allow injection of TLS config for OpenShift routes (#686)

* Add some tests on top of #396 * convert server-route.yaml to unix newlines * changelog Co-authored-by: André Becker <andre@arestless.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-01-20 07:37:26 +01:00 · 2022-01-20 07:37:26 +01:00 · 92da512577
commit 92da512577
parent e629dc9d65
4 changed files with 46 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,6 +9,7 @@ Features:
 Improvements:
 * Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679)
 * Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673)
+* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686)

 ## 0.18.0 (November 17th, 2021)

--- a/templates/server-route.yaml
+++ b/templates/server-route.yaml
@ -28,7 +28,7 @@ spec:
  port:
    targetPort: 8200
  tls:
-    termination: passthrough
+    {{- toYaml .Values.server.route.tls | nindent  4 }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/test/unit/server-route.bats
+++ b/test/unit/server-route.bats
@ -141,3 +141,41 @@ load _helpers
      yq -r '.spec.to.name' | tee /dev/stderr)
  [ "${actual}" = "RELEASE-NAME-vault" ]
 }
+
+@test "server/route: OpenShift - route termination mode set to default passthrough" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.tls.termination' | tee /dev/stderr)
+  [ "${actual}" = "passthrough" ]
+}
+
+@test "server/route: OpenShift - route termination mode set to edge" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.tls.termination=edge' \
+      . | tee /dev/stderr |
+      yq -r '.spec.tls.termination' | tee /dev/stderr)
+  [ "${actual}" = "edge" ]
+}
+
+@test "server/route: OpenShift - route custom tls entry" {
+  cd `chart_dir`
+
+  local actual=$(helm template \
+      --show-only templates/server-route.yaml \
+      --set 'global.openshift=true' \
+      --set 'server.route.enabled=true' \
+      --set 'server.route.tls.insecureEdgeTerminationPolicy=Redirect' \
+      . | tee /dev/stderr |
+      yq -r '.spec.tls.insecureEdgeTerminationPolicy' | tee /dev/stderr)
+  [ "${actual}" = "Redirect" ]
+}
--- a/values.yaml
+++ b/values.yaml
@ -305,7 +305,7 @@ server:
    #      - chart-example.local

  # OpenShift only - create a route to expose the service
-  # The created route will be of type passthrough
+  # By default the created route will be of type passthrough
  route:
    enabled: false

@ -316,6 +316,11 @@ server:
    labels: {}
    annotations: {}
    host: chart-example.local
+    # tls will be passed directly to the route's TLS config, which
+    # can be used to configure other termination methods that terminate
+    # TLS at the router
+    tls:
+      termination: passthrough

  # authDelegator enables a cluster role binding to be attached to the service
  # account.  This cluster role binding can be used to setup Kubernetes auth