Skip to content

Comments

Default tls#2

Open
rauerhans wants to merge 2 commits intomainfrom
default-tls
Open

Default tls#2
rauerhans wants to merge 2 commits intomainfrom
default-tls

Conversation

@rauerhans
Copy link
Collaborator

@rauerhans rauerhans commented May 16, 2023

for your consideration @davidspek

@rauerhans
Copy link
Collaborator Author

rauerhans commented May 16, 2023
edited
Loading

This feature allows the yatai-deployment controller to add TLS config to the ingress of a Bento deployment through added parameters to the network ConfigMap.

Previously this was only possible by adding the ingress tls secret to the BentoDeployment CRD, which limited the usability of the UI.
(Cert-manager annotations could be added through the network ConfigMap, but the secret had to be set manually in the CRD.)

Changes

  • Add ingress-tls-mode field to network ConfigMap
  • Add ingress-static-tls-secret field to network ConfigMap
  • Implement controller logic to add TLS to ingress depending which on ingress-tls-mode field

Setup can be validated using this image rauerhans/yatai-deployment:1.1.12
in the yatai-deployment deployment and playing by adding the new fields to the network ConfigMap.

Functionality

Depending on the new ingress-tls-mode field in the network ConfigMap, the controller will add the TLS config (hosts is reused, secretName is inferred, based on setting) to the ingress of the Bento deployment.

  • If the mode is set to none, the controller will not add any TLS config to the ingress, as previously.
  • If the mode is set to static, the controller will reference to a wildcard certificate to the ingress of the Bento deployment.
  • If the mode is set to auto, reuse the name of the BentoDeployment CRD for the name of the TLS secret. This is useful in a scenario where the user wants to use cert-manager to generate a certificate for the ingress of the Bento deployment, so in addition you would have the appropriate annotations in the network ConfigMap, see below.

Mode: None

As previously, only way to add TLS is through the field in the deployment CRD.

Mode: Static

The controller will create a wildcard certificate for each deployment.

  • Network Configmap for mode "static"
apiVersion: v1
kind: ConfigMap
metadata:
  name: network
  namespace: yatai
data:
  domain-suffix: yatai.dev.plural.sh
  ingress-annotations: ""
  ingress-class: nginx
  ingress-path: /
  ingress-path-type: ImplementationSpecific
  ingress-static-tls-secret: yatai-deployment-static-tls
  ingress-tls-mode: static
  • One wildcard certificate. Needs to be created manually.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: yatai-deployment-static-tls
  namespace: yatai
spec:
  dnsNames:
    - '*.yatai.dev.plural.sh'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: yatai-deployment-static-tls
  usages:
    - digital signature
    - key encipherment
  • results in one secret to be used by all deployments
apiVersion: v1
kind: Secret
metadata:
  name: yatai-deployment-static-tls
  namespace: yatai
  labels:
    controller.cert-manager.io/fao: 'true'
type: kubernetes.io/tls
data:
  tls.crt: xxx
  tls.key: xxx
  • ingress of deployment A created by yatai-deployment controller
kind: Ingress
metadata:
  name: dep-a
  namespace: yatai
  labels:
    yatai.ai/bento-deployment: dep-a
    yatai.ai/bento-deployment-component-type: api-server
    yatai.ai/bento-deployment-target-type: production
    yatai.ai/bento-repository: iris_classifier_pydantic_test
    yatai.ai/bento-version: zavubixtgkiqotwt
    yatai.ai/creator: yatai-deployment
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: 'true'
    yatai.ai/bento-repository: iris_classifier_pydantic_test
    yatai.ai/bento-version: zavubixtgkiqotwt
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dep-a-yatai.yatai.dev.plural.sh
      secretName: yatai-deployment-static-tls
  rules:
    - host: dep-a-yatai.yatai.dev.plural.sh
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: dep-a
                port:
                  name: http
  • ingress deployment B
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dep-b
  namespace: yatai
  labels:
    yatai.ai/bento-deployment: dep-b
    yatai.ai/bento-deployment-component-type: api-server
    yatai.ai/bento-deployment-target-type: production
    yatai.ai/bento-repository: iris_classifier_pydantic_test
    yatai.ai/bento-version: f26pbxhtfczdgtwt
    yatai.ai/creator: yatai-deployment
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: 'true'
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
    yatai.ai/bento-repository: iris_classifier_pydantic_test
    yatai.ai/bento-version: f26pbxhtfczdgtwt
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dep-b-yatai.yatai.dev.plural.sh
      secretName: yatai-deployment-static-tls
  rules:
    - host: dep-b-yatai.yatai.dev.plural.sh
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: iris-classifier-pydantic-test
                port:
                  name: http

Mode: Auto

Use default annotations to add TLS to ingress through cert-manager.
Results in a concrete TLS secret for each Bento deployment.

  • Network Configmap for mode "auto"
apiVersion: v1
kind: ConfigMap
metadata:
  name: network
  namespace: yatai
data:
  domain-suffix: yatai.dev.plural.sh
  ingress-annotations: >-
    {"cert-manager.io/cluster-issuer":"letsencrypt-prod","kubernetes.io/tls-acme":"true"}
  ingress-class: nginx
  ingress-path: /
  ingress-path-type: ImplementationSpecific
  ingress-static-tls-secret: ""
  ingress-tls-mode: auto

@rauerhans rauerhans marked this pull request as ready for review May 16, 2023 17:40
@davidspek davidspek force-pushed the default-tls branch 3 times, most recently from 3051336 to bd452ba Compare June 22, 2023 08:16
@rauerhans @davidspek
add default tls option logic to controller
85b0485 
add ingress tls options to configmap

refactor, allow auto vs static modes

adapt helm chart to changes

renamt to secret name

add validations

fix helm validation

parametrize tls mode in quick installation script

test installation with ingress

validate ingress/tls behaviour

add ingress test action

default installtion tls mode should be none

use my image

make kind ingress compatible

need an example where ingress is enabled

polish test code

rename example with ingress

fix template condition

commit before we delete it

delete env vars for local testing

make sure configmap is refreshed

add gh action for all three modes

for 1-26 we need the kind cluster config too

fix lynt issues

fix lint

Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
@davidspek
fix: make script executable
93dd418 
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rauerhans @davidspek