diff --git a/.gitignore b/.gitignore index 974f4ba4f..b07ccf33b 100644 --- a/.gitignore +++ b/.gitignore @@ -29,6 +29,5 @@ project.dict /gateway -build/package/helm/monoskope/Chart.lock build/package/helm/monoskope/charts/** .dccache diff --git a/build/package/helm/monoskope/Chart.lock b/build/package/helm/monoskope/Chart.lock new file mode 100644 index 000000000..19364c195 --- /dev/null +++ b/build/package/helm/monoskope/Chart.lock @@ -0,0 +1,27 @@ +dependencies: +- name: gateway + repository: file://../gateway + version: 0.0.1-local +- name: eventstore + repository: file://../eventstore + version: 0.0.1-local +- name: commandhandler + repository: file://../commandhandler + version: 0.0.1-local +- name: queryhandler + repository: file://../queryhandler + version: 0.0.1-local +- name: scimserver + repository: file://../scimserver + version: 0.0.1-local +- name: cockroachdb + repository: https://charts.cockroachdb.com/ + version: 7.0.1 +- name: rabbitmq + repository: https://charts.bitnami.com/bitnami + version: 8.32.2 +- name: emissary-ingress + repository: https://getambassador.io + version: 8.0.0 +digest: sha256:76299ec2f3da8693fe07db6183dc3183ef8a56e30007a5388d04e25d6bca8f0c +generated: "2022-07-27T09:56:50.706907+02:00" diff --git a/build/package/helm/monoskope/Chart.yaml b/build/package/helm/monoskope/Chart.yaml index 464ca520e..ad54b0a32 100644 --- a/build/package/helm/monoskope/Chart.yaml +++ b/build/package/helm/monoskope/Chart.yaml @@ -51,8 +51,9 @@ dependencies: # A list of the chart requirements version: 8.32.2 repository: https://charts.bitnami.com/bitnami condition: rabbitmq.enabled,global.rabbitmq.enabled - - name: ambassador - version: 6.9.4 + - name: emissary-ingress + alias: ambassador + version: 8.0.0 repository: https://getambassador.io condition: ambassador.deploy,global.ambassador.deploy diff --git a/build/package/helm/monoskope/templates/_helpers.tpl b/build/package/helm/monoskope/templates/_helpers.tpl index 89cd85bdd..4719e084e 100644 
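Review bot: The dependency swap from `ambassador` 6.9.4 to `emissary-ingress` 8.0.0 in the Chart.yaml hunk is a major-version jump of the ingress (Ambassador 1.x to Emissary 3.x) that the commit records only as a line change. Existing releases will need the Emissary CRDs present and the old Ambassador resources migrated, so this looks like a breaking change for the umbrella chart; if the chart's own `version:` is not bumped elsewhere in this commit it should be, with an upgrade note in the chart README. Keeping `alias: ambassador` preserves the values key, which is fine, but a comment such as `# emissary-ingress is installed under the legacy alias so .Values.ambassador keeps working` would save the next reader a lookup.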
--- a/build/package/helm/monoskope/templates/_helpers.tpl +++ b/build/package/helm/monoskope/templates/_helpers.tpl @@ -69,10 +69,6 @@ Create the name of the service account to use {{- printf "%s-tls-cert" (include "monoskope.fullname" .) }} {{- end }} -{{- define "monoskope.mtlsSecretName" -}} -{{- printf "%s-mtls-cert" (include "monoskope.fullname" .) }} -{{- end }} - {{- define "monoskope.identityCAName" -}} {{- printf "%s-identity" (include "monoskope.fullname" .) }} {{- end }} @@ -81,10 +77,6 @@ Create the name of the service account to use {{- required "a value for .Values.hosting.domain has to be provided" .Values.hosting.domain }} {{- end }} -{{- define "monoskope.mtlsDomain" -}} -{{- printf "mapi.%s" .Values.hosting.domain }} -{{- end }} - {{- define "monoskope.tlsDomain" -}} {{- printf "api.%s" .Values.hosting.domain }} {{- end }} diff --git a/build/package/helm/monoskope/templates/ambassador/ambassador-cert.yaml b/build/package/helm/monoskope/templates/ambassador/ambassador-cert.yaml index f9bbf34a9..7769cc990 100644 --- a/build/package/helm/monoskope/templates/ambassador/ambassador-cert.yaml +++ b/build/package/helm/monoskope/templates/ambassador/ambassador-cert.yaml @@ -1,8 +1,6 @@ {{- if .Values.ambassador.enabled }} {{- $tlsSecretName := (include "monoskope.tlsSecretName" .) }} {{- $tlsDomain := (include "monoskope.tlsDomain" .) }} -{{- $mtlsSecretName := (include "monoskope.mtlsSecretName" .) }} -{{- $mtlsDomain := (include "monoskope.mtlsDomain" .) }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: 
@@ -20,30 +18,4 @@ spec: kind: ClusterIssuer dnsNames: - {{ $tlsDomain }} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $mtlsSecretName }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "monoskope.labels" . | nindent 4 }} - {{- with (.Values.labels | default .Values.global.labels) }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - secretName: {{ $mtlsSecretName }} - duration: {{ .Values.pki.certificates.duration }} - renewBefore: {{ .Values.pki.certificates.renewBefore }} - issuerRef: - name: {{ .Values.pki.issuer.name }} - kind: Issuer - subject: - organizations: - - Monoskope - dnsNames: - - {{ $mtlsDomain }} - usages: - - client auth - - server auth {{- end }} diff --git a/build/package/helm/monoskope/templates/ambassador/ambassador-host.yaml b/build/package/helm/monoskope/templates/ambassador/ambassador-host.yaml index f82efe0c1..0d098e0a2 100644 --- a/build/package/helm/monoskope/templates/ambassador/ambassador-host.yaml +++ b/build/package/helm/monoskope/templates/ambassador/ambassador-host.yaml @@ -1,13 +1,11 @@ {{- if .Values.ambassador.enabled }} {{- $tlsSecretName := (include "monoskope.tlsSecretName" .) }} -{{- $mtlsSecretName := (include "monoskope.mtlsSecretName" .) }} {{- $tlsDomain := (include "monoskope.tlsDomain" .) }} -{{- $mtlsDomain := (include "monoskope.mtlsDomain" .) }} {{- if ne $tlsDomain "" }} apiVersion: getambassador.io/v2 kind: Host metadata: - name: {{ include "monoskope.fullname" . }}-tls + name: {{ include "monoskope.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "monoskope.labels" . | nindent 4 }} 
@@ -16,32 +14,20 @@ metadata: {{- end }} spec: hostname: {{ $tlsDomain }} - acmeProvider: - authority: none tlsSecret: name: {{ $tlsSecretName }} - tls: - min_tls_version: v1.2 + tlsContext: + name: {{ include "monoskope.fullname" . }}-tls --- -{{- end }} -{{- if ne $mtlsDomain "" }} -apiVersion: getambassador.io/v2 +apiVersion: getambassador.io/v3alpha1 kind: TLSContext metadata: - name: {{ include "monoskope.fullname" . }}-mtls - namespace: {{ .Release.Namespace }} - labels: - {{- include "monoskope.labels" . | nindent 4 }} - {{- with (.Values.labels | default .Values.global.labels) }} - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ include "monoskope.fullname" . }}-tls spec: + secret: {{ $tlsSecretName }} hosts: - - {{ $mtlsDomain }} - - {{ $mtlsDomain }}:443 - secret: {{ $mtlsSecretName }} - ca_secret: {{ .Values.pki.issuer.ca.existingTrustAnchorSecretName | default (printf "%s-trust-anchor" (include "monoskope.fullname" .)) }} - cert_required: true + - {{ $tlsDomain }} + alpn_protocols: h2,http/1.1 min_tls_version: v1.2 {{- end }} {{- end }} diff --git a/build/package/helm/monoskope/templates/ambassador/mappings/commandhandler.yaml b/build/package/helm/monoskope/templates/ambassador/mappings/commandhandler.yaml index 7bff46b69..3c0bceb62 100644 --- a/build/package/helm/monoskope/templates/ambassador/mappings/commandhandler.yaml +++ b/build/package/helm/monoskope/templates/ambassador/mappings/commandhandler.yaml @@ -1,5 +1,4 @@ {{- if .Values.ambassador.enabled }} -{{- $mtlsDomain := (include "monoskope.mtlsDomain" .) }} {{- if .Values.commandhandler.enabled }} apiVersion: getambassador.io/v2 kind: Mapping @@ -10,7 +9,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /eventsourcing.CommandHandler/ rewrite: /eventsourcing.CommandHandler/ service: {{.Release.Name}}-commandhandler:{{.Values.commandhandler.ports.api}} 
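Review bot: The new TLSContext under `apiVersion: getambassador.io/v3alpha1` has no `namespace:` and no labels, while the Host in the same file keeps `namespace: {{ .Release.Namespace }}` and the `monoskope.labels` include; add `  namespace: {{ .Release.Namespace }}`, `  labels:` and `    {{- include "monoskope.labels" . | nindent 4 }}` under its `metadata:` so the two objects render consistently and label-based selection still finds the TLSContext. The Host also lost `acmeProvider: authority: none`; in the v2 Host schema the ACME provider historically defaulted to Let's Encrypt, so confirm that Emissary 3.0 does not re-enable ACME for this Host and re-add the line if it does. The Host stays at `getambassador.io/v2` while the TLSContext moves to `v3alpha1`; since the chart now targets Emissary 3.0 only, moving the Host to `v3alpha1` as well avoids depending on the v2 conversion path.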
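Review bot: Replacing `timeout_ms: 20000` with `hostname: "*"` silently drops the 20 s upstream timeout on every gRPC Mapping in commandhandler.yaml (this hunk and the next), gateway.yaml and queryhandler.yaml, so requests fall back to Emissary's default Mapping timeout (3000 ms unless the Module overrides it); if the host binding is the intended change, keep both lines, `hostname: "*"` and `timeout_ms: 20000`. The wildcard also attaches these Mappings to every Host in scope; the chart defines a single Host for the TLS domain, so `hostname: {{ include "monoskope.tlsDomain" . }}` would bind them explicitly and not pick up Hosts added later in the namespace. `hostname` is the v3alpha1 field name while these Mappings stay at `getambassador.io/v2`; confirm the v2 schema accepts it, or move the Mappings to `v3alpha1` together with the TLSContext.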
@@ -24,7 +23,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /domain.CommandHandlerExtensions/ rewrite: /domain.CommandHandlerExtensions/ service: {{.Release.Name}}-commandhandler:{{.Values.commandhandler.ports.api}} diff --git a/build/package/helm/monoskope/templates/ambassador/mappings/gateway.yaml b/build/package/helm/monoskope/templates/ambassador/mappings/gateway.yaml index d097808f0..bd3d5582b 100644 --- a/build/package/helm/monoskope/templates/ambassador/mappings/gateway.yaml +++ b/build/package/helm/monoskope/templates/ambassador/mappings/gateway.yaml @@ -1,5 +1,4 @@ {{- if .Values.ambassador.enabled }} -{{- $mtlsDomain := (include "monoskope.mtlsDomain" .) }} {{- if .Values.gateway.enabled }} apiVersion: getambassador.io/v2 kind: Mapping @@ -13,7 +12,7 @@ metadata: {{- end }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /gateway.Gateway/ rewrite: /gateway.Gateway/ service: {{.Release.Name}}-gateway:{{.Values.gateway.service.grpcApiPort}} @@ -30,7 +29,7 @@ metadata: {{- end }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /gateway.ClusterAuth/ rewrite: /gateway.ClusterAuth/ service: {{.Release.Name}}-gateway:{{.Values.gateway.service.grpcApiPort}} @@ -44,7 +43,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /common.ServiceInformationService/ rewrite: /common.ServiceInformationService/ service: {{.Release.Name}}-gateway:{{.Values.gateway.service.grpcApiPort}} @@ -87,7 +86,7 @@ metadata: {{- end }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /gateway.APIToken/ rewrite: /gateway.APIToken/ service: {{.Release.Name}}-gateway:{{.Values.gateway.service.grpcApiPort}} diff --git a/build/package/helm/monoskope/templates/ambassador/mappings/queryhandler.yaml b/build/package/helm/monoskope/templates/ambassador/mappings/queryhandler.yaml index 2fb9c774a..7370eb16a 100644 
--- a/build/package/helm/monoskope/templates/ambassador/mappings/queryhandler.yaml +++ b/build/package/helm/monoskope/templates/ambassador/mappings/queryhandler.yaml @@ -1,5 +1,4 @@ {{- if .Values.ambassador.enabled }} -{{- $mtlsDomain := (include "monoskope.mtlsDomain" .) }} {{- if .Values.queryhandler.enabled }} apiVersion: getambassador.io/v2 kind: Mapping @@ -10,7 +9,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /domain.User/ rewrite: /domain.User/ service: {{.Release.Name}}-queryhandler:{{.Values.queryhandler.ports.api}} @@ -24,7 +23,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /domain.Tenant/ rewrite: /domain.Tenant/ service: {{.Release.Name}}-queryhandler:{{.Values.queryhandler.ports.api}} @@ -38,7 +37,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /domain.Cluster/ rewrite: /domain.Cluster/ service: {{.Release.Name}}-queryhandler:{{.Values.queryhandler.ports.api}} @@ -52,7 +51,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /domain.ClusterAccess/ rewrite: /domain.ClusterAccess/ service: {{.Release.Name}}-queryhandler:{{.Values.queryhandler.ports.api}} @@ -66,7 +65,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /domain.Certificate/ rewrite: /domain.Certificate/ service: {{.Release.Name}}-queryhandler:{{.Values.queryhandler.ports.api}} @@ -80,7 +79,7 @@ metadata: {{- include "monoskope.labels" . | nindent 4 }} spec: grpc: true - timeout_ms: 20000 + hostname: "*" prefix: /domain.AuditLog/ rewrite: /domain.AuditLog/ service: {{.Release.Name}}-queryhandler:{{.Values.queryhandler.ports.api}} 
diff --git a/build/package/helm/monoskope/templates/ambassador/mappings/scimserver.yaml b/build/package/helm/monoskope/templates/ambassador/mappings/scimserver.yaml index 4e1abe347..3b38674f3 100644 --- a/build/package/helm/monoskope/templates/ambassador/mappings/scimserver.yaml +++ b/build/package/helm/monoskope/templates/ambassador/mappings/scimserver.yaml @@ -1,5 +1,4 @@ {{- if .Values.ambassador.enabled }} -{{- $mtlsDomain := (include "monoskope.mtlsDomain" .) }} {{- if .Values.scimserver.enabled }} apiVersion: getambassador.io/v2 kind: Mapping diff --git a/build/package/helm/monoskope/values.yaml b/build/package/helm/monoskope/values.yaml index 23103fc39..b26c4fd69 100644 --- a/build/package/helm/monoskope/values.yaml +++ b/build/package/helm/monoskope/values.yaml @@ -72,12 +72,12 @@ eventstore: tlsSecret: *msgBusClientAuthCertSecretName storeDatabase: configSecret: "m8-db-client-config" - tlsSecret: "m8-db-client-auth-cert" + tlsSecret: "m8-db-client-auth-cert" commandhandler: enabled: true replicaCount: 1 - + queryhandler: enabled: true replicaCount: 1 @@ -151,7 +151,7 @@ rabbitmq: loadDefinition: enabled: true existingSecret: m8-rabbitmq-load-definition - extraPlugins: 'rabbitmq_auth_mechanism_ssl' + extraPlugins: "rabbitmq_auth_mechanism_ssl" extraConfiguration: |- auth_mechanisms.1 = EXTERNAL ssl_cert_login_from = common_name @@ -164,7 +164,7 @@ rabbitmq: tlsPort: 5671 auth: username: eventstore # admin user with read/write access - password: "w1!!b3r3pl4c3d" # in case you use VaultOperator this will be overwritten by the load definition which takes the password from a generated secret + password: "w1!!b3r3pl4c3d" # in case you use VaultOperator this will be overwritten by the load definition which takes the password from a generated secret # -- Name of the secret containing the erlang secret # If vaultOperator.enabled:true the secret will eb auto generated existingErlangSecret: m8-rabbitmq-erlang-cookie 
@@ -183,32 +183,23 @@ ambassador: deploy: true replicaCount: 1 image: - repository: datawire/ambassador - tag: 1.14.3 - enableAES: false + repository: docker.io/emissaryingress/emissary + tag: 3.0.0 agent: enabled: false - crds: - create: false - enabled: false rbac: create: false serviceAccount: create: true scope: singleNamespace: true - resources: - limits: - cpu: 4 - memory: 1000Mi - requests: - cpu: 100m - memory: 512Mi metrics: serviceMonitor: enabled: false adminService: create: false + module: + strip_matching_host_port: true # necessary for gRPC, see https://www.getambassador.io/docs/emissary/latest/howtos/grpc/#mappings-with-hosts scimserver: - enabled: false \ No newline at end of file + enabled: false
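Review bot: Removing the `resources:` block leaves the ingress pods with no CPU or memory requests/limits, so the emissary deployment runs unbounded and without a QoS guarantee in a shared cluster; the emissary-ingress chart is the successor of the ambassador chart and presumably still honours `resources`, so keep the previous `requests`/`limits` values rather than deleting them (confirm against the 8.0.0 values schema). Dropping `crds.create`/`crds.enabled` means the Emissary CRDs are now expected to exist before this chart installs; that prerequisite should be stated next to the `ambassador:` values, e.g. `# Emissary 3.x CRDs must be installed separately before deploying this chart`. The `strip_matching_host_port` comment is good; the same style of pointer would help on `tag: 3.0.0`, which is the first Emissary release this chart targets.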