Comments (7)
Thank you for the explanation. If you have a working example, would you mind raising a PR with the proof of concept and describing how to test the setup?
from data-center-helm-charts.
@pathob, can you please expand on the use case? Do you want to define a fully qualified domain name for the instance host and wildcard for TLS hosts? E.g. ingress.host: jira.staging.example.com and ingress.tlsHost: *.staging.example.com?
In our setup we are usually using ingress configuration that is described here:
https://atlassian.github.io/data-center-helm-charts/examples/ingress/INGRESS_NGINX/#ingress-resource-configuration
We have a wildcard certificate for the domain and then we have an Issuer that will create a TLS certificate for the instance domain name when it is installed. Would this setup work for you?
I just would like to understand whether we need to extend the helm chart to cater for a new use case and if so, understand the use case in more detail. Thank you very much.
from data-center-helm-charts.
Hi @nanux
Do you want to define a fully qualified domain name for the instance host and wildcard for TLS hosts? E.g. ingress.host: jira.staging.example.com and ingress.tlsHost: *.staging.example.com?
Yes, exactly
In our setup we are usually using ingress configuration that is described here: https://atlassian.github.io/data-center-helm-charts/examples/ingress/INGRESS_NGINX/#ingress-resource-configuration
We have a wildcard certificate for the domain and then we have an Issuer that will create a TLS certificate for the instance domain name when it is installed. Would this setup work for you?
I'm not sure whether I fully understand. Yes, we're also using the ingress configuration you mentioned. And we are also working with an issuer (ClusterIssuer) that can issue TLS certificates for the instance domain name (e.g. jira.staging.example.com). The problem is that we cannot make the cert-manager issue or re-use existing wildcard-certificates in pre-production environments. And we would like to be able to use wildcard-certificates here, because:
- that helps to prevent running into the "Certificates per Registered Domain" limit by Let's Encrypt
- issuing a new TLS certificate for the instance domain name can take a moment and makes deployments very slow when many instances are involved.
To give more details: in our setup, developers can create a new test environment dynamically based on a PR and involving quite a large number of services, e.g.
- developer 1: jira.pr42.example.com, confluence.pr42.example.com, keycloak.pr42.example.com, jenkins.pr42.example.com, ...
- developer 2: jira.pr43.example.com, confluence.pr43.example.com, keycloak.pr43.example.com, jenkins.pr43.example.com, ...
- etc.
Being able to set ingress.tlsHost: *.pr42.example.com would allow us to work with the same wildcard certificate in all instances (cert-manager automatically takes care of that). I also tried to solve that with cert-manager "Ingress shims" but that doesn't seem to be possible.
I hope this explanation is more clear now.
Thank you!
from data-center-helm-charts.
I will get back to you soon, thanks
from data-center-helm-charts.
Hey @pathob,
Just wondering if you've had time to look into this yet? If not I might close this issue for now.
from data-center-helm-charts.
@pathob I can see what you are trying to achieve here. I was just wondering if wildcard works for you in rules[0].host. Obviously not, otherwise you'd never raise this issue. The change should be pretty straightforward:
    spec:
      {{ if and (.Values.ingress.tlsSecretName) (.Values.ingress.tlsHost) }}
      tls:
        - hosts:
            # quoted: an unquoted leading "*" would be parsed as a YAML alias
            - {{ .Values.ingress.tlsHost | quote }}
          secretName: {{ .Values.ingress.tlsSecretName }}
      {{ end }}
and in values have ingress.tlsHost or even better a list of hosts (then the syntax in ingress template will be different).
from data-center-helm-charts.
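The relationship between ingress.host and a wildcard ingress.tlsHost discussed in this thread can be checked before deployment. The following is an added example, not part of the issue or the chart: it assumes the single-label wildcard matching used for Ingress and TLS hosts, and the list key ingress.tlsHosts is a hypothetical name for the "list of hosts" variant mentioned above.

```python
def tls_host_covers(tls_host: str, host: str) -> bool:
    """True if a TLS host entry (exact name or '*.' wildcard) covers host.

    A wildcard stands for exactly one left-most DNS label, so
    '*.pr42.example.com' covers 'jira.pr42.example.com' but neither
    'pr42.example.com' nor 'a.b.pr42.example.com'.
    """
    tls_host = tls_host.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not tls_host.startswith("*."):
        return tls_host == host
    suffix = tls_host[1:]                 # e.g. ".pr42.example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]          # what the "*" has to stand for
    return bool(label) and "." not in label and "*" not in label


def check_ingress(values: dict) -> list:
    """Return a list of problems found in an 'ingress' values block."""
    ing = values.get("ingress", {})
    host = ing.get("host")
    # ingress.tlsHosts is a hypothetical list form; tlsHost is the single value
    tls_hosts = list(ing.get("tlsHosts") or [])
    if ing.get("tlsHost"):
        tls_hosts.append(ing["tlsHost"])
    problems = []
    if tls_hosts and not ing.get("tlsSecretName"):
        # the template proposed in the thread renders tls only if both are set
        problems.append("tlsHost set without tlsSecretName: no tls block is rendered")
    for t in tls_hosts:
        if "*" in t and not (t.startswith("*.") and "*" not in t[2:]):
            problems.append(f"unsupported wildcard form: {t}")
    if host and tls_hosts and not any(tls_host_covers(t, host) for t in tls_hosts):
        problems.append(f"{host} is not covered by any TLS host {tls_hosts}")
    return problems


# Constructed sample values, using the host names from the thread.
GOOD = {"ingress": {"host": "jira.pr42.example.com",
                    "tlsHost": "*.pr42.example.com",
                    "tlsSecretName": "pr42-wildcard-tls"}}
MISMATCH = {"ingress": {"host": "jira.pr43.example.com",
                        "tlsHost": "*.pr42.example.com",
                        "tlsSecretName": "pr42-wildcard-tls"}}

if __name__ == "__main__":
    for name, vals in (("GOOD", GOOD), ("MISMATCH", MISMATCH)):
        print(name, check_ingress(vals) or "ok")
```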
Closing due to no response. Feel free to reopen.
from data-center-helm-charts.