Merge pull request #37 from replicatedhq/gerard/sc-120411/nginx-letsencrypt

feat: add Nginx Ingress with TLS cert generated by LetsEncrypt + CertManager

Author: nvanthao

applications/fake-services/Makefile

@@ -23,6 +23,9 @@ helm-install-dry-run:
 helm-template:
 	helm template $(REPLICATED_APP) $(CHART_DIR)
 
+helm-template-with-values:
+	yq '.spec.values' replicated/kots-sample-config-values.yaml | helm template $(REPLICATED_APP) --values - $(CHART_DIR)
+
 helm-install:
 	helm install $(REPLICATED_APP) --debug --wait $(CHART_DIR)
 

applications/fake-services/app/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 4.11.3
 - name: replicated
   repository: oci://registry.replicated.com/library
-  version: 1.0.0-beta.31
-digest: sha256:c349fc2fe99276ed430877ef2a0cf0e05150cd27f6e4eae2d7bfe47733f64846
-generated: "2025-02-04T08:53:26.530341+11:00"
+  version: 1.1.1
+digest: sha256:6dd6d2b307511c54683f36157c6763aa55b9913b2717972e55feb6ef007797a0
+generated: "2025-03-05T13:09:57.471411+11:00"

applications/fake-services/app/Chart.yaml

@@ -26,4 +26,4 @@ dependencies:
     condition: ingress-nginx.enabled
   - name: replicated
     repository: oci://registry.replicated.com/library
-    version: 1.0.0-beta.31
+    version: 1.1.1

applications/fake-services/app/templates/certificate.yaml

@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "fake-service.name" . }}-cert
+spec:
+  secretName: {{ include "fake-service.name" . }}-tls
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days
+  subject:
+    organizations:
+      - Replicated
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  dnsNames:
+    - {{ .Values.ingress.host }}
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+    group: cert-manager.io 

applications/fake-services/app/templates/cluster-issuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+    - http01:
+        ingress:
+          class: nginx

applications/fake-services/app/templates/ingress.yaml

@@ -2,10 +2,17 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "fake-service.name" . }}-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
 spec:
   ingressClassName: nginx
+  tls:
+  - hosts:
+    - {{ .Values.ingress.host }}
+    secretName: {{ include "fake-service.name" . }}-tls
   rules:
-  - http:
+  - host: {{ .Values.ingress.host }}
+    http:
       paths:
       - path: /
         pathType: Prefix

applications/fake-services/app/values.yaml

@@ -7,14 +7,14 @@ image:
 
 frontend:
   name: "frontend"
-  message: "Hello from frontend!"
+  message: "New frontend update! This is the way!"
   serverType: "http"
   logLevel: "debug"
   port: 9090
 
 backend:
   name: "backend"
-  message: "Hello from backend!"
+  message: "New backend update"
   serverType: "http"
   logLevel: "debug"
   port: 9091
@@ -40,7 +40,8 @@ ingress-nginx:
     service:
       type: NodePort
       nodePorts:
-        http: 30080
+        http: 80
+        https: 443
   ingressClassResource:
     default: true
 
@@ -54,3 +55,6 @@ rqliteui:
 
 cert-manager:
   enabled: true
+
+ingress:
+  host: gerard-vm.testcluster.net

applications/fake-services/replicated/k8s-app.yaml

@@ -7,4 +7,4 @@ spec:
   descriptor:
     links:
       - description: Open App
-        url: https://repl{{ ConfigOption "hostname" }}:30080
+        url: https://repl{{ ConfigOption "hostname" }}

applications/fake-services/replicated/kots-chart.yaml

@@ -36,9 +36,19 @@ spec:
             image:
               registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "quirkyquokka.dev" }}'
               image: '{{repl HasLocalRegistry | ternary LocalRegistryNamespace "proxy/gerard-helm-fake-service/429114214526.dkr.ecr.ap-southeast-2.amazonaws.com/gerard" }}/kube-webhook-certgen'
+        service:
+          type: NodePort
+          nodePorts:
+            http: "80"
+            https: "443"
     rqliteui:
       image:
         registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "quirkyquokka.dev" }}'
         repository: '{{repl HasLocalRegistry | ternary LocalRegistryNamespace "proxy/gerard-helm-fake-service/429114214526.dkr.ecr.ap-southeast-2.amazonaws.com/gerard" }}/rqman'
         imagePullSecrets:
           - name: "{{repl ImagePullSecretName }}"
+    ingress:
+      host: '{{repl ConfigOption "hostname" }}'
+    replicated:
+      podLabels:
+        message: thisistheway

applications/fake-services/replicated/kots-ec.yaml

@@ -1,7 +1,7 @@
 apiVersion: embeddedcluster.replicated.com/v1beta1
 kind: Config
 spec:
-  version: 2.0.0+k8s-1.30
+  version: 2.1.2+k8s-1.30
   roles:
     controller:
       name: management
@@ -11,3 +11,10 @@ spec:
       - name: app
         labels:
           app: "true"
+  unsupportedOverrides:
+    k0s: |
+      config:
+        spec:
+          api:
+            extraArgs:
+              service-node-port-range: 80-32767