From ebdae8bffeed25d8cad95ef322ab44ebbaba55be Mon Sep 17 00:00:00 2001
From: treydock
Date: Thu, 13 Jun 2024 09:36:47 -0400
Subject: [PATCH] Use single Ingress for webservices (#253)

---
 charts/webservice/Chart.yaml | 4 +-
 .../webservice/templates/auth-deployment.yaml | 2 +-
 charts/webservice/templates/auth-ingress.yaml | 49 ------
 .../templates/hooks/remove-auth-ingress.yaml | 161 ++++++++++++++++++
 charts/webservice/templates/ingress.yaml | 57 +++----
 charts/webservice/values.yaml | 4 +
 6 files changed, 195 insertions(+), 82 deletions(-)
 delete mode 100644 charts/webservice/templates/auth-ingress.yaml
 create mode 100644 charts/webservice/templates/hooks/remove-auth-ingress.yaml

diff --git a/charts/webservice/Chart.yaml b/charts/webservice/Chart.yaml
index d727a94..277912a 100644
--- a/charts/webservice/Chart.yaml
+++ b/charts/webservice/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: webservice
 description: OSC webservice bootstrap Helm Chart
 type: application
-version: 0.35.2
+version: 0.36.0
 appVersion: "0.1.0"
 maintainers:
 - name: treydock
@@ -13,6 +13,6 @@ dependencies:
 # repository: file://../database
 condition: database.mariadb.enable, database.postgresql.enable
 - name: osc-common
- version: 0.5.0
+ version: 0.7.0
 repository: https://osc.github.io/osc-helm-charts/
 # repository: file://../common
diff --git a/charts/webservice/templates/auth-deployment.yaml b/charts/webservice/templates/auth-deployment.yaml
index ec5fbab..b961ce9 100644
--- a/charts/webservice/templates/auth-deployment.yaml
+++ b/charts/webservice/templates/auth-deployment.yaml
@@ -71,7 +71,7 @@ spec:
 {{- if ne $container.ingressPath "/" }}
 {{- $path = $container.ingressPath }}
 {{- end }}
- - --upstream=http://{{ tpl $container.name $root }}.{{ $root.Release.Namespace }}.svc.cluster.local:{{ $container.port | default (add $root.Values.service.port $idx) }}{{ $path }}
+ - --upstream=http://{{ include "webservice.name" $root }}.{{ $root.Release.Namespace }}.svc.cluster.local:{{ $container.port | default (add $root.Values.service.port $idx) }}{{ $path }}
 {{- end }}
 - --metrics-address=:{{ .Values.auth.metricsService.port }}
 {{- if (include "webservice.idpHost" .) }}
diff --git a/charts/webservice/templates/auth-ingress.yaml b/charts/webservice/templates/auth-ingress.yaml
deleted file mode 100644
index 4eeccb9..0000000
--- a/charts/webservice/templates/auth-ingress.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{ if .Values.auth.enable }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ include "webservice.auth.name" . }}
- labels:
- {{- include "webservice.auth.labels" . | nindent 4 }}
- {{- if (include "webservice.alert.receiver" .) }}
- receiver: {{ include "webservice.alert.receiver" . }}
- {{- end }}
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt
- {{- with .Values.ingress.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.auth.ingress.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- if (include "webservice.ingressHostAlias" .) }}
- nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" .) . }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.auth.ingress.className | default .Values.ingress.className }}
- tls:
- - hosts:
- {{ tpl (include "webservice.ingressHost" .) . | quote }}
- {{- if (include "webservice.ingressHostAlias" .) }}
- - {{ tpl (include "webservice.ingressHostAlias" .) . | quote }}
- {{- end }}
- secretName: {{ include "webservice.auth.name" . }}-cert
- rules:
- - host: {{ tpl (include "webservice.ingressHost" .) . | quote }}
- http:
- paths:
- - path: /oauth2
- pathType: Prefix
- backend:
- service:
- name: {{ include "webservice.auth.name" . }}
- port:
- number: {{ .Values.auth.service.port }}
- - path: /ping
- pathType: Prefix
- backend:
- service:
- name: {{ include "webservice.auth.name" . }}
- port:
- number: {{ .Values.auth.service.port }}
-{{ end }}
diff --git a/charts/webservice/templates/hooks/remove-auth-ingress.yaml b/charts/webservice/templates/hooks/remove-auth-ingress.yaml
new file mode 100644
index 0000000..e2a43e9
--- /dev/null
+++ b/charts/webservice/templates/hooks/remove-auth-ingress.yaml
@@ -0,0 +1,161 @@
+{{ if .Values.auth.enable }}
+{{ $name := printf "%s-remove-auth-ingress" (include "webservice.name" .) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-25"
+ "helm.sh/hook-delete-policy": hook-succeeded
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "osc.common.imagePullSecret" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-20"
+ "helm.sh/hook-delete-policy": hook-succeeded
+imagePullSecrets:
+ - name: {{ $name }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-15"
+ "helm.sh/hook-delete-policy": hook-succeeded
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["delete"]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $name }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $name }}
+ labels:
+ app: "remove-auth-ingress"
+ {{ include "osc.common.serviceAccount" . }}
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ name: {{ $name }}
+ labels:
+ app: "remove-auth-ingress"
+ {{ include "osc.common.serviceAccount" . }}
+ {{- include "webservice.selectorLabels" . | nindent 8 }}
+ spec:
+ serviceAccountName: {{ $name }}
+ securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+ restartPolicy: Never
+ containers:
+ - name: remove-auth-ingress
+ image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
+ command:
+ - "kubectl"
+ args:
+ - "delete"
+ - "ingress"
+ - {{ include "webservice.auth.name" . | quote }}
+ {{- range $container := .Values.containers }}
+ - {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
+ {{- end }}
+ - "--namespace={{ .Release.Namespace }}"
+ - "--ignore-not-found=true"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ privileged: false
+ resources:
+ limits:
+ cpu: 1
+ memory: 512Mi
+ requests:
+ cpu: 500m
+ memory: 265Mi
+ - name: remove-auth-secret
+ image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
+ command:
+ - "kubectl"
+ args:
+ - "delete"
+ - "secret"
+ - {{ include "webservice.auth.name" . }}-cert
+ - "--namespace={{ .Release.Namespace }}"
+ - "--ignore-not-found=true"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ privileged: false
+ resources:
+ limits:
+ cpu: 1
+ memory: 512Mi
+ requests:
+ cpu: 500m
+ memory: 265Mi
+ nodeSelector:
+ {{ include "osc.common.nodeSelectorRole" . }}
+ {{- with .Values.nodeSelector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{ end }}
diff --git a/charts/webservice/templates/ingress.yaml b/charts/webservice/templates/ingress.yaml
index 366592a..0216dd3 100644
--- a/charts/webservice/templates/ingress.yaml
+++ b/charts/webservice/templates/ingress.yaml
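Review bot: The Role in this hunk grants `delete` on every Secret and every Ingress in the release namespace, while the Job only ever deletes objects it names explicitly (the auth Ingress, one Ingress per entry of `.Values.containers`, and the `-cert` Secret), so the hook ServiceAccount is wider than it needs to be; a `resourceNames` list on both rules confines it to exactly those objects, and if kubectl's default `--wait` then turns out to need read access on them, add `get` rather than dropping the name restriction. The `hook-delete-policy: hook-succeeded` on all five resources also means a failed run leaves the Job behind and the next upgrade fails creating a Job of the same name; `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` avoids that. Both containers request `memory: 265Mi`, which looks like a typo for `256Mi`. A header comment under the `{{ if }}` saying that this hook removes the per-container Ingresses and the auth Ingress/certificate Secret created by chart versions before the single-Ingress layout, and can be dropped once all releases are past it, would help a later maintainer retire it.
```yaml
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames:
    - {{ printf "%s-cert" (include "webservice.auth.name" .) | quote }}
  verbs: ["delete"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  resourceNames:
    - {{ include "webservice.auth.name" . | quote }}
    {{- range $container := .Values.containers }}
    - {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
    {{- end }}
  verbs: ["delete"]
# … unchanged: RoleBinding, Job and the rest of the hook …
```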
@@ -1,59 +1,56 @@
-{{ $root := . }}
-{{ range $idx, $container := .Values.containers }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- {{- if eq (len $root.Values.containers) 1 }}
- name: {{ include "webservice.name" $root }}
- {{- else }}
- name: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}
- {{- end }}
+ name: {{ include "webservice.name" . }}
 labels:
- {{- include "webservice.labels" $root | nindent 4 }}
- {{- if (include "webservice.alert.receiver" $root) }}
- receiver: {{ include "webservice.alert.receiver" $root }}
+ {{- include "webservice.labels" . | nindent 4 }}
+ {{- if (include "webservice.alert.receiver" .) }}
+ receiver: {{ include "webservice.alert.receiver" . }}
 {{- end }}
 annotations:
- {{- if $root.Values.auth.enable }}
 prometheus.io/probe_scheme: 'https'
- {{- end }}
- {{- if not $root.Values.auth.enable }}
 cert-manager.io/cluster-issuer: letsencrypt
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with $root.Values.ingress.annotations }}
+ {{- if .Values.auth.enable }}
+ {{- with .Values.auth.ingress.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- if and (ne $container.auth false) (eq $root.Values.auth.enable true) }}
- nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
- nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
 {{- end }}
- {{- if (include "webservice.ingressHostAlias" $root) }}
- nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" $root) $root }}
+ {{- if (include "webservice.ingressHostAlias" .) }}
+ nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" .) . }}
 {{- end }}
- {{- if eq $root.Values.appType "rshiny" }}
- {{- toYaml $root.Values.ingress.rShinyAnnotations | nindent 4 }}
+ {{- if eq .Values.appType "rshiny" }}
+ {{- toYaml .Values.ingress.rShinyAnnotations | nindent 4 }}
 {{- end }}
 spec:
- ingressClassName: {{ $root.Values.ingress.className }}
-{{- if or (eq $container.auth false) (eq $root.Values.auth.enable false) }}
+ ingressClassName: {{ .Values.ingress.className }}
 tls:
 - hosts:
- - {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" $root) $root) | quote }}
- {{- if (include "webservice.ingressHostAlias" $root) }}
- - {{ tpl (include "webservice.ingressHostAlias" $root) $root | quote }}
+ - {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" .) .) | quote }}
+ {{- if (include "webservice.ingressHostAlias" .) }}
+ - {{ tpl (include "webservice.ingressHostAlias" .) . | quote }}
 {{- end }}
- secretName: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}-cert
-{{- end }}
+ secretName: {{ include "webservice.name" . }}-cert
 rules:
+ {{ $root := . }}
+ {{- range $idx, $container := .Values.containers }}
 - host: {{ tpl (include "webservice.ingressHost" $root) $root | quote }}
 http:
 paths:
- - path: {{ $container.ingressPath }}
+ - path: /
 pathType: Prefix
 backend:
 service:
+ {{- if $root.Values.auth.enable }}
+ name: {{ include "webservice.auth.name" $root }}
+ port:
+ number: {{ $root.Values.auth.service.port }}
+ {{- else }}
 name: {{ include "webservice.name" $root }}
 port:
 number: {{ $container.port | default (add $root.Values.service.port $idx) }}
-{{ end }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/webservice/values.yaml b/charts/webservice/values.yaml
index 18fc731..ebec844 100644
--- a/charts/webservice/values.yaml
+++ b/charts/webservice/values.yaml
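Review bot: Every iteration of the `range` over `.Values.containers` now emits a rule for the same host with `path: /`, so with more than one container and `auth.enable` false the Ingress carries duplicate `/` paths pointing at different ports (ingress-nginx, as far as I recall, keeps only one of them and warns), and the `$container.ingressPath` that auth-deployment.yaml in this same commit still uses to build `--upstream` is no longer reflected in the Ingress at all. Keeping the per-container path for the unauthenticated layout, e.g. `- path: {{ if $root.Values.auth.enable }}/{{ else }}{{ $container.ingressPath }}{{ end }}`, and emitting a single rule when auth is enabled (all range entries are identical in that branch) would restore routable output. Dropping the `ne $container.auth false` / `eq $container.auth false` branches also means a container-level `auth: false` override is now silently ignored: whenever `auth.enable` is set, every path goes through the auth service; if that per-container key is still documented in values, the template should either honour it or `fail` on it so the change in exposure is explicit. A short comment above `{{ $root := . }}` such as `# capture the root context; the range below rebinds the dot` would explain why the variable is declared mid-document.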
@@ -229,6 +229,10 @@ database:
 podSelector:
 app.kubernetes.io/name: '{{ include "webservice.name" . }}'
+hook:
+ image:
+ repository: docker-registry.osc.edu/kubernetes/bitnami/kubectl
+ tag: '1.27.14'
 # Used for network policies
 ingressName: ingress-nginx
 prometheusName: prometheus
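Review bot: The new `hook` stanza carries no comment saying what the image is used for, unlike the `# Used for network policies` note right below it; add `# kubectl image for the pre-install/pre-upgrade hook Job that removes the legacy per-container and auth Ingress objects` above `hook:`. Quoting the tag (`'1.27.14'`) is correct, since an unquoted value would be parsed as a float. Because this image runs under a ServiceAccount that can delete Secrets and Ingresses in the release namespace, it is worth noting in the same comment that the tag should be kept in step with the cluster's kubectl skew policy and updated deliberately rather than floated.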