feat: update charts to be able to leverage external static IP address…

…es (#650)

Signed-off-by: Jeromy Cannon <jeromy@swirldslabs.com>

.github/workflows/zxc-fsnetman-tests.yaml

@@ -1,5 +1,5 @@
 ##
-# Copyright (C) 2023 Hedera Hashgraph, LLC
+# Copyright (C) 2023-2024 Hedera Hashgraph, LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -130,9 +130,14 @@ jobs:
           npm link
           fsnetman init -d ../charts
           fsnetman cluster create
-          fsnetman cluster setup
-          fsnetman chart install
-          npm run test-e2e
+          fsnetman cluster setup -d ../charts \
+            --cert-manager \
+            --cert-manager-crds
+          fsnetman chart install -d ../charts \
+            --enable-tls \
+            --self-signed \
+            --enable-hedera-explorer-tls
+
       - name: Output logs
         id: nodejs-test-e2e-logs
         working-directory: fullstack-network-manager

charts/fullstack-cluster-setup/Chart.lock

@@ -10,12 +10,9 @@ dependencies:
   version: 0.27.1
 - name: gateway-helm
   repository: oci://docker.io/envoyproxy
-  version: v0.5.0
+  version: v0.6.0
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.13.2
-- name: acme-cluster-issuer
-  repository: ""
-  version: 0.3.0
-digest: sha256:630e4c5a362a5d9a9c8ea6b10653d9b35eb91e93a14e19578e8ef75eeb4a49c6
-generated: "2023-11-10T14:03:37.262415Z"
+  version: v1.13.3
+digest: sha256:6be28d5957a90c40e36baff239651c7d0ed730bf08b767694619cbc78e7dd325
+generated: "2024-01-05T21:22:49.794103Z"

charts/fullstack-cluster-setup/Chart.yaml

@@ -43,16 +43,11 @@ dependencies:
 
   - name: gateway-helm
     alias: envoy-gateway
-    version: v0.5.0
+    version: v0.6.0
     repository: oci://docker.io/envoyproxy
     condition: cloud.envoyGateway.enabled
 
   - name: cert-manager
-    version: v1.13.2
+    version: v1.13.3
     repository: https://charts.jetstack.io
     condition: cloud.certManager.enabled
-
-  - name: acme-cluster-issuer
-    version: 0.3.0
-    # TODO: uncomment #repository: https://swirldslabs.github.io/swirldslabs-helm-charts
-    condition: cloud.acmeClusterIssuer.enabled

charts/fullstack-cluster-setup/templates/gateway-api/fst-gateway.yaml

@@ -1,9 +1,8 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
 metadata:
   name: fst-gateway-class
   labels:
     fullstack.hedera.com/type: gateway-class
 spec:
   controllerName: "gateway.envoyproxy.io/gatewayclass-controller"
-  #controllerName: "haproxy-ingress.github.io/controller"

charts/fullstack-cluster-setup/values.yaml

@@ -19,21 +19,7 @@ cloud:
     enabled: false
   certManager:
     enabled: false
-  acmeClusterIssuer:
-    enabled: false
-  selfSignedClusterIssuer:
-    enabled: true
 
 cert-manager:
   namespace: cert-manager
   installCRDs: false
-
-acme-cluster-issuer:
-  issuers:
-    annotations:
-      helm.sh/hook: post-install
-      helm.sh/hook-weight: "2"
-    staging:
-      email: ""
-    production:
-      email: ""

charts/fullstack-deployment/Chart.lock

@@ -8,5 +8,8 @@ dependencies:
 - name: tenant
   repository: https://operator.min.io/
   version: 5.0.7
-digest: sha256:07f6ea06b7748b59dd24b34f2e742222ca2718592efc66d6fc55f78b628d4366
-generated: "2023-11-03T13:52:20.781862Z"
+- name: acme-cluster-issuer
+  repository: ""
+  version: 0.3.0
+digest: sha256:65f708d654ba6d14c7b193cc833f132f6133cca53850bcd37cf27809246df0f6
+generated: "2024-01-05T21:23:17.852519Z"

charts/fullstack-deployment/Chart.yaml

@@ -45,3 +45,7 @@ dependencies:
     repository: https://operator.min.io/
     condition: cloud.minio.enabled
 
+  - name: acme-cluster-issuer
+    version: 0.3.0
+    # TODO: uncomment #repository: https://swirldslabs.github.io/swirldslabs-helm-charts
+    condition: cloud.acmeClusterIssuer.enabled

charts/fullstack-cluster-setup/charts/acme-cluster-issuer/templates/production.yaml → charts/fullstack-deployment/charts/acme-cluster-issuer/templates/production.yaml

@@ -16,10 +16,21 @@ spec:
     solvers:
       {{- if .Values.solvers.http01.enabled }}
       - http01:
+          {{- if .Values.solvers.http01.solverType | eq "ingress" }}
           ingress:
             {{- with .Values.solvers.http01.ingress }}
             name: {{ .name }}
             class: {{ .class }}
             serviceType: {{ .serviceType }}
             {{- end }}
+          {{- end }}
+          {{- if .Values.solvers.http01.solverType | eq "gatewayHTTPRoute" }}
+          gatewayHTTPRoute:
+            {{- with .Values.solvers.http01.gatewayHTTPRoute }}
+            parentRefs:
+              - name: {{ .name }}
+                namespace: {{ default $.Release.Namespace $.Values.global.namespaceOverride }}
+                kind: Gateway
+            {{- end }}
+          {{- end }}
       {{- end }}

charts/fullstack-cluster-setup/charts/acme-cluster-issuer/templates/staging.yaml → charts/fullstack-deployment/charts/acme-cluster-issuer/templates/staging.yaml

@@ -16,10 +16,21 @@ spec:
     solvers:
       {{- if .Values.solvers.http01.enabled }}
       - http01:
+          {{- if .Values.solvers.http01.solverType | eq "ingress" }}
           ingress:
             {{- with .Values.solvers.http01.ingress }}
             name: {{ .name }}
             class: {{ .class }}
             serviceType: {{ .serviceType }}
             {{- end }}
+          {{- end }}
+          {{- if .Values.solvers.http01.solverType | eq "gatewayHTTPRoute" }}
+          gatewayHTTPRoute:
+            {{- with .Values.solvers.http01.gatewayHTTPRoute }}
+            parentRefs:
+              - name: {{ .name }}
+                namespace: {{ default $.Release.Namespace $.Values.global.namespaceOverride }}
+                kind: Gateway
+            {{- end }}
+          {{- end }}
       {{- end }}

charts/fullstack-cluster-setup/charts/acme-cluster-issuer/values.yaml → charts/fullstack-deployment/charts/acme-cluster-issuer/values.yaml

@@ -10,8 +10,11 @@ issuers:
 solvers:
   http01:
     enabled: true
+    solverType: "ingress" # "ingress" or "gatewayHTTPRoute"
     ingress:
       name: ""
       class: ""
       serviceType: "NodePort"
-
+    gatewayHTTPRoute:
+      name: ""
+      namespace: ""

charts/fullstack-deployment/templates/gateway-api/certificate-requests.yaml

@@ -7,6 +7,8 @@ metadata:
 spec:
   isCA: false
   commonName: {{ $.Values.deployment.hederaExplorer.hostname }}
+  dnsNames:
+    - {{ $.Values.deployment.hederaExplorer.hostname }}
   secretName: {{ $.Values.gatewayApi.gateway.tlsClusterIssuerName }}-ca-secret-hedera-explorer
   privateKey:
     algorithm: RSA

charts/fullstack-deployment/templates/gateway-api/envoy-grpc-web-routes.yaml

@@ -3,7 +3,7 @@
 {{- $defaults := $.Values.defaults.envoyProxy }}
 {{- if default $defaults.enabled $envoyProxy.enabled | eq "true" }}
 ---
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: envoy-grpc-web-route-{{ $node.name }}

charts/fullstack-deployment/templates/gateway-api/gateway.yaml

@@ -1,5 +1,5 @@
 {{- if $.Values.gatewayApi.gateway.enabled | eq "true" }}
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
   name: {{ $.Values.gatewayApi.gateway.name }}
@@ -9,6 +9,10 @@ metadata:
     {{- include "fullstack.testLabels" $ | nindent 4 }}
 spec:
   gatewayClassName: {{ $.Values.gatewayApi.gatewayClass.name }}
+  {{- if  $.Values.gatewayApi.gateway.loadBalancerEnabled }}
+  addresses:
+    - value: {{ $.Values.gatewayApi.gateway.loadBalancerIP }}
+  {{- end }}
   listeners:
   {{- $gossip_start_port   := $.Values.gatewayApi.gateway.listeners.gossip.port }} # i.e. node0:51000 ... node999: 51999, points to 50111 port in haproxy or network-node
   {{- $grpc_start_port     := $.Values.gatewayApi.gateway.listeners.grpc.port }} # i.e. node0:52000 ... node999: 52999, points to 50211 port in haproxy or network-node

charts/fullstack-deployment/templates/gateway-api/hedera-explorer-route.yaml

@@ -1,4 +1,4 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: hedera-explorer-route

charts/fullstack-deployment/values.yaml

@@ -14,6 +14,10 @@ cloud:
     enabled: "true"
   minio:
     enabled: true
+  acmeClusterIssuer:
+    enabled: false
+  selfSignedClusterIssuer:
+    enabled: false
 
 # telemetry configurations
 telemetry:
@@ -35,6 +39,22 @@ tester:
     pullPolicy: "IfNotPresent"
   resources: {}
 
+# lets encrypt acme cluster issuer configuration
+acme-cluster-issuer:
+  issuers:
+    staging:
+      email: ""
+      name: fst-letsencrypt-staging
+    production:
+      email: ""
+      name: fst-letsencrypt-prod
+  solvers:
+    http01:
+      solverType: "gatewayHTTPRoute"
+      gatewayHTTPRoute:
+        name: "fst" # needs to match gatewayApi.gateway.name in this values.yaml file
+        namespace: "{{ tpl (.Values.global.namespaceOverride | toString) }}"
+
 # gateway-api configuration
 gatewayApi:
   gatewayClass:
@@ -45,6 +65,8 @@ gatewayApi:
     tlsEnabled: false
     tlsClusterIssuerName: "" # for acme-cluster-setup: staging = letsencrypt-staging, prod = letsencrypt-prod
     tlsClusterIssuerNamespace: "" # for acme-cluster-setup: cert-manager # TODO is this needed?
+    loadBalancerIP: ""
+    loadBalancerEnabled: false
     listeners:
       gossip:
         port: 51000 # i.e. node0:51000 ... node999: 51999, points to 50111 port in haproxy or network-node
@@ -54,7 +76,7 @@ gatewayApi:
         enabled: "true"
       grpcs: # tls-grpc-port
         port: 53000 # i.e. node0:53000 ... node999: 53999, points to 50212 port in haproxy or network-node
-        enabled: "true"
+        enabled: "false"
         tlsEnabled: false
       grpcWeb:
         port: 18000 # i.e. node0:18000 ... node999: 18999, points to 8080 port in envoy proxy