feat: sftpgo workload identity + fix sftpgo ui + add loadbalancer for…

… TCP services (#572)

* fix: fix sftpgo gcp depeendency

* fix: fix sftpgo ingress + added optional service to access tcp services through a domain

* feat(wip): add sftpgo workload identity

* feat: add variables to register roles for sftpgo workload identity sa

* fix: fix serviceAccount annotation

* feat: bump sftpgo helm chart version

sftpgo/helm/sftpgo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sftpgo
 description: helm chart for sftpgo
 type: application
-version: 0.1.0
+version: 0.1.1
 icon: https://raw.githubusercontent.com/drakkan/sftpgo/main/img/logo.png
 appVersion: 2.4.3
 dependencies:

sftpgo/helm/sftpgo/deps.yaml

@@ -17,3 +17,9 @@ spec:
     name: kube
     repo: sftpgo
     version: '>= 0.1.0'
+    optional: true
+  - type: terraform
+    name: gcp
+    repo: sftpgo
+    version: '>= 0.1.0'
+    optional: true

sftpgo/helm/sftpgo/values.yaml.tpl

@@ -4,9 +4,30 @@ sftpgo:
       hosts:
       - host: {{ .Values.hostname }}
         paths:
-          - path: '/.*'
+          - path: '/'
             pathType: ImplementationSpecific
       tls:
       - secretName: sftpgo-tls
         hosts:
-          - {{ .Values.hostname }}
+          - {{ .Values.hostname }}
+  {{ if .Values.loadBalancerHostname }}
+  service:
+    type: LoadBalancer
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: {{ .Values.loadBalancerHostname }}
+    {{ if eq .Provider "aws" }}
+      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+      service.beta.kubernetes.io/aws-load-balancer-type: external
+      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+    {{ end }}
+  {{ end }}
+{{ if eq .Provider "google" }}
+  serviceAccount:
+    annotations:
+      iam.gke.io/gcp-service-account: {{ importValue "Terraform" "gcp_sa_workload_identity_email" }}
+
+{{ end }}

sftpgo/plural/recipes/sftpgo-aws.yaml

@@ -8,13 +8,17 @@ dependencies:
 - repo: ingress-nginx
   name: ingress-nginx-aws
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: kube
+      - type: HELM
+        name: sftpgo

sftpgo/plural/recipes/sftpgo-azure.yaml

@@ -8,13 +8,17 @@ dependencies:
 - repo: ingress-nginx
   name: ingress-nginx-azure
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: kube
+      - type: HELM
+        name: sftpgo

sftpgo/plural/recipes/sftpgo-gcp.yaml

@@ -8,13 +8,17 @@ dependencies:
 - repo: ingress-nginx
   name: ingress-nginx-gcp
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: gcp
+      - type: HELM
+        name: sftpgo

sftpgo/plural/recipes/sftpgo-kind.yaml

@@ -8,13 +8,17 @@ dependencies:
 - repo: ingress-nginx
   name: ingress-nginx-kind
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: kube
+      - type: HELM
+        name: sftpgo

sftpgo/terraform/gcp/deps.yaml

@@ -0,0 +1,15 @@
+apiVersion: plural.sh/v1alpha1
+kind: Dependencies
+metadata:
+  description: sftpgo gcp setup
+  version: 0.1.0
+spec:
+  dependencies:
+    - name: gcp-bootstrap
+      repo: bootstrap
+      type: terraform
+      version: ">= 0.1.1"
+  providers:
+    - gcp
+  outputs:
+    gcp_sa_workload_identity_email: gcp_sa_workload_identity_email

sftpgo/terraform/gcp/main.tf

@@ -0,0 +1,20 @@
+resource "kubernetes_namespace" "sftpgo" {
+  metadata {
+    name = var.namespace
+    labels = {
+      "app.kubernetes.io/managed-by" = "plural"
+      "app.plural.sh/name" = "sftpgo"
+    }
+  }
+}
+
+module "sftpgo-workload-identity" {
+  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  name                = "${var.cluster_name}-sftpgo-workload"
+  namespace           = var.namespace
+  project_id          = var.project_id
+  use_existing_k8s_sa = true
+  annotate_k8s_sa     = false
+  k8s_sa_name         = "sftpgo"
+  roles               = var.roles
+}

sftpgo/terraform/gcp/outputs.tf

@@ -0,0 +1,3 @@
+output "gcp_sa_workload_identity_email" {
+  value = module.sftpgo-workload-identity.gcp_service_account_email
+}

sftpgo/terraform/gcp/terraform.tfvars

@@ -0,0 +1,3 @@
+namespace = {{ .Namespace | quote }}
+cluster_name = {{ .Cluster | quote }}
+project_id = {{ .Project | quote }}

sftpgo/terraform/gcp/variables.tf

@@ -0,0 +1,21 @@
+variable "namespace" {
+  type = string
+  default = "sftpgo"
+}
+
+variable "cluster_name" {
+  type = string
+}
+
+variable "project_id" {
+  type = string
+  description = <<EOF
+The ID of the project in which the resources belong.
+EOF
+}
+
+variable "roles" {
+  type        = list(string)
+  description = "A list of roles to be added to the sftpgo workload identity service account"
+  default     = []
+}

sftpgo/terraform/kube/deps.yaml

@@ -1,7 +1,7 @@
 apiVersion: plural.sh/v1alpha1
 kind: Dependencies
 metadata:
-  description: sftpgo aws setup
+  description: sftpgo kube setup
   version: 0.1.0
 spec:
   dependencies:
@@ -15,11 +15,6 @@ spec:
     type: terraform
     version: '>= 0.1.1'
     optional: true
-  - name: gcp-bootstrap
-    repo: bootstrap
-    type: terraform
-    version: '>= 0.1.1'
-    optional: true
   - name: kind-bootstrap
     repo: bootstrap
     type: terraform
@@ -28,5 +23,4 @@ spec:
   providers:
   - aws
   - azure
-  - gcp
   - kind