Resolve "Add configuration for configurable-http-proxy TLS with Traefik"

b229e8d6 · Benoît · d1d817cc · b229e8d6 · b229e8d6 · b229e8d6
Commit b229e8d6 authored 1 year ago by Benoît
--- a/codehub/Chart.yaml
+++ b/codehub/Chart.yaml
@@ -42,4 +42,4 @@ sources:
  - https://github.com/bitnami/containers/tree/main/bitnami/jupyterhub
  - https://github.com/jupyterhub/jupyterhub
  - https://github.com/coder/code-server
-version: 5.0.2
+version: 5.1.0
--- a/codehub/templates/proxy/certificates.yaml
+++ b/codehub/templates/proxy/certificates.yaml
@@ -39,6 +39,7 @@ spec:
      - {{ .Values.tls.subject.countries }}
  dnsNames:
    - "{{ printf "%s-proxy-api" $serviceName }}"
+    - "{{ printf "%s-proxy-public" $serviceName }}"
    - "{{ printf "%s-proxy-api.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain }}"
    - "{{ printf "%s-proxy-public.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain }}"
    - "localhost"

--- a/codehub/templates/proxy/deployment.yaml
+++ b/codehub/templates/proxy/deployment.yaml
@@ -153,6 +153,9 @@ spec:
            httpGet:
              path: /_chp_healthz
              port: http
+              {{- if .Values.tls.enabled }}
+              scheme: HTTPS
+              {{- end }}
          {{- end }}
          {{- if .Values.proxy.customLivenessProbe }}
          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.proxy.customLivenessProbe "context" $) | nindent 12 }}
@@ -161,6 +164,9 @@ spec:
            httpGet:
              path: /_chp_healthz
              port: http
+              {{- if .Values.tls.enabled }}
+              scheme: HTTPS
+              {{- end }}
          {{- end }}
          {{- if .Values.proxy.customReadinessProbe }}
          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.proxy.customReadinessProbe "context" $) | nindent 12 }}
@@ -169,6 +175,9 @@ spec:
            httpGet:
              path: /_chp_healthz
              port: http
+              {{- if .Values.tls.enabled }}
+              scheme: HTTPS
+              {{- end }}
          {{- end }}
          {{- end }}
          volumeMounts:

--- a/codehub/templates/proxy/ingress.yaml
+++ b/codehub/templates/proxy/ingress.yaml
@@ -10,7 +10,7 @@ metadata:
    app.kubernetes.io/component: proxy
  namespace: {{ .Release.Namespace | quote }}
  annotations:
-    {{- if .Values.tls.enabled }}
+    {{- if and (eq .Values.proxy.ingress.ingressControllerType "nginx") .Values.tls.enabled }}
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    {{- end }}
    {{- if .Values.proxy.ingress.annotations }}

--- a/codehub/templates/proxy/serverstransport.yaml
+++ b/codehub/templates/proxy/serverstransport.yaml
+{{- if and (eq .Values.proxy.ingress.ingressControllerType "traefik") .Values.tls.enabled }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $fullname := include "common.names.fullname" . }}
+{{- $serviceName := include "common.names.fullname" . }}
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: {{ include "codehub.proxy.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: proxy
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  rootCAsSecrets:
+    - {{ include "common.names.fullname" . }}-proxy-crt
+  serverName: {{ printf "%s-proxy-public" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
\ No newline at end of file
--- a/codehub/templates/proxy/service-public.yaml
+++ b/codehub/templates/proxy/service-public.yaml
@@ -15,6 +15,10 @@ metadata:
    {{- if .Values.proxy.service.public.annotations }}
    {{- include "common.tplvalues.render" (dict "value" .Values.proxy.service.public.annotations "context" $) | nindent 4 }}
    {{- end }}
+    {{- if and (eq .Values.proxy.ingress.ingressControllerType "traefik") .Values.tls.enabled }}
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serverstransport: "{{ .Release.Namespace }}-{{ include "codehub.proxy.name" . }}@kubernetescrd"
+    {{- end }}
 spec:
  type: {{ .Values.proxy.service.public.type }}
  {{- if and .Values.proxy.service.public.clusterIP (eq .Values.proxy.service.public.type "ClusterIP") }}

--- a/codehub/values.yaml
+++ b/codehub/values.yaml
@@ -1040,6 +1040,8 @@ proxy:
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
+    ## @param proxy.ingress.ingressControllerType ingressControllerType that will be be used to implement the Ingress specific annotations (Ex. nginx or traefik)
+    ingressControllerType: "nginx"
    ## @param proxy.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
@@ -1643,7 +1645,7 @@ tls:
  ## @param tls.algorithm Algorithm of the private key. Allowed values are either RSA,Ed25519 or ECDSA.
  algorithm: RSA
  ## @param tls.size Size is the key bit size of the corresponding private key for this certificate. If algorithm is set to RSA, valid values are 2048, 4096 or 8192, and will default to 2048 if not specified. If algorithm is set to ECDSA, valid values are 256, 384 or 521, and will default to 256 if not specified. If algorithm is set to Ed25519, Size is ignored. No other values are allowed. 
-  size: 2048
+  size: 4096

  ## @param tls.existingSecret Existing secret containing the certificates for Codehub
  ##