Adding cluster-issuer annotation for TLS provisioning
Through the usage of cert-manager, the charms will be able
request TLS certificates to protect the Kubernetes Ingress
endpoint that is exposed.
Note: Cert-manager must be configured ahead of time.
Change-Id: I7dacdb8dca2f78664c5604e509e2516ae6023d06
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
diff --git a/installers/charm/nbi/config.yaml b/installers/charm/nbi/config.yaml
index ff6b7e1..ef0792b 100644
--- a/installers/charm/nbi/config.yaml
+++ b/installers/charm/nbi/config.yaml
@@ -44,6 +44,10 @@
type: string
description: Ingress URL
default: ""
+ cluster_issuer:
+ type: string
+ description: Name of the cluster issuer for TLS certificates
+ default: ""
log_level:
description: "Log Level"
type: string
diff --git a/installers/charm/nbi/src/charm.py b/installers/charm/nbi/src/charm.py
index 7efc5b0..1f5812a 100755
--- a/installers/charm/nbi/src/charm.py
+++ b/installers/charm/nbi/src/charm.py
@@ -56,6 +56,7 @@
log_level: str
max_file_size: int
site_url: Optional[str]
+ cluster_issuer: Optional[str]
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
@@ -240,6 +241,9 @@
"nginx.ingress.kubernetes.io/whitelist-source-range"
] = config.ingress_whitelist_source_range
+ if config.cluster_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer
+
if parsed.scheme == "https":
ingress_resource_builder.add_tls(
[parsed.hostname], config.tls_secret_name
diff --git a/installers/charm/nbi/tests/test_charm.py b/installers/charm/nbi/tests/test_charm.py
index c4e857f..2b4ea0f 100644
--- a/installers/charm/nbi/tests/test_charm.py
+++ b/installers/charm/nbi/tests/test_charm.py
@@ -48,6 +48,7 @@
"ingress_whitelist_source_range": "",
"tls_secret_name": "",
"site_url": "https://nbi.192.168.100.100.xip.io",
+ "cluster_issuer": "vault-issuer",
}
self.harness.update_config(self.config)