Rename secrets for gw to avoid conflict (#1247)

Signed-off-by: Arnob kumar saha <arnob@appscode.com>

Author: ArnobKumarSaha

charts/ace-installer/resourcetemplates/helmreleases/ace/ace.yaml

@@ -36,7 +36,7 @@ spec:
     namespace: {{ $.Release.Namespace }}
   {{- if and (dig "catalog-manager" "enabled" false $.Values.helm.releases) (dig "service-gateway-presets" "enabled" false $.Values.helm.releases) }}
   - name: ace
-    namespace: ace-gw
+    namespace: ace
   {{- end }}
   chart:
     spec:

charts/ace-installer/templates/featuresets/saas-core/service-gateway-presets.yaml

@@ -18,8 +18,8 @@ spec:
   interval: 5m
   timeout: 30m
   releaseName: service-gateway-presets
-  targetNamespace: ace-gw
-  storageNamespace: ace-gw
+  targetNamespace: ace
+  storageNamespace: ace
   install:
     createNamespace: {{ $.Values.helm.createNamespace }}
     remediation:

charts/ace/templates/_helpers.tpl

@@ -209,6 +209,25 @@ Determine database host name
 {{- end -}}
 {{- end -}}
 
+{{/*
+Gateway-native FQDN for the ace deployment.
+Only used during the ingress→gateway migration window so
+phase-2 testers can hit the gateway directly while ingress still owns the main host.
+*/}}
+{{- define "ace.gateway.fqdn" -}}
+{{- printf "ace.ace.%s" .Values.global.platform.host -}}
+{{- end }}
+
+{{/*
+True iff both ingress and gateway are enabled — i.e. the chart is rendered for
+ingress→gateway migration phase 2. Used to gate the inclusion of the gateway-native
+FQDN in cert SANs and HTTPRoute hostnames; new gateway-only deployments and
+ingress-only deployments do not need it.
+*/}}
+{{- define "ace.gateway.migrationActive" -}}
+{{- and (index .Values "ingress-nginx" "enabled") (index .Values "gateway" "enabled") -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}

charts/ace/templates/cleaner/job.yaml

@@ -40,6 +40,7 @@ spec:
             kubectl delete jobs -n {{ .Release.Namespace }} --selector app.kubernetes.io/instance=ace || true ; \
             kubectl delete cert -n {{ .Release.Namespace }} {{ include "ace.fullname" . }} || true ; \
             kubectl delete secret -n {{ .Release.Namespace }} {{ include "ace.fullname" . }}-cert || true
+            kubectl delete secret -n {{ .Release.Namespace }} {{ include "ace.fullname" . }}-gw-cert || true
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

charts/ace/templates/gateway/cert-secret-ingress.yaml

@@ -0,0 +1,17 @@
+{{ if and (index .Values "gateway" "enabled") (index .Values "ingress-nginx" "enabled") }}
+
+{{- $secretName := printf "%s-cert" (include "ace.fullname" .) }}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
+{{- if $existing }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ace.fullname" . }}-ingress-cert
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ index $existing.data "tls.crt" }}
+  tls.key: {{ index $existing.data "tls.key" }}
+{{- end }}
+
+{{- end }}

charts/ace/templates/gateway/gateway.yaml

@@ -9,6 +9,12 @@ metadata:
 spec:
   gatewayClassName: ace
   listeners:
+  - name: http
+    protocol: HTTP
+    port: 80
+    allowedRoutes:
+      namespaces:
+        from: Same
   - name: https
     protocol: HTTPS
     port: 443
@@ -17,8 +23,16 @@ spec:
       certificateRefs:
       - group: ""
         kind: Secret
-        name: {{ include "ace.fullname" . }}-cert
+        name: {{ include "ace.fullname" . }}-gw-cert
         namespace: {{ .Release.Namespace }}
+{{- $secretName := printf "%s-ingress-cert" (include "ace.fullname" .) }}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
+{{- if $existing }}
+      - group: ""
+        kind: Secret
+        name: {{ include "ace.fullname" . }}-ingress-cert
+        namespace: {{ .Release.Namespace }}
+{{- end }}
     allowedRoutes:
       namespaces:
         from: Same

charts/ace/templates/gateway/route-home.yaml

@@ -19,6 +19,9 @@ spec:
   {{- if eq .Values.global.platform.hostType "domain" }}
   hostnames:
     - {{ .Values.global.platform.host }}
+    {{- if eq (include "ace.gateway.migrationActive" .) "true" }}
+    - {{ include "ace.gateway.fqdn" . }}
+    {{- end }}
   {{- end }}
   rules:
   - matches:

charts/ace/templates/gateway/route-http-redirect.yaml

@@ -0,0 +1,25 @@
+{{- if (index .Values "gateway" "enabled") }}
+
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ include "ace.fullname" . }}-http-redirect
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.gateway.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: {{ include "ace.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+    sectionName: http
+  rules:
+  - filters:
+    - type: RequestRedirect
+      requestRedirect:
+        scheme: https
+        statusCode: 301
+{{- end }}

charts/ace/templates/gateway/route-main.yaml

@@ -19,6 +19,9 @@ spec:
   {{- if eq .Values.global.platform.hostType "domain" }}
   hostnames:
     - {{ .Values.global.platform.host }}
+    {{- if eq (include "ace.gateway.migrationActive" .) "true" }}
+    - {{ include "ace.gateway.fqdn" . }}
+    {{- end }}
   {{- end }}
   rules:
   - matches:

charts/ace/templates/gateway/route-nats.yaml

@@ -19,6 +19,9 @@ spec:
   {{- if eq .Values.global.platform.hostType "domain" }}
   hostnames:
     - {{ .Values.global.platform.host }}
+    {{- if eq (include "ace.gateway.migrationActive" .) "true" }}
+    - {{ include "ace.gateway.fqdn" . }}
+    {{- end }}
   {{- end }}
   rules:
   - matches:
@@ -53,7 +56,7 @@ spec:
     caCertificateRefs:
     - group: ""
       kind: Secret
-      name: {{ include "ace.fullname" . }}-cert
+      name: {{ include "ace.fullname" . }}-gw-cert
   {{ if eq (index .Values "global" "platform" "hostType") "ip" }}
     hostname: {{ include "ace.fullname" . }}-nats
   {{- else }}
@@ -73,10 +76,6 @@ spec:
     name: {{ include "ace.fullname" . }}
     namespace: {{ .Release.Namespace }}
     sectionName: nats-tcp
-  {{- if eq .Values.global.platform.hostType "domain" }}
-  hostnames:
-    - {{ .Values.global.platform.host }}
-  {{- end }}
   rules:
   - backendRefs:
     - group: ""