Add configurable secret names for wildcard instances (#73)

iyannsch · lucas-koehler · web-flow · commit f1a4b39f1dec · 2024-09-30T18:36:58.000+02:00
Previously, all instances - regardless of whether they contain wildcards or not - were using the same hard-coded `ws-cert-secret` TLS secret name. This results in the inability to use a preconfigured certificate only for the wildcard routes but keep the regular process for non-wildcard routes in place.

This PR introduces an optional field `ingress.allWildcardSecretNames` that accepts a wildcardPattern-&gt;secretName mapping and configures the ingress to use the configured secret for the wildcard host.
Making sure that no existing functionality is broken, the changes also make sure that:
- ingress.allWildcardSecretNames does not introduce new routes. Only routes that were already
  configured via hosts.allWildcardInstances can be modified with a new secretName.
- ingress.allWildcardSecretNames is optional and any wildcard-instance will use the `ws-cert-secret` by default.
  This also allows partial changes to some routes' certs.

Co-authored-by: Lucas Koehler &lt;lkoehler@eclipsesource.com&gt;
diff --git a/charts/theia-cloud/README.md b/charts/theia-cloud/README.md
@@ -33,6 +33,7 @@ A Helm chart for Theia Cloud
 | imagePullPolicy | string | `"Always"` | The default imagePullPolicy for containers of theia cloud. Can be overridden for individual components by specifying the imagePullPolicy variable there. Possible values: - Always - IfNotPresent - Never |
 | ingress | object | (see details below) | Values to influence the ingresses |
 | ingress.addTLSSecretName | bool | `true` | whether the default Theia Cloud tls secret names should be used. If false no tls secret name will be set on the ingress only needed when ingress.tls == true |
+| ingress.allWildcardSecretNames | object | `{}` | All additional wildcard hostnames and the respective TLS secret names. Use this for wildcard hostnames that should use a TLS certificate with a `secretName` different from the default one. Only accepts wildcard hostnames that are configured in `hosts.allWildcardInstances`. |
 | ingress.certManagerAnnotations | bool | `true` | When set to true the cert-manager.io annotations will be set. Only used when ingress.addTLSSecretName === true When false certificate management is handled outside of Theia Cloud. |
 | ingress.clusterIssuer | string | `"letsencrypt-prod"` | The cluster issuer to use Only needed when ingress.certManagerAnnotations is true |
 | ingress.instanceName | string | `"theia-cloud-demo-ws-ingress"` | The name of the ingress which will be updated to publish new theia application. If this is not existing it will be created. You may chose to set the ingress up yourself and point Theia Cloud to the ingress via the name |
diff --git a/charts/theia-cloud/templates/instances-ingress-path-based.yaml b/charts/theia-cloud/templates/instances-ingress-path-based.yaml
@@ -28,19 +28,30 @@ spec:
   tls:
   - hosts:
     - {{ tpl (.Values.hosts.configuration.baseHost | toString) . }}
-    {{- range .Values.hosts.allWildcardInstances }}
-    - {{ printf "'%s%s'" . $.Values.hosts.configuration.baseHost }}
-    {{- end }}
     {{- if .Values.ingress.addTLSSecretName }}
+    {{- range $wildcard := .Values.hosts.allWildcardInstances }}
+    {{- if (not (hasKey $.Values.ingress.allWildcardSecretNames $wildcard)) }}
+    - {{ printf "%s%s" (tpl . $) (tpl $.Values.hosts.configuration.baseHost $)| quote }}
+    {{- end }}
+    {{- end }}
     secretName: ws-cert-secret
     {{- end }}
   {{- end }}
+
+  {{- range $wildcard := .Values.hosts.allWildcardInstances }}
+  {{- if hasKey $.Values.ingress.allWildcardSecretNames $wildcard }}
+  {{- $secretName := get $.Values.ingress.allWildcardSecretNames $wildcard }}
+  - hosts:
+    - {{ printf "%s%s" (tpl $wildcard $) (tpl $.Values.hosts.configuration.baseHost $) | quote }}
+    secretName: {{ tpl $secretName $ | quote }}
+  {{- end }}
+  {{- end }}
   {{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace  (tpl (.Values.ingress.instanceName | toString) .) ) }}
   rules:
     - host: {{ tpl (.Values.hosts.configuration.baseHost | toString) . }}
       http:
     {{- range .Values.hosts.allWildcardInstances }}
-    - host: {{ printf "'%s%s'" . $.Values.hosts.configuration.baseHost }}
+    - host: {{ printf "'%s%s'" (tpl . $) (tpl $.Values.hosts.configuration.baseHost $) }}
       http:
     {{- end }}
   {{- else }}
diff --git a/charts/theia-cloud/templates/instances-ingress.yaml b/charts/theia-cloud/templates/instances-ingress.yaml
@@ -28,19 +28,31 @@ spec:
   tls:
   - hosts:
     - {{ tpl (printf "%s.%s" .Values.hosts.configuration.instance .Values.hosts.configuration.baseHost | toString) . }}
-    {{- range .Values.hosts.allWildcardInstances }}
-    - {{ printf "'%s%s.%s'" . $.Values.hosts.configuration.instance $.Values.hosts.configuration.baseHost }}
-    {{- end }}
     {{- if .Values.ingress.addTLSSecretName }}
+    {{- range $wildcard := .Values.hosts.allWildcardInstances }}
+    {{- if (not (hasKey $.Values.ingress.allWildcardSecretNames $wildcard)) }}
+    - {{ printf "%s%s.%s" (tpl . $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }}
+    {{- end }}
+    {{- end }}
     secretName: ws-cert-secret
     {{- end }}
   {{- end }}
+
+  {{- range $wildcard := .Values.hosts.allWildcardInstances }}
+  {{- if hasKey $.Values.ingress.allWildcardSecretNames $wildcard }}
+  {{- $secretName := get $.Values.ingress.allWildcardSecretNames $wildcard }}
+  - hosts:
+    - {{ printf "%s%s.%s" (tpl $wildcard $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }}
+    secretName: {{ tpl $secretName $ | quote }}
+  {{- end }}
+  {{- end }}
+
   {{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace  (tpl (.Values.ingress.instanceName | toString) .) ) }}
   rules:
-    - host: {{ tpl (printf "%s.%s" .Values.hosts.configuration.instance .Values.hosts.configuration.baseHost | toString) . }}
+    - host: {{ printf "%s.%s" (tpl .Values.hosts.configuration.instance .) (tpl .Values.hosts.configuration.baseHost .) }}
       http:
     {{- range .Values.hosts.allWildcardInstances }}
-    - host: {{ printf "'%s%s.%s'" . $.Values.hosts.configuration.instance $.Values.hosts.configuration.baseHost }}
+    - host: {{ printf "%s%s.%s" (tpl . $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }}
       http:
     {{- end }}
   {{- else }}
diff --git a/charts/theia-cloud/values.yaml b/charts/theia-cloud/values.yaml
@@ -326,6 +326,12 @@ ingress:
   # only needed when ingress.tls == true
   addTLSSecretName: true
 
+  # -- All additional wildcard hostnames and the respective TLS secret names.
+  # Use this for wildcard hostnames that should use a TLS certificate with a `secretName` different from the default one.
+  # Only accepts wildcard hostnames that are configured in `hosts.allWildcardInstances`.
+  allWildcardSecretNames: {}
+  #  "*.webview.": webview-ws-cert-secret
+
 operatorrole:
   name: operator-api-access
 
