From 419f1f2194e4c2b07d8c7f01120a09e959a9b0a1 Mon Sep 17 00:00:00 2001 From: Evans Mungai Date: Fri, 12 Jan 2024 19:02:35 +0000 Subject: [PATCH] feat: add kurl proxy resources to AdminConsole helm chart (#32) * feat: Add kurl proxy service to allow TLS setup * Add admin-console labels to kurl resources * Only deploy admin console service if kURL proxy is absent * Remove duplicate labels * Delete helm chart before building and correct template error --- .helmignore | 3 +- scripts/build-local.sh | 1 + scripts/build-ttl.sh | 1 + templates/NOTES.txt | 15 ++++++-- templates/kotsadm-service.yaml | 2 ++ templates/kurl-proxy-deployment.yaml | 54 ++++++++++++++++++++++++++++ templates/kurl-proxy-rbac.yaml | 37 +++++++++++++++++++ templates/kurl-proxy-service.yaml | 18 ++++++++++ values.yaml.tmpl | 6 ++++ 9 files changed, 133 insertions(+), 4 deletions(-) create mode 100644 templates/kurl-proxy-deployment.yaml create mode 100644 templates/kurl-proxy-rbac.yaml create mode 100644 templates/kurl-proxy-service.yaml diff --git a/.helmignore b/.helmignore index 0df088b..b71be19 100644 --- a/.helmignore +++ b/.helmignore @@ -2,4 +2,5 @@ scripts/ /*.yaml.tmpl /.image.env /.git -/.github \ No newline at end of file +/.github +/.tgz diff --git a/scripts/build-local.sh b/scripts/build-local.sh index d69c5f0..7d5438e 100755 --- a/scripts/build-local.sh +++ b/scripts/build-local.sh @@ -14,6 +14,7 @@ export $(cat .image.env | sed 's/#.*//g' | xargs) envsubst < Chart.yaml.tmpl > Chart.yaml envsubst < values.yaml.tmpl > values.yaml +rm -f admin-console-*.tgz export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev` helm push $CHART_NAME oci://ttl.sh/${CURRENT_USER} diff --git a/scripts/build-ttl.sh b/scripts/build-ttl.sh index 36cda39..e2f1bcd 100755 --- a/scripts/build-ttl.sh +++ b/scripts/build-ttl.sh 
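Review bot: The new `/.tgz` entry in .helmignore matches only a root-level file literally named `.tgz`, not the `admin-console-<version>.tgz` archives that `helm package .` writes into the chart directory, so earlier packages are still swept into the next one; the pattern wanted is `/*.tgz`. With that fixed, the `rm -f admin-console-*.tgz` added to scripts/build-local.sh and scripts/build-ttl.sh becomes a second line of defence rather than the only thing keeping old archives out of the chart.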
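Review bot: The new `rm -f admin-console-*.tgz` in scripts/build-local.sh (and the identical line in scripts/build-ttl.sh) has no comment saying why the cleanup must precede `helm package`; a reader of the script only has the commit title "Delete helm chart before building" to go on. Suggest `# drop archives from earlier runs so helm package does not pick them up into the new chart`, adjusting the wording if the actual motivation was something else. The glob is intentionally unquoted and `-f` makes the no-match case a silent no-op, which is fine here; the line does rely on the script running from the chart root, as the existing `.image.env` read above it already does.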
@@ -14,6 +14,7 @@ export $(cat .image.env | sed 's/#.*//g' | xargs) envsubst < Chart.yaml.tmpl > Chart.yaml envsubst < values.yaml.tmpl > values.yaml +rm -f admin-console-*.tgz export CHART_NAME=`helm package . | rev | cut -d/ -f1 | rev` helm push $CHART_NAME oci://ttl.sh/$USER diff --git a/templates/NOTES.txt b/templates/NOTES.txt index c6bbd06..21a063e 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -5,9 +5,10 @@ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} {{- end }} {{- end }} -{{- else if contains "NodePort" .Values.service.type }} +{{- else if .Values.service.enabled }} +{{- if contains "NodePort" .Values.service.type }} export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "admin-console.fullname" . }}) - Create an external IP for your NodePort service. This IP should be the public IP address of your instance. Add the IP under spec.externalIPs + Create an external IP for your NodePort service. This IP should be the public IP address of your instance. Add the IP under spec.externalIPs kubectl edit svc admin-console --namespace {{ .Release.Namespace }} Ensure your security group allows for inbound requests on $NODE_PORT export EXTERNAL_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "admin-console.fullname" . }} -o jsonpath="{.spec.externalIPs[0]}") 
@@ -23,4 +24,12 @@ echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT {{- end }} -The default password is `password` and it is recommended to change this immediately after initially logging in. \ No newline at end of file +{{- else if .Values.kurlProxy.enabled }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "admin-console.fullname" . }}) + Create an external IP for your NodePort service. This IP should be the public IP address of your instance. Add the IP under spec.externalIPs + kubectl edit svc kurl-proxy-kotsadm --namespace {{ .Release.Namespace }} + Ensure your security group allows for inbound requests on $NODE_PORT + export EXTERNAL_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "admin-console.fullname" . }} -o jsonpath="{.spec.externalIPs[0]}") + echo http://$EXTERNAL_IP:$NODE_PORT +{{- end }} +The default password is `password` and it is recommended to change this immediately after initially logging in. diff --git a/templates/kotsadm-service.yaml b/templates/kotsadm-service.yaml index 0087481..cb0b996 100644 --- a/templates/kotsadm-service.yaml +++ b/templates/kotsadm-service.yaml @@ -1,3 +1,4 @@ +{{ if .Values.service.enabled }} apiVersion: v1 kind: Service metadata: @@ -17,3 +18,4 @@ spec: type: {{ .Values.service.type }} status: loadBalancer: {} +{{ end }} diff --git a/templates/kurl-proxy-deployment.yaml b/templates/kurl-proxy-deployment.yaml new file mode 100644 index 0000000..d0a754b --- /dev/null +++ b/templates/kurl-proxy-deployment.yaml 
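Review bot: In the new `{{- else if .Values.kurlProxy.enabled }}` branch of templates/NOTES.txt the `NODE_PORT` and `EXTERNAL_IP` lookups query `services {{ include "admin-console.fullname" . }}`, but the proxy Service created by templates/kurl-proxy-service.yaml is named `kurl-proxy-kotsadm`, which is the name the `kubectl edit svc` line in the same branch already uses; when the proxy is enabled and `service.enabled` is false the fullname Service does not exist and both printed commands fail. Change the two lookups to `services kurl-proxy-kotsadm` and `kubectl get svc --namespace {{ .Release.Namespace }} kurl-proxy-kotsadm -o jsonpath=...`. The closing `echo http://$EXTERNAL_IP:$NODE_PORT` also points users at plain HTTP although the proxy is configured with `TLS_SECRET_NAME`, so `https://` is presumably the scheme it actually serves; worth confirming against the proxy image.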
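Review bot: The guard added to templates/kotsadm-service.yaml keys on `.Values.service.enabled` alone, while the commit describes the intent as "only deploy admin console service if kURL proxy is absent"; with the defaults this commit sets in values.yaml.tmpl (`service.enabled: true`, `service.type: NodePort`, `kurlProxy.enabled: false`) an operator who only flips `kurlProxy.enabled` ends up with the console reachable on two NodePorts, one plain HTTP beside the TLS proxy. `{{ if and .Values.service.enabled (not .Values.kurlProxy.enabled) }}` would enforce the stated rule, provided the proxy's upstream `http://kotsadm:3000` is served by some other Service than this one; the Service's `name:` is outside the hunk, so please confirm before changing it. As a point of style, `{{- if ... }}` and `{{- end }}` would avoid the blank lines the untrimmed actions leave in the rendered manifest.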
@@ -0,0 +1,54 @@ +{{ if .Values.kurlProxy.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kurl-proxy-kotsadm + labels: + app: kurl-proxy-kotsadm + {{- include "admin-console.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: kurl-proxy-kotsadm + template: + metadata: + labels: + app: kurl-proxy-kotsadm + {{- include "admin-console.labels" . | nindent 8 }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: proxy + image: {{ .Values.images.kurlProxy }} + imagePullPolicy: IfNotPresent + env: + - name: NODE_PORT + value: "{{ .Values.kurlProxy.targetPort }}" + - name: UPSTREAM_ORIGIN + value: http://kotsadm:3000 + - name: TLS_SECRET_NAME + value: kotsadm-tls + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: kotsadm-config + mountPath: /etc/kotsadm + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 50m + memory: 50Mi + serviceAccount: kurl-proxy + volumes: + - name: kotsadm-config + configMap: + name: kotsadm-application-metadata + optional: true +{{ end }} diff --git a/templates/kurl-proxy-rbac.yaml b/templates/kurl-proxy-rbac.yaml new file mode 100644 index 0000000..4bd9f25 --- /dev/null +++ b/templates/kurl-proxy-rbac.yaml 
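Review bot: `serviceAccount: kurl-proxy` on the pod spec in templates/kurl-proxy-deployment.yaml uses the deprecated alias; the supported field is `serviceAccountName: kurl-proxy`. The pod template also wires in `.Values.affinity` but not the chart's `securityContext` value (declared as `securityContext: {}` in values.yaml.tmpl with a commented `runAsUser`), so an operator who hardens the rest of the chart that way does not get the same settings on the proxy container; the sketch below assumes the value is container-level, as in the standard Helm scaffold, so check how the existing deployment templates consume it. There is no readiness or liveness probe either, so the NodePort Service routes to the pod from the moment it starts, but the hunk shows no endpoint to probe and I leave that as a question for the image owner.
```yaml
      containers:
      - name: proxy
        image: {{ .Values.images.kurlProxy }}
        imagePullPolicy: IfNotPresent
        {{- with .Values.securityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        # … unchanged: env, volumeMounts, resources …
      serviceAccountName: kurl-proxy
      # … unchanged: volumes …
```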
@@ -0,0 +1,37 @@ +{{ if .Values.kurlProxy.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kurl-proxy + namespace: {{ .Release.Namespace }} + labels: + {{- include "admin-console.labels" . | nindent 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ .Release.Namespace }} + name: secret-manager + labels: + {{- include "admin-console.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list", "create", "patch", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kurl-proxy-tls-secrets + namespace: {{ .Release.Namespace }} + labels: + {{- include "admin-console.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: secret-manager +subjects: +- kind: ServiceAccount + name: kurl-proxy + namespace: {{ .Release.Namespace }} +{{ end }} diff --git a/templates/kurl-proxy-service.yaml b/templates/kurl-proxy-service.yaml new file mode 100644 index 0000000..fbfb883 --- /dev/null +++ b/templates/kurl-proxy-service.yaml @@ -0,0 +1,18 @@ +{{ if .Values.kurlProxy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: kurl-proxy-kotsadm + labels: + {{- include "admin-console.labels" . | nindent 4 }} +spec: + type: NodePort + selector: + app: kurl-proxy-kotsadm + ports: + - port: {{ .Values.kurlProxy.targetPort }} + targetPort: {{ .Values.kurlProxy.targetPort }} +{{- if .Values.kurlProxy.nodePort }} + nodePort: {{ .Values.kurlProxy.nodePort }} +{{- end}} +{{ end }} diff --git a/values.yaml.tmpl b/values.yaml.tmpl index df45590..e4fabac 100644 --- a/values.yaml.tmpl +++ b/values.yaml.tmpl @@ -7,6 +7,7 @@ images: migrations: ${KOTSADM_REGISTRY}/kotsadm-migrations:${KOTS_TAG} minio: ${KOTSADM_REGISTRY}/minio:${MINIO_TAG} rqlite: ${KOTSADM_REGISTRY}/rqlite:${RQLITE_TAG} + kurlProxy: ${KOTSADM_REGISTRY}/kurl-proxy:${KOTS_TAG} password: "" minimalRBAC: true isHelmManaged: true 
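Review bot: The `secret-manager` Role in templates/kurl-proxy-rbac.yaml grants get/watch/list/create/patch/update on every Secret in the release namespace, although the only secret the proxy is configured with is `kotsadm-tls` (`TLS_SECRET_NAME` in kurl-proxy-deployment.yaml), so a compromised proxy pod can read and rewrite any other secret the namespace holds. `get`, `patch` and `update` can be pinned with `resourceNames: ["kotsadm-tls"]`; `create`, `list` and `watch` cannot be scoped by name in RBAC, so keep them in a separate rule and drop any the proxy does not actually use, which the hunk does not tell me. The Role name `secret-manager` and the RoleBinding name `kurl-proxy-tls-secrets` are also unprefixed, so a second release in the same namespace would fight over them; the ServiceAccount is referenced verbatim from the Deployment, so renaming it means touching both templates.
```yaml
rules:
# Only the TLS secret the proxy manages may be read or rewritten by name.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kotsadm-tls"]
  verbs: ["get", "patch", "update"]
# create/list/watch cannot be restricted by resourceNames; keep them apart and
# remove any the proxy does not need.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "list", "watch"]
```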
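Review bot: `{{- end}}` closing the `nodePort` guard in templates/kurl-proxy-service.yaml drops the space that every other action in the new templates uses (`{{- end }}`); trivial, but worth keeping consistent. The Service also reads `.Values.kurlProxy.nodePort`, which the values.yaml.tmpl hunk never declares, so the guard works only through Helm treating a missing key as empty; declaring it keeps the template honest about its inputs. The Service omits `namespace: {{ .Release.Namespace }}` while the ServiceAccount in kurl-proxy-rbac.yaml sets it explicitly; both land in the release namespace, so either convention is fine, but pick one for the new files.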
@@ -47,6 +48,7 @@ securityContext: {} # runAsUser: 1000 service: + enabled: true type: NodePort port: 80 @@ -102,3 +104,7 @@ affinity: operator: NotIn values: - arm64 + +kurlProxy: + enabled: false + targetPort: 8800
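Review bot: The new `enabled: true` under `service:` and the `kurlProxy:` block in values.yaml.tmpl carry no comments, and nothing in the values file tells an operator that the two are meant to be exclusive; that rule lives only in the commit message. Suggest `enabled: true  # set to false when kurlProxy.enabled is true; the proxy then exposes the console over TLS instead` on the service key, and on the proxy block `targetPort: 8800  # port the proxy listens on and its Service forwards to` plus a commented `# nodePort:` line noting that kurl-proxy-service.yaml pins the NodePort when it is set. The `minimalRBAC: true` value a few lines above is not consulted by the new kurl-proxy-rbac.yaml; if that is deliberate, a one-line comment saying the proxy's RBAC is unconditional would save the next reader a search.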