From 0401123b2ebf95e766312c3465bb2a9956d477bf Mon Sep 17 00:00:00 2001
From: Henrry Pulgarin <39854568+Henrrypg@users.noreply.github.com>
Date: Tue, 7 Nov 2023 10:53:51 -0500
Subject: [PATCH] feat: split ingress per host, add patch to add lms extra hosts (#50)
---
drydock/patches/kustomization-resources | 6 +-
drydock/plugin.py | 3 +
drydock/templates/drydock/k8s/ingress.yml | 85 -------------
drydock/templates/drydock/k8s/ingress/cms.yml | 52 ++++++++
.../drydock/k8s/ingress/extra-hosts.yml | 35 ++++++
.../templates/drydock/k8s/ingress/issuer.yml | 23 ++++
drydock/templates/drydock/k8s/ingress/lms.yml | 116 ++++++++++++++++++
drydock/templates/drydock/k8s/ingress/mfe.yml | 35 ++++++
8 files changed, 269 insertions(+), 86 deletions(-)
delete mode 100644 drydock/templates/drydock/k8s/ingress.yml
create mode 100644 drydock/templates/drydock/k8s/ingress/cms.yml
create mode 100644 drydock/templates/drydock/k8s/ingress/extra-hosts.yml
create mode 100644 drydock/templates/drydock/k8s/ingress/issuer.yml
create mode 100644 drydock/templates/drydock/k8s/ingress/lms.yml
create mode 100644 drydock/templates/drydock/k8s/ingress/mfe.yml
diff --git a/drydock/patches/kustomization-resources b/drydock/patches/kustomization-resources
index f6d2c735..169344ed 100644
--- a/drydock/patches/kustomization-resources
+++ b/drydock/patches/kustomization-resources
@@ -11,7 +11,11 @@
- plugins/drydock/k8s/flower.yml
{%- endif %}
{% if DRYDOCK_INGRESS -%}
-- plugins/drydock/k8s/ingress.yml
+- plugins/drydock/k8s/ingress/issuer.yml
+- plugins/drydock/k8s/ingress/lms.yml
+- plugins/drydock/k8s/ingress/cms.yml
+- plugins/drydock/k8s/ingress/mfe.yml
+- plugins/drydock/k8s/ingress/extra-hosts.yml
{%- endif %}
{% if DRYDOCK_DEBUG -%}
- plugins/drydock/k8s/debug/deployments.yml
diff --git a/drydock/plugin.py b/drydock/plugin.py
index 9c203a9b..ab99cf2b 100644
--- a/drydock/plugin.py
+++ b/drydock/plugin.py
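Review bot: `issuer.yml`, `mfe.yml` and `extra-hosts.yml` are listed unconditionally under `DRYDOCK_INGRESS`, yet each renders to an empty file when its own guard is false — with the plugin's default `INGRESS_EXTRA_HOSTS: []` alone, extra-hosts.yml is empty on a fresh install. Whether the kustomize version in use accepts an empty resource file is not visible here; if it does not, wrap each of the three in its own `{% if … -%}` / `{%- endif %}` pair like the surrounding entries, or confirm once against a default configuration.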
@@ -24,16 +24,19 @@
"FLOWER": False,
"INGRESS": False,
"INGRESS_EXTRA_HOSTS": [],
+ "INGRESS_LMS_EXTRA_HOSTS": [],
"NEWRELIC": False,
"NEWRELIC_LICENSE_KEY": "",
"CUSTOM_CERTS": {},
"DEBUG": False,
+ "LETSENCRYPT_EMAIL": "{{ CONTACT_EMAIL }}",
"ENABLE_CELERY_TUNING": True,
"ENABLE_MULTITENANCY": True,
"ENABLE_SCORM": True,
"ENABLE_SENTRY": True,
"SENTRY_DSN": "",
"POD_LIFECYCLE": True,
+ "BYPASS_CADDY": False,
},
# Add here settings that don't have a reasonable default for all users. For
# instance: passwords, secret keys, etc.
diff --git a/drydock/templates/drydock/k8s/ingress.yml b/drydock/templates/drydock/k8s/ingress.yml
deleted file mode 100644
index 08958e1e..00000000
--- a/drydock/templates/drydock/k8s/ingress.yml
+++ /dev/null
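Review bot: `BYPASS_CADDY` and `INGRESS_LMS_EXTRA_HOSTS` land in the defaults without a comment, and the templates in this patch give them real weight: with `BYPASS_CADDY` true the Ingresses route straight to the `lms`/`cms`/`mfe` services on ports 8000/8002 instead of `caddy:80` and the SCORM proxy moves into an nginx `server-snippet`, while `INGRESS_LMS_EXTRA_HOSTS` are folded into the LMS Ingress and its TLS certificate rather than getting their own Ingress as `INGRESS_EXTRA_HOSTS` do. Suggest `# Route Ingress traffic directly to the lms/cms/mfe services instead of caddy` above `"BYPASS_CADDY"` and `# Extra hostnames served by the LMS Ingress (they share its TLS secret)` above `"INGRESS_LMS_EXTRA_HOSTS"`. `LETSENCRYPT_EMAIL` now defaults to the literal string `"{{ CONTACT_EMAIL }}"` and issuer.yml drops the old `|default(CONTACT_EMAIL)` fallback, so the Issuer's `email:` relies on the default being expanded as a template and an operator who clears the value gets an empty `email:` in the rendered Issuer; a comment stating that the value is rendered would make the intent clear.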
@@ -1,85 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: ingress
- namespace: {{ K8S_NAMESPACE }}
- annotations:
- kubernetes.io/ingress.class: nginx
- {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS%}
- cert-manager.io/issuer: letsencrypt
- {%- endif %}
-spec:
- rules:
- {%- for host in [LMS_HOST, PREVIEW_LMS_HOST, CMS_HOST] %}
- - host: {{ host }}
- http:
- paths:
- - pathType: Prefix
- path: "/"
- backend:
- service:
- name: caddy
- port:
- number: 80
- {%- endfor %}
- {%- for host in DRYDOCK_INGRESS_EXTRA_HOSTS %}
- - host: {{ host }}
- http:
- paths:
- - pathType: Prefix
- path: "/"
- backend:
- service:
- name: caddy
- port:
- number: 80
- {%- endfor %}
- {% if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS -%}
- tls:
- - hosts:
- {%- for host in [LMS_HOST, PREVIEW_LMS_HOST, CMS_HOST] %}
- - {{ host }}
- {%- endfor %}
- {%- for host in DRYDOCK_INGRESS_EXTRA_HOSTS %}
- - {{ host }}
- {%- endfor %}
- {% if DRYDOCK_CUSTOM_CERTS -%}
- secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
- {% else -%}
- secretName: {{ K8S_NAMESPACE }}-tls
- {%- endif %}
- {%- endif %}
-{% if DRYDOCK_CUSTOM_CERTS -%}
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/tls
-metadata:
- name: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
- namespace: {{ K8S_NAMESPACE }}
-data:
- tls.crt: {{ DRYDOCK_CUSTOM_CERTS["crt"] }}
- tls.key: {{ DRYDOCK_CUSTOM_CERTS["key"] }}
-{% elif DRYDOCK_AUTO_TLS %}
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: letsencrypt
- namespace: {{ K8S_NAMESPACE }}
- labels:
- app.kubernetes.io/name: letsencrypt
-spec:
- acme:
- # Let's Encrypt will use this to contact you about expiring
- # certificates, and issues related to your account.
- email: {{ DRYDOCK_LETSENCRYPT_EMAIL|default(CONTACT_EMAIL) }}
- # Secret resource that will be used to store the account's private key.
- privateKeySecretRef:
- name: {{ K8S_NAMESPACE }}-letsencrypt-account-key
- server: https://acme-v02.api.letsencrypt.org/directory
- solvers:
- - http01:
- ingress:
- class: nginx
-{%- endif %}
diff --git a/drydock/templates/drydock/k8s/ingress/cms.yml b/drydock/templates/drydock/k8s/ingress/cms.yml
new file mode 100644
index 00000000..c633ea8f
--- /dev/null
+++ b/drydock/templates/drydock/k8s/ingress/cms.yml
@@ -0,0 +1,52 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-cms
+ namespace: {{ K8S_NAMESPACE }}
+ annotations:
+ {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS%}
+ cert-manager.io/issuer: letsencrypt
+ {%- endif %}
+ {%- if DRYDOCK_ENABLE_SCORM and DRYDOCK_BYPASS_CADDY %}
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location /scorm-proxy {
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header Authorization '';
+ proxy_set_header Host {% if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+ proxy_hide_header x-amz-id-2;
+ proxy_hide_header x-amz-request-id;
+ proxy_hide_header x-amz-meta-server-side-encryption;
+ proxy_hide_header x-amz-server-side-encryption;
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+ proxy_intercept_errors on;
+ add_header Cache-Control max-age=31536000;
+ rewrite /scorm-proxy(.*) $1 break;
+ proxy_pass https://{%- if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+ }
+ {%- endif %}
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ CMS_HOST }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: {% if DRYDOCK_BYPASS_CADDY -%}cms{% else -%}caddy{% endif %}
+ port:
+ number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+ {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+ tls:
+ - hosts:
+ - {{ CMS_HOST }}
+ {%- if DRYDOCK_CUSTOM_CERTS %}
+ secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+ {%- else %}
+ secretName: cms-host-tls
+ {%- endif %}
+ {%- endif %}
diff --git a/drydock/templates/drydock/k8s/ingress/extra-hosts.yml b/drydock/templates/drydock/k8s/ingress/extra-hosts.yml
new file mode 100644
index 00000000..5804d56d
--- /dev/null
+++ b/drydock/templates/drydock/k8s/ingress/extra-hosts.yml
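Review bot: The `location /scorm-proxy` block in the `server-snippet` reaches MinIO/S3 with `proxy_pass https://…` but sets none of nginx's upstream TLS checks, and the defaults are `proxy_ssl_verify off` and `proxy_ssl_server_name off`, so the controller accepts any certificate the upstream presents and sends no SNI; add `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-CA-bundle-in-controller-image>;` next to `proxy_pass`. The same snippet is repeated verbatim in lms.yml, so both copies need the change — a shared partial for the block would keep them from drifting. `nginx.ingress.kubernetes.io/server-snippet` is also honoured only when the controller's `allow-snippet-annotations` setting is enabled, which newer ingress-nginx releases leave off by default, and with it off the Ingress is refused or the annotation dropped depending on version; that requirement belongs in the documentation of `DRYDOCK_BYPASS_CADDY`, since that flag is what turns the snippet on.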
@@ -0,0 +1,35 @@
+{%- for host in DRYDOCK_INGRESS_EXTRA_HOSTS %}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-{{ host|replace(".", "-") }}-tls
+ namespace: {{ K8S_NAMESPACE }}
+ {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS%}
+ annotations:
+ cert-manager.io/issuer: letsencrypt
+ {%- endif %}
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ host }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: caddy
+ port:
+ number: 80
+ {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+ tls:
+ - hosts:
+ - {{ host }}
+ {%- if DRYDOCK_CUSTOM_CERTS %}
+ secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+ {%- else %}
+ secretName: {{ host|replace(".", "-") }}-tls
+ {%- endif %}
+ {%- endif %}
+{%- endfor %}
diff --git a/drydock/templates/drydock/k8s/ingress/issuer.yml b/drydock/templates/drydock/k8s/ingress/issuer.yml
new file mode 100644
index 00000000..07a7ea8c
--- /dev/null
+++ b/drydock/templates/drydock/k8s/ingress/issuer.yml
@@ -0,0 +1,23 @@
+{% if DRYDOCK_AUTO_TLS -%}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt
+ namespace: {{ K8S_NAMESPACE }}
+ labels:
+ app.kubernetes.io/name: letsencrypt
+spec:
+ acme:
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: {{ DRYDOCK_LETSENCRYPT_EMAIL }}
+ # Secret resource that will be used to store the account's private key.
+ privateKeySecretRef:
+ name: {{ K8S_NAMESPACE }}-letsencrypt-account-key
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+{% endif -%}
diff --git a/drydock/templates/drydock/k8s/ingress/lms.yml b/drydock/templates/drydock/k8s/ingress/lms.yml
new file mode 100644
index 00000000..8ee612aa
--- /dev/null
+++ b/drydock/templates/drydock/k8s/ingress/lms.yml
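Review bot: `name: ingress-{{ host|replace(".", "-") }}-tls` gives the Ingress object the `-tls` suffix that the sibling files reserve for the certificate Secret (`cms-host-tls`, `lms-host-tls`) while their Ingresses are `ingress-cms` and `ingress-lms`; `name: ingress-{{ host|replace(".", "-") }}` keeps the two naming schemes apart. A wildcard or any host with characters outside `[a-z0-9.-]` would also leave an invalid object name after the replace, which is worth a comment above the loop such as `# each host must be a plain DNS name: it is reused as the Ingress and Secret name`. Extra hosts always go to `caddy:80` here, unlike the lms/cms/mfe Ingresses that honour `DRYDOCK_BYPASS_CADDY`; if that is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.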
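Review bot: The `kubernetes.io/tls` Secret that the deleted ingress.yml built from `DRYDOCK_CUSTOM_CERTS["crt"]` and `["key"]` is not recreated anywhere in this patch, although cms.yml, lms.yml, mfe.yml and extra-hosts.yml all still set `secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}`; unless that Secret is now rendered by a template outside this change, custom-certificate deployments point at a Secret that no longer exists. The guard `{% if DRYDOCK_AUTO_TLS -%}` also loses the `elif` ordering of the old file, so an ACME Issuer is rendered even when custom certs are configured and no Ingress carries the issuer annotation; the rewrite below restores the Secret in this file and keeps the Issuer branch unchanged. Separately, the per-host Secret names replace `{{ K8S_NAMESPACE }}-tls`, so cert-manager will order a fresh certificate for each new Ingress and the old Secret is left behind, which is worth a line in the changelog.

```yaml
{% if DRYDOCK_CUSTOM_CERTS -%}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
  namespace: {{ K8S_NAMESPACE }}
data:
  tls.crt: {{ DRYDOCK_CUSTOM_CERTS["crt"] }}
  tls.key: {{ DRYDOCK_CUSTOM_CERTS["key"] }}
{% elif DRYDOCK_AUTO_TLS -%}
# … unchanged: letsencrypt Issuer …
{% endif -%}
```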
@@ -0,0 +1,116 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-lms
+ namespace: {{ K8S_NAMESPACE }}
+ annotations:
+ {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS %}
+ cert-manager.io/issuer: letsencrypt
+ {%- endif %}
+ {%- if DRYDOCK_ENABLE_SCORM and DRYDOCK_BYPASS_CADDY %}
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location /scorm-proxy {
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header Authorization '';
+ proxy_set_header Host {% if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+ proxy_hide_header x-amz-id-2;
+ proxy_hide_header x-amz-request-id;
+ proxy_hide_header x-amz-meta-server-side-encryption;
+ proxy_hide_header x-amz-server-side-encryption;
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+ proxy_intercept_errors on;
+ add_header Cache-Control max-age=31536000;
+ rewrite /scorm-proxy(.*) $1 break;
+ proxy_pass https://{%- if MINIO_HOST is defined %}{{ MINIO_HOST }}{% else %}{{ S3_STORAGE_BUCKET }}.s3.amazonaws.com{%- endif %};
+ }
+ {%- endif %}
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ LMS_HOST }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/learning"
+ backend:
+ service:
+ name: {% if DRYDOCK_BYPASS_CADDY -%}mfe{% else -%}caddy{% endif %}
+ port:
+ number: {% if DRYDOCK_BYPASS_CADDY -%}8002{% else -%}80{% endif %}
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: {% if DRYDOCK_BYPASS_CADDY -%}lms{% else -%}caddy{% endif %}
+ port:
+ number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+ {{ patch("drydock-lms-extra-paths")|indent(6) }}
+ {%- for host in DRYDOCK_INGRESS_LMS_EXTRA_HOSTS %}
+ - host: {{ host }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/learning"
+ backend:
+ service:
+ name: {% if DRYDOCK_BYPASS_CADDY -%}mfe{% else -%}caddy{% endif %}
+ port:
+ number: {% if DRYDOCK_BYPASS_CADDY -%}8002{% else -%}80{% endif %}
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: {% if DRYDOCK_BYPASS_CADDY -%}lms{% else -%}caddy{% endif %}
+ port:
+ number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+ {{ patch("drydock-lms-extra-paths")|indent(6) }}
+ {%- endfor %}
+ {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+ tls:
+ - hosts:
+ - {{ LMS_HOST }}
+ {%- for host in DRYDOCK_INGRESS_LMS_EXTRA_HOSTS %}
+ - {{ host }}
+ {%- endfor %}
+ {%- if DRYDOCK_CUSTOM_CERTS %}
+ secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+ {%- else %}
+ secretName: lms-host-tls
+ {%- endif %}
+ {%- endif %}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-lms-preview
+ namespace: {{ K8S_NAMESPACE }}
+ annotations:
+ {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS %}
+ cert-manager.io/issuer: letsencrypt
+ {%- endif %}
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ PREVIEW_LMS_HOST }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: {% if DRYDOCK_BYPASS_CADDY -%}lms{% else -%}caddy{% endif %}
+ port:
+ number: {% if DRYDOCK_BYPASS_CADDY -%}8000{% else -%}80{% endif %}
+ {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+ tls:
+ - hosts:
+ - {{ PREVIEW_LMS_HOST }}
+ {%- if DRYDOCK_CUSTOM_CERTS %}
+ secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+ {%- else %}
+ secretName: lms-preview-host-tls
+ {%- endif %}
+ {%- endif %}
diff --git a/drydock/templates/drydock/k8s/ingress/mfe.yml b/drydock/templates/drydock/k8s/ingress/mfe.yml
new file mode 100644
index 00000000..c09e00ed
--- /dev/null
+++ b/drydock/templates/drydock/k8s/ingress/mfe.yml
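Review bot: The path block for `LMS_HOST` (`/learning` to mfe, `/` to lms, then the `drydock-lms-extra-paths` patch) is repeated verbatim inside the `DRYDOCK_INGRESS_LMS_EXTRA_HOSTS` loop, so any path added for the main host in future has to be added twice; one loop over `[LMS_HOST] + DRYDOCK_INGRESS_LMS_EXTRA_HOSTS`, as below, renders the same manifest from a single copy. `ingress-lms-preview` carries no `server-snippet`, so with `DRYDOCK_BYPASS_CADDY` a `/scorm-proxy` request on `PREVIEW_LMS_HOST` is handed to whatever backend serves `/` rather than to the bucket; if preview is never expected to serve SCORM content, a comment next to its `annotations:` saying so would settle it. `patch("drydock-lms-extra-paths")|indent(6)` leaves the patch's first line at the column of the `{{` tag and indents only the following ones, which patch authors need to know wherever the patch name is documented.

```yaml
  rules:
  {%- for host in [LMS_HOST] + DRYDOCK_INGRESS_LMS_EXTRA_HOSTS %}
  - host: {{ host }}
    http:
      paths:
      # … unchanged: the /learning and / paths and the drydock-lms-extra-paths patch …
  {%- endfor %}
```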
@@ -0,0 +1,35 @@
+{%- if MFE_HOST is defined %}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-mfe
+ namespace: {{ K8S_NAMESPACE }}
+ {%- if DRYDOCK_AUTO_TLS and not DRYDOCK_CUSTOM_CERTS %}
+ annotations:
+ cert-manager.io/issuer: letsencrypt
+ {%- endif %}
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ MFE_HOST }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: {% if DRYDOCK_BYPASS_CADDY -%}mfe{% else -%}caddy{% endif %}
+ port:
+ number: {% if DRYDOCK_BYPASS_CADDY -%}8002{% else -%}80{% endif %}
+ {%- if DRYDOCK_AUTO_TLS or DRYDOCK_CUSTOM_CERTS %}
+ tls:
+ - hosts:
+ - {{ MFE_HOST }}
+ {%- if DRYDOCK_CUSTOM_CERTS %}
+ secretName: {{ DRYDOCK_CUSTOM_CERTS["secret_name"]|default("custom-tls-certs") }}
+ {%- else %}
+ secretName: mfe-host-tls
+ {%- endif %}
+ {%- endif %}
+{%- endif %}