fix forward auth when using custom cert (#2479)

Co-authored-by: Vinicius D. Cerutti <[email protected]>

src/_nebari/stages/kubernetes_services/__init__.py

@@ -331,6 +331,7 @@ class KubernetesServicesInputVars(schema.Base):
     node_groups: Dict[str, Dict[str, str]]
     jupyterhub_logout_redirect_url: str = Field(alias="jupyterhub-logout-redirect-url")
     forwardauth_middleware_name: str = _forwardauth_middleware_name
+    cert_secret_name: Optional[str] = None
 
 
 def _split_docker_image_name(image_name):
@@ -491,6 +492,11 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
             realm_id=realm_id,
             node_groups=stage_outputs["stages/02-infrastructure"]["node_selectors"],
             jupyterhub_logout_redirect_url=final_logout_uri,
+            cert_secret_name=(
+                self.config.certificate.secret_name
+                if self.config.certificate.type == "existing"
+                else None
+            ),
         )
 
         conda_store_vars = CondaStoreInputVars(

src/_nebari/stages/kubernetes_services/template/forward-auth.tf

@@ -7,13 +7,19 @@ module "forwardauth" {
 
   node-group                  = var.node_groups.general
   forwardauth_middleware_name = var.forwardauth_middleware_name
+  cert_secret_name            = var.cert_secret_name
 }
 
 variable "forwardauth_middleware_name" {
   description = "Name of the traefik forward auth middleware"
   type        = string
 }
 
+variable "cert_secret_name" {
+  description = "Name of the secret containing the certificate"
+  type        = string
+}
+
 output "forward-auth-middleware" {
   description = "middleware name for use with forward auth"
   value       = module.forwardauth.forward-auth-middleware

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf

@@ -59,7 +59,19 @@ resource "kubernetes_deployment" "forwardauth-deployment" {
         node_selector = {
           "${var.node-group.key}" = var.node-group.value
         }
-
+        dynamic "volume" {
+          for_each = var.cert_secret_name == null ? [] : [1]
+          content {
+            name = "cert-volume"
+            secret {
+              secret_name = var.cert_secret_name
+              items {
+                key  = "tls.crt"
+                path = "tls.crt"
+              }
+            }
+          }
+        }
         container {
           # image = "thomseddon/traefik-forward-auth:2.2.0"
           # Use PR #159 https://github.com/thomseddon/traefik-forward-auth/pull/159
@@ -125,10 +137,26 @@ resource "kubernetes_deployment" "forwardauth-deployment" {
             value = var.external-url
           }
 
+          dynamic "env" {
+            for_each = var.cert_secret_name == null ? [] : [1]
+            content {
+              name  = "SSL_CERT_FILE"
+              value = "/config/tls.crt"
+            }
+          }
+
           port {
             container_port = 4181
           }
 
+          dynamic "volume_mount" {
+            for_each = var.cert_secret_name == null ? [] : [1]
+            content {
+              name       = "cert-volume"
+              mount_path = "/config"
+              read_only  = true
+            }
+          }
         }
 
       }

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf

@@ -31,3 +31,8 @@ variable "forwardauth_middleware_name" {
   description = "Name of the traefik forward auth middleware"
   type        = string
 }
+
+variable "cert_secret_name" {
+  description = "Name of the secret containing the certificate"
+  type        = string
+}