feat(admin): add TLS support to ingress with cert-manager and manual secret options

2026-04-19 22:35:31 +08:00 · 2026-04-19 22:35:31 +08:00 · 3034c7f391
commit 3034c7f391
parent e612043e5f
2 changed files with 25 additions and 11 deletions
--- a/admin/deploy/templates/admin-ingress.yaml
+++ b/admin/deploy/templates/admin-ingress.yaml
@ -2,6 +2,16 @@
 {{- $fullName := include "admin.fullname" . -}}
 {{- $ns := include "admin.namespace" . -}}
 {{- $hosts := .Values.admin.ingress.hosts | default list -}}
+{{- $tlsSecret := .Values.admin.ingress.tlsSecret | default "" -}}
+{{- $useCertManager := $.Values.certManager.enabled -}}
+{{- $secretName := "" -}}
+{{- if ne $tlsSecret "" -}}
+{{-   $secretName = $tlsSecret -}}
+{{- else if $useCertManager -}}
+{{-   $secretName = printf "%s-admin-tls" $fullName -}}
+{{- end -}}
+{{- $tlsEnabled := or $useCertManager (ne $tlsSecret "") -}}
+{{- $addCertManagerAnnotation := and $useCertManager (eq $tlsSecret "") -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@ -14,7 +24,7 @@ metadata:
    {{- if .Values.admin.ingress.annotations }}
    {{- toYaml .Values.admin.ingress.annotations | nindent 4 }}
    {{- end }}
-    {{- if $.Values.certManager.enabled }}
+    {{- if and $addCertManagerAnnotation (not (hasKey (.Values.admin.ingress.annotations | default dict) "cert-manager.io/cluster-issuer")) }}
    cert-manager.io/cluster-issuer: {{ $.Values.certManager.clusterIssuerName }}
    {{- end }}
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
@ -24,17 +34,17 @@ metadata:
    nginx.ingress.kubernetes.io/enable-websocket: "true"
 spec:
  ingressClassName: nginx
-  {{- if and $hosts $.Values.certManager.enabled }}
+  {{- if and $hosts $tlsEnabled }}
  tls:
    {{- range $hosts }}
    - hosts:
-        - {{ .host }}
-      secretName: {{ $fullName }}-admin-tls
+        - {{ . | toString }}
+      secretName: {{ $secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range $hosts }}
-    - host: {{ .host }}
+    - host: {{ . | toString }}
      http:
        paths:
          - path: /
--- a/admin/deploy/values.yaml
+++ b/admin/deploy/values.yaml
@ -33,9 +33,13 @@ admin:
    port: 3000

  ingress:
-    enabled: false
-    hosts: [ ]
-    annotations: { }
+    enabled: true
+    hosts:
+      - admin.gitdata.me
+    # tlsSecret: my-tls-secret   # uncomment to use a pre-existing TLS secret (overrides cert-manager auto-issue)
+    annotations:
+      # cert-manager.io/cluster-issuer: cloudflare-acme-cluster-issuer  # auto-set by template when certManager.enabled=true
+      kubernetes.io/ingress.class: nginx

  resources:
    requests:
@ -71,8 +75,8 @@ admin:
  affinity: { }

 secrets:
-  enabled: false
-  databaseUrl: ""
-  redisUrl: ""
+  enabled: true
+  databaseUrl: "postgresql://gitdataai:gitdataai123@cnpg-cluster-rw.cnpg:5432/gitdataai?sslmode=disable"
+  redisUrl: "redis://:redis123@valkey-cluster.valkey-cluster.svc.cluster.local:6379"
  nextAuthSecret: ""
  extra: { }