feat: support configure gateway.tls and adding ingress class (#657)
diff --git a/charts/apisix-ingress-controller/README.md b/charts/apisix-ingress-controller/README.md
index a2af3be..4f2bcf4 100644
--- a/charts/apisix-ingress-controller/README.md
+++ b/charts/apisix-ingress-controller/README.md
@@ -151,6 +151,15 @@
| gateway.nginx.workerConnections | string | `"10620"` | Nginx worker connections |
| gateway.nginx.workerProcesses | string | `"auto"` | Nginx worker processes |
| gateway.nginx.workerRlimitNofile | string | `"20480"` | Nginx workerRlimitNoFile |
+| gateway.tls.additionalContainerPorts | list | `[]` | Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99) |
+| gateway.tls.certCAFilename | string | `""` | Filename be used in the gateway.tls.existingCASecret |
+| gateway.tls.containerPort | int | `9443` | |
+| gateway.tls.enabled | bool | `false` | |
+| gateway.tls.existingCASecret | string | `""` | Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) |
+| gateway.tls.fallbackSNI | string | `""` | Define SNI to fallback if none is presented by client |
+| gateway.tls.http2.enabled | bool | `true` | |
+| gateway.tls.servicePort | int | `443` | |
+| gateway.tls.sslProtocols | string | `"TLSv1.2 TLSv1.3"` | TLS protocols allowed to use. |
| gateway.type | string | `"NodePort"` | Apache APISIX service type for user access itself |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"apache/apisix-ingress-controller"` | |
diff --git a/charts/apisix-ingress-controller/templates/apisix-configmap.yaml b/charts/apisix-ingress-controller/templates/apisix-configmap.yaml
index 7310524..6cdd5a2 100644
--- a/charts/apisix-ingress-controller/templates/apisix-configmap.yaml
+++ b/charts/apisix-ingress-controller/templates/apisix-configmap.yaml
@@ -58,6 +58,23 @@
worker_rlimit_nofile: {{ .Values.gateway.nginx.workerRlimitNofile }} # the number of files a worker process can open, should be larger than worker_connections
event:
worker_connections: {{ .Values.gateway.nginx.workerConnections }}
+
+ ssl:
+ enable: {{ .Values.gateway.tls.enabled }}
+ listen:
+ - port: {{ .Values.gateway.tls.containerPort }}
+ enable_http2: {{ .Values.gateway.tls.http2.enabled }}
+ {{- with .Values.gateway.tls.additionalContainerPorts }}
+ {{- toYaml . | nindent 10}}
+ {{- end }}
+ ssl_protocols: {{ .Values.gateway.tls.sslProtocols | quote }}
+ ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+ {{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
+ ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{ .Values.gateway.tls.certCAFilename }}"
+ {{- end }}
+ {{- if and .Values.gateway.tls.enabled .Values.gateway.tls.fallbackSNI }}
+ fallback_sni: {{ .Values.gateway.tls.fallbackSNI | quote }}
+ {{- end }}
plugins: # plugin list (sorted by priority)
- real-ip # priority: 23000
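Review bot: The cipher list on the `ssl_ciphers:` line is hard-coded and ends with legacy suites — `DES-CBC3-SHA` (3DES) plus the CBC/SHA-1 and non-ECDHE entries such as `AES128-SHA` — which an operator cannot remove without forking the template, even though `ssl_protocols` directly above it is driven by a value. Use the same pattern, `ssl_ciphers: {{ .Values.gateway.tls.sslCiphers | quote }}`, and give the new key a default in values.yaml (the values.yaml hunk in this commit has no such key) that omits the 3DES and SHA-1 CBC suites. Separately, the `ssl_trusted_certificate` branch checks `existingCASecret` but not `certCAFilename`, so an empty filename renders a path ending in `/ssl/`; extend the guard to `{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret .Values.gateway.tls.certCAFilename }}`. The visible deployment.yaml hunk shows no volume mount placing that Secret under `/usr/local/apisix/conf/ssl/`, so confirm the mount exists elsewhere in the template; the enclosing nginx config block also starts before this hunk.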
diff --git a/charts/apisix-ingress-controller/templates/deployment.yaml b/charts/apisix-ingress-controller/templates/deployment.yaml
index efa8361..ccddd9e 100644
--- a/charts/apisix-ingress-controller/templates/deployment.yaml
+++ b/charts/apisix-ingress-controller/templates/deployment.yaml
@@ -140,7 +140,7 @@
containerPort: 9180
protocol: TCP
- name: https
- containerPort: 9443
+ containerPort: {{ .Values.gateway.tls.containerPort }}
protocol: TCP
{{- if .Values.serviceMonitor.enabled }}
- containerPort: 9091
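Review bot: The listeners added through `gateway.tls.additionalContainerPorts` in apisix-configmap.yaml are not reflected here — only the single `https` port is declared after the `containerPort:` change — and the same gap exists in the service-apisix.yaml hunk, which still exposes one https port, so extra listeners are reachable only by port-forwarding. The container ports list begins outside this hunk. Iterating the value after the existing `https` entry keeps the declared ports in step with the listeners; the `.port` field is the one the commented example in values.yaml documents.
```yaml
        - name: https
          containerPort: {{ .Values.gateway.tls.containerPort }}
          protocol: TCP
        {{- range .Values.gateway.tls.additionalContainerPorts }}
        - name: https-{{ .port }}
          containerPort: {{ .port }}
          protocol: TCP
        {{- end }}
        # … unchanged: serviceMonitor port …
```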
diff --git a/charts/apisix-ingress-controller/templates/ingress-class.yaml b/charts/apisix-ingress-controller/templates/ingress-class.yaml
new file mode 100644
index 0000000..0120614
--- /dev/null
+++ b/charts/apisix-ingress-controller/templates/ingress-class.yaml
@@ -0,0 +1,6 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ name: {{ .Values.config.kubernetes.ingressClass | quote }}
+spec:
+ controller: apisix.apache.org/apisix-ingress # fix: https://github.com/apache/apisix-ingress-controller/issues/1653
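Review bot: This IngressClass is rendered unconditionally, and IngressClass is a cluster-scoped resource: if an object with the same `config.kubernetes.ingressClass` name already exists (a second release of this chart, or a class created by hand), `helm install` fails on the conflict. Guard the whole document with a chart toggle, e.g. `{{- if .Values.ingressClass.create }}` … `{{- end }}` (a new value, to be added to values.yaml), and give `metadata` the chart's standard labels with `labels: {{- include "apisix-ingress-controller.labels" . | nindent 4 }}` — the service template already uses the sibling `selectorLabels` helper, so a `labels` helper presumably exists; verify its name. Consider also exposing `ingressclass.kubernetes.io/is-default-class` as an optional annotation, since operators commonly need it and cannot add it to a chart-owned object otherwise.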
diff --git a/charts/apisix-ingress-controller/templates/service-apisix.yaml b/charts/apisix-ingress-controller/templates/service-apisix.yaml
index 5125974..4abf0f3 100644
--- a/charts/apisix-ingress-controller/templates/service-apisix.yaml
+++ b/charts/apisix-ingress-controller/templates/service-apisix.yaml
@@ -17,8 +17,8 @@
targetPort: 9080
- name: https
protocol: TCP
- port: 443
- targetPort: 9443
+ port: {{ .Values.gateway.tls.servicePort }}
+ targetPort: {{ .Values.gateway.tls.containerPort }}
selector:
{{- include "apisix-ingress-controller.selectorLabels" . | nindent 4 }}
type: {{ .Values.gateway.type }} # LoadBalancer or NodePort
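Review bot: The `https` Service port is emitted regardless of `gateway.tls.enabled`, so with the default `enabled: false` the Service still publishes `servicePort` (443 by default, on a NodePort or LoadBalancer per the `type:` line) pointing at a container port with no listener, which surfaces as connection refused to clients and as an open-but-dead port in scans. Wrap the entry with `{{- if .Values.gateway.tls.enabled }}` before `- name: https` and `{{- end }}` after the `targetPort:` line; the ports list begins outside this hunk.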
diff --git a/charts/apisix-ingress-controller/values.yaml b/charts/apisix-ingress-controller/values.yaml
index 6b8d265..d395ad5 100644
--- a/charts/apisix-ingress-controller/values.yaml
+++ b/charts/apisix-ingress-controller/values.yaml
@@ -232,3 +232,22 @@
errorLog: stderr
# -- Nginx error logs level
errorLogLevel: warn
+ tls:
+ enabled: false
+ servicePort: 443
+ containerPort: 9443
+ # -- Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
+ additionalContainerPorts: []
+ # - ip: 127.0.0.3 # Specific IP, If not set, the default value is `0.0.0.0`.
+ # port: 9445
+ # enable_http2: true
+ # -- Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd)
+ existingCASecret: ""
+ # -- Filename be used in the gateway.tls.existingCASecret
+ certCAFilename: ""
+ http2:
+ enabled: true
+ # -- TLS protocols allowed to use.
+ sslProtocols: "TLSv1.2 TLSv1.3"
+ # -- Define SNI to fallback if none is presented by client
+ fallbackSNI: ""
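Review bot: Four of the new keys carry no `# --` comment, so the generated README rows for `gateway.tls.enabled`, `gateway.tls.servicePort`, `gateway.tls.containerPort` and `gateway.tls.http2.enabled` have empty description cells in the README hunk of this commit. Add `# -- Enable the HTTPS listener on the gateway` above `enabled`, `# -- Service port exposed for HTTPS` above `servicePort`, `# -- Container port APISIX listens on for HTTPS` above `containerPort`, and `# -- Enable HTTP/2 on the HTTPS listener` above `http2.enabled`. The `sslProtocols` comment reads awkwardly; `# -- Space-separated TLS protocol versions the HTTPS listener accepts` states the format as well as the meaning. The `tls:` mapping's parent `gateway:` key begins outside this hunk.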