Add WebView Support eclipse-theia/theia-cloud#296

* add additional information to AppDefinition for other hostnames that
have to be exposed
* adapt self-signed certificate generation to use a CA that can be
imported as an authority in a browser
* add additional wildcard rules when installing the instance ingress
* adapt document regeneration documentation to always use latest image

CHANGELOG.md

@@ -4,6 +4,9 @@
 
 - [theia-cloud-crds] Add option field to CRDs and increase version to `Session.v1beta8`, `Workspace.v1beta5` and `AppDefinition.v1beta10` [#55](https://github.com/eclipsesource/theia-cloud-helm/pull/55) | [#293](https://github.com/eclipsesource/theia-cloud/pull/293)
 - [theia-cloud] Add configurable image preloading [#56](https://github.com/eclipsesource/theia-cloud-helm/pull/56)
+- [theia-cloud-base] Self signed certificates are now signed by a Theia Cloud certificate authority. The certificate of the authority may be exported and imported in your Browser for easier local testing [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57)
+- [theia-cloud-crds] Add `ingressHostnamePrefixes` list to `AppDefinition.v1beta10` [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57) | [#298](https://github.com/eclipsesource/theia-cloud/pull/298)
+- [theia-cloud] Add `additionalWildcardInstances` to values and create TLS entries for them in the instances-ingress [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57)
 
 ## [0.10.0] - 2024-04-02
 

README.md

@@ -44,5 +44,5 @@ Furthermore, the new version, together with a release estimation date, should be
 ## How to generate Chart READMEs
 
 ```bash
-docker run --rm --volume "$(pwd)/charts:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest
+docker pull jnorwood/helm-docs:latest && docker run --rm --volume "$(pwd)/charts:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest
 ```

charts/theia-cloud-crds/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0-next.1
+version: 0.11.0-next.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/theia-cloud-crds/README.md

@@ -13,4 +13,4 @@ A Helm chart for the custom resource definitions (CRDs) of Theia Cloud
 | conversion.image | string | `"theiacloud/theia-cloud-conversion-webhook:0.11.0-next"` | The image of the webhook container |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)

charts/theia-cloud-crds/templates/appdefinition-spec-resource.yaml

@@ -51,6 +51,10 @@ spec:
  maximum: 65535
  ingressname:
  type: string
+ ingressHostnamePrefixes:
+ type: array
+ items:
+ type: string
  minInstances:
  type: integer
  maxInstances:

charts/theia.cloud-base/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0-next.0
+version: 0.11.0-next.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/theia.cloud-base/README.md

@@ -8,7 +8,9 @@ Theia-cloud base chart
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| certmanager.namespace | string | `"cert-manager"` | the namespace where the cert-manager is installed |
 | issuer.email | string | `"mmorlock@example.com"` | email used to issue let's encrypt certificates |
+| issuerca.name | string | `"theia-cloud-ca-certificate-signer"` | name for the issuer preparing a self signed CA certificate |
 | issuerprod.name | string | `"letsencrypt-prod"` | name for the let's encrypt production cluster issuer |
 | issuerstaging.name | string | `"theia-cloud-selfsigned-issuer"` | name for the self signed cluster issuer |
 | operatorrole.name | string | `"operator-api-access"` | name for the operator's cluster role |

charts/theia.cloud-base/templates/clusterissuer-for-ca.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .Values.issuerca.name }}
+spec:
+ selfSigned: {}
+

charts/theia.cloud-base/templates/clusterissuer-selfsigned.yaml

@@ -3,5 +3,6 @@ kind: ClusterIssuer
 metadata:
  name: {{ .Values.issuerstaging.name }}
 spec:
- selfSigned: {}
+ ca:
+ secretName: theia-cloud-ca-key-pair
 

charts/theia.cloud-base/templates/theia-cloud-ca-certificate.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: theia-cloud-ca-certificate
+ namespace: {{ .Values.certmanager.namespace }}
+spec:
+ commonName: "Theia Cloud CA"
+ secretName: theia-cloud-ca-key-pair
+ isCA: true
+ issuerRef:
+ name: {{ .Values.issuerca.name }}
+ kind: ClusterIssuer
+ duration: 2160h
+ renewBefore: 360h

charts/theia.cloud-base/values.yaml

@@ -1,3 +1,7 @@
+issuerca:
+ # -- name for the issuer preparing a self signed CA certificate
+ name: theia-cloud-ca-certificate-signer
+
 issuerprod:
  # -- name for the let's encrypt production cluster issuer
  name: letsencrypt-prod
@@ -16,4 +20,8 @@ operatorrole:
 
 servicerole:
  # -- name for the services' cluster role
- name: service-api-access
+ name: service-api-access
+
+certmanager:
+ # -- the namespace where the cert-manager is installed
+ namespace: cert-manager

charts/theia.cloud/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0-next.1
+version: 0.11.0-next.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/theia.cloud/README.md

@@ -1,6 +1,6 @@
 # theia-cloud
 
-![Version: 0.11.0-next.0](https://img.shields.io/badge/Version-0.11.0--next.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)
+![Version: 0.11.0-next.1](https://img.shields.io/badge/Version-0.11.0--next.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)
 
 A Helm chart for Theia.cloud
 
@@ -25,6 +25,7 @@ A Helm chart for Theia.cloud
 | demoApplication.pullSecret | string | `""` | the image pull secret. Leave empty if registry is public |
 | demoApplication.timeout | string | `"30"` | Limit in minutes |
 | hosts | object | (see details below) | You may adjust the hostname below. |
+| hosts.additionalWildcardInstances | list | `["*.webview."]` | additional wildcard hostnames that may be required in the launched Theia-applications, e.g. "*.webview." which leads to "*.webview.ws.192.168.39.173.nip.io" to expose webviews These are required to configure TLS (if enabled via hosts.tls == true) |
 | hosts.instance | string | `"ws.192.168.39.173.nip.io"` | hostname for the launched Theia-applications |
 | hosts.landing | string | `"theia.cloud.192.168.39.173.nip.io"` | hostname of the landing page |
 | hosts.paths | object | (see details below) | Only needed when usePaths == true. Contains the baseHost and paths for all services |

charts/theia.cloud/templates/instances-ingress.yaml

@@ -24,12 +24,19 @@ spec:
  tls:
  - hosts:
  - {{ tpl (.Values.hosts.instance | toString) . }}
+ {{- range .Values.hosts.additionalWildcardInstances }}
+ - {{ printf "'%s%s'" . $.Values.hosts.instance }}
+ {{- end }}
  secretName: ws-cert-secret
  {{- end }}
  {{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .) ) }}
  rules:
  - host: {{ tpl (.Values.hosts.instance | toString) . }}
  http:
+ {{- range .Values.hosts.additionalWildcardInstances }}
+ - host: {{ printf "'%s%s'" . $.Values.hosts.instance }}
+ http:
+ {{- end }}
  {{- else }}
  rules:
  {{ range $rule := (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .)).spec.rules }}

charts/theia.cloud/templates/theia-appdefinition-spec.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.demoApplication.install }}
-apiVersion: theia.cloud/v1beta9
+apiVersion: theia.cloud/v1beta10
 kind: AppDefinition
 metadata:
  name: theia-cloud-demo
@@ -11,6 +11,8 @@ spec:
  uid: 101
  port: 3000
  ingressname: {{ tpl (.Values.ingress.instanceName | toString) . }}
+ ingressHostnamePrefixes:
+ - "*.webview."
  minInstances: 0
  maxInstances: 10
  timeout: {{ tpl (.Values.demoApplication.timeout | toString) . }}

charts/theia.cloud/values.yaml

@@ -108,6 +108,11 @@ hosts:
  # -- hostname for the launched Theia-applications
  instance: ws.192.168.39.173.nip.io
 
+ # -- additional wildcard hostnames that may be required in the launched Theia-applications, e.g.
+ # "*.webview." which leads to "*.webview.ws.192.168.39.173.nip.io" to expose webviews
+ # These are required to configure TLS (if enabled via hosts.tls == true)
+ additionalWildcardInstances: ["*.webview."]
+
 # -- Values related to the landing page
 # @default -- (see details below)
 landingPage: