Merge remote-tracking branch 'origin/main' into lazyoldbear/add-infra…

…structure-properties

Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "1.0.3"
+version: "1.0.4"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "8.0.0"
+appVersion: "8.2.0.1"

README.md

@@ -395,22 +395,23 @@ The following lists other variables that provide additional miscellaneous capabi
 | services.proxyAJP.bindIP      | IP to bind for proxy AJP communication                                                               | 0.0.0.0   |
 | services.proxyAJP.port        | Service port for proxy AJP communication                                                             | 8009      |
 | services.proxyHttp.enabled    | If service for reverse proxy servers to communicate with EJBCA container over HTTP should be enabled | false     |
-| services.proxyHttp.type       | Service type for proxy HTTP communication                                                            | ClusterIP |
+| services.proxyHttp.type       | Service type for proxy HTTP communication. When LoadBalancer type is used the nginx proxy must also be used with the following settings `nginx.enabled=true` and `nginx.service.enabled=false`                                                            | ClusterIP |
 | services.proxyHttp.bindIP     | IP to bind for proxy HTTP communication                                                              | 0.0.0.0   |
 | services.proxyHttp.httpPort   | Service port for proxy HTTP communication                                                            | 8081      |
 | services.proxyHttp.httpsPort  | Service port for proxy HTTP communication that accepts SSL_CLIENT_CERT header                        | 8082      |
 | services.sidecarPorts         | Additional ports to expose in sidecar containers                                                     | []        |
 
 ### NGINX Reverse Proxy Parameters
 
-| Name                    | Description                                                            | Default  |
-| ----------------------- | ---------------------------------------------------------------------- | -------- |
-| nginx.enabled           | If NGINX sidecar container should be deploy as reverse proxy for EJBCA | false    |
-| nginx.host              | NGINX reverse proxy server name                                        |          |
-| nginx.service.type      | Type of service to create for NGINX reverse proxy                      | NodePort |
-| nginx.service.httpPort  | HTTP port to use for NGINX reverse proxy                               | 30080    |
-| nginx.service.httpsPort | HTTPS port to use for NGINX reverse proxy                              | 30443    |
-| nginx.conf              | NGINX server configuration parameters                                  |          |
+| Name                       | Description                                                            | Default  |
+| -------------------------- | ---------------------------------------------------------------------- | -------- |
+| nginx.enabled              | If NGINX sidecar container should be deploy as reverse proxy for EJBCA | false    |
+| nginx.host                 | NGINX reverse proxy server name, used for the commonName in the nginx TLS certificate |          |
+| nginx.service.enabled      | Creates a service for accessing EJBCA. This should be used when using `services.proxyHttp.type=LoadBalancer`             | false    |
+| nginx.service.type         | Type of service to create for NGINX reverse proxy                      | NodePort |
+| nginx.service.httpPort     | HTTP port to use for NGINX reverse proxy                               | 30080    |
+| nginx.service.httpsPort    | HTTPS port to use for NGINX reverse proxy                              | 30443    |
+| nginx.conf                 | NGINX server configuration parameters                                  |          |
 
 ### Ingress Parameters
 

templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Define the EJBCA deployment parameters
 */}}
-{{- define "ejbca-community-helm.ejbcaDeploymentParameters" -}}
+{{- define "ejbca.ejbcaDeploymentParameters" -}}
 {{- if .Values.ejbca.useEphemeralH2Database }}
 - name: DATABASE_JDBC_URL
   value: "jdbc:h2:mem:ejbcadb;DB_CLOSE_DELAY=-1"
@@ -23,8 +23,8 @@ Define the EJBCA deployment parameters
 {{/*
 Define port that EJBCA redirects for HTTPS
 */}}
-{{- define "ejbca-community-helm.ejbcaHttpsPort" -}}
-{{- if .Values.nginx.enabled }}
+{{- define "ejbca.ejbcaHttpsPort" -}}
+{{- if .Values.nginx.service.enabled }}
 {{- .Values.nginx.service.httpsPort }}
 {{- else if .Values.services.directHttp.enabled }}
 {{- .Values.services.directHttp.httpsPort }}
@@ -36,8 +36,8 @@ Define port that EJBCA redirects for HTTPS
 {{/*
 Define port that EJBCA redirects for HTTP
 */}}
-{{- define "ejbca-community-helm.ejbcaPubhttpPort" -}}
-{{- if .Values.nginx.enabled }}
+{{- define "ejbca.ejbcaPubhttpPort" -}}
+{{- if .Values.nginx.service.enabled }}
 {{- .Values.nginx.service.httpPort }}
 {{- else if .Values.services.directHttp.enabled }}
 {{- .Values.services.directHttp.httpPort }}
@@ -49,7 +49,7 @@ Define port that EJBCA redirects for HTTP
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "ejbca-community-helm.name" -}}
+{{- define "ejbca.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -58,7 +58,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "ejbca-community-helm.fullname" -}}
+{{- define "ejbca.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -74,16 +74,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "ejbca-community-helm.chart" -}}
+{{- define "ejbca.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "ejbca-community-helm.labels" -}}
-helm.sh/chart: {{ include "ejbca-community-helm.chart" . }}
-{{ include "ejbca-community-helm.selectorLabels" . }}
+{{- define "ejbca.labels" -}}
+helm.sh/chart: {{ include "ejbca.chart" . }}
+{{ include "ejbca.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -93,17 +93,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "ejbca-community-helm.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "ejbca-community-helm.name" . }}
+{{- define "ejbca.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ejbca.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "ejbca-community-helm.serviceAccountName" -}}
+{{- define "ejbca.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "ejbca-community-helm.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "ejbca.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

templates/deployment.yaml

@@ -1,28 +1,32 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "ejbca-community-helm.fullname" . }}
+  name: {{ include "ejbca.fullname" . }}
   labels:
-    {{- include "ejbca-community-helm.labels" . | nindent 4 }}
+    {{- include "ejbca.labels" . | nindent 4 }}
 spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
+  # Adding for stateful set coming in a later PR
+  #{{- if eq .Values.services.proxyHttp.type "LoadBalancer" }}
+  #serviceName: {{ include "ejbca.fullname" . }}
+  #{{- end }}
   {{- if .Values.updateStrategy }}
   strategy:
     {{- toYaml .Values.updateStrategy | nindent 4 }}
   {{- end }}
   selector:
     matchLabels:
-      {{- include "ejbca-community-helm.selectorLabels" . | nindent 6 }}
+      {{- include "ejbca.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "ejbca-community-helm.selectorLabels" . | nindent 8 }}
+        {{- include "ejbca.selectorLabels" . | nindent 8 }}
       {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -31,18 +35,18 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "ejbca-community-helm.serviceAccountName" . }}
+      serviceAccountName: {{ include "ejbca.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}  
       {{- if or .Values.nginx.enabled .Values.ejbca.initContainers }}
       initContainers:
         {{- if .Values.nginx.enabled }}
-        - name: {{ .Chart.Name }}-init
+        - name: {{ template "ejbca.fullname" . }}-init
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env: {{- include "ejbca-community-helm.ejbcaDeploymentParameters" . | nindent 12 }}
+          env: {{- include "ejbca.ejbcaDeploymentParameters" . | nindent 12 }}
           {{- with .Values.ejbca.envFrom }}
           envFrom:
             {{- toYaml . | nindent 12 }}
@@ -77,7 +81,7 @@ spec:
       {{- end }}
       containers:
         {{- if .Values.nginx.enabled }}
-        - name: {{ .Chart.Name }}-nginx
+        - name: {{ template "ejbca.fullname" . }}-nginx
           image: nginx:alpine
           ports:
           - name: nginx-http
@@ -97,12 +101,12 @@ spec:
             - name: nginx-cert
               mountPath: /etc/nginx/ssl/
         {{- end }}
-        - name: {{ .Chart.Name }}
+        - name: {{ template "ejbca.fullname" . }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env: {{- include "ejbca-community-helm.ejbcaDeploymentParameters" . | nindent 12 }}
+          env: {{- include "ejbca.ejbcaDeploymentParameters" . | nindent 12 }}
             {{- if .Values.services.proxyAJP.enabled }}
             - name: PROXY_AJP_BIND
               value: {{ .Values.services.proxyAJP.bindIP }}
@@ -123,8 +127,8 @@ spec:
                   - "-c"
                   - |
                     {{- if not .Values.ejbca.importEjbcaConfFiles }}
-                    sed -i s/https=443/https={{- include "ejbca-community-helm.ejbcaHttpsPort" . -}}/g /opt/primekey/ejbca/conf/web.properties
-                    sed -i s/pubhttp=80/pubhttp={{- include "ejbca-community-helm.ejbcaPubhttpPort" . -}}/g /opt/primekey/ejbca/conf/web.properties
+                    sed -i s/https=443/https={{- include "ejbca.ejbcaHttpsPort" . -}}/g /opt/primekey/ejbca/conf/web.properties
+                    sed -i s/pubhttp=80/pubhttp={{- include "ejbca.ejbcaPubhttpPort" . -}}/g /opt/primekey/ejbca/conf/web.properties
                     {{- end }}
                     {{- if and (hasKey .Values.ejbca "superadminPasswordOverride") (eq .Values.ejbca.env.TLS_SETUP_ENABLED "true") }}
                     until [ -f /opt/keyfactor/appserver/standalone/deployments/ejbca.ear.deployed ]; do sleep 5; done

templates/hpa.yaml

@@ -6,14 +6,14 @@ apiVersion: autoscaling/v2beta2
 {{- end }}
 kind: HorizontalPodAutoscaler
 metadata:
-  name: {{ include "ejbca-community-helm.fullname" . }}
+  name: {{ include "ejbca.fullname" . }}
   labels:
-    {{- include "ejbca-community-helm.labels" . | nindent 4 }}
+    {{- include "ejbca.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ include "ejbca-community-helm.fullname" . }}
+    name: {{ include "ejbca.fullname" . }}
   minReplicas: {{ .Values.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.autoscaling.maxReplicas }}
   {{- with .Values.autoscaling.behavior }}

templates/ingress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.ingress.enabled -}}
-{{- $fullName := include "ejbca-community-helm.fullname" . -}}
+{{- $fullName := include "ejbca.fullname" . -}}
 {{- $svcPort := .Values.services.directHttp.httpPort -}}
 {{- if .Values.services.proxyAJP.enabled }}
 {{- $svcPort = .Values.services.proxyAJP.port -}}
@@ -22,7 +22,7 @@ kind: Ingress
 metadata:
   name: {{ $fullName }}
   labels:
-    {{- include "ejbca-community-helm.labels" . | nindent 4 }}
+    {{- include "ejbca.labels" . | nindent 4 }}
   annotations:
     {{- if .Values.services.proxyAJP.enabled  }}
     nginx.ingress.kubernetes.io/backend-protocol: "AJP"

templates/nginx-service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.nginx.enabled }}
+{{- if .Values.nginx.service.enabled }}
 kind: Service
 apiVersion: v1
 metadata:
@@ -21,5 +21,5 @@ spec:
       targetPort: nginx-https
       protocol: TCP
   selector:
-    {{- include "ejbca-community-helm.selectorLabels" . | nindent 4 }}
+    {{- include "ejbca.selectorLabels" . | nindent 4 }}
 {{- end }}

templates/serviceaccount.yaml

@@ -2,9 +2,9 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "ejbca-community-helm.serviceAccountName" . }}
+  name: {{ include "ejbca.serviceAccountName" . }}
   labels:
-    {{- include "ejbca-community-helm.labels" . | nindent 4 }}
+    {{- include "ejbca.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

templates/services.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "ejbca-community-helm.fullname" . }}
+  name: {{ include "ejbca.fullname" . }}
   labels:
-    {{- include "ejbca-community-helm.labels" . | nindent 4 }}
+    {{- include "ejbca.labels" . | nindent 4 }}
 {{- if .Values.services.directHttp.enabled }}
 spec:
   type: {{ .Values.services.directHttp.type }}
@@ -26,7 +26,7 @@ spec:
       {{- toYaml .Values.services.sidecarPorts | nindent 4 }}
     {{- end }}
   selector:
-    {{- include "ejbca-community-helm.selectorLabels" . | nindent 4 }}
+    {{- include "ejbca.selectorLabels" . | nindent 4 }}
 {{- end }}
 {{- if .Values.services.proxyAJP.enabled }}
 spec:
@@ -40,26 +40,37 @@ spec:
       protocol: TCP
       name: ajp
   selector:
-    {{- include "ejbca-community-helm.selectorLabels" . | nindent 4 }}
+    {{- include "ejbca.selectorLabels" . | nindent 4 }}
 {{- end }}
 {{- if .Values.services.proxyHttp.enabled }}
 spec:
   type: {{ .Values.services.proxyHttp.type }}
+  {{- if eq .Values.services.proxyHttp.type "LoadBalancer" }}
+  sessionAffinity: ClientIP
+  {{- end }}      
   ports:
     - port: {{ .Values.services.proxyHttp.httpPort }}
       {{- if eq .Values.services.proxyHttp.type "NodePort" }}
       nodePort: {{ .Values.services.proxyHttp.httpPort }}
       {{- end }}
+      {{- if eq .Values.services.proxyHttp.type "LoadBalancer" }}
+      targetPort: nginx-http
+      {{- else }}
       targetPort: proxy-http
+      {{- end }}
       protocol: TCP
       name: proxy-http
     - port: {{ .Values.services.proxyHttp.httpsPort }}
       {{- if eq .Values.services.proxyHttp.type "NodePort" }}
       nodePort: {{ .Values.services.proxyHttp.httpsPort }}
       {{- end }}
-      targetPort: proxy-https
+      {{- if eq .Values.services.proxyHttp.type "LoadBalancer" }}
+      targetPort: nginx-https
+      {{- else }}
+      targetPort: proxy-http
+      {{- end }}
       protocol: TCP
       name: proxy-https
   selector:
-    {{- include "ejbca-community-helm.selectorLabels" . | nindent 4 }}
+    {{- include "ejbca.selectorLabels" . | nindent 4 }}
 {{- end }}