From 2a7883174cca7463c2d1d01fc170eee3e42d54b9 Mon Sep 17 00:00:00 2001 From: ravikiran-sulikeri Date: Wed, 1 May 2024 13:03:30 +0100 Subject: [PATCH 1/2] Add Helm charts Ingress support docs --- .../installation/kubernetes/helm-charts.adoc | 137 +++++++----------- yarn.lock | 47 +++--- 2 files changed, 81 insertions(+), 103 deletions(-) diff --git a/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc b/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc index c522c0a..a2dd697 100644 --- a/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc +++ b/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc @@ -52,6 +52,12 @@ secretsFromSecrets: mTlsAgentCerts: secretName: "" key: "" # key in Secret for mTls agentCerts + ingressTlsCert: + secretName: "" + key: "" # key in Secret for mTls agentCerts + ingressTlsKey: + secretName: "" + key: "" # key in Secret for mTls agentCerts secrets: # storage @@ -64,7 +70,10 @@ secrets: # jwt jwtSecret: "" # mTls - mTlsAgentCerts: "" + mTlsAgentCerts: "" # pem encoded string + # ingress tls + ingressTlsCert: "" # pem encoded string + ingressTlsKey: "" # pem encoded string service: http: 
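Review bot: The inline comments on the new `ingressTlsCert` and `ingressTlsKey` entries under `secretsFromSecrets` were copied from the `mTlsAgentCerts` entry and still read `# key in Secret for mTls agentCerts`, which misdescribes what each key selects. Suggest `key: "" # key in Secret holding the PEM-encoded ingress TLS certificate` and `key: "" # key in Secret holding the PEM-encoded ingress TLS private key`. It would also help to state whether these references may point at the `tls.crt`/`tls.key` keys of a standard `kubernetes.io/tls` Secret, which is what cert-manager produces and what most readers will want to reference; the hunk does not show the template, so I cannot tell whether the chart supports that shape.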
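Review bot: The new `secrets.ingressTlsKey` field documents placing the ingress private key directly in `values.yaml` with no caveat, and a value supplied this way lands in the Helm release Secret and, commonly, in version control or CI logs via `--set`. Since the same change adds `secretsFromSecrets.ingressTlsKey`, the reference should point readers there next to the field, e.g. `ingressTlsKey: "" # pem encoded string; prefer secretsFromSecrets.ingressTlsKey so the private key is not stored in values.yaml`. The comment also says "pem encoded string" while the surviving install example later in this file pipes certificate material through `base64`; state explicitly whether the value is raw PEM or base64-wrapped PEM, because a mismatch only surfaces at TLS handshake time.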
@@ -84,96 +93,26 @@ service: port: 9090 loadBalancerIP: "" # optional static load balancer IP -image: - name: neo4j/neo4j-ops-manager-server - pullPolicy: Always - -hpa: - spec: - targetCPUUtilizationPercentage: 70 +ingress: + enabled: false + sslPassthrough: false + ingressClassName: "nginx" + annotations: { } + httpHostName: "" + grpcHostName: "" nameOverride: -additionalVolumeMounts: - -resources: - limits: - cpu: "2" - memory: "8G" - requests: - cpu: "0.2" - memory: "4G" - -nodeSelector: {} - -tolerations: [] - -affinity: {} ----- - -* Run the following command to install the NOM server to your Kubernetes cluster -[source, shell, role=noheader] ----- -helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) /path/to/neo4j-ops-manager-server-.tgz ----- - -* If agents are self-registered, set the additional trusted agent certificates on the server before deploying the agents -[source, shell, role=noheader] ----- -helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) --set secrets.mTlsAgentCerts=$(cat localhost.pem | base64) /path/to/neo4j-ops-manager-server-.tgz ----- - -* If the command doesn't report any error, check if the NOM server pod and services are running with `kubectl` command. 
- -* An example `values.yaml` file is given below for quick render tests of the chart using following command: -[source, shell, role=noheader] ----- -helm template nom /path/to/neo4j-ops-manager-server-.tgz -f values.yaml ----- - -.values.yaml -[source, yaml] ----- -server: - -config: - logFileName: "app.log" - logLevel: info - maxHeapSize: 8g - jwtTTL: 2h - grpc: - advertisedHost: "https://localhost:9090" - -secrets: - # storage - storageUri: "neo4j://localhost:7687" - storageUsername: "neo4j" - storagePassword: "passw0rd" - # tls - tlsPassword: "changeit" - tlsPkcs12CertFileContent: "" - # jwt - jwtSecret: "" - # mTls - mTlsAgentCerts: "" - -service: - http: - ipAddress: "https://localhost:8080" - grpc: - ipAddress: "https://localhost:9090" - port: 9090 +additionalVolumeMounts: [] image: name: neo4j/neo4j-ops-manager-server - pullPolicy: Always + pullPolicy: IfNotPresent hpa: spec: targetCPUUtilizationPercentage: 70 -nameOverride: - resources: limits: cpu: "2" @@ -182,11 +121,12 @@ resources: cpu: "0.2" memory: "4G" +affinity: {} + nodeSelector: {} tolerations: [] -affinity: {} ---- === Using pre-configured secrets 
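Review bot: The new `ingress` values block introduces `sslPassthrough: false` and `ingressClassName: "nginx"` without saying what the flag requires from the controller. If the chart implements passthrough through the ingress-nginx `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` annotation (the template is not visible in this hunk), that annotation is silently ignored unless the controller runs with `--enable-ssl-passthrough`, so a reader who sets `sslPassthrough: true` can end up with TLS terminated at the ingress and the NOM server's own certificate never presented to agents. Suggest a comment on the flag, `sslPassthrough: false # requires an ingress controller with TLS passthrough enabled (ingress-nginx: --enable-ssl-passthrough)`. Separately, the example switches to `pullPolicy: IfNotPresent` while `image.name` shows no tag in this hunk; with a mutable tag this keeps whatever image is cached on the node, so the reference should advise pinning a tag or digest when relying on that policy.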
@@ -222,3 +162,38 @@ To handle such cases it's advised to pass in the references to existing secrets helm install -f values.yaml --set secrets..=$(kubectl get secret -o jsonpath='{.data.}' | base64 -d) --set secrets.tls.pkcs12CertFileContent=$(cat server.pfx | base64) /path/to/neo4j-ops-manager-server-.tgz ---- ==== + +=== Ingress support + +* An Ingress resource can be deployed using the NOM server charts to support domain routing and SSL termination. +* Enabling ingress support using `values.yaml` with SSL termination: +[source,yaml] +---- +secrets: + ingressTlsCert: "" + ingressTlsKey: "" + +ingress: + enabled: true + sslPassthrough: false + ingressClassName: "" + annotations: { } + httpHostName: "" + grpcHostName: "" +---- +* Terminating SSL at Ingress means the TLS is handled by the Ingress resource itself. To enable TLS handling, additional secrets need to be configured as shown in the example above. It's common practice to use something like link:https://cert-manager.io/docs/usage/ingress/[Cert Manager] to handle provisioning and renewal of certificate secrets. +* `annotations` can be used to further customize the Ingress controller based on your requirements. + +==== Disabling SSL termination + +* If you would not like Ingress resource to handle SSL termination and only use it for domain routing and loadbalancing, Ingress needs to allow SSL passthrough and NOM server needs to be configured with the certiifcates as described above. An example of SSL passthrough: +[source,yaml] +---- +ingress: + enabled: true + sslPassthrough: true + ingressClassName: "" + annotations: { } + httpHostName: "" + grpcHostName: "" +---- diff --git a/yarn.lock b/yarn.lock index d13c741..b5bc878 100644 --- a/yarn.lock +++ b/yarn.lock @@ -10,7 +10,6 @@ "@antora/user-require-helper" "~2.0" "@asciidoctor/core" "~2.2" - "@antora/cli@^3.1.7": version "3.1.7" resolved "https://registry.yarnpkg.com/@antora/cli/-/cli-3.1.7.tgz#8d80d83328793281f8f0b525020e761115accb49" 
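Review bot: The new "Ingress support" example enables termination by filling `secrets.ingressTlsKey` in `values.yaml`, i.e. pasting the ingress private key into a values file, even though the same change adds `secretsFromSecrets.ingressTlsKey` and the paragraph already recommends cert-manager; the example should reference the cert-manager-issued `kubernetes.io/tls` Secret via `secretsFromSecrets` rather than inline the key. The termination paragraph should also state what happens on the Ingress-to-pod hop: the surviving install command in this section still passes `secrets.tls.pkcs12CertFileContent`, so the NOM server appears to keep its own TLS listener, in which case the Ingress must re-encrypt to the backend (for ingress-nginx, `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` or `"GRPCS"`), and if the server is expected to run plaintext behind the Ingress the reader needs to be told that the in-cluster hop is unencrypted. A sentence on whether the gRPC agent channel (`grpcHostName`) is supported in termination mode at all, or only with passthrough, would save readers trial and error, since HTTP/2 handling differs per controller. The passthrough example closes with `----` inside this hunk, so the section is complete in this view.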
@@ -23,7 +22,6 @@ "@antora/content-aggregator@3.1.7": version "3.1.7" resolved "https://registry.yarnpkg.com/@antora/content-aggregator/-/content-aggregator-3.1.7.tgz#7458f428afcbf2bc7b63014349b1305cd14ea60c" - dependencies: "@antora/expand-path-helper" "~2.0" "@antora/logger" "3.1.7" @@ -276,12 +274,13 @@ binary-extensions@^2.0.0: version "2.2.0" resolved "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz" -body-parser@1.20.1: - version "1.20.1" - resolved "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz" +body-parser@1.20.2: + version "1.20.2" + resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd" + integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA== dependencies: bytes "3.1.2" - content-type "~1.0.4" + content-type "~1.0.5" debug "2.6.9" depd "2.0.0" destroy "1.2.0" @@ -289,7 +288,7 @@ body-parser@1.20.1: iconv-lite "0.4.24" on-finished "2.4.1" qs "6.11.0" - raw-body "2.5.1" + raw-body "2.5.2" type-is "~1.6.18" unpipe "1.0.0" @@ -401,7 +400,7 @@ content-disposition@0.5.4: dependencies: safe-buffer "5.2.1" -content-type@~1.0.4: +content-type@~1.0.4, content-type@~1.0.5: version "1.0.5" resolved "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz" @@ -420,9 +419,10 @@ cookie-signature@1.0.6: version "1.0.6" resolved "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz" -cookie@0.5.0: - version "0.5.0" - resolved "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz" +cookie@0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051" + integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw== core-util-is@~1.0.0: version "1.0.3" 
@@ -530,16 +530,17 @@ events@^3.3.0: version "3.3.0" resolved "https://registry.npmjs.org/events/-/events-3.3.0.tgz" -express@^4.18.2: - version "4.18.2" - resolved "https://registry.npmjs.org/express/-/express-4.18.2.tgz" +express@^4.18.3: + version "4.19.2" + resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" + integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q== dependencies: accepts "~1.3.8" array-flatten "1.1.1" - body-parser "1.20.1" + body-parser "1.20.2" content-disposition "0.5.4" content-type "~1.0.4" - cookie "0.5.0" + cookie "0.6.0" cookie-signature "1.0.6" debug "2.6.9" depd "2.0.0" @@ -1030,9 +1031,10 @@ neo-async@^2.6.2: version "2.6.2" resolved "https://registry.npmjs.org/neo-async/-/neo-async-2.6.2.tgz" -nodemon@^3.0.2: - version "3.0.2" - resolved "https://registry.npmjs.org/nodemon/-/nodemon-3.0.2.tgz" +nodemon@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/nodemon/-/nodemon-3.1.0.tgz#ff7394f2450eb6a5e96fe4180acd5176b29799c9" + integrity sha512-xqlktYlDMCepBJd43ZQhjWwMw2obW/JRvkrLxq5RCNcuDDX1DbcPT+qT1IlIIdf+DhnWs90JpTMe+Y5KxOchvA== dependencies: chokidar "^3.5.2" debug "^4" @@ -1261,9 +1263,10 @@ range-parser@~1.2.1: version "1.2.1" resolved "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz" -raw-body@2.5.1: - version "2.5.1" - resolved "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz" +raw-body@2.5.2: + version "2.5.2" + resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a" + integrity sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA== dependencies: bytes "3.1.2" http-errors "2.0.0" From 9ba827d280d7d2c30c5b8987b1b53529a9d13522 Mon Sep 17 00:00:00 2001 
From: Ravikiran Sulikeri <98896557+ravikiran-sulikeri@users.noreply.github.com> Date: Thu, 2 May 2024 09:22:44 +0100 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Jessica Wright <49636617+AlexicaWright@users.noreply.github.com> --- .../ROOT/pages/installation/kubernetes/helm-charts.adoc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc b/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc index a2dd697..d168cda 100644 --- a/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc +++ b/modules/ROOT/pages/installation/kubernetes/helm-charts.adoc 
@@ -166,7 +166,7 @@ helm install -f values.yaml --set secrets.." grpcHostName: "" ---- -* Terminating SSL at Ingress means the TLS is handled by the Ingress resource itself. To enable TLS handling, additional secrets need to be configured as shown in the example above. It's common practice to use something like link:https://cert-manager.io/docs/usage/ingress/[Cert Manager] to handle provisioning and renewal of certificate secrets. +* Terminating SSL at Ingress means the TLS is handled by the Ingress resource itself. +To enable TLS handling, additional secrets need to be configured as shown in the previous example. +It's common practice to use something like link:https://cert-manager.io/docs/usage/ingress/[Cert Manager] to handle the provisioning and renewal of certificate secrets. * `annotations` can be used to further customize the Ingress controller based on your requirements. ==== Disabling SSL termination -* If you would not like Ingress resource to handle SSL termination and only use it for domain routing and loadbalancing, Ingress needs to allow SSL passthrough and NOM server needs to be configured with the certiifcates as described above. An example of SSL passthrough: +* If you would not like Ingress resource to handle SSL termination and only use it for domain routing and load balancing, Ingress needs to allow SSL passthrough, and NOM server needs to be configured with the certificates as described previously. +An example of SSL passthrough: [source,yaml] ---- ingress: