diff --git a/charts/litmus/Chart.yaml b/charts/litmus/Chart.yaml index dee9a516..29a49886 100644 --- a/charts/litmus/Chart.yaml +++ b/charts/litmus/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "3.8.0" +appVersion: "3.9.0" description: A Helm chart to install ChaosCenter name: litmus -version: 3.8.0 +version: 3.9.0 kubeVersion: ">=1.16.0-0" home: https://litmuschaos.io sources: diff --git a/charts/litmus/README.md b/charts/litmus/README.md index f0448b34..90c530ba 100644 --- a/charts/litmus/README.md +++ b/charts/litmus/README.md @@ -1,6 +1,6 @@ # litmus -![Version: 3.8.0](https://img.shields.io/badge/Version-3.8.0-informational?style=flat-square) ![AppVersion: 3.8.0](https://img.shields.io/badge/AppVersion-3.8.0-informational?style=flat-square) +![Version: 3.9.0](https://img.shields.io/badge/Version-3.9.0-informational?style=flat-square) ![AppVersion: 3.9.0](https://img.shields.io/badge/AppVersion-3.9.0-informational?style=flat-square) A Helm chart to install ChaosCenter 
@@ -55,23 +55,38 @@ We separated service configuration from `portal.server.service` to `portal.serve | adminConfig.DBUSER | string | `""` | | | adminConfig.DB_PORT | string | `""` | | | adminConfig.DB_SERVER | string | `""` | | -| adminConfig.JWTSecret | string | `"litmus-portal@123"` | | | adminConfig.SKIP_SSL_VERIFY | string | `"false"` | | -| adminConfig.VERSION | string | `"3.8.0"` | | +| adminConfig.VERSION | string | `"3.9.1"` | | +| allowedOrigins | string | `".*"` | | | customLabels | object | `{}` | Additional labels | | existingSecret | string | `""` | Use existing secret (e.g., External Secrets) | | image.imagePullSecrets | list | `[]` | | | image.imageRegistryName | string | `"litmuschaos.docker.scarf.sh/litmuschaos"` | | -| ingress.annotations | object | `{}` | | +| ingress.annotations."ingress.kubernetes.io/proxy-body-size" | string | `"0"` | | +| ingress.annotations."ingress.kubernetes.io/ssl-redirect" | string | `"true"` | | +| ingress.annotations."nginx.ingress.kubernetes.io/proxy-body-size" | string | `"0"` | | +| ingress.annotations."nginx.ingress.kubernetes.io/ssl-redirect" | string | `"true"` | | | ingress.enabled | bool | `false` | | -| ingress.host.backend.path | string | `"/backend/(.*)"` | You may need adapt the path depending your ingress-controller | -| ingress.host.backend.pathType | string | `"ImplementationSpecific"` | Allow to set [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for the backend path | -| ingress.host.frontend.path | string | `"/(.*)"` | You may need adapt the path depending your ingress-controller | +| ingress.host.frontend.path | string | `"/"` | You may need adapt the path depending your ingress-controller | | ingress.host.frontend.pathType | string | `"ImplementationSpecific"` | Allow to set [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for the frontend path | | ingress.host.name | string | `""` | This is ingress hostname (ex: 
my-domain.com) | | ingress.ingressClassName | string | `""` | | | ingress.name | string | `"litmus-ingress"` | | | ingress.tls | list | `[]` | | +| internalTLS.authServer.crt | string | `""` | | +| internalTLS.authServer.key | string | `""` | | +| internalTLS.authServer.secretName | string | `""` | | +| internalTLS.certMountPath | string | `"/etc/tls"` | | +| internalTLS.certSource | string | `"auto"` | | +| internalTLS.enabled | bool | `false` | | +| internalTLS.graphqlServer.crt | string | `""` | | +| internalTLS.graphqlServer.key | string | `""` | | +| internalTLS.graphqlServer.secretName | string | `""` | | +| internalTLS.strong_ssl_ciphers | bool | `false` | | +| internalTLS.trustCa | string | `""` | | +| internalTLS.web.crt | string | `""` | | +| internalTLS.web.key | string | `""` | | +| internalTLS.web.secretName | string | `""` | | | mongodb | object | `{"architecture":"replicaset","auth":{"enabled":true,"existingSecret":"","rootPassword":"1234","rootUser":"root"},"enabled":true,"livenessProbe":{"timeoutSeconds":20},"metrics":{"enabled":false,"prometheusRule":{"enabled":false}},"persistence":{"enabled":true},"readinessProbe":{"timeoutSeconds":20},"replicaCount":3,"volumePermissions":{"enabled":true}}` | Configure the Bitnami MongoDB subchart see values at https://github.com/bitnami/charts/blob/master/bitnami/mongodb/values.yaml | | mongodb.auth.existingSecret | string | `""` | existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, ` mongodb-replica-set-key`) | | nameOverride | string | `""` | | 
@@ -91,7 +106,7 @@ We separated service configuration from `portal.server.service` to `portal.serve | portal.frontend.customLabels | object | `{}` | | | portal.frontend.image.pullPolicy | string | `"Always"` | | | portal.frontend.image.repository | string | `"litmusportal-frontend"` | | -| portal.frontend.image.tag | string | `"3.8.0"` | | +| portal.frontend.image.tag | string | `"3.9.1"` | | | portal.frontend.livenessProbe.failureThreshold | int | `5` | | | portal.frontend.livenessProbe.initialDelaySeconds | int | `30` | | | portal.frontend.livenessProbe.periodSeconds | int | `10` | | @@ -126,13 +141,13 @@ We separated service configuration from `portal.server.service` to `portal.serve | portal.server.authServer.autoscaling.minReplicas | int | `2` | | | portal.server.authServer.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | portal.server.authServer.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | -| portal.server.authServer.env.LITMUS_GQL_GRPC_PORT | string | `":8000"` | | +| portal.server.authServer.env | object | `{}` | | | portal.server.authServer.image.pullPolicy | string | `"Always"` | | | portal.server.authServer.image.repository | string | `"litmusportal-auth-server"` | | -| portal.server.authServer.image.tag | string | `"3.8.0"` | | -| portal.server.authServer.ports[0].containerPort | int | `3030` | | +| portal.server.authServer.image.tag | string | `"3.9.1"` | | +| portal.server.authServer.ports[0].containerPort | int | `3000` | | | portal.server.authServer.ports[0].name | string | `"auth-server"` | | -| portal.server.authServer.ports[1].containerPort | int | `3000` | | +| portal.server.authServer.ports[1].containerPort | int | `3030` | | | portal.server.authServer.ports[1].name | string | `"auth-rpc-server"` | | | portal.server.authServer.replicas | int | `1` | | | portal.server.authServer.resources.limits.cpu | string | `"550m"` | | 
@@ -146,35 +161,34 @@ We separated service configuration from `portal.server.service` to `portal.serve | portal.server.authServer.securityContext.runAsNonRoot | bool | `true` | | | portal.server.authServer.securityContext.runAsUser | int | `2000` | | | portal.server.authServer.service.annotations | object | `{}` | | +| portal.server.authServer.service.authRestServer.port | int | `9003` | | +| portal.server.authServer.service.authRestServer.targetPort | int | `3000` | | | portal.server.authServer.service.authRpcServer.port | int | `3030` | | | portal.server.authServer.service.authRpcServer.targetPort | int | `3030` | | -| portal.server.authServer.service.authServer.port | int | `9003` | | -| portal.server.authServer.service.authServer.targetPort | int | `3000` | | | portal.server.authServer.service.type | string | `"ClusterIP"` | | | portal.server.authServer.volumeMounts | list | `[]` | | | portal.server.authServer.volumes | list | `[]` | | | portal.server.customLabels | object | `{}` | | +| portal.server.graphqlServer.automountServiceAccountToken | bool | `false` | | | portal.server.graphqlServer.genericEnv.CHAOS_CENTER_UI_ENDPOINT | string | `""` | | | portal.server.graphqlServer.genericEnv.CONTAINER_RUNTIME_EXECUTOR | string | `"k8sapi"` | | -| portal.server.graphqlServer.genericEnv.DEFAULT_HUB_BRANCH_NAME | string | `"v3.8.x"` | | +| portal.server.graphqlServer.genericEnv.DEFAULT_HUB_BRANCH_NAME | string | `"v3.9.x"` | | | portal.server.graphqlServer.genericEnv.ENABLE_GQL_INTROSPECTION | string | `"false"` | | -| portal.server.graphqlServer.genericEnv.INFRA_COMPATIBLE_VERSIONS | string | `"[\"3.8.0\"]"` | | +| portal.server.graphqlServer.genericEnv.INFRA_COMPATIBLE_VERSIONS | string | `"[\"3.9.0\"]"` | | | portal.server.graphqlServer.genericEnv.INFRA_DEPLOYMENTS | string | `"[\"app=chaos-exporter\", \"name=chaos-operator\", \"app=event-tracker\", \"app=workflow-controller\"]"` | | -| portal.server.graphqlServer.genericEnv.LITMUS_AUTH_GRPC_PORT | string | 
`":3030"` | | | portal.server.graphqlServer.genericEnv.REMOTE_HUB_MAX_SIZE | string | `"5000000"` | | | portal.server.graphqlServer.genericEnv.TLS_CERT_64 | string | `""` | | -| portal.server.graphqlServer.genericEnv.TLS_SECRET_NAME | string | `""` | | -| portal.server.graphqlServer.genericEnv.WORKFLOW_HELPER_IMAGE_VERSION | string | `"3.8.0"` | | +| portal.server.graphqlServer.genericEnv.WORKFLOW_HELPER_IMAGE_VERSION | string | `"3.9.0"` | | | portal.server.graphqlServer.image.pullPolicy | string | `"Always"` | | | portal.server.graphqlServer.image.repository | string | `"litmusportal-server"` | | -| portal.server.graphqlServer.image.tag | string | `"3.8.0"` | | +| portal.server.graphqlServer.image.tag | string | `"3.9.1"` | | | portal.server.graphqlServer.imageEnv.ARGO_WORKFLOW_CONTROLLER_IMAGE | string | `"workflow-controller:v3.3.1"` | | | portal.server.graphqlServer.imageEnv.ARGO_WORKFLOW_EXECUTOR_IMAGE | string | `"argoexec:v3.3.1"` | | -| portal.server.graphqlServer.imageEnv.EVENT_TRACKER_IMAGE | string | `"litmusportal-event-tracker:3.8.0"` | | -| portal.server.graphqlServer.imageEnv.LITMUS_CHAOS_EXPORTER_IMAGE | string | `"chaos-exporter:3.8.0"` | | -| portal.server.graphqlServer.imageEnv.LITMUS_CHAOS_OPERATOR_IMAGE | string | `"chaos-operator:3.8.0"` | | -| portal.server.graphqlServer.imageEnv.LITMUS_CHAOS_RUNNER_IMAGE | string | `"chaos-runner:3.8.0"` | | -| portal.server.graphqlServer.imageEnv.SUBSCRIBER_IMAGE | string | `"litmusportal-subscriber:3.8.0"` | | +| portal.server.graphqlServer.imageEnv.EVENT_TRACKER_IMAGE | string | `"litmusportal-event-tracker:3.9.1"` | | +| portal.server.graphqlServer.imageEnv.LITMUS_CHAOS_EXPORTER_IMAGE | string | `"chaos-exporter:3.9.0"` | | +| portal.server.graphqlServer.imageEnv.LITMUS_CHAOS_OPERATOR_IMAGE | string | `"chaos-operator:3.9.0"` | | +| portal.server.graphqlServer.imageEnv.LITMUS_CHAOS_RUNNER_IMAGE | string | `"chaos-runner:3.9.0"` | | +| portal.server.graphqlServer.imageEnv.SUBSCRIBER_IMAGE | string | 
`"litmusportal-subscriber:3.9.1"` | | | portal.server.graphqlServer.livenessProbe.failureThreshold | int | `5` | | | portal.server.graphqlServer.livenessProbe.initialDelaySeconds | int | `30` | | | portal.server.graphqlServer.livenessProbe.periodSeconds | int | `10` | | @@ -199,10 +213,10 @@ We separated service configuration from `portal.server.service` to `portal.serve | portal.server.graphqlServer.securityContext.runAsNonRoot | bool | `true` | | | portal.server.graphqlServer.securityContext.runAsUser | int | `2000` | | | portal.server.graphqlServer.service.annotations | object | `{}` | | +| portal.server.graphqlServer.service.graphqlRestServer.port | int | `9002` | | +| portal.server.graphqlServer.service.graphqlRestServer.targetPort | int | `8080` | | | portal.server.graphqlServer.service.graphqlRpcServer.port | int | `8000` | | | portal.server.graphqlServer.service.graphqlRpcServer.targetPort | int | `8000` | | -| portal.server.graphqlServer.service.graphqlServer.port | int | `9002` | | -| portal.server.graphqlServer.service.graphqlServer.targetPort | int | `8080` | | | portal.server.graphqlServer.service.type | string | `"ClusterIP"` | | | portal.server.graphqlServer.volumeMounts[0].mountPath | string | `"/tmp/"` | | | portal.server.graphqlServer.volumeMounts[0].name | string | `"gitops-storage"` | | @@ -214,7 +228,6 @@ We separated service configuration from `portal.server.service` to `portal.serve | portal.server.graphqlServer.volumes[1].name | string | `"hub-storage"` | | | portal.server.nodeSelector | object | `{}` | | | portal.server.replicas | int | `1` | | -| portal.server.serviceAccountName | string | `"litmus-server-account"` | | | portal.server.tolerations | list | `[]` | | | portal.server.updateStrategy | object | `{}` | | | portal.server.waitForMongodb.image.pullPolicy | string | `"Always"` | | 
@@ -227,16 +240,6 @@ We separated service configuration from `portal.server.service` to `portal.serve | portal.server.waitForMongodb.resources.requests.ephemeral-storage | string | `"500Mi"` | | | portal.server.waitForMongodb.resources.requests.memory | string | `"150Mi"` | | | portal.server.waitForMongodb.securityContext | object | `{}` | | -| portalScope | string | `"cluster"` | | -| upgradeAgent.affinity | object | `{}` | | -| upgradeAgent.controlPlane.image.pullPolicy | string | `"Always"` | | -| upgradeAgent.controlPlane.image.repository | string | `"upgrade-agent-cp"` | | -| upgradeAgent.controlPlane.image.tag | string | `"3.8.0"` | | -| upgradeAgent.controlPlane.restartPolicy | string | `"OnFailure"` | | -| upgradeAgent.enabled | bool | `true` | | -| upgradeAgent.nodeSelector | object | `{}` | | -| upgradeAgent.resources | object | `{}` | | -| upgradeAgent.tolerations | list | `[]` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/litmus/templates/_helpers.tpl b/charts/litmus/templates/_helpers.tpl index d5490fb5..865dd119 100644 --- a/charts/litmus/templates/_helpers.tpl +++ b/charts/litmus/templates/_helpers.tpl 
@@ -91,3 +91,48 @@ Check for existing secret mongodb://{{ trimSuffix "," $hosts }}/admin {{- end -}} +{{- define "litmus-portal.internalTLS.web.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.web.secretName -}} + {{- else -}} + {{- printf "%s-web-internal-tls" (include "litmus-portal.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "litmus-portal.internalTLS.authServer.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.authServer.secretName -}} + {{- else -}} + {{- printf "%s-auth-server-internal-tls" (include "litmus-portal.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "litmus-portal.internalTLS.graphqlServer.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.graphqlServer.secretName -}} + {{- else -}} + {{- printf "%s-graphql-server-internal-tls" (include "litmus-portal.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "litmus-portal.web" -}} + {{- printf "%s-web-service" (include "litmus-portal.fullname" .) -}} +{{- end -}} + +{{- define "litmus-portal.auth-server" -}} + {{- printf "%s-auth-server-service" (include "litmus-portal.fullname" .) -}} +{{- end -}} + +{{- define "litmus-portal.graphql-server" -}} + {{- printf "%s-graphql-server-service" (include "litmus-portal.fullname" .) -}} +{{- end -}} + +{{/* scheme for all components because it only support http mode */}} +{{- define "litmus-portal.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + diff --git a/charts/litmus/templates/auth-server-deployment.yaml b/charts/litmus/templates/auth-server-deployment.yaml index 19e0b1b5..19bb042e 100644 --- a/charts/litmus/templates/auth-server-deployment.yaml +++ b/charts/litmus/templates/auth-server-deployment.yaml 
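Review bot: The `litmus-portal.web` and `litmus-portal.graphql-server` helpers near the end of this hunk return `<fullname>-web-service` and `<fullname>-graphql-server-service`, but the other templates in this commit address those components as `<fullname>-frontend-service` (ingress.yaml) and `<fullname>-server-service` (the nginx `proxy_pass` and `LITMUS_GQL_GRPC_ENDPOINT`). auto-tls.yaml uses the helper output as the certificate CN and service-name SAN, so the generated web and GraphQL certificates would not match the hostname clients connect to, and hostname verification could not be enabled later. Align the names with the real Services, e.g. `{{- printf "%s-frontend-service" (include "litmus-portal.fullname" .) -}}` and `{{- printf "%s-server-service" (include "litmus-portal.fullname" .) -}}`. The comment on `litmus-portal.component.scheme` is also stale, since the helper returns `https` when `internalTLS.enabled` is set; it should read `{{/* URL scheme for in-cluster components: https when internalTLS is enabled, otherwise http */}}`.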
@@ -1,10 +1,10 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "litmus-portal.fullname" . }}-auth-server + name: '{{ include "litmus-portal.fullname" . }}-auth-server' namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-auth-server + app.kubernetes.io/component: '{{ include "litmus-portal.name" . }}-auth-server' {{- include "litmus-portal.labels" . | nindent 4 }} {{- if .Values.portal.server.customLabels }} {{ toYaml .Values.portal.server.customLabels | nindent 4 }} @@ -30,7 +30,6 @@ spec: {{- end }} spec: automountServiceAccountToken: {{ .Values.portal.server.authServer.automountServiceAccountToken }} - serviceAccountName: {{ .Values.portal.server.serviceAccountName }} {{- if .Values.image.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.image.imagePullSecrets | indent 8 }} 
@@ -122,18 +121,48 @@ spec: {{- end }} - name: LITMUS_GQL_GRPC_ENDPOINT value: "{{ include "litmus-portal.fullname" . }}-server-service" + - name: "LITMUS_GQL_GRPC_PORT" + value: "{{ .Values.portal.server.graphqlServer.service.graphqlRpcServer.port }}" + {{- if .Values.internalTLS.enabled }} + - name: ENABLE_INTERNAL_TLS + value: "true" + - name: TLS_CERT_PATH + value: "{{ .Values.internalTLS.certMountPath }}/tls.crt" + - name: TLS_KEY_PATH + value: "{{ .Values.internalTLS.certMountPath }}/tls.key" + - name: CA_CERT_TLS_PATH + value: "{{ .Values.internalTLS.certMountPath }}/ca.crt" + {{- else }} + - name: ENABLE_INTERNAL_TLS + value: "false" + {{- end }} + - name: REST_PORT + value: "{{ (index .Values.portal.server.authServer.ports 0).containerPort }}" + - name: GRPC_PORT + value: "{{ (index .Values.portal.server.authServer.ports 1).containerPort }}" + - name: ALLOWED_ORIGINS + value: "{{ .Values.allowedOrigins }}" {{- range $key, $val := .Values.portal.server.authServer.env }} - name: {{ $key }} value: {{ $val | quote }} {{- end }} - {{- with .Values.portal.server.authServer.volumeMounts }} volumeMounts: + {{- with .Values.portal.server.authServer.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.portal.server.authServer.volumes }} + {{- if .Values.internalTLS.enabled }} + - name: auth-server-internal-certs + mountPath: {{ .Values.internalTLS.certMountPath }} + {{- end }} volumes: + {{- with .Values.portal.server.authServer.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: auth-server-internal-certs + secret: + secretName: {{ template "litmus-portal.internalTLS.authServer.secretName" . }} + {{- end }} {{- with .Values.portal.server.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/litmus/templates/auth-server-svc.yaml b/charts/litmus/templates/auth-server-svc.yaml index 6c6b16a6..ba724203 100644 --- a/charts/litmus/templates/auth-server-svc.yaml 
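Review bot: `ALLOWED_ORIGINS` is rendered as `value: "{{ .Values.allowedOrigins }}"`, which drops the raw value into a double-quoted YAML scalar, so a pattern containing a backslash or a double quote (an escaped dot `\.`, for instance) yields an invalid escape and the manifest fails to parse. That matters because the default shown in the README hunk is `.*`, which appears to be a match-everything pattern, and an operator narrowing it will typically write exactly such an escaped expression. Use the same form as the user-supplied env loop just below it: `value: {{ .Values.allowedOrigins | quote }}`. The identical line appears in the server-deployment.yaml env hunk, and the `internalTLS.certMountPath` values in both files would benefit from the same treatment. It is also worth stating in the values documentation that `.*` accepts any origin and should be restricted for production installs.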
+++ b/charts/litmus/templates/auth-server-svc.yaml @@ -14,8 +14,8 @@ spec: type: {{ .Values.portal.server.authServer.service.type }} ports: - name: auth-server - port: {{ .Values.portal.server.authServer.service.authServer.port }} - targetPort: {{ .Values.portal.server.authServer.service.authServer.targetPort }} + port: {{ .Values.portal.server.authServer.service.authRestServer.port }} + targetPort: {{ .Values.portal.server.authServer.service.authRestServer.targetPort }} - name: auth-rpc-server port: {{ .Values.portal.server.authServer.service.authRpcServer.port }} targetPort: {{ .Values.portal.server.authServer.service.authRpcServer.targetPort }} diff --git a/charts/litmus/templates/auth-server-tls.yaml b/charts/litmus/templates/auth-server-tls.yaml new file mode 100644 index 00000000..9e652428 --- /dev/null +++ b/charts/litmus/templates/auth-server-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "litmus-portal.internalTLS.authServer.secretName" . }}" + labels: +{{ include "litmus-portal.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.authServer.crt\" is required!" .Values.internalTLS.authServer.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.authServer.key\" is required!" .Values.internalTLS.authServer.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/litmus/templates/auto-tls.yaml b/charts/litmus/templates/auto-tls.yaml new file mode 100644 index 00000000..84cd06a5 --- /dev/null +++ b/charts/litmus/templates/auto-tls.yaml 
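Review bot: In the new auth-server-tls.yaml, `manual` mode takes the private key from `.Values.internalTLS.authServer.key`, so the key ends up in values files and in the Helm release record as well as in the Secret, and nothing in the file says so. Add a header comment such as `{{/* manual mode: key material is read from chart values and is stored with the Helm release; prefer certSource "secret" for production */}}`. The two nested guards, the first of which is a single-argument `and`, can be collapsed the way auto-tls.yaml does it: `{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}`. The Secret also sets no `namespace`, unlike the Deployment that mounts it, which sets `namespace: {{ .Release.Namespace }}`.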
@@ -0,0 +1,49 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "litmus-portal-internal-ca" 365 }} +{{- $webCN := (include "litmus-portal.web" .) }} +{{- $webCrt := genSignedCert $webCN (list "127.0.0.1") (list "localhost" $webCN) 365 $ca }} +{{- $authServerCN := (include "litmus-portal.auth-server" .) }} +{{- $authServerCrt := genSignedCert $authServerCN nil (list $authServerCN) 365 $ca }} +{{- $graphqlServerCN := (include "litmus-portal.graphql-server" .) }} +{{- $graphqlServerCrt := genSignedCert $graphqlServerCN nil (list $graphqlServerCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "litmus-portal.internalTLS.web.secretName" . }}" + labels: +{{ include "litmus-portal.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $webCrt.Cert | b64enc | quote }} + tls.key: {{ $webCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "litmus-portal.internalTLS.authServer.secretName" . }}" + labels: +{{ include "litmus-portal.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $authServerCrt.Cert | b64enc | quote }} + tls.key: {{ $authServerCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "litmus-portal.internalTLS.graphqlServer.secretName" . }}" + labels: +{{ include "litmus-portal.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $graphqlServerCrt.Cert | b64enc | quote }} + tls.key: {{ $graphqlServerCrt.Key | b64enc | quote }} + +{{- end }} \ No newline at end of file diff --git a/charts/litmus/templates/controlplane-configs.yaml b/charts/litmus/templates/controlplane-configs.yaml index 0182aabb..3ab8e081 100644 --- a/charts/litmus/templates/controlplane-configs.yaml 
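Review bot: The `genCA`/`genSignedCert` calls at the top of this new file run on every render, so each `helm upgrade` replaces the CA and all three leaf certificates, and without an upgrade they expire after 365 days; neither behaviour is stated anywhere in the file. None of the deployment hunks in this commit add a checksum annotation or similar, so running pods may keep serving the previous certificate until they restart (inferred from the visible hunks only). At minimum add a header comment such as `{{/* auto mode: CA and leaf certs are re-issued on every install/upgrade and are valid for 365 days */}}`. The auth and GraphQL certificates carry only the short service name as DNS SAN, so a client dialling `<service>.<namespace>.svc` would not match. The file also ends without a trailing newline.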
+++ b/charts/litmus/templates/controlplane-configs.yaml @@ -7,8 +7,6 @@ metadata: {{- include "litmus-portal.labels" . | nindent 4 }} app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-admin-config data: - INFRA_SCOPE: "{{ .Values.portalScope }}" - INFRA_NAMESPACE: "{{ .Release.Namespace }}" {{- if .Values.adminConfig.DB_SERVER }} DB_SERVER: "{{ .Values.adminConfig.DB_SERVER }}" {{- else }} @@ -61,7 +59,26 @@ data: error_log /var/log/nginx/error.log; server { - listen 8185 default_server; + {{- if .Values.internalTLS.enabled }} + listen {{ .Values.portal.frontend.containerPort }} ssl; + # SSL + ssl_certificate {{ .Values.internalTLS.certMountPath }}/tls.crt; + ssl_certificate_key {{ .Values.internalTLS.certMountPath }}/tls.key; + ssl_client_certificate {{ .Values.internalTLS.certMountPath }}/ca.crt; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + listen {{ .Values.portal.frontend.containerPort }}; + {{- end }} + server_name default_server; root /opt/chaos; location /health { 
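Review bot: `ssl_client_certificate {{ .Values.internalTLS.certMountPath }}/ca.crt;` in the new TLS branch of the `server` block has no effect on its own, because nginx only checks client certificates when `ssl_verify_client` is set and this block never sets it. Either drop the directive or state the intent with a comment such as `# CA is loaded but client certificates are not verified (ssl_verify_client is off)`, so nobody reads the listener as mutually authenticated. Separately, the `{{ else }}` cipher list, which the default `strong_ssl_ciphers: false` from the README hunk selects, still admits static-RSA key exchange (`RSA+AESGCM`, `RSA+AES`) and ends in a stray `:`; making the forward-secret list the default would be the safer choice. The `server` block starts and ends outside this hunk.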
@@ -83,32 +100,39 @@ data: } location /auth/ { + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + proxy_ssl_certificate {{ .Values.internalTLS.certMountPath }}/tls.crt; + proxy_ssl_certificate_key {{ .Values.internalTLS.certMountPath }}/tls.key; + proxy_pass "https://{{ include "litmus-portal.fullname" . }}-auth-server-service:{{ .Values.portal.server.authServer.service.authRestServer.port }}/"; + {{- else }} + proxy_pass "http://{{ include "litmus-portal.fullname" . }}-auth-server-service:{{ .Values.portal.server.authServer.service.authRestServer.port }}/"; + {{- end }} proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass "http://{{ include "litmus-portal.fullname" . }}-auth-server-service:9003/"; } location /api/ { + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + proxy_ssl_certificate {{ .Values.internalTLS.certMountPath }}/tls.crt; + proxy_ssl_certificate_key {{ .Values.internalTLS.certMountPath }}/tls.key; + proxy_pass "https://{{ include "litmus-portal.fullname" . }}-server-service:{{ .Values.portal.server.graphqlServer.service.graphqlRestServer.port }}/"; + {{- else }} + proxy_pass "http://{{ include "litmus-portal.fullname" . }}-server-service:{{ .Values.portal.server.graphqlServer.service.graphqlRestServer.port }}/"; + {{- end }} proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass "http://{{ include "litmus-portal.fullname" . 
}}-server-service:9002/"; - } - - location /ws/ { - proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass "http://{{ include "litmus-portal.fullname" . }}-server-service:9002/"; } } } diff --git a/charts/litmus/templates/controlplane-secrets.yaml b/charts/litmus/templates/controlplane-secrets.yaml index 6e2a8908..0e8631c1 100644 --- a/charts/litmus/templates/controlplane-secrets.yaml +++ b/charts/litmus/templates/controlplane-secrets.yaml @@ -12,7 +12,6 @@ data: DB_USER: {{ .Values.adminConfig.DBUSER | b64enc | quote }} DB_PASSWORD: {{ .Values.adminConfig.DBPASSWORD | b64enc | quote }} {{- end }} - JWT_SECRET: {{ .Values.adminConfig.JWTSecret | b64enc | quote }} ADMIN_USERNAME: {{ .Values.adminConfig.ADMIN_USERNAME | b64enc | quote }} ADMIN_PASSWORD: {{ .Values.adminConfig.ADMIN_PASSWORD | b64enc | quote }} {{- end }} diff --git a/charts/litmus/templates/frontend-deployment.yaml b/charts/litmus/templates/frontend-deployment.yaml index 111187f4..bc3ce13e 100644 --- a/charts/litmus/templates/frontend-deployment.yaml +++ b/charts/litmus/templates/frontend-deployment.yaml @@ -38,6 +38,11 @@ spec: - name: nginx-config configMap: name: {{ include "litmus-portal.fullname" . }}-frontend-nginx-configuration + {{- if .Values.internalTLS.enabled }} + - name: web-internal-certs + secret: + secretName: {{ template "litmus-portal.internalTLS.web.secretName" . }} + {{- end }} containers: - name: litmusportal-frontend image: {{ .Values.image.imageRegistryName }}/{{ .Values.portal.frontend.image.repository }}:{{ .Values.portal.frontend.image.tag }} 
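Review bot: Both new `proxy_ssl_verify off;` lines (in `location /auth/` and `location /api/`) mean nginx encrypts the hop to the auth and GraphQL services but accepts any certificate presented, so internal TLS does not authenticate the upstream. The CA is already mounted beside the leaf certificate, so verification can be turned on with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate {{ .Values.internalTLS.certMountPath }}/ca.crt;`, provided the upstream certificate's SAN matches the service name used in `proxy_pass`. The guard `{{- if and .Values.internalTLS.enabled }}` can be written `{{- if .Values.internalTLS.enabled }}`, as the listener block does. The enclosing `server` block starts outside this hunk.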
@@ -50,11 +55,13 @@ spec: httpGet: path: / port: http + scheme: {{ include "litmus-portal.component.scheme" . | upper }} {{- toYaml .Values.portal.frontend.livenessProbe | nindent 12 }} readinessProbe: httpGet: path: / port: http + scheme: {{ include "litmus-portal.component.scheme" . | upper }} {{- toYaml .Values.portal.frontend.readinessProbe | nindent 12 }} ports: - containerPort: {{ .Values.portal.frontend.containerPort }} @@ -63,6 +70,10 @@ spec: - name: nginx-config mountPath: /etc/nginx/nginx.conf subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: web-internal-certs + mountPath: {{ .Values.internalTLS.certMountPath }} + {{- end }} {{- with .Values.portal.frontend.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/litmus/templates/ingress.yaml b/charts/litmus/templates/ingress.yaml index 816b6f75..2e446c6c 100644 --- a/charts/litmus/templates/ingress.yaml +++ b/charts/litmus/templates/ingress.yaml @@ -14,10 +14,13 @@ metadata: labels: app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-frontend {{- include "litmus-portal.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} annotations: + {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} spec: {{- if .Values.ingress.ingressClassName }} ingressClassName: {{ .Values.ingress.ingressClassName }} 
@@ -48,21 +51,10 @@ spec: name: {{ $fullName }}-frontend-service port: number: {{ .Values.portal.frontend.service.port }} - - path: {{ .Values.ingress.host.backend.path }} - pathType: {{ .Values.ingress.host.backend.pathType }} - backend: - service: - name: {{ $fullName }}-server-service - port: - number: {{ .Values.portal.server.graphqlServer.service.graphqlServer.port }} {{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion }} - path: {{ .Values.ingress.host.paths.frontend }} backend: serviceName: {{ $fullName }}-frontend-service servicePort: {{ .Values.portal.frontend.service.port }} - - path: {{ .Values.ingress.host.paths.backend }} - backend: - serviceName: {{ $fullName }}-server-service - servicePort: {{ .Values.portal.server.graphqlServer.service.graphqlServer.port }} {{- end }} {{- end }} diff --git a/charts/litmus/templates/server-cluster-role-binding.yaml b/charts/litmus/templates/server-cluster-role-binding.yaml deleted file mode 100644 index 57b38c75..00000000 --- a/charts/litmus/templates/server-cluster-role-binding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{ if eq .Values.portalScope "cluster" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: litmus-server-crb-for-{{ include "litmus-portal.fullname" . }}-server - labels: - app.kubernetes.io/component: litmus-server-crb-for-{{ include "litmus-portal.name" . }}-server - {{- include "litmus-portal.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: litmus-server-cr-for-{{ include "litmus-portal.fullname" . }}-server -subjects: - - kind: ServiceAccount - name: {{ .Values.portal.server.serviceAccountName }} - namespace: {{ .Release.Namespace }} -{{ end }} diff --git a/charts/litmus/templates/server-cluster-role.yaml b/charts/litmus/templates/server-cluster-role.yaml deleted file mode 100644 index d5a53960..00000000 --- a/charts/litmus/templates/server-cluster-role.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{ if eq .Values.portalScope "cluster" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: litmus-server-cr-for-{{ include "litmus-portal.fullname" . }}-server - labels: - app.kubernetes.io/component: litmus-server-cr-for-{{ include "litmus-portal.name" . }}-server - {{- include "litmus-portal.labels" . | nindent 4 }} -rules: - - apiGroups: [networking.k8s.io, extensions] - resources: [ingresses] - verbs: [get] - - apiGroups: [""] - resources: [services, nodes, pods/log] - verbs: [get, watch] - - apiGroups: [""] # To get TLS Cert from secrets incase of cluster scope - resources: [secrets] - verbs: [get] -{{ end }} diff --git a/charts/litmus/templates/server-deployment.yaml b/charts/litmus/templates/server-deployment.yaml index 6047bb47..0ec9f270 100644 --- a/charts/litmus/templates/server-deployment.yaml +++ b/charts/litmus/templates/server-deployment.yaml @@ -27,13 +27,18 @@ spec: {{ toYaml .Values.portal.server.customLabels | nindent 8 }} {{- end }} spec: - serviceAccountName: {{ .Values.portal.server.serviceAccountName }} + automountServiceAccountToken: {{ .Values.portal.server.graphqlServer.automountServiceAccountToken }} {{- if .Values.image.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.image.imagePullSecrets | indent 8 }} {{- end }} volumes: {{- toYaml .Values.portal.server.graphqlServer.volumes | default "" | nindent 8 }} + {{- if .Values.internalTLS.enabled }} + - name: graphql-server-internal-certs + secret: + secretName: {{ template "litmus-portal.internalTLS.graphqlServer.secretName" . }} + {{- end }} initContainers: - name: wait-for-mongodb image: {{ .Values.image.imageRegistryName }}/{{ .Values.portal.server.waitForMongodb.image.repository }}:{{ .Values.portal.server.waitForMongodb.image.tag }} 
@@ -83,6 +88,10 @@ spec: image: {{ .Values.image.imageRegistryName }}/{{ .Values.portal.server.graphqlServer.image.repository }}:{{ .Values.portal.server.graphqlServer.image.tag }} volumeMounts: {{- toYaml .Values.portal.server.graphqlServer.volumeMounts | default "" | nindent 12 }} + {{- if .Values.internalTLS.enabled }} + - name: graphql-server-internal-certs + mountPath: {{ .Values.internalTLS.certMountPath }} + {{- end }} imagePullPolicy: {{ .Values.portal.server.graphqlServer.image.pullPolicy }} ports: {{- toYaml .Values.portal.server.graphqlServer.ports | nindent 12 }} @@ -90,16 +99,6 @@ spec: {{- toYaml .Values.portal.server.graphqlServer.resources | nindent 12 }} securityContext: {{- toYaml .Values.portal.server.graphqlServer.securityContext | nindent 12 }} - livenessProbe: - httpGet: - path: / - port: gql-server - {{- toYaml .Values.portal.server.graphqlServer.livenessProbe | nindent 12 }} - readinessProbe: - httpGet: - path: / - port: gql-server - {{- toYaml .Values.portal.server.graphqlServer.readinessProbe | nindent 12 }} envFrom: - secretRef: name: {{ include "litmus-portal.secretname" . }} 
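Review bot: In the second hunk here (`@@ -90,16 +99,6 @@`) the graphql-server container loses both `livenessProbe` and `readinessProbe` with nothing replacing them, so the Service can route to a pod before the server is listening and a hung process is never restarted. If the HTTP probes were dropped because they fail once `internalTLS.enabled` switches the port to TLS (an inference, the page does not give the reason), a protocol-agnostic check would work in both modes: `tcpSocket:` with `port: gql-server` under each probe. The container spec starts and ends outside this hunk.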
@@ -131,24 +130,29 @@ spec: name: {{ include "litmus-portal.secretname" . }} key: DB_USER {{- end }} - - name: LITMUS_PORTAL_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CHAOS_CENTER_SCOPE - value: {{ .Values.portalScope }} - - name: SERVER_SERVICE_NAME - value: {{ include "litmus-portal.fullname" . }}-server-service - - name: INGRESS - value: "{{ .Values.ingress.enabled }}" - - name: INGRESS_NAME - value: "{{ .Values.ingress.name }}" - - name: "LITMUS_AUTH_GRPC_ENDPOINT" - value: "{{ include "litmus-portal.fullname" . }}-auth-server-service" - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName + - name: LITMUS_AUTH_GRPC_ENDPOINT + value: '{{ include "litmus-portal.fullname" . }}-auth-server-service' + - name: "LITMUS_AUTH_GRPC_PORT" + value: "{{ .Values.portal.server.authServer.service.authRpcServer.port }}" + {{- if .Values.internalTLS.enabled }} + - name: ENABLE_INTERNAL_TLS + value: "true" + - name: TLS_CERT_PATH + value: "{{ .Values.internalTLS.certMountPath }}/tls.crt" + - name: TLS_KEY_PATH + value: "{{ .Values.internalTLS.certMountPath }}/tls.key" + - name: CA_CERT_TLS_PATH + value: "{{ .Values.internalTLS.certMountPath }}/ca.crt" + {{- else }} + - name: ENABLE_INTERNAL_TLS + value: "false" + {{- end }} + - name: REST_PORT + value: "{{ (index .Values.portal.server.graphqlServer.ports 0).containerPort }}" + - name: GRPC_PORT + value: "{{ (index .Values.portal.server.graphqlServer.ports 1).containerPort }}" + - name: ALLOWED_ORIGINS + value: "{{ .Values.allowedOrigins }}" {{- $imageRegistry := .Values.image.imageRegistryName -}} {{- range $key, $val := .Values.portal.server.graphqlServer.imageEnv }} - name: {{ $key }} diff --git a/charts/litmus/templates/server-role.yaml b/charts/litmus/templates/server-role.yaml deleted file mode 100644 index 92a6406c..00000000 --- a/charts/litmus/templates/server-role.yaml +++ /dev/null 
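Review bot: `value: "{{ .Values.allowedOrigins }}"` pastes a regex between hand-written double quotes, so any backslash or double quote in the value renders as an invalid YAML escape and the install fails. That blocks exactly the tightened patterns an operator should use, such as escaped dots. `value: {{ .Values.allowedOrigins | quote }}` escapes the value correctly. `REST_PORT` and `GRPC_PORT` are also taken by position with `index ... ports 0` and `index ... ports 1`, so an override that reorders or shortens `portal.server.graphqlServer.ports` swaps the ports or aborts rendering; a comment on that values list stating the required order would help. The env list starts outside this hunk.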
@@ -1,17 +0,0 @@ -{{ if eq .Values.portalScope "namespace" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: litmus-server-role-for-{{ include "litmus-portal.fullname" . }}-server - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: litmus-server-role-for-{{ include "litmus-portal.name" . }}-server - {{- include "litmus-portal.labels" . | nindent 4 }} -rules: - - apiGroups: [networking.k8s.io, extensions] - resources: [ingresses] - verbs: [get] - - apiGroups: [""] - resources: [services, pods/log] - verbs: [get, watch] -{{ end }} diff --git a/charts/litmus/templates/server-rolebinding.yaml b/charts/litmus/templates/server-rolebinding.yaml deleted file mode 100644 index 75e94fe8..00000000 --- a/charts/litmus/templates/server-rolebinding.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if eq .Values.portalScope "namespace" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: litmus-server-rb-for-{{ include "litmus-portal.fullname" . }}-server - namespace: {{ .Release.Namespace }} - labels: - name: litmus-server-rb-for-{{ include "litmus-portal.name" . }}-server - app.kubernetes.io/component: litmus-server-rb-for-{{ include "litmus-portal.name" . }}-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: litmus-server-role-for-{{ include "litmus-portal.fullname" . }}-server -subjects: - - kind: ServiceAccount - name: {{ .Values.portal.server.serviceAccountName }} - namespace: {{ .Release.Namespace }} -{{ end }} diff --git a/charts/litmus/templates/server-sa.yaml b/charts/litmus/templates/server-sa.yaml deleted file mode 100644 index 92094e22..00000000 --- a/charts/litmus/templates/server-sa.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Values.portal.server.serviceAccountName }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server - {{- include "litmus-portal.labels" . | nindent 4 }} diff --git a/charts/litmus/templates/server-svc.yaml b/charts/litmus/templates/server-svc.yaml index ead31fec..b1c5c551 100644 --- a/charts/litmus/templates/server-svc.yaml +++ b/charts/litmus/templates/server-svc.yaml @@ -14,8 +14,8 @@ spec: type: {{ .Values.portal.server.graphqlServer.service.type }} ports: - name: graphql-server - port: {{ .Values.portal.server.graphqlServer.service.graphqlServer.port }} - targetPort: {{ .Values.portal.server.graphqlServer.service.graphqlServer.targetPort }} + port: {{ .Values.portal.server.graphqlServer.service.graphqlRestServer.port }} + targetPort: {{ .Values.portal.server.graphqlServer.service.graphqlRestServer.targetPort }} - name: graphql-rpc-server port: {{ .Values.portal.server.graphqlServer.service.graphqlRpcServer.port }} targetPort: {{ .Values.portal.server.graphqlServer.service.graphqlRpcServer.targetPort }} diff --git a/charts/litmus/templates/server-tls.yaml b/charts/litmus/templates/server-tls.yaml new file mode 100644 index 00000000..546e1167 --- /dev/null +++ b/charts/litmus/templates/server-tls.yaml 
@@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "litmus-portal.internalTLS.graphqlServer.secretName" . }}" + labels: +{{ include "litmus-portal.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.graphqlServer.crt\" is required!" .Values.internalTLS.graphqlServer.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.graphqlServer.key\" is required!" .Values.internalTLS.graphqlServer.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/litmus/templates/web-tls.yaml b/charts/litmus/templates/web-tls.yaml new file mode 100644 index 00000000..32740a61 --- /dev/null +++ b/charts/litmus/templates/web-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "litmus-portal.internalTLS.web.secretName" . }}" + labels: +{{ include "litmus-portal.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.web.crt\" is required!" .Values.internalTLS.web.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.web.key\" is required!" .Values.internalTLS.web.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/litmus/values.yaml b/charts/litmus/values.yaml index 0b8dc8a2..4a1d5a16 100644 --- a/charts/litmus/values.yaml +++ b/charts/litmus/values.yaml @@ -1,9 +1,6 @@ # Default values for litmus. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - -portalScope: cluster - nameOverride: "" # -- Additional labels 
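Review bot: In server-tls.yaml (and identically in web-tls.yaml) the `manual` path takes the private key from `.Values.internalTLS.graphqlServer.key`, so the key material lives in values files and in the stored Helm release record as well as in this Secret. A header comment should say so and point production installs at `certSource: "secret"` with a pre-created Secret. As a style point, `{{- if and .Values.internalTLS.enabled }}` uses `and` with a single operand; the two nested guards read better as `{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}` with one `{{- end }}`.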
@@ -13,9 +10,11 @@ customLabels: {} # -- Use existing secret (e.g., External Secrets) existingSecret: "" +# eg: ^(http://|https://|)litmuschaos.io(:[0-9]+|)?,^(http://|https://|)litmusportal-server-service(:[0-9]+|)? +allowedOrigins: ".*" + adminConfig: - JWTSecret: "litmus-portal@123" - VERSION: "3.8.0" + VERSION: "3.9.1" SKIP_SSL_VERIFY: "false" # -- leave empty if uses Mongo DB deployed by this chart DBPASSWORD: "" 
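Review bot: The default `allowedOrigins: ".*"` accepts every origin, so a stock install ships with whatever check `ALLOWED_ORIGINS` feeds effectively switched off. The comment above it should say that this is a permissive placeholder to be narrowed before the portal is exposed. The example patterns leave the dots unescaped and have no closing `$`, so depending on how the server applies the regex (not visible here) they may match hosts that merely begin with the expected name. A tighter sample (constructed) would be `^https://litmus\.example\.com(:[0-9]+)?$`. Such a pattern contains backslashes, which the `value: "{{ .Values.allowedOrigins }}"` line in server-deployment.yaml does not escape.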
@@ -30,11 +29,53 @@ image: # Optional pod imagePullSecrets imagePullSecrets: [] +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # Path on which the certs & keys will be mounted across all components + certMountPath: "/etc/tls" + # web related cert configuration + web: + # secret name for web's tls certs + secretName: "" + # Content of web's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of web's TLS key file, only available when `certSource` is "manual" + key: "" + # graph-server related cert configuration + graphqlServer: + # secret name for graph-server's tls certs + secretName: "" + # Content of graphqlServer's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of graphqlServer's TLS key file, only available when `certSource` is "manual" + key: "" + # auth-server related cert configuration + authServer: + # secret name for auth-server's tls certs + secretName: "" + # Content of auth-server's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of auth-server's TLS key file, only available when `certSource` is "manual" + key: "" + ingress: enabled: false name: litmus-ingress annotations: - {} + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" # kubernetes.io/tls-acme: "true" # nginx.ingress.kubernetes.io/rewrite-target: /$1 
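Review bot: The new default ingress annotations set `proxy-body-size: "0"` under both prefixes, which removes the request body size limit on the NGINX ingress for every install that enables ingress. A bounded default, or a comment saying why unlimited uploads are needed and that operators should cap it, would avoid shipping an unbounded-upload front door by default. In the `internalTLS` block, the comments above `graphqlServer.crt` and `authServer.crt` both say "TLS key file"; they should read `# Content of graphqlServer's TLS cert file, ...` and `# Content of auth-server's TLS cert file, ...` so that nobody pastes a private key into the certificate field.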
@@ -44,41 +85,13 @@ ingress: name: "" frontend: # -- You may need adapt the path depending your ingress-controller - path: /(.*) + path: / # -- Allow to set [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for the frontend path pathType: ImplementationSpecific - backend: - # -- You may need adapt the path depending your ingress-controller - path: /backend/(.*) - # -- Allow to set [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for the backend path - pathType: ImplementationSpecific tls: [] # - secretName: chart-example-tls # hosts: [] -upgradeAgent: - enabled: true - controlPlane: - image: - repository: upgrade-agent-cp - tag: "3.8.0" - pullPolicy: "Always" - restartPolicy: OnFailure - nodeSelector: {} - tolerations: [] - affinity: {} - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. -# limits: -# cpu: 100m -# memory: 128Mi -# requests: -# cpu: 100m -# memory: 128Mi - portal: frontend: replicas: 1 @@ -105,7 +118,7 @@ portal: # runAsNonRoot: true image: repository: litmusportal-frontend - tag: 3.8.0 + tag: 3.9.1 pullPolicy: "Always" containerPort: 8185 customLabels: {} @@ -140,6 +153,8 @@ portal: type: ClusterIP port: 9091 targetPort: 8185 +# NOTE: Using virtualService is not compatible with native mTLS of Litmus. +# It's recommended to use mTLS feature provided by Istio itself in such scenario. virtualService: enabled: false hosts: [] @@ -161,7 +176,6 @@ portal: ## rollingUpdate: ## maxSurge: 1 ## maxUnavailable: 25% - serviceAccountName: litmus-server-account customLabels: {} # my.company.com/tier: "backend" waitForMongodb: 
@@ -189,6 +203,7 @@ portal: cpu: "250m" ephemeral-storage: "1Gi" graphqlServer: + automountServiceAccountToken: false volumes: - name: gitops-storage emptyDir: {} @@ -206,7 +221,7 @@ portal: readOnlyRootFilesystem: true image: repository: litmusportal-server - tag: 3.8.0 + tag: 3.9.1 pullPolicy: "Always" ports: - name: gql-server @@ -216,30 +231,28 @@ portal: service: annotations: {} type: ClusterIP - graphqlServer: + graphqlRestServer: port: 9002 targetPort: 8080 graphqlRpcServer: port: 8000 targetPort: 8000 imageEnv: - SUBSCRIBER_IMAGE: "litmusportal-subscriber:3.8.0" - EVENT_TRACKER_IMAGE: "litmusportal-event-tracker:3.8.0" + SUBSCRIBER_IMAGE: "litmusportal-subscriber:3.9.1" + EVENT_TRACKER_IMAGE: "litmusportal-event-tracker:3.9.1" ARGO_WORKFLOW_CONTROLLER_IMAGE: "workflow-controller:v3.3.1" ARGO_WORKFLOW_EXECUTOR_IMAGE: "argoexec:v3.3.1" - LITMUS_CHAOS_OPERATOR_IMAGE: "chaos-operator:3.8.0" - LITMUS_CHAOS_RUNNER_IMAGE: "chaos-runner:3.8.0" - LITMUS_CHAOS_EXPORTER_IMAGE: "chaos-exporter:3.8.0" + LITMUS_CHAOS_OPERATOR_IMAGE: "chaos-operator:3.9.0" + LITMUS_CHAOS_RUNNER_IMAGE: "chaos-runner:3.9.0" + LITMUS_CHAOS_EXPORTER_IMAGE: "chaos-exporter:3.9.0" genericEnv: - TLS_SECRET_NAME: "" TLS_CERT_64: "" CONTAINER_RUNTIME_EXECUTOR: "k8sapi" - DEFAULT_HUB_BRANCH_NAME: "v3.8.x" + DEFAULT_HUB_BRANCH_NAME: "v3.9.x" INFRA_DEPLOYMENTS: '["app=chaos-exporter", "name=chaos-operator", "app=event-tracker", "app=workflow-controller"]' - LITMUS_AUTH_GRPC_PORT: ":3030" - WORKFLOW_HELPER_IMAGE_VERSION: "3.8.0" + WORKFLOW_HELPER_IMAGE_VERSION: "3.9.0" REMOTE_HUB_MAX_SIZE: "5000000" - INFRA_COMPATIBLE_VERSIONS: '["3.8.0"]' + INFRA_COMPATIBLE_VERSIONS: '["3.9.0"]' # Provide UI endpoint if using namespaced scope CHAOS_CENTER_UI_ENDPOINT: "" ENABLE_GQL_INTROSPECTION: "false" 
@@ -283,24 +296,23 @@ portal: automountServiceAccountToken: false image: repository: litmusportal-auth-server - tag: 3.8.0 + tag: 3.9.1 pullPolicy: "Always" ports: - name: auth-server - containerPort: 3030 - - name: auth-rpc-server containerPort: 3000 + - name: auth-rpc-server + containerPort: 3030 service: annotations: {} type: ClusterIP - authServer: + authRestServer: port: 9003 targetPort: 3000 authRpcServer: port: 3030 targetPort: 3030 - env: - LITMUS_GQL_GRPC_PORT: ":8000" + env: {} resources: # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little