feat: use Acme Lets Encrypt cluster issuer for TLS in Hedera Explorer (…

…#677)

Signed-off-by: Jeromy Cannon <[email protected]>

charts/fullstack-deployment/charts/acme-cluster-issuer/templates/production.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: {{ .Values.issuers.production.name }}
+  name: {{ tpl .Values.issuers.production.name $ }}
   namespace: cert-manager
   {{- with .Values.issuers.annotations }}
   annotations:
@@ -12,15 +12,22 @@ spec:
     server: https://acme-v02.api.letsencrypt.org/directory
     email: {{ .Values.issuers.production.email }}
     privateKeySecretRef:
-      name: {{ .Values.issuers.production.name }}
+      name: {{ tpl .Values.issuers.production.name $ }}
     solvers:
       {{- if .Values.solvers.http01.enabled }}
       - http01:
           {{- if .Values.solvers.http01.solverType | eq "ingress" }}
           ingress:
             {{- with .Values.solvers.http01.ingress }}
-            name: {{ .name }}
-            class: {{ .class }}
+            {{- with .name }}
+            name: {{ . }}
+            {{- end }}
+            {{- with .class }}
+            class: {{ . }}
+            {{- end }}
+            {{- with $.Values.global.ingressClassName }}
+            ingressClassName: {{ . }}
+            {{- end }}
             serviceType: {{ .serviceType }}
             {{- end }}
           {{- end }}

charts/fullstack-deployment/charts/acme-cluster-issuer/templates/staging.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: {{ .Values.issuers.staging.name }}
+  name: {{ tpl .Values.issuers.staging.name $ }}
   namespace: cert-manager
   {{- with .Values.issuers.annotations }}
   annotations:
@@ -12,15 +12,22 @@ spec:
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     email: {{ .Values.issuers.staging.email }}
     privateKeySecretRef:
-      name: {{ .Values.issuers.staging.name }}
+      name: {{ tpl .Values.issuers.staging.name $ }}
     solvers:
       {{- if .Values.solvers.http01.enabled }}
       - http01:
           {{- if .Values.solvers.http01.solverType | eq "ingress" }}
           ingress:
             {{- with .Values.solvers.http01.ingress }}
-            name: {{ .name }}
-            class: {{ .class }}
+            {{- with .name }}
+            name: {{ . }}
+            {{- end }}
+            {{- with .class }}
+            class: {{ . }}
+            {{- end }}
+            {{- with $.Values.global.ingressClassName }}
+            ingressClassName: {{ . }}
+            {{- end }}
             serviceType: {{ .serviceType }}
             {{- end }}
           {{- end }}

charts/fullstack-deployment/charts/acme-cluster-issuer/values.yaml

@@ -1,3 +1,7 @@
+global:
+  namespaceOverride: ""
+  ingressClassName: ""
+
 issuers:
   annotations:
   staging:

charts/fullstack-deployment/charts/hedera-explorer/templates/ingress.yaml

@@ -13,8 +13,8 @@ metadata:
   name: {{ $fullName }}
   namespace: {{ include "hedera-explorer.namespace" . }}
 spec:
-  {{- with .Values.ingress.className }}
-  ingressClassName: {{ . }}
+  {{- if or $.Values.global.ingressClassName .Values.ingress.className }}
+  ingressClassName: {{ $.Values.global.ingressClassName | default .Values.ingress.className }}
   {{- end }}
   rules:
   {{- range .Values.ingress.hosts }}
@@ -36,7 +36,7 @@ spec:
     {{- range . }}
     - hosts:
         {{- range .hosts }}
-        - {{ . | quote }}
+        - {{ tpl . $ | quote }}
         {{- end }}
       secretName: {{ .secretName }}
     {{- end }}

charts/fullstack-deployment/charts/hedera-explorer/values.yaml

@@ -41,6 +41,7 @@ fullnameOverride: ""
 
 global:
   namespaceOverride: ""
+  ingressClassName: "" # if set, takes precedence over the .Values.ingress.className
 
 image:
   pullPolicy: IfNotPresent

charts/fullstack-deployment/templates/cert-manager/certificate-requests.yaml

@@ -1,21 +1,27 @@
-{{- if $.Values.cloud.selfSignedClusterIssuer.enabled }}
+{{- if or $.Values.cloud.selfSignedClusterIssuer.enabled (index $.Values "hedera-explorer" "certClusterIssuerType" | ne "self-signed" ) }}
 {{- if index $.Values "hedera-explorer" "enabled" | eq true }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: self-signed-ca-secret-hedera-explorer
+  name: ca-secret-hedera-explorer
   namespace: {{ default $.Release.Namespace $.Values.global.namespaceOverride }}
 spec:
   isCA: false
-  commonName: {{ $.Values.deployment.hederaExplorer.hostname }}
+  commonName: {{ index $.Values "hedera-explorer" "ingress" "hosts" 0 "host" }}
   dnsNames:
-    - {{ $.Values.deployment.hederaExplorer.hostname }}
-  secretName: self-signed-ca-secret-hedera-explorer
+    - {{ index $.Values "hedera-explorer" "ingress" "hosts" 0 "host" }}
+  secretName: ca-secret-hedera-explorer
   privateKey:
     algorithm: RSA
     size: 3072
   issuerRef:
-    name: fst-self-signed-cluster-issuer
+    {{- if index .Values "hedera-explorer" "certClusterIssuerType" | eq "self-signed"}}
+    name: {{ tpl (index .Values "hedera-explorer" "selfSignedCertClusterIssuer") . }}
+    {{- else if index .Values "hedera-explorer" "certClusterIssuerType" | eq "acme-staging" }}
+    name: {{ tpl (index .Values "acme-cluster-issuer" "issuers" "staging" "name") . }}
+    {{- else if index .Values "hedera-explorer" "certClusterIssuerType" | eq "acme-prod" }}
+    name: {{ tpl (index .Values "acme-cluster-issuer" "issuers" "production" "name") . }}
+    {{- end }}
     kind: ClusterIssuer
     group: cert-manager.io
 {{- end }}

charts/fullstack-deployment/templates/cert-manager/cluster-issuer.yaml

@@ -2,7 +2,7 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: fst-self-signed-cluster-issuer
+  name: {{ tpl (index .Values "hedera-explorer" "selfSignedCertClusterIssuer") . }}
   namespace: cert-manager
   annotations:
     helm.sh/hook: post-install

charts/fullstack-deployment/templates/ingress/ingress-class.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
-  name: {{ index $.Values "hedera-explorer" "ingress" "className" }}
+  name: {{ .Values.global.ingressClassName }}
 spec:
   controller: haproxy-ingress.github.io/controller
 {{- end }}

charts/fullstack-deployment/values.yaml

@@ -2,6 +2,7 @@
 
 global:
   namespaceOverride: ""
+  ingressClassName: "hedera-explorer-ingress-class" # override for multiple deployments within the same cluster and make unique per cluster
 
 # cloud configuration
 cloud:
@@ -46,16 +47,13 @@ acme-cluster-issuer:
   issuers:
     staging:
       email: ""
-      name: fst-letsencrypt-staging
+      name: '{{ .Values.global.namespaceOverride | default .Release.Namespace | printf "%s-letsencrypt-staging" }}'
     production:
       email: ""
-      name: fst-letsencrypt-prod
+      name: '{{ .Values.global.namespaceOverride | default .Release.Namespace | printf "%s-letsencrypt-prod" }}'
   solvers: # TODO change in: https://github.com/hashgraph/full-stack-testing/issues/631
     http01:
-      solverType: "gatewayHTTPRoute"
-      gatewayHTTPRoute:
-        name: "fst" # needs to match gatewayApi.gateway.name in this values.yaml file
-        namespace: "{{ tpl (.Values.global.namespaceOverride | toString) }}"
+      solverType: "ingress"
 
 # default settings for a single node
 # This default configurations can be overridden for each node in the hedera.nodes section.
@@ -370,18 +368,20 @@ haproxy-ingress:
 # hedera-mirror-node-explorer configuration
 hedera-explorer:
   enabled: true
+  # leave blank to use default, set if you have multiple deployments in a cluster to make it unique
+  selfSignedCertClusterIssuer: '{{ .Values.global.namespaceOverride | default .Release.Namespace | printf "%s-self-signed-cluster-issuer" }}'
+  certClusterIssuerType: "self-signed" # "acme-staging", "acme-prod", or "self-signed"
   ingress:
     enabled: false
-    className: "hedera-explorer-ingress-class" # override for multiple deployments within the same cluster
     hosts:
       - host: "explorer.fst.local"
         paths:
           - path: /
             pathType: Prefix
     tls:
-      - secretName: self-signed-ca-secret-hedera-explorer # TODO update
+      - secretName: ca-secret-hedera-explorer
         hosts:
-          - "explorer.fst.local"
+          - '{{ index .Values.ingress.hosts 0 "host" }}'
   labels:
     fullstack.hedera.com/testSuiteName: ""
     fullstack.hedera.com/testName: ""
@@ -400,7 +400,7 @@ hedera-explorer:
       value: "network"
       effect: "NoSchedule"
   global:
-    namespaceOverride: "{{ tpl (.Values.global.namespaceOverride | toString) }}"
+    namespaceOverride: "{{ .Values.global.namespaceOverride }}"
   # The hedera explorer UI /api url will proxy  all request to mirror node
   #
   # Without this we would need to expose the mirror node rest API publicly and specify its public url in the network config below
@@ -422,8 +422,6 @@ hedera-explorer:
 
 # common deployment configuration
 deployment:
-  hederaExplorer:
-    hostname: "explorer.fst.local" # TODO remove duplication
   podAnnotations: {}
   podLabels: {}
   nodeSelector: {}