share: Add cert-manager

share/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: SHARE
 name: share
-version: 0.1.0
+version: 0.2.0
 keywords:
   - open
   - science

share/templates/_helpers.tpl

@@ -51,6 +51,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s-%s" .Release.Name $name .Values.web.name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create a default fully qualified certificate name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "share.web.certificate.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.web.certificate.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified worker name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

share/templates/certificate.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.web.certificate.enabled -}}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: "{{ template "share.web.certificate.fullname" . }}"
+  labels:
+    app: {{ template "share.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: "{{ template "share.web.certificate.fullname" . }}"
+  issuerRef:
+    name: {{ .Values.web.certificate.issuerRef.name }}
+    kind: {{ .Values.web.certificate.issuerRef.kind }}
+  commonName: {{ .Values.web.certificate.commonName }}
+  dnsNames:
+    {{- range .Values.web.certificate.dnsNames }}
+    - {{ . }}
+    {{- end }}
+  acme:
+    config:
+      - http01:
+          {{- if hasKey .Values.web.certificate.acmeConfig.http01 "ingress" }}
+          ingress: {{ .Values.web.certificate.acmeConfig.http01.ingress }}
+          {{- else }}
+          ingress: {{ template "share.web.fullname" . }}
+          {{- end }}
+        domains:
+          {{- range .Values.web.certificate.acmeConfig.domains }}
+          - {{ . }}
+          {{- end }}
+{{- end -}}

share/templates/web-ingress.yaml

@@ -26,8 +26,17 @@ spec:
               servicePort: {{ $.Values.web.service.name }}
           {{- end -}}
     {{- end -}}
-  {{- if .Values.web.ingress.tls }}
+  {{- if (or .Values.web.ingress.tls (and .Values.web.certificate.enabled .Values.web.certificate.tls)) }}
   tls:
+    {{- if .Values.web.ingress.tls }}
     {{- toYaml .Values.web.ingress.tls | nindent 4 }}
+    {{- end -}}
+    {{- if (and .Values.web.certificate.enabled .Values.web.certificate.tls) }}
+    - secretName: "{{ template "share.web.certificate.fullname" . }}"
+      hosts:
+        {{- range .Values.web.certificate.acmeConfig.domains }}
+        - {{ . }}
+        {{- end }}
+    {{- end -}}
   {{- end -}}
 {{- end -}}

share/values.yaml

@@ -78,6 +78,27 @@ web:
       #   hosts:
       #     - chart-example.local
 
+  certificate:
+    enabled: false
+    name: cert
+    # WORKAROUND: Ingress deploy blocked to GLBC due to race condition w/ missing TLS certificate
+    # - Issue: https://github.com/jetstack/cert-manager/issues/606
+    # - PR: https://github.com/kubernetes/ingress-gce/pull/388
+    tls: true
+    # issuerRef:
+    #   name: letsencrypt-prod
+    #   kind: ClusterIssuer
+    # commonName: example.org
+    # dnsNames:
+    #   - example.org
+    #   - subdomain.example.org
+    # acmeConfig:
+    #   http01: {}
+    #     # ingress: ''
+    #   domains:
+    #     - example.org
+    #     - subdomain.example.org
+
   env: {}
 
   volumeMounts: []