Latest tools version

tools/kubernetes/cells/Chart.lock

@@ -1,24 +1,30 @@
 dependencies:
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 10.5.1
+  version: 11.4.4
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 17.3.1
+  version: 17.6.0
 - name: nats
   repository: https://charts.bitnami.com/bitnami
-  version: 7.4.8
+  version: 7.5.6
 - name: mongodb
   repository: https://charts.bitnami.com/bitnami
-  version: 13.1.7
+  version: 13.6.6
 - name: etcd
   repository: https://charts.bitnami.com/bitnami
-  version: 8.5.5
+  version: 8.7.3
 - name: minio
   repository: https://charts.bitnami.com/bitnami
-  version: 11.10.3
+  version: 12.1.1
+- name: ingress-nginx
+  repository: https://kubernetes.github.io/ingress-nginx
+  version: 4.4.2
 - name: vault
   repository: https://helm.releases.hashicorp.com
-  version: 0.22.0
-digest: sha256:fe5c7badfbb4a366bc23ed0d9decd5b304df92ffeaf6740e8c02dc30e7fdf23a
-generated: "2022-10-05T04:58:47.229238003Z"
+  version: 0.23.0
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.11.0
+digest: sha256:1c59dc5310ef6e57a3bb917f4176dbb6c03453c7098e8d75925e4ee6aed22384
+generated: "2023-01-30T15:24:34.721289+01:00"

tools/kubernetes/cells/Chart.yaml

@@ -48,7 +48,7 @@ dependencies:
   - name: mariadb
     condition: mariadb.enabled
     repository: https://charts.bitnami.com/bitnami
-    version: 10.x.x
+    version: x.x.x
   - name: redis
     condition: redis.enabled
     repository: https://charts.bitnami.com/bitnami
@@ -69,7 +69,16 @@ dependencies:
     condition: minio.enabled
     repository: https://charts.bitnami.com/bitnami
     version: x.x.x
+  - name: ingress-nginx
+    condition: ingress.enabled
+    repository: https://kubernetes.github.io/ingress-nginx
+    version: x.x.x
   - name: vault  
     condition: vault.enabled
     repository: https://helm.releases.hashicorp.com
     version: x.x.x
+  - name: cert-manager
+    condition: tls.enabled
+    repository: https://charts.jetstack.io
+    version: x.x.x
+

tools/kubernetes/cells/templates/NOTES.txt

@@ -1,40 +1,12 @@
 CHART NAME: {{ .Chart.Name }}
-
-To upgrade, retrieve the different password from the different dependencies enabled
-{{- if .Values.mariadb.enabled }}
-export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.mariadbName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 -d)
-{{- end }}
-{{- if .Values.minio.enabled }}
-export MINIO_ROOT_USER=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.minioName" . }} -o jsonpath="{.data.root-user}" | base64 -d)
-export MINIO_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.minioName" . }} -o jsonpath="{.data.root-password}" | base64 -d)
-{{- end }}
-{{- if.Values.etcd.enabled }}
-{{- if or .Values.etcd.auth.rbac.create .Values.etcd.auth.rbac.enabled }}
-export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.etcdName" . }} -o jsonpath="{.data.etcd-root-password}" | base64 -d)
-{{- end }}
-{{- end }}
-{{- if and .Values.nats.enabled .Values.nats.auth.enabled }}
-export NATS_USER=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.natsName" . }} -o jsonpath='{.data.*}' | base64 -d | grep -m 1 user | awk '{print $2}' | tr -d '"')
-export NATS_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.natsName" . }} -o jsonpath='{.data.*}' | base64 -d | grep -m 1 password | awk '{print $2}' | tr -d '"')
-{{- end }}
-{{- if .Values.redis.enabled }}
-export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.redisName" . }} -o jsonpath="{.data.redis-password}" | base64 -d)
-{{- end }}
-{{- if and .Values.mongodb.enabled .Values.mongodb.auth.enabled }}
-export MONGODB_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "cells.mongodbName" . }} -o jsonpath="{.data.mongodb-root-password}" | base64 -d)
-{{- end }}
-
-And pass them to the upgrade command
-
-helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }}
-{{- if .Values.mariadb.enabled }} --set mariadb.auth.password=$MARIADB_ROOT_PASSWORD{{- end }}
-{{- if .Values.minio.enabled }} --set minio.auth.rootUser=$MINIO_ROOT_USER{{- end }}
-{{- if .Values.minio.enabled }} --set minio.auth.rootPassword=$MINIO_ROOT_PASSWORD{{- end }}
-{{- if .Values.etcd.enabled }}{{- if or .Values.etcd.auth.rbac.create .Values.etcd.auth.rbac.enabled }} --set etcd.rbac.rootPassword=$ETCD_PASSWORD{{- end }}{{- end }}
-{{- if and .Values.nats.enabled .Values.nats.auth.enabled }} --set nats.auth.user=$NATS_USER{{- end }}
-{{- if and .Values.nats.enabled .Values.nats.auth.enabled }} --set nats.auth.password=$NATS_PASS{{- end }}
-{{- if .Values.redis.enabled }} --set redis.auth.password=$REDIS_PASSWORD{{- end }}
-{{- if .Values.mongodb.enabled }} --set mongodb.auth.rootPassword=$MONGODB_ROOT_PASSWORD{{- end }}
+                  _ _                  _ _
+                 | (_)                | | |
+  _ __  _   _  __| |_  ___     ___ ___| | |___
+ | '_ \| | | |/ _` | |/ _ \   / __/ _ \ | / __|
+ | |_) | |_| | (_| | | (_) | | (_|  __/ | \__ \
+ | .__/ \__, |\__,_|_|\___/   \___\___|_|_|___/
+ | |     __/ |
+ |_|    |___/
 
 {{- if .Values.ingress.enabled }}
 
@@ -51,6 +23,16 @@ Get the application URL by running these commands:
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
 
+If you're not on the same network as your kubernetes cluster, run a port-forward from your local machine with your cluster configuration:
+
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cells.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+
+And access your URL there:
+
+  echo "http://127.0.0.1:8080"
+
 {{- else if contains "LoadBalancer" .Values.service.type }}
 
 Get the application URL by running these commands:

tools/kubernetes/cells/templates/_helpers.tpl

@@ -5,6 +5,10 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{- define "cells.serviceDomain" }}
+{{- printf "%s.svc.%s" .Release.Namespace .Values.clusterDomain }}
+{{- end }}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -73,15 +77,28 @@ ETCD HOST
 {{- end }}
 
 {{- define "cells.etcdHost" -}}
-{{- printf "%s-etcd.%s.svc.cluster.local" .Release.Name .Release.Namespace }}
+{{- printf "%s-etcd.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain }}
 {{- end }}
 
 {{- define "cells.etcdPort" -}}
 {{ .Values.etcd.service.ports.client | toString }}
 {{- end }}
 
 {{- define "cells.etcdURL" -}}
-{{- printf "etcd://%s:%s" (include "cells.etcdHost" .) (include "cells.etcdPort" .) }}
+{{- $path := index . 1 }}
+{{- with index . 0 }}
+{{- $user := "" }}
+{{- if .Values.etcd.auth.rbac.create }}
+{{- $user = "root:$(ETCD_ROOT_PASSWORD)@" }}
+{{- end }}
+{{- $tls := "" }}
+{{- $tlsParams := "" }}
+{{- if .Values.etcd.auth.client.secureTransport }}
+{{- $tls = "+tls" }}
+{{- $tlsParams = print "?tlsCertUUID=" .Values.etcd.auth.client.certFilename  "&tlsCertKeyUUID=" .Values.etcd.auth.client.certKeyFilename "&tlsCertCAUUID=" .Values.etcd.auth.client.caFilename }}
+{{- end }}
+{{- printf "etcd%s://%s%s:%s%s%s" $tls $user (include "cells.etcdHost" .) (include "cells.etcdPort" .) $path $tlsParams }}
+{{- end }}
 {{- end }}
 
 {{/*
@@ -92,7 +109,11 @@ NATS HOST
 {{- end }}
 
 {{- define "cells.natsHost" -}}
-{{- printf "%s-nats.%s.svc.cluster.local" .Release.Name .Release.Namespace }}
+{{- printf "%s-nats.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain }}
+{{- end }}
+
+{{- define "cells.natsPassword" -}}
+{{- printf "%s" (include "nats.randomPassword" .) }}
 {{- end }}
 
 {{- define "cells.natsPort" -}}
@@ -111,16 +132,20 @@ REDIS HOST
 {{- end }}
 
 {{- define "cells.redisHost" -}}
-{{- printf "%s-redis-master.%s.svc.cluster.local" .Release.Name .Release.Namespace }}
+{{- printf "%s-redis-master.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain }}
 {{- end }}
 
 {{- define "cells.redisPort" -}}
 {{ .Values.redis.master.service.ports.redis | toString }}
 {{- end }}
 
 {{- define "cells.redisURL" -}}
+{{- if .Values.redis.auth.enabled }}
+{{- printf "redis://root:$(REDIS_PASSWORD)@%s:%s" (include "cells.redisHost" .) (include "cells.redisPort" .) }}
+{{- else }}
 {{- printf "redis://%s:%s" (include "cells.redisHost" .) (include "cells.redisPort" .) }}
 {{- end }}
+{{- end }}
 
 {{/*
 VAULT HOST
@@ -130,7 +155,7 @@ VAULT HOST
 {{- end }}
 
 {{- define "cells.vaultHost" -}}
-{{- printf "%s-vault.%s.svc.cluster.local" .Release.Name .Release.Namespace }}
+{{- printf "%s-vault.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain }}
 {{- end }}
 
 {{- define "cells.vaultPort" -}}
@@ -141,6 +166,12 @@ VAULT HOST
 {{- printf "vault://%s:%s" (include "cells.vaultHost" .) (include "cells.vaultPort" .) }}
 {{- end }}
 
+{{- define "cells.httpVaultURL" -}}
+{{- printf "http://%s:%s" (include "cells.vaultHost" .) (include "cells.vaultPort" .) }}
+{{- end }}
+
+
+
 {{/*
 MARIADB HOST
 */}}
@@ -149,7 +180,7 @@ MARIADB HOST
 {{- end }}
 
 {{- define "cells.mariadbHost" -}}
-{{- printf "%s-mariadb.%s.svc.cluster.local" .Release.Name .Release.Namespace }}
+{{- printf "%s-mariadb.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain }}
 {{- end }}
 
 {{- define "cells.mariadbPort" -}}
@@ -168,7 +199,7 @@ MONGODB HOST
 {{- end }}
 
 {{- define "cells.mongodbHost" -}}
-{{- printf "%s-mongodb.%s.svc.cluster.local" .Release.Name .Release.Namespace }}
+{{- printf "%s-mongodb.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain }}
 {{- end }}
 
 {{- define "cells.mongodbPort" -}}
@@ -179,7 +210,6 @@ MONGODB HOST
 {{- printf "mongodb://%s:%s" (include "cells.mongodbHost" .) (include "cells.mongodbPort" .) }}
 {{- end }}
 
-
 {{/*
 MINIO HOST
 */}}
@@ -188,7 +218,7 @@ MINIO HOST
 {{- end }}
 
 {{- define "cells.minioHost" -}}
-{{- printf "%s-minio.%s.svc.cluster.local" .Release.Name .Release.Namespace }}
+{{- printf "%s-minio.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain }}
 {{- end }}
 
 {{- define "cells.minioPort" -}}

tools/kubernetes/cells/templates/clusterissuer.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ default "letsencrypt" (index .Values.ingress.annotations "cert-manager.io/cluster-issuer") }}
+spec:
+  acme:
+    server: {{ default "" .Values.ingress.clusterissuer.server }}
+    email: {{ default "" .Values.ingress.clusterissuer.email }}
+    privateKeySecretRef:
+      name: {{ default "letsencrypt" (index .Values.ingress.annotations "cert-manager.io/cluster-issuer") }}
+    solvers:
+      - http01:
+          ingress:
+            class: {{  default "nginx" (index .Values.ingress.annotations "kubernetes.io/ingress.class") }} } }
+{{- end }}

tools/kubernetes/cells/templates/configmap.yaml

@@ -73,7 +73,26 @@ data:
     vault login -no-print ${root?}
 
     vault secrets enable -version=2 -path=secret kv
-    vault secrets enable -version=2 -path=caddycerts kv
+    # vault secrets enable -version=2 -path=caddycerts kv
+    vault secrets enable pki
+    
+    vault write pki/root/generate/internal \
+      common_name={{ include "cells.serviceDomain" . }} \
+      ttl=8760h
+    
+    vault write pki/config/urls \
+      issuing_certificates="{{ include "cells.vaultURL" . }}/v1/pki/ca" \
+      crl_distribution_points="{{ include "cells.vaultURL" . }}/v1/pki/crl"
+    
+    vault secrets tune -max-lease-ttl=8760h pki
+    
+    vault write pki/roles/application \
+      allowed_domains=*.{{ include "cells.serviceDomain" . }} \
+      allow_any_name=true \
+      allow_subdomains=true \
+      max_ttl=72h
+    
+    vault policy write pki /vault/userconfig/cells-vault/pki-policy.hcl
 
     vault auth enable kubernetes
 
@@ -86,7 +105,7 @@ data:
     vault write auth/kubernetes/role/app \
        bound_service_account_names=app \
        bound_service_account_namespaces=cells \
-       policies=app \
+       policies=app,pki \
        ttl=24h
 
     vault token create -policy=app
@@ -104,3 +123,11 @@ data:
     path "caddycerts/*" {
         capabilities = ["create", "update", "read", "delete"]
     }
+    path "pki*" {
+        capabilities = ["create", "update", "read", "delete"]
+    }
+
+  pki-policy.hcl: |
+    path "pki*"                    { capabilities = ["read", "list"] } 
+    path "pki/sign/application"    { capabilities = ["create", "update"] }
+    path "pki/issue/application"   { capabilities = ["create"] }