diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml index ba64d20a4..547499864 100644 --- a/deployment/chainloop/Chart.yaml +++ b/deployment/chainloop/Chart.yaml @@ -4,7 +4,7 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.10.2 +version: 1.10.3 # Do not update appVersion, this is handled automatically by the release process appVersion: v0.15.0 diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index 1b862b709..b2559eaa9 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md 
@@ -360,17 +360,17 @@ chainloop config save \ ### Secrets Backend -| Name | Description | Value | -| ------------------------------------------- | ------------------------------------------------------------------------- | ----------- | -| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault` | -| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | -| `secretsBackend.vault.address` | Vault address | | -| `secretsBackend.vault.token` | Vault authentication token | | -| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | -| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | -| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | -| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | -| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | +| Name | Description | Value | +| --------------------------------------------------- | ------------------------------------------------------------------------- | ----------- | +| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault` | +| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | +| `secretsBackend.vault.address` | Vault address | | +| `secretsBackend.vault.token` | Vault authentication token | | +| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | +| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | +| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | +| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | +| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | ### Authentication 
@@ -477,14 +477,31 @@ chainloop config save \ | Name | Description | Value | | --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `cas.service.type` | Service type | `ClusterIP` | +| `cas.service.port` | Service port | `80` | +| `cas.service.targetPort` | Service target Port | `http` | +| `cas.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | | `cas.serviceAPI.type` | Service type | `ClusterIP` | | `cas.serviceAPI.port` | Service port | `80` | | `cas.serviceAPI.targetPort` | Service target Port | `grpc` | | `cas.serviceAPI.annotations` | Service annotations | | | `cas.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | +| `cas.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | +| `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` | +| `cas.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `cas.ingress.path` | Default path for the ingress record | `/` | +| `cas.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | +| `cas.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `cas.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `cas.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `cas.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `cas.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `cas.ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `cas.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | | `cas.ingressAPI.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | | `cas.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | -| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cp.dev.local` | +| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cas.dev.local` | | `cas.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | | `cas.ingressAPI.path` | Default path for the ingress record | `/` | | `cas.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | | diff --git a/deployment/chainloop/templates/cas/ingress.yaml b/deployment/chainloop/templates/cas/ingress.yaml new file mode 100644 index 000000000..01053851a --- /dev/null +++ b/deployment/chainloop/templates/cas/ingress.yaml 
@@ -0,0 +1,60 @@
+{{- if .Values.cas.ingress.enabled }}
+{{- $fullName := include "chainloop.cas.fullname" . -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.cas.labels" . | nindent 4 }}
+ {{- if or .Values.cas.ingress.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.cas.ingress.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingress.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if and .Values.cas.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+ ingressClassName: {{ .Values.cas.ingress.ingressClassName | quote }}
+ {{- end }}
+ rules:
+ {{- if .Values.cas.ingress.hostname }}
+ - host: {{ .Values.cas.ingress.hostname }}
+ http:
+ paths:
+ {{- if .Values.cas.ingress.extraPaths }}
+ {{- toYaml .Values.cas.ingress.extraPaths | nindent 10 }}
+ {{- end }}
+ - path: {{ .Values.cas.ingress.path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}}
+ pathType: {{ .Values.cas.ingress.pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- range .Values.cas.ingress.extraHosts }}
+ - host: {{ .name | quote }}
+ http:
+ paths:
+ - path: {{ default "/" .path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+ pathType: {{ default "ImplementationSpecific" .pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if .Values.cas.ingress.extraRules }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraRules "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned)) .Values.cas.ingress.extraTls }}
+ tls:
+ {{- if and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned) }}
+ - hosts:
+ - {{ .Values.cas.ingress.hostname | quote }}
+ secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }}
+ {{- end }}
+ {{- if .Values.cas.ingress.extraTls }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraTls "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/deployment/chainloop/templates/cas/service_http.yaml b/deployment/chainloop/templates/cas/service_http.yaml
new file mode 100644
index 000000000..c7beb1afa
--- /dev/null
+++ b/deployment/chainloop/templates/cas/service_http.yaml
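Review bot: Nothing in this diff consumes `cas.ingress.secrets` or `cas.ingress.selfSigned`, yet the `tls:` stanza at the end of the hunk references `secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }}` whenever `selfSigned` is set; if the chart's existing TLS-secret template only iterates `cas.ingressAPI` (it is outside this diff), enabling `cas.ingress.tls` with `selfSigned: true` produces an Ingress pointing at a secret that is never created. The same condition also omits the `tls:` stanza when `cas.ingress.tls` is true and the operator supplies `cas.ingress.secrets` without cert-manager annotations or `selfSigned`, so the CAS HTTP endpoint stays plaintext even though values.yaml presents `secrets` as a way to provide the certificate; either widen the condition or document that `secrets` must be paired with `extraTls`. A one-line header such as `# HTTP ingress for the CAS; fronts the "http" port of the Service in service_http.yaml (gRPC is handled by ingress_api)` would make the split from the existing API ingress explicit.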
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.cas.fullname" . }} + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- with .Values.cas.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.cas.service.type }} + ports: + - port: {{ .Values.cas.service.port }} + targetPort: {{ .Values.cas.service.targetPort }} + protocol: TCP + name: http + nodePort: {{ include "chainloop.node_port" .Values.cas.service }} + selector: {{- include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index bd582d7cf..0c8ab775e 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml @@ -454,6 +454,19 @@ cas: name: "" ## @section CAS Networking + service: + ## @param cas.service.type Service type + type: ClusterIP + ## @param cas.service.port Service port + port: 80 + ## @param cas.service.targetPort Service target Port + targetPort: http + ## @extra cas.service.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + # nodePorts: + # http: "30800" + annotations: {} + ## @skip cas.service.annotations + serviceAPI: ## @param cas.serviceAPI.type Service type type: ClusterIP 
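Review bot: The Service is named `{{ include "chainloop.cas.fullname" . }}` with no suffix, and the existing CAS API Service template is not in this diff; if that template already uses the bare fullname, the two Services collide and the release fails, so please confirm and give this one a distinct name if needed. Unlike the new ingress.yaml in the same commit, this manifest sets no `namespace` and ignores `.Values.commonAnnotations`; merging `commonAnnotations` into `annotations:` the way ingress.yaml does would keep the two CAS resources consistent. `nodePort: {{ include "chainloop.node_port" .Values.cas.service }}` is rendered unconditionally; presumably the helper yields an empty value for ClusterIP, as it must for the existing serviceAPI, but that is inferred rather than visible here.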
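Review bot: `## @skip cas.service.annotations` is placed after `annotations: {}` instead of before it, unlike every other tagged key in this file, where the tag precedes the key it describes. Moving the tag above the key, i.e. `## @skip cas.service.annotations` followed by `annotations: {}`, keeps the README generator's input uniform and reads correctly. The `## @extra cas.service.nodePorts.http` entry over a commented-out key mirrors how `serviceAPI.nodePorts` is handled just below, so that part is consistent.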
@@ -470,6 +483,105 @@ cas: # nodePorts: # http: "30901" + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingress: + ## @param cas.ingress.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## + enabled: false + ## @param cas.ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param cas.ingress.hostname Default host for the ingress record + ## + hostname: cas.dev.local + ## @param cas.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param cas.ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param cas.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/cas.ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param cas.ingress.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}` + ## You can: + ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true` + ## + tls: false + ## @param cas.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param cas.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: cp.dev.local + ## path: / + ## + extraHosts: [] + ## @param cas.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param cas.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - cp.dev.local + ## secretName: cp.dev.local-tls + ## + extraTls: [] + ## @param cas.ingress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## 
If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: cp.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param cas.ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] ## ref: http://kubernetes.io/docs/user-guide/ingress/ ingressAPI: @@ -481,7 +593,7 @@ cas: pathType: ImplementationSpecific ## @param cas.ingressAPI.hostname Default host for the ingress record ## - hostname: api.cp.dev.local + hostname: api.cas.dev.local ## @param cas.ingressAPI.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
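Review bot: The `cas.ingress.tls` description and the comment block under it still refer to `controlplane.ingress.hostname`, `controlplane.ingress.secrets` and `controlplane.ingress.selfSigned`, and the annotation example reads `kubernetes.io/cas.ingress.class: nginx` where the real annotation key is `kubernetes.io/ingress.class`; both look like a search-and-replace of `ingress` → `cas.ingress` over a copy of the controlplane block. Because README.md is generated from these tags (the README hunk carries the same `controlplane.ingress.hostname` text in the `cas.ingress.tls` row), the fix belongs here: replace `controlplane.ingress.` with `cas.ingress.` in those four comment lines and restore `kubernetes.io/ingress.class: nginx`, then regenerate the README. The `extraHosts`, `extraTls` and `secrets` examples also use `cp.dev.local`; aligning them with the `cas.dev.local` default set a few lines above would avoid confusion, though that is cosmetic.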