Adding cluster-issuer annotation for TLS provisioning
Through the use of cert-manager, the charms will be able to
request TLS certificates to protect the exposed Kubernetes Ingress
endpoint.
Note: Cert-manager must be configured ahead of time.
Change-Id: I7dacdb8dca2f78664c5604e509e2516ae6023d06
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
diff --git a/installers/charm/grafana/config.yaml b/installers/charm/grafana/config.yaml
index 37509dc..19274e5 100644
--- a/installers/charm/grafana/config.yaml
+++ b/installers/charm/grafana/config.yaml
@@ -44,6 +44,10 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
osm_dashboards:
type: boolean
description: Enable OSM System monitoring dashboards
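Review bot: The description of the new `cluster_issuer` option leaves out the precondition the commit message states, that cert-manager must already be installed and configured in the cluster, and an operator reading the charm's config will never see the commit message. Suggest `description: Name of the cert-manager ClusterIssuer used to request a TLS certificate for the Ingress (cert-manager must already be installed and configured in the cluster; leave empty to disable)`. The same description is repeated in the kafka-exporter, mongodb-exporter, mysqld-exporter, nbi, ng-ui and prometheus config.yaml hunks.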
diff --git a/installers/charm/grafana/src/charm.py b/installers/charm/grafana/src/charm.py
index d10ccf2..bf6fbd9 100755
--- a/installers/charm/grafana/src/charm.py
+++ b/installers/charm/grafana/src/charm.py
@@ -50,6 +50,7 @@
max_file_size: int
osm_dashboards: bool
site_url: Optional[str]
+ cluster_issuer: Optional[str]
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
@@ -184,6 +185,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = config.ingress_whitelist_source_range
+ if config.cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
+
if parsed.scheme == "https":
ingress_resource_builder.add_tls(
[parsed.hostname], config.tls_secret_name
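Review bot: The annotation is added whenever `config.cluster_issuer` is non-empty, independently of the `parsed.scheme == "https"` branch right below it, so an http-only `site_url` still carries a cert-manager annotation, and an https `site_url` with an empty `tls_secret_name` asks cert-manager to issue a certificate while `add_tls` receives an empty secret name (what `add_tls` does with that is outside the hunk). cert-manager's ingress-shim stores the issued certificate in the `secretName` of the Ingress `tls` block, so without one the request presumably does nothing useful and the misconfiguration stays silent; worth confirming against the cert-manager version in use. Tying the annotation to the TLS branch, `if config.cluster_issuer and parsed.scheme == "https":`, and rejecting a `cluster_issuer` set without a `tls_secret_name` during config validation would make it visible instead. The enclosing method starts and ends outside the hunk. The same shape appears in the kafka-exporter, mongodb-exporter and mysqld-exporter pod_spec.py hunks and in the nbi, ng-ui and prometheus charm.py hunks.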
diff --git a/installers/charm/grafana/tests/test_charm.py b/installers/charm/grafana/tests/test_charm.py
index 4e269df..5db3eda 100644
--- a/installers/charm/grafana/tests/test_charm.py
+++ b/installers/charm/grafana/tests/test_charm.py
@@ -43,6 +43,7 @@
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
"site_url": "https://grafana.192.168.100.100.xip.io",
+ "cluster_issuer": "vault-issuer",
"osm_dashboards": True,
}
self.harness.update_config(self.config)
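Review bot: The test config now sets `cluster_issuer` to `vault-issuer`, but nothing in this hunk asserts that the generated Ingress carries `cert-manager.io/cluster-issuer: vault-issuer`; if no such assertion exists elsewhere in the file, the new branch in charm.py is exercised but never verified. An assertion on the annotations of the built ingress resource would close that gap, e.g. (constructed, adapt the accessor to how the test obtains the resource) `self.assertEqual(ingress["metadata"]["annotations"]["cert-manager.io/cluster-issuer"], "vault-issuer")`. The same applies to the nbi, ng-ui and prometheus test_charm.py hunks.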
diff --git a/installers/charm/kafka-exporter/config.yaml b/installers/charm/kafka-exporter/config.yaml
index a3aaa21..8d3703e 100644
--- a/installers/charm/kafka-exporter/config.yaml
+++ b/installers/charm/kafka-exporter/config.yaml
@@ -37,3 +37,7 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
diff --git a/installers/charm/kafka-exporter/src/pod_spec.py b/installers/charm/kafka-exporter/src/pod_spec.py
index a50d96f..90886cb 100644
--- a/installers/charm/kafka-exporter/src/pod_spec.py
+++ b/installers/charm/kafka-exporter/src/pod_spec.py
@@ -62,6 +62,9 @@
"site_url": lambda value, _: isinstance(value, str)
if value is not None
else True,
+ "cluster_issuer": lambda value, _: isinstance(value, str)
+ if value is not None
+ else True,
"ingress_whitelist_source_range": lambda value, _: _validate_ip_network(value),
"tls_secret_name": lambda value, _: isinstance(value, str)
if value is not None
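Review bot: The new `cluster_issuer` validator only checks `isinstance(value, str)`, so any string is accepted, including whitespace or characters that are not valid in a Kubernetes object name; cert-manager would then presumably look up a non-existent ClusterIssuer, with the failure visible only in cert-manager's events rather than in charm status. A stricter check in the style of `_validate_ip_network`, for instance a DNS-1123 subdomain regex applied when the value is non-empty, would surface a typo at config time. The same lambda is added in the mongodb-exporter and mysqld-exporter pod_spec.py hunks.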
@@ -146,6 +149,7 @@
return
ingress_whitelist_source_range = config["ingress_whitelist_source_range"]
+ cluster_issuer = config["cluster_issuer"]
annotations = {}
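Review bot: `cluster_issuer = config["cluster_issuer"]` raises KeyError when the key is absent, which is why every config dict in test_pod_spec.py had to gain a `"cluster_issuer": ""` entry; the validator added earlier in this file explicitly tolerates `None`, so `cluster_issuer = config.get("cluster_issuer")` would match that contract and keep callers that omit the option working. It mirrors the existing `config["ingress_whitelist_source_range"]` line, so changing both together is the consistent option. The enclosing function starts and ends outside the hunk; the same line is added in the mongodb-exporter and mysqld-exporter pod_spec.py hunks.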
@@ -154,6 +158,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = ingress_whitelist_source_range
+ if cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = cluster_issuer
+
ingress_spec_tls = None
if parsed.scheme == "https":
diff --git a/installers/charm/kafka-exporter/tests/test_charm.py b/installers/charm/kafka-exporter/tests/test_charm.py
index 5361321..fc50b49 100644
--- a/installers/charm/kafka-exporter/tests/test_charm.py
+++ b/installers/charm/kafka-exporter/tests/test_charm.py
@@ -70,7 +70,7 @@
}
],
"envConfig": {},
- "command": ["kafka-exporter", "--kafka.server=kafka:9090"],
+ "command": ["kafka_exporter", "--kafka.server=kafka:9090"],
"kubernetes": {
"readinessProbe": {
"httpGet": {
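Review bot: The `kafka-exporter` to `kafka_exporter` command rename in the expected pod spec is unrelated to the cluster-issuer feature and is not mentioned in the commit message; the pod_spec.py hunks in this diff do not touch the command, so it is unclear whether these tests were stale against an earlier source change or the source differs elsewhere. Either split the rename into its own change or add a sentence to the message explaining it. The same edit recurs in the three later hunks of this file and in test_pod_spec.py (the `expected_result` list and two `"command"` entries).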
@@ -136,7 +136,7 @@
}
],
"envConfig": {},
- "command": ["kafka-exporter", "--kafka.server=kafka:9090"],
+ "command": ["kafka_exporter", "--kafka.server=kafka:9090"],
"kubernetes": {
"readinessProbe": {
"httpGet": {
@@ -228,7 +228,7 @@
}
],
"envConfig": {},
- "command": ["kafka-exporter", "--kafka.server=kafka:9090"],
+ "command": ["kafka_exporter", "--kafka.server=kafka:9090"],
"kubernetes": {
"readinessProbe": {
"httpGet": {
@@ -329,7 +329,7 @@
}
],
"envConfig": {},
- "command": ["kafka-exporter", "--kafka.server=kafka:9090"],
+ "command": ["kafka_exporter", "--kafka.server=kafka:9090"],
"kubernetes": {
"readinessProbe": {
"httpGet": {
diff --git a/installers/charm/kafka-exporter/tests/test_pod_spec.py b/installers/charm/kafka-exporter/tests/test_pod_spec.py
index 44d99d8..ad0e412 100644
--- a/installers/charm/kafka-exporter/tests/test_pod_spec.py
+++ b/installers/charm/kafka-exporter/tests/test_pod_spec.py
@@ -58,7 +58,10 @@
def test_make_pod_ingress_resources_without_site_url(self) -> NoReturn:
"""Testing make pod ingress resources without site_url."""
- config = {"site_url": ""}
+ config = {
+ "cluster_issuer": "",
+ "site_url": "",
+ }
app_name = "kafka-exporter"
port = 9308
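Review bot: Every config dict in this file's hunks sets `"cluster_issuer": ""`, so the new `if cluster_issuer:` branch in pod_spec.py that emits the `cert-manager.io/cluster-issuer` annotation is never taken by these unit tests. One case on the https config with a non-empty issuer, `"cluster_issuer": "vault-issuer"`, asserting the expected ingress metadata contains `"cert-manager.io/cluster-issuer": "vault-issuer"`, would cover it. The same gap exists in the mongodb-exporter and mysqld-exporter test_pod_spec.py hunks.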
@@ -71,6 +74,7 @@
def test_make_pod_ingress_resources(self) -> NoReturn:
"""Testing make pod ingress resources."""
config = {
+ "cluster_issuer": "",
"site_url": "http://kafka-exporter",
"ingress_whitelist_source_range": "",
}
@@ -114,6 +118,7 @@
"""Testing make pod ingress resources with whitelist_source_range."""
config = {
"site_url": "http://kafka-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "0.0.0.0/0",
}
app_name = "kafka-exporter"
@@ -160,6 +165,7 @@
config = {
"site_url": "https://kafka-exporter",
"max_file_size": 0,
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
}
@@ -203,6 +209,7 @@
config = {
"site_url": "https://kafka-exporter",
"max_file_size": 0,
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "secret_name",
}
@@ -289,7 +296,7 @@
}
expected_result = [
- "kafka-exporter",
+ "kafka_exporter",
"--kafka.server={}:{}".format(
relation.get("kafka_host"), relation.get("kafka_port")
),
@@ -304,6 +311,7 @@
image_info = {"upstream-source": "bitnami/kafka-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"kafka_host": "kafka",
@@ -327,7 +335,7 @@
}
],
"envConfig": {},
- "command": ["kafka-exporter", "--kafka.server=kafka:9090"],
+ "command": ["kafka_exporter", "--kafka.server=kafka:9090"],
"kubernetes": {
"readinessProbe": {
"httpGet": {
@@ -366,6 +374,7 @@
image_info = {"upstream-source": "bitnami/kafka-exporter:latest"}
config = {
"site_url": "https://kafka-exporter",
+ "cluster_issuer": "",
"tls_secret_name": "kafka-exporter",
"max_file_size": 0,
"ingress_whitelist_source_range": "0.0.0.0/0",
@@ -392,7 +401,7 @@
}
],
"envConfig": {},
- "command": ["kafka-exporter", "--kafka.server=kafka:9090"],
+ "command": ["kafka_exporter", "--kafka.server=kafka:9090"],
"kubernetes": {
"readinessProbe": {
"httpGet": {
@@ -466,6 +475,7 @@
image_info = None
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"kafka_host": "kafka",
@@ -485,6 +495,7 @@
image_info = {"upstream-source": "bitnami/kafka-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {}
app_name = "kafka-exporter"
diff --git a/installers/charm/mongodb-exporter/config.yaml b/installers/charm/mongodb-exporter/config.yaml
index a3aaa21..8d3703e 100644
--- a/installers/charm/mongodb-exporter/config.yaml
+++ b/installers/charm/mongodb-exporter/config.yaml
@@ -37,3 +37,7 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
diff --git a/installers/charm/mongodb-exporter/src/pod_spec.py b/installers/charm/mongodb-exporter/src/pod_spec.py
index 8255b20..0cc3f8c 100644
--- a/installers/charm/mongodb-exporter/src/pod_spec.py
+++ b/installers/charm/mongodb-exporter/src/pod_spec.py
@@ -62,6 +62,9 @@
"site_url": lambda value, _: isinstance(value, str)
if value is not None
else True,
+ "cluster_issuer": lambda value, _: isinstance(value, str)
+ if value is not None
+ else True,
"ingress_whitelist_source_range": lambda value, _: _validate_ip_network(value),
"tls_secret_name": lambda value, _: isinstance(value, str)
if value is not None
@@ -158,6 +161,8 @@
return
ingress_whitelist_source_range = config["ingress_whitelist_source_range"]
+ cluster_issuer = config["cluster_issuer"]
+
annotations = {}
if ingress_whitelist_source_range:
@@ -165,6 +170,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = ingress_whitelist_source_range
+ if cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = cluster_issuer
+
ingress_spec_tls = None
if parsed.scheme == "https":
diff --git a/installers/charm/mongodb-exporter/tests/test_pod_spec.py b/installers/charm/mongodb-exporter/tests/test_pod_spec.py
index 3e312f4..94ab6fb 100644
--- a/installers/charm/mongodb-exporter/tests/test_pod_spec.py
+++ b/installers/charm/mongodb-exporter/tests/test_pod_spec.py
@@ -60,7 +60,10 @@
def test_make_pod_ingress_resources_without_site_url(self) -> NoReturn:
"""Testing make pod ingress resources without site_url."""
- config = {"site_url": ""}
+ config = {
+ "site_url": "",
+ "cluster_issuer": "",
+ }
app_name = "mongodb-exporter"
port = 9216
@@ -74,6 +77,7 @@
"""Testing make pod ingress resources."""
config = {
"site_url": "http://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
}
app_name = "mongodb-exporter"
@@ -116,6 +120,7 @@
"""Testing make pod ingress resources with whitelist_source_range."""
config = {
"site_url": "http://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "0.0.0.0/0",
}
app_name = "mongodb-exporter"
@@ -161,6 +166,7 @@
"""Testing make pod ingress resources with HTTPs."""
config = {
"site_url": "https://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
}
@@ -203,6 +209,7 @@
"""Testing make pod ingress resources with HTTPs and TLS secret name."""
config = {
"site_url": "https://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "secret_name",
}
@@ -286,6 +293,7 @@
image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"mongodb_connection_string": "mongodb://mongo",
@@ -348,6 +356,7 @@
image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"}
config = {
"site_url": "https://mongodb-exporter",
+ "cluster_issuer": "",
"tls_secret_name": "mongodb-exporter",
"ingress_whitelist_source_range": "0.0.0.0/0",
}
@@ -447,6 +456,7 @@
image_info = None
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"mongodb_connection_string": "mongodb://mongo",
@@ -465,6 +475,7 @@
image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {}
app_name = "mongodb-exporter"
diff --git a/installers/charm/mysqld-exporter/config.yaml b/installers/charm/mysqld-exporter/config.yaml
index a3aaa21..8d3703e 100644
--- a/installers/charm/mysqld-exporter/config.yaml
+++ b/installers/charm/mysqld-exporter/config.yaml
@@ -37,3 +37,7 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
diff --git a/installers/charm/mysqld-exporter/src/pod_spec.py b/installers/charm/mysqld-exporter/src/pod_spec.py
index ec84221..e371030 100644
--- a/installers/charm/mysqld-exporter/src/pod_spec.py
+++ b/installers/charm/mysqld-exporter/src/pod_spec.py
@@ -62,6 +62,9 @@
"site_url": lambda value, _: isinstance(value, str)
if value is not None
else True,
+ "cluster_issuer": lambda value, _: isinstance(value, str)
+ if value is not None
+ else True,
"ingress_whitelist_source_range": lambda value, _: _validate_ip_network(value),
"tls_secret_name": lambda value, _: isinstance(value, str)
if value is not None
@@ -152,6 +155,7 @@
return
ingress_whitelist_source_range = config["ingress_whitelist_source_range"]
+ cluster_issuer = config["cluster_issuer"]
annotations = {}
@@ -160,6 +164,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = ingress_whitelist_source_range
+ if cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = cluster_issuer
+
ingress_spec_tls = None
if parsed.scheme == "https":
diff --git a/installers/charm/mysqld-exporter/tests/test_pod_spec.py b/installers/charm/mysqld-exporter/tests/test_pod_spec.py
index c2dd1e2..a9c29ef 100644
--- a/installers/charm/mysqld-exporter/tests/test_pod_spec.py
+++ b/installers/charm/mysqld-exporter/tests/test_pod_spec.py
@@ -68,7 +68,10 @@
def test_make_pod_ingress_resources_without_site_url(self) -> NoReturn:
"""Testing make pod ingress resources without site_url."""
- config = {"site_url": ""}
+ config = {
+ "site_url": "",
+ "cluster_issuer": "",
+ }
app_name = "mysqld-exporter"
port = 9104
@@ -82,6 +85,7 @@
"""Testing make pod ingress resources."""
config = {
"site_url": "http://mysqld-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
}
app_name = "mysqld-exporter"
@@ -124,6 +128,7 @@
"""Testing make pod ingress resources with whitelist_source_range."""
config = {
"site_url": "http://mysqld-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "0.0.0.0/0",
}
app_name = "mysqld-exporter"
@@ -169,6 +174,7 @@
"""Testing make pod ingress resources with HTTPs."""
config = {
"site_url": "https://mysqld-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
}
@@ -211,6 +217,7 @@
"""Testing make pod ingress resources with HTTPs and TLS secret name."""
config = {
"site_url": "https://mysqld-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "secret_name",
}
@@ -294,6 +301,7 @@
image_info = {"upstream-source": "bitnami/mysqld-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"mysql_host": "mysql",
@@ -362,6 +370,7 @@
image_info = {"upstream-source": "bitnami/mysqld-exporter:latest"}
config = {
"site_url": "https://mysqld-exporter",
+ "cluster_issuer": "",
"tls_secret_name": "mysqld-exporter",
"ingress_whitelist_source_range": "0.0.0.0/0",
}
@@ -467,6 +476,7 @@
image_info = None
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"mysql_host": "mysql",
@@ -489,6 +499,7 @@
image_info = {"upstream-source": "bitnami/mysqld-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {}
app_name = "mysqld-exporter"
diff --git a/installers/charm/nbi/config.yaml b/installers/charm/nbi/config.yaml
index ff6b7e1..ef0792b 100644
--- a/installers/charm/nbi/config.yaml
+++ b/installers/charm/nbi/config.yaml
@@ -44,6 +44,10 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
log_level:
description: "Log Level"
type: string
diff --git a/installers/charm/nbi/src/charm.py b/installers/charm/nbi/src/charm.py
index 7efc5b0..1f5812a 100755
--- a/installers/charm/nbi/src/charm.py
+++ b/installers/charm/nbi/src/charm.py
@@ -56,6 +56,7 @@
log_level: str
max_file_size: int
site_url: Optional[str]
+ cluster_issuer: Optional[str]
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
@@ -240,6 +241,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = config.ingress_whitelist_source_range
+ if config.cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
+
if parsed.scheme == "https":
ingress_resource_builder.add_tls(
[parsed.hostname], config.tls_secret_name
diff --git a/installers/charm/nbi/tests/test_charm.py b/installers/charm/nbi/tests/test_charm.py
index c4e857f..2b4ea0f 100644
--- a/installers/charm/nbi/tests/test_charm.py
+++ b/installers/charm/nbi/tests/test_charm.py
@@ -48,6 +48,7 @@
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
"site_url": "https://nbi.192.168.100.100.xip.io",
+ "cluster_issuer": "vault-issuer",
}
self.harness.update_config(self.config)
diff --git a/installers/charm/ng-ui/config.yaml b/installers/charm/ng-ui/config.yaml
index 279b759..df09698 100644
--- a/installers/charm/ng-ui/config.yaml
+++ b/installers/charm/ng-ui/config.yaml
@@ -45,3 +45,7 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
diff --git a/installers/charm/ng-ui/src/charm.py b/installers/charm/ng-ui/src/charm.py
index bf301f3..5efaaae 100755
--- a/installers/charm/ng-ui/src/charm.py
+++ b/installers/charm/ng-ui/src/charm.py
@@ -50,6 +50,7 @@
server_name: str
max_file_size: int
site_url: Optional[str]
+ cluster_issuer: Optional[str]
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
@@ -158,6 +159,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = config.ingress_whitelist_source_range
+ if config.cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
+
if parsed.scheme == "https":
ingress_resource_builder.add_tls(
[parsed.hostname], config.tls_secret_name
diff --git a/installers/charm/ng-ui/tests/test_charm.py b/installers/charm/ng-ui/tests/test_charm.py
index 5b5327b..38ad38b 100644
--- a/installers/charm/ng-ui/tests/test_charm.py
+++ b/installers/charm/ng-ui/tests/test_charm.py
@@ -45,6 +45,7 @@
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
"site_url": "https://ui.192.168.100.100.xip.io",
+ "cluster_issuer": "vault-issuer",
}
self.harness.update_config(self.config)
diff --git a/installers/charm/prometheus/config.yaml b/installers/charm/prometheus/config.yaml
index 9f35e51..a5f5e8a 100644
--- a/installers/charm/prometheus/config.yaml
+++ b/installers/charm/prometheus/config.yaml
@@ -52,6 +52,10 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
enable_web_admin_api:
type: boolean
description: Boolean to enable the web admin api
diff --git a/installers/charm/prometheus/src/charm.py b/installers/charm/prometheus/src/charm.py
index 5cd163d..e71d949 100755
--- a/installers/charm/prometheus/src/charm.py
+++ b/installers/charm/prometheus/src/charm.py
@@ -55,6 +55,7 @@
default_target: str
max_file_size: int
site_url: Optional[str]
+ cluster_issuer: Optional[str]
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
enable_web_admin_api: bool
@@ -206,6 +207,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = config.ingress_whitelist_source_range
+ if config.cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
+
if parsed.scheme == "https":
ingress_resource_builder.add_tls(
[parsed.hostname], config.tls_secret_name
diff --git a/installers/charm/prometheus/tests/test_charm.py b/installers/charm/prometheus/tests/test_charm.py
index dd8b732..0713a84 100644
--- a/installers/charm/prometheus/tests/test_charm.py
+++ b/installers/charm/prometheus/tests/test_charm.py
@@ -45,6 +45,7 @@
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
"site_url": "https://prometheus.192.168.100.100.xip.io",
+ "cluster_issuer": "vault-issuer",
"enable_web_admin_api": False,
}
self.harness.update_config(self.config)