diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index 13449556c..cb63361b5 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -17,6 +17,10 @@ Compatibility with the following Ingress Controllers has been verified, other co - [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/) - [Traefik](https://doc.traefik.io/traefik/providers/kubernetes-ingress/) +Compatibility with the following Gateway API Controllers has been verified, other controllers might or might not work. +- [Envoy Gateway](https://gateway.envoyproxy.io/) + + ## TL;DR Deploy Chainloop in [development mode](#development) by running 
@@ -306,6 +310,122 @@ cas: Remember, once you have set up your domain, make sure you use the [CLI pointing](#configure-chainloop-cli-to-point-to-your-instance) to it instead of the defaults. +### Use Gateway Api +When using Gateway Api we do not need to set another ingress for controlplane and cas API, below configuration is sufficient as GRPC and HTTP traffic is handled by HTTPRoute. +HttpRoute object provides possibility to have more hostnames but chainloop application is developed to work with only one domain per service so we have to configure accordingly. + +```yaml +controlplane: + enabled: true + tls: false + parentRefs: + - name: chainloop-gw + sectionName: cp + namespace: chainloop + ## Please do not use more than one hostname. + hostnames: + - cp.chainloop.dev +cas: + enabled: true + tls: false + parentRefs: + - name: chainloop-gw + sectionName: cas + namespace: chainloop + ## Please do not use more than one hostname. + hostnames: + - cas.chainloop.dev +``` + +Example Gateway resource can look like this: +```yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: chainloop-gw +spec: +# We use envoy controller + gatewayClassName: envoy-gateway-class + listeners: + - hostname: '*.chainloop.dev' + name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All +``` + +### Use Gateway Api with TLS +```yaml +controlplane: + enabled: true + # Change here to true to indicate that https traffic is enabled + tls: true + parentRefs: + - name: chainloop-gw + sectionName: cp + namespace: chainloop + ## Please do not use more than one hostname. + hostnames: + - cp.chainloop.dev +cas: + enabled: true + # Change here to true to indicate that https traffic is enabled + tls: true + parentRefs: + - name: chainloop-gw + sectionName: cas + namespace: chainloop + ## Please do not use more than one hostname. 
+ hostnames: + - cas.chainloop.dev +``` + +Example Gateway handling those request can look like this: +```yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: chainloop-gw + annotations: + # We are using letsencrypt cluster issuer to generate certificates + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: +# We use envoy controller + gatewayClassName: envoy-gateway-class + listeners: + - hostname: '*.chainloop.dev' + name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All + - hostname: 'cp.chainloop.dev' + name: cp-tls + port: 443 + protocol: HTTPS + tls: + mode: Terminate + certificateRefs: + - name: cp-chainloop-dev-tls + allowedRoutes: + namespaces: + from: All + - hostname: 'cas.chainloop.dev' + name: cas-tls + port: 443 + protocol: HTTPS + tls: + mode: Terminate + certificateRefs: + - name: cas-chainloop-dev-tls + allowedRoutes: + namespaces: + from: All +``` + ### Connect to an external PostgreSQL database ```yaml 
@@ -671,6 +791,15 @@ Once done, you can access with [two predefined users](https://github.com/chainlo | `controlplane.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | | `controlplane.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | | `controlplane.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `controlplane.httpRoute.enabled` | Enable HTTPRoute generation for controlplane | `false` | +| `controlplane.httpRoute.annotations` | Additional annotations for the HTTPRoute resource | `{}` | +| `controlplane.httpRoute.tls` | Indicate if tls is active for this route | `false` | +| `controlplane.httpRoute.labels` | Additional labels for the HTTPRoute resource | `{}` | +| `controlplane.httpRoute.parentRefs` | Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. | `[]` | +| `controlplane.httpRoute.hostnames` | List of hostnames matching HTTP header | `[]` | +| `controlplane.httpRoute.matches` | List of match rules applied to the HTTPRoute for the default svc backend reference | `[]` | +| `controlplane.httpRoute.filters` | List of filter rules applied to the HTTPRoute for the default svc backend reference | `[]` | +| `controlplane.httpRoute.extraRules` | List of extra rules applied to the HTTPRoute | `[]` | ### Controlplane Misc 
@@ -847,6 +976,15 @@ Once done, you can access with [two predefined users](https://github.com/chainlo | `cas.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | | `cas.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | | `cas.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `cas.httpRoute.enabled` | Enable HTTPRoute generation for CAS | `false` | +| `cas.httpRoute.tls` | Indicate if tls is active for this route | `false` | +| `cas.httpRoute.annotations` | Additional annotations for the HTTPRoute resource | `{}` | +| `cas.httpRoute.labels` | Additional labels for the HTTPRoute resource | `{}` | +| `cas.httpRoute.parentRefs` | Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. | `[]` | +| `cas.httpRoute.hostnames` | List of hostnames matching HTTP header | `[]` | +| `cas.httpRoute.matches` | List of match rules applied to the HTTPRoute for the default svc backend reference | `[]` | +| `cas.httpRoute.filters` | List of filter rules applied to the HTTPRoute for the default svc backend reference | `[]` | +| `cas.httpRoute.extraRules` | List of extra rules applied to the HTTPRoute | `[]` | ### CAS Misc 
@@ -928,23 +1066,31 @@ Once done, you can access with [two predefined users](https://github.com/chainlo ### Dependencies -| Name | Description | Value | -| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | -| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} -disable_mlock = true -ui = true -service_registration "kubernetes" {}` | -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. 
Default: [::]:8200 | `[::]:8200` | +| Name | Description | Value | +| ---------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.command` | Override default container command | `["/vault-init.sh"]` | +| `vault.server.args` | Override default container args | `[""]` | +| `vault.server.extraVolumes[0].name` | Name of the extra volume | `vault-init` | +| `vault.server.extraVolumes[0].configMap.name` | Name of the ConfigMap to mount | `{{ include "vault.server.fullname" . 
}}-init` | +| `vault.server.extraVolumes[0].configMap.defaultMode` | Default mode for the ConfigMap files | `755` | +| `vault.server.extraVolumeMounts[0].name` | Name of the volume to mount | `vault-init` | +| `vault.server.extraVolumeMounts[0].mountPath` | Path where the volume should be mounted | `/vault-init.sh` | +| `vault.server.extraVolumeMounts[0].subPath` | Subpath within the volume to mount | `vault-init.sh` | +| `dex.dex.redirectURL` | Control Plane URL where Dex will redirect after a successful login | `http(s)://[controlplane http ingress]/auth/callback` | +| `dex.dex.ingress` | Configuration for the Dex ingress record | | +| `dex.dex.ingress.enabled` | Enable ingress record generation for Dex | `false` | +| `dex.dex.ingress.tls` | Enable TLS for the Dex ingress record | `false` | +| `dex.dex.ingress.hostname` | Hostname for the Dex ingress record | `""` | +| `dex.dex.ingress.ingressClassName` | IngressClass that will be be used to implement the Dex Ingress (Kubernetes 1.18+) | `""` | +| `dex.dex.httpRoute.enabled` | Enable HTTPRoute generation for controlplane | `false` | +| `dex.dex.httpRoute.hostnames` | List of hostnames to match for this route WARNING: Please use only one domain | `["dex.[domain]"]` | +| `dex.dex.httpRoute.parentRefs` | Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. | `[]` | ## License diff --git a/deployment/chainloop/charts/dex/templates/_helpers.tpl b/deployment/chainloop/charts/dex/templates/_helpers.tpl index 7a231f980..f9444a3b1 100644 --- a/deployment/chainloop/charts/dex/templates/_helpers.tpl +++ b/deployment/chainloop/charts/dex/templates/_helpers.tpl 
@@ -43,13 +43,16 @@ Figure out the external URL for Dex service {{- define "chainloop.dex.external_url" -}} {{- $service := .Values.dex.service }} {{- $ingress := .Values.dex.ingress }} +{{- $httpRoute := .Values.dex.httpRoute }} {{- if (and $ingress $ingress.enabled $ingress.hostname) }} {{- printf "%s://%s/dex" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and $httpRoute $httpRoute.enabled $httpRoute.hostnames ) }} +{{- printf "%s://%s/dex" (ternary "https" "http" $httpRoute.tls ) (index $httpRoute.hostnames 0) }} {{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} {{- printf "http://localhost:%s" $service.nodePorts.http }} {{- else -}} -{{- printf "http://%s-dex:%d/dex" ( include "chainloop.dex.fullname" . ) ( int $service.ports.http ) }} +{{- printf "http://%s:%d/dex" ( include "chainloop.dex.fullname" . ) ( int $service.ports.http ) }} {{- end -}} {{- end -}} diff --git a/deployment/chainloop/charts/dex/templates/httproute.yaml b/deployment/chainloop/charts/dex/templates/httproute.yaml new file mode 100644 index 000000000..3edfc3af8 --- /dev/null +++ b/deployment/chainloop/charts/dex/templates/httproute.yaml 
@@ -0,0 +1,40 @@ +{{- if or .Values.dex.httpRoute.enabled}} +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} +{{- $fullName := include "chainloop.dex.fullname" . -}} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.dex.labels" . | nindent 4 }} + {{- if or .Values.dex.httpRoute.annotations }} + annotations: + {{- include "common.tplvalues.render" ( dict "value" .Values.dex.httpRoute.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + parentRefs: + {{- if .Values.dex.httpRoute.parentRefs }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.httpRoute.parentRefs "context" .) | nindent 4 }} + {{- else }} + - name: gateway + namespace: {{ include "common.names.namespace" . | quote }} + {{- end }} + hostnames: {{- include "common.tplvalues.render" (dict "value" .Values.dex.httpRoute.hostnames "context" .) | nindent 4 }} + rules: + {{- $port := coalesce .Values.dex.service.port .Values.dex.service.ports.http }} + - backendRefs: + - name: {{ include "chainloop.dex.fullname" . }} + port: {{ $port }} + {{- if .Values.dex.httpRoute.matches }} + matches: {{- include "common.tplvalues.render" (dict "value" .Values.dex.httpRoute.matches "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.dex.httpRoute.filters }} + filters: {{- include "common.tplvalues.render" (dict "value" .Values.dex.httpRoute.filters "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.dex.httpRoute.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.httpRoute.extraRules "context" .) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deployment/chainloop/charts/dex/values.yaml b/deployment/chainloop/charts/dex/values.yaml index c0e3b3211..acbb8fc1a 100644 --- a/deployment/chainloop/charts/dex/values.yaml +++ b/deployment/chainloop/charts/dex/values.yaml 
@@ -674,4 +674,60 @@ dex: ## port: ## name: http ## + extraRules: [] + ## Gateway API HTTP routing parameters + ## ref: https://gateway-api.sigs.k8s.io/guides/http-routing/ + ## + httpRoute: + ## @param dex.httpRoute.enabled Enable HTTPRoute generation for dex + ## + enabled: false + ## @param controlplane.httpRoute.tls Indicate if tls is active for this route + tls: false + ## @param dex.httpRoute.annotations Additional annotations for the HTTPRoute resource + ## + annotations: {} + ## @param dex.httpRoute.labels Additional labels for the HTTPRoute resource + ## + labels: {} + ## @param dex.httpRoute.parentRefs Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. + ## e.g: + ## parentRefs: + ## - name: my-gateway + ## sectionName: http + ## namespace: default + ## + parentRefs: [] + ## @param dex.httpRoute.hostnames [array] List of hostnames matching HTTP header + ## + hostnames: + - dex.dev.local + ## @param dex.httpRoute.matches [array] List of match rules applied to the HTTPRoute for the default svc backend reference + ## + matches: + - path: + type: PathPrefix + value: / + ## @param dex.httpRoute.filters List of filter rules applied to the HTTPRoute for the default svc backend reference + ## + filters: [] + ## @param dex.httpRoute.extraRules List of extra rules applied to the HTTPRoute + ## e.g: + ## extraRules: + ## - matches: + ## - path: + ## type: PathPrefix + ## value: /login + ## filters: + ## - type: RequestHeaderModifier + ## requestHeaderModifier: + ## set: + ## - name: My-Overwrite-Header + ## value: this-is-the-only-value + ## remove: + ## - User-Agent + ## backendRefs: + ## - name: chainloop-dex + ## port: 80 + ## extraRules: [] \ No newline at end of file diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl index 57ba24c3e..08282117d 100644 --- a/deployment/chainloop/templates/_helpers.tpl 
+++ b/deployment/chainloop/templates/_helpers.tpl @@ -316,11 +316,14 @@ NOTE: Load balancer service type is not supported {{- define "chainloop.controlplane.external_url" -}} {{- $service := .Values.controlplane.service }} {{- $ingress := .Values.controlplane.ingress }} +{{- $httpRoute := .Values.controlplane.httpRoute }} {{- if .Values.controlplane.auth.oidc.externalURL }} {{- .Values.controlplane.auth.oidc.externalURL }} {{- else if (and $ingress $ingress.enabled $ingress.hostname) }} -{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostnames }} +{{- else if (and $httpRoute $httpRoute.enabled $httpRoute.hostnames ) }} +{{- printf "%s://%s" (ternary "https" "http" $httpRoute.tls ) ( index $httpRoute.hostnames 0) }} {{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} {{- printf "http://localhost:%s" $service.nodePorts.http }} {{- else -}} @@ -407,11 +410,14 @@ NOTE: Load balancer service type is not supported {{- define "chainloop.cas.external_url" -}} {{- $service := .Values.cas.service }} {{- $ingress := .Values.cas.ingress }} +{{- $httpRoute := .Values.cas.httpRoute }} {{- if .Values.cas.externalURL }} {{- .Values.cas.externalURL }} {{- else if (and $ingress $ingress.enabled $ingress.hostname) }} {{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and $httpRoute $httpRoute.enabled $httpRoute.hostnames) }} +{{- printf "%s://%s" (ternary "https" "http" $httpRoute.tls ) (index $httpRoute.hostnames 0) }} {{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} {{- printf "http://localhost:%s" $service.nodePorts.http }} {{- end -}} diff --git a/deployment/chainloop/templates/cas/httproute.yaml b/deployment/chainloop/templates/cas/httproute.yaml new file mode 100644 index 000000000..613e69591 --- /dev/null 
+++ b/deployment/chainloop/templates/cas/httproute.yaml 
@@ -0,0 +1,50 @@ +{{- if or .Values.cas.httpRoute.enabled }} +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} +{{- $fullName := include "chainloop.cas.fullname" . -}} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.httpRoute.annotations }} + annotations: + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.httpRoute.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + parentRefs: + {{- if .Values.cas.httpRoute.parentRefs }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.parentRefs "context" .) | nindent 4 }} + {{- else }} + - name: gateway + namespace: {{ include "common.names.namespace" . | quote }} + {{- end }} + hostnames: {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.hostnames "context" .) | nindent 4 }} + rules: + {{- $port := coalesce .Values.cas.service.port .Values.cas.service.ports.http }} + - backendRefs: + - name: {{ include "chainloop.cas.fullname" . }} + port: {{ $port }} + {{- if .Values.cas.httpRoute.matches }} + matches: {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.matches "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.cas.httpRoute.filters }} + filters: {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.filters "context" .) | nindent 8 }} + {{- end }} + - matches: + - headers: + - name: content-type + value: application/grpc + {{- $portAPI := coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http }} + backendRefs: + - name: {{ include "chainloop.cas.fullname" . }}-api + kind: Service + namespace: {{ include "common.names.namespace" . 
| quote }} + port: {{ $portAPI }} + {{- if .Values.cas.httpRoute.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.extraRules "context" .) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deployment/chainloop/templates/cas/service-grpc.yaml b/deployment/chainloop/templates/cas/service-grpc.yaml index 972aeba99..b30c9426c 100644 --- a/deployment/chainloop/templates/cas/service-grpc.yaml +++ b/deployment/chainloop/templates/cas/service-grpc.yaml @@ -40,6 +40,7 @@ spec: {{- if not (eq $port .Values.cas.containerPorts.grpc) }} targetPort: {{ .Values.cas.containerPorts.grpc }} {{- end }} + appProtocol: kubernetes.io/h2c protocol: TCP {{- if and (or (eq .Values.cas.serviceAPI.type "NodePort") (eq .Values.cas.serviceAPI.type "LoadBalancer")) (not (empty .Values.cas.serviceAPI.nodePorts.http)) }} nodePort: {{ .Values.cas.serviceAPI.nodePorts.http }} diff --git a/deployment/chainloop/templates/controlplane/httproute.yaml b/deployment/chainloop/templates/controlplane/httproute.yaml new file mode 100644 index 000000000..2ae68e277 --- /dev/null +++ b/deployment/chainloop/templates/controlplane/httproute.yaml 
@@ -0,0 +1,50 @@ +{{- if or .Values.controlplane.httpRoute.enabled}} +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} +{{- $fullName := include "chainloop.controlplane.fullname" . -}} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.httpRoute.annotations }} + annotations: + {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.httpRoute.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + parentRefs: + {{- if .Values.controlplane.httpRoute.parentRefs }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.parentRefs "context" .) | nindent 4 }} + {{- else }} + - name: gateway + namespace: {{ include "common.names.namespace" . | quote }} + {{- end }} + hostnames: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.hostnames "context" .) | nindent 4 }} + rules: + {{- $port := coalesce .Values.controlplane.service.port .Values.controlplane.service.ports.http }} + - backendRefs: + - name: {{ include "chainloop.controlplane.fullname" . }} + port: {{ $port }} + {{- if .Values.controlplane.httpRoute.matches }} + matches: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.matches "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.httpRoute.filters }} + filters: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.filters "context" .) | nindent 8 }} + {{- end }} + - matches: + - headers: + - name: content-type + value: application/grpc + {{- $portAPI := coalesce .Values.controlplane.serviceAPI.port .Values.controlplane.serviceAPI.ports.http }} + backendRefs: + - name: {{ include "chainloop.controlplane.fullname" . 
}}-api + kind: Service + namespace: {{ include "common.names.namespace" . | quote }} + port: {{ $portAPI }} + {{- if .Values.controlplane.httpRoute.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.extraRules "context" .) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deployment/chainloop/templates/controlplane/service-grpc.yaml b/deployment/chainloop/templates/controlplane/service-grpc.yaml index 83a96201c..86c543aa8 100644 --- a/deployment/chainloop/templates/controlplane/service-grpc.yaml +++ b/deployment/chainloop/templates/controlplane/service-grpc.yaml @@ -41,6 +41,7 @@ spec: targetPort: {{ .Values.controlplane.containerPorts.grpc }} {{- end }} protocol: TCP + appProtocol: kubernetes.io/h2c {{- if and (or (eq .Values.controlplane.serviceAPI.type "NodePort") (eq .Values.controlplane.serviceAPI.type "LoadBalancer")) (not (empty .Values.controlplane.serviceAPI.nodePorts.http)) }} nodePort: {{ .Values.controlplane.serviceAPI.nodePorts.http }} {{- else if eq .Values.controlplane.serviceAPI.type "ClusterIP" }} diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index 4f30c64de..6613deacb 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml 
@@ -601,6 +601,62 @@ controlplane: ## name: http ## extraRules: [] + ## Gateway API HTTP routing parameters + ## ref: https://gateway-api.sigs.k8s.io/guides/http-routing/ + ## + httpRoute: + ## @param controlplane.httpRoute.enabled Enable HTTPRoute generation for controlplane + ## + enabled: false + ## @param controlplane.httpRoute.annotations Additional annotations for the HTTPRoute resource + ## + ## @param controlplane.httpRoute.tls Indicate if tls is active for this route + tls: false + annotations: {} + ## @param controlplane.httpRoute.labels Additional labels for the HTTPRoute resource + ## + labels: {} + ## @param controlplane.httpRoute.parentRefs Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. + ## e.g: + ## parentRefs: + ## - name: my-gateway + ## sectionName: http + ## namespace: default + ## + parentRefs: [] + ## @param controlplane.httpRoute.hostnames [array] List of hostnames matching HTTP header + ## + hostnames: + - cp.dev.local + ## @param controlplane.httpRoute.matches [array] List of match rules applied to the HTTPRoute for the default svc backend reference + ## + matches: + - path: + type: PathPrefix + value: / + ## @param controlplane.httpRoute.filters List of filter rules applied to the HTTPRoute for the default svc backend reference + ## + filters: [] + ## @param controlplane.httpRoute.extraRules List of extra rules applied to the HTTPRoute + ## e.g: + ## extraRules: + ## - matches: + ## - path: + ## type: PathPrefix + ## value: /login + ## filters: + ## - type: RequestHeaderModifier + ## requestHeaderModifier: + ## set: + ## - name: My-Overwrite-Header + ## value: this-is-the-only-value + ## remove: + ## - User-Agent + ## backendRefs: + ## - name: chainloop-controlplane + ## port: 80 + ## + extraRules: [] ## @section Controlplane Misc 
@@ -1349,7 +1405,62 @@ cas: ## name: http ## extraRules: [] - + ## Gateway API HTTP routing parameters + ## ref: https://gateway-api.sigs.k8s.io/guides/http-routing/ + ## + httpRoute: + ## @param cas.httpRoute.enabled Enable HTTPRoute generation for CAS + ## + enabled: false + ## @param cas.httpRoute.tls Indicate if tls is active for this route + tls: false + ## @param cas.httpRoute.annotations Additional annotations for the HTTPRoute resource + ## + annotations: {} + ## @param cas.httpRoute.labels Additional labels for the HTTPRoute resource + ## + labels: {} + ## @param cas.httpRoute.parentRefs Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. + ## e.g: + ## parentRefs: + ## - name: my-gateway + ## sectionName: http + ## namespace: default + ## + parentRefs: [] + ## @param cas.httpRoute.hostnames [array] List of hostnames matching HTTP header + ## + hostnames: + - cas.dev.local + ## @param cas.httpRoute.matches [array] List of match rules applied to the HTTPRoute for the default svc backend reference + ## + matches: + - path: + type: PathPrefix + value: / + ## @param cas.httpRoute.filters List of filter rules applied to the HTTPRoute for the default svc backend reference + ## + filters: [] + ## @param cas.httpRoute.extraRules List of extra rules applied to the HTTPRoute + ## e.g: + ## extraRules: + ## - matches: + ## - path: + ## type: PathPrefix + ## value: /login + ## filters: + ## - type: RequestHeaderModifier + ## requestHeaderModifier: + ## set: + ## - name: My-Overwrite-Header + ## value: this-is-the-only-value + ## remove: + ## - User-Agent + ## backendRefs: + ## - name: chainloop-cas + ## port: 80 + ## + extraRules: [] ## @section CAS Misc ## @param cas.sentry.enabled Enable sentry.io alerting ## @param cas.sentry.dsn DSN endpoint 
@@ -1683,12 +1794,16 @@ postgresql: ## Bitnami Hashicorp Vault chart configuration ## ref: https://github.com/bitnami/charts/blob/main/bitnami/vault/values.yaml -## @param vault.server.args Arguments to pass to the vault server. This is useful for setting the server in development mode -## @param vault.server.config Configuration for the vault server. Small override of default Bitnami configuration -## @param vault.server.extraEnvVars[0].name Root token for the vault server -## @param vault.server.extraEnvVars[0].value The value of the root token. Default: notasecret -## @param vault.server.extraEnvVars[1].name Address to listen on development mode -## @param vault.server.extraEnvVars[1].value The address to listen on. Default: [::]:8200 +## @skip vault.extraDeploy Array of extra objects to deploy with Vault (evaluated as a template) +## @param vault.server.command Override default container command +## @param vault.server.args Override default container args +## @skip vault.server.config Configuration for the vault server +## @param vault.server.extraVolumes[0].name Name of the extra volume +## @param vault.server.extraVolumes[0].configMap.name Name of the ConfigMap to mount +## @param vault.server.extraVolumes[0].configMap.defaultMode Default mode for the ConfigMap files +## @param vault.server.extraVolumeMounts[0].name Name of the volume to mount +## @param vault.server.extraVolumeMounts[0].mountPath Path where the volume should be mounted +## @param vault.server.extraVolumeMounts[0].subPath Subpath within the volume to mount vault: extraDeploy: - | 
@@ -1781,3 +1896,35 @@ vault: - name: vault-init mountPath: /vault-init.sh subPath: vault-init.sh + +## Dex chart configuration +## @param dex.dex.redirectURL Control Plane URL where Dex will redirect after a successful login +## @extra dex.dex.ingress Configuration for the Dex ingress record +## @param dex.dex.ingress.enabled Enable ingress record generation for Dex +## @param dex.dex.ingress.tls Enable TLS for the Dex ingress record +## @param dex.dex.ingress.hostname Hostname for the Dex ingress record +## @param dex.dex.ingress.ingressClassName IngressClass that will be be used to implement the Dex Ingress (Kubernetes 1.18+) +## @param dex.dex.httpRoute.enabled Enable HTTPRoute generation for controlplane +## @param dex.dex.httpRoute.hostnames List of hostnames to match for this route WARNING: Please use only one domain +## @param dex.dex.httpRoute.parentRefs Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. + +## Used only if .Values.development is true +## Yes, dex.dex, since we are overriding the dex section in the dex subchart +dex: + dex: + # Point to the [controlplane http ingress]/auth/callback + redirectURL: http(s)://[controlplane http ingress]/auth/callback + httpRoute: + enabled: false + hostnames: + - dex.[domain] + parentRefs: [] + # - name: your-gateway + # sectionName: http + # namespace: your-namespace + # Expose the dex instance to the outside world + ingress: + enabled: false + tls: false + hostname: "" + ingressClassName: ""
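Review bot: the values snippets in the new README sections "Use Gateway Api" and "Use Gateway Api with TLS" (hunk @@ -306) are missing the `httpRoute:` level; as written they set `controlplane.enabled` and `controlplane.tls` rather than the `controlplane.httpRoute.*` parameters this PR introduces, so nest `enabled`, `tls`, `parentRefs` and `hostnames` under `httpRoute:` for both `controlplane` and `cas`. The routes also use `sectionName: cp` and `sectionName: cas`, but the example Gateways only define listeners named `http`, `cp-tls` and `cas-tls`, so the routes would never attach; rename the listeners or drop `sectionName`. Both Gateways use `allowedRoutes.namespaces.from: All`, which lets an HTTPRoute in any namespace claim `*.chainloop.dev`; on a shared cluster prefer `from: Same` or a `Selector`, and the TLS example still exposes a wildcard port 80 listener next to the HTTPS ones, which deserves at least a comment. Finally, "Gateway Api" should read "Gateway API", and the two intro sentences need a grammar pass ("the configuration below is sufficient, since gRPC and HTTP traffic are both handled by the HTTPRoute"; "an HTTPRoute can carry several hostnames, but Chainloop supports only one domain per service").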
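Review bot: the `controlplane.httpRoute.hostnames` and `cas.httpRoute.hostnames` rows in the parameter tables (hunks @@ -671 and @@ -847) describe the field as a list but omit the one-hostname restriction stated in the prose and in the `dex.dex.httpRoute.hostnames` row; add the same "use only one domain" caveat, since the `external_url` helpers only read element 0. The `tls` row also sits between `annotations` and `labels` for controlplane but directly after `enabled` for CAS; keep the key order identical in both values blocks so the generated tables stay consistent.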
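Review bot: in the Dependencies table (hunk @@ -928), `dex.dex.httpRoute.enabled` is described as "Enable HTTPRoute generation for controlplane"; it should say Dex (copy-paste from the controlplane row). `vault.server.extraVolumes[0].configMap.defaultMode` shows `755`, which YAML parses as decimal 755 (octal 1363) rather than the intended 0755/493; write `0755` or `493` in values.yaml. `vault.server.args` defaults to `[""]`, which passes one empty argument to `/vault-init.sh`; `[]` is what is meant. The table also loses the rows that made it obvious the bundled Vault is a development instance with a static root token (`VAULT_DEV_ROOT_TOKEN_ID` / `notasecret`); if `vault-init.sh` still starts Vault in dev mode, keep a sentence in the README saying these defaults are for development only.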
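Review bot: in the new `chainloop.dex.external_url` branch (hunk @@ -43 of `charts/dex/templates/_helpers.tpl`), `index $httpRoute.hostnames 0` is guarded against an empty list but not against a wildcard first entry such as `*.chainloop.dev`, which yields an unusable issuer URL; document that the first hostname must be a concrete host, or `fail` the template when it starts with `*`. The `%s-dex` to `%s` change is correct, since the Dex Service the new HTTPRoute points at is named by `chainloop.dex.fullname` without a suffix, but it changes the in-cluster issuer URL for existing installs and should be called out in the changelog.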
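Review bot: in `cas/httproute.yaml` and `controlplane/httproute.yaml` the gRPC rule matches `content-type` with the default `Exact` type, so only requests sending exactly `application/grpc` reach the `-api` Service; a client that sends `application/grpc+proto` (or grpc-web's `application/grpc-web`) falls through to the path-prefix `/` rule and gets an HTTP error from the wrong backend. If those clients matter, use `type: RegularExpression` with `value: ^application/grpc.*`, which Envoy Gateway supports. In all three new templates `{{- if or .Values.X.httpRoute.enabled }}` uses `or` with a single operand; `{{- if .Values.X.httpRoute.enabled }}` is what is meant, and the dex and controlplane variants are also missing the space before `}}`.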
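Review bot: the changed line in `chainloop.controlplane.external_url` (hunk @@ -316 of `templates/_helpers.tpl`) reads `$ingress.hostnames`, but the ingress values only define `hostname` (the guard on the line above still tests `$ingress.hostname`, and the `chainloop.cas.external_url` hunk keeps `$ingress.hostname`), so for ingress-based installs the controlplane URL would render as `http://%!s(<nil>)` and break the OIDC redirect. Revert that token to `$ingress.hostname`; it is unrelated to the Gateway API feature. Same caveat as in the dex helper: `index $httpRoute.hostnames 0` assumes a concrete, non-wildcard first hostname.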
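Review bot: `appProtocol: kubernetes.io/h2c` is the right way to tell the gateway to speak HTTP/2 cleartext to the gRPC ports, but the two hunks insert it on different sides of `protocol: TCP` (before it in `cas/service-grpc.yaml`, after it in `controlplane/service-grpc.yaml`); pick one order. Worth a README sentence that the gateway-to-pod hop stays plaintext h2c even with `tls: true`, since TLS terminates at the Gateway, so a NetworkPolicy or mesh is needed where in-cluster encryption is required.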
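Review bot: in `charts/dex/values.yaml` (hunk @@ -674) the doc comment above `tls: false` reads `## @param controlplane.httpRoute.tls`; in this file it must be `dex.httpRoute.tls`, otherwise the readme generator attaches the description to the wrong chart. The main chart's `dex.dex.httpRoute` override does not set `tls` either, so the TLS case for Dex (which the helper reads via `$httpRoute.tls`) is undocumented. The `tls` block also lacks the trailing `##` separator every other param here has, and the file now ends without a newline.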
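Review bot: under `controlplane.httpRoute` in `values.yaml` (hunk @@ -601), the `## @param controlplane.httpRoute.annotations` comment is followed by the `tls` param and `tls: false` before `annotations: {}` appears; readme generators bind a `@param` to the key that follows it, so move the two `tls` lines below `annotations: {}` (the `cas.httpRoute` hunk has the right order).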
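Review bot: the default `hostnames: - dex.[domain]` in the `dex.dex.httpRoute` block (hunk @@ -1781 of `values.yaml`) is not a valid Gateway API `Hostname` (the CRD pattern rejects `[` and `]`), so anyone who sets `dex.dex.httpRoute.enabled: true` without overriding it gets an API-server validation error instead of a route; use a real placeholder such as `dex.dev.local` (the subchart default) or leave the list empty and `fail` the template with a clear message. `## @param dex.dex.httpRoute.enabled Enable HTTPRoute generation for controlplane` should say Dex.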