diff --git a/platforms/r3-corda-ent/charts/float/templates/service.yaml b/platforms/r3-corda-ent/charts/float/templates/service.yaml index 749041d0589..27dfa27daad 100644 --- a/platforms/r3-corda-ent/charts/float/templates/service.yaml +++ b/platforms/r3-corda-ent/charts/float/templates/service.yaml @@ -10,24 +10,6 @@ kind: Service metadata: name: {{ .Values.nodeName }} namespace: {{ .Values.metadata.namespace }} - annotations: - getambassador.io/config: | - --- - apiVersion: ambassador/v2 - kind: TCPMapping - name: {{ .Values.nodeName }}_{{ .Values.peerName }}_p2p_mapping - port: {{ .Values.ambassador.p2pPort }} - host: {{ .Values.nodeName }}.{{ .Values.peerName }}.{{ .Values.ambassador.external_url_suffix }} - service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.node.p2pPort }} - tls: false - --- - apiVersion: ambassador/v2 - kind: TCPMapping - name: {{ .Values.nodeName }}_{{ .Values.peerName }}_tunnel_mapping - port: {{ .Values.ambassador.tunnelPort }} - host: {{ .Values.nodeName }}.{{ .Values.peerName }}.{{ .Values.ambassador.external_url_suffix }} - service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.bridge.tunnelPort }} - tls: false labels: run: {{ .Values.nodeName }} app.kubernetes.io/name: {{ .Values.nodeName }} 
@@ -50,3 +32,23 @@ spec: protocol: TCP port: {{ .Values.node.p2pPort }} targetPort: {{ .Values.node.p2pPort }} +{{- if $.Values.ambassador }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: TCPMapping +metadata: + name: {{ .Values.nodeName }}-{{ .Values.peerName }}-p2p + namespace: {{ .Values.metadata.namespace }} +spec: + port: {{ .Values.ambassador.p2pPort }} + service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.node.p2pPort }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: TCPMapping +metadata: + name: {{ .Values.nodeName }}-{{ .Values.peerName }}-tunnel + namespace: {{ .Values.metadata.namespace }} +spec: + port: {{ .Values.ambassador.tunnelPort }} + service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.node.p2pPort }} +{{- end }} diff --git a/platforms/r3-corda-ent/charts/gateway/templates/service.yaml b/platforms/r3-corda-ent/charts/gateway/templates/service.yaml index 17d94970545..38644502172 100644 --- a/platforms/r3-corda-ent/charts/gateway/templates/service.yaml +++ b/platforms/r3-corda-ent/charts/gateway/templates/service.yaml 
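Review bot: The tunnel TCPMapping's `service:` line now targets `{{ .Values.node.p2pPort }}`, whereas the annotation it replaces pointed the tunnel at `{{ .Values.bridge.tunnelPort }}`, so both mappings forward to the same upstream port and the bridge tunnel listener is no longer reachable through Ambassador. Unless the two ports were deliberately unified elsewhere, the second mapping should read `service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.bridge.tunnelPort }}`. Dropping `host:` from both mappings means routing is now by listener port alone with the TCP stream passed through untouched, which appears to be the intent for a Corda float; a one-line comment such as `# TCP/TLS passthrough: Corda's own p2p and tunnel TLS terminates at the float` would stop a later reader re-adding a TLSContext here. The Service's port list in the hunk context shows only the p2p port, so whether the tunnel port is exposed on the Service is outside this hunk.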
@@ -10,26 +10,6 @@ kind: Service metadata: name: {{ .Values.nodeName }} namespace: {{ .Values.metadata.namespace }} - {{ if $.Values.ambassador }} - annotations: - getambassador.io/config: | - --- - apiVersion: ambassador/v2 - kind: TCPMapping - name: {{ .Values.nodeName }}-http - port: {{ .Values.ambassador.port }} - host: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} - service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.port }} - --- - apiVersion: ambassador/v2 - kind: TLSContext - name: {{ .Values.nodeName }}_mapping_tlscontext - hosts: - - {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} - secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} - secret_namespacing: true - min_tls_version: v1.2 - {{ end }} labels: run: {{ .Values.nodeName }} app.kubernetes.io/name: {{ .Values.nodeName }} 
@@ -45,3 +25,44 @@ spec: protocol: TCP selector: app: {{ .Values.nodeName }} +{{ if $.Values.ambassador }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: Host +metadata: + name: {{ .Values.nodeName }}-host +spec: + hostname: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + acmeProvider: + authority: none + requestPolicy: + insecure: + action: Reject + tlsSecret: + name: {{ .Values.nodeName }}-ambassador-certs + namespace: {{ .Values.metadata.namespace }} + tls: + min_tls_version: v1.2 +--- +apiVersion: getambassador.io/v3alpha1 +kind: TCPMapping +metadata: + name: {{ .Values.nodeName }}-https + namespace: {{ .Values.metadata.namespace }} +spec: + host: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + port: {{ .Values.ambassador.port }} + service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.port }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: TLSContext +metadata: + name: {{ .Values.nodeName }}-tlscontext + namespace: {{ .Values.metadata.namespace }} +spec: + hosts: + - {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} + secret_namespacing: true + min_tls_version: v1.2 +{{- end }} diff --git a/platforms/r3-corda-ent/charts/idman/templates/service.yaml b/platforms/r3-corda-ent/charts/idman/templates/service.yaml index 78294847597..89d317db57b 100644 --- a/platforms/r3-corda-ent/charts/idman/templates/service.yaml +++ b/platforms/r3-corda-ent/charts/idman/templates/service.yaml 
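Review bot: The Host's `metadata:` has no `namespace:` while the TCPMapping and TLSContext below it set `namespace: {{ .Values.metadata.namespace }}`, so the Host lands in the Helm release namespace and the three objects for one hostname are split across namespaces whenever the release namespace differs from `.Values.metadata.namespace`; add `namespace: {{ .Values.metadata.namespace }}` under the Host's metadata. The Host also carries its own `tlsSecret` and `tls.min_tls_version` yet never references the TLSContext through `spec.tlsContext`, so the two read as parallel TLS configurations for the same hostname held together only by hostname matching; if the TLSContext is meant to govern this Host, `tlsContext: {name: {{ .Values.nodeName }}-tlscontext}` under the Host spec makes that explicit, otherwise one of the two is redundant. `requestPolicy.insecure.action: Reject` is a genuine improvement over the replaced annotation, which set no insecure-request policy at all.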
@@ -9,27 +9,6 @@ kind: Service metadata: name: {{ .Values.nodeName }} namespace: {{ .Values.metadata.namespace }} - {{ if $.Values.ambassador }} - annotations: - getambassador.io/config: | - --- - apiVersion: ambassador/v2 - kind: Mapping - name: {{ .Values.nodeName }}-https - prefix: / - host: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} - service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.external.port }} - tls: false - --- - apiVersion: ambassador/v2 - kind: TLSContext - name: {{ .Values.nodeName }}_mapping_tlscontext - hosts: - - {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} - secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} - secret_namespacing: true - min_tls_version: v1.2 - {{ end }} labels: run: {{ .Values.nodeName }} app.kubernetes.io/name: {{ .Values.nodeName }} 
@@ -60,3 +39,44 @@ spec: targetPort: {{ .Values.service.adminListener.port }} protocol: TCP name: adminlistener +{{ if $.Values.ambassador }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: Host +metadata: + name: {{ .Values.nodeName }}-host +spec: + hostname: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + acmeProvider: + authority: none + requestPolicy: + insecure: + action: Reject + tlsSecret: + name: {{ .Values.nodeName }}-ambassador-certs + namespace: {{ .Values.metadata.namespace }} + tls: + min_tls_version: v1.2 +--- +apiVersion: getambassador.io/v3alpha1 +kind: Mapping +metadata: + name: {{ .Values.nodeName }}-https + namespace: {{ .Values.metadata.namespace }} +spec: + host: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + prefix: / + service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.external.port }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: TLSContext +metadata: + name: {{ .Values.nodeName }}-tlscontext + namespace: {{ .Values.metadata.namespace }} +spec: + hosts: + - {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} + secret_namespacing: true + min_tls_version: v1.2 +{{- end }} diff --git a/platforms/r3-corda-ent/charts/nmap/templates/service.yaml b/platforms/r3-corda-ent/charts/nmap/templates/service.yaml index cfd0e9505ab..a60b86dad7d 100644 --- a/platforms/r3-corda-ent/charts/nmap/templates/service.yaml +++ b/platforms/r3-corda-ent/charts/nmap/templates/service.yaml 
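Review bot: The Host here omits `metadata.namespace` although the Mapping and TLSContext in the same hunk pin `namespace: {{ .Values.metadata.namespace }}`; add the same line to the Host so all three objects for `{{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }}` are created and removed together rather than the Host trailing in the release namespace. The Mapping keeps the v2-era `host:` field; in the v3alpha1 Mapping schema `hostname:` is the documented spelling (`host` is still honoured as an exact match on current Emissary releases, as far as I can tell), so `hostname: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }}` would line up with the `hostname:` already used on the Host. `prefix: /` still exposes the whole external listener, exactly as the replaced annotation did, so nothing new is reachable.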
@@ -10,27 +10,6 @@ kind: Service metadata: name: {{ .Values.nodeName }} namespace: {{ .Values.metadata.namespace }} - {{ if $.Values.ambassador }} - annotations: - getambassador.io/config: | - --- - apiVersion: ambassador/v2 - kind: Mapping - name: {{ .Values.nodeName }}-https - prefix: / - host: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} - service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.external.port }} - tls: false - --- - apiVersion: ambassador/v2 - kind: TLSContext - name: {{ .Values.nodeName }}_mapping_tlscontext - hosts: - - {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} - secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} - secret_namespacing: true - min_tls_version: v1.2 - {{ end }} labels: run: {{ .Values.nodeName }} app.kubernetes.io/name: {{ .Values.nodeName }} 
@@ -57,3 +36,44 @@ spec: targetPort: {{ .Values.service.adminListener.port }} protocol: TCP name: adminlistener +{{ if $.Values.ambassador }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: Host +metadata: + name: {{ .Values.nodeName }}-host +spec: + hostname: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + acmeProvider: + authority: none + requestPolicy: + insecure: + action: Reject + tlsSecret: + name: {{ .Values.nodeName }}-ambassador-certs + namespace: {{ .Values.metadata.namespace }} + tls: + min_tls_version: v1.2 +--- +apiVersion: getambassador.io/v3alpha1 +kind: Mapping +metadata: + name: {{ .Values.nodeName }}-https + namespace: {{ .Values.metadata.namespace }} +spec: + host: {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + prefix: / + service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.external.port }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: TLSContext +metadata: + name: {{ .Values.nodeName }}-tlscontext + namespace: {{ .Values.metadata.namespace }} +spec: + hosts: + - {{ .Values.nodeName }}.{{ .Values.ambassador.external_url_suffix }} + secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} + secret_namespacing: true + min_tls_version: v1.2 +{{- end }} diff --git a/platforms/r3-corda-ent/charts/node/templates/service.yaml b/platforms/r3-corda-ent/charts/node/templates/service.yaml index dbab181a702..c509f58ad51 100644 --- a/platforms/r3-corda-ent/charts/node/templates/service.yaml +++ b/platforms/r3-corda-ent/charts/node/templates/service.yaml 
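Review bot: As in the idman chart in this same change, the Host's metadata is missing `namespace: {{ .Values.metadata.namespace }}` while the Mapping and TLSContext set it; add it so the Host is not left in whatever namespace the release happens to use. The `{{ if $.Values.ambassador }}` opener has no left-trim while the closing `{{- end }}` does, which renders a stray blank line after the last Service port; harmless to the YAML parser, but `{{- if $.Values.ambassador }}` would match the float, node and notary templates. The Mapping's `host:` could likewise become `hostname:` to use the same field name the Host resource uses.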
@@ -9,26 +9,6 @@ kind: Service metadata: name: {{ .Values.nodeName }} namespace: {{ .Values.metadata.namespace }} - {{ if and ($.Values.nodeConf.ambassador.p2pAddress) (eq .Values.firewall.enabled false) }} - annotations: - getambassador.io/config: | - --- - apiVersion: ambassador/v2 - kind: TLSContext - name: {{ .Values.nodeName }}_context - hosts: - - {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} - secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} - secret_namespacing: true - min_tls_version: v1.2 - --- - apiVersion: ambassador/v2 - kind: TCPMapping - name: {{ .Values.nodeName }}_p2p_mapping - port: {{ .Values.nodeConf.ambassador.p2pPort }} - host: {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} - service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.p2pPort }} - {{ end }} labels: run: {{ .Values.nodeName }} app.kubernetes.io/name: {{ .Values.nodeName }} 
@@ -58,3 +38,44 @@ spec: targetPort: {{ .Values.service.ssh.sshdPort }} protocol: TCP name: ssh +{{- if and ($.Values.nodeConf.ambassador.p2pAddress) (eq .Values.firewall.enabled false) }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: Host +metadata: + name: {{ .Values.nodeName }}-host +spec: + hostname: {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} + acmeProvider: + authority: none + requestPolicy: + insecure: + action: Reject + tlsSecret: + name: {{ .Values.nodeName }}-ambassador-certs + namespace: {{ .Values.metadata.namespace }} + tls: + min_tls_version: v1.2 +--- +apiVersion: getambassador.io/v3alpha1 +kind: TCPMapping +metadata: + name: {{ .Values.nodeName }}-p2p + namespace: {{ .Values.metadata.namespace }} +spec: + host: {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} + port: {{ .Values.nodeConf.ambassador.p2pPort }} + service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.p2pPort }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: TLSContext +metadata: + name: {{ .Values.nodeName }}-tlscontext + namespace: {{ .Values.metadata.namespace }} +spec: + hosts: + - {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} + secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} + secret_namespacing: true + min_tls_version: v1.2 +{{- end }} diff --git a/platforms/r3-corda-ent/charts/notary/templates/service.yaml b/platforms/r3-corda-ent/charts/notary/templates/service.yaml index 09f1fad4e10..d4caabccfb2 100644 --- a/platforms/r3-corda-ent/charts/notary/templates/service.yaml +++ b/platforms/r3-corda-ent/charts/notary/templates/service.yaml 
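Review bot: The Host lacks `metadata.namespace` while the TCPMapping and TLSContext set `namespace: {{ .Values.metadata.namespace }}`; add the same line to the Host so the three objects stay in one namespace. Because the TCPMapping sets `host:`, Ambassador routes this port by SNI and terminates TLS with `{{ .Values.nodeName }}-ambassador-certs` before forwarding plaintext to the node's p2p port, so the certificate in that secret presumably has to be the one peers expect for this node's P2P address; the replaced annotation behaved the same way, but a comment above the TCPMapping such as `# SNI-routed; TLS is terminated at Ambassador with the node's ambassador cert` would make that trust boundary explicit. The `if and (...p2pAddress) (eq .Values.firewall.enabled false)` guard is carried over unchanged from the old annotation.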
@@ -9,26 +9,6 @@ kind: Service metadata: name: {{ .Values.nodeName }} namespace: {{ .Values.metadata.namespace }} - {{ if $.Values.nodeConf.ambassador }} - annotations: - getambassador.io/config: | - --- - apiVersion: ambassador/v2 - kind: TLSContext - name: {{ .Values.nodeName }}_context - hosts: - - {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} - secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} - secret_namespacing: true - min_tls_version: v1.2 - --- - apiVersion: ambassador/v2 - kind: TCPMapping - name: {{ .Values.nodeName }}_p2p_mapping - port: {{ .Values.nodeConf.ambassador.p2pPort }} - host: {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} - service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.p2pPort }} - {{ end }} labels: run: {{ .Values.nodeName }} app.kubernetes.io/name: {{ .Values.nodeName }} 
@@ -58,3 +38,44 @@ spec: targetPort: {{ .Values.service.sshdPort }} protocol: TCP name: ssh +{{- if $.Values.nodeConf.ambassador }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: Host +metadata: + name: {{ .Values.nodeName }}-host +spec: + hostname: {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} + acmeProvider: + authority: none + requestPolicy: + insecure: + action: Reject + tlsSecret: + name: {{ .Values.nodeName }}-ambassador-certs + namespace: {{ .Values.metadata.namespace }} + tls: + min_tls_version: v1.2 +--- +apiVersion: getambassador.io/v3alpha1 +kind: TCPMapping +metadata: + name: {{ .Values.nodeName }}-p2p + namespace: {{ .Values.metadata.namespace }} +spec: + host: {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} + port: {{ .Values.nodeConf.ambassador.p2pPort }} + service: {{ .Values.nodeName }}.{{ .Values.metadata.namespace }}:{{ .Values.service.p2pPort }} +--- +apiVersion: getambassador.io/v3alpha1 +kind: TLSContext +metadata: + name: {{ .Values.nodeName }}-tlscontext + namespace: {{ .Values.metadata.namespace }} +spec: + hosts: + - {{ .Values.nodeName }}.{{ .Values.nodeConf.ambassador.external_url_suffix }} + secret: {{ .Values.nodeName }}-ambassador-certs.{{ .Values.metadata.namespace }} + secret_namespacing: true + min_tls_version: v1.2 +{{- end }} diff --git a/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml index 89d546708bb..9d7734419fa 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/setup/cenm/tasks/main.yaml @@ -52,7 +52,7 @@ include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" vars: - component_name: "{{ org.name }}-ent" + component_name: "{{ org.name | lower }}-vaultk8s-job" component_auth: "cordaent{{ org.name | lower }}" component_type: "{{ org.type | lower }}" 
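Review bot: Same gap as the node chart: the Host has no `metadata.namespace` while the TCPMapping and TLSContext below set `namespace: {{ .Values.metadata.namespace }}`, so add `namespace: {{ .Values.metadata.namespace }}` to the Host's metadata. The notary's guard is `{{- if $.Values.nodeConf.ambassador }}` with no firewall check, unlike the node template's `and (...p2pAddress) (eq .Values.firewall.enabled false)`; if a notary can also sit behind a bridge/float, the same condition is needed here, otherwise a comment stating that notaries are always exposed directly through Ambassador would settle it. That difference predates this commit; only the CRD form changed here.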
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml b/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml index 5c135e156a1..78ea74cec93 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml +++ b/platforms/r3-corda-ent/configuration/roles/setup/node/tasks/main.yaml @@ -54,33 +54,33 @@ when: org.firewall.enabled # ---------------------------------------------------------------------- -# create vault access policies +# Create vault access policies - name: "Setup vault access for nodes" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" vars: - component_name: "{{ org.name | lower }}-ent" + component_name: "{{ org.name | lower }}-vaultk8s-job" component_auth: "cordaent{{ org.name | lower }}" component_type: "{{ org.type | lower }}" -# create float vault access policies +# Create float vault access policies - name: "Setup vault access for float" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" vars: - component_name: "{{ org.name | lower }}-ent" + component_name: "{{ org.name | lower }}-vaultk8s-job" component_auth: "cordaent{{ org.name | lower }}float" component_type: "{{ org.type | lower }}" vault: "{{ org.services.float.vault }}" when: org.firewall.enabled # ---------------------------------------------------------------------- -# # create float vault access policies for the float cluster +# Create float vault access policies for the float cluster - name: "Setup vault access for float" include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" vars: - component_name: "{{ org.name | lower }}-ent" + component_name: "{{ org.name | lower }}-vaultk8s-job" component_auth: "cordaentfloat{{ org.name | lower }}" component_type: "{{ org.type | lower }}" vault: "{{ org.services.float.vault }}" 
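Review bot: All three `include_role` calls in this file now pass the same `component_name: "{{ org.name | lower }}-vaultk8s-job"` and differ only in `component_auth` (and, for the float ones, `vault:`); if the shared vault_kubernetes role derives a Kubernetes Job or Vault object name from `component_name`, the second and third invocations for one org reuse the first one's name, so it is worth confirming the role replaces or waits on an existing Job instead of failing on a name clash. The third invocation targets `org.services.float.vault`, which may be a separate Vault and cluster, so any clash there would be across clusters rather than within one. The comment above the second task still reads `# Create float vault access policies`; `# Create float vault access policies (node cluster)` would distinguish it from the third task's `(float cluster)`. The old value `{{ org.name | lower }}-ent` is no longer referenced, so anything the role previously created under that name is left behind for operators to clean up.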
diff --git a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_node.yaml b/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_node.yaml index ad2555b2ebd..06b47e05945 100644 --- a/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_node.yaml +++ b/platforms/r3-corda-ent/configuration/roles/setup/notary/tasks/notary_node.yaml @@ -52,7 +52,7 @@ include_role: name: "{{ playbook_dir }}/../../shared/configuration/roles/setup/vault_kubernetes" vars: - component_name: "{{ org.name | lower }}-ent" + component_name: "{{ org.name | lower }}-vaultk8s-job" component_auth: "cordaent{{ org.name | lower }}" component_type: "{{ org.type | lower }}" diff --git a/platforms/shared/configuration/setup-k8s-environment.yaml b/platforms/shared/configuration/setup-k8s-environment.yaml index 5ad02522cdc..6fc20524b39 100644 --- a/platforms/shared/configuration/setup-k8s-environment.yaml +++ b/platforms/shared/configuration/setup-k8s-environment.yaml @@ -56,7 +56,7 @@ with_items: "{{ network.organizations }}" when: - network.env.proxy == 'ambassador' - - network['type'] not in ['besu', 'quorum', 'substrate', 'corda'] + - network['type'] == 'indy' # Setup ambassador edge stack (enabled for besu and quorum) - include_role: @@ -69,7 +69,7 @@ with_items: "{{ network.organizations }}" when: - network.env.proxy == 'ambassador' - - network['type'] in ['besu', 'quorum', 'substrate','corda'] + - network['type'] != 'indy' # Installs cert-manager - include_role:
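Review bot: The comment `# Setup ambassador edge stack (enabled for besu and quorum)` above the second include_role is now wrong: with the condition changed to `network['type'] != 'indy'` the edge stack is installed for every network type except indy, so it should read `# Setup ambassador edge stack (all network types except indy)`. The first hunk's flip from a deny-list to `network['type'] == 'indy'` also moves any type that was outside the old list and is not indy onto the edge stack; that is consistent with the r3-corda-ent charts in this same change emitting `getambassador.io/v3alpha1` resources, but anyone adding a network type should know the default is now the edge stack. Both comparisons remain case-sensitive string matches, as before.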