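{{- /*
TLS source resolution:

- If the instance domain is COVERED by the tenant's shared wildcard
  cert (e.g. instance domain ends in `.<tenantWildcardHost>`), we
  reuse the existing wildcard Secret — no new cert to issue.
- Otherwise (multi-domain tenants deploying on a domain outside their
  wildcard zone, e.g. `app.havari.me` when wildcard is
  `*.tenants.4th.online`), cert-manager issues a per-host
  Let's Encrypt cert via DNS-01. The IngressRoute references that
  cert's Secret instead.

This logic lives at template render time so a single chart serves both
shapes — operators don't have to think about "which TLS mode am I in".

`tenantWildcardHost` is set by Tower per-instance from the tenant's
settings (the suffix of the wildcard pattern, without the `*.`). Empty
(legacy / no wildcard configured) → always per-host.

`instance.domain` drives the Host() match, the cert's dnsNames and the
wildcard-coverage check, so an unset value fails the render instead of
producing a Certificate with an empty dnsNames entry and an IngressRoute
that matches nothing.
*/}}
{{- $domain := required "instance.domain must be set" .Values.instance.domain -}}
{{- $useWildcard := false -}}
{{- if .Values.tenantWildcardHost -}}
  {{- $suffix := printf ".%s" .Values.tenantWildcardHost -}}
  {{- if hasSuffix $suffix $domain -}}
    {{- /* A wildcard matches exactly one DNS label (RFC 6125 §6.4.3):
           `*.tenants.4th.online` covers `a.tenants.4th.online` but NOT
           `a.b.tenants.4th.online`. A deeper name must fall through to
           per-host issuance, otherwise the wildcard Secret is served for
           a host it does not cover and browsers reject the connection. */ -}}
    {{- $prefix := trimSuffix $suffix $domain -}}
    {{- if and $prefix (not (contains "." $prefix)) -}}
      {{- $useWildcard = true -}}
    {{- end -}}
  {{- end -}}
{{- end -}}

{{- if not $useWildcard }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "instance.fullname" . }}-tls
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  secretName: {{ include "instance.fullname" . }}-tls
  issuerRef:
    name: {{ .Values.ingress.certIssuer | default "letsencrypt-prod" }}
    kind: ClusterIssuer
  dnsNames:
    - {{ $domain | quote }}
{{- end }}
---
# HTTP → HTTPS redirect lives at the cluster's Traefik entrypoint
# config (cluster-platform-v3 chart, `traefik.ports.web.redirectTo`)
# — every cluster's `web` entrypoint redirects port 80 → 443
# uniformly, before any IngressRoute matching runs. Per-instance
# redirect is redundant and intentionally NOT defined here.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: {{ include "instance.fullname" . }}
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  entryPoints:
    - {{ .Values.ingress.entryPoint }}
  routes:
    - match: Host(`{{ $domain }}`)
      kind: Rule
      # Cluster-level middleware (defined in cluster-platform-v3,
      # same `tenants` namespace as this IngressRoute). Adds a
      # bounded retry budget so transient Pod-not-ready windows
      # during an Odoo restart don't surface as Traefik's default
      # 404 to the customer. TLS-related fields below are unchanged.
      #
      # Gated on `.Values.ingress.useTenantsDefaults` so a cluster
      # running with `traefik.enabled=false` in cluster-platform-v3
      # (the Middleware would never be created) doesn't break every
      # instance sync with "Middleware tenants-default-retry not
      # found". Default true matches the standard platform shape;
      # operators flip it to false only when running an externally-
      # managed Traefik that doesn't carry our tenants-default-* set.
      #
      # Sprig's `default` treats an explicit `false` as empty, so
      # `useTenantsDefaults | default true` could never be switched
      # off. hasKey/ternary honours an explicit false and still
      # defaults an unset key to true.
      {{- if ternary .Values.ingress.useTenantsDefaults true (hasKey .Values.ingress "useTenantsDefaults") }}
      middlewares:
        - name: tenants-default-retry
      {{- end }}
  services:
    - name: {{ include "instance.fullname" . }}-odoo
      port: 8069
  tls:
    {{- if $useWildcard }}
    {{- /* The wildcard Secret is only referenced here, never created; it
           must already exist in the namespace this IngressRoute lands in.
           An unset `ingress.tlsSecret` would render an empty `secretName`,
           which Traefik accepts and answers with the cluster's default
           certificate instead of the tenant's — fail the render instead. */}}
    secretName: {{ required "ingress.tlsSecret must be set when the tenant wildcard covers instance.domain" .Values.ingress.tlsSecret }}
    {{- else }}
    secretName: {{ include "instance.fullname" . }}-tls
    {{- end }}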