diff --git a/packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml b/packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml
new file mode 100644
index 0000000000..45c3a9fb57
--- /dev/null
+++ b/packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml
@@ -0,0 +1,118 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`test build manifests with snapshots ingress-cert-optout.dev 1`] = ` +"apiVersion: v1 +kind: Namespace +metadata: + annotations: + field.cattle.io/projectId: \\"1234\\" + kontinuous/gitBranch: feature-branch-1 + kontinuous/mainNamespace: \\"true\\" + kapp.k14s.io/exists: \\"\\" + kontinuous/chartPath: project.fabrique.contrib.rancher-namespace + kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + janitor/ttl: 7d + labels: + application: test-ingress-cert-optout + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: namespace-test-ingress-cert-optout-feature-branch-1-2p8sssrl + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + name: test-ingress-cert-optout-feature-branch-1 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: netpol-ingress + namespace: test-ingress-cert-optout-feature-branch-1 + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + labels: + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: 
ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: networkpolicy-netpol-ingress-61ndxljw + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous +spec: + ingress: + - from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + network-policy/source: ingress-controller + - from: + - namespaceSelector: + matchLabels: + network-policy/source: monitoring + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default + annotations: + kontinuous/chartPath: project.fabrique.contrib.security-policies + kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + labels: + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: serviceaccount-default-2g5dmk74 + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-ingress-cert-optout-feature-branch-1 +automountServiceAccountToken: false +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: files-public + annotations: + kubernetes.io/ingress.class: nginx + kontinuous/use-cert-manager: \\"false\\" + kontinuous/chartPath: project + kontinuous/source: project/templates/ingress.yaml + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + labels: + kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje + kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1 + kontinuous/ref: feature-branch-1 + kontinuous/gitSha: 
ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53 + kontinuous/resourceName: ingress-files-public-5krby9jg + app.kubernetes.io/manifest-managed-by: kontinuous + app.kubernetes.io/manifest-created-by: kontinuous + namespace: test-ingress-cert-optout-feature-branch-1 +spec: + tls: + - hosts: + - test.fabrique.social.gouv.fr + rules: + - host: test.fabrique.social.gouv.fr + http: + paths: + - path: / + pathType: Exact + backend: + service: + name: app + port: + number: 80 +" +`;
diff --git a/packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml b/packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml
new file mode 100644
index 0000000000..ff779aad47
--- /dev/null
+++ b/packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml
@@ -0,0 +1,3 @@
+dependencies:
+ fabrique:
+ import: socialgouv/kontinuous/plugins/fabrique
\ No newline at end of file
diff --git a/packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml b/packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml
new file mode 100644
index 0000000000..b6870ca2d6
--- /dev/null
+++ b/packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: files-public
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ kontinuous/use-cert-manager: "false"
+spec:
+ tls:
+ - hosts:
+ - test.fabrique.social.gouv.fr
+ rules:
+ - host: test.fabrique.social.gouv.fr
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: app
+ port:
+ number: 80
\ No newline at end of file
diff --git a/plugins/contrib/patches/certs.js b/plugins/contrib/patches/certs.js
index 69d539ba15..ff35bec93f
--- a/plugins/contrib/patches/certs.js
+++ b/plugins/contrib/patches/certs.js
@@ -1,15 +1,21 @@
 module.exports = (manifests, options) => {
- const hasWildcard = (host) => host.endsWith(options.wildcardHost)
- const isInternalHost = (host) =>
- options.internalHosts.some((internalHost) => host.endsWith(internalHost))
- const {
+ annotationEnableKey = "kontinuous/use-cert-manager",
+ defaultEnabled = true,
+ detectWildcard = true,
+ internalHosts = [],
+ detectInternal = internalHosts.length > 0,
 secretName = "wildcard-crt",
 clusterIssuer = "letsencrypt-prod",
 namespaceLabels = {
 cert: "wildcard",
 },
 } = options
+
+ const hasWildcard = (host) => host.endsWith(options.wildcardHost)
+ const isInternalHost = (host) =>
+ internalHosts.some((internalHost) => host.endsWith(internalHost))
+
 const wildcardNamespaces = new Set()
 for (const manifest of manifests) {
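Review bot: The re-added `hasWildcard` still reads `options.wildcardHost` directly while every other input in this hunk is now destructured with a default, so when no wildcard host is configured `host.endsWith(undefined)` coerces its argument and tests for the literal suffix "undefined" instead of being a no-op, and `detectWildcard = true` then means nothing predictable. Destructuring it with the others and guarding the matcher, `const hasWildcard = (host) => wildcardHost !== undefined && host.endsWith(wildcardHost)`, keeps the default harmless on clusters without a wildcard certificate. Both matchers are also bare suffix comparisons, so unless the configured `wildcardHost` and `internalHosts` entries already start with a dot, a host whose last label merely ends with the same characters as a configured domain is classified as wildcard or internal and gets the corresponding certificate treatment; comparing on a label boundary, `host === base || host.endsWith("." + base)`, avoids that. The `for` loop opened on the last line of this hunk continues past it.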
@@ -24,20 +30,37 @@ module.exports = (manifests, options) => {
 tlsEntry.secretName = secretName
 }
- // apply cert-manager annotations only for internal, non-wildcard hosts
- if (!hosts.every(hasWildcard) && hosts.every(isInternalHost)) {
- if (!manifest.metadata) {
- manifest.metadata = {}
- }
- if (!manifest.metadata.annotations) {
- manifest.metadata.annotations = {}
- }
- Object.assign(manifest.metadata.annotations, {
- "cert-manager.io": "cluster-issuer",
- "cert-manager.io/cluster-issuer": clusterIssuer,
- "kubernetes.io/tls-acme": "true",
- })
+ let enabled = defaultEnabled
+
+ const annotationEnableValue =
+ manifest.metadata?.annotations?.[annotationEnableKey]
+ if (
+ annotationEnableValue !== undefined &&
+ annotationEnableValue !== null &&
+ annotationEnableValue !== ""
+ ) {
+ enabled = annotationEnableValue !== "false"
+ } else if (detectWildcard && hosts.some(hasWildcard)) {
+ enabled = false
+ } else if (detectInternal && !hosts.every(isInternalHost)) {
+ enabled = false
+ }
+
+ if (!enabled) {
+ continue
+ }
+
+ if (!manifest.metadata) {
+ manifest.metadata = {}
+ }
+ if (!manifest.metadata.annotations) {
+ manifest.metadata.annotations = {}
 }
+ Object.assign(manifest.metadata.annotations, {
+ "cert-manager.io": "cluster-issuer",
+ "cert-manager.io/cluster-issuer": clusterIssuer,
+ "kubernetes.io/tls-acme": "true",
+ })
 }
 }
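Review bot: The opt-out on the new `enabled = annotationEnableValue !== "false"` line recognizes only the exact lowercase string `"false"`, so an annotation written as `"False"`, `"no"` or `"0"` silently opts the Ingress into cert-manager issuance, which is unlikely to be what the author of that annotation meant. Normalizing first, `const flag = String(annotationEnableValue).trim().toLowerCase()` and `enabled = flag !== "false"`, or accepting only `"true"`/`"false"` and treating anything else as unset, makes the contract explicit and matches how the string `"false"` is emitted in the new sample manifest. The removed `// apply cert-manager annotations only for internal, non-wildcard hosts` comment has no successor; a line such as `// precedence: explicit annotation, then wildcard detection (any host), then internal-host detection (all hosts)` above `let enabled` would document the new decision order, including that wildcard detection now disables on `some` where the old condition used `every`. The enclosing `for` loop over manifests opens in the previous hunk and `hosts` is computed outside this one.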