Replace st2web https with http #72

Merged
merged 11 commits into from
May 31, 2019
2 changes: 1 addition & 1 deletion .circleci/config.yml
Expand Up @@ -95,7 +95,7 @@ jobs:
name: Helm install stackstorm-ha chart
command: |
# disable mongodb-ha chart persistent volumes as cluster can't start in CircleCI/KinD env
helm install --debug --name stackstorm-ha . \
helm install --debug --wait --name stackstorm-ha . \
--set mongodb-ha.persistentVolume.enabled=false
- run:
when: always
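Review bot: The added `--wait` on the `helm install` line has no explicit `--timeout`, so how long the CircleCI step blocks when a pod never becomes ready depends on Helm's default. Consider setting `--timeout` explicitly next to `--wait` so a stuck rollout fails the job at a limit chosen for this KinD environment, and mention the CI change in the PR description since it is unrelated to the HTTPS to HTTP switch.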
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,9 @@

## In Development

## v0.16.0
* st2web now uses HTTP by default (#72). We now recommend you rely on `LoadBalancer` or `Ingress` to add HTTPS layer on top of it.

## v0.15.0
* Add support for ingress (#68)
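Review bot: The v0.16.0 entry does not say that this is a breaking change. Other hunks in this PR move the st2web Service from port 443 to 80 and change the printed URLs from `https://` to `http://`, so anyone upgrading with existing port-forwards, firewall rules or bookmarks on 443 is affected; suggest marking the entry as breaking and naming the port change. Also, "to add HTTPS layer" reads better as "to add an HTTPS layer".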

2 changes: 1 addition & 1 deletion Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
# Update StackStorm version here to rely on other Docker images tags
appVersion: 3.1dev
name: stackstorm-ha
version: 0.15.0
version: 0.16.0
description: StackStorm K8s Helm Chart, optimized for running StackStorm in HA environment.
home: https://stackstorm.com/#product
icon: https://avatars1.githubusercontent.com/u/4969009
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -83,6 +83,7 @@ kubectl exec -it ${ST2CLIENT} /bin/bash
### [st2web](https://docs.stackstorm.com/latest/reference/ha.html#nginx-and-load-balancing)
st2web is a StackStorm Web UI admin dashboard. By default, st2web K8s config includes a Pod Deployment and a Service.
`2` replicas (configurable) of st2web serve the web app and proxy requests to st2auth, st2api, st2stream.
By default, st2web uses HTTP instead of HTTPS. We recommend you rely on `LoadBalancer` or `Ingress` to add HTTPS layer on top of it.
> **Note!** By default, st2web is a NodePort Service and is not exposed to the public net.
If your Kubernetes cluster setup supports the LoadBalancer service type, you can edit the corresponding helm values to configure st2web as a LoadBalancer service in order to expose it and the services it proxies to the public net.
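Review bot: The added sentence recommends `LoadBalancer` for HTTPS, while the note directly below it tells users to switch st2web to a LoadBalancer service to expose it to the public net. With the Service now on port 80, that switch alone publishes st2web, and the st2auth, st2api and st2stream traffic it proxies, over plain HTTP unless TLS is terminated at the load balancer. Suggest saying explicitly that TLS termination has to be configured on the `LoadBalancer` or `Ingress`, and that authentication traffic otherwise travels unencrypted.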
Member

@arm4b arm4b May 30, 2019


Can mention Ingress here as well, as that's one of the possible solutions apart from LoadBalancer.


6 changes: 3 additions & 3 deletions templates/NOTES.txt
Expand Up @@ -18,14 +18,14 @@ echo https://${ST2WEB_IP}/

{{- else if contains "ClusterIP" .Values.st2web.service.type }}

echo https://127.0.0.1:8443
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} 8443:443
echo http://127.0.0.1:8080
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} 8080:80

{{- else if contains "NodePort" .Values.st2web.service.type }}

export ST2WEB_IP=$(minikube ip 2>/dev/null || kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
export ST2WEB_PORT="$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }})"
echo https://${ST2WEB_IP}:${ST2WEB_PORT}/
echo http://${ST2WEB_IP}:${ST2WEB_PORT}/

{{- end }}
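Review bot: The branch just above this hunk, visible in the hunk header as `echo https://${ST2WEB_IP}/`, is not touched and still prints an `https://` URL, while the ClusterIP and NodePort branches are switched to `http://`. With the st2web Service now listening on port 80, that URL only works when the load balancer terminates TLS; either print `http://` there as well or make the scheme depend on how TLS is configured.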

27 changes: 5 additions & 22 deletions templates/deployments.yaml
Expand Up @@ -338,8 +338,6 @@ spec:
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
checksum/ssl: {{ include (print $.Template.BasePath "/secrets_st2web.yaml") . | sha256sum }}
spec:
{{- if .Values.enterprise.enabled }}
imagePullSecrets:
Expand All @@ -350,13 +348,13 @@ spec:
image: "{{ template "imageRepository" . }}/st2web{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: 443
- containerPort: 80
# Probe to check if app is running. Failure will lead to a pod restart.
livenessProbe:
httpGet:
scheme: HTTPS
scheme: HTTP
path: /
port: 443
port: 80
initialDelaySeconds: 1
# Probe to check if app is ready to serve traffic. Failure will lead to temp stop serving traffic.
# TODO: Failing to add readinessProbe, since st2 requires authorization (401) and we don't have `/healthz` endpoints yet (https://github.com/StackStorm/st2/issues/4020)
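Review bot: Port 80 is now hard-coded in `containerPort` and again in the livenessProbe `port`, and the same literal is repeated in services.yaml, ingress.yaml and NOTES.txt in this PR. Suggest naming the container port (for example `name: http`) and referring to it by name in the probe, so the next port or scheme change touches one line. The liveness probe is also the only health check here and now runs over plain HTTP on `/`; the TODO about the missing readinessProbe still applies.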
Expand All @@ -373,25 +371,10 @@ spec:
- configMapRef:
name: {{ .Release.Name }}-st2-urls
optional: true
volumeMounts:
- name: st2web-ssl-cert
mountPath: /etc/ssl/st2/
readOnly: true
volumeMounts: []
resources:
{{ toYaml .Values.st2web.resources | indent 10 }}
volumes:
- name: st2web-ssl-cert
secret:
secretName: {{ .Release.Name }}-st2web
items:
- key: ssl_certificate
path: st2.crt
# 0400 file permission
mode: 256
- key: ssl_certificate_key
path: st2.key
# 0400 file permission
mode: 256
volumes: []
{{- with .Values.st2web.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
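Review bot: `volumeMounts: []` and `volumes: []` are left behind as empty lists after the certificate mount is removed. Drop both keys, or add a comment if they are kept as placeholders. With the secret mount gone the pod has no way to serve TLS itself, so traffic between the Ingress or load balancer and st2web is always cleartext inside the cluster; worth stating in the README for users who need encryption on that hop.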
2 changes: 1 addition & 1 deletion templates/ingress.yaml
Expand Up @@ -40,7 +40,7 @@ spec:
- path: "/*"
backend:
serviceName: {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }}
servicePort: "443"
servicePort: "80"
{{- end }}
{{- if .Values.ingress.tls }}
tls:
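Review bot: The `tls:` block below the changed `servicePort` is still wrapped in `{{- if .Values.ingress.tls }}`, so an Ingress enabled without TLS values now fronts an HTTP backend with HTTP, leaving no encrypted hop at all. Since the chart now relies on the Ingress for HTTPS, suggest documenting `ingress.tls` as required for any exposed deployment, or printing a warning in NOTES.txt when ingress is enabled and `ingress.tls` is empty.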
21 changes: 0 additions & 21 deletions templates/secrets_st2web.yaml

This file was deleted.

2 changes: 1 addition & 1 deletion templates/services.yaml
Expand Up @@ -107,7 +107,7 @@ spec:
{{- end }}
ports:
- protocol: TCP
port: 443
port: 80

{{ if .Values.st2chatops.enabled -}}
---
60 changes: 0 additions & 60 deletions values.yaml
Expand Up @@ -189,66 +189,6 @@ secrets:
WE8BWLQ1vBV6c7V4Q0Wp6LuTnNnvu/lvVugJW/TbrzFw6CFe5fEISmIHAMnqVz8x
OdOJyinSM1svoBGnYfyAqINKrqCSGSKmprlMo0Ma3erI7SuojWBS
-----END RSA PRIVATE KEY-----
st2web:
# SSL Certificate used for StackStorm Web UI in nginx (HTTPS)
# Warning! This is dummy auto-generated self-signed SSL cert. Use your own instead!
# TODO: For prod/stable consider auto-generating if no cert provided (#15)
ssl_certificate: |-
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# SSL Certificate private key used for StackStorm Web UI in nginx (HTTPS)
# Warning! This is dummy auto-generated self-signed SSL cert. Use your own instead!
# TODO: For prod/stable consider auto-generating if no cert provided (#15)
ssl_certificate_key: |-
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

##
## StackStorm HA Cluster pod settings for each individual service/component.
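Review bot: The removed `st2web` block under `secrets:` deletes the `ssl_certificate` and `ssl_certificate_key` values without any handling for users who already override them. After the upgrade those overrides are silently ignored and the UI is served over HTTP; suggest a NOTES.txt warning, or a template `fail`, when the `st2web` key under `secrets:` is still set. Removing the shipped dummy private key from the defaults is a good change, but it stays in the repository history, so the changelog should tell anyone who deployed with it to treat that key as public.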