Enable Ingress TLS config

Support safe-client-gateway last version (new env variables) Specify Ganache node docker image + new env variables
5afe · Aug 12, 2024 · f2cd0bc · f2cd0bc
1 parent 2978534
commit f2cd0bc
Show file tree

Hide file tree

Showing 19 changed files with 118 additions and 21 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,4 +2,5 @@
 /charts/*/charts
 .idea
 .vscode
-.DS_Store
+.DS_Store
+/tmp
diff --git a/charts/packages/safe-client-gateway-0.1.0.tgz b/charts/packages/safe-client-gateway-0.1.0.tgz
diff --git a/charts/packages/safe-config-service-0.1.0.tgz b/charts/packages/safe-config-service-0.1.0.tgz
diff --git a/charts/packages/safe-stack-0.1.0.tgz b/charts/packages/safe-stack-0.1.0.tgz
diff --git a/charts/packages/safe-transaction-service-0.1.0.tgz b/charts/packages/safe-transaction-service-0.1.0.tgz
diff --git a/charts/packages/safe-wallet-web-0.1.0.tgz b/charts/packages/safe-wallet-web-0.1.0.tgz
diff --git a/charts/safe-client-gateway/templates/env.configmap.yaml b/charts/safe-client-gateway/templates/env.configmap.yaml
@@ -64,6 +64,11 @@ data:
   RELAY_PROVIDER_API_KEY_GNOSIS_CHAIN: ""
   RELAY_PROVIDER_API_KEY_SEPOLIA: ""
 
+  # Push Notification
+  PUSH_NOTIFICATIONS_API_PROJECT: ""
+  PUSH_NOTIFICATIONS_API_SERVICE_ACCOUNT_CLIENT_EMAIL: "[email protected]"
+  PUSH_NOTIFICATIONS_API_SERVICE_ACCOUNT_PRIVATE_KEY: ""
+
   ## Extra envs
   {{- if .Values.extraEnvVars }}
   {{ .Values.extraEnvVars | toYaml | nindent 2 }}

diff --git a/charts/safe-client-gateway/templates/web.ingress.yaml b/charts/safe-client-gateway/templates/web.ingress.yaml
@@ -14,9 +14,14 @@ metadata:
 
 spec:
   ingressClassName: {{ .Values.ingress.ingressClassName }}
-
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - "{{ .Values.ingress.tls.host }}"
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
-    - host: {{ .Values.ingress.host }}
+    - host: "{{ .Values.ingress.host }}"
       http:
         paths:
         - path: /

diff --git a/charts/safe-client-gateway/values.yaml b/charts/safe-client-gateway/values.yaml
@@ -30,7 +30,7 @@ config:
   security:
     authToken: "1234567890"
   redis: 
-    host: # leave empty unless useExisting=true
+    host: # leave empty unless safe-client-gateway-redis.enabled=true
     port: 6379
 
 web:
@@ -57,6 +57,10 @@ ingress:
     nginx.ingress.kubernetes.io/cors-allow-methods: "OPTIONS, GET, HEAD, DELETE, PUT, POST"
     nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.minikube.net"
     nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,Safe-Wallet-Signature,Safe-Wallet-Signature-Timestamp"
+  tls:
+    enabled: false
+    #host: 
+    #secretName:
 
 safe-client-gateway-redis:
   enabled: true

diff --git a/charts/safe-config-service/templates/web.ingress.yaml b/charts/safe-config-service/templates/web.ingress.yaml
@@ -14,9 +14,14 @@ metadata:
 
 spec:
   ingressClassName: {{ .Values.ingress.ingressClassName }}
-
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - "{{ .Values.ingress.tls.host }}"
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
-    - host: {{ .Values.ingress.host }}
+    - host: "{{ .Values.ingress.host }}"
       http:
         paths:
         - path: /

diff --git a/charts/safe-config-service/values.yaml b/charts/safe-config-service/values.yaml
@@ -33,11 +33,11 @@ config:
     token: "1234567890"  # change me (should be the same as client-gateway.auth.token)
   database:
     runMigration: true
-    host: # leave empty if postgresql.enabled=true
-    port: # leave empty if postgresql.enabled=true
-    password: # leave empty if postgresql.enabled=true
-    user: # leave empty if postgresql.enabled=true
-    db: # leave empty if postgresql.enabled=true
+    host: # leave empty if safe-config-service-postgresql.enabled=true
+    port: # leave empty if safe-config-service-postgresql.enabled=true
+    password: # leave empty if safe-config-service-postgresql.enabled=true
+    user: # leave empty if safe-config-service-postgresql.enabled=true
+    db: # leave empty if safe-config-service-postgresql.enabled=true
   admin:
     auth:
       enabled: true
@@ -66,6 +66,10 @@ ingress:
   annotations: 
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/enable-cors: "false"
+  tls:
+    enabled: false
+    #host: 
+    #secretName:
 
 safe-config-service-postgresql:
   enabled: true

diff --git a/charts/safe-stack/values.yaml b/charts/safe-stack/values.yaml
@@ -96,11 +96,20 @@ safe-transaction-service:
     annotations: 
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       nginx.ingress.kubernetes.io/enable-cors: "false"
+    tls:
+      enabled: false
+      #host: 
+      #secretName:
   ganacheNode:
     enabled: true
+    image:
+      repository: gjeanmart/safe-ganache-node
+      tag: latest
+      pullPolicy: Always
     config:
       mnemonic: "test test test test test test test test test test test junk"
       chainId: 1337
+      deterministicDeployment: "true"
       persistence:
         storageClass: standard
         size: 100Mi
@@ -109,6 +118,10 @@ safe-transaction-service:
       ingressClassName: nginx
       host: node.minikube.net
       annotations: {}
+      tls:
+        enabled: false
+        #host: 
+        #secretName:
   safe-transaction-service-postgresql:
     enabled: true
     global:
@@ -197,6 +210,10 @@ safe-config-service:
     annotations: 
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       nginx.ingress.kubernetes.io/enable-cors: "false"
+    tls:
+      enabled: false
+      #host: 
+      #secretName:
   safe-config-service-postgresql:
     enabled: true
     global:
@@ -221,7 +238,7 @@ safe-client-gateway:
   replicaCount: 1
   image:
     repository: safeglobal/safe-client-gateway-nest
-    tag: latest
+    tag: v1.51.0 #latest
     pullPolicy: Always
   extraEnv: []
   config:
@@ -256,6 +273,10 @@ safe-client-gateway:
       nginx.ingress.kubernetes.io/cors-allow-methods: "OPTIONS, GET, HEAD, DELETE, PUT, POST"
       nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.minikube.net"
       nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,Safe-Wallet-Signature,Safe-Wallet-Signature-Timestamp"
+    tls:
+      enabled: false
+      #host: 
+      #secretName:
   safe-client-gateway-redis:
     enabled: true
     auth:
@@ -294,3 +315,7 @@ safe-wallet-web:
     annotations:
         nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
         nginx.ingress.kubernetes.io/enable-cors: "false"
+    tls:
+      enabled: false
+      #host: 
+      #secretName:
diff --git a/charts/safe-transaction-service/templates/ganache-node/ganache-node.deployment.yaml b/charts/safe-transaction-service/templates/ganache-node/ganache-node.deployment.yaml
@@ -18,7 +18,8 @@ spec:
     spec:
       containers:
         - name: ganache-node
-          image: gjeanmart/safe-ganache-node:latest
+          image: "{{ .Values.ganacheNode.image.repository }}:{{ .Values.ganacheNode.image.tag }}"
+          imagePullPolicy: {{ .Values.ganacheNode.image.pullPolicy }}
           ports:
             - name: node-rpc
               containerPort: 8545
@@ -27,6 +28,8 @@ spec:
               value: "{{ .Values.ganacheNode.config.mnemonic }}"
             - name: CHAIN_ID
               value: "{{ .Values.ganacheNode.config.chainId }}"
+            - name: DETERMINISTIC_DEPLOYMENT
+              value: "{{ .Values.ganacheNode.config.deterministicDeployment }}"
           volumeMounts:
             - name: ganache-node-claim
               mountPath: /db

diff --git a/charts/safe-transaction-service/templates/ganache-node/ganache-node.ingress.yaml b/charts/safe-transaction-service/templates/ganache-node/ganache-node.ingress.yaml
@@ -14,9 +14,14 @@ metadata:
 spec:
   # notice: ref: https://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/
   ingressClassName: {{ .Values.ganacheNode.ingress.ingressClassName }}
-
+  {{- if .Values.ganacheNode.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - "{{ .Values.ganacheNode.ingress.host }}"
+      secretName: {{ .Values.ganacheNode.ingress.tls.secretName }}
+  {{- end }}
   rules:
-    - host: {{ .Values.ganacheNode.ingress.host }}
+    - host: "{{ .Values.ganacheNode.ingress.host }}"
       http:
         paths:
           - path: /

diff --git a/charts/safe-transaction-service/templates/web.ingress.yaml b/charts/safe-transaction-service/templates/web.ingress.yaml
@@ -14,9 +14,14 @@ metadata:
 
 spec:
   ingressClassName: {{ .Values.ingress.ingressClassName }}
-
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - "{{ .Values.ingress.tls.host }}"
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
-    - host: {{ .Values.ingress.host }}
+    - host: "{{ .Values.ingress.host }}"
       http:
         paths:
         - path: /

diff --git a/charts/safe-transaction-service/values.yaml b/charts/safe-transaction-service/values.yaml
@@ -90,15 +90,24 @@ ingress:
   annotations: 
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/enable-cors: "false"
+  tls:
+    enabled: false
+    #host: 
+    #secretName:
 
 ##
 ## Ganache (test) node configuration
 ##
 ganacheNode:
   enabled: true
+  image:
+    repository: gjeanmart/safe-ganache-node
+    tag: latest
+    pullPolicy: Always
   config:
     mnemonic: "test test test test test test test test test test test junk"
     chainId: 1337
+    deterministicDeployment: "true"
     persistence:
       storageClass: standard
       size: 100Mi
@@ -107,6 +116,10 @@ ganacheNode:
     ingressClassName: nginx
     host: node.minikube.net
     annotations: {}
+    tls:
+      enabled: false
+      #host: 
+      #secretName:
 
 safe-transaction-service-postgresql:
   enabled: true

diff --git a/charts/safe-wallet-web/templates/web.ingress.yaml b/charts/safe-wallet-web/templates/web.ingress.yaml
@@ -15,9 +15,14 @@ metadata:
 spec:
   # notice: ref: https://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/
   ingressClassName: {{ .Values.ingress.ingressClassName }}
-
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - "{{ .Values.ingress.tls.host }}"
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
-    - host: {{ .Values.ingress.host }}
+    - host: "{{ .Values.ingress.host }}"
       http:
         paths:
           - path: /

diff --git a/charts/safe-wallet-web/values.yaml b/charts/safe-wallet-web/values.yaml
@@ -44,3 +44,7 @@ ingress:
   annotations:
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       nginx.ingress.kubernetes.io/enable-cors: "false"
+  tls:
+    enabled: false
+    #host: 
+    #secretName:
diff --git a/docs/development.md b/docs/development.md
@@ -6,11 +6,11 @@
 
 ```bash
 brew install minikube
-minikube start
+minikube start --listen-address='0.0.0.0'
 minikube addons enable ingress
 ```
 
-#### Configure TLS for your Ingresses
+#### Configure TLS (self-signed) for your Ingresses
 
 ```bash
 brew install mkcert
@@ -28,11 +28,24 @@ vi /etc/hosts
 127.0.0.1 node.minikube.net
 
 minikube addons configure ingress
+Enter kube-system/mkcert   
+
 minikube addons disable ingress
 minikube addons enable ingress
 ```
 
 
+#### Configure TLS (with authority) for your Ingresses
+
+```
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml
+helm repo add jetstack https://charts.jetstack.io && helm repo update
+helm install cert-manager jetstack/cert-manager --namespace kube-system --version v1.13.3
+kubectl apply -f my-cluster_issuer.yml
+kubectl apply -f my-certificate.yml
+```
+
+
 #### Install the Chart independantly
 
 ```bash