From 9234882d0eae64f8abf8ac4bd035ca55a4ded91e Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Fri, 27 Dec 2024 13:18:52 +1100 Subject: [PATCH 1/3] chore: updates to support keycloak 26 in testing --- .gitignore | 1 + Makefile | 66 ++++++++++++++++--- charts/lagoon-core/Chart.yaml | 15 +---- charts/lagoon-core/ci/linter-values.yaml | 2 + .../templates/ssh-portal-api.deployment.yaml | 4 ++ .../templates/ssh-token.deployment.yaml | 4 ++ 6 files changed, 70 insertions(+), 22 deletions(-) diff --git a/.gitignore b/.gitignore index dc41c877b..6cbb74d42 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /test-suite.kind-config.yaml /test-suite.kind-config.calico.yaml +certs/ \ No newline at end of file diff --git a/Makefile b/Makefile index bd6a862cf..290abfbe6 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,23 @@ TESTS = [api] # lagoon-remote, and lagoon-test charts. If IMAGE_TAG is not set, it will fall # back to the version set in the CI values file, then to the chart default. IMAGE_TAG = + +# UI_IMAGE_TAG controls the tag used for the ui image used in the charts +UI_IMAGE_TAG = +UI_IMAGE_REPO = + +# SSHPORTALAPI_IMAGE_REPO and SSHPORTALAPI_IMAGE_TAG are an easy way to override the ssh portal api image used in the charts +SSHPORTALAPI_IMAGE_REPO = +SSHPORTALAPI_IMAGE_TAG = + +# SSHTOKEN_IMAGE_REPO and SSHTOKEN_IMAGE_TAG are an easy way to override the ssh token image used in the charts +SSHTOKEN_IMAGE_REPO = +SSHTOKEN_IMAGE_TAG = + +# SSHPORTAL_IMAGE_REPO and SSHPORTAL_IMAGE_TAG are an easy way to override the ssh portal image used in the charts +SSHPORTAL_IMAGE_REPO = +SSHPORTAL_IMAGE_TAG = + # IMAGE_REGISTRY controls the registry used for container images in the # lagoon-core, lagoon-remote, and lagoon-test charts. If IMAGE_REGISTRY is not # set, it will fall back to the version set in the chart values files. This 
@@ -113,12 +130,12 @@ install-metallb: metallb \ metallb/metallb && \ $$(envsubst < test-suite.metallb-pool.yaml.tpl > test-suite.metallb-pool.yaml) && \ - $(KUBECTL) apply -f test-suite.metallb-pool.yaml \ + $(KUBECTL) apply -f test-suite.metallb-pool.yaml # cert-manager is used to allow self-signed certificates to be generated automatically by ingress in the same way lets-encrypt would # this allows for the registry and other services to use certificates .PHONY: install-certmanager -install-certmanager: install-metallb +install-certmanager: generate-ca install-metallb $(HELM) upgrade \ --install \ --create-namespace \ @@ -132,6 +149,8 @@ install-certmanager: install-metallb --version=v1.11.0 \ cert-manager \ jetstack/cert-manager + $(KUBECTL) -n cert-manager delete secret lagoon-test-secret || echo "lagoon-test-secret doesn't exist, ignoring" + $(KUBECTL) -n cert-manager create secret generic lagoon-test-secret --from-file=tls.crt=certs/lagoontest.crt --from-file=tls.key=certs/lagoontest.key --from-file=ca.crt=certs/lagoontest.crt $(KUBECTL) apply -f test-suite.certmanager-issuer-ss.yaml .PHONY: install-ingress @@ -321,6 +340,16 @@ install-k8upv2: k8upv2 \ k8up/k8up +# generate-ca will generate a CA certificate that will be used to issue certificates +# this CA certificate can be loaded into a web browser so that certificates don't present warnings +.PHONY: generate-ca +generate-ca: + mkdir -p certs && \ + openssl x509 -enddate -noout -in certs/lagoontest.crt || \ + (openssl genrsa -out certs/lagoontest.key 2048 && \ + openssl req -x509 -new -nodes -key certs/lagoontest.key \ + -sha256 -days 3560 -out certs/lagoontest.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign \ + -subj '/CN=lagoon.test') .PHONY: install-lagoon-dependencies # this will install all the Lagoon dependencies prior to anything related to Lagoon being installed 
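Review bot: In the install-certmanager hunk, `delete secret lagoon-test-secret || echo "lagoon-test-secret doesn't exist, ignoring"` treats every failure as "not found", so an unreachable API server or an RBAC denial is reported as a missing secret and only surfaces on the following `create`. `$(KUBECTL) -n cert-manager delete secret lagoon-test-secret --ignore-not-found` keeps the step idempotent without swallowing real errors. The secret also carries certs/lagoontest.key, the CA private key, so a comment that this is meant for throwaway test clusters only would help. The install-certmanager recipe starts above this hunk.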
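Review bot: The generate-ca comment invites loading certs/lagoontest.crt into a browser trust store, but the certificate is an unconstrained CA valid for 3560 days whose private key sits unencrypted in the working tree, so whoever obtains certs/lagoontest.key can issue certificates that browser accepts for any site. If every test hostname lives under nip.io, consider adding `-addext 'nameConstraints=critical,permitted;DNS:.nip.io'` to the `openssl req` call. The comment should also say the CA is for local test clusters only and should be removed from trust stores afterwards. Separately, the `openssl x509 -enddate -noout` guard only proves the file parses; adding `-checkend 0` would also regenerate an expired certificate, and the guard never checks that certs/lagoontest.key still exists. The PATCH 2/3 hunk that silences this check has the same gap.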
@@ -373,9 +402,9 @@ endif $$([ $(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set buildDeployImage.default.image=$(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE)') \ $$([ $(DISABLE_CORE_HARBOR) ] && echo '--set api.additionalEnvs.DISABLE_CORE_HARBOR=$(DISABLE_CORE_HARBOR)') \ $$([ $(OPENSEARCH_INTEGRATION_ENABLED) ] && echo '--set api.additionalEnvs.OPENSEARCH_INTEGRATION_ENABLED=$(OPENSEARCH_INTEGRATION_ENABLED)') \ - --set "keycloakFrontEndURL=http://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ - --set "lagoonAPIURL=http://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ - --set "lagoonUIURL=http://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set "keycloakFrontEndURL=https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set "lagoonAPIURL=https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ + --set "lagoonUIURL=https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set "lagoonWebhookURL=http://lagoon-webhook.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set actionsHandler.image.repository=$(IMAGE_REGISTRY)/actions-handler') \ $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set api.image.repository=$(IMAGE_REGISTRY)/api') \ 
@@ -412,18 +441,37 @@ endif --set api.ingress.enabled=true \ --set api.ingress.hosts[0].host="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set api.ingress.hosts[0].paths[0]="/" \ + --set api.ingress.tls[0].hosts[0]="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set api.ingress.tls[0].secretName=api-tls \ + --set-string api.ingress.annotations.kubernetes\\.io/tls-acme=true \ --set ui.ingress.enabled=true \ --set ui.ingress.hosts[0].host="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set ui.ingress.hosts[0].paths[0]="/" \ + --set ui.ingress.tls[0].hosts[0]="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set ui.ingress.tls[0].secretName=ui-tls \ + --set-string ui.ingress.annotations.kubernetes\\.io/tls-acme=true \ + $$([ $(UI_IMAGE_REPO) ] && echo '--set ui.image.repository=$(UI_IMAGE_REPO)') \ + $$([ $(UI_IMAGE_TAG) ] && echo '--set ui.image.tag=$(UI_IMAGE_TAG)') \ --set keycloak.ingress.enabled=true \ --set keycloak.ingress.hosts[0].host="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set keycloak.ingress.hosts[0].paths[0]="/" \ + --set keycloak.ingress.tls[0].hosts[0]="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set keycloak.ingress.tls[0].secretName=keycloak-tls \ + --set-string keycloak.ingress.annotations.kubernetes\\.io/tls-acme=true \ --set webhookHandler.ingress.enabled=true \ --set webhookHandler.ingress.hosts[0].host="lagoon-webhook.$$($(KUBECTL) -n ingress-nginx 
get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set webhookHandler.ingress.hosts[0].paths[0]="/" \ + --set-string webhookHandler.ingress.annotations.kubernetes\\.io/tls-acme=true \ --set broker.ingress.enabled=true \ --set broker.ingress.hosts[0].host="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set broker.ingress.hosts[0].paths[0]="/" \ + --set broker.ingress.tls[0].hosts[0]="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set broker.ingress.tls[0].secretName=broker-tls \ + --set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true \ + $$([ $(SSHPORTALAPI_IMAGE_REPO) ] && echo '--set sshPortalAPI.image.repository=$(SSHPORTALAPI_IMAGE_REPO)') \ + $$([ $(SSHPORTALAPI_IMAGE_TAG) ] && echo '--set sshPortalAPI.image.tag=$(SSHPORTALAPI_IMAGE_TAG)') \ + $$([ $(SSHTOKEN_IMAGE_REPO) ] && echo '--set sshToken.image.repository=$(SSHTOKEN_IMAGE_REPO)') \ + $$([ $(SSHTOKEN_IMAGE_TAG) ] && echo '--set sshToken.image.tag=$(SSHTOKEN_IMAGE_TAG)') \ $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set workflows.image.repository=$(IMAGE_REGISTRY)/workflows') \ $$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.enabled=true') \ $$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.settings.host=mailpit-smtp.mailpit.svc') \ 
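Review bot: webhookHandler receives only `--set-string webhookHandler.ingress.annotations.kubernetes\\.io/tls-acme=true`, without the `tls[0].hosts[0]` / `tls[0].secretName` pair that api, ui, keycloak and broker get, and `lagoonWebhookURL` is still `http://` in the previous hunk. As far as I know cert-manager only issues certificates for hosts listed under an ingress's `tls` section, so this annotation is probably inert and webhook traffic stays in cleartext. Either add the two tls lines (for example `--set webhookHandler.ingress.tls[0].secretName=webhook-tls`) and switch the URL to https, or drop the annotation so the configuration does not suggest TLS that is not there. The helm recipe these lines belong to starts and ends outside the hunk.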
@@ -496,6 +544,8 @@ endif $$([ $(IMAGE_TAG) ] && [ $(INSTALL_STABLE_REMOTE) != true ] && echo '--set imageTag=$(IMAGE_TAG)') \ $$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.type=LoadBalancer') \ $$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.ports.sshserver=2222') \ + $$([ $(SSHPORTAL_IMAGE_REPO) ] && echo '--set sshPortal.image.repository=$(SSHPORTAL_IMAGE_REPO)') \ + $$([ $(SSHPORTAL_IMAGE_TAG) ] && echo '--set sshPortal.image.tag=$(SSHPORTAL_IMAGE_TAG)') \ lagoon-remote \ $$(if [ $(INSTALL_STABLE_REMOTE) = true ]; then echo 'lagoon/lagoon-remote'; else echo './charts/lagoon-remote'; fi) @@ -602,9 +652,9 @@ install-test-cluster: install-ingress install-registry install-bulk-storageclass .PHONY: get-admin-creds get-admin-creds: @echo "\nLagoon UI URL: " \ - && echo "http://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + && echo "https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ && echo "Lagoon API URL: " \ - && echo "http://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ + && echo "https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ && echo "Lagoon API admin legacy token: \n$$(docker run \ -e JWTSECRET="$$($(KUBECTL) get secret -n lagoon-core lagoon-core-secrets -o jsonpath="{.data.JWTSECRET}" | base64 --decode)" \ -e JWTAUDIENCE=api.dev \ 
@@ -612,7 +662,7 @@ get-admin-creds: uselagoon/tests \ python3 /ansible/tasks/api/admin_token.py)" \ && echo "Keycloak admin URL: " \ - && echo "http://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \ + && echo "https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \ && echo "Keycloak admin password: " \ && $(KUBECTL) get secret -n lagoon-core lagoon-core-keycloak -o jsonpath="{.data.KEYCLOAK_ADMIN_PASSWORD}" | base64 --decode \ && echo "\n" diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml index 8b15aeb6c..14b73d5bb 100644 --- a/charts/lagoon-core/Chart.yaml +++ b/charts/lagoon-core/Chart.yaml @@ -41,17 +41,4 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: update lagoon-core appVersion to v2.23.0 - links: - - name: Lagoon 2.23.0 release notes - url: https://docs.lagoon.sh/releases/2.23.0 - - kind: changed - description: add KEYCLOAK_ADMIN_API_CLIENT_SECRET variable to keycloak and api deployment - - kind: changed - description: update uselagoon/lagoon-ssh-portal/ssh-portal-api from v0.41.3 to v0.41.4 - - kind: changed - description: update uselagoon/lagoon-ssh-portal/ssh-token from v0.41.3 to v0.41.4 - - kind: changed - description: update uselagoon/lagoon-opensearch-sync from v0.8.0 to v0.8.1 - - kind: changed - description: update NATS chart dependency to 1.2.8 + description: update ssh-portal-api and ssh-token options diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml index 10fcdb4c6..5ff86e748 100644 --- a/charts/lagoon-core/ci/linter-values.yaml +++ b/charts/lagoon-core/ci/linter-values.yaml @@ -229,6 +229,7 @@ sshPortalAPI: enabled: true replicaCount: 1 debug: true + insecureTLS: true serviceMonitor: enabled: false 
@@ -236,6 +237,7 @@ sshToken: enabled: true replicaCount: 1 debug: true + insecureTLS: true serviceMonitor: enabled: false service: diff --git a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml index f1b65674d..1913bb858 100644 --- a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml +++ b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml @@ -43,6 +43,10 @@ spec: - name: DEBUG value: "true" {{- end }} + {{- if .Values.sshPortalAPI.insecureTLS }} + - name: KEYCLOAK_INSECURE_TLS + value: "true" + {{- end }} {{- if .Values.blockDeveloperSSH }} - name: BLOCK_DEVELOPER_SSH value: "true" diff --git a/charts/lagoon-core/templates/ssh-token.deployment.yaml b/charts/lagoon-core/templates/ssh-token.deployment.yaml index 1f2c0891c..a96937874 100644 --- a/charts/lagoon-core/templates/ssh-token.deployment.yaml +++ b/charts/lagoon-core/templates/ssh-token.deployment.yaml @@ -38,6 +38,10 @@ spec: - name: DEBUG value: "true" {{- end }} + {{- if .Values.sshToken.insecureTLS }} + - name: KEYCLOAK_INSECURE_TLS + value: "true" + {{- end }} {{- if .Values.blockDeveloperSSH }} - name: BLOCK_DEVELOPER_SSH value: "true" From e1939cbff7f0ebded1d4a91a4521ef94766592bf Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Mon, 30 Dec 2024 07:36:53 +1100 Subject: [PATCH 2/3] chore: support https with flag --- Makefile | 90 ++++++++++--------- charts/lagoon-core/ci/linter-values.yaml | 16 ++++ .../templates/ssh-portal-api.deployment.yaml | 6 +- .../templates/ssh-token.deployment.yaml | 6 +- charts/lagoon-core/values.yaml | 6 ++ 5 files changed, 82 insertions(+), 42 deletions(-) diff --git a/Makefile b/Makefile index 290abfbe6..c24986be0 100644 --- a/Makefile +++ b/Makefile 
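Review bot: `.Values.sshPortalAPI.insecureTLS` (and `.Values.sshToken.insecureTLS` in the ssh-token template hunk that follows) turns on `KEYCLOAK_INSECURE_TLS=true`, but no patch in this series adds the key to charts/lagoon-core/values.yaml, so the switch has no documented default or warning. I would add `insecureTLS: false` under both `sshPortalAPI` and `sshToken` in values.yaml with a comment such as `# insecureTLS presumably disables TLS certificate verification for Keycloak connections; test clusters only, never production`. Since the Makefile now creates its own CA, it may also be possible to mount that CA into these pods instead of turning verification off, if the services support a custom trust bundle.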
@@ -4,21 +4,27 @@ TESTS = [api] # back to the version set in the CI values file, then to the chart default. IMAGE_TAG = -# UI_IMAGE_TAG controls the tag used for the ui image used in the charts -UI_IMAGE_TAG = -UI_IMAGE_REPO = +# UI_IMAGE_REPO and UI_IMAGE_TAG are an easy way to override the UI image used +# only works for installations where INSTALL_STABLE_CORE=false +# UI_IMAGE_REPO = uselagoon/ui +UI_IMAGE_TAG = -# SSHPORTALAPI_IMAGE_REPO and SSHPORTALAPI_IMAGE_TAG are an easy way to override the ssh portal api image used in the charts -SSHPORTALAPI_IMAGE_REPO = -SSHPORTALAPI_IMAGE_TAG = +# SSHPORTALAPI_IMAGE_REPO and SSHPORTALAPI_IMAGE_TAG are an easy way to override the ssh portal api image used in the local stack lagoon-core +# only works for installations where INSTALL_STABLE_CORE=false +SSHPORTALAPI_IMAGE_REPO = +SSHPORTALAPI_IMAGE_TAG = -# SSHTOKEN_IMAGE_REPO and SSHTOKEN_IMAGE_TAG are an easy way to override the ssh token image used in the charts -SSHTOKEN_IMAGE_REPO = -SSHTOKEN_IMAGE_TAG = +# SSHTOKEN_IMAGE_REPO and SSHTOKEN_IMAGE_TAG are an easy way to override the ssh token image used in the local stack lagoon-core +# only works for installations where INSTALL_STABLE_CORE=false +SSHTOKEN_IMAGE_REPO = +SSHTOKEN_IMAGE_TAG = -# SSHPORTAL_IMAGE_REPO and SSHPORTAL_IMAGE_TAG are an easy way to override the ssh portal image used in the charts -SSHPORTAL_IMAGE_REPO = -SSHPORTAL_IMAGE_TAG = +# SSHPORTAL_IMAGE_REPO and SSHPORTAL_IMAGE_TAG are an easy way to override the ssh portal image used in the local stack lagoon-remote +# only works for installations where INSTALL_STABLE_REMOTE=false +# SSHPORTAL_IMAGE_REPO = +# SSHPORTAL_IMAGE_TAG = + +LAGOON_CORE_USE_HTTPS = true # IMAGE_REGISTRY controls the registry used for container images in the # lagoon-core, lagoon-remote, and lagoon-test charts. If IMAGE_REGISTRY is not 
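Review bot: `LAGOON_CORE_USE_HTTPS = true` is the only knob in this block without a comment, and it changes the security posture of the stack. Later hunks use it to pick the URL scheme and to add the ingress tls settings for api, ui, keycloak and broker. I would add something like `# LAGOON_CORE_USE_HTTPS=true exposes the lagoon-core api, ui, keycloak and broker ingresses with TLS and https URLs; any other value falls back to plain http`. Note that every use is the unquoted test `[ $(LAGOON_CORE_USE_HTTPS) = true ]`, so an empty value makes `[` print an error before falling back to http; quoting it as `[ "$(LAGOON_CORE_USE_HTTPS)" = true ]` avoids that.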
@@ -344,8 +350,8 @@ install-k8upv2: # this CA certificate can be loaded into a web browser so that certificates don't present warnings .PHONY: generate-ca generate-ca: - mkdir -p certs && \ - openssl x509 -enddate -noout -in certs/lagoontest.crt || \ + @ mkdir -p certs && \ + openssl x509 -enddate -noout -in certs/lagoontest.crt > /dev/null 2>&1 || \ (openssl genrsa -out certs/lagoontest.key 2048 && \ openssl req -x509 -new -nodes -key certs/lagoontest.key \ -sha256 -days 3560 -out certs/lagoontest.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign \ 
@@ -402,9 +408,9 @@ endif $$([ $(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set buildDeployImage.default.image=$(OVERRIDE_BUILD_DEPLOY_DIND_IMAGE)') \ $$([ $(DISABLE_CORE_HARBOR) ] && echo '--set api.additionalEnvs.DISABLE_CORE_HARBOR=$(DISABLE_CORE_HARBOR)') \ $$([ $(OPENSEARCH_INTEGRATION_ENABLED) ] && echo '--set api.additionalEnvs.OPENSEARCH_INTEGRATION_ENABLED=$(OPENSEARCH_INTEGRATION_ENABLED)') \ - --set "keycloakFrontEndURL=https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ - --set "lagoonAPIURL=https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ - --set "lagoonUIURL=https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set "keycloakFrontEndURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + --set "lagoonAPIURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ + --set "lagoonUIURL=$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set "lagoonWebhookURL=http://lagoon-webhook.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set 
actionsHandler.image.repository=$(IMAGE_REGISTRY)/actions-handler') \ $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set api.image.repository=$(IMAGE_REGISTRY)/api') \ 
@@ -441,23 +447,26 @@ endif --set api.ingress.enabled=true \ --set api.ingress.hosts[0].host="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set api.ingress.hosts[0].paths[0]="/" \ - --set api.ingress.tls[0].hosts[0]="lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ - --set api.ingress.tls[0].secretName=api-tls \ - --set-string api.ingress.annotations.kubernetes\\.io/tls-acme=true \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set api.ingress.tls[0].hosts[0]=lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set api.ingress.tls[0].secretName=api-tls') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string api.ingress.annotations.kubernetes\\.io/tls-acme=true') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string api.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \ --set ui.ingress.enabled=true \ --set ui.ingress.hosts[0].host="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set ui.ingress.hosts[0].paths[0]="/" \ - --set ui.ingress.tls[0].hosts[0]="lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ - --set ui.ingress.tls[0].secretName=ui-tls \ - --set-string ui.ingress.annotations.kubernetes\\.io/tls-acme=true \ - $$([ $(UI_IMAGE_REPO) ] && echo '--set ui.image.repository=$(UI_IMAGE_REPO)') \ - $$([ $(UI_IMAGE_TAG) ] && echo '--set ui.image.tag=$(UI_IMAGE_TAG)') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set ui.ingress.tls[0].hosts[0]=lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services 
ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set ui.ingress.tls[0].secretName=ui-tls') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string ui.ingress.annotations.kubernetes\\.io/tls-acme=true') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string ui.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \ + $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(UI_IMAGE_REPO) ] && echo '--set ui.image.repository=$(UI_IMAGE_REPO)') \ + $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(UI_IMAGE_TAG) ] && echo '--set ui.image.tag=$(UI_IMAGE_TAG)') \ --set keycloak.ingress.enabled=true \ --set keycloak.ingress.hosts[0].host="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set keycloak.ingress.hosts[0].paths[0]="/" \ - --set keycloak.ingress.tls[0].hosts[0]="lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ - --set keycloak.ingress.tls[0].secretName=keycloak-tls \ - --set-string keycloak.ingress.annotations.kubernetes\\.io/tls-acme=true \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set keycloak.ingress.tls[0].hosts[0]=lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set keycloak.ingress.tls[0].secretName=keycloak-tls') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string keycloak.ingress.annotations.kubernetes\\.io/tls-acme=true') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string keycloak.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \ --set webhookHandler.ingress.enabled=true \ --set 
webhookHandler.ingress.hosts[0].host="lagoon-webhook.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set webhookHandler.ingress.hosts[0].paths[0]="/" \ 
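Review bot: Each TLS-enabled ingress here (api, ui, keycloak, and broker in the next hunk) also gets `nginx.ingress.kubernetes.io/ssl-redirect=false`, so with LAGOON_CORE_USE_HTTPS=true the plain-HTTP listener keeps serving the API, the UI and the Keycloak login alongside HTTPS. If that is deliberate, for instance because in-cluster callers still use http, a comment above the recipe should say so. Otherwise drop the annotation so tokens and passwords are not accepted over cleartext. The recipe these lines belong to starts and ends outside the hunk.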
@@ -465,13 +474,14 @@ endif --set broker.ingress.enabled=true \ --set broker.ingress.hosts[0].host="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ --set broker.ingress.hosts[0].paths[0]="/" \ - --set broker.ingress.tls[0].hosts[0]="lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ - --set broker.ingress.tls[0].secretName=broker-tls \ - --set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true \ - $$([ $(SSHPORTALAPI_IMAGE_REPO) ] && echo '--set sshPortalAPI.image.repository=$(SSHPORTALAPI_IMAGE_REPO)') \ - $$([ $(SSHPORTALAPI_IMAGE_TAG) ] && echo '--set sshPortalAPI.image.tag=$(SSHPORTALAPI_IMAGE_TAG)') \ - $$([ $(SSHTOKEN_IMAGE_REPO) ] && echo '--set sshToken.image.repository=$(SSHTOKEN_IMAGE_REPO)') \ - $$([ $(SSHTOKEN_IMAGE_TAG) ] && echo '--set sshToken.image.tag=$(SSHTOKEN_IMAGE_TAG)') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "--set broker.ingress.tls[0].hosts[0]=lagoon-broker.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io") \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set broker.ingress.tls[0].secretName=broker-tls') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true') \ + $$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo '--set-string broker.ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/ssl-redirect=false') \ + $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHPORTALAPI_IMAGE_REPO) ] && echo '--set sshPortalAPI.image.repository=$(SSHPORTALAPI_IMAGE_REPO)') \ + $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHPORTALAPI_IMAGE_TAG) ] && echo '--set sshPortalAPI.image.tag=$(SSHPORTALAPI_IMAGE_TAG)') \ + $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHTOKEN_IMAGE_REPO) ] && echo '--set 
sshToken.image.repository=$(SSHTOKEN_IMAGE_REPO)') \ + $$([ $(INSTALL_STABLE_CORE) != true ] && [ $(SSHTOKEN_IMAGE_TAG) ] && echo '--set sshToken.image.tag=$(SSHTOKEN_IMAGE_TAG)') \ $$([ $(IMAGE_REGISTRY) ] && [ $(INSTALL_STABLE_CORE) != true ] && echo '--set workflows.image.repository=$(IMAGE_REGISTRY)/workflows') \ $$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.enabled=true') \ $$([ $(INSTALL_MAILPIT) = true ] && echo '--set keycloak.email.settings.host=mailpit-smtp.mailpit.svc') \ @@ -544,8 +554,8 @@ endif $$([ $(IMAGE_TAG) ] && [ $(INSTALL_STABLE_REMOTE) != true ] && echo '--set imageTag=$(IMAGE_TAG)') \ $$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.type=LoadBalancer') \ $$([ $(LAGOON_SSH_PORTAL_LOADBALANCER) ] && echo '--set sshPortal.service.ports.sshserver=2222') \ - $$([ $(SSHPORTAL_IMAGE_REPO) ] && echo '--set sshPortal.image.repository=$(SSHPORTAL_IMAGE_REPO)') \ - $$([ $(SSHPORTAL_IMAGE_TAG) ] && echo '--set sshPortal.image.tag=$(SSHPORTAL_IMAGE_TAG)') \ + $$([ $(INSTALL_STABLE_REMOTE) != true ] && [ $(SSHPORTAL_IMAGE_REPO) ] && echo '--set sshPortal.image.repository=$(SSHPORTAL_IMAGE_REPO)') \ + $$([ $(INSTALL_STABLE_REMOTE) != true ] && [ $(SSHPORTAL_IMAGE_TAG) ] && echo '--set sshPortal.image.tag=$(SSHPORTAL_IMAGE_TAG)') \ lagoon-remote \ $$(if [ $(INSTALL_STABLE_REMOTE) = true ]; then echo 'lagoon/lagoon-remote'; else echo './charts/lagoon-remote'; fi) 
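Review bot: Moving the annotation flags into `echo '--set-string broker.ingress.annotations.kubernetes\\.io/tls-acme=true'` makes the escaping depend on which `echo` the recipe shell provides. An echo that interprets backslash escapes prints `kubernetes\.io` as before, but one that does not (bash's default) passes `kubernetes\\.io` to helm, which would then split the key at the dot. The same applies to the `ssl-redirect` line and to the api, ui and keycloak lines in the previous hunk. `printf '%s' '--set-string broker.ingress.annotations.kubernetes\.io/tls-acme=true'` behaves the same under every POSIX shell. The Makefile's SHELL setting is not visible in this hunk, so confirm which shell CI and developers actually run.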
@@ -652,9 +662,9 @@ install-test-cluster: install-ingress install-registry install-bulk-storageclass .PHONY: get-admin-creds get-admin-creds: @echo "\nLagoon UI URL: " \ - && echo "https://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ + && echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-ui.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io" \ && echo "Lagoon API URL: " \ - && echo "https://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ + && echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-api.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/graphql" \ && echo "Lagoon API admin legacy token: \n$$(docker run \ -e JWTSECRET="$$($(KUBECTL) get secret -n lagoon-core lagoon-core-secrets -o jsonpath="{.data.JWTSECRET}" | base64 --decode)" \ -e JWTAUDIENCE=api.dev \ @@ -662,7 +672,7 @@ get-admin-creds: uselagoon/tests \ python3 /ansible/tasks/api/admin_token.py)" \ && echo "Keycloak admin URL: " \ - && echo "https://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \ + && echo "$$([ $(LAGOON_CORE_USE_HTTPS) = true ] && echo "https" || echo "http")://lagoon-keycloak.$$($(KUBECTL) -n ingress-nginx get services ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}').nip.io/auth" \ && echo "Keycloak admin password: " \ && $(KUBECTL) get secret -n lagoon-core lagoon-core-keycloak -o jsonpath="{.data.KEYCLOAK_ADMIN_PASSWORD}" | base64 --decode \ && echo "\n" 
diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml index 5ff86e748..d600ae8ba 100644 --- a/charts/lagoon-core/ci/linter-values.yaml +++ b/charts/lagoon-core/ci/linter-values.yaml @@ -232,6 +232,14 @@ sshPortalAPI: insecureTLS: true serviceMonitor: enabled: false + # loop over the startup of ssh-portal-api for faster startup during testing/development + command: + - /bin/sh + args: + - '-c' + - >- + i=0; while [ $i -le 5 ]; do /ssh-portal-api && + exit; sleep 10; let i=i+1; done sshToken: enabled: true @@ -253,6 +261,14 @@ sshToken: AAAECW61aE011GKLSFBJ82G6oGEOjJSUV3STx16veSvX38kD9iqXNt1OpHncEdwOG8/QRV 6lnrpkhPYdpdKnF3PCEyAAAAAAECAwQF -----END OPENSSH PRIVATE KEY----- + # loop over the startup of ssh-token for faster startup during testing/development + command: + - /bin/sh + args: + - '-c' + - >- + i=0; while [ $i -le 5 ]; do /ssh-token && + exit; sleep 10; let i=i+1; done controllerhandler: replicaCount: 1 diff --git a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml index 1913bb858..3b6bfdeb6 100644 --- a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml +++ b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml @@ -37,7 +37,11 @@ spec: image: "{{ .Values.sshPortalAPI.image.repository }}:{{ coalesce .Values.sshPortalAPI.image.tag .Values.imageTag .Chart.AppVersion }}" imagePullPolicy: {{ .Values.sshPortalAPI.image.pullPolicy }} command: - - "/ssh-portal-api" + {{- .Values.sshPortalAPI.command | toYaml | nindent 8 }} + {{- if .Values.sshPortalAPI.args }} + args: + {{- .Values.sshPortalAPI.args | toYaml | nindent 8 }} + {{- end }} env: {{- if .Values.sshPortalAPI.debug }} - name: DEBUG diff --git a/charts/lagoon-core/templates/ssh-token.deployment.yaml b/charts/lagoon-core/templates/ssh-token.deployment.yaml index a96937874..eddf24bc8 100644 --- a/charts/lagoon-core/templates/ssh-token.deployment.yaml 
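Review bot: The retry wrapper added for sshPortalAPI (and the identical one for sshToken in the next hunk) increments with `let i=i+1`, which is not POSIX. If the image's /bin/sh lacks `let`, `i` never changes and the loop restarts the binary forever instead of stopping after six attempts. `i=$((i+1))` works in every POSIX shell. Running the service under `sh -c` also means the shell, not the service, receives the container's termination signal, and once the attempts are exhausted the container exits with the status of the last loop command rather than the service's failure code. The comment should state that this override is for CI only.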
+++ b/charts/lagoon-core/templates/ssh-token.deployment.yaml @@ -32,7 +32,11 @@ spec: image: "{{ .Values.sshToken.image.repository }}:{{ coalesce .Values.sshToken.image.tag .Values.imageTag .Chart.AppVersion }}" imagePullPolicy: {{ .Values.sshToken.image.pullPolicy }} command: - - "/ssh-token" + {{- .Values.sshToken.command | toYaml | nindent 8 }} + {{- if .Values.sshToken.args }} + args: + {{- .Values.sshToken.args | toYaml | nindent 8 }} + {{- end }} env: {{- if .Values.sshToken.debug }} - name: DEBUG diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml index 23bb0fae7..ad1cf84d9 100644 --- a/charts/lagoon-core/values.yaml +++ b/charts/lagoon-core/values.yaml @@ -967,6 +967,9 @@ sshPortalAPI: # Overrides the image tag whose default is the chart appVersion. tag: "v0.41.4" + command: + - /ssh-portal-api + podAnnotations: {} securityContext: {} @@ -1040,6 +1043,9 @@ sshToken: # Overrides the image tag whose default is the chart appVersion. tag: "v0.41.4" + command: + - /ssh-token + podAnnotations: {} securityContext: {} From 04a909498f1574f5da85f94bd2891901f6c07c1c Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Tue, 31 Dec 2024 08:41:15 +1100 Subject: [PATCH 3/3] chore: overrides for testing, revert later --- Makefile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index c24986be0..a9e575c64 100644 --- a/Makefile +++ b/Makefile 
@@ -7,17 +7,17 @@ IMAGE_TAG = # UI_IMAGE_REPO and UI_IMAGE_TAG are an easy way to override the UI image used # only works for installations where INSTALL_STABLE_CORE=false # UI_IMAGE_REPO = uselagoon/ui -UI_IMAGE_TAG = +# UI_IMAGE_TAG = latest # SSHPORTALAPI_IMAGE_REPO and SSHPORTALAPI_IMAGE_TAG are an easy way to override the ssh portal api image used in the local stack lagoon-core # only works for installations where INSTALL_STABLE_CORE=false -SSHPORTALAPI_IMAGE_REPO = -SSHPORTALAPI_IMAGE_TAG = +SSHPORTALAPI_IMAGE_REPO = shreddedbacon/ssh-portal-api +SSHPORTALAPI_IMAGE_TAG = latest # SSHTOKEN_IMAGE_REPO and SSHTOKEN_IMAGE_TAG are an easy way to override the ssh token image used in the local stack lagoon-core # only works for installations where INSTALL_STABLE_CORE=false -SSHTOKEN_IMAGE_REPO = -SSHTOKEN_IMAGE_TAG = +SSHTOKEN_IMAGE_REPO = shreddedbacon/ssh-token +SSHTOKEN_IMAGE_TAG = latest # SSHPORTAL_IMAGE_REPO and SSHPORTAL_IMAGE_TAG are an easy way to override the ssh portal image used in the local stack lagoon-remote # only works for installations where INSTALL_STABLE_REMOTE=false
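Review bot: `SSHPORTALAPI_IMAGE_REPO = shreddedbacon/ssh-portal-api` and `SSHTOKEN_IMAGE_REPO = shreddedbacon/ssh-token`, both with tag `latest`, become the Makefile defaults. Every local install where INSTALL_STABLE_CORE is not true would then pull mutable images from a personal registry namespace into the components that handle SSH authentication and token exchange. The subject says "revert later", but nothing in the file enforces that. I would leave the variables empty in the committed Makefile and pass the overrides on the command line (`make <target> SSHTOKEN_IMAGE_REPO=<repo> SSHTOKEN_IMAGE_TAG=<tag>`). If a default is ever needed, reference an image digest rather than `latest`.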