From e57b80a89459a60090a1d3723da60a913548511c Mon Sep 17 00:00:00 2001
From: dena
Date: Thu, 12 Dec 2024 13:25:21 +0100
Subject: [PATCH 1/7] add makefile target and docs

---
 Makefile | 6 ++++++
 doc/local-dev-env.md | 11 ++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index ff6b2c5c4..6b92be11d 100644
--- a/Makefile
+++ b/Makefile
@@ -8,6 +8,12 @@ help:
 { printf " %-20s %s\n", $$1, $$2 }; \
 '
 
+.PHONY: local-ca
+local-ca: # @HELP Get the CA certificate that is used in the local environment
+local-ca:
+ kubectl get secret wikibase-local-tls -o json | jq -r '.data."ca.crt"' | base64 -d > wikibase-local-tls.crt
+ realpath wikibase-local-tls.crt
+
 .PHONY: minikube-start
 minikube-start: # @HELP Start a local k8s cluster using minikube
 minikube-start:
diff --git a/doc/local-dev-env.md b/doc/local-dev-env.md
index dd387ffd4..175914a50 100644
--- a/doc/local-dev-env.md
+++ b/doc/local-dev-env.md
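Review bot: The added recipe line `kubectl get secret … | jq -r '.data."ca.crt"' | base64 -d > wikibase-local-tls.crt` cannot report failure: make runs it under /bin/sh without pipefail, so if kubectl errors or the secret has no `ca.crt` key, jq prints nothing or the literal `null` (four valid base64 characters that decode without complaint), an empty or garbage .crt lands on disk and the following `realpath` still prints a path as if everything had worked. Capturing the value and checking it first keeps the failure visible: `ca="$$(kubectl get secret wikibase-local-tls -o jsonpath='{.data.ca\.crt}')" && test -n "$$ca" && printf '%s' "$$ca" | base64 -d > wikibase-local-tls.crt`. The call also runs against whatever kubectl context happens to be current, so a developer pointed at another cluster would pull a like-named secret from there; pinning the context the docs use for this cluster (the troubleshooting section of the same patch references `minikube-wbaas`) would close that, though the exact flag cannot be confirmed from this hunk. Since the file is a root CA the user is about to trust, a trailing `chmod 600 wikibase-local-tls.crt` is cheap.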
@@ -245,6 +245,15 @@ sudo wget https://raw.githubusercontent.com/roboll/helmfile/master/autocomplete/
 sudo sh -c 'skaffold completion bash > /usr/share/bash-completion/completions/skaffold'
 ```
 
+## [Optional] install local CA certificate
+Since we [introduced](https://phabricator.wikimedia.org/T378691) using HTTPS for local ingresses, you will get a scary warning when accessing local web interfaces. This can be mitigated by trusting the local CA certificate that is getting used for self-signing. The easiest way to do this is to save the local CA certificate in a file by accessing the secret it lives in (`wikibase-local-tls`) and importing it in your browser. There is also the possibility to import it into the trust store of your operating system, for example via the tool [mkcert](https://github.com/FiloSottile/mkcert), but you should be aware of the possible consequences this could have for the security of your machine.
+
+> [!TIP]
+> Running `make local-ca` will save the certificate to the file `wikibase-local-tls.crt`. It is highly recommended to delete the file again after importing it.
+
+> [!NOTE]
+> If you recreate your local cluster, you have to re-import the CA certificate, as a new one will get generated and used instead.
+
 ## Testing changes
 [skaffold](https://skaffold.dev) is used to load changes made in other repositories (e.g. `api`, `mediawiki`, `quickstatements`, etc) into the pods running in minikube. See the [README](../skaffold/README.md) in the skaffold directory for details on how to use.
 
@@ -270,7 +279,7 @@ it is likely because `make diff-local` uses the `--skip-deps` option when execut
 Here are a few things to try:
 - make sure minikube is running `make minikube-start`
 - make sure the minikube tunnel is running `make minikube-tunnel`
- - make sure you are using http:// and not https:// (there are no TLS certificates)
+ - make sure you are using https:// and not http://
 - check the health of your pods `kubectl --profile minikube-wbaas get pods`
 
 ### **API isn't running // Some pods are missing**
From fc6972bf8786072863e172353390d1133e6d3581 Mon Sep 17 00:00:00 2001
From: dena <91744937+deer-wmde@users.noreply.github.com>
Date: Thu, 12 Dec 2024 13:36:04 +0100
Subject: [PATCH 2/7] Update local-dev-env.md

---
 doc/local-dev-env.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/local-dev-env.md b/doc/local-dev-env.md
index 175914a50..29d027b53 100644
--- a/doc/local-dev-env.md
+++ b/doc/local-dev-env.md
@@ -246,7 +246,7 @@ sudo sh -c 'skaffold completion bash > /usr/share/bash-completion/completions/sk
 ```
 
 ## [Optional] install local CA certificate
-Since we [introduced](https://phabricator.wikimedia.org/T378691) using HTTPS for local ingresses, you will get a scary warning when accessing local web interfaces. This can be mitigated by trusting the local CA certificate that is getting used for self-signing. The easiest way to do this is to save the local CA certificate in a file by accessing the secret it lives in (`wikibase-local-tls`) and importing it in your browser. There is also the possibility to import it into the trust store of your operating system, for example via the tool [mkcert](https://github.com/FiloSottile/mkcert), but you should be aware of the possible consequences this could have for the security of your machine.
+Since we [introduced](https://phabricator.wikimedia.org/T378691) using HTTPS for local ingresses, you will get a scary warning when accessing local web interfaces. This can be mitigated by trusting the local CA certificate that is getting used for self-signing. The easiest way to do this is to save the local CA certificate in a file by accessing the secret it lives in (`wikibase-local-tls`) and importing it in your browser settings. There is also the possibility to import it into the trust store of your operating system, for example via the tool [mkcert](https://github.com/FiloSottile/mkcert), but you should be aware of the possible consequences this could have for the security of your machine.
 
 > [!TIP]
 > Running `make local-ca` will save the certificate to the file `wikibase-local-tls.crt`. It is highly recommended to delete the file again after importing it.
From f63015e9f01f392cc1fe1c8b9acc8f8e779a6d45 Mon Sep 17 00:00:00 2001
From: dena
Date: Fri, 13 Dec 2024 14:10:21 +0100
Subject: [PATCH 3/7] change issuerref

---
 k8s/helmfile/env/local/certificates.values.yaml.gotmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/k8s/helmfile/env/local/certificates.values.yaml.gotmpl b/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
index 4ea7cf9be..2f7d778d8 100644
--- a/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
+++ b/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
@@ -5,4 +5,4 @@ certificates:
 - '*.wbaas.localhost'
 - 'wbaas.localhost'
 secretName: wikibase-local-tls
- issuerRef: selfsigned-cluster-issuer
+ issuerRef: wikibase-local-issuer
From fac873c7aa1dd286eefa30680829c15485a95d92 Mon Sep 17 00:00:00 2001
From: dena
Date: Fri, 13 Dec 2024 14:10:54 +0100
Subject: [PATCH 4/7] use new chart

---
 k8s/helmfile/helmfile.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/k8s/helmfile/helmfile.yaml b/k8s/helmfile/helmfile.yaml
index d222bb9a0..c8f365b3f 100644
--- a/k8s/helmfile/helmfile.yaml
+++ b/k8s/helmfile/helmfile.yaml
@@ -79,7 +79,7 @@ releases:
 - name: clusterissuers
 namespace: cert-manager
 chart: wbstack/wikibase-cloud-clusterissuers
- version: 0.2.0
+ version: 0.2.1
 values:
 - email: {{ .Values.external.letsencrypt.email }}
 - gceProject: {{ .Values.gceProject }}
From 716ae8f00c275fd0798731d04bc78dbf6a595645 Mon Sep 17 00:00:00 2001
From: dena <91744937+deer-wmde@users.noreply.github.com>
Date: Fri, 13 Dec 2024 14:18:50 +0100
Subject: [PATCH 5/7] Update Makefile

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 6b92be11d..29b297f06 100644
--- a/Makefile
+++ b/Makefile
@@ -11,8 +11,8 @@ help:
 .PHONY: local-ca
 local-ca: # @HELP Get the CA certificate that is used in the local environment
 local-ca:
- kubectl get secret wikibase-local-tls -o json | jq -r '.data."ca.crt"' | base64 -d > wikibase-local-tls.crt
- realpath wikibase-local-tls.crt
+ kubectl get secret wikibase-local-tls -o json | jq -r '.data."ca.crt"' | base64 -d > wikibase-local-ca.crt
+ realpath wikibase-local-ca.crt
 
 .PHONY: minikube-start
 minikube-start: # @HELP Start a local k8s cluster using minikube
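Review bot: `issuerRef: wikibase-local-issuer` on the new line names an issuer that nothing in this values file defines, so the Certificate only becomes Ready once the release that provides it is deployed — presumably the clusterissuers chart bump to 0.2.1 in the following patch, which makes the two commits inseparable in practice. A comment above the entry, `# issuer is provided by the wbstack/wikibase-cloud-clusterissuers release in helmfile.yaml`, would record that coupling for whoever bisects through it. Whether the bare name expands to an Issuer or a ClusterIssuer is decided by the certificates chart template and is not visible here. Because the secret's `ca.crt` is what developers are told to import into their browser or OS trust store, the key behind this issuer should stay in-cluster only and the root should carry a short validity — neither checkable from this hunk.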
From d7a70a3d78a1d404a638824cd93af9c195b445c0 Mon Sep 17 00:00:00 2001
From: dena
Date: Fri, 13 Dec 2024 14:21:14 +0100
Subject: [PATCH 6/7] add .gitignore

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..cd6b74629
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+wikibase-local-ca.crt
+
From c8c33f7f48358b1d5a568a738f83c54caeb4c244 Mon Sep 17 00:00:00 2001
From: dena
Date: Fri, 13 Dec 2024 14:51:09 +0100
Subject: [PATCH 7/7] add local ssl conf for argo

---
 k8s/helmfile/env/local/argo-cd-base.values.yaml.gotmpl | 4 ----
 k8s/helmfile/env/local/certificates.values.yaml.gotmpl | 7 +++++++
 k8s/helmfile/helmfile.yaml | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/k8s/helmfile/env/local/argo-cd-base.values.yaml.gotmpl b/k8s/helmfile/env/local/argo-cd-base.values.yaml.gotmpl
index ab116941f..7c39c4f74 100644
--- a/k8s/helmfile/env/local/argo-cd-base.values.yaml.gotmpl
+++ b/k8s/helmfile/env/local/argo-cd-base.values.yaml.gotmpl
@@ -27,7 +27,3 @@ server:
 ingress:
 enabled: true
 ingressClassName: nginx
- annotations:
- nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
- nginx.ingress.kubernetes.io/ssl-passthrough: "false"
- tls: false
\ No newline at end of file
diff --git a/k8s/helmfile/env/local/certificates.values.yaml.gotmpl b/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
index 2f7d778d8..f0904fcc3 100644
--- a/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
+++ b/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
@@ -6,3 +6,10 @@ certificates:
 - 'wbaas.localhost'
 secretName: wikibase-local-tls
 issuerRef: wikibase-local-issuer
+ - name: argocd-server-tls
+ namespace: argocd
+ commonName: argo.wbaas.localhost
+ dnsNames:
+ - 'argo.wbaas.localhost'
+ secretName: argocd-server-tls
+ issuerRef: wikibase-local-issuer
diff --git a/k8s/helmfile/helmfile.yaml b/k8s/helmfile/helmfile.yaml
index c8f365b3f..d363a9cfc 100644
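Review bot: Removing `tls: false` together with the two nginx annotations leaves nothing in the argo-cd ingress values that turns TLS on, so whether the ingress actually serves the `argocd-server-tls` certificate added later in this same patch depends on the chart default or on a values file that is not in view. If that default is off, the Certificate is issued and never mounted and the UI keeps answering on plain HTTP, the opposite of what the commit subject promises; an explicit `tls: true` under `ingress:` (the secret name the new Certificate uses looks like the one the chart expects, but that is an inference) would make the intent checkable in this file. The `server:` mapping this hunk edits starts before the hunk.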
--- a/k8s/helmfile/helmfile.yaml
+++ b/k8s/helmfile/helmfile.yaml
@@ -95,7 +95,7 @@ releases:
 - name: certificates
 namespace: default
 chart: wbstack/certificates
- version: 0.1.0
+ version: 0.1.1
 <<: *default_release
 - name: argocd-config