From 198ad1dea1b90472b2ca21fc72f7a5059815fd25 Mon Sep 17 00:00:00 2001 
From: wajihyassine
Date: Mon, 27 Jan 2025 13:40:48 -0800
Subject: [PATCH] Move loadbalancer code to OSDFIR and remove from sub charts to de duplicate code
---
 .../charts/timesketch/templates/NOTES.txt | 3 -
 .../templates/certs/cert-manager-issuer.yaml | 20 ----
 .../templates/certs/tls-secrets.yaml | 17 ----
 .../templates/gcp/backendconfig.yaml | 2 +-
 .../templates/gcp/frontendconfig.yaml | 10 --
 .../templates/gcp/managedcertificate.yaml | 10 --
 .../charts/timesketch/templates/ingress.yaml | 98 -------------------
 .../templates/nginx/nginx-configmap.yaml | 2 +-
 .../templates/nginx/nginx-deployment.yaml | 2 +-
 .../templates/nginx/nginx-service.yaml | 4 +-
 .../charts/timesketch/values.yaml | 52 ----------
 .../charts/yeti/templates/NOTES.txt | 3 -
 .../templates/certs/cert-manager-issuer.yaml | 20 ----
 .../yeti/templates/certs/tls-secrets.yaml | 17 ----
 .../yeti/templates/gcp/backendconfig.yaml | 2 +-
 .../yeti/templates/gcp/frontendconfig.yaml | 10 --
 .../templates/gcp/managedcertificate.yaml | 10 --
 .../charts/yeti/templates/ingress.yaml | 95 ------------------
 .../templates/nginx/frontend-service.yaml | 2 +-
 .../charts/yeti/values.yaml | 53 ----------
 .../osdfir-infrastructure/templates/NOTES.txt | 8 +-
 .../templates/_helpers.tpl | 64 +-----------
 .../templates/certs/tls-secrets.yaml | 2 +-
 .../templates/gcp/managedcertificate.yaml | 8 +-
 .../templates/ingress-ipv6.yaml | 63 ++++++++++++
 .../templates/ingress.yaml | 76 ++------------
 charts/osdfir-infrastructure/values.yaml | 25 ++---
 27 files changed, 97 insertions(+), 581 deletions(-)
 delete mode 100644 charts/osdfir-infrastructure/charts/timesketch/templates/certs/cert-manager-issuer.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/timesketch/templates/certs/tls-secrets.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/timesketch/templates/gcp/frontendconfig.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/timesketch/templates/gcp/managedcertificate.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/timesketch/templates/ingress.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/yeti/templates/certs/cert-manager-issuer.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/yeti/templates/certs/tls-secrets.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/yeti/templates/gcp/frontendconfig.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/yeti/templates/gcp/managedcertificate.yaml
 delete mode 100644 charts/osdfir-infrastructure/charts/yeti/templates/ingress.yaml
 create mode 100644 charts/osdfir-infrastructure/templates/ingress-ipv6.yaml
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/NOTES.txt b/charts/osdfir-infrastructure/charts/timesketch/templates/NOTES.txt
index 7e1bb37a..96642ddc 100644
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/NOTES.txt
+++ b/charts/osdfir-infrastructure/charts/timesketch/templates/NOTES.txt
@@ -8,9 +8,6 @@ To learn more about the release, try:
 $ kubectl get pods
 To connect to the Timesketch URL:
- {{- if and (.Values.ingress.enabled) (.Values.ingress.host) }}
- $ echo "Visit https://{{ .Values.ingress.host }} to access Timesketch externally"
- {{- end }}
 $ kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ .Release.Name }}-timesketch 5000:5000
 $ echo "Visit http://127.0.0.1:5000 to access Timesketch through port-forwarding"
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/certs/cert-manager-issuer.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/certs/cert-manager-issuer.yaml
deleted file mode 100644
index 60d3a684..00000000
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/certs/cert-manager-issuer.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if and .Values.ingress.enabled .Values.ingress.certManager }}
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: {{ .Release.Name }}-timesketch-letsencrypt-production
- labels:
- {{- include "timesketch.labels" . | nindent 4 }}
- annotations:
- helm.sh/hook: "pre-install"
- helm.sh/hook-delete-policy: "before-hook-creation"
-spec:
- acme:
- server: https://acme-v02.api.letsencrypt.org/directory
- privateKeySecretRef:
- name: {{ .Release.Name }}-timesketch-letsencrypt-production
- solvers:
- - http01:
- ingress:
- name: {{ .Release.Name }}-timesketch-ingress
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/certs/tls-secrets.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/certs/tls-secrets.yaml
deleted file mode 100644
index b0224304..00000000
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/certs/tls-secrets.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if and .Values.ingress.enabled (or .Values.ingress.selfSigned .Values.ingress.certManager) }}
-{{- $secretName := printf "%s-timesketch-tls" (.Release.Name) }}
-{{- $ca := genCA "timesketch-ca" 365 }}
-{{- $cert := genSignedCert "timesketch-apps" nil (list .Values.ingress.host) 365 $ca }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-timesketch-tls
- namespace: {{ .Release.Namespace | quote }}
- annotations:
- helm.sh/hook: "pre-install"
- helm.sh/hook-delete-policy: "before-hook-creation"
-type: kubernetes.io/tls
-data:
- tls.crt: {{ $cert.Cert | b64enc }}
- tls.key: {{ $cert.Key | b64enc }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/backendconfig.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/backendconfig.yaml
index 042e2a0f..455295c8 100644
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/backendconfig.yaml
+++ b/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/backendconfig.yaml
@@ -1,4 +1,4 @@
-{{- if or (and (.Values.ingress.enabled) (eq .Values.ingress.className "gce")) (and (.Values.global.ingress.enabled) (eq .Values.global.ingress.className "gce")) }}
+{{- if (and (.Values.global.ingress.enabled) (eq .Values.global.ingress.className "gce")) }}
 apiVersion: cloud.google.com/v1
 kind: BackendConfig
 metadata:
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/frontendconfig.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/frontendconfig.yaml
deleted file mode 100644
index 479c6cec..00000000
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/frontendconfig.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- if and (.Values.ingress.enabled) (eq .Values.ingress.className "gce") }}
-apiVersion: networking.gke.io/v1beta1
-kind: FrontendConfig
-metadata:
- name: {{ .Release.Name }}-timesketch-frontend-config
- namespace: {{ .Release.Namespace | quote }}
-spec:
- redirectToHttps:
- enabled: true
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/managedcertificate.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/managedcertificate.yaml
deleted file mode 100644
index 07b7e257..00000000
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/gcp/managedcertificate.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- if and (.Values.ingress.enabled) (.Values.ingress.gcp.managedCertificates) }}
-apiVersion: networking.gke.io/v1
-kind: ManagedCertificate
-metadata:
- name: {{ .Release.Name }}-timesketch-managed-ssl
- namespace: {{ .Release.Namespace | quote }}
-spec:
- domains:
- - {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
-{{- end }}
\ No newline at end of file
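Review bot: The new guard `{{- if (and (.Values.global.ingress.enabled) (eq .Values.global.ingress.className "gce")) }}` wraps each operand and the whole expression in parentheses that Go templates do not need; `{{- if and .Values.global.ingress.enabled (eq .Values.global.ingress.className "gce") }}` is the form the rest of this chart's conditionals use. The same style appears in the yeti backendconfig.yaml, the timesketch nginx-configmap.yaml, nginx-deployment.yaml and nginx-service.yaml, and the yeti frontend-service.yaml hunks, where `{{- if (.Values.global.ingress.enabled) -}}` and `{{- if (eq .Values.global.ingress.className "gce") }}` can drop the outer parentheses too. Separately, the sub-chart values.yaml hunk in this patch leaves only `enabled` under `global.ingress`, so `global.ingress.className`, which these guards now rely on exclusively, has no sub-chart default or `@param` entry; adding `className: ""` with a `## @param global.ingress.className` line there would document it for standalone rendering and keep the generated README accurate.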
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/ingress.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/ingress.yaml
deleted file mode 100644
index e06a2775..00000000
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/ingress.yaml
+++ /dev/null
@@ -1,98 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Release.Name }}-timesketch-ingress
- namespace: {{ .Release.Namespace | quote }}
- labels:
- {{- include "timesketch.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
- {{- if .Values.ingress.certManager }}
- kubernetes.io/tls-acme: "true"
- cert-manager.io/issuer: {{ .Release.Name }}-timesketch-letsencrypt-production
- {{- end }}
- # GKE specific annotations
- {{- if (eq .Values.ingress.className "gce") }}
- {{- if .Values.ingress.gcp.staticIPName }}
- kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPName }}
- networking.gke.io/v1beta1.FrontendConfig: {{ .Release.Name }}-timesketch-frontend-config
- {{- end }}
- {{- if .Values.ingress.gcp.managedCertificates }}
- networking.gke.io/managed-certificates: {{ .Release.Name }}-timesketch-managed-ssl
- networking.gke.io/v1beta1.FrontendConfig: {{ .Release.Name }}-timesketch-frontend-config
- {{- end }}
- {{- end }}
-spec:
- {{- if or .Values.ingress.selfSigned .Values.ingress.certManager }}
- tls:
- - hosts:
- - {{ .Values.ingress.host | quote }}
- secretName: {{ .Release.Name }}-timesketch-tls
- {{- end }}
- rules:
- - host: {{ .Values.ingress.host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ .Release.Name }}-timesketch-nginx
- port:
- number: 8080
- defaultBackend:
- service:
- name: {{ .Release.Name }}-timesketch-nginx # Name of the Service targeted by the Ingress
- port:
- number: 8080 # Should match the port used by the Service
-{{- end }}
-{{- if and .Values.ingress.enabled .Values.ingress.gcp.staticIPV6Name }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ include "timesketch.fullname" . }}-ingress-ipv6
- namespace: {{ .Release.Namespace | quote }}
- labels:
- {{- include "timesketch.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
- {{- if .Values.ingress.certManager }}
- kubernetes.io/tls-acme: "true"
- cert-manager.io/issuer: {{ include "timesketch.fullname" . }}-letsencrypt-production
- {{- end }}
- # GKE specific annotations
- {{- if (eq .Values.ingress.className "gce") }}
- {{- if .Values.ingress.gcp.staticIPV6Name }}
- kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPV6Name }}
- {{- end }}
- {{- if .Values.ingress.gcp.managedCertificates }}
- networking.gke.io/managed-certificates: {{ include "timesketch.fullname" . }}-managed-ssl
- networking.gke.io/v1beta1.FrontendConfig: {{ include "timesketch.fullname" . }}-frontend-config
- {{- end }}
- {{- end }}
-spec:
- {{- if or .Values.ingress.selfSigned .Values.ingress.certManager }}
- tls:
- - hosts:
- - {{ .Values.ingress.host | quote }}
- secretName: {{ include "timesketch.fullname" . }}-tls
- {{- end }}
- rules:
- - host: {{ .Values.ingress.host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ include "timesketch.fullname" . }}-nginx
- port:
- number: 80
- defaultBackend:
- service:
- name: {{ include "timesketch.fullname" . }}-nginx # Name of the Service targeted by the Ingress
- port:
- number: 80 # Should match the port used by the Service
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-configmap.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-configmap.yaml
index e0d9c780..9c549c14 100644
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-configmap.yaml
+++ b/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-configmap.yaml
@@ -1,4 +1,4 @@
-{{- if or (.Values.ingress.enabled) (.Values.global.ingress.enabled) -}}
+{{- if (.Values.global.ingress.enabled) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-deployment.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-deployment.yaml
index 8f75aafe..b2373f08 100644
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-deployment.yaml
+++ b/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if or (.Values.ingress.enabled) (.Values.global.ingress.enabled) -}}
+{{- if (.Values.global.ingress.enabled) -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-service.yaml b/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-service.yaml
index fad26eb1..80c1549d 100644
--- a/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-service.yaml
+++ b/charts/osdfir-infrastructure/charts/timesketch/templates/nginx/nginx-service.yaml
@@ -1,4 +1,4 @@
-{{- if or (.Values.ingress.enabled) (.Values.global.ingress.enabled) -}}
+{{- if (.Values.global.ingress.enabled) -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -6,7 +6,7 @@ metadata:
 namespace: {{ .Release.Namespace | quote }}
 labels:
 {{- include "timesketch.labels" . | nindent 4 }}
- {{- if or (eq .Values.ingress.className "gce") (eq .Values.global.ingress.className "gce") }}
+ {{- if (eq .Values.global.ingress.className "gce") }}
 annotations:
 cloud.google.com/neg: '{"ingress": true}'
 cloud.google.com/backend-config: '{"ports": {"8080":"{{ .Release.Name }}-timesketch-backend-config"}}'
diff --git a/charts/osdfir-infrastructure/charts/timesketch/values.yaml b/charts/osdfir-infrastructure/charts/timesketch/values.yaml
index 598a6a20..758ed6fb 100644
--- a/charts/osdfir-infrastructure/charts/timesketch/values.yaml
+++ b/charts/osdfir-infrastructure/charts/timesketch/values.yaml
@@ -5,34 +5,18 @@
 ## Please, note that this will override the parameters configured to use the global value
 ##
 global:
- ## Global Persistence Configuration
- ##
 timesketch:
 ## @param global.timesketch.enabled Enables the Timesketch deployment (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
- ## @param global.timesketch.servicePort Timesketch service port (overrides `timesketch.service.port`)
- ##
- servicePort:
 yeti:
 ## @param global.yeti.enabled Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
- ## @param global.yeti.servicePort Yeti API service port (overrides `yeti.api.service.port`)
- ##
- servicePort:
- ## Global ingress parameters used to configure Turbinia, Timesketch, Yeti under a single loadbalancer
- ##
 ingress:
 ## @param global.ingress.enabled Enable the global loadbalancer for external access (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
- ## @param global.existingPVC Existing claim for Timesketch persistent volume (overrides `persistent.name`)
- ##
- existingPVC: ""
- ## @param global.storageClass StorageClass for the Timesketch persistent volume (overrides `persistent.storageClass`)
- ##
- storageClass: ""
 ## @section Timesketch image configuration
 ##
 image:
@@ -183,42 +167,6 @@ securityContext:
 ## @param securityContext.enabled Enable SecurityContext for Timesketch pods
 ##
 enabled: true
-## Ingress Parameters
-##
-ingress:
- ## @param ingress.enabled Enable the Timesketch loadbalancer for external access
- ##
- enabled: false
- ## @param ingress.host Domain name Timesketch will be hosted under
- ## Please ensure you have a DNS record set for the IP address registered under
- ## ingress.gcp.staticIPName
- ##
- host: ""
- ## @param ingress.className IngressClass that will be be used to implement the Ingress
- ## ref https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
- ##
- className: ""
- ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
- ##
- selfSigned: false
- ## @param ingress.certManager Add the corresponding annotations for cert-manager integration
- ##
- certManager: false
- ## GCP ingress configuration
- ##
- gcp:
- ## @param ingress.gcp.managedCertificates Enables GCP managed certificates for your domain
- ## ref https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs
- ##
- managedCertificates: false
- ## @param ingress.gcp.staticIPName Name of the static IP address you reserved in GCP.
- ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
- ##
- staticIPName: ""
- ## @param ingress.gcp.staticIPV6Name Name of the static IPV6 address you reserved. This can be optionally provided to deploy a loadbalancer with an IPV6 address in GCP.
- ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
- ##
- staticIPV6Name: ""
 ## @section Third Party Configuration
 ## This section contains all the main configuration for third party dependencies Timesketch needs to run
 ##
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/NOTES.txt b/charts/osdfir-infrastructure/charts/yeti/templates/NOTES.txt
index bd497d16..474bed5b 100644
--- a/charts/osdfir-infrastructure/charts/yeti/templates/NOTES.txt
+++ b/charts/osdfir-infrastructure/charts/yeti/templates/NOTES.txt
@@ -8,9 +8,6 @@ To learn more about the release, try:
 $ kubectl get pods
 To connect to the Yeti URL, run:
- {{- if and (.Values.ingress.enabled) (.Values.ingress.host) }}
- $ echo "Visit https://{{ .Values.ingress.host }} to access Yeti externally"
- {{- end }}
 $ kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ .Release.Name }}-yeti 9000:9000
 $ echo "Visit http://127.0.0.1:9000 to access Yeti through port-forwarding"
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/certs/cert-manager-issuer.yaml b/charts/osdfir-infrastructure/charts/yeti/templates/certs/cert-manager-issuer.yaml
deleted file mode 100644
index fbeefeb6..00000000
--- a/charts/osdfir-infrastructure/charts/yeti/templates/certs/cert-manager-issuer.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if and .Values.ingress.enabled .Values.ingress.certManager }}
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: {{ .Release.Name }}-yeti-letsencrypt-production
- labels:
- {{- include "yeti.labels" . | nindent 4 }}
- annotations:
- helm.sh/hook: "pre-install"
- helm.sh/hook-delete-policy: "before-hook-creation"
-spec:
- acme:
- server: https://acme-v02.api.letsencrypt.org/directory
- privateKeySecretRef:
- name: {{ .Release.Name }}-yeti-letsencrypt-production
- solvers:
- - http01:
- ingress:
- name: {{ .Release.Name }}-yeti-ingress
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/certs/tls-secrets.yaml b/charts/osdfir-infrastructure/charts/yeti/templates/certs/tls-secrets.yaml
deleted file mode 100644
index b455e657..00000000
--- a/charts/osdfir-infrastructure/charts/yeti/templates/certs/tls-secrets.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if and .Values.ingress.enabled (or .Values.ingress.selfSigned .Values.ingress.certManager) }}
-{{- $secretName := printf "%s-yeti-tls" (.Release.Name) }}
-{{- $ca := genCA "yeti-ca" 365 }}
-{{- $cert := genSignedCert "yeti-apps" nil (list .Values.ingress.host) 365 $ca }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-yeti-tls
- namespace: {{ .Release.Namespace | quote }}
- annotations:
- helm.sh/hook: "pre-install"
- helm.sh/hook-delete-policy: "before-hook-creation"
-type: kubernetes.io/tls
-data:
- tls.crt: {{ $cert.Cert | b64enc }}
- tls.key: {{ $cert.Key | b64enc }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/gcp/backendconfig.yaml b/charts/osdfir-infrastructure/charts/yeti/templates/gcp/backendconfig.yaml
index d3a34da3..95a73772 100644
--- a/charts/osdfir-infrastructure/charts/yeti/templates/gcp/backendconfig.yaml
+++ b/charts/osdfir-infrastructure/charts/yeti/templates/gcp/backendconfig.yaml
@@ -1,4 +1,4 @@
-{{- if or (and (.Values.ingress.enabled) (eq .Values.ingress.className "gce")) (and (.Values.global.ingress.enabled) (eq .Values.global.ingress.className "gce")) }}
+{{- if (and (.Values.global.ingress.enabled) (eq .Values.global.ingress.className "gce")) }}
 apiVersion: cloud.google.com/v1
 kind: BackendConfig
 metadata:
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/gcp/frontendconfig.yaml b/charts/osdfir-infrastructure/charts/yeti/templates/gcp/frontendconfig.yaml
deleted file mode 100644
index 3e11380a..00000000
--- a/charts/osdfir-infrastructure/charts/yeti/templates/gcp/frontendconfig.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- if and (.Values.ingress.enabled) (eq .Values.ingress.className "gce") }}
-apiVersion: networking.gke.io/v1beta1
-kind: FrontendConfig
-metadata:
- name: {{ .Release.Name }}-yeti-frontend-config
- namespace: {{ .Release.Namespace | quote }}
-spec:
- redirectToHttps:
- enabled: true
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/gcp/managedcertificate.yaml b/charts/osdfir-infrastructure/charts/yeti/templates/gcp/managedcertificate.yaml
deleted file mode 100644
index 9c6ce3f1..00000000
--- a/charts/osdfir-infrastructure/charts/yeti/templates/gcp/managedcertificate.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- if and (.Values.ingress.enabled) (eq .Values.ingress.className "gce") }}
-apiVersion: networking.gke.io/v1
-kind: ManagedCertificate
-metadata:
- name: {{ .Release.Name }}-yeti-managed-ssl
- namespace: {{ .Release.Namespace | quote }}
-spec:
- domains:
- - {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/ingress.yaml b/charts/osdfir-infrastructure/charts/yeti/templates/ingress.yaml
deleted file mode 100644
index 40e80348..00000000
--- a/charts/osdfir-infrastructure/charts/yeti/templates/ingress.yaml
+++ /dev/null
@@ -1,95 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Release.Name }}-yeti-ingress
- namespace: {{ .Release.Namespace | quote }}
- labels:
- {{- include "yeti.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
- {{- if .Values.ingress.gcp.managedCertificates }}
- networking.gke.io/managed-certificates: {{ .Release.Name }}-yeti-managed-ssl
- {{- end }}
- {{- if .Values.ingress.certManager }}
- kubernetes.io/tls-acme: "true"
- cert-manager.io/issuer: {{ .Release.Name }}-yeti-letsencrypt-production
- {{- end }}
- {{- if (eq .Values.ingress.className "gce") }}
- {{- if .Values.ingress.gcp.staticIPName }}
- kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPName }}
- networking.gke.io/v1beta1.FrontendConfig: {{ .Release.Name }}-yeti-frontend-config
- {{- else }}
- {{- fail "A valied .Values.ingress.gcp.staticIPName entry is required when using the GCE Ingress" }}
- {{- end }}
- {{- end }}
-spec:
- {{- if or .Values.ingress.selfSigned .Values.ingress.certManager }}
- tls:
- - hosts:
- - {{ .Values.ingress.host | quote }}
- secretName: {{ .Release.Name }}-yeti-tls
- {{- end }}
- rules:
- - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ .Release.Name }}-yeti
- port:
- number: 9000
- defaultBackend:
- service:
- name: {{ .Release.Name }}-yeti # Name of the Service targeted by the Ingress
- port:
- number: 9000 # Should match the port used by the Service
-{{- end }}
-{{- if and .Values.ingress.enabled .Values.ingress.gcp.staticIPV6Name }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ include "yeti.fullname" . }}-ingress-ipv6
- namespace: {{ .Release.Namespace | quote }}
- labels:
- {{- include "yeti.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/ingressClassName: {{ .Values.ingress.className }}
- {{- if .Values.ingress.gcp.managedCertificates }}
- networking.gke.io/managed-certificates: {{ include "yeti.fullname" . }}-managed-ssl
- {{- end }}
- {{- if .Values.ingress.certManager }}
- kubernetes.io/tls-acme: "true"
- cert-manager.io/issuer: {{ include "yeti.fullname" . }}-letsencrypt-production
- {{- end }}
- {{- if (eq .Values.ingress.className "gce") }}
- kubernetes.io/ingress.global-static-ip-name: {{ .Values.ingress.gcp.staticIPV6Name }}
- networking.gke.io/v1beta1.FrontendConfig: {{ include "yeti.fullname" . }}-frontend-config
- {{- end }}
-spec:
- {{- if or .Values.ingress.selfSigned .Values.ingress.certManager }}
- tls:
- - hosts:
- - {{ .Values.ingress.host | quote }}
- secretName: {{ include "yeti.fullname" . }}-tls
- {{- end }}
- rules:
- - host: {{ required "A valid .Values.ingress.host entry is required!" .Values.ingress.host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ include "yeti.fullname" . }}
- port:
- number: {{ include "yeti.service.port" . }}
- defaultBackend:
- service:
- name: {{ include "yeti.fullname" . }} # Name of the Service targeted by the Ingress
- port:
- number: {{ include "yeti.service.port" . }} # Should match the port used by the Service
-{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/charts/yeti/templates/nginx/frontend-service.yaml b/charts/osdfir-infrastructure/charts/yeti/templates/nginx/frontend-service.yaml
index 0c05ec02..25cf70ca 100644
--- a/charts/osdfir-infrastructure/charts/yeti/templates/nginx/frontend-service.yaml
+++ b/charts/osdfir-infrastructure/charts/yeti/templates/nginx/frontend-service.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: {{ .Release.Namespace | quote }}
 labels:
 {{- include "yeti.labels" . | nindent 4 }}
- {{- if or (eq .Values.ingress.className "gce") (eq .Values.global.ingress.className "gce") }}
+ {{- if (eq .Values.global.ingress.className "gce") }}
 annotations:
 cloud.google.com/neg: '{"ingress": true}'
 cloud.google.com/backend-config: '{"ports": {"9000":"{{ .Release.Name }}-yeti-backend-config"}}'
diff --git a/charts/osdfir-infrastructure/charts/yeti/values.yaml b/charts/osdfir-infrastructure/charts/yeti/values.yaml
index cb597c1c..d546de83 100644
--- a/charts/osdfir-infrastructure/charts/yeti/values.yaml
+++ b/charts/osdfir-infrastructure/charts/yeti/values.yaml
@@ -5,34 +5,18 @@
 ## Please, note that this will override the parameters configured to use the global value
 ##
 global:
- ## Global Persistence Configuration
- ##
 timesketch:
 ## @param global.timesketch.enabled Enables the Timesketch deployment (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
- ## @param global.timesketch.servicePort Timesketch service port (overrides `timesketch.service.port`)
- ##
- servicePort:
 yeti:
 ## @param global.yeti.enabled Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
- ## @param global.yeti.servicePort Yeti API service port (overrides `yeti.api.service.port`)
- ##
- servicePort:
- ## Global ingress parameters used to configure Turbinia, Timesketch, Yeti under a single loadbalancer
- ##
 ingress:
 ## @param global.ingress.enabled Enable the global loadbalancer for external access (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
- ## @param global.existingPVC Existing claim for Yeti persistent volume (overrides `persistent.name`)
- ##
- existingPVC: ""
- ## @param global.storageClass StorageClass for the Yeti persistent volume (overrides `persistent.storageClass`)
- ##
- storageClass: ""
 ## @section Yeti configuration
 ## The following section covers configuration parameters for Yeti
 ##
@@ -145,43 +129,6 @@ config:
 ## @param config.oidc.existingSecret Existing secret with the client ID, secret and cookie secret
 ##
 existingSecret: ""
-## Ingress Parameters
-##
-ingress:
- ## @param ingress.enabled Enable the Yeti loadbalancer for external access
- ##
- enabled: false
- ## @param ingress.host Domain name Yeti will be hosted under
- ## Please ensure this value is set when enabling Ingress. If using "gce" for
- ## ingress.className, please ensure you have a DNS record set for the IP address
- ## registered under ingress.gcp.staticIPName
- ##
- host: ""
- ## @param ingress.className IngressClass that will be be used to implement the Ingress
- ## ref https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
- ##
- className: ""
- ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
- ##
- selfSigned: false
- ## @param ingress.certManager Add the corresponding annotations for cert-manager integration
- ##
- certManager: false
- ## GCP ingress configuration
- ##
- gcp:
- ## @param ingress.gcp.managedCertificates Enables GCP managed certificates for your domain
- ## ref https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs
- ##
- managedCertificates: false
- ## @param ingress.gcp.staticIPName Name of the static IP address you reserved in GCP. Required when using "gce" in ingress.className
- ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
- ##
- staticIPName: ""
- ## @param ingress.gcp.staticIPV6Name Name of the static IPV6 address you reserved in GCP. This can be optionally provided to deploy a loadbalancer with an IPV6 address
- ## ref https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
- ##
- staticIPV6Name: ""
 ## @section Third Party Configuration
 ## This section contains all the main configuration for third party dependencies Yeti needs to run
 ##
diff --git a/charts/osdfir-infrastructure/templates/NOTES.txt b/charts/osdfir-infrastructure/templates/NOTES.txt
index a5083d8a..a031da8f 100644
--- a/charts/osdfir-infrastructure/templates/NOTES.txt
+++ b/charts/osdfir-infrastructure/templates/NOTES.txt
@@ -9,8 +9,8 @@ To learn more about the release, try:
 {{ if .Values.global.timesketch.enabled -}}
 To connect to the Timesketch UI, run:
- {{- if and (.Values.global.ingress.enabled) (.Values.timesketch.ingress.host) }}
- $ echo "Visit https://{{ .Values.timesketch.ingress.host }} to access Timesketch externally"
+ {{- if and (.Values.global.ingress.enabled) (.Values.global.ingress.timesketchHost) }}
+ $ echo "Visit https://{{ .Values.global.ingress.timesketchHost }} to access Timesketch externally"
 {{- end }}
 $ kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ .Release.Name }}-timesketch 5000:5000
 $ echo "Visit http://127.0.0.1:5000 to access Timesketch"
@@ -23,8 +23,8 @@ Login to Timesketch with the User `timesketch`. To get your password run:
 {{ if .Values.global.yeti.enabled -}}
 To connect to the Yeti URL, run:
- {{- if and (.Values.global.ingress.enabled) (.Values.yeti.ingress.host) }}
- $ echo "Visit https://{{ .Values.yeti.ingress.host }} to access Yeti externally"
+ {{- if and (.Values.global.ingress.enabled) (.Values.global.ingress.yetiHost) }}
+ $ echo "Visit https://{{ .Values.global.ingress.yetiHost }} to access Yeti externally"
 {{- end }}
 $ kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ .Release.Name }} 9000:9000
 $ echo "Visit http://127.0.0.1:9000 to access Yeti through port-forwarding"
diff --git a/charts/osdfir-infrastructure/templates/_helpers.tpl b/charts/osdfir-infrastructure/templates/_helpers.tpl
index 3c923a4a..a15f9cdd 100644
--- a/charts/osdfir-infrastructure/templates/_helpers.tpl
+++ b/charts/osdfir-infrastructure/templates/_helpers.tpl
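Review bot: The new `$ echo "Visit https://{{ .Values.global.ingress.timesketchHost }} to access Timesketch externally"` line (and its Yeti counterpart in the second hunk) prints an https URL whenever the global ingress is enabled and a host is set, but neither guard looks at `global.ingress.selfSigned` or `global.ingress.certManager`, the only TLS switches visible in this patch (tls-secrets.yaml is gated on exactly those). I can't see the parent ingress.yaml hunk here, so if the Ingress can be rendered without a `tls:` block when both are off, the advertised scheme is wrong for that configuration. Gating the echo on the TLS switches, or choosing the scheme with `{{- $scheme := ternary "https" "http" (or .Values.global.ingress.selfSigned .Values.global.ingress.certManager) }}` and printing `{{ $scheme }}://`, would keep the note honest; extend the `or` with whichever managed-certificate flag the parent chart exposes.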
@@ -1,34 +1,8 @@
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "osdfir.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-*/}}
-{{- define "osdfir.fullname" -}}
-{{- if contains .Chart.Name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name "osdfir" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "osdfir.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
 {{/*
 Common labels
 */}}
 {{- define "osdfir.labels" -}}
-helm.sh/chart: {{ include "osdfir.chart" . }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version }}
 {{ include "osdfir.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
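Review bot: The new `helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version }}` drops the `replace "+" "_" | trunc 63 | trimSuffix "-"` pipeline that the deleted `osdfir.chart` helper applied, so a chart version carrying semver build metadata (a `+`) or a name/version pair longer than 63 characters now yields a label value that fails Kubernetes label validation, and the API server rejects every object that carries `osdfir.labels`. Keep the sanitising inline: `helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}`. The `osdfir.labels` definition continues past the end of the hunk.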
@@ -41,38 +15,6 @@ date: "{{ now | htmlDate }}"
 Selector labels
 */}}
 {{- define "osdfir.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "osdfir.name" . }}
+app.kubernetes.io/name: osdfir
 app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Return the proper persistence volume claim name
-*/}}
-{{- define "osdfir.pvc.name" -}}
-{{- $pvcName := .Values.persistence.name -}}
-{{- if .Values.global -}}
- {{- if .Values.global.existingPVC -}}
- {{- $pvcName = .Values.global.existingPVC -}}
- {{- end -}}
-{{- printf "%s-%s" $pvcName "claim" }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the proper Storage Class
-*/}}
-{{- define "osdfir.storage.class" -}}
-{{- $storageClass := .Values.persistence.storageClass -}}
-{{- if .Values.global -}}
- {{- if .Values.global.storageClass -}}
- {{- $storageClass = .Values.global.storageClass -}}
- {{- end -}}
-{{- end -}}
-{{- if $storageClass -}}
- {{- if (eq "-" $storageClass) -}}
- {{- printf "storageClassName: \"\"" -}}
- {{- else }}
- {{- printf "storageClassName: %s" $storageClass -}}
- {{- end -}}
-{{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/templates/certs/tls-secrets.yaml b/charts/osdfir-infrastructure/templates/certs/tls-secrets.yaml
index 02768ef3..fe895fe5 100644
--- a/charts/osdfir-infrastructure/templates/certs/tls-secrets.yaml
+++ b/charts/osdfir-infrastructure/templates/certs/tls-secrets.yaml
@@ -1,6 +1,6 @@
 {{- if and .Values.global.ingress.enabled (or .Values.global.ingress.selfSigned .Values.global.ingress.certManager) }}
 {{- $ca := genCA "osdfir-ca" 365 }}
-{{- $cert := genSignedCert "osdfir-apps" nil (list .Values.timesketch.ingress.host .Values.yeti.ingress.host) 365 $ca }}
+{{- $cert := genSignedCert "osdfir-apps" nil (list .Values.global.ingress.timesketchHost .Values.global.ingress.yetiHost) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
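Review bot: Hard-coding `app.kubernetes.io/name: osdfir` silently removes the `nameOverride` hook that the deleted `osdfir.name` helper honoured; if `nameOverride` is still documented in values.yaml it is now a no-op and should be dropped there too (not visible in this diff). The removed `osdfir.pvc.name` and `osdfir.storage.class` helpers are presumably no longer included by any template of this chart; a `helm template` run over the chart would surface a stale `include` if one remains.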
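Review bot: `list .Values.global.ingress.timesketchHost .Values.global.ingress.yetiHost` puts an empty string into the certificate's SAN list whenever one host is unset (for example with Yeti disabled), so the self-signed certificate carries an empty DNS name entry. Drop unset entries before signing: `(list .Values.global.ingress.timesketchHost .Values.global.ingress.yetiHost | compact)`. The CA and leaf also appear to be regenerated on every render via `genCA`, which predates this change but is worth keeping in mind now that this is the single place the hosts are wired into the certificate.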
diff --git a/charts/osdfir-infrastructure/templates/gcp/managedcertificate.yaml b/charts/osdfir-infrastructure/templates/gcp/managedcertificate.yaml
index 6cb023a4..22e65346 100644
--- a/charts/osdfir-infrastructure/templates/gcp/managedcertificate.yaml
+++ b/charts/osdfir-infrastructure/templates/gcp/managedcertificate.yaml
@@ -6,10 +6,10 @@ metadata:
 namespace: {{ .Release.Namespace | quote }}
 spec:
 domains:
- {{- if and .Values.global.timesketch.enabled .Values.timesketch.ingress.host }}
- - {{ .Values.timesketch.ingress.host }}
+ {{- if and .Values.global.timesketch.enabled .Values.global.ingress.timesketchHost }}
+ - {{ .Values.global.ingress.timesketchHost }}
 {{- end }}
- {{- if and .Values.global.yeti.enabled .Values.yeti.ingress.host }}
- - {{ .Values.yeti.ingress.host }}
+ {{- if and .Values.global.yeti.enabled .Values.global.ingress.yetiHost }}
+ - {{ .Values.global.ingress.yetiHost }}
 {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/templates/ingress-ipv6.yaml b/charts/osdfir-infrastructure/templates/ingress-ipv6.yaml
new file mode 100644
index 00000000..8ed588c1
--- /dev/null
+++ b/charts/osdfir-infrastructure/templates/ingress-ipv6.yaml
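Review bot: `- {{ .Values.global.ingress.timesketchHost }}` and the matching Yeti line emit the domain as a plain scalar, while the Ingress templates pipe the very same values through `| quote`; a host value YAML would reinterpret would then render differently across the two resources. Use `- {{ .Values.global.ingress.timesketchHost | quote }}` (and the Yeti equivalent) here for consistency.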
@@ -0,0 +1,63 @@
+{{- if and .Values.global.ingress.enabled .Values.global.ingress.gcp.staticIPV6Name }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Release.Name }}-osdfir-ingress-ipv6
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "osdfir.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/ingressClassName: {{ .Values.global.ingress.className }}
+ {{- if .Values.global.ingress.gcp.managedCertificates }}
+ networking.gke.io/managed-certificates: {{ .Release.Name }}-osdfir-managed-ssl
+ {{- end }}
+ {{- if .Values.global.ingress.certManager }}
+ kubernetes.io/tls-acme: "true"
+ cert-manager.io/issuer: {{ .Release.Name }}-osdfir-letsencrypt-production
+ {{- end }}
+ {{- if (eq .Values.global.ingress.className "gce") }}
+ {{- if .Values.global.ingress.gcp.staticIPV6Name }}
+ kubernetes.io/ingress.global-static-ip-name: {{ .Values.global.ingress.gcp.staticIPV6Name }}
+ networking.gke.io/v1beta1.FrontendConfig: {{ .Release.Name }}-osdfir-frontend-config
+ {{- else }}
+ {{- fail "A valid .Values.global.ingress.gcp.staticIPV6Name entry is required when using the GCE Ingress" }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if or .Values.global.ingress.selfSigned .Values.global.ingress.certManager }}
+ tls:
+ - hosts:
+ {{- if .Values.global.ingress.timesketchHost }}
+ - {{ .Values.global.ingress.timesketchHost | quote }}
+ {{- end }}
+ {{- if .Values.global.ingress.yetiHost }}
+ - {{ .Values.global.ingress.yetiHost | quote }}
+ {{- end }}
+ secretName: {{ .Release.Name }}-osdfir-tls
+ {{- end }}
+ rules:
+ {{- if .Values.global.ingress.timesketchHost }}
+ - host: {{ .Values.global.ingress.timesketchHost }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ .Release.Name }}-timesketch-nginx
+ port:
+ number: 8080
+ {{- end }}
+ {{- if .Values.global.ingress.yetiHost }}
+ - host: {{.Values.global.ingress.yetiHost }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{
.Release.Name }}-yeti
+ port:
+ number: 9000
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/osdfir-infrastructure/templates/ingress.yaml b/charts/osdfir-infrastructure/templates/ingress.yaml
index 833b2b08..8aec7748 100644
--- a/charts/osdfir-infrastructure/templates/ingress.yaml
+++ b/charts/osdfir-infrastructure/templates/ingress.yaml
@@ -27,17 +27,17 @@ spec:
 {{- if or .Values.global.ingress.selfSigned .Values.global.ingress.certManager }}
 tls:
 - hosts:
- {{- if and .Values.global.timesketch.enabled .Values.timesketch.ingress.host }}
- - {{ .Values.timesketch.ingress.host | quote }}
+ {{- if .Values.global.ingress.timesketchHost }}
+ - {{ .Values.global.ingress.timesketchHost | quote }}
 {{- end }}
- {{- if and .Values.global.yeti.enabled .Values.yeti.ingress.host }}
- - {{ .Values.yeti.ingress.host | quote }}
+ {{- if .Values.global.ingress.yetiHost }}
+ - {{ .Values.global.ingress.yetiHost | quote }}
 {{- end }}
 secretName: {{ .Release.Name }}-osdfir-tls
 {{- end }}
 rules:
- {{- if and .Values.global.timesketch.enabled .Values.timesketch.ingress.host }}
- - host: {{ .Values.timesketch.ingress.host }}
+ {{- if .Values.global.ingress.timesketchHost }}
+ - host: {{ .Values.global.ingress.timesketchHost }}
 http:
 paths:
 - path: /
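Review bot: The `tls` hosts and `rules` entries are now gated only on `.Values.global.ingress.timesketchHost` / `yetiHost`, whereas the code being replaced also required `.Values.global.timesketch.enabled` / `.Values.global.yeti.enabled`; a host that is set while that application is disabled now yields an Ingress rule pointing at a service that is not deployed (`{{ .Release.Name }}-timesketch-nginx` or `-yeti`), and managedcertificate.yaml still applies the enabled check, so the two resources disagree on which domains are in scope. The same dropped guard appears in both ingress.yaml hunks that follow. Restore it, e.g. `{{- if and .Values.global.timesketch.enabled .Values.global.ingress.timesketchHost }}` and the Yeti equivalent, in all three places. Separately, the `{{- else }}` / `fail` branch under the `gce` check is unreachable because the whole file is wrapped in `{{- if and .Values.global.ingress.enabled .Values.global.ingress.gcp.staticIPV6Name }}`, so the inner `if`/`else` can be collapsed to the two annotation lines. `kubernetes.io/ingressClassName` is not an annotation Kubernetes recognises (class selection uses `spec.ingressClassName` or the legacy `kubernetes.io/ingress.class` annotation); the inline copy this file replaces had the same key, so it is worth confirming the GCE controller actually adopts this Ingress.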
@@ -48,68 +48,8 @@ spec:
 port:
 number: 8080
 {{- end }}
- {{- if and .Values.global.yeti.enabled .Values.yeti.ingress.host }}
- - host: {{.Values.yeti.ingress.host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ .Release.Name }}-yeti
- port:
- number: 9000
- {{- end }}
-{{- end }}
-{{- if and .Values.global.ingress.enabled .Values.global.ingress.gcp.staticIPV6Name }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Release.Name }}-osdfir-ingress-ipv6
- namespace: {{ .Release.Namespace | quote }}
- labels:
- {{- include "osdfir.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/ingressClassName: {{ .Values.global.ingress.className }}
- {{- if .Values.global.ingress.gcp.managedCertificates }}
- networking.gke.io/managed-certificates: {{ .Release.Name }}-osdfir-managed-ssl
- {{- end }}
- {{- if .Values.global.ingress.certManager }}
- kubernetes.io/tls-acme: "true"
- cert-manager.io/issuer: {{ .Release.Name }}-osdfir-letsencrypt-production
- {{- end }}
- {{- if (eq .Values.global.ingress.className "gce") }}
- kubernetes.io/ingress.global-static-ip-name: {{ .Values.global.ingress.gcp.staticIPName }}
- networking.gke.io/v1beta1.FrontendConfig: {{ .Release.Name }}-osdfir-frontend-config
- {{- end }}
-spec:
- {{- if or .Values.global.ingress.selfSigned .Values.global.ingress.certManager }}
- tls:
- - hosts:
- {{- if and .Values.global.timesketch.enabled .Values.timesketch.ingress.host }}
- - {{ .Values.timesketch.ingress.host | quote }}
- {{- end }}
- {{- if and .Values.global.yeti.enabled .Values.yeti.ingress.host }}
- - {{ .Values.yeti.ingress.host | quote }}
- {{- end }}
- secretName: {{ .Release.Name }}-osdfir-tls
- {{- end }}
- rules:
- {{- if and .Values.global.timesketch.enabled .Values.timesketch.ingress.host }}
- - host: {{ .Values.timesketch.ingress.host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ .Release.Name }}-timesketch-nginx
- port:
- number: 8080
-
{{- end }}
- {{- if and .Values.global.yeti.enabled .Values.yeti.ingress.host }}
- - host: {{.Values.yeti.ingress.host }}
+ {{- if .Values.global.ingress.yetiHost }}
+ - host: {{.Values.global.ingress.yetiHost }}
 http:
 paths:
 - path: /
diff --git a/charts/osdfir-infrastructure/values.yaml b/charts/osdfir-infrastructure/values.yaml
index 98a64bbd..7dc45c73 100644
--- a/charts/osdfir-infrastructure/values.yaml
+++ b/charts/osdfir-infrastructure/values.yaml
@@ -19,12 +19,18 @@ global:
 ## @param global.yeti.enabled Enables the Yeti deployment (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: true
- ## Global ingress parameters used to configure Turbinia, Timesketch, Yeti under a single loadbalancer
+ ## Global ingress parameters used to configure Timesketch, Yeti under a loadbalancer
 ##
 ingress:
 ## @param global.ingress.enabled Enable the global loadbalancer for external access (only used in the main OSDFIR Infrastructure Helm chart)
 ##
 enabled: false
+ ## @param global.ingress.timesketchHost Domain name Timesketch will be hosted under
+ ##
+ timesketchHost: ""
+ ## @param global.ingress.yetiHost Domain name Yeti will be hosted under
+ ##
+ yetiHost: ""
 ## @param global.ingress.className IngressClass that will be be used to implement the Ingress
 ## ref https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
 ##
@@ -180,14 +186,6 @@ timesketch:
 ## @param timesketch.securityContext.enabled Enable SecurityContext for Timesketch pods
 ##
 enabled: true
- ## Ingress Parameters
- ##
- ingress:
- ## @param timesketch.ingress.host Domain name Timesketch will be hosted under
- ## Please ensure you have a DNS record set for the IP address registered under
- ## ingress.gcp.staticIPName
- ##
- host: ""
 ## Third Party Timesketch Configuration
 ## This section contains all the main configuration for third party dependencies Timesketch needs to run
 ##
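Review bot: The new `global.ingress.timesketchHost` / `global.ingress.yetiHost` parameters lose the guidance the removed per-chart `ingress.host` comments carried, namely that the value must be set when Ingress is enabled and that a DNS record has to point at the address registered under `global.ingress.gcp.staticIPName`; with the new IPv6 Ingress the same holds for `staticIPV6Name`. Suggested comment above `timesketchHost`, mirrored for `yetiHost`: `## Please ensure this value is set when enabling Ingress and that a DNS record exists for the IP registered under global.ingress.gcp.staticIPName (and staticIPV6Name when set).`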
@@ -361,15 +359,6 @@ yeti:
 ## @param yeti.config.oidc.existingSecret Existing secret with the client ID, secret and cookie secret
 ##
 existingSecret: ""
- ## Ingress Parameters
- ##
- ingress:
- ## @param yeti.ingress.host Domain name Yeti will be hosted under
- ## Please ensure this value is set when enabling Ingress. If using "gce" for
- ## ingress.className, please ensure you have a DNS record set for the IP address
- ## registered under ingress.gcp.staticIPName
- ##
- host: ""
 ## Third Party Configuration
 ## This section contains all the main configuration for third party dependencies Yeti needs to run
 ##