Add option in value-file for configuring a different http(s)-port #90

Open
lakrass opened this issue May 22, 2023 · 2 comments
Labels
enhancement New feature or request new Needs triage

Comments


lakrass commented May 22, 2023

Briefly describe the feature

I am using Paralus within an infrastructure where there is already an ingress-nginx running on port 80 and 443. As I currently cannot route the backend-wildcard-urls (*.core-connector.example.com, *.user.example.com) with SSL-passthrough over my ingress-nginx (see kubernetes/ingress-nginx#9473), I have to use Contour in co-existence with my current ingress.
As ports 80 and 443 are already reserved by my ingress-nginx and I don't want to use a second IP for my cluster, I want to put Contour on two different ports (e.g. 8080, 4433).
It would be nice to have an option for that on the helm-chart, as there are multiple places which need to be configured:

  • Contour-Service
  • Relay-Agent configuration (address the *.core-connector via desired port)
  • Prompt configuration (address the *.user-backend via desired port)
  • Kubeconfig
  • Maybe other service configs (?)

TL;DR:
I need to change the ports Paralus is using for Contour and have the backend services configured accordingly by the helm-chart.

What problem does this feature solve? Please link any relevant documentation or Issues

(optional) What is your current workaround?

  • A lot of hacky configs and own images in an own wrapper-chart for this chart
@lakrass lakrass added enhancement New feature or request new Needs triage labels May 22, 2023
lakrass commented May 22, 2023

Sidenote:
It would be even better if Paralus would be compatible with ingress-nginx, but I understand that for this kubernetes/ingress-nginx#9473 needs to be solved first and there might be other issues with it I don't understand or see right now. :)

@lakrass lakrass changed the title Add option in value-file for configuring a different https-port Add option in value-file for configuring a different http(s)-port May 23, 2023
@spantaleev

I've used a combination of:

  • serving the console ingress via ingress-nginx (with SSL termination on the ingress-nginx side, assisted by cert-manager)
  • serving the ztka (relay-server) ingress using TCP-proxying from ingress-nginx (on a brand new port - e.g. 6444).

Doing this is somewhat difficult and, besides reconfiguring ingress-nginx to TCP-proxy port 6444 to paralus/relay-server:443, requires at least the following Helm chart values:

fqdn:
  domain: DOMAIN

ingress:
  enabled: true
  className: nginx
  tls:
    - hosts: [console.DOMAIN]
      secretName: paralus-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-live
contour:
  envoy:
    hostPorts:
      https: 6444
services:
  relay:
    ports:
    - name: "6444"
      containerPort: 443

The contour.envoy.hostPorts.https value is somewhat misleading as we're not enabling contour, but this value is used in configuration (the ztka.tcpPort definition) used for constructing URLs to *.user.DOMAIN and *.core-connector.DOMAIN. Changing the port via contour.envoy.hostPorts.https makes URLs include the correct port (*.user.DOMAIN:6444 and *.core-connector.DOMAIN:6444).

Changing services.relay.ports.name is necessary, because we wish to change where the relay-server service goes. The name is used for a targetPort. See:

However, using a numeric-like value for the name is causing other issues, so.. I suppose it'd be better if the Helm chart introduced a targetPort option for services.relay.ports, instead of making name double as both a name and a port.


With various such hacks I've been able to get Paralus working, but.. the whole product is very buggy and appears to be so poorly maintained, that I don't think it should be put into use.
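
The ingress-nginx side of the setup described in the comment above (TCP-proxying port 6444 to paralus/relay-server:443), as an added example that is not part of the original thread or of the Paralus chart. The `ingress-nginx` namespace, the `tcp-services` ConfigMap name, the controller Service name, its type and its selector labels are assumptions; only the port 6444 and the `paralus/relay-server:443` target come from the comment.

```yaml
# Added example: ingress-nginx TCP stream proxy for the Paralus relay-server.
# Assumption: the controller runs in namespace "ingress-nginx" and is started
# with --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services            # assumed name, must match the controller flag
  namespace: ingress-nginx      # assumed namespace
data:
  # "<listen port>": "<namespace>/<service>:<service port>"
  "6444": "paralus/relay-server:443"
---
# The listen port must also be exposed on the controller Service,
# next to the existing 80/443 entries used for the console ingress.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller   # assumed Service name
  namespace: ingress-nginx
spec:
  type: LoadBalancer               # assumed; use whatever type the cluster already has
  selector:                        # assumed labels, copy them from the existing Service
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
    - name: https
      port: 443
      targetPort: https
      protocol: TCP
    - name: relay-tcp
      port: 6444
      targetPort: 6444
      protocol: TCP
```

Because this is a plain TCP stream proxy, ingress-nginx does not terminate TLS on 6444: the handshake, including the SNI for *.user.DOMAIN and *.core-connector.DOMAIN, reaches relay-server untouched, and none of the HTTP-level Ingress annotations (authentication, rate limiting, cert-manager certificates) apply to that port.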
