diff --git a/Makefile b/Makefile
index fd97784..b6f5374 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,7 @@ deps:
 helm repo add bitnami https://charts.bitnami.com/bitnami || true
 helm upgrade --install --set postgresqlPassword=firef1y --set extraEnv[0].name=POSTGRES_DATABASE --set extraEnv[0].value=firefly postgresql bitnami/postgresql --version 10.16.2
 kubectl create secret generic custom-psql-config --dry-run --from-literal="url=postgres://postgres:firef1y@postgresql.default.svc:5432/postgres?sslmode=disable" -o json | kubectl apply -f -
+ kubectl apply -n default -f manifests/mtls-cert.yaml
 starter: charts/firefly/local-values.yaml
diff --git a/charts/firefly/Chart.yaml b/charts/firefly/Chart.yaml
index 2a38ce2..3c1158c 100644
--- a/charts/firefly/Chart.yaml
+++ b/charts/firefly/Chart.yaml
@@ -18,8 +18,8 @@ apiVersion: v2
 name: firefly
 description: A Helm chart for deploying FireFly and FireFly HTTPS Dataexchange onto Kubernetes.
 type: application
-appVersion: "1.0.3"
-version: "0.5.4"
+appVersion: "1.0.4"
+version: "0.5.5"
 maintainers:
 - name: hfuss
diff --git a/charts/firefly/ci/mtls-values.yaml b/charts/firefly/ci/mtls-values.yaml
new file mode 100644
index 0000000..b2b989e
--- /dev/null
+++ b/charts/firefly/ci/mtls-values.yaml
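Review bot: The added `kubectl apply -n default -f manifests/mtls-cert.yaml` assumes cert-manager and a ClusterIssuer named `selfsigned-ca` already exist in the cluster, but nothing earlier in the `deps` target installs or checks for them, so on a fresh cluster the apply fails on the unknown `Certificate` kind, and if the CRD exists but the issuer does not, the Certificate just never becomes Ready. Consider guarding it the way the `helm repo add` line is, e.g. `kubectl get clusterissuer selfsigned-ca >/dev/null || echo "prerequisite missing: cert-manager ClusterIssuer selfsigned-ca (see manifests/mtls-cert.yaml)"`, or at least a comment above the line naming the prerequisite. The `default` namespace is hard-coded both here and in the Certificate's `dnsNames`, so the two must be changed together. The rest of the `deps` recipe continues outside the hunk.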
@@ -0,0 +1,50 @@
+config:
+ debugEnabled: true
+ adminEnabled: true
+ metricsEnabled: true
+ preInit: true
+
+ organizationName: "firefly-os"
+ organizationKey: "0xeb7284ce905e0665b7d42cabe31c76c45da1d331"
+ fireflyContractAddress: "0xeb7284ce905e0665b7d42cabe31c76c45da1d254"
+
+ ethconnectUrl: "http://ethconnect.firefly-os"
+
+ postgresUrl: "postgres://postgres:firef1y@postgresql.default.svc:5432?sslmode=disable"
+ postgresAutomigrate: true
+
+ ipfsApiUrl: "http://ipfs.firefly-os:5001"
+ ipfsGatewayUrl: "http://ipfs.firefly-os:8080"
+
+ addresssResolverUrlTemplate: "http://address-resolver.firefly-os/wallets/{{.Key}}"
+
+ httpTls:
+ caFile: /etc/pki/internal/ca.crt
+ certFile: /etc/pki/internal/tls.crt
+ keyFile: /etc/pki/internal/tls.key
+ enabled: true
+ clientAuth: true
+
+core:
+ metrics:
+ serviceMonitor:
+ enabled: true
+
+ extraVolumeMounts: |
+ - name: firefly-mtls
+ mountPath: /etc/pki/internal/
+
+ extraVolumes: |
+ - name: firefly-mtls
+ secret:
+ secretName: firefly-mtls-tls
+
+dataexchange:
+ certificate:
+ enabled: true
+ issuerRef:
+ kind: ClusterIssuer
+ name: selfsigned-ca
+
+ tlsSecret:
+ enabled: false
\ No newline at end of file
diff --git a/charts/firefly/templates/_helpers.tpl b/charts/firefly/templates/_helpers.tpl
index df4f60b..25a3455 100644
--- a/charts/firefly/templates/_helpers.tpl
+++ b/charts/firefly/templates/_helpers.tpl
@@ -211,6 +211,10 @@ http:
 port: {{ .Values.core.service.httpPort }}
 address: 0.0.0.0
 publicURL: {{ .Values.config.httpPublicUrl | default (include "firefly.coreHttpPublicURL" . ) }}
+ {{- if .Values.config.httpTls }}
+ tls:
+ {{- toYaml .Values.config.httpTls | nindent 4 }}
+ {{- end }}
 admin:
 port: {{ .Values.core.service.adminPort }}
 address: 0.0.0.0
diff --git a/charts/firefly/templates/core/job-registration.yaml b/charts/firefly/templates/core/job-registration.yaml
index be7cacc..127d5dc 100644
--- a/charts/firefly/templates/core/job-registration.yaml
+++ b/charts/firefly/templates/core/job-registration.yaml
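Review bot: The `extraVolumeMounts` entry mounts the `firefly-mtls-tls` secret, private key included, at `/etc/pki/internal/` without `readOnly: true`; adding `readOnly: true` beneath `mountPath: /etc/pki/internal/` keeps the key material immutable from inside the container, which is the usual way TLS secrets are mounted. The secret is not produced by the chart but by `manifests/mtls-cert.yaml`, so a one-line comment above `extraVolumes` naming that dependency would help whoever next runs this CI profile. The file also ends without a trailing newline (`\ No newline at end of file`).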
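Review bot: `{{- if .Values.config.httpTls }}` immediately followed by `toYaml .Values.config.httpTls` repeats the path; `{{- with .Values.config.httpTls }}` with `{{- toYaml . | nindent 4 }}` is the usual idiom and renders identically. Because `toYaml` copies the block verbatim, anything placed under `httpTls` lands unchanged in the rendered `http.tls` config, and nothing asserts that `certFile`/`keyFile` are present when `enabled: true`; a `required` check there would turn a runtime startup failure into a template-time error. The enclosing `http:` block begins before the hunk.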
@@ -41,7 +41,12 @@ spec:
 - |
 {{ .Files.Get "scripts/ff-registration.sh" | indent 10 }}
 env:
+ {{- if .Values.core.jobs.registration.ffUrl }}
+ - name: FF_URL
+ value: "{{ tpl .Values.core.jobs.registration.ffUrl . }}"
+ {{- else }}
 - name: FF_URL
 value: "http://{{ include "firefly.fullname" . }}:{{ .Values.core.service.httpPort }}"
+ {{- end }}
 restartPolicy: Never
 {{- end }}
diff --git a/charts/firefly/templates/core/statefulset.yaml b/charts/firefly/templates/core/statefulset.yaml
index 8450307..6233f3e 100644
--- a/charts/firefly/templates/core/statefulset.yaml
+++ b/charts/firefly/templates/core/statefulset.yaml
@@ -97,6 +97,9 @@ spec:
 volumeMounts:
 - mountPath: /etc/firefly/
 name: firefly-config
+ {{- if .Values.core.extraVolumeMounts }}
+ {{- tpl .Values.core.extraVolumeMounts . | nindent 12 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.core.resources | nindent 12 }}
 {{- if .Values.core.extraContainers }}
diff --git a/charts/firefly/values.yaml b/charts/firefly/values.yaml
index ba5052f..5ed1b22 100644
--- a/charts/firefly/values.yaml
+++ b/charts/firefly/values.yaml
@@ -31,6 +31,15 @@ config:
 # The public URL of the Firefly API server, if not set defaults to the Ingress URL or the Service URL within Kubernetes
 httpPublicUrl: ""
+ # Allows customizing the TLS configuration for the API server such as for pass-through TLS or mTLS
+ # see https://hyperledger.github.io/firefly/reference/config.html#httptls for configuration options
+ httpTls: {}
+ # caFile: /etc/pki/internal/ca.crt
+ # certFile: /etc/pki/internaltls.crt
+ # keyFile: /etc/pki/internal/tls.key
+ # enabled: true
+ # clientAuth: true
+ # Enables the metrics server / port for Prometheus scraping
 metricsEnabled: true
@@ -184,6 +193,7 @@ core:
 initContainers: ""
 extraContainers: ""
 extraVolumes: ""
+ extraVolumeMounts: ""
 volumeClaimTemplates: ""
 service:
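Review bot: The else branch still hard-codes `http://` for FF_URL although this same commit introduces `config.httpTls`, so a user who enables TLS on the core API and leaves `ffUrl` empty gets a registration job aimed at a plaintext URL; presumably that is why `ffUrl` was added, but the default could follow the setting, e.g. `value: "{{ ternary "https" "http" (default false .Values.config.httpTls.enabled) }}://{{ include "firefly.fullname" . }}:{{ .Values.core.service.httpPort }}"`. The two branches also duplicate `- name: FF_URL` when only the `value:` line differs. With `clientAuth: true` the registration script would additionally need the client certificate, which is outside this hunk and the script is not visible here.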
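Review bot: The commented example `# certFile: /etc/pki/internaltls.crt` is missing the slash between `internal` and `tls.crt`; the sibling `caFile`/`keyFile` lines and `ci/mtls-values.yaml` use `/etc/pki/internal/tls.crt`, so anyone uncommenting the sample gets a non-existent path. Change it to `# certFile: /etc/pki/internal/tls.crt`. The comment above `httpTls: {}` could also say that the block is copied verbatim into the core `http.tls` config and that the referenced files have to be mounted through `core.extraVolumes` and `core.extraVolumeMounts`.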
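Review bot: `extraVolumeMounts: ""` is added without the descriptive comment that documented keys elsewhere in this file (for example `httpPublicUrl`) carry, and the same applies to `ffUrl: ""` in the later `registration:` hunk. Suggested above `extraVolumeMounts`: `# Additional volumeMounts for the FireFly core container, rendered with tpl; pair with extraVolumes`, and above `ffUrl`: `# Overrides the FireFly API URL used by the registration job; rendered with tpl, defaults to the in-cluster Service URL`.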
@@ -245,6 +255,7 @@ core:
 # Note registration will not be successful until the new node has caught up with the head of the chain.
 registration:
 enabled: false
+ ffUrl: ""
 # Configures the properties of the StatefulSet, Service, and optionally Ingress used to deploy and expose FireFly HTTPS DataExchange
 dataexchange:
diff --git a/manifests/mtls-cert.yaml b/manifests/mtls-cert.yaml
new file mode 100644
index 0000000..175f787
--- /dev/null
+++ b/manifests/mtls-cert.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: firefly-mtls
+spec:
+ issuerRef:
+ name: selfsigned-ca
+ kind: ClusterIssuer
+ secretName: firefly-mtls-tls
+ commonName: firefly-mtls
+ dnsNames:
+ - firefly.default.svc
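Review bot: The Certificate sets no `privateKey.rotationPolicy`, and most cert-manager releases default that to `Never`, so every renewal re-issues a certificate for the same private key; for key material that `ci/mtls-values.yaml` mounts into the core pod as its TLS identity, `privateKey:` / `  rotationPolicy: Always` is the safer choice. `duration` and `renewBefore` are likewise left at cert-manager defaults, which is fine for CI but worth a comment if this manifest is meant for more than that. The namespace is implied by the Makefile's `-n default` and hard-coded in `dnsNames` as `firefly.default.svc`; a `namespace: default` under `metadata` would make the coupling explicit. The `selfsigned-ca` ClusterIssuer is referenced but not created anywhere in this change, presumably provisioned by the CI environment.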