add ssl backend capabilities

ff01b5a6 · Sandro Mathys · 3fc82618 · ff01b5a6 · ff01b5a6 · ff01b5a6
Commit ff01b5a6 authored Mar 23, 2021 by Sandro Mathys
--- a/chart/templates/configmap-apache.yaml
+++ b/chart/templates/configmap-apache.yaml
@@ -52,6 +52,7 @@ metadata:
    {{- include "shibboleth-sp.frontend.labels" . | nindent 4 }}
 data:
  000-basics.conf: |
+    # These modules are essential
    # LoadModule log_config_module modules/mod_log_config.so # built-in
    # LoadModule unixd_module modules/mod_unixd.so # built-in
    LoadModule authn_core_module modules/mod_authn_core.so
@@ -60,6 +61,10 @@ data:
    LoadModule mpm_event_module modules/mod_mpm_event.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
+  {{- if .Values.frontend.apache.enableSSL }}
+  001-ssl.conf: |
+      LoadModule ssl_module modules/mod_ssl.so
+  {{- end }}
  010-shibboleth.conf: |
    LoadModule mod_shib modules/mod_shib.so

@@ -92,15 +97,19 @@ data:
    CustomLog "/dev/stdout" custom
    ErrorLog "/dev/stderr"

+    ProxyPreserveHost "{{ .Values.frontend.apache.proxyPreserveHost | default "off" }}"
+
+    {{- if .Values.frontend.apache.enableSSL }}
+    SSLProxyEngine "on"
+    {{- end }}
+
    <VirtualHost _default_:8080>
-      UseCanonicalName On
+      UseCanonicalName on
      ServerName https://{{ tpl .Values.global.domainName . }}
      ServerAlias https://*.{{ tpl .Values.global.domainName . }}
      ServerAlias http://{{ tpl .Values.global.domainName . }}
      ServerAlias http://*.{{ tpl .Values.global.domainName . }}

-      ProxyPreserveHost On
-
      ProxyPass "/" "{{ .Values.frontend.apache.remoteURL }}"
      ProxyPassReverse "/" "{{ .Values.frontend.apache.remoteURL }}"


--- a/chart/templates/cronjob.yaml
+++ b/chart/templates/cronjob.yaml
@@ -32,6 +32,6 @@ spec:
                  # replace secret with new sealer keys
                  kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys --dry-run=client -o yaml | kubectl replace --save-config -f-
                  # restart all pods in deployment in order to pick up new secret
-                  kubectl rollout restart {{ include "shibboleth-sp.fullname" . }}
+                  kubectl rollout restart deploy {{ include "shibboleth-sp.fullname" . }}
          restartPolicy: OnFailure
 {{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -233,9 +233,13 @@ frontend:
    extraModulesConfig: ""
    extraSitesConfig: ""

+    # enable SSL/TLS, i.e. load mod_ssl and enable SSLProxyEngine
+    enableSSL: false
+
    # Settings for the actual apache/proxy config.
    # They are not used if `sitesConfigMap` is specified above.
-    logLevel: ""    # default: "warn"
-    logFormat: ""   # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
-    remoteURL: ""   # must be absolute (i.e. starting with http:// or https://)
+    logLevel: ""          # default: "warn"
+    logFormat: ""         # default: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
+    proxyPreserveHost: "" # default: "off"
+    remoteURL: ""         # must be absolute (i.e. starting with http:// or https://)
    accessRules: ""
--- a/ci/values.yaml
+++ b/ci/values.yaml
@@ -24,7 +24,9 @@ backend:

 frontend:
  apache:
-    remoteURL: https://www.switch.ch
+    enableSSL: true
+
+    remoteURL: "https://os.zhdk.cloud.switch.ch/swift/v1/shibboleth-sp-helm-chart-demo-page/"

    accessRules: |
      Require shib-attr homeOrganization switch.ch