feat: root domain templating #1343

Merged
merged 17 commits into from
Mar 11, 2025

UnicornChance (Contributor)

Description

New feature to add root domain configuration to the Istio package. This allows applications to sit on the root domain and be configured with a virtual service to be accessed. Templating includes options for TLS mode, TLS version, cert, key, and cacert, plus a credential override if not using the templated TLS secret.

Related Issue

Fixes #1301

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Steps to Validate

This is a bit complicated to test but here are some steps:

  • Configure the values.yaml (certs for uds.dev and uds.admin.dev):

```yaml
enableRootDomain: true
rootDomainTLS:
  mode: SIMPLE                        # e.g., SIMPLE, MUTUAL, etc. default SIMPLE
  credentialName: ""                  # If set to a non-empty value, the chart will assume this secret already exists and will not auto-generate it using the provided cert data.
  supportTLSV1_2: true                # Set to false to enforce TLSV1_3 only
  cert: "<base64-encoded certificate>"
  key: "<base64-encoded private key>"
  cacert: "<base64-encoded CA certificate>"
```

  • modify the /etc/hosts file to include the ingress-gateway external IP: `<external-ip> uds.dev`
  • deploy slim-dev: `uds run slim-dev`
  • add a virtual service to the app-tenant manifest:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-tenant-app
  namespace: test-tenant-app
spec:
  hosts:
    - uds.dev
  gateways:
    - istio-tenant-gateway/tenant-gateway
  http:
    - match:
        - uri:
            prefix: /port8080
      name: route-8080
      rewrite:
        uri: /
      route:
        - destination:
            host: test-tenant-app
            port:
              number: 8080
    - match:
        - uri:
            prefix: /port8081
      name: route-8081
      rewrite:
        uri: /
      route:
        - destination:
            host: test-tenant-app
            port:
              number: 8081
```

  • build and deploy test apps: `uds zarf package create src/test --confirm --no-progress --skip-sbom && uds zarf package deploy build/zarf-package-uds-core-test-apps-*.zst --confirm --no-progress`
  • curl the uds.dev URL: `curl -vk https://uds.dev/port8080` and should receive a Hello from port 8080

Checklist before merging

@UnicornChance UnicornChance self-assigned this Mar 6, 2025
@UnicornChance UnicornChance linked an issue Mar 6, 2025 that may be closed by this pull request
@UnicornChance UnicornChance marked this pull request as ready for review March 6, 2025 18:23
@UnicornChance UnicornChance requested a review from a team as a code owner March 6, 2025 18:23
@UnicornChance UnicornChance enabled auto-merge (squash) March 11, 2025 15:43
@UnicornChance UnicornChance merged commit f64974c into main Mar 11, 2025
22 checks passed
@UnicornChance UnicornChance deleted the root-domain branch March 11, 2025 15:59
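
A pre-deploy check for the `rootDomainTLS` values described in this PR, as an added example that is not code from the PR or the project. The function names, the finding strings and the PEM-armor check are assumptions of this example; it verifies only that each value is base64-wrapped PEM of the expected kind, not that the certificate is valid for the domain.

```python
import base64
import re

# TLS modes defined by Istio's ServerTLSSettings API.
ISTIO_TLS_MODES = {"PASSTHROUGH", "SIMPLE", "MUTUAL", "AUTO_PASSTHROUGH",
                   "ISTIO_MUTUAL", "OPTIONAL_MUTUAL"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s+[A-Za-z0-9+/=\s]+-----END \1-----")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_label(b64_value):
    """Return the PEM label inside a base64-wrapped value, or None."""
    try:
        text = base64.b64decode(b64_value or "", validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    match = PEM_BLOCK.search(text)
    return match.group(1) if match else None


def lint_root_domain_tls(values):
    """Return findings ("error: ..." / "warn: ...") for the rootDomainTLS block."""
    if not values.get("enableRootDomain"):
        return []
    tls = values.get("rootDomainTLS") or {}
    findings = []
    mode = tls.get("mode", "SIMPLE")
    if mode not in ISTIO_TLS_MODES:
        findings.append(f"error: mode {mode!r} is not an Istio TLS mode")
    if tls.get("supportTLSV1_2"):
        findings.append("warn: TLS 1.2 accepted; supportTLSV1_2: false enforces 1.3 only")
    if tls.get("credentialName"):
        # Per the values comment, an existing secret is assumed and cert data is not used.
        if any(tls.get(f) for f in ("cert", "key", "cacert")):
            findings.append("warn: credentialName is set, inline cert data is not used")
        return findings
    expected = {"cert": {"CERTIFICATE"}, "key": KEY_LABELS}
    if tls.get("cacert") or mode in ("MUTUAL", "OPTIONAL_MUTUAL"):
        expected["cacert"] = {"CERTIFICATE"}  # client-cert modes need a CA bundle
    for field, labels in expected.items():
        if pem_label(tls.get(field)) not in labels:
            findings.append(f"error: {field} is missing or not base64-encoded PEM")
    return findings


def sample_pem(label):
    """Constructed stand-in for real material: PEM armor around dummy bytes."""
    pem = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    return base64.b64encode(pem.encode()).decode()
```

Pass it the parsed values as a dict, for example with `mode: MUTUAL` and no `cacert`, to see the missing CA bundle reported alongside the TLS 1.2 warning.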

Successfully merging this pull request may close these issues.

feat: Append DOMAIN to gateways