Merge pull request #234 from developmentseed/ingress-ssl

Ingress ssl

Author: Ruben L. Mendoza

osm-seed/README.md

@@ -29,6 +29,40 @@ You need to install `helm` onto your cluster, and make sure it has adequate perm
 
 With `minikube` as your cluster backend, this can be accomplished with `helm init`. Depending on your Kubernetes cluster backend, you may need some extra steps to ensure `helm` has adequate permissions on your cluster. See https://github.com/kubernetes/helm/blob/master/docs/rbac.md
 
+### Install dependencies on your cluster
+
+To handle domain routing and SSL, osm-seed needs the nginx ingress controller setup on the cluster as well as Lets Encrypt to handle SSL certificate generation.
+
+You can do this with:
+
+```sh
+    helm upgrade --install ingress-nginx ingress-nginx \
+  --repo https://kubernetes.github.io/ingress-nginx \
+  --namespace ingress-nginx --create-namespace
+```
+
+or install using `kubectl`
+
+```sh
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml
+```
+
+For more options and cloud-specific instructions, see: https://kubernetes.github.io/ingress-nginx/deploy/
+
+To install the Lets Encrypt `cert-manager` helm chart:
+
+```sh
+    helm repo add jetstack https://charts.jetstack.io
+    helm repo update
+    helm install \
+        cert-manager jetstack/cert-manager \
+        --namespace cert-manager \
+        --create-namespace \
+        --version v1.7.1 \
+        --set installCRDs=true
+```
+For further information: https://cert-manager.io/docs/installation/helm/
+
 ### Install osm-seed onto your cluster
 
 Look at the [`values.yaml`](osm-seed/values.yaml) file in the `osm-seed` sub-folder to see the various configuration options and values that you need to configure for your installation. Then create a `myvalues.yaml` file, where you can over-ride any of the values defined in `values.yaml`.

osm-seed/templates/NOTES.txt

@@ -1,9 +1,5 @@
 1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
-{{- end }}
-{{- else if contains "minikube" .Values.cloudProvider }}
+{{- if contains "minikube" .Values.cloudProvider }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "osm-seed.fullname" . }}-web)
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
@@ -17,4 +13,4 @@
            You can watch the status of by running 'kubectl get svc -w {{ template "osm-seed.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "osm-seed.fullname" . }}-web -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
   echo http://$SERVICE_IP
-{{- end }}
+{{- end }}

osm-seed/templates/ingress.yaml

@@ -0,0 +1,26 @@
+{{- if eq .Values.serviceType "ClusterIP" }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+    name: letsencrypt-prod-issuer
+spec:
+    acme:
+        # You must replace this email address with your own.
+        # Let's Encrypt will use this to contact you about expiring
+        # certificates, and issues related to your account.
+        email: {{ .Values.adminEmail }}
+        # ACME server URL for Let’s Encrypt’s staging environment.
+        # Specify custom server here (https://acme-staging-v02.api.letsencrypt.org/directory)
+        # to hit staging LE
+        server: https://acme-v02.api.letsencrypt.org/directory
+        privateKeySecretRef:
+        # Secret resource used to store the account's private key.
+            name: letsencrypt-issuer-key
+        # Enable the HTTP-01 challenge provider
+        # you prove ownership of a domain by ensuring that a particular
+        # file is present at the domain
+        solvers:
+        - http01:
+            ingress:
+                class: nginx
+{{- end }}

osm-seed/templates/letsencrypt-issuer.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.nominatimApi.enabled (eq .Values.serviceType "ClusterIP") }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "osm-seed.fullname" . }}-ingress-nominatim-api
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
+spec:
+  tls:
+    - hosts:
+      - nominatim.{{ .Values.domain }}
+      secretName: {{ template "osm-seed.fullname" . }}-secret-nominatim
+
+  rules:
+  - host: nominatim.{{ .Values.domain }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ template "osm-seed.fullname" . }}-nominatim-api
+            port:
+              number: 80
+{{- end }}

osm-seed/templates/nominatim-api/nominatim-api-ingress.yaml

@@ -8,34 +8,29 @@ metadata:
     component: nominatim-api-service
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
-  {{- if eq .Values.cloudProvider "aws" }}
   annotations:
-    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
-    {{- if .Values.AWS_SSL_ARN }}
+    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    {{- end }}
+    {{- if eq .Values.serviceType "ClusterIP" }}
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
+    {{- else }}
+    fake.annotation: fake
+    {{- end }}
+    {{- with .Values.nominatimApi.serviceAnnotations }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- end }}
 spec:
-  # In case cloudProvider=aws
-  {{- if eq .Values.cloudProvider "aws" }}
-  type: LoadBalancer
-  {{- end }}
-  # In case cloudProvider=gcp
-  {{- if eq .Values.cloudProvider "gcp" }}
-  type: LoadBalancer
-  {{- end }}
-  # In case cloudProvider=minikube
-  {{- if eq .Values.cloudProvider "minikube" }}
-  type: NodePort
-  {{- end }}
+  type: {{ .Values.serviceType }}
   ports:
-    - port: 8080
+    - port: 80
       targetPort: http
       protocol: TCP
       name: http
-  {{- if .Values.AWS_SSL_ARN }} #FIXME: make generic
+  {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
     - port: 443
       targetPort: http
       protocol: TCP

osm-seed/templates/nominatim-api/nominatim-api-service.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.overpassApi.enabled (eq .Values.serviceType "ClusterIP") }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "osm-seed.fullname" . }}-ingress-overpass-api
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
+spec:
+  tls:
+    - hosts:
+      - overpass.{{ .Values.domain }}
+      secretName: {{ template "osm-seed.fullname" . }}-secret-overpass
+
+  rules:
+  - host: overpass.{{ .Values.domain }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ template "osm-seed.fullname" . }}-overpass-api
+            port:
+              number: 80
+{{- end }}

osm-seed/templates/overpass-api/overpass-api-ingress.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.tilerServer.enabled -}}
+{{- if .Values.overpassApi.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -8,37 +8,33 @@ metadata:
     component: overpass-api-service
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
-  {{- if eq .Values.cloudProvider "aws" }}
   annotations:
-    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
-    {{- if .Values.AWS_SSL_ARN }}
+    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    {{- end }}
+    {{- if eq .Values.serviceType "ClusterIP" }}
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
+    {{- else }}
+    fake.annotation: fake
+    {{- end }}
+    {{- with .Values.overpassApi.serviceAnnotations }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- end }}
 spec:
-  # In case cloudProvider=aws
-  {{- if eq .Values.cloudProvider "aws" }}
-  type: LoadBalancer
-  {{- end }}
-  # In case cloudProvider=gcp
-  {{- if eq .Values.cloudProvider "gcp" }}
-  type: LoadBalancer
-  {{- end }}
-  # In case cloudProvider=minikube
-  {{- if eq .Values.cloudProvider "minikube" }}
-  type: NodePort
-  {{- end }}
+  type: {{ .Values.serviceType }}
   ports:
     - port: 80
-      targetPort: 80
+      targetPort: http
       protocol: TCP
       name: http
-  {{- if .Values.AWS_SSL_ARN }}
+  {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
     - port: 443
       targetPort: http
       protocol: TCP
-      name: https      
+      name: https
   {{- end }}
 
   selector:

osm-seed/templates/overpass-api/overpass-api-service.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.taginfo.enabled (eq .Values.serviceType "ClusterIP") }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "osm-seed.fullname" . }}-ingress-taginfo-api
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
+spec:
+  tls:
+    - hosts:
+      - taginfo.{{ .Values.domain }}
+      secretName: {{ template "osm-seed.fullname" . }}-secret-taginfo
+
+  rules:
+  - host: taginfo.{{ .Values.domain }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ template "osm-seed.fullname" . }}-taginfo
+            port:
+              number: 80
+{{- end }}

osm-seed/templates/taginfo/taginfo-ingress.yaml

@@ -8,34 +8,29 @@ metadata:
     component: taginfo-service
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
-  {{- if eq .Values.cloudProvider "aws" }}
   annotations:
-    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
-    {{- if .Values.AWS_SSL_ARN }}
+    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    {{- end }}
+    {{- if eq .Values.serviceType "ClusterIP" }}
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
+    {{- else }}
+    fake.annotation: fake
+    {{- end }}
+    {{- with .Values.taginfo.serviceAnnotations }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- end }}
 spec:
-  # In case cloudProvider=aws
-  {{- if eq .Values.cloudProvider "aws" }}
-  type: LoadBalancer
-  {{- end }}
-  # In case cloudProvider=gcp
-  {{- if eq .Values.cloudProvider "gcp" }}
-  type: LoadBalancer
-  {{- end }}
-  # In case cloudProvider=minikube
-  {{- if eq .Values.cloudProvider "minikube" }}
-  type: NodePort
-  {{- end }}
+  type: {{ .Values.serviceType }}
   ports:
     - port: 80
       targetPort: http
       protocol: TCP
       name: http
-  {{- if .Values.AWS_SSL_ARN }} #FIXME: make generic
+  {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
     - port: 443
       targetPort: http
       protocol: TCP