From 31598860e3d03da6ce69539fc34574d1dddbacd7 Mon Sep 17 00:00:00 2001 From: Paul Gear Date: Fri, 13 Apr 2018 13:20:27 +1000 Subject: [PATCH] Add option to control SSL chain completion --- cluster/juju/layers/kubernetes-worker/config.yaml | 9 +++++++++ .../kubernetes-worker/reactive/kubernetes_worker.py | 2 ++ .../kubernetes-worker/templates/ingress-daemon-set.yaml | 1 + 3 files changed, 12 insertions(+) diff --git a/cluster/juju/layers/kubernetes-worker/config.yaml b/cluster/juju/layers/kubernetes-worker/config.yaml index 7f51776c169..6cf1ea71eef 100644 --- a/cluster/juju/layers/kubernetes-worker/config.yaml +++ b/cluster/juju/layers/kubernetes-worker/config.yaml @@ -58,6 +58,15 @@ options: The value for this config must be a JSON array of credential objects, like this: [{"server": "my.registry", "username": "myUser", "password": "myPass"}] + ingress-ssl-chain-completion: + type: boolean + default: false + description: | + Enable chain completion for TLS certificates used by the nginx ingress + controller. Set this to true if you would like the ingress controller + to attempt auto-retrieval of intermediate certificates. The default + (false) is recommended for all production kubernetes installations, and + any environment which does not have outbound Internet access. nginx-image: type: string default: "auto" diff --git a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py index a944174c1e0..c9774238467 100644 --- a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py +++ b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py @@ -686,6 +686,7 @@ def create_kubeconfig(kubeconfig, server, ca, key=None, certificate=None, @when_any('config.changed.default-backend-image', + 'config.changed.ingress-ssl-chain-completion', 'config.changed.nginx-image') @when('kubernetes-worker.config.created') def launch_default_ingress_controller(): 
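Review bot: The `ingress-ssl-chain-completion` description in config.yaml recommends leaving the option off but does not say why, and the reason is security-relevant. As far as I know, chain completion makes the controller fetch missing intermediates from the URL in the certificate's Authority Information Access extension. That means whoever supplies a TLS secret influences where the controller sends outbound requests, and certificate setup depends on a third-party endpoint being reachable. I would add a sentence such as `When enabled, the controller downloads intermediates from the URL named in each certificate's Authority Information Access extension; prefer shipping the full chain in the TLS secret.` so operators can make an informed choice.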
@@ -728,6 +729,7 @@ def launch_default_ingress_controller(): return # Render the ingress daemon set controller manifest + context['ssl_chain_completion'] = config.get('ingress-ssl-chain-completion') context['ingress_image'] = config.get('nginx-image') if context['ingress_image'] == "" or context['ingress_image'] == "auto": if context['arch'] == 's390x': diff --git a/cluster/juju/layers/kubernetes-worker/templates/ingress-daemon-set.yaml b/cluster/juju/layers/kubernetes-worker/templates/ingress-daemon-set.yaml index 744913cab71..b305d32e7fb 100644 --- a/cluster/juju/layers/kubernetes-worker/templates/ingress-daemon-set.yaml +++ b/cluster/juju/layers/kubernetes-worker/templates/ingress-daemon-set.yaml @@ -176,3 +176,4 @@ spec: - /nginx-ingress-controller - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - --configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf + - --enable-ssl-chain-completion={{ ssl_chain_completion }}
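Review bot: `config.get('ingress-ssl-chain-completion')` is handed to the template unchanged, so `--enable-ssl-chain-completion={{ ssl_chain_completion }}` in ingress-daemon-set.yaml receives whatever Jinja prints for it. That is `True` or `False` for a boolean, and the literal `None` if the key is ever absent from the charm config. Go's boolean flag parsing should accept `True` and `False` but not `None`, so a missing value would probably stop the controller from starting rather than fall back to the safe default. I would render an explicit lowercase string that defaults to off: `context['ssl_chain_completion'] = 'true' if config.get('ingress-ssl-chain-completion') else 'false'`. The body of launch_default_ingress_controller starts and ends outside this hunk, so any earlier normalisation of `config` is not visible here.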