61 lines
2.0 KiB
YAML
61 lines
2.0 KiB
YAML
{{- /*
|
|
TLS source resolution:
|
|
|
|
- If the instance domain is COVERED by the tenant's shared wildcard
|
|
cert (e.g. instance domain ends in `.<tenantWildcardHost>`), we
|
|
reuse the existing wildcard Secret — no new cert to issue.
|
|
- Otherwise (multi-domain tenants deploying on a domain outside their
|
|
wildcard zone, e.g. `app.havari.me` when wildcard is
|
|
`*.tenants.4th.online`), cert-manager issues a per-host
|
|
Let's Encrypt cert via HTTP-01. The IngressRoute references that
|
|
cert's Secret instead.
|
|
|
|
This logic lives at template render time so a single chart serves both
|
|
shapes — operators don't have to think about "which TLS mode am I in".
|
|
|
|
`tenantWildcardHost` is set by Tower per-instance from the tenant's
|
|
settings (the suffix of the wildcard pattern, without the `*.`). Empty
|
|
(legacy / no wildcard configured) → always per-host.
|
|
*/}}
|
|
{{- $useWildcard := false -}}
|
|
{{- if .Values.tenantWildcardHost -}}
|
|
{{- if hasSuffix (printf ".%s" .Values.tenantWildcardHost) .Values.instance.domain -}}
|
|
{{- $useWildcard = true -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{- if not $useWildcard }}
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: {{ include "instance.fullname" . }}-tls
|
|
labels:
|
|
{{- include "instance.labels" . | nindent 4 }}
|
|
spec:
|
|
secretName: {{ include "instance.fullname" . }}-tls
|
|
issuerRef:
|
|
name: {{ .Values.ingress.certIssuer | default "letsencrypt-prod" }}
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- {{ .Values.instance.domain }}
|
|
{{- end }}
|
|
---
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: {{ include "instance.fullname" . }}
|
|
labels:
|
|
{{- include "instance.labels" . | nindent 4 }}
|
|
spec:
|
|
entryPoints:
|
|
- {{ .Values.ingress.entryPoint }}
|
|
routes:
|
|
- match: Host(`{{ .Values.instance.domain }}`)
|
|
kind: Rule
|
|
services:
|
|
- name: {{ include "instance.fullname" . }}-odoo
|
|
port: 8069
|
|
tls:
|
|
secretName: {{ if $useWildcard }}{{ .Values.ingress.tlsSecret }}{{ else }}{{ include "instance.fullname" . }}-tls{{ end }}
|