diff --git a/charts/wonderwall-forward-auth/templates/ingress.yaml b/charts/wonderwall-forward-auth/templates/ingress.yaml
index d21e4ee..ea4f961 100644
--- a/charts/wonderwall-forward-auth/templates/ingress.yaml
+++ b/charts/wonderwall-forward-auth/templates/ingress.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 annotations:
+ # nginx-specific; ignored by HAProxy. Remove when nginx is decommissioned.
 nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
 nginx.ingress.kubernetes.io/enable-global-auth: "false"
 labels:
@@ -21,3 +22,30 @@ spec:
 number: 80
 path: /
 pathType: ImplementationSpecific
+{{- range .Values.additionalIngressClassNames }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+ nginx.ingress.kubernetes.io/enable-global-auth: "false"
+ prometheus.io/path: /oauth2/ping
+ prometheus.io/scrape: "true"
+ labels:
+ {{- include "wonderwall-forward-auth.labels" $ | nindent 4 }}
+ name: {{ include "wonderwall-forward-auth.fullname" $ }}-{{ . }}
+spec:
+ ingressClassName: {{ . }}
+ rules:
+ - host: {{ $.Values.sso.domain }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: {{ include "wonderwall-forward-auth.fullname" $ }}
+ port:
+ number: 80
+ path: /
+ pathType: ImplementationSpecific
+{{- end }}
diff --git a/charts/wonderwall-forward-auth/templates/networkpolicy.yaml b/charts/wonderwall-forward-auth/templates/networkpolicy.yaml
index 5663dd4..4467ab4 100644
--- a/charts/wonderwall-forward-auth/templates/networkpolicy.yaml
+++ b/charts/wonderwall-forward-auth/templates/networkpolicy.yaml
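Review bot: The Ingress generated by the `{{- range .Values.additionalIngressClassNames }}` block carries `prometheus.io/path: /oauth2/ping` and `prometheus.io/scrape: "true"`, which the primary Ingress in this file does not have (its annotation block in the first hunk holds only the two nginx annotations), so two objects for the same service and host would be scraped differently; either drop those two lines here or add them to the primary so the pair differs only in `ingressClassName` and the name suffix. The duplicated nginx annotations here also lack the `# nginx-specific; ignored by HAProxy. Remove when nginx is decommissioned.` comment that the first hunk adds to the primary, and the same gap exists in the range blocks added to `charts/wonderwall/templates/fa-ingress.yaml` and `idporten-ingress.yaml`; whoever removes the marked annotations later will miss the unmarked copies. Since the whole Ingress body is now repeated once per file in three files, a named template taking the class name and name suffix would keep the copies from drifting, which matters for a block that is meant to be temporary.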
@@ -28,6 +28,15 @@ spec:
 podSelector:
 matchLabels:
 nais.io/ingressClass: {{ .Values.ingressClassName }}
+ {{- range .Values.additionalIngressClassNames }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: nais-system
+ podSelector:
+ matchLabels:
+ nais.io/ingressClass: {{ . }}
+ {{- end }}
 podSelector:
 matchLabels:
 {{- include "wonderwall-forward-auth.selectorLabels" . | nindent 6 }}
diff --git a/charts/wonderwall-forward-auth/values.yaml b/charts/wonderwall-forward-auth/values.yaml
index 90fb8e6..7015668 100644
--- a/charts/wonderwall-forward-auth/values.yaml
+++ b/charts/wonderwall-forward-auth/values.yaml
@@ -22,7 +22,11 @@ replicas:
 max: 4
 podDisruptionBudget:
 maxUnavailable: 1
-ingressClassName: nais-ingress-fa
+ingressClassName: external-fa-haproxy
+# Additional ingress class names for dual-controller operation during nginx-to-HAProxy migration.
+# Remove when nginx is decommissioned.
+additionalIngressClassNames:
+ - nais-ingress-fa
 otel:
 endpoint: http://opentelemetry-management-collector.nais-system:4317
diff --git a/charts/wonderwall/templates/fa-ingress.yaml b/charts/wonderwall/templates/fa-ingress.yaml
index 755395c..d6ef212 100644
--- a/charts/wonderwall/templates/fa-ingress.yaml
+++ b/charts/wonderwall/templates/fa-ingress.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 annotations:
+ # nginx-specific; ignored by HAProxy. Remove when nginx is decommissioned.
 nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
 nginx.ingress.kubernetes.io/enable-global-auth: "false"
 prometheus.io/path: /oauth2/ping
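Review bot: Each additional class becomes a separate `- from:` rule that repeats the `kubernetes.io/metadata.name: nais-system` namespaceSelector of the existing rule above it, whose opening lines lie outside the hunk; rules and peers are both OR'ed, so the result is equivalent, but adding the extra peers inside the existing rule's `from:` list (ranging over the primary class together with the additional ones) would state the single intent in one place. The same nine-line block is repeated twice more in `charts/wonderwall/templates/networkpolicy.yaml`, so any later fix must be applied three times. Reachability of the auth pods from each controller depends on that controller's pods in `nais-system` carrying `nais.io/ingressClass` set to exactly the configured class name, including the new `external-fa-haproxy` default; a NetworkPolicy rule with no matching pod silently allows nothing, which is worth a comment on the `{{- range` line, e.g. `# One allow rule per legacy ingress class; controller pods must carry nais.io/ingressClass=<class>`.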
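Review bot: The new `additionalIngressClassNames` default is non-empty, so every installation renders a second Ingress and a second NetworkPolicy rule for `nais-ingress-fa` unless an override clears it, and the added comment does not say how to opt out; extend it with `# Set to [] in environments where the nginx controller is already gone.`. `[]` rather than `null` is the right override to document, because a `null` value in a Helm override removes the key entirely. The same wording applies to the two `additionalIngressClassNames` defaults added in `charts/wonderwall/values.yaml`.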
@@ -23,4 +24,31 @@ spec:
 number: 80
 path: /
 pathType: ImplementationSpecific
+{{- range .Values.azure.forwardAuth.additionalIngressClassNames }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+ nginx.ingress.kubernetes.io/enable-global-auth: "false"
+ prometheus.io/path: /oauth2/ping
+ prometheus.io/scrape: "true"
+ labels:
+ {{- include "wonderwall.labelsForwardAuth" $ | nindent 4 }}
+ name: {{ include "wonderwall.fullname" $ }}-fa-{{ . }}
+spec:
+ ingressClassName: {{ . }}
+ rules:
+ - host: {{ $.Values.azure.forwardAuth.ssoDomain }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: {{ include "wonderwall.fullname" $ }}-fa
+ port:
+ number: 80
+ path: /
+ pathType: ImplementationSpecific
+{{- end }}
 {{- end }}
diff --git a/charts/wonderwall/templates/idporten-ingress.yaml b/charts/wonderwall/templates/idporten-ingress.yaml
index 85fe2e0..7a10989 100644
--- a/charts/wonderwall/templates/idporten-ingress.yaml
+++ b/charts/wonderwall/templates/idporten-ingress.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 annotations:
+ # nginx-specific; ignored by HAProxy. Remove when nginx is decommissioned.
 nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
 prometheus.io/path: /oauth2/ping
 prometheus.io/scrape: "true"
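Review bot: The `{{- range .Values.azure.forwardAuth.additionalIngressClassNames }}` block is nested inside a conditional whose opening is outside the hunk and whose `{{- end }}` is the context line after the block, and nothing in the template says why a second Ingress with the same host, path and backend is emitted; a template comment on the range line would carry the reason into the rendered-manifest history, e.g. `{{- /* One extra Ingress per legacy ingress class; dual-controller migration only, remove together with additionalIngressClassNames. */ -}}`. The same comment belongs on the block added to `idporten-ingress.yaml` in the next hunk of this diff. Note that the per-iteration `---` relies on `{{-` trimming the newline before the range so that the separator lands on its own line; that is fine today but is easily broken by someone reindenting the block, which the comment should also mention.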
@@ -22,4 +23,30 @@ spec:
 number: 80
 path: /
 pathType: ImplementationSpecific
+{{- range .Values.idporten.additionalIngressClassNames }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+ prometheus.io/path: /oauth2/ping
+ prometheus.io/scrape: "true"
+ labels:
+ {{- include "wonderwall.labelsIdporten" $ | nindent 4 }}
+ name: {{ include "wonderwall.fullname" $ }}-idporten-{{ . }}
+spec:
+ ingressClassName: {{ . }}
+ rules:
+ - host: {{ $.Values.idporten.ssoServerHost }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: {{ include "wonderwall.fullname" $ }}-idporten
+ port:
+ number: 80
+ path: /
+ pathType: ImplementationSpecific
+{{- end }}
 {{ end }}
diff --git a/charts/wonderwall/templates/networkpolicy.yaml b/charts/wonderwall/templates/networkpolicy.yaml
index a3c2e75..1591981 100644
--- a/charts/wonderwall/templates/networkpolicy.yaml
+++ b/charts/wonderwall/templates/networkpolicy.yaml
@@ -44,6 +44,15 @@ spec:
 podSelector:
 matchLabels:
 nais.io/ingressClass: {{ .Values.azure.forwardAuth.ingressClassName }}
+ {{- range .Values.azure.forwardAuth.additionalIngressClassNames }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: nais-system
+ podSelector:
+ matchLabels:
+ nais.io/ingressClass: {{ . }}
+ {{- end }}
 - from:
 - namespaceSelector:
 matchLabels:
@@ -51,6 +60,15 @@ spec:
 podSelector:
 matchLabels:
 nais.io/ingressClass: {{ .Values.idporten.ingressClassName }}
+ {{- range .Values.idporten.additionalIngressClassNames }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: nais-system
+ podSelector:
+ matchLabels:
+ nais.io/ingressClass: {{ . }}
+ {{- end }}
 - from:
 - namespaceSelector:
 matchLabels:
diff --git a/charts/wonderwall/values.yaml b/charts/wonderwall/values.yaml
index fe0e761..9a464c5 100644
--- a/charts/wonderwall/values.yaml
+++ b/charts/wonderwall/values.yaml
@@ -26,7 +26,11 @@ azure:
 replicasMin: 2
 replicasMax: 4
 clientSecretName: azure-sso-server
- ingressClassName: nais-ingress-fa
+ ingressClassName: external-fa-haproxy
+ # Additional ingress class names for dual-controller operation during nginx-to-HAProxy migration.
+ # Remove when nginx is decommissioned.
+ additionalIngressClassNames:
+ - nais-ingress-fa
 # 256 bits key, in standard base64 encoding
 sessionCookieEncryptionKey:
 sessionCookieName: forwardauth
@@ -40,7 +44,11 @@ idporten:
 clientAccessTokenLifetime: 3600
 clientSessionLifetime: 21600
 clientSecretName: idporten-sso-server
- ingressClassName: nais-ingress-external
+ ingressClassName: external-haproxy
+ # Additional ingress class names for dual-controller operation during nginx-to-HAProxy migration.
+ # Remove when nginx is decommissioned.
+ additionalIngressClassNames:
+ - nais-ingress-external
 openidAcrValues: idporten-loa-high
 openidLocale: nb
 openidPostLogoutRedirectURL: