to support old method by default, updating secret-tls.yaml and values.yaml to support backwards-compatibility

updating values.yaml to support old method by default, updating...
a662f498 · Tim Seagren · 8c8bbba7 · a662f498 · a662f498 · a662f498
Commit a662f498 authored 3 years ago by Tim Seagren
--- a/chart/templates/istio/controlplane/secret-tls.yaml
+++ b/chart/templates/istio/controlplane/secret-tls.yaml
@@ -6,6 +6,7 @@ For backwards compatibility, get key/cert from .Values.istio.ingress
 {{- $default := .Values.istio.ingress | default dict -}}

 {{- range $name, $values := .Values.istio.gateways }}
+{{- if $values.servers }}
 {{- range $index, $servervalues := $values.servers }}
 {{- if or (and (dig "tls" "cert" "" $servervalues) (dig "tls" "key" "" $servervalues)) (and $default.cert $default.key) }}
 apiVersion: v1
@@ -24,6 +25,25 @@ data:
 ---
 {{- end }}
 {{- end }}
+{{/*
+For backwards compatibility, get certificate and key from .Values.istio.gateways.<gateway>.tls
+*/}}
+{{- else if or (and (dig "tls" "cert" "" $values) (dig "tls" "key" "" $values)) (and $default.cert $default.key) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-cert" $name }}
+  namespace: istio-system
+  labels:
+    app.kubernetes.io/name: istio-controlplane
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" $ | nindent 4}}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ default $default.cert $values.tls.cert | b64enc }}
+  tls.key: {{ default $default.key $values.tls.key | b64enc }}
+---
+{{- end }}
 {{- end }}

 {{- end }}
--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -69,28 +69,42 @@ gateways:
    autoHttpRedirect:
      enabled: {{ dig "autoHttpRedirect" "enabled" "true" $values }}
    servers:
+    {{- if $values.servers }}
      {{- range $index, $servervalues := $values.servers}}
    - hosts:
      {{- tpl ( $servervalues.hosts | default (list) | toYaml) $ | nindent 8 }}
      port:
+      {{- if $servervalues.port }}
      {{- tpl ( $servervalues.port | default (dict) | toYaml) $ | nindent 8 }}
+      {{- else }}
+        name: https
+        number: 8443
+        protocol: HTTPS
+      {{- end }}
      tls:
        credentialName: {{ $index }}-{{ $name }}-cert
        mode: {{ dig "tls" "mode" "SIMPLE" $servervalues }}
      {{- end }}
-      {{ else }}
-      {{- range $index, $servervalues := $values.servers}}
+    {{- else if ($values.ports) }}
+    {{- range $values.ports }}
    - hosts:
-      {{- tpl ( $servervalues.hosts | default (list) | toYaml) $ | nindent 8 }}
+      {{- tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }}
+      port:
+      {{- tpl ( . | default (list) | toYaml) $ | nindent 8 }}
+      tls:
+        credentialName: {{ $name }}-cert
+        mode: {{ dig "tls" "mode" "SIMPLE" $values }}
+    {{- end }}
+    {{- else }}
+    - hosts:
+      {{- tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }}
      port:
        name: https
        number: 8443
        protocol: HTTPS
-      tls:
-        credentialName: {{ $index }}-{{ $name }}-cert
-        mode: {{ dig "tls" "mode" "SIMPLE" $values }}
-      {{- end }}
-      {{- end }}
+    {{- end }}
+    {{- end }}
+
 {{- end }}

 {{- define "istio.ingressgateway.k8s" -}}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -155,19 +155,59 @@ istio:
  gateways:
    public:
      ingressGateway: "public-ingressgateway"
-      servers:
-      - hosts:
-          - "*.{{ .Values.domain }}"
-        # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
-        autoHttpRedirect:
-          enabled: true
-        port:
-          name: https
-          number: 8443
+      # DEPCRECATION NOTICE: This method of specifying gateway server configuration (hosts, tls secrets, autoHttpRedirect, etc.) is deprecated in favor of the example below
+      hosts:
+        - "*.{{ .Values.domain }}"
+      # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
+      ports:
+        - name: tls-1
+          number: 1234
+          protocol:  TCP
+        - name: https
+          number: 4567
          protocol: HTTPS
-        tls:
-          key: ""
-          cert: ""
+      autoHttpRedirect:
+        enabled: true
+      tls:
+        key: ""
+        cert: ""
+    # private:
+    #   ingressGateway: "private-ingressgateway"
+    #   hosts:
+    #   - "example.bigbang.dev"
+    #   ports:
+    #     - name: tls-2
+    #       number: 1234
+    #       protocol: TCP
+    #     - name: tls
+    #       number: 5678
+    #       protocol: TCP
+    #   # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
+    #   autoHttpRedirect:
+    #     enabled: false
+    #   tls:
+    #     key: ""
+    #     cert: ""
+    # passthrough:
+    #   ingressGateway: "passthrough-ingressgateway"
+    #   hosts:
+
+    ####
+    # New server configuration method
+    ####
+    #   servers:
+    #   - hosts:
+    #       - "*.{{ .Values.domain }}"
+    #     # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
+    #     autoHttpRedirect:
+    #       enabled: true
+    #     port:
+    #       name: https
+    #       number: 8443
+    #       protocol: HTTPS
+    #     tls:
+    #       key: ""
+    #       cert: ""
    # private:
    #   ingressGateway: "private-ingressgateway"
    #   servers: