From 7dd169ac31517aa649f78f3833db649b86de8ca4 Mon Sep 17 00:00:00 2001
From: Walid
Date: Fri, 24 Mar 2023 17:06:55 +0100
Subject: [PATCH] feat: sftpgo workload identity + fix sftpgo ui + add loadbalancer for TCP services (#572)

* fix: fix sftpgo gcp depeendency
* fix: fix sftpgo ingress + added optional service to access tcp services through a domain
* feat(wip): add sftpgo workload identity
* feat: add variables to register roles for sftpgo workload identity sa
* fix: fix serviceAccount annotation
* feat: bump sftpgo helm chart version
---
 sftpgo/helm/sftpgo/Chart.yaml | 2 +-
 sftpgo/helm/sftpgo/deps.yaml | 6 ++++++
 sftpgo/helm/sftpgo/values.yaml.tpl | 25 +++++++++++++++++++++++--
 sftpgo/plural/recipes/sftpgo-aws.yaml | 24 ++++++++++++++----------
 sftpgo/plural/recipes/sftpgo-azure.yaml | 24 ++++++++++++++----------
 sftpgo/plural/recipes/sftpgo-gcp.yaml | 24 ++++++++++++++----------
 sftpgo/plural/recipes/sftpgo-kind.yaml | 24 ++++++++++++++----------
 sftpgo/terraform/gcp/deps.yaml | 15 +++++++++++++++
 sftpgo/terraform/gcp/main.tf | 20 ++++++++++++++++++++
 sftpgo/terraform/gcp/outputs.tf | 3 +++
 sftpgo/terraform/gcp/terraform.tfvars | 3 +++
 sftpgo/terraform/gcp/variables.tf | 21 +++++++++++++++++++++
 sftpgo/terraform/kube/deps.yaml | 8 +-------
 13 files changed, 149 insertions(+), 50 deletions(-)
 create mode 100644 sftpgo/terraform/gcp/deps.yaml
 create mode 100644 sftpgo/terraform/gcp/main.tf
 create mode 100644 sftpgo/terraform/gcp/outputs.tf
 create mode 100644 sftpgo/terraform/gcp/terraform.tfvars
 create mode 100644 sftpgo/terraform/gcp/variables.tf

diff --git a/sftpgo/helm/sftpgo/Chart.yaml b/sftpgo/helm/sftpgo/Chart.yaml
index 7a4fe6b73..c6a7a221f 100644
--- a/sftpgo/helm/sftpgo/Chart.yaml
+++ b/sftpgo/helm/sftpgo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sftpgo
 description: helm chart for sftpgo
 type: application
-version: 0.1.0
+version: 0.1.1
 icon: https://raw.githubusercontent.com/drakkan/sftpgo/main/img/logo.png
 appVersion: 2.4.3
 dependencies:
diff --git a/sftpgo/helm/sftpgo/deps.yaml b/sftpgo/helm/sftpgo/deps.yaml
index 9077fedb7..2a49fa6e2 100644
--- a/sftpgo/helm/sftpgo/deps.yaml
+++ b/sftpgo/helm/sftpgo/deps.yaml
@@ -17,3 +17,9 @@ spec:
     name: kube
     repo: sftpgo
     version: '>= 0.1.0'
+    optional: true
+  - type: terraform
+    name: gcp
+    repo: sftpgo
+    version: '>= 0.1.0'
+    optional: true
diff --git a/sftpgo/helm/sftpgo/values.yaml.tpl b/sftpgo/helm/sftpgo/values.yaml.tpl
index 41665f113..17f1aff93 100644
--- a/sftpgo/helm/sftpgo/values.yaml.tpl
+++ b/sftpgo/helm/sftpgo/values.yaml.tpl
@@ -4,9 +4,30 @@ sftpgo:
     hosts:
       - host: {{ .Values.hostname }}
         paths:
-          - path: '/.*'
+          - path: '/'
             pathType: ImplementationSpecific
     tls:
       - secretName: sftpgo-tls
         hosts:
-          - {{ .Values.hostname }}
\ No newline at end of file
+          - {{ .Values.hostname }}
+  {{ if .Values.loadBalancerHostname }}
+  service:
+    type: LoadBalancer
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: {{ .Values.loadBalancerHostname }}
+      {{ if eq .Provider "aws" }}
+      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+      service.beta.kubernetes.io/aws-load-balancer-type: external
+      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+      {{ end }}
+  {{ end }}
+{{ if eq .Provider "google" }}
+  serviceAccount:
+    annotations:
+      iam.gke.io/gcp-service-account: {{ importValue "Terraform" "gcp_sa_workload_identity_email" }}
+
+{{ end }}
\ No newline at end of file
diff --git a/sftpgo/plural/recipes/sftpgo-aws.yaml b/sftpgo/plural/recipes/sftpgo-aws.yaml
index 4090b083b..484aad6b9 100644
--- a/sftpgo/plural/recipes/sftpgo-aws.yaml
+++ b/sftpgo/plural/recipes/sftpgo-aws.yaml
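Review bot: The AWS annotations in the added `service:` block declare an `internet-facing` NLB and nothing restricts who may reach it, so every TCP listener sftpgo has enabled becomes reachable from any source address the moment `loadBalancerHostname` is set. A `loadBalancerSourceRanges` list should be threaded through next to the hostname as an optional recipe value so operators can limit ingress to known CIDRs, assuming the wrapped chart passes that Service field through. The `aws-load-balancer-proxy-protocol: "*"` annotation also only works if sftpgo's listeners are configured to expect PROXY protocol (its `proxy_protocol` setting); when they are, `proxy_allowed` should list the load balancer's address ranges so a client that reaches the pod directly cannot present a forged source address to sftpgo's logs and allow-lists. Finally, the templated GKE annotation should be quoted the way the tfvars in this patch already do it, `iam.gke.io/gcp-service-account: {{ importValue "Terraform" "gcp_sa_workload_identity_email" | quote }}`, so an empty import renders as an empty string rather than a null annotation value.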
@@ -8,13 +8,17 @@ dependencies:
   - repo: ingress-nginx
     name: ingress-nginx-aws
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: kube
+      - type: HELM
+        name: sftpgo
diff --git a/sftpgo/plural/recipes/sftpgo-azure.yaml b/sftpgo/plural/recipes/sftpgo-azure.yaml
index 437983441..0407f7531 100644
--- a/sftpgo/plural/recipes/sftpgo-azure.yaml
+++ b/sftpgo/plural/recipes/sftpgo-azure.yaml
@@ -8,13 +8,17 @@ dependencies:
   - repo: ingress-nginx
     name: ingress-nginx-azure
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: kube
+      - type: HELM
+        name: sftpgo
diff --git a/sftpgo/plural/recipes/sftpgo-gcp.yaml b/sftpgo/plural/recipes/sftpgo-gcp.yaml
index 1c9445fb2..e188fc2c5 100644
--- a/sftpgo/plural/recipes/sftpgo-gcp.yaml
+++ b/sftpgo/plural/recipes/sftpgo-gcp.yaml
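Review bot: The `documentation` string on the new `loadBalancerHostname` entry tells the user what the name will reach but not what filling it in does: per the chart template in this patch it switches the sftpgo Service to `type: LoadBalancer`, which on the cloud providers is a load balancer that is typically public (explicitly `internet-facing` on AWS). Since this field is the only switch for that exposure, the doc string is where the user has to learn it; suggest `documentation: optional dns name for a public LoadBalancer exposing sftpgo's enabled TCP services (sftp on port 22, etc.); leave unset to keep only the web ui reachable through the ingress`. The identical entry is added in the sftpgo-azure hunk below and in the sftpgo-gcp and sftpgo-kind hunks on the next diff line, so the same wording applies there; a kind cluster normally has nothing to satisfy a LoadBalancer Service, so the option may not be meaningful in that recipe at all.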
@@ -8,13 +8,17 @@ dependencies:
   - repo: ingress-nginx
     name: ingress-nginx-gcp
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: gcp
+      - type: HELM
+        name: sftpgo
diff --git a/sftpgo/plural/recipes/sftpgo-kind.yaml b/sftpgo/plural/recipes/sftpgo-kind.yaml
index 02fa414a8..f6ac97aec 100644
--- a/sftpgo/plural/recipes/sftpgo-kind.yaml
+++ b/sftpgo/plural/recipes/sftpgo-kind.yaml
@@ -8,13 +8,17 @@ dependencies:
   - repo: ingress-nginx
     name: ingress-nginx-kind
 sections:
-- name: sftpgo
-  configuration:
-  - name: hostname
-    type: DOMAIN
-    documentation: the fully qualified domain name your sftpgo instance will be available at
-  items:
-  - type: TERRAFORM
-    name: kube
-  - type: HELM
-    name: sftpgo
+  - name: sftpgo
+    configuration:
+      - name: hostname
+        type: DOMAIN
+        documentation: the fully qualified domain name your sftpgo instance will be available at
+      - name: loadBalancerHostname
+        documentation: a dns name to access the enabled services (sftp on port 22, etc.)
+        type: DOMAIN
+        optional: true
+    items:
+      - type: TERRAFORM
+        name: kube
+      - type: HELM
+        name: sftpgo
diff --git a/sftpgo/terraform/gcp/deps.yaml b/sftpgo/terraform/gcp/deps.yaml
new file mode 100644
index 000000000..f52e6a6ad
--- /dev/null
+++ b/sftpgo/terraform/gcp/deps.yaml
@@ -0,0 +1,15 @@
+apiVersion: plural.sh/v1alpha1
+kind: Dependencies
+metadata:
+  description: sftpgo gcp setup
+  version: 0.1.0
+spec:
+  dependencies:
+    - name: gcp-bootstrap
+      repo: bootstrap
+      type: terraform
+      version: ">= 0.1.1"
+  providers:
+    - gcp
+  outputs:
+    gcp_sa_workload_identity_email: gcp_sa_workload_identity_email
diff --git a/sftpgo/terraform/gcp/main.tf b/sftpgo/terraform/gcp/main.tf
new file mode 100644
index 000000000..539cc15d9
--- /dev/null
+++ b/sftpgo/terraform/gcp/main.tf
@@ -0,0 +1,20 @@
+resource "kubernetes_namespace" "sftpgo" {
+  metadata {
+    name = var.namespace
+    labels = {
+      "app.kubernetes.io/managed-by" = "plural"
+      "app.plural.sh/name" = "sftpgo"
+    }
+  }
+}
+
+module "sftpgo-workload-identity" {
+  source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  name = "${var.cluster_name}-sftpgo-workload"
+  namespace = var.namespace
+  project_id = var.project_id
+  use_existing_k8s_sa = true
+  annotate_k8s_sa = false
+  k8s_sa_name = "sftpgo"
+  roles = var.roles
+}
diff --git a/sftpgo/terraform/gcp/outputs.tf b/sftpgo/terraform/gcp/outputs.tf
new file mode 100644
index 000000000..e27a1afe2
--- /dev/null
+++ b/sftpgo/terraform/gcp/outputs.tf
@@ -0,0 +1,3 @@
+output "gcp_sa_workload_identity_email" {
+  value = module.sftpgo-workload-identity.gcp_service_account_email
+}
diff --git a/sftpgo/terraform/gcp/terraform.tfvars b/sftpgo/terraform/gcp/terraform.tfvars
new file mode 100644
index 000000000..f93de8318
--- /dev/null
+++ b/sftpgo/terraform/gcp/terraform.tfvars
@@ -0,0 +1,3 @@
+namespace = {{ .Namespace | quote }}
+cluster_name = {{ .Cluster | quote }}
+project_id = {{ .Project | quote }}
diff --git a/sftpgo/terraform/gcp/variables.tf b/sftpgo/terraform/gcp/variables.tf
new file mode 100644
index 000000000..7509bf546
--- /dev/null
+++ b/sftpgo/terraform/gcp/variables.tf
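Review bot: `roles = var.roles` in the `sftpgo-workload-identity` module binds the new GCP service account to whatever that variable defaults to, and nothing in main.tf documents or bounds the list; the variables.tf hunk is garbled in this view, so the default cannot be checked here. These are project-level IAM bindings handed to a workload that the rest of this patch makes reachable from outside the cluster, so the default should be empty or the narrowest storage roles sftpgo actually needs, and a comment above the argument, `# granted project-wide to the GSA; keep to the minimum sftpgo needs`, would make that contract visible to whoever edits the variable next. `use_existing_k8s_sa = true` together with `k8s_sa_name = "sftpgo"` also means the binding only takes effect if the chart's ServiceAccount is literally named `sftpgo`; a comment stating that coupling with the helm release's serviceAccount name would save a confusing `iam.gke.io` permission failure later.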
@@ -0,0 +1,21 @@ +variable "namespace" { + type = string + default = "sftpgo" +} + +variable "cluster_name" { + type = string +} + +variable "project_id" { + type = string + description = <= 0.1.1' optional: true - - name: gcp-bootstrap - repo: bootstrap - type: terraform - version: '>= 0.1.1' - optional: true - name: kind-bootstrap repo: bootstrap type: terraform @@ -28,5 +23,4 @@ spec: providers: - aws - azure - - gcp - kind