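{{- /*
  For every enabled entry in .Values.applications this template renders:
    - an Istio Gateway      (HTTP/80; plus HTTPS/443 when tls.enabled)
    - an Istio VirtualService routing each .paths entry to serviceName:servicePort
    - a cert-manager Certificate (only when tls.enabled)

  Per-application fields read here:
    name, namespace, serviceName, servicePort, hosts, paths
    tls.{enabled, secretName, hosts}
    certManager.{issuerName, issuerKind, createSecretInNamespace}
    istio.{gatewaySelector, httpRedirect}

  The tls / certManager / istio stanzas are optional: each is defaulted to an
  empty dict so that an application without one of them still renders instead
  of aborting with a nil-pointer error.  Required fields are validated with
  `fail` before any manifest is emitted, so a misconfigured application stops
  the whole release rather than producing a half-rendered set of objects.
*/}}
{{- range .Values.applications }}
{{- if .enabled }}
{{- /* --- Per-application variables --- */}}
{{- $appName := .name }}
{{- $namespace := .namespace }}
{{- $serviceName := .serviceName }}
{{- $servicePort := .servicePort }}
{{- $gatewayName := printf "%s-gateway" $appName }}
{{- /* Optional stanzas: nil-safe access (a missing stanza behaves as "all fields unset") */}}
{{- $tls := .tls | default (dict) }}
{{- $certManager := .certManager | default (dict) }}
{{- $istio := .istio | default (dict) }}
{{- $tlsEnabled := $tls.enabled }}
{{- /* Certificate namespace: explicit override if set, otherwise the app namespace */}}
{{- $certNamespace := $certManager.createSecretInNamespace | default $namespace }}
{{- /* Issuer details are expected per-app (no global fallback is implemented here) */}}
{{- $issuerName := $certManager.issuerName }}
{{- $issuerKind := $certManager.issuerKind }}
{{- /* Gateway workload selector: per-app override, else the stock ingress gateway label */}}
{{- $gatewaySelector := $istio.gatewaySelector | default (dict "istio" "ingressgateway") }}

{{- /* --- Validation --- */}}
{{- if not $appName }}{{- fail "ERROR: every entry in .Values.applications requires a 'name' field." }}{{- end }}
{{- if not $namespace }}{{- fail (printf "ERROR: Application '%s' requires 'namespace' field." $appName) }}{{- end }}
{{- if not $serviceName }}{{- fail (printf "ERROR: Application '%s' requires 'serviceName' field." $appName) }}{{- end }}
{{- if not $servicePort }}{{- fail (printf "ERROR: Application '%s' requires 'servicePort' field." $appName) }}{{- end }}
{{- if not .hosts }}{{- fail (printf "ERROR: Application '%s' requires 'hosts' field." $appName) }}{{- end }}
{{- /* A VirtualService with an empty http: section is rejected by Istio, so require at least one path */}}
{{- if not .paths }}{{- fail (printf "ERROR: Application '%s' requires at least one entry in 'paths'." $appName) }}{{- end }}
{{- if $tlsEnabled }}
{{- if not $tls.secretName }}{{- fail (printf "ERROR: Application '%s' has tls.enabled=true but requires 'tls.secretName'." $appName) }}{{- end }}
{{- if not $tls.hosts }}{{- fail (printf "ERROR: Application '%s' has tls.enabled=true but requires 'tls.hosts'." $appName) }}{{- end }}
{{- /* cert-manager fields are only needed when a Certificate will be rendered */}}
{{- if not $issuerName }}{{- fail (printf "ERROR: Application '%s' requires 'certManager.issuerName' when tls.enabled=true." $appName) }}{{- end }}
{{- if not $issuerKind }}{{- fail (printf "ERROR: Application '%s' requires 'certManager.issuerKind' when tls.enabled=true." $appName) }}{{- end }}
{{- end }}
---
# --- Istio Gateway for {{ $appName }} ---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  # String scalars are quoted so values such as "on", "yes" or "1e3" are not
  # re-typed by the YAML parser.
  name: {{ $gatewayName | quote }}
  namespace: {{ $namespace | quote }} # Gateway lives in the app's namespace
  labels:
    app.kubernetes.io/name: {{ printf "%s-gateway" $appName | quote }}
    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
spec:
  selector:
    {{- $gatewaySelector | toYaml | nindent 4 }}
  servers:
    # HTTP server entry (port 80)
    # NOTE(review): Istio reads a bare host such as "example.com" as "*/example.com",
    # i.e. a VirtualService in ANY namespace may bind to this Gateway for that host.
    # If only this chart's VirtualServices should attach, give the hosts in values a
    # "./" (same namespace) or "<namespace>/" prefix. Kept as-is to avoid breaking
    # deployments that rely on cross-namespace binding.
    - port:
        number: 80
        name: {{ printf "http-%s" $appName | quote }}
        protocol: HTTP
      hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      {{- if and $tlsEnabled $istio.httpRedirect }}
      tls:
        httpsRedirect: true
      {{- end }}
    {{- /* HTTPS server entry (port 443) - only when TLS is enabled */}}
    {{- if $tlsEnabled }}
    - port:
        number: 443
        name: {{ printf "https-%s" $appName | quote }}
        protocol: HTTPS
      hosts:
        {{- range $tls.hosts }}
        - {{ . | quote }}
        {{- end }}
      tls:
        mode: SIMPLE
        # NOTE(review): Istio resolves credentialName against the namespace of the
        # ingress gateway *workload* (commonly istio-system), not the app namespace.
        # For the Certificate below to be picked up, certManager.createSecretInNamespace
        # should normally point at that namespace — confirm for your Istio version.
        credentialName: {{ $tls.secretName | quote }}
    {{- end }}
---
# --- Istio VirtualService for {{ $appName }} ---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: {{ printf "%s-vs" $appName | quote }}
  namespace: {{ $namespace | quote }} # VirtualService lives in the app's namespace
  labels:
    app.kubernetes.io/name: {{ printf "%s-vs" $appName | quote }}
    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
spec:
  gateways:
    # Same namespace as the Gateway above, so the bare name resolves without a "<ns>/" prefix
    - {{ $gatewayName | quote }}
  hosts:
    {{- range .hosts }}
    - {{ . | quote }}
    {{- end }}
  http:
    {{- /* One match/route pair per .paths entry (validated non-empty above) */}}
    {{- range .paths }}
    - match:
        - uri:
            {{- if eq .pathType "Exact" }}
            exact: {{ .path | quote }}
            {{- else }}
            # "Prefix" and an unset/unknown pathType both route by prefix
            prefix: {{ .path | quote }}
            {{- end }}
      route:
        - destination:
            host: {{ $serviceName | quote }}
            port:
              number: {{ $servicePort }}
    {{- end }}
{{- /* --- cert-manager Certificate (only when TLS is enabled) --- */}}
{{- if $tlsEnabled }}
---
# --- cert-manager Certificate for {{ $appName }} ---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # The Certificate is named after the Secret it produces, for easy correlation
  name: {{ $tls.secretName | quote }}
  # Created in the app namespace unless certManager.createSecretInNamespace overrides it
  namespace: {{ $certNamespace | quote }}
  labels:
    app.kubernetes.io/name: {{ printf "%s-certificate" $appName | quote }}
    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
    {{- if ne $certNamespace $namespace }}
    # Records which application namespace this certificate is issued FOR
    app.kubernetes.io/for-namespace: {{ $namespace | quote }}
    {{- end }}
spec:
  secretName: {{ $tls.secretName | quote }} # Secret name used by the Gateway's credentialName
  issuerRef:
    name: {{ $issuerName | quote }}
    kind: {{ $issuerKind | quote }}
  dnsNames:
    {{- range $tls.hosts }}
    - {{ . | quote }}
    {{- end }}
  {{- $firstHost := first $tls.hosts }}
  {{- if $firstHost }}
  # NOTE(review): the X.509 commonName is limited to 64 characters; a longer first
  # host name will be rejected by the issuer. dnsNames alone are sufficient for
  # modern clients, so dropping commonName is an option — confirm with your issuer.
  commonName: {{ $firstHost | quote }}
  {{- end }}
{{- end }}
{{- /* End if .tls.enabled for Certificate */}}
{{- end }}
{{- /* End if .enabled */}}
{{- end }}
{{- /* End range .Values.applications */}}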