feat: Add gateway API ingress

Makefile

@@ -64,10 +64,6 @@ k3d-up: ## Setup k3d cluster
 	make create-k3d-cluster
 	@echo "Installing nginx-ingress"
 	make helm-nginx
-	@echo "Installing postgresql"
-	make helm-postgresql
-	@echo "Installing Minio"
-	make helm-minio
 	@echo "Create Test namespace"
 	make create-test-ns
 
@@ -84,6 +80,16 @@ k3d-ci-up: ## Setup CI k3d cluster
 k3d-down: ## Teardown k3d cluster
 	make delete-k3d-cluster
 
+.PHONY: k3d-ci-down
+install-dev-deps:  ## Install development dependencies (PostgreSQL, Minio, monitoring stack) not needed for CT tests
+	kubectl create namespace ${NAMESPACE} || true
+	@echo "Installing postgresql"
+	make helm-postgresql
+	@echo "Installing Minio"
+	make helm-minio
+	@echo "Installing Monitoring stack"
+	make helm-monitoring-stack
+
 # Extended targets
 ##################
 

README.md

@@ -69,6 +69,7 @@ database running.
 ```shell
 $ make helm-deps
 $ make k3d-up
+$ make install-dev-deps
 ```
 
 *Postgresql credentials:*

charts/gateway/README.md

@@ -85,6 +85,27 @@ This section specify internal service configuration
 | ------------------------------ | ----------- | ----- |
 | `service.internal.annotations` |             | `{}`  |
 
+### Gateway ingress configurations
+
+This section contains Kubernetes ingress configuration.
+
+| Name                       | Description                                                                                                                      | Value                    |
+| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `ingress.enabled`          | Enable ingress for Gateway                                                                                                       | `false`                  |
+| `ingress.pathType`         | Ingress path type                                                                                                                | `ImplementationSpecific` |
+| `ingress.apiVersion`       | Force Ingress API version (automatically detected if not set)                                                                    | `""`                     |
+| `ingress.hostname`         | Default host for the ingress record                                                                                              | `gateway.local`          |
+| `ingress.ingressClassName` | IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)                                                       | `""`                     |
+| `ingress.path`             | Default path for the ingress record                                                                                              | `/`                      |
+| `ingress.annotations`      | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}`                     |
+| `ingress.tls`              | Enable TLS configuration for the host defined at `ingress.hostname` parameter                                                    | `false`                  |
+| `ingress.selfSigned`       | Create a TLS secret for this ingress record using self-signed certificates generated by Helm                                     | `false`                  |
+| `ingress.extraHosts`       | An array with additional hostname(s) to be covered with the ingress record                                                       | `[]`                     |
+| `ingress.extraPaths`       | An array with additional arbitrary paths that may need to be added to the ingress under the main host                            | `[]`                     |
+| `ingress.extraTls`         | TLS configuration for additional hostname(s) to be covered with this ingress record                                              | `[]`                     |
+| `ingress.secrets`          | Custom TLS certificates as secrets                                                                                               | `[]`                     |
+| `ingress.extraRules`       | Additional rules to be covered with this ingress record                                                                          | `[]`                     |
+
 ### Gateway metrics activation
 
 Gateway embed metrics to be installed within you cluster if your have the correct capabilities (Prometheus and Grafana operators).
@@ -151,3 +172,66 @@ gateway:
 See [Gateway Documentation](https://docs.conduktor.io/gateway/configuration/env-variables/) for a list of environment variables that can be used.
 In particular, the [Client to Gateway Authentication page](https://docs.conduktor.io/gateway/configuration/client-authentication/) details the different authentication mechanisms that can be used with Gateway.
 
+
+### Ingress configuration examples
+
+#### Nginx Ingress without TLS
+
+**values.yaml** :
+```yaml
+ingress:
+  enabled: true
+  ingressClassName: "nginx"
+  hostname: conduktor-gateway.mycompany.com
+  tls: false
+  selfSigned: false
+```
+
+#### Nginx Ingress with Self-signed TLS
+
+**values.yaml** :
+```yaml
+ingress:
+  enabled: true
+  ingressClassName: "nginx"
+  hostname: conduktor-gateway.mycompany.com
+  tls: true
+  selfSigned: true
+```
+
+#### Nginx Ingress with Let's Encrypt TLS
+
+**values.yaml** :
+```yaml
+ingress:
+  enabled: true
+  ingressClassName: "nginx"
+  hostname: conduktor-gateway.mycompany.com
+  tls: true
+  selfSigned: false
+  ingress.annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: nginx
+```
+
+#### Nginx Ingress with Custom TLS secret
+
+**values.yaml** :
+```yaml
+ingress:
+  enabled: true
+  ingressClassName: "nginx"
+  hostname: conduktor-gateway.mycompany.com
+  tls: true
+  selfSigned: false
+  secrets:
+    - name: my-tls-secret
+      certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        ...
+        -----END RSA PRIVATE KEY-----
+```

charts/gateway/ci/gateway-required-values.yaml → charts/gateway/ci/01-basic-gateway-required-values.yaml

@@ -1,3 +1,5 @@
+nameOverride: gateway-test-01
+
 kafka:
   enabled: true
   startupProbe:

charts/gateway/ci/02-gateway-with-selfSigned-ingress-values.yaml

@@ -0,0 +1,18 @@
+nameOverride: gateway-test-02
+
+gateway:
+  admin:
+    port: 8888
+
+ingress:
+  enabled: true
+  ingressClassName: "nginx"
+  hostname: gateway.private
+  tls: true
+  selfSigned: true
+
+kafka:
+  enabled: true
+  startupProbe:
+    enabled: true
+    failureThreshold: 30

charts/gateway/templates/NOTES.txt

@@ -17,7 +17,7 @@ Please verify your connectivity
 {{- end }}
 
 {{- if not (hasKey .Values.gateway.env "GATEWAY_ADVERTISED_HOST") }}
-You can connect to gateway from inside your cluster with {{ include "conduktor-gateway.fullname" . | trunc 54 }}-internal:{{ .Values.gateway.portRange.start }} as bootstrap server.
+You can connect to gateway from inside your cluster with {{ include "conduktor-gateway.internalServiceName" . }}:{{ .Values.gateway.portRange.start }} as bootstrap server.
 {{- else }}
 You defined a specific domain to be advertised : {{ .Values.gateway.env.GATEWAY_ADVERTISED_HOST }}
 You'll need to configure your network connections to gateway with this domain.

charts/gateway/templates/_helpers.tpl

@@ -79,3 +79,17 @@ opt-out for a custom bootstrap server.
 {{-     required "value .kafka.bootstrapServers is required" .Values.kafka.bootstrapServers -}}
 {{-   end -}}
 {{- end -}}
+
+{{/*
+Define internal service name
+*/}}
+{{- define "conduktor-gateway.internalServiceName" -}}
+{{- printf "%s-internal" (include "conduktor-gateway.fullname" . | trunc 54) -}}
+{{- end -}}
+
+{{/*
+Define external service name
+*/}}
+{{- define "conduktor-gateway.externalServiceName"}}
+{{- printf "%s-external" (include "conduktor-gateway.fullname" . | trunc 54) -}}
+{{- end -}}

charts/gateway/templates/deployment.yaml

@@ -38,7 +38,7 @@ spec:
             {{- end}}
             {{- if not (hasKey .Values.gateway.env "GATEWAY_ADVERTISED_HOST") }}
             - name: GATEWAY_ADVERTISED_HOST
-              value: {{ include "conduktor-gateway.fullname" . | trunc 54 }}-internal
+              value: {{ include "conduktor-gateway.internalServiceName" . }}
             {{- end }}
             - name: GATEWAY_PORT_START
               value: {{ .Values.gateway.portRange.start | quote }}

charts/gateway/templates/ingress-tls-secret.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.ingress.secrets }}
+{{- range .Values.ingress.secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .name }}
+  namespace: {{ include "common.names.namespace" $ | quote }}
+  labels: {{ include "conduktor-gateway.labels" . | nindent 4 }}
+  {{- if $.Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .certificate | b64enc }}
+  tls.key: {{ .key | b64enc }}
+{{- end }}
+---
+{{- end }}
+{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
+{{- $ca := genCA "conduktor-gateway-ca" 365 }}
+{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "conduktor-gateway.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+  tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+  ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
+{{- end }}

charts/gateway/templates/ingress.yaml

@@ -0,0 +1,59 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "conduktor-gateway.labels" . | nindent 4 }}
+  {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.ingress.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  {{- end }}
+  rules:
+    {{- if .Values.ingress.hostname }}
+    - host: {{ .Values.ingress.hostname }}
+      http:
+        paths:
+          {{- if .Values.ingress.extraPaths }}
+          {{- toYaml .Values.ingress.extraPaths | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.ingress.path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+            pathType: {{ .Values.ingress.pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" (include "conduktor-gateway.internalServiceName" .) "servicePort" "admin-http" "context" $)  | nindent 14 }}
+    {{- end }}
+    {{- range .Values.ingress.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default "/" .path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" (include "conduktor-gateway.internalServiceName" $) "servicePort" "admin-http" "context" $) | nindent 14 }}
+    {{- end }}
+    {{- if .Values.ingress.extraRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }}
+    {{- end }}
+  {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
+  tls:
+    {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }}
+    - hosts:
+        - {{ .Values.ingress.hostname | quote }}
+      secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
+    {{- end }}
+    {{- if .Values.ingress.extraTls }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/gateway/templates/service-external.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "conduktor-gateway.fullname" . | trunc 54 }}-external
+  name:  {{ include "conduktor-gateway.externalServiceName" . }}
   labels: {{ include "conduktor-gateway.labels" . | nindent 4 }}
   {{- with .Values.service.external.annotations }}
   annotations: {{ toYaml . | nindent 4 }}

charts/gateway/templates/service-internal.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "conduktor-gateway.fullname" . | trunc 54 }}-internal
+  name:  {{ include "conduktor-gateway.internalServiceName" . }}
   labels: {{ include "conduktor-gateway.labels" . | nindent 4 }}
     metrics.conduktor.io/prometheus: {{ .Values.metrics.prometheus.enable | quote }}
   {{- with .Values.service.internal.annotations }}

charts/gateway/templates/tests/01-gateway-healthy.yaml

@@ -0,0 +1,24 @@
+{{- $internalServiceName := include "conduktor-gateway.internalServiceName" . -}}
+{{- $internalServicePort := .Values.gateway.admin.port -}}
+{{- $internalHealthUrl := printf "http://%v:%v/health" $internalServiceName $internalServicePort -}}
+{{- $externalServiceName := include "conduktor-gateway.externalServiceName" . -}}
+{{- $externalServicePort := .Values.gateway.admin.port -}}
+{{- $externalHealthUrl := printf "http://%v:%v/health" $externalServiceName $externalServicePort -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "common.names.fullname" . }}-test-gateway"
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  containers:
+    - name: curl-gateway-internal
+      image: curlimages/curl:8.1.2
+      args: [ '--insecure', "--verbose" ,'{{ $internalHealthUrl }}']
+{{- if .Values.service.external.enable }}
+    - name: curl-gateway-external
+      image: curlimages/curl:8.1.2
+      args: [ '--insecure', "--verbose" ,'{{ $externalHealthUrl }}']
+{{- end }}
+  restartPolicy: Never