feat: improve how ingress annotations are handled

helm/flowfuse/README.md

@@ -227,6 +227,7 @@ One of either `storageClass` or `storageClassEFSTag` needs to be set.
  - `forge.customHostname.cnameTarget` the hostname of the ingress loadbalancer that custom hostnames must point to. Required (default not set)
  - `forge.customHostname.certManagerIssuer` name of CertManager ClusterIssuer to use to request HTTPS certificates for custom hostnames (default is not set)
  - `forge.customHostname.ingressClass` name of the IngressClass to use for exposing the custom hostname (default is not set)
+ - `forge.customHostname.ingressAnnotations` ingress annotations for custom hostname ingress (default is `{}`)
 
  ### Rate Limiting
 

helm/flowfuse/templates/_helpers.tpl

@@ -222,3 +222,79 @@ Generate NPM registry admin password if not provided
 {{- sha256sum $seed | trunc 25 }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Check if cert-manager is enabled by detecting cert-manager annotations in ingress.annotations
+Usage: {{ if include "forge.certManagerEnabled" . }}
+*/}}
+{{- define "forge.certManagerEnabled" -}}
+{{- $certManagerDetected := false -}}
+{{- if .Values.ingress.certManagerIssuer -}}
+  {{- $certManagerDetected = true -}}
+{{- else if .Values.ingress.annotations -}}
+  {{- range $key, $value := .Values.ingress.annotations -}}
+    {{- if hasPrefix "cert-manager.io/" $key -}}
+      {{- $certManagerDetected = true -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- if $certManagerDetected -}}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check if cert-manager is enabled by detecting cert-manager annotations in broker ingress annotations
+Usage: {{ if include "forge.brokerCertManagerEnabled" . }}
+*/}}
+{{- define "forge.brokerCertManagerEnabled" -}}
+{{- $certManagerDetected := false -}}
+{{- if and .Values.forge.broker.enabled .Values.ingress.certManagerIssuer -}}
+  {{- $certManagerDetected = true -}}
+{{- else if and .Values.forge.broker.enabled ((.Values.forge.broker).ingress).annotations -}}
+  {{- range $key, $value := .Values.forge.broker.ingress.annotations -}}
+    {{- if hasPrefix "cert-manager.io/" $key -}}
+      {{- $certManagerDetected = true -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- if $certManagerDetected -}}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+Filter ingress annotations to remove cert-manager.io annotations when certManagerIssuer is set
+Usage: {{ include "forge.filteredIngressAnnotations" . }}
+*/}}
+{{- define "forge.filteredIngressAnnotations" -}}
+{{- $filtered := dict -}}
+{{- if .Values.ingress.annotations -}}
+  {{- range $key, $value := .Values.ingress.annotations -}}
+    {{- if not (and $.Values.ingress.certManagerIssuer (hasPrefix "cert-manager.io/" $key)) -}}
+      {{- $_ := set $filtered $key $value -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- if $filtered -}}
+{{- toYaml $filtered -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Filter broker ingress annotations to remove cert-manager.io annotations when certManagerIssuer is set
+Usage: {{ include "forge.filteredBrokerIngressAnnotations" . }}
+*/}}
+{{- define "forge.filteredBrokerIngressAnnotations" -}}
+{{- $filtered := dict -}}
+{{- if and .Values.forge.broker.enabled ((.Values.forge.broker).ingress).annotations -}}
+  {{- range $key, $value := (.Values.forge.broker).ingress.annotations -}}
+    {{- if not (and $.Values.ingress.certManagerIssuer (hasPrefix "cert-manager.io/" $key)) -}}
+      {{- $_ := set $filtered $key $value -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- if $filtered -}}
+{{- toYaml $filtered -}}
+{{- end -}}
+{{- end -}}

helm/flowfuse/templates/broker-ingress.yaml

@@ -8,10 +8,11 @@ metadata:
     {{- include "forge.brokerSelectorLabels" . | nindent 4 }}
   annotations:
   {{- if .Values.ingress.certManagerIssuer }}
-    cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certManagerIssuer }}
   {{- end }}
-  {{- if and .Values.forge.broker.enabled .Values.forge.broker.ingress (hasKey .Values.forge.broker.ingress "annotations") }}
-{{ toYaml .Values.forge.broker.ingress.annotations | replace "{{ instanceHost }}" "{{ include forge.brokerDomain . }}" | replace "{{ serviceName }}" "flowforge-broker" | indent 4 }}
+  {{- $filteredAnnotations := include "forge.filteredBrokerIngressAnnotations" . | replace "{{ instanceHost }}" "{{ include forge.brokerDomain . }}" | replace "{{ serviceName }}" "flowforge-broker" }}
+  {{- if $filteredAnnotations }}
+{{ $filteredAnnotations | indent 4 }}
   {{- end }}
 spec:
   {{- if $.Values.ingress.className }}
@@ -28,7 +29,7 @@ spec:
                 name: flowforge-broker
                 port:
                   number: 1884
-  {{- if .Values.ingress.certManagerIssuer }}
+  {{- if include "forge.brokerCertManagerEnabled" . }}
   tls:
   - hosts:
     - {{ include "forge.brokerDomain" . }}

helm/flowfuse/templates/configmap.yaml

@@ -56,6 +56,12 @@ data:
           {{ $key }}: {{ $value }}
           {{- end}}
         {{- end }}
+        {{- if .Values.forge.projectIngressAnnotations }}
+        projectIngressAnnotations:
+          {{- range $key, $value := .Values.forge.projectIngressAnnotations }}
+          {{ $key }}: {{ $value }}
+          {{- end}}
+        {{- end }}
         {{ if .Values.forge.projectServiceType }}
         service:
           type: {{ .Values.forge.projectServiceType }}
@@ -84,6 +90,10 @@ data:
         {{- if .Values.forge.customHostname.ingressClass }}
           ingressClass: {{ .Values.forge.customHostname.ingressClass }}
         {{- end }}
+        {{- if .Values.forge.customHostname.ingressAnnotations }}
+          ingressAnnotations:
+{{ toYaml .Values.forge.customHostname.ingressAnnotations | indent 12 }}
+        {{- end }}
         {{- end }}
         {{- if .Values.forge.persistentStorage }}
         storage:

helm/flowfuse/templates/emqx.yaml

@@ -102,11 +102,12 @@ metadata:
       {{- include "forge.brokerSelectorLabels" . | nindent 4 }}
     annotations:
     {{- if .Values.ingress.certManagerIssuer }}
-        cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }}
-    {{- end }}
-    {{- if and .Values.forge.broker.enabled .Values.forge.broker.ingress (hasKey .Values.forge.broker.ingress "annotations") }}
-{{ toYaml .Values.forge.broker.ingress.annotations | replace "{{ instanceHost }}" "{{ include forge.brokerDomain . }}" | replace "{{ serviceName }}" "flowforge-broker" | indent 4 }}
+        cert-manager.io/cluster-issuer: {{ .Values.ingress.certManagerIssuer }}
     {{- end }}
+  {{- $filteredAnnotations := include "forge.filteredBrokerIngressAnnotations" . | replace "{{ instanceHost }}" "{{ include forge.brokerDomain . }}" | replace "{{ serviceName }}" "flowforge-broker" }}
+  {{- if $filteredAnnotations }}
+{{ $filteredAnnotations | indent 4 }}
+  {{- end }}
 spec:
     {{- if $.Values.ingress.className }}
     ingressClassName: {{ $.Values.ingress.className }}
@@ -122,7 +123,7 @@ spec:
                         name: emqx-listeners
                         port:
                             number: 8080
-  {{- if .Values.ingress.certManagerIssuer }}
+  {{- if include "forge.brokerCertManagerEnabled" . }}
     tls:
     - hosts:
         - {{ include "forge.brokerDomain" . }}

helm/flowfuse/templates/service-ingress.yaml

@@ -34,10 +34,11 @@ metadata:
   {{- include "forge.labels" . | nindent 4 }}
   annotations:
   {{- if .Values.ingress.certManagerIssuer }}
-    cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certManagerIssuer }}
   {{- end }}
-  {{- if .Values.ingress.annotations }}
-{{ toYaml .Values.ingress.annotations |  replace "{{ instanceHost }}" $forgeHostname | replace "{{ serviceName }}" "forge" | indent 4 }}
+  {{- $filteredAnnotations := include "forge.filteredIngressAnnotations" . | replace "{{ instanceHost }}" $forgeHostname | replace "{{ serviceName }}" "forge" }}
+  {{- if $filteredAnnotations }}
+{{ $filteredAnnotations | indent 4 }}
   {{- end }}
 spec:
   {{- if and $.Values.ingress.className (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
@@ -54,13 +55,13 @@ spec:
             name: forge
             port:
               number: 80
-  {{- if .Values.ingress.certManagerIssuer }}
+  {{- if include "forge.certManagerEnabled" . }}
   tls:
   - hosts:
     - {{ $forgeHostname }}
     secretName: {{ $forgeHostname }}
   {{- end }}
-{{- if gt (int .Values.forge.replicas) 1 -}}
+{{- if gt (int .Values.forge.replicas) 1 }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -71,14 +72,17 @@ metadata:
   {{- include "forge.labels" . | nindent 4 }}
   annotations:
   {{- if .Values.ingress.certManagerIssuer }}
-    cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certManagerIssuer }}
   {{- end }}
   {{- if .Values.ingress.annotations }}
     nginx.ingress.kubernetes.io/affinity: cookie
     nginx.ingress.kubernetes.io/affinity-mode: persistent
     nginx.ingress.kubernetes.io/session-cookie-name: FFSESSION
     nginx.ingress.kubernetes.io/session-cookie-samesite: Strict
-{{ toYaml .Values.ingress.annotations |  replace "{{ instanceHost }}" $forgeHostname | replace "{{ serviceName }}" "forge" | indent 4 }}
+  {{- end }}
+  {{- $filteredAnnotations := include "forge.filteredIngressAnnotations" . | replace "{{ instanceHost }}" $forgeHostname | replace "{{ serviceName }}" "forge" }}
+  {{- if $filteredAnnotations }}
+{{ $filteredAnnotations | indent 4 }}
   {{- end }}
 spec:
   {{- if and $.Values.ingress.className (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
@@ -95,7 +99,7 @@ spec:
             name: forge
             port:
               number: 80
-  {{- if .Values.ingress.certManagerIssuer }}
+  {{- if include "forge.certManagerEnabled" . }}
   tls:
   - hosts:
     - {{ $forgeHostname }}