From da5f5fc657f77f3da811fbafd00cd51ff44c9a90 Mon Sep 17 00:00:00 2001
From: Marcin Jasion <5058132+mjasion@users.noreply.github.com>
Date: Thu, 20 Jul 2023 10:54:22 +0200
Subject: [PATCH] feat(tls): Make optional TLS key for Ingress over HTTPS (#125)

* feat(tls): Make optional TLS key for Ingress over HTTPS

* Bump Chart.yaml

---------

Co-authored-by: Marcin Jasion
---
 charts/studio/Chart.yaml | 2 +-
 charts/studio/README.md | 12 ++++++------
 charts/studio/templates/NOTES.txt | 2 +-
 charts/studio/templates/_helpers.tpl | 5 +++++
 charts/studio/templates/configmap-studio.yaml | 14 +++++++-------
 charts/studio/templates/ingress-blobvault.yaml | 8 +++++---
 charts/studio/templates/ingress-studio-api.yaml | 8 +++++---
 charts/studio/templates/ingress-studio-ui.yaml | 8 +++++---
 .../studio/templates/ingress-studio-webhook.yaml | 8 +++++---
 charts/studio/values.yaml | 6 ++++++
 10 files changed, 46 insertions(+), 27 deletions(-)

diff --git a/charts/studio/Chart.yaml b/charts/studio/Chart.yaml
index b3e3ea7a..95b81930 100644
--- a/charts/studio/Chart.yaml
+++ b/charts/studio/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.10
+version: 0.2.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/studio/README.md b/charts/studio/README.md
index 19408ff2..33fe9591 100644
--- a/charts/studio/README.md
+++ b/charts/studio/README.md
@@ -1,6 +1,6 @@
 # studio
 
-![Version: 0.2.10](https://img.shields.io/badge/Version-0.2.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.9.1](https://img.shields.io/badge/AppVersion-v2.9.1-informational?style=flat-square)
+![Version: 0.2.11](https://img.shields.io/badge/Version-0.2.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.9.1](https://img.shields.io/badge/AppVersion-v2.9.1-informational?style=flat-square)
 
 A Helm chart for Kubernetes
 
@@ -37,12 +37,12 @@ A Helm chart for Kubernetes
 | global.envFromSecret | string | `""` | Studio: The name of an existing Secret that contains sensitive environment variables passed to all Studio pods. |
 | global.envVars | object | `{}` | Studio: Additional environment variables for all pods |
 | global.host | string | `"studio.example.com"` | Studio: Hostname for accessing Studio (no http(s) scheme) |
-| global.ingress.annotations | object | `{}` | |
-| global.ingress.className | string | `""` | |
+| global.ingress.annotations | object | `{}` | Additional Ingress annotations |
+| global.ingress.className | string | `""` | Ingress class to use |
 | global.ingress.enabled | bool | `true` | |
-| global.ingress.hostnameEnabled | bool | `true` | |
-| global.ingress.tlsEnabled | bool | `false` | |
-| global.ingress.tlsSecretName | string | `"chart-example-tls"` | |
+| global.ingress.hostnameEnabled | bool | `true` | Configure ingress resource to match hostnames to the service |
+| global.ingress.tlsEnabled | bool | `false` | Expose studio under HTTPS protocol |
+| global.ingress.tlsSecretName | string | `"chart-example-tls"` | TLS secret name to use for HTTPS on Ingress For ALB Ingress Controller leave empty. |
 | global.maxTeams | string | `"10"` | Studio: Maximum number of teams |
 | global.maxViews | string | `"100"` | Studio: Maximum number of views |
 | global.postgres.databaseName | string | `"iterativeai"` | Postgres database name |
diff --git a/charts/studio/templates/NOTES.txt b/charts/studio/templates/NOTES.txt
index 5919c377..f4c1f45b 100644
--- a/charts/studio/templates/NOTES.txt
+++ b/charts/studio/templates/NOTES.txt
@@ -1,6 +1,6 @@
 Application URL:
 {{- if .Values.global.ingress.enabled }}
- http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{ .Values.global.host }}/
+ {{include "ingress.protocol" . }}://{{.Values.global.host }}/{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}{{ include "studio.basePath" . }}{{- end }}
 {{- else if contains "NodePort" .Values.studioUi.service.type }}
 Get the application URL by running these commands:
 export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "studio.fullname" . }})
diff --git a/charts/studio/templates/_helpers.tpl b/charts/studio/templates/_helpers.tpl
index 1e5e4d76..53deec2a 100644
--- a/charts/studio/templates/_helpers.tpl
+++ b/charts/studio/templates/_helpers.tpl
@@ -144,3 +144,8 @@ DVCX_ROOT_DIR: {{ $dvcx.rootDir | default "/tmp" | quote }}
 DVCX_CH_HOST: {{ $dvcxClickhouse.host | default "" | quote }}
 DVCX_CH_DATABASE: {{ $dvcxClickhouse.database | default "" | quote }}
 {{- end }}
+
+{{- define "ingress.protocol" -}}
+http{{- if $.Values.global.ingress.tlsEnabled }}s{{- end}}
+{{- end }}
+
diff --git a/charts/studio/templates/configmap-studio.yaml b/charts/studio/templates/configmap-studio.yaml
index 0c699c8a..ab0a3179 100644
--- a/charts/studio/templates/configmap-studio.yaml
+++ b/charts/studio/templates/configmap-studio.yaml
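Review bot: The new named template in the `_helpers.tpl` hunk is called `ingress.protocol`, outside the `studio.` namespace that the chart's other helpers use (`studio.basePath` and `studio.fullname` are both included in the NOTES.txt hunk above); Helm named templates are global across a release, so an unprefixed name can collide with a helper of the same name in a dependency chart. `{{- define "studio.ingressProtocol" -}}` keeps the helpers in one namespace, with every `include "ingress.protocol"` in NOTES.txt and configmap-studio.yaml renamed to match. Two smaller style points in the same hunk: the body closes with `{{- end}}` while every other action in the patch writes `{{- end }}`, and the hunk leaves a trailing empty line at end of file.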
@@ -9,8 +9,8 @@ data:
 {{- end }}
 
 ALLOWED_HOSTS: "*"
- API_URL: "http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{.Values.global.host }}{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}/{{ include "studio.basePath" . }}{{- end }}/api"
- UI_URL: "http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{.Values.global.host }}/{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}{{ include "studio.basePath" . }}{{- end }}"
+ API_URL: "{{include "ingress.protocol" . }}://{{.Values.global.host }}{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}/{{ include "studio.basePath" . }}{{- end }}/api"
+ UI_URL: "{{include "ingress.protocol" . }}://{{.Values.global.host }}/{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}{{ include "studio.basePath" . }}{{- end }}"
 
 {{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}
 BASE_PATH: /{{ include "studio.basePath" . }}
@@ -23,7 +23,7 @@ data:
 BITBUCKET_API_URL: {{ .Values.global.scmProviders.bitbucket.apiUrl | quote}}
 {{- end }}
 {{- if and .Values.global.scmProviders.bitbucket.enabled $webhookHost }}
- BITBUCKET_WEBHOOK_URL: "http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{ $webhookHost }}/webhook/bitbucket/"
+ BITBUCKET_WEBHOOK_URL: "{{include "ingress.protocol" . }}://{{ $webhookHost }}/webhook/bitbucket/"
 {{- end }}
 
 ENABLE_BLOBVAULT: "True"
@@ -40,8 +40,8 @@ data:
 {{- else }}
 BLOBVAULT_LOCAL_ENABLED: "True"
 BLOBVAULT_LOCAL_PATH: "/blobvault"
- BLOBVAULT_ENDPOINT_URL: "http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{.Values.global.host }}{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}/{{ include "studio.basePath" . }}{{- end }}/blobvault"
- BLOBVAULT_ENDPOINT_URL_FE: "http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{.Values.global.host }}{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}/{{ include "studio.basePath" . }}{{- end }}/blobvault"
+ BLOBVAULT_ENDPOINT_URL: "{{include "ingress.protocol" . }}://{{.Values.global.host }}{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}/{{ include "studio.basePath" . }}{{- end }}/blobvault"
+ BLOBVAULT_ENDPOINT_URL_FE: "{{include "ingress.protocol" . }}://{{.Values.global.host }}{{- if and .Values.global.basePath (not (eq .Values.global.basePath "/")) }}/{{ include "studio.basePath" . }}{{- end }}/blobvault"
 {{- end }}
 
 {{- if .Values.global.celery.brokerUrl }}
@@ -69,7 +69,7 @@ data:
 GITHUB_URL: {{ .Values.global.scmProviders.github.url | quote }}
 {{- end }}
 {{- if and .Values.global.scmProviders.github.enabled $webhookHost }}
- GITHUB_WEBHOOK_URL: "http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{ $webhookHost }}/webhook/github/"
+ GITHUB_WEBHOOK_URL: "{{include "ingress.protocol" . }}://{{ $webhookHost }}/webhook/github/"
 {{- end }}
 {{- if .Values.global.scmProviders.github.clientId }}
 GITHUB_APP_CLIENT_ID: {{ .Values.global.scmProviders.github.clientId | quote }}
@@ -85,7 +85,7 @@ data:
 GITLAB_URL: {{ .Values.global.scmProviders.gitlab.url | quote}}
 {{- end }}
 {{- if and .Values.global.scmProviders.gitlab.enabled $webhookHost }}
- GITLAB_WEBHOOK_URL: "http{{ if $.Values.global.ingress.tlsEnabled }}s{{ end }}://{{ $webhookHost }}/webhook/gitlab/"
+ GITLAB_WEBHOOK_URL: "{{include "ingress.protocol" . }}://{{ $webhookHost }}/webhook/gitlab/"
 {{- end }}
 
 {{- if .Values.global.maxViews }}
diff --git a/charts/studio/templates/ingress-blobvault.yaml b/charts/studio/templates/ingress-blobvault.yaml
index 592678fe..c0d65a32 100644
--- a/charts/studio/templates/ingress-blobvault.yaml
+++ b/charts/studio/templates/ingress-blobvault.yaml
@@ -24,11 +24,13 @@ spec:
 {{- if and .Values.global.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
 ingressClassName: {{ .Values.global.ingress.className }}
 {{- end }}
- {{- if and .Values.global.ingress.tlsEnabled .Values.global.ingress.hostnameEnabled }}
+ {{- with .Values.global.ingress }}
+ {{- if and .tlsEnabled .hostnameEnabled .tlsSecretName }}
 tls:
 - hosts:
- - {{ .Values.global.host }}
- secretName: {{ .Values.global.ingress.tlsSecretName }}
+ - {{ $.Values.global.host }}
+ secretName: {{ .tlsSecretName }}
+ {{- end }}
 {{- end }}
 rules:
 - http:
diff --git a/charts/studio/templates/ingress-studio-api.yaml b/charts/studio/templates/ingress-studio-api.yaml
index 675d6834..8a7a7ba2 100644
--- a/charts/studio/templates/ingress-studio-api.yaml
+++ b/charts/studio/templates/ingress-studio-api.yaml
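Review bot: In the ingress-blobvault.yaml hunk, the new guard `{{- if and .tlsEnabled .hostnameEnabled .tlsSecretName }}` drops the whole `tls:` stanza whenever `tlsSecretName` is empty, even with `tlsEnabled: true`, while the configmap and NOTES.txt hunks above still advertise `https://` URLs built from the same `tlsEnabled` flag. That is the intended ALB case, but on a controller that does not terminate TLS on its own the chart may render an Ingress with no TLS configuration behind URLs that promise HTTPS, and nothing in the templates records that assumption. A comment above the guard, `{{/* empty tlsSecretName: TLS is expected to be terminated by the ingress controller (e.g. ALB), so no tls: block is rendered */}}`, would make the trade-off visible at the point where it happens; the values.yaml comment on `tlsSecretName` could state the same consequence. The identical guard appears in the ingress-studio-api.yaml, ingress-studio-ui.yaml and ingress-studio-webhook.yaml hunks, and the `spec:` block these lines belong to starts outside the hunk.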
@@ -28,11 +28,13 @@ spec:
 {{- if and .Values.global.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
 ingressClassName: {{ .Values.global.ingress.className }}
 {{- end }}
- {{- if and .Values.global.ingress.tlsEnabled .Values.global.ingress.hostnameEnabled }}
+ {{- with .Values.global.ingress }}
+ {{- if and .tlsEnabled .hostnameEnabled .tlsSecretName }}
 tls:
 - hosts:
- - {{ .Values.global.host }}
- secretName: {{ .Values.global.ingress.tlsSecretName }}
+ - {{ $.Values.global.host }}
+ secretName: {{ .tlsSecretName }}
+ {{- end }}
 {{- end }}
 rules:
 - http:
diff --git a/charts/studio/templates/ingress-studio-ui.yaml b/charts/studio/templates/ingress-studio-ui.yaml
index 32e0e584..837bdfbd 100644
--- a/charts/studio/templates/ingress-studio-ui.yaml
+++ b/charts/studio/templates/ingress-studio-ui.yaml
@@ -25,11 +25,13 @@ spec:
 {{- if and .Values.global.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
 ingressClassName: {{ .Values.global.ingress.className }}
 {{- end }}
- {{- if and .Values.global.ingress.tlsEnabled .Values.global.ingress.hostnameEnabled }}
+ {{- with .Values.global.ingress }}
+ {{- if and .tlsEnabled .hostnameEnabled .tlsSecretName }}
 tls:
 - hosts:
- - {{ .Values.global.host }}
- secretName: {{ .Values.global.ingress.tlsSecretName }}
+ - {{ $.Values.global.host }}
+ secretName: {{ .tlsSecretName }}
+ {{- end }}
 {{- end }}
 rules:
 - http:
diff --git a/charts/studio/templates/ingress-studio-webhook.yaml b/charts/studio/templates/ingress-studio-webhook.yaml
index 47dd36fd..a920cf38 100644
--- a/charts/studio/templates/ingress-studio-webhook.yaml
+++ b/charts/studio/templates/ingress-studio-webhook.yaml
@@ -28,11 +28,13 @@ spec:
 {{- if and .Values.global.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
 ingressClassName: {{ .Values.global.ingress.className }}
 {{- end }}
- {{- if and .Values.global.ingress.tlsEnabled .Values.global.ingress.hostnameEnabled }}
+ {{- with .Values.global.ingress }}
+ {{- if and .tlsEnabled .hostnameEnabled .tlsSecretName }}
 tls:
 - hosts:
- - {{.Values.global.scmProviders.webhookHost | default .Values.global.host}}
- secretName: {{ .Values.global.ingress.tlsSecretName }}
+ - {{ $.Values.global.host }}
+ secretName: {{ .tlsSecretName }}
+ {{- end }}
 {{- end }}
 rules:
 - http:
diff --git a/charts/studio/values.yaml b/charts/studio/values.yaml
index bb5ef362..47694d61 100644
--- a/charts/studio/values.yaml
+++ b/charts/studio/values.yaml
@@ -79,12 +79,18 @@ global:
 
 ingress:
 enabled: true
+ # -- Configure ingress resource to match hostnames to the service
 hostnameEnabled: true
+ # -- Ingress class to use
 className: ""
+ # -- Additional Ingress annotations
 annotations: {}
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
+ # -- Expose studio under HTTPS protocol
 tlsEnabled: false
+ # -- TLS secret name to use for HTTPS on Ingress
+ # For ALB Ingress Controller leave empty.
 tlsSecretName: chart-example-tls
 
 postgres:
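Review bot: The TLS `hosts:` entry in the ingress-studio-webhook.yaml hunk now renders `$.Values.global.host`, whereas the removed line used `.Values.global.scmProviders.webhookHost | default .Values.global.host`; when `webhookHost` is set to a hostname of its own, the `tls:` block names the wrong host and most ingress controllers will serve their default certificate for the webhook hostname instead of the configured one — a regression the commit message does not mention, and the other three ingress hunks are unaffected because they always used `global.host`. Restoring the old expression under the new `with` scope, `- {{ $.Values.global.scmProviders.webhookHost | default $.Values.global.host }}`, keeps the TLS host aligned with the host the `rules:` block presumably matches (that block continues outside the hunk, as does the enclosing `spec:`). The `$webhookHost` variable used in the configmap-studio.yaml hunks suggests this value is indeed expected to differ from `global.host` in some deployments, though its definition is not visible here.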