
Commit 35ff398

feat(deployment): expose HTTP server for CAS (#305)
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 parent 9853beb commit 35ff398

File tree

5 files changed

+222
-14
lines changed

deployment/chainloop/Chart.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Chainloop is an open source software supply chain control plane, a
44

55
type: application
66
# Bump the patch (not minor, not major) version on each change in the Chart Source code
7-
version: 1.10.2
7+
version: 1.10.3
88
# Do not update appVersion, this is handled automatically by the release process
99
appVersion: v0.15.0
1010

deployment/chainloop/README.md

Lines changed: 29 additions & 12 deletions
@@ -360,17 +360,17 @@ chainloop config save \
360360
361361
### Secrets Backend
362362
363-
| Name | Description | Value |
364-
| ------------------------------------------- | ------------------------------------------------------------------------- | ----------- |
365-
| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault` |
366-
| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` |
367-
| `secretsBackend.vault.address` | Vault address | |
368-
| `secretsBackend.vault.token` | Vault authentication token | |
369-
| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | |
370-
| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | |
371-
| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | |
372-
| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | |
373-
| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | |
363+
| Name | Description | Value |
364+
| --------------------------------------------------- | ------------------------------------------------------------------------- | ----------- |
365+
| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault` |
366+
| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` |
367+
| `secretsBackend.vault.address` | Vault address | |
368+
| `secretsBackend.vault.token` | Vault authentication token | |
369+
| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | |
370+
| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | |
371+
| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | |
372+
| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | |
373+
| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | |
374374
375375
### Authentication
376376
@@ -477,14 +477,31 @@ chainloop config save \
477477
478478
| Name | Description | Value |
479479
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
480+
| `cas.service.type` | Service type | `ClusterIP` |
481+
| `cas.service.port` | Service port | `80` |
482+
| `cas.service.targetPort` | Service target Port | `http` |
483+
| `cas.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | |
480484
| `cas.serviceAPI.type` | Service type | `ClusterIP` |
481485
| `cas.serviceAPI.port` | Service port | `80` |
482486
| `cas.serviceAPI.targetPort` | Service target Port | `grpc` |
483487
| `cas.serviceAPI.annotations` | Service annotations | |
484488
| `cas.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | |
489+
| `cas.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` |
490+
| `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` |
491+
| `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` |
492+
| `cas.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
493+
| `cas.ingress.path` | Default path for the ingress record | `/` |
494+
| `cas.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
495+
| `cas.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` |
496+
| `cas.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
497+
| `cas.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
498+
| `cas.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
499+
| `cas.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
500+
| `cas.ingress.secrets` | Custom TLS certificates as secrets | `[]` |
501+
| `cas.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
485502
| `cas.ingressAPI.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` |
486503
| `cas.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` |
487-
| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cp.dev.local` |
504+
| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cas.dev.local` |
488505
| `cas.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
489506
| `cas.ingressAPI.path` | Default path for the ingress record | `/` |
490507
| `cas.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | |
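Review bot: the new `cas.ingress.tls` row says the host is "defined at `controlplane.ingress.hostname` parameter"; in this table it must read `cas.ingress.hostname`, otherwise readers enable TLS against the wrong key. Two smaller points in the same hunk: `%%MAIN_CONTAINER_NAME%%` in the `cas.ingress.enabled` description is an unexpanded generator placeholder (it is also present in the pre-existing `cas.ingressAPI.enabled` row), and "will be be used" in the `cas.ingress.ingressClassName` row is a doubled word. Since this table is generated from the `@param` comments in values.yaml, fix the source comments there and regenerate rather than editing the README by hand.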
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
{{- if .Values.cas.ingress.enabled }}
2+
{{- $fullName := include "chainloop.cas.fullname" . -}}
3+
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
4+
kind: Ingress
5+
metadata:
6+
name: {{ $fullName }}
7+
namespace: {{ include "common.names.namespace" . | quote }}
8+
labels: {{- include "chainloop.cas.labels" . | nindent 4 }}
9+
{{- if or .Values.cas.ingress.annotations .Values.commonAnnotations }}
10+
annotations:
11+
{{- if .Values.cas.ingress.annotations }}
12+
{{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingress.annotations "context" $) | nindent 4 }}
13+
{{- end }}
14+
{{- if .Values.commonAnnotations }}
15+
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
16+
{{- end }}
17+
{{- end }}
18+
spec:
19+
{{- if and .Values.cas.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
20+
ingressClassName: {{ .Values.cas.ingress.ingressClassName | quote }}
21+
{{- end }}
22+
rules:
23+
{{- if .Values.cas.ingress.hostname }}
24+
- host: {{ .Values.cas.ingress.hostname }}
25+
http:
26+
paths:
27+
{{- if .Values.cas.ingress.extraPaths }}
28+
{{- toYaml .Values.cas.ingress.extraPaths | nindent 10 }}
29+
{{- end }}
30+
- path: {{ .Values.cas.ingress.path }}
31+
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
32+
pathType: {{ .Values.cas.ingress.pathType }}
33+
{{- end }}
34+
backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
35+
{{- end }}
36+
{{- range .Values.cas.ingress.extraHosts }}
37+
- host: {{ .name | quote }}
38+
http:
39+
paths:
40+
- path: {{ default "/" .path }}
41+
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
42+
pathType: {{ default "ImplementationSpecific" .pathType }}
43+
{{- end }}
44+
backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
45+
{{- end }}
46+
{{- if .Values.cas.ingress.extraRules }}
47+
{{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraRules "context" $) | nindent 4 }}
48+
{{- end }}
49+
{{- if or (and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned)) .Values.cas.ingress.extraTls }}
50+
tls:
51+
{{- if and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned) }}
52+
- hosts:
53+
- {{ .Values.cas.ingress.hostname | quote }}
54+
secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }}
55+
{{- end }}
56+
{{- if .Values.cas.ingress.extraTls }}
57+
{{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraTls "context" $) | nindent 4 }}
58+
{{- end }}
59+
{{- end }}
60+
{{- end }}
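Review bot: the `tls:` block at the end of this template points the main host at `secretName: <hostname>-tls` whenever `cas.ingress.tls` is set together with `selfSigned` or a cert-manager annotation, but nothing in this change creates that secret for the `selfSigned` or `cas.ingress.secrets` paths that values.yaml documents; confirm a TLS-secrets template covering the CAS ingress exists in the chart, otherwise `selfSigned: true` renders an Ingress that references a secret that is never created. Worth stating in the values comment as well: with the defaults (`tls: false`, no annotations) this Ingress exposes the CAS HTTP endpoint in cleartext, so production deployments should set `tls: true` with a real issuer. The backend lookups use `servicePort "http"`, which matches the port name in the new Service, so that part is consistent.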
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
apiVersion: v1
2+
kind: Service
3+
metadata:
4+
name: {{ include "chainloop.cas.fullname" . }}
5+
labels:
6+
{{- include "chainloop.cas.labels" . | nindent 4 }}
7+
{{- with .Values.cas.service.annotations }}
8+
annotations:
9+
{{- toYaml . | nindent 4 }}
10+
{{- end }}
11+
spec:
12+
type: {{ .Values.cas.service.type }}
13+
ports:
14+
- port: {{ .Values.cas.service.port }}
15+
targetPort: {{ .Values.cas.service.targetPort }}
16+
protocol: TCP
17+
name: http
18+
nodePort: {{ include "chainloop.node_port" .Values.cas.service }}
19+
selector: {{- include "chainloop.cas.selectorLabels" . | nindent 4 }}
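Review bot: `nodePort:` is rendered unconditionally from `chainloop.node_port`; check that the helper emits nothing (not an empty string) when `cas.service.nodePorts.http` is unset, which is the default since `nodePorts` is commented out in values.yaml, because `nodePort: ""` fails API validation on a `ClusterIP` Service while a bare `nodePort:` (null) is accepted. The port is named `http` and defaults to `targetPort: http`, so the CAS deployment must expose a container port with that name; the deployment is not touched in this diff, so please confirm it already does.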

deployment/chainloop/values.yaml

Lines changed: 113 additions & 1 deletion
@@ -454,6 +454,19 @@ cas:
454454
name: ""
455455

456456
## @section CAS Networking
457+
service:
458+
## @param cas.service.type Service type
459+
type: ClusterIP
460+
## @param cas.service.port Service port
461+
port: 80
462+
## @param cas.service.targetPort Service target Port
463+
targetPort: http
464+
## @extra cas.service.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767>
465+
# nodePorts:
466+
# http: "30800"
467+
annotations: {}
468+
## @skip cas.service.annotations
469+
457470
serviceAPI:
458471
## @param cas.serviceAPI.type Service type
459472
type: ClusterIP
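Review bot: the `## @skip cas.service.annotations` marker is placed after `annotations: {}` instead of on the line above it, so the README generator will not attach it to that key (every other entry in this block puts its `@param`/`@extra` comment directly above the value); move the marker up one line so `annotations` is skipped as intended.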
@@ -470,6 +483,105 @@ cas:
470483
# nodePorts:
471484
# http: "30901"
472485

486+
## ref: http://kubernetes.io/docs/user-guide/ingress/
487+
ingress:
488+
## @param cas.ingress.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%%
489+
##
490+
enabled: false
491+
## @param cas.ingress.pathType Ingress path type
492+
##
493+
pathType: ImplementationSpecific
494+
## @param cas.ingress.hostname Default host for the ingress record
495+
##
496+
hostname: cas.dev.local
497+
## @param cas.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
498+
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
499+
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
500+
##
501+
ingressClassName: ""
502+
## @param cas.ingress.path Default path for the ingress record
503+
## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
504+
##
505+
path: /
506+
## @param cas.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
507+
## Use this parameter to set the required annotations for cert-manager, see
508+
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
509+
## e.g:
510+
## annotations:
511+
## kubernetes.io/cas.ingress.class: nginx
512+
## cert-manager.io/cluster-issuer: cluster-issuer-name
513+
##
514+
annotations: {}
515+
## @param cas.ingress.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter
516+
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}`
517+
## You can:
518+
## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret
519+
## - Rely on cert-manager to create it by setting the corresponding annotations
520+
## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true`
521+
##
522+
tls: false
523+
## @param cas.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
524+
##
525+
selfSigned: false
526+
## @param cas.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
527+
## e.g:
528+
## extraHosts:
529+
## - name: cp.dev.local
530+
## path: /
531+
##
532+
extraHosts: []
533+
## @param cas.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
534+
## e.g:
535+
## extraPaths:
536+
## - path: /*
537+
## backend:
538+
## serviceName: ssl-redirect
539+
## servicePort: use-annotation
540+
##
541+
extraPaths: []
542+
## @param cas.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
543+
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
544+
## e.g:
545+
## extraTls:
546+
## - hosts:
547+
## - cp.dev.local
548+
## secretName: cp.dev.local-tls
549+
##
550+
extraTls: []
551+
## @param cas.ingress.secrets Custom TLS certificates as secrets
552+
## NOTE: 'key' and 'certificate' are expected in PEM format
553+
## NOTE: 'name' should line up with a 'secretName' set further up
554+
## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
555+
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
556+
## It is also possible to create and manage the certificates outside of this helm chart
557+
## Please see README.md for more information
558+
## e.g:
559+
## secrets:
560+
## - name: cp.dev.local-tls
561+
## key: |-
562+
## -----BEGIN RSA PRIVATE KEY-----
563+
## ...
564+
## -----END RSA PRIVATE KEY-----
565+
## certificate: |-
566+
## -----BEGIN CERTIFICATE-----
567+
## ...
568+
## -----END CERTIFICATE-----
569+
##
570+
secrets: []
571+
## @param cas.ingress.extraRules Additional rules to be covered with this ingress record
572+
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
573+
## e.g:
574+
## extraRules:
575+
## - host: example.local
576+
## http:
577+
## path: /
578+
## backend:
579+
## service:
580+
## name: example-svc
581+
## port:
582+
## name: http
583+
##
584+
extraRules: []
473585

474586
## ref: http://kubernetes.io/docs/user-guide/ingress/
475587
ingressAPI:
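Review bot: several comments in the new `cas.ingress` block were copied from the controlplane section and still name the wrong keys: the `tls` description and the three bullet lines under it reference `controlplane.ingress.hostname`, `controlplane.ingress.secrets` and `controlplane.ingress.selfSigned=true`, and because the README table is generated from these comments the wrong names propagate there too; replace them with the `cas.ingress.*` equivalents. The annotations example also reads `kubernetes.io/cas.ingress.class: nginx`, which looks like a search-and-replace of `ingress.class`; the annotation key is `kubernetes.io/ingress.class`. The `extraHosts`, `extraTls` and `secrets` examples still use `cp.dev.local`, which is harmless but inconsistent with the `cas.dev.local` default set above.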
@@ -481,7 +593,7 @@ cas:
481593
pathType: ImplementationSpecific
482594
## @param cas.ingressAPI.hostname Default host for the ingress record
483595
##
484-
hostname: api.cp.dev.local
596+
hostname: api.cas.dev.local
485597
## @param cas.ingressAPI.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
486598
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
487599
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
