diff --git a/charts/odpi-egeria-lab/Chart.yaml b/charts/odpi-egeria-lab/Chart.yaml index 66157ebf..291c2f88 100644 --- a/charts/odpi-egeria-lab/Chart.yaml +++ b/charts/odpi-egeria-lab/Chart.yaml @@ -4,7 +4,7 @@ name: odpi-egeria-lab description: Egeria lab environment apiVersion: v2 -version: 4.0.0-prerelease.8 +version: 4.0.0-prerelease.9 appVersion: "4.0" icon: https://raw.githubusercontent.com/odpi/egeria/99016e77167fa30dcfade809b061358a92a59973/assets/img/egeria.png keywords: diff --git a/charts/odpi-egeria-lab/etc/default.conf.template b/charts/odpi-egeria-lab/etc/default.conf.template deleted file mode 100644 index f2983177..00000000 --- a/charts/odpi-egeria-lab/etc/default.conf.template +++ /dev/null @@ -1,44 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright Contributors to the Egeria project. - -#pid /tmp/nginx.pid; - -#http { -# client_body_temp_path /tmp/client_temp; -# proxy_temp_path /tmp/proxy_temp_path; -# fastcgi_temp_path /tmp/fastcgi_temp; -# uwsgi_temp_path /tmp/uwsgi_temp; -# scgi_temp_path /tmp/scgi_temp; -#} - -server { - - listen 8443 ssl; - #listen 80; - server_name ${NGINX_SERVER_NAME}; - ssl_certificate /etc/nginx/ssl/tls.crt; - ssl_certificate_key /etc/nginx/ssl/tls.key; - ssl_password_file /etc/nginx/pass/pass.txt; - - - #root /var/www/; - #index index.html; - - # Force all paths to load either itself (js files) or go through index.html. - location /api { - proxy_pass ${UI_API}; - proxy_set_header Host $http_host; - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - proxy_ssl_server_name on; - } - - location / { - proxy_pass ${UI_STATIC}; - proxy_set_header Host $http_host; - proxy_ssl_verify off; - proxy_ssl_session_reuse on; - proxy_ssl_server_name on; - } - -} diff --git a/charts/odpi-egeria-lab/etc/staticui.conf.template b/charts/odpi-egeria-lab/etc/staticui.conf.template index a6ee820c..5f98538b 100644 --- a/charts/odpi-egeria-lab/etc/staticui.conf.template +++ b/charts/odpi-egeria-lab/etc/staticui.conf.template 
@@ -2,13 +2,24 @@ # Copyright Contributors to the Egeria project server { - listen 8080; - server_name _; + listen 8443 ssl default_server; + server_name _; + ssl_certificate /etc/nginx/ssl/tls.crt; + ssl_certificate_key /etc/nginx/ssl/tls.key; + ssl_password_file /etc/nginx/pass/pass.txt; root /var/www/; index index.html; - # Force all paths to load either itself (js files) or go through index.html. + location /api { + proxy_pass ${UI_API}; + proxy_set_header Host $http_host; + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + } + + # Force all other paths to load either itself (js files) or go through index.html. location / { try_files $uri /index.html; } diff --git a/charts/odpi-egeria-lab/templates/egeria-nginx.yaml b/charts/odpi-egeria-lab/templates/egeria-nginx.yaml deleted file mode 100644 index 30f58a1a..00000000 --- a/charts/odpi-egeria-lab/templates/egeria-nginx.yaml +++ /dev/null 
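Review bot: The new `location /api` block sets `proxy_ssl_verify off;`, so nginx encrypts the hop to `${UI_API}` but never checks which server answered; anything able to answer for that service name inside the cluster would be accepted. If the UI API certificate chains to a CA the chart can mount, this should be `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <CA_BUNDLE_PATH>;` (placeholder path). The same block passes the client-supplied `$http_host` upstream, so it is worth confirming the API does not use that header to build links or redirects. The server block also now terminates TLS without an `ssl_protocols` line, so the protocol floor is whatever the image's nginx build defaults to.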
@@ -1,214 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright Contributors to the Egeria project. ---- -# Configmap needed to store 'base' nginx configuration - needed to ensure all the paths -# used are writeable when running unpriviliged. The actual server config is -# defined in an included template -{{ if .Values.egeria.egeriaui }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: {{ include "myapp.name" . }} - helm.sh/chart: {{ include "myapp.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/component: nginx-conf - name: {{ .Release.Name }}-nginx-conf -data: - nginx.conf: | - # SPDX-License-Identifier: Apache-2.0 - # Copyright Contributors to the Egeria project. - worker_processes auto; - error_log /var/log/nginx/error.log notice; - events { - worker_connections 1024; - } - pid /tmp/nginx.pid; - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - access_log /var/log/nginx/access.log main; - sendfile on; - keepalive_timeout 65; - client_body_temp_path /tmp/client_temp; - proxy_temp_path /tmp/proxy_temp_path; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - include /etc/nginx/conf.d/*.conf; - } -... ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: {{ include "myapp.name" . }} - helm.sh/chart: {{ include "myapp.chart" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/component: nginx - name: {{ .Release.Name }}-nginx - -spec: - type: {{ .Values.service.type }} - ports: - - port: 443 - targetPort: 8443 - {{- if ( eq .Values.service.type "NodePort" ) }} - nodePort: {{ .Values.service.nodeport.nginx }} - {{- end }} - selector: - app.kubernetes.io/name: {{ include "myapp.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: nginx -... ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "myapp.fullname" . }}-nginx - labels: - app.kubernetes.io/name: {{ include "myapp.name" . }} - helm.sh/chart: {{ include "myapp.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/component: nginx - -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ include "myapp.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: nginx - strategy: {} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "myapp.name" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: nginx - spec: - containers: - - name: nginx - # Note we don't include the default namespace here as this is a standard docker image with no namespace - image: "{{ if (.Values.image.nginx.registry | default .Values.imageDefaults.registry) }}{{ .Values.image.nginx.registry | default .Values.imageDefaults.registry }}/{{ end }}\ - {{ if (.Values.image.nginx.namespace) }}{{ .Values.image.nginx.namespace }}/{{ end }}\ - {{ .Values.image.nginx.name }}\ - {{ if (.Values.image.nginx.tag) }}:{{ .Values.image.nginx.tag }}{{ end }}" - imagePullPolicy: {{ .Values.image.nginx.pullPolicy | default .Values.imageDefaults.pullPolicy | default "IfNotPresent" }} - ports: - - containerPort: 8443 - readinessProbe: - tcpSocket: - port: 8443 - initialDelaySeconds: 10 - periodSeconds: 10 - failureThreshold: 6 - resources: {{ toYaml .Values.nginx.resources | nindent 12 }} - env: - - name: UI_STATIC - value: http://{{ .Release.Name }}-uistatic:8080 - - name: UI_API - value: https://{{ .Release.Name }}-ui:8443 - - name: NGINX_SERVER_NAME - value: {{ .Release.Name}}-nginx - - name: JAVA_OPTS_APPEND - value: {{ .Values.nginx.jvmopts | quote }} - volumeMounts: - - name: template-vol - mountPath: /etc/nginx/templates - - name: conf-vol - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: confd-vol - mountPath: /etc/nginx/conf.d - - name: ssl-vol - mountPath: /etc/nginx/ssl - - name: pass-vol - mountPath: /etc/nginx/pass - restartPolicy: Always - volumes: - - name: template-vol - configMap: - name: {{ .Release.Name }}-template-configmap - # default config file - read only (configmap) - - name: conf-vol - configMap: - name: {{ .Release.Name }}-nginx-conf - # Created each time, so an empty local directory is suitable. 
Must be writeable - - name: confd-vol - emptyDir: {} - - name: ssl-vol - secret: - secretName: {{ .Release.Name }}-nginx-ssl - items: - - key: tls.key - path: tls.key - - key: tls.crt - path: tls.crt - - name: pass-vol - secret: - secretName: {{ .Release.Name }}-nginx-ssl-pass - items: - - key: pass.txt - path: pass.txt ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: {{ include "myapp.name" . }} - helm.sh/chart: {{ include "myapp.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/component: etc - name: {{ .Release.Name }}-template-configmap -{{- if and (.Files.Glob "etc/default.conf.template") }} -binaryData: - {{- $root := . }} - {{- range $path, $bytes := .Files.Glob "etc/default.conf.template" }} - {{ base $path }}: {{ $root.Files.Get $path | b64enc | quote }} - {{- end }} - {{- end }} - ---- -# The built in tls type is fixed to key/cert. So we need another secret to manage the key password (if required) -apiVersion: v1 -kind: Secret -metadata: - labels: - app.kubernetes.io/name: {{ include "myapp.name" . }} - helm.sh/chart: {{ include "myapp.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/component: nginx-ssl-pass - name: {{ .Release.Name }}-nginx-ssl-pass -data: - # echo 'egeria' | base64 - pass.txt: ZWdlcmlhCg== ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app.kubernetes.io/name: {{ include "myapp.name" . }} - helm.sh/chart: {{ include "myapp.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/component: nginx-ssl - name: {{ .Release.Name }}-nginx-ssl -type: kubernetes.io/tls -# TODO - Initially hardcoded here to prove the k8s deployment/nginx config. 
Certs are copied from egeria master 17 Mar 2021 -# See open-metadata-resources/open-metadata-deployment/certificates . We're using the EgeriaClient certs -# Also see https://stackoverflow.com/questions/51899844/nginx-ssl-no-start-line-expecting-trusted-certificate - for TRUSTED issue -data: - # cat EgeriaUIChassis.cert.pem | sed 's/CERTIFICATE/TRUSTED CERTIFICATE/g' | base64 - tls.crt: 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 - # cat EgeriaUIChassis.key.pem | base64 - tls.key: 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 -... -{{ end }} diff --git a/charts/odpi-egeria-lab/templates/egeria-uistatic.yaml b/charts/odpi-egeria-lab/templates/egeria-uistatic.yaml index 735e4e67..1ff534bc 100644 --- a/charts/odpi-egeria-lab/templates/egeria-uistatic.yaml +++ b/charts/odpi-egeria-lab/templates/egeria-uistatic.yaml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright Contributors to the Egeria project. +{{ if .Values.egeria.egeriaui }} --- apiVersion: v1 kind: ConfigMap @@ -16,7 +17,7 @@ data: # SPDX-License-Identifier: Apache-2.0 # Copyright Contributors to the Egeria project. worker_processes auto; - error_log /var/log/nginx/error.log notice; + #error_log /var/log/nginx/error.log notice; events { worker_connections 1024; } @@ -25,7 +26,7 @@ data: include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - access_log /var/log/nginx/access.log main; + #access_log /var/log/nginx/access.log main; sendfile on; keepalive_timeout 65; client_body_temp_path /tmp/client_temp; @@ -37,7 +38,6 @@ data: } ... --- -{{ if .Values.egeria.egeriaui }} apiVersion: v1 kind: Service metadata: @@ -52,8 +52,8 @@ metadata: spec: type: {{ .Values.service.type }} ports: - - port: 8080 - targetPort: 8080 + - port: 8443 + targetPort: 8443 {{- if ( eq .Values.service.type "NodePort" ) }} nodePort: {{ .Values.service.nodeport.uistatic }} {{- end }} 
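Review bot: Commenting out `error_log` here, and `access_log` in the `@@ -25,7 +26,7 @@` hunk, does not turn logging off. nginx falls back to its compiled-in defaults, so where and at which level the TLS front end's requests and errors are recorded now depends on the image rather than on this ConfigMap. Stating the destination keeps the audit trail explicit, e.g. `error_log /dev/stderr notice;` and `access_log /dev/stdout main;`, or else a comment on the two lines saying why the image default is wanted. The `nginx.conf` block scalar starts and ends outside both hunks.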
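Review bot: The `log_format main '... "$request" '` line kept as context in the `@@ -25,7 +26,7 @@` hunk has no terminating `;`, as far as the visible text shows. nginx therefore keeps reading arguments: before this change it would have absorbed the `access_log ...;` line, and with that line now a comment it absorbs `sendfile on;` instead, leaving `sendfile` at its default. Closing the directive fixes both: `log_format main '$remote_addr - $remote_user [$time_local] "$request" ';`.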
@@ -97,10 +97,10 @@ spec: :{{ .Values.image.uistatic.tag | default .Values.egeria.version }}" imagePullPolicy: {{ .Values.image.uistatic.pullPolicy | default .Values.imageDefaults.pullPolicy | default "IfNotPresent" }} ports: - - containerPort: 8080 + - containerPort: 8443 readinessProbe: tcpSocket: - port: 8080 + port: 8443 initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 6 @@ -119,6 +119,19 @@ spec: subPath: nginx.conf - name: confd-vol mountPath: /etc/nginx/conf.d + - name: ssl-vol + mountPath: /etc/nginx/ssl + - name: pass-vol + mountPath: /etc/nginx/pass + env: + - name: NGINX_SERVER_NAME + value: {{ .Release.Name}}-uistatic + - name: EGERIA_UI_API_URL + value: "https://{{ .Release.Name }}-ui:8443" + - name: REACT_APP_API_URL + value: "https://{{ .Release.Name }}-ui:8443" + - name: UI_API + value: "https://{{ .Release.Name }}-ui:8443" restartPolicy: Always volumes: - name: template-vol @@ -131,6 +144,20 @@ spec: # Created each time, so an empty local directory is suitable. Must be writeable - name: confd-vol emptyDir: { } + - name: ssl-vol + secret: + secretName: {{ .Release.Name }}-uistatic-ssl + items: + - key: tls.key + path: tls.key + - key: tls.crt + path: tls.crt + - name: pass-vol + secret: + secretName: {{ .Release.Name }}-uistatic-ssl-pass + items: + - key: pass.txt + path: pass.txt --- apiVersion: v1 
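Review bot: `NGINX_SERVER_NAME` is added to the container env in the `@@ -119,6 +119,19 @@` hunk, but the `staticui.conf.template` in this same commit uses `server_name _;` and only substitutes `${UI_API}`, so the variable looks unused. Whether the image reads `EGERIA_UI_API_URL` and `REACT_APP_API_URL` cannot be told from the diff. Dropping the unused entries, or adding a comment naming the consumer of each, would make the template easier to audit. The value is also the only unquoted one in the list; `value: "{{ .Release.Name }}-uistatic"` matches the other three.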
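Review bot: The `ssl-vol` and `pass-vol` secret volumes in the `@@ -131,6 +144,20 @@` hunk are added without `defaultMode`, so `tls.key` and `pass.txt` are projected with the Kubernetes default of 0644 and are readable by any process in the container. Adding `defaultMode: 0440` under each `secret:` narrows that; 0400 may fit better depending on the UID/GID the nginx image runs as, which the hunk does not show. The `volumes:` list begins outside the hunk.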
@@ -152,4 +179,40 @@ binaryData: {{- end }} ... +--- +# The built in tls type is fixed to key/cert. So we need another secret to manage the key password (if required) +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/name: {{ include "myapp.name" . }} + helm.sh/chart: {{ include "myapp.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: uistatic-ssl-pass + name: {{ .Release.Name }}-uistatic-ssl-pass +data: + # echo 'egeria' | base64 + pass.txt: ZWdlcmlhCg== +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/name: {{ include "myapp.name" . }} + helm.sh/chart: {{ include "myapp.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: uistatic-ssl + name: {{ .Release.Name }}-uistatic-ssl +type: kubernetes.io/tls +# TODO - Initially hardcoded here to prove the k8s deployment/nginx config. Certs are copied from egeria master 17 Mar 2021 +# See open-metadata-resources/open-metadata-deployment/certificates . 
We're using the EgeriaClient certs +# Also see https://stackoverflow.com/questions/51899844/nginx-ssl-no-start-line-expecting-trusted-certificate - for TRUSTED issue +data: + # cat EgeriaUIChassis.cert.pem | sed 's/CERTIFICATE/TRUSTED CERTIFICATE/g' | base64 + tls.crt: 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 + # cat EgeriaUIChassis.key.pem | base64 + tls.key: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlGTFRCWEJna3Foa2lHOXcwQkJRMHdTakFwQmdrcWhraUc5dzBCQlF3d0hBUUlPSHpMMHdOanhtNENBZ2dBCk1Bd0dDQ3FHU0liM0RRSUpCUUF3SFFZSllJWklBV1VEQkFFcUJCRDFza3d3dHFXYmNMM3RxMDR0bUxwNUJJSUUKMEZJcFZnQXMvY0ZGZnZSSzl2Sisza2tFQ1htYm9HTUoyUUU5dEhVRFVJQ2Z5WFUvVHZiT0lxZkYwK1VvZENIVgpZamVVZE10NWJWY2NIWUdHRitjaENiQmt3Y21sK0FyT3h0R2l0YUc4NWRYZ0dERUo0dVVSZFpWNVBvdU02SU83CkZXV0VnOUlBMDhERWg2Nk1pUkdiRXVpTjJHdnhLQ3NLUzVCRDE2S1hJMm9PT2pFVWRjdjh5YXRKUStoUlVZQXAKejlNTGZndnlSbDJUUCswQjF6bHg1bHg5c3poRy9PVkNKUm4wR25Vc1c5bW9sWWs4Z3dtSUQ1NGI4R25KZEJJeApxOTdmaXg2YVhENXdzQ2UxbnBhR0RQeXV1L1BtUzR6SWlZNkxiaFhYR0krd0p6MGlLTnMxWmZQOXpmcnJ2Ymg5ClY0Rm1yYUdPeGxaeUZKMkRzd3R0NHI5YjhPOTFyK0NhOGJvVHp5UDZwL2ZzNTcrMzA3WmkrRFlJdC9YREl1OG0KdERzK09tdUIvdk9hOGNXZlZkUXAzVlZqMFAzSkVtSkp2T0NpYVRVeUtyLzlvcE9IdWxoMVZONDlEMTh4M0NMcgpCWHRHaVU4V1k5a2xZWjBaK1ZIT1lLaUdKOUdyNklCeHRzWEhaVml3OFdBMG1aRG5TU1QxZFNHeDM5SVFxOXdPClZZNlZ4U0IrdVErT1B0bktHYm5KaWpUU3NsdU5rWUhGbmJOKzB4NjRyd3lhNXhwWEFLNVVmVnRYZGVleUlzdk4KR0Z6cTBIeWFTeVR2c0F4OEtNTVFidXVoSERyRXVuVFBBaUJwYmVzS0o1dUlnQ1FhR2s0QmlmS1dqbWREU2xEdQpJRWkvblBRUHdyZ1N5N3NkdUJPSVlaYUlyM0pVeWRmby9lZ2UxZG9IZS9ZYWNBcFBtUE1DS2xPZzhkcUwzYTNyCkVIYzhsdmUxY0l5NEd5clBRTkhHRWFTOXdiRUNmR0lhNXBGWVlnNStuWFU1QXlzakJaeFVuQ3VCTEhiT05sVGEKaFhNMnMrd3pNVSs4YTZBQzdTcTNJbzRocTFORjczRGttUVdRa2s2MHVDTWV3bjdxL1F5SDRzR2R4dHNXR1ZBWQpaSkw0ei90OU9uZlVjd1BZVlN4YmszYkszbFhBS0FNNlRGcmpadmh0VS94Vlk0cU85TnVwSVZ6Y2VaMHV2VTIyCmFGYUpIT29ZK3ptekRxL2dGOU00djFwM0xMUkxCQjhXT2F4ckZ4dS9rdXhDSHBPVmxCdWVTc2hpclhXR00ydEMKeHVCUFFkVXlLQjY1Z1dUUUt2VzRpUE1hU1ozaVU3TEIycmNqR3I0dVNqZFZCenVmN2twSTZ6RTBTS0xveGxjNwpjRmFsUDRkNFRp
M1BXa3Z3SVUxSlppVGp1bmdGQnFPWlZOY1RrUG9mQUkzS1JscktGc2kvU3d5bi9iMS9LclplCjM0SDJPeFJLVlZXVUlWZ3pxay84THlHNWpXUTRBQ0xmZ0tRdFlTUFdyVGVuMU1UVHRvYWxhTUNnaVV1WW1KbTAKaTMyZzRreGtSdEN1YTFEMWxSUFUreGxWL0VSWFBvU2lOa1h0SjZIY2xKbTUzd0dqWHdlVHVJQTZaOUl0NythYgpnOUpTZUtaVnBoVWZIa1dHcm1zSTV3aUdhNW95dVBDMURqVHdyRFk1cEhITCtoQlJhd0NSL1lOM1kvZDBqQmRJCjBYZXkyOFRLM0RwRExQM2N3cjh4UzR4NzA0VGszVTlucVJwT0lSNXhKbTZWTXprcEdYNzd5RU5UN1lQSnVndzQKcVVrVmVzM2prQ01FZzh5OEQramhtRGNjSXppRkRqTSsvLzh1YTA4M0xoMnpJS1lvdE0wMU51Z2JMallJQVJVVQoyQnJPdHltMFVGRUFBUzMvS3RNMGw1eU83MXNCYUpvRVQ0QnBnaUkrOVlvQTRzSlI2aERYRHJXbE52T3laN2hSCkZTWXRiMEYwN0hkTXYyZVhSMkxqWC9jdGUyOTIvbjJVRUVBTm9JaWZiSThDMHVZeExOWnNZbXhBOHhEY2JFczMKclVvYlhUWmppL0Y3Vm1VRGJIcFIxVUU2ZlpzQ3NHOUY5Y05PelN0S3FnYjV6ZlJSR3c2TmNuZjBTNzNLVEFvdwpzdExtU0xucVhDbnVCT2tzMUdMTWd4cTVHM1VkUzg0eDBhYjNIYXlUSk9QbwotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQo= +... {{ end }} diff --git a/charts/odpi-egeria-lab/values.yaml b/charts/odpi-egeria-lab/values.yaml index a78fb90b..3d8fc8f3 100644 --- a/charts/odpi-egeria-lab/values.yaml +++ b/charts/odpi-egeria-lab/values.yaml @@ -130,7 +130,7 @@ image: tag: "lab-3.5.2" uistatic: name: egeria-ui - tag: "3.2.2" + tag: "4.1.1" nginx: registry: public.ecr.aws name: nginx/nginx
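Review bot: The two Secrets added in the `@@ -152,4 +179,40 @@` hunk embed a fixed TLS private key in the chart, and the comment above `pass.txt` states the passphrase that decrypts it, so every install serves the same key and anyone with the repository can recover it. The TODO already marks this as temporary; the durable fix is to take the material from outside the chart, for example by rendering these Secrets only when no existing secret name is supplied in values and pointing `secretName:` at that value otherwise, or by letting a certificate issuer create the `kubernetes.io/tls` secret. Until then, a comment saying the key is a public lab fixture and must not front anything beyond the lab would make the intent explicit. The passphrase Secret is mounted into the same pod as the key, so the key encryption adds little once both are present.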