Allow configuration for a TLS Ingress/Route to be created #90

Open
a-roberts opened this issue Oct 28, 2020 · 2 comments
Labels
1.1.x Issues for 1.1.x release

Comments

@a-roberts

Hey everybody, I'm using this package and creating an instance of the registry - really like the generated host name, and I do get a working Route!

Unfortunately when I get it (so either the Route or Ingress), I'm convinced it's not using TLS by default at the moment, so I'm wondering if we can expose some options to configure that - or if we're expected to write our code such that, after the instance is made, we go and then edit said Route (if that's allowed in Kube).

I couldn't see any docs pertaining to this, or relevant issues, but right now the Ingress/Route I get is one of these (note the force ssl redirect being false)

(base) Adams-MBP:test aroberts$ k get route my-apicurio-registry-ingress-4qwwt-6l7xg  -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  host: my-apicurio-registry.adam1.apps.foo.com
  path: /
  to:
    kind: Service
    name: my-apicurio-registry-service-tcvzd
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2020-10-28T10:07:26Z"
      status: "True"
      type: Admitted
    host: my-apicurio-registry.adam1.apps.foo.com
    routerCanonicalHostname: apps.foo.com
    routerName: default
    wildcardPolicy: None

Ingress:

    name: my-apicurio-registry-ingress-xn2vx
    namespace: adam1
    ownerReferences:
    - apiVersion: apicur.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ApicurioRegistry
      name: my-apicurio-registry
      uid: 1ec083d9-fa57-491f-9b08-a2b05f5bc700
    resourceVersion: "63661648"
    selfLink: /apis/extensions/v1beta1/namespaces/adam1/ingresses/my-apicurio-registry-ingress-xn2vx
    uid: 7cfc0fcd-c8de-45e0-a1a2-7768f86c7640
  spec:
    rules:
    - host: my-kafka-apicurio.adam1.apps.foo.com
      http:
        paths:
        - backend:
            serviceName: my-apicurio-registry-service-mjvcb
            servicePort: 8080
          path: /
          pathType: ImplementationSpecific
  status:
    loadBalancer: {}
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

This is how I'm making it, I've changed the name a little in both the resulting Kubernetes objects and this as it's for a non-disclosed project currently, so things may not match up exactly in terms of names and references:

func newRegistryInstance(namespace string) *registryv1alpha.ApicurioRegistry {
	return &registryv1alpha.ApicurioRegistry{
		TypeMeta: metav1.TypeMeta{
			Kind:       "ApicurioRegistry",
			APIVersion: "apicurioregistries.apicur.io/v1alpha1",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:      "adamtest",
			Namespace: namespace,
		},
		Spec: registryv1alpha.ApicurioRegistrySpec{
			Image: registryv1alpha.ApicurioRegistrySpecImage{Name: "docker.io/apicurio/apicurio-registry-mem@sha256:e4712e66edfc0a217531c282b1e2513172c993b5eb37f5c1024b2c14af6d7874"},
			Configuration: registryv1alpha.ApicurioRegistrySpecConfiguration{
				Kafka: registryv1alpha.ApicurioRegistrySpecConfigurationKafka{
					BootstrapServers: common.KafkaInstanceName + "-kafka-bootstrap:9092",
				},
			},
		},
	}
}

Would be useful if say, in ApicurioRegistrySpecConfiguration we had fields for tls: true and we could give it a secret to use for the Ingress - so wondering if it's possible now, planned, or easily doable.

Thanks!

@stephennimmo

stephennimmo commented Jan 29, 2022

Adding some commentary here. It would be nice to have finer-grained control of the route/ingress created. Example route.

apiVersion: registry.apicur.io/v1
kind: ApicurioRegistry
metadata:
  name: example-service-registry
spec:
  configuration:
    persistence: 'kafkasql'
    kafkasql:
      bootstrapServers: 'example-kafka-kafka-bootstrap:9092'
  deployment:
    ingress:
      host: blah.namespace.cluster.domain.com
      type: route
      tls:
        termination: edge
        insecureEdgeTerminationPolicy: Redirect
      wildcardPolicy: None

or at least a configuration to turn off ingress creation and allow the user to create it manually. The documentation already points to this solution; however, the insecure route is created regardless.
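
A check for the condition discussed in this thread, added here as an example (it is not code from the operator or from any commenter): it reads a Route or Ingress manifest as JSON, for instance from `kubectl get -o json`, and reports why plain HTTP is still served. The function name, finding strings and sample manifests are constructed for illustration, and the `ssl-redirect` check assumes the ingress-nginx controller.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples: the reported shape (no spec.tls) and the edge/Redirect shape.
const plainRoute = `{"kind":"Route","spec":{"host":"registry.example.test","to":{"kind":"Service","name":"registry-svc"}}}`
const tlsRoute = `{"kind":"Route","spec":{"tls":{"termination":"edge","insecureEdgeTerminationPolicy":"Redirect"}}}`

// object holds only the fields this check reads from a Route or Ingress.
type object struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		TLS any `json:"tls"` // Route: one object; Ingress: a list of entries
	} `json:"spec"`
}

// PlaintextFindings lists the reasons a manifest still serves plain HTTP.
// An empty result means none of the checked conditions matched.
func PlaintextFindings(manifest string) ([]string, error) {
	var o object
	if err := json.Unmarshal([]byte(manifest), &o); err != nil {
		return nil, err
	}
	var out []string
	switch t := o.Spec.TLS.(type) {
	case map[string]any: // Route with a TLS block
		if t["insecureEdgeTerminationPolicy"] == "Allow" {
			out = append(out, "insecureEdgeTerminationPolicy is Allow")
		}
	case []any: // Ingress TLS list
		if len(t) == 0 {
			out = append(out, "spec.tls is empty")
		} else if o.Metadata.Annotations["nginx.ingress.kubernetes.io/ssl-redirect"] == "false" {
			out = append(out, "ssl-redirect annotation is false")
		}
	default: // field absent or null
		out = append(out, "spec.tls is not set")
	}
	return out, nil
}

func main() {
	fmt.Println(PlaintextFindings(plainRoute))
	fmt.Println(PlaintextFindings(tlsRoute))
}
```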

@jsenko
Member

jsenko commented Jan 31, 2022

Hello, thank you for the suggestion, I've created an issue #153 to track this. We've been a bit busy with other projects, but I plan to take some extra time to look into the current Operator issues.
