feat: add kurl proxy resources to AdminConsole helm chart (#32)

* feat: Add kurl proxy service to allow TLS setup * Add admin-console labels to kurl resources * Only deploy admin console service if kURL proxy is absent * Remove duplicate labels * Delete helm chart before building and correct template error
replicatedhq · Jan 12, 2024 · 419f1f2 · 419f1f2
1 parent d1cf8e8
commit 419f1f2
Show file tree

Hide file tree

Showing 9 changed files with 133 additions and 4 deletions.
diff --git a/.helmignore b/.helmignore
@@ -2,4 +2,5 @@ scripts/
 /*.yaml.tmpl
 /.image.env
 /.git
-/.github
+/.github
+/.tgz
diff --git a/scripts/build-local.sh b/scripts/build-local.sh
@@ -14,6 +14,7 @@ export $(cat .image.env | sed 's/#.*//g' | xargs)
 envsubst < Chart.yaml.tmpl > Chart.yaml
 envsubst < values.yaml.tmpl > values.yaml
 
+rm -f admin-console-*.tgz
 export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev`
 helm push $CHART_NAME oci://ttl.sh/${CURRENT_USER}
 

diff --git a/scripts/build-ttl.sh b/scripts/build-ttl.sh
@@ -14,6 +14,7 @@ export $(cat .image.env | sed 's/#.*//g' | xargs)
 envsubst < Chart.yaml.tmpl > Chart.yaml
 envsubst < values.yaml.tmpl > values.yaml
 
+rm -f admin-console-*.tgz
 export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev`
 helm push $CHART_NAME oci://ttl.sh/$USER
 

diff --git a/templates/NOTES.txt b/templates/NOTES.txt
@@ -5,9 +5,10 @@
   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
   {{- end }}
 {{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
+{{- else if .Values.service.enabled }}
+{{- if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "admin-console.fullname" . }})
-  Create an external IP for your NodePort service.  This IP should be the public IP address of your instance.  Add the IP under spec.externalIPs
+  Create an external IP for your NodePort service. This IP should be the public IP address of your instance. Add the IP under spec.externalIPs
   kubectl edit svc admin-console --namespace {{ .Release.Namespace }}
   Ensure your security group allows for inbound requests on $NODE_PORT
   export EXTERNAL_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "admin-console.fullname" . }} -o jsonpath="{.spec.externalIPs[0]}")
@@ -23,4 +24,12 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
-The default password is `password` and it is recommended to change this immediately after initially logging in.
+{{- else if .Values.kurlProxy.enabled }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "admin-console.fullname" . }})
+  Create an external IP for your NodePort service. This IP should be the public IP address of your instance. Add the IP under spec.externalIPs
+  kubectl edit svc kurl-proxy-kotsadm --namespace {{ .Release.Namespace }}
+  Ensure your security group allows for inbound requests on $NODE_PORT
+  export EXTERNAL_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "admin-console.fullname" . }} -o jsonpath="{.spec.externalIPs[0]}")
+  echo http://$EXTERNAL_IP:$NODE_PORT
+{{- end }}
+The default password is `password` and it is recommended to change this immediately after initially logging in.
diff --git a/templates/kotsadm-service.yaml b/templates/kotsadm-service.yaml
@@ -1,3 +1,4 @@
+{{ if .Values.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -17,3 +18,4 @@ spec:
   type: {{ .Values.service.type }}
 status:
   loadBalancer: {}
+{{ end }}
diff --git a/templates/kurl-proxy-deployment.yaml b/templates/kurl-proxy-deployment.yaml
@@ -0,0 +1,54 @@
+{{ if .Values.kurlProxy.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kurl-proxy-kotsadm
+  labels:
+    app: kurl-proxy-kotsadm
+    {{- include "admin-console.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: kurl-proxy-kotsadm
+  template:
+    metadata:
+      labels:
+        app: kurl-proxy-kotsadm
+        {{- include "admin-console.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: proxy
+        image: {{ .Values.images.kurlProxy }}
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: NODE_PORT
+          value: "{{ .Values.kurlProxy.targetPort }}"
+        - name: UPSTREAM_ORIGIN
+          value: http://kotsadm:3000
+        - name: TLS_SECRET_NAME
+          value: kotsadm-tls
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        volumeMounts:
+        - name: kotsadm-config
+          mountPath: /etc/kotsadm
+        resources:
+          limits:
+            cpu: 200m
+            memory: 200Mi
+          requests:
+            cpu: 50m
+            memory: 50Mi
+      serviceAccount: kurl-proxy
+      volumes:
+      - name: kotsadm-config
+        configMap:
+          name: kotsadm-application-metadata
+          optional: true
+{{ end }}
diff --git a/templates/kurl-proxy-rbac.yaml b/templates/kurl-proxy-rbac.yaml
@@ -0,0 +1,37 @@
+{{ if .Values.kurlProxy.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kurl-proxy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "admin-console.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: secret-manager
+  labels:
+    {{- include "admin-console.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list", "create", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kurl-proxy-tls-secrets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "admin-console.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: secret-manager
+subjects:
+- kind: ServiceAccount
+  name: kurl-proxy
+  namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/templates/kurl-proxy-service.yaml b/templates/kurl-proxy-service.yaml
@@ -0,0 +1,18 @@
+{{ if .Values.kurlProxy.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: kurl-proxy-kotsadm
+  labels:
+    {{- include "admin-console.labels" . | nindent 4 }}
+spec:
+  type: NodePort
+  selector:
+    app: kurl-proxy-kotsadm
+  ports:
+  - port: {{ .Values.kurlProxy.targetPort }}
+    targetPort: {{ .Values.kurlProxy.targetPort }}
+{{- if .Values.kurlProxy.nodePort }}
+    nodePort: {{ .Values.kurlProxy.nodePort }}
+{{- end}}
+{{ end }}
diff --git a/values.yaml.tmpl b/values.yaml.tmpl
@@ -7,6 +7,7 @@ images:
   migrations: ${KOTSADM_REGISTRY}/kotsadm-migrations:${KOTS_TAG}
   minio: ${KOTSADM_REGISTRY}/minio:${MINIO_TAG}
   rqlite: ${KOTSADM_REGISTRY}/rqlite:${RQLITE_TAG}
+  kurlProxy: ${KOTSADM_REGISTRY}/kurl-proxy:${KOTS_TAG}
 password: ""
 minimalRBAC: true
 isHelmManaged: true
@@ -47,6 +48,7 @@ securityContext: {}
   # runAsUser: 1000
 
 service:
+  enabled: true
   type: NodePort
   port: 80
 
@@ -102,3 +104,7 @@ affinity:
             operator: NotIn
             values:
               - arm64
+
+kurlProxy:
+  enabled: false
+  targetPort: 8800