build(repo): Add DNS/TLS configuration for Nats (#357)

* build(repo): Add DNS/TLS configuration for Nats * build(repo): bump chart version * build(repo): fix chart * build(repo): fix chart * build(repo): fix secretName on nats client websocket config
FuelLabs · Dec 17, 2024 · a444792 · a444792
1 parent 86db991
commit a444792
Show file tree

Hide file tree

Showing 15 changed files with 394 additions and 227 deletions.
diff --git a/Tiltfile b/Tiltfile
@@ -104,7 +104,8 @@ k8s_yaml(helm(
     namespace='fuel-streams',
     values=[
         'cluster/charts/fuel-streams/values-publisher-secrets.yaml',
-        'cluster/charts/fuel-streams/values.yaml'
+        'cluster/charts/fuel-streams/values.yaml',
+        'cluster/charts/fuel-streams/values-local.yaml'
     ]
 ))
 

diff --git a/cluster/charts/fuel-streams/Chart.yaml b/cluster/charts/fuel-streams/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: fuel-streams
-version: 0.4.10
+version: 0.5.6
 dependencies:
   - name: nats
     version: 1.2.6

diff --git a/cluster/charts/fuel-streams/templates/_blocks.tpl b/cluster/charts/fuel-streams/templates/_blocks.tpl
@@ -57,4 +57,56 @@ readinessProbe:
 startupProbe:
   {{- include "merge" (dict "context" .context "service" .service "defaultKey" "startupProbe" "path" "config.startupProbe") | nindent 2 }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{/*
+Configure nats accounts
+*/}}
+{{- define "nats-accounts" -}}
+data:
+  auth.conf: |
+    accounts {
+      SYS: {
+        users: [
+          {user: $NATS_SYS_USER, password: $NATS_SYS_PASSWORD}
+        ]
+      }
+      ADMIN: {
+        jetstream: enabled
+        users: [
+          {user: $NATS_ADMIN_USER, password: $NATS_ADMIN_PASSWORD}
+        ]
+      }
+      PUBLIC: {
+        jetstream: enabled
+        users: [
+          {
+            user: $NATS_PUBLIC_USER
+            password: $NATS_PUBLIC_PASSWORD
+            permissions: {
+              subscribe: ">"
+              publish: {
+                deny: [
+                  "*.by_id.>"
+                  "*.blocks.>"
+                  "*.transactions.>"
+                  "*.inputs.>"
+                  "*.outputs.>"
+                  "*.receipts.>"
+                  "*.logs.>"
+                  "*.utxos.>"
+                  "$JS.API.STREAM.CREATE.>"
+                  "$JS.API.STREAM.UPDATE.>"
+                  "$JS.API.STREAM.DELETE.>"
+                  "$JS.API.STREAM.PURGE.>"
+                  "$JS.API.STREAM.RESTORE.>"
+                  "$JS.API.STREAM.MSG.DELETE.>"
+                  "$JS.API.CONSUMER.DURABLE.CREATE.>"
+                ]
+              }
+            }
+          }
+        ]
+      }
+    }
+{{- end }}
diff --git a/cluster/charts/fuel-streams/templates/_helpers.tpl b/cluster/charts/fuel-streams/templates/_helpers.tpl
@@ -3,6 +3,16 @@ Expand the name of the chart.
 If nameOverride is provided in Values.config, use that instead of .Chart.Name.
 The result is truncated to 63 chars and has any trailing "-" removed to comply with Kubernetes naming rules.
 Returns: String - The chart name, truncated and cleaned
+Example:
+  Given:
+    .Chart.Name = "fuel-streams"
+    .Values.config.nameOverride = "custom-name"
+  Result: "custom-name"
+
+  Given:
+    .Chart.Name = "fuel-streams"
+    .Values.config.nameOverride = null
+  Result: "fuel-streams"
 */}}
 {{- define "fuel-streams.name" -}}
 {{- default .Chart.Name .Values.config.nameOverride | trunc 63 | trimSuffix "-" }}
@@ -17,6 +27,24 @@ This template follows these rules:
    - If not, concatenate release name and chart name with a hyphen
 The result is truncated to 63 chars and has any trailing "-" removed to comply with Kubernetes naming rules.
 Returns: String - The fully qualified app name, truncated and cleaned
+Example:
+  Given:
+    .Values.config.fullnameOverride = "override-name"
+  Result: "override-name"
+
+  Given:
+    .Release.Name = "my-release"
+    .Chart.Name = "fuel-streams"
+    .Values.config.nameOverride = null
+    .Values.config.fullnameOverride = null
+  Result: "my-release-fuel-streams"
+
+  Given:
+    .Release.Name = "fuel-streams-prod"
+    .Chart.Name = "fuel-streams"
+    .Values.config.nameOverride = null
+    .Values.config.fullnameOverride = null
+  Result: "fuel-streams-prod"
 */}}
 {{- define "fuel-streams.fullname" -}}
 {{- if .Values.config.fullnameOverride }}
@@ -49,26 +77,43 @@ Includes:
 - Selector labels (app name and instance)
 - App version (if defined)
 - Managed-by label indicating Helm management
+Parameters:
+  - name: Optional custom name to use instead of the default name
+  - .: Full context (passed automatically or as "context")
 Returns: Map - A set of key-value pairs representing Kubernetes labels
+Example:
+  {{- include "fuel-streams.labels" . }}
+  # Or with custom name:
+  {{- include "fuel-streams.labels" (dict "name" "custom-name" "context" $) }}
 */}}
 {{- define "fuel-streams.labels" -}}
-helm.sh/chart: {{ include "fuel-streams.chart" . }}
-{{ include "fuel-streams.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- $context := default . .context -}}
+helm.sh/chart: {{ include "fuel-streams.chart" $context }}
+{{ include "fuel-streams.selectorLabels" (dict "name" .name "context" $context) }}
+{{- if $context.Chart.AppVersion }}
+app.kubernetes.io/version: {{ $context.Chart.AppVersion | quote }}
 {{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/managed-by: {{ $context.Release.Service }}
 {{- end }}
 
 {{/*
 Selector labels
 Core identifying labels used for object selection and service discovery.
 These labels should be used consistently across all related resources.
+Parameters:
+  - name: Optional custom name to use instead of the default name
+  - .: Full context (passed automatically or as "context")
 Returns: Map - A set of key-value pairs for Kubernetes selector labels
+Example:
+  {{- include "fuel-streams.selectorLabels" . }}
+  # Or with custom name:
+  {{- include "fuel-streams.selectorLabels" (dict "name" "custom-name" "context" $) }}
 */}}
 {{- define "fuel-streams.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "fuel-streams.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
+{{- $context := default . .context -}}
+{{- $name := default (include "fuel-streams.name" $context) .name -}}
+app.kubernetes.io/name: {{ $name }}
+app.kubernetes.io/instance: {{ $context.Release.Name }}
 {{- end }}
 
 {{/*

diff --git a/cluster/charts/fuel-streams/templates/_hpa.yaml b/cluster/charts/fuel-streams/templates/_hpa.yaml
@@ -9,8 +9,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   {{- include "k8s.metadata" (dict "context" $context "suffix" (printf "-%s" $service.name)) | nindent 2 }}
   labels:
-    {{- include "fuel-streams.labels" $context | nindent 4 }}
-    app.kubernetes.io/component: {{ $service.name }}
+    {{- include "fuel-streams.labels" (dict "name" $service.name "context" $context) | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

diff --git a/cluster/charts/fuel-streams/templates/consumer/statefulset.yaml b/cluster/charts/fuel-streams/templates/consumer/statefulset.yaml
@@ -7,28 +7,24 @@ metadata:
   annotations:
     {{- include "set-value" (dict "context" $consumer "path" "config.annotations") | nindent 4 }}
   labels:
-    {{- include "fuel-streams.labels" . | nindent 4 }}
+    {{- include "fuel-streams.labels" (dict "name" "consumer" "context" .) | nindent 4 }}
     {{- include "set-value" (dict "context" $consumer "path" "config.labels") | nindent 4 }}
-    app.kubernetes.io/component: consumer
 spec:
   serviceName: {{ include "fuel-streams.fullname" . }}-consumer
   {{- if not $consumer.autoscaling.enabled }}
   replicas: {{ $consumer.config.replicaCount }}
   {{- end }}
   selector:
     matchLabels:
-      {{- include "fuel-streams.selectorLabels" . | nindent 6 }}
-      {{- include "set-value" (dict "context" $consumer "path" "config.selectorLabels") | nindent 6 }}
-      app.kubernetes.io/component: consumer
+      {{- include "fuel-streams.selectorLabels" (dict "name" "consumer" "context" .) | nindent 6 }}
 
   template:
     metadata:
       annotations:
         {{- include "set-value" (dict "context" $consumer "path" "config.podAnnotations") | nindent 8 }}
       labels:
-        {{- include "fuel-streams.selectorLabels" . | nindent 8 }}
+        {{- include "fuel-streams.labels" (dict "name" "consumer" "context" .) | nindent 8 }}
         {{- include "set-value" (dict "context" $consumer "path" "config.labels") | nindent 8 }}
-        app.kubernetes.io/component: consumer
 
     spec:
       {{- if .Values.serviceAccount.create }}
@@ -79,6 +75,5 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
 
-
 {{- include "k8s.hpa" (dict "context" . "service" (dict "name" "consumer" "autoscaling" $consumer.autoscaling)) }}
 {{- end }}
diff --git a/cluster/charts/fuel-streams/templates/nats/accounts-secret.yaml b/cluster/charts/fuel-streams/templates/nats/accounts-secret.yaml
@@ -0,0 +1,15 @@
+{{- $secret := .Values.natsAccountsSecret }}
+{{- if $secret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- include "k8s.metadata" (dict "context" . "suffix" "-nats-accounts") | nindent 2 }}
+  labels:
+    {{- include "fuel-streams.labels" (dict "name" "nats-accounts" "context" .) | nindent 4 }}
+    app.kubernetes.io/component: nats
+type: Opaque
+data:
+  {{- if $secret.data }}
+  {{- toYaml $secret.data | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/cluster/charts/fuel-streams/templates/nats/certificate.yaml b/cluster/charts/fuel-streams/templates/nats/certificate.yaml
@@ -1,23 +1,48 @@
 {{- $cert := .Values.natsExternalService.certificate}}
 {{- $service := .Values.natsExternalService.service }}
 {{- if and .Values.natsExternalService.enabled $service.dns }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  {{- include "k8s.metadata" (dict "context" . "suffix" "-nats-cert") | nindent 2 }}
+  annotations:
+    {{- include "set-value" (dict "context" $cert "path" "annotations") | nindent 4 }}
+  labels:
+    {{- include "fuel-streams.labels" (dict "name" "nats-client" "context" .) | nindent 4 }}
+    {{- include "set-value" (dict "context" $cert "path" "labels") | nindent 4 }}
+    app.kubernetes.io/component: nats
+spec:
+  secretName: {{ include "fuel-streams.fullname" . }}-nats-tls
+  duration: {{ $cert.duration }}
+  renewBefore: {{ $cert.renewBefore }}
+  dnsNames:
+    - {{ $service.dns }}
+  issuerRef:
+    name: {{ $cert.issuer }}
+    kind: ClusterIssuer
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   {{- include "k8s.metadata" (dict "context" . "suffix" "-nats-cert-validator") | nindent 2 }}
   labels:
-    {{- include "fuel-streams.labels" . | nindent 4 }}
+    {{- include "fuel-streams.labels" (dict "name" "nats-client" "context" .) | nindent 4 }}
     {{- include "set-value" (dict "context" $cert "path" "labels") | nindent 4 }}
-    app.kubernetes.io/service: external-ws
+    app.kubernetes.io/component: nats
   annotations:
     cert-manager.io/cluster-issuer: {{ $cert.issuer }}
     kubernetes.io/ingress.class: nginx
     acme.cert-manager.io/http01-ingress-class: nginx
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+    cert-manager.io/common-name: {{ $service.dns }}
     {{- include "set-value" (dict "context" $cert "path" "annotations") | nindent 4 }}
 spec:
   ingressClassName: nginx
+  tls:
+    - hosts:
+        - {{ $service.dns }}
+      secretName: {{ include "fuel-streams.fullname" . }}-nats-tls
   rules:
     - host: {{ $service.dns }}
       http:
@@ -29,24 +54,4 @@ spec:
                 name: cm-acme-http-solver
                 port:
                   number: 8089
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  {{- include "k8s.metadata" (dict "context" . "suffix" "-nats-cert") | nindent 2 }}
-  labels:
-    {{- include "fuel-streams.labels" . | nindent 4 }}
-    {{- include "set-value" (dict "context" $cert "path" "labels") | nindent 4 }}
-    app.kubernetes.io/service: external-ws
-  annotations:
-    {{- include "set-value" (dict "context" $cert "path" "annotations") | nindent 4 }}
-spec:
-  secretName: {{ include "fuel-streams.fullname" . }}-nats-tls
-  duration: {{ $cert.duration }}
-  renewBefore: {{ $cert.renewBefore }}
-  dnsNames:
-    - {{ $service.dns }}
-  issuerRef:
-    name: {{ $cert.issuer }}
-    kind: ClusterIssuer
 {{- end }}
diff --git a/cluster/charts/fuel-streams/templates/nats/external-service.yaml b/cluster/charts/fuel-streams/templates/nats/external-service.yaml
@@ -3,13 +3,9 @@
 apiVersion: v1
 kind: Service
 metadata:
-  {{- include "k8s.metadata" (dict "context" . "suffix" "-nats-external") | nindent 2 }}
-  labels:
-    {{- include "fuel-streams.labels" . | nindent 4 }}
-    {{- include "set-value" (dict "context" $service "path" "labels") | nindent 4 }}
-    app.kubernetes.io/service: external-ws
+  {{- include "k8s.metadata" (dict "context" . "suffix" "-nats-client-nlb") | nindent 2 }}
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: {{ $service.dns | quote }}
+    external-dns.alpha.kubernetes.io/hostname: {{ $service.dns }}
     external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
     service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true
     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
@@ -19,15 +15,15 @@ metadata:
     service.beta.kubernetes.io/aws-load-balancer-type: external
     service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "WebSocket=true"
     {{- include "set-value" (dict "context" $service "path" "annotations") | nindent 2 }}
+  labels:
+    {{- include "fuel-streams.labels" (dict "name" "nats-client" "context" .) | nindent 4 }}
+    {{- include "set-value" (dict "context" $service "path" "labels") | nindent 4 }}
+    app.kubernetes.io/component: nats
 spec:
   type: LoadBalancer
   loadBalancerClass: service.k8s.aws/nlb
   externalTrafficPolicy: Local
   ports:
-    - name: http-acme
-      port: 80
-      targetPort: 8089
-      protocol: TCP
     - appProtocol: tcp
       name: nats
       port: 4222
@@ -39,7 +35,6 @@ spec:
       protocol: TCP
       targetPort: websocket
   selector:
-    {{- include "fuel-streams.selectorLabels" . | nindent 4 }}
-    app.kubernetes.io/service: external-ws
+    {{- include "fuel-streams.selectorLabels" (dict "name" "nats-client" "context" .) | nindent 4 }}
+    app.kubernetes.io/component: nats
 {{- end }}
-
diff --git a/cluster/charts/fuel-streams/templates/publisher/statefulset.yaml b/cluster/charts/fuel-streams/templates/publisher/statefulset.yaml
@@ -7,28 +7,24 @@ metadata:
   annotations:
     {{- include "set-value" (dict "context" $publisher "path" "config.annotations") | nindent 4 }}
   labels:
-    {{- include "fuel-streams.labels" . | nindent 4 }}
+    {{- include "fuel-streams.labels" (dict "name" "publisher" "context" .) | nindent 4 }}
     {{- include "set-value" (dict "context" $publisher "path" "config.labels") | nindent 4 }}
-    app.kubernetes.io/component: publisher
 spec:
   serviceName: {{ include "fuel-streams.fullname" . }}-publisher
   {{- if not $publisher.autoscaling.enabled }}
   replicas: {{ $publisher.replicas }}
   {{- end }}
   selector:
     matchLabels:
-      {{- include "fuel-streams.selectorLabels" . | nindent 6 }}
-      {{- include "set-value" (dict "context" $publisher "path" "config.selectorLabels") | nindent 6 }}
-      app.kubernetes.io/component: publisher
+      {{- include "fuel-streams.selectorLabels" (dict "name" "publisher" "context" .) | nindent 6 }}
 
   template:
     metadata:
       annotations:
         {{- include "set-value" (dict "context" $publisher "path" "config.podAnnotations") | nindent 8 }}
       labels:
-        {{- include "fuel-streams.selectorLabels" . | nindent 8 }}
+        {{- include "fuel-streams.labels" (dict "name" "publisher" "context" .) | nindent 8 }}
         {{- include "set-value" (dict "context" $publisher "path" "config.labels") | nindent 8 }}
-        app.kubernetes.io/component: publisher
 
     spec:
       {{- if .Values.serviceAccount.create }}