Support a subject alternate name on ingresses

[ryan-a-baker]

We have a globally replicated Harbor instance, and I'd love to front it all with DNS leveraging Geo-location.

Unfortunately, I'm unable to do this because the value for the ingress host is only a single entry. The helm chart should support multiple hosts so that dynamically generated certificates (such as Let's Encrypt) can have SANs.

[reasonerjt]

@ryan-a-baker
Per my understanding this is a highly customized deployment approach, I'm reluctant to merge it into master.
I suggest that we wait until there are enough use cases like yours before we merge it.

[ryan-a-baker]

I understand. This was something I did a while back and just now opening the PR for it. We can work around it for now. In the meantime, I'll add more testing results and context to the issue and the PR, as I did this all in a bit of a hurry.

[mothershipper]

I'd like to add a plus one to this -- we also have a globally replicated harbor deployment

[sspreitzer]

Adding my 👍 to this request. Seems trivial.

[cfiehe]

We are facing the same limitation. We have a new harbor deployment with a new hostname, but we have to be backward-compatible with the old hostname. The plan is that the old hostname becomes a CNAME for the new one. I have modified the ingress resource, so that ingress.hosts.core becomes a list instead of a single hostname:

{{- if eq .Values.expose.type "ingress" }}
{{- $ingress := .Values.expose.ingress -}}
{{- $tls := .Values.expose.tls -}}
{{- if eq .Values.expose.ingress.controller "gce" }}
  {{- $_ := set . "portal_path" "/*" -}}
  {{- $_ := set . "api_path" "/api/*" -}}
  {{- $_ := set . "service_path" "/service/*" -}}
  {{- $_ := set . "v2_path" "/v2/*" -}}
  {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}}
  {{- $_ := set . "controller_path" "/c/*" -}}
{{- else if eq .Values.expose.ingress.controller "ncp" }}
  {{- $_ := set . "portal_path" "/.*" -}}
  {{- $_ := set . "api_path" "/api/.*" -}}
  {{- $_ := set . "service_path" "/service/.*" -}}
  {{- $_ := set . "v2_path" "/v2/.*" -}}
  {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}}
  {{- $_ := set . "controller_path" "/c/.*" -}}
{{- else }}
  {{- $_ := set . "portal_path" "/" -}}
  {{- $_ := set . "api_path" "/api/" -}}
  {{- $_ := set . "service_path" "/service/" -}}
  {{- $_ := set . "v2_path" "/v2/" -}}
  {{- $_ := set . "chartrepo_path" "/chartrepo/" -}}
  {{- $_ := set . "controller_path" "/c/" -}}
{{- end }}

---
{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }}
apiVersion: extensions/v1beta1
{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: networking.k8s.io/v1
{{- end }}
kind: Ingress
metadata:
  name: "{{ template "harbor.ingress" . }}"
  labels:
{{ include "harbor.labels" . | indent 4 }}
{{- if $ingress.harbor.labels }}
{{ toYaml $ingress.harbor.labels | indent 4 }}
{{- end }}
  annotations:
{{ toYaml $ingress.annotations | indent 4 }}
{{- if .Values.internalTLS.enabled }}
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- end }}
{{- if eq .Values.expose.ingress.controller "ncp" }}
    ncp/use-regex: "true"
    {{- if $tls.enabled }}
    ncp/http-redirect: "true"
    {{- end }}
{{- end }}
{{- if $ingress.harbor.annotations }}
{{ toYaml $ingress.harbor.annotations | indent 4 }}
{{- end }}
spec:
  {{- if $ingress.className }}
  ingressClassName: {{ $ingress.className }}
  {{- end }}
  {{- if $tls.enabled }}
  tls:
  - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }}
    {{- if $ingress.hosts.core }}
    hosts:
    {{- range $ingress.hosts.core }}
    - {{ . | quote }}
    {{- end }}
  {{- end }}
  rules:
  {{- range $ingress.hosts.core }}
  - host: {{ . | quote }}
    http:
      paths:
{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" $) }}
      - path: {{ $.api_path }}
        backend:
          serviceName: {{ template "harbor.core" $ }}
          servicePort: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.service_path }}
        backend:
          serviceName: {{ template "harbor.core" $ }}
          servicePort: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.v2_path }}
        backend:
          serviceName: {{ template "harbor.core" $ }}
          servicePort: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.chartrepo_path }}
        backend:
          serviceName: {{ template "harbor.core" $ }}
          servicePort: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.controller_path }}
        backend:
          serviceName: {{ template "harbor.core" $ }}
          servicePort: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.portal_path }}
        backend:
          serviceName: {{ template "harbor.portal" $ }}
          servicePort: {{ template "harbor.portal.servicePort" $ }}
{{- else }}
      - path: {{ $.api_path }}
        pathType: Prefix
        backend:
          service:
            name: {{ template "harbor.core" $ }}
            port:
              number: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.service_path }}
        pathType: Prefix
        backend:
          service:
            name: {{ template "harbor.core" $ }}
            port:
              number: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.v2_path }}
        pathType: Prefix
        backend:
          service:
            name: {{ template "harbor.core" $ }}
            port:
              number: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.chartrepo_path }}
        pathType: Prefix
        backend:
          service:
            name: {{ template "harbor.core" $ }}
            port:
              number: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.controller_path }}
        pathType: Prefix
        backend:
          service:
            name: {{ template "harbor.core" $ }}
            port:
              number: {{ template "harbor.core.servicePort" $ }}
      - path: {{ $.portal_path }}
        pathType: Prefix
        backend:
          service:
            name: {{ template "harbor.portal" $ }}
            port:
              number: {{ template "harbor.portal.servicePort" $ }}
  {{- end }}
{{- end }}
{{- end }}
{{- end }}

[fretb]

Hi everyone

We are facing the same limitation here. Supporting multiple hosts for the core ingress seems like good practice. Adding my 👍 here.

[xanderpetit01]

Adding my 👍 to this request as well.

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.