2 changes: 1 addition & 1 deletion deployment/chainloop/Chart.yaml
@@ -4,7 +4,7 @@ description: Chainloop is an open source software supply chain control plane, a

type: application
# Bump the patch (not minor, not major) version on each change in the Chart Source code
version: 1.10.2
version: 1.10.3
# Do not update appVersion, this is handled automatically by the release process
appVersion: v0.15.0

41 changes: 29 additions & 12 deletions deployment/chainloop/README.md
@@ -360,17 +360,17 @@ chainloop config save \

### Secrets Backend

| Name | Description | Value |
| ------------------------------------------- | ------------------------------------------------------------------------- | ----------- |
| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault` |
| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` |
| `secretsBackend.vault.address` | Vault address | |
| `secretsBackend.vault.token` | Vault authentication token | |
| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | |
| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | |
| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | |
| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | |
| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | |
| Name | Description | Value |
| --------------------------------------------------- | ------------------------------------------------------------------------- | ----------- |
| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault` |
| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` |
| `secretsBackend.vault.address` | Vault address | |
| `secretsBackend.vault.token` | Vault authentication token | |
| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | |
| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | |
| `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | |
| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | |
| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | |

### Authentication

@@ -477,14 +477,31 @@ chainloop config save \

| Name | Description | Value |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `cas.service.type` | Service type | `ClusterIP` |
| `cas.service.port` | Service port | `80` |
| `cas.service.targetPort` | Service target Port | `http` |
| `cas.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | |
| `cas.serviceAPI.type` | Service type | `ClusterIP` |
| `cas.serviceAPI.port` | Service port | `80` |
| `cas.serviceAPI.targetPort` | Service target Port | `grpc` |
| `cas.serviceAPI.annotations` | Service annotations | |
| `cas.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | |
| `cas.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` |
| `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` |
| `cas.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `cas.ingress.path` | Default path for the ingress record | `/` |
| `cas.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `cas.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` |
| `cas.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `cas.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `cas.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `cas.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `cas.ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `cas.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `cas.ingressAPI.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` |
| `cas.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` |
| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cp.dev.local` |
| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cas.dev.local` |
| `cas.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `cas.ingressAPI.path` | Default path for the ingress record | `/` |
| `cas.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | |
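Review bot: The `cas.ingress.tls` row still says "Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter"; for the CAS ingress this should be `cas.ingress.hostname`, which is the value templates/cas/ingress.yaml actually uses to derive the `<hostname>-tls` secret name. Two smaller carry-overs from the ingressAPI rows are worth fixing at the same time: the unrendered `%%MAIN_CONTAINER_NAME%%` placeholder in the `cas.ingress.enabled` description and "will be be used" in `cas.ingress.ingressClassName`. Since this table appears to be generated from the `## @param` comments in values.yaml, correct the wording there and regenerate rather than hand-editing the README.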
60 changes: 60 additions & 0 deletions deployment/chainloop/templates/cas/ingress.yaml
@@ -0,0 +1,60 @@
{{- if .Values.cas.ingress.enabled }}
{{- $fullName := include "chainloop.cas.fullname" . -}}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "chainloop.cas.labels" . | nindent 4 }}
{{- if or .Values.cas.ingress.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.cas.ingress.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingress.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
{{- if and .Values.cas.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
ingressClassName: {{ .Values.cas.ingress.ingressClassName | quote }}
{{- end }}
rules:
{{- if .Values.cas.ingress.hostname }}
- host: {{ .Values.cas.ingress.hostname }}
http:
paths:
{{- if .Values.cas.ingress.extraPaths }}
{{- toYaml .Values.cas.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.cas.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.cas.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.cas.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.cas.ingress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- if or (and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned)) .Values.cas.ingress.extraTls }}
tls:
{{- if and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned) }}
- hosts:
- {{ .Values.cas.ingress.hostname | quote }}
secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }}
{{- end }}
{{- if .Values.cas.ingress.extraTls }}
{{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraTls "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
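Review bot: The `tls:` block at the end only renders when `cas.ingress.tls` is set together with either a cert-manager annotation or `cas.ingress.selfSigned`, and it then references a secret named `printf "%s-tls" .Values.cas.ingress.hostname`; nothing in this PR creates that secret for the `selfSigned` case or from the new `cas.ingress.secrets` value, so please confirm an existing TLS secret template already covers the `cas.ingress.*` keys or add one, otherwise `tls: true` with `selfSigned: true` produces an Ingress pointing at a secret that does not exist. It is also worth a sentence in the values comment that `cas.ingress.tls: true` on its own, with no annotation and no `selfSigned`, silently yields no `tls:` section at all. The `servicePort: "http"` in both `backend` lines matches the port name declared in the new service_http.yaml, which is good.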
19 changes: 19 additions & 0 deletions deployment/chainloop/templates/cas/service_http.yaml
@@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "chainloop.cas.fullname" . }}
labels:
{{- include "chainloop.cas.labels" . | nindent 4 }}
{{- with .Values.cas.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.cas.service.type }}
ports:
- port: {{ .Values.cas.service.port }}
targetPort: {{ .Values.cas.service.targetPort }}
protocol: TCP
name: http
nodePort: {{ include "chainloop.node_port" .Values.cas.service }}
selector: {{- include "chainloop.cas.selectorLabels" . | nindent 4 }}
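Review bot: `nodePort: {{ include "chainloop.node_port" .Values.cas.service }}` is emitted unconditionally, including for the default `type: ClusterIP`; confirm that the `chainloop.node_port` helper returns an empty value in that case so the key renders as a null rather than a bare string, or guard the line with a check on `.Values.cas.service.type` so the intent is explicit. Also, `metadata` here sets no `namespace:` while the new templates/cas/ingress.yaml in this same PR sets `namespace: {{ include "common.names.namespace" . | quote }}`; the two new CAS resources should follow the same convention.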
114 changes: 113 additions & 1 deletion deployment/chainloop/values.yaml
@@ -454,6 +454,19 @@ cas:
name: ""

## @section CAS Networking
service:
## @param cas.service.type Service type
type: ClusterIP
## @param cas.service.port Service port
port: 80
## @param cas.service.targetPort Service target Port
targetPort: http
## @extra cas.service.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767>
# nodePorts:
# http: "30800"
annotations: {}
## @skip cas.service.annotations

serviceAPI:
## @param cas.serviceAPI.type Service type
type: ClusterIP
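Review bot: The `## @skip cas.service.annotations` comment sits below the `annotations: {}` key it describes; the README generator reads the metadata comment immediately above a key, so as placed it attaches to nothing and `annotations: {}` is left undocumented. Move it above `annotations: {}`, and consider `## @param` rather than `## @skip`, since the README already has a `cas.serviceAPI.annotations` row and the two services should be documented the same way.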
@@ -470,6 +483,105 @@ cas:
# nodePorts:
# http: "30901"

## ref: http://kubernetes.io/docs/user-guide/ingress/
ingress:
## @param cas.ingress.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%%
##
enabled: false
## @param cas.ingress.pathType Ingress path type
##
pathType: ImplementationSpecific
## @param cas.ingress.hostname Default host for the ingress record
##
hostname: cas.dev.local
## @param cas.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
##
ingressClassName: ""
## @param cas.ingress.path Default path for the ingress record
## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
##
path: /
## @param cas.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
## Use this parameter to set the required annotations for cert-manager, see
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
## e.g:
## annotations:
## kubernetes.io/cas.ingress.class: nginx
## cert-manager.io/cluster-issuer: cluster-issuer-name
##
annotations: {}
## @param cas.ingress.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}`
## You can:
## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret
## - Rely on cert-manager to create it by setting the corresponding annotations
## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true`
##
tls: false
## @param cas.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
##
selfSigned: false
## @param cas.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
## e.g:
## extraHosts:
## - name: cp.dev.local
## path: /
##
extraHosts: []
## @param cas.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
## e.g:
## extraPaths:
## - path: /*
## backend:
## serviceName: ssl-redirect
## servicePort: use-annotation
##
extraPaths: []
## @param cas.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## e.g:
## extraTls:
## - hosts:
## - cp.dev.local
## secretName: cp.dev.local-tls
##
extraTls: []
## @param cas.ingress.secrets Custom TLS certificates as secrets
## NOTE: 'key' and 'certificate' are expected in PEM format
## NOTE: 'name' should line up with a 'secretName' set further up
## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
## e.g:
## secrets:
## - name: cp.dev.local-tls
## key: |-
## -----BEGIN RSA PRIVATE KEY-----
## ...
## -----END RSA PRIVATE KEY-----
## certificate: |-
## -----BEGIN CERTIFICATE-----
## ...
## -----END CERTIFICATE-----
##
secrets: []
## @param cas.ingress.extraRules Additional rules to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
## e.g:
## extraRules:
## - host: example.local
## http:
## path: /
## backend:
## service:
## name: example-svc
## port:
## name: http
##
extraRules: []

## ref: http://kubernetes.io/docs/user-guide/ingress/
ingressAPI:
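Review bot: The example annotation `kubernetes.io/cas.ingress.class: nginx` under `cas.ingress.annotations` looks like a search-and-replace artefact of the real key `kubernetes.io/ingress.class`; anyone copying it would set an annotation that no ingress controller reads. In the same way, the `cas.ingress.tls` comment still refers to `controlplane.ingress.hostname`, `controlplane.ingress.secrets`, `controlplane.ingress.selfSigned` and `printf "%s-tls" .Values.controlplane.ingress.hostname`, while templates/cas/ingress.yaml reads `cas.ingress.*`; all of these should name the `cas.ingress` keys. The example hostnames in `extraHosts`, `extraTls` and `secrets` (`cp.dev.local`, `cp.dev.local-tls`) also read as control-plane leftovers; `cas.dev.local` would match the default `hostname` above and be less confusing.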
@@ -481,7 +593,7 @@ cas:
pathType: ImplementationSpecific
## @param cas.ingressAPI.hostname Default host for the ingress record
##
hostname: api.cp.dev.local
hostname: api.cas.dev.local
## @param cas.ingressAPI.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
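Review bot: Changing the default `cas.ingressAPI.hostname` from `api.cp.dev.local` to `api.cas.dev.local` is a user-visible default change for anyone who relied on it, even though it is only a dev placeholder, and the chart gets a patch bump only; call it out in the PR description and release notes. The "will be be used" typo in the `cas.ingressAPI.ingressClassName` comment is pre-existing context here but cheap to fix while the line is being touched.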