feat(webserver): Add TLS configuration for WebServer
pedronauck committed Dec 27, 2024
1 parent 1ddc51c commit 1f90d04
Showing 7 changed files with 113 additions and 18 deletions.
2 changes: 1 addition & 1 deletion cluster/charts/fuel-streams/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
appVersion: "1.0"
description: A Helm chart for Kubernetes
name: fuel-streams
version: 0.7.4
version: 0.8.2
dependencies:
- name: nats
version: 1.2.8
@@ -1,7 +1,7 @@
{{- $consumer := .Values.consumer -}}
{{- if $consumer.enabled -}}
apiVersion: apps/v1
kind: StatefulSet
kind: Deployment
metadata:
{{- include "k8s.metadata" (dict "context" . "suffix" "-consumer") | nindent 2 }}
annotations:
Expand All @@ -10,7 +10,6 @@ metadata:
{{- include "fuel-streams.labels" (dict "name" "consumer" "context" .) | nindent 4 }}
{{- include "set-value" (dict "context" $consumer "path" "config.labels") | nindent 4 }}
spec:
serviceName: {{ include "fuel-streams.fullname" . }}-consumer
{{- if not $consumer.autoscaling.enabled }}
replicas: {{ $consumer.config.replicaCount }}
{{- end }}
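Review bot: Changing `kind: StatefulSet` to `kind: Deployment` is not an in-place upgrade: Helm deletes the StatefulSet and creates a Deployment, and PVCs created from any volumeClaimTemplates, plus the ordinal pod identity that the removed `serviceName:` line provided, are no longer managed — the rest of the spec is outside these hunks, so whether the consumer depended on either cannot be confirmed here. The headless Service that `serviceName` pointed to, if the chart still renders one, is now unused and should be removed or confirmed. This is worth a line in the chart's upgrade notes alongside the 0.8.2 bump; the file header for this section is not visible on the page.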
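--- a/cluster/charts/fuel-streams/templates/webserver/certificate.yaml
+++ b/cluster/charts/fuel-streams/templates/webserver/certificate.yaml
@@ -0,0 +1,60 @@
+{{- $webserver := .Values.webserver }}
+{{- $service := $webserver.service }}
+{{- $tls := $webserver.tls }}
+{{- $certificate := $tls.certificate }}
+{{- $ingress := $tls.ingress }}
+{{- if and $webserver.enabled $service.host $tls.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+{{- include "k8s.metadata" (dict "context" . "suffix" "-webserver-cert") | nindent 2 }}
+annotations:
+{{- include "set-value" (dict "context" $certificate "path" "annotations") | nindent 4 }}
+labels:
+{{- include "fuel-streams.labels" (dict "name" "webserver" "context" .) | nindent 4 }}
+{{- include "set-value" (dict "context" $certificate "path" "labels") | nindent 4 }}
+app.kubernetes.io/component: webserver
+spec:
+secretName: {{ include "fuel-streams.fullname" . }}-webserver-tls
+duration: {{ $certificate.duration }}
+renewBefore: {{ $certificate.renewBefore }}
+dnsNames:
+- {{ $service.host }}
+issuerRef:
+name: {{ $certificate.issuer }}
+kind: ClusterIssuer
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+{{- include "k8s.metadata" (dict "context" . "suffix" "-webserver-cert-validator") | nindent 2 }}
+labels:
+{{- include "fuel-streams.labels" (dict "name" "webserver" "context" .) | nindent 4 }}
+{{- include "set-value" (dict "context" $ingress "path" "labels") | nindent 4 }}
+app.kubernetes.io/component: webserver
+annotations:
+cert-manager.io/cluster-issuer: {{ $certificate.issuer }}
+kubernetes.io/ingress.class: nginx
+acme.cert-manager.io/http01-ingress-class: nginx
+nginx.ingress.kubernetes.io/ssl-redirect: "false"
+nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+cert-manager.io/common-name: {{ $service.host }}
+{{- include "set-value" (dict "context" $ingress "path" "annotations") | nindent 4 }}
+spec:
+ingressClassName: nginx
+tls:
+- hosts:
+- {{ $service.host }}
+secretName: {{ include "fuel-streams.fullname" . }}-webserver-tls
+rules:
+- host: {{ $service.host }}
+http:
+paths:
+- path: /.well-known/acme-challenge/
+pathType: Prefix
+backend:
+service:
+name: cm-acme-http-solver
+port:
+number: 8089
+{{- end }}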
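Review bot: The validator Ingress carries `cert-manager.io/cluster-issuer` and `cert-manager.io/common-name` annotations plus a `tls:` entry naming the same `{{ include "fuel-streams.fullname" . }}-webserver-tls` Secret that the explicit Certificate above already owns, so cert-manager's ingress-shim will create a second Certificate for the same Secret and the two will compete over it; drop the ingress-shim annotations and the `tls:` block from the Ingress, or drop the standalone Certificate, but not keep both. The backend `name: cm-acme-http-solver` is a fixed name, while cert-manager names its HTTP-01 solver Services with a generated suffix and normally creates the challenge Ingress itself (or edits an existing one named in the issuer's solver config), so this rule is unlikely to match a live solver — confirm against the ClusterIssuer definition. `kubernetes.io/ingress.class: nginx` duplicates `ingressClassName: nginx` and is the deprecated form. Templated scalars such as `- {{ $service.host }}` and `name: {{ $certificate.issuer }}` should be emitted with `| quote` so an empty or boolean-looking value does not change type.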
22 changes: 21 additions & 1 deletion cluster/charts/fuel-streams/templates/webserver/deployment.yaml
@@ -1,5 +1,5 @@
{{- $webserver := .Values.webserver -}}
{{- $service := $webserver.service -}}
{{- $tls := $webserver.tls -}}
{{- if $webserver.enabled -}}
apiVersion: apps/v1
kind: Deployment
Expand Down Expand Up @@ -39,6 +39,13 @@ spec:
{{- include "set-field-and-value" (dict "context" $webserver "field" "tolerations" "path" "config.tolerations") | nindent 6 }}
{{- include "k8s.security-context" (dict "context" . "service" "webserver") | nindent 6 }}

{{- if $tls.enabled }}
volumes:
- name: tls-certs
secret:
secretName: {{ include "fuel-streams.fullname" . }}-webserver-tls
{{- end }}

containers:
- name: webserver
image: "{{ $webserver.image.repository }}:{{ $webserver.image.tag | default .Chart.AppVersion }}"
Expand Down Expand Up @@ -69,9 +76,22 @@ spec:
value: {{ $webserver.network | quote }}
- name: PORT
value: {{ $webserver.port | quote }}
{{- if $tls.enabled }}
- name: TLS_CERT_PATH
value: "/etc/ssl/certs/webserver/tls.crt"
- name: TLS_KEY_PATH
value: "/etc/ssl/certs/webserver/tls.key"
{{- end }}
{{- with $webserver.env }}
{{- toYaml . | nindent 12 }}
{{- end }}

{{- if $tls.enabled }}
volumeMounts:
- name: tls-certs
mountPath: /etc/ssl/certs/webserver
readOnly: true
{{- end }}

{{- include "k8s.hpa" (dict "context" . "service" (dict "name" "webserver" "autoscaling" $webserver.autoscaling)) }}
{{- end }}
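Review bot: The secret volume added in the second hunk (`secretName: {{ include "fuel-streams.fullname" . }}-webserver-tls`) is gated only on `$tls.enabled`, while certificate.yaml creates that Secret only when `and $webserver.enabled $service.host $tls.enabled`; with `tls.enabled: true` and an empty `service.host` the pod waits indefinitely on a missing Secret. Align the guard, `{{- if and $tls.enabled $service.host }}`, here and on the env and volumeMounts blocks in the third hunk. The private key is projected with the secret volume's default file mode; adding `defaultMode: 0400` under `secret:` limits it to the container user (the pod uses the chart's `k8s.security-context` helper, so confirm the UID it sets can read the files). The mount path is repeated literally in `TLS_CERT_PATH`, `TLS_KEY_PATH` and `mountPath`; a single template variable would keep them from drifting.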
18 changes: 12 additions & 6 deletions cluster/charts/fuel-streams/templates/webserver/service.yaml
@@ -1,18 +1,24 @@
{{- $service := .Values.webserver.service }}
{{- if and .Values.webserver.enabled $service.enabled }}
{{- $webserver := .Values.webserver }}
{{- $service := $webserver.service }}
{{- $tls := $webserver.tls }}
{{- if and $webserver.enabled $service.enabled }}
apiVersion: v1
kind: Service
metadata:
{{- include "k8s.metadata" (dict "context" . "suffix" "-webserver-nlb") | nindent 2 }}
annotations:
{{- if $service.dns }}
external-dns.alpha.kubernetes.io/hostname: {{ $service.dns }}
{{- if $service.host }}
external-dns.alpha.kubernetes.io/hostname: {{ $service.host }}
external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
{{- end }}
service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
{{- if $tls.enabled }}
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tls
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ include "fuel-streams.fullname" . }}-webserver-tls
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "websocket"
{{- end }}
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true,stickiness.enabled=true,stickiness.type=source_ip,load_balancing.cross_zone.enabled=true
service.beta.kubernetes.io/aws-load-balancer-type: external
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "WebSocket=true"
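Review bot: `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` expects an ACM certificate ARN, but the new block sets it to the Kubernetes Secret name `{{ include "fuel-streams.fullname" . }}-webserver-tls`, which the AWS load-balancer controller cannot resolve, so the TLS listener will not be created as written; `tls` is also not among the documented `backend-protocol` values (`tcp`/`ssl`) — confirm against the controller version in use. The same Secret is mounted into the webserver pod in deployment.yaml, so TLS appears to be terminated in the pod; if that is the intent, keep the listener as passthrough (`service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp`) and drop the `ssl-cert`/`ssl-ports` annotations, otherwise supply an ACM ARN from values. `aws-load-balancer-ssl-ports: "websocket"` must match a port name declared on this Service; the ports block is outside the hunk, so that cannot be checked here.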
16 changes: 10 additions & 6 deletions cluster/charts/fuel-streams/values.yaml
Expand Up @@ -239,17 +239,21 @@ webserver:
enabled: true
port: 8080
type: LoadBalancer
dns: "stream-staging.fuel.network"
host: "stream-staging.fuel.network"
annotations: {}
labels: {}

tls:
enabled: true
issuer: "letsencrypt-prod"
duration: "2160h"
renewBefore: "360h"
annotations: {}
labels: {}
certificate:
issuer: "letsencrypt-prod"
duration: "2160h"
renewBefore: "360h"
annotations: {}
labels: {}
ingress:
annotations: {}
labels: {}

# You can override the env variables for the container here
# using a map or an array of key-value pairs
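Review bot: `tls.enabled: true` with `certificate.issuer: "letsencrypt-prod"` and `host: "stream-staging.fuel.network"` are now the chart-wide defaults, so any install that does not override them attempts a production ACME issuance for that staging hostname, and repeated failed attempts count against Let's Encrypt's rate limits. Defaulting `enabled: false` (or a staging issuer) and requiring the operator to opt in is the safer baseline; per-environment overrides may exist elsewhere in the repository, which is outside the hunk. Renaming `dns` to `host` (presumably under `service:`) is a breaking values change that existing overrides miss silently; a comment such as `# host replaces the former dns key` next to `host:` would flag it.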
10 changes: 8 additions & 2 deletions examples/Cargo.toml
@@ -1,8 +1,14 @@
[package]
name = "fuel-streams-examples"
version = "0.0.15"
authors = { workspace = true }
keywords = { workspace = true }
edition = { workspace = true }
homepage = { workspace = true }
license = { workspace = true }
repository = { workspace = true }
version = { workspace = true }
rust-version = { workspace = true }
publish = false
edition = "2021"

[dependencies]
anyhow = { workspace = true }