diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl
index 6043b02b2..95f74098d 100644
--- a/charts/kong/templates/_helpers.tpl
+++ b/charts/kong/templates/_helpers.tpl
@@ -441,6 +441,7 @@ The name of the Service which will be used by the controller to update the Ingre
 {{- if .Values.ingressController.gatewayDiscovery.enabled -}}
 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (printf "%s/%s-%s" (include "kong.namespace" .) (include "kong.fullname" .) "admin") -}}
+ {{- $_ := set $autoEnv "CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY" "pod" -}}
 {{- else -}}
 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
 {{- end -}}
@@ -641,6 +642,13 @@ The name of the Service which will be used by the controller to update the Ingre
 - name: admin-client-ca
 configMap:
 name: {{ template "kong.fullname" . }}-admin-client-ca
+{{- else if (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) }}
+- name: admin-client-ca
+ secret:
+ secretName: {{ template "adminApiService.caSecretName" . }}
+ items:
+ - key: tls.crt
+ path: tls.crt
 {{- end -}}
 {{- range $secretVolume := .Values.secretVolumes }}
 - name: {{ . }}
@@ -710,7 +718,7 @@ The name of the Service which will be used by the controller to update the Ingre
 mountPath: /kong_dbless/
 {{- end }}
 {{- end }}
-{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
+{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) }}
 - name: admin-client-ca
 mountPath: /etc/admin-client-ca/
 readOnly: true
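Review bot: The DNS strategy added on the new `{{- $_ := set $autoEnv "CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY" "pod" -}}` line is hard-coded, with no values.yaml key to choose another strategy, and nothing in the diff records why `pod` is the right default. Consider reading it from a value with `pod` as the fallback, e.g. `{{- $_ := set $autoEnv "CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY" (default "pod" .Values.ingressController.gatewayDiscovery.dnsStrategy) -}}` (key name illustrative), with a one-line comment above it stating what the strategy changes about how the controller reaches the gateway. If the controller verifies the admin API's TLS certificate, per-pod addressing presumably requires that certificate to be valid for the names the controller resolves, which is worth confirming and documenting next to the line. The enclosing define starts and ends outside the hunk.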
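Review bot: The same enablement test, `(and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided))`, is spelled out in the new `else if` of this hunk and again in the volume-mount condition at @@ -710 and the `KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT` condition at @@ -867; three copies of a long boolean are easy to let drift, and a mismatch between volume and mount breaks rendering while a mismatch between mount and listener setting silently leaves client verification off. A small named template that returns the condition (e.g. `kong.adminApi.useGeneratedClientCA`, name illustrative) used in all three places would keep them in lockstep. Projecting only the `tls.crt` item of the CA secret is the right choice, since the listener setting at @@ -867 only needs the certificate and the CA's private key should not land in the gateway pod; a comment above `items:` such as `# only the CA certificate is needed for client verification; never project tls.key` would make that intent survive future edits. The enclosing define starts and ends outside the hunk.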
@@ -867,7 +875,7 @@ the template that it itself is using form the above sections.
 {{- $_ := set $listenConfig "address" (default $address .address) -}}
 {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
- {{- if or .tls.client.secretName .tls.client.caBundle -}}
+ {{- if or .tls.client.secretName .tls.client.caBundle (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) -}}
 {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
 {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
 {{- end -}}
diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
index 8097ea580..9e9e30177 100644
--- a/charts/kong/values.yaml
+++ b/charts/kong/values.yaml
@@ -182,6 +182,9 @@ admin:
 # - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
 # - caBundle (PEM-encoded certificate string).
 # If both are set, caBundle takes precedence.
+ # If neither are set, and the controller uses generated client certificates
+ # (ingressController.adminApi.tls.client.enabled=true and ingressController.adminApi.tls.client.certProvided=false),
+ # the chart will use the generated certificate's CA for the Kong admin API client:
 caBundle: ""
 secretName: ""
@@ -718,7 +721,7 @@ ingressController:
 tls:
 client:
 # Enable TLS client authentication for the Admin API.
- enabled: false
+ enabled: true
 # If set to false, Helm will generate certificates for you.
 # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
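Review bot: The new condition turns on `KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT` only when `certProvided` is false, so an operator who sets `ingressController.adminApi.tls.client.enabled=true` together with `certProvided=true` gets a controller that presents a certificate from their own secret while the admin listener still accepts clients without one, unless `admin.tls.client.secretName` or `caBundle` is also set. If that is deliberate (the user-supplied CA is expected to be wired through `admin.tls.client.secretName`), the values.yaml comment on `certProvided` should say so explicitly; otherwise, and if `adminApiService.caSecretName` resolves to the user-supplied CA secret when `certProvided` is true, the `(not ...certProvided)` clause could be dropped here and in the matching conditions at @@ -641 and @@ -710 so verification is enforced in both cases. The enclosing define starts and ends outside the hunk.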
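Review bot: Flipping the default of `ingressController.adminApi.tls.client.enabled` to `true` changes behaviour for every existing install that does not pin the key: with the helper changes in this commit the admin listener is configured with `ssl_verify_client on` against the chart-generated CA, so any other client of the admin API (tooling, scripts, a second controller) that worked before the upgrade will presumably be rejected afterwards. That is sound hardening, but it should be called out as a breaking change in the chart changelog and README and reflected in the chart version, none of which is visible in this diff. The comment block added at @@ -182 also reads slightly off, since the generated CA is used to verify the controller's client certificate rather than `for the Kong admin API client`; suggest `# the chart mounts the generated CA so the admin API verifies the controller's client certificate:`.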