From 7b862e05d8200c67ebbf42629c86474d1dbae854 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Tue, 26 Jun 2018 17:03:09 -0500
Subject: [PATCH] feat(tls): add tls to ingress for public endpoint

This patch set adds TLS on overridden fqdns for public endpoints for airship-deckhand. As cacerts are not loaded into the containers, this only supports certificates that can be externally verified.

Change-Id: I41606129c8d59dfedcb648f5390985a31b690eec
---
 .../deckhand/templates/secret-ingress-tls.yaml | 16 ++++++++++++++++
 charts/deckhand/values.yaml | 12 ++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 charts/deckhand/templates/secret-ingress-tls.yaml

diff --git a/charts/deckhand/templates/secret-ingress-tls.yaml b/charts/deckhand/templates/secret-ingress-tls.yaml
new file mode 100644
index 00000000..0ec92ab1
--- /dev/null
+++ b/charts/deckhand/templates/secret-ingress-tls.yaml
@@ -0,0 +1,16 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "deckhand" ) }}
+{{- end }}
diff --git a/charts/deckhand/values.yaml b/charts/deckhand/values.yaml
index 14f6f635..d5f9e6b9 100644
--- a/charts/deckhand/values.yaml
+++ b/charts/deckhand/values.yaml
@@ -165,6 +165,13 @@ endpoints:
 default: http
 host_fqdn_override:
 default: null
+ # NOTE(lamt): This chart supports TLS for fqdn overriden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 postgresql:
 name: postgresql
 auth:
@@ -215,6 +222,10 @@ secrets: postgresql: admin: deckhand-db-admin user: deckhand-db-user + tls: + deckhand: + api: + public: deckhand-tls-public conf: uwsgi:
@@ -386,6 +397,7 @@ manifests:
 job_ks_service: true
 job_ks_user: true
 secret_db: true
+ secret_ingress_tls: true
 secret_keystone: true
 service_api: true
 service_ingress_api: true
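Review bot: The NOTE added under `host_fqdn_override` in the first values.yaml hunk shows where `crt` and `key` go but omits the limitation stated in the commit message, that only externally verifiable certificates are supported because no CA certificates are loaded into the containers. Because `key` holds a private key, the comment should also tell operators to supply it through a deployment-time override that is access-controlled, not to commit it alongside the chart values. I would add `# Only certificates that can be externally verified are supported.` and `# Supply crt/key through a protected override file; never commit the key.`, and correct the spelling `overriden` to `overridden`. The `endpoints` block this comment sits in starts and ends outside the hunk.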
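Review bot: `secret_ingress_tls: true` in the third values.yaml hunk enables the new template by default, while the only `host_fqdn_override` value visible in this patch is `default: null` with no `tls` block. Whether `helm-toolkit.manifests.secret_ingress_tls` renders nothing in that case cannot be seen from this patch, so it is worth confirming with a `helm template` run on default values that no empty Secret named `deckhand-tls-public` is produced. The helper must also exist in the helm-toolkit version the chart depends on, and this patch does not touch the chart's dependency declaration. A short comment beside the flag, such as `# rendered only when a public fqdn override supplies tls.crt and tls.key`, would record the intended behaviour once it has been verified.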