Merge branch 'master' into generate-crypto-key

Author: cognifloyd

CHANGELOG.md

@@ -13,6 +13,8 @@
 * New feature: Add `envFromSecrets` to `st2actionrunner`, `st2client`, `st2sensorcontainer`, and jobs. This is useful for adding custom secrets to the environment. This complements the `extra_volumes` feature (loading secrets as files) to facilitate loading secrets that are not easily injected via the filesystem. (#259) (by @cognifloyd)
 * New feature to include `nodeSelector`, `affinity` and `tolerations` to `st2client`, allowing more flexibility to pod positioning. (#263) (by @sandesvitor)
 * Template `~/.st2/config`. This allows customizing the settings used by the `st2client` and jobs pods for using the st2 apis. (#262) (by @cognifloyd)
+* Fix indent for lifecycle postStart hook of `st2web` pod. (#268) (by @cognifloyd)
+* Advanced Feature: Allow `st2web` to serve HTTPS when the ssl certs are provided via `st2web.extra_volumes`. To enable this, add `ST2WEB_HTTPS: "1"` to `st2web.env` in your values file. (#264) (by @cognifloyd)
 * Auto-generate `datastore_crypto_key` on install if not provided. This way all HA installs will have a datastore_crypto_key configured. (#266) (by @cognifloyd)
 
 ## v0.70.0

templates/deployments.yaml

@@ -396,13 +396,13 @@ spec:
         image: '{{ template "imageRepository" . }}/st2web:{{ tpl (.Values.st2web.image.tag | default .Values.image.tag) . }}'
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         ports:
-        - containerPort: 80
+        - containerPort: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
         # Probe to check if app is running. Failure will lead to a pod restart.
         livenessProbe:
           httpGet:
-            scheme: HTTP
+            scheme: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary "HTTPS" "HTTP" }}
             path: /
-            port: 80
+            port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
           initialDelaySeconds: 1
         # Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
         # TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
@@ -422,20 +422,24 @@ spec:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
             optional: true
-    {{- if or .Values.st2web.config .Values.st2web.postStartScript }}
+    {{- if or .Values.st2web.config .Values.st2web.extra_volumes .Values.st2web.postStartScript }}
         volumeMounts:
     {{- else }}
         volumeMounts: []
     {{- end }}
+        {{- range .Values.st2web.extra_volumes }}
+          - name: {{ required "Each volume must have a 'name' in st2web.extra_volumes" .name }}
+            {{- tpl (required "Each volume must have a 'mount' definition in st2web.extra_volumes" .mount | toYaml) $ | nindent 12 }}
+        {{- end }}
         {{- if .Values.st2web.config }}
           - name: st2web-config-vol
             mountPath: /opt/stackstorm/static/webui/config.js
             subPath: st2web.config.js
         {{- end }}
         {{- if .Values.st2web.postStartScript }}
-        - name: st2-post-start-script-vol
-          mountPath: /post-start.sh
-          subPath: post-start.sh
+          - name: st2-post-start-script-vol
+            mountPath: /post-start.sh
+            subPath: post-start.sh
         lifecycle:
           postStart:
             exec:
@@ -446,11 +450,15 @@ spec:
     {{- if .Values.st2web.serviceAccount.attach }}
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
-    {{- if or .Values.st2web.config .Values.st2web.postStartScript }}
+    {{- if or .Values.st2web.config .Values.st2web.extra_volumes .Values.st2web.postStartScript }}
       volumes:
     {{- else }}
       volumes: []
     {{- end }}
+        {{- range .Values.st2web.extra_volumes }}
+        - name: {{ required "Each volume must have a 'name' in st2web.extra_volumes" .name }}
+          {{- tpl (required "Each volume must have a 'volume' definition in st2web.extra_volumes" .volume | toYaml) $ | nindent 10 }}
+        {{- end }}
         {{- if .Values.st2web.config }}
         - name: st2web-config-vol
           configMap:

templates/services.yaml

@@ -99,7 +99,7 @@ spec:
   {{- end }}
   ports:
   - protocol: TCP
-    port: 80
+    port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
 
 {{ if .Values.st2chatops.enabled -}}
 ---

values.yaml

@@ -296,8 +296,17 @@ st2web:
   affinity: {}
   env: {}
   # HTTP_PROXY: http://proxy:1234
+  ## st2web serves HTTP (port 80) so that SSL termination can be managed
+  ## using kubernetes-native features like LoadBalancer or Ingress Controllers.
+  ## To configure st2web to directly serve HTTPS (port 443) instead of HTTP,
+  ## provide ssl certs via extra_volumes, and add the ST2WEB_HTTPS env var here:
+  # ST2WEB_HTTPS: 1
   serviceAccount:
     attach: false
+  # mount extra volumes on the st2web pod(s) (primarily useful for k8s-provisioned secrets)
+  ## Note that Helm templating is supported in 'mount' and 'volume'
+  extra_volumes: []
+    # see examples under st2workflowengine.extra_volumes
   # User-defined st2web config with custom settings to replace default config.js
   # See https://github.com/StackStorm/st2web#connecting-to-st2-server for more info
   # config: |