Merge pull request #284 from openziti/controller-mgmt-alt-ingress

add alt ingress for mgmt api

Author: qrkourier

charts/ziti-controller/README.md

@@ -288,9 +288,15 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
 | image.tag | string | `""` | override the container image tag specified in the chart |
 | ingress-nginx.controller.extraArgs.enable-ssl-passthrough | string | `"true"` | configure subchart ingress-nginx to enable the pass-through TLS feature |
 | ingress-nginx.enabled | bool | `false` | install the ingress-nginx subchart |
-| managementApi | object | `{"advertisedHost":"{{ .Values.clientApi.advertisedHost }}","advertisedPort":"{{ .Values.clientApi.advertisedPort }}","containerPort":"{{ .Values.clientApi.containerPort }}","dnsNames":[],"ingress":{"annotations":{},"enabled":false,"ingressClassName":"","labels":{},"tls":{}},"service":{"enabled":false,"type":"ClusterIP"}}` | by default, there's no need for a separate cluster service, ingress, or load balancer for the management API because it shares a TLS listener with the client API, and is reachable at the same address and presents the same web identity cert; you may configure a separate service, ingress, load balancer, etc.  for the management API by setting managementApi.service.enabled=true |
+| managementApi | object | `{"advertisedHost":"{{ .Values.clientApi.advertisedHost }}","advertisedPort":"{{ .Values.clientApi.advertisedPort }}","altIngress":{"advertisedHost":"","annotations":{},"enabled":false,"ingressClassName":"","labels":{},"tls":{}},"containerPort":"{{ .Values.clientApi.containerPort }}","dnsNames":[],"ingress":{"annotations":{},"enabled":false,"ingressClassName":"","labels":{},"tls":{}},"service":{"enabled":false,"type":"ClusterIP"}}` | by default, there's no need for a separate cluster service, ingress, or load balancer for the management API because it shares a TLS listener with the client API, and is reachable at the same address and presents the same web identity cert; you may configure a separate service, ingress, load balancer, etc.  for the management API by setting managementApi.service.enabled=true |
 | managementApi.advertisedHost | string | `"{{ .Values.clientApi.advertisedHost }}"` | global DNS name by which routers can resolve a reachable IP for this service |
 | managementApi.advertisedPort | string | `"{{ .Values.clientApi.advertisedPort }}"` | cluster service, node port, load balancer, and ingress port |
+| managementApi.altIngress.advertisedHost | string | `""` | alternative ingress host, e.g., ziti.example.com; must be distinct from managementApi.advertisedHost and all other advertised names |
+| managementApi.altIngress.annotations | object | `{}` | ingress annotations, e.g., to configure ingress-nginx |
+| managementApi.altIngress.enabled | bool | `false` | create an ingress for the client API's ClusterIP service with a trusted certificate, e.g., for BrowZer, ZAC |
+| managementApi.altIngress.ingressClassName | string | `""` | ingress class name, e.g., "nginx" |
+| managementApi.altIngress.labels | object | `{}` | ingress labels |
+| managementApi.altIngress.tls | object | `{}` | deprecated: tls passthrough is required; configure an alternative certificate to project into the container in webBindingPki.altServerCerts |
 | managementApi.containerPort | string | `"{{ .Values.clientApi.containerPort }}"` | cluster service target port on the container |
 | managementApi.dnsNames | list | `[]` | additional DNS SANs |
 | managementApi.ingress.annotations | object | `{}` | ingress annotations, e.g., to configure ingress-nginx |

charts/ziti-controller/templates/ingress.yaml

@@ -110,6 +110,42 @@ spec:
                   number: {{ .Values.clientApi.advertisedPort }}
 {{- end }}
 
+{{- if .Values.managementApi.altIngress.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "ziti-controller.fullname" . }}-alt-mgmt
+  labels:
+  {{- include "ziti-controller.labels" . | nindent 4 }}
+  {{- with .Values.managementApi.altIngress.labels }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.managementApi.altIngress.annotations }}
+  annotations:
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.managementApi.altIngress.ingressClassName }}
+  ingressClassName: {{ .Values.managementApi.altIngress.ingressClassName }}
+  {{- end }}
+  {{- if .Values.managementApi.altIngress.tls }}
+  tls:
+    {{- toYaml .Values.managementApi.altIngress.tls | nindent 4 }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.managementApi.altIngress.advertisedHost }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "ziti-controller.fullname" . }}-mgmt
+                port:
+                  number: {{ .Values.managementApi.advertisedPort }}
+{{- end }}
+
 {{- if .Values.managementApi.ingress.enabled }}
 ---
 apiVersion: networking.k8s.io/v1

charts/ziti-controller/values.yaml

@@ -73,6 +73,21 @@ managementApi:
     annotations: {}
     # -- deprecated: tls passthrough is required
     tls: {}
+  altIngress:
+    # -- create an ingress for the client API's ClusterIP service with a trusted certificate, e.g., for BrowZer, ZAC
+    enabled: false
+    # -- alternative ingress host, e.g., ziti.example.com; must be distinct from managementApi.advertisedHost and all
+    # other advertised names
+    advertisedHost: ""
+    # -- ingress class name, e.g., "nginx"
+    ingressClassName: ""
+    # -- ingress labels
+    labels: {}
+    # -- ingress annotations, e.g., to configure ingress-nginx
+    annotations: {}
+    # -- deprecated: tls passthrough is required; configure an alternative
+    # certificate to project into the container in webBindingPki.altServerCerts
+    tls: {}
   # -- additional DNS SANs
   dnsNames: []