Add support for using cert manager to issue TLS certs

This allows K8s to use cert-manager.io to issue TLS certs for both the core Forge apps and the Instances.
FlowFuse · Dec 29, 2023 · 2231360 · 2231360
1 parent 07c5394
commit 2231360
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 3 deletions.
diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
@@ -148,6 +148,7 @@ Everything under `forge.rate_limits` is used as input to Fastify Rate Limit plug
  ### Ingress
  - `ingress.annotations` ingress annotations (default is `{}`). This value is also applied to Editor instances created by FlowForge.
  - `ingress.className` ingress class name (default is `"""`). This value is also applied to Editor instances created by FlowForge. 
+ - `ingress.certManagerIssuer` the name of the CertManager Issuer to use to create HTTPS certificates. (default is not set)
 
  `ingress.annotations` values can contain the following tokens that will be replaced as follows:
 

diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml
@@ -134,8 +134,11 @@ metadata:
   name: flowforge-broker
   labels:
     app: flowforge-broker
-  {{- if .Values.ingress.annotations }}
   annotations:
+  {{- if .Values.ingress.certManagerIssuer }}
+    cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }}
+  {{- end }}
+  {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations | replace "{{ instanceHost }}" $brokerHostname | replace "{{ serviceName }}" "flowforge-broker" | indent 4 }}
   {{- end }}
 spec:
@@ -153,6 +156,12 @@ spec:
                 name: flowforge-broker
                 port:
                   number: 1884
+  {{- if .Values.ingress.certManagerIssuer }}
+  tls:
+  - hosts:
+    - mqtt.{{ .Values.forge.domain }}
+    secretName: broker-tls
+  {{- end }}
 # ---
 # apiVersion: v1
 # kind: Service

diff --git a/helm/flowforge/templates/configmap.yaml b/helm/flowforge/templates/configmap.yaml
@@ -53,6 +53,9 @@ data:
         {{- if .Values.forge.privateCA }}
         privateCA: {{ .Values.forge.privateCA.configMapName }}
         {{- end }}
+        {{- if .Values.ingress.certManagerIssuer }}
+        certManagerIssuer: {{ .Values.ingress.certManagerIssuer }}
+        {{- end }}
     {{- if .Values.forge.email }}
     email:
       enabled: true

diff --git a/helm/flowforge/templates/service-ingress.yaml b/helm/flowforge/templates/service-ingress.yaml
@@ -15,16 +15,19 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: flowforge-ingress
-  {{- if .Values.ingress.annotations }}
   annotations:
+  {{- if .Values.ingress.certManagerIssuer }}
+    cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }}
+  {{- end }}
+  {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations |  replace "{{ instanceHost }}" $forgeHostname | replace "{{ serviceName }}" "forge" | indent 4 }}
   {{- end }}
 spec:
   {{- if and $.Values.ingress.className (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ $.Values.ingress.className }}
   {{- end }}
   rules:
-  - host: {{ $forgeHostname}}
+  - host: {{ $forgeHostname }}
     http:
       paths:
       - pathType: Prefix
@@ -34,3 +37,9 @@ spec:
             name: forge
             port:
               number: 80
+  {{- if .Values.ingress.certManagerIssuer }}
+  tls:
+  - hosts:
+    - {{ $forgeHostname }}
+    secretName: flowforge-tls
+  {{- end }}
diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json
@@ -412,6 +412,9 @@
                 },
                 "className": {
                     "type": "string"
+                },
+                "certManagerIssuer": {
+                    "type": "string"
                 }
             }
         },