feat: split ingress per host, add patch to add lms extra hosts (#50)

drydock/patches/kustomization-resources

@@ -11,7 +11,11 @@
 - plugins/drydock/k8s/flower.yml
 {%- endif %}
 {% if DRYDOCK_INGRESS -%}
-- plugins/drydock/k8s/ingress.yml
+- plugins/drydock/k8s/ingress/issuer.yml
+- plugins/drydock/k8s/ingress/lms.yml
+- plugins/drydock/k8s/ingress/cms.yml
+- plugins/drydock/k8s/ingress/mfe.yml
+- plugins/drydock/k8s/ingress/extra-hosts.yml
 {%- endif %}
 {% if DRYDOCK_DEBUG -%}
 - plugins/drydock/k8s/debug/deployments.yml

drydock/plugin.py

@@ -24,16 +24,19 @@
         "FLOWER": False,
         "INGRESS": False,
         "INGRESS_EXTRA_HOSTS": [],
+        "INGRESS_LMS_EXTRA_HOSTS": [],
         "NEWRELIC": False,
         "NEWRELIC_LICENSE_KEY": "",
         "CUSTOM_CERTS": {},
         "DEBUG": False,
+        "LETSENCRYPT_EMAIL": "{{ CONTACT_EMAIL }}",
         "ENABLE_CELERY_TUNING": True,
         "ENABLE_MULTITENANCY": True,
         "ENABLE_SCORM": True,
         "ENABLE_SENTRY": True,
         "SENTRY_DSN": "",
         "POD_LIFECYCLE": True,
+        "BYPASS_CADDY": False,
     },
     # Add here settings that don't have a reasonable default for all users. For
     # instance: passwords, secret keys, etc.

drydock/templates/drydock/k8s/ingress/cms.yml

@@ -0,0 +1,52 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-cms
+  namespace: {{ K8S_NAMESPACE }}
+  annotations:
+    {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS%}
+    cert-manager.io/issuer: letsencrypt
+    {%- endif %}
+    {%- if DRYDOCK_ENABLE_SCORM and DRYDOCK_BYPASS_CADDY %}
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location /scorm-proxy {
+        proxy_http_version     1.1;
+        proxy_set_header       Connection "";
+        proxy_set_header       Authorization '';
+        proxy_set_header       Host {% if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+        proxy_hide_header      x-amz-id-2;
+        proxy_hide_header      x-amz-request-id;
+        proxy_hide_header      x-amz-meta-server-side-encryption;
+        proxy_hide_header      x-amz-server-side-encryption;
+        proxy_hide_header      Set-Cookie;
+        proxy_ignore_headers   Set-Cookie;
+        proxy_intercept_errors on;
+        add_header             Cache-Control max-age=31536000;
+        rewrite /scorm-proxy(.*) $1 break;
+        proxy_pass https://{%- if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+      }
+  {%- endif %}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{ CMS_HOST }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: {% if DRYDOCK_BYPASS_CADDY -%}cms{% else -%}caddy{% endif %}
+            port:
+              number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+  {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+  tls:
+  - hosts:
+    - {{ CMS_HOST }}
+    {%- if DRYDOCK_CUSTOM_CERTS %}
+    secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+    {%- else %}
+    secretName: cms-host-tls
+    {%- endif %}
+  {%- endif %}

drydock/templates/drydock/k8s/ingress/extra-hosts.yml

@@ -0,0 +1,35 @@
+{%- for host in DRYDOCK_INGRESS_EXTRA_HOSTS %}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-{{ host|replace(".", "-") }}-tls
+  namespace: {{ K8S_NAMESPACE }}
+  {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS%}
+  annotations:
+    cert-manager.io/issuer: letsencrypt
+  {%- endif %}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{ host }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: caddy
+            port:
+              number: 80
+  {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+  tls:
+  - hosts:
+    - {{ host }}
+    {%- if DRYDOCK_CUSTOM_CERTS %}
+    secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+    {%- else %}
+    secretName: {{ host|replace(".", "-") }}-tls
+    {%- endif %}
+  {%- endif %}
+{%- endfor %}

drydock/templates/drydock/k8s/ingress/issuer.yml

@@ -0,0 +1,23 @@
+{% if DRYDOCK_AUTO_TLS -%}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt
+  namespace: {{ K8S_NAMESPACE }}
+  labels:
+    app.kubernetes.io/name: letsencrypt
+spec:
+  acme:
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: {{ DRYDOCK_LETSENCRYPT_EMAIL }}
+    # Secret resource that will be used to store the account's private key.
+    privateKeySecretRef:
+      name: {{ K8S_NAMESPACE }}-letsencrypt-account-key
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+{% endif -%}

drydock/templates/drydock/k8s/ingress/lms.yml

@@ -0,0 +1,116 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-lms
+  namespace: {{ K8S_NAMESPACE }}
+  annotations:
+  {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS %}
+    cert-manager.io/issuer: letsencrypt
+  {%- endif %}
+  {%- if DRYDOCK_ENABLE_SCORM and DRYDOCK_BYPASS_CADDY %}
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location /scorm-proxy {
+        proxy_http_version     1.1;
+        proxy_set_header       Connection "";
+        proxy_set_header       Authorization '';
+        proxy_set_header       Host {% if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+        proxy_hide_header      x-amz-id-2;
+        proxy_hide_header      x-amz-request-id;
+        proxy_hide_header      x-amz-meta-server-side-encryption;
+        proxy_hide_header      x-amz-server-side-encryption;
+        proxy_hide_header      Set-Cookie;
+        proxy_ignore_headers   Set-Cookie;
+        proxy_intercept_errors on;
+        add_header             Cache-Control max-age=31536000;
+        rewrite /scorm-proxy(.*) $1 break;
+        proxy_pass https://{%- if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+      }
+  {%- endif %}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{ LMS_HOST }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/learning"
+        backend:
+          service:
+            name: {% if DRYDOCK_BYPASS_CADDY -%}mfe{% else -%}caddy{% endif %}
+            port:
+              number: {% if DRYDOCK_BYPASS_CADDY -%}8002{% else -%}80{% endif %}
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: {% if DRYDOCK_BYPASS_CADDY -%}lms{% else -%}caddy{% endif %}
+            port:
+              number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+      {{ patch("drydock-lms-extra-paths")|indent(6) }}
+  {%- for host in DRYDOCK_INGRESS_LMS_EXTRA_HOSTS %}
+  - host: {{ host }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/learning"
+        backend:
+          service:
+            name: {% if DRYDOCK_BYPASS_CADDY -%}mfe{% else -%}caddy{% endif %}
+            port:
+              number: {% if DRYDOCK_BYPASS_CADDY -%}8002{% else -%}80{% endif %}
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: {% if DRYDOCK_BYPASS_CADDY -%}lms{% else -%}caddy{% endif %}
+            port:
+              number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+      {{ patch("drydock-lms-extra-paths")|indent(6) }}
+  {%- endfor %}
+  {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+  tls:
+  - hosts:
+    - {{ LMS_HOST }}
+    {%- for host in DRYDOCK_INGRESS_LMS_EXTRA_HOSTS %}
+    - {{ host }}
+    {%- endfor %}
+    {%- if DRYDOCK_CUSTOM_CERTS %}
+    secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+    {%- else %}
+    secretName: lms-host-tls
+    {%- endif %}
+  {%- endif %}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-lms-preview
+  namespace: {{ K8S_NAMESPACE }}
+  annotations:
+  {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS %}
+    cert-manager.io/issuer: letsencrypt
+  {%- endif %}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{ PREVIEW_LMS_HOST }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: {% if DRYDOCK_BYPASS_CADDY -%}lms{% else -%}caddy{% endif %}
+            port:
+              number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+  {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+  tls:
+  - hosts:
+    - {{ PREVIEW_LMS_HOST }}
+    {%- if DRYDOCK_CUSTOM_CERTS %}
+    secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+    {%- else %}
+    secretName: lms-preview-host-tls
+    {%- endif %}
+  {%- endif %}

drydock/templates/drydock/k8s/ingress/mfe.yml

@@ -0,0 +1,35 @@
+{%- if MFE_HOST is defined %}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-mfe
+  namespace: {{ K8S_NAMESPACE }}
+  {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS %}
+  annotations:
+    cert-manager.io/issuer: letsencrypt
+  {%- endif %}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: {{ MFE_HOST }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: {% if DRYDOCK_BYPASS_CADDY -%}mfe{% else -%}caddy{% endif %}
+            port:
+              number: {% if DRYDOCK_BYPASS_CADDY -%}8002{% else -%}80{% endif %}
+  {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+  tls:
+  - hosts:
+    - {{ MFE_HOST }}
+    {%- if DRYDOCK_CUSTOM_CERTS %}
+    secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+    {%- else %}
+    secretName: mfe-host-tls
+    {%- endif %}
+  {%- endif %}
+{%- endif %}