[0.5.5] Allow Customizing http.tls (#55)

* [v0.5.5] Allow Customizing http.tls Signed-off-by: hfuss <[email protected]> * mTLS integration test Signed-off-by: hfuss <[email protected]> * missing mtls integration test values Signed-off-by: hfuss <[email protected]> * chart and app version bumps Signed-off-by: hfuss <[email protected]> * allow overridding the URL for ff registration Signed-off-by: hfuss <[email protected]> Signed-off-by: hfuss <[email protected]>
hyperledger · Aug 29, 2022 · adaa436 · adaa436
1 parent 62f6204
commit adaa436
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -28,6 +28,7 @@ deps:
 	helm repo add bitnami https://charts.bitnami.com/bitnami || true
 	helm upgrade --install --set postgresqlPassword=firef1y --set extraEnv[0].name=POSTGRES_DATABASE --set extraEnv[0].value=firefly postgresql bitnami/postgresql --version 10.16.2
 	kubectl create secret generic custom-psql-config --dry-run --from-literal="url=postgres://postgres:[email protected]:5432/postgres?sslmode=disable" -o json | kubectl apply -f -
+	kubectl apply -n default -f manifests/mtls-cert.yaml
 
 starter: charts/firefly/local-values.yaml
 

diff --git a/charts/firefly/Chart.yaml b/charts/firefly/Chart.yaml
@@ -18,8 +18,8 @@ apiVersion: v2
 name: firefly
 description: A Helm chart for deploying FireFly and FireFly HTTPS Dataexchange onto Kubernetes.
 type: application
-appVersion: "1.0.3"
-version: "0.5.4"
+appVersion: "1.0.4"
+version: "0.5.5"
 
 maintainers:
   - name: hfuss

diff --git a/charts/firefly/ci/mtls-values.yaml b/charts/firefly/ci/mtls-values.yaml
@@ -0,0 +1,50 @@
+config:
+  debugEnabled: true
+  adminEnabled: true
+  metricsEnabled: true
+  preInit: true
+
+  organizationName: "firefly-os"
+  organizationKey: "0xeb7284ce905e0665b7d42cabe31c76c45da1d331"
+  fireflyContractAddress: "0xeb7284ce905e0665b7d42cabe31c76c45da1d254"
+
+  ethconnectUrl: "http://ethconnect.firefly-os"
+
+  postgresUrl: "postgres://postgres:[email protected]:5432?sslmode=disable"
+  postgresAutomigrate: true
+
+  ipfsApiUrl: "http://ipfs.firefly-os:5001"
+  ipfsGatewayUrl: "http://ipfs.firefly-os:8080"
+
+  addresssResolverUrlTemplate: "http://address-resolver.firefly-os/wallets/{{.Key}}"
+
+  httpTls:
+    caFile: /etc/pki/internal/ca.crt
+    certFile: /etc/pki/internal/tls.crt
+    keyFile: /etc/pki/internal/tls.key
+    enabled: true
+    clientAuth: true
+
+core:
+  metrics:
+    serviceMonitor:
+      enabled: true
+
+  extraVolumeMounts: |
+    - name: firefly-mtls
+      mountPath: /etc/pki/internal/
+
+  extraVolumes: |
+    - name: firefly-mtls
+      secret:
+        secretName: firefly-mtls-tls
+
+dataexchange:
+  certificate:
+    enabled: true
+    issuerRef:
+      kind: ClusterIssuer
+      name: selfsigned-ca
+
+  tlsSecret:
+    enabled: false
diff --git a/charts/firefly/templates/_helpers.tpl b/charts/firefly/templates/_helpers.tpl
@@ -211,6 +211,10 @@ http:
   port: {{ .Values.core.service.httpPort }}
   address: 0.0.0.0
   publicURL: {{ .Values.config.httpPublicUrl | default (include "firefly.coreHttpPublicURL" . ) }}
+  {{- if .Values.config.httpTls }}
+  tls:
+    {{- toYaml .Values.config.httpTls | nindent 4 }}
+  {{- end }}
 admin:
   port:  {{ .Values.core.service.adminPort }}
   address: 0.0.0.0

diff --git a/charts/firefly/templates/core/job-registration.yaml b/charts/firefly/templates/core/job-registration.yaml
@@ -41,7 +41,12 @@ spec:
         - |
 {{ .Files.Get  "scripts/ff-registration.sh" | indent 10 }}
         env:
+        {{- if .Values.core.jobs.registration.ffUrl }}
+        - name: FF_URL
+          value: "{{ tpl .Values.core.jobs.registration.ffUrl . }}"
+        {{- else }}
         - name: FF_URL
           value: "http://{{ include "firefly.fullname" . }}:{{ .Values.core.service.httpPort }}"
+        {{- end }}
       restartPolicy: Never
 {{- end }}
diff --git a/charts/firefly/templates/core/statefulset.yaml b/charts/firefly/templates/core/statefulset.yaml
@@ -97,6 +97,9 @@ spec:
           volumeMounts:
             - mountPath: /etc/firefly/
               name: firefly-config
+            {{- if .Values.core.extraVolumeMounts }}
+            {{- tpl .Values.core.extraVolumeMounts . | nindent 12 }}
+            {{- end }}
           resources:
             {{- toYaml .Values.core.resources | nindent 12 }}
       {{- if .Values.core.extraContainers }}

diff --git a/charts/firefly/values.yaml b/charts/firefly/values.yaml
@@ -31,6 +31,15 @@ config:
   # The public URL of the Firefly API server, if not set defaults to the Ingress URL or the Service URL within Kubernetes
   httpPublicUrl: ""
 
+  # Allows customizing the TLS configuration for the API server such as for pass-through TLS or mTLS
+  # see https://hyperledger.github.io/firefly/reference/config.html#httptls for configuration options
+  httpTls: {}
+  #   caFile: /etc/pki/internal/ca.crt
+  #   certFile: /etc/pki/internaltls.crt
+  #   keyFile: /etc/pki/internal/tls.key
+  #   enabled: true
+  #   clientAuth: true
+
   # Enables the metrics server / port for Prometheus scraping
   metricsEnabled: true
 
@@ -184,6 +193,7 @@ core:
   initContainers: ""
   extraContainers: ""
   extraVolumes: ""
+  extraVolumeMounts: ""
   volumeClaimTemplates: ""
 
   service:
@@ -245,6 +255,7 @@ core:
     # Note registration will not be successful until the new node has caught up with the head of the chain.
     registration:
       enabled: false
+      ffUrl: ""
 
 # Configures the properties of the StatefulSet, Service, and optionally Ingress used to deploy and expose FireFly HTTPS DataExchange
 dataexchange:

diff --git a/manifests/mtls-cert.yaml b/manifests/mtls-cert.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: firefly-mtls
+spec:
+  issuerRef:
+    name: selfsigned-ca
+    kind: ClusterIssuer
+  secretName: firefly-mtls-tls
+  commonName: firefly-mtls
+  dnsNames:
+    - firefly.default.svc