
feat(certs-patch): annotation + more granularity #276

Open
wants to merge 9 commits into
base: master
118 changes: 118 additions & 0 deletions packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml
@@ -0,0 +1,118 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP

exports[`test build manifests with snapshots ingress-cert-optout.dev 1`] = `
"apiVersion: v1
kind: Namespace
metadata:
annotations:
field.cattle.io/projectId: \\"1234\\"
kontinuous/gitBranch: feature-branch-1
kontinuous/mainNamespace: \\"true\\"
kapp.k14s.io/exists: \\"\\"
kontinuous/chartPath: project.fabrique.contrib.rancher-namespace
kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
janitor/ttl: 7d
labels:
application: test-ingress-cert-optout
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
kontinuous/ref: feature-branch-1
kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/resourceName: namespace-test-ingress-cert-optout-feature-branch-1-2p8sssrl
app.kubernetes.io/manifest-managed-by: kontinuous
app.kubernetes.io/manifest-created-by: kontinuous
name: test-ingress-cert-optout-feature-branch-1
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: netpol-ingress
namespace: test-ingress-cert-optout-feature-branch-1
annotations:
kontinuous/chartPath: project.fabrique.contrib.security-policies
kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
labels:
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
kontinuous/ref: feature-branch-1
kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/resourceName: networkpolicy-netpol-ingress-61ndxljw
app.kubernetes.io/manifest-managed-by: kontinuous
app.kubernetes.io/manifest-created-by: kontinuous
spec:
ingress:
- from:
- podSelector: {}
- from:
- namespaceSelector:
matchLabels:
network-policy/source: ingress-controller
- from:
- namespaceSelector:
matchLabels:
network-policy/source: monitoring
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
annotations:
kontinuous/chartPath: project.fabrique.contrib.security-policies
kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
labels:
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
kontinuous/ref: feature-branch-1
kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/resourceName: serviceaccount-default-2g5dmk74
app.kubernetes.io/manifest-managed-by: kontinuous
app.kubernetes.io/manifest-created-by: kontinuous
namespace: test-ingress-cert-optout-feature-branch-1
automountServiceAccountToken: false
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: files-public
annotations:
kubernetes.io/ingress.class: nginx
kontinuous/use-cert-manager: \\"false\\"
kontinuous/chartPath: project
kontinuous/source: project/templates/ingress.yaml
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
labels:
kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
kontinuous/ref: feature-branch-1
kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
kontinuous/resourceName: ingress-files-public-5krby9jg
app.kubernetes.io/manifest-managed-by: kontinuous
app.kubernetes.io/manifest-created-by: kontinuous
namespace: test-ingress-cert-optout-feature-branch-1
spec:
tls:
- hosts:
- test.fabrique.social.gouv.fr
rules:
- host: test.fabrique.social.gouv.fr
http:
paths:
- path: /
pathType: Exact
backend:
service:
name: app
port:
number: 80
"
`;
@@ -0,0 +1,3 @@
dependencies:
fabrique:
import: socialgouv/kontinuous/plugins/fabrique
@@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: files-public
annotations:
kubernetes.io/ingress.class: nginx
kontinuous/use-cert-manager: "false"
spec:
tls:
- hosts:
- test.fabrique.social.gouv.fr
rules:
- host: test.fabrique.social.gouv.fr
http:
paths:
- path: /
pathType: Exact
backend:
service:
name: app
port:
number: 80
57 changes: 40 additions & 17 deletions plugins/contrib/patches/certs.js
@@ -1,15 +1,21 @@
module.exports = (manifests, options) => {
const hasWildcard = (host) => host.endsWith(options.wildcardHost)
const isInternalHost = (host) =>
options.internalHosts.some((internalHost) => host.endsWith(internalHost))

const {
annotationEnableKey = "kontinuous/use-cert-manager",
defaultEnabled = true,
detectWildcard = true,
internalHosts = [],
detectInternal = internalHosts.length > 0,
secretName = "wildcard-crt",
clusterIssuer = "letsencrypt-prod",
namespaceLabels = {
cert: "wildcard",
},
} = options

const hasWildcard = (host) => host.endsWith(options.wildcardHost)
const isInternalHost = (host) =>
internalHosts.some((internalHost) => host.endsWith(internalHost))

const wildcardNamespaces = new Set()

for (const manifest of manifests) {
@@ -24,20 +30,37 @@ module.exports = (manifests, options) => {
tlsEntry.secretName = secretName
}

// apply cert-manager annotations only for internal, non-wildcard hosts
if (!hosts.every(hasWildcard) && hosts.every(isInternalHost)) {
if (!manifest.metadata) {
manifest.metadata = {}
}
if (!manifest.metadata.annotations) {
manifest.metadata.annotations = {}
}
Object.assign(manifest.metadata.annotations, {
"cert-manager.io": "cluster-issuer",
"cert-manager.io/cluster-issuer": clusterIssuer,
"kubernetes.io/tls-acme": "true",
})
let enabled = defaultEnabled

const annotationEnableValue =
manifest.metadata?.annotations?.[annotationEnableKey]
if (
annotationEnableValue !== undefined &&
annotationEnableValue !== null &&
annotationEnableValue !== ""
) {
enabled = annotationEnableValue !== "false"
} else if (detectWildcard && hosts.some(hasWildcard)) {
enabled = false
} else if (detectInternal && !hosts.every(isInternalHost)) {
enabled = false
}

if (!enabled) {
continue
}

if (!manifest.metadata) {
manifest.metadata = {}
}
if (!manifest.metadata.annotations) {
manifest.metadata.annotations = {}
}
Object.assign(manifest.metadata.annotations, {
"cert-manager.io": "cluster-issuer",
"cert-manager.io/cluster-issuer": clusterIssuer,
"kubernetes.io/tls-acme": "true",
})
}
}
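Review bot: The opt-out check `enabled = annotationEnableValue !== "false"` only recognises the string form, so an unquoted YAML value (`kontinuous/use-cert-manager: false`, parsed as a boolean before this patch runs) passes the non-empty guard above it and enables cert-manager — the opposite of what the author asked for; the new test fixture only covers the quoted `"false"` case, so the snapshot would not catch this. Normalising the value before comparing, `enabled = String(annotationEnableValue) !== "false"`, keeps the existing guard and handles both spellings. It is also worth documenting next to the `let enabled = defaultEnabled` line that an explicit annotation wins over both the wildcard and internal-host detection, since a `"true"` value now requests cert-manager issuance for hosts those guards would have skipped, and — if the earlier secretName branch above the hunk applied — on a TLS entry that points at the shared wildcard secret; whether that combination should be allowed or rejected is not settled by this change. The enclosing exported function starts outside this hunk.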