Commit e2191da8 authored by rawmind0's avatar rawmind0 Committed by Denise

[2.2] check capabilities or cert-manager version for its api changes

parent e6bc45e6
Showing with 352 additions and 11 deletions
+352 -11
......@@ -16,7 +16,12 @@ metadata:
nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
{{- else }}
{{- if ne .Values.ingress.tls.source "secret" }}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
cert-manager.io/issuer: {{ template "rancher.fullname" . }}
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
certmanager.k8s.io/issuer: {{ template "rancher.fullname" . }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingress.extraAnnotations }}
......
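Review bot: The `if` / `else if` pair that picks the issuer annotation has no final `else`, so a release where neither condition holds renders the ingress with no issuer annotation at all and no certificate is requested for it. Both version tests require `eq (int $certmanagerVer._0) 0`, so a `certmanager.version` whose major number is not 0 matches neither branch unless the cluster capabilities decide. The same two-branch test selects `apiVersion` and `kind` in the letsEncrypt and rancher issuer templates of this commit, where falling through would emit a manifest without an `apiVersion`. A closing branch such as `{{- else }}{{ fail "unsupported certmanager.version" }}` turns that case into a render-time error instead of a silent omission. The enclosing annotations block starts and ends outside the hunk.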
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "letsEncrypt" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
{{- end }}
metadata:
name: {{ template "rancher.fullname" . }}
labels:
......@@ -13,13 +19,19 @@ spec:
acme:
{{- if eq .Values.letsEncrypt.environment "production" }}
server: https://acme-v02.api.letsencrypt.org/directory
{{- end }}
{{- if eq .Values.letsEncrypt.environment "staging" }}
{{- else }}
server: https://acme-staging-v02.api.letsencrypt.org/directory
{{- end }}
email: {{ .Values.letsEncrypt.email }}
privateKeySecretRef:
name: letsencrypt-{{ .Values.letsEncrypt.environment }}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
solvers:
- http01:
ingress:
class: nginx
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
http01: {}
{{- end }}
{{- end -}}
{{- end -}}
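Review bot: On the `cert-manager.io/v1alpha2` branch this template creates a `ClusterIssuer`, while the ingress template in this commit annotates the ingress with `cert-manager.io/issuer`, which cert-manager resolves to a namespaced `Issuer`; as far as this page shows, the letsEncrypt certificate request would then find no matching issuer. A `ClusterIssuer` can also be referenced from every namespace, a wider scope than the `Issuer` the older branch keeps. Either keep `kind: Issuer` on both branches or emit `cert-manager.io/cluster-issuer` for this TLS source. Separately, the second hunk appears to replace the explicit `staging` test with a bare `{{- else }}`, so a misspelled `letsEncrypt.environment` silently selects the staging directory, whose certificates clients do not trust.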
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "rancher" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- end }}
kind: Issuer
metadata:
name: {{ template "rancher.fullname" . }}
......
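Review bot: The two-line capability-or-version condition is pasted here for the fourth time in this commit (ingress annotation, letsEncrypt header, letsEncrypt solver block, and this header), so a later API group change has to be repeated in every copy. Moving it into one named template next to `rancher.fullname` and calling it with `include` at each site would keep the copies from drifting apart. A short comment above `$certmanagerVer` would also help readers, for example `{{- /* cert-manager.io/v1alpha2 is used when either the cluster capability or certmanager.version >= 0.11 indicates it */ -}}`.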
......@@ -13,7 +13,10 @@ tests:
path: metadata.annotations.certmanager\.k8s\.io/issuer
- isNull:
path: spec.tls
- it: should set default annotations
- it: should set default annotations < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
asserts:
- equal:
path: metadata.annotations
......@@ -22,7 +25,44 @@ tests:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should over write proxy-connect-timeout
- it: should set default annotations < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
asserts:
- equal:
path: metadata.annotations
value:
certmanager.k8s.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should set default annotations > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should set default annotations > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should over write proxy-connect-timeout < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
ingress.extraAnnotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
......@@ -34,7 +74,48 @@ tests:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should set source secret
- it: should over write proxy-connect-timeout < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
ingress.extraAnnotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
asserts:
- equal:
path: metadata.annotations
value:
certmanager.k8s.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should over write proxy-connect-timeout > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
ingress.extraAnnotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should over write proxy-connect-timeout > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
ingress.extraAnnotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
- it: should set source secret
set:
hostname: test
ingress.tls.source: secret
......@@ -47,7 +128,10 @@ tests:
hosts:
- test
secretName: tls-rancher-ingress
- it: should set static X-Forwarded-Host header
- it: should set static X-Forwarded-Host header < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
hostname: host.example.com
ingress:
......@@ -63,3 +147,56 @@ tests:
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_input_headers X-Forwarded-Host host.example.com;
- it: should set static X-Forwarded-Host header < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
hostname: host.example.com
ingress:
configurationSnippet: |
more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};
asserts:
- equal:
path: metadata.annotations
value:
certmanager.k8s.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_input_headers X-Forwarded-Host host.example.com;
- it: should set static X-Forwarded-Host header > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
hostname: host.example.com
ingress:
configurationSnippet: |
more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_input_headers X-Forwarded-Host host.example.com;
- it: should set static X-Forwarded-Host header > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
hostname: host.example.com
ingress:
configurationSnippet: |
more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/issuer: RELEASE-NAME-rancher
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_input_headers X-Forwarded-Host host.example.com;
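Review bot: The added cases use only 0.9.0 and 0.12.0, so the boundary the template actually tests, `ge (int $certmanagerVer._1) 11`, is never exercised, and the case names say `> 0.11.0` where the template accepts 0.11 itself. A case with `certmanager.version: 0.11.0` expecting `cert-manager.io/issuer` would pin that boundary. The former default case now always supplies a capability, so rendering with neither `capabilities` nor `certmanager.version` set is no longer covered in the visible cases. A case for that path, and one where the capability and the version disagree, would document which signal the chart follows.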
......@@ -23,7 +23,10 @@ tests:
- hasDocuments:
count: 0
template: issuer-rancher.yaml
- it: should render letsEncrypt but not rancher
- it: should render letsEncrypt but not rancher with cert-manager < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
ingress.tls.source: letsEncrypt
asserts:
......@@ -33,7 +36,69 @@ tests:
- hasDocuments:
count: 0
template: issuer-rancher.yaml
- it: should render rancher but not letsEncrypt
- it: should render letsEncrypt but not rancher with cert-manager < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
ingress.tls.source: letsEncrypt
asserts:
- hasDocuments:
count: 1
template: issuer-letsEncrypt.yaml
- hasDocuments:
count: 0
template: issuer-rancher.yaml
- it: should render letsEncrypt but not rancher with cert-manager > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
ingress.tls.source: letsEncrypt
asserts:
- hasDocuments:
count: 1
template: issuer-letsEncrypt.yaml
- hasDocuments:
count: 0
template: issuer-rancher.yaml
- it: should render letsEncrypt but not rancher with cert-manager > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
ingress.tls.source: letsEncrypt
asserts:
- hasDocuments:
count: 1
template: issuer-letsEncrypt.yaml
- hasDocuments:
count: 0
template: issuer-rancher.yaml
- it: should render rancher but not letsEncrypt with cert-manager < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
ingress.tls.source: rancher
asserts:
- hasDocuments:
count: 0
template: issuer-letsEncrypt.yaml
- hasDocuments:
count: 1
template: issuer-rancher.yaml
- it: should render rancher but not letsEncrypt with cert-manager < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
ingress.tls.source: rancher
asserts:
- hasDocuments:
count: 0
template: issuer-letsEncrypt.yaml
- hasDocuments:
count: 1
template: issuer-rancher.yaml
- it: should render rancher but not letsEncrypt with cert-manager > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
ingress.tls.source: rancher
asserts:
......@@ -43,7 +108,21 @@ tests:
- hasDocuments:
count: 1
template: issuer-rancher.yaml
- it: should set letsEncrypt production by default
- it: should render rancher but not letsEncrypt with cert-manager > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
ingress.tls.source: rancher
asserts:
- hasDocuments:
count: 0
template: issuer-letsEncrypt.yaml
- hasDocuments:
count: 1
template: issuer-rancher.yaml
- it: should set letsEncrypt production by default with cert-manager < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
ingress.tls.source: letsEncrypt
asserts:
......@@ -51,7 +130,39 @@ tests:
path: spec.acme.server
value: https://acme-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt staging
- it: should set letsEncrypt production by default with cert-manager < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
ingress.tls.source: letsEncrypt
asserts:
- equal:
path: spec.acme.server
value: https://acme-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt production by default with cert-manager > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
ingress.tls.source: letsEncrypt
asserts:
- equal:
path: spec.acme.server
value: https://acme-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt production by default with cert-manager > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
ingress.tls.source: letsEncrypt
asserts:
- equal:
path: spec.acme.server
value: https://acme-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt staging with cert-manager < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
ingress.tls.source: letsEncrypt
letsEncrypt.environment: staging
......@@ -60,8 +171,75 @@ tests:
path: spec.acme.server
value: https://acme-staging-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt email address
- it: should set letsEncrypt staging with cert-manager < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
ingress.tls.source: letsEncrypt
letsEncrypt.environment: staging
asserts:
- equal:
path: spec.acme.server
value: https://acme-staging-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt staging with cert-manager > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
ingress.tls.source: letsEncrypt
letsEncrypt.environment: staging
asserts:
- equal:
path: spec.acme.server
value: https://acme-staging-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt staging with cert-manager > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
ingress.tls.source: letsEncrypt
letsEncrypt.environment: staging
asserts:
- equal:
path: spec.acme.server
value: https://acme-staging-v02.api.letsencrypt.org/directory
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt email address with cert-manager < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
ingress.tls.source: letsEncrypt
letsEncrypt.email: test@test.org
asserts:
- equal:
path: spec.acme.email
value: test@test.org
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt email address with cert-manager < 0.11.0 using parameter
set:
certmanager.version: 0.9.0
ingress.tls.source: letsEncrypt
letsEncrypt.email: test@test.org
asserts:
- equal:
path: spec.acme.email
value: test@test.org
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt email address with cert-manager > 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
ingress.tls.source: letsEncrypt
letsEncrypt.email: test@test.org
asserts:
- equal:
path: spec.acme.email
value: test@test.org
template: issuer-letsEncrypt.yaml
- it: should set letsEncrypt email address with cert-manager > 0.11.0 using parameter
set:
certmanager.version: 0.12.0
ingress.tls.source: letsEncrypt
letsEncrypt.email: test@test.org
asserts:
......
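Review bot: None of the issuer cases visible in this section assert `apiVersion`, `kind` or the `solvers` / `http01` shape, which are the fields this commit makes conditional. They check only document counts, `spec.acme.server` and `spec.acme.email`, so they would still pass if the wrong API group were rendered. Adding an `equal` assert on `apiVersion` (and on `kind` for issuer-letsEncrypt.yaml) to each capabilities/parameter pair would cover the change. The file continues past the last visible line, so later cases may already do this.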
......@@ -98,3 +98,7 @@ resources: {}
# - ingress (default)
# - external
tls: ingress
# Certmanager version compatibility
certmanager:
version: ""
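Review bot: The comment `# Certmanager version compatibility` does not say what the empty default does or what format is expected. From the templates in this commit, an empty string appears to be read as version 0.0, so when the cluster capabilities do not list `cert-manager.io/v1alpha2` (for example when rendering offline) the chart falls back to the legacy `certmanager.k8s.io/v1alpha1` resources. I would expand the comment to something like `# cert-manager version, e.g. "0.12.0"; leave empty to detect the API group from the cluster (falls back to certmanager.k8s.io/v1alpha1)`.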