From facec87b818b5f29d018a3ae30266d9f0a2c1a7d Mon Sep 17 00:00:00 2001 From: David Young Date: Thu, 19 Aug 2021 13:24:52 +1200 Subject: [PATCH 1/6] First cut at chart supporting SSL Signed-off-by: David Young --- charts/portainer/templates/NOTES.txt | 10 ++++----- charts/portainer/templates/deployment.yaml | 24 ++++++++++++++++++---- charts/portainer/templates/service.yaml | 11 ++++++++-- charts/portainer/values.yaml | 7 +++++++ 4 files changed, 41 insertions(+), 11 deletions(-) diff --git a/charts/portainer/templates/NOTES.txt b/charts/portainer/templates/NOTES.txt index d1e5f18..604843e 100644 --- a/charts/portainer/templates/NOTES.txt +++ b/charts/portainer/templates/NOTES.txt 
@@ -7,17 +7,17 @@ {{- end }} {{- else if contains "NodePort" .Values.service.type }} Get the application URL by running these commands: - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "portainer.fullname" . }}) + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ include "portainer.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT + echo https://$NODE_IP:$NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} Get the application URL by running these commands: NOTE: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "portainer.fullname" . }}' export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "portainer.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.httpPort }} + echo http://$SERVICE_IP:{{ .Values.service.httpsPort }} {{- else if contains "ClusterIP" .Values.service.type }} Get the application URL by running these commands: - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "portainer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].me$ echo "Visit http://127.0.0.1:9000 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9000:9000 + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "portainer.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].me$ echo "Visit http://127.0.0.1:9443 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9443:9443 {{- end }} diff --git a/charts/portainer/templates/deployment.yaml b/charts/portainer/templates/deployment.yaml index 1081d82..c6fa49e 100644 --- a/charts/portainer/templates/deployment.yaml +++ b/charts/portainer/templates/deployment.yaml @@ -25,9 +25,14 @@ spec: {{- end }} serviceAccountName: {{ include "portainer.serviceAccountName" . }} volumes: - - name: "data" - persistentVolumeClaim: - claimName: {{ template "portainer.pvcName" . }} + - name: "data" + persistentVolumeClaim: + claimName: {{ template "portainer.pvcName" . }} + {{- if .Values.tls.existingSecret }} + - name: certs + secret: + secretName: {{ .Values.tls.existingSecret }} + {{- end }} containers: - name: {{ .Chart.Name }} {{- if .Values.enterpriseEdition.enabled }} @@ -37,16 +42,27 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} {{- end }} + args: + - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not + - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }} - args: [ '--tunnel-port','{{ .Values.service.edgeNodePort }}' ] + - '--tunnel-port={{ .Values.service.edgeNodePort }}' {{- end }} volumeMounts: - name: data mountPath: /data + {{- if .Values.tls.existingSecret }} + - name: certs + mountPath: /certs + readOnly: true + {{- end }} ports: - name: http containerPort: 9000 protocol: TCP + - name: https + containerPort: 9443 + protocol: TCP - name: tcp-edge containerPort: 8000 protocol: TCP diff --git a/charts/portainer/templates/service.yaml b/charts/portainer/templates/service.yaml index ce70f0c..464fd1a 100644 
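Review bot: The LoadBalancer and ClusterIP branches switch to the HTTPS port but keep an `http://` scheme, so the printed URLs are wrong: `echo http://$SERVICE_IP:{{ .Values.service.httpsPort }}` should become `echo https://$SERVICE_IP:{{ .Values.service.httpsPort }}`, and the port-forward hint should read `echo "Visit https://127.0.0.1:9443 to use your application"`. The NodePort branch now reads `.spec.ports[1].nodePort`, which silently picks the wrong port if the order of entries in service.yaml ever changes; selecting by name, `jsonpath="{.spec.ports[?(@.name=='https')].nodePort}"`, does not depend on position. The rewritten POD_NAME line still ends in `{.items[0].me$`, which reads as a truncated jsonpath expression rather than a working one, unless that is an artifact of how the patch was captured.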
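Review bot: The new `certs` Secret volume sets no `defaultMode`, so the private key is projected with the Kubernetes default file mode (0644), readable by any process in the container regardless of uid; adding `defaultMode: 0400` under `secret:` restricts it to the file owner, assuming the Portainer process runs as that owner (confirm against the image's runAsUser). The mount itself is `readOnly: true` in the following hunk, which is good, but read-only does not prevent other processes from reading `tls.key`. The enclosing `spec:` block starts before this hunk.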
--- a/charts/portainer/templates/service.yaml +++ b/charts/portainer/templates/service.yaml @@ -22,7 +22,14 @@ spec: {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpNodePort))) }} nodePort: {{ .Values.service.httpNodePort}} {{- end }} - {{- if (eq .Values.service.type "NodePort") }} + - port: {{ .Values.service.httpsPort }} + targetPort: 9443 + protocol: TCP + name: https + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpsNodePort))) }} + nodePort: {{ .Values.service.httpsNodePort}} + {{- end }} + {{- if (eq .Values.service.type "NodePort") }} - port: {{ .Values.service.edgeNodePort }} targetPort: {{ .Values.service.edgeNodePort }} {{- else }} @@ -33,6 +40,6 @@ spec: name: edge {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }} nodePort: {{ .Values.service.edgeNodePort }} - {{- end }} + {{- end }} selector: {{- include "portainer.selectorLabels" . | nindent 4 }} diff --git a/charts/portainer/values.yaml b/charts/portainer/values.yaml index 3313d99..f5340b2 100644 --- a/charts/portainer/values.yaml +++ b/charts/portainer/values.yaml @@ -31,14 +31,21 @@ service: # For Cloud Providers, set the type to be LoadBalancer type: NodePort httpPort: 9000 + httpsPort: 9443 httpNodePort: 30777 + httpsNodePort: 30778 edgePort: 8000 edgeNodePort: 30776 annotations: {} +tls: + # If set, will mount the existing secret into the pod + existingSecret: "" + ingress: enabled: false annotations: {} +# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" hosts: - host: paths: [] From ce1dfc6b23f7dff4e9eb96cff4d95a8bcbb3c801 Mon Sep 17 00:00:00 2001 From: David Young Date: Mon, 13 Sep 2021 09:47:19 +1200 Subject: [PATCH 2/6] Switch probes to HTTPS scheme 
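Review bot: The plain-HTTP entry (`port: {{ .Values.service.httpPort }}`, NodePort 30777) stays exposed next to the new HTTPS entry, so a release that mounts a real certificate still accepts logins over cleartext on the HTTP port; consider gating the http entry on a value (a constructed example: `service.httpEnabled`) or at least documenting in values.yaml that 9000 remains open, so operators can expose only the TLS endpoint. The same applies to the Service hunks of the four static manifests in patch 2 (portainer-ee.yaml, portainer-lb-ee.yaml, portainer-lb.yaml, portainer.yaml). Minor style: `nodePort: {{ .Values.service.httpsNodePort}}` lacks the space before `}}` that the other actions in this template use; it copies the existing httpNodePort line, which has the same slip. The `ports:` list starts before this hunk.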
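Review bot: The comment on `tls.existingSecret` should state the contract the deployment template relies on: the Secret is mounted at /certs and Portainer is pointed at `/certs/tls.crt` and `/certs/tls.key`, so it must carry exactly those keys (a `kubernetes.io/tls` Secret does). Suggested wording: `# Name of an existing Secret with tls.crt and tls.key (type kubernetes.io/tls); mounted read-only at /certs. Leave empty to keep Portainer's own certificate.` — the last clause presumes Portainer serves 9443 with a self-generated certificate when nothing is mounted, which should be confirmed before it goes into the comment. The commented-out `backend-protocol: "HTTPS"` annotation only helps if the ingress template (not part of this patch) routes to the https service port; if it still targets the http port, enabling the annotation would break the backend, so the comment should say which port the ingress uses.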
Signed-off-by: David Young --- charts/portainer/templates/deployment.yaml | 6 +++-- deploy/manifests/portainer/portainer-ee.yaml | 27 ++++++++++++++----- .../manifests/portainer/portainer-lb-ee.yaml | 26 +++++++++++++----- deploy/manifests/portainer/portainer-lb.yaml | 26 +++++++++++++----- deploy/manifests/portainer/portainer.yaml | 27 ++++++++++++++----- 5 files changed, 82 insertions(+), 30 deletions(-) diff --git a/charts/portainer/templates/deployment.yaml b/charts/portainer/templates/deployment.yaml index c6fa49e..4279116 100644 --- a/charts/portainer/templates/deployment.yaml +++ b/charts/portainer/templates/deployment.yaml @@ -69,10 +69,12 @@ spec: livenessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS readinessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/deploy/manifests/portainer/portainer-ee.yaml b/deploy/manifests/portainer/portainer-ee.yaml index cef5b86..fd6524e 100644 --- a/deploy/manifests/portainer/portainer-ee.yaml +++ b/deploy/manifests/portainer/portainer-ee.yaml @@ -73,6 +73,11 @@ spec: protocol: TCP name: http nodePort: 30777 + - port: 9443 + targetPort: 9443 + protocol: TCP + name: https + nodePort: 30778 - port: 30776 targetPort: 30776 protocol: TCP 
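Review bot: The probes now require the 9443 listener to complete a TLS handshake, which deserves a comment because nothing in the chart guarantees a certificate when `tls.existingSecret` is empty; presumably Portainer falls back to a self-generated certificate, and since the kubelet does not verify the server certificate for `scheme: HTTPS` probes that case works. A line such as `# kubelet does not verify the certificate on HTTPS probes, so this works with a self-signed cert as well as tls.existingSecret` above `livenessProbe:` would record that. If the referenced Secret lacks usable `tls.crt`/`tls.key`, the pod will not pass these probes and the rollout stalls instead of surfacing a clear error; that failure mode is worth a sentence in values.yaml too. The enclosing container definition starts before this hunk.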
@@ -111,32 +116,40 @@ spec: {} serviceAccountName: portainer-sa-clusteradmin volumes: - - name: "data" - persistentVolumeClaim: - claimName: portainer + - name: "data" + persistentVolumeClaim: + claimName: portainer containers: - name: portainer image: "portainer/portainer-ee:2.7.0" imagePullPolicy: Always - args: [ '--tunnel-port','30776' ] + args: + - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not + - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not + - '--tunnel-port=30776' volumeMounts: - name: data - mountPath: /data + mountPath: /data ports: - name: http containerPort: 9000 protocol: TCP + - name: https + containerPort: 9443 + protocol: TCP - name: tcp-edge containerPort: 8000 protocol: TCP livenessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS readinessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS resources: {} diff --git a/deploy/manifests/portainer/portainer-lb-ee.yaml b/deploy/manifests/portainer/portainer-lb-ee.yaml index f5494d5..045d3d8 100644 --- a/deploy/manifests/portainer/portainer-lb-ee.yaml +++ b/deploy/manifests/portainer/portainer-lb-ee.yaml @@ -72,6 +72,10 @@ spec: targetPort: 9000 protocol: TCP name: http + - port: 9443 + targetPort: 9443 + protocol: TCP + name: https - port: 8000 targetPort: 8000 protocol: TCP 
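Review bot: This hunk mixes whitespace-only re-indentation of the `volumes:` block and of `mountPath: /data` with the functional additions (the new args, the https containerPort and the probe scheme), which makes the real change harder to review and to cherry-pick; the matching hunks for portainer-lb-ee.yaml, portainer-lb.yaml and portainer.yaml have the same mix. Keeping the reformat in its own commit, or leaving the old indentation, would reduce the diff to the lines that matter. The `# Always use these paths for cert/key, whether they exist or not` comments describe an intent these static manifests cannot honor, since no `/certs` volume is defined in them; the comment should say what Portainer does when those files are absent, or be dropped. The enclosing Deployment spec begins before this hunk.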
@@ -109,31 +113,39 @@ spec: {} serviceAccountName: portainer-sa-clusteradmin volumes: - - name: "data" - persistentVolumeClaim: - claimName: portainer + - name: "data" + persistentVolumeClaim: + claimName: portainer containers: - name: portainer image: "portainer/portainer-ee:2.7.0" - imagePullPolicy: Always + imagePullPolicy: Always + args: + - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not + - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not volumeMounts: - name: data - mountPath: /data + mountPath: /data ports: - name: http containerPort: 9000 protocol: TCP + - name: https + containerPort: 9443 + protocol: TCP - name: tcp-edge containerPort: 8000 protocol: TCP livenessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS readinessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS resources: {} diff --git a/deploy/manifests/portainer/portainer-lb.yaml b/deploy/manifests/portainer/portainer-lb.yaml index 895b8e7..49e3144 100644 --- a/deploy/manifests/portainer/portainer-lb.yaml +++ b/deploy/manifests/portainer/portainer-lb.yaml @@ -72,6 +72,10 @@ spec: targetPort: 9000 protocol: TCP name: http + - port: 9443 + targetPort: 9443 + protocol: TCP + name: https - port: 8000 targetPort: 8000 protocol: TCP 
@@ -109,31 +113,39 @@ spec: {} serviceAccountName: portainer-sa-clusteradmin volumes: - - name: "data" - persistentVolumeClaim: - claimName: portainer + - name: "data" + persistentVolumeClaim: + claimName: portainer containers: - name: portainer image: "portainer/portainer-ce:latest" - imagePullPolicy: Always + imagePullPolicy: Always + args: + - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not + - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not volumeMounts: - name: data - mountPath: /data + mountPath: /data ports: - name: http containerPort: 9000 protocol: TCP + - name: https + containerPort: 9443 + protocol: TCP - name: tcp-edge containerPort: 8000 protocol: TCP livenessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS readinessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS resources: {} diff --git a/deploy/manifests/portainer/portainer.yaml b/deploy/manifests/portainer/portainer.yaml index a696811..5573ea0 100644 --- a/deploy/manifests/portainer/portainer.yaml +++ b/deploy/manifests/portainer/portainer.yaml @@ -73,6 +73,11 @@ spec: protocol: TCP name: http nodePort: 30777 + - port: 9443 + targetPort: 9443 + protocol: TCP + name: https + nodePort: 30778 - port: 30776 targetPort: 30776 protocol: TCP 
@@ -111,32 +116,40 @@ spec: {} serviceAccountName: portainer-sa-clusteradmin volumes: - - name: "data" - persistentVolumeClaim: - claimName: portainer + - name: "data" + persistentVolumeClaim: + claimName: portainer containers: - name: portainer image: "portainer/portainer-ce:latest" imagePullPolicy: Always - args: [ '--tunnel-port','30776' ] + args: + - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not + - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not + - '--tunnel-port=30776' volumeMounts: - name: data - mountPath: /data + mountPath: /data ports: - name: http containerPort: 9000 protocol: TCP + - name: https + containerPort: 9443 + protocol: TCP - name: tcp-edge containerPort: 8000 protocol: TCP livenessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS readinessProbe: httpGet: path: / - port: 9000 + port: 9443 + scheme: HTTPS resources: {} From 026f1c3dea95c75079d98dbaeadccbc555b24875 Mon Sep 17 00:00:00 2001 From: David Young Date: Mon, 13 Sep 2021 10:29:51 +1200 Subject: [PATCH 3/6] Only override ssl cert/key path if using existing cert Signed-off-by: David Young --- charts/portainer/templates/deployment.yaml | 6 ++++-- deploy/manifests/portainer/portainer-ee.yaml | 4 +--- deploy/manifests/portainer/portainer-lb-ee.yaml | 4 +--- deploy/manifests/portainer/portainer-lb.yaml | 4 +--- deploy/manifests/portainer/portainer.yaml | 4 +--- 5 files changed, 8 insertions(+), 14 deletions(-) diff --git a/charts/portainer/templates/deployment.yaml b/charts/portainer/templates/deployment.yaml index 4279116..0d6d150 100644 --- a/charts/portainer/templates/deployment.yaml +++ b/charts/portainer/templates/deployment.yaml 
@@ -43,8 +43,10 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} {{- end }} args: - - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not - - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not + {{- if .Values.tls.existingSecret }} + - --sslcert=/certs/tls.crt + - --sslkey=/certs/tls.key + {{- end }} {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }} - '--tunnel-port={{ .Values.service.edgeNodePort }}' {{- end }} diff --git a/deploy/manifests/portainer/portainer-ee.yaml b/deploy/manifests/portainer/portainer-ee.yaml index fd6524e..5fa23dc 100644 --- a/deploy/manifests/portainer/portainer-ee.yaml +++ b/deploy/manifests/portainer/portainer-ee.yaml @@ -123,9 +123,7 @@ spec: - name: portainer image: "portainer/portainer-ee:2.7.0" imagePullPolicy: Always - args: - - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not - - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not + args: - '--tunnel-port=30776' volumeMounts: - name: data diff --git a/deploy/manifests/portainer/portainer-lb-ee.yaml b/deploy/manifests/portainer/portainer-lb-ee.yaml index 045d3d8..4b56b93 100644 --- a/deploy/manifests/portainer/portainer-lb-ee.yaml +++ b/deploy/manifests/portainer/portainer-lb-ee.yaml @@ -120,9 +120,7 @@ spec: - name: portainer image: "portainer/portainer-ee:2.7.0" imagePullPolicy: Always - args: - - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not - - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not + args: volumeMounts: - name: data mountPath: /data diff --git a/deploy/manifests/portainer/portainer-lb.yaml b/deploy/manifests/portainer/portainer-lb.yaml index 49e3144..181bfd5 100644 --- a/deploy/manifests/portainer/portainer-lb.yaml +++ b/deploy/manifests/portainer/portainer-lb.yaml 
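Review bot: When both conditions are false the template now emits a bare `args:` with nothing under it, i.e. `args: null`, because the `{{- if }}` blocks chomp every item; the API server tolerates a null list, but yamllint flags the empty value and the intent is unclear to a reader. Guarding the key on the union of the two conditions keeps the output clean: `{{- if or .Values.tls.existingSecret (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }}` before `args:` and a matching `{{- end }}` after the last inner block. The static manifests portainer-lb-ee.yaml and portainer-lb.yaml in this patch are left with the same bare `args:` once their items are removed; there the key should simply be dropped. The container definition continues outside this hunk.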
@@ -120,9 +120,7 @@ spec: - name: portainer image: "portainer/portainer-ce:latest" imagePullPolicy: Always - args: - - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not - - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not + args: volumeMounts: - name: data mountPath: /data diff --git a/deploy/manifests/portainer/portainer.yaml b/deploy/manifests/portainer/portainer.yaml index 5573ea0..41d2f10 100644 --- a/deploy/manifests/portainer/portainer.yaml +++ b/deploy/manifests/portainer/portainer.yaml @@ -123,9 +123,7 @@ spec: - name: portainer image: "portainer/portainer-ce:latest" imagePullPolicy: Always - args: - - --sslcert=/certs/tls.crt # Always use these paths for cert/key, whether they exist or not - - --sslkey=/certs/tls.key # Always use these paths for cert/key, whether they exist or not + args: - '--tunnel-port=30776' volumeMounts: - name: data From d62f43b5a12c90dc0087ca6ecc99365c64490b01 Mon Sep 17 00:00:00 2001 From: David Young Date: Thu, 16 Sep 2021 17:08:24 +1200 Subject: [PATCH 4/6] Update httpsNodePort to 30779 Signed-off-by: David Young --- charts/portainer/values.yaml | 2 +- deploy/manifests/portainer/portainer-ee.yaml | 2 +- deploy/manifests/portainer/portainer.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/portainer/values.yaml b/charts/portainer/values.yaml index f5340b2..8418ede 100644 --- a/charts/portainer/values.yaml +++ b/charts/portainer/values.yaml @@ -33,7 +33,7 @@ service: httpPort: 9000 httpsPort: 9443 httpNodePort: 30777 - httpsNodePort: 30778 + httpsNodePort: 30779 edgePort: 8000 edgeNodePort: 30776 annotations: {} diff --git a/deploy/manifests/portainer/portainer-ee.yaml b/deploy/manifests/portainer/portainer-ee.yaml index 5fa23dc..8adffec 100644 --- a/deploy/manifests/portainer/portainer-ee.yaml +++ b/deploy/manifests/portainer/portainer-ee.yaml 
@@ -77,7 +77,7 @@ spec: targetPort: 9443 protocol: TCP name: https - nodePort: 30778 + nodePort: 30779 - port: 30776 targetPort: 30776 protocol: TCP diff --git a/deploy/manifests/portainer/portainer.yaml b/deploy/manifests/portainer/portainer.yaml index 41d2f10..e250912 100644 --- a/deploy/manifests/portainer/portainer.yaml +++ b/deploy/manifests/portainer/portainer.yaml @@ -77,7 +77,7 @@ spec: targetPort: 9443 protocol: TCP name: https - nodePort: 30778 + nodePort: 30779 - port: 30776 targetPort: 30776 protocol: TCP From 41f944d116c1e0b09e98fff91995f2ef467bc6c2 Mon Sep 17 00:00:00 2001 From: David Young Date: Thu, 16 Sep 2021 17:08:53 +1200 Subject: [PATCH 5/6] Bump chart version for ssl changes Signed-off-by: David Young --- charts/portainer/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/portainer/Chart.yaml b/charts/portainer/Chart.yaml index 92977a9..fdff806 100644 --- a/charts/portainer/Chart.yaml +++ b/charts/portainer/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.0.16 +version: 1.0.17 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. From a158f5557aaab21f01f5b59fd5f4be4e89aa20e8 Mon Sep 17 00:00:00 2001 From: samdulam Date: Mon, 27 Sep 2021 15:16:28 +1300 Subject: [PATCH 6/6] Update on-push-lint-charts.yml change uses: helm/kind-action@v1.1.0 to 1.2.0 --- .github/workflows/on-push-lint-charts.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/on-push-lint-charts.yml b/.github/workflows/on-push-lint-charts.yml index 9e00e4a..1d16cf6 100644 --- a/.github/workflows/on-push-lint-charts.yml +++ b/.github/workflows/on-push-lint-charts.yml 
@@ -60,7 +60,7 @@ jobs: # Refer to https://github.com/kubernetes-sigs/kind/releases when updating the node_images - name: Create 1.20 kind cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.2.0 with: node_image: kindest/node:v1.20.2@sha256:8f7ea6e7642c0da54f04a7ee10431549c0257315b3a634f6ef2fecaaedb19bab cluster_name: kubernetes-1.20 @@ -70,7 +70,7 @@ jobs: run: ct install --config .ci/ct-config.yaml - name: Create 1.19 kind cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.2.0 with: node_image: kindest/node:v1.19.7@sha256:a70639454e97a4b733f9d9b67e12c01f6b0297449d5b9cbbef87473458e26dca cluster_name: kubernetes-1.19 @@ -80,7 +80,7 @@ jobs: run: ct install --config .ci/ct-config.yaml - name: Create 1.18 kind cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.2.0 with: node_image: kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4 cluster_name: kubernetes-1.18