k8s-infra: server routing strategies & basic TLS

assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties

@@ -447,7 +447,7 @@ che.infra.kubernetes.client.http.connection_pool.keep_alive_min=5
 che.infra.openshift.project=
 
 # Create routes with Transport Layer Security (TLS) enabled
-che.infra.openshift.tls_enabled=false
+che.infra.kubernetes.tls_enabled=false
 
 
 # Single port mode wildcard domain host & port. nip.io is used by default

dockerfiles/init/manifests/che.env

@@ -433,6 +433,10 @@ CHE_SINGLE_PORT=false
 #####                              Kubernetes Infrastructure                       #####
 #####                                                                              #####
 #
+
+# Create routes with Transport Layer Security (TLS) enabled
+CHE_INFRA_KUBERNETES_TLS_ENABLED=false
+
 #Configuration of Kubernetes client that Infra will use
 #CHE_INFRA_KUBERNETES_MASTER__URL=
 #CHE_INFRA_KUBERNETES_USERNAME=
@@ -511,9 +515,6 @@ CHE_SINGLE_PORT=false
 # If not set, every workspace will be created in a new project, where project name = workspace id
 #CHE_INFRA_OPENSHIFT_PROJECT=
 
-# Create routes with Transport Layer Security (TLS) enabled
-CHE_INFRA_OPENSHIFT_TLS_ENABLED=false
-
 
 ########################################################################################
 #####                                                                              #####

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/deployment.yaml

@@ -46,6 +46,9 @@ spec:
         - name: CHE_HOST
           value: {{ template "cheHost" . }}
         image: {{ .Values.image }}
+        securityContext:
+          runAsUser: 0
+          fsGroup: 0
         imagePullPolicy: Always
         name: keycloak
         livenessProbe:

dockerfiles/init/modules/che-kubernetes-helm/charts/che-keycloak/templates/ingress.yaml

@@ -14,27 +14,33 @@ metadata:
     {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout: "3600"
     {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout: "3600"
 {{- if .Values.global.tlsEnabled }}
+    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect: "true"
     kubernetes.io/tls-acme: "true"
 {{- else }}
     {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect: "false"
 {{- end }}
 spec:
-{{- if .Values.global.tlsEnabled }}
+{{- if .Values.global.tls.enabled }}
   tls:
   - hosts:
     - {{ template "keycloakHost" . }}
     secretName: keycloak-tls
 {{- end }}
   rules:
-{{- if .Values.global.isHostBased }}
+{{- if eq .Values.global.serverStrategy "default-host" }}
+  - http:
+      paths:
+      - path: /auth/
+{{- else if eq .Values.global.serverStrategy "single-host" }}
   - host: {{ template "keycloakHost" . }}
     http:
       paths:
-      - path: /
+      - path: /auth/
 {{- else }}
-  - http:
+  - host: {{ template "keycloakHost" . }}
+    http:
       paths:
-      - path: /auth/
+      - path: /
 {{- end }}
         backend:
           serviceName: keycloak

dockerfiles/init/modules/che-kubernetes-helm/charts/che-postgres/templates/deployment.yaml

@@ -36,6 +36,7 @@ spec:
         image: {{ .Values.image }}
         securityContext:
           runAsUser: 26
+          fsGroup: 26
         imagePullPolicy: Always
         name: postgres
         livenessProbe:

dockerfiles/init/modules/che-kubernetes-helm/readme.md

@@ -17,7 +17,7 @@
 
 In production, you should specify a hostname (see [here](https://github.com/eclipse/che/issues/8694) why). In case you don't have a hostname (e.g. during development), and would still want to use a host-based configuration, you can use services such as nip.io or xip.io.
 
-In case you're specifying a hostname, simply pass it as the value of the `cheDomain` parameter below.
+In case you're specifying a hostname, simply pass it as the value of the `ingressDomain` parameter below.
 
 If you must use an ip address (e.g. your corporate policy prevents you from using nip.io), you would also have to set `isHostBased` to `false`.
 
@@ -32,55 +32,53 @@ The context of the commands below is the directory in which this readme file res
 - Or, you can override default values during installation, using the `--set` flag:
 
   ```bash
-  helm upgrade --install <my-che-installation> --namespace <my-che-namespace> --set global.cheDomain=<my-hostname> --set cheImage=<my-image> ./
+  helm upgrade --install <my-che-installation> --namespace <my-che-namespace> --set global.ingressDomain=<my-hostname> --set cheImage=<my-image> ./
   ```
 
-#### Deployment types
-Currenty, only minikube deployment is supported.
+#### Deployment Options
 
 ##### Single User 
 Only Che will be deployed.
 
   ```bash
-  helm upgrade --install <che-release> --namespace <che-namespace> --set global.cheDomain=<domain> ./
+  helm upgrade --install <che-release-name> --namespace <che-namespace> --set global.ingressDomain=<domain> ./
   ```
 
 ##### Multi User 
 Che, KeyCloak and Postgres will be deployed.
 
   ```bash
-  helm upgrade --install <che-release> --namespace <che-namespace> --set global.multiuser=true --set global.cheDomain=<domain> ./
+  helm upgrade --install <che-release-name> --namespace <che-namespace> -f ./values/multi-user.yaml --set global.ingressDomain=<domain> ./
   ```
-
-##### No Host:
- Ingress will serve requests on minikube-ip. 
- Path based routing to Che, Secondary servers (KeyCloak) and Workspace servers.
 
+#### Default Host
+All Ingress specs are created without a host attribute (defaults to *).
+Path based routing to all components.
+Multi User configuration is enabled. 
+
   ```bash
-  helm upgrade --install <che-release> --namespace <che-namespace> --set global.isHostbased=false --set global.cheDomain=<minikube-ip> ./
-   Master: http://<minikube-ip>/
-   Workspaces: http://<minikube-ip>/<path-to-server>
-   Keycloak (if multiuser) : http://<minikube-ip>/auth/
+  helm upgrade --install <che-release-name> --namespace <che-namespace> -f ./values/default-host.yaml --set global.ingressDomain=<domain> ./
   ```
-
-##### Host (partial): 
- WS Master Ingress will serve requests on provided domain
- Workspaces: Ingress will serve requests on minikube-ip, Path Based routing to workspaces. 
- KeyCloak : dedicated hostname 
-
-   ```bash
-   helm upgrade --install <che-release> --namespace <che-namespace> --set global.cheDomain=<minikube-ip>.xip.io ./
-   Master: http://master.<minikube-ip>.xip.io
-   Workspaces: http://<minikube-ip>/<path-to-server>
-   Keycloak (if multiuser): http://keycloak.<minikube-ip>.xip.io/
-   ```
 
+* Master: `http://<minikube-ip>/`
+* Keycloak:  `http://<minikube-ip>/auth/`
+* Workspaces servers: `http://<minikube-ip>/<path-to-server>`
+
+#### TLS-enabled
+Cert-Manager is used to issue LetsEncrypt certificates.
+To avoid rate-limit issues, we use a single hostname for all ingresses.
+Path based routing to all components.
+Multi User configuration is enabled. 
+
+  ```bash
+  helm install --name <cert-manager-release-name> stable/cert-manager
+  helm upgrade --install <che-release-name> --namespace <che-namespace> -f ./values/tls.yaml --set global.ingressDomain=<your-domain> ./
+  ```
+
+* Master: `https://che-<che-namespace>.your-domain/`
+* Keycloak:  `https://che-<che-namespace>.your-domain/auth/`
+* Workspaces servers: `https://<che-namespace>.your-domain/<path-to-server>`
 
-##### Future options:
-- Path Based: single hostname for all components (che, keycloak, WS servers) 
-- Host Based: unique host for each component
-- TLS
-
 ## Deleting a Deployment
 You can delete a deployment using the following command:
 ``` bash

dockerfiles/init/modules/che-kubernetes-helm/templates/_hostHelper.tpl

@@ -1,7 +1,9 @@
 {{- define "cheHost" }}
-{{- if .Values.global.isHostBased }}
-{{- printf "master.%s" .Values.global.cheDomain }}
+{{- if eq .Values.global.serverStrategy "default-host" }}
+{{- printf "%s" .Values.global.ingressDomain }}
+{{- else if eq .Values.global.serverStrategy "single-host" }}
+{{- printf "che-%s.%s" .Release.Namespace .Values.global.ingressDomain }}
 {{- else }}
-{{- printf "%s" .Values.global.cheDomain }}
+{{- printf "che-%s.%s" .Release.Namespace .Values.global.ingressDomain }}
 {{- end }}
 {{- end }}

dockerfiles/init/modules/che-kubernetes-helm/templates/_keycloakAuthUrlHelper.tpl

@@ -1,15 +1,21 @@
 {{- define "keycloakAuthUrl" }}
-{{- if .Values.global.isHostBased }}
-{{- if .Values.global.tlsEnabled }}
-{{- printf "https://keycloak.%s/auth" .Values.global.cheDomain }}
-{{- else }}
-{{- printf "http://keycloak.%s/auth" .Values.global.cheDomain }}
-{{- end }}
-{{- else }}
-{{- if .Values.global.tlsEnabled }}
-{{- printf "https://%s/auth" .Values.global.cheDomain }}
-{{- else }}
-{{- printf "http://%s/auth" .Values.global.cheDomain }}
-{{- end }}
-{{- end }}
+  {{- if eq .Values.global.serverStrategy "default-host" }}
+    {{- if .Values.global.tls.enabled }}
+      {{- printf "https://%s/auth" .Values.global.ingressDomain }}
+    {{- else }}
+      {{- printf "http://%s/auth" .Values.global.ingressDomain }}
+    {{- end }}
+  {{- else if eq .Values.global.serverStrategy "single-host" }}
+    {{- if .Values.global.tls.enabled }}
+      {{- printf "https://che-%s.%s/auth" .Release.Namespace .Values.global.ingressDomain }}
+    {{- else }}
+      {{- printf "http:/che-%s./%s/auth" .Release.Namespace .Values.global.ingressDomain }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.tls.enabled }}
+      {{- printf "https://keycloak-%s.%s/auth" .Release.Namespace .Values.global.ingressDomain }}
+    {{- else }}
+      {{- printf "http://keycloak-%s.%s/auth" .Release.Namespace .Values.global.ingressDomain }}
+    {{- end }}
+  {{- end }}
 {{- end }}

dockerfiles/init/modules/che-kubernetes-helm/templates/_keycloakHostHelper.tpl

@@ -1,7 +1,9 @@
 {{- define "keycloakHost" }}
-{{- if .Values.global.isHostBased }}
-{{- printf "keycloak.%s" .Values.global.cheDomain }}
+{{- if eq .Values.global.serverStrategy "default-host" }}
+{{- printf "%s" .Values.global.ingressDomain }}
+{{- else if eq .Values.global.serverStrategy "single-host" }}
+{{- printf "che-%s.%s" .Release.Namespace .Values.global.ingressDomain }}
 {{- else }}
-{{- printf "%s" .Values.global.cheDomain }}
-{{- end }}
+{{- printf "keycloak-%s.%s" .Release.Namespace .Values.global.ingressDomain }}
 {{- end }}
+{{- end }}

dockerfiles/init/modules/che-kubernetes-helm/templates/cert-issuer.yaml

@@ -5,15 +5,20 @@
 # http://www.eclipse.org/legal/epl-v10.html
 #
 
-{{- if .Values.global.tlsEnabled }}
+{{- if .Values.global.tls }}
+{{- if and .Values.global.tls.enabled .Values.global.tls.useCertManager }}
 apiVersion: certmanager.k8s.io/v1alpha1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
   name: letsencrypt
 spec:
   acme:
     # The ACME server URL
+{{- if .Values.global.tls.useStaging }}
+    server: https://acme-staging.api.letsencrypt.org/directory
+{{- else }}
     server: https://acme-v01.api.letsencrypt.org/directory
+{{- end }}
     # Email address used for ACME registration
     email: [email protected]
     # Name of a secret used to store the ACME account private key
@@ -22,3 +27,4 @@ spec:
     # Enable the HTTP-01 challenge provider
     http01: {}
 {{- end }}
+{{- end }}

dockerfiles/init/modules/che-kubernetes-helm/templates/configmap.yaml

@@ -12,10 +12,9 @@ metadata:
     app: che
   name: che
 data:
-  CHE_DOMAIN: {{ .Values.global.cheDomain }}
   CHE_HOST: {{ template "cheHost" . }}
   CHE_PORT: "8080"
-{{- if .Values.global.tlsEnabled }}
+{{- if and .Values.global.tls .Values.global.tls.enabled }}
   CHE_API: https://{{ template "cheHost" . }}/api
   CHE_WEBSOCKET_ENDPOINT:  wss://{{ template "cheHost" . }}/api/websocket
   CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: https://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper
@@ -25,7 +24,8 @@ data:
   CHE_INFRA_KUBERNETES_BOOTSTRAPPER_BINARY__URL: http://{{ template "cheHost" . }}/agent-binaries/linux_amd64/bootstrapper/bootstrapper
 {{- end }}
   CHE_DEBUG_SERVER: "true"
-  CHE_INFRASTRUCTURE_ACTIVE: kubernetes
+  CHE_INFRASTRUCTURE_ACTIVE: "kubernetes"
+  CHE_INFRA_KUBERNETES_INGRESS_DOMAIN: {{ .Values.global.ingressDomain }}
   CHE_INFRA_KUBERNETES_MACHINE__START__TIMEOUT__MIN: "5"
   CHE_INFRA_KUBERNETES_MASTER__URL: ""
   CHE_INFRA_KUBERNETES_OAUTH__TOKEN: ""
@@ -36,7 +36,14 @@ data:
   CHE_KEYCLOAK_CLIENT__ID: {{ .Values.cheKeycloakClientId }}
   CHE_KEYCLOAK_REALM: {{ .Values.cheKeycloakRealm }}
 {{- end }}
-  CHE_INFRA_KUBERNETES_NAMESPACE: ""
+  CHE_INFRA_KUBERNETES_NAMESPACE: {{ .Values.global.cheNamespace }}
+{{- if and .Values.global.tls .Values.global.tls.enabled }}
+  CHE_INFRA_KUBERNETES_TLS__ENABLED: {{ .Values.global.tls.enabled | quote}}
+  CHE_INFRA_KUBERNETES_TLS__SECRET: {{ .Values.global.tls.secretName }}
+{{- else }}
+  CHE_INFRA_KUBERNETES_TLS__ENABLED: "false"
+  CHE_INFRA_KUBERNETES_TLS__SECRET: ""
+{{- end }}
   CHE_INFRA_KUBERNETES_TRUST__CERTS: "false"
   CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common"
   CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS: "false"
@@ -51,8 +58,10 @@ data:
   CHE_PREDEFINED_STACKS_RELOAD__ON__START: "false"
   JAVA_OPTS: "-XX:MaxRAMFraction=2 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Xms20m "
   CHE_WORKSPACE_AUTO_START: "false"
-{{- if .Values.global.tlsEnabled }}
+{{- if .Values.global.tls.enabled }}
   CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"kubernetes.io/ingress.class": "nginx", "kubernetes.io/tls-acme": "true", "{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/rewrite-target": "/","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect": "true","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout": "3600","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout": "3600"}'
 {{- else }}
   CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON: '{"kubernetes.io/ingress.class": "nginx", "{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/rewrite-target": "/","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/ssl-redirect": "false","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout": "3600","{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout": "3600"}'
 {{- end }}
+  CHE_INFRA_KUBERNETES_SERVER__STRATEGY: {{ .Values.global.serverStrategy }}
+