From 1275a4c7e0965eae222282514b0bd0b627dfcadf Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Sun, 13 May 2018 12:49:30 -0500 Subject: [PATCH] Update toolkit to support ingress TLS This patch set cleans up inflight patch [1] by moving helm-toolkit changes to OSH-infra per [0]. [0] https://review.openstack.org/#/c/558065/ [1] https://review.openstack.org/#/c/566350/ Change-Id: Ifdf3a1d11f2a7cb424476d57d407a224b1ab80eb Needed-by: I8f1b699af29cbed2d83ad91bb6840dccce8c5146 Signed-off-by: Tin Lam Signed-off-by: Pete Birley --- .../_hostname_fqdn_endpoint_lookup.tpl | 5 +++ .../_keystone_endpoint_uri_lookup.tpl | 5 +++ .../templates/manifests/_ingress.yaml.tpl | 18 ++++++-- .../templates/manifests/_secret-tls.yaml.tpl | 41 +++++++++++++++++++ .../templates/manifests/_service-ingress.tpl | 2 + 5 files changed, 68 insertions(+), 3 deletions(-) create mode 100644 helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
diff --git a/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
index 20a1cff86..3da61f2a7 100644
--- a/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
+++ b/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -32,7 +32,12 @@ limitations under the License.
 {{- $endpointScheme := .scheme }}
 {{- $endpointHost := index .hosts $endpoint | default .hosts.default }}
 {{- $endpointClusterHostname := printf "%s.%s.%s" $endpointHost $namespace $clusterSuffix }}
+{{- if kindIs "map" (index .host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index .host_fqdn_override $endpoint "host" | default .host_fqdn_override.default | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
 {{- $endpointHostname := index .host_fqdn_override $endpoint | default .host_fqdn_override.default | default $endpointClusterHostname }}
 {{- printf "%s" $endpointHostname -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
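Review bot: In `_hostname_fqdn_endpoint_lookup.tpl` the new `kindIs "map"` branch reads the `host` key from the per-endpoint override, but the fallback `.host_fqdn_override.default` is still piped through as a plain string. If an operator writes `default` in the same map form (host plus tls), `printf "%s"` would presumably render the map itself as the hostname, so either apply the same `kindIs "map"` test to the default before using it, or add a comment stating that `default` must remain a string. The same pattern is in the `_keystone_endpoint_uri_lookup.tpl` hunk, where the value ends up inside the endpoint URI. The `define` block starts above the hunk; a header comment there showing both accepted shapes of an override entry (string, or map with `host` and `tls`) would help chart authors.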
diff --git a/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
index 8c13651ef..d075f35ed 100644
--- a/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
+++ b/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -38,8 +38,13 @@ limitations under the License.
 {{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
 {{- printf "%s://%s:%1.f%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
 {{- else -}}
+{{- if kindIs "map" (index .host_fqdn_override $endpoint) }}
+{{- $endpointFqdnHostname := index .host_fqdn_override $endpoint "host" | default .host_fqdn_override.default | default $endpointClusterHostname }}
+{{- printf "%s://%s:%1.f%s" $endpointScheme $endpointFqdnHostname $endpointPort $endpointPath -}}
+{{- else }}
 {{- $endpointFqdnHostname := index .host_fqdn_override $endpoint | default .host_fqdn_override.default | default $endpointClusterHostname }}
 {{- printf "%s://%s:%1.f%s" $endpointScheme $endpointFqdnHostname $endpointPort $endpointPath -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/helm-toolkit/templates/manifests/_ingress.yaml.tpl b/helm-toolkit/templates/manifests/_ingress.yaml.tpl
index 09ca8515f..0934c36f2 100644
--- a/helm-toolkit/templates/manifests/_ingress.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_ingress.yaml.tpl
@@ -56,18 +56,30 @@ spec:
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4}}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
 {{- $hostNameFullRules := dict "vHost" $hostNameFull "backendName" $backendName "backendPort" $backendPort }}
-{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4}}
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
- name: {{ printf "%s-%s" $ingressName "fqdn" }}
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
 annotations:
- kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "cluster" | quote }}
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
 {{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
 spec:
+{{- $host := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" }}
+{{- if $host.public }}
+{{- if $host.public.tls }}
+{{- if and $host.public.tls.key $host.public.tls.crt }}
+ tls:
+ - secretName: {{ index $envAll.Values.secrets "tls" $backendServiceType $backendService "public" }}
+ hosts:
+ - {{ index $hostNameFullRules "vHost" }}
+{{- end }}
+{{- end }}
+{{- end }}
 rules:
 {{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4}}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 000000000..1ca967f32
--- /dev/null
+++ b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
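Review bot: In `_ingress.yaml.tpl` the added `{{- if $host.public }}` / `{{- if $host.public.tls }}` chain assumes the public override is a map, while the endpoint lookups in this same patch still accept a plain string there. With a string value the `.tls` field access will most likely abort rendering, so the outer test is safer as `{{- if kindIs "map" $host.public }}`. Separately, when only one of `tls.key` and `tls.crt` is set the `tls:` block is skipped without any error, so a typo in values yields an ingress with no TLS section; failing the render in that case would surface the mistake. The `secretName` value is also emitted unquoted and with `"public"` hard-coded, unlike the quoted `ingress.class` annotation above it. The enclosing `define` starts above the hunk.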
@@ -0,0 +1,41 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" }}
+{{- if $host.public }}
+{{- if $host.public.tls }}
+{{- if and $host.public.tls.key $host.public.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls $backendServiceType $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ $host.public.tls.crt | b64enc }}
+ tls.key: {{ $host.public.tls.key | b64enc }}
+{{- if $host.public.tls.ca }}
+ tls.ca: {{ $host.public.tls.ca | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm-toolkit/templates/manifests/_service-ingress.tpl b/helm-toolkit/templates/manifests/_service-ingress.tpl
index 859b4b116..05bf343a9 100644
--- a/helm-toolkit/templates/manifests/_service-ingress.tpl
+++ b/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -31,6 +31,8 @@ spec:
 ports:
 - name: http
 port: 80
+ - name: https
+ port: 443
 selector:
 app: ingress-api
 {{- if index $envAll.Values.endpoints $backendServiceType }}
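Review bot: In `_secret-tls.yaml.tpl` the Secret name is looked up with `$endpoint`, but the certificate and key are always read from `$host.public`, so a caller passing any other endpoint would get a Secret named for that endpoint that holds the public material. Either drop the `endpoint` parameter or read the entry through `index $host $endpoint` so name and content stay in step; the ingress template hard-codes `"public"` for `secretName`, so the two should agree. The extra `tls.ca` key is, as far as I know, not one that consumers of `kubernetes.io/tls` Secrets look for (`ca.crt` is the usual name), so it is worth confirming what reads it. The header comment should also state that the private key arrives through chart values and is therefore kept wherever those values and the release record are stored, so read access to both needs to be restricted.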