diff --git a/charts/lagoon-remote/ci/linter-values.yaml b/charts/lagoon-remote/ci/linter-values.yaml
index 9c7e7d9d..1dc44358 100644
--- a/charts/lagoon-remote/ci/linter-values.yaml
+++ b/charts/lagoon-remote/ci/linter-values.yaml
@@ -32,16 +32,17 @@ mxoutHost: mxout1.example.com
 nats:
   enabled: true
-  cluster:
-    name: lagoon-remote-ci-example
-  # natsbox:
+  config:
+    cluster:
+      name: lagoon-remote-ci-example
+  # natsBox:
   #   enabled: true
   #   # additional labels are required due to the network policy
   #   additionalLabels:
   #     lagoon-remote-nats-client: "true"
 natsConfig:
-  coreURL: "nats://ci-ssh-portal:ci-password@lagoon-core-nats-concentrator:7422"
+  coreURL: "tls://ci-ssh-portal:ci-password@lagoon-core-nats-concentrator:7422"
   tls:
     secretData:
       ca.crt: |
@@ -56,7 +57,7 @@ natsConfig:
         zJ6PDtVHMNclAWSDebP9nnwCIQDrblreePb+pUBHvxFZNVFYBV4wF2gEkJC51tjw
         a8aklQ==
         -----END CERTIFICATE-----
-      client.crt: |
+      tls.crt: |
         -----BEGIN CERTIFICATE-----
         MIIByDCCAW+gAwIBAgIUaBeYr4jOQfj1tZQsKmDqPtU9s8owCgYIKoZIzj0EAwIw
         HjEcMBoGA1UEAxMTbmF0cy1jYS5leGFtcGxlLmNvbTAeFw0yMjAzMDMxNDU2MDBa
@@ -69,7 +70,7 @@ natsConfig:
         BAMCA0cAMEQCIGeTmjVk5evv1+dpddecLRhZqb2Op6YBuSxtiibEmaAJAiAuRI6A
         s+LwZcCJaL8Gf3W0NIh03fv7VOJ5AWRzYXzpdg==
         -----END CERTIFICATE-----
-      client.key: |
+      tls.key: |
         -----BEGIN EC PRIVATE KEY-----
         MHcCAQEEIGVXWxCYIOynJpYWn95j19DDNDeMZU+xYOhGU8IN9hwmoAoGCCqGSM49
         AwEHoUQDQgAEJqD67BGaVtpzW7mFSsK9IAY5bPsI/zDCGO+zhSJhDS44duAbmWCB
diff --git a/charts/lagoon-remote/templates/nats.secret.yaml b/charts/lagoon-remote/templates/nats.secret.yaml
index e2bdb7bc..15b3f54f 100644
--- a/charts/lagoon-remote/templates/nats.secret.yaml
+++ b/charts/lagoon-remote/templates/nats.secret.yaml
@@ -30,18 +30,18 @@ metadata:
   labels:
     {{- include "lagoon-remote.labels" . | nindent 4 }}
 stringData:
-  lagoon-remote.conf: |
+  leafnodes.conf: |
     leafnodes {
       no_advertise: true
       remotes: [
         {
           url: {{ .Values.natsConfig.coreURL | quote }}
           tls: {
-            {{- if .Values.natsConfig.tls.secretData -}}
-            ca_file: "/etc/lagoon-remote-nats-tls/ca.crt"
+            {{- if .Values.natsConfig.tls.secretData }}
+            ca_file: "/etc/nats-ca-cert/ca.crt"
             {{- end }}
-            cert_file: "/etc/lagoon-remote-nats-tls/client.crt"
-            key_file: "/etc/lagoon-remote-nats-tls/client.key"
+            cert_file: "/etc/nats-certs/leafnodes/tls.crt"
+            key_file: "/etc/nats-certs/leafnodes/tls.key"
           }
         }
       ]
diff --git a/charts/lagoon-remote/templates/ssh-portal.deployment.yaml b/charts/lagoon-remote/templates/ssh-portal.deployment.yaml
index 4caa2e45..1a6f60dc 100644
--- a/charts/lagoon-remote/templates/ssh-portal.deployment.yaml
+++ b/charts/lagoon-remote/templates/ssh-portal.deployment.yaml
@@ -18,7 +18,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{ include "lagoon-remote.fullname" . }}-nats-client: "true"
+        lagoon-remote-nats-client: "true"
         {{- include "lagoon-remote.sshPortal.selectorLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ include "lagoon-remote.sshPortal.serviceAccountName" . }}
diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml
index 9b0640b1..69580093 100644
--- a/charts/lagoon-remote/values.yaml
+++ b/charts/lagoon-remote/values.yaml
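Review bot: The new `ca_file`, `cert_file` and `key_file` paths are fixed strings that only work if the nats subchart mounts `tlsCA` at `/etc/nats-ca-cert` and the leafnodes TLS secret at `/etc/nats-certs/leafnodes`, and nothing in the template records that coupling. A Helm comment above the `tls: {` line, such as `{{- /* mount paths are those used by the nats subchart for tlsCA and the leafnodes tls context; keep in sync with nats.tlsCA in values.yaml */}}`, would make the dependency explicit, and `{{/* */}}` is stripped before the block scalar is parsed so nothing leaks into the rendered Secret. That comment should also state that when `natsConfig.tls.secretData` is unset no `ca_file` is written and the leaf node verifies the core server against the container's system trust store. Separately, `url:` renders `natsConfig.coreURL` unchecked while its default in values.yaml is `""`; unless the template is gated outside this hunk, `url: {{ required "natsConfig.coreURL must be set" .Values.natsConfig.coreURL | quote }}` would fail the render instead of producing a leaf node with an empty remote. The enclosing Secret template starts before this hunk.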
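Review bot: The fixed label key `lagoon-remote-nats-client: "true"` now has to match the `podSelector.matchLabels` of the NATS NetworkPolicy configured under `nats:` in values.yaml and the commented `natsBox.additionalLabels` in the CI values, but the deployment carries no pointer to that contract. A comment on the new line, `# grants this pod NATS access: must match the NetworkPolicy podSelector in values.yaml`, would stop the two drifting apart silently, since a mismatch only shows up as ssh-portal losing connectivity at runtime. If the key is referenced in more places, a named template in `_helpers.tpl` that both the deployment and the policy include would remove the duplication entirely.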
@@ -286,58 +286,128 @@ insightsRemote: # the nats chart is a subchart which is configured for use by lagoon-remote nats: enabled: false - # inject additional config - additionalVolumes: - - name: lagoon-remote-nats-tls - secret: - secretName: lagoon-remote-nats-tls - additionalVolumeMounts: - - name: lagoon-remote-nats-tls - mountPath: /etc/lagoon-remote-nats-tls - nats: - config: - - name: lagoon-remote - secret: - secretName: lagoon-remote-nats-conf - cluster: + tlsCA: enabled: true - name: lagoon-remote - # internal cluster IPs are not routable, so don't advertise them - noAdvertise: true - natsbox: + secretName: lagoon-remote-nats-tls + # Uncomment this block to enable monitoring if you have Prometheus Operator + # installed. + # promExporter: + # enabled: true + # podMonitor: + # enabled: true + # # fromNamespaces restricts the namespaces from which monitoring can occur + # # via the NetworkPolicy. At least one namespace name must be listed. + # fromNamespaces: + # - monitoring + natsBox: enabled: false + config: + cluster: + enabled: true + name: lagoon-remote + # internal cluster IPs are not routable, so don't advertise them + noAdvertise: true + merge: + 00$include: ./lagoon-remote/leafnodes.conf + # Uncomment this block if upgrading from lagoon-remote + {{ include "nats.fullname" $ | quote }} + labels: + $tplYaml: | + {{ include "nats.labels" $ }} + spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + $tplYaml: | + {{- include "nats.selectorLabels" $ }} + ingress: + - from: + # pods in this namespace with the correct label can access NATS pods + - podSelector: + matchLabels: + lagoon-remote-nats-client: "true" + # NATS inter-pod communication is allowed + - podSelector: + matchLabels: + $tplYaml: | + {{- include "nats.selectorLabels" $ }} + # conditionally allow metrics collection + - $tplYamlSpread: | + {{- if and .Values.promExporter.enabled .Values.promExporter.podMonitor.enabled }} + - from: + {{- range 
.Values.promExporter.podMonitor.fromNamespaces }} + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ . | quote }} + {{- end }} + ports: + - port: 7777 + protocol: TCP + {{- end }} + # Configuration for the nats subchart natsConfig: - # coreURL format nats://:@:7422 + # coreURL format tls://:@:7422 coreURL: "" tls: {} # If the lagoon-remote-nats-tls secret should be created by the # lagoon-remote chart, certificate values can be specified directly in # secretData. Configuring TLS this way also allows specifying a custom - # ca.crt. + # ca.crt. The chart expects expects secretData to be specified unless + # nats.tlsCA.enabled is set to false. # # secretData: # ca.crt: | # ... - # client.crt: | + # tls.crt: | # ... - # client.key: | + # tls.key: | # ... # # If the TLS secret is created outside the lagoon-remote chart, it should # be named lagoon-remote-nats-tls. This secret should contain fields # tls.crt and tls.key, and the certificate should be issued by a public - # authority. + # authority. `nats.tlsCA.enabled: false` should be set in this case (it is + # true by default). storageCalculator: enabled: false
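Review bot: In the `$tplYamlSpread` ingress rule, `- from:` followed by a `range` over `.Values.promExporter.podMonitor.fromNamespaces` renders with no `from` entries when that list is empty or unset, and a NetworkPolicy ingress rule whose `from` is empty admits traffic on port 7777 from every source; the comment says at least one namespace must be listed, but nothing enforces it. Wrapping the value, `{{- range (required "promExporter.podMonitor.fromNamespaces must list at least one namespace" .Values.promExporter.podMonitor.fromNamespaces) }}`, fails the render instead of opening the metrics port. This assumes the nats subchart's `$tplYamlSpread` helper renders the snippet as written. The `natsConfig.tls` comment also has a doubled word, `expects expects secretData`. Part of this hunk appears elided on the page, so the surrounding NetworkPolicy definition is only partly visible.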