From 3cc0316794cc75ecffdf2b969b4ad98d0dd7e826 Mon Sep 17 00:00:00 2001 From: sousaedu Date: Thu, 29 Apr 2021 16:53:12 +0200 Subject: [PATCH] Adding cluster-issuer annotation for TLS provisioning Through the usage of cert-manager, the charms will be able request TLS certificates to protect the Kubernetes Ingress endpoint that is exposed. Note: Cert-manager must be configured ahead of time. Change-Id: I7dacdb8dca2f78664c5604e509e2516ae6023d06 Signed-off-by: sousaedu --- installers/charm/grafana/config.yaml | 4 ++++ installers/charm/grafana/src/charm.py | 4 ++++ installers/charm/grafana/tests/test_charm.py | 1 + installers/charm/kafka-exporter/config.yaml | 4 ++++ .../charm/kafka-exporter/src/pod_spec.py | 7 +++++++ .../charm/kafka-exporter/tests/test_charm.py | 8 ++++---- .../kafka-exporter/tests/test_pod_spec.py | 19 +++++++++++++++---- installers/charm/mongodb-exporter/config.yaml | 4 ++++ .../charm/mongodb-exporter/src/pod_spec.py | 8 ++++++++ .../mongodb-exporter/tests/test_pod_spec.py | 13 ++++++++++++- installers/charm/mysqld-exporter/config.yaml | 4 ++++ .../charm/mysqld-exporter/src/pod_spec.py | 7 +++++++ .../mysqld-exporter/tests/test_pod_spec.py | 13 ++++++++++++- installers/charm/nbi/config.yaml | 4 ++++ installers/charm/nbi/src/charm.py | 4 ++++ installers/charm/nbi/tests/test_charm.py | 1 + installers/charm/ng-ui/config.yaml | 4 ++++ installers/charm/ng-ui/src/charm.py | 4 ++++ installers/charm/ng-ui/tests/test_charm.py | 1 + installers/charm/prometheus/config.yaml | 4 ++++ installers/charm/prometheus/src/charm.py | 4 ++++ .../charm/prometheus/tests/test_charm.py | 1 + 22 files changed, 113 insertions(+), 10 deletions(-) diff --git a/installers/charm/grafana/config.yaml b/installers/charm/grafana/config.yaml index 37509dc7..19274e53 100644 --- a/installers/charm/grafana/config.yaml +++ b/installers/charm/grafana/config.yaml 
@@ -44,6 +44,10 @@ options: type: string description: Ingress URL default: "" + cluster_issuer: + type: string + description: Name of the cluster issuer for TLS certificates + default: "" osm_dashboards: type: boolean description: Enable OSM System monitoring dashboards diff --git a/installers/charm/grafana/src/charm.py b/installers/charm/grafana/src/charm.py index d10ccf23..bf6fbd9d 100755 --- a/installers/charm/grafana/src/charm.py +++ b/installers/charm/grafana/src/charm.py @@ -50,6 +50,7 @@ class ConfigModel(ModelValidator): max_file_size: int osm_dashboards: bool site_url: Optional[str] + cluster_issuer: Optional[str] ingress_whitelist_source_range: Optional[str] tls_secret_name: Optional[str] @@ -184,6 +185,9 @@ class GrafanaCharm(CharmedOsmBase): "nginx.ingress.kubernetes.io/whitelist-source-range" ] = config.ingress_whitelist_source_range + if config.cluster_issuer: + annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer + if parsed.scheme == "https": ingress_resource_builder.add_tls( [parsed.hostname], config.tls_secret_name diff --git a/installers/charm/grafana/tests/test_charm.py b/installers/charm/grafana/tests/test_charm.py index 4e269df9..5db3edab 100644 --- a/installers/charm/grafana/tests/test_charm.py +++ b/installers/charm/grafana/tests/test_charm.py @@ -43,6 +43,7 @@ class TestCharm(unittest.TestCase): "ingress_whitelist_source_range": "", "tls_secret_name": "", "site_url": "https://grafana.192.168.100.100.xip.io", + "cluster_issuer": "vault-issuer", "osm_dashboards": True, } self.harness.update_config(self.config) diff --git a/installers/charm/kafka-exporter/config.yaml b/installers/charm/kafka-exporter/config.yaml index a3aaa21a..8d3703e4 100644 --- a/installers/charm/kafka-exporter/config.yaml +++ b/installers/charm/kafka-exporter/config.yaml @@ -37,3 +37,7 @@ options: type: string description: Ingress URL default: "" + cluster_issuer: + type: string + description: Name of the cluster issuer for TLS certificates + default: "" 
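Review bot: The `cluster_issuer` description in `installers/charm/grafana/config.yaml` does not tell the operator what the option depends on. The commit message says cert-manager must be configured ahead of time, but that never reaches the option text. Something like `description: Name of an existing cert-manager ClusterIssuer used to request the Ingress TLS certificate; cert-manager must already be installed` would carry it. The same description is repeated in the other six `config.yaml` hunks of this patch.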
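Review bot: In `installers/charm/grafana/src/charm.py` the `cert-manager.io/cluster-issuer` annotation is set whenever `cluster_issuer` is non-empty, independent of the `parsed.scheme == "https"` branch and of `config.tls_secret_name` right below it. cert-manager only issues a certificate for an Ingress TLS entry that names a secret, so with an `http` `site_url` or an empty `tls_secret_name` the annotation likely has no effect and the endpoint is left without the intended certificate, with no error shown to the operator. The charm tests in this patch use exactly that combination (`"tls_secret_name": ""` with `"cluster_issuer": "vault-issuer"`). Consider rejecting `cluster_issuer` in `ConfigModel` unless `site_url` is https and `tls_secret_name` is set, or at least documenting the dependency. The same pattern appears in the nbi, ng-ui and prometheus `charm.py` hunks and in the three exporter `pod_spec.py` hunks; the enclosing method starts and ends outside the hunk.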
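Review bot: Nothing in this patch asserts that the `cert-manager.io/cluster-issuer` annotation is actually emitted. Grafana `tests/test_charm.py` only gains the config line `"cluster_issuer": "vault-issuer"` (one added line per the diffstat), and the nbi, ng-ui and prometheus charm tests do the same. In the three exporter `tests/test_pod_spec.py` files every config sets `"cluster_issuer": ""`, so the new `if cluster_issuer:` branch is never taken. A test with a non-empty issuer whose expected `annotations` contains the key, plus one showing the key is absent when the option is empty, would pin the behaviour.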
diff --git a/installers/charm/kafka-exporter/src/pod_spec.py b/installers/charm/kafka-exporter/src/pod_spec.py index a50d96f6..90886cb2 100644 --- a/installers/charm/kafka-exporter/src/pod_spec.py +++ b/installers/charm/kafka-exporter/src/pod_spec.py @@ -62,6 +62,9 @@ def _validate_data(config_data: Dict[str, Any], relation_data: Dict[str, Any]) - "site_url": lambda value, _: isinstance(value, str) if value is not None else True, + "cluster_issuer": lambda value, _: isinstance(value, str) + if value is not None + else True, "ingress_whitelist_source_range": lambda value, _: _validate_ip_network(value), "tls_secret_name": lambda value, _: isinstance(value, str) if value is not None @@ -146,6 +149,7 @@ def _make_pod_ingress_resources( return ingress_whitelist_source_range = config["ingress_whitelist_source_range"] + cluster_issuer = config["cluster_issuer"] annotations = {} @@ -154,6 +158,9 @@ def _make_pod_ingress_resources( "nginx.ingress.kubernetes.io/whitelist-source-range" ] = ingress_whitelist_source_range + if cluster_issuer: + annotations["cert-manager.io/cluster-issuer"] = cluster_issuer + ingress_spec_tls = None if parsed.scheme == "https": diff --git a/installers/charm/kafka-exporter/tests/test_charm.py b/installers/charm/kafka-exporter/tests/test_charm.py index 53613214..fc50b499 100644 --- a/installers/charm/kafka-exporter/tests/test_charm.py +++ b/installers/charm/kafka-exporter/tests/test_charm.py @@ -70,7 +70,7 @@ class TestCharm(unittest.TestCase): } ], "envConfig": {}, - "command": ["kafka-exporter", "--kafka.server=kafka:9090"], + "command": ["kafka_exporter", "--kafka.server=kafka:9090"], "kubernetes": { "readinessProbe": { "httpGet": { @@ -136,7 +136,7 @@ class TestCharm(unittest.TestCase): } ], "envConfig": {}, - "command": ["kafka-exporter", "--kafka.server=kafka:9090"], + "command": ["kafka_exporter", "--kafka.server=kafka:9090"], "kubernetes": { "readinessProbe": { "httpGet": { 
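Review bot: `cluster_issuer = config["cluster_issuer"]` in `_make_pod_ingress_resources` (kafka-exporter `src/pod_spec.py`) raises `KeyError` when the key is absent, although the validator lambda added in the first hunk of this file treats the value as optional by accepting `None`. This is presumably why every test config in the patch had to gain `"cluster_issuer": ""`. Using `cluster_issuer = config.get("cluster_issuer")` would keep the option optional for callers that build the dict themselves. The same line is added in the mongodb-exporter and mysqld-exporter `pod_spec.py` hunks; the function body continues outside the hunk.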
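Review bot: The `kafka-exporter` to `kafka_exporter` rename of the expected container command in kafka-exporter `tests/test_charm.py` is unrelated to the cluster-issuer annotation and is not mentioned in the commit message. No hunk in this patch changes the command in `src/pod_spec.py`, so these expectations presumably follow an earlier source change. A separate commit, or a sentence in the description, would make the fix traceable. The same edit repeats in the other three hunks of this file and in `tests/test_pod_spec.py`.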
@@ -228,7 +228,7 @@ class TestCharm(unittest.TestCase): } ], "envConfig": {}, - "command": ["kafka-exporter", "--kafka.server=kafka:9090"], + "command": ["kafka_exporter", "--kafka.server=kafka:9090"], "kubernetes": { "readinessProbe": { "httpGet": { @@ -329,7 +329,7 @@ class TestCharm(unittest.TestCase): } ], "envConfig": {}, - "command": ["kafka-exporter", "--kafka.server=kafka:9090"], + "command": ["kafka_exporter", "--kafka.server=kafka:9090"], "kubernetes": { "readinessProbe": { "httpGet": { diff --git a/installers/charm/kafka-exporter/tests/test_pod_spec.py b/installers/charm/kafka-exporter/tests/test_pod_spec.py index 44d99d8e..ad0e412f 100644 --- a/installers/charm/kafka-exporter/tests/test_pod_spec.py +++ b/installers/charm/kafka-exporter/tests/test_pod_spec.py @@ -58,7 +58,10 @@ class TestPodSpec(unittest.TestCase): def test_make_pod_ingress_resources_without_site_url(self) -> NoReturn: """Testing make pod ingress resources without site_url.""" - config = {"site_url": ""} + config = { + "cluster_issuer": "", + "site_url": "", + } app_name = "kafka-exporter" port = 9308 @@ -71,6 +74,7 @@ class TestPodSpec(unittest.TestCase): def test_make_pod_ingress_resources(self) -> NoReturn: """Testing make pod ingress resources.""" config = { + "cluster_issuer": "", "site_url": "http://kafka-exporter", "ingress_whitelist_source_range": "", } @@ -114,6 +118,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources with whitelist_source_range.""" config = { "site_url": "http://kafka-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "0.0.0.0/0", } app_name = "kafka-exporter" @@ -160,6 +165,7 @@ class TestPodSpec(unittest.TestCase): config = { "site_url": "https://kafka-exporter", "max_file_size": 0, + "cluster_issuer": "", "ingress_whitelist_source_range": "", "tls_secret_name": "", } 
@@ -203,6 +209,7 @@ class TestPodSpec(unittest.TestCase): config = { "site_url": "https://kafka-exporter", "max_file_size": 0, + "cluster_issuer": "", "ingress_whitelist_source_range": "", "tls_secret_name": "secret_name", } @@ -289,7 +296,7 @@ class TestPodSpec(unittest.TestCase): } expected_result = [ - "kafka-exporter", + "kafka_exporter", "--kafka.server={}:{}".format( relation.get("kafka_host"), relation.get("kafka_port") ), @@ -304,6 +311,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/kafka-exporter:latest"} config = { "site_url": "", + "cluster_issuer": "", } relation_state = { "kafka_host": "kafka", @@ -327,7 +335,7 @@ class TestPodSpec(unittest.TestCase): } ], "envConfig": {}, - "command": ["kafka-exporter", "--kafka.server=kafka:9090"], + "command": ["kafka_exporter", "--kafka.server=kafka:9090"], "kubernetes": { "readinessProbe": { "httpGet": { @@ -366,6 +374,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/kafka-exporter:latest"} config = { "site_url": "https://kafka-exporter", + "cluster_issuer": "", "tls_secret_name": "kafka-exporter", "max_file_size": 0, "ingress_whitelist_source_range": "0.0.0.0/0", @@ -392,7 +401,7 @@ class TestPodSpec(unittest.TestCase): } ], "envConfig": {}, - "command": ["kafka-exporter", "--kafka.server=kafka:9090"], + "command": ["kafka_exporter", "--kafka.server=kafka:9090"], "kubernetes": { "readinessProbe": { "httpGet": { @@ -466,6 +475,7 @@ class TestPodSpec(unittest.TestCase): image_info = None config = { "site_url": "", + "cluster_issuer": "", } relation_state = { "kafka_host": "kafka", @@ -485,6 +495,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/kafka-exporter:latest"} config = { "site_url": "", + "cluster_issuer": "", } relation_state = {} app_name = "kafka-exporter" diff --git a/installers/charm/mongodb-exporter/config.yaml b/installers/charm/mongodb-exporter/config.yaml index a3aaa21a..8d3703e4 100644 
--- a/installers/charm/mongodb-exporter/config.yaml +++ b/installers/charm/mongodb-exporter/config.yaml @@ -37,3 +37,7 @@ options: type: string description: Ingress URL default: "" + cluster_issuer: + type: string + description: Name of the cluster issuer for TLS certificates + default: "" diff --git a/installers/charm/mongodb-exporter/src/pod_spec.py b/installers/charm/mongodb-exporter/src/pod_spec.py index 8255b201..0cc3f8ca 100644 --- a/installers/charm/mongodb-exporter/src/pod_spec.py +++ b/installers/charm/mongodb-exporter/src/pod_spec.py @@ -62,6 +62,9 @@ def _validate_data(config_data: Dict[str, Any], relation_data: Dict[str, Any]) - "site_url": lambda value, _: isinstance(value, str) if value is not None else True, + "cluster_issuer": lambda value, _: isinstance(value, str) + if value is not None + else True, "ingress_whitelist_source_range": lambda value, _: _validate_ip_network(value), "tls_secret_name": lambda value, _: isinstance(value, str) if value is not None @@ -158,6 +161,8 @@ def _make_pod_ingress_resources( return ingress_whitelist_source_range = config["ingress_whitelist_source_range"] + cluster_issuer = config["cluster_issuer"] + annotations = {} if ingress_whitelist_source_range: @@ -165,6 +170,9 @@ def _make_pod_ingress_resources( "nginx.ingress.kubernetes.io/whitelist-source-range" ] = ingress_whitelist_source_range + if cluster_issuer: + annotations["cert-manager.io/cluster-issuer"] = cluster_issuer + ingress_spec_tls = None if parsed.scheme == "https": diff --git a/installers/charm/mongodb-exporter/tests/test_pod_spec.py b/installers/charm/mongodb-exporter/tests/test_pod_spec.py index 3e312f48..94ab6fb5 100644 --- a/installers/charm/mongodb-exporter/tests/test_pod_spec.py +++ b/installers/charm/mongodb-exporter/tests/test_pod_spec.py 
@@ -60,7 +60,10 @@ class TestPodSpec(unittest.TestCase): def test_make_pod_ingress_resources_without_site_url(self) -> NoReturn: """Testing make pod ingress resources without site_url.""" - config = {"site_url": ""} + config = { + "site_url": "", + "cluster_issuer": "", + } app_name = "mongodb-exporter" port = 9216 @@ -74,6 +77,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources.""" config = { "site_url": "http://mongodb-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "", } app_name = "mongodb-exporter" @@ -116,6 +120,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources with whitelist_source_range.""" config = { "site_url": "http://mongodb-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "0.0.0.0/0", } app_name = "mongodb-exporter" @@ -161,6 +166,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources with HTTPs.""" config = { "site_url": "https://mongodb-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "", "tls_secret_name": "", } @@ -203,6 +209,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources with HTTPs and TLS secret name.""" config = { "site_url": "https://mongodb-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "", "tls_secret_name": "secret_name", } @@ -286,6 +293,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"} config = { "site_url": "", + "cluster_issuer": "", } relation_state = { "mongodb_connection_string": "mongodb://mongo", @@ -348,6 +356,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"} config = { "site_url": "https://mongodb-exporter", + "cluster_issuer": "", "tls_secret_name": "mongodb-exporter", "ingress_whitelist_source_range": "0.0.0.0/0", } 
@@ -447,6 +456,7 @@ class TestPodSpec(unittest.TestCase): image_info = None config = { "site_url": "", + "cluster_issuer": "", } relation_state = { "mongodb_connection_string": "mongodb://mongo", @@ -465,6 +475,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/mongodb-exporter:latest"} config = { "site_url": "", + "cluster_issuer": "", } relation_state = {} app_name = "mongodb-exporter" diff --git a/installers/charm/mysqld-exporter/config.yaml b/installers/charm/mysqld-exporter/config.yaml index a3aaa21a..8d3703e4 100644 --- a/installers/charm/mysqld-exporter/config.yaml +++ b/installers/charm/mysqld-exporter/config.yaml @@ -37,3 +37,7 @@ options: type: string description: Ingress URL default: "" + cluster_issuer: + type: string + description: Name of the cluster issuer for TLS certificates + default: "" diff --git a/installers/charm/mysqld-exporter/src/pod_spec.py b/installers/charm/mysqld-exporter/src/pod_spec.py index ec842218..e371030c 100644 --- a/installers/charm/mysqld-exporter/src/pod_spec.py +++ b/installers/charm/mysqld-exporter/src/pod_spec.py @@ -62,6 +62,9 @@ def _validate_data(config_data: Dict[str, Any], relation_data: Dict[str, Any]) - "site_url": lambda value, _: isinstance(value, str) if value is not None else True, + "cluster_issuer": lambda value, _: isinstance(value, str) + if value is not None + else True, "ingress_whitelist_source_range": lambda value, _: _validate_ip_network(value), "tls_secret_name": lambda value, _: isinstance(value, str) if value is not None @@ -152,6 +155,7 @@ def _make_pod_ingress_resources( return ingress_whitelist_source_range = config["ingress_whitelist_source_range"] + cluster_issuer = config["cluster_issuer"] annotations = {} 
@@ -160,6 +164,9 @@ def _make_pod_ingress_resources( "nginx.ingress.kubernetes.io/whitelist-source-range" ] = ingress_whitelist_source_range + if cluster_issuer: + annotations["cert-manager.io/cluster-issuer"] = cluster_issuer + ingress_spec_tls = None if parsed.scheme == "https": diff --git a/installers/charm/mysqld-exporter/tests/test_pod_spec.py b/installers/charm/mysqld-exporter/tests/test_pod_spec.py index c2dd1e25..a9c29eff 100644 --- a/installers/charm/mysqld-exporter/tests/test_pod_spec.py +++ b/installers/charm/mysqld-exporter/tests/test_pod_spec.py @@ -68,7 +68,10 @@ class TestPodSpec(unittest.TestCase): def test_make_pod_ingress_resources_without_site_url(self) -> NoReturn: """Testing make pod ingress resources without site_url.""" - config = {"site_url": ""} + config = { + "site_url": "", + "cluster_issuer": "", + } app_name = "mysqld-exporter" port = 9104 @@ -82,6 +85,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources.""" config = { "site_url": "http://mysqld-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "", } app_name = "mysqld-exporter" @@ -124,6 +128,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources with whitelist_source_range.""" config = { "site_url": "http://mysqld-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "0.0.0.0/0", } app_name = "mysqld-exporter" @@ -169,6 +174,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources with HTTPs.""" config = { "site_url": "https://mysqld-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "", "tls_secret_name": "", } @@ -211,6 +217,7 @@ class TestPodSpec(unittest.TestCase): """Testing make pod ingress resources with HTTPs and TLS secret name.""" config = { "site_url": "https://mysqld-exporter", + "cluster_issuer": "", "ingress_whitelist_source_range": "", "tls_secret_name": "secret_name", } 
@@ -294,6 +301,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/mysqld-exporter:latest"} config = { "site_url": "", + "cluster_issuer": "", } relation_state = { "mysql_host": "mysql", @@ -362,6 +370,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/mysqld-exporter:latest"} config = { "site_url": "https://mysqld-exporter", + "cluster_issuer": "", "tls_secret_name": "mysqld-exporter", "ingress_whitelist_source_range": "0.0.0.0/0", } @@ -467,6 +476,7 @@ class TestPodSpec(unittest.TestCase): image_info = None config = { "site_url": "", + "cluster_issuer": "", } relation_state = { "mysql_host": "mysql", @@ -489,6 +499,7 @@ class TestPodSpec(unittest.TestCase): image_info = {"upstream-source": "bitnami/mysqld-exporter:latest"} config = { "site_url": "", + "cluster_issuer": "", } relation_state = {} app_name = "mysqld-exporter" diff --git a/installers/charm/nbi/config.yaml b/installers/charm/nbi/config.yaml index ff6b7e13..ef0792bc 100644 --- a/installers/charm/nbi/config.yaml +++ b/installers/charm/nbi/config.yaml @@ -44,6 +44,10 @@ options: type: string description: Ingress URL default: "" + cluster_issuer: + type: string + description: Name of the cluster issuer for TLS certificates + default: "" log_level: description: "Log Level" type: string diff --git a/installers/charm/nbi/src/charm.py b/installers/charm/nbi/src/charm.py index 7efc5b0d..1f5812af 100755 --- a/installers/charm/nbi/src/charm.py +++ b/installers/charm/nbi/src/charm.py @@ -56,6 +56,7 @@ class ConfigModel(ModelValidator): log_level: str max_file_size: int site_url: Optional[str] + cluster_issuer: Optional[str] ingress_whitelist_source_range: Optional[str] tls_secret_name: Optional[str] 
@@ -240,6 +241,9 @@ class NbiCharm(CharmedOsmBase): "nginx.ingress.kubernetes.io/whitelist-source-range" ] = config.ingress_whitelist_source_range + if config.cluster_issuer: + annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer + if parsed.scheme == "https": ingress_resource_builder.add_tls( [parsed.hostname], config.tls_secret_name diff --git a/installers/charm/nbi/tests/test_charm.py b/installers/charm/nbi/tests/test_charm.py index c4e857fe..2b4ea0fe 100644 --- a/installers/charm/nbi/tests/test_charm.py +++ b/installers/charm/nbi/tests/test_charm.py @@ -48,6 +48,7 @@ class TestCharm(unittest.TestCase): "ingress_whitelist_source_range": "", "tls_secret_name": "", "site_url": "https://nbi.192.168.100.100.xip.io", + "cluster_issuer": "vault-issuer", } self.harness.update_config(self.config) diff --git a/installers/charm/ng-ui/config.yaml b/installers/charm/ng-ui/config.yaml index 279b7591..df096983 100644 --- a/installers/charm/ng-ui/config.yaml +++ b/installers/charm/ng-ui/config.yaml @@ -45,3 +45,7 @@ options: type: string description: Ingress URL default: "" + cluster_issuer: + type: string + description: Name of the cluster issuer for TLS certificates + default: "" diff --git a/installers/charm/ng-ui/src/charm.py b/installers/charm/ng-ui/src/charm.py index bf301f32..5efaaaef 100755 --- a/installers/charm/ng-ui/src/charm.py +++ b/installers/charm/ng-ui/src/charm.py @@ -50,6 +50,7 @@ class ConfigModel(ModelValidator): server_name: str max_file_size: int site_url: Optional[str] + cluster_issuer: Optional[str] ingress_whitelist_source_range: Optional[str] tls_secret_name: Optional[str] @@ -158,6 +159,9 @@ class NgUiCharm(CharmedOsmBase): "nginx.ingress.kubernetes.io/whitelist-source-range" ] = config.ingress_whitelist_source_range + if config.cluster_issuer: + annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer + if parsed.scheme == "https": ingress_resource_builder.add_tls( [parsed.hostname], config.tls_secret_name 
diff --git a/installers/charm/ng-ui/tests/test_charm.py b/installers/charm/ng-ui/tests/test_charm.py index 5b5327bc..38ad38b8 100644 --- a/installers/charm/ng-ui/tests/test_charm.py +++ b/installers/charm/ng-ui/tests/test_charm.py @@ -45,6 +45,7 @@ class TestCharm(unittest.TestCase): "ingress_whitelist_source_range": "", "tls_secret_name": "", "site_url": "https://ui.192.168.100.100.xip.io", + "cluster_issuer": "vault-issuer", } self.harness.update_config(self.config) diff --git a/installers/charm/prometheus/config.yaml b/installers/charm/prometheus/config.yaml index 9f35e511..a5f5e8a1 100644 --- a/installers/charm/prometheus/config.yaml +++ b/installers/charm/prometheus/config.yaml @@ -52,6 +52,10 @@ options: type: string description: Ingress URL default: "" + cluster_issuer: + type: string + description: Name of the cluster issuer for TLS certificates + default: "" enable_web_admin_api: type: boolean description: Boolean to enable the web admin api diff --git a/installers/charm/prometheus/src/charm.py b/installers/charm/prometheus/src/charm.py index 5cd163da..e71d949f 100755 --- a/installers/charm/prometheus/src/charm.py +++ b/installers/charm/prometheus/src/charm.py @@ -55,6 +55,7 @@ class ConfigModel(ModelValidator): default_target: str max_file_size: int site_url: Optional[str] + cluster_issuer: Optional[str] ingress_whitelist_source_range: Optional[str] tls_secret_name: Optional[str] enable_web_admin_api: bool @@ -206,6 +207,9 @@ class PrometheusCharm(CharmedOsmBase): "nginx.ingress.kubernetes.io/whitelist-source-range" ] = config.ingress_whitelist_source_range + if config.cluster_issuer: + annotations["cert-manager.io/cluster-issuer"] = config.cluster_issuer + if parsed.scheme == "https": ingress_resource_builder.add_tls( [parsed.hostname], config.tls_secret_name diff --git a/installers/charm/prometheus/tests/test_charm.py b/installers/charm/prometheus/tests/test_charm.py index dd8b732c..0713a845 100644 --- a/installers/charm/prometheus/tests/test_charm.py 
+++ b/installers/charm/prometheus/tests/test_charm.py @@ -45,6 +45,7 @@ class TestCharm(unittest.TestCase): "ingress_whitelist_source_range": "", "tls_secret_name": "", "site_url": "https://prometheus.192.168.100.100.xip.io", + "cluster_issuer": "vault-issuer", "enable_web_admin_api": False, } self.harness.update_config(self.config) -- 2.17.1