From 2231360f723022816af3f1f0e9fa8228c1fb8385 Mon Sep 17 00:00:00 2001 From: Ben Hardill Date: Fri, 29 Dec 2023 10:57:02 +0000 Subject: [PATCH] Add support for using cert manager to issue TLS certs This allows K8s to use cert-manager.io to issue TLS certs for both the core Forge apps and the Instances. --- helm/flowforge/README.md | 1 + helm/flowforge/templates/broker.yaml | 11 ++++++++++- helm/flowforge/templates/configmap.yaml | 3 +++ helm/flowforge/templates/service-ingress.yaml | 13 +++++++++++-- helm/flowforge/values.schema.json | 3 +++ 5 files changed, 28 insertions(+), 3 deletions(-) diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md index 95340be9..d0107ef7 100644 --- a/helm/flowforge/README.md +++ b/helm/flowforge/README.md @@ -148,6 +148,7 @@ Everything under `forge.rate_limits` is used as input to Fastify Rate Limit plug ### Ingress - `ingress.annotations` ingress annotations (default is `{}`). This value is also applied to Editor instances created by FlowForge. - `ingress.className` ingress class name (default is `"""`). This value is also applied to Editor instances created by FlowForge. + - `ingress.certManagerIssuer` the name of the CertManager Issuer to use to create HTTPS certificates. (default is not set) `ingress.annotations` values can contain the following tokens that will be replaced as follows: diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml index 349889aa..16e9f6a9 100644 --- a/helm/flowforge/templates/broker.yaml +++ b/helm/flowforge/templates/broker.yaml 
@@ -134,8 +134,11 @@ metadata: name: flowforge-broker labels: app: flowforge-broker - {{- if .Values.ingress.annotations }} annotations: + {{- if .Values.ingress.certManagerIssuer }} + cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }} + {{- end }} + {{- if .Values.ingress.annotations }} {{ toYaml .Values.ingress.annotations | replace "{{ instanceHost }}" $brokerHostname | replace "{{ serviceName }}" "flowforge-broker" | indent 4 }} {{- end }} spec: @@ -153,6 +156,12 @@ spec: name: flowforge-broker port: number: 1884 + {{- if .Values.ingress.certManagerIssuer }} + tls: + - hosts: + - mqtt.{{ .Values.forge.domain }} + secretName: broker-tls + {{- end }} # --- # apiVersion: v1 # kind: Service diff --git a/helm/flowforge/templates/configmap.yaml b/helm/flowforge/templates/configmap.yaml index b1b36a7e..6ab38bb5 100644 --- a/helm/flowforge/templates/configmap.yaml +++ b/helm/flowforge/templates/configmap.yaml @@ -53,6 +53,9 @@ data: {{- if .Values.forge.privateCA }} privateCA: {{ .Values.forge.privateCA.configMapName }} {{- end }} + {{- if .Values.ingress.certManagerIssuer }} + certManagerIssuer: {{ .Values.ingress.certManagerIssuer }} + {{- end }} {{- if .Values.forge.email }} email: enabled: true diff --git a/helm/flowforge/templates/service-ingress.yaml b/helm/flowforge/templates/service-ingress.yaml index 25cba145..0a3e5c56 100644 --- a/helm/flowforge/templates/service-ingress.yaml +++ b/helm/flowforge/templates/service-ingress.yaml @@ -15,8 +15,11 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: flowforge-ingress - {{- if .Values.ingress.annotations }} annotations: + {{- if .Values.ingress.certManagerIssuer }} + cert-manager.io/cluster-issuer: {{ $.Values.ingress.certManagerIssuer }} + {{- end }} + {{- if .Values.ingress.annotations }} {{ toYaml .Values.ingress.annotations | replace "{{ instanceHost }}" $forgeHostname | replace "{{ serviceName }}" "forge" | indent 4 }} {{- end }} spec: 
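Review bot: The annotation added in the first helm/flowforge/templates/broker.yaml hunk is hard-coded as `cert-manager.io/cluster-issuer`, while the README line in this commit describes the value as the name of a "CertManager Issuer". A namespaced Issuer is selected with `cert-manager.io/issuer`, so a user who supplies one would presumably get no certificate; either document that a ClusterIssuer is required or make the kind selectable. The value is also interpolated unquoted, and `cert-manager.io/cluster-issuer: {{ .Values.ingress.certManagerIssuer | quote }}` would keep a value containing `: ` or ` #` from altering the rendered manifest. The same applies to the matching lines in configmap.yaml and in the first service-ingress.yaml hunk. If `ingress.annotations` already sets this annotation, the rendered mapping will contain a duplicate key.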
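Review bot: The `tls.hosts` entry in the second broker.yaml hunk is built as `mqtt.{{ .Values.forge.domain }}`, whereas the annotations block of the same template substitutes `$brokerHostname`. The definition of that variable is outside the hunk, but if it is ever derived differently the certificate would be requested for a name the Ingress rule does not serve. Using `- {{ $brokerHostname }}` would mirror what service-ingress.yaml does with `$forgeHostname`. The fixed `secretName: broker-tls` (and `flowforge-tls` in the last service-ingress.yaml hunk) deserves a comment such as `# Secret is created and owned by cert-manager; must not clash with an existing Secret in this namespace`.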
@@ -24,7 +27,7 @@ spec: ingressClassName: {{ $.Values.ingress.className }} {{- end }} rules: - - host: {{ $forgeHostname}} + - host: {{ $forgeHostname }} http: paths: - pathType: Prefix @@ -34,3 +37,9 @@ spec: name: forge port: number: 80 + {{- if .Values.ingress.certManagerIssuer }} + tls: + - hosts: + - {{ $forgeHostname }} + secretName: flowforge-tls + {{- end }} diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json index acf57f19..2bc5665b 100644 --- a/helm/flowforge/values.schema.json +++ b/helm/flowforge/values.schema.json @@ -412,6 +412,9 @@ }, "className": { "type": "string" + }, + "certManagerIssuer": { + "type": "string" } } },
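Review bot: The new `certManagerIssuer` entry in helm/flowforge/values.schema.json accepts any string, including one with newlines or YAML indicators, and the templates in this commit interpolate it unquoted into an Ingress annotation and the ConfigMap. Constraining it at validation time, e.g. `"certManagerIssuer": { "type": "string", "pattern": "^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$" }`, would reject malformed values before anything is rendered. The pattern shown is a constructed example following Kubernetes DNS-1123 subdomain naming, and should be checked against the names cert-manager accepts in the target cluster.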