feat!: update lagoon-remote for NATS 1.0 compatibility

uselagoon · Sep 7, 2023 · 276d42c · 276d42c
1 parent 6815a7f
commit 276d42c
Show file tree

Hide file tree

Showing 4 changed files with 114 additions and 43 deletions.
diff --git a/charts/lagoon-remote/ci/linter-values.yaml b/charts/lagoon-remote/ci/linter-values.yaml
@@ -32,16 +32,17 @@ mxoutHost: mxout1.example.com
 
 nats:
   enabled: true
-  cluster:
-    name: lagoon-remote-ci-example
-  # natsbox:
+  config:
+    cluster:
+      name: lagoon-remote-ci-example
+  # natsBox:
   #   enabled: true
   #   # additional labels are required due to the network policy
   #   additionalLabels:
   #     lagoon-remote-nats-client: "true"
 
 natsConfig:
-  coreURL: "nats://ci-ssh-portal:ci-password@lagoon-core-nats-concentrator:7422"
+  coreURL: "tls://ci-ssh-portal:ci-password@lagoon-core-nats-concentrator:7422"
   tls:
     secretData:
       ca.crt: |
@@ -56,7 +57,7 @@ natsConfig:
         zJ6PDtVHMNclAWSDebP9nnwCIQDrblreePb+pUBHvxFZNVFYBV4wF2gEkJC51tjw
         a8aklQ==
         -----END CERTIFICATE-----
-      client.crt: |
+      tls.crt: |
         -----BEGIN CERTIFICATE-----
         MIIByDCCAW+gAwIBAgIUaBeYr4jOQfj1tZQsKmDqPtU9s8owCgYIKoZIzj0EAwIw
         HjEcMBoGA1UEAxMTbmF0cy1jYS5leGFtcGxlLmNvbTAeFw0yMjAzMDMxNDU2MDBa
@@ -69,7 +70,7 @@ natsConfig:
         BAMCA0cAMEQCIGeTmjVk5evv1+dpddecLRhZqb2Op6YBuSxtiibEmaAJAiAuRI6A
         s+LwZcCJaL8Gf3W0NIh03fv7VOJ5AWRzYXzpdg==
         -----END CERTIFICATE-----
-      client.key: |
+      tls.key: |
         -----BEGIN EC PRIVATE KEY-----
         MHcCAQEEIGVXWxCYIOynJpYWn95j19DDNDeMZU+xYOhGU8IN9hwmoAoGCCqGSM49
         AwEHoUQDQgAEJqD67BGaVtpzW7mFSsK9IAY5bPsI/zDCGO+zhSJhDS44duAbmWCB

diff --git a/charts/lagoon-remote/templates/nats.secret.yaml b/charts/lagoon-remote/templates/nats.secret.yaml
@@ -30,18 +30,18 @@ metadata:
   labels:
     {{- include "lagoon-remote.labels" . | nindent 4 }}
 stringData:
-  lagoon-remote.conf: |
+  leafnodes.conf: |
     leafnodes {
       no_advertise: true
       remotes: [
         {
           url: {{ .Values.natsConfig.coreURL | quote }}
           tls: {
-            {{- if .Values.natsConfig.tls.secretData -}}
-            ca_file: "/etc/lagoon-remote-nats-tls/ca.crt"
+            {{- if .Values.natsConfig.tls.secretData }}
+            ca_file: "/etc/nats-ca-cert/ca.crt"
             {{- end }}
-            cert_file: "/etc/lagoon-remote-nats-tls/client.crt"
-            key_file: "/etc/lagoon-remote-nats-tls/client.key"
+            cert_file: "/etc/nats-certs/leafnodes/tls.crt"
+            key_file: "/etc/nats-certs/leafnodes/tls.key"
           }
         }
       ]

diff --git a/charts/lagoon-remote/templates/ssh-portal.deployment.yaml b/charts/lagoon-remote/templates/ssh-portal.deployment.yaml
@@ -18,7 +18,7 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       labels:
-        {{ include "lagoon-remote.fullname" . }}-nats-client: "true"
+        lagoon-remote-nats-client: "true"
         {{- include "lagoon-remote.sshPortal.selectorLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ include "lagoon-remote.sshPortal.serviceAccountName" . }}

diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml
@@ -286,58 +286,128 @@ insightsRemote:
 # the nats chart is a subchart which is configured for use by lagoon-remote
 nats:
   enabled: false
-  # inject additional config
-  additionalVolumes:
-  - name: lagoon-remote-nats-tls
-    secret:
-      secretName: lagoon-remote-nats-tls
-  additionalVolumeMounts:
-  - name: lagoon-remote-nats-tls
-    mountPath: /etc/lagoon-remote-nats-tls
-  nats:
-    config:
-    - name: lagoon-remote
-      secret:
-        secretName: lagoon-remote-nats-conf
-  cluster:
+  tlsCA:
     enabled: true
-    name: lagoon-remote
-    # internal cluster IPs are not routable, so don't advertise them
-    noAdvertise: true
-  natsbox:
+    secretName: lagoon-remote-nats-tls
+  # Uncomment this block to enable monitoring if you have Prometheus Operator
+  # installed.
+  # promExporter:
+  #   enabled: true
+  #   podMonitor:
+  #     enabled: true
+  #     # fromNamespaces restricts the namespaces from which monitoring can occur
+  #     # via the NetworkPolicy. At least one namespace name must be listed.
+  #     fromNamespaces:
+  #     - monitoring
+  natsBox:
     enabled: false
+  config:
+    cluster:
+      enabled: true
+      name: lagoon-remote
+      # internal cluster IPs are not routable, so don't advertise them
+      noAdvertise: true
+    merge:
+      00$include: ./lagoon-remote/leafnodes.conf
+  # Uncomment this block if upgrading from lagoon-remote <v0.82.0.
+  # statefulSet:
+  #   patch:
+  #   - op: remove
+  #     path: /spec/selector/matchLabels/app.kubernetes.io~1component
+  podTemplate:
+    patch:
+    - op: add
+      path: /spec/volumes/-
+      value:
+        name: lagoon-remote-nats-conf
+        secret:
+          secretName: lagoon-remote-nats-conf
+    - op: add
+      path: /spec/volumes/-
+      value:
+        name: lagoon-remote-nats-tls
+        secret:
+          secretName: lagoon-remote-nats-tls
+  container:
+    patch:
+    - op: add
+      path: /volumeMounts/-
+      value:
+        name: lagoon-remote-nats-conf
+        mountPath: /etc/nats-config/lagoon-remote
+    - op: add
+      path: /volumeMounts/-
+      value:
+        name: lagoon-remote-nats-tls
+        mountPath: /etc/nats-certs/leafnodes
   # to connect to nats, pods must have the right label
-  networkPolicy:
-    enabled: true
-    allowExternal: false
-    # allow outbound leaf connection
-    extraEgress:
-    - ports:
-      - port: 7422
-        protocol: TCP
+  extraResources:
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name:
+        $tplYaml: >
+          {{ include "nats.fullname" $ | quote }}
+      labels:
+        $tplYaml: |
+          {{ include "nats.labels" $ }}
+    spec:
+      policyTypes:
+      - Ingress
+      podSelector:
+        matchLabels:
+          $tplYaml: |
+            {{- include "nats.selectorLabels" $ }}
+      ingress:
+      - from:
+        # pods in this namespace with the correct label can access NATS pods
+        - podSelector:
+            matchLabels:
+              lagoon-remote-nats-client: "true"
+        # NATS inter-pod communication is allowed
+        - podSelector:
+            matchLabels:
+              $tplYaml: |
+                {{- include "nats.selectorLabels" $ }}
+      # conditionally allow metrics collection
+      - $tplYamlSpread: |
+          {{- if and .Values.promExporter.enabled .Values.promExporter.podMonitor.enabled }}
+          - from:
+            {{- range .Values.promExporter.podMonitor.fromNamespaces }}
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: {{ . | quote }}
+            {{- end }}
+            ports:
+            - port: 7777
+              protocol: TCP
+          {{- end }}
+
 
 # Configuration for the nats subchart
 natsConfig:
-  # coreURL format nats://<username>:<password>@<host>:7422
+  # coreURL format tls://<username>:<password>@<host>:7422
   coreURL: ""
   tls: {}
     # If the lagoon-remote-nats-tls secret should be created by the
     # lagoon-remote chart, certificate values can be specified directly in
     # secretData. Configuring TLS this way also allows specifying a custom
-    # ca.crt.
+    # ca.crt. The chart expects expects secretData to be specified unless
+    # nats.tlsCA.enabled is set to false.
     #
     # secretData:
     #   ca.crt: |
     #     ...
-    #   client.crt: |
+    #   tls.crt: |
     #     ...
-    #   client.key: |
+    #   tls.key: |
     #     ...
     #
     # If the TLS secret is created outside the lagoon-remote chart, it should
     # be named lagoon-remote-nats-tls. This secret should contain fields
     # tls.crt and tls.key, and the certificate should be issued by a public
-    # authority.
+    # authority. `nats.tlsCA.enabled: false` should be set in this case (it is
+    # true by default).
 
 storageCalculator:
   enabled: false