From 954e2bf0a56509c54c87ac2c2f7e7e7cd343ee0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nathana=C3=ABl=20M=2E?= Date: Fri, 20 Dec 2024 16:48:23 +0100 Subject: [PATCH] feat: add more flexibility in Helm chart Add ingress configuration and add tls options in ingress to avoid using Caddy --- charts/ciso-assistant/templates/ingress.yaml | 27 +++++++++++--- charts/ciso-assistant/templates/service.yaml | 12 +++--- .../ciso-assistant/templates/statefulset.yaml | 37 ++++--------------- charts/ciso-assistant/values.yaml | 13 +++++-- 4 files changed, 45 insertions(+), 44 deletions(-) diff --git a/charts/ciso-assistant/templates/ingress.yaml b/charts/ciso-assistant/templates/ingress.yaml index 33f1e0e93..a7814eadc 100644 --- a/charts/ciso-assistant/templates/ingress.yaml +++ b/charts/ciso-assistant/templates/ingress.yaml @@ -1,16 +1,19 @@ +{{- if .Values.ingress.enabled }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: + {{- with .Values.ingress.annotations }} annotations: - nginx.ingress.kubernetes.io/backend-protocol: HTTPS - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - nginx.ingress.kubernetes.io/ssl-redirect: "true" + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} name: ciso-assistant-{{ .Values.clientName }} labels: client: {{ .Values.clientName }} {{- include "common.labels" . | nindent 4 }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingress.ingressClassName }} rules: - host: {{ .Values.clientName }}.{{ .Values.clusterDomain }} http: @@ -19,6 +22,20 @@ spec: service: name: ciso-assistant-{{ .Values.clientName }} port: - number: 443 + number: 3000 path: / pathType: Prefix + - backend: + service: + name: ciso-assistant-{{ .Values.clientName }} + port: + number: 8000 + path: /api/ + pathType: Prefix + {{- if .Values.ingress.tls }} + tls: + - hosts: + - {{ .Values.clientName }}.{{ .Values.clusterDomain }} + secretName: ciso-assistant-{{ .Values.clientName }}-tls + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/ciso-assistant/templates/service.yaml b/charts/ciso-assistant/templates/service.yaml index 4a0833500..1a631d19e 100644 --- a/charts/ciso-assistant/templates/service.yaml +++ b/charts/ciso-assistant/templates/service.yaml @@ -7,14 +7,14 @@ metadata: {{- include "common.labels" . | nindent 4 }} spec: ports: - - name: http - port: 80 + - name: backend + port: 8000 protocol: TCP - targetPort: 80 - - name: https - port: 443 + targetPort: 8000 + - name: frontend + port: 3000 protocol: TCP - targetPort: 443 + targetPort: 3000 selector: app: ciso-assistant client: {{ .Values.clientName }} diff --git a/charts/ciso-assistant/templates/statefulset.yaml b/charts/ciso-assistant/templates/statefulset.yaml index 75b1867a7..95c755700 100644 --- a/charts/ciso-assistant/templates/statefulset.yaml +++ b/charts/ciso-assistant/templates/statefulset.yaml @@ -1,3 +1,4 @@ +{{ $scheme := ternary "https" "http" .Values.ingress.tls -}} apiVersion: apps/v1 kind: StatefulSet metadata: @@ -26,7 +27,7 @@ spec: - name: CISO_ASSISTANT_SUPERUSER_EMAIL value: {{ .Values.emailAdmin }} - name: CISO_ASSISTANT_URL - value: https://{{ .Values.clientName }}.{{ .Values.clusterDomain }} + value: {{ $scheme }}://{{ .Values.clientName }}.{{ .Values.clusterDomain }} - name: ALLOWED_HOSTS value: localhost,127.0.0.1,{{ .Values.clientName }}.{{ .Values.clusterDomain }} - name: EMAIL_HOST_PASSWORD @@ -53,9 +54,13 @@ spec: - name: ciso-assistant-frontend env: - name: ORIGIN - value: "{{ .Values.frontendOrigin | default (printf "https://%s.%s" .Values.clientName .Values.clusterDomain) }}" + value: "{{ .Values.frontendOrigin | default (printf "%s://%s.%s" $scheme .Values.clientName .Values.clusterDomain) }}" + - name: PROTOCOL_HEADER + value: x-forwarded-proto + - name: HOST_HEADER + value: x-forwarded-host - name: PUBLIC_BACKEND_API_EXPOSED_URL - value: https://{{ .Values.clientName }}.{{ .Values.clusterDomain }}/api + value: {{ $scheme }}://{{ .Values.clientName }}.{{ .Values.clusterDomain }}/api envFrom: - configMapRef: name: ciso-assistant-config @@ -64,32 +69,6 @@ spec: ports: - containerPort: 3000 protocol: TCP - - name: caddy - command: - - sh - - '-c' - - | - echo {{ .Values.clientName }}.{{ .Values.clusterDomain }} "{" > Caddyfile - echo "reverse_proxy /api/iam/sso/redirect/ localhost:8000" >> Caddyfile - echo "reverse_proxy /api/accounts/saml/0/acs/ localhost:8000" >> Caddyfile - echo "reverse_proxy /api/accounts/saml/0/acs/finish/ localhost:8000" >> Caddyfile - echo "reverse_proxy /* localhost:3000" >> Caddyfile - echo "}" >> Caddyfile - exec caddy run - env: - - name: CISO_ASSISTANT_URL - value: https://{{ .Values.clientName }}.{{ .Values.clusterDomain }} - image: "{{ .Values.image.caddy.repository }}:{{ .Values.image.caddy.tag }}" - imagePullPolicy: {{ .Values.image.caddy.pullPolicy }} - ports: - - containerPort: 80 - protocol: TCP - - containerPort: 443 - protocol: TCP - volumeMounts: - - mountPath: /data - name: db-data - subPath: caddy enableServiceLinks: false imagePullSecrets: - name: registry-secret diff --git a/charts/ciso-assistant/values.yaml b/charts/ciso-assistant/values.yaml index cebe829cb..9ea69101f 100644 --- a/charts/ciso-assistant/values.yaml +++ b/charts/ciso-assistant/values.yaml @@ -34,11 +34,16 @@ image: repository: ghcr.io/intuitem/ciso-assistant-community/frontend tag: "{{ default .Chart.AppVersion .Values.global.appVersion }}" pullPolicy: Always - caddy: - repository: caddy - tag: "2.7.6" - pullPolicy: IfNotPresent persistence: size: 5Gi accessMode: ReadWriteOnce + +ingress: + enabled: true + annotations: {} + # nginx.ingress.kubernetes.io/ssl-redirect: "true" + # cert-manager.io/cluster-issuer: letsencrypt + ingressClassName: nginx + + tls: false