Add support for cert-manager issuer #43

Merged
williamtrelawny merged 5 commits into main from feat/issuer
Sep 16, 2025

Conversation

Collaborator

@monrax monrax commented Sep 4, 2025

This closes #10

This PR:

  • Adds the required cert-manager.io/[cluster-]issuer: annotation to the Ingress resource when ingress.web.tls is configured, and one of these:
    • The cluster admin provisions an Issuer resource and sets ingress.web.config.tls.issuer.existingName to its name.
    • The cluster admin provisions a ClusterIssuer resource and sets ingress.web.config.tls.clusterIssuer.existingName to its name.
    • Or, ingress.config.tls.issuer.autoissue.enabled is set to true (see last bullet point).
  • Adds a default path "/" with pathType="ImplementationSpecific" when no paths are specified for a given host.
  • Fixes a typo "ingress.tls" -> "ingress.web.tls" for the Ingress web resource.
  • Adds a fallback pod+service as defaultBackend to serve a static web page if the graylog-* pods can serve a response (e.g. they are still initializing)
  • Adds an Issuer resource when graylog.config.tls.byoc.enabled is set to false, ingress.enabled is set to true, and ingress.config.tls.issuer.autoissue.enabled is set to true, as long as there are no other Issuers or ClusterIssuer resources. This is NOT the recommended way of using [Cluster]Issuers, as cluster admins should manage their own cert-manager resources. The intent behind this feature is mainly to be used in demos/pocs.

Notes for Reviewers

  • The commit history must be preserved - please use the rebase-merge or standard merge option instead of squash-merge
  • Sync up with the author before merging

Collaborator Author

monrax commented Sep 5, 2025

Validation steps:

  1. Check out this branch:

         git checkout feat/issuer
         git pull

  2. Install an Ingress Controller:

         helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx && helm repo update
         helm install nginx ingress-nginx/ingress-nginx --namespace nginx --create-namespace

  3. Install cert-manager:

         helm repo add jetstack https://charts.jetstack.io && helm repo update
         helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace \
           --version v1.18.2 \
           --set crds.enabled=true

  4. Install Graylog:

         helm install graylog ./graylog -n graylog --set provider="aws-managed-sc"

  5. Get External IP address/hostname from the ingress LoadBalancer Service:

         kubectl get svc nginx-ingress-nginx-controller -n nginx

  6. Update your DNS record to point to the hostname/address retrieved in step 4.

  7. Enable Ingress:

         helm upgrade graylog ./graylog -n graylog --reuse-values --set ingress.enabled=true --set ingress.web.enabled=true \
           --set ingress.web.className=nginx \
           --set ingress.web.hosts\[0\].host="<your domain name here>"

  8. Enable cert-manager autoissuer:

         helm upgrade graylog ./graylog -n graylog --reuse-values --set ingress.config.tls.issuer.autoissue.enabled=true \
           --set ingress.web.tls\[0\].hosts\[0\]="<your domain name here>"

  9. Check that the Issuer resource has been correctly deployed:

         kubectl get issuer -n graylog

  10. Wait until the cert-manager managed certificate has a READY=True status:

         kubectl get cert -n graylog

  11. Go to https://<your domain>/ and verify that the certificate was issued by Let's Encrypt from a STAGING environment.
  12. Verify that you can log in and use the product as expected.
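
An offline check covering the Issuer, Certificate and annotation conditions from the validation steps above, added here as an example and not part of the original comment or the chart's own code. It audits a JSON dump of the namespace's Ingress, Issuer and Certificate objects; the resource names, host and sample dump are constructed, and the staging test assumes the Let's Encrypt staging ACME URL.

```python
import json

# Annotations the PR description says are added to the Ingress (one or the other).
ISSUER_ANNOTATIONS = ("cert-manager.io/issuer", "cert-manager.io/cluster-issuer")

# Constructed sample, shaped like the list printed by
# `kubectl get ingress,issuer,certificate -n graylog -o json`.
# Names and host are made up for this example.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Ingress", "metadata": {"name": "graylog-web",
        "annotations": {"cert-manager.io/issuer": "graylog-issuer"}},
     "spec": {"tls": [{"hosts": ["logs.example.test"], "secretName": "graylog-tls"}]}},
    {"kind": "Issuer", "metadata": {"name": "graylog-issuer"},
     "spec": {"acme": {"server": "https://acme-staging-v02.api.letsencrypt.org/directory"}}},
    {"kind": "Certificate", "metadata": {"name": "graylog-tls"},
     "status": {"conditions": [{"type": "Ready", "status": "False"}]}},
]})


def audit(kubectl_json):
    """Return human-readable findings for the TLS wiring in a kubectl JSON list."""
    findings = []
    for obj in json.loads(kubectl_json).get("items", []):
        kind, name = obj["kind"], obj["metadata"]["name"]
        if kind == "Ingress" and obj.get("spec", {}).get("tls"):
            # TLS is configured, so exactly one issuer annotation should be present.
            ann = obj["metadata"].get("annotations") or {}
            present = [k for k in ISSUER_ANNOTATIONS if k in ann]
            if len(present) != 1:
                findings.append(f"{kind}/{name}: TLS set but {len(present)} issuer annotations (want 1)")
        elif kind in ("Issuer", "ClusterIssuer"):
            # A staging ACME endpoint is fine for a demo but must not reach production.
            server = obj.get("spec", {}).get("acme", {}).get("server", "")
            if "acme-staging" in server:
                findings.append(f"{kind}/{name}: staging ACME server, certificates are not publicly trusted")
        elif kind == "Certificate":
            conds = obj.get("status", {}).get("conditions", [])
            if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds):
                findings.append(f"{kind}/{name}: not Ready")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
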

Collaborator

@williamtrelawny williamtrelawny left a comment

It works! 🚀

@williamtrelawny williamtrelawny merged commit d0a537b into main Sep 16, 2025
1 check passed
@williamtrelawny williamtrelawny deleted the feat/issuer branch September 16, 2025 01:24
Development

Successfully merging this pull request may close these issues.

Add support for cert-manager Issuer