Merge pull request #408 from rackerlabs/cluster-issuer

feat: refactor cert-manager issuer for better default

Author: cardoe

apps/appsets/components.yaml

@@ -50,9 +50,6 @@ spec:
                               - op: replace
                                 path: /spec/tls/0/hosts/0
                                 value: dex.{{index .metadata.annotations "dns_zone" }}
-                              - op: replace
-                                path: '/metadata/annotations/cert-manager.io~1cluster-issuer'
-                                value: 'understack-cluster-issuer'
                     - repoURL: '{{index .metadata.annotations "uc_deploy_git_url"}}'
                       targetRevision: '{{index .metadata.annotations "uc_deploy_ref"}}'
                       ref: deploy
@@ -85,9 +82,6 @@ spec:
                         releaseName: nautobot
                         valuesObject:
                           ingress:
-                            annotations:
-                              cert-manager.io/cluster-issuer: 'understack-cluster-issuer'
-                              nginx.ingress.kubernetes.io/backend-protocol: HTTPS
                             hostname: 'nautobot.{{index .metadata.annotations "dns_zone" }}'
                         valueFiles:
                           - $understack/components/nautobot/nautobot-values.yaml
@@ -158,9 +152,6 @@ spec:
                             - op: replace
                               path: /spec/tls/0/hosts/0
                               value: workflows.{{index .metadata.annotations "dns_zone" }}
-                            - op: replace
-                              path: '/metadata/annotations/cert-manager.io~1cluster-issuer'
-                              value: 'understack-cluster-issuer'
                 - component: argo-events
                   skipComponent: '{{has "argo-events" ((default "[]" (index .metadata.annotations "uc_skip_components") | fromJson))}}'
                   sources:

components/argo/ingress.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    cert-manager.io/cluster-issuer: understack-cluster-issuer
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
   name: argo-workflows

components/dex/ingress.yaml

@@ -3,7 +3,7 @@ kind: Ingress
 metadata:
   name: dex
   annotations:
-    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    cert-manager.io/cluster-issuer: understack-cluster-issuer
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
 spec:
   ingressClassName: nginx

components/glance/aio-values.yaml

@@ -17,12 +17,25 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: glance-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 network:
   # configure OpenStack Helm to use Undercloud's ingress
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 # Glance storage backend
 # we'll switch to radosgw in the future

components/horizon/aio-values.yaml

@@ -14,11 +14,27 @@ conf:
         allowed_hosts:
           - '*'
 
+endpoints:
+  dashboard:
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: keystone-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
+
 network:
   # configure OpenStack Helm to use Undercloud's ingress
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  dashboard:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 # (nicholas.kuechler) updating the jobs list to remove the 'horizon-db-init' job.
 dependencies:

components/ironic/aio-values.yaml

@@ -82,6 +82,13 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: ironic-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 network:
   api:
@@ -92,6 +99,8 @@ network:
         cluster: "nginx-openstack"
       annotations:
         nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
     external_policy_local: false
     node_port:
       enabled: false

components/keystone/aio-values.yaml

@@ -98,6 +98,12 @@ network:
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 dependencies:
   static:
@@ -317,6 +323,13 @@ endpoints:
     port:
       api:
         public: 443
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: keystone-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 manifests:
   job_credential_cleanup: false

components/nautobot/nautobot-values.yaml

@@ -66,5 +66,5 @@ ingress:
   tls: true
   secretName: "nautobot-ingress-tls"
   annotations:
-    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    cert-manager.io/cluster-issuer: understack-cluster-issuer
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS

components/neutron/aio-values.yaml

@@ -17,6 +17,13 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: neutron-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 
 network:
@@ -28,6 +35,12 @@ network:
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  server:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 conf:
   plugins:

components/nova/aio-values.yaml

@@ -24,6 +24,13 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: nova-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 network:
   # we're using ironic and actual switches
@@ -34,6 +41,12 @@ network:
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  osapi:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 conf:
   ceph: