If routes are available, prefer them

If routes are not available, use kubernetes ingress. If certificates are available for pod-to-pod communication, set the route to reencrypt. If not available, set the route to edge termination using the wildcard certificate on the cluster. CP4AIOPS-1224
bdunne · Aug 29, 2024 · 268917e · 268917e
1 parent 026a73b
commit 268917e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
@@ -74,12 +74,12 @@ func Route(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, client client.Clien
 
 		route.Spec.Host = cr.Spec.ApplicationDomain
 
-		var public = tlsSecret(cr, client)
-		route.Spec.TLS.Certificate = string(public.Data["tls.crt"])
-		route.Spec.TLS.Key = string(public.Data["tls.key"])
-
-		internalCerts := InternalCertificatesSecret(cr, client)
-		route.Spec.TLS.DestinationCACertificate = string(internalCerts.Data["root_crt"])
+		if internalCerts := InternalCertificatesSecret(cr, client); internalCerts.Data["httpd_crt"] != nil {
+			route.Spec.TLS.DestinationCACertificate = string(internalCerts.Data["root_crt"])
+			route.Spec.TLS.Termination = "reencrypt"
+		} else {
+			route.Spec.TLS.Termination = "edge"
+		}
 
 		return nil
 	}

diff --git a/manageiq-operator/internal/controller/manageiq_controller.go b/manageiq-operator/internal/controller/manageiq_controller.go
@@ -38,6 +38,7 @@ import (
 	miqtool "github.com/ManageIQ/manageiq-pods/manageiq-operator/api/v1alpha1/helpers/miq-components"
 	miqkafka "github.com/ManageIQ/manageiq-pods/manageiq-operator/api/v1alpha1/helpers/miq-components/kafka"
 	miqutilsv1alpha1 "github.com/ManageIQ/manageiq-pods/manageiq-operator/api/v1alpha1/miqutils"
+	routev1 "github.com/openshift/api/route/v1"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -425,7 +426,8 @@ func (r *ManageIQReconciler) generateHttpdResources(cr *miqv1alpha1.ManageIQ) er
 		return err
 	}
 
-	if internalCerts := miqtool.InternalCertificatesSecret(cr, r.Client); internalCerts.Data["httpd_crt"] != nil {
+	// Prefer routes if available, otherwise use ingress
+	if err := r.Client.List(context.TODO(), &routev1.RouteList{}); err == nil {
 		httpdRoute, mutateFunc := miqtool.Route(cr, r.Scheme, r.Client)
 		if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, httpdRoute, mutateFunc); err != nil {
 			return err