Adding cluster-issuer annotation for TLS provisioning
Through the use of cert-manager, the charms will be able to
request TLS certificates to protect the exposed Kubernetes
Ingress endpoint.
Note: Cert-manager must be configured ahead of time.
Change-Id: I7dacdb8dca2f78664c5604e509e2516ae6023d06
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
diff --git a/installers/charm/mongodb-exporter/config.yaml b/installers/charm/mongodb-exporter/config.yaml
index a3aaa21..8d3703e 100644
--- a/installers/charm/mongodb-exporter/config.yaml
+++ b/installers/charm/mongodb-exporter/config.yaml
@@ -37,3 +37,7 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
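Review bot: The description of `cluster_issuer` does not say that the value must name a cert-manager ClusterIssuer that already exists in the cluster, or that the empty default leaves the ingress without the annotation. The commit message carries the "configured ahead of time" caveat, but operators read the option text, not the commit log. Something like `description: Name of an existing cert-manager ClusterIssuer used to issue the ingress TLS certificate; leave empty to disable` would put the requirement where it is seen.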
diff --git a/installers/charm/mongodb-exporter/src/pod_spec.py b/installers/charm/mongodb-exporter/src/pod_spec.py
index 8255b20..0cc3f8c 100644
--- a/installers/charm/mongodb-exporter/src/pod_spec.py
+++ b/installers/charm/mongodb-exporter/src/pod_spec.py
@@ -62,6 +62,9 @@
"site_url": lambda value, _: isinstance(value, str)
if value is not None
else True,
+ "cluster_issuer": lambda value, _: isinstance(value, str)
+ if value is not None
+ else True,
"ingress_whitelist_source_range": lambda value, _: _validate_ip_network(value),
"tls_secret_name": lambda value, _: isinstance(value, str)
if value is not None
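Review bot: The `cluster_issuer` validator accepts any string, and that string is later copied verbatim into the `cert-manager.io/cluster-issuer` annotation in this file. A ClusterIssuer is a Kubernetes object, so its name has to be a lowercase DNS-1123 subdomain. A value with wrong case, a stray space or a trailing newline passes this check and would most likely surface only as a certificate that is never issued. Consider rejecting non-empty values that do not fully match `[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*` (at most 253 characters), so the mistake is reported when the config is set. The validator mapping starts and ends outside this hunk.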
@@ -158,6 +161,8 @@
return
ingress_whitelist_source_range = config["ingress_whitelist_source_range"]
+ cluster_issuer = config["cluster_issuer"]
+
annotations = {}
if ingress_whitelist_source_range:
@@ -165,6 +170,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = ingress_whitelist_source_range
+ if cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = cluster_issuer
+
ingress_spec_tls = None
if parsed.scheme == "https":
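Review bot: The `cert-manager.io/cluster-issuer` annotation is added whenever `cluster_issuer` is non-empty, before the `parsed.scheme == "https"` check and independently of `tls_secret_name`. cert-manager only issues a certificate for an Ingress that has a `tls` entry with a `secretName`. With an `http://` site_url the operator can therefore set an issuer and still get an endpoint with no certificate and no error. The same may hold for an empty `tls_secret_name`, but the https branch is not visible here. I would either move the assignment under the https branch or fail validation when `cluster_issuer` is set without an https `site_url` and a `tls_secret_name`. The function body continues outside the hunk.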
diff --git a/installers/charm/mongodb-exporter/tests/test_pod_spec.py b/installers/charm/mongodb-exporter/tests/test_pod_spec.py
index 3e312f4..94ab6fb 100644
--- a/installers/charm/mongodb-exporter/tests/test_pod_spec.py
+++ b/installers/charm/mongodb-exporter/tests/test_pod_spec.py
@@ -60,7 +60,10 @@
def test_make_pod_ingress_resources_without_site_url(self) -> NoReturn:
"""Testing make pod ingress resources without site_url."""
- config = {"site_url": ""}
+ config = {
+ "site_url": "",
+ "cluster_issuer": "",
+ }
app_name = "mongodb-exporter"
port = 9216
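Review bot: Every config dict touched in this file, here and in the eight hunks that follow, gets `"cluster_issuer": ""`, so the new `if cluster_issuer:` branch in pod_spec.py is never executed by the suite. Add one case with an https `site_url`, a `tls_secret_name` and a non-empty issuer (a constructed value such as `"example-issuer"`) that asserts the ingress annotations contain `"cert-manager.io/cluster-issuer": "example-issuer"`. Add a second case that asserts the key is absent when the option is empty. The test method continues outside the hunk.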
@@ -74,6 +77,7 @@
"""Testing make pod ingress resources."""
config = {
"site_url": "http://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
}
app_name = "mongodb-exporter"
@@ -116,6 +120,7 @@
"""Testing make pod ingress resources with whitelist_source_range."""
config = {
"site_url": "http://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "0.0.0.0/0",
}
app_name = "mongodb-exporter"
@@ -161,6 +166,7 @@
"""Testing make pod ingress resources with HTTPs."""
config = {
"site_url": "https://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
}
@@ -203,6 +209,7 @@
"""Testing make pod ingress resources with HTTPs and TLS secret name."""
config = {
"site_url": "https://mongodb-exporter",
+ "cluster_issuer": "",
"ingress_whitelist_source_range": "",
"tls_secret_name": "secret_name",
}
@@ -286,6 +293,7 @@
image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"mongodb_connection_string": "mongodb://mongo",
@@ -348,6 +356,7 @@
image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"}
config = {
"site_url": "https://mongodb-exporter",
+ "cluster_issuer": "",
"tls_secret_name": "mongodb-exporter",
"ingress_whitelist_source_range": "0.0.0.0/0",
}
@@ -447,6 +456,7 @@
image_info = None
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {
"mongodb_connection_string": "mongodb://mongo",
@@ -465,6 +475,7 @@
image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"}
config = {
"site_url": "",
+ "cluster_issuer": "",
}
relation_state = {}
app_name = "mongodb-exporter"