Merge pull request #72 from StackStorm/feature/http

Replace st2web https with http

Author: warrenvw

.circleci/config.yml

@@ -95,7 +95,7 @@ jobs:
           name: Helm install stackstorm-ha chart
           command: |
             # disable mongodb-ha chart persistent volumes as cluster can't start in CircleCI/KinD env
-            helm install --debug --name stackstorm-ha . \
+            helm install --debug --wait --name stackstorm-ha . \
               --set mongodb-ha.persistentVolume.enabled=false
       - run:
           when: always

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## In Development
 
+## v0.16.0
+* st2web now uses HTTP by default (#72). We now recommend you rely on `LoadBalancer` or `Ingress` to add HTTPS layer on top of it.
+
 ## v0.15.0
 * Add support for ingress (#68)
 

Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 # Update StackStorm version here to rely on other Docker images tags
 appVersion: 3.1dev
 name: stackstorm-ha
-version: 0.15.0
+version: 0.16.0
 description: StackStorm K8s Helm Chart, optimized for running StackStorm in HA environment.
 home: https://stackstorm.com/#product
 icon: https://avatars1.githubusercontent.com/u/4969009

README.md

@@ -83,6 +83,7 @@ kubectl exec -it ${ST2CLIENT} /bin/bash
 ### [st2web](https://docs.stackstorm.com/latest/reference/ha.html#nginx-and-load-balancing)
 st2web is a StackStorm Web UI admin dashboard. By default, st2web K8s config includes a Pod Deployment and a Service.
 `2` replicas (configurable) of st2web serve the web app and proxy requests to st2auth, st2api, st2stream.
+By default, st2web uses HTTP instead of HTTPS. We recommend you rely on `LoadBalancer` or `Ingress` to add HTTPS layer on top of it.
 > **Note!** By default, st2web is a NodePort Service and is not exposed to the public net.
   If your Kubernetes cluster setup supports the LoadBalancer service type, you can edit the corresponding helm values to configure st2web as a LoadBalancer service in order to expose it and the services it proxies to the public net.
 

templates/NOTES.txt

@@ -18,14 +18,14 @@ echo https://${ST2WEB_IP}/
 
 {{- else if contains "ClusterIP" .Values.st2web.service.type }}
 
-echo https://127.0.0.1:8443
-kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} 8443:443
+echo http://127.0.0.1:8080
+kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} 8080:80
 
 {{- else if contains "NodePort" .Values.st2web.service.type }}
 
 export ST2WEB_IP=$(minikube ip 2>/dev/null || kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
 export ST2WEB_PORT="$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }})"
-echo https://${ST2WEB_IP}:${ST2WEB_PORT}/
+echo http://${ST2WEB_IP}:${ST2WEB_PORT}/
 
 {{- end }}
 

templates/deployments.yaml

@@ -338,8 +338,6 @@ spec:
         chart: {{ .Chart.Name }}-{{ .Chart.Version }}
         release: {{ .Release.Name }}
         heritage: {{ .Release.Service }}
-      annotations:
-        checksum/ssl: {{ include (print $.Template.BasePath "/secrets_st2web.yaml") . | sha256sum }}
     spec:
       {{- if .Values.enterprise.enabled }}
       imagePullSecrets:
@@ -350,13 +348,13 @@ spec:
         image: "{{ template "imageRepository" . }}/st2web{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         ports:
-        - containerPort: 443
+        - containerPort: 80
         # Probe to check if app is running. Failure will lead to a pod restart.
         livenessProbe:
           httpGet:
-            scheme: HTTPS
+            scheme: HTTP
             path: /
-            port: 443
+            port: 80
           initialDelaySeconds: 1
         # Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
         # TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
@@ -373,25 +371,10 @@ spec:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
             optional: true
-        volumeMounts:
-        - name: st2web-ssl-cert
-          mountPath: /etc/ssl/st2/
-          readOnly: true
+        volumeMounts: []
         resources:
 {{ toYaml .Values.st2web.resources | indent 10 }}
-      volumes:
-      - name: st2web-ssl-cert
-        secret:
-          secretName: {{ .Release.Name }}-st2web
-          items:
-          - key: ssl_certificate
-            path: st2.crt
-            # 0400 file permission
-            mode: 256
-          - key: ssl_certificate_key
-            path: st2.key
-            # 0400 file permission
-            mode: 256
+      volumes: []
     {{- with .Values.st2web.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

templates/ingress.yaml

@@ -40,7 +40,7 @@ spec:
         - path: "/*"
           backend:
             serviceName: {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }}
-            servicePort: "443"
+            servicePort: "80"
   {{- end }}
   {{- if .Values.ingress.tls }}
   tls:

templates/secrets_st2web.yaml

@@ -107,7 +107,7 @@ spec:
   {{- end }}
   ports:
   - protocol: TCP
-    port: 443
+    port: 80
 
 {{ if .Values.st2chatops.enabled -}}
 ---

templates/services.yaml

@@ -189,66 +189,6 @@ secrets:
       WE8BWLQ1vBV6c7V4Q0Wp6LuTnNnvu/lvVugJW/TbrzFw6CFe5fEISmIHAMnqVz8x
       OdOJyinSM1svoBGnYfyAqINKrqCSGSKmprlMo0Ma3erI7SuojWBS
       -----END RSA PRIVATE KEY-----
-  st2web:
-    # SSL Certificate used for StackStorm Web UI in nginx (HTTPS)
-    # Warning! This is dummy auto-generated self-signed SSL cert. Use your own instead!
-    # TODO: For prod/stable consider auto-generating if no cert provided (#15)
-    ssl_certificate: |-
-      -----BEGIN CERTIFICATE-----
-      MIID2zCCAsOgAwIBAgIJANcrpXluUyomMA0GCSqGSIb3DQEBCwUAMIGDMQswCQYD
-      VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRv
-      MRMwEQYDVQQKDApTdGFja1N0b3JtMSEwHwYDVQQLDBhJbmZvcm1hdGlvbiAgIFRl
-      Y2hub2xvZ3kxEzARBgNVBAMMCnN0YWNrc3Rvcm0wHhcNMTgwNTIzMTQxMDMyWhcN
-      MTkwNTIzMTQxMDMyWjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
-      aWExEjAQBgNVBAcMCVBhbG8gQWx0bzETMBEGA1UECgwKU3RhY2tTdG9ybTEhMB8G
-      A1UECwwYSW5mb3JtYXRpb24gICBUZWNobm9sb2d5MRMwEQYDVQQDDApzdGFja3N0
-      b3JtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5r2f8xtKToZM3rMS
-      J+gcpRjCIACv4ivJDxhhOJ1L9WXpR5UGUtftuiRKvhQA6lW0buPyAWnIDdEyUKHa
-      QoPPYfB/mmuu5qc14JLJ9swzqkfHkgcgi1DjXFg8GkfWKXymtD2F/jU+Mf94NS9P
-      kfZO7mAfOMjsX18J7Vmq/Jk2dYOmbQHsj549VNUcaj4HEmf52cqHlJCAdl8gVJ0H
-      8NDJwDkb1okNKqCMLu5sR3ffmTnVO+zxsNIZMnngevWfhkLkYdEpxraL0Dyi8HkA
-      004cvPryoit4sucYvEWU2ZWBjBtOFJmqH8QQYei/G9JDVjfXk8KoRm1EvH1G3Hab
-      6wmB0QIDAQABo1AwTjAdBgNVHQ4EFgQUrTArdEoZeiCoYs5xp+BDp9/AlhowHwYD
-      VR0jBBgwFoAUrTArdEoZeiCoYs5xp+BDp9/AlhowDAYDVR0TBAUwAwEB/zANBgkq
-      hkiG9w0BAQsFAAOCAQEAjhMlepcXlWlbr7HcwDX0bNAAze+tJ/NVQGAkl92Nu/9L
-      KsJmObhFEJmok4ZuYhzeVlNRVkC465oHhDLOjUzZoZ6y4hiyH8YJacnZ8mpFFxcc
-      /s18QEw5+G6/xTAzTsrvN2aS+M6qVfEM2tmtwzb7cE14nExLrKq9MGZ6c9qBbH/k
-      YP18QVLx89mBcrWHzbUmCXkVzVxcII2U2CyPhGoHpN054oZ9XT5r0p/JqWLl2wEh
-      6iNbkxysfAeB2J0tY10uSWCzQuQ1UtzDaBkGUHd+UKR98EcduoNqMoUIwkAu0gjk
-      k8kkryYUKpQ/OAiyXIDJiR9lWPGG1Kr8ZqOwjeCRKw==
-      -----END CERTIFICATE-----
-    # SSL Certificate private key used for StackStorm Web UI in nginx (HTTPS)
-    # Warning! This is dummy auto-generated self-signed SSL cert. Use your own instead!
-    # TODO: For prod/stable consider auto-generating if no cert provided (#15)
-    ssl_certificate_key: |-
-      -----BEGIN PRIVATE KEY-----
-      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDmvZ/zG0pOhkze
-      sxIn6BylGMIgAK/iK8kPGGE4nUv1ZelHlQZS1+26JEq+FADqVbRu4/IBacgN0TJQ
-      odpCg89h8H+aa67mpzXgksn2zDOqR8eSByCLUONcWDwaR9YpfKa0PYX+NT4x/3g1
-      L0+R9k7uYB84yOxfXwntWar8mTZ1g6ZtAeyPnj1U1RxqPgcSZ/nZyoeUkIB2XyBU
-      nQfw0MnAORvWiQ0qoIwu7mxHd9+ZOdU77PGw0hkyeeB69Z+GQuRh0SnGtovQPKLw
-      eQDTThy8+vKiK3iy5xi8RZTZlYGMG04UmaofxBBh6L8b0kNWN9eTwqhGbUS8fUbc
-      dpvrCYHRAgMBAAECggEBAKiTETCDV55W8AIjwbf2FDdqBylqVxVd995XaW/7O2tl
-      sTDi52PO7Zd4vEJyStjpFJGPZ1cw+T9e/ut51AOUWQastg0TbwyETRBtLbBpL7XQ
-      CzXcjyI5TmJA9Gge45AbyY8VA7fdHjtY8XGpxvBUiwYMo8LQyCBFRvNo90rkhK0E
-      xk+mk+DhVFTFvJbYhENTAA8iCq3GeeA7tC+hwOkyNUeyiroIYa1m9uwIPFHS4gxF
-      +uCRsTnhOxUVzxfAWsWBZDe0Yo5zVHl7xwFfse1T//vbwoF5ouIP2IjbwGveCbeW
-      hunsYOPdkkT8rdszyLmrfrpA6Bc0tHKuOz9fJRcCuSECgYEA+9RIc/mzz0AI09oA
-      8vNWYImgPRa0l+AxX3EuL/xx49i8swpELtjNzsz0H1J0nY6baPMaoxj4TEJFxT7c
-      X5NSltcZlxxAxi5WdEpJSdSvznNTKpYVqyDkJWN+1NuoW5e8LOMOuR3NRx7ogA2P
-      o2NpsbShIp22odMaj1tW9kED+N8CgYEA6o/uBVs+y2Fv7Y86PSnaBJPzO07YO1xG
-      tan0zr4TBp2o4YX5sgSdCSlZmSsrGi5Vq20RsBkOg4w8o4ZFYPBZmi+xDyomiibA
-      qssbYTTovwooy5y5LMO+HSz0ClWe17v+o/M0OWwM/uLZ/dOb309NT81A58f0jZIn
-      6ghnWscF608CgYBmAxRmhpxkNBhfWUxRHmm7KYUTugLmExdtBjgjkCvClKW8EUiV
-      gZW9VCEAHzLGMGKcHP6JWzAaFC6XPGOhA9jM6c2f/P3wSg0ThpQxqEqfYvAprCqS
-      6/v/eVKDf4evssOzmzb3ni7txIOCe/vXwAmsxvMPRrwYyZ9Uuzd7AdNOGQKBgB8G
-      Alk7BEcqD/+/ndhRHMDWQKlreDYBsmh8niBqC2IooBmT+r6M1ahMi8kyaHUCA9q0
-      hk5gQgcsGSkXrT1xDKjT/fsffBFxprHwQyLMOKxrz5F+nQ9KpG5/b5eeU2/9MWTF
-      2fZuUBm2L1bfEhKrDnKrlxYQ4EuJNTZC/kiHYkUJAoGBAICBQqCOkFaugy0obNvD
-      BRmc3S5gNeMQHangZKKO1I0hnK0WeWV/D/sTNY1GxxPNhHfU3yfQvfI+Kswspi/b
-      ofUOhwAXuMsTtuLagOMyAJVs+KRVrvnXGT/p9l213ZAnDtFSpkvcjD9WUcupeTca
-      BjdoJBzImjVB5znOgIui3ME5
-      -----END PRIVATE KEY-----
 
 ##
 ## StackStorm HA Cluster pod settings for each individual service/component.