This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git
The following commit(s) were added to refs/heads/main by this push:
new 42a5bb7 Make new TLSTermination option, with or w/o secret (#452)
42a5bb7 is described below
commit 42a5bb751afdef90675f8cf2eb4e7ea63ccaa7eb
Author: Houston Putman <[email protected]>
AuthorDate: Wed Jul 20 12:33:12 2022 -0400
Make new TLSTermination option, with or w/o secret (#452)
New option is "spec.solrAddressability.external.ingressTLSTermination"
---
api/v1beta1/solrcloud_types.go | 80 ++++++++++++++++++---
api/v1beta1/solrcloud_with_defaults_test.go | 81 +++++++++++++++++++---
api/v1beta1/suite_test.go | 32 +++++++++
api/v1beta1/zz_generated.deepcopy.go | 20 ++++++
config/crd/bases/solr.apache.org_solrclouds.yaml | 13 +++-
controllers/solrcloud_controller.go | 2 +-
controllers/solrcloud_controller_backup_test.go | 2 +-
.../solrcloud_controller_basic_auth_test.go | 2 +-
.../solrcloud_controller_externaldns_test.go | 2 +-
controllers/solrcloud_controller_ingress_test.go | 2 +-
controllers/solrcloud_controller_storage_test.go | 2 +-
controllers/solrcloud_controller_test.go | 2 +-
controllers/solrcloud_controller_tls_test.go | 33 ++++++++-
controllers/solrcloud_controller_zk_test.go | 2 +-
controllers/suite_test.go | 5 +-
controllers/util/solr_util.go | 13 ++--
docs/README.md | 1 +
docs/solr-cloud/solr-cloud-crd.md | 20 ++++--
docs/upgrade-notes.md | 4 ++
helm/solr-operator/Chart.yaml | 11 +++
helm/solr-operator/crds/crds.yaml | 13 +++-
helm/solr/README.md | 5 +-
helm/solr/values.yaml | 4 +-
23 files changed, 302 insertions(+), 49 deletions(-)
diff --git a/api/v1beta1/solrcloud_types.go b/api/v1beta1/solrcloud_types.go
index dd2344d..95fde5a 100644
--- a/api/v1beta1/solrcloud_types.go
+++ b/api/v1beta1/solrcloud_types.go
@@ -19,6 +19,7 @@ package v1beta1
import (
"fmt"
+ "github.com/go-logr/logr"
"strconv"
"strings"
@@ -139,7 +140,7 @@ type SolrCloudSpec struct {
AdditionalLibs []string `json:"additionalLibs,omitempty"`
}
-func (spec *SolrCloudSpec) withDefaults() (changed bool) {
+func (spec *SolrCloudSpec) withDefaults(logger logr.Logger) (changed bool) {
if spec.Replicas == nil {
changed = true
r := DefaultSolrReplicas
@@ -166,7 +167,7 @@ func (spec *SolrCloudSpec) withDefaults() (changed bool) {
spec.SolrGCTune = DefaultSolrGCTune
}
- changed = spec.SolrAddressability.withDefaults(spec.SolrTLS != nil) ||
changed
+ changed = spec.SolrAddressability.withDefaults(spec.SolrTLS != nil,
logger) || changed
changed = spec.UpdateStrategy.withDefaults() || changed
@@ -467,9 +468,9 @@ type SolrAddressabilityOptions struct {
KubeDomain string `json:"kubeDomain,omitempty"`
}
-func (opts *SolrAddressabilityOptions) withDefaults(usesTLS bool) (changed
bool) {
+func (opts *SolrAddressabilityOptions) withDefaults(usesTLS bool, logger
logr.Logger) (changed bool) {
if opts.External != nil {
- changed = opts.External.withDefaults(usesTLS)
+ changed = opts.External.withDefaults(usesTLS, logger)
}
if opts.PodPort == 0 {
changed = true
@@ -554,11 +555,23 @@ type ExternalAddressability struct {
//
// When using this option, the UseExternalAddress option will be
disabled, since Solr cannot be running in HTTP mode and making internal
requests in HTTPS.
//
+ // DEPRECATED: Use ingressTLSTermination.tlsSecret instead
+ //
// +optional
IngressTLSTerminationSecret string
`json:"ingressTLSTerminationSecret,omitempty"`
+
+ // IngressTLSTermination tells the SolrCloud Ingress to terminate TLS
on incoming connections.
+ //
+ // This is option is only available when Method=Ingress, because
ExternalDNS and LoadBalancer Services do not support TLS termination.
+ // This option is also unavailable when the SolrCloud has TLS enabled
via `spec.solrTLS`, in this case the Ingress cannot terminate TLS before
reaching Solr.
+ //
+ // When using this option, the UseExternalAddress option will be
disabled, since Solr cannot be running in HTTP mode and making internal
requests in HTTPS.
+ //
+ // +optional
+ IngressTLSTermination *SolrIngressTLSTermination
`json:"ingressTLSTermination,omitempty"`
}
-// ExternalAddressability is a string enumeration type that enumerates
+// ExternalAddressabilityMethod is a string enumeration type that enumerates
// all possible ways that a SolrCloud can be made addressable external to the
kubernetes cluster.
// +kubebuilder:validation:Enum=Ingress;ExternalDNS
type ExternalAddressabilityMethod string
@@ -575,9 +588,29 @@ const (
LoadBalancer ExternalAddressabilityMethod = "LoadBalancer"
)
-func (opts *ExternalAddressability) withDefaults(usesTLS bool) (changed bool) {
+func (opts *ExternalAddressability) withDefaults(usesTLS bool, logger
logr.Logger) (changed bool) {
+ // TODO: Remove in v0.7.0
+ // If the deprecated IngressTLSTerminationSecret exists, use it to
default the new location of the value.
+ // If that location already exists, then merely remove the deprecated
option.
+ if opts.IngressTLSTerminationSecret != "" {
+ terminationSecretLogger := logger.WithValues("option",
"spec.solrAddressability.external.ingressTLSTerminationSecret").WithValues("newLocation",
"spec.solrAddressability.external.ingressTLSTermination.tlsSecret")
+ var loggingAction string
+ if !opts.HasIngressTLSTermination() {
+ opts.IngressTLSTermination = &SolrIngressTLSTermination{
+ TLSSecret: opts.IngressTLSTerminationSecret,
+ }
+ loggingAction = "Moving"
+ } else {
+ terminationSecretLogger =
terminationSecretLogger.WithValues("reason", "Cannot move deprecated option
because ingressTLSTermination is already defined")
+ loggingAction = "Removing"
+ }
+ opts.IngressTLSTerminationSecret = ""
+ terminationSecretLogger.Info(loggingAction + " deprecated CRD
option")
+ changed = true
+ }
+
// You can't use an externalAddress for Solr Nodes if the Nodes are
hidden externally
- if opts.UseExternalAddress && (opts.HideNodes ||
opts.IngressTLSTerminationSecret != "") {
+ if opts.UseExternalAddress && (opts.HideNodes ||
opts.IngressTLSTermination != nil) {
changed = true
opts.UseExternalAddress = false
}
@@ -606,6 +639,7 @@ func (opts *ExternalAddressability) withDefaults(usesTLS
bool) (changed bool) {
}
}
}
+ logger.Info("Moving deprecated CRD option", "option",
"spec.solrAddressability.external.additionalDomains", "newLocation",
"spec.solrAddressability.external.additionalDomainNames")
changed = true
opts.AdditionalDomains = nil
}
@@ -628,6 +662,25 @@ func (opts *ExternalAddressability) withDefaults(usesTLS
bool) (changed bool) {
return changed
}
+// SolrIngressTLSTermination defines how a SolrCloud should have TLS
Termination enabled.
+// Only one option can be provided.
+//
+// +kubebuilder:validation:MaxProperties=1
+type SolrIngressTLSTermination struct {
+
+ // UseDefaultTLSSecret determines whether the ingress should use the
default TLS secret provided by the Ingress implementation.
+ //
+ // For example, using nginx:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
+ //
+ // +optional
+ UseDefaultTLSSecret bool `json:"useDefaultTLSSecret,omitempty"`
+
+ // TLSSecret defines a TLS Secret to use for TLS termination of all
exposed addresses for this SolrCloud in the Ingress.
+ //
+ // +optional
+ TLSSecret string `json:"tlsSecret,omitempty"`
+}
+
type SolrUpdateStrategy struct {
// Method defines the way in which SolrClouds should be updated when
the podSpec changes.
// +optional
@@ -1110,8 +1163,8 @@ type SolrCloud struct {
}
// WithDefaults set default values when not defined in the spec.
-func (sc *SolrCloud) WithDefaults() bool {
- return sc.Spec.withDefaults()
+func (sc *SolrCloud) WithDefaults(logger logr.Logger) bool {
+ return sc.Spec.withDefaults(logger)
}
func (sc *SolrCloud) GetAllSolrPodNames() []string {
@@ -1332,11 +1385,18 @@ func (sc *SolrCloud) ExternalCommonUrl(domainName
string, withPort bool) (url st
return url
}
+func (ea *ExternalAddressability) HasIngressTLSTermination() bool {
+ if ea != nil && ea.Method == Ingress && ea.IngressTLSTermination != nil
{
+ return ea.IngressTLSTermination.UseDefaultTLSSecret ||
ea.IngressTLSTermination.TLSSecret != ""
+ }
+ return false
+}
+
func (sc *SolrCloud) UrlScheme(external bool) string {
urlScheme := "http"
if sc.Spec.SolrTLS != nil {
urlScheme = "https"
- } else if external && sc.Spec.SolrAddressability.External != nil &&
sc.Spec.SolrAddressability.External.Method == Ingress &&
sc.Spec.SolrAddressability.External.IngressTLSTerminationSecret != "" {
+ } else if external &&
sc.Spec.SolrAddressability.External.HasIngressTLSTermination() {
urlScheme = "https"
}
return urlScheme
diff --git a/api/v1beta1/solrcloud_with_defaults_test.go
b/api/v1beta1/solrcloud_with_defaults_test.go
index 3f354ee..9c706e8 100644
--- a/api/v1beta1/solrcloud_with_defaults_test.go
+++ b/api/v1beta1/solrcloud_with_defaults_test.go
@@ -19,69 +19,128 @@ package v1beta1
import (
"github.com/stretchr/testify/assert"
+ ctrl "sigs.k8s.io/controller-runtime"
"testing"
)
func TestDeprecatedAdditionalDomains(t *testing.T) {
ext := &ExternalAddressability{}
+ logger := ctrl.Log
- assert.False(t, ext.withDefaults(false), "withDefaults() returned true
when nothing should have been changed (no additional domains in either field)")
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no additional domains in
either field)")
ext.AdditionalDomainNames = []string{"t1", "t2"}
- assert.False(t, ext.withDefaults(false), "withDefaults() returned true
when nothing should have been changed (no additional domains in the deprecated
field)")
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no additional domains in
the deprecated field)")
ext.AdditionalDomains = nil
- assert.False(t, ext.withDefaults(false), "withDefaults() returned true
when nothing should have been changed (no additional domains in the deprecated
field)")
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no additional domains in
the deprecated field)")
ext.AdditionalDomains = []string{}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t1", "t2"},
ext.AdditionalDomainNames, "There are no values from additionalDomains to
append to additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
ext.AdditionalDomains = []string{"t1", "t2"}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t1", "t2"},
ext.AdditionalDomainNames, "The values are the same between additionalDomains
and additionalDomainNames, so nothing should be changed in
additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
ext.AdditionalDomains = []string{"t1", "t2", "t3"}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t1", "t2", "t3"},
ext.AdditionalDomainNames, "The unique values from additionalDomains were not
appended to additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
ext.AdditionalDomains = []string{"t1", "t3"}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t1", "t2", "t3"},
ext.AdditionalDomainNames, "The unique values from additionalDomains were not
appended to additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
ext.AdditionalDomains = []string{"t3"}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t1", "t2", "t3"},
ext.AdditionalDomainNames, "The unique values from additionalDomains were not
appended to additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
ext.AdditionalDomains = []string{"t4", "t1", "t2", "t3"}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t1", "t2", "t4", "t3"},
ext.AdditionalDomainNames, "The unique values from additionalDomains were not
appended to additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
ext.AdditionalDomainNames = nil
ext.AdditionalDomains = []string{"t4", "t1", "t2", "t3"}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t4", "t1", "t2", "t3"},
ext.AdditionalDomainNames, "The unique values from additionalDomains were not
appended to additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
ext.AdditionalDomainNames = []string{}
ext.AdditionalDomains = []string{"t4", "t1", "t2", "t3"}
- assert.True(t, ext.withDefaults(false), "withDefaults() returned false
when the additionalDomains field needs to be removed")
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
assert.ElementsMatch(t, []string{"t4", "t1", "t2", "t3"},
ext.AdditionalDomainNames, "The unique values from additionalDomains were not
appended to additionalDomainNames")
assert.Nil(t, ext.AdditionalDomains, "The additionalDomains field was
not set to nil")
}
+
+func TestDeprecatedIngressTerminationTLSSecret(t *testing.T) {
+ ext := &ExternalAddressability{
+ Method: Ingress,
+ NodePortOverride: 80,
+ }
+
+ logger := ctrl.Log
+
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no termination in either
field)")
+
+ ext.IngressTLSTerminationSecret = ""
+
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no termination in the
deprecated field)")
+
+ ext.IngressTLSTermination = &SolrIngressTLSTermination{
+ TLSSecret: "test",
+ }
+
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no termination in the
deprecated field)")
+
+ ext.IngressTLSTermination = &SolrIngressTLSTermination{
+ UseDefaultTLSSecret: true,
+ }
+
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no termination in the
deprecated field)")
+
+ ext.IngressTLSTermination = &SolrIngressTLSTermination{
+ UseDefaultTLSSecret: false,
+ }
+
+ assert.False(t, ext.withDefaults(false, logger), "withDefaults()
returned true when nothing should have been changed (no termination in the
deprecated field)")
+
+ ext.IngressTLSTerminationSecret = "test2"
+
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
+ assert.Equal(t, "test2", ext.IngressTLSTermination.TLSSecret, "The
value from ingressTLSTerminationSecret should have populated
ingressTLSTermination.tlsSecret")
+ assert.Empty(t, ext.IngressTLSTerminationSecret, "The
ingressTLSTerminationSecret field was not set to nil")
+
+ ext.IngressTLSTerminationSecret = "test2"
+ ext.IngressTLSTermination = &SolrIngressTLSTermination{
+ UseDefaultTLSSecret: true,
+ }
+
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
+ assert.Empty(t, ext.IngressTLSTermination.TLSSecret, "The value from
ingressTLSTerminationSecret should not have populated
ingressTLSTermination.tlsSecret, since useDefaultTLSSecret is set to true")
+ assert.Empty(t, ext.IngressTLSTerminationSecret, "The
ingressTLSTerminationSecret field was not set to nil")
+
+ ext.IngressTLSTerminationSecret = "test2"
+ ext.IngressTLSTermination = &SolrIngressTLSTermination{
+ TLSSecret: "test",
+ }
+
+ assert.True(t, ext.withDefaults(false, logger), "withDefaults()
returned false when the additionalDomains field needs to be removed")
+ assert.Equal(t, "test", ext.IngressTLSTermination.TLSSecret, "The value
from ingressTLSTerminationSecret should not have populated
ingressTLSTermination.tlsSecret, since the field is already set")
+ assert.Empty(t, ext.IngressTLSTerminationSecret, "The
ingressTLSTerminationSecret field was not set to nil")
+}
diff --git a/api/v1beta1/suite_test.go b/api/v1beta1/suite_test.go
new file mode 100644
index 0000000..9d1b482
--- /dev/null
+++ b/api/v1beta1/suite_test.go
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package v1beta1
+
+import (
+ "os"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/log/zap"
+ "testing"
+)
+
+func TestMain(m *testing.M) {
+ ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
+
+ code := m.Run()
+ os.Exit(code)
+}
diff --git a/api/v1beta1/zz_generated.deepcopy.go
b/api/v1beta1/zz_generated.deepcopy.go
index 235b6ea..513740c 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -263,6 +263,11 @@ func (in *ExternalAddressability) DeepCopyInto(out
*ExternalAddressability) {
*out = make([]string, len(*in))
copy(*out, *in)
}
+ if in.IngressTLSTermination != nil {
+ in, out := &in.IngressTLSTermination, &out.IngressTLSTermination
+ *out = new(SolrIngressTLSTermination)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver,
creating a new ExternalAddressability.
@@ -1016,6 +1021,21 @@ func (in *SolrEphemeralDataStorageOptions) DeepCopy()
*SolrEphemeralDataStorageO
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
writing into out. in must be non-nil.
+func (in *SolrIngressTLSTermination) DeepCopyInto(out
*SolrIngressTLSTermination) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver,
creating a new SolrIngressTLSTermination.
+func (in *SolrIngressTLSTermination) DeepCopy() *SolrIngressTLSTermination {
+ if in == nil {
+ return nil
+ }
+ out := new(SolrIngressTLSTermination)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
writing into out. in must be non-nil.
func (in *SolrNodeStatus) DeepCopyInto(out *SolrNodeStatus) {
*out = *in
diff --git a/config/crd/bases/solr.apache.org_solrclouds.yaml
b/config/crd/bases/solr.apache.org_solrclouds.yaml
index d26e086..d0607e3 100644
--- a/config/crd/bases/solr.apache.org_solrclouds.yaml
+++ b/config/crd/bases/solr.apache.org_solrclouds.yaml
@@ -4860,8 +4860,19 @@ spec:
hideNodes:
description: Do not expose each of the Solr Node
services externally. The number of services this affects could range from 1 (a
headless service for ExternalDNS) to the number of Solr pods your cloud
contains (individual node services for Ingress/LoadBalancer). Defaults to false.
type: boolean
+ ingressTLSTermination:
+ description: "IngressTLSTermination tells the
SolrCloud Ingress to terminate TLS on incoming connections. \n This is option
is only available when Method=Ingress, because ExternalDNS and LoadBalancer
Services do not support TLS termination. This option is also unavailable when
the SolrCloud has TLS enabled via `spec.solrTLS`, in this case the Ingress
cannot terminate TLS before reaching Solr. \n When using this option, the
UseExternalAddress option will be disable [...]
+ maxProperties: 1
+ properties:
+ tlsSecret:
+ description: TLSSecret defines a TLS Secret to use
for TLS termination of all exposed addresses for this SolrCloud in the Ingress.
+ type: string
+ useDefaultTLSSecret:
+ description: "UseDefaultTLSSecret determines
whether the ingress should use the default TLS secret provided by the Ingress
implementation. \n For example, using nginx:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate";
+ type: boolean
+ type: object
ingressTLSTerminationSecret:
- description: "IngressTLSTerminationSecret defines a
TLS Secret to use for TLS termination of all exposed addresses in the ingress.
\n This is option is only available when Method=Ingress, because ExternalDNS
and LoadBalancer Services do not support TLS termination. This option is also
unavailable when the SolrCloud has TLS enabled via `spec.solrTLS`, in this case
the Ingress cannot terminate TLS before reaching Solr. \n When using this
option, the UseExternalAddre [...]
+ description: "IngressTLSTerminationSecret defines a
TLS Secret to use for TLS termination of all exposed addresses in the ingress.
\n This is option is only available when Method=Ingress, because ExternalDNS
and LoadBalancer Services do not support TLS termination. This option is also
unavailable when the SolrCloud has TLS enabled via `spec.solrTLS`, in this case
the Ingress cannot terminate TLS before reaching Solr. \n When using this
option, the UseExternalAddre [...]
type: string
method:
description: The way in which this SolrCloud's
service(s) should be made addressable externally.
diff --git a/controllers/solrcloud_controller.go
b/controllers/solrcloud_controller.go
index 89fbd06..c10a8de 100644
--- a/controllers/solrcloud_controller.go
+++ b/controllers/solrcloud_controller.go
@@ -100,7 +100,7 @@ func (r *SolrCloudReconciler) Reconcile(ctx
context.Context, req ctrl.Request) (
return reconcile.Result{}, err
}
- changed := instance.WithDefaults()
+ changed := instance.WithDefaults(logger)
if changed {
logger.Info("Setting default settings for SolrCloud")
if err = r.Update(ctx, instance); err != nil {
diff --git a/controllers/solrcloud_controller_backup_test.go
b/controllers/solrcloud_controller_backup_test.go
index e70fe5c..46429cb 100644
--- a/controllers/solrcloud_controller_backup_test.go
+++ b/controllers/solrcloud_controller_backup_test.go
@@ -55,7 +55,7 @@ var _ = FDescribe("SolrCloud controller - Backup
Repositories", func() {
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
diff --git a/controllers/solrcloud_controller_basic_auth_test.go
b/controllers/solrcloud_controller_basic_auth_test.go
index 05594a5..4305b3f 100644
--- a/controllers/solrcloud_controller_basic_auth_test.go
+++ b/controllers/solrcloud_controller_basic_auth_test.go
@@ -63,7 +63,7 @@ var _ = FDescribe("SolrCloud controller - Basic Auth", func()
{
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
diff --git a/controllers/solrcloud_controller_externaldns_test.go
b/controllers/solrcloud_controller_externaldns_test.go
index c3f5d4e..be1e922 100644
--- a/controllers/solrcloud_controller_externaldns_test.go
+++ b/controllers/solrcloud_controller_externaldns_test.go
@@ -70,7 +70,7 @@ var _ = FDescribe("SolrCloud controller - External DNS",
func() {
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
diff --git a/controllers/solrcloud_controller_ingress_test.go
b/controllers/solrcloud_controller_ingress_test.go
index 0f1a6c9..da20644 100644
--- a/controllers/solrcloud_controller_ingress_test.go
+++ b/controllers/solrcloud_controller_ingress_test.go
@@ -82,7 +82,7 @@ var _ = FDescribe("SolrCloud controller - Ingress", func() {
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
diff --git a/controllers/solrcloud_controller_storage_test.go
b/controllers/solrcloud_controller_storage_test.go
index fbdf54d..f69351f 100644
--- a/controllers/solrcloud_controller_storage_test.go
+++ b/controllers/solrcloud_controller_storage_test.go
@@ -71,7 +71,7 @@ var _ = FDescribe("SolrCloud controller - Storage", func() {
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
diff --git a/controllers/solrcloud_controller_test.go
b/controllers/solrcloud_controller_test.go
index 86d07f3..433ea9b 100644
--- a/controllers/solrcloud_controller_test.go
+++ b/controllers/solrcloud_controller_test.go
@@ -57,7 +57,7 @@ var _ = FDescribe("SolrCloud controller - General", func() {
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
diff --git a/controllers/solrcloud_controller_tls_test.go
b/controllers/solrcloud_controller_tls_test.go
index 4983dd8..f07cb11 100644
--- a/controllers/solrcloud_controller_tls_test.go
+++ b/controllers/solrcloud_controller_tls_test.go
@@ -75,7 +75,7 @@ var _ = FDescribe("SolrCloud controller - TLS", func() {
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
@@ -382,9 +382,11 @@ var _ = FDescribe("SolrCloud controller - TLS", func() {
tlsSecretName := "tls-cert-secret-from-user"
BeforeEach(func() {
solrCloud.Spec.SolrSecurity =
&solrv1beta1.SolrSecurityOptions{AuthenticationType: solrv1beta1.Basic}
-
solrCloud.Spec.SolrAddressability.External.IngressTLSTerminationSecret =
tlsSecretName
+
solrCloud.Spec.SolrAddressability.External.IngressTLSTermination =
&solrv1beta1.SolrIngressTLSTermination{
+ TLSSecret: tlsSecretName,
+ }
})
- FIt("has the correct resources", func() {
+ FIt("has the correct resources - Explicit Secret", func() {
By("Checking that the Ingress will terminate TLS")
expectTerminateIngressTLSConfig(ctx, solrCloud,
tlsSecretName, false)
@@ -401,6 +403,31 @@ var _ = FDescribe("SolrCloud controller - TLS", func() {
expectTLSService(ctx, solrCloud,
foundStatefulSet.Spec.Selector.MatchLabels, false)
})
})
+
+ FContext("Common Ingress TLS Termination - Default Secret", func() {
+ BeforeEach(func() {
+ solrCloud.Spec.SolrSecurity =
&solrv1beta1.SolrSecurityOptions{AuthenticationType: solrv1beta1.Basic}
+
solrCloud.Spec.SolrAddressability.External.IngressTLSTermination =
&solrv1beta1.SolrIngressTLSTermination{
+ UseDefaultTLSSecret: true,
+ }
+ })
+ FIt("has the correct resources", func() {
+ By("Checking that the Ingress will terminate TLS")
+ expectTerminateIngressTLSConfig(ctx, solrCloud, "",
false)
+
+ By("Checking that the SolrCloud status has the correct
scheme for URLs")
+ expectSolrCloudStatusWithChecks(ctx, solrCloud, func(g
Gomega, found *solrv1beta1.SolrCloudStatus) {
+
g.Expect(found.InternalCommonAddress).To(Equal("http://"+solrCloud.Name+"-solrcloud-common."+solrCloud.Namespace),
"Wrong internal common address in status")
+
g.Expect(found.ExternalCommonAddress).To(Not(BeNil()), "External common address
in Status should not be nil.")
+
g.Expect(*found.ExternalCommonAddress).To(Equal("https://"+solrCloud.Namespace+"-"+solrCloud.Name+"-solrcloud."+testDomain),
"Wrong external common address in status")
+ })
+
+ foundStatefulSet := expectStatefulSet(ctx, solrCloud,
solrCloud.StatefulSetName())
+
+ By("Checking that the Service has the correct settings")
+ expectTLSService(ctx, solrCloud,
foundStatefulSet.Spec.Selector.MatchLabels, false)
+ })
+ })
})
// Ensures all the TLS env vars, volume mounts and initContainers are setup
for the PodTemplateSpec
diff --git a/controllers/solrcloud_controller_zk_test.go
b/controllers/solrcloud_controller_zk_test.go
index 898a5f8..6bf4087 100644
--- a/controllers/solrcloud_controller_zk_test.go
+++ b/controllers/solrcloud_controller_zk_test.go
@@ -58,7 +58,7 @@ var _ = FDescribe("SolrCloud controller - Zookeeper", func() {
By("defaulting the missing SolrCloud values")
expectSolrCloudWithChecks(ctx, solrCloud, func(g Gomega, found
*solrv1beta1.SolrCloud) {
- g.Expect(found.WithDefaults()).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
+ g.Expect(found.WithDefaults(logger)).To(BeFalse(), "The
SolrCloud spec should not need to be defaulted eventually")
})
})
diff --git a/controllers/suite_test.go b/controllers/suite_test.go
index 67b45fc..8d25a7f 100644
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -19,6 +19,7 @@ package controllers
import (
zk_api "github.com/apache/solr-operator/controllers/zk_api"
+ "github.com/go-logr/logr"
"path/filepath"
ctrl "sigs.k8s.io/controller-runtime"
"testing"
@@ -41,6 +42,7 @@ import (
// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
var cfg *rest.Config
+var logger logr.Logger
var k8sClient client.Client
var testEnv *envtest.Environment
@@ -62,7 +64,8 @@ var _ = BeforeSuite(func() {
SetDefaultEventuallyTimeout(timeout)
SetDefaultEventuallyPollingInterval(interval)
- logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
+ logger = zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))
+ logf.SetLogger(logger)
By("bootstrapping test environment")
testEnv = &envtest.Environment{
diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 31e516c..44851d0 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -921,11 +921,14 @@ func GenerateIngress(solrCloud *solr.SolrCloud, nodeNames
[]string) (ingress *ne
ingressTLS = append(ingressTLS, netv1.IngressTLS{SecretName:
solrCloud.Spec.SolrTLS.PKCS12Secret.Name})
} // else if using mountedTLSDir, it's likely they'll have an
auto-wired TLS solution for Ingress as well via annotations
- if extOpts.IngressTLSTerminationSecret != "" {
- ingressTLS = append(ingressTLS, netv1.IngressTLS{
- SecretName: extOpts.IngressTLSTerminationSecret,
- Hosts: allHosts,
- })
+ if extOpts.HasIngressTLSTermination() {
+ newIngressTLS := netv1.IngressTLS{
+ Hosts: allHosts,
+ }
+ if extOpts.IngressTLSTermination.TLSSecret != "" {
+ newIngressTLS.SecretName =
extOpts.IngressTLSTermination.TLSSecret
+ }
+ ingressTLS = append(ingressTLS, newIngressTLS)
}
solrNodesRequireTLS := solrCloud.Spec.SolrTLS != nil
ingressFrontedByTLS := len(ingressTLS) > 0
diff --git a/docs/README.md b/docs/README.md
index d2a97cb..04580d7 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -20,6 +20,7 @@
Please visit the following pages for documentation on using and developing the
Solr Operator:
- [Local Tutorial](local_tutorial.md)
+- [Upgrade Notes](upgrade-notes.md)
- [Running the Solr Operator](running-the-operator.md)
- Available Solr Resources
- [Solr Clouds](solr-cloud)
diff --git a/docs/solr-cloud/solr-cloud-crd.md
b/docs/solr-cloud/solr-cloud-crd.md
index 2e28f36..f4dc6cf 100644
--- a/docs/solr-cloud/solr-cloud-crd.md
+++ b/docs/solr-cloud/solr-cloud-crd.md
@@ -119,11 +119,17 @@ Under `SolrCloud.Spec.solrAddressability`:
The goal is to support more methods in the future, such as LoadBalanced
Services.
- **`domainName`** - (Required) The primary domain name to open your cloud
endpoints on. If `useExternalAddress` is set to `true`, then this is the domain
that will be used in Solr Node names.
- **`additionalDomainNames`** - You can choose to listen on additional
domains for each endpoint, however Solr will not register itself under these
names.
- - **`useExternalAddress`** - Use the external address to advertise the
SolrNode. If a domain name is required for the chosen external `method`, then
the one provided in `domainName` will be used.
+ - **`useExternalAddress`** - Use the external address to advertise the
SolrNode. If a domain name is required for the chosen external `method`, then
the one provided in `domainName` will be used. \
+ This can not be set to `true` when **`hideNodes`** is set to `true` or
**`ingressTLSTermination`** is used.
- **`hideCommon`** - Do not externally expose the common service (one
endpoint for all solr nodes).
- **`hideNodes`** - Do not externally expose each node. (This cannot be set
to `true` if the cloud is running across multiple kubernetes clusters)
- **`nodePortOverride`** - Make the Node Service(s) override the podPort.
This is only available for the `Ingress` external method. If `hideNodes` is set
to `true`, then this option is ignored. If provided, this port will be used to
advertise the Solr Node. \
- If `method: Ingress` and `hideNodes: false`, then this value defaults to
`80` since that is the default port that ingress controllers listen on.
+ If `method: Ingress` and `hideNodes: false`, then this value defaults to
`80` since that is the default port that ingress controllers listen on.
+ - **`ingressTLSTermination`** - Terminate TLS for the SolrCloud at the
`Ingress`, if using the `Ingress` **method**. This will leave the inter-node
communication within the cluster to use HTTP. \
+ This option may not be used with **`useExternalAddress`**. Only one
sub-option can be provided.
+ - **`useDefaultTLSSecret`** - Use the default TLS Secret set by your
Ingress controller, if your Ingress controller supports this feature. Cannot be
used when `tlsSecret` is used. \
+ For example, using nginx:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
+ - **`tlsSecret`** - Name a of Kubernetes TLS Secret to terminate TLS when
using the `Ingress` method. Cannot be used when `useDefaultTlsSecret` is used.
**Note:** Unless both `external.method=Ingress` and
`external.hideNodes=false`, a headless service will be used to make each Solr
Node in the statefulSet addressable.
If both of those criteria are met, then an individual ClusterIP Service will
be created for each Solr Node/Pod.
@@ -623,7 +629,7 @@ You may also use the `spec.solrClientTLS.mountedTLSDir`
option to load a pod spe
The Solr operator may create an Ingress for exposing Solr pods externally.
When TLS is enabled, the operator adds the following annotation and TLS
settings to the Ingress manifest, such as:
```yaml
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
@@ -767,13 +773,14 @@ spec:
method: Ingress
hideNodes: true
useExternalAddress: false
- ingressTLSTerminationSecret: my-selfsigned-cert-tls
+ ingressTLSTermination:
+ tlsSecret: my-selfsigned-cert-tls
```
The only additional settings required here are:
- Making sure that you are not using the external TLS address for Solr to
communicate internally via `useExternalAddress: false`.
This will be ignored, even if it is set to `true`.
-- Adding a TLS secret through `ingressTLSTerminationSecret`, this is passed to
the Kubernetes Ingress to handle the TLS termination.
+- Adding a TLS secret through `ingressTLSTermination.tlsSecret`, this is
passed to the Kubernetes Ingress to handle the TLS termination.
_This ensures that the only way to communicate with your Solr cluster
externally is through the TLS protected common-endpoint._
To generate a TLS secret, follow the [instructions
above](#use-cert-manager-to-issue-the-certificate) and use the templated
Hostname: `<namespace>-<name>-solrcloud.<domain>`
@@ -799,7 +806,8 @@ spec:
method: Ingress
hideNodes: true
useExternalAddress: false
- ingressTLSTerminationSecret: myingress-cert
+ ingressTLSTermination:
+ tlsSecret: myingress-cert
```
For more information on the Ingress TLS Termination options for cert-manager,
[refer to the documentation](https://cert-manager.io/docs/usage/ingress/).
diff --git a/docs/upgrade-notes.md b/docs/upgrade-notes.md
index 756ac45..9380cb9 100644
--- a/docs/upgrade-notes.md
+++ b/docs/upgrade-notes.md
@@ -122,6 +122,10 @@ _Note that the Helm chart version does not contain a `v`
prefix, which the downl
In this release `additionalDomains` is still accepted, but all values will
automatically be added to `additionalDomainNames` and the field will be set to
`nil` by the operator.
The `additionalDomains` option will be removed in a future version.
+- The SolrCloud CRD field
`Spec.solrAddressability.external.ingressTLSTerminationSecret` has been moved
to `Spec.solrAddressability.external.ingressTLSTermination.tlsSecret`.
+ In this release `ingressTLSTerminationSecret` is still accepted, but all
values will automatically be changed to `ingressTLSTermination.tlsSecret` and
the original field will be set to `nil` by the operator.
+ The `ingressTLSTerminationSecret` option will be removed in a future version.
+
- `SolrPrometheusExporter` resources without any image specifications
(`SolrPrometheusExporter.Spec.image.*`) will use the referenced `SolrCloud`
image, if the reference is by `name`, not `zkConnectionString`.
If any `SolrPrometheusExporter.Spec.image.*` option is provided, then those
values will be defaulted by the Solr Operator and the `SolrCloud` image will
not be used.
When upgrading from `v0.5.*` to `v0.6.0`, only new `SolrPrometheusExporter`
resources will use this new feature.
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index de5e399..28cd552 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -157,6 +157,17 @@ annotations:
url: https://github.com/apache/solr-operator/issues/376
- name: Github PR
url: https://github.com/apache/solr-operator/pull/455
+ - kind: changed
+ description: SolrClouds can now use the Ingress controller's default TLS
Secret when terminating TLS at the Ingress. The old
`ingressTLSTerminationSecret` option is now deprecated. Refer the upgrade notes
for more information.
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/437
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/452
+ - name: Upgrade Notes
+ url:
https://apache.github.io/solr-operator/docs/upgrade-notes.html#v060
+ - name: Solr Addressability Docs
+ url:
https://apache.github.io/solr-operator/docs/solr-cloud/solr-cloud-crd.html#addressability
artifacthub.io/images: |
- name: solr-operator
image: apache/solr-operator:v0.6.0-prerelease
diff --git a/helm/solr-operator/crds/crds.yaml
b/helm/solr-operator/crds/crds.yaml
index 2f68e55..164b130 100644
--- a/helm/solr-operator/crds/crds.yaml
+++ b/helm/solr-operator/crds/crds.yaml
@@ -5092,8 +5092,19 @@ spec:
hideNodes:
description: Do not expose each of the Solr Node
services externally. The number of services this affects could range from 1 (a
headless service for ExternalDNS) to the number of Solr pods your cloud
contains (individual node services for Ingress/LoadBalancer). Defaults to false.
type: boolean
+ ingressTLSTermination:
+ description: "IngressTLSTermination tells the
SolrCloud Ingress to terminate TLS on incoming connections. \n This is option
is only available when Method=Ingress, because ExternalDNS and LoadBalancer
Services do not support TLS termination. This option is also unavailable when
the SolrCloud has TLS enabled via `spec.solrTLS`, in this case the Ingress
cannot terminate TLS before reaching Solr. \n When using this option, the
UseExternalAddress option will be disable [...]
+ maxProperties: 1
+ properties:
+ tlsSecret:
+ description: TLSSecret defines a TLS Secret to use
for TLS termination of all exposed addresses for this SolrCloud in the Ingress.
+ type: string
+ useDefaultTLSSecret:
+ description: "UseDefaultTLSSecret determines
whether the ingress should use the default TLS secret provided by the Ingress
implementation. \n For example, using nginx:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate";
+ type: boolean
+ type: object
ingressTLSTerminationSecret:
- description: "IngressTLSTerminationSecret defines a
TLS Secret to use for TLS termination of all exposed addresses in the ingress.
\n This is option is only available when Method=Ingress, because ExternalDNS
and LoadBalancer Services do not support TLS termination. This option is also
unavailable when the SolrCloud has TLS enabled via `spec.solrTLS`, in this case
the Ingress cannot terminate TLS before reaching Solr. \n When using this
option, the UseExternalAddre [...]
+ description: "IngressTLSTerminationSecret defines a
TLS Secret to use for TLS termination of all exposed addresses in the ingress.
\n This is option is only available when Method=Ingress, because ExternalDNS
and LoadBalancer Services do not support TLS termination. This option is also
unavailable when the SolrCloud has TLS enabled via `spec.solrTLS`, in this case
the Ingress cannot terminate TLS before reaching Solr. \n When using this
option, the UseExternalAddre [...]
type: string
method:
description: The way in which this SolrCloud's
service(s) should be made addressable externally.
diff --git a/helm/solr/README.md b/helm/solr/README.md
index a6ce3e0..570eff2 100644
--- a/helm/solr/README.md
+++ b/helm/solr/README.md
@@ -143,11 +143,12 @@ External addressability is disabled by default.
| addressability.external.method | string | | The method by which Solr should
be made addressable outside of the Kubernetes cluster. Either `Ingress` or
`ExternalDNS` |
| addressability.external.domainName | string | | The base domain name that
Solr nodes should be addressed under. |
| addressability.external.additionalDomainNames | []string | | Additional base
domain names that Solr nodes should be addressed under. These are not used to
advertise Solr locations, just the `domainName` is. |
-| addressability.external.useExternalAddress | boolean | `false` | Make the
official hostname of the SolrCloud nodes the external address. This cannot be
used when `hideNodes` is set to `true` or `ingressTLSTerminationSecret` is set
to `true`. |
+| addressability.external.useExternalAddress | boolean | `false` | Make the
official hostname of the SolrCloud nodes the external address. This cannot be
used when `hideNodes` is set to `true` or `ingressTLSTermination` is used. |
| addressability.external.hideNodes | boolean | `false` | Do not make the
individual Solr nodes addressable outside of the Kubernetes cluster. |
| addressability.external.hideCommon | boolean | `false` | Do not make the
load-balanced common Solr endpoint addressable outside of the Kubernetes
cluster. |
| addressability.external.nodePortOverride | int | | Override the port of
individual Solr nodes when using the `Ingress` method. This will default to
`80` if using an Ingress without TLS and `443` when using an Ingress with Solr
TLS enabled (not TLS Termination described below). |
-| addressability.external.ingressTLSTerminationSecret | string | | Name of
Kubernetes Secret to terminate TLS when using the `Ingress` method. |
+| addressability.external.ingressTLSTermination.tlsSecret | string | | Name a
of Kubernetes TLS Secret to terminate TLS when using the `Ingress` method.
Cannot be used when `useDefaultTlsSecret` is used. |
+| addressability.external.ingressTLSTermination.useDefaultTLSSecret | boolean
| `false` | Use the default TLS Secret set by your Ingress controller, if your
Ingress controller supports this feature. Cannot be used when `tlsSecret` is
used. |
### ZK Options
diff --git a/helm/solr/values.yaml b/helm/solr/values.yaml
index d49ea54..c379b70 100644
--- a/helm/solr/values.yaml
+++ b/helm/solr/values.yaml
@@ -85,7 +85,9 @@ addressability:
# hideNodes: false
# hideCommon: false
# nodePortOverride: null
- # ingressTLSTerminationSecret: ""
+ # ingressTLSTermination:
+ # tlsSecret: ""
+ # useDefaultTLSSecret: false
# Specify how rolling updates should be managed for the Solr StatefulSet
#
https://apache.github.io/solr-operator/docs/solr-cloud/solr-cloud-crd.html#update-strategy
