feat: Add cert options to ingress

charts/operator-wandb/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: operator-wandb
 description: A Helm chart for deploying W&B to Kubernetes
 type: application
-version: 0.3.4
+version: 0.4.0
 appVersion: 1.0.0
 icon: https://wandb.ai/logo.svg
 

charts/operator-wandb/charts/app/templates/deployment.yaml

@@ -131,13 +131,16 @@ spec:
                   key: SLACK_SECRET          
 
             - name: OIDC_SECRET
-              value: {{ .Values.global.oidc.secret }}
+              value: {{ .Values.global.auth.oidc.secret }}
             - name: OIDC_CLIENT_ID
-              value: {{ .Values.global.oidc.clientId }}
+              value: {{ .Values.global.auth.oidc.clientId }}
             - name: OIDC_AUTH_METHOD
-              value: {{ .Values.global.oidc.authMethod }}
+              value: {{ .Values.global.auth.oidc.authMethod }}
             - name: OIDC_ISSUER
-              value: {{ .Values.global.oidc.issuer }}
+              value: {{ .Values.global.auth.oidc.issuer }}
+
+            - name: GORILLA_SESSION_LENGTH
+              value: "{{ .Values.global.auth.oidc.sessionLengthHours }}h"
 
             - name: BUCKET
               value: {{ .Values.global.storage.connectionString }}

charts/operator-wandb/charts/app/values.yaml

@@ -58,4 +58,4 @@ resources:
     memory: 1Gi
   limits:
     cpu: 4000m
-    memory: 8Gi
+    memory: 8Gi

charts/operator-wandb/templates/ingress.yaml

@@ -1,17 +1,77 @@
+{{- if .Values.ingress.issuer.create }}
+{{- if eq .Values.ingress.issuer.type "google" }}
+---
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: {{ .Release.Name }}-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "wandb.commonLabels" . | nindent 4 }}
+spec:
+  domains:
+  - {{ replace "https://" "" (replace "http://" "" .Values.global.host) }}
+{{- else }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-issuer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "wandb.commonLabels" . | nindent 4 }}
+spec:
+  acme:
+    # The ACME server URL
+    server: {{ .Values.ingress.issuer.server | quote }}
+    email: {{ .Values.ingress.issuer.email | quote }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ .Release.Name }}-acme-key
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: {{ .Values.ingress.class }}
+{{- end }}
+{{- end }}
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ .Release.Name }}
   labels:
     {{- include "wandb.commonLabels" . | nindent 4 }}
-    {{- if .Values.global.ingress.labels -}}
-    {{-   toYaml .Values.global.ingress.labels | nindent 4 }}
+    {{- if .Values.ingress.labels -}}
+    {{-   toYaml .Values.ingress.labels | nindent 4 }}
     {{- end }}
   annotations:
-    {{- if .Values.global.ingress.annotations -}}
-    {{-   toYaml .Values.global.ingress.annotations | nindent 4 }}
+    {{- if .Values.ingress.issuer.create }}
+      {{- if eq .Values.ingress.issuer.type "google" }}
+    "networking.gke.io/managed-certificates" : "{{ .Release.Name }}-cert"
+      {{- else }}
+    "cert-manager.io/issuer": "{{ .Release.Name }}-issuer"
+    "cert-manager.io/acme-challenge-type": "http01"
+      {{- end }}
+    "kubernetes.io/ingress.allow-http" : "false"
+    {{- end }}
+
+    {{- if .Values.ingress.annotations -}}
+    {{-   toYaml .Values.ingress.annotations | nindent 4 }}
     {{- end }}
 spec:
+  ingressClassName: {{ .Values.ingress.class }}
+
+  {{- if .Values.ingress.issuer.create }}
+  {{- if ne .Values.ingress.issuer.type "google" }}
+  tls:
+    - host: [{{ replace "https://" "" (replace "http://" "" .Values.global.host) }}]
+      secretName: {{ .Release.Name }}-tls
+  {{- end }}
+  {{- else }}
+  tls: {{ toYaml .Values.ingress.tls | nindent 4 }}
+  {{- end }}
+
   rules:
   - http:
       paths:
@@ -22,9 +82,10 @@ spec:
             name: {{ .Release.Name }}-console
             port:
               number: 8082
+
   defaultBackend:
     service:
-      {{- if eq .Values.global.ingress.defaultBackend "console" }}
+      {{- if eq .Values.ingress.defaultBackend "console" }}
       name: {{ .Release.Name }}-console
       port:
         number: 8082

charts/operator-wandb/values.yaml

@@ -43,11 +43,13 @@ global:
     user: "wandb"
     password: ""
 
-  oidc:
-    clientId: ""
-    secret: ""
-    authMethod: ""
-    issuer: ""
+  auth:
+    sessionLengthHours: 720
+    oidc:
+      clientId: ""
+      secret: ""
+      authMethod: ""
+      issuer: ""
 
   storage:
     connectionString: ""
@@ -61,10 +63,16 @@ global:
     parameters: {}
     caCert: ""
 
-  ingress:
-    defaultBackend: "app"
-    annotations: {}
-    labels: {}
+ingress:
+  defaultBackend: "app"
+  annotations: {}
+  labels: {}
+  tls: []
+  class: ""
+  issuer:
+    create: false
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: support@wandb.com
 
   slack:
     secret: ""