From 1f90d049f85708e4b64991817babcaa4d72f81b7 Mon Sep 17 00:00:00 2001
From: Pedro Nauck
Date: Fri, 27 Dec 2024 19:43:00 -0300
Subject: [PATCH] feat(webserver): Add TLS configuration for WebServer
---
cluster/charts/fuel-streams/Chart.yaml | 2 +-
.../{statefulset.yaml => deployment.yaml} | 3 +-
.../templates/webserver/certificate.yaml | 60 +++++++++++++++++++
.../templates/webserver/deployment.yaml | 22 ++++++-
.../templates/webserver/service.yaml | 18 ++++--
cluster/charts/fuel-streams/values.yaml | 16 +++--
examples/Cargo.toml | 10 +++-
7 files changed, 113 insertions(+), 18 deletions(-)
rename cluster/charts/fuel-streams/templates/consumer/{statefulset.yaml => deployment.yaml} (97%)
create mode 100644 cluster/charts/fuel-streams/templates/webserver/certificate.yaml
diff --git a/cluster/charts/fuel-streams/Chart.yaml b/cluster/charts/fuel-streams/Chart.yaml
index cc1859f0..088c9bc2 100755
--- a/cluster/charts/fuel-streams/Chart.yaml
+++ b/cluster/charts/fuel-streams/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: fuel-streams -version: 0.7.4 +version: 0.8.2 dependencies: - name: nats version: 1.2.8
diff --git a/cluster/charts/fuel-streams/templates/consumer/statefulset.yaml b/cluster/charts/fuel-streams/templates/consumer/deployment.yaml
similarity index 97%
rename from cluster/charts/fuel-streams/templates/consumer/statefulset.yaml
rename to cluster/charts/fuel-streams/templates/consumer/deployment.yaml
index a1f73522..39dcfecd 100644
--- a/cluster/charts/fuel-streams/templates/consumer/statefulset.yaml
+++ b/cluster/charts/fuel-streams/templates/consumer/deployment.yaml
@@ -1,7 +1,7 @@ {{- $consumer := .Values.consumer -}} {{- if $consumer.enabled -}} apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: {{- include "k8s.metadata" (dict "context" . "suffix" "-consumer") | nindent 2 }} annotations:
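Review bot: Changing `kind: StatefulSet` to `kind: Deployment` changes how the consumer rolls out, not only its name: a Deployment's default RollingUpdate strategy (maxSurge 25%) can briefly run more consumer pods than `replicaCount`, which the StatefulSet never did. If the consumer must not process the stream concurrently with its predecessor, pin the strategy explicitly next to `replicas:`, e.g. `strategy:` / `  type: Recreate`. The rest of the template is outside the hunk, so StatefulSet-only fields that a Deployment would reject (`volumeClaimTemplates`, `podManagementPolicy`) cannot be checked here; the second hunk only drops `serviceName`. The subject says `feat(webserver)` while this rename changes the consumer workload; a line in the commit message would help anyone bisecting later.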
@@ -10,7 +10,6 @@ metadata: {{- include "fuel-streams.labels" (dict "name" "consumer" "context" .) | nindent 4 }} {{- include "set-value" (dict "context" $consumer "path" "config.labels") | nindent 4 }} spec: - serviceName: {{ include "fuel-streams.fullname" . }}-consumer {{- if not $consumer.autoscaling.enabled }} replicas: {{ $consumer.config.replicaCount }} {{- end }}
diff --git a/cluster/charts/fuel-streams/templates/webserver/certificate.yaml b/cluster/charts/fuel-streams/templates/webserver/certificate.yaml
new file mode 100644
index 00000000..48d32d8d
--- /dev/null
+++ b/cluster/charts/fuel-streams/templates/webserver/certificate.yaml
@@ -0,0 +1,60 @@ +{{- $webserver := .Values.webserver }} +{{- $service := $webserver.service }} +{{- $tls := $webserver.tls }} +{{- $certificate := $tls.certificate }} +{{- $ingress := $tls.ingress }} +{{- if and $webserver.enabled $service.host $tls.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + {{- include "k8s.metadata" (dict "context" . "suffix" "-webserver-cert") | nindent 2 }} + annotations: + {{- include "set-value" (dict "context" $certificate "path" "annotations") | nindent 4 }} + labels: + {{- include "fuel-streams.labels" (dict "name" "webserver" "context" .) | nindent 4 }} + {{- include "set-value" (dict "context" $certificate "path" "labels") | nindent 4 }} + app.kubernetes.io/component: webserver +spec: + secretName: {{ include "fuel-streams.fullname" . }}-webserver-tls + duration: {{ $certificate.duration }} + renewBefore: {{ $certificate.renewBefore }} + dnsNames: + - {{ $service.host }} + issuerRef: + name: {{ $certificate.issuer }} + kind: ClusterIssuer +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + {{- include "k8s.metadata" (dict "context" . "suffix" "-webserver-cert-validator") | nindent 2 }} + labels: + {{- include "fuel-streams.labels" (dict "name" "webserver" "context" .) | nindent 4 }} + {{- include "set-value" (dict "context" $ingress "path" "labels") | nindent 4 }} + app.kubernetes.io/component: webserver + annotations: + cert-manager.io/cluster-issuer: {{ $certificate.issuer }} + kubernetes.io/ingress.class: nginx + acme.cert-manager.io/http01-ingress-class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + cert-manager.io/common-name: {{ $service.host }} + {{- include "set-value" (dict "context" $ingress "path" "annotations") | nindent 4 }} +spec: + ingressClassName: nginx + tls: + - hosts: + - {{ $service.host }} + secretName: {{ include "fuel-streams.fullname" . 
}}-webserver-tls + rules: + - host: {{ $service.host }} + http: + paths: + - path: /.well-known/acme-challenge/ + pathType: Prefix + backend: + service: + name: cm-acme-http-solver + port: + number: 8089 +{{- end }}
\ No newline at end of file
diff --git a/cluster/charts/fuel-streams/templates/webserver/deployment.yaml b/cluster/charts/fuel-streams/templates/webserver/deployment.yaml
index 2b83f668..6ef1e815 100644
--- a/cluster/charts/fuel-streams/templates/webserver/deployment.yaml
+++ b/cluster/charts/fuel-streams/templates/webserver/deployment.yaml
@@ -1,5 +1,5 @@ {{- $webserver := .Values.webserver -}} -{{- $service := $webserver.service -}} +{{- $tls := $webserver.tls -}} {{- if $webserver.enabled -}} apiVersion: apps/v1 kind: Deployment
@@ -39,6 +39,13 @@ spec: {{- include "set-field-and-value" (dict "context" $webserver "field" "tolerations" "path" "config.tolerations") | nindent 6 }} {{- include "k8s.security-context" (dict "context" . "service" "webserver") | nindent 6 }} + {{- if $tls.enabled }} + volumes: + - name: tls-certs + secret: + secretName: {{ include "fuel-streams.fullname" . }}-webserver-tls + {{- end }} + containers: - name: webserver image: "{{ $webserver.image.repository }}:{{ $webserver.image.tag | default .Chart.AppVersion }}"
@@ -69,9 +76,22 @@ spec: value: {{ $webserver.network | quote }} - name: PORT value: {{ $webserver.port | quote }} + {{- if $tls.enabled }} + - name: TLS_CERT_PATH + value: "/etc/ssl/certs/webserver/tls.crt" + - name: TLS_KEY_PATH + value: "/etc/ssl/certs/webserver/tls.key" + {{- end }} {{- with $webserver.env }} {{- toYaml . | nindent 12 }} {{- end }} + {{- if $tls.enabled }} + volumeMounts: + - name: tls-certs + mountPath: /etc/ssl/certs/webserver + readOnly: true + {{- end }} + {{- include "k8s.hpa" (dict "context" . "service" (dict "name" "webserver" "autoscaling" $webserver.autoscaling)) }} {{- end }}
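Review bot: The Ingress sets `cert-manager.io/cluster-issuer: {{ $certificate.issuer }}` together with a `tls[].secretName` of the same `...-webserver-tls` Secret that the explicit `Certificate` above owns; cert-manager's ingress-shim creates a second Certificate from that annotation targeting the same Secret, and the two objects then fight over it. Keep the explicit Certificate and drop `cert-manager.io/cluster-issuer`, `acme.cert-manager.io/http01-ingress-class` and `cert-manager.io/common-name` from the Ingress (cert-manager creates its own challenge Ingress during HTTP-01, so a hand-written solver route should not be needed). The static backend `cm-acme-http-solver` on port 8089 does not appear to match any Service cert-manager creates — its solver Services carry a generated suffix — so the `/.well-known/acme-challenge/` rule likely never routes; confirm against a live challenge before keeping it. Consider `privateKey:` / `  rotationPolicy: Always` in the Certificate spec so each renewal issues a fresh key rather than reusing the old one, and end the file with a newline (`\ No newline at end of file`). `kubernetes.io/ingress.class: nginx` and `ingressClassName: nginx` are both set; the annotation is deprecated and redundant with the field.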
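Review bot: The first hunk replaces `{{- $service := $webserver.service -}}` with `$tls`; if any line of the template outside these hunks still references `$service`, rendering fails with an undefined-variable error, so the rest of the file (not shown here) should be checked before merge. In the third hunk nothing restarts or signals the container when cert-manager renews `...-webserver-tls`: the Secret volume is updated on disk, but unless the webserver re-reads `TLS_CERT_PATH`/`TLS_KEY_PATH` at runtime it keeps serving the old certificate until the pod is replaced — either document that the server watches those files or add a checksum annotation or reloader. The Secret volume uses the default file mode, leaving `tls.key` readable by every user in the container; add `defaultMode: 0440` under `secret:` (with an `fsGroup` in the pod security context, if the `k8s.security-context` helper does not already set one) to narrow that. The enclosing Deployment spec begins and ends outside these hunks.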
diff --git a/cluster/charts/fuel-streams/templates/webserver/service.yaml b/cluster/charts/fuel-streams/templates/webserver/service.yaml
index 5dfcf58d..6dc1081d 100644
--- a/cluster/charts/fuel-streams/templates/webserver/service.yaml
+++ b/cluster/charts/fuel-streams/templates/webserver/service.yaml
@@ -1,18 +1,24 @@ -{{- $service := .Values.webserver.service }} -{{- if and .Values.webserver.enabled $service.enabled }} +{{- $webserver := .Values.webserver }} +{{- $service := $webserver.service }} +{{- $tls := $webserver.tls }} +{{- if and $webserver.enabled $service.enabled }} apiVersion: v1 kind: Service metadata: {{- include "k8s.metadata" (dict "context" . "suffix" "-webserver-nlb") | nindent 2 }} annotations: - {{- if $service.dns }} - external-dns.alpha.kubernetes.io/hostname: {{ $service.dns }} + {{- if $service.host }} + external-dns.alpha.kubernetes.io/hostname: {{ $service.host }} external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" {{- end }} - service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + {{- if $tls.enabled }} + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tls + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ include "fuel-streams.fullname" . }}-webserver-tls + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "websocket" + {{- end }} service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing + service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true,stickiness.enabled=true,stickiness.type=source_ip,load_balancing.cross_zone.enabled=true service.beta.kubernetes.io/aws-load-balancer-type: external service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "WebSocket=true"
diff --git a/cluster/charts/fuel-streams/values.yaml b/cluster/charts/fuel-streams/values.yaml
index 71c6e971..a4d169e0 100755
--- a/cluster/charts/fuel-streams/values.yaml
+++ b/cluster/charts/fuel-streams/values.yaml
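Review bot: `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` expects an ACM certificate ARN, not a Kubernetes Secret name; `{{ include "fuel-streams.fullname" . }}-webserver-tls` is the cert-manager Secret the Deployment mounts, so with `tls.enabled` the AWS load balancer controller cannot attach a TLS listener from it. Either terminate TLS only in the pod — drop the `ssl-cert`/`ssl-ports` annotations and set `aws-load-balancer-backend-protocol: tcp` so the NLB passes the TLS stream through — or terminate at the NLB with a real ACM ARN supplied from values (e.g. a new `tls.acmCertificateArn` key, a constructed name) and keep the pod on plain HTTP; doing both means two certificates and double termination. `aws-load-balancer-ssl-ports: "websocket"` also depends on a Service port named `websocket`, which the hunk does not show; confirm the `ports:` block below (outside the hunk) names it that way. `load_balancing.cross_zone.enabled=true` now appears under both `aws-load-balancer-attributes` and `aws-load-balancer-target-group-attributes`; one of the two is redundant.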
@@ -239,17 +239,21 @@ webserver: enabled: true port: 8080 type: LoadBalancer - dns: "stream-staging.fuel.network" + host: "stream-staging.fuel.network" annotations: {} labels: {} tls: enabled: true - issuer: "letsencrypt-prod" - duration: "2160h" - renewBefore: "360h" - annotations: {} - labels: {} + certificate: + issuer: "letsencrypt-prod" + duration: "2160h" + renewBefore: "360h" + annotations: {} + labels: {} + ingress: + annotations: {} + labels: {} # You can override the env variables for the container here # using a map or an array of key-value pairs
diff --git a/examples/Cargo.toml b/examples/Cargo.toml
index eea30828..0d57c4ea 100644
--- a/examples/Cargo.toml
+++ b/examples/Cargo.toml
@@ -1,8 +1,14 @@ [package] name = "fuel-streams-examples" -version = "0.0.15" +authors = { workspace = true } +keywords = { workspace = true } +edition = { workspace = true } +homepage = { workspace = true } +license = { workspace = true } +repository = { workspace = true } +version = { workspace = true } +rust-version = { workspace = true } publish = false -edition = "2021" [dependencies] anyhow = { workspace = true }
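Review bot: `tls.enabled: true` and `service.host` stay set by default, and with the new `certificate.yaml` those defaults now render a `cert-manager.io/v1` Certificate, so `helm install` with stock values fails on any cluster without the cert-manager CRDs; default `tls.enabled` to `false` (or document cert-manager as a prerequisite) and let environments opt in. Moving `issuer`/`duration`/`renewBefore` under `tls.certificate` and renaming `service.dns` to `service.host` are breaking changes for existing values files: an old `tls.issuer` is silently ignored and `{{ $certificate.issuer }}` renders an empty `name:` under `issuerRef`, while an old `service.dns` no longer produces the external-dns annotation. A comment above `tls:` such as `# Requires cert-manager; tls.* keys moved to tls.certificate.* in chart 0.8.2` plus a fail-fast `{{ required "webserver.tls.certificate.issuer is required when tls is enabled" $certificate.issuer }}` in the template would surface the mistake at render time. The surrounding `webserver:` block starts before line 239 and is not visible here.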