From e81c95a920a52c3efdda1f85625d6e84cf36e952 Mon Sep 17 00:00:00 2001 From: Thomas E Lackey Date: Mon, 4 Mar 2024 15:24:14 -0600 Subject: [PATCH] Support wildcard certs.
---
 stack_orchestrator/deploy/k8s/cluster_info.py | 40 ++++++++++++++----- stack_orchestrator/deploy/spec.py | 37 ++++++++--------- 2 files changed, 47 insertions(+), 30 deletions(-)
diff --git a/stack_orchestrator/deploy/k8s/cluster_info.py b/stack_orchestrator/deploy/k8s/cluster_info.py
index 55393bbf..4c2a6049 100644
--- a/stack_orchestrator/deploy/k8s/cluster_info.py
+++ b/stack_orchestrator/deploy/k8s/cluster_info.py
@@ -110,13 +110,33 @@ class ClusterInfo:
 http_proxy_info = http_proxy_info_list[0]
 if opts.o.debug:
 print(f"http-proxy: {http_proxy_info}")
- # TODO: good enough parsing for webapp deployment for now
+
 host_name = http_proxy_info["host-name"]
+
+ tls = None
+ tls_issuer = None
+
+ if use_tls:
+ tls_info = http_proxy_info.get("tls", {})
+ tls_hosts = tls_info.get("hosts", [host_name])
+ tls_issuer = tls_info.get("issuer", "letsencrypt-prod")
+ tls_secret_name = f"{self.app_name}-tls"
+ if "secret" in tls_info:
+ # If an existing secret is specified, unset the issuer so
+ # we don't try to re-request it.
+ tls_secret_name = tls_info["secret"]
+ tls_issuer = None
+
+ if opts.o.debug:
+ print(f"TLS hosts/secret: {tls_hosts}/{tls_secret_name}")
+
+ tls = [client.V1IngressTLS(
+ hosts=tls_hosts,
+ secret_name=tls_secret_name
+ )]
+
+ # TODO: good enough parsing for webapp deployment for now
 rules = []
- tls = [client.V1IngressTLS(
- hosts=[host_name],
- secret_name=f"{self.app_name}-tls"
- )] if use_tls else None
 paths = []
 for route in http_proxy_info["routes"]:
 path = route["path"]
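Review bot: The host list read at `tls_hosts = tls_info.get("hosts", [host_name])` is never checked against `host_name`, the host the ingress rules are built for in the route loop below this hunk, so a spec whose `hosts` entry omits it (and has no wildcard entry covering it) still produces an accepted Ingress whose routed host is not in its TLS section; how the controller then serves that host is not visible here, but it will not be the requested certificate. A debug-time check at that point, accepting either an exact match or a `*.` entry whose suffix matches `host_name`, would surface the misconfiguration in the same place the new `TLS hosts/secret` print already reports. The value is also handed straight to `V1IngressTLS(hosts=tls_hosts)`, so a scalar string in the spec (a single wildcard being the obvious case) would not be wrapped; `if isinstance(tls_hosts, str): tls_hosts = [tls_hosts]` right after the `.get` guards that. The enclosing method starts before the hunk.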
@@ -147,13 +167,15 @@ class ClusterInfo:
 tls=tls,
 rules=rules
 )
+ annotations = {
+ "kubernetes.io/ingress.class": "nginx",
+ }
+ if tls_issuer:
+ annotations["cert-manager.io/cluster-issuer"] = tls_issuer
 ingress = client.V1Ingress(
 metadata=client.V1ObjectMeta(
 name=f"{self.app_name}-ingress",
- annotations={
- "kubernetes.io/ingress.class": "nginx",
- "cert-manager.io/cluster-issuer": "letsencrypt-prod"
- }
+ annotations=annotations
 ),
 spec=spec
 )
diff --git a/stack_orchestrator/deploy/spec.py b/stack_orchestrator/deploy/spec.py
index ab452fe3..427e1fd7 100644
--- a/stack_orchestrator/deploy/spec.py
+++ b/stack_orchestrator/deploy/spec.py
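Review bot: The new `annotations` dict still carries `"kubernetes.io/ingress.class": "nginx"`, an annotation deprecated since Kubernetes 1.18 in favour of `spec.ingressClassName`; the Python client exposes that as `ingress_class_name="nginx"` on `V1IngressSpec`, whose construction closes at the `)` at the top of this hunk and begins above it. Controllers that still honour the annotation keep working, so this is a follow-up rather than a blocker. The `cert-manager.io/cluster-issuer` value now comes directly from the spec's `issuer` field and is only set when `tls_issuer` is truthy; a debug print of the final dict, `if opts.o.debug: print(f"ingress annotations: {annotations}")`, placed before `ingress = client.V1Ingress(`, would make it visible which issuer, if any, a deployment ends up requesting.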
@@ -91,49 +91,44 @@ class Spec:
 self.file_path = file_path
 def get_image_registry(self):
- return (self.obj[constants.image_registry_key]
- if self.obj and constants.image_registry_key in self.obj
- else None)
+ return self.obj.get(constants.image_registry_key)
 def get_volumes(self):
- return (self.obj["volumes"]
- if self.obj and "volumes" in self.obj
- else {})
+ return self.obj.get(constants.volumes_key, {})
 def get_configmaps(self):
- return (self.obj["configmaps"]
- if self.obj and "configmaps" in self.obj
- else {})
+ return self.obj.get(constants.configmap)
 def get_container_resources(self):
- return Resources(self.obj.get("resources", {}).get("containers", {}))
+ return Resources(self.obj.get(constants.resources_key, {})
+ .get("containers", {}))
 def get_volume_resources(self):
- return Resources(self.obj.get("resources", {}).get("volumes", {}))
+ return Resources(self.obj.get(constants.resources_key, {})
+ .get(constants.volumes_key, {}))
 def get_http_proxy(self):
- return (self.obj[constants.network_key][constants.http_proxy_key]
- if self.obj and constants.network_key in self.obj
- and constants.http_proxy_key in self.obj[constants.network_key]
- else None)
+ return self.obj.get(constants.network_key, {}).get(constants.http_proxy_key, [])
 def get_annotations(self):
- return self.obj.get("annotations", {})
+ return self.obj.get(constants.annotations_key, {})
 def get_labels(self):
- return self.obj.get("labels", {})
+ return self.obj.get(constants.labels_key, {})
 def get_privileged(self):
- return "true" == str(self.obj.get("security", {}).get("privileged", "false")).lower()
+ return "true" == str(self.obj.get(constants.security_key, {})
+ .get("privileged", "false")).lower()
 def get_capabilities(self):
- return self.obj.get("security", {}).get("capabilities", [])
+ return self.obj.get(constants.security_key, {}).get("capabilities", [])
 def get_deployment_type(self):
- return self.obj[constants.deploy_to_key]
+ return self.obj.get(constants.deploy_to_key)
 def is_kubernetes_deployment(self):
- return self.get_deployment_type() in [constants.k8s_kind_deploy_type, constants.k8s_deploy_type]
+ return self.get_deployment_type() in [constants.k8s_kind_deploy_type,
+ constants.k8s_deploy_type]
 def is_kind_deployment(self):
 return self.get_deployment_type() in [constants.k8s_kind_deploy_type]
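Review bot: `get_configmaps` loses its empty-dict fallback in this hunk: the removed code returned `{}` when the key was absent, while the new `return self.obj.get(constants.configmap)` returns `None`, so any caller that iterates the result will fail on a spec without configmaps; every sibling getter keeps its default, so this reads as an oversight and should be `return self.obj.get(constants.configmap, {})`. The hunk also drops the `if self.obj` guards from `get_image_registry`, `get_volumes`, `get_configmaps` and `get_http_proxy`; if `self.obj` can still be `None` (the old guards suggest it could), each of those `.get` calls now raises `AttributeError` instead of returning the default. `get_http_proxy` changes its absent-value result from `None` to `[]`, harmless for truthiness checks but a behaviour change for any caller comparing against `None`. `constants.configmap` also breaks the `*_key` naming of its neighbours; worth confirming it resolves to the `"configmaps"` string the removed code used.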