diff --git a/chart/README.md b/chart/README.md index 0e56bd93..efa809fc 100644 --- a/chart/README.md +++ b/chart/README.md @@ -173,16 +173,6 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md | `cartoSecrets.gitbookApiToken.existingSecret.name` | Name of the pre-existent secret containing the `cartoSecrets.gitbookApiToken.existingSecret.key`. If `cartoSecrets.gitbookApiToken.value` is defined, this value is going to be ignored and not used. | `""` | | `cartoSecrets.gitbookApiToken.existingSecret.key` | Key to find in `cartoSecrets.gitbookApiToken.existingSecret.name` where the value of `cartoSecrets.gitbookApiToken` is found. If `cartoSecrets.gitbookApiToken.value` is defined, this value is going to be ignored and not used. | `""` | -### TLS parameters - -| Name | Description | Value | -| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -| `tlsCerts.httpsEnabled` | Enable https on the router component. CARTO only works with `HTTPS`, if you disable this protocol here you should configure it in a higher layer like a Load Balancer | `true` | -| `tlsCerts.autoGenerate` | Generate self-signed TLS certificates | `true` | -| `tlsCerts.existingSecret.name` | Name of a secret containing the certificate | `""` | -| `tlsCerts.existingSecret.certKey` | Key of the certificate inside the secret | `tls.crt` | -| `tlsCerts.existingSecret.keyKey` | Key of the certificate key inside the secret | `tls.key` | - ### common backend service account | Name | Description | Value | 
@@ -779,8 +769,12 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md | `router.nginxConfig.proxy_buffer_size` | Sets the size of the buffer used for reading the first part of the response received from the proxied server | `8k` | | `router.nginxConfig.proxy_busy_buffers_size` | Limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read | `8k` | | `router.nginxConfig.client_max_body_size` | Sets the maximum allowed size of the client request body | `10M` | +| `router.httpsEnabled` | Terminate or not TLS inside Carto router | `false` | | `router.tlsCertificates.certificateValueBase64` | certificate in base64 | `""` | | `router.tlsCertificates.privateKeyValueBase64` | private key in base64 | `""` | +| `router.tlsCertificates.existingSecret.name` | existing secret name ref | `""` | +| `router.tlsCertificates.existingSecret.certKey` | secret certificate ref | `""` | +| `router.tlsCertificates.existingSecret.keyKey` | secret key ref | `""` | | `router.podSecurityContext.enabled` | Enabled router pods' Security Context | `true` | | `router.podSecurityContext.fsGroup` | Set router pod's Security Context fsGroup | `101` | | `router.podSecurityContext.supplementalGroups[0]` | Set router pod's Security Context supplementalGroups | `2345` | 
@@ -820,41 +814,44 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md ### router Service Parameters -| Name | Description | Value | -| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `router.service.type` | router service type | `ClusterIP` | -| `router.service.ports.http` | router service HTTP port | `80` | -| `router.service.ports.httpTargetPort` | router service HTTP Target port | `http` | -| `router.service.ports.https` | router service HTTPS port | `443` | -| `router.service.ports.httpsTargetPort` | router service HTTPS Target port | `https` | -| `router.service.nodePorts.http` | Node.js port for HTTP | `""` | -| `router.service.nodePorts.https` | Node.js port for HTTPS | `""` | -| `router.service.clusterIP` | router service Cluster IP | `""` | -| `router.service.loadBalancerIP` | router service Load Balancer IP | `""` | -| `router.service.labelSelectorsOverride` | Selector for router service | `{}` | -| `router.service.loadBalancerSourceRanges` | router service Load Balancer sources | `[]` | -| `router.service.externalTrafficPolicy` | router service external traffic policy | `Cluster` | -| `router.service.annotations` | Additional custom annotations for router service | `{}` | -| `router.service.extraPorts` | Extra ports to expose in router service (normally used with the `sidecars` value) | `[]` | -| `router.ingress.enabled` | Enable ingress controller resource | `false` | -| `router.ingress.pathType` | Ingress Path type | `ImplementationSpecific` | -| `router.ingress.apiVersion` | Override API Version (automatically detected if not set) | `""` | -| `router.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `router.ingress.path` | The Path to CARTO. 
You may need to set this to '/*' in order to use this | `/*` | -| `router.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `router.ingress.tls` | Enable TLS configuration for the hostname defined at ingress.hostname parameter | `false` | -| `router.ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` | -| `router.ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | -| `router.ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` | -| `router.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| Name | Description | Value | +| ----------------------------------------- | --------------------------------------------------------------------------------- | ----------- | +| `router.service.type` | router service type | `ClusterIP` | +| `router.service.ports.http` | router service HTTP port | `80` | +| `router.service.ports.httpTargetPort` | router service HTTP Target port | `http` | +| `router.service.ports.https` | router service HTTPS port | `443` | +| `router.service.ports.httpsTargetPort` | router service HTTPS Target port | `https` | +| `router.service.nodePorts.http` | Node.js port for HTTP | `""` | +| `router.service.nodePorts.https` | Node.js port for HTTPS | `""` | +| `router.service.clusterIP` | router service Cluster IP | `""` | +| `router.service.loadBalancerIP` | router service Load Balancer IP | `""` | +| `router.service.labelSelectorsOverride` | Selector for router service | `{}` | +| `router.service.loadBalancerSourceRanges` | router service Load Balancer sources | `[]` | +| `router.service.externalTrafficPolicy` | router service external traffic policy | `Cluster` | +| `router.service.annotations` | Additional custom annotations 
for router service | `{}` | +| `router.service.extraPorts` | Extra ports to expose in router service (normally used with the `sidecars` value) | `[]` | ### router ServiceAccount configuration -| Name | Description | Value | -| ---------------------------------------------------- | ---------------------------------------------------- | ------- | -| `router.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `router.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `router.serviceAccount.automountServiceAccountToken` | Mount service account token in the deployment | `false` | +| Name | Description | Value | +| ---------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `router.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `router.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `router.serviceAccount.automountServiceAccountToken` | Mount service account token in the deployment | `false` | +| `ingress.enabled` | Enable ingress controller resource | `false` | +| `ingress.pathType` | Ingress Path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Override API Version (automatically detected if not set) | `""` | +| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.path` | The Path to CARTO. You may need to set this to '/*' in order to use this | `/*` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | +| `ingress.tls` | Enable TLS configuration for the hostname defined at ingress.hostname parameter | `false` | +| `ingress.tlsCertificates.existingSecret.name` | existing secret name ref | `""` | +| `ingress.tlsCertificates.existingSecret.certKey` | secret certificate ref | `""` | +| `ingress.tlsCertificates.existingSecret.keyKey` | secret key ref | `""` | +| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` | +| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | +| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` | +| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | ### httpCache Deployment Parameters @@ -1611,7 +1608,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md | `gateway.tlsCertificates.customSSLCerts.enabled` | enable if customer provides their own certificates. | `false` | | `gateway.tlsCertificates.customSSLCerts.certificateValueBase64` | custom certificate in base64. | `""` | | `gateway.tlsCertificates.customSSLCerts.privateKeyValueBase64` | custom private key in base64. | `""` | -| `gateway.tlsCertificates.managedCerts.enabled` | enable if managed certs creation is required. | `false` | +| `gateway.tlsCertificates.managedCerts.enabled` | enable to use a managed cert | `false` | +| `gateway.tlsCertificates.managedCerts.name` | managed certificate name | `""` | | `gateway.apiVersion` | Kubernetes Gateway API Version. | `""` | | `gateway.gatewayClassName` | GatewayClass that will be be used to implement the gateway api. | `""` | | `gateway.path` | The Path to CARTO | `/` | 
@@ -1621,6 +1619,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md | `gateway.listeners.http.name` | HTTP listener name | `http` | | `gateway.listeners.http.port` | HTTP listener port | `80` | | `gateway.address.type` | AddressType defines how a network address is represented as a text string. | `NamedAddress` | +| `gateway.staticIP.enabled` | Assign a Static IP to the Gateway-api | `false` | +| `gateway.staticIP.value` | Static IP name | `""` | | `gateway.annotations` | Additional annotations for the gateway resource. | `{}` | diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index a8a578e1..6b82e9bd 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt @@ -16,8 +16,8 @@ WARNING: You are using a non-production installation, please follow the producti ** Please be patient while the chart is being deployed ** -** Did you check our recommendations to customize your app in production mode? ** -https://github.com/CartoDB/carto-selfhosted-helm/blob/{{- include "chart.version" . }}/customizations/README.md#production-ready +** Did you check our recommendations to enable High Availability? ** +https://docs.carto.com/carto-self-hosted/guides/high-availability-configuration-for-carto-self-hosted {{- if .Values.diagnosticMode.enabled }} @@ -54,7 +54,7 @@ host. To configure CARTO with the URL of your service: {{- else }} 1. Get the CARTO URL by running: -{{- if .Values.router.ingress.enabled }} +{{- if .Values.ingress.enabled }} NOTE: It may take a few minutes for the Ingress IP to be available. 
@@ -62,6 +62,13 @@ host. To configure CARTO with the URL of your service: export CARTO_HOST_CNAME=$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ include "carto.router.fullname" . }} -o jsonpath='{.spec..host}') +{{- else if .Values.gateway.enabled }} + + NOTE: It may take a few minutes for the Gateway IP to be available. + + export CARTO_HOST_IP=$(kubectl get gateway --namespace {{ .Release.Namespace }} {{ include "carto.gateway.fullname" . }} -o jsonpath='{.status..addresses..value}') + + export CARTO_HOST_CNAME=$(kubectl get httproutes --namespace {{ .Release.Namespace }} {{ include "carto.gateway.fullname" . }}-https -o jsonpath='{.spec..hostnames[0]}') {{- else if eq .Values.router.service.type "ClusterIP" }} {{- $port := default 80 .Values.router.service.ports.http | toString }} @@ -78,8 +85,6 @@ host. To configure CARTO with the URL of your service: sudo -E kubectl --kubeconfig=${CARTO_KUBECONFIG} port-forward --namespace {{ .Release.Namespace }} svc/{{ include "carto.router.fullname" . }} {{ $port }}:{{ $port }} {{ $port_https }}:{{ $port_https }} -+ - - {{- else if eq .Values.router.service.type "NodePort" }} export CARTO_HOST_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index b5afd23c..e83b7037 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl 
@@ -941,17 +941,13 @@ Return the absolute path where the Google Secret will be mounted {{/* Return the proper Carto TLS Secret name -FIXME: Deprecated in favor of router.tlsCertificates and gateway.tlsCertificates TODO: We have to regenerate the secret if the private key changes */}} -{{- define "carto.tlsCerts.secretName" -}} -{{- include "carto.tlsCerts.duplicatedValueValidator" . -}} -{{- if .Values.tlsCerts.existingSecret.name -}} -{{- .Values.tlsCerts.existingSecret.name -}} +{{- define "carto.router.tlsCertificates.secretName" -}} +{{- include "carto.router.tlsCertificates.duplicatedValueValidator" . -}} +{{- if .Values.router.tlsCertificates.existingSecret.name -}} +{{- .Values.router.tlsCertificates.existingSecret.name -}} {{- else if (empty .Values.router.tlsCertificates.certificateValueBase64) -}} -{{/* - Preserved the original behaviour in case someone use the default secret name without explicitly define that parameter -*/}} {{- printf "%s-tls" (include "common.names.fullname" .) -}} {{- else -}} {{- printf "%s-tls-%s" (include "common.names.fullname" .) (.Values.router.tlsCertificates.certificateValueBase64 | sha256sum | substr 0 5) -}} @@ -960,11 +956,10 @@ TODO: We have to regenerate the secret if the private key changes {{/* Return the proper Carto TLS secret key for the TLS cert -FIXME: Deprecated in favor of router.tlsCertificates and gateway.tlsCertificates */}} -{{- define "carto.tlsCerts.secretCertKey" -}} -{{- if .Values.tlsCerts.existingSecret.name -}} -{{- .Values.tlsCerts.existingSecret.certKey -}} +{{- define "carto.router.tlsCertificates.secretCertKey" -}} +{{- if .Values.router.tlsCertificates.existingSecret.name -}} +{{- .Values.router.tlsCertificates.existingSecret.certKey -}} {{- else -}} {{- print "tls.crt" -}} {{- end -}} 
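Review bot: `carto.router.tlsCertificates.secretCertKey` in the @@ -960 hunk returns `.Values.router.tlsCertificates.existingSecret.certKey` verbatim whenever `existingSecret.name` is set, and values.yaml in this same commit defaults that key to `""` (the removed `tlsCerts` defaults were `tls.crt`/`tls.key`). A user who sets only the secret name therefore gets `ROUTER_SSL_CERTIFICATE_PATH: /usr/src/certs/` in router/configmap.yaml and a volumeMount with an empty `subPath` in router/deployment.yaml, so the router cannot find the certificate it is supposed to serve. Fall back to the conventional key name, `{{- .Values.router.tlsCertificates.existingSecret.certKey | default "tls.crt" -}}`, and do the same with `"tls.key"` in `secretKeyKey` in the @@ -972 hunk that follows. Alternatively restore the `tls.crt`/`tls.key` defaults in values.yaml; either way the helper and the documented default should agree.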
@@ -972,23 +967,15 @@ FIXME: Deprecated in favor of router.tlsCertificates and gateway.tlsCertificates {{/* Return the proper Carto TLS secret key for the TLS key -FIXME: Deprecated in favor of router.tlsCertificates and gateway.tlsCertificates */}} -{{- define "carto.tlsCerts.secretKeyKey" -}} -{{- if .Values.tlsCerts.existingSecret.name -}} -{{- .Values.tlsCerts.existingSecret.keyKey -}} +{{- define "carto.router.tlsCertificates.secretKeyKey" -}} +{{- if .Values.router.tlsCertificates.existingSecret.name -}} +{{- .Values.router.tlsCertificates.existingSecret.keyKey -}} {{- else -}} {{- print "tls.key" -}} {{- end -}} {{- end -}} -{{/* -Return the proper Carto Router TLS Secret name -*/}} -{{- define "carto.router.tlsCertificates.secretName" -}} -{{- printf "%s-tls-%s" (include "common.names.fullname" .) (.Values.router.tlsCertificates.certificateValueBase64 | sha256sum | substr 0 5) -}} -{{- end -}} - {{/* Return the proper Carto Gateway custom TLS Secret name */}} diff --git a/chart/templates/_validators.tpl b/chart/templates/_validators.tpl index 3bd42fd2..992824e5 100644 --- a/chart/templates/_validators.tpl +++ b/chart/templates/_validators.tpl @@ -1,5 +1,5 @@ -{{- define "carto.tlsCerts.duplicatedValueValidator" -}} - {{- if and (.Values.tlsCerts.existingSecret.name) (not (empty .Values.router.tlsCertificates.certificateValueBase64)) -}} - {{- fail "You cannot define both tlsCerts.existingSecret.name and router.tlsCertificates.certificateValueBase64" -}} +{{- define "carto.router.tlsCertificates.duplicatedValueValidator" -}} + {{- if and (.Values.router.tlsCertificates.existingSecret.name) (not (empty .Values.router.tlsCertificates.certificateValueBase64)) -}} + {{- fail "You cannot define both router.tlsCertificates.existingSecret.name and router.tlsCertificates.certificateValueBase64" -}} {{- end -}} {{- end -}} diff --git a/chart/templates/auto-tls-secret.yaml b/chart/templates/auto-tls-secret.yaml deleted file mode 100644 index 150b37e1..00000000 
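Review bot: `carto.router.tlsCertificates.duplicatedValueValidator` still only rejects the case where both `existingSecret.name` and `certificateValueBase64` are set; it does not cover the configuration this commit newly breaks, `router.httpsEnabled: true` with neither source set. In that case `secretName` falls into its `<fullname>-tls` branch, router/custom-tls-secret.yaml is skipped because its condition requires `certificateValueBase64`, and auto-tls-secret.yaml, which used to create that Secret, is deleted here, so router/deployment.yaml mounts a Secret that nothing renders and the router pod cannot start. Since the validator is included from `secretName`, which deployment.yaml only reaches under `router.httpsEnabled`, a second check there fails fast at template time instead: `{{- if and .Values.router.httpsEnabled (empty .Values.router.tlsCertificates.existingSecret.name) (empty .Values.router.tlsCertificates.certificateValueBase64) -}}` / `{{- fail "router.httpsEnabled requires router.tlsCertificates.existingSecret.name or router.tlsCertificates.certificateValueBase64" -}}` / `{{- end -}}`.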
--- a/chart/templates/auto-tls-secret.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.tlsCerts.autoGenerate }} -{{- $ca := genCA "carto-ca" 365 }} -{{- $cert := genSignedCert (include "carto.baseUrl" .) nil (list (include "carto.baseUrl" .)) 365 $ca }} -{{- $cert_chain := printf "%s\n\n%s" $cert.Cert $ca.Cert }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "carto.tlsCerts.secretName" . }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: kubernetes.io/tls -data: - {{ template "carto.tlsCerts.secretCertKey" . }}: {{ $cert_chain | b64enc | quote }} - {{ template "carto.tlsCerts.secretKeyKey" . }}: {{ $cert.Key | b64enc | quote }} -{{- end }} diff --git a/chart/templates/gateway/gateway-api.yaml b/chart/templates/gateway/gateway-api.yaml index 546fd032..1b0e7dca 100644 --- a/chart/templates/gateway/gateway-api.yaml +++ b/chart/templates/gateway/gateway-api.yaml @@ -55,7 +55,7 @@ spec: value: {{ .Values.gateway.path }} backendRefs: - name: {{ template "carto.router.fullname" . }} - {{- if .Values.tlsCerts.httpsEnabled }} + {{- if .Values.router.httpsEnabled }} port: {{ .Values.router.service.ports.https }} {{- else }} port: {{ .Values.router.service.ports.http }} diff --git a/chart/templates/router/ingress.yaml b/chart/templates/ingress.yaml similarity index 64% rename from chart/templates/router/ingress.yaml rename to chart/templates/ingress.yaml index de020374..d47add48 100644 --- a/chart/templates/router/ingress.yaml +++ b/chart/templates/ingress.yaml 
@@ -1,4 +1,4 @@
-{{- if .Values.router.ingress.enabled }}
+{{- if .Values.ingress.enabled }}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
@@ -9,31 +9,31 @@ metadata: {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} annotations: - {{- if .Values.router.ingress.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.router.ingress.annotations "context" $) | nindent 4 }} + {{- if .Values.ingress.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }} {{- end }} {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: - {{- if and .Values.router.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} - ingressClassName: {{ .Values.router.ingress.ingressClassName | quote }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} {{- end }} rules: {{- if .Values.appConfigValues.selfHostedDomain }} - host: {{ .Values.appConfigValues.selfHostedDomain }} http: paths: - - path: {{ .Values.router.ingress.path }} + - path: {{ .Values.ingress.path }} {{- if eq "true" (include "common.ingress.supportsPathType" .) }} - pathType: {{ .Values.router.ingress.pathType }} + pathType: {{ .Values.ingress.pathType }} {{- end }} backend: {{- include "common.ingress.backend" (dict "serviceName" (include "carto.router.fullname" .) "servicePort" "http" "context" $) | nindent 14 }} - {{- if .Values.router.ingress.extraPaths }} - {{- toYaml .Values.router.ingress.extraPaths | nindent 10 }} + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} {{- end }} {{- end }} - {{- range (coalesce .Values.router.ingress.extraHosts .Values.router.ingress.hosts) }} + {{- range (coalesce .Values.ingress.extraHosts .Values.ingress.hosts) }} - host: {{ .name | quote }} http: paths: 
@@ -43,18 +43,18 @@ spec: {{- end }} backend: {{- include "common.ingress.backend" (dict "serviceName" (include "carto.router.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} {{- end }} - {{- if .Values.router.ingress.extraRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.router.ingress.extraRules "context" $) | nindent 4 }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} {{- end }} - {{- if or .Values.router.ingress.tls .Values.router.ingress.extraTls }} + {{- if or .Values.ingress.tls .Values.ingress.extraTls }} tls: - {{- if .Values.router.ingress.tls }} + {{- if .Values.ingress.tls }} - hosts: - {{ .Values.appConfigValues.selfHostedDomain | quote }} - secretName: {{ .Values.tlsCerts.existingSecret.name }} + secretName: {{ .Values.ingress.existingSecret.name }} {{- end }} - {{- if .Values.router.ingress.extraTls }} - {{- include "common.tplvalues.render" (dict "value" .Values.router.ingress.extraTls "context" $) | nindent 4 }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} {{- end }} {{- end }} {{- end }} diff --git a/chart/templates/router/configmap.yaml b/chart/templates/router/configmap.yaml index 77d7b5a1..0f934472 100644 --- a/chart/templates/router/configmap.yaml +++ b/chart/templates/router/configmap.yaml 
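Review bot: The new `secretName: {{ .Values.ingress.existingSecret.name }}` reads a value this commit does not declare: values.yaml and the README both define `ingress.tlsCertificates.existingSecret.name`. With `ingress.tls: true` the rendered Ingress therefore either gets an empty secretName or Helm fails evaluating `.name` on a missing map, depending on how the values are merged; in both cases the TLS block points at no Secret. Change the line to `secretName: {{ .Values.ingress.tlsCertificates.existingSecret.name }}`. Note also that `ingress.tlsCertificates.existingSecret.certKey` and `keyKey` are declared and documented but nothing in the ingress.yaml hunks reads them (an Ingress TLS Secret uses the fixed `tls.crt`/`tls.key` keys), so either drop those two values or state in their comment that the Ingress does not use them.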
@@ -31,11 +31,11 @@ data: ROUTER_MAPS_API_INTERNAL_URL: {{ include "carto.mapsApi.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} # If required, is going to be generated by Helm and inyected as secret ROUTER_SSL_AUTOGENERATE: "0" - ROUTER_SSL_CERTIFICATE_KEY_PATH: /usr/src/certs/{{ template "carto.tlsCerts.secretKeyKey" . }} - ROUTER_SSL_CERTIFICATE_PATH: /usr/src/certs/{{ template "carto.tlsCerts.secretCertKey" . }} + ROUTER_SSL_CERTIFICATE_KEY_PATH: /usr/src/certs/{{ template "carto.router.tlsCertificates.secretKeyKey" . }} + ROUTER_SSL_CERTIFICATE_PATH: /usr/src/certs/{{ template "carto.router.tlsCertificates.secretCertKey" . }} ROUTER_WORKSPACE_API_INTERNAL_URL: {{ include "carto.workspaceApi.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} ROUTER_WORKSPACE_WWW_INTERNAL_URL: {{ include "carto.workspaceWww.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} - ROUTER_ENABLE_HTTPS: {{ .Values.tlsCerts.httpsEnabled | quote }} + ROUTER_ENABLE_HTTPS: {{ .Values.router.httpsEnabled | quote }} ROUTER_METRICS_PUBSUB_PROJECT_ID: {{ .Values.cartoConfigValues.selfHostedGcpProjectId | quote }} ROUTER_METRICS_PUBSUB_TOPIC: "data-updates" ROUTER_METRICS_HOST: "localhost" diff --git a/chart/templates/router/custom-tls-secret.yaml b/chart/templates/router/custom-tls-secret.yaml index c1fa1f48..bcaa6b51 100644 --- a/chart/templates/router/custom-tls-secret.yaml +++ b/chart/templates/router/custom-tls-secret.yaml 
@@ -1,8 +1,8 @@ -{{- if (and .Values.tlsCerts.httpsEnabled (not (empty .Values.router.tlsCertificates.certificateValueBase64))) }} +{{- if (and .Values.router.httpsEnabled (not (empty .Values.router.tlsCertificates.certificateValueBase64))) }} apiVersion: v1 kind: Secret metadata: - name: {{ include "carto.tlsCerts.secretName" . }} + name: {{ include "carto.router.tlsCertificates.secretName" . }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} @@ -12,6 +12,6 @@ metadata: {{- end }} type: kubernetes.io/tls data: - {{ template "carto.tlsCerts.secretCertKey" . }}: {{ .Values.router.tlsCertificates.certificateValueBase64 | nindent 4 }} - {{ template "carto.tlsCerts.secretKeyKey" . }}: {{ .Values.router.tlsCertificates.privateKeyValueBase64 | nindent 4 }} + {{ template "carto.router.tlsCertificates.secretCertKey" . }}: {{ .Values.router.tlsCertificates.certificateValueBase64 | nindent 4 }} + {{ template "carto.router.tlsCertificates.secretKeyKey" . }}: {{ .Values.router.tlsCertificates.privateKeyValueBase64 | nindent 4 }} {{- end }} diff --git a/chart/templates/router/deployment.yaml b/chart/templates/router/deployment.yaml index 11a863d7..6f976330 100644 --- a/chart/templates/router/deployment.yaml +++ b/chart/templates/router/deployment.yaml 
@@ -147,13 +147,13 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.router.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: - {{- if .Values.tlsCerts.httpsEnabled }} + {{- if .Values.router.httpsEnabled }} - name: tls-secret - mountPath: /usr/src/certs/{{ template "carto.tlsCerts.secretCertKey" . }} - subPath: {{ template "carto.tlsCerts.secretCertKey" . }} + mountPath: /usr/src/certs/{{ template "carto.router.tlsCertificates.secretCertKey" . }} + subPath: {{ template "carto.router.tlsCertificates.secretCertKey" . }} - name: tls-secret - mountPath: /usr/src/certs/{{ template "carto.tlsCerts.secretKeyKey" . }} - subPath: {{ template "carto.tlsCerts.secretKeyKey" . }} + mountPath: /usr/src/certs/{{ template "carto.router.tlsCertificates.secretKeyKey" . }} + subPath: {{ template "carto.router.tlsCertificates.secretKeyKey" . }} {{- end }} {{- if .Values.router.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.router.extraVolumeMounts "context" $) | nindent 12 }} @@ -240,10 +240,10 @@ spec: {{- include "common.tplvalues.render" ( dict "value" .Values.router.sidecars "context" $) | nindent 8 }} {{- end }} volumes: - {{- if .Values.tlsCerts.httpsEnabled }} + {{- if .Values.router.httpsEnabled }} - name: tls-secret secret: - secretName: {{ include "carto.tlsCerts.secretName" . }} + secretName: {{ include "carto.router.tlsCertificates.secretName" . }} {{- end }} - name: gcp-default-service-account-key secret: diff --git a/chart/values.yaml b/chart/values.yaml index 03226f0d..6c0af670 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -349,23 +349,6 @@ cartoSecrets: name: "" key: "" -## FIXME: Deprecated in favor of router.tlsCertificates and ingress.tlsCertificates -## @section TLS parameters -## Global TLS parameters -## @param tlsCerts.httpsEnabled Enable https on the router component. CARTO only works with `HTTPS`, if you disable this protocol here you should configure it in a higher layer like a Load Balancer -## @param tlsCerts.autoGenerate Generate self-signed TLS certificates -## @param tlsCerts.existingSecret.name Name of a secret containing the certificate -## @param tlsCerts.existingSecret.certKey Key of the certificate inside the secret -## @param tlsCerts.existingSecret.keyKey Key of the certificate key inside the secret -## -tlsCerts: - httpsEnabled: true - autoGenerate: true - existingSecret: - name: "" - keyKey: "tls.key" - certKey: "tls.crt" - ## @section common backend service account ## Service Account to be specified for the client to be used in common backend deployments commonBackendServiceAccount: @@ -2340,13 +2323,22 @@ router: proxy_buffer_size: "8k" proxy_busy_buffers_size: "8k" client_max_body_size: "10M" + ## @param router.httpsEnabled Terminate or not TLS inside Carto router + httpsEnabled: false ## TLS Certificates ## @param router.tlsCertificates.certificateValueBase64 certificate in base64 ## @param router.tlsCertificates.privateKeyValueBase64 private key in base64 + ## @param router.tlsCertificates.existingSecret.name existing secret name ref + ## @param router.tlsCertificates.existingSecret.certKey secret certificate ref + ## @param router.tlsCertificates.existingSecret.keyKey secret key ref ## tlsCertificates: certificateValueBase64: "" privateKeyValueBase64: "" + existingSecret: + name: "" + certKey: "" + keyKey: "" ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod 
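Review bot: The new `## @param router.httpsEnabled` comment in the @@ -2340 hunk drops the caveat the removed `tlsCerts.httpsEnabled` parameter carried, while the default flips from `true` to `false` and the self-signed `tlsCerts.autoGenerate` path is removed in the same commit, so an upgrade that keeps old values quietly moves TLS termination out of the router without telling the operator where it now has to happen. I would restore the caveat: `## @param router.httpsEnabled Terminate TLS inside the Carto router. CARTO only works over HTTPS, so when this is false TLS must be terminated in a higher layer (ingress, gateway or load balancer). Replaces tlsCerts.httpsEnabled, whose default was true`. The three new `existingSecret` params are described only as "ref"; say what they are (the name of an existing kubernetes.io/tls Secret and the keys inside it holding the certificate and the private key) and consider keeping the previous defaults `certKey: "tls.crt"` and `keyKey: "tls.key"`, since the helpers in this commit return these values verbatim when a secret name is given.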
@@ -2567,83 +2559,6 @@ router: ## @param router.service.extraPorts Extra ports to expose in router service (normally used with the `sidecars` value) ## extraPorts: [] - ## FIXME: Deprecated in favor of ingress instead of router.ingress - ## Configure the ingress resource that allows you to access the - ## Carto installation. Set up the URL - ## ref: https://kubernetes.io/docs/user-guide/ingress/ - ## - ingress: - ## @param router.ingress.enabled Enable ingress controller resource - ## - enabled: false - - ## @param router.ingress.pathType Ingress Path type - ## - pathType: ImplementationSpecific - ## @param router.ingress.apiVersion Override API Version (automatically detected if not set) - ## - apiVersion: "" - ## @param router.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param router.ingress.path The Path to CARTO. You may need to set this to '/*' in order to use this - ## with ALB ingress controllers. - ## - path: /* - ## @param router.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
- ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param router.ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it - ## - tls: false - ## @param router.ingress.extraHosts The list of additional hostnames to be covered with this ingress record. - ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array - ## extraHosts: - ## - name: example.local - ## path: / - extraHosts: [] - ## @param router.ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - extraPaths: [] - ## @param router.ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - example.local - ## secretName: example.local-tls - extraTls: [] - ## @param router.ingress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: example.local - ## http: - ## path: / - ## backend: - ## service: - ## name: example-svc - ## port: - ## name: http - ## - extraRules: [] ## @section router ServiceAccount configuration ## serviceAccount: 
@@ -2658,6 +2573,91 @@ router:
 ## automountServiceAccountToken: false
+## Configure the ingress resource that allows you to access the
+## Carto installation. Set up the URL
+## ref: https://kubernetes.io/docs/user-guide/ingress/
+##
+ingress:
+ ## @param ingress.enabled Enable ingress controller resource
+ ##
+ enabled: false
+ ## @param ingress.pathType Ingress Path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param ingress.apiVersion Override API Version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param ingress.path The Path to CARTO. You may need to set this to '/*' in order to use this
+ ## with ALB ingress controllers.
+ ##
+ path: /*
+ ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## For a full list of possible ingress annotations, please see
+ ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ##
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: {}
+ ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
+ ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
+ ##
+ tls: false
+ ## @param ingress.tlsCertificates.existingSecret.name existing secret name ref
+ ## @param ingress.tlsCertificates.existingSecret.certKey secret certificate ref
+ ## @param ingress.tlsCertificates.existingSecret.keyKey secret key ref
+ ##
+ tlsCertificates:
+ existingSecret:
+ name: ""
+ certKey: ""
+ keyKey: ""
+ ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
+ ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
+ ## extraHosts:
+ ## - name: example.local
+ ## path: /
+ extraHosts: []
+ ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ extraPaths: []
+ ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## extraTls:
+ ## - hosts:
+ ## - example.local
+ ## secretName: example.local-tls
+ extraTls: []
+ ## @param ingress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: example.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: example-svc
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+
 ## @section httpCache Deployment Parameters
 ##
 httpCache:
@@ -5060,10 +5060,12 @@ gateway:
 enabled: false
 certificateValueBase64: ""
 privateKeyValueBase64: ""
- ## @param gateway.tlsCertificates.managedCerts.enabled enable if managed certs creation is required.
+ ## @param gateway.tlsCertificates.managedCerts.enabled enable to use a managed cert
+ ## @param gateway.tlsCertificates.managedCerts.name managed certificate name
 ##
 managedCerts:
 enabled: false
+ name: ""
 ## @param gateway.apiVersion Kubernetes Gateway API Version.
 ##
 apiVersion: ""
@@ -5095,5 +5097,11 @@ gateway:
 ## Use NamedAddress to pass the Static IP name value
 address:
 type: NamedAddress
+ # Static IP
+ ## @param gateway.staticIP.enabled Assign a Static IP to the Gateway-api
+ ## @param gateway.staticIP.value Static IP name
+ staticIP:
+ enabled: false
+ value: ""
 ## @param gateway.annotations Additional annotations for the gateway resource.
 annotations: {}
diff --git a/manifests/kots-helm.yaml b/manifests/kots-helm.yaml
index 23e9a57b..2febb013 100644
--- a/manifests/kots-helm.yaml
+++ b/manifests/kots-helm.yaml
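Review bot: `ingress.tlsCertificates.existingSecret.certKey` and `keyKey` are introduced with `""` defaults, so a user who only fills in `existingSecret.name` gives the chart no key names to read the certificate and private key from; a `kubernetes.io/tls` Secret stores them under `tls.crt` and `tls.key`, which would be the natural defaults here. The three new `@param` descriptions ("existing secret name ref", "secret certificate ref", "secret key ref") also do not say what the values are, and I would expand them along the lines of `## @param ingress.tlsCertificates.existingSecret.name Name of an existing Secret holding the TLS certificate for the ingress hostname` and `## @param ingress.tlsCertificates.existingSecret.certKey Key inside that Secret holding the PEM certificate`. The `ingress.tls` comment kept just above still states that the certificate is read from a Secret named `<hostname>-tls`, which now conflicts with the `existingSecret` block — the comment should say which of the two sources wins when both are set. Since this whole block is moved from `router.ingress.*` (the lines removed earlier in this diff) with no deprecation note, a user who keeps `router.ingress.enabled: true` in their values would presumably lose their ingress silently; a one-line `## NOTE: router.ingress.* has moved to ingress.*` in this block would make the migration visible.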
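Review bot: `gateway.tlsCertificates.managedCerts.name` is added with an empty default beside `enabled: false`, but the new `@param` text does not say whether the name is required once `enabled` is true or what happens when it is left empty; I would write `## @param gateway.tlsCertificates.managedCerts.name Name of the managed certificate to attach (required when managedCerts.enabled is true)`. In the second gateway hunk (`@@ -5095`) the added `# Static IP` line uses a single `#` where the surrounding file uses `##` for commentary, and `gateway.staticIP.value` is described only as "Static IP name" while the `address` block next to it uses `type: NamedAddress` — if the intent is that `value` names a reserved address resource rather than holding a literal IP, stating that explicitly in the `@param` line would prevent misconfiguration.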
@@ -108,13 +108,11 @@ spec:
 annotations:
 iam.gke.io/gcp-service-account: '{{repl ConfigOption "googleWorkloadIdentityEmail" }}'
- ## TLS Certs
- # FIXME: Deprecated in favor of router.tlsCertificates and gateway.tlsCertificates
- # Disable legacy tlsCerts
- tlsCerts:
+ # Router
+ router:
 httpsEnabled: repl{{ if ConfigOptionEquals "cartoRouterHTTPSEnabled" "true"}}truerepl{{ else }}falserepl{{ end }}
- autoGenerate: false
+ # api-gateway
 gateway:
 enabled: repl{{ if ConfigOptionEquals "kubernetesGatewayEnabled" "true"}}truerepl{{ else }}falserepl{{ end }}
 gatewayClassName: '{{repl fromJson (ConfigOption "loadBalancerSupportedKind") | dig "gatewayClassName" "" }}'
@@ -242,7 +240,7 @@ spec:
 ## Terminate TLS at router
 ## Access to Carto
 # Router
- - when: '{{repl ConfigOptionEquals "customRouterSSLCerts" "true" }}'
+ - when: '{{repl and (ConfigOptionEquals "cartoRouterHTTPSEnabled" "true") (ConfigOptionEquals "customRouterSSLCerts" "true") }}'
 recursiveMerge: true
 values:
 router:
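Review bot: The new `when` condition in the `@@ -242` hunk merges the custom router certificates only when both `cartoRouterHTTPSEnabled` and `customRouterSSLCerts` are true, while the `@@ -108` hunk sets `router.httpsEnabled` from `cartoRouterHTTPSEnabled` alone and drops the old `autoGenerate: false` line, so a user who turns on router HTTPS without supplying custom certificates ends up with TLS termination enabled and no certificate source visible in this manifest. Unless a block outside these hunks covers that combination, the KOTS config should either require `customRouterSSLCerts` whenever `cartoRouterHTTPSEnabled` is on or the manifest should say where the router's certificate comes from in that case. I would add a comment above the `when` line stating that custom certificates are only merged when the router terminates TLS and naming the fallback used when HTTPS is enabled without them.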