Use single Ingress for webservices
treydock committed Jun 12, 2024
1 parent c17d201 commit 7af7833
Showing 6 changed files with 195 additions and 82 deletions.
4 changes: 2 additions & 2 deletions charts/webservice/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: webservice
description: OSC webservice bootstrap Helm Chart
type: application
version: 0.35.2
version: 0.36.0
appVersion: "0.1.0"
maintainers:
- name: treydock
Expand All @@ -13,6 +13,6 @@ dependencies:
# repository: file://../database
condition: database.mariadb.enable, database.postgresql.enable
- name: osc-common
version: 0.5.0
version: 0.7.0
repository: https://osc.github.io/osc-helm-charts/
# repository: file://../common
2 changes: 1 addition & 1 deletion charts/webservice/templates/auth-deployment.yaml
Expand Up @@ -71,7 +71,7 @@ spec:
{{- if ne $container.ingressPath "/" }}
{{- $path = $container.ingressPath }}
{{- end }}
- --upstream=http://{{ tpl $container.name $root }}.{{ $root.Release.Namespace }}.svc.cluster.local:{{ $container.port | default (add $root.Values.service.port $idx) }}{{ $path }}
- --upstream=http://{{ include "webservice.name" $root }}.{{ $root.Release.Namespace }}.svc.cluster.local:{{ $container.port | default (add $root.Values.service.port $idx) }}{{ $path }}
{{- end }}
- --metrics-address=:{{ .Values.auth.metricsService.port }}
{{- if (include "webservice.idpHost" .) }}
49 changes: 0 additions & 49 deletions charts/webservice/templates/auth-ingress.yaml

This file was deleted.

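--- /dev/null
+++ b/charts/webservice/templates/hooks/remove-auth-ingress.yaml
@@ -0,0 +1,161 @@
+{{ if .Values.auth.enable }}
+{{ $name := printf "%s-remove-auth-ingress" (include "webservice.name" .) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ $name }}
+labels:
+{{- include "webservice.labels" . | nindent 4 }}
+annotations:
+# This is what defines this resource as a hook. Without this line, the
+# job is considered part of the release.
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-weight": "-25"
+"helm.sh/hook-delete-policy": hook-succeeded
+type: kubernetes.io/dockerconfigjson
+data:
+.dockerconfigjson: {{ template "osc.common.imagePullSecret" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ $name }}
+labels:
+{{- include "webservice.labels" . | nindent 4 }}
+annotations:
+# This is what defines this resource as a hook. Without this line, the
+# job is considered part of the release.
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-weight": "-20"
+"helm.sh/hook-delete-policy": hook-succeeded
+imagePullSecrets:
+- name: {{ $name }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: {{ $name }}
+labels:
+{{- include "webservice.labels" . | nindent 4 }}
+annotations:
+# This is what defines this resource as a hook. Without this line, the
+# job is considered part of the release.
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-weight": "-15"
+"helm.sh/hook-delete-policy": hook-succeeded
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["delete"]
+- apiGroups: ["networking.k8s.io"]
+resources: ["ingresses"]
+verbs: ["delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ $name }}
+labels:
+{{- include "webservice.labels" . | nindent 4 }}
+annotations:
+# This is what defines this resource as a hook. Without this line, the
+# job is considered part of the release.
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-weight": "-10"
+"helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: {{ $name }}
+subjects:
+- kind: ServiceAccount
+name: {{ $name }}
+namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: {{ $name }}
+labels:
+app: "remove-auth-ingress"
+{{ include "osc.common.serviceAccount" . }}
+{{- include "webservice.labels" . | nindent 4 }}
+annotations:
+# This is what defines this resource as a hook. Without this line, the
+# job is considered part of the release.
+"helm.sh/hook": pre-install,pre-upgrade
+"helm.sh/hook-weight": "-5"
+"helm.sh/hook-delete-policy": hook-succeeded
+spec:
+template:
+metadata:
+name: {{ $name }}
+labels:
+app: "remove-auth-ingress"
+{{ include "osc.common.serviceAccount" . }}
+{{- include "webservice.selectorLabels" . | nindent 8 }}
+spec:
+serviceAccountName: {{ $name }}
+securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+restartPolicy: Never
+containers:
+- name: remove-auth-ingress
+image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
+command:
+- "kubectl"
+args:
+- "delete"
+- "ingress"
+- {{ include "webservice.auth.name" . | quote }}
+{{- range $container := .Values.containers }}
+- {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
+{{- end }}
+- "--namespace={{ .Release.Namespace }}"
+- "--ignore-not-found=true"
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+seccompProfile:
+type: RuntimeDefault
+privileged: false
+resources:
+limits:
+cpu: 1
+memory: 512Mi
+requests:
+cpu: 500m
+memory: 265Mi
+- name: remove-auth-secret
+image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
+command:
+- "kubectl"
+args:
+- "delete"
+- "secret"
+- {{ include "webservice.auth.name" . }}-cert
+- "--namespace={{ .Release.Namespace }}"
+- "--ignore-not-found=true"
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+seccompProfile:
+type: RuntimeDefault
+privileged: false
+resources:
+limits:
+cpu: 1
+memory: 512Mi
+requests:
+cpu: 500m
+memory: 265Mi
+nodeSelector:
+{{ include "osc.common.nodeSelectorRole" . }}
+{{- with .Values.nodeSelector }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{ end }}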
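Review bot: The Role under `rules:` grants `delete` on every Secret and every Ingress in the release namespace, while the Job only ever deletes the `-cert` Secret and the ingresses listed in its args, so both rules should carry `resourceNames` naming exactly those objects; the Role already omits `get`/`list`, so scoping by name does not change what kubectl needs. The `helm.sh/hook-delete-policy` on all five resources is `hook-succeeded` alone, which drops Helm's default `before-hook-creation`; a failed run leaves the Job (and the ServiceAccount with these delete rights) in place and the next install or upgrade fails on the name collision, so `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` is the safer value. `265Mi` in both memory requests looks like a transposed `256Mi`; worth confirming.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - {{ include "webservice.auth.name" . }}-cert
    verbs: ["delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    resourceNames:
      - {{ include "webservice.auth.name" . | quote }}
      {{- range $container := .Values.containers }}
      - {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
      {{- end }}
    verbs: ["delete"]
```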
57 changes: 27 additions & 30 deletions charts/webservice/templates/ingress.yaml
@@ -1,59 +1,56 @@
{{ $root := . }}
{{ range $idx, $container := .Values.containers }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
{{- if eq (len $root.Values.containers) 1 }}
name: {{ include "webservice.name" $root }}
{{- else }}
name: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}
{{- end }}
name: {{ include "webservice.name" . }}
labels:
{{- include "webservice.labels" $root | nindent 4 }}
{{- if (include "webservice.alert.receiver" $root) }}
receiver: {{ include "webservice.alert.receiver" $root }}
{{- include "webservice.labels" . | nindent 4 }}
{{- if (include "webservice.alert.receiver" .) }}
receiver: {{ include "webservice.alert.receiver" . }}
{{- end }}
annotations:
{{- if $root.Values.auth.enable }}
prometheus.io/probe_scheme: 'https'
{{- end }}
{{- if not $root.Values.auth.enable }}
cert-manager.io/cluster-issuer: letsencrypt
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $root.Values.ingress.annotations }}
{{- if .Values.auth.enable }}
{{- with .Values.auth.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if and (ne $container.auth false) (eq $root.Values.auth.enable true) }}
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
{{- end }}
{{- if (include "webservice.ingressHostAlias" $root) }}
nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" $root) $root }}
{{- if (include "webservice.ingressHostAlias" .) }}
nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" .) . }}
{{- end }}
{{- if eq $root.Values.appType "rshiny" }}
{{- toYaml $root.Values.ingress.rShinyAnnotations | nindent 4 }}
{{- if eq .Values.appType "rshiny" }}
{{- toYaml .Values.ingress.rShinyAnnotations | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ $root.Values.ingress.className }}
{{- if or (eq $container.auth false) (eq $root.Values.auth.enable false) }}
ingressClassName: {{ .Values.ingress.className }}
tls:
- hosts:
- {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" $root) $root) | quote }}
{{- if (include "webservice.ingressHostAlias" $root) }}
- {{ tpl (include "webservice.ingressHostAlias" $root) $root | quote }}
- {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" .) .) | quote }}
{{- if (include "webservice.ingressHostAlias" .) }}
- {{ tpl (include "webservice.ingressHostAlias" .) . | quote }}
{{- end }}
secretName: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}-cert
{{- end }}
secretName: {{ include "webservice.name" . }}-cert
rules:
{{ $root := . }}
{{- range $idx, $container := .Values.containers }}
- host: {{ tpl (include "webservice.ingressHost" $root) $root | quote }}
http:
paths:
- path: {{ $container.ingressPath }}
- path: /
pathType: Prefix
backend:
service:
{{- if $root.Values.auth.enable }}
name: {{ include "webservice.auth.name" $root }}
port:
number: {{ $root.Values.auth.service.port }}
{{- else }}
name: {{ include "webservice.name" $root }}
port:
number: {{ $container.port | default (add $root.Values.service.port $idx) }}
{{ end }}
{{- end }}
{{- end }}
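Review bot: Every iteration of the `range $idx, $container := .Values.containers` loop under `rules:` emits a rule for the same host (`webservice.ingressHost` takes only `$root`, not `$container`), and if `- path: /` is the new side of the path pair then every rule also shares path `/`, so with auth disabled and more than one container the single Ingress holds duplicate host/path entries that differ only in backend port, and which one the controller honours is undefined. auth-deployment.yaml in this same commit still derives the oauth2 `--upstream` from `$container.ingressPath`, so keeping `- path: {{ $container.ingressPath }}` here is what preserves per-container routing. When auth is enabled all rules resolve to the one `webservice.auth.name` backend, so the loop is redundant in that branch and a single rule outside the range would read more clearly. `cert-manager.io/cluster-issuer: letsencrypt` appears to be emitted regardless of `auth.enable` now that the `if not $root.Values.auth.enable` guard is gone; confirm that is intended.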
4 changes: 4 additions & 0 deletions charts/webservice/values.yaml
Expand Up @@ -229,6 +229,10 @@ database:
podSelector:
app.kubernetes.io/name: '{{ include "webservice.name" . }}'

hook:
image:
repository: docker-registry.osc.edu/kubernetes/bitnami/kubectl
tag: '1.27.14'
# Used for network policies
ingressName: ingress-nginx
prometheusName: prometheus
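Review bot: The new `hook:` block carries no comment saying what consumes it, while the neighbouring keys are introduced by `# Used for network policies`; suggest adding above `hook:` the line `# kubectl image for the pre-install/pre-upgrade hook Job that deletes the legacy per-container auth Ingress and its -cert Secret`. The tag `'1.27.14'` is correctly quoted as a string. Since this image runs under a ServiceAccount with `delete` on Secrets in the release namespace, an optional digest field (rendered as `repository@sha256:...`) would let deployments pin the hook image immutably rather than by mutable tag.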
