Merged
29 commits
9a50525
updated probe values
Nick-Andreano Jan 7, 2026
346a379
removed path from livenessProbe
Nick-Andreano Jan 7, 2026
e199619
Merge pull request #38 from Nick-Andreano/readinessProbe
Nick-Andreano Jan 8, 2026
7afe4e5
updated startup probe and ingress documentation
Nick-Andreano Jan 28, 2026
656537e
Merge pull request #39 from Nick-Andreano/main
Nick-Andreano Jan 29, 2026
00db956
Removed repository value
Nick-Andreano Feb 16, 2026
514b636
removed serviceAccoutnName
Nick-Andreano Mar 2, 2026
72c3eb6
updated test
Nick-Andreano Mar 2, 2026
d1d6e23
updated values
Nick-Andreano Mar 3, 2026
e3bf915
updated values
Nick-Andreano Mar 3, 2026
950dc40
removed nginx
Nick-Andreano Mar 3, 2026
56e4f76
updated ingress docs
Nick-Andreano Mar 6, 2026
c772fd4
added serviceAccount.Name
Nick-Andreano Mar 6, 2026
54de697
haproxy and traefik
Nick-Andreano Mar 9, 2026
64a0288
Merge pull request #40 from Nick-Andreano/removeRepo
Nick-Andreano Mar 10, 2026
80f0ee5
contour ignress
Nick-Andreano Mar 10, 2026
10f8344
ignress.md updates
Nick-Andreano Mar 10, 2026
7c3f306
ignress.md updates
Nick-Andreano Mar 10, 2026
30f49b4
ignress.md updates
Nick-Andreano Mar 10, 2026
edb9316
ignress.md updates
Nick-Andreano Mar 10, 2026
2d2cc85
ignress.md updates
Nick-Andreano Mar 11, 2026
42ec221
ignress.md updates
Nick-Andreano Mar 11, 2026
5e787b8
removed values file
Nick-Andreano Mar 11, 2026
ba9a771
changed order
Nick-Andreano Mar 11, 2026
386dcca
removed Contour
Nick-Andreano Mar 13, 2026
6b0a759
Merge pull request #41 from Nick-Andreano/ingress
Nick-Andreano Mar 13, 2026
de5fd38
Updated tls settings for ingress and dnsNames for certificates
Nick-Andreano Mar 20, 2026
55d7ecf
moved tls logic block to top of ingress
Nick-Andreano Mar 24, 2026
664ccf3
Merge pull request #43 from Nick-Andreano/ingress
Nick-Andreano Mar 24, 2026
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -191,6 +191,7 @@ understand.
| processExporter.port | int | `9256` | Process exporter metrics port |
| replicaCount | int | `2` | The number of pods to start |
| securityContext | object | `{}` | Additional security context |
| serviceAccount.name | string | `""` | The name of the service account to assign to the StatefulSet pods. When set, the pod will use this service account for RBAC and IAM role bindings (e.g. IRSA on AWS). When left empty, Kubernetes will use the default service account in the namespace. |
| service.name | string | `"iap-service"` | The name of this Kubernetes service object. |
| service.port | int | `443` | The port that this service object is listening on. |
| service.type | string | `"ClusterIP"` | The service type. |
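Review bot: The new `serviceAccount.name` row does not say whether the chart creates the account, and the `_helpers.tpl` change in this PR removes the helper that read `serviceAccount.create`. State in the description that the named service account must already exist in the release namespace, since a pod that references a missing service account is rejected at creation. The row is also inserted ahead of the `service.*` rows, which breaks the otherwise alphabetical order of the table.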
2 changes: 1 addition & 1 deletion charts/iap/Chart.yaml
Expand Up @@ -10,7 +10,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.9.0
version: 1.9.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
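Review bot: 1.9.1 is a patch bump, but this PR changes how `certificate.dnsNames` is interpreted (the NOTES.txt notice tells upgraders to clear it) and adds the `serviceAccount.name` value and auto-generated ingress TLS hosts. Under the Semantic Versioning rule cited in the comment above the field, that is at least a minor bump (1.10.0), which also gives operators a signal to read the upgrade notice before rolling out.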
8 changes: 8 additions & 0 deletions charts/iap/templates/NOTES.txt
Expand Up @@ -28,6 +28,14 @@ The following environment variables are configured to override the defaults:
{{ $key }}: {{ $value | quote }}
{{- end }}

{{- if and .Values.certificate.enabled .Values.certificate.dnsNames }}
⚠ NOTICE: certificate.dnsNames is set and non-empty. The chart will use exactly
those entries as certificate SANs — per-replica DNS names will NOT be
auto-generated. If you are upgrading from a previous version and had
certificate.dnsNames set to the old chart default (e.g. [iap.example.com]),
clear it (set to []) to restore auto-generation of per-replica SANs.
{{- end }}

For more information consult the Itential documentation:
https://docs.itential.com/docs/about-itential-platform-6-feature-release
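Review bot: The notice is only printed after `helm install` or `helm upgrade` has completed, so by the time an operator reads it the Certificate resource has already been applied without per-replica SANs. Repeat the warning in the README or upgrade notes so it can be acted on before upgrading. Separately, the `{{- if` on the first added line trims the blank line above it, so the notice renders directly under the last environment variable entry; add an empty line inside the block before the notice text to keep it visually separate.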

27 changes: 16 additions & 11 deletions charts/iap/templates/_helpers.tpl
Expand Up @@ -52,17 +52,6 @@ app.kubernetes.io/name: {{ include "iap.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "iap.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "iap.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Common annotations.
*/}}
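Review bot: Removing `iap.serviceAccountName` also removes the only visible handling of `serviceAccount.create`. Check that no other template still calls `include "iap.serviceAccountName"`, which would now fail at render time, and that `serviceAccount.create` is dropped from values.yaml and the README so users do not set a value that is silently ignored.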
Expand All @@ -83,3 +72,19 @@ Direct host names
{{- printf "%s-%s-%d.%s" (include "iap.fullname" .) .Release.Namespace $iterator .Values.ingress.directAccess.baseDomain -}}
{{- end -}}
{{- end }}

{{/*
Generate the full list of TLS hostnames for the ingress spec.
Includes the load balancer hostname and one entry per replica for direct access.
Rendered as a YAML list of quoted strings, suitable for use with nindent.
*/}}
{{- define "iap.ingressTLSHosts" -}}
{{- if .Values.ingress.loadBalancer.enabled }}
- {{ .Values.ingress.loadBalancer.host | quote }}
{{- end }}
{{- if .Values.ingress.directAccess.enabled }}
{{- range $i := until (.Values.replicaCount | int) }}
- {{ include "iap.DirectAccessHost" (dict "Values" $.Values "Release" $.Release "Chart" $.Chart "Template" $.Template "iterator" $i) | quote }}
{{- end }}
{{- end }}
{{- end }}
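Review bot: `iap.ingressTLSHosts` renders an empty string when both `ingress.loadBalancer.enabled` and `ingress.directAccess.enabled` are false, and the caller in ingress.yaml then emits `- hosts:` with no entries. Either `fail` with a clear message in that case or have the caller omit the `hosts` key. The per-replica entries are also derived from `replicaCount` at render time, so it is worth noting in the helper comment that scaling the StatefulSet outside Helm leaves new replicas without a TLS host entry.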
11 changes: 9 additions & 2 deletions charts/iap/templates/certificate.yaml
Expand Up @@ -25,11 +25,18 @@ spec:
duration: {{ .Values.certificate.duration }}
commonName: {{ .Values.certificate.commonName | quote }}
dnsNames:
- {{ .Values.certificate.commonName | quote -}}
{{/* This will add DNS names for each of the pods for direct access */}}
{{- if .Values.certificate.dnsNames }}
{{/* Manual override — use exactly what the user provided */}}
{{- range .Values.certificate.dnsNames }}
- {{ . | quote }}
{{- end }}
{{- else }}
{{/* Auto-generate: commonName + one entry per replica for direct pod access */}}
- {{ .Values.certificate.commonName | quote }}
{{- range $i := until (.Values.replicaCount | int) }}
- {{ printf "%s-%s-%d.%s" (include "iap.fullname" $) $.Release.Namespace $i $.Values.certificate.domain | quote }}
{{- end }}
{{- end }}
{{- if or .Values.certificate.ipAddresses .Values.certificate.includeServiceIPs }}
ipAddresses:
{{- range .Values.certificate.ipAddresses }}
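Review bot: In the manual-override branch `certificate.commonName` is no longer added to `dnsNames`, so a user list that omits it produces a certificate whose CN has no matching SAN, and clients that validate only against SANs will reject connections to the CN hostname. Either always emit commonName first and de-duplicate the list (for example with `uniq`), or document that a manual list must include it.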
19 changes: 17 additions & 2 deletions charts/iap/templates/ingress.yaml
@@ -1,4 +1,15 @@
{{- if .Values.ingress.enabled -}}
{{/* Build a list of TLS entries */}}
{{- $tlsList := list -}}
{{- if .Values.ingress.tls -}}
{{- if kindIs "slice" .Values.ingress.tls -}}
{{- range .Values.ingress.tls -}}
{{- $tlsList = append $tlsList (dict "secretName" .secretName "hosts" (.hosts | default list)) -}}
{{- end -}}
{{- else -}}
{{- $tlsList = append $tlsList (dict "secretName" .Values.ingress.tls.secretName "hosts" (.Values.ingress.tls.hosts | default list)) -}}
{{- end -}}
{{- end -}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
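Review bot: The `else` branch treats every non-slice value of `ingress.tls` as a map, so a string or boolean value fails on `.Values.ingress.tls.secretName` with an unhelpful template error, and neither branch checks that `secretName` is set. Guard the branch with `kindIs "map"` and `fail` otherwise, and wrap `secretName` in `required` so a TLS entry cannot render with an empty secret reference.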
Expand All @@ -17,13 +28,17 @@ spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
{{- if $tlsList }}
tls:
{{- range .Values.ingress.tls }}
{{- range $tlsList }}
- hosts:
{{- if .hosts }}
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
{{- else }}
{{- include "iap.ingressTLSHosts" $ | trim | nindent 8 }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
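Review bot: When `.hosts` is empty the entry falls back to `iap.ingressTLSHosts`, which builds per-replica names from `ingress.directAccess.baseDomain`, while the auto-generated SANs in certificate.yaml use `certificate.domain`. If the two values differ, the ingress advertises TLS hosts that the certificate in `secretName` does not cover (assuming that secret is the one issued by the chart's Certificate). Use a single source for the domain or document that the two must match. `secretName: {{ .secretName }}` is also emitted unquoted, unlike the host entries; add `| quote`.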
2 changes: 1 addition & 1 deletion charts/iap/templates/statefulset.yaml
Expand Up @@ -41,7 +41,7 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: ""
serviceAccountName: {{ .Values.serviceAccount.name | default "" | quote }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.hostAliases }}
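Review bot: The new `serviceAccountName` line dereferences `.Values.serviceAccount` directly, and no values.yaml change is visible in this diff, so confirm the default values define the `serviceAccount` key or rendering fails with a nil pointer error when it is absent. With no name set the line still renders `serviceAccountName: ""`; wrapping it in `{{- with .Values.serviceAccount.name }}` would omit the field instead. Since an empty name means the pods run as the namespace default service account, consider exposing `automountServiceAccountToken` as a value so the token can be left unmounted when the workload does not need API access.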
81 changes: 81 additions & 0 deletions charts/iap/tests/certificate_test.yaml
Expand Up @@ -247,6 +247,87 @@ tests:
- exists:
path: metadata.annotations["helm.sh/template-file"]

## dnsNames — auto vs manual
- it: should auto-generate dnsNames when dnsNames is empty
set:
certificate.enabled: true
certificate.issuerRef.name: "test-issuer"
certificate.issuerRef.kind: "ClusterIssuer"
certificate.commonName: "iap.example.com"
certificate.domain: "example.com"
certificate.renewBefore: "720h"
certificate.duration: "2160h"
certificate.dnsNames: []
replicaCount: 2
asserts:
- lengthEqual:
path: spec.dnsNames
count: 3 # commonName + 2 per-replica
- contains:
path: spec.dnsNames
content: "iap.example.com"
- matchRegex:
path: spec.dnsNames[1]
pattern: ".*-NAMESPACE-0\\.example.com"
- matchRegex:
path: spec.dnsNames[2]
pattern: ".*-NAMESPACE-1\\.example.com"

- it: should use manual dnsNames overriding auto-generation
set:
certificate.enabled: true
certificate.issuerRef.name: "test-issuer"
certificate.issuerRef.kind: "ClusterIssuer"
certificate.commonName: "iap.example.com"
certificate.domain: "example.com"
certificate.renewBefore: "720h"
certificate.duration: "2160h"
certificate.dnsNames:
- iap.example.com
- cdn.example.com
- "*.example.com"
replicaCount: 3
asserts:
- lengthEqual:
path: spec.dnsNames
count: 3 # only the manually provided entries
- contains:
path: spec.dnsNames
content: "iap.example.com"
- contains:
path: spec.dnsNames
content: "cdn.example.com"
- contains:
path: spec.dnsNames
content: "*.example.com"
- notMatchRegex:
path: spec.dnsNames[0]
pattern: ".*-NAMESPACE-.*"

- it: should not include per-replica names when dnsNames is manually set
set:
certificate.enabled: true
certificate.issuerRef.name: "test-issuer"
certificate.issuerRef.kind: "ClusterIssuer"
certificate.commonName: "iap.example.com"
certificate.domain: "example.com"
certificate.renewBefore: "720h"
certificate.duration: "2160h"
certificate.dnsNames:
- iap.example.com
- iap-prod-0.example.com
replicaCount: 5
asserts:
- lengthEqual:
path: spec.dnsNames
count: 2 # only what the user specified — replicaCount has no effect
- contains:
path: spec.dnsNames
content: "iap.example.com"
- contains:
path: spec.dnsNames
content: "iap-prod-0.example.com"

- it: should render custom annotations
set:
certificate.enabled: true
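Review bot: The patterns `.*-NAMESPACE-0\\.example.com` and `.*-NAMESPACE-1\\.example.com` escape only the first dot and are unanchored, so they also accept names in which `example.com` is altered or followed by other characters; anchor them with `^` and `$` and escape the second dot. In the manual-override tests `notMatchRegex` is applied to `spec.dnsNames[0]` only, so the absence of per-replica names rests on `lengthEqual`; an `equal` assertion on the whole `spec.dnsNames` list would pin the exact SAN set. No test covers a manual list that omits `certificate.commonName`.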