Merge pull request #151 from holaplex/mpw/gateway-certs

add deployment of self-signed certs on local dev

Author: mpwsh

charts/hub-gateway/Chart.lock

@@ -3,4 +3,4 @@ dependencies:
   repository: https://charts.apiseven.com
   version: 1.3.1
 digest: sha256:f5e4c06ee49ce8bdf2ee3cf997ece55fb80071c8e122fad43197d9be8ddd32f3
-generated: "2023-04-22T00:12:14.986923-03:00"
+generated: "2023-10-03T03:02:45.699841-03:00"

charts/hub-gateway/Chart.yaml

@@ -18,7 +18,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.23.10
+version: 0.24.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/hub-gateway/templates/certs.yaml

@@ -0,0 +1,42 @@
+{{- $domain := .Values.domain -}}
+{{- $devMode := .Values.certificates.devMode -}}
+{{- if .Values.certificates.deploy -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hub-domains
+  namespace: ingress-apisix
+spec:
+  dnsNames:
+    {{- with .Values.routes }}
+    {{- $usedHosts := "" -}}
+    {{- range . }}
+    {{- $currentHost := .host | default (printf "%s.%s" .subdomain $domain) | quote -}}
+    {{- if not (contains $currentHost $usedHosts) }}
+    - {{ $currentHost }}
+    {{- $usedHosts = print $usedHosts $currentHost -}}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  issuerRef:
+    kind: ClusterIssuer
+    group: cert-manager.io
+    {{- if $devMode }}
+    name: selfsigned
+    {{- else }}
+    name: letsencrypt-prod
+    {{- end }}
+  {{- if $devMode }}
+  isCA: true
+  commonName: selfsigned-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  {{- end }}
+  secretName: hub-certificates
+  usages:
+    - digital signature
+    - key encipherment
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+{{- end }}

charts/hub-gateway/templates/issuers.yaml

@@ -0,0 +1,38 @@
+{{- $namespace := .Values.hubNamespace -}}
+{{- $certEmail := .Values.certificates.email -}}
+{{- $devMode := .Values.certificates.devMode -}}
+{{- if $devMode }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: ca-issuer
+  namespace: {{ $namespace }}
+spec:
+  ca:
+    secretName: hub-certificates
+{{- else }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: {{ $certEmail }}
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: apisix
+    - http01:
+        ingress:
+          class: nginx
+{{- end }}

charts/hub-gateway/templates/tls.yaml

@@ -0,0 +1,22 @@
+{{- $domain := .Values.domain -}}
+{{- if .Values.certificates.deploy -}}
+apiVersion: apisix.apache.org/v2
+kind: ApisixTls
+metadata:
+  name: hub-domains-tls
+spec:
+  hosts:
+    {{- with .Values.routes }}
+    {{- $usedHosts := "" -}}
+    {{- range . }}
+    {{- $currentHost := .host | default (printf "%s.%s" .subdomain $domain) | quote -}}
+    {{- if not (contains $currentHost $usedHosts) }}
+    - {{ $currentHost }}
+    {{- $usedHosts = print $usedHosts $currentHost -}}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  secret:
+    name: hub-certificates
+    namespace: ingress-apisix
+{{- end }}

charts/hub-gateway/values.yaml

@@ -15,6 +15,11 @@ internalService:
 networkPolicies:
   enabled: false
 
+certificates:
+  deploy: false
+  devMode: true
+  email: ""
+
 routes:
   - name: api
     serviceName: federated-router