diff --git a/stack_orchestrator/deploy/k8s/cluster_info.py b/stack_orchestrator/deploy/k8s/cluster_info.py
index 42c41b4b..c151f491 100644
--- a/stack_orchestrator/deploy/k8s/cluster_info.py
+++ b/stack_orchestrator/deploy/k8s/cluster_info.py
@@ -144,66 +144,70 @@ class ClusterInfo: return nodeports def get_ingress( - self, use_tls=False, certificate=None, cluster_issuer="letsencrypt-prod" + self, use_tls=False, certificates=None, cluster_issuer="letsencrypt-prod" ): # No ingress for a deployment that has no http-proxy defined, for now http_proxy_info_list = self.spec.get_http_proxy() ingress = None if http_proxy_info_list: - # TODO: handle multiple definitions - http_proxy_info = http_proxy_info_list[0] - if opts.o.debug: - print(f"http-proxy: {http_proxy_info}") - # TODO: good enough parsing for webapp deployment for now - host_name = http_proxy_info["host-name"] rules = [] - tls = ( - [ - client.V1IngressTLS( - hosts=certificate["spec"]["dnsNames"] - if certificate - else [host_name], - secret_name=certificate["spec"]["secretName"] - if certificate - else f"{self.app_name}-tls", - ) - ] - if use_tls - else None - ) - paths = [] - for route in http_proxy_info["routes"]: - path = route["path"] - proxy_to = route["proxy-to"] + tls = [] if use_tls else None + + for http_proxy_info in http_proxy_info_list: if opts.o.debug: - print(f"proxy config: {path} -> {proxy_to}") - # proxy_to has the form : - proxy_to_port = int(proxy_to.split(":")[1]) - paths.append( - client.V1HTTPIngressPath( - path_type="Prefix", - path=path, - backend=client.V1IngressBackend( - service=client.V1IngressServiceBackend( - # TODO: this looks wrong - name=f"{self.app_name}-service", - # TODO: pull port number from the service - port=client.V1ServiceBackendPort(number=proxy_to_port), - ) - ), + print(f"http-proxy: {http_proxy_info}") + host_name = http_proxy_info["host-name"] + certificate = (certificates or {}).get(host_name) + + if use_tls: + tls.append( + client.V1IngressTLS( + hosts=certificate["spec"]["dnsNames"] + if certificate + else [host_name], + secret_name=certificate["spec"]["secretName"] + if certificate + else f"{self.app_name}-{host_name}-tls", + ) + ) + + paths = [] + for route in http_proxy_info["routes"]: + path = 
route["path"] + proxy_to = route["proxy-to"] + if opts.o.debug: + print(f"proxy config: {path} -> {proxy_to}") + # proxy_to has the form : + proxy_to_port = int(proxy_to.split(":")[1]) + paths.append( + client.V1HTTPIngressPath( + path_type="Prefix", + path=path, + backend=client.V1IngressBackend( + service=client.V1IngressServiceBackend( + # TODO: this looks wrong + name=f"{self.app_name}-service", + # TODO: pull port number from the service + port=client.V1ServiceBackendPort( + number=proxy_to_port + ), + ) + ), + ) + ) + rules.append( + client.V1IngressRule( + host=host_name, + http=client.V1HTTPIngressRuleValue(paths=paths), ) ) - rules.append( - client.V1IngressRule( - host=host_name, http=client.V1HTTPIngressRuleValue(paths=paths) - ) - ) + spec = client.V1IngressSpec(tls=tls, rules=rules) ingress_annotations = { "kubernetes.io/ingress.class": "caddy", } - if not certificate: + if not certificates: ingress_annotations["cert-manager.io/cluster-issuer"] = cluster_issuer ingress = client.V1Ingress( diff --git a/stack_orchestrator/deploy/k8s/deploy_k8s.py b/stack_orchestrator/deploy/k8s/deploy_k8s.py index 3d0b697c..556b6bd7 100644 --- a/stack_orchestrator/deploy/k8s/deploy_k8s.py +++ b/stack_orchestrator/deploy/k8s/deploy_k8s.py 
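Review bot: The annotation guard `if not certificates:` near the end of the hunk only fires when no host has an existing certificate, so in a multi-host deployment where some hosts already have a Certificate and others do not, the `cert-manager.io/cluster-issuer` annotation is dropped and the fallback secret `f"{self.app_name}-{host_name}-tls"` referenced in the TLS entry for the uncovered host is never issued, leaving that host without a usable serving certificate. Because the annotation is ingress-wide, the check should ask whether any rule's host is missing a certificate, e.g. `if not certificates or any(r.host not in certificates for r in rules):`, which keeps the existing behaviour for the `certificates is None` (no-TLS) case. The fallback secret name also changes from `f"{self.app_name}-tls"` to the per-host form, which presumably causes a fresh issuance for existing single-host deployments on redeploy unless `_find_certificate_for_host_name` (hunk 2) returns their existing Certificate; a short comment stating that the secret name is per-host and why would help the next reader. The body of `get_ingress` continues past the end of the hunk.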
@@ -321,17 +321,19 @@ class K8sDeployer(Deployer): http_proxy_info = self.cluster_info.spec.get_http_proxy() # Note: we don't support tls for kind (enabling tls causes errors) use_tls = http_proxy_info and not self.is_kind() - certificate = ( - self._find_certificate_for_host_name(http_proxy_info[0]["host-name"]) - if use_tls - else None - ) - if opts.o.debug: - if certificate: - print(f"Using existing certificate: {certificate}") + certificates = None + if use_tls: + certificates = {} + for proxy in http_proxy_info: + host_name = proxy["host-name"] + cert = self._find_certificate_for_host_name(host_name) + if cert: + certificates[host_name] = cert + if opts.o.debug: + print(f"Using existing certificate for {host_name}: {cert}") ingress = self.cluster_info.get_ingress( - use_tls=use_tls, certificate=certificate + use_tls=use_tls, certificates=certificates ) if ingress: if opts.o.debug: