From 843a59aad3aa428212b0faef090ae69729b48a29 Mon Sep 17 00:00:00 2001 From: monrax Date: Mon, 12 Dec 2022 21:31:05 -0400 Subject: [PATCH] feat(helm): add support for ibm openshift --- helm/resurfaceio/resurface/Chart.yaml | 14 +++++++------- helm/resurfaceio/resurface/templates/NOTES.txt | 13 +++++++------ helm/resurfaceio/resurface/templates/_helpers.tpl | 4 ++-- helm/resurfaceio/resurface/templates/ingress.yaml | 15 ++++++++++++--- helm/resurfaceio/resurface/templates/sa.yaml | 5 +++++ .../resurface/templates/snifferdaemon.yaml | 5 +++++ .../resurface/templates/stateful-coordinator.yaml | 1 + .../resurface/templates/stateful-worker.yaml | 1 + helm/resurfaceio/resurface/values.yaml | 2 ++ 9 files changed, 42 insertions(+), 18 deletions(-) create mode 100644 helm/resurfaceio/resurface/templates/sa.yaml diff --git a/helm/resurfaceio/resurface/Chart.yaml b/helm/resurfaceio/resurface/Chart.yaml index bb9b2ebe..03dcfcdd 100644 --- a/helm/resurfaceio/resurface/Chart.yaml +++ b/helm/resurfaceio/resurface/Chart.yaml @@ -1,15 +1,15 @@ apiVersion: v2 name: resurface -version: 3.3.0 +version: 3.4.0 type: application description: Resurface discovers and alerts on quality and security signatures in your API traffic. annotations: - artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/changes: | + - kind: added + description: Support for IBM OpenShift - kind: changed - description: Upgrade Resurface image to 3.3.13 - - kind: changed - description: Upgrade HAProxy dependency to 1.24.0 + description: Upgrade HAProxy dependency to 1.25.1 keywords: - API - HTTP @@ -23,9 +23,9 @@ keywords: home: https://resurface.io dependencies: - name: kubernetes-ingress - version: "1.24.0" + version: "1.25.1" repository: https://haproxytech.github.io/helm-charts - condition: ingress.enabled + condition: ingress.controller.enabled maintainers: - name: Ramón Márquez email: ramon@resurface.io 
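Review bot: Changing the subchart condition to `ingress.controller.enabled` in the second Chart.yaml hunk decouples the bundled HAProxy controller from `ingress.enabled`, and the values.yaml hunk in this patch defaults the new key to `true`. As far as these hunks show, a release that sets `ingress.enabled: false` would now still deploy the controller and whatever Service it exposes, which is network surface the operator did not ask for. The same applies on `ibm-openshift`, where ingress.yaml no longer references the `haproxy` ingress class. Helm evaluates only the first condition path that is set, so the two flags cannot be AND-ed in `condition:`. The new key should therefore carry a comment in values.yaml, for example `# deploys the bundled HAProxy ingress controller; set to false on ibm-openshift or when ingress.enabled is false`.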
diff --git a/helm/resurfaceio/resurface/templates/NOTES.txt b/helm/resurfaceio/resurface/templates/NOTES.txt index affd77b7..ae67b1dd 100644 --- a/helm/resurfaceio/resurface/templates/NOTES.txt +++ b/helm/resurfaceio/resurface/templates/NOTES.txt @@ -1,3 +1,4 @@ +{{- $tlsenabled := or .Values.ingress.tls.enabled (eq .Values.provider "ibm-openshift") -}} Resurface has been successfully {{ if .Release.IsInstall }}installed{{ else if .Release.IsUpgrade }}upgraded{{end}}. @@ -7,8 +8,8 @@ Resurface has been successfully {{ if .Release.IsInstall }}installed{{ else if . · Number of worker nodes: {{ .Values.multinode.workers }} {{- end }} {{- if .Values.ingress.enabled }} -· TLS is{{ if not .Values.ingress.tls.enabled }} not{{ end }} enabled. -· Authentication is{{ if and .Values.ingress.tls.enabled .Values.auth.enabled }} enabled. +· TLS is{{ if not $tlsenabled }} not{{ end }} enabled. +· Authentication is{{ if and $tlsenabled .Values.auth.enabled }} enabled. · Basic auth is{{ if not .Values.auth.basic.enabled }} not{{end}} enabled. · JWT auth is{{ if not .Values.auth.jwt.enabled }} not{{end}} enabled. · OAuth 2.0 is{{ if not .Values.auth.oauth2.enabled }} not{{end}} enabled. 
@@ -18,16 +19,16 @@ Resurface has been successfully {{ if .Release.IsInstall }}installed{{ else if . · Use the following command to list all the resources deployed with this release: helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} -{{ if and .Values.ingress.enabled .Values.ingress.tls.enabled }} -· You can find the API Explorer for your Resurface instance here: https://{{ .Values.ingress.tls.host}}/ui +{{ if and .Values.ingress.enabled $tlsenabled }} +· You can find the UI for your Resurface instance here: https://{{ .Values.ingress.tls.host }}/ui {{- else if .Values.ingress.enabled }} -· Once the EXTERNAL IP for the Ingress Controller has been assigned, you can get the URL of the API Explorer for your Resurface instance by running the following command: +· Once the EXTERNAL IP for the Ingress Controller has been assigned, you can get the URL of the UI for your Resurface instance by running the following command: echo http://$(kubectl get svc {{ include "resurface.fullname" . }}-kubernetes-ingress --namespace {{ .Release.Namespace }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")/ui {{- else }} -· You can get the URL of the API Explorer for your Resurface instance by running the following command: +· You can get the URL of the UI for your Resurface instance by running the following command: echo http://$(kubectl get svc --namespace {{ .Release.Namespace }} coordinator --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}"){{ if ne (int .Values.custom.service.apiexplorer.port) 80 }}:{{ .Values.custom.service.apiexplorer.port | default 7700 }}{{ end }}/ {{- end }} diff --git a/helm/resurfaceio/resurface/templates/_helpers.tpl b/helm/resurfaceio/resurface/templates/_helpers.tpl index 78fa1172..7bd587d5 100644 --- a/helm/resurfaceio/resurface/templates/_helpers.tpl +++ b/helm/resurfaceio/resurface/templates/_helpers.tpl 
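Review bot: The URL printed in the `$tlsenabled` branch, `https://{{ .Values.ingress.tls.host }}/ui`, does not match the host that ingress.yaml in this patch renders for `ibm-openshift` when `ingress.tls.enabled` is false. That host is `{{ include "resurface.fullname" . }}.{{ .Values.ingress.tls.host }}`. An operator following the install notes would be sent to the bare ingress subdomain rather than to the host of the route created for this release. Computing the external host once in a named template in _helpers.tpl and using it in both NOTES.txt and ingress.yaml would keep the two from drifting.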
@@ -56,7 +56,7 @@ Default options: container resources and persistent volumes {{- define "resurface.resources" }} {{- $provider := toString .Values.provider -}} {{- $cpureq := .Values.custom.resources.cpu | default (eq $provider "azure" | ternary 5 6) -}} -{{- $dbsize := .Values.custom.config.dbsize | default (eq $provider "azure" | ternary 7 9) | int -}} +{{- $dbsize := .Values.custom.config.dbsize | default (or (eq $provider "ibm-openshift") (eq $provider "azure") | ternary 7 9) | int -}} {{- $dbheap := .Values.custom.config.dbheap | default 3 | int -}} {{- $dbslabs := .Values.custom.config.dbslabs | default 3 | int -}} {{- $memreq := .Values.custom.resources.memory | default (add $dbsize $dbheap) }} @@ -98,7 +98,7 @@ Coordinator config.properties coordinator=true discovery.uri=http://localhost:7700 node-scheduler.include-coordinator=true -{{ if .Values.ingress.tls.enabled -}} +{{ if or .Values.ingress.tls.enabled (eq .Values.provider "ibm-openshift") -}} http-server.process-forwarded=true http-server.authentication.allow-insecure-over-http=true {{ include "resurface.config.auth" . -}} diff --git a/helm/resurfaceio/resurface/templates/ingress.yaml b/helm/resurfaceio/resurface/templates/ingress.yaml index f67ed7bf..20b45d28 100644 --- a/helm/resurfaceio/resurface/templates/ingress.yaml +++ b/helm/resurfaceio/resurface/templates/ingress.yaml 
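Review bot: In the coordinator config hunk, `http-server.process-forwarded=true` and `http-server.authentication.allow-insecure-over-http=true` are now switched on by the provider value alone, without consulting `ingress.tls.enabled` or `ingress.enabled`. If the coordinator is reachable other than through the OpenShift router, credentials would be accepted over plain HTTP and client-supplied forwarded headers would be trusted. NOTES.txt in this patch still describes a direct `coordinator` service URL when ingress is disabled, so that path appears to exist. Gating the provider case on the ingress being present narrows this: `{{ if or .Values.ingress.tls.enabled (and .Values.ingress.enabled (eq (toString .Values.provider) "ibm-openshift")) -}}`. The `toString` matches how `$provider` is read in `resurface.resources` in the first hunk and avoids comparing an unset `provider` with a string; both definitions continue outside the hunks.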
@@ -4,10 +4,15 @@ kind: Ingress metadata: name: {{ include "resurface.fullname" . }}-ingress annotations: + {{- if eq .Values.provider "ibm-openshift" }} + route.openshift.io/termination: edge + haproxy.router.openshift.io/rewrite-target: / + {{- else }} haproxy.org/load-balance: "roundrobin" {{- if .Values.ingress.importer.expose }} haproxy.org/path-rewrite: {{ .Values.ingress.importer.path | default "/fluke" }}/(.*) /\1 {{- end }} + {{- end }} {{- if and .Values.ingress.tls.enabled .Values.ingress.tls.autoissue.enabled }} cert-manager.io/issuer: {{ include "resurface.fullname" . }}-letsencrypt{{ if .Values.ingress.tls.autoissue.staging }}-staging{{ end }} {{- end }} @@ -17,7 +22,9 @@ spec: name: kubernetes-ingress-default-backend port: number: 8080 + {{- if ne .Values.provider "ibm-openshift" }} ingressClassName: haproxy + {{- end }} rules: - http: paths: @@ -37,10 +44,12 @@ spec: port: name: fluke-svcport {{- end }} - {{- if .Values.ingress.tls.enabled }} - host: {{ .Values.ingress.tls.host }} + {{ if .Values.ingress.tls.enabled -}} + host: {{ required "A fully qualified domain name is needed when TLS is enabled" .Values.ingress.tls.host }} + {{- else if eq .Values.provider "ibm-openshift" -}} + host: {{ include "resurface.fullname" . }}.{{ required "The value ingress.tls.host must be set with the ingress subdomain name when running on OpenShift" .Values.ingress.tls.host }} {{- end }} - {{- if .Values.ingress.tls.enabled }} + {{- if and .Values.ingress.tls.enabled (ne .Values.provider "ibm-openshift") }} tls: - secretName: {{ .Values.ingress.tls.byoc.secretname | default (printf "%s-tls" (include "resurface.fullname" . )) }} hosts: diff --git a/helm/resurfaceio/resurface/templates/sa.yaml b/helm/resurfaceio/resurface/templates/sa.yaml new file mode 100644 index 00000000..22ab0087 --- /dev/null +++ b/helm/resurfaceio/resurface/templates/sa.yaml 
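Review bot: On `ibm-openshift` the third hunk suppresses the `tls:` block, but the `cert-manager.io/issuer` annotation at the end of the first hunk is still emitted whenever `ingress.tls.enabled` and `ingress.tls.autoissue.enabled` are set, and `ingress.tls.byoc.secretname` is silently ignored. With `route.openshift.io/termination: edge` and no `tls:` section, the route is presumably served with the router's own certificate and the router-to-pod hop is unencrypted, while the values suggest a dedicated certificate is in use. Either gate the annotation the same way, `{{- if and .Values.ingress.tls.enabled .Values.ingress.tls.autoissue.enabled (ne .Values.provider "ibm-openshift") }}`, or call `fail` when byoc or autoissue is combined with this provider so the mismatch is visible at install time. A one-line comment above the OpenShift annotations stating that TLS ends at the router would also help the next reader.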
@@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: resurface-sa + namespace: {{ .Release.Namespace }} diff --git a/helm/resurfaceio/resurface/templates/snifferdaemon.yaml b/helm/resurfaceio/resurface/templates/snifferdaemon.yaml index 23377c0c..49e59bd5 100644 --- a/helm/resurfaceio/resurface/templates/snifferdaemon.yaml +++ b/helm/resurfaceio/resurface/templates/snifferdaemon.yaml @@ -21,6 +21,11 @@ spec: - name: resurface-logger image: resurfaceio/network-sniffer{{ if .Values.sniffer.debug }}-debug:1.0.0{{ else }}:1.2.3{{ end }} imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 0 + runAsGroup: 0 + capabilities: + add: [ "NET_ADMIN", "NET_RAW" ] env: - name: USAGE_LOGGERS_URL value: {{ .Values.custom.service.flukeserver.port | default 7701 | printf "http://worker.%s:%v/message" (.Release.Namespace) }} diff --git a/helm/resurfaceio/resurface/templates/stateful-coordinator.yaml b/helm/resurfaceio/resurface/templates/stateful-coordinator.yaml index 6ba88e9b..21e11c82 100644 --- a/helm/resurfaceio/resurface/templates/stateful-coordinator.yaml +++ b/helm/resurfaceio/resurface/templates/stateful-coordinator.yaml @@ -19,6 +19,7 @@ spec: {{- include "resurface.selectorLabels" . | nindent 8 }} db.resurface.io/role: coordinator spec: + serviceAccountName: resurface-sa volumes: - name: config-volume configMap: diff --git a/helm/resurfaceio/resurface/templates/stateful-worker.yaml b/helm/resurfaceio/resurface/templates/stateful-worker.yaml index cfa2ccd7..c9e84711 100644 --- a/helm/resurfaceio/resurface/templates/stateful-worker.yaml +++ b/helm/resurfaceio/resurface/templates/stateful-worker.yaml @@ -19,6 +19,7 @@ spec: labels: {{- include "resurface.selectorLabels" . | nindent 8 }} spec: + serviceAccountName: resurface-sa volumes: - name: config-volume configMap: diff --git a/helm/resurfaceio/resurface/values.yaml b/helm/resurfaceio/resurface/values.yaml index aa31c4cc..302d5304 100644 --- a/helm/resurfaceio/resurface/values.yaml 
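Review bot: The ServiceAccount name `resurface-sa` is hard-coded in sa.yaml and in the `serviceAccountName` lines added to stateful-coordinator.yaml and stateful-worker.yaml, whereas the other resources visible in this patch are named through `include "resurface.fullname" .`. Two releases in one namespace would share the same account, so any SCC or RoleBinding granted to it applies to both. Something like `name: {{ include "resurface.fullname" . }}-sa`, with the same expression in both StatefulSets, would avoid that; any documentation that grants an SCC to the account would need to follow the new name. If the coordinator and worker pods do not call the Kubernetes API (nothing in these hunks shows that they do), adding `automountServiceAccountToken: false` keeps the token out of the containers.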
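Review bot: The `securityContext` added in snifferdaemon.yaml runs the sniffer container as UID 0 with `NET_ADMIN` and `NET_RAW` for every provider, not only `ibm-openshift`, and leaves the default capability set and privilege escalation untouched. Packet capture normally needs `NET_RAW`, while `NET_ADMIN` also permits changing interfaces, routes and firewall rules in the pod's network namespace, so it is worth confirming the sniffer really requires it. I would tighten the block with `allowPrivilegeEscalation: false` and `capabilities: { drop: ["ALL"], add: ["NET_RAW"] }`, re-adding `NET_ADMIN` only if the image fails without it. The DaemonSet hunk also sets no `serviceAccountName`, so unless that happens outside the hunk the pod runs under the namespace's default account. That account is then the one that must be granted the SCC allowing root and these capabilities.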
+++ b/helm/resurfaceio/resurface/values.yaml @@ -5,6 +5,8 @@ provider: ingress: enabled: true + controller: + enabled: true importer: expose: true path: "/fluke"