From eea9d00392077d588f1cdb27d45da6f08c3f5c34 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Fri, 29 Dec 2023 11:04:42 +0000
Subject: [PATCH 1/2] Add support for using cert manager
Allows k8s to issue certificates for instancs with cert-manager.io
---
 kubernetes.js | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/kubernetes.js b/kubernetes.js
index f8ae702..8e70ed5 100644
--- a/kubernetes.js
+++ b/kubernetes.js
@@ -360,6 +360,18 @@ const createIngress = async (project, options) => {
 const localIngress = JSON.parse(JSON.stringify(ingressTemplate))
+ if (this._certManagerIssuer) {
+ localIngress.metadata.annotations['cert-manager.io/cluster-issuer'] = this._certManagerIssuer
+ localIngress.spec.tls = [
+ {
+ hosts: [
+ url.host
+ ],
+ secretName: project.safeName
+ }
+ ]
+ }
+
 // process annotations with potential replacements
 Object.keys(localIngress.metadata.annotations).forEach((key) => {
 localIngress.metadata.annotations[key] = mustache(localIngress.metadata.annotations[key], exposedData)
@@ -593,6 +605,7 @@ module.exports = {
 this._namespace = this._app.config.driver.options.projectNamespace || 'flowforge'
 this._k8sDelay = this._app.config.driver.options.k8sDelay || 1000
 this._k8sRetries = this._app.config.driver.options.k8sRetries || 10
+ this._certManagerIssuer = this._app.config.driver.options._certManagerIssuer
 const kc = new k8s.KubeConfig()
@@ -753,6 +766,14 @@ module.exports = {
 this._app.log.error(`[k8s] Project ${project.id} - error deleting ingress: ${err.toString()}`)
 }
+ if (this._certManagerIssuer) {
+ try {
+ await this._k8sApi.deleteNamespacedSecret(project.safeName, this._namespace)
+ } catch (err) {
+ this._app.log.error(`[k8s] Project ${project.id} - error deleting tls secret: ${err.toString()}`)
+ }
+ }
+
 // Note that, regardless, the main objective is to delete deployment (runnable)
 // Even if some k8s resources like ingress or service are still not deleted (maybe because of
 // k8s service latency), the most important thing is to get to deployment.
@@ -851,6 +872,13 @@ module.exports = {
 } catch (err) {
 this._app.log.error(`[k8s] Project ${project.id} - error deleting ingress: ${err.toString()}`)
 }
+ if (this._certManagerIssuer) {
+ try {
+ await this._k8sApi.deleteNamespacedSecret(project.safeName, this._namespace)
+ } catch (err) {
+ this._app.log.error(`[k8s] Project ${project.id} - error deleting tls secret: ${err.toString()}`)
+ }
+ }
 try {
 if (project.safeName.match(/^[0-9]/)) {
 await this._k8sApi.deleteNamespacedService('srv-' + project.safeName, this._namespace)
From e71bdfacb62d0680c609647abf65969a31f5815a Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Fri, 29 Dec 2023 14:17:48 +0000
Subject: [PATCH 2/2] update readme
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index a3b9e66..a46afdd 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ driver:
 projectNamespace: flowforge
 cloudProvider: aws
 privateCA: ff-ca-certs
+ certManagerIssuer: lets-encrypt
 k8sDelay: 1000
 k8sRetries: 10
 ```
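Review bot: The `this._certManagerIssuer` guard around the secret deletion here (and in the earlier deletion hunk and in the createIngress hunk) is fed by the constructor line `this._certManagerIssuer = this._app.config.driver.options._certManagerIssuer`, while the README hunks document the option as `certManagerIssuer`; unless the underscore-prefixed key is intended, the guard is always falsy and neither the TLS block nor the secret cleanup ever runs, so that line should read `this._certManagerIssuer = this._app.config.driver.options.certManagerIssuer`. The two deletion blocks are byte-identical; a small helper such as `deleteTlsSecret(project)` would keep the secret name (`project.safeName`) and the log wording in one place. A secret that does not exist (for example because cert-manager never issued one) is reported at error level like any other failure; if that case is expected, consider logging it at a lower level. In createIngress, `this` inside a module-level arrow function is lexical, so the new branch only sees the driver's setting if createIngress is invoked with the driver bound as `this`, which the surrounding code presumably already relies on but is worth confirming.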
@@ -28,6 +29,7 @@ should run on
 - `cloudProvider` can be left unset for none `aws` deployments. This triggers the adding of AWS EKS specific annotation for ALB Ingress.
 - `privateCA` name of ConfigMap holding PEM CA Cert Bundle (file name `certs.pem`) Optional
+- `certManagerIssuer` name of the ClusterIssuer to use to create HTTPS certs for instances (default not set)
 - `k8sRetries` how many times to retry actions against the K8s API
 - `k8sDelay` how long to wait (in ms) between retries to the K8s API