wip: improve TLS management for helm

PJEstrada · PJEstrada · commit fcf515975ae6 · 2022-05-25T18:30:00.000-06:00
Still need to fix some redirects issues. But main goal is to add better resources for testing diffgram in local minikube env. This will help both first time users and helm chart developers to iterate faster over the helm chart changes and test faster any changes to the k8s resources generated by helm.
diff --git a/.gitignore b/.gitignore
@@ -18,4 +18,9 @@ example.com\+6-key.pem
 example.com\+6.pem
 
 # Chart dependencies
-**/charts/*.tgz
+**/charts/*.tgz
+ca.crt
+
+ca.key
+
+local-ca.crt
diff --git a/Chart.lock b/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: rabbitmq
   repository: https://charts.bitnami.com/bitnami
   version: 9.1.4
-- name: cert-manager
-  repository: https://charts.jetstack.io
-  version: v1.1.0
-digest: sha256:16a0d329ffcd4f4ec533d51af30ac1c014066795596729f5572bf93a379a5416
-generated: "2022-05-23T09:23:56.111110299-06:00"
+digest: sha256:a92c6d671ae303d36df25c5c05705ee5193e1e22a6987e1476f4f815aa9887d7
+generated: "2022-05-24T22:45:09.592488539-06:00"
diff --git a/README.md b/README.md
@@ -46,15 +46,41 @@ imagePullCredentials:
 ### TLS Ceritificates
 #### Using minikube (For local testing) 
 Install Cert Manager
-`helm repo add jetstack https://charts.jetstack.io`
+```
+helm repo add jetstack https://charts.jetstack.io
+helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true
+```
 
-`helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true`
 
 Default domain on diffgram is: `example.com` so make sure you add that to your local hosts file:
 
 `echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts`
 
-#### Using cert-manager             
+In order for TLS to work on your local machine, you will need to provide local certificate authorities.
+Otherwise your web browser will detect the certificates as invalid.
+
+To do that you can generate a key and certificate like this:
+```
+# Generate key
+openssl genrsa -out ca.key 2048
+# Create CA certificate signing it with the previous key.
+openssl req -x509 -new -nodes -key ca.key -sha256 -subj "/CN=sampleissuer.local" -days 1024 -out ca.crt -extensions v3_ca
+```
+Now create the certificates as secrets on your minkube cluster:
+```angular2html
+kubectl create secret tls my-local-ca-key-pair --key=ca.key --cert=ca.crt
+```
+Finally Modify your `values.yaml` so that helm chart can grab the secret using cert-manager
+issuers. Set `tlsIssuer` to `issuer-local` and `localCaSecretName` to the name you have to the secret created above:
+
+```angular2html
+tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod"
+localCaSecretName: my-local-ca-key-pair
+
+```
+
+
+#### Using cert-manager & Public Domains           
 
 1. If you want to have TLS connections, please make sure you have a domain available and access to the name servers so you can modify the records to point to the IP addresses of the ingress.
 
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
@@ -11,7 +11,7 @@ metadata:
     nginx.ingress.kubernetes.io/enable-cors: "true"
     nginx.ingress.kubernetes.io/hsts: "false"
     hsts: "false"
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+
     nginx.ingress.kubernetes.io/configuration-snippet: |
       add_header Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE, OPTIONS";
       add_header Access-Control-Allow-Credentials true;
@@ -31,10 +31,9 @@ metadata:
 
     nginx.org/proxy-pass-headers: directory_id
     {{ if eq .Values.useTls true}}
-    cert-manager.io/issuer: "letsencrypt-prod"
+    cert-manager.io/issuer: {{ .Values.tlsIssuer }}
     {{ end }}
     watch-namespace: {{ .Release.Namespace }}
-#    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
     # Limit uploads to 8TB
     nginx.ingress.kubernetes.io/proxy-body-size: 800000m
 
@@ -47,27 +46,27 @@ spec:
       secretName: diffgram-cert-tls-{{ .Values.diffgramDomain }}
   {{ end }}
   rules:
-  - host: {{ .Values.diffgramDomain }}
-    http:
-      paths:
-      - path: /api/walrus(/|$)(.*)
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: diffgram-walrus
-            port:
-                number: 8080
-      - path: /api(/|$)(.*)
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: diffgram-default
-            port:
-                number: 8080
-      - path: /(.*)
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: frontend
-            port:
-                number: 8080
+    - host: {{ .Values.diffgramDomain }}
+      http:
+        paths:
+          - path: /api/walrus(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: diffgram-walrus
+                port:
+                    number: 8080
+          - path: /api(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: diffgram-default
+                port:
+                    number: 8080
+          - path: /(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: frontend
+                port:
+                    number: 8080
diff --git a/templates/postgres/deployment.yaml b/templates/postgres/deployment.yaml
@@ -13,7 +13,6 @@ metadata:
     # job is considered part of the release.
     "helm.sh/hook": pre-install
     "helm.sh/hook-weight": "-3"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   replicas: 1
   selector:
diff --git a/templates/tls/issuer_local.yaml b/templates/tls/issuer_local.yaml
@@ -0,0 +1,9 @@
+{{ if eq .Values.tlsIssuer "issuer-local" }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: issuer-local
+spec:
+  ca:
+    secretName: {{ .Values.localCaSecretName }}
+{{ end }}
diff --git a/templates/tls/issuer_prod.yaml b/templates/tls/issuer_prod.yaml
@@ -8,7 +8,7 @@ spec:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
-   email: pablo.estrada@diffgram.com
+   email: {{ .Values.issuerEmail }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
diff --git a/templates/tls/issuer_staging.yaml b/templates/tls/issuer_staging.yaml
@@ -8,7 +8,7 @@ spec:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
-   email: pablo.estrada@diffgram.com
+   email: {{ .Values.issuerEmail }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
diff --git a/values.yaml b/values.yaml
@@ -12,12 +12,16 @@ diffgramEdition: opencore
 # Set this to your public domain where you want diffgram to be.
 # This must be a domain name and not a public IP address.
 # The chart will generate TLS certificates for the provided domain if useCertManager is 'true'
-diffgramDomain: example.com
+diffgramDomain: mydiffgram1.com
 
 # Set this to true if you want to use cert manager for TLS certificates generation.
 useCertManager: true
+
 # Use it to activate TLS on the nginx ingress
 useTls: true
+tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod"
+localCaSecretName: my-local-ca-key-pair
+issuerEmail: pablo.estrada@diffgram.com
 
 dbSettings:
   # Specify How the DB Service should be created
