flyteorg · lowc1012 · Feb 24, 2024 · Feb 24, 2024 · Mar 4, 2024 · Mar 4, 2024
diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
@@ -74,17 +74,17 @@ helm install gateway bitnami/contour -n flyte
 | cluster_resource_manager.service_account_name | string | `"flyteadmin"` | Service account name to run with |
 | cluster_resource_manager.templates | list | `[{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n  name: {{ namespace }}\nspec:\n  finalizers:\n  - kubernetes\n"},{"key":"ab_project_resource_quota","value":"apiVersion: v1\nkind: ResourceQuota\nmetadata:\n  name: project-quota\n  namespace: {{ namespace }}\nspec:\n  hard:\n    limits.cpu: {{ projectQuotaCpu }}\n    limits.memory: {{ projectQuotaMemory }}\n"}]` | Resource templates that should be applied |
 | cluster_resource_manager.templates[0] | object | `{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n  name: {{ namespace }}\nspec:\n  finalizers:\n  - kubernetes\n"}` | Template for namespaces resources |
-| common | object | `{"databaseSecret":{"name":"","secretManifest":{}},"flyteNamespaceTemplate":{"enabled":false},"ingress":{"albSSLRedirect":false,"annotations":{"nginx.ingress.kubernetes.io/app-root":"/console"},"enabled":true,"ingressClassName":null,"separateGrpcIngress":false,"separateGrpcIngressAnnotations":{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"},"tls":{"enabled":false},"webpackHMR":false}}` | ----------------------------------------------  COMMON SETTINGS  |
+| common | object | `{"databaseSecret":{"name":"","secretManifest":{}},"flyteNamespaceTemplate":{"enabled":false},"ingress":{"albSSLRedirect":false,"annotations":{"nginx.ingress.kubernetes.io/app-root":"/console"},"enabled":true,"host":"","ingressClassName":"","separateGrpcIngress":false,"separateGrpcIngressAnnotations":{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"},"tls":{"enabled":false},"webpackHMR":false}}` | ----------------------------------------------  COMMON SETTINGS  |
 | common.databaseSecret.name | string | `""` | Specify name of K8s Secret which contains Database password. Leave it empty if you don't need this Secret |
 | common.databaseSecret.secretManifest | object | `{}` | Specify your Secret (with sensitive data) or pseudo-manifest (without sensitive data). See https://github.com/godaddy/kubernetes-external-secrets |
 | common.flyteNamespaceTemplate.enabled | bool | `false` | - Enable or disable creating Flyte namespace in template. Enable when using helm as template-engine only. Disable when using `helm install ...`. |
 | common.ingress.albSSLRedirect | bool | `false` | - albSSLRedirect adds a special route for ssl redirect. Only useful in combination with the AWS LoadBalancer Controller. |
 | common.ingress.annotations | object | `{"nginx.ingress.kubernetes.io/app-root":"/console"}` | - Ingress annotations applied to both HTTP and GRPC ingresses. |
 | common.ingress.enabled | bool | `true` | - Enable or disable creating Ingress for Flyte. Relevant to disable when using e.g. Istio as ingress controller. |
-| common.ingress.ingressClassName | string | `nil` | - Sets the ingressClassName |
+| common.ingress.host | string | `""` | - Ingress hostname |
+| common.ingress.ingressClassName | string | `""` | - Sets the ingressClassName |
 | common.ingress.separateGrpcIngress | bool | `false` | - separateGrpcIngress puts GRPC routes into a separate ingress if true. Required for certain ingress controllers like nginx. |
 | common.ingress.separateGrpcIngressAnnotations | object | `{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"}` | - Extra Ingress annotations applied only to the GRPC ingress. Only makes sense if `separateGrpcIngress` is enabled. |
-| common.ingress.tls | object | `{"enabled":false}` | - Ingress hostname host: |
 | common.ingress.webpackHMR | bool | `false` | - Enable or disable HMR route to flyteconsole. This is useful only for frontend development. |
 | configmap.admin | object | `{"admin":{"clientId":"{{ .Values.secrets.adminOauthClientCredentials.clientId }}","clientSecretLocation":"/etc/secrets/client_secret","endpoint":"flyteadmin:81","insecure":true},"event":{"capacity":1000,"rate":500,"type":"admin"}}` | Admin Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig) |
 | configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration |

diff --git a/charts/flyte-core/templates/_helpers.tpl b/charts/flyte-core/templates/_helpers.tpl
@@ -261,3 +261,152 @@ storage:
   limits:
     maxDownloadMBs: {{ .Values.storage.limits.maxDownloadMBs }}
 {{- end }}
+
+{{/* Generate grpcRoutes for ingress */}}
+{{- define "ingress.grpcRoutes" -}}
+{{- $grpcPort := .Values.configmap.adminServer.server.security.secure | ternary 80 81 -}}
+- path: /flyteidl.service.SignalService
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.SignalService/*
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.AdminService
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.AdminService/*
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.DataProxyService
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.DataProxyService/*
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.AuthMetadataService
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.AuthMetadataService/*
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.IdentityService
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /flyteidl.service.IdentityService/*
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /grpc.health.v1.Health
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+- path: /grpc.health.v1.Health/*
+  pathType: ImplementationSpecific
+  backend:
+    {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+    service:
+      name: flyteadmin
+      port:
+        number: {{ $grpcPort }}
+    {{- else }}
+    serviceName: flyteadmin
+    servicePort: {{ $grpcPort }}
+    {{- end }}
+{{- end -}}
diff --git a/charts/flyte-core/templates/common/ingress-grpc.yaml b/charts/flyte-core/templates/common/ingress-grpc.yaml
@@ -0,0 +1,41 @@
+{{/* Certain ingress controllers like nginx cannot serve HTTP 1 and GRPC with a single ingress because GRPC can only */}}
+{{/* enabled on the ingress object, not on backend services (GRPC annotation is set on the ingress, not on the services). */}}
+
+{{- if and .Values.common.ingress.enabled .Values.common.ingress.separateGrpcIngress }}
+{{- $annotations := .Values.common.ingress.annotations | deepCopy -}}
+{{- $_ := merge $annotations .Values.common.ingress.separateGrpcIngressAnnotations -}}
+
+{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else }}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ template "flyte.name" . }}-grpc
+  namespace: {{ template "flyte.namespace" . }}
+  {{- with $annotations }}
+  annotations:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.common.ingress.ingressClassName | quote }}
+  rules:
+    - host: {{ tpl (toYaml .Values.common.ingress.host) $ }}
+      http:
+        paths:
+          {{- include "ingress.grpcRoutes" . | nindent 10 -}}
+          {{- if .Values.common.ingress.albSSLRedirect }}
+          # - backend:
+          #     serviceName: ssl-redirect
+          #     servicePort: use-annotation
+          #   path: /*
+          #   pathType: ImplementationSpecific
+          {{- end }}
+  {{- if .Values.common.ingress.tls.enabled }}
+  tls:
+    - secretName: {{ .Values.common.ingress.tls.secretName | default (printf "%s-flyte-tls" .Release.Name) }}
+      hosts:
+        - {{ tpl (toYaml .Values.common.ingress.host) $ }}
+  {{ end }}
+{{- end }}