

Use single Ingress for webservices
treydock committed Jun 11, 2024
1 parent c17d201 commit cfda52d
Showing 8 changed files with 165 additions and 88 deletions.
12 changes: 10 additions & 2 deletions .github/workflows/test.yaml
Expand Up @@ -84,9 +84,10 @@ jobs:
kubectl label node kind-worker node-role.kubernetes.io/test=''
kubectl label node kind-worker2 node-role.kubernetes.io/test=''
- name: Set image pull secret
if: matrix.chart != 'osc-common'
run: |
sed -i 's|OSC-IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_READ_TOKEN}}|g' charts/*/ci/*.yaml
sed -i 's|IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_WEBSERVICES_READ_TOKEN}}|g' charts/*/ci/*.yaml
sed -i 's|OSC-IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_READ_TOKEN}}|g' charts/${{ matrix.chart }}/ci/*.yaml
sed -i 's|IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_WEBSERVICES_READ_TOKEN}}|g' charts/${{ matrix.chart }}/ci/*.yaml
- name: Install Keycloak
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
Expand Down Expand Up @@ -114,3 +115,10 @@ jobs:
kubectl describe service -A
kubectl describe daemonset -A
kubectl logs -n kyverno -l app.kubernetes.io/component=admission-controller
kubectl logs -n webservice
if [ ${{ matrix.chart }} == "webservice" ]; then
kubectl describe job -n webservice
kubectl get pod -n webservice
kubectl get job -n webservice
kubectl logs -n webservice -l app=remove-auth-ingress
fi
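Review bot: The `${{ matrix.chart }}` expansion inside `[ ... ]` on the `if` line is unquoted, so an empty or space-containing matrix value becomes a shell syntax error instead of a false comparison; quote it: `if [ "${{ matrix.chart }}" == "webservice" ]; then`. The added `kubectl logs -n webservice` just above it names neither a pod nor a selector, so kubectl rejects it with a usage error rather than printing anything, and unless this debug step is marked to continue on error the commands after it never run; either drop that line or give it a selector like the `-l app=remove-auth-ingress` already used below. The `run:` block these lines extend belongs to a step whose start is outside the hunk.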
8 changes: 4 additions & 4 deletions charts-private/emt-api/Chart.yaml
Expand Up @@ -2,12 +2,12 @@ apiVersion: v2
name: emt-api
description: OSC emt-api web service
type: application
version: 0.2.1
version: 0.2.2
appVersion: v0.1.0
maintainers:
- name: treydock
dependencies:
- name: webservice
version: 0.35.2
repository: https://osc.github.io/osc-helm-charts/
# repository: file://../../charts/webservice
version: 0.36.0
# repository: https://osc.github.io/osc-helm-charts/
repository: file://../../charts/webservice
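Review bot: The `webservice` dependency's repository is switched from the published chart index to `file://../../charts/webservice`, with the published URL left commented out, so packaging this chart now resolves 0.36.0 from the sibling checkout instead of the release index. If that is a stopgap while 0.36.0 is unpublished, a comment such as `# TODO: restore the published repository once webservice 0.36.0 is released` would keep the local path from shipping by accident.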
2 changes: 1 addition & 1 deletion charts-private/emt-api/values.yaml
Expand Up @@ -37,7 +37,7 @@ webservice:
auth: false
auth:
enable: true
skipAuthRoute: "/api/*"
skipAuthRoute: "^/api"
idpHost: EXTERNAL-DATA
clientSecret: EXTERNAL-SECRET
cookieSecret: EXTERNAL-SECRET
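Review bot: `skipAuthRoute: "^/api"` on the changed line is anchored only at the start, so every path that merely begins with `/api` — `/apiary` or `/api-internal`, for example — is exempted from authentication, not just the `/api` tree. If the `/api` subtree is the intent, `skipAuthRoute: "^/api(/|$)"` limits the exemption to it. The value is presumably consumed as a regular expression by the oauth2 proxy the chart's ingress points at (`/oauth2/auth` in the old ingress template), which is consistent with the glob-style `/api/*` being replaced here; confirm the consumer's syntax before relying on the anchor.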
4 changes: 2 additions & 2 deletions charts/webservice/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: webservice
description: OSC webservice bootstrap Helm Chart
type: application
version: 0.35.2
version: 0.36.0
appVersion: "0.1.0"
maintainers:
- name: treydock
Expand All @@ -13,6 +13,6 @@ dependencies:
# repository: file://../database
condition: database.mariadb.enable, database.postgresql.enable
- name: osc-common
version: 0.5.0
version: 0.7.0
repository: https://osc.github.io/osc-helm-charts/
# repository: file://../common
49 changes: 0 additions & 49 deletions charts/webservice/templates/auth-ingress.yaml

This file was deleted.

117 changes: 117 additions & 0 deletions charts/webservice/templates/hooks/remove-auth-ingress.yaml
@@ -0,0 +1,117 @@
{{ if .Values.auth.enable }}
{{ $name := printf "%s-remove-auth-ingress" (include "webservice.name" .) }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
{{- include "webservice.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-20"
"helm.sh/hook-delete-policy": hook-succeeded
imagePullSecrets:
- name: {{ include "osc.common.imagePullSecret.name" . }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $name }}
labels:
{{- include "webservice.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-15"
"helm.sh/hook-delete-policy": hook-succeeded
rules:
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
{{- include "webservice.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
labels:
app: "remove-auth-ingress"
{{ include "osc.common.serviceAccount" . }}
{{- include "webservice.labels" . | nindent 4 }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ $name }}
labels:
app: "remove-auth-ingress"
{{ include "osc.common.serviceAccount" . }}
{{- include "webservice.selectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ $name }}
securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
restartPolicy: Never
containers:
- name: remove-auth-ingress
image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
command:
- "kubectl"
args:
- "delete"
- "ingress"
- {{ include "webservice.auth.name" . | quote }}
{{- range $container := .Values.containers }}
- {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
{{- end }}
- "--namespace={{ .Release.Namespace }}"
- "--ignore-not-found=true"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
privileged: false
resources:
limits:
cpu: 1
memory: 512Mi
requests:
cpu: 500m
memory: 265Mi
nodeSelector:
{{ include "osc.common.nodeSelectorRole" . }}
{{- with .Values.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ end }}
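Review bot: The Role's `rules:` grant `delete` on every Ingress in the namespace, while the Job only ever deletes the names it computes in its `args` (the auth ingress and one per container); listing those same names under `resourceNames` confines the hook's credential to exactly those objects. In my experience kubectl's delete-by-name resolves the object with a GET before issuing the DELETE (that is also how `--ignore-not-found` is evaluated), so a Role with only `delete` is likely to fail with a forbidden error — granting `get` alongside `delete` covers it; the debugging commands added to the CI workflow in this commit suggest the hook may already be misbehaving. The remaining resources are unchanged.
```yaml
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    # Only the legacy Ingress objects this hook removes, mirroring the Job's args.
    resourceNames:
      - {{ include "webservice.auth.name" . | quote }}
      {{- range $container := .Values.containers }}
      - {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
      {{- end }}
    verbs: ["get", "delete"]
```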
57 changes: 27 additions & 30 deletions charts/webservice/templates/ingress.yaml
@@ -1,59 +1,56 @@
{{ $root := . }}
{{ range $idx, $container := .Values.containers }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
{{- if eq (len $root.Values.containers) 1 }}
name: {{ include "webservice.name" $root }}
{{- else }}
name: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}
{{- end }}
name: {{ include "webservice.name" . }}
labels:
{{- include "webservice.labels" $root | nindent 4 }}
{{- if (include "webservice.alert.receiver" $root) }}
receiver: {{ include "webservice.alert.receiver" $root }}
{{- include "webservice.labels" . | nindent 4 }}
{{- if (include "webservice.alert.receiver" .) }}
receiver: {{ include "webservice.alert.receiver" . }}
{{- end }}
annotations:
{{- if $root.Values.auth.enable }}
prometheus.io/probe_scheme: 'https'
{{- end }}
{{- if not $root.Values.auth.enable }}
cert-manager.io/cluster-issuer: letsencrypt
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $root.Values.ingress.annotations }}
{{- if .Values.auth.enable }}
{{- with .Values.auth.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if and (ne $container.auth false) (eq $root.Values.auth.enable true) }}
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
{{- end }}
{{- if (include "webservice.ingressHostAlias" $root) }}
nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" $root) $root }}
{{- if (include "webservice.ingressHostAlias" .) }}
nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" .) . }}
{{- end }}
{{- if eq $root.Values.appType "rshiny" }}
{{- toYaml $root.Values.ingress.rShinyAnnotations | nindent 4 }}
{{- if eq .Values.appType "rshiny" }}
{{- toYaml .Values.ingress.rShinyAnnotations | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ $root.Values.ingress.className }}
{{- if or (eq $container.auth false) (eq $root.Values.auth.enable false) }}
ingressClassName: {{ .Values.ingress.className }}
tls:
- hosts:
- {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" $root) $root) | quote }}
{{- if (include "webservice.ingressHostAlias" $root) }}
- {{ tpl (include "webservice.ingressHostAlias" $root) $root | quote }}
- {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" .) .) | quote }}
{{- if (include "webservice.ingressHostAlias" .) }}
- {{ tpl (include "webservice.ingressHostAlias" .) . | quote }}
{{- end }}
secretName: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}-cert
{{- end }}
secretName: {{ include "webservice.name" . }}-cert
rules:
{{ $root := . }}
{{- range $idx, $container := .Values.containers }}
- host: {{ tpl (include "webservice.ingressHost" $root) $root | quote }}
http:
paths:
- path: {{ $container.ingressPath }}
- path: /
pathType: Prefix
backend:
service:
{{- if $root.Values.auth.enable }}
name: {{ include "webservice.auth.name" $root }}
port:
number: {{ $root.Values.auth.service.port }}
{{- else }}
name: {{ include "webservice.name" $root }}
port:
number: {{ $container.port | default (add $root.Values.service.port $idx) }}
{{ end }}
{{- end }}
{{- end }}
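Review bot: The `rules:` loop at the end of the new template emits one `host` entry per container, each with `path: /` and the same `webservice.ingressHost`, so a values file with more than one container yields duplicate host/path rules in a single Ingress — identical entries pointing at the auth service when `auth.enable` is set, and conflicting entries pointing at different ports when it is not, of which the controller honours only one. Unless the chart now restricts `containers` to a single entry, the loop should collapse to one rule when auth is enabled and keep a distinguishing path (the removed `$container.ingressPath`) otherwise. Separately, the per-container `auth` key that the old template read (`ne $container.auth false`) is no longer referenced anywhere here, yet `charts-private/emt-api/values.yaml` in this same commit still sets `auth: false` on a container; silently ignoring it invites the assumption that the exemption is still honoured, so either remove the key from consumers or fail the render with `{{- if hasKey $container "auth" }}{{ fail "containers[].auth is no longer supported; use auth.skipAuthRoute" }}{{- end }}`. The `cert-manager.io/cluster-issuer` and `prometheus.io/probe_scheme` annotations also appear to be gone from the template, leaving TLS issuance to whatever `ingress.annotations` supplies — worth confirming that is intended.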
4 changes: 4 additions & 0 deletions charts/webservice/values.yaml
Expand Up @@ -229,6 +229,10 @@ database:
podSelector:
app.kubernetes.io/name: '{{ include "webservice.name" . }}'

hook:
image:
repository: docker-registry.osc.edu/kubernetes/bitnami/kubectl
tag: '1.27.14'
# Used for network policies
ingressName: ingress-nginx
prometheusName: prometheus
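Review bot: The new `hook:` block carries no comment explaining what it configures, unlike the neighbouring keys; a line above it such as `# kubectl image for the pre-install/pre-upgrade hook Job that deletes the legacy auth and per-container Ingress resources` would tell operators why a kubectl image is part of this chart. Because that image runs under a Role permitted to delete Ingress objects, consider letting the template accept a digest in addition to the tag so the hook image can be pinned immutably; the quoted `'1.27.14'` tag is correct as written.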
