From de4551ab3086a03d68ad222366f54121b70b0b4c Mon Sep 17 00:00:00 2001
From: Lebaud Antoine
Date: Wed, 20 Mar 2024 15:22:22 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80(helm)=20support=20Django=20Admin?= =?UTF-8?q?=20pages=20in=20ingress=20paths?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Based on @rouja reco, I added a dedicated ingress to serve Django Admin pages and Django statics. The admin route will be secured by the oauth proxy. I simply copy/pasted the first ingress template, and adapted it.
---
src/helm/desk/templates/ingress_admin.yaml | 97 +++++++++++++++++++
src/helm/desk/values.yaml | 20 ++++
src/helm/env.d/dev/values.desk.yaml.gotmpl | 4 +-
.../env.d/staging/values.desk.yaml.gotmpl | 7 ++
4 files changed, 127 insertions(+), 1 deletion(-)
create mode 100644 src/helm/desk/templates/ingress_admin.yaml
diff --git a/src/helm/desk/templates/ingress_admin.yaml b/src/helm/desk/templates/ingress_admin.yaml
new file mode 100644
index 0000000..de66e7a
--- /dev/null
+++ b/src/helm/desk/templates/ingress_admin.yaml
@@ -0,0 +1,97 @@
+{{- if .Values.ingressAdmin.enabled -}}
+{{- $fullName := include "desk.fullname" . -}}
+{{- if and .Values.ingressAdmin.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.ingressAdmin.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.ingressAdmin.annotations "kubernetes.io/ingress.class" .Values.ingressAdmin.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-admin
+ labels:
+ {{- include "desk.labels" . | nindent 4 }}
+ {{- with .Values.ingressAdmin.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingressAdmin.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingressAdmin.className }}
+ {{- end }}
+ {{- if .Values.ingressAdmin.tls.enabled }}
+ tls:
+ {{- if .Values.ingressAdmin.host }}
+ - secretName: {{ $fullName }}-tls
+ hosts:
+ - {{ .Values.ingressAdmin.host | quote }}
+ {{- end }}
+ {{- range .Values.ingressAdmin.tls.additional }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- if .Values.ingressAdmin.host }}
+ - host: {{ .Values.ingressAdmin.host | quote }}
+ http:
+ paths:
+ - path: {{ .Values.ingressAdmin.path | quote }}
+ {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+ pathType: Prefix
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ include "desk.backend.fullname" .
}}
+ port:
+ number: {{ .Values.backend.service.port }}
+ {{- else }}
+ serviceName: {{ include "desk.backend.fullname" . }}
+ servicePort: {{ .Values.backend.service.port }}
+ {{- end }}
+ - path: /static
+ {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+ pathType: Prefix
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ include "desk.backend.fullname" . }}
+ port:
+ number: {{ .Values.backend.service.port }}
+ {{- else }}
+ serviceName: {{ include "desk.backend.fullname" . }}
+ servicePort: {{ .Values.backend.service.port }}
+ {{- end }}
+ {{- end }}
+ {{- range .Values.ingressAdmin.hosts }}
+ - host: {{ . | quote }}
+ http:
+ paths:
+ - path: {{ $.Values.ingressAdmin.path | quote }}
+ {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+ pathType: Prefix
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ include "desk.backend.fullname" $ }}
+ port:
+ number: {{ $.Values.backend.service.port }}
+ {{- else }}
+ serviceName: {{ include "desk.backend.fullname" $ }}
+ servicePort: {{ $.Values.backend.service.port }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
diff --git a/src/helm/desk/values.yaml b/src/helm/desk/values.yaml
index 34f27be..ccf0346 100644
--- a/src/helm/desk/values.yaml
+++ b/src/helm/desk/values.yaml
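Review bot: Nothing in this template makes the oauth proxy mandatory for `/admin`: the protection the commit message describes exists only when `ingressAdmin.annotations` carries the nginx `auth-url`/`auth-signin` pair, and with `enabled: true` and no annotations the Ingress routes `/admin` and `/static` straight to the backend service. I would record that at the top of the file, for example `{{- /* Authentication for this Ingress comes only from ingressAdmin.annotations; without auth-url/auth-signin, /admin is served without the proxy. */ -}}`. The `range .Values.ingressAdmin.hosts` rules also lack the `/static` path that the `host` rule has, so admin pages on an additional host would presumably be served without their static files unless another Ingress covers that path.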
@@ -48,6 +48,26 @@ ingress: ## @param ingress.customBackends Add custom backends to ingress customBackends: [] +## @param ingressAdmin.enabled whether to enable the Ingress or not +## @param ingressAdmin.className IngressClass to use for the Ingress +## @param ingressAdmin.host Host for the Ingress +## @param ingressAdmin.path Path to use for the Ingress +ingressAdmin: + enabled: false + className: null + host: desk.example.com + path: /admin + ## @param ingressAdmin.hosts Additional host to configure for the Ingress + hosts: [ ] + # - chart-example.local + ## @param ingressAdmin.tls.enabled Weather to enable TLS for the Ingress + ## @skip ingressAdmin.tls.additional + ## @extra ingressAdmin.tls.additional[].secretName Secret name for additional TLS config + ## @extra ingressAdmin.tls.additional[].hosts[] Hosts for additional TLS config + tls: + enabled: true + additional: [] + ## @section backend diff --git a/src/helm/env.d/dev/values.desk.yaml.gotmpl b/src/helm/env.d/dev/values.desk.yaml.gotmpl index 062054f..5bc1cba 100644 --- a/src/helm/env.d/dev/values.desk.yaml.gotmpl +++ b/src/helm/env.d/dev/values.desk.yaml.gotmpl @@ -46,4 +46,6 @@ ingress: enabled: true host: desk.127.0.0.1.nip.io - +admin: + enabled: true + host: desk.127.0.0.1.nip.io diff --git a/src/helm/env.d/staging/values.desk.yaml.gotmpl b/src/helm/env.d/staging/values.desk.yaml.gotmpl index b61a74e..55a91a3 100644 --- a/src/helm/env.d/staging/values.desk.yaml.gotmpl +++ b/src/helm/env.d/staging/values.desk.yaml.gotmpl @@ -75,3 +75,10 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod +admin: + enabled: true + host: desk-staging.beta.numerique.gouv.fr + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start + nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth
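Review bot: The `ingressAdmin` defaults declare no `annotations` key, although the template in this patch reads `.Values.ingressAdmin.annotations` in its `with` block and passes it to `hasKey`/`set` in the pre-1.18 branch, where an undefined value is likely to fail rendering. Adding `annotations: {}` together with a line such as `## @param ingressAdmin.annotations Annotations for the admin Ingress (oauth proxy auth-url/auth-signin go here)` would also document where access control for the admin route is configured. The `ingressAdmin.tls.enabled` description reads `Weather`; it should be `Whether`.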
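Review bot: These dev values sit under `admin:`, but the template added in this patch reads `.Values.ingressAdmin.*` and `values.yaml` defaults `ingressAdmin.enabled` to `false`, so as far as this patch shows the block is never read and the admin Ingress is not rendered. The key should be `ingressAdmin:`. The staging hunk uses the same `admin:` key, which there also means the `auth-url`/`auth-signin` annotations are not attached to any Ingress; if `ingressAdmin.enabled` were later turned on some other way, `/admin` would be published without them. Unless a template outside this patch consumes `.Values.admin`, both files need the rename.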
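Review bot: The two nginx annotations in the staging block only make the ingress controller ask oauth2-proxy whether a request carries a valid session; which accounts may obtain one is decided in the proxy's own configuration, which this patch does not show. A comment above them would make that explicit, e.g. `# oauth2-proxy only confirms a session exists; allowed users/groups are restricted in the proxy config`. Because the proxy is on a different host than `desk-staging.beta.numerique.gouv.fr`, its session cookie presumably has to be scoped to a shared parent domain for the `auth-url` check to see it, which is worth confirming. As a style point, I would quote the two URL values.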