allow st2web to use https and auto-generate the ssl cert as needed

Author: cognifloyd

templates/deployments.yaml

@@ -400,13 +400,13 @@ spec:
         image: '{{ template "imageRepository" . }}/st2web:{{ tpl (.Values.st2web.image.tag | default .Values.image.tag) . }}'
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         ports:
-        - containerPort: 80
+        - containerPort: {{ .Values.st2web.use_https | ternary 443 80 }}
         # Probe to check if app is running. Failure will lead to a pod restart.
         livenessProbe:
           httpGet:
-            scheme: HTTP
+            scheme: {{ .Values.st2web.use_https | ternary "HTTPS" "HTTP" }}
             path: /
-            port: 80
+            port: {{ .Values.st2web.use_https | ternary 443 80 }}
           initialDelaySeconds: 1
         # Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
         # TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
@@ -419,18 +419,29 @@ spec:
 #            path: /api/
 #            port: 443
 #          initialDelaySeconds: 3
-        {{- if .Values.st2web.env }}
-        env: {{- include "stackstorm-ha.customEnv" .Values.st2web | nindent 8 }}
+        {{- if or .Values.st2web.env .Values.st2web.use_https }}
+        env:
+          {{- if .Values.st2web.env }}
+            {{- include "stackstorm-ha.customEnv" .Values.st2web | nindent 10 }}
+          {{- end }}
+          {{- if .Values.st2web.use_https }}
+          - name: ST2WEB_HTTPS
+            value: "1"
+          {{- end }}
         {{- end }}
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
             optional: true
-    {{- if or .Values.st2web.config .Values.st2web.postStartScript }}
+    {{- if or .Values.st2web.use_https .Values.st2web.config .Values.st2web.postStartScript }}
         volumeMounts:
     {{- else }}
         volumeMounts: []
     {{- end }}
+        {{- if .Values.st2web.use_https }}
+          - name: st2web-ssl-certs-vol
+            mountPath: /etc/ssl/st2
+        {{- end }}
         {{- if .Values.st2web.config }}
           - name: st2web-config-vol
             mountPath: /opt/stackstorm/static/webui/config.js
@@ -450,11 +461,21 @@ spec:
     {{- if .Values.st2web.serviceAccount.attach }}
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
-    {{- if or .Values.st2web.config .Values.st2web.postStartScript }}
+    {{- if or .Values.st2web.use_https .Values.st2web.config .Values.st2web.postStartScript }}
       volumes:
     {{- else }}
       volumes: []
     {{- end }}
+        {{- if .Values.st2web.use_https }}
+        - name: st2web-ssl-certs-vol
+          secret:
+            secretName: {{ .Release.Name }}-st2web-ssl-certs
+            items:
+              - key: ssl_certificate
+                path: st2.crt
+              - key: ssl_certificate_key
+                path: st2.key
+        {{- end }}
         {{- if .Values.st2web.config }}
         - name: st2web-config-vol
           configMap:

templates/secrets_st2web-ssl-certs.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.st2web.use_https }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- $name := print .Release.Name "-st2web-ssl-certs" }}
+  name: {{ $name }}
+  annotations:
+    description: StackStorm st2web SSL Certificates
+  labels:
+    app: st2
+    tier: backend
+    vendor: stackstorm
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  # SSL Cert+Key used to serve HTTPS from st2web (default: auto-generated)
+{{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
+{{- if and .Values.st2web.ssl_certifcate .Values.st2web.ssl_certificate_key }}
+  ssl_certificate: |
+    {{- .Values.st2web.ssl_certificate | b64enc | nindent 4 }}
+  ssl_certificate_key: |
+    {{- .Values.st2web.ssl_certificate_key | b64enc | nindent 4 }}
+{{- else if $previous }}
+  ssl_certificate: |
+    {{- $previous.data.ssl_certificate | nindent 4 }}
+  ssl_certificate_key: |
+    {{- $previous.data.ssl_certificate_key | nindent 4 }}
+{{- else }}
+  {{- $hosts := list .Values.st2web.service.hostname (printf "%s-st2web.%s.svc" .Release.Name .Release.Namespace) | compact }}
+  {{- $altNamesDict := dict "altNames" (list) }}
+  {{- range $domain := (append "" (.Values.dnsConfig.searches | default (list)) }}
+    {{- range $host := $hosts }}
+      {{- $_ := printf "%s.%s" $host $domain | trimSuffix "." | append $altNamesDict.altNames | set $altNamesDict "altNames" }}
+    {{- end }}
+  {{- end }}
+  {{- $altNames := append (printf "%s-st2web.%s" .Release.Name .Release.Namespace) $altNamesDict.altNames }}
+  {{- $ca := genCA (print .Release.Name "-st2web-ca") 365 }}
+  {{- $generated := genSignedCert (print .Release.Name "-st2web") nil $altNames 365 $ca }}
+  ssl_certificate: |
+    {{- $generated.Cert | b64enc | nindent 4 }}
+  ssl_certificate_key: |
+    {{- $generated.Key | b64enc | nindent 4 }}
+{{- end }}
+{{- end }}

templates/services.yaml

@@ -99,7 +99,7 @@ spec:
   {{- end }}
   ports:
   - protocol: TCP
-    port: 80
+    port: {{ .Values.st2web.use_https | ternary 443 80 }}
 
 {{ if .Values.st2chatops.enabled -}}
 ---

values.yaml

@@ -297,6 +297,13 @@ st2web:
   # HTTP_PROXY: http://proxy:1234
   serviceAccount:
     attach: false
+  # Have st2web pod and service use HTTPS on port 443 when true. default: false (use HTTP on port 80)
+  use_https: false
+  # User-defined st2web ssl certificate+key (ignored for http; defaults to autogenerated for https)
+  # ssl_certificate: |
+  #  # x.509 certficate
+  # ssl_certificate_key: |
+  #  # x.509 private key
   # User-defined st2web config with custom settings to replace default config.js
   # See https://github.com/StackStorm/st2web#connecting-to-st2-server for more info
   # config: |