From b52267cfb581ef81dfe5f1d6f093a505e2d365dd Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Mon, 30 Dec 2024 07:36:53 +1100
Subject: [PATCH] chore: support https with flag

---
 Makefile | 62 ++++++++++---------
 charts/lagoon-core/ci/linter-values.yaml | 16 +++++
 .../templates/ssh-portal-api.deployment.yaml | 6 +-
 .../templates/ssh-token.deployment.yaml | 6 +-
 charts/lagoon-core/values.yaml | 6 ++
 5 files changed, 66 insertions(+), 30 deletions(-)

diff --git a/Makefile b/Makefile
index 290abfbe..17688976 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,8 @@ SSHTOKEN_IMAGE_TAG =
 SSHPORTAL_IMAGE_REPO =
 SSHPORTAL_IMAGE_TAG =

+LAGOON_CORE_USE_HTTPS = true
+
 # IMAGE_REGISTRY controls the registry used for container images in the
 # lagoon-core, lagoon-remote, and lagoon-test charts. If IMAGE_REGISTRY is not
 # set, it will fall back to the version set in the chart values files. This
@@ -344,8 +346,8 @@ install-k8upv2:
 # this CA certificate can be loaded into a web browser so that certificates don't present warnings
 .PHONY: generate-ca
 generate-ca:
- mkdir -p certs && \
- openssl x509 -enddate -noout -in certs/lagoontest.crt || \
+ @ mkdir -p certs && \
+ openssl x509 -enddate -noout -in certs/lagoontest.crt > /dev/null 2>&1 || \
 (openssl genrsa -out certs/lagoontest.key 2048 && \
 openssl req -x509 -new -nodes -key certs/lagoontest.key \
 -sha256 -days 3560 -out certs/lagoontest.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign \
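Review bot: `LAGOON_CORE_USE_HTTPS = true` is added without a comment, while the neighbouring IMAGE_REGISTRY variable documents its effect, so a reader has to search the install targets to learn that it controls both the TLS blocks on the lagoon-core ingresses and the scheme of the advertised API, UI and Keycloak URLs. I would add above it `# LAGOON_CORE_USE_HTTPS controls whether the lagoon-core ingresses get a TLS block and whether the advertised API/UI/Keycloak URLs use https. Set to false only for local testing: over plain http, Keycloak logins and API tokens cross the wire unencrypted.` Whether the lagoon-test or lagoon-remote targets also assume https URLs is not visible in this diff, so the comment may need to say so as well.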
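Review bot: The new `> /dev/null 2>&1` on the `openssl x509` check hides every reason the existing certs/lagoontest.crt is rejected, not only the missing-file case, so a corrupt or unreadable key/cert pair is silently regenerated, and the `@` also suppresses the echo of the regeneration commands that follow. Since `-enddate -noout` only checks that the file parses, an expired certificate still passes and is kept; `openssl x509 -checkend 0 -noout -in certs/lagoontest.crt > /dev/null 2>&1 || \` would regenerate on expiry as well, and a short `echo "generating certs/lagoontest.crt"` as the first command of the regeneration group would keep the operator informed. The generate-ca recipe continues past the end of the hunk.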
@@ -402,9 +404,9 @@ endif
 $$([ $(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set buildDeployImage.default.image=$(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE)') \
 $$([ $(DISABLE_CORE_HARBOR) ] && echo '--set api.additionalEnvs.DISABLE_CORE_HARBOR=$(DISABLE_CORE_HARBOR)') \
 $$([ $(OPENSEARCH_INTEGRATION_ENABLED) ] && echo '--set api.additionalEnvs.OPENSEARCH_INTEGRATION_ENABLED=$(OPENSEARCH_INTEGRATION_ENABLED)') \
- --set "keycloakFrontEndURL=https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
- --set "lagoonAPIURL=https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
- --set "lagoonUIURL=https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
+ --set "keycloakFrontEndURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
+ --set "lagoonAPIURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
+ --set "lagoonUIURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 --set "lagoonWebhookURL=http://lagoon-webhook.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set actionsHandler.image.repository=$(IMAGE_REGISTRY)/actions-handler') \
 $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set api.image.repository=$(IMAGE_REGISTRY)/api') \
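Review bot: The scheme selector `$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")` is spelled out inline on each of the three new URL lines, and the same expression is repeated in the get-admin-creds hunks at -652 and -662; if the variable is ever made empty (`make LAGOON_CORE_USE_HTTPS=`) the resulting `[ = true ]` is a malformed test that will most likely print a shell error before falling back to http. Computing the scheme once in Make next to the flag, `LAGOON_CORE_SCHEME = $(if $(filter true,$(LAGOON_CORE_USE_HTTPS)),https,http)`, and writing `--set "keycloakFrontEndURL=$(LAGOON_CORE_SCHEME)://lagoon-keycloak.$$(...).nip.io"` keeps these lines readable and removes the nested double quotes inside the `--set "..."` argument. `lagoonWebhookURL` on the following context line stays hard-coded to http regardless of the flag; if that is intentional, a comment saying why would help. The helm recipe this belongs to starts and ends outside the hunk.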
@@ -441,23 +443,26 @@ endif
 --set api.ingress.enabled=true \
 --set api.ingress.hosts[0].host="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 --set api.ingress.hosts[0].paths[0]="/" \
- --set api.ingress.tls[0].hosts[0]="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
- --set api.ingress.tls[0].secretName=api-tls \
- --set-string api.ingress.annotations.kubernetes\\.io/tls-acme=true \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set api.ingress.tls[0].hosts[0]=lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set api.ingress.tls[0].secretName=api-tls') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string api.ingress.annotations.kubernetes\\.io/tls-acme=true') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string api.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
 --set ui.ingress.enabled=true \
 --set ui.ingress.hosts[0].host="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 --set ui.ingress.hosts[0].paths[0]="/" \
- --set ui.ingress.tls[0].hosts[0]="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
- --set ui.ingress.tls[0].secretName=ui-tls \
- --set-string ui.ingress.annotations.kubernetes\\.io/tls-acme=true \
- $$([ $(UI_IMAGE_REPO) ] && echo '--set ui.image.repository=$(UI_IMAGE_REPO)') \
- $$([ $(UI_IMAGE_TAG) ] && echo '--set ui.image.tag=$(UI_IMAGE_TAG)') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set ui.ingress.tls[0].hosts[0]=lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set ui.ingress.tls[0].secretName=ui-tls') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string ui.ingress.annotations.kubernetes\\.io/tls-acme=true') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string ui.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
+ $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(UI_IMAGE_REPO) ] && echo '--set ui.image.repository=$(UI_IMAGE_REPO)') \
+ $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(UI_IMAGE_TAG) ] && echo '--set ui.image.tag=$(UI_IMAGE_TAG)') \
 --set keycloak.ingress.enabled=true \
 --set keycloak.ingress.hosts[0].host="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 --set keycloak.ingress.hosts[0].paths[0]="/" \
- --set keycloak.ingress.tls[0].hosts[0]="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
- --set keycloak.ingress.tls[0].secretName=keycloak-tls \
- --set-string keycloak.ingress.annotations.kubernetes\\.io/tls-acme=true \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set keycloak.ingress.tls[0].hosts[0]=lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set keycloak.ingress.tls[0].secretName=keycloak-tls') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string keycloak.ingress.annotations.kubernetes\\.io/tls-acme=true') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string keycloak.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
 --set webhookHandler.ingress.enabled=true \
 --set webhookHandler.ingress.hosts[0].host="lagoon-webhook.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 --set webhookHandler.ingress.hosts[0].paths[0]="/" \
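Review bot: When `LAGOON_CORE_USE_HTTPS` is true, the new `nginx.ingress.kubernetes.io/ssl-redirect=false` annotation on the api, ui and keycloak ingresses (and on the broker ingress in the hunk at -465) switches off the HTTP-to-HTTPS redirect that ingress-nginx applies by default once a TLS block is present, so every endpoint stays reachable over plain http even in https mode, and a client that follows an http:// link to Keycloak or the API sends its session cookies and bearer tokens unencrypted. If the plain-http listener is needed for something specific, a comment above these lines should say what; otherwise I would drop the four `ssl-redirect=false` lines so that https mode actually enforces TLS. The added `[ $(INSTALL_STABLE_CORE) != true ]` guard on the UI_IMAGE_REPO/UI_IMAGE_TAG overrides is unrelated to the subject of the commit and makes those variables silently ignored when the stable chart is installed, which deserves a line in the commit message. The helm upgrade recipe continues on both sides of the hunk.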
@@ -465,13 +470,14 @@ endif
 --set broker.ingress.enabled=true \
 --set broker.ingress.hosts[0].host="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 --set broker.ingress.hosts[0].paths[0]="/" \
- --set broker.ingress.tls[0].hosts[0]="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
- --set broker.ingress.tls[0].secretName=broker-tls \
- --set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true \
- $$([ $(SSHPORTALAPI_IMAGE_REPO) ] && echo '--set sshPortalAPI.image.repository=$(SSHPORTALAPI_IMAGE_REPO)') \
- $$([ $(SSHPORTALAPI_IMAGE_TAG) ] && echo '--set sshPortalAPI.image.tag=$(SSHPORTALAPI_IMAGE_TAG)') \
- $$([ $(SSHTOKEN_IMAGE_REPO) ] && echo '--set sshToken.image.repository=$(SSHTOKEN_IMAGE_REPO)') \
- $$([ $(SSHTOKEN_IMAGE_TAG) ] && echo '--set sshToken.image.tag=$(SSHTOKEN_IMAGE_TAG)') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set broker.ingress.tls[0].hosts[0]=lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set broker.ingress.tls[0].secretName=broker-tls') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true') \
+ $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string broker.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \
+ $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHPORTALAPI_IMAGE_REPO) ] && echo '--set sshPortalAPI.image.repository=$(SSHPORTALAPI_IMAGE_REPO)') \
+ $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHPORTALAPI_IMAGE_TAG) ] && echo '--set sshPortalAPI.image.tag=$(SSHPORTALAPI_IMAGE_TAG)') \
+ $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHTOKEN_IMAGE_REPO) ] && echo '--set sshToken.image.repository=$(SSHTOKEN_IMAGE_REPO)') \
+ $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHTOKEN_IMAGE_TAG) ] && echo '--set sshToken.image.tag=$(SSHTOKEN_IMAGE_TAG)') \
 $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set workflows.image.repository=$(IMAGE_REGISTRY)/workflows') \
 $$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.enabled=true') \
 $$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.settings.host=mailpit-smtp.mailpit.svc') \
@@ -544,8 +550,8 @@ endif
 $$([ $(IMAGE_TAG) ] && [ $(INSTALL_STABLE_REMOTE) != true ] && echo '--set imageTag=$(IMAGE_TAG)') \
 $$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.type=LoadBalancer') \
 $$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.ports.sshserver=2222') \
- $$([ $(SSHPORTAL_IMAGE_REPO) ] && echo '--set sshPortal.image.repository=$(SSHPORTAL_IMAGE_REPO)') \
- $$([ $(SSHPORTAL_IMAGE_TAG) ] && echo '--set sshPortal.image.tag=$(SSHPORTAL_IMAGE_TAG)') \
+ $$([ $(INSTALL_STABLE_REMOTE) != true ] && [ $(SSHPORTAL_IMAGE_REPO) ] && echo '--set sshPortal.image.repository=$(SSHPORTAL_IMAGE_REPO)') \
+ $$([ $(INSTALL_STABLE_REMOTE) != true ] && [ $(SSHPORTAL_IMAGE_TAG) ] && echo '--set sshPortal.image.tag=$(SSHPORTAL_IMAGE_TAG)') \
 lagoon-remote \
 $$(if [ $(INSTALL_STABLE_REMOTE) = true ]; then echo 'lagoon/lagoon-remote'; else echo './charts/lagoon-remote'; fi)

@@ -652,9 +658,9 @@ install-test-cluster: install-ingress install-registry install-bulk-storageclass
 .PHONY: get-admin-creds
 get-admin-creds:
 @echo "\nLagoon UI URL: " \
- && echo "https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
+ && echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \
 && echo "Lagoon API URL: " \
- && echo "https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
+ && echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \
 && echo "Lagoon API admin legacy token: \n$$(docker run \
 -e JWTSECRET="$$($(KUBECTL) get secret -n lagoon-core lagoon-core-secrets -o jsonpath="{.data.JWTSECRET}" | base64 --decode)" \
 -e JWTAUDIENCE=api.dev \
@@ -662,7 +668,7 @@ get-admin-creds:
 uselagoon/tests \
 python3 /ansible/tasks/api/admin_token.py)" \
 && echo "Keycloak admin URL: " \
- && echo "https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \
+ && echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \
 && echo "Keycloak admin password: " \
 && $(KUBECTL) get secret -n lagoon-core lagoon-core-keycloak -o jsonpath="{.data.KEYCLOAK_ADMIN_PASSWORD}" | base64 --decode \
 && echo "\n"
diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml
index 5ff86e74..d600ae8b 100644
--- a/charts/lagoon-core/ci/linter-values.yaml
+++ b/charts/lagoon-core/ci/linter-values.yaml
@@ -232,6 +232,14 @@ sshPortalAPI:
 insecureTLS: true
 serviceMonitor:
 enabled: false
+ # loop over the startup of ssh-portal-api for faster startup during testing/development
+ command:
+ - /bin/sh
+ args:
+ - '-c'
+ - >-
+ i=0; while [ $i -le 5 ]; do /ssh-portal-api &&
+ exit; sleep 10; let i=i+1; done

 sshToken:
 enabled: true
@@ -253,6 +261,14 @@ sshToken:
 AAAECW61aE011GKLSFBJ82G6oGEOjJSUV3STx16veSvX38kD9iqXNt1OpHncEdwOG8/QRV
 6lnrpkhPYdpdKnF3PCEyAAAAAAECAwQF
 -----END OPENSSH PRIVATE KEY-----
+ # loop over the startup of ssh-token for faster startup during testing/development
+ command:
+ - /bin/sh
+ args:
+ - '-c'
+ - >-
+ i=0; while [ $i -le 5 ]; do /ssh-token &&
+ exit; sleep 10; let i=i+1; done

 controllerhandler:
 replicaCount: 1
diff --git a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml
index 1913bb85..3ef6617f 100644
--- a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml
+++ b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml
@@ -37,7 +37,11 @@ spec:
 image: "{{ .Values.sshPortalAPI.image.repository }}:{{ coalesce .Values.sshPortalAPI.image.tag .Values.imageTag .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.sshPortalAPI.image.pullPolicy }}
 command:
- - "/ssh-portal-api"
+ {{- .Values.sshPortalAPI.command | toYaml | nindent 10}}
+ {{- if .Values.sshPortalAPI.args }}
+ args:
+ {{- .Values.sshPortalAPI.args | toYaml | nindent 10}}
+ {{- end }}
 env:
 {{- if .Values.sshPortalAPI.debug }}
 - name: DEBUG
diff --git a/charts/lagoon-core/templates/ssh-token.deployment.yaml b/charts/lagoon-core/templates/ssh-token.deployment.yaml
index a9693787..752750c3 100644
--- a/charts/lagoon-core/templates/ssh-token.deployment.yaml
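Review bot: The retry wrapper `i=0; while [ $i -le 5 ]; do /ssh-portal-api && exit; sleep 10; let i=i+1; done` exits 0 once all six attempts have failed, so a container whose binary never came up reports success to Kubernetes instead of being restarted, and with `/bin/sh -c` as PID 1 the SIGTERM sent on pod deletion is not forwarded to the running daemon; `let` is also a bash/ash extension rather than POSIX sh. The values file is only used for chart-testing, so the impact is limited, but the same loop is added for ssh-token in the hunk at -253. I would write `i=0; while [ $i -lt 5 ]; do /ssh-portal-api && exit; sleep 10; i=$((i+1)); done; exec /ssh-portal-api` so the final attempt replaces the shell and its exit status and signal handling belong to the daemon. Whether the images ship `/bin/sh` at all is not visible here; the template previously ran the binary directly.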
+++ b/charts/lagoon-core/templates/ssh-token.deployment.yaml
@@ -32,7 +32,11 @@ spec:
 image: "{{ .Values.sshToken.image.repository }}:{{ coalesce .Values.sshToken.image.tag .Values.imageTag .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.sshToken.image.pullPolicy }}
 command:
- - "/ssh-token"
+ {{- .Values.sshToken.command | toYaml | nindent 10}}
+ {{- if .Values.sshToken.args }}
+ args:
+ {{- .Values.sshToken.args | toYaml | nindent 10}}
+ {{- end }}
 env:
 {{- if .Values.sshToken.debug }}
 - name: DEBUG
diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml
index 23bb0fae..ad1cf84d 100644
--- a/charts/lagoon-core/values.yaml
+++ b/charts/lagoon-core/values.yaml
@@ -967,6 +967,9 @@ sshPortalAPI:
 # Overrides the image tag whose default is the chart appVersion.
 tag: "v0.41.4"

+ command:
+ - /ssh-portal-api
+
 podAnnotations: {}

 securityContext: {}
@@ -1040,6 +1043,9 @@ sshToken:
 # Overrides the image tag whose default is the chart appVersion.
 tag: "v0.41.4"

+ command:
+ - /ssh-token
+
 podAnnotations: {}

 securityContext: {}
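Review bot: `command:` is added to the sshPortalAPI and sshToken sections (hunks at -967 and -1040) without a comment, and `args` — which the updated ssh-portal-api and ssh-token deployment templates now read from `.Values.sshPortalAPI.args` and `.Values.sshToken.args` — is not declared at all, so a user reading values.yaml cannot discover the override that ci/linter-values.yaml relies on. I would add above each `command:` a comment such as `# Container entrypoint; override command/args only for testing (see ci/linter-values.yaml for an example).` and declare `args: []` beneath it, which the template's `{{- if }}` guard treats as unset.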