feat(certs-patch): annotation + more granularity

packages/kontinuous/tests/__snapshots__/ingress-cert-optout.dev.yaml

@@ -0,0 +1,118 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`test build manifests with snapshots ingress-cert-optout.dev 1`] = `
+"apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    field.cattle.io/projectId: \\"1234\\"
+    kontinuous/gitBranch: feature-branch-1
+    kontinuous/mainNamespace: \\"true\\"
+    kapp.k14s.io/exists: \\"\\"
+    kontinuous/chartPath: project.fabrique.contrib.rancher-namespace
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/rancher-namespace/templates/namespace.yaml
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+    janitor/ttl: 7d
+  labels:
+    application: test-ingress-cert-optout
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+    kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: namespace-test-ingress-cert-optout-feature-branch-1-2p8sssrl
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+  name: test-ingress-cert-optout-feature-branch-1
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: netpol-ingress
+  namespace: test-ingress-cert-optout-feature-branch-1
+  annotations:
+    kontinuous/chartPath: project.fabrique.contrib.security-policies
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/network-policy.yml
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+  labels:
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+    kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: networkpolicy-netpol-ingress-61ndxljw
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+spec:
+  ingress:
+    - from:
+        - podSelector: {}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              network-policy/source: ingress-controller
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              network-policy/source: monitoring
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+  annotations:
+    kontinuous/chartPath: project.fabrique.contrib.security-policies
+    kontinuous/source: project/charts/fabrique/charts/contrib/charts/security-policies/templates/service-account.yaml
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+  labels:
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+    kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: serviceaccount-default-2g5dmk74
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+  namespace: test-ingress-cert-optout-feature-branch-1
+automountServiceAccountToken: false
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: files-public
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    kontinuous/use-cert-manager: \\"false\\"
+    kontinuous/chartPath: project
+    kontinuous/source: project/templates/ingress.yaml
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+  labels:
+    kontinuous/deployment: test-ingress-cert-optout-feature-branch-1-ffac537e6cb-3c6i5sje
+    kontinuous/deployment.env: test-ingress-cert-optout-feature-branch-1
+    kontinuous/ref: feature-branch-1
+    kontinuous/gitSha: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/appVersion: ffac537e6cbbf934b08745a378932722df287a53
+    kontinuous/resourceName: ingress-files-public-5krby9jg
+    app.kubernetes.io/manifest-managed-by: kontinuous
+    app.kubernetes.io/manifest-created-by: kontinuous
+  namespace: test-ingress-cert-optout-feature-branch-1
+spec:
+  tls:
+    - hosts:
+        - test.fabrique.social.gouv.fr
+  rules:
+    - host: test.fabrique.social.gouv.fr
+      http:
+        paths:
+          - path: /
+            pathType: Exact
+            backend:
+              service:
+                name: app
+                port:
+                  number: 80
+"
+`;

packages/kontinuous/tests/samples/ingress-cert-optout/config.yaml

@@ -0,0 +1,3 @@
+dependencies:
+  fabrique:
+    import: socialgouv/kontinuous/plugins/fabrique

packages/kontinuous/tests/samples/ingress-cert-optout/templates/ingress.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: files-public
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    kontinuous/use-cert-manager: "false"
+spec:
+  tls:
+  - hosts:
+      - test.fabrique.social.gouv.fr
+  rules:
+  - host: test.fabrique.social.gouv.fr
+    http:
+      paths:
+      - path: /
+        pathType: Exact
+        backend:
+          service:
+            name: app
+            port: 
+              number: 80

plugins/contrib/patches/certs.js

@@ -1,15 +1,21 @@
 module.exports = (manifests, options) => {
-  const hasWildcard = (host) => host.endsWith(options.wildcardHost)
-  const isInternalHost = (host) =>
-    options.internalHosts.some((internalHost) => host.endsWith(internalHost))
-
   const {
+    annotationEnableKey = "kontinuous/use-cert-manager",
+    defaultEnabled = true,
+    detectWildcard = true,
+    internalHosts = [],
+    detectInternal = internalHosts.length > 0,
     secretName = "wildcard-crt",
     clusterIssuer = "letsencrypt-prod",
     namespaceLabels = {
       cert: "wildcard",
     },
   } = options
+
+  const hasWildcard = (host) => host.endsWith(options.wildcardHost)
+  const isInternalHost = (host) =>
+    internalHosts.some((internalHost) => host.endsWith(internalHost))
+
   const wildcardNamespaces = new Set()
 
   for (const manifest of manifests) {
@@ -24,20 +30,37 @@ module.exports = (manifests, options) => {
         tlsEntry.secretName = secretName
       }
 
-      // apply cert-manager annotations only for internal, non-wildcard hosts
-      if (!hosts.every(hasWildcard) && hosts.every(isInternalHost)) {
-        if (!manifest.metadata) {
-          manifest.metadata = {}
-        }
-        if (!manifest.metadata.annotations) {
-          manifest.metadata.annotations = {}
-        }
-        Object.assign(manifest.metadata.annotations, {
-          "cert-manager.io": "cluster-issuer",
-          "cert-manager.io/cluster-issuer": clusterIssuer,
-          "kubernetes.io/tls-acme": "true",
-        })
+      let enabled = defaultEnabled
+
+      const annotationEnableValue =
+        manifest.metadata?.annotations?.[annotationEnableKey]
+      if (
+        annotationEnableValue !== undefined &&
+        annotationEnableValue !== null &&
+        annotationEnableValue !== ""
+      ) {
+        enabled = annotationEnableValue !== "false"
+      } else if (detectWildcard && hosts.some(hasWildcard)) {
+        enabled = false
+      } else if (detectInternal && !hosts.every(isInternalHost)) {
+        enabled = false
+      }
+
+      if (!enabled) {
+        continue
+      }
+
+      if (!manifest.metadata) {
+        manifest.metadata = {}
+      }
+      if (!manifest.metadata.annotations) {
+        manifest.metadata.annotations = {}
       }
+      Object.assign(manifest.metadata.annotations, {
+        "cert-manager.io": "cluster-issuer",
+        "cert-manager.io/cluster-issuer": clusterIssuer,
+        "kubernetes.io/tls-acme": "true",
+      })
     }
   }