DoD-Platform-One / bigbang

BigBang the product
https://repo1.dso.mil/big-bang/bigbang
Apache License 2.0

Expose Istio Gateway TLS Credential Name #18

Closed p1-repo-sync-bot[bot] closed 9 months ago

p1-repo-sync-bot[bot] commented 9 months ago

Feature Request

Hello! Is it possible to expose the istio gateways.tls.credentialName value as an abstracted value?

Why

Currently Big Bang exposes the Istio gateway tls values as:

gateways:
    <name>:
      ingressGateway: <selector>
      hosts:
        - <hosts>
      tls:
        key: <gateway-key>
        cert: <gateway-cert>

This is a bit un-ideal if you want to pass a secret, say one generated by cert-manager, directly to gateway.tls.credentialName. To do that, you have to use the pass through method, which can start muddying the values file if you still need the abstracted gateway block as well. It's also not good practice to take the data from the custom secret and pass it to the tls.key and tls.cert fields, because another secret will just be generated by Big Bang with that data and passed to the .credentialName. So now there are 2 secrets with the same data, and in the case of cert-manager, this potentially makes the automatic rotation more complicated.

Proposed Solution

Add credentialName to exposed values like so:

gateways:
    <name>:
      ingressGateway: <selector>
      hosts:
        - <hosts>
      tls:
        key: <gateway-key>
        cert: <gateway-cert>
        credentialName: <name of tls secret>

Then, in https://repo1.dso.mil/big-bang/bigbang/-/blob/master/chart/templates/istio/values.yaml on lines 122 and 139 (credentialName: {{ $index }}-{{ $name }}-cert and credentialName: {{ $name }}-cert), add a condition to check if $servervalues has credentialName and use that if found. There shouldn't be a need to edit https://repo1.dso.mil/big-bang/bigbang/-/blob/master/chart/templates/istio/secret-tls.yaml since this shouldn't get generated if the user does not pass tls.key and tls.cert.
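
The configuration the request is aiming for, as an added example that is not part of the original issue or of Big Bang's own code: a cert-manager Certificate writes the TLS secret, and the gateway block points at it through the proposed `credentialName` key, so no key material appears in the values file and only one secret exists to rotate. The resource names, hostname, issuer and the `istio-system` namespace are constructed assumptions; `tls.credentialName` is the key proposed above, not one confirmed to exist in the chart.

```yaml
# Constructed example. cert-manager issues and renews the certificate and
# stores it in the secret named by spec.secretName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: public-gateway-cert          # hypothetical name
  # Istio resolves a Gateway's credentialName against secrets in the
  # namespace of the ingress gateway workload (assumed: istio-system).
  namespace: istio-system
spec:
  secretName: public-gateway-tls     # the secret the gateway will reference
  dnsNames:
    - "*.example.test"               # constructed hostname
  issuerRef:
    name: example-issuer             # hypothetical ClusterIssuer
    kind: ClusterIssuer
---
# Values using the key proposed in this issue. tls.key and tls.cert are
# omitted, so per the issue text secret-tls.yaml should not generate a
# second secret holding the same key pair.
gateways:
  public:                            # hypothetical gateway name
    ingressGateway: public-ingressgateway
    hosts:
      - "*.example.test"
    tls:
      credentialName: public-gateway-tls   # must match spec.secretName above
```

With this layout the private key exists only in the cert-manager-managed secret, so a renewal replaces the one copy the gateway reads rather than leaving a stale duplicate behind.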

p1-repo-sync-bot[bot] commented 9 months ago

Issue 'Expose Istio Gateway TLS Credential Name' closed from GitLab side

p1-repo-sync-bot[bot] commented 9 months ago

bb8-bot commented:

@tholaday this issue has been closed due to the label ~delete-me.