expose Helm chart values for custom certs

[rahil-p]

What type of PR is this?

/kind feature

What this PR does:

This PR provides a convenient alternative for installing Agones with custom certificates. Instead of having to pull and modify the contents of the chart, custom certificates may be passed in as values:

helm install my-release agones/agones \
  --set agones.allocator.generateTLS=false \
  --set-file agones.allocator.tlsCert=mydir/tls.crt \ # or --set agones.allocator.tlsCert="$(cat mydir/tls.crt)"
  --set-file agones.allocator.tlsKey=mydir/tls.key \
  --set-file "agones.allocator.clientCAs.my-ca\.crt"=mydir/ca.crt

Which issue(s) this PR fixes:

Closes #2364

Special notes for your reviewer:

[agones-bot]

Build Failed 😱

Build Id: a2526e4b-474c-4dff-8e33-aba4a46ca17d

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[roberthbailey]

Would it work to put "certs/server.crt" into values.yaml and just use the new variable here?

From https://helm.sh/docs/chart_template_guide/functions_and_pipelines/:

In an actual chart, all static default values should live in the values.yaml, and should not be repeated using the default command (otherwise they would be redundant).

I'm not particularly familiar with the --set-file option, but it looks like if the new parameter is a file name and we keep the .Files.Get here referencing the variable, then it might work (but using the --set flag instead of --set-file because you wouldn't pass the file contents into the variable).

[rahil-p]

The new parameter expects the file's contents. The --set-file option will set a value to the contents of the file at the provided path - it's equivalent to --set value="$(cat value.txt)".

The idea behind the new parameter is to allow the user to pass the certificate directly as a value. When the value isn't provided, .Files.Get will be used as a fallback to read the file from the certs directory. I included this so that the old way of passing in certificates (i.e. modifying the files in certs) continues to be supported.

That said, I think it could simplify things to remove the fallback and simply expect the value to be passed.

Let me know if that makes sense and if you'd like to see any changes.

[agones-bot]

Build Succeeded 👏

Build Id: 2b9e695b-57ec-48ad-8385-2385f6cd0ee4

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.19.0-adbfa06
• image: gcr.io/agones-images/agones-ping:1.19.0-adbfa06
• Linux C++ SDK (build): agonessdk-1.19.0-adbfa06-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.19.0-adbfa06.zip

A preview of the website (the last 30 builds are retained):

• https://adbfa06-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2367/head:pr_2367 && git checkout pr_2367
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.19.0-adbfa06

[agones-bot]

Build Succeeded 👏

Build Id: b02fc29b-2039-4f29-9177-a364703fa5af

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.19.0-28f5dc6
• image: gcr.io/agones-images/agones-ping:1.19.0-28f5dc6
• Linux C++ SDK (build): agonessdk-1.19.0-28f5dc6-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.19.0-28f5dc6.zip

A preview of the website (the last 30 builds are retained):

• https://28f5dc6-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2367/head:pr_2367 && git checkout pr_2367
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.19.0-28f5dc6

[agones-bot]

Build Failed 😱

Build Id: 5db5082a-0652-435b-bdf3-e6611cdb0db4

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[agones-bot]

Build Failed 😱

Build Id: d3c14421-450a-49dc-96b1-1d5b5a871887

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[rahil-p]

I pushed a commit that removes reading in defaults from the certs directory. This simplifies the template. It also should provide some security in case of a user failing to pass in their own certificate - instead of silently falling back on the repository certificate, the server will log an error and exit after failing to load empty credentials.

This is breaking for releases that disable allocator.generateTLS or controller.generateTLS. If this isn't the right call, let me know and I'll revert it.

Edit: I updated the Makefile to pass in the chart certificates when generating install/yaml/install.yaml (the resulting file matches upstream).

[roberthbailey]

I like these changes, but I'm on the fence about whether this will break too many folks.

@markmandel - WDYT?

[markmandel]

🤔 I'm on the fence with the breaking change as well. I feel like not many people use a custom certs directory (I'm actually not sure how you would do so to be honest, I assume you would have to grab the chart source, and run it locally???)

But it's hard to judge impact. Maybe we should have this PR merge with the non-breaking behaviour for now, and file an issue for the breaking change, and see if anyone objects?

[rahil-p]

I'd guess that workflow is the most common - it would probably look something like this during deployment:

helm pull agones/agones --untar
cp -TR my-certs/ agones/certs/
helm install my-release agones --values overrides.yaml

I think a new issue is a good call - it could benefit from some more discussion.

[agones-bot]

Build Failed 😱

Build Id: ec6d99bc-16ae-410c-ba83-c3e0fd66431a

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[markmandel]

Flake in TestAutoscalerBasicFunctions

[markmandel]

@roberthbailey you've been tracking this more closely than I have. If you are happy with this PR, I'm happy to squeeze this in before RC today.

[agones-bot]

Build Succeeded 👏

Build Id: bedddd62-418d-4a35-84af-0908b485f07b

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.19.0-3ace450
• image: gcr.io/agones-images/agones-ping:1.19.0-3ace450
• Linux C++ SDK (build): agonessdk-1.19.0-3ace450-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.19.0-3ace450.zip

A preview of the website (the last 30 builds are retained):

• https://3ace450-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2367/head:pr_2367 && git checkout pr_2367
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.19.0-3ace450

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rahil-p, roberthbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [roberthbailey]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment