[Feature] Add TCP Ingress Chart (#564)

ajanikow · web-flow · commit c936ec168d3a · 2020-05-18T10:37:10.000+02:00
diff --git a/chart/arangodb-ingress-proxy/Chart.yaml b/chart/arangodb-ingress-proxy/Chart.yaml
@@ -0,0 +1,4 @@
+description: ArangoDB Ingress Proxy
+name: arangodb-ingress-proxy
+tillerVersion: '>2.7'
+version: 1.0.0
diff --git a/chart/arangodb-ingress-proxy/LICENSE b/chart/arangodb-ingress-proxy/LICENSE
@@ -0,0 +1,15 @@
+Copyright 2020 ArangoDB GmbH, Cologne, Germany
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright holder is ArangoDB GmbH, Cologne, Germany
diff --git a/chart/arangodb-ingress-proxy/README.md b/chart/arangodb-ingress-proxy/README.md
@@ -0,0 +1,20 @@
+# Introduction
+
+Kubernetes ArangoDB Ingress for custom certificates.
+
+ArangoDB supports more than only HTTP protocol, so simple Ingress is not enough.
+
+## Before
+
+Before Ingress proxy will be installed certificate secret needs to be created:
+
+```
+kubectl -n <deployment namespace> create secret tls <secret name> --cert <path to cert> --key <path to key>
+```
+
+## Installation
+
+To install Ingress:
+```
+helm install --name <my ingress name> --namespace <deployment namespace> <path to kube-arangodb repository>/chart/arangodb-ingress-proxy --set replicas=2 --set tls=TLS Secret name> --set deployment=<ArangoDeployment name>
+```
diff --git a/chart/arangodb-ingress-proxy/templates/NOTES.txt b/chart/arangodb-ingress-proxy/templates/NOTES.txt
@@ -0,0 +1,3 @@
+Your LB is ready!
+
+Get LoadBalancer IP using `kubectl --namespace "{{ .Release.Namespace }}" get svc "{{ template "arangodb-ingress-proxy.name" . }}" -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
diff --git a/chart/arangodb-ingress-proxy/templates/_helpers.tpl b/chart/arangodb-ingress-proxy/templates/_helpers.tpl
@@ -0,0 +1,15 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "arangodb-ingress-proxy.name" -}}
+{{- printf "%s" .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Expand the name of the release.
+*/}}
+{{- define "arangodb-ingress-proxy.releaseName" -}}
+{{- printf "%s" .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/chart/arangodb-ingress-proxy/templates/configmap.yaml b/chart/arangodb-ingress-proxy/templates/configmap.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+    name: {{ template "arangodb-ingress-proxy.name" . }}
+    namespace: {{ .Release.Namespace }}
+    labels:
+        app.kubernetes.io/name: {{ template "arangodb-ingress-proxy.name" . }}
+        helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        release: {{ .Release.Name }}
+data:
+  config: |
+    user  nginx;
+    worker_processes  1;
+
+    error_log /dev/stdout info;
+
+    pid        /var/run/nginx.pid;
+
+
+    events {
+        worker_connections  1024;
+    }
+
+    stream {
+        log_format basic '$remote_addr [$time_local] '
+                       '$protocol $status $bytes_sent $bytes_received '
+                       '$session_time';
+        access_log /dev/stdout basic;
+
+        server {
+            listen              8529 ssl;
+            proxy_pass          {{ required "Arango Deployment name needs to be provided!" .Values.deployment }}:8529;
+
+            proxy_ssl  on;
+
+            ssl_certificate     /etc/nginx/local-tls/tls.crt;
+            ssl_certificate_key /etc/nginx/local-tls/tls.key;
+            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+            ssl_ciphers   HIGH:!aNULL:!MD5;
+            ssl_session_timeout   4h;
+            ssl_handshake_timeout 30s;
+            proxy_timeout 6h;
+        }
+    }
diff --git a/chart/arangodb-ingress-proxy/templates/deployment.yaml b/chart/arangodb-ingress-proxy/templates/deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+    name: {{ template "arangodb-ingress-proxy.name" . }}
+    namespace: {{ .Release.Namespace }}
+    labels:
+        app.kubernetes.io/name: {{ template "arangodb-ingress-proxy.name" . }}
+        helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        release: {{ .Release.Name }}
+spec:
+    replicas: {{ .Values.replicas }}
+    selector:
+        matchLabels:
+            app.kubernetes.io/name: {{ template "arangodb-ingress-proxy.name" . }}
+            helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+            app.kubernetes.io/instance: {{ .Release.Name }}
+            release: {{ .Release.Name }}
+    template:
+        metadata:
+            labels:
+                app.kubernetes.io/name: {{ template "arangodb-ingress-proxy.name" . }}
+                helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+                app.kubernetes.io/managed-by: {{ .Release.Service }}
+                app.kubernetes.io/instance: {{ .Release.Name }}
+                release: {{ .Release.Name }}
+        spec:
+            affinity:
+                nodeAffinity:
+                    requiredDuringSchedulingIgnoredDuringExecution:
+                        nodeSelectorTerms:
+                            - matchExpressions:
+                                  - key: beta.kubernetes.io/arch
+                                    operator: In
+                                    values:
+                                        - amd64
+                podAntiAffinity:
+                    preferredDuringSchedulingIgnoredDuringExecution:
+                        - weight: 100
+                          podAffinityTerm:
+                              topologyKey: "kubernetes.io/hostname"
+                              labelSelector:
+                                  matchExpressions:
+                                      - key: app.kubernetes.io/name
+                                        operator: In
+                                        values:
+                                            - {{ template "arangodb-ingress-proxy.name" . }}
+            containers:
+                - name: nginx
+                  imagePullPolicy: {{ .Values.imagePullPolicy }}
+                  image: {{ .Values.image }}
+                  ports:
+                      - name: nginx
+                        containerPort: 8529
+                  volumeMounts:
+                    - mountPath: /etc/nginx/nginx.conf
+                      name: config
+                      subPath: config
+                    - mountPath: /etc/nginx/local-tls
+                      name: tls
+            volumes:
+              - name: config
+                configMap:
+                  name: {{ template "arangodb-ingress-proxy.name" . }}
+              - name: tls
+                secret:
+                  secretName: {{ required "TLS certificate need to be provided!" .Values.tls }}
diff --git a/chart/arangodb-ingress-proxy/templates/service.yaml b/chart/arangodb-ingress-proxy/templates/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+    name: {{ template "arangodb-ingress-proxy.name" . }}
+    namespace: {{ .Release.Namespace }}
+    labels:
+        app.kubernetes.io/name: {{ template "arangodb-ingress-proxy.name" . }}
+        helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        release: {{ .Release.Name }}
+spec:
+    ports:
+        - name: server
+          port: 8529
+          protocol: TCP
+          targetPort: 8529
+    selector:
+        app.kubernetes.io/name: {{ template "arangodb-ingress-proxy.name" . }}
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        release: {{ .Release.Name }}
+    type: LoadBalancer
diff --git a/chart/arangodb-ingress-proxy/values.yaml b/chart/arangodb-ingress-proxy/values.yaml
@@ -0,0 +1,5 @@
+---
+
+replicas: 2
+imagePullPolicy: Always
+image: nginx:1.16.1-alpine
diff --git a/pkg/apis/deployment/v1/tls_sni_spec.go b/pkg/apis/deployment/v1/tls_sni_spec.go
@@ -44,7 +44,7 @@ const (
 
 // TLSSNISpec holds TLS SNI additional certificates
 type TLSSNISpec struct {
-	Mapping map[string][]string `json:"sniMapping,omitempty"`
+	Mapping map[string][]string `json:"mapping,omitempty"`
 	Mode    *TLSSNIRotateMode   `json:"mode,omitempty"`
 }
 
diff --git a/pkg/apis/deployment/v1/tls_spec.go b/pkg/apis/deployment/v1/tls_spec.go
@@ -40,7 +40,7 @@ type TLSSpec struct {
 	CASecretName *string     `json:"caSecretName,omitempty"`
 	AltNames     []string    `json:"altNames,omitempty"`
 	TTL          *Duration   `json:"ttl,omitempty"`
-	SNI          *TLSSNISpec `json:",inline"`
+	SNI          *TLSSNISpec `json:"sni,omitempty"`
 }
 
 const (
@@ -58,19 +58,19 @@ func (s TLSSpec) GetAltNames() []string {
 	return s.AltNames
 }
 
-func (s TLSSpec) GetTLSSNISpec() TLSSNISpec {
-	if s.SNI == nil {
-		return TLSSNISpec{}
-	}
-
-	return *s.SNI
-}
-
 // GetTTL returns the value of ttl.
 func (s TLSSpec) GetTTL() Duration {
 	return DurationOrDefault(s.TTL)
 }
 
+func (a TLSSpec) GetSNI() TLSSNISpec {
+	if a.SNI == nil {
+		return TLSSNISpec{}
+	}
+
+	return *a.SNI
+}
+
 // IsSecure returns true when a CA secret has been set, false otherwise.
 func (s TLSSpec) IsSecure() bool {
 	return s.GetCASecretName() != CASecretNameDisabled
@@ -134,6 +134,7 @@ func (s *TLSSpec) SetDefaultsFrom(source TLSSpec) {
 	if s.TTL == nil {
 		s.TTL = NewDurationOrNil(source.TTL)
 	}
-
-	s.SNI.SetDefaultsFrom(source.SNI)
+	if s.SNI == nil {
+		s.SNI = source.SNI.DeepCopy()
+	}
 }
diff --git a/pkg/deployment/pod/sni.go b/pkg/deployment/pod/sni.go
@@ -74,7 +74,7 @@ func (s sni) Verify(i Input, secrets k8sutil.SecretInterface) error {
 		return nil
 	}
 
-	for _, secret := range util.SortKeys(i.Deployment.TLS.GetTLSSNISpec().Mapping) {
+	for _, secret := range util.SortKeys(i.Deployment.TLS.GetSNI().Mapping) {
 		kubeSecret, err := secrets.Get(secret, meta.GetOptions{})
 		if err != nil {
 			return err
@@ -93,7 +93,7 @@ func (s sni) Volumes(i Input) ([]core.Volume, []core.VolumeMount) {
 		return nil, nil
 	}
 
-	sni := i.Deployment.TLS.GetTLSSNISpec()
+	sni := i.Deployment.TLS.GetSNI()
 	volumes := make([]core.Volume, 0, len(sni.Mapping))
 	volumeMounts := make([]core.VolumeMount, 0, len(sni.Mapping))
 
@@ -131,7 +131,7 @@ func (s sni) Args(i Input) k8sutil.OptionPairs {
 
 	opts := k8sutil.CreateOptionPairs()
 
-	for _, volume := range util.SortKeys(i.Deployment.TLS.GetTLSSNISpec().Mapping) {
+	for _, volume := range util.SortKeys(i.Deployment.TLS.GetSNI().Mapping) {
 		servers, ok := i.Deployment.TLS.SNI.Mapping[volume]
 		if !ok {
 			continue

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Your LB is ready!`
	`2`	`+`
	`3`	+Get LoadBalancer IP using `kubectl --namespace "{{ .Release.Namespace }}" get svc "{{ template "arangodb-ingress-proxy.name" . }}" -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ const (`
`44`	`44`
`45`	`45`	`// TLSSNISpec holds TLS SNI additional certificates`
`46`	`46`	`type TLSSNISpec struct {`
`47`		- Mapping map[string][]string `json:"sniMapping,omitempty"`
	`47`	+ Mapping map[string][]string `json:"mapping,omitempty"`
`48`	`48`	Mode *TLSSNIRotateMode `json:"mode,omitempty"`
`49`	`49`	`}`
`50`	`50`