Merge pull request #48 from cetic/feature/traefik-ingress

Adding access features and updating Nifi
cetic · May 27, 2022 · ec8a02f · ec8a02f
2 parents 3f1a733 + 0c2cee8
commit ec8a02f
Show file tree

Hide file tree

Showing 6 changed files with 298 additions and 65 deletions.
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: v2
 name: fadi
-version: 0.2.13
-appVersion: 0.2.13
+version: 0.3.0
+appVersion: 0.3.0
 description: FADI is a Cloud Native platform for Big Data based on mature open source tools. 
 keywords:
   - fadi
@@ -48,7 +48,7 @@ dependencies:
   repository: https://jupyterhub.github.io/helm-chart/
   condition: jupyterhub.enabled
 - name: nifi
-  version: ~0.6.1
+  version: ~1.0.6
   repository: https://cetic.github.io/helm-charts/
   condition: nifi.enabled
 - name: openldap
@@ -135,3 +135,7 @@ dependencies:
   version: ~10.6.2
   repository: https://helm.traefik.io/traefik
   condition: traefik.enabled
+- name: cert-manager
+  version: ~1.7.1
+  repository: https://charts.jetstack.io
+  condition: cert-manager.enabled
diff --git a/README.md b/README.md
@@ -99,6 +99,8 @@ Each requirement is configured with the options provided by that Chart. Please c
 | `rabbitmq.enabled`                                                            | Enable [rabbitmq](https://artifacthub.io/packages/helm/bitnami/rabbitmq)                                                              | `false`                         |
 | `thingsboard.enabled`                                                            | Enable [thingsboard](https://github.com/cetic/helm-thingsboard)                                                              | `false`                         |
 | `influxdb.enabled`                                                            | Enable [influxdb](https://github.com/bitnami/charts/tree/master/bitnami/influxdb)                                                              | `false`                         |
+| `traefik.enabled`                                                            | Enable [traefik](https://github.com/traefik/traefik-helm-chart/tree/master/traefik)                                                              | `true`                         |
+| `cert-manager.enabled`                                                            | Enable [cert-manager](https://github.com/cert-manager/cert-manager)                                                              | `false`                         |
 ## Contributing
 
 Feel free to contribute by making a [pull request](https://github.com/cetic/helm-fadi/pull/new/master).

diff --git a/templates/NOTES.txt b/templates/NOTES.txt
@@ -1,7 +1,7 @@
 Thank you for installing FADI!
 
 * To list the different services of fadi framework: `minikube service list`
-* To list the different fadi pods and their status: `kubectl get pods`
+* To list the different fadi pods and their status: `kubectl get pods -n fadi`
 * To access a service in your browser, type for instance: `minikube service -n fadi fadi-nifi` (if you are on minikube)
 * You can list all the addresses by typing: `kubectl get ingress -n fadi` (if you setup ingress definitions)
 

diff --git a/templates/cert.yaml b/templates/cert.yaml
@@ -0,0 +1,78 @@
+{{- if .Values.clusterIssuer.enabled -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: fadi-letsencrypt
+spec:
+  acme:
+    {{- if .Values.clusterIssuer.prod }}
+    server: https://acme-v02.api.letsencrypt.org/directory
+    {{ else }}
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    {{- end }}
+    email: {{ .Values.clusterIssuer.email }}
+    privateKeySecretRef:
+      name: fadi-letsencrypt-private-key
+    solvers:
+      - http01:
+          ingress:
+            ingressTemplate:
+              metadata:
+                annotations:
+                  kubernetes.io/ingress.class: traefik-cert-manager
+---
+{{- if .Values.grafana.traefikIngress.tls -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.grafana.traefikIngress.host }}
+  namespace: default
+  labels:
+    "use-http01-solver": "true"
+spec:
+  secretName: {{ .Values.grafana.traefikIngress.host }}
+  issuerRef:
+    name: fadi-letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - {{ .Values.grafana.traefikIngress.host }}
+---
+{{- end }}
+
+{{- if .Values.superset.traefikIngress.tls -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.superset.traefikIngress.host }}
+  namespace: default
+  labels:
+    "use-http01-solver": "true"
+spec:
+  secretName: {{ .Values.superset.traefikIngress.host }}
+  issuerRef:
+    name: fadi-letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - {{ .Values.superset.traefikIngress.host }}
+---
+{{- end }}
+
+{{- if .Values.jupyterhub.traefikIngress.tls -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.jupyterhub.traefikIngress.host }}
+  namespace: default
+  labels:
+    "use-http01-solver": "true"
+spec:
+  secretName: {{ .Values.jupyterhub.traefikIngress.host }}
+  issuerRef:
+    name: fadi-letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - {{ .Values.jupyterhub.traefikIngress.host }}
+---
+{{- end }}
+
+{{ end }}
diff --git a/templates/ingressroutes.yaml b/templates/ingressroutes.yaml
@@ -1,9 +1,27 @@
 {{- if .Values.traefik.enabled -}}
-{{- if .Values.grafana.traefikIngress.enabled -}}
+{{- if and (.Values.grafana.enabled) (.Values.grafana.traefikIngress.enabled) -}}
+{{- if .Values.grafana.traefikIngress.tls }}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: grafana
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - kind: Rule
+    match: Host(`{{ .Values.grafana.traefikIngress.host }}`) && PathPrefix(`/`)
+    services:
+      - name: {{ .Release.Name }}-grafana
+        port: 80
+  tls:
+    secretName: {{ .Values.grafana.traefikIngress.host }}  
+---
+{{- end }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-http
 spec:
   entryPoints:
     - web
@@ -13,10 +31,14 @@ spec:
     services:
     - name: {{ .Release.Name }}-grafana
       port: 80
-{{- end }}
+    {{- if .Values.grafana.traefikIngress.tls }}
+    middlewares:
+      - name: https-redirect
+    {{- end }}
 ---
-{{- if .Values.nifi.traefikIngress.enabled -}}
-{{- if .Values.nifi.properties.clusterSecure -}}
+{{- end }}
+
+{{- if and (.Values.nifi.enabled) (.Values.nifi.traefikIngress.enabled) -}}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteTCP
 metadata:
@@ -31,39 +53,64 @@ spec:
         port: {{ .Values.nifi.properties.httpsPort }}
   tls:
     passthrough: true
-{{- else }}
+---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: nifi
+  name: nifi-http
 spec:
   entryPoints:
     - web
   routes:
   - kind: Rule
     match: Host(`{{ .Values.nifi.traefikIngress.host }}`) && PathPrefix(`/`)
     services:
-    - name: {{ .Release.Name }}-nifi
-      port: {{ .Values.nifi.properties.httpPort }}
-{{- end }}
-{{- end }}
+      - name: {{ .Release.Name }}-nifi
+        port: {{ .Values.nifi.properties.httpsPort }}
+    middlewares:
+      - name: https-redirect
 ---
-{{- if .Values.jupyterhub.traefikIngress.enabled -}}
+{{- end }}
+
+{{- if and (.Values.jupyterhub.enabled) (.Values.jupyterhub.traefikIngress.enabled) -}}
+{{- if .Values.jupyterhub.traefikIngress.tls }}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: hub
 spec:
   entryPoints:
-    - web
+    - websecure
   routes:
   - kind: Rule
     match: Host(`{{ .Values.jupyterhub.traefikIngress.host }}`) && PathPrefix(`/`)
     services:
-    - name: hub
-      port: 8081
+    - name: proxy-public
+      port: 80
+  tls:
+    secretName: {{ .Values.jupyterhub.traefikIngress.host }}
+---
 {{- end }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: hub-http
+spec:
+  entryPoints:
+    - web
+  routes:
+  - kind: Rule
+    match: Host(`{{ .Values.jupyterhub.traefikIngress.host }}`) && PathPrefix(`/`)
+    services:
+    - name: proxy-public
+      port: 80
+    {{- if .Values.jupyterhub.traefikIngress.tls }}
+    middlewares:
+      - name: https-redirect
+    {{- end }}
 ---
+{{- end }}
+
 {{- if .Values.traefik.dashboardIngress.enabled -}}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
@@ -78,13 +125,32 @@ spec:
       services:
         - name: api@internal
           kind: TraefikService
-{{- end }}
 ---
-{{- if .Values.superset.traefikIngress.enabled -}}
+{{- end }}
+
+{{- if and (.Values.superset.enabled) (.Values.superset.traefikIngress.enabled) -}}
+{{- if .Values.superset.traefikIngress.tls }}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: superset
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - kind: Rule
+    match: Host(`{{ .Values.superset.traefikIngress.host }}`) && PathPrefix(`/`)
+    services:
+    - name: {{ .Release.Name }}-superset
+      port: 9000
+  tls:
+    secretName: {{ .Values.superset.traefikIngress.host }}
+---
+{{- end }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: superset-http
 spec:
   entryPoints:
     - web
@@ -94,6 +160,22 @@ spec:
     services:
     - name: {{ .Release.Name }}-superset
       port: 9000
+    {{- if .Values.superset.traefikIngress.tls }}
+    middlewares:
+      - name: https-redirect
+    {{- end }}
+---
+{{- end }}
+
+{{- if .Values.clusterIssuer.enabled }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: https-redirect
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
 {{- end }}
 
-{{- end }}
+{{- end }}