Enable TLS support for minikube in helm charts

.gitignore

@@ -55,4 +55,9 @@ api/node_modules/
 
 # Ignore generated frontend assets
 api/src/main/resources/static/node/
-api/node
+api/node
+
+.generated/
+# Ignore Generated keys if they exist
+docker/dev-certs/sentrius-ca.crt
+docker/dev-certs/sentrius-ca.key

.local.env

@@ -1,7 +1,8 @@
-SENTRIUS_VERSION=1.1.110
-SENTRIUS_SSH_VERSION=1.1.19
-SENTRIUS_KEYCLOAK_VERSION=1.1.31
-SENTRIUS_AGENT_VERSION=1.1.19
-SENTRIUS_AI_AGENT_VERSION=1.1.34
-LLMPROXY_VERSION=1.0.22
-LAUNCHER_VERSION=1.0.30
+SENTRIUS_VERSION=1.1.158
+SENTRIUS_SSH_VERSION=1.1.32
+SENTRIUS_KEYCLOAK_VERSION=1.1.44
+SENTRIUS_AGENT_VERSION=1.1.31
+SENTRIUS_AI_AGENT_VERSION=1.1.50
+LLMPROXY_VERSION=1.0.40
+LAUNCHER_VERSION=1.0.47
+AGENTPROXY_VERSION=1.0.58

.local.env.bak

@@ -1,7 +1,8 @@
-SENTRIUS_VERSION=1.1.110
-SENTRIUS_SSH_VERSION=1.1.19
-SENTRIUS_KEYCLOAK_VERSION=1.1.30
-SENTRIUS_AGENT_VERSION=1.1.19
-SENTRIUS_AI_AGENT_VERSION=1.1.34
-LLMPROXY_VERSION=1.0.22
-LAUNCHER_VERSION=1.0.30
+SENTRIUS_VERSION=1.1.158
+SENTRIUS_SSH_VERSION=1.1.32
+SENTRIUS_KEYCLOAK_VERSION=1.1.44
+SENTRIUS_AGENT_VERSION=1.1.31
+SENTRIUS_AI_AGENT_VERSION=1.1.50
+LLMPROXY_VERSION=1.0.40
+LAUNCHER_VERSION=1.0.47
+AGENTPROXY_VERSION=1.0.58

README.md

@@ -117,8 +117,8 @@ Run the Helm deployment script to deploy Sentrius to your local Kubernetes clust
 
     ./ops-scripts/local/deploy-helm.sh
 
-
 
+## If Not using TLS
 You may wish to forward ports so you can access the services locally. The following commands will forward the necessary ports for the core and api modules:
     kubectl port-forward -n dev service/sentrius-sentrius 8080:8080
     kubectl port-forward -n dev service/sentrius-keycloak 8081:8081
@@ -127,6 +127,15 @@ This will require that you either change the hostnames in the deploy-helm script
     127.0.0.1 sentrius-sentrius
     127.0.0.1 sentrius-keycloak
 
+## If Using TLS
+The deploy script will automatically install cert-manager and create self-signed certificates for the services. You can access the services via:
+
+    https://sentrius-dev.local
+    https://keycloak-dev.local
+
+Add these to /etc/hosts file pointing to your minikube or local cluster IP.
+
+
 There is a GCP deployment that is hasn't been tested in some time. You can find it in the ops-scripts/gcp directory.
 
 You will need to ensure you link to your GKE cluster and have the necessary permissions to deploy resources.
@@ -230,20 +239,39 @@ Sentrius provides comprehensive Helm charts for Kubernetes deployment across mul
 # Build all images
 ./build-images.sh --all --no-cache
 
-# Deploy to local Kubernetes cluster
+# Deploy to local Kubernetes cluster (HTTP)
 ./ops-scripts/local/deploy-helm.sh
 
-# Forward ports for local access
+# OR deploy with TLS enabled for secure transport
+./ops-scripts/local/deploy-helm.sh --tls
+
+# OR deploy with TLS and auto-install cert-manager
+./ops-scripts/local/deploy-helm.sh --tls --install-cert-manager
+
+# Forward ports for local access (HTTP deployment)
 kubectl port-forward -n dev service/sentrius-sentrius 8080:8080
 kubectl port-forward -n dev service/sentrius-keycloak 8081:8081
 ```
 
-Add to `/etc/hosts` for local development:
+**For HTTP deployment**, add to `/etc/hosts`:
 ```
 127.0.0.1 sentrius-sentrius
 127.0.0.1 sentrius-keycloak
 ```
 
+**For TLS deployment**, add to `/etc/hosts`:
+```
+127.0.0.1 sentrius-dev.local
+127.0.0.1 keycloak-dev.local
+```
+
+**TLS Requirements:**
+- cert-manager must be installed in your cluster. You can:
+  - Install manually: `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml`
+  - Use auto-install flag: `./ops-scripts/local/deploy-helm.sh --tls --install-cert-manager`
+- Access via: `https://sentrius-dev.local` and `https://keycloak-dev.local`
+- Self-signed certificates will be automatically generated
+
 #### GCP/GKE Deployment
 
 ```bash
@@ -277,6 +305,20 @@ ingress:
       networking.gke.io/managed-certificates: wildcard-cert
 ```
 
+**TLS/SSL Configuration:**
+```yaml
+certificates:
+  enabled: true  # Enable certificate generation
+  issuer: "letsencrypt-prod"  # For AWS/Azure (cert-manager)
+
+# For local development with self-signed certificates:
+environment: local
+certificates:
+  enabled: true
+ingress:
+  tlsEnabled: true
+```
+
 **Agent Configuration:**
 ```yaml
 sentriusagent:

agent-launcher/src/main/java/io/sentrius/agent/launcher/service/PodLauncherService.java

@@ -1,5 +1,6 @@
 package io.sentrius.agent.launcher.service;
 
+import io.kubernetes.client.custom.IntOrString;
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.openapi.ApiClient;
 import io.kubernetes.client.openapi.apis.CoreV1Api;
@@ -71,8 +72,8 @@ public V1Pod launchAgentPod(String agentId, String callbackUrl) throws Exception
                         ))
                     .resources(new V1ResourceRequirements()
                         .limits(Map.of(
-                            "cpu", Quantity.fromString("500m"),
-                            "memory", Quantity.fromString("512Mi")
+                            "cpu", Quantity.fromString("1000m"),
+                            "memory", Quantity.fromString("1Gi")
                         )))
                         .volumeMounts(List.of(
                             new V1VolumeMount()
@@ -91,6 +92,26 @@ public V1Pod launchAgentPod(String agentId, String callbackUrl) throws Exception
                 )));
         pod.getSpec().setOverhead(null);
 
-        return coreV1Api.createNamespacedPod(agentNamespace, pod).execute();
+        var createdPod = coreV1Api.createNamespacedPod(agentNamespace, pod).execute();
+
+        // Create corresponding service for WebSocket routing
+        V1Service service = new V1Service()
+            .metadata(new V1ObjectMeta()
+                .name("sentrius-agent-" + agentId)
+                .labels(Map.of("agentId", agentId)))
+            .spec(new V1ServiceSpec()
+                .selector(Map.of("agentId", agentId))
+                .ports(List.of(new V1ServicePort()
+                    .protocol("TCP")
+                    .port(8090)
+                    .targetPort(new IntOrString(8090))
+                ))
+                .type("ClusterIP")
+            );
+
+        log.info("Created service pod: {} and service {}", createdPod, service);
+        coreV1Api.createNamespacedService(agentNamespace, service).execute();
+
+        return createdPod;
     }
 }