diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md
index ef52bc6d1..416469356 100644
--- a/docs/reference/configuration/ingress.md
+++ b/docs/reference/configuration/ingress.md
@@ -99,3 +99,32 @@ variables:
 :::note
 If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/reference/configuration/uds-operator/#trusted-certificate-authority).
 :::
+
+#### Configuring TLS from a Secret
+
+As an alternative to specifying individual certificate, key, and CA certificate values, you can set `tls.credentialName` in the gateway configuration. This field specifies the name of a Kubernetes secret containing the TLS certificate, key, and optional CA certificate for the gateway. When `tls.credentialName` is set, it will override `tls.cert`, `tls.key`, and `tls.cacert` values, simplifying the configuration by allowing a direct reference to a Kubernetes TLS secret. This secret should be placed in the same namespace as the gateway resource. See [Gateway ServerTLSSettings](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings) for all required and available secret keys.
+
+This approach is useful if you already have a Kubernetes secret that holds the necessary TLS data and want to use it directly.
+
+```yaml
+kind: UDSBundle
+metadata:
+ name: core-with-credentialName
+ description: A UDS example bundle for packaging UDS core with a custom TLS credentialName
+ version: "0.0.1"
+
+packages:
+ - name: core
+ repository: oci://ghcr.io/defenseunicorns/packages/uds/core
+ ref: 0.23.0-upstream
+ overrides:
+ istio-admin-gateway:
+ uds-istio-config:
+ values:
+ - path: tls.credentialName
+ value: admin-gateway-tls-secret # Reference to the Kubernetes secret for the admin gateway's TLS certificate
+ istio-tenant-gateway:
+ uds-istio-config:
+ values:
+ - path: tls.credentialName
+ value: tenant-gateway-tls-secret # Reference to the Kubernetes secret for the tenant gateway's TLS certificate
diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index c14e81a74..3bcfdb040 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml @@ -34,7 +34,7 @@ spec: tls: mode: {{ $server.mode }} {{- if ne $server.mode "PASSTHROUGH" }} - credentialName: gateway-tls + credentialName: {{ $.Values.tls.credentialName | default "gateway-tls" | quote }} # if supportTLSV1_2 is both defined and true, use TLSV1_2, otherwise use TLSV1_3 minProtocolVersion: {{ if $.Values.tls.supportTLSV1_2 }}TLSV1_2{{ else }}TLSV1_3{{ end }} {{- end }} diff --git a/src/istio/chart/templates/tls-cert.yaml b/src/istio/chart/templates/tls-cert.yaml index 0fd4f0314..0c22dddee 100644 --- a/src/istio/chart/templates/tls-cert.yaml +++ b/src/istio/chart/templates/tls-cert.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial {{- $tls := .Values.tls }} -{{ if $tls.cert }} +{{ if and $tls.cert (not $tls.credentialName) }} apiVersion: v1 kind: Secret metadata: diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml index a399181c4..bf23ff6ff 100644 --- a/src/istio/chart/values.yaml +++ b/src/istio/chart/values.yaml @@ -17,6 +17,9 @@ domain: "###ZARF_VAR_DOMAIN###" # # The CA certificate for the gateway when using `MUTUAL' or 'OPTIONAL_MUTUAL' (base64 encoded) # cacert: "" +# # The name of the secret containing the TLS certificate to use for this gateway, this will override cert, key and cacert +# credentialName: "" + # # Map of gateway server entries # servers: # # Name of the gateway port to use for TLS, this is effectively a "list" in map form
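Review bot: The new `credentialName` line reads a single chart-wide value inside what looks like a per-server loop (`$server.mode` is used on the line above it), so every non-PASSTHROUGH server on this gateway is bound to the same Secret, and for `MUTUAL`/`OPTIONAL_MUTUAL` servers that Secret must also carry the CA material — nothing in the template checks that the referenced Secret exists in the gateway's namespace or holds the keys the mode needs, and Istio presumably leaves the listener without a usable certificate until it does. A comment on the line would make that contract visible to whoever sets the value: `# Secret must already exist in this gateway's namespace; when tls.credentialName is unset the chart-managed gateway-tls Secret from tls-cert.yaml is used`. The surrounding server block starts before and ends after this hunk.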
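Review bot: The new guard means a user who sets `tls.credentialName: gateway-tls` (the same name the chart gives its own Secret, and the default the gateway template now falls back to) stops the chart from rendering that Secret, so Helm would drop it on the next upgrade while the Gateway still references it. A fail-fast check just above the condition avoids that outage: `{{- if eq (default "" $tls.credentialName) "gateway-tls" }}{{ fail "tls.credentialName must not reuse the chart-managed Secret name gateway-tls" }}{{- end }}`. It is also worth a comment that when `credentialName` is set any `cert`/`key`/`cacert` values are silently ignored rather than rejected, so stale key material left in values goes unnoticed. The Secret body this condition wraps continues past the hunk.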
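Review bot: The added comment says `credentialName` overrides cert, key and cacert but omits the two things an operator needs to know before setting it: the Secret must already exist in the gateway's namespace (the chart does not create it), and setting the value stops the chart from rendering its own `gateway-tls` Secret. Suggested wording for the two added lines: `# # Name of an existing Secret in this gateway's namespace holding the TLS cert, key and (for MUTUAL modes) cacert; when set, cert/key/cacert below are ignored and the chart no longer creates its own gateway-tls Secret` followed by `# credentialName: ""`.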