Merge pull request #348 from element-hq/gaelg/tls-enable-by-default

gaelgatelement · web-flow · commit b552173f5d13 · 2025-04-04T15:04:37.000+02:00
Add ingress.tlsEnabled to disable ingress
diff --git a/README.md b/README.md
@@ -302,6 +302,8 @@ traefik          LoadBalancer   10.43.184.49    172.20.1.60   8080:32100/TCP,844
 
 4. Configure your reverse proxy so that the DNS names you configured are routed to the external IP of traefik on port 8080 (HTTP) and 8443 (HTTPS).
 
+5. If the certificates are handled in your reverse proxy, you can point to port 8080 (HTTP) only and disable TLS in ESS. Copy the file `charts/matrix-stack/ci/fragments/quick-setup-external-cert.yaml` to `tls.yaml`.
+
 ##### Example configurations
 To make running ESS Community behind a reverse proxy as easy as possible, you can find below some configuration examples for popular webservers.
 
diff --git a/charts/matrix-stack/ci/fragments/quick-setup-external-cert.yaml b/charts/matrix-stack/ci/fragments/quick-setup-external-cert.yaml
@@ -0,0 +1,6 @@
+# Copyright 2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+ingress:
+  tlsEnabled: false
diff --git a/charts/matrix-stack/ci/quick-setup-external-cert-pg-external-values.yaml b/charts/matrix-stack/ci/quick-setup-external-cert-pg-external-values.yaml
@@ -0,0 +1,36 @@
+# Copyright 2024-2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-external-cert.yaml quick-setup-postgresql.yaml
+# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
+
+# initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled
+elementWeb:
+  ingress:
+    host: chat.your.tld
+ingress:
+  tlsEnabled: false
+matrixAuthenticationService:
+  ingress:
+    host: account.your.tld
+  postgres:
+    database: your-matrix-auth-service-database-name
+    host: your-db-host.tld
+    password:
+      value: your-matrix-auth-service-user-password
+    port: 5432
+    sslMode: prefer
+    user: your-matrix-auth-service-user
+serverName: your.tld
+synapse:
+  ingress:
+    host: matrix.your.tld
+  postgres:
+    database: your-synapse-database-name
+    host: your-db-host.tld
+    password:
+      value: your-synapse-user-password
+    port: 5432
+    sslMode: prefer
+    user: your-synapse-user
diff --git a/charts/matrix-stack/ci/quick-setup-external-cert-pg-with-helm-values.yaml b/charts/matrix-stack/ci/quick-setup-external-cert-pg-with-helm-values.yaml
@@ -0,0 +1,20 @@
+# Copyright 2024-2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-external-cert.yaml
+# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
+
+# initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled
+elementWeb:
+  ingress:
+    host: chat.your.tld
+ingress:
+  tlsEnabled: false
+matrixAuthenticationService:
+  ingress:
+    host: account.your.tld
+serverName: your.tld
+synapse:
+  ingress:
+    host: matrix.your.tld
diff --git a/charts/matrix-stack/configs/well-known/partial-haproxy.cfg.tpl b/charts/matrix-stack/configs/well-known/partial-haproxy.cfg.tpl
@@ -21,7 +21,7 @@ frontend well-known-in
 {{ if .baseDomainRedirect.enabled }}
 {{- if $root.Values.elementWeb.enabled }}
 {{- with $root.Values.elementWeb }}
-{{- $elementWebHttps := include "element-io.ess-library.ingress.tlsSecret" (dict "root" $root "context" (dict "hosts" (list (required "elementWeb.ingress.host is required" .ingress.host)) "tlsSecret" .ingress.tlsSecret "ingressName" "element-web")) }}
+{{- $elementWebHttps := include "element-io.ess-library.ingress.tlsHostsSecret" (dict "root" $root "context" (dict "hosts" (list (required "elementWeb.ingress.host is required" .ingress.host)) "tlsSecret" .ingress.tlsSecret "ingressName" "element-web")) }}
   http-request redirect  code 301  location http{{ if $elementWebHttps }}s{{ end }}://{{ tpl .ingress.host $root }} unless well-known
 {{- end }}
 {{- else if .baseDomainRedirect.url }}
diff --git a/charts/matrix-stack/source/common/ingress.json b/charts/matrix-stack/source/common/ingress.json
@@ -16,6 +16,9 @@
     "className": {
       "type": "string"
     },
+    "tlsEnabled": {
+      "type": "boolean"
+    },
     "tlsSecret": {
       "type": "string"
     },
diff --git a/charts/matrix-stack/source/common/ingress_without_host.json b/charts/matrix-stack/source/common/ingress_without_host.json
@@ -10,6 +10,9 @@
     "className": {
       "type": "string"
     },
+    "tlsEnabled": {
+      "type": "boolean"
+    },
     "tlsSecret": {
       "type": "string"
     },
diff --git a/charts/matrix-stack/source/common/sub_schema_values.yaml.j2 b/charts/matrix-stack/source/common/sub_schema_values.yaml.j2
@@ -155,6 +155,9 @@ imagePullSecrets: []
   ## What Ingress Class Name that should be used for {{ 'all Ingresses by default' if global else 'this Ingress' }}
   # className:
 
+  ## Disable TLS configuration by setting it to false
+  tlsEnabled: true
+
   ## The name of the Secret containing the TLS certificate and the key that should be used for {{ 'all Ingresses by default' if global else 'this Ingress' }}
   # tlsSecret:
 
diff --git a/charts/matrix-stack/source/synapse/ingress_with_additional_paths.json b/charts/matrix-stack/source/synapse/ingress_with_additional_paths.json
@@ -16,6 +16,9 @@
     "className": {
       "type": "string"
     },
+    "tlsEnabled": {
+      "type": "boolean"
+    },
     "tlsSecret": {
       "type": "string"
     },
diff --git a/charts/matrix-stack/templates/ess-library/_ingress.tpl b/charts/matrix-stack/templates/ess-library/_ingress.tpl
@@ -32,28 +32,31 @@ annotations:
 
 {{- define "element-io.ess-library.ingress.tls" -}}
 {{- $root := .root -}}
-{{- with required "element-io.ess-library.ingress.tlsSecret missing context" .context -}}
+{{- with required "element-io.ess-library.ingress.tls missing context" .context -}}
 {{- $ingress := required "element-io.ess-library.ingress.tls missing ingress" .ingress -}}
 {{- $host := .host | default $ingress.host -}}
+{{- $tlsEnabled := and $root.Values.ingress.tlsEnabled .ingress.tlsEnabled -}}
 {{- $ingressName := required "element-io.ess-library.ingress.tls missing ingressName" .ingressName -}}
-{{- with (include "element-io.ess-library.ingress.tlsSecret" (dict "root" $root "context" (dict "hosts" (list $host) "tlsSecret" $ingress.tlsSecret "ingressName" $ingressName))) }}
+{{- if $tlsEnabled }}
 tls:
+{{- with (include "element-io.ess-library.ingress.tlsHostsSecret" (dict "root" $root "context" (dict "hosts" (list $host) "tlsSecret" $ingress.tlsSecret "ingressName" $ingressName))) }}
 {{ . | nindent 2 }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
 
-{{- define "element-io.ess-library.ingress.tlsSecret" -}}
+{{- define "element-io.ess-library.ingress.tlsHostsSecret" -}}
 {{- $root := .root -}}
-{{- with required "element-io.ess-library.ingress.tlsSecret missing context" .context -}}
-{{- $ingressName := required "element-io.ess-library.ingress.tlsSecret missing ingress name" .ingressName -}}
+{{- with required "element-io.ess-library.ingress.tlsHostsSecret missing context" .context -}}
+{{- $ingressName := required "element-io.ess-library.ingress.tlsHostsSecret missing ingress name" .ingressName -}}
 {{- $hosts := .hosts -}}
 {{- $tlsSecret := coalesce .tlsSecret $root.Values.ingress.tlsSecret -}}
-{{- if or $tlsSecret $root.Values.certManager -}}
 - hosts:
 {{- range $host := $hosts }}
   - {{ (tpl $host $root) | quote }}
 {{- end }}
+{{ if or $tlsSecret $root.Values.certManager }}
   secretName: {{ (tpl ($tlsSecret | default (printf "{{ .Release.Name }}-%s-certmanager-tls" $ingressName))  $root) | quote }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/matrix-stack/values.schema.json b/charts/matrix-stack/values.schema.json
@@ -102,6 +102,9 @@
         "className": {
           "type": "string"
         },
+        "tlsEnabled": {
+          "type": "boolean"
+        },
         "tlsSecret": {
           "type": "string"
         },
@@ -572,6 +575,9 @@
             "className": {
               "type": "string"
             },
+            "tlsEnabled": {
+              "type": "boolean"
+            },
             "tlsSecret": {
               "type": "string"
             },
@@ -1533,6 +1539,9 @@
             "className": {
               "type": "string"
             },
+            "tlsEnabled": {
+              "type": "boolean"
+            },
             "tlsSecret": {
               "type": "string"
             },
@@ -2835,6 +2844,9 @@
             "className": {
               "type": "string"
             },
+            "tlsEnabled": {
+              "type": "boolean"
+            },
             "tlsSecret": {
               "type": "string"
             },
@@ -5411,6 +5423,9 @@
             "className": {
               "type": "string"
             },
+            "tlsEnabled": {
+              "type": "boolean"
+            },
             "tlsSecret": {
               "type": "string"
             },
diff --git a/charts/matrix-stack/values.yaml b/charts/matrix-stack/values.yaml
@@ -58,6 +58,9 @@ ingress:
   ## What Ingress Class Name that should be used for all Ingresses by default
   # className:
 
+  ## Disable TLS configuration by setting it to false
+  tlsEnabled: true
+
   ## The name of the Secret containing the TLS certificate and the key that should be used for all Ingresses by default
   # tlsSecret:
 
@@ -277,6 +280,9 @@ elementWeb:
     ## What Ingress Class Name that should be used for this Ingress
     # className:
 
+    ## Disable TLS configuration by setting it to false
+    tlsEnabled: true
+
     ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress
     # tlsSecret:
 
@@ -757,6 +763,9 @@ matrixAuthenticationService:
     ## What Ingress Class Name that should be used for this Ingress
     # className:
 
+    ## Disable TLS configuration by setting it to false
+    tlsEnabled: true
+
     ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress
     # tlsSecret:
 
@@ -1525,6 +1534,9 @@ synapse:
     ## What Ingress Class Name that should be used for this Ingress
     # className:
 
+    ## Disable TLS configuration by setting it to false
+    tlsEnabled: true
+
     ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress
     # tlsSecret:
 
@@ -1848,6 +1860,9 @@ wellKnownDelegation:
     ## What Ingress Class Name that should be used for this Ingress
     # className:
 
+    ## Disable TLS configuration by setting it to false
+    tlsEnabled: true
+
     ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress
     # tlsSecret:
 
diff --git a/newsfragments/348.changed.md b/newsfragments/348.changed.md
@@ -0,0 +1 @@
+Enable TLS by default on all ingresses. This can be disabled using `tlsEnabled: false` globally or per ingress.
diff --git a/tests/manifests/test_ingresses.py b/tests/manifests/test_ingresses.py
@@ -149,8 +149,21 @@ def set_annotations(values_fragment: dict[str, Any], deployable_details: Deploya
 
 @pytest.mark.parametrize("values_file", values_files_with_ingresses)
 @pytest.mark.asyncio_cooperative
-async def test_no_ingress_tlsSecret_by_default(templates):
-    for template in templates:
+async def test_no_ingress_tlsSecret_global(make_templates, values):
+    values.setdefault("ingress", {})["tlsEnabled"] = False
+    for template in await make_templates(values):
+        if template["kind"] == "Ingress":
+            assert "tls" not in template["spec"]
+
+
+@pytest.mark.parametrize("values_file", values_files_with_ingresses)
+@pytest.mark.asyncio_cooperative
+async def test_no_ingress_tlsSecret_beats_global(make_templates, values, deployables_details):
+    def set_tls_disabled(values_fragment: dict[str, Any], deployable_details: DeployableDetails):
+        values_fragment.setdefault("ingress", {})["tlsEnabled"] = False
+
+    iterate_deployables_ingress_parts(deployables_details, values, set_tls_disabled)
+    for template in await make_templates(values):
         if template["kind"] == "Ingress":
             assert "tls" not in template["spec"]
 
@@ -204,6 +217,16 @@ def set_tls_secret(values_fragment: dict[str, Any], deployable_details: Deployab
             assert template["spec"]["tls"][0]["secretName"] == "component"
 
 
+@pytest.mark.parametrize("values_file", values_files_with_ingresses)
+@pytest.mark.asyncio_cooperative
+async def test_tls_no_secretName_by_default(templates):
+    for template in templates:
+        if template["kind"] == "Ingress":
+            assert "tls" in template["spec"]
+            for tls_spec in template["spec"]["tls"]:
+                assert "secretName" not in tls_spec
+
+
 @pytest.mark.parametrize("values_file", values_files_with_ingresses)
 @pytest.mark.asyncio_cooperative
 async def test_no_ingressClassName_by_default(templates):
diff --git a/tests/manifests/test_well_known_delegation.py b/tests/manifests/test_well_known_delegation.py
@@ -102,7 +102,7 @@ async def test_has_redirect_to_element_web(release_name, values, make_templates)
             haproxy_cfg = template["data"]["haproxy.cfg"]
             assert (
                 re.search(
-                    rf"http-request redirect\s+code\s+301\s+location\s+http://{values['elementWeb']['ingress']['host']}\sunless\swell-known",
+                    rf"http-request redirect\s+code\s+301\s+location\s+https://{values['elementWeb']['ingress']['host']}\sunless\swell-known",
                     haproxy_cfg,
                 )
                 is not None
