From 3d1e81ea8f81686ead36e137b189dfec5b0afb80 Mon Sep 17 00:00:00 2001 From: nwalens Date: Mon, 12 Oct 2020 09:26:14 +0200 Subject: [PATCH 1/5] Add openshift support (#88) * Add openshift support * Add Security Context Constraint support (SCC) - Needed in order to run the Pods with arbitrary users in openshift * Add Route support - Routes replace Ingress in Openshift. While it is possible to use Ingress objects in Openshift, Routes offer support to some specific features * Add ServiceAccount to statefulset - SCC configurations require a target service account in order to set the correct secure context Signed-off-by: Ney Walens De Mesquita * Use port name instead of variables for route definition Using port name will permit variables to change in the future and it also makes it easy to understand where the service is connecting to. Signed-off-by: Ney Walens De Mesquita * Add openshift support to ca subchart As done previously for NiFi, the following is being added to the CA subchart: * Service account for the deployment * Security Context Constraint (SCC) in order to permit the chart to run with arbitrary users (runAsUser and fsGroup) Signed-off-by: Ney Walens De Mesquita * Bump up the CA subchart version Signed-off-by: Ney Walens De Mesquita * Small fixes and improvements * Add missing labels to ServiceAccount, Route and SCC manifests * Define service account name through a helper in order to have a cleaner code * Change the service account flag from `enabled` to `create` * The Statefulset will always have a service account now however if none is set, it will use the `default` service account, maintaining backwards compatibility Signed-off-by: Ney Walens De Mesquita * Add missing labels to CA SCC template Signed-off-by: Ney Walens De Mesquita * remove the suffix from the route as it will be used in the final url when host is not defined.
Signed-off-by: Ney Walens De Mesquita * When using fsgroup and run as user, the container won't be allowed to change volume permissions unless running as a privileged user. The init container for the CA subchart has to run as uid 0 if we intend on setting fsGroup and runAsUser on the deployment Signed-off-by: Ney Walens De Mesquita * bump up CA dependency version Signed-off-by: Ney Walens De Mesquita Co-authored-by: Alexandre Nuttinck Co-authored-by: Ney Walens De Mesquita Co-authored-by: Ney Walens De Mesquita --- Chart.yaml | 4 +-- README.md | 10 ++++++ charts/ca/Chart.yaml | 2 +- charts/ca/templates/_helpers.tpl | 11 ++++++ charts/ca/templates/deployment.yaml | 2 ++ charts/ca/templates/scc.yaml | 45 +++++++++++++++++++++++++ charts/ca/templates/serviceaccount.yaml | 11 ++++++ charts/ca/values.yaml | 10 ++++++ templates/_helpers.tpl | 13 ++++++- templates/route.yaml | 37 ++++++++++++++++++++ templates/scc.yaml | 45 +++++++++++++++++++++++++ templates/serviceaccount.yaml | 11 ++++++ templates/statefulset.yaml | 1 + values.yaml | 19 +++++++++++ 14 files changed, 217 insertions(+), 4 deletions(-) create mode 100644 charts/ca/templates/scc.yaml create mode 100644 charts/ca/templates/serviceaccount.yaml create mode 100644 templates/route.yaml create mode 100644 templates/scc.yaml create mode 100644 templates/serviceaccount.yaml diff --git a/Chart.yaml b/Chart.yaml index 18742fee..fdfe5fbe 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ --- apiVersion: v2 name: nifi -version: 0.5.4 +version: 0.5.5 appVersion: 1.12.1 description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems. keywords: @@ -27,5 +27,5 @@ dependencies: repository: https://dysnix.github.io/charts/ condition: registry.enabled - name: ca - version: 1.0.0 + version: 1.0.1 condition: ca.enabled diff --git a/README.md b/README.md index 2b9b38f4..5a03be51 100644 --- a/README.md +++ b/README.md 
@@ -88,6 +88,8 @@ The following table lists the configurable parameters of the nifi chart and the | `securityContext.runAsUser` | nifi Docker User | `1000` | | `securityContext.fsGroup` | nifi Docker Group | `1000` | | **sts** | +| `sts.serviceAccount.create` | If true, a service account will be created and used by the statefulset | `false` | +| `sts.serviceAccount.name` | When set, the set name will be used as the service account name. If a value is not provided a name will be generated based on Chart options | `nil` | | `sts.podManagementPolicy` | Parallel podManagementPolicy | `Parallel` | | `sts.AntiAffinity` | Affinity for pod assignment | `soft` | | `sts.pod.annotations` | Pod template annotations | `security.alpha.kubernetes.io/sysctls: net.ipv4.ip_local_port_range=10000 65000` | 
@@ -177,6 +179,11 @@ The following table lists the configurable parameters of the nifi chart and the | `env` | Additional environment variables for the nifi-container (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#envvar-v1-core) for details) | `[]` | | **extraContainers** | | `extraContainers` | Additional container-specifications that should run within the pod (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core) for details) | `[]` | +| **openshift** | +| `openshift.scc.enabled` | If true, a openshift security context will be created permitting to run the statefulset as AnyUID | `false` | +| `openshift.route.enabled` | If true, a openshift route will be created. This option cannot be used together with Ingress as a route object replaces the Ingress. The property `properties.externalSecure` will configure the route in edge termination mode, the default is passthrough. The property `properties.httpsPort` has to be set if the cluster is intended to work with SSL termination | `false` | +| `openshift.route.host` | The hostname intended to be used in order to access NiFi web interface | `nil` | +| `openshift.route.path` | Path to access frontend, works the same way as the ingress path option | `nil` | | **zookeeper** | | `zookeeper.enabled` | If true, deploy Zookeeper | `true` | | `zookeeper.url` | If the Zookeeper Chart is disabled a URL and port are required to connect | `nil` | 
@@ -191,6 +198,9 @@ The following table lists the configurable parameters of the nifi chart and the | `ca.port` | CA server port number | `9090` | | `ca.token` | The token to use to prevent MITM | `80` | | `ca.admin.cn` | CN for admin certificate | `admin` | +| `ca.serviceAccount.create` | If true, a service account will be created and used by the deployment | `false` | +| `ca.serviceAccount.name` |When set, the set name will be used as the service account name. If a value is not provided a name will be generated based on Chart options | `nil` | +| `ca.openshift.scc.enabled` | If true, an openshift security context will be created permitting to run the deployment as AnyUID | `false` | ## Credits diff --git a/charts/ca/Chart.yaml b/charts/ca/Chart.yaml index 34c35961..3d17b7f7 100644 --- a/charts/ca/Chart.yaml +++ b/charts/ca/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: ca -version: 1.0.0 +version: 1.0.1 # We are using the nifi version as appVersion appVersion: 1.11.4 description: A Helm chart to deploy ca server to generate self-signed certificates using nifi-toolkit. diff --git a/charts/ca/templates/_helpers.tpl b/charts/ca/templates/_helpers.tpl index 9cf51512..f89d79d7 100644 --- a/charts/ca/templates/_helpers.tpl +++ b/charts/ca/templates/_helpers.tpl @@ -23,3 +23,14 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} {{- end -}} + +{{/* +Set the service account name +*/}} +{{- define "ca.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ca.fullname" .) .Values.serviceAccount.name }}-sa +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ca/templates/deployment.yaml b/charts/ca/templates/deployment.yaml index 9cc3f80d..0af662f7 100644 --- a/charts/ca/templates/deployment.yaml +++ b/charts/ca/templates/deployment.yaml 
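Review bot: The `ca.serviceAccountName` helper appends `-sa` to a user-supplied `serviceAccount.name` when `create` is true but not when it is false, so the README's statement that "the set name will be used as the service account name" only holds in one branch, and an operator who sets `name: nifi-ca` together with `create: true` gets an account called `nifi-ca-sa` while the SCC and deployment follow that renamed value silently. Apply the suffix only to the generated default: `{{- default (printf "%s-sa" (include "ca.fullname" .)) .Values.serviceAccount.name }}`. The identical construct is added to `templates/_helpers.tpl` for the statefulset (`apache-nifi.serviceAccountName`) and needs the same change.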
@@ -20,6 +20,7 @@ spec: app: {{ template "ca.name" . }}-ca release: {{ .Release.Name }} spec: + serviceAccountName: {{ include "ca.serviceAccountName" . }} containers: - name: ca imagePullPolicy: {{ .Values.image.pullPolicy | quote }} @@ -62,6 +63,7 @@ spec: name: volume-permissions resources: {} securityContext: + runAsUser: 0 allowPrivilegeEscalation: false capabilities: {} privileged: false diff --git a/charts/ca/templates/scc.yaml b/charts/ca/templates/scc.yaml new file mode 100644 index 00000000..41279dc2 --- /dev/null +++ b/charts/ca/templates/scc.yaml @@ -0,0 +1,45 @@ +{{- if .Values.openshift.scc.enabled -}} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + labels: + app: {{ template "ca.name" . }}-ca + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + annotations: + kubernetes.io/description: nifi provides all features of the restricted SCC but + allows users to run with any UID and any GID. + name: {{ template "ca.fullname" . }}-scc +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:{{ .Release.Namespace }}:{{ include "ca.serviceAccountName" . }} +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end }} \ No newline at end of file diff --git a/charts/ca/templates/serviceaccount.yaml b/charts/ca/templates/serviceaccount.yaml new file mode 100644 index 00000000..b9527ecf --- /dev/null +++ b/charts/ca/templates/serviceaccount.yaml 
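Review bot: The `volume-permissions` init container now runs as uid 0 but keeps `capabilities: {}`, which drops nothing, so a root process with the container runtime's full default capability set runs on every pod start just to fix file ownership. Since the container's only job appears to be a chown on the data volume (inferred from its name and the commit message; its command is outside the hunk), restrict it to what that needs: `capabilities:` / `drop: ["ALL"]` / `add: ["CHOWN", "FOWNER", "DAC_OVERRIDE"]`. A comment next to `runAsUser: 0` should also state that this request is only admitted on OpenShift once the chart's SCC (or `anyuid`) is bound to the pod's service account, and will be rejected by a restricted PodSecurityPolicy or admission policy elsewhere. The init container spec begins before this hunk.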
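Review bot: When `openshift.scc.enabled` is true but `serviceAccount.create` is false and no name is given, the `users:` entry resolves to `system:serviceaccount:<namespace>:default`, so this `RunAsAny` SCC (which the deployment uses to run an init container as uid 0) is granted to every pod in the namespace that runs under the default service account, not just the CA. Either refuse to render that combination, e.g. `{{- if and .Values.openshift.scc.enabled (not .Values.serviceAccount.create) (not .Values.serviceAccount.name) }}{{ fail "openshift.scc.enabled requires a dedicated serviceAccount" }}{{- end }}`, or document in values.yaml that the two flags must be set together. Separately, `SecurityContextConstraints` is cluster-scoped while `name: {{ template "ca.fullname" . }}-scc` carries no namespace, so two releases with the same release name in different namespaces collide on one object; including `.Release.Namespace` in the name avoids that. The `kubernetes.io/description` text is the stock `anyuid` wording and still says "nifi" rather than the CA.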
@@ -0,0 +1,11 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "ca.name" . }}-ca + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ include "ca.serviceAccountName" . }} +{{- end }} \ No newline at end of file diff --git a/charts/ca/values.yaml b/charts/ca/values.yaml index ad807b03..702d622d 100644 --- a/charts/ca/values.yaml +++ b/charts/ca/values.yaml @@ -49,3 +49,13 @@ token: sixteenCharacters securityContext: fsGroup: 1000 runAsUser: 1000 + +serviceAccount: + create: false + #name: nifi-ca + +## Openshift support +## Use the following varables in order to enable Route and Security Context Constraint creation +openshift: + scc: + enabled: false diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index e2be3e03..50e55733 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -78,4 +78,15 @@ Create ca.server {{- else -}} {{- printf "%s" .Values.ca.server }} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{/* +Set the service account name +*/}} +{{- define "apache-nifi.serviceAccountName" -}} +{{- if .Values.sts.serviceAccount.create }} +{{- default (include "apache-nifi.fullname" .) .Values.sts.serviceAccount.name }}-sa +{{- else }} +{{- default "default" .Values.sts.serviceAccount.name }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/route.yaml b/templates/route.yaml new file mode 100644 index 00000000..2637cd7e --- /dev/null +++ b/templates/route.yaml 
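Review bot: The new ServiceAccount exists only to be named in the SCC's `users:` list (per the commit message), yet every pod using it still gets an API token mounted at `/var/run/secrets/kubernetes.io/serviceaccount` by default. Unless the CA deployment actually talks to the Kubernetes API (nothing in this patch suggests it does), add `automountServiceAccountToken: false` at the ServiceAccount's top level so a compromise of the CA container does not also hand out namespace credentials. The same applies to the statefulset's ServiceAccount in `templates/serviceaccount.yaml`.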
@@ -0,0 +1,37 @@ +{{- if .Values.openshift.route.enabled -}} +{{- $fullName := include "apache-nifi.fullname" . -}} +{{- $ingressPath := .Values.openshift.route.path -}} +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + labels: + app: {{ include "apache-nifi.name" . | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "apache-nifi.fullname" . }} +spec: + {{- if .Values.openshift.route.host }} + host: {{ .Values.openshift.route.host }} + {{- end }} + {{- if .Values.openshift.route.host }} + path: {{ $ingressPath }} + {{- end }} + to: + kind: Service + name: {{ $fullName }} + weight: 100 + port: +{{- if .Values.properties.clusterSecure }} + targetPort: https + tls: + {{- if .Values.properties.externalSecure }} + termination: edge + {{- else }} + termination: passthrough + {{- end }} + insecureEdgeTerminationPolicy: Redirect +{{- else }} + targetPort: http +{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/scc.yaml b/templates/scc.yaml new file mode 100644 index 00000000..5f9afaf8 --- /dev/null +++ b/templates/scc.yaml 
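Review bot: `path:` is emitted under `{{- if .Values.openshift.route.host }}` instead of a check on the path itself, so a route with `path` but no `host` silently loses its path, and a route with `host` but no `path` renders an empty `path:`; the guard should be `{{- if $ingressPath }}`. Second, with `properties.externalSecure` the route gets `termination: edge` while still pointing at `targetPort: https`: edge termination means the router forwards plaintext to the backend, which will not work against a NiFi listener that only speaks TLS when `clusterSecure` is set, so that branch should either use `termination: reencrypt` (with a `destinationCACertificate` for the CA-issued certificate) or target the `http` port. `host:` is also emitted unquoted and should be `{{ .Values.openshift.route.host | quote }}` so a hostname is never retyped by the YAML parser.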
@@ -0,0 +1,45 @@ +{{- if .Values.openshift.scc.enabled -}} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + labels: + app: {{ include "apache-nifi.name" . | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + annotations: + kubernetes.io/description: {{ template "apache-nifi.fullname" . }}-scc provides all features of the restricted SCC but + allows users to run with any UID and any GID. + name: {{ template "apache-nifi.fullname" . }}-scc +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:{{ .Release.Namespace }}:{{ include "apache-nifi.serviceAccountName" . }} +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end }} \ No newline at end of file diff --git a/templates/serviceaccount.yaml b/templates/serviceaccount.yaml new file mode 100644 index 00000000..852bcbdc --- /dev/null +++ b/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if .Values.sts.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ include "apache-nifi.name" . | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ include "apache-nifi.serviceAccountName" . }} +{{- end }} \ No newline at end of file diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index f459130f..fa91e837 100644 
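Review bot: `requiredDropCapabilities` lists only `MKNOD`, whereas the `kubernetes.io/description` claims this SCC "provides all features of the restricted SCC"; the stock `restricted` SCC additionally drops `KILL`, `SETUID` and `SETGID`, and nothing visible in this patch suggests the NiFi containers (documented to run as uid 1000) need them. Either add `- KILL`, `- SETUID`, `- SETGID` to the list so the description is accurate, or reword the description to say it is `anyuid` scoped to one service account. As with the CA subchart, when `sts.serviceAccount.create` is false and no name is set the `users:` entry resolves to the namespace's `default` account and this `RunAsAny` SCC becomes available to every pod using it, so `openshift.scc.enabled` should require a dedicated service account or fail the render. The SCC is cluster-scoped, so `name:` should include `.Release.Namespace` to avoid collisions between releases in different namespaces.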
--- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -31,6 +31,7 @@ spec: release: {{ .Release.Name | quote }} heritage: {{ .Release.Service | quote }} spec: + serviceAccountName: {{ include "apache-nifi.serviceAccountName" . }} {{- if eq .Values.sts.AntiAffinity "hard"}} affinity: podAntiAffinity: diff --git a/values.yaml b/values.yaml index 4de93a87..59f78d5f 100644 --- a/values.yaml +++ b/values.yaml @@ -29,6 +29,9 @@ sts: annotations: security.alpha.kubernetes.io/sysctls: net.ipv4.ip_local_port_range=10000 65000 #prometheus.io/scrape: "true" + serviceAccount: + create: false + #name: nifi ## Useful if using any custom secrets ## Pass in some secrets to use (if required) @@ -239,6 +242,16 @@ terminationGracePeriodSeconds: 30 ## Extra environment variables that will be pass onto deployment pods env: [] +## Openshift support +## Use the following varables in order to enable Route and Security Context Constraint creation +openshift: + scc: + enabled: false + route: + enabled: false + #host: www.test.com + #path: /nifi + # ca server details # Setting this true would create a nifi-toolkit based ca server # The ca server will be used to generate self-signed certificates required setting up secured cluster @@ -251,6 +264,12 @@ ca: token: sixteenCharacters admin: cn: admin + serviceAccount: + create: false + #name: nifi-ca + openshift: + scc: + enabled: false # ------------------------------------------------------------------------------ # Zookeeper: From b641cc2f8d9e8e0edb7c5244da9d4253fbf7cb59 Mon Sep 17 00:00:00 2001 From: Martijn Zwennes Date: Mon, 12 Oct 2020 09:52:33 +0200 Subject: [PATCH 2/5] Bump chart version. Signed-off-by: Martijn Zwennes (#89) Co-authored-by: Alexandre Nuttinck Co-authored-by: Martijn Zwennes --- configs/nifi.properties | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/nifi.properties b/configs/nifi.properties index c5119ca8..044fd4ac 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties 
@@ -34,6 +34,7 @@ nifi.ui.banner.text= nifi.ui.autorefresh.interval=30 sec nifi.nar.library.directory=./lib nifi.nar.library.directory.custom={{.Values.properties.customLibPath}} +nifi.nar.library.autoload.directory=./extensions nifi.nar.working.directory=./work/nar/ nifi.documentation.working.directory=./work/docs/components From a7cc86146332e0c1928c7bc399cba6e04eff0f7e Mon Sep 17 00:00:00 2001 From: Sebastian Valle Date: Mon, 12 Oct 2020 02:57:11 -0500 Subject: [PATCH 3/5] Multiple fixes related to secure clusters (#93) * Use the proper port variable when clusterSecure is enabled. The Ingress definition was using the httpPort by default instead of the httpsPort when the cluster was installed in secure mode. * Bump chart version to 0.5.5 * Leave all the security configurations blank in nifi.properties by default. Nifi 1.12.1 checks whether any of these `nifi.security.XXX` values is non-empty to determine whether the user wants to set a keystore or not. We leave them blank by default so unsecured clusters will at least run. Fixes the "TlsException: The keystore properties are not valid" error when starting up. Fixes #77 * Set the keystore and truststore types to jks when clusterSecure is true This is a continuation of c5322c5a12fccd089252cab127e0dbd8d0ad80dc , it allows secured clusters to start up again by setting the keystore types to their expected values. * Corrected the label key for the soft antiAffinity configuration It was previously using "component" as the key, which doesn't actually exist by default, the proper key should be "app". Co-authored-by: Alexandre Nuttinck --- configs/nifi.properties | 4 ++-- templates/ingress.yaml | 4 ++++ templates/statefulset.yaml | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/configs/nifi.properties b/configs/nifi.properties index 044fd4ac..8b602c30 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties 
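Review bot: The commit is titled "Bump chart version" but the only change is the new `nifi.nar.library.autoload.directory=./extensions` line in `configs/nifi.properties`, and no Chart.yaml version changes; the message should describe the property being enabled. The line deserves a comment because it is security-relevant: `# NiFi hot-loads any NAR placed in this directory, so write access to it is code execution inside the NiFi JVM; keep it off shared or world-writable volumes.` Whether `./extensions` lands on a persistent volume in this chart is not visible from the hunk.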
@@ -152,11 +152,11 @@ nifi.sensitive.props.provider=BC nifi.sensitive.props.additional.keys= nifi.security.keystore= -nifi.security.keystoreType=jks +nifi.security.keystoreType= nifi.security.keystorePasswd= nifi.security.keyPasswd= nifi.security.truststore= -nifi.security.truststoreType=jks +nifi.security.truststoreType= nifi.security.truststorePasswd= nifi.security.needClientAuth={{.Values.properties.needClientAuth}} nifi.security.user.authorizer={{.Values.properties.authorizer}} diff --git a/templates/ingress.yaml b/templates/ingress.yaml index cb57547b..94faba0d 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -2,7 +2,11 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "apache-nifi.fullname" . -}} {{- $ingressPath := .Values.ingress.path -}} +{{- if .Values.properties.clusterSecure -}} +{{- $ingressPort := .Values.service.httpsPort -}} +{{- else }} {{- $ingressPort := .Values.service.httpPort -}} +{{- end }} apiVersion: extensions/v1beta1 kind: Ingress metadata: diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index fa91e837..43642355 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -51,7 +51,7 @@ spec: podAffinityTerm: labelSelector: matchExpressions: - - key: "component" + - key: "app" operator: In values: - {{ include "apache-nifi.name" . | quote }} 
@@ -189,9 +189,11 @@ spec: {{- if .Values.properties.clusterSecure }} # Update nifi.properties for security properties prop_replace nifi.web.https.host ${FQDN} + prop_replace nifi.security.keystoreType jks prop_replace nifi.security.keystore ${NIFI_HOME}/config-data/certs/keystore.jks prop_replace nifi.security.keystorePasswd $(jq -r .keyStorePassword ${NIFI_HOME}/config-data/certs/config.json) prop_replace nifi.security.keyPasswd $(jq -r .keyPassword ${NIFI_HOME}/config-data/certs/config.json) + prop_replace nifi.security.truststoreType jks prop_replace nifi.security.truststore ${NIFI_HOME}/config-data/certs/truststore.jks prop_replace nifi.security.truststorePasswd $(jq -r .trustStorePassword ${NIFI_HOME}/config-data/certs/config.json) From 4f2ac1f5a0446272f983b268fc096c57f32b541e Mon Sep 17 00:00:00 2001 From: Sebastian Valle Date: Mon, 12 Oct 2020 02:59:39 -0500 Subject: [PATCH 4/5] Re-enable flow.xml bootstrapping (#94) This was commented out in #76 , but is needed for proper flow bootstrapping and out-of-the-box nifi-registry support Co-authored-by: Alexandre Nuttinck --- templates/statefulset.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 43642355..700b4738 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -178,9 +178,9 @@ spec: cat "${NIFI_HOME}/conf/authorizers.empty" > "${NIFI_HOME}/conf/authorizers.xml" fi - # if ! test -f /opt/nifi/data/flow.xml.gz && test -f /opt/nifi/data/flow.xml; then - # gzip /opt/nifi/data/flow.xml - # fi + if ! test -f /opt/nifi/data/flow.xml.gz && test -f /opt/nifi/data/flow.xml; then + gzip /opt/nifi/data/flow.xml + fi prop_replace nifi.remote.input.host ${FQDN} prop_replace nifi.cluster.node.address ${FQDN} From 6fb42d12ad4d419c6f76bbd9c5958ccf811d443d Mon Sep 17 00:00:00 2001 
From: Alexandre Nuttinck Date: Mon, 12 Oct 2020 10:08:09 +0200 Subject: [PATCH 5/5] fix ingress def --- templates/ingress.yaml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 94faba0d..28b55f38 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -2,11 +2,8 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "apache-nifi.fullname" . -}} {{- $ingressPath := .Values.ingress.path -}} -{{- if .Values.properties.clusterSecure -}} -{{- $ingressPort := .Values.service.httpsPort -}} -{{- else }} -{{- $ingressPort := .Values.service.httpPort -}} -{{- end }} +{{- $ingressHttpsPort := .Values.service.httpsPort -}} +{{- $ingressHttpPort := .Values.service.httpPort -}} apiVersion: extensions/v1beta1 kind: Ingress metadata: @@ -32,6 +29,7 @@ spec: secretName: {{ .secretName }} {{- end }} {{- end }} +{{- if .Values.properties.clusterSecure}} rules: {{- range .Values.ingress.hosts }} - host: {{ . }} @@ -40,6 +38,18 @@ spec: - path: {{ $ingressPath }} backend: serviceName: {{ $fullName }} - servicePort: {{ $ingressPort }} + servicePort: {{ $ingressHttpsPort }} + {{- end }} +{{- else}} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ . }} + http: + paths: + - path: {{ $ingressPath }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $ingressHttpPort }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file
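Review bot: The fix duplicates the entire `rules:` block just to vary `servicePort`, which will drift the moment someone edits one copy; this chart is `apiVersion: v2` (Helm 3), where template variables can be reassigned, so `{{- $ingressPort := .Values.service.httpPort -}}` followed by `{{- if .Values.properties.clusterSecure }}{{- $ingressPort = .Values.service.httpsPort }}{{- end }}` and a single `rules:` block gives the same result. Pointing the Ingress at `httpsPort` when `clusterSecure` is set also requires the ingress controller to be told the backend speaks TLS (for ingress-nginx the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation, or SSL passthrough if NiFi client-certificate authentication is used); otherwise it proxies plaintext to a TLS port and the UI is unreachable, so `ingress.annotations` (outside this hunk) should document that. `extensions/v1beta1` for Ingress predates this change and is left as is.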