Fix OAuth2 TLS consistency and simplify ingress template

Copilot · phrocker · Copilot · commit 245c235e7a15 · 2025-07-02T11:03:06.000Z
Co-authored-by: phrocker &lt;1781585+phrocker@users.noreply.github.com&gt;
diff --git a/ops-scripts/local/deploy-helm.sh b/ops-scripts/local/deploy-helm.sh
@@ -60,6 +60,9 @@ if ! kubectl get deployment cert-manager -n cert-manager >/dev/null 2>&1 || \
             echo "ERROR: Failed to install cert-manager with Helm"
             exit 1
         fi
+        echo "Waiting for cert-manager to be ready..."
+        kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=cert-manager -n cert-manager --timeout=300s
+        kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=webhook -n cert-manager --timeout=300s
     else
         echo "ERROR: cert-manager is not fully installed in your cluster."
         echo "You can install it manually or rerun this script with --install-cert-manager --tls"
@@ -69,47 +72,6 @@ fi
 
 }
 
-# Function to wait for cert-manager CRDs and webhook to be ready
-wait_for_cert_manager_crds() {
-    local max_attempts=30
-    local attempt=1
-    
-    while [[ $attempt -le $max_attempts ]]; do
-        # Check if Certificate CRD is available and webhook is ready
-        if kubectl get crd certificates.cert-manager.io >/dev/null 2>&1 && \
-           kubectl get crd clusterissuers.cert-manager.io >/dev/null 2>&1; then
-            
-            # Test if we can actually create cert-manager resources by doing a dry-run
-            echo "Testing cert-manager webhook readiness..."
-            kubectl create --dry-run=server -o yaml - <<EOF >/dev/null 2>&1
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: test-issuer
-spec:
-  selfSigned: {}
-EOF
-            if [[ $? -eq 0 ]]; then
-                echo "cert-manager CRDs and webhook are ready ✓"
-                return 0
-            fi
-        fi
-        
-        echo "Waiting for cert-manager CRDs and webhook to be ready (attempt $attempt/$max_attempts)..."
-        sleep 10
-        ((attempt++))
-    done
-    
-    echo "ERROR: cert-manager CRDs or webhook are not ready after $((max_attempts * 10)) seconds"
-    echo "This may indicate an issue with cert-manager installation."
-    echo ""
-    echo "Try running these commands to check cert-manager status:"
-    echo "  kubectl get pods -n cert-manager"
-    echo "  kubectl logs -n cert-manager -l app.kubernetes.io/name=cert-manager"
-    echo "  kubectl get crd | grep cert-manager"
-    exit 1
-}
-
 # Configure TLS settings
 if [[ "$ENABLE_TLS" == "true" ]]; then
     echo "Deploying with TLS enabled..."
@@ -118,7 +80,7 @@ if [[ "$ENABLE_TLS" == "true" ]]; then
     KEYCLOAK_SUBDOMAIN="keycloak-${TENANT}.local"
     KEYCLOAK_HOSTNAME="${KEYCLOAK_SUBDOMAIN}"
     KEYCLOAK_DOMAIN="https://${KEYCLOAK_SUBDOMAIN}"
-    KEYCLOAK_INTERNAL_DOMAIN="https://${KEYCLOAK_SUBDOMAIN}"  # Internal cluster communication
+    KEYCLOAK_INTERNAL_DOMAIN="http://sentrius-keycloak:8081"  # Internal cluster communication uses HTTP
     SENTRIUS_DOMAIN="https://${SUBDOMAIN}"
     CERTIFICATES_ENABLED="true"
     INGRESS_TLS_ENABLED="true"
diff --git a/sentrius-chart/templates/ingress.yaml b/sentrius-chart/templates/ingress.yaml
@@ -5,18 +5,15 @@ metadata:
   name: managed-cert-ingress-{{ .Values.tenant }}
   namespace: {{ .Values.tenant }}
   annotations:
-    {{- if eq .Values.environment "gke" }}
-    {{- range $key, $value := .Values.ingress.annotations.gke }}
-    {{ $key }}: "{{ $value }}"
-    {{- end }}
-    {{- else if eq .Values.environment "aws" }}
-    {{- range $key, $value := .Values.ingress.annotations.aws }}
-    {{ $key }}: "{{ $value }}"
-    {{- end }}
-    {{- else if eq .Values.environment "local" }}
-    {{- range $key, $value := .Values.ingress.annotations.local }}
-    {{ $key }}: "{{ $value }}"
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- if .Values.certificates.enabled }}
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    {{- else }}
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
     {{- end }}
 spec:
   {{- if .Values.ingress.tlsEnabled }}
diff --git a/sentrius-chart/values.yaml b/sentrius-chart/values.yaml
@@ -208,6 +208,10 @@ ingress:
   class: "nginx"  # Default for local; override for GKE/AWS
   tlsEnabled: true  # Enable TLS when supported
   annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+  # Environment-specific annotation sets (use via --set-file or values override)
+  annotationSets:
     gke:  # GKE-specific annotations
       kubernetes.io/ingress.class: gce
       networking.gke.io/managed-certificates: wildcard-cert
@@ -219,8 +223,8 @@ ingress:
       alb.ingress.kubernetes.io/ssl-redirect: "443"
     local:  # Local environment annotations (e.g., Minikube)
       kubernetes.io/ingress.class: nginx
-      nginx.ingress.kubernetes.io/ssl-redirect: "{{ .Values.certificates.enabled | quote }}"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "{{ .Values.certificates.enabled | quote }}"
+      nginx.ingress.kubernetes.io/ssl-redirect: "{{ .Values.certificates.enabled }}"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "{{ .Values.certificates.enabled }}"
       nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
 
 
