upd sdx-edge chart

Author: ikethecoder

sdx/chart/sdx-edge/templates/deployment.yaml

@@ -26,6 +26,7 @@ spec:
         kuma.io/gateway: "enabled"
         traffic.sidecar.istio.io/includeInboundPorts: ""
       labels:
+        DataClass: Medium
         app.kubernetes.io/name: sdx-edge
         app.kubernetes.io/component: app
         app.kubernetes.io/instance: "{{ include "sdx-edge.fullname" . }}"
@@ -84,6 +85,8 @@ spec:
           value: "{{- if .Values.mtls_required }}3{{- else }}1{{- end }}"
         - name: KONG_PROXY_ACCESS_LOG
           value: "off"
+        - name: KONG_PROXY_LISTEN
+          value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl, 0.0.0.0:3443 http2 ssl
         lifecycle:
           preStop:
             exec:
@@ -116,6 +119,8 @@ spec:
             mountPath: /etc/secrets/sdx-edge-cluster-cert
           - name: sdx-edge-client-cert
             mountPath: /etc/secrets/kong-upstream-jwt
+          - name: sdx-public-ca
+            mountPath: /etc/secrets/sdx-public-ca
           - name: sdx-edge-ca
             mountPath: /etc/secrets/sdx-edge-ca
           - name:  kong-nginx-proxy-include
@@ -162,6 +167,9 @@ spec:
         - name: sdx-edge-server-cert
           secret:
             secretName: {{ include "sdx-edge.fullname" . }}-server
+        - name: sdx-public-ca
+          secret:
+            secretName: sdx-public-ca
         - name: sdx-edge-ca
           secret:
             secretName: sdx-edge-ca

sdx/chart/sdx-edge/templates/fluentbit.yaml

@@ -18,6 +18,7 @@ spec:
     metadata:
       creationTimestamp: null
       labels:
+        DataClass: Low
         app.kubernetes.io/name: fluentbit
         app.kubernetes.io/component: app
         app.kubernetes.io/instance: "{{ include "sdx-edge.fullname" . }}"
@@ -74,15 +75,28 @@ spec:
               readOnly: true
               mountPath: /fb/parsers.conf
               subPath: parsers.conf
+            - name: sdx-edge-client-cert
+              mountPath: /etc/secrets/sdx-edge-client-cert
+            - name: sdx-ca
+              mountPath: /etc/secrets/sdx-ca
+
+
           terminationMessagePolicy: File
-          image: 'cr.fluentbit.io/fluent/fluent-bit:3.2.1'
+          image: 'docker.io/fluent/fluent-bit:4.1.1'
           args:
             - '--config=/fb/fluentbit.yaml'
       volumes:
         - name: config-vol
           configMap:
             name: sdx-fluentbit-config
             defaultMode: 420
+        - name: sdx-edge-client-cert
+          secret:
+            secretName: {{ include "sdx-edge.fullname" . }}-client
+        - name: sdx-ca
+          secret:
+            secretName: sdx-edge-ca
+
       dnsPolicy: ClusterFirst
   strategy:
     type: RollingUpdate
@@ -116,20 +130,31 @@ data:
           buffer_max_size: 20M
           mem_buf_limit: 100MB
 
-        - name: fluentbit_metrics
-          tag: internal_metrics
-          scrape_interval: 2
+        # - name: fluentbit_metrics
+        #   tag: internal_metrics
+        #   scrape_interval: 2
 
       outputs:
-        - name: stdout
-          match: "*"
-          format: json_lines
+        # - name: stdout
+        #   match: "*"
+        #   format: json_lines
 
-        - name: prometheus_exporter
-          match: internal_metrics
-          host: 0.0.0.0
-          port: 2021
+        # - name: prometheus_exporter
+        #   match: internal_metrics
+        #   host: 0.0.0.0
+        #   port: 2021
 
+        - name: http
+          match: "*"
+          host: gwaggregator-api-gov-bc-ca-lab.dev.api.gov.bc.ca
+          port: 443
+          tls.vhost: gwaggregator-api-gov-bc-ca-lab.dev.api.gov.bc.ca
+          format: json
+          tls: on
+          tls.verify: off
+          tls.ca_file: /etc/secrets/sdx-ca/ca.crt
+          tls.crt_file: /etc/secrets/sdx-edge-client-cert/tls.crt
+          tls.key_file: /etc/secrets/sdx-edge-client-cert/tls.key
 
   parsers.conf: |-
     [MULTILINE_PARSER]

sdx/chart/sdx-edge/templates/job-cert-bootstrap.yaml

@@ -18,7 +18,11 @@ spec:
   ttlSecondsAfterFinished: 604800 # 7 days
   template:
     metadata:
-      creationTimestamp: null
+      labels:
+        DataClass: Low
+        app.kubernetes.io/name: job-cert-bootstrap
+        app.kubernetes.io/instance: "{{ include "sdx-edge.fullname" . }}"
+        data-plane: "{{ include "sdx-edge.fullname" . }}"
     spec:
       restartPolicy: Never
       serviceAccountName: sdx-job-cert-bootstrap
@@ -33,7 +37,7 @@ spec:
           name: cert-bootstrap
           command:
             - /bin/bash
-            - +x
+            - -x
             - -e
             - -c
             - |-
@@ -42,33 +46,58 @@ spec:
 
                 step certificate create \
                   --no-password --insecure \
+                   --san ${CN} --san ${IP} \
                   --csr ${CN} tls.csr tls.key
 
                 TOKEN=$(cat /etc/secrets/sdx-edge-bootstrap-token/token)
 
+                curl -kLO "${CLIENT_CA_URL}/roots.pem"
+
                 step ca sign \
                   --ca-url $CLIENT_CA_URL \
-                  --root /etc/secrets/sdx-edge-ca/ca.crt \
+                  --root ./roots.pem \
                   --force --token $TOKEN tls.csr tls.crt  
 
                 curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
                 chmod +x kubectl
 
+                kubectl delete secret ${EDGE_NAME}-client || true
+                kubectl delete secret ${EDGE_NAME}-server || true
+
                 kubectl create secret \
                   --save-config --dry-run=client -o yaml \
                   tls ${EDGE_NAME}-client \
                   --cert=./tls.crt \
                   --key=./tls.key | kubectl apply -f -
 
+                kubectl create secret \
+                  --save-config --dry-run=client -o yaml \
+                  tls ${EDGE_NAME}-server \
+                  --cert=./tls.crt \
+                  --key=./tls.key | kubectl apply -f -
+
+{{- if .Values.shared.ca_secret }}
+
+                kubectl create secret \
+                  --save-config --dry-run=client -o yaml \
+                  generic sdx-edge-ca \
+                  --from-file=ca.crt=./roots.pem | kubectl apply -f -
+{{- end }}
                 kubectl rollout restart deployment $EDGE_NAME
 
           env:
             - name: CN
               value: "{{ .Values.tls.client.cn }}"
+            - name: IP
+              value: "{{ .Values.tls.server.ip }}"
             - name: EDGE_NAME
               value: "{{ include "sdx-edge.fullname" . }}"
             - name: CLIENT_CA_URL
               value: "{{ .Values.client_ca_url }}"
+            - name: HTTPS_PROXY
+              value: "{{ .Values.https_proxy }}"
+            - name: NO_PROXY
+              value: ".cluster.local,.svc,10.91.0.0/16,10.93.0.0/16,172.30.0.0/16,127.0.0.1,localhost,.gov.bc.ca"
           imagePullPolicy: IfNotPresent
           volumeMounts:
             - name: working-dir
@@ -79,8 +108,6 @@ spec:
               mountPropagation: None
             - name: sdx-edge-bootstrap-token
               mountPath: /etc/secrets/sdx-edge-bootstrap-token
-            - name: sdx-edge-ca
-              mountPath: /etc/secrets/sdx-edge-ca
           image: 'docker.io/smallstep/step-cli:0.23.0'
       automountServiceAccountToken: true
       volumes:
@@ -91,9 +118,6 @@ spec:
         - name: sdx-edge-bootstrap-token
           secret:
             secretName: {{ include "sdx-edge.fullname" . }}-bootstrap
-        - name: sdx-edge-ca
-          secret:
-            secretName: sdx-edge-ca
       dnsPolicy: ClusterFirst
 ---
 {{ end }}
@@ -115,6 +139,7 @@ rules:
   - verbs:
       - get
       - create
+      - delete
       - patch
     apiGroups:
       - ''

sdx/chart/sdx-edge/templates/job-cert-renewal.yaml

@@ -17,8 +17,6 @@ spec:
   concurrencyPolicy: Replace
   suspend: false
   jobTemplate:
-    metadata:
-      creationTimestamp: null
     spec:
       parallelism: 1
       completions: 1
@@ -27,7 +25,11 @@ spec:
       ttlSecondsAfterFinished: 604800 # 7 days
       template:
         metadata:
-          creationTimestamp: null
+          labels:
+            DataClass: Low
+            app.kubernetes.io/name: job-cert-renewal
+            app.kubernetes.io/instance: "{{ include "sdx-edge.fullname" . }}"
+            data-plane: "{{ include "sdx-edge.fullname" . }}"
         spec:
           restartPolicy: Never
           serviceAccountName: sdx-job-cert-renewal
@@ -58,19 +60,32 @@ spec:
                     curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
                     chmod +x kubectl
 
+                    kubectl delete secret ${EDGE_NAME}-client || true
+                    kubectl delete secret ${EDGE_NAME}-server || true
+
                     kubectl create secret \
                       --save-config --dry-run=client -o yaml \
                       tls ${EDGE_NAME}-client \
                       --cert=./tls.crt \
                       --key=./tls.key | kubectl apply -f -
 
+                    kubectl create secret \
+                      --save-config --dry-run=client -o yaml \
+                      tls ${EDGE_NAME}-server \
+                      --cert=./tls.crt \
+                      --key=./tls.key | kubectl apply -f -
+
                     kubectl rollout restart deployment $EDGE_NAME
 
               env:
                 - name: EDGE_NAME
                   value: "{{ include "sdx-edge.fullname" . }}"
                 - name: CLIENT_CA_URL
                   value: "{{ .Values.client_ca_url }}"
+                - name: HTTPS_PROXY
+                  value: "{{ .Values.https_proxy }}"
+                - name: NO_PROXY
+                  value: ".cluster.local,.svc,10.91.0.0/16,10.93.0.0/16,172.30.0.0/16,127.0.0.1,localhost,.gov.bc.ca"
               imagePullPolicy: IfNotPresent
               volumeMounts:
                 - name: working-dir

…/chart/sdx-edge/templates/ocp_route.yaml …/chart/sdx-edge/templates/ocp-route.yamlsdx/chart/sdx-edge/templates/ocp_route.yaml renamed to sdx/chart/sdx-edge/templates/ocp-route.yaml sdx/chart/sdx-edge/templates/ocp_route.yaml renamed to sdx/chart/sdx-edge/templates/ocp-route.yaml

@@ -1,13 +1,14 @@
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
-  name: "{{ include "sdx-edge.fullname" . }}"
+  name: "{{- .Values.route.host }}"
   labels:
+    app.kubernetes.io/name: sdx-edge
+    app.kubernetes.io/component: app
     app.kubernetes.io/instance: "{{ include "sdx-edge.fullname" . }}"
-    app.kubernetes.io/name: kong
     data-plane: "{{ include "sdx-edge.fullname" . }}"
 spec:
-  host: "{{ .Values.route.host }}"
+  host: "{{- .Values.route.host }}"
   to:
     kind: Service
     name: "{{ include "sdx-edge.fullname" . }}"

sdx/chart/sdx-edge/templates/prometheus.yaml

@@ -15,6 +15,7 @@ spec:
   template:
     metadata:
       labels:
+        DataClass: Low
         app.kubernetes.io/name: prometheus
         app.kubernetes.io/component: server
     spec:

sdx/chart/sdx-edge/templates/secret.yaml

@@ -1,12 +1,3 @@
-kind: Secret
-apiVersion: v1
-metadata:
-  name: {{ include "sdx-edge.fullname" . }}-server
-data:
-  tls.crt: {{ .Values.tls.server.crt | b64enc | quote }}
-  tls.key: {{ .Values.tls.server.key | b64enc | quote }}
-type: kubernetes.io/tls
----
 {{ if .Values.tls.client.bootstrap.token }}
 kind: Secret
 apiVersion: v1
@@ -21,9 +12,9 @@ type: Opaque
 kind: Secret
 apiVersion: v1
 metadata:
-  name: sdx-edge-ca
+  name: sdx-public-ca
 data:
-  ca.crt: {{ .Values.tls.ca | b64enc | quote }}
+  ca.crt: {{ .Values.tls.public_ca | b64enc | quote }}
 type: Opaque
 ---
 kind: Secret