From cba266202b0cd5d8cc8bbc7b839715813d2cb48d Mon Sep 17 00:00:00 2001
From: Steven Kang
Date: Wed, 1 Dec 2021 14:01:05 +1300
Subject: [PATCH] feat(helm): introduce TLS only flag (#81)

Co-authored-by: samdulam
Co-authored-by: ssbkang
---
 .github/workflows/on-push-lint-charts.yml | 5 +++-
 charts/portainer/Chart.yaml | 2 +-
 charts/portainer/README.md | 6 ++---
 charts/portainer/templates/deployment.yaml | 31 ++++++++++++++++------
 charts/portainer/templates/service.yaml | 6 +++--
 charts/portainer/values.yaml | 2 ++
 6 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/on-push-lint-charts.yml b/.github/workflows/on-push-lint-charts.yml
index 1d16cf6..c34daa6 100644
--- a/.github/workflows/on-push-lint-charts.yml
+++ b/.github/workflows/on-push-lint-charts.yml
@@ -4,7 +4,10 @@ on: push: paths: - 'charts/**' - - '.github/**' + - '.github/**' + pull_request: + branches: + - master workflow_dispatch: env:
diff --git a/charts/portainer/Chart.yaml b/charts/portainer/Chart.yaml
index e38a45e..8fc425a 100644
--- a/charts/portainer/Chart.yaml
+++ b/charts/portainer/Chart.yaml
@@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.0.19 +version: 1.0.20 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application.
diff --git a/charts/portainer/README.md b/charts/portainer/README.md
index fc45d98..2c678e8 100644
--- a/charts/portainer/README.md
+++ b/charts/portainer/README.md
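Review bot: The new `pull_request` trigger has a `branches` filter but no `paths` filter, so unlike the `push` trigger just above it the chart lint will run on every PR to master, including PRs that touch neither `charts/**` nor `.github/**`. If that is intended, a short comment above `pull_request:` saying so would keep the next reader from "fixing" it; otherwise mirror the push trigger with `paths: ['charts/**', '.github/**']` under `pull_request:`. The `on:` mapping begins before this hunk, so other triggers may exist outside it.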
@@ -77,12 +77,12 @@ The following table lists the configurable parameters of the Portainer chart and | `ingress.hosts.paths.port` | Port for the Portainer Web. | `9000` | | `ingress.tls` | TLS support on ingress. Must create a secret with TLS certificates in advance | `[]` | | `resources` | Portainer resource requests and limits | `{}` | +| `tls.force` | Force Portainer to be configured to use TLS only | `false` | +| `tls.existingSecret` | Mount the existing TLS secret into the pod | `""` | | `persistence.enabled` | Whether to enable data persistence | `true` | | `persistence.existingClaim` | Name of an existing PVC to use for data persistence | `nil` | | `persistence.size` | Size of the PVC used for persistence | `10Gi` | | `persistence.annotations` | Annotations to apply to PVC used for persistence | `{}` | | `persistence.storageClass` | StorageClass to apply to PVC used for persistence | `default` | | `persistence.accessMode` | AccessMode for persistence | `ReadWriteOnce` | -| `persistence.selector` | Selector for persistence | `nil` | - - +| `persistence.selector` | Selector for persistence | `nil` | \ No newline at end of file
diff --git a/charts/portainer/templates/deployment.yaml b/charts/portainer/templates/deployment.yaml
index 75f9ba1..2aedc66 100644
--- a/charts/portainer/templates/deployment.yaml
+++ b/charts/portainer/templates/deployment.yaml
@@ -43,13 +43,16 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} {{- end }} args: - {{- if .Values.tls.existingSecret }} + {{- if .Values.tls.force }} + - --http-disabled + {{- end }} + {{- if .Values.tls.existingSecret }} - --sslcert=/certs/tls.crt - --sslkey=/certs/tls.key - {{- end }} - {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }} + {{- end }} + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }} - '--tunnel-port={{ .Values.service.edgeNodePort }}' - {{- end }} + {{- end }} volumeMounts: - name: data mountPath: /data
@@ -57,26 +60,38 @@ spec: - name: certs mountPath: /certs readOnly: true - {{- end }} + {{- end }} ports: + {{- if not .Values.tls.force }} - name: http containerPort: 9000 protocol: TCP + {{- end }} - name: https containerPort: 9443 - protocol: TCP + protocol: TCP - name: tcp-edge containerPort: 8000 - protocol: TCP + protocol: TCP livenessProbe: httpGet: path: / + {{- if .Values.tls.force }} port: 9443 scheme: HTTPS + {{- else }} + port: 9000 + scheme: HTTP + {{- end }} readinessProbe: httpGet: path: / + {{- if .Values.tls.force }} port: 9443 - scheme: HTTPS + scheme: HTTPS + {{- else }} + port: 9000 + scheme: HTTP + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/portainer/templates/service.yaml b/charts/portainer/templates/service.yaml
index 75f7399..b6f12e5 100644
--- a/charts/portainer/templates/service.yaml
+++ b/charts/portainer/templates/service.yaml
@@ -15,13 +15,15 @@ metadata: spec: type: {{ .Values.service.type }} ports: + {{- if not .Values.tls.force }} - port: {{ .Values.service.httpPort }} targetPort: 9000 protocol: TCP name: http {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpNodePort))) }} nodePort: {{ .Values.service.httpNodePort}} - {{- end }} + {{- end }} + {{- end }} - port: {{ .Values.service.httpsPort }} targetPort: 9443 protocol: TCP
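Review bot: `tls.force` and `tls.existingSecret` are tested independently in the `args:` block, so `tls.force: true` with `tls.existingSecret` left at `""` renders `--http-disabled` without any `--sslcert`/`--sslkey`, and the only listener then uses whatever certificate Portainer supplies on its own (presumably a self-signed one — confirm against the image's defaults), which clients cannot verify. That is a weaker guarantee than "TLS only" suggests and is easy to reach by accident. Either document the combination where `force:` is introduced in values.yaml, e.g. `# force: disables plain HTTP (--http-disabled); pair with existingSecret, otherwise the HTTPS listener falls back to Portainer's own certificate`, or reject it at render time with `{{- if and .Values.tls.force (not .Values.tls.existingSecret) }}{{ fail "tls.force requires tls.existingSecret" }}{{- end }}`. The container spec this `args:` list belongs to starts before and continues after this hunk.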
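Review bot: The `{{- else }}` branches added to both probes switch them to `port: 9000` / `scheme: HTTP` whenever `tls.force` is false, whereas the lines they replace probed `9443`/`HTTPS` unconditionally, so the default path changes behaviour for existing releases that never set the new flag, and the commit message does not mention it. If the only goal is to keep probes working once HTTP is disabled, the smaller change is to keep the HTTPS probe as the unconditional default and drop the `else` branches altogether. If probing plaintext by default is deliberate, a one-line comment above `livenessProbe:` such as `# probes target the plaintext listener unless tls.force removes it` would record that intent. The `ports:` and probe stanzas sit inside a container spec that begins outside this hunk.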
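Review bot: Wrapping the `http` port in `{{- if not .Values.tls.force }}` removes `{{ .Values.service.httpPort }}` from the Service, yet the README table in this same patch still documents `ingress.hosts.paths.port` as defaulting to `9000`, so an Ingress rendered with default values would point at a Service port that no longer exists once `tls.force` is set. Worth either documenting next to `force:` in values.yaml, e.g. `# with force=true the http Service port is removed; set ingress.hosts.paths.port to 9443`, or guarding the ingress template so the mismatch fails at `helm template` time rather than at the first request. The ingress template is not part of this patch, so I cannot tell whether it already accounts for this.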
@@ -29,7 +31,7 @@ spec: {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpsNodePort))) }} nodePort: {{ .Values.service.httpsNodePort}} {{- end }} - {{- if (eq .Values.service.type "NodePort") }} + {{- if (eq .Values.service.type "NodePort") }} - port: {{ .Values.service.edgeNodePort }} targetPort: {{ .Values.service.edgeNodePort }} {{- else }}
diff --git a/charts/portainer/values.yaml b/charts/portainer/values.yaml
index 09234c3..980d9d5 100644
--- a/charts/portainer/values.yaml
+++ b/charts/portainer/values.yaml
@@ -39,6 +39,8 @@ service: annotations: {} tls: + # If set, Portainer will be configured to use TLS only + force: false # If set, will mount the existing secret into the pod existingSecret: ""