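{{- /*
Renders, for every enabled entry in .Values.applications, an Istio Gateway,
an Istio VirtualService and (when tls.enabled) a cert-manager Certificate.

Required per-app fields: name, namespace, serviceName, servicePort, hosts, paths.
With tls.enabled also: tls.secretName, tls.hosts, certManager.issuerName,
certManager.issuerKind. A missing field aborts the render via fail so a
half-formed resource is never applied.

Optional sub-maps (tls, istio, certManager) are defaulted to an empty dict
before use, so an application that omits one of them no longer aborts the
render with a nil-pointer template error.
*/}}
{{- range .Values.applications }}
{{- if .enabled }}
{{- /* Every application needs a name before anything else is derived from it */}}
{{- if not .name }}{{- fail "ERROR: every entry in .Values.applications requires a 'name' field." }}{{- end }}
{{- /* Per-app variables; $-prefixed so they stay reachable inside nested range blocks */}}
{{- $appName := .name }}
{{- $namespace := .namespace }}
{{- $serviceName := .serviceName }}
{{- $servicePort := .servicePort }}
{{- $tls := .tls | default dict }}
{{- $istio := .istio | default dict }}
{{- $certManager := .certManager | default dict }}
{{- $gatewayName := printf "%s-gateway" $appName }}
{{- /* Certificate namespace: explicit override if set, otherwise the app namespace */}}
{{- $certNamespace := $certManager.createSecretInNamespace | default $namespace }}
{{- /* Issuer details are read per application only; no global fallback is implemented here */}}
{{- $issuerName := $certManager.issuerName }}
{{- $issuerKind := $certManager.issuerKind }}
{{- /* Gateway workload selector: per-app override, otherwise the default Istio ingress gateway */}}
{{- $gatewaySelector := $istio.gatewaySelector | default (dict "istio" "ingressgateway") }}
{{- /* --- Validation --- */}}
{{- if not $namespace }}{{- fail (printf "ERROR: Application '%s' requires 'namespace' field." $appName) }}{{- end }}
{{- if not $serviceName }}{{- fail (printf "ERROR: Application '%s' requires 'serviceName' field." $appName) }}{{- end }}
{{- if not $servicePort }}{{- fail (printf "ERROR: Application '%s' requires 'servicePort' field." $appName) }}{{- end }}
{{- if not .hosts }}{{- fail (printf "ERROR: Application '%s' requires 'hosts' field." $appName) }}{{- end }}
{{- if not .paths }}{{- fail (printf "ERROR: Application '%s' requires at least one entry under 'paths'." $appName) }}{{- end }}
{{- if $tls.enabled }}
{{- if not $tls.secretName }}{{- fail (printf "ERROR: Application '%s' has tls.enabled=true but requires 'tls.secretName'." $appName) }}{{- end }}
{{- if not $tls.hosts }}{{- fail (printf "ERROR: Application '%s' has tls.enabled=true but requires 'tls.hosts'." $appName) }}{{- end }}
{{- /* cert-manager fields are only mandatory when a Certificate will be rendered */}}
{{- if not $issuerName }}{{- fail (printf "ERROR: Application '%s' requires 'certManager.issuerName' when tls.enabled=true." $appName) }}{{- end }}
{{- if not $issuerKind }}{{- fail (printf "ERROR: Application '%s' requires 'certManager.issuerKind' when tls.enabled=true." $appName) }}{{- end }}
{{- end }}
---
# --- Istio Gateway for {{ $appName }} ---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: {{ $gatewayName | quote }}
  namespace: {{ $namespace | quote }}  # Gateway lives in the app's namespace
  labels:
    app.kubernetes.io/name: {{ $gatewayName | quote }}
    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
spec:
  selector: {{ $gatewaySelector | toYaml | nindent 4 }}
  servers:
    # HTTP server entry (port 80). Without istio.httpRedirect this serves the
    # application over plaintext even when TLS is enabled below.
    - port:
        number: 80
        name: {{ printf "http-%s" $appName | quote }}
        protocol: HTTP
      hosts:
        {{- /* Hosts are quoted so wildcard entries such as "*.example.com" are not read as YAML aliases */}}
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      {{- if and $tls.enabled $istio.httpRedirect }}
      tls:
        httpsRedirect: true
      {{- end }}
    {{- /* HTTPS server entry (port 443), only when TLS is enabled */}}
    {{- if $tls.enabled }}
    - port:
        number: 443
        name: {{ printf "https-%s" $appName | quote }}
        protocol: HTTPS
      hosts:
        {{- range $tls.hosts }}
        - {{ . | quote }}
        {{- end }}
      tls:
        mode: SIMPLE
        # credentialName is the Secret the Certificate below writes. Istio loads
        # gateway credentials from the ingress gateway workload's own namespace,
        # so certManager.createSecretInNamespace normally has to point there
        # rather than at the app namespace — confirm against the gateway deployment.
        credentialName: {{ $tls.secretName | quote }}
    {{- end }}
---
# --- Istio VirtualService for {{ $appName }} ---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: {{ printf "%s-vs" $appName | quote }}
  namespace: {{ $namespace | quote }}  # VirtualService lives in the app's namespace
  labels:
    app.kubernetes.io/name: {{ printf "%s-vs" $appName | quote }}
    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
spec:
  gateways:
    - {{ $gatewayName | quote }}  # Link to the Gateway created above
  # NOTE: these are .hosts, while the HTTPS server above uses tls.hosts; a name
  # present only in tls.hosts will not be routed by this VirtualService.
  hosts:
    {{- range .hosts }}
    - {{ . | quote }}
    {{- end }}
  http:
    {{- /* One route per entry in .paths. Istio evaluates routes in order, so the order in values matters. */}}
    {{- range .paths }}
    - match:
        - uri:
            {{- /* pathType unset defaults to Prefix; an unknown value fails instead of silently widening the match */}}
            {{- if not .pathType }}
            prefix: {{ .path | quote }}
            {{- else if eq .pathType "Prefix" }}
            prefix: {{ .path | quote }}
            {{- else if eq .pathType "Exact" }}
            exact: {{ .path | quote }}
            {{- else }}
            {{- fail (printf "ERROR: Application '%s' has unsupported pathType '%s' (expected 'Prefix' or 'Exact')." $appName .pathType) }}
            {{- end }}
      route:
        - destination:
            host: {{ $serviceName | quote }}
            port:
              number: {{ $servicePort }}
    {{- end }}
{{- /* --- cert-manager Certificate (only when TLS is enabled) --- */}}
{{- if $tls.enabled }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # The Certificate reuses the secret name so the two resources are easy to correlate
  name: {{ $tls.secretName | quote }}
  # Certificate (and its Secret) land in the override namespace when set, otherwise the app namespace
  namespace: {{ $certNamespace | quote }}
  labels:
    app.kubernetes.io/name: {{ printf "%s-certificate" $appName | quote }}
    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
    {{- if ne $certNamespace $namespace }}
    # Records which app namespace this certificate serves when it lives elsewhere
    # (chart-specific key, not one of the recommended app.kubernetes.io labels)
    app.kubernetes.io/for-namespace: {{ $namespace | quote }}
    {{- end }}
spec:
  secretName: {{ $tls.secretName | quote }}  # Must match the Gateway's credentialName
  issuerRef:
    name: {{ $issuerName | quote }}
    kind: {{ $issuerKind | quote }}
  dnsNames:
    {{- range $tls.hosts }}
    - {{ . | quote }}
    {{- end }}
  {{- /* tls.hosts is validated non-empty above; the guard only protects against a non-list value */}}
  {{- $firstHost := first $tls.hosts }}
  {{- if $firstHost }}
  commonName: {{ $firstHost | quote }}
  {{- end }}
{{- end }} {{- /* End if tls.enabled for Certificate */}}
{{- end }} {{- /* End if .enabled */}}
{{- end }} {{- /* End range .Values.applications */}}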