[blocked] Add support for ingress #64

Draft pull request: wants to merge 1 commit into base: main
45 changes: 37 additions & 8 deletions terracottabigmemorymax/helm/README.md
Expand Up @@ -93,28 +93,53 @@ kubectl create secret generic certificatesecret \
--from-file=/home/mdh@eur.ad.sag/4.xconfig/k8sCert/terracotta-1-keystore.jks
````

### Step #2: Install the helm chart and use the above created secret.
Steps related to ingress -

````
helm install "my-release" --set terracotta.stripeCount=2 --set terracotta.nodeCountPerStripe=1 --set-file terracotta.license=/home/mdh@eur.ad.sag/4.xlicense/license.key --set tag=4.3.10-SNAPSHOT --set security=true --set secretName=certificatesecret .
Following two steps are required to secure the ingress -
1. Create a certificate like openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout certs/ingress-tls.key -out certs/ingress-tls.crt
Note- The CN should match the hostname in terracotta.ingressHostname.
2. Create a kubernetes secret in the same namespace in which terracotta is supposed to be deployed.
kubectl create secret tls test-ingress-secret --key=certs/ingress-tls.key --cert=certs/ingress-tls.crt -o yaml
3. Ingress controller for specified terracotta.ingressClass needs to be installed in the k8s cluster.
For ex- If using terracotta.ingressClass as "nginx" then ingress controller for nginx needs to be deployed in the cluster.

helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace

mdh@SAG-1HXQKG3:~/Myrepos/webmethods-helm-charts/terracottabigmemorymax/helm$ kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-967b94856-4c7mp 1/1 Running 1 (32h ago) 2d
mdh@SAG-1HXQKG3:~/Myrepos/webmethods-helm-charts/terracottabigmemorymax/helm$ kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller-admission ClusterIP 10.43.152.27 <none> 443/TCP 2d
ingress-nginx-controller LoadBalancer 10.43.190.88 172.30.119.197 80:31717/TCP,443:31285/TCP 2d
````

### Step #3: Verify from the browser to see if connections can be created securely to tmc.

- First enable port-forwarding for tmc-service using -
### Step #2: Install the helm chart and use the above created secret.

````
kubectl port-forward service/tmc-service 8080:9443
helm install "my-release" --set terracotta.stripeCount=2 \
--set terracotta.nodeCountPerStripe=1 \
--set-file terracotta.license=/home/mdh@eur.ad.sag/4.xlicense/license.key \
--set tag=4.3.10-SNAPSHOT \
--set terracotta.security=true \
--set terracotta.secretName=certificatesecret \
--set terracotta.ingressSecretName=test-ingress-secret \
--set terracotta.secureIngress=true \
--set terracotta.ingressHostname = hostname.terracotta.com \
--set terracotta.tmcOpts = "-Dcom.tc.management.config.disable.csrfGuard=true -Djdk.internal.httpclient.disableHostnameVerification=true -Djetty.sslContext.sniRequired=false -Djetty.ssl.sniHostCheck=false -Djetty.ssl.sniRequired=false"
````

- Go to browser and go to url https://localhost:8080 and then set up authentication.
### Step #3: Verify from the browser to see if connections can be created securely to tmc.

- Go to browser and go to url https://hostname.terracotta.com:443 and then set up authentication.
- It will ask for tmc restart so do it using

```
kubectl delete pod tmc-0.
```

- Now again start port-forwarding and go to browser and provide the connection location (URL) -
- Now go to browser to the same url https://hostname.terracotta.com:443 and provide the connection location (URL) -

```
https://terracotta-0.terracotta-service.default.svc.cluster.local:9540
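Review bot: the install command in the new Step #2 does not work as written, because `--set terracotta.ingressHostname = hostname.terracotta.com` and `--set terracotta.tmcOpts = "..."` have spaces around `=`; helm reads `--set terracotta.ingressHostname` as a key with an empty value and then treats the lone `=` as a separate argument. Write them as `--set terracotta.ingressHostname=hostname.terracotta.com` and `--set terracotta.tmcOpts="..."`. The same command passes `-Dcom.tc.management.config.disable.csrfGuard=true`, `-Djdk.internal.httpclient.disableHostnameVerification=true` and the `sniHostCheck`/`sniRequired=false` flags without saying why; switching off CSRF protection and hostname verification weakens the deployment, so the README should state which failure each flag works around and that this is not the setting to ship to production. Smaller points: "Following two steps" introduces three steps; `kubectl create secret tls ... -o yaml` echoes the private key to the terminal, so drop `-o yaml`; and the note "The CN should match the hostname" is not enough for current browsers, which ignore CN and require a subjectAltName, so add `-addext "subjectAltName=DNS:hostname.terracotta.com"` (OpenSSL 1.1.1 or later) to the `openssl req` command. The `helm install ingress-nginx ingress-nginx/ingress-nginx` line also assumes the `ingress-nginx` repo has already been added; show the `helm repo add` step or say so.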
Expand Down Expand Up @@ -198,6 +223,10 @@ helm delete <release-name>
| terracotta.tmcEnabled | bool | `true` | TMC Enabled or not |
| terracotta.tmcManagementPort | int | `9889` | TMC Management Port |
| terracotta.tmcOpts | string | `""` | Can be used for passing some jvm related options for tmc. |
| terracotta.ingressClass | string | `"nginx"` | Ingress controller to be used. |
| terracotta.ingressSecretName | string | `""` | Ingress secret of "kubernetes.io/tls" deployed in the same namespace. |
| terracotta.secureIngress | bool | `false` | Ingress is secured or not. |
| terracotta.ingressHostname | string | `""` | Configure hostname which will be used to access tmc ui from browser. When ingress is secured the hostname in the ingress secret should match hostname configured here. |
| terracotta.tmcSecurePort | int | `9443` | TMC Secure Port |
| terracotta.tsaGroupPort | int | `9530` | TSA group port |
| terracotta.tsaManagementPort | int | `9540` | TSA Management port |
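Review bot: the `terracotta.tmcOpts` row still lists the default as `""`, but values.yaml in this same PR sets it to `-Dcom.tc.management.config.disable.csrfGuard=true`; the two must agree (preferably by keeping the default empty, see the values.yaml hunk). The four new rows should also spell out the consequences of their defaults: with `terracotta.secureIngress` left at `false` the ingress serves the TMC UI, including the authentication set-up from Step #3, over plain HTTP even when `terracotta.security` is `true` (only the hop from the controller to tmc-service is HTTPS); `terracotta.ingressSecretName` must be set whenever `secureIngress` is `true`, otherwise the rendered `tls.secretName` is empty; and `terracotta.ingressHostname` is required, not optional, because the template always emits a `host:` rule from it.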
57 changes: 57 additions & 0 deletions terracottabigmemorymax/helm/templates/tmc-ingress.yaml
@@ -0,0 +1,57 @@
# /*
# * Copyright (c) 2021 Software AG, Darmstadt, Germany and/or its licensors
# *
# * SPDX-License-Identifier: Apache-2.0
# *
# * Licensed under the Apache License, Version 2.0 (the "License");
# * you may not use this file except in compliance with the License.
# * You may obtain a copy of the License at
# *
# * http://www.apache.org/licenses/LICENSE-2.0
# *
# * Unless required by applicable law or agreed to in writing, software
# * distributed under the License is distributed on an "AS IS" BASIS,
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# * See the License for the specific language governing permissions and
# * limitations under the License.
# *
# */
{{- if eq $.Values.terracotta.tmcEnabled true }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: tmc-ingress
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- with .Values.extraLabels -}}
{{ toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if eq $.Values.terracotta.security true }}
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- end }}
spec:
ingressClassName: {{ $.Values.terracotta.ingressClass }}
{{- if eq $.Values.terracotta.secureIngress true }}
tls:
- hosts:
- {{ $.Values.terracotta.ingressHostname }}
secretName: {{ $.Values.terracotta.ingressSecretName }}
{{- end }}
rules:
- host: {{ $.Values.terracotta.ingressHostname }}
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: tmc-service
port:
{{- if eq $.Values.terracotta.security true }}
number: {{ .Values.terracotta.tmcSecurePort }}
{{ else }}
number: {{ .Values.terracotta.tmcManagementPort }}
{{- end }}
{{- end }}
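Review bot: the template silently renders an invalid or insecure Ingress for several value combinations and should fail at render time instead. `host: {{ $.Values.terracotta.ingressHostname }}` and `secretName: {{ $.Values.terracotta.ingressSecretName }}` both default to `""`; wrap them in `required`, for example `host: {{ required "terracotta.ingressHostname must be set" .Values.terracotta.ingressHostname | quote }}`, and do the same for the secret inside the `secureIngress` branch. Nothing prevents `terracotta.security=true` together with `secureIngress=false`, which exposes the TMC login over plaintext at the edge while only the backend hop is HTTPS; consider a `fail` on that combination, or at minimum a comment. The `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation is controller-specific, so with any `ingressClass` other than nginx the controller will speak HTTP to `tmcSecurePort` and the UI will not load; either guard it with `{{- if eq .Values.terracotta.ingressClass "nginx" }}` or document that the chart only supports the nginx controller when `security` is on. Related: with backend HTTPS the nginx controller does not verify the TMC certificate unless `nginx.ingress.kubernetes.io/proxy-ssl-secret` and `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` are set, which is worth a comment given that the README goes to the trouble of creating a keystore secret. Style: the `{{ else }}` in the port branch lacks the `-` trim used everywhere else in the file and emits a whitespace-only line; use `{{- else }}`.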

10 changes: 9 additions & 1 deletion terracottabigmemorymax/helm/values.yaml
Expand Up @@ -73,9 +73,17 @@ terracotta:
# -- TMC Management Port
tmcManagementPort: 9889
# -- Can be used for passing some jvm related options for tmc.
tmcOpts: ""
tmcOpts: "-Dcom.tc.management.config.disable.csrfGuard=true"
# -- The license content for the Terracotta cluster. Optional.
license: ""
# -- ingress class to be used
ingressClass: "nginx"
# -- secret to secure the ingress
ingressSecretName: ""
# -- Ingress secured or not
secureIngress: false
# -- hostname which is accessed publicly on browser to reach tmc.
ingressHostname: ""

# -- TSA container-specific configurations for probes
tsaServer:
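Review bot: changing the default `tmcOpts` from `""` to `-Dcom.tc.management.config.disable.csrfGuard=true` turns off TMC's CSRF protection for every installation of this chart, including the ones that never enable the ingress, while the comment above it still only says "Can be used for passing some jvm related options for tmc." Keep the default empty, document the flag next to the new ingress keys as something the operator opts into, and explain what breaks behind the ingress with CSRF guard enabled so readers can judge the trade-off. The `ingressHostname` comment ("hostname which is accessed publicly on browser to reach tmc") should also say the value is mandatory and must match the certificate held in `ingressSecretName` when `secureIngress` is `true`, and `ingressSecretName` should note the expected secret type `kubernetes.io/tls`, so that values.yaml and the README table say the same thing.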