From 5ba0811678c1f793688f1faa5e6894dad3c30de9 Mon Sep 17 00:00:00 2001
From: Damien Gustave
Date: Tue, 7 Nov 2023 14:16:48 +0100
Subject: [PATCH 1/3] adds annotations on service
---
 charts/vouch/templates/service.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/charts/vouch/templates/service.yaml b/charts/vouch/templates/service.yaml
index 7ea5262..1b18948 100644
--- a/charts/vouch/templates/service.yaml
+++ b/charts/vouch/templates/service.yaml
@@ -4,6 +4,10 @@ metadata:
 name: {{ include "vouch.fullname" . }}
 labels:
 {{ include "vouch.labels" . | indent 4 }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 type: {{ .Values.service.type }}
 externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
From bacb048898da0582149c03e3cbf0d6a325c69fa6 Mon Sep 17 00:00:00 2001
From: Damien Gustave
Date: Thu, 9 Nov 2023 09:28:37 +0100
Subject: [PATCH 2/3] update values.yaml
---
 charts/vouch/values.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/vouch/values.yaml b/charts/vouch/values.yaml
index 886acc1..b7f777f 100644
--- a/charts/vouch/values.yaml
+++ b/charts/vouch/values.yaml
@@ -43,6 +43,7 @@ service:
 externalTrafficPolicy:
 type: ClusterIP
 port: 9090
+ annotations: {}
 probes:
 liveness:
From 6b53501442b547626f14f0ee7b8d20db116e5555 Mon Sep 17 00:00:00 2001
From: Damien Gustave
Date: Thu, 9 Nov 2023 09:26:30 +0100
Subject: [PATCH 3/3] add native TLS
---
 charts/vouch/templates/deployment.yaml | 12 ++++++++++++
 charts/vouch/templates/ingress.yaml | 6 +++++-
 charts/vouch/values.yaml | 10 ++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/charts/vouch/templates/deployment.yaml b/charts/vouch/templates/deployment.yaml
index cb1f2b9..aaee4cf 100644
--- a/charts/vouch/templates/deployment.yaml
+++ b/charts/vouch/templates/deployment.yaml
@@ -75,6 +75,7 @@ spec:
 httpGet:
 path: /healthcheck
 port: http
+ scheme: {{ if .Values.nativeTLSSecretName }}HTTPS{{- else }}HTTP{{- end }}
 initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
 periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
 timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
@@ -86,6 +87,7 @@ spec:
 httpGet:
 path: /healthcheck
 port: http
+ scheme: {{ if .Values.nativeTLSSecretName }}HTTPS{{- else }}HTTP{{- end }}
 initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
 periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
 timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
@@ -97,6 +99,7 @@ spec:
 httpGet:
 path: /healthcheck
 port: http
+ scheme: {{ if .Values.nativeTLSSecretName }}HTTPS{{- else }}HTTP{{- end }}
 initialDelaySeconds: {{ .Values.probes.startup.initialDelaySeconds }}
 periodSeconds: {{ .Values.probes.startup.periodSeconds }}
 timeoutSeconds: {{ .Values.probes.startup.timeoutSeconds }}
@@ -108,6 +111,10 @@ spec:
 mountPath: /data
 - name: config
 mountPath: /config
+ {{- if .Values.nativeTLSSecretName }}
+ - name: tls
+ mountPath: /tls
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 volumes:
@@ -116,6 +123,11 @@ spec:
 secretName: {{ if .Values.existingSecretName }}{{ .Values.existingSecretName }}{{- else }}{{ template "vouch.fullname" . }}{{- end }}
 - name: data
 emptyDir: {}
+ {{- if .Values.nativeTLSSecretName }}
+ - name: tls
+ secret:
+ secretName: {{ .Values.nativeTLSSecretName }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/vouch/templates/ingress.yaml b/charts/vouch/templates/ingress.yaml
index c8db0f0..77cb752 100644
--- a/charts/vouch/templates/ingress.yaml
+++ b/charts/vouch/templates/ingress.yaml
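Review bot: The added `scheme:` line switches the liveness probe to HTTPS purely on `.Values.nativeTLSSecretName` being non-empty, but nothing in the chart checks that vouch itself is configured to serve TLS — `config.vouch.tls` is only a commented-out example in values.yaml — so a release that sets the secret name without `config.vouch.tls` mounts the certificate, points the kubelet at HTTPS, and never passes liveness, readiness or startup. The same expression is repeated in the readiness and startup hunks that follow; one guard near the top of the template, `{{- if and .Values.nativeTLSSecretName (not .Values.config.vouch.tls) }}{{ fail "nativeTLSSecretName is set but config.vouch.tls is not configured" }}{{- end }}`, turns the misconfiguration into a `helm install` error instead of a crash-looping pod (assuming the vouch config is rendered from `.Values.config`, as the values comment implies). Factoring the inline conditional into a named template such as `vouch.probeScheme` would also remove the triplication. The probe definitions themselves start outside these hunks.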
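Review bot: The new `tls` volumeMount in the `@@ -108,6 +111,10 @@` hunk gives the container a writable view of the Secret holding the TLS private key, which it has no reason to write to; add `readOnly: true` beneath `mountPath: /tls`, so the entry reads `- name: tls` / `mountPath: /tls` / `readOnly: true`. Secret volumes are kept in sync by the kubelet, so the read-only flag should be invisible to vouch while narrowing what a compromised process can do with the key material. The container spec this list belongs to starts outside the hunk.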
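Review bot: In the `@@ -116,6 +123,11 @@` hunk, `secretName: {{ .Values.nativeTLSSecretName }}` is rendered unquoted, so a Secret name that YAML would retype (all digits, or a `yes`/`no`-like token) silently produces a broken manifest; use `secretName: {{ .Values.nativeTLSSecretName | quote }}`. The `existingSecretName` line in the surrounding context has the same weakness but is not part of this change. If the image runs as a fixed user, `defaultMode: 0400` on the secret volume would stop the private key from being world-readable inside the container (the default is 0644) — confirm the pod's runAsUser/fsGroup before adopting it, since root-owned files at 0400 are unreadable to a non-root process without fsGroup.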
@@ -14,8 +14,12 @@ metadata:
 name: {{ $fullName }}
 labels:
 {{ include "vouch.labels" . | indent 4 }}
- {{- with .Values.ingress.annotations }}
 annotations:
+ {{- if .Values.nativeTLSSecretName }}
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ ingress.kubernetes.io/protocol: https
+ {{- end }}
+ {{- with .Values.ingress.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
diff --git a/charts/vouch/values.yaml b/charts/vouch/values.yaml
index b7f777f..ae38386 100644
--- a/charts/vouch/values.yaml
+++ b/charts/vouch/values.yaml
@@ -102,11 +102,21 @@ podAnnotations: {}
 deploymentAnnotations: {}
+# If you want to have native TLS support on Vouch, use this Secret as TLS certificate
+# If you configured it this way, the ingress will have to communicate with Vouch using HTTPS
+# The annotations are already included for Nginx and Traefik ingress, and can be added as annotation to the ingress
+nativeTLSSecretName: ""
 # vouch config
 # bare minimum to get vouch running with google
 config:
 vouch:
+ # tls key must exists if nativeTLSSecretName is set for native TLS to work
+ # Certs are mounted in /tls and the file name must map the ones set in the Secret
+ # tls:
+ # cert: /tls/tls.crt
+ # key: /tls/tls.key
 port: 9090
 domains: []
 allowAllUsers: false
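Review bot: `nginx.ingress.kubernetes.io/backend-protocol: HTTPS` makes ingress-nginx speak TLS to vouch but, by default, does not verify the upstream certificate, so this hop is encrypted without the backend being authenticated; a one-line comment above the `{{- if` line, `# backend-protocol enables TLS to vouch but ingress-nginx does not verify the backend cert unless proxy-ssl-secret/proxy-ssl-verify are also set`, would set expectations for operators who care about that. Moving `annotations:` out of the `with` also means it is now emitted even when neither `nativeTLSSecretName` nor `ingress.annotations` is set, rendering a null `annotations:` that differs from the service.yaml pattern in PATCH 1/3; wrapping the whole block in `{{- if or .Values.nativeTLSSecretName .Values.ingress.annotations }}` keeps the previous output. `ingress.kubernetes.io/protocol: https` looks like the Traefik v1 annotation form — if Traefik v2+ is the target, the backend scheme is set on the Service (`traefik.ingress.kubernetes.io/service.serversscheme: https`) rather than the Ingress, so confirm which version the values comment refers to.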
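Review bot: The comment block above `nativeTLSSecretName` in the values.yaml hunk states the coupling (`tls key must exists`) but not the shape the referenced Secret must have; the commented example paths `/tls/tls.crt` and `/tls/tls.key` only line up with a `kubernetes.io/tls` Secret carrying `tls.crt` and `tls.key`, so a sentence such as `# The Secret should be of type kubernetes.io/tls (keys tls.crt and tls.key); the paths below assume those names` would save users a failed rollout. Two wording fixes while here: `must exists` → `must exist`, and `the file name must map the ones set in the Secret` reads better as `the file names must match the keys of the Secret`.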