Make ingress controller configurable in Helm charts (#101)

* theia-cloud-base: add `issuerprod.ingressClass` and use it in production ClusterIssuer
* theia-cloud: introduce ingress helper templates and centralize annotations/ingressClassName handling
* theia-cloud: add `ingress.controller`, optional `ingress.ingressClassName` and per-ingress `annotations` values

Co-authored-by: Lucas Koehler <[email protected]>

Author: jfaltermeier

charts/theia-cloud-base/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.0-next.0
+version: 1.2.0-next.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/theia-cloud-base/README.md

@@ -1,6 +1,6 @@
 # theia-cloud-base
 
-![Version: 1.2.0-next.0](https://img.shields.io/badge/Version-1.2.0--next.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0-next](https://img.shields.io/badge/AppVersion-1.2.0--next-informational?style=flat-square)
+![Version: 1.2.0-next.1](https://img.shields.io/badge/Version-1.2.0--next.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0-next](https://img.shields.io/badge/AppVersion-1.2.0--next-informational?style=flat-square)
 
 Theia-cloud base chart
 
@@ -16,6 +16,7 @@ Theia-cloud base chart
 | issuerca.enable | bool | `true` | whether to install the CA certificate signer |
 | issuerca.name | string | `"theia-cloud-ca-certificate-signer"` | name for the issuer preparing a self signed CA certificate |
 | issuerprod.enable | bool | `true` | whether to install the let's encrypt production cluster issuer |
+| issuerprod.ingressClass | string | `"nginx"` | ingress class for the HTTP-01 ACME challenge solver |
 | issuerprod.name | string | `"letsencrypt-prod"` | name for the let's encrypt production cluster issuer |
 | issuerstaging.name | string | `"theia-cloud-selfsigned-issuer"` | name for the self signed cluster issuer |
 | operatorrole.name | string | `"operator-api-access"` | name for the operator's cluster role |

charts/theia-cloud-base/templates/clusterissuer-production.yaml

@@ -12,6 +12,6 @@ spec:
     solvers:
     - http01: 
         ingress:
-            class: nginx
+            class: {{ .Values.issuerprod.ingressClass }}
 {{- end }}
 

charts/theia-cloud-base/values.yaml

@@ -9,6 +9,8 @@ issuerprod:
   enable: true
   # -- name for the let's encrypt production cluster issuer
   name: letsencrypt-prod
+  # -- ingress class for the HTTP-01 ACME challenge solver
+  ingressClass: nginx
 
 issuerstaging:
   # -- name for the self signed cluster issuer

charts/theia-cloud/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.0-next.2
+version: 1.2.0-next.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/theia-cloud/README.md

@@ -1,6 +1,6 @@
 # theia-cloud
 
-![Version: 1.2.0-next.2](https://img.shields.io/badge/Version-1.2.0--next.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0-next](https://img.shields.io/badge/AppVersion-1.2.0--next-informational?style=flat-square)
+![Version: 1.2.0-next.3](https://img.shields.io/badge/Version-1.2.0--next.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0-next](https://img.shields.io/badge/AppVersion-1.2.0--next-informational?style=flat-square)
 
 A Helm chart for Theia Cloud
 
@@ -38,11 +38,18 @@ A Helm chart for Theia Cloud
 | ingress.addTLSSecretName | bool | `true` | whether the default Theia Cloud tls secret names should be used. If false no tls secret name will be set on the ingress only needed when ingress.tls == true |
 | ingress.certManagerAnnotations | bool | `true` | When set to true the cert-manager.io annotations will be set. Only used when ingress.addTLSSecretName === true When false certificate management is handled outside of Theia Cloud. |
 | ingress.clusterIssuer | string | `"letsencrypt-prod"` | The cluster issuer to use Only needed when ingress.certManagerAnnotations is true |
-| ingress.instances | object | `{"allWildcardSecretNames":{},"configurationSnippets":["proxy_set_header 'X-Forwarded-Uri' $request_uri"],"name":"theia-cloud-demo-ws-ingress","proxyBodySize":"1m"}` | Values to influence the instances ingress |
+| ingress.controller | string | `"nginx"` | The ingress controller to use. Currently supported: "nginx" or null Determines controller-specific default annotations and ingress class name to use. Using null or an unknown value results in only explicitly specified annotations being used. |
+| ingress.ingressClassName | string | `""` | Optional: Override the ingressClassName. If empty, defaults based on ingress.controller |
+| ingress.instances | object | (see details below) | Values to influence the instances ingress |
 | ingress.instances.allWildcardSecretNames | object | `{}` | All additional wildcard hostnames and the respective TLS secret names. Use this for wildcard hostnames that should use a TLS certificate with a `secretName` different from the default one. Only accepts wildcard hostnames that are configured in `hosts.allWildcardInstances`. |
-| ingress.instances.configurationSnippets | list | `["proxy_set_header 'X-Forwarded-Uri' $request_uri"]` | Additional configuration to the ingress configuration via the `nginx.ingress.kubernetes.io/configuration-snippet` annotation. One entry in this array results in a line for the annotation. Do not add a semicolon at the end of the line here, it is automatically added. Note: Since ingress-nginx version 1.10 this annotation needs to be enabled. See [this README](../../README.md#cluster-prerequisites) for more information. |
+| ingress.instances.annotations | object | `{}` | Optional: Custom annotations for instances ingress. If empty, defaults based on ingress.controller |
+| ingress.instances.configurationSnippets | Deprecated | `["proxy_set_header 'X-Forwarded-Uri' $request_uri"]` | Additional configuration to the ingress configuration via the `nginx.ingress.kubernetes.io/configuration-snippet` annotation. One entry in this array results in a line for the annotation. Do not add a semicolon at the end of the line here, it is automatically added. This is deprecated in favor of using ingress.instances.annotations with the configuration-snippet key. If both configurationSnippets and annotations with configuration-snippet are provided, annotations takes precedence. Note: Since ingress-nginx version 1.10 this annotation needs to be enabled. See [this README](../../README.md#cluster-prerequisites) for more information. |
 | ingress.instances.name | string | `"theia-cloud-demo-ws-ingress"` | The name of the ingress which will be updated to publish new theia application. If this is not existing it will be created. You may chose to set the ingress up yourself and point Theia Cloud to the ingress via the name |
 | ingress.instances.proxyBodySize | string | `"1m"` | Sets the maximum allowed size of the client request body inside the application (e.g. file uploads in Theia). Defaults to 1m. Setting size to 0 disables checking of client request body size. |
+| ingress.landingPage | object | (see details below) | Values to influence the landing page ingress |
+| ingress.landingPage.annotations | object | `{}` | Optional: Custom annotations for landing page ingress. If empty, defaults based on ingress.controller |
+| ingress.service | object | (see details below)  | Values to influence the service ingress |
+| ingress.service.annotations | object | `{}` | Optional: Custom annotations for service ingress. If empty, defaults based on ingress.controller |
 | ingress.theiaCloudCommonName | bool | `false` | When set to true the cert-manager.io/common-name annotation will be set. This is only required when the issued certificate by the cert-manager misses a common-name Only needed when ingress.certManagerAnnotations is true |
 | ingress.tls | bool | `true` | Does Theia Cloud expect TLS connections (true) or is TLS terminated outside of Theia Cloud (e.g. via a Load Balancer) (false) |
 | issuer | object | (see details below) | Values related to certificates/Cert-manager |

charts/theia-cloud/templates/_helpers.tpl

@@ -0,0 +1,138 @@
+{{/*
+Return the ingress class name
+*/}}
+{{- define "theiacloud.ingress.className" -}}
+{{- if .Values.ingress.ingressClassName -}}
+{{ .Values.ingress.ingressClassName }}
+{{- else if eq .Values.ingress.controller "nginx" -}}
+nginx
+{{- else -}}
+{{ .Values.ingress.controller }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the annotations for the instances ingress
+*/}}
+{{- define "theiacloud.ingress.instances.annotations" -}}
+{{- $annotations := dict -}}
+{{- if .Values.ingress.instances.annotations -}}
+{{- $annotations = .Values.ingress.instances.annotations -}}
+{{- else -}}
+{{- if eq .Values.ingress.controller "nginx" -}}
+{{- $annotations = include "theiacloud.ingress.nginx.instances.defaultAnnotations" . | fromYaml | default (dict) -}}
+{{- end -}}
+{{- end -}}
+{{- $certAnnotations := include "theiacloud.ingress.certManagerAnnotations" . | fromYaml | default (dict) -}}
+{{- $annotations = merge $annotations $certAnnotations -}}
+{{- $annotations | toYaml -}}
+{{- end -}}
+
+{{/*
+Return the annotations for the landing page ingress
+*/}}
+{{- define "theiacloud.ingress.landingPage.annotations" -}}
+{{- $annotations := dict -}}
+{{- if .Values.ingress.landingPage.annotations -}}
+{{- $annotations = .Values.ingress.landingPage.annotations -}}
+{{- else -}}
+{{- if eq .Values.ingress.controller "nginx" -}}
+{{- $annotations = include "theiacloud.ingress.nginx.landingPage.defaultAnnotations" . | fromYaml | default (dict) -}}
+{{- end -}}
+{{- end -}}
+{{- $certAnnotations := include "theiacloud.ingress.certManagerAnnotations" (dict "root" . "includeHttp01" false) | fromYaml | default (dict) -}}
+{{- $annotations = merge $annotations $certAnnotations -}}
+{{- $annotations | toYaml -}}
+{{- end -}}
+
+{{/*
+Return the annotations for the service ingress
+*/}}
+{{- define "theiacloud.ingress.service.annotations" -}}
+{{- $annotations := dict -}}
+{{- if .Values.ingress.service.annotations -}}
+{{- $annotations = .Values.ingress.service.annotations -}}
+{{- else -}}
+{{- if eq .Values.ingress.controller "nginx" -}}
+{{- $annotations = include "theiacloud.ingress.nginx.service.defaultAnnotations" . | fromYaml | default (dict) -}}
+{{- end -}}
+{{- end -}}
+{{- $certAnnotations := include "theiacloud.ingress.certManagerAnnotations" . | fromYaml | default (dict) -}}
+{{- $annotations = merge $annotations $certAnnotations -}}
+{{- $annotations | toYaml -}}
+{{- end -}}
+
+{{/*
+Return default nginx annotations for instances ingress
+*/}}
+{{- define "theiacloud.ingress.nginx.instances.defaultAnnotations" -}}
+{{- if not .Values.ingress.tls }}
+nginx.ingress.kubernetes.io/ssl-redirect: "false"
+{{- end }}
+nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
+nginx.ingress.kubernetes.io/rewrite-target: /$2
+{{- if .Values.ingress.instances.configurationSnippets }}
+nginx.ingress.kubernetes.io/configuration-snippet: |
+  {{- range .Values.ingress.instances.configurationSnippets }}
+  {{ . }};
+  {{- end }}
+{{- else }}
+nginx.ingress.kubernetes.io/configuration-snippet: |
+  proxy_set_header 'X-Forwarded-Uri' $request_uri;
+{{- end }}
+nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.instances.proxyBodySize | toString) . }}
+{{- end -}}
+
+{{/*
+Return default nginx annotations for landing page ingress (path-based)
+*/}}
+{{- define "theiacloud.ingress.nginx.landingPage.defaultAnnotations" -}}
+{{- if not .Values.ingress.tls }}
+nginx.ingress.kubernetes.io/ssl-redirect: "false"
+{{- end }}
+{{- if .Values.hosts.usePaths }}
+{{- if .Values.hosts.configuration.landing }}
+nginx.ingress.kubernetes.io/rewrite-target: /$2
+{{- end }}
+nginx.ingress.kubernetes.io/configuration-snippet: |
+  rewrite ^([^.?]*[^/])$ $1/ redirect;
+{{- end }}
+{{- end -}}
+
+{{/*
+Return default nginx annotations for service ingress
+*/}}
+{{- define "theiacloud.ingress.nginx.service.defaultAnnotations" -}}
+{{- if not .Values.ingress.tls }}
+nginx.ingress.kubernetes.io/ssl-redirect: "false"
+{{- end }}
+nginx.ingress.kubernetes.io/rewrite-target: /service$1
+{{- end -}}
+
+{{/*
+Return cert-manager annotations if enabled
+Params:
+  . - root context
+  includeHttp01 - (optional) whether to include HTTP-01 specific annotations
+*/}}
+{{- define "theiacloud.ingress.certManagerAnnotations" -}}
+{{- $includeHttp01 := true -}}
+{{- if hasKey . "includeHttp01" -}}
+{{- $includeHttp01 = .includeHttp01 -}}
+{{- end -}}
+{{- $root := . -}}
+{{- if hasKey . "root" -}}
+{{- $root = .root -}}
+{{- end -}}
+{{- if $root.Values.ingress.addTLSSecretName }}
+{{- if $root.Values.ingress.certManagerAnnotations }}
+cert-manager.io/cluster-issuer: {{ tpl ($root.Values.ingress.clusterIssuer | toString) $root }}
+{{- if and $includeHttp01 $root.Values.ingress.theiaCloudCommonName }}
+cert-manager.io/common-name: "Theia Cloud"
+{{- end }}
+{{- if $includeHttp01 }}
+acme.cert-manager.io/http01-ingress-class: {{ include "theiacloud.ingress.className" $root }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}

charts/theia-cloud/templates/instances-ingress-path-based.yaml

@@ -5,29 +5,9 @@ metadata:
   name: {{ tpl (.Values.ingress.instances.name | toString) . }}
   namespace: {{ .Release.Namespace }}
   annotations:
-    {{- if not .Values.ingress.tls }}
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    {{- end }}
-    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    {{- if .Values.ingress.instances.configurationSnippets }}
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      {{- range .Values.ingress.instances.configurationSnippets }}
-      {{ . }};
-      {{- end }}
-    {{- end }}
-    nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.instances.proxyBodySize | toString) . }}
-    {{- if .Values.ingress.addTLSSecretName }}
-    {{- if .Values.ingress.certManagerAnnotations }}
-    cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }}
-    {{- if .Values.ingress.theiaCloudCommonName }}
-    cert-manager.io/common-name: "Theia Cloud"
-    {{- end }}
-    acme.cert-manager.io/http01-ingress-class: nginx
-    {{- end }}
-    {{- end }}
+    {{- include "theiacloud.ingress.instances.annotations" . | nindent 4 }}
 spec:
-  ingressClassName: nginx
+  ingressClassName: {{ include "theiacloud.ingress.className" . }}
   {{- if .Values.ingress.tls }}
   tls:
   - hosts:

charts/theia-cloud/templates/instances-ingress.yaml

@@ -5,29 +5,9 @@ metadata:
   name: {{ tpl (.Values.ingress.instances.name | toString) . }}
   namespace: {{ .Release.Namespace }}
   annotations:
-    {{- if not .Values.ingress.tls }}
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    {{- end }}
-    {{- if .Values.ingress.addTLSSecretName }}
-    {{- if .Values.ingress.certManagerAnnotations }}
-    cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }}
-    {{- if .Values.ingress.theiaCloudCommonName }}
-    cert-manager.io/common-name: "Theia Cloud"
-    {{- end }}
-    acme.cert-manager.io/http01-ingress-class: nginx
-    {{- end }}
-    {{- end }}
-    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    {{- if .Values.ingress.instances.configurationSnippets }}
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      {{- range .Values.ingress.instances.configurationSnippets }}
-      {{ . }};
-      {{- end }}
-    {{- end }}
-    nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.instances.proxyBodySize | toString) . }}
+    {{- include "theiacloud.ingress.instances.annotations" . | nindent 4 }}
 spec:
-  ingressClassName: nginx
+  ingressClassName: {{ include "theiacloud.ingress.className" . }}
   {{- if .Values.ingress.tls }}
   tls:
   - hosts:

charts/theia-cloud/templates/landing-page-ingress-path-based.yaml

@@ -5,24 +5,10 @@ kind: Ingress
 metadata:
   name: landing-page-ingress
   annotations:
-    {{- if not .Values.ingress.tls }}
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    {{- end }}
-    {{- if .Values.hosts.configuration.landing }}
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    {{- end }}
-    # Rewrite all URLs not ending with a segment containing . or ? with a trailing slash
-    # This is necessary to correctly resolve relative paths (e.g. for css files) from the landing page.
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      rewrite ^([^.?]*[^/])$ $1/ redirect;
-    {{- if .Values.ingress.addTLSSecretName }}
-    {{- if .Values.ingress.certManagerAnnotations }}
-    cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }}
-    {{- end }}
-    {{- end }}
+    {{- include "theiacloud.ingress.landingPage.annotations" . | nindent 4 }}
   namespace: {{ .Release.Namespace }}
 spec:
-  ingressClassName: nginx
+  ingressClassName: {{ include "theiacloud.ingress.className" . }}
   {{- if .Values.ingress.tls }}
   tls:
   - hosts: