From 3034c7f391e8069e81343a496afb3193d9935bf1 Mon Sep 17 00:00:00 2001
From: ZhenYi <434836402@qq.com>
Date: Sun, 19 Apr 2026 22:35:31 +0800
Subject: [PATCH] feat(admin): add TLS support to ingress with cert-manager and manual secret options
---
 admin/deploy/templates/admin-ingress.yaml | 20 +++++++++++++++-----
 admin/deploy/values.yaml | 16 ++++++++++------
 2 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/admin/deploy/templates/admin-ingress.yaml b/admin/deploy/templates/admin-ingress.yaml
index 4e8cfd2..151ad35 100644
--- a/admin/deploy/templates/admin-ingress.yaml
+++ b/admin/deploy/templates/admin-ingress.yaml
@@ -2,6 +2,16 @@
 {{- $fullName := include "admin.fullname" . -}}
 {{- $ns := include "admin.namespace" . -}}
 {{- $hosts := .Values.admin.ingress.hosts | default list -}}
+{{- $tlsSecret := .Values.admin.ingress.tlsSecret | default "" -}}
+{{- $useCertManager := $.Values.certManager.enabled -}}
+{{- $secretName := "" -}}
+{{- if ne $tlsSecret "" -}}
+{{- $secretName = $tlsSecret -}}
+{{- else if $useCertManager -}}
+{{- $secretName = printf "%s-admin-tls" $fullName -}}
+{{- end -}}
+{{- $tlsEnabled := or $useCertManager (ne $tlsSecret "") -}}
+{{- $addCertManagerAnnotation := and $useCertManager (eq $tlsSecret "") -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -14,7 +24,7 @@ metadata:
 {{- if .Values.admin.ingress.annotations }}
 {{- toYaml .Values.admin.ingress.annotations | nindent 4 }}
 {{- end }}
- {{- if $.Values.certManager.enabled }}
+ {{- if and $addCertManagerAnnotation (not (hasKey (.Values.admin.ingress.annotations | default dict) "cert-manager.io/cluster-issuer")) }}
 cert-manager.io/cluster-issuer: {{ $.Values.certManager.clusterIssuerName }}
 {{- end }}
 nginx.ingress.kubernetes.io/proxy-body-size: "50m"
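Review bot: When `certManager.enabled` is false and `admin.ingress.tlsSecret` is empty, `$tlsEnabled` in the first hunk is false and the Ingress is rendered without any `tls:` block, so the admin UI would be published over plain HTTP with nothing in the template objecting. Because the same patch switches `admin.ingress.enabled` to `true` by default, I would fail the render in that case, e.g. `{{- if and $hosts (not $tlsEnabled) }}{{ fail "admin ingress needs admin.ingress.tlsSecret or certManager.enabled" }}{{- end }}`, or require an explicit opt-out value. The precedence rule (a manual `tlsSecret` wins over cert-manager issuance) also deserves a short `{{- /* ... */ -}}` comment above the `$secretName` assignment so the next maintainer does not have to derive it from three variables.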
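Review bot: A `cert-manager.io/cluster-issuer` key supplied through `admin.ingress.annotations` is still rendered by the `toYaml` line in the `@@ -14,7 +24,7 @@` hunk when `admin.ingress.tlsSecret` is set, because the new condition only suppresses the template's own copy of the annotation. In that combination cert-manager would presumably request a certificate into the secret named by `tlsSecret` and could replace the manually managed one; this should be confirmed and either documented next to `tlsSecret` in values.yaml or turned into a `fail`. The issuer value on the following context line is emitted unquoted; `{{ $.Values.certManager.clusterIssuerName | quote }}` keeps an empty or boolean-looking name from becoming a non-string annotation value.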
@@ -24,17 +34,17 @@ metadata:
 nginx.ingress.kubernetes.io/enable-websocket: "true"
 spec:
 ingressClassName: nginx
- {{- if and $hosts $.Values.certManager.enabled }}
+ {{- if and $hosts $tlsEnabled }}
 tls:
 {{- range $hosts }}
 - hosts:
- - {{ .host }}
- secretName: {{ $fullName }}-admin-tls
+ - {{ . | toString }}
+ secretName: {{ $secretName }}
 {{- end }}
 {{- end }}
 rules:
 {{- range $hosts }}
- - host: {{ .host }}
+ - host: {{ . | toString }}
 http:
 paths:
 - path: /
diff --git a/admin/deploy/values.yaml b/admin/deploy/values.yaml
index 82b8cec..8b4d6de 100644
--- a/admin/deploy/values.yaml
+++ b/admin/deploy/values.yaml
@@ -33,9 +33,13 @@ admin:
 port: 3000
 ingress:
- enabled: false
- hosts: [ ]
- annotations: { }
+ enabled: true
+ hosts:
+ - admin.gitdata.me
+ # tlsSecret: my-tls-secret # uncomment to use a pre-existing TLS secret (overrides cert-manager auto-issue)
+ annotations:
+ # cert-manager.io/cluster-issuer: cloudflare-acme-cluster-issuer # auto-set by template when certManager.enabled=true
+ kubernetes.io/ingress.class: nginx
 resources:
 requests:
@@ -71,8 +75,8 @@ admin:
 affinity: { }
 secrets:
- enabled: false
- databaseUrl: ""
- redisUrl: ""
+ enabled: true
+ databaseUrl: "postgresql://gitdataai:gitdataai123@cnpg-cluster-rw.cnpg:5432/gitdataai?sslmode=disable"
+ redisUrl: "redis://:redis123@valkey-cluster.valkey-cluster.svc.cluster.local:6379"
 nextAuthSecret: ""
 extra: { }
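Review bot: Every iteration of `range $hosts` in the `tls:` block emits its own entry with the same `secretName`, so a release with two hosts yields duplicate TLS entries pointing at one secret. cert-manager's Ingress handling is likely to reject repeated secret names, and a manual `tlsSecret` has to cover all hosts anyway, so a single entry listing every host is the safer shape (to be confirmed against the cert-manager version in use). The move from `.host` to `{{ . | toString }}` also changes the values schema without notice: an existing override written as `- host: example` would render as a Go map string, and the rendered host is unquoted. The indentation in the sketch below is assumed, since the hunk's original whitespace is not visible here.

```yaml
  {{- if and $hosts $tlsEnabled }}
  tls:
    - hosts:
        {{- range $hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ $secretName | quote }}
  {{- end }}
  # … unchanged: rules block, with `- host: {{ . | quote }}` …
```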
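Review bot: In the `@@ -33,9 +33,13 @@` hunk of values.yaml, `admin.ingress.enabled` now defaults to `true` with the concrete host `admin.gitdata.me`, so every install of the chart exposes the admin UI unless the operator remembers to switch it off. Chart defaults should stay `enabled: false` and `hosts: []`, with the environment-specific host kept in a per-environment values file. The added `kubernetes.io/ingress.class: nginx` annotation duplicates the `ingressClassName: nginx` the template already sets; the annotation is deprecated and some Kubernetes versions refuse an Ingress that carries both, so I would drop it. None of this follows from the commit subject, which suggests local test values were committed along with the TLS change.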
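Review bot: The new defaults for `databaseUrl` and `redisUrl` in the `@@ -71,8 +75,8 @@` hunk embed passwords in the chart, and the PostgreSQL URL sets `sslmode=disable`, so the connection is unencrypted. Anything committed here is readable by everyone with access to the repository or the packaged chart and remains in history, so these credentials should be treated as exposed and rotated. Keep the defaults as they were (`enabled: false`, `databaseUrl: ""`, `redisUrl: ""`) and supply the real values at install time from a secret store or an existing Kubernetes Secret. If the database supports TLS, prefer `sslmode=require` or stricter in whatever URL is injected.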