97 lines
3.1 KiB
YAML
97 lines
3.1 KiB
YAML
{{- /*
|
|
TLS source resolution:
|
|
|
|
- If the instance domain is COVERED by the tenant's shared wildcard
|
|
cert (e.g. instance domain ends in `.<tenantWildcardHost>`), we
|
|
reuse the existing wildcard Secret — no new cert to issue.
|
|
- Otherwise (multi-domain tenants deploying on a domain outside their
|
|
wildcard zone, e.g. `app.havari.me` when wildcard is
|
|
`*.tenants.4th.online`), cert-manager issues a per-host
|
|
Let's Encrypt cert via DNS-01. The IngressRoute references that
|
|
cert's Secret instead.
|
|
|
|
This logic lives at template render time so a single chart serves both
|
|
shapes — operators don't have to think about "which TLS mode am I in".
|
|
|
|
`tenantWildcardHost` is set by Tower per-instance from the tenant's
|
|
settings (the suffix of the wildcard pattern, without the `*.`). Empty
|
|
(legacy / no wildcard configured) → always per-host.
|
|
*/}}
|
|
{{- $useWildcard := false -}}
|
|
{{- if .Values.tenantWildcardHost -}}
|
|
{{- if hasSuffix (printf ".%s" .Values.tenantWildcardHost) .Values.instance.domain -}}
|
|
{{- $useWildcard = true -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- if not $useWildcard }}
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: {{ include "instance.fullname" . }}-tls
|
|
labels:
|
|
{{- include "instance.labels" . | nindent 4 }}
|
|
spec:
|
|
secretName: {{ include "instance.fullname" . }}-tls
|
|
issuerRef:
|
|
name: {{ .Values.ingress.certIssuer | default "letsencrypt-prod" }}
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- {{ .Values.instance.domain }}
|
|
{{- end }}
|
|
---
|
|
# HTTP → HTTPS redirect. Browsers default a bare hostname to http://,
|
|
# but the only entrypoint serving Odoo is `websecure` — without this
|
|
# route plain-http requests fall through to Traefik's default backend
|
|
# and the user sees Traefik's "404 page not found" even though the
|
|
# instance is fully up. The Middleware lives in this same chart so a
|
|
# legacy cluster without a global redirect-to-https middleware works
|
|
# the same as a fresh one.
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: Middleware
|
|
metadata:
|
|
name: {{ include "instance.fullname" . }}-redirect-https
|
|
labels:
|
|
{{- include "instance.labels" . | nindent 4 }}
|
|
spec:
|
|
redirectScheme:
|
|
scheme: https
|
|
permanent: true
|
|
---
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: {{ include "instance.fullname" . }}-http
|
|
labels:
|
|
{{- include "instance.labels" . | nindent 4 }}
|
|
spec:
|
|
entryPoints:
|
|
- web
|
|
routes:
|
|
- match: Host(`{{ .Values.instance.domain }}`)
|
|
kind: Rule
|
|
middlewares:
|
|
- name: {{ include "instance.fullname" . }}-redirect-https
|
|
services:
|
|
- name: {{ include "instance.fullname" . }}-odoo
|
|
port: 8069
|
|
---
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: {{ include "instance.fullname" . }}
|
|
labels:
|
|
{{- include "instance.labels" . | nindent 4 }}
|
|
spec:
|
|
entryPoints:
|
|
- {{ .Values.ingress.entryPoint }}
|
|
routes:
|
|
- match: Host(`{{ .Values.instance.domain }}`)
|
|
kind: Rule
|
|
services:
|
|
- name: {{ include "instance.fullname" . }}-odoo
|
|
port: 8069
|
|
tls:
|
|
secretName: {{ if $useWildcard }}{{ .Values.ingress.tlsSecret }}{{ else }}{{ include "instance.fullname" . }}-tls{{ end }}
|