Skip to content

Commit

Permalink
chore: support https with flag
Browse files Browse the repository at this point in the history
  • Loading branch information
@shreddedbacon
shreddedbacon committed Dec 30, 2024
1 parent 05f6e3c commit b52267c
Show file tree
Hide file tree
Showing 5 changed files with 66 additions and 30 deletions.
62 changes: 34 additions & 28 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ SSHTOKEN_IMAGE_TAG =
SSHPORTAL_IMAGE_REPO =
SSHPORTAL_IMAGE_TAG =

LAGOON_CORE_USE_HTTPS = true

# IMAGE_REGISTRY controls the registry used for container images in the
# lagoon-core, lagoon-remote, and lagoon-test charts. If IMAGE_REGISTRY is not
# set, it will fall back to the version set in the chart values files. This
Expand Down Expand Up @@ -344,8 +346,8 @@ install-k8upv2:
# this CA certificate can be loaded into a web browser so that certificates don't present warnings
.PHONY: generate-ca
generate-ca:
mkdir -p certs && \
openssl x509 -enddate -noout -in certs/lagoontest.crt || \
@ mkdir -p certs && \
openssl x509 -enddate -noout -in certs/lagoontest.crt > /dev/null 2>&1 || \
(openssl genrsa -out certs/lagoontest.key 2048 && \
openssl req -x509 -new -nodes -key certs/lagoontest.key \
-sha256 -days 3560 -out certs/lagoontest.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign \
Expand Down Expand Up @@ -402,9 +404,9 @@ endif
$$([ $(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set buildDeployImage.default.image=$(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE)') \
$$([ $(DISABLE_CORE_HARBOR) ] && echo '--set api.additionalEnvs.DISABLE_CORE_HARBOR=$(DISABLE_CORE_HARBOR)') \
$$([ $(OPENSEARCH_INTEGRATION_ENABLED) ] && echo '--set api.additionalEnvs.OPENSEARCH_INTEGRATION_ENABLED=$(OPENSEARCH_INTEGRATION_ENABLED)') \
--set "keycloakFrontEndURL=https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set "lagoonAPIURL=https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
--set "lagoonUIURL=https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set "keycloakFrontEndURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set "lagoonAPIURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
--set "lagoonUIURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set "lagoonWebhookURL=http://lagoon-webhook.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
$$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set actionsHandler.image.repository=$(IMAGE_REGISTRY)/actions-handler') \
$$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set api.image.repository=$(IMAGE_REGISTRY)/api') \
Expand Down Expand Up @@ -441,37 +443,41 @@ endif
--set api.ingress.enabled=true \
--set api.ingress.hosts[0].host="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set api.ingress.hosts[0].paths[0]="/" \
--set api.ingress.tls[0].hosts[0]="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set api.ingress.tls[0].secretName=api-tls \
--set-string api.ingress.annotations.kubernetes\\.io/tls-acme=true \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set api.ingress.tls[0].hosts[0]=lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set api.ingress.tls[0].secretName=api-tls') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string api.ingress.annotations.kubernetes\\.io/tls-acme=true') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string api.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
--set ui.ingress.enabled=true \
--set ui.ingress.hosts[0].host="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set ui.ingress.hosts[0].paths[0]="/" \
--set ui.ingress.tls[0].hosts[0]="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set ui.ingress.tls[0].secretName=ui-tls \
--set-string ui.ingress.annotations.kubernetes\\.io/tls-acme=true \
$$([ $(UI_IMAGE_REPO) ] && echo '--set ui.image.repository=$(UI_IMAGE_REPO)') \
$$([ $(UI_IMAGE_TAG) ] && echo '--set ui.image.tag=$(UI_IMAGE_TAG)') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set ui.ingress.tls[0].hosts[0]=lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set ui.ingress.tls[0].secretName=ui-tls') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string ui.ingress.annotations.kubernetes\\.io/tls-acme=true') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string ui.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
$$([ $(INSTALL_STABLE_CORE) != true ] && [ $(UI_IMAGE_REPO) ] && echo '--set ui.image.repository=$(UI_IMAGE_REPO)') \
$$([ $(INSTALL_STABLE_CORE) != true ] && [ $(UI_IMAGE_TAG) ] && echo '--set ui.image.tag=$(UI_IMAGE_TAG)') \
--set keycloak.ingress.enabled=true \
--set keycloak.ingress.hosts[0].host="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set keycloak.ingress.hosts[0].paths[0]="/" \
--set keycloak.ingress.tls[0].hosts[0]="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set keycloak.ingress.tls[0].secretName=keycloak-tls \
--set-string keycloak.ingress.annotations.kubernetes\\.io/tls-acme=true \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set keycloak.ingress.tls[0].hosts[0]=lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set keycloak.ingress.tls[0].secretName=keycloak-tls') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string keycloak.ingress.annotations.kubernetes\\.io/tls-acme=true') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string keycloak.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
--set webhookHandler.ingress.enabled=true \
--set webhookHandler.ingress.hosts[0].host="lagoon-webhook.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set webhookHandler.ingress.hosts[0].paths[0]="/" \
--set-string webhookHandler.ingress.annotations.kubernetes\\.io/tls-acme=true \
--set broker.ingress.enabled=true \
--set broker.ingress.hosts[0].host="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set broker.ingress.hosts[0].paths[0]="/" \
--set broker.ingress.tls[0].hosts[0]="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
--set broker.ingress.tls[0].secretName=broker-tls \
--set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true \
$$([ $(SSHPORTALAPI_IMAGE_REPO) ] && echo '--set sshPortalAPI.image.repository=$(SSHPORTALAPI_IMAGE_REPO)') \
$$([ $(SSHPORTALAPI_IMAGE_TAG) ] && echo '--set sshPortalAPI.image.tag=$(SSHPORTALAPI_IMAGE_TAG)') \
$$([ $(SSHTOKEN_IMAGE_REPO) ] && echo '--set sshToken.image.repository=$(SSHTOKEN_IMAGE_REPO)') \
$$([ $(SSHTOKEN_IMAGE_TAG) ] && echo '--set sshToken.image.tag=$(SSHTOKEN_IMAGE_TAG)') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set broker.ingress.tls[0].hosts[0]=lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set broker.ingress.tls[0].secretName=broker-tls') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true') \
$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string broker.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
$$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHPORTALAPI_IMAGE_REPO) ] && echo '--set sshPortalAPI.image.repository=$(SSHPORTALAPI_IMAGE_REPO)') \
$$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHPORTALAPI_IMAGE_TAG) ] && echo '--set sshPortalAPI.image.tag=$(SSHPORTALAPI_IMAGE_TAG)') \
$$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHTOKEN_IMAGE_REPO) ] && echo '--set sshToken.image.repository=$(SSHTOKEN_IMAGE_REPO)') \
$$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHTOKEN_IMAGE_TAG) ] && echo '--set sshToken.image.tag=$(SSHTOKEN_IMAGE_TAG)') \
$$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set workflows.image.repository=$(IMAGE_REGISTRY)/workflows') \
$$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.enabled=true') \
$$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.settings.host=mailpit-smtp.mailpit.svc') \
Expand Down Expand Up @@ -544,8 +550,8 @@ endif
$$([ $(IMAGE_TAG) ] && [ $(INSTALL_STABLE_REMOTE) != true ] && echo '--set imageTag=$(IMAGE_TAG)') \
$$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.type=LoadBalancer') \
$$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.ports.sshserver=2222') \
$$([ $(SSHPORTAL_IMAGE_REPO) ] && echo '--set sshPortal.image.repository=$(SSHPORTAL_IMAGE_REPO)') \
$$([ $(SSHPORTAL_IMAGE_TAG) ] && echo '--set sshPortal.image.tag=$(SSHPORTAL_IMAGE_TAG)') \
$$([ $(INSTALL_STABLE_REMOTE) != true ] && [ $(SSHPORTAL_IMAGE_REPO) ] && echo '--set sshPortal.image.repository=$(SSHPORTAL_IMAGE_REPO)') \
$$([ $(INSTALL_STABLE_REMOTE) != true ] && [ $(SSHPORTAL_IMAGE_TAG) ] && echo '--set sshPortal.image.tag=$(SSHPORTAL_IMAGE_TAG)') \
lagoon-remote \
$$(if [ $(INSTALL_STABLE_REMOTE) = true ]; then echo 'lagoon/lagoon-remote'; else echo './charts/lagoon-remote'; fi)

Expand Down Expand Up @@ -652,17 +658,17 @@ install-test-cluster: install-ingress install-registry install-bulk-storageclass
.PHONY: get-admin-creds
get-admin-creds:
@echo "\nLagoon UI URL: " \
&& echo "https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
&& echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
&& echo "Lagoon API URL: " \
&& echo "https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
&& echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
&& echo "Lagoon API admin legacy token: \n$$(docker run \
-e JWTSECRET="$$($(KUBECTL) get secret -n lagoon-core lagoon-core-secrets -o jsonpath="{.data.JWTSECRET}" | base64 --decode)" \
-e JWTAUDIENCE=api.dev \
-e JWTUSER=localadmin \
uselagoon/tests \
python3 /ansible/tasks/api/admin_token.py)" \
&& echo "Keycloak admin URL: " \
&& echo "https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \
&& echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \
&& echo "Keycloak admin password: " \
&& $(KUBECTL) get secret -n lagoon-core lagoon-core-keycloak -o jsonpath="{.data.KEYCLOAK_ADMIN_PASSWORD}" | base64 --decode \
&& echo "\n"
Expand Down
16 changes: 16 additions & 0 deletions charts/lagoon-core/ci/linter-values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -232,6 +232,14 @@ sshPortalAPI:
insecureTLS: true
serviceMonitor:
enabled: false
# loop over the startup of ssh-portal-api for faster startup during testing/development
command:
- /bin/sh
args:
- '-c'
- >-
i=0; while [ $i -le 5 ]; do /ssh-portal-api &&
exit; sleep 10; let i=i+1; done
sshToken:
enabled: true
Expand All @@ -253,6 +261,14 @@ sshToken:
AAAECW61aE011GKLSFBJ82G6oGEOjJSUV3STx16veSvX38kD9iqXNt1OpHncEdwOG8/QRV
6lnrpkhPYdpdKnF3PCEyAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----
# loop over the startup of ssh-token for faster startup during testing/development
command:
- /bin/sh
args:
- '-c'
- >-
i=0; while [ $i -le 5 ]; do /ssh-token &&
exit; sleep 10; let i=i+1; done
controllerhandler:
replicaCount: 1
Expand Down
6 changes: 5 additions & 1 deletion charts/lagoon-core/templates/ssh-portal-api.deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,11 @@ spec:
image: "{{ .Values.sshPortalAPI.image.repository }}:{{ coalesce .Values.sshPortalAPI.image.tag .Values.imageTag .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.sshPortalAPI.image.pullPolicy }}
command:
- "/ssh-portal-api"
{{- .Values.sshPortalAPI.command | toYaml | nindent 10}}
{{- if .Values.sshPortalAPI.args }}
args:
{{- .Values.sshPortalAPI.args | toYaml | nindent 10}}
{{- end }}
env:
{{- if .Values.sshPortalAPI.debug }}
- name: DEBUG
Expand Down
6 changes: 5 additions & 1 deletion charts/lagoon-core/templates/ssh-token.deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,11 @@ spec:
image: "{{ .Values.sshToken.image.repository }}:{{ coalesce .Values.sshToken.image.tag .Values.imageTag .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.sshToken.image.pullPolicy }}
command:
- "/ssh-token"
{{- .Values.sshToken.command | toYaml | nindent 10}}
{{- if .Values.sshToken.args }}
args:
{{- .Values.sshToken.args | toYaml | nindent 10}}
{{- end }}
env:
{{- if .Values.sshToken.debug }}
- name: DEBUG
Expand Down
6 changes: 6 additions & 0 deletions charts/lagoon-core/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -967,6 +967,9 @@ sshPortalAPI:
# Overrides the image tag whose default is the chart appVersion.
tag: "v0.41.4"

command:
- /ssh-portal-api

podAnnotations: {}

securityContext: {}
Expand Down Expand Up @@ -1040,6 +1043,9 @@ sshToken:
# Overrides the image tag whose default is the chart appVersion.
tag: "v0.41.4"

command:
- /ssh-token

podAnnotations: {}

securityContext: {}
Expand Down

0 comments on commit b52267c

Please sign in to comment.