Added tls termination at a pod level for qtodo

sabre1041 · sabre1041 · commit 1053c49b50ff · 2026-06-23T08:06:11.000-05:00
Signed-off-by: Andrew Block &lt;andy.block@gmail.com&gt;
diff --git a/charts/qtodo/templates/_helpers.tpl b/charts/qtodo/templates/_helpers.tpl
@@ -37,4 +37,24 @@ Generate the JWT Audience
 {{- else }}
 {{- print .Values.app.vault.audience }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{/*
+Returns true if the termination is secure (https) and false otherwise
+*/}}
+{{- define "qtodo.isSecureTermination" }}
+{{- if or (eq .Values.app.route.termination "reencrypt") (eq .Values.app.route.termination "passthrough") }}
+true
+{{- end }}
+{{- end }}
+
+{{/*
+Returns the port the application should list on
+*/}}
+{{- define "qtodo.app.port" -}}
+{{- if include "qtodo.isSecureTermination" . -}}
+{{ .Values.app.securePort }}
+{{- else -}}
+{{ .Values.app.insecurePort }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/qtodo/templates/app-deployment.yaml b/charts/qtodo/templates/app-deployment.yaml
@@ -198,8 +198,8 @@ spec:
         image: {{ template "qtodo.image" (dict "value" .Values.app.images.main "context" $ "useRegistry" true) }}
         imagePullPolicy: {{ .Values.app.images.main.pullPolicy }}
         ports:
-        - containerPort: 8080
-          name: http
+        - containerPort: {{ template "qtodo.app.port" . }}
+          name: {{ if (include "qtodo.isSecureTermination" .) }}https{{ else }}http{{ end }}
           protocol: TCP
         envFrom:
           - configMapRef:
@@ -219,7 +219,17 @@ spec:
         - name: QUARKUS_HTTP_HOST
           value: '0.0.0.0'
         - name: QUARKUS_HTTP_PORT
-          value: '8080'
+          value: {{ .Values.app.insecurePort | quote }}
+{{- if include "qtodo.isSecureTermination" . }}
+        - name: QUARKUS_HTTP_SSL_PORT
+          value: {{ .Values.app.securePort | quote }}
+        - name: QUARKUS_TLS_KEY_STORE_PEM_QTODO_CERT
+          value: /certs/tls.crt
+        - name: QUARKUS_TLS_KEY_STORE_PEM_QTODO_KEY
+          value: /certs/tls.key
+        - name: QUARKUS_HTTP_INSECURE_REQUESTS
+          value: 'disabled'
+{{- end }}
         - name: QUARKUS_HIBERNATE_ORM_SCHEMA_MANAGEMENT_STRATEGY
           value: 'drop-and-create'
 {{- if not .Values.app.spire.enabled }}
@@ -273,6 +283,11 @@ spec:
           - name: ztvp-trusted-ca
             mountPath: /etc/pki/ca-trust/extracted/pem
             readOnly: true
+{{- end }}
+{{- if include "qtodo.isSecureTermination" . }}
+          - name: tls-certs
+            mountPath: /certs
+            readOnly: true  
 {{- end }}
         resources: {}
       serviceAccountName: qtodo
@@ -304,4 +319,9 @@ spec:
           configMap:
             name: qtodo-truststore-java
 {{- end }}
+{{- if include "qtodo.isSecureTermination" . }}
+        - name: tls-certs
+          secret:
+            secretName: {{ .Values.app.tls.secret }}
+{{- end }}
 {{- end }}
diff --git a/charts/qtodo/templates/app-route.yaml b/charts/qtodo/templates/app-route.yaml
@@ -7,10 +7,10 @@ metadata:
   name: qtodo
 spec:
   port:
-    targetPort: 8080-tcp
+    targetPort: {{ printf "%s-tcp" (include "qtodo.app.port" .) }}
   tls:
     insecureEdgeTerminationPolicy: Redirect
-    termination: edge
+    termination: {{ .Values.app.route.termination }}
   to:
     kind: Service
     name: qtodo
diff --git a/charts/qtodo/templates/app-service.yaml b/charts/qtodo/templates/app-service.yaml
@@ -3,16 +3,19 @@ kind: Service
 metadata:
   annotations:
     argocd.argoproj.io/sync-wave: '51'
+    {{- if eq .Values.app.tls.serviceServing true }}
+    service.beta.openshift.io/serving-cert-secret-name: {{ .Values.app.tls.secret | quote }}
+    {{- end }}
   labels:
     app: qtodo
   name: qtodo
   namespace: qtodo
 spec:
   ports:
-  - name: 8080-tcp
-    port: 8080
+  - name: {{ printf "%s-tcp" (include "qtodo.app.port" .) }}
+    port: {{ template "qtodo.app.port" . }}
     protocol: TCP
-    targetPort: 8080
+    targetPort: {{ template "qtodo.app.port" . }}
   selector:
     app: qtodo
   sessionAffinity: None
diff --git a/charts/qtodo/templates/qtodo-network-policy.yaml b/charts/qtodo/templates/qtodo-network-policy.yaml
@@ -17,7 +17,7 @@ spec:
   # to generate the correct ACLs for host-network ingress traffic.
   - ports:
     - protocol: TCP
-      port: 8080
+      port: {{ include "qtodo.app.port" . }}
     from:
     - namespaceSelector:
         matchLabels:
diff --git a/charts/qtodo/values.yaml b/charts/qtodo/values.yaml
@@ -15,6 +15,8 @@ global:
 # QTodo application configuration
 app:
   name: qtodo
+  insecurePort: 8080
+  securePort: 8443
   images:
     main:
       name: quay.io/validatedpatterns/qtodo
@@ -62,10 +64,19 @@ app:
       name: "oidc-client-secret"
       vaultPath: "secret/data/apps/qtodo/qtodo-oidc-client"
 
+  # Route configuration
+  route:
+    termination: reencrypt
+
   spire:
     enabled: true   # Enable SPIFFE + OIDC integration by default
     sidecars: true
 
+  # TLS Configuration
+  tls:
+    secret: qtodo-tls
+    serviceServing: true
+
   # Vault configuration for SPIFFE integration
   # Uses SPIFFE JWT to authenticate and fetch DB password
   vault:
