Add Helm charts Ingress support docs

modules/ROOT/pages/installation/kubernetes/helm-charts.adoc

@@ -52,6 +52,12 @@ secretsFromSecrets:
   mTlsAgentCerts:
     secretName: ""
     key: "" # key in Secret for mTls agentCerts
+  ingressTlsCert:
+    secretName: ""
+    key: "" # key in Secret for mTls agentCerts
+  ingressTlsKey:
+    secretName: ""
+    key: "" # key in Secret for mTls agentCerts
 
 secrets:
   # storage
@@ -64,7 +70,10 @@ secrets:
   # jwt
   jwtSecret: ""
   # mTls
-  mTlsAgentCerts: ""
+  mTlsAgentCerts: "" # pem encoded string
+  # ingress tls
+  ingressTlsCert: "" # pem encoded string
+  ingressTlsKey: "" # pem encoded string
 
 service:
   http:
@@ -84,96 +93,26 @@ service:
     port: 9090
     loadBalancerIP: "" # optional static load balancer IP
 
-image:
-  name: neo4j/neo4j-ops-manager-server
-  pullPolicy: Always
-
-hpa:
-  spec:
-    targetCPUUtilizationPercentage: 70
+ingress:
+  enabled: false
+  sslPassthrough: false
+  ingressClassName: "nginx"
+  annotations: { }
+  httpHostName: ""
+  grpcHostName: ""
 
 nameOverride:
 
-additionalVolumeMounts:
-
-resources:
-  limits:
-    cpu: "2"
-    memory: "8G"
-  requests:
-    cpu: "0.2"
-    memory: "4G"
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-----
-
-* Run the following command to install the NOM server to your Kubernetes cluster
-[source, shell, role=noheader]
-----
-helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
-----
-
-* If agents are self-registered, set the additional trusted agent certificates on the server before deploying the agents
-[source, shell, role=noheader]
-----
-helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) --set secrets.mTlsAgentCerts=$(cat localhost.pem | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
-----
-
-* If the command doesn't report any error, check if the NOM server pod and services are running with `kubectl` command.
-
-* An example `values.yaml` file is given below for quick render tests of the chart using following command:
-[source, shell, role=noheader]
-----
-helm template nom /path/to/neo4j-ops-manager-server-<VERSION>.tgz -f values.yaml
-----
-
-.values.yaml
-[source, yaml]
-----
-server:
-
-config:
-  logFileName: "app.log"
-  logLevel: info
-  maxHeapSize: 8g
-  jwtTTL: 2h
-  grpc:
-    advertisedHost: "https://localhost:9090"
-
-secrets:
-  # storage
-  storageUri: "neo4j://localhost:7687"
-  storageUsername: "neo4j"
-  storagePassword: "passw0rd"
-  # tls
-  tlsPassword: "changeit"
-  tlsPkcs12CertFileContent: "<base64 encoded string of pkcs12 server cert content>"
-  # jwt
-  jwtSecret: ""
-  # mTls
-  mTlsAgentCerts: ""
-
-service:
-  http:
-    ipAddress: "https://localhost:8080"
-  grpc:
-    ipAddress: "https://localhost:9090"
-    port: 9090
+additionalVolumeMounts: []
 
 image:
   name: neo4j/neo4j-ops-manager-server
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
 
 hpa:
   spec:
     targetCPUUtilizationPercentage: 70
 
-nameOverride:
-
 resources:
   limits:
     cpu: "2"
@@ -182,11 +121,12 @@ resources:
     cpu: "0.2"
     memory: "4G"
 
+affinity: {}
+
 nodeSelector: {}
 
 tolerations: []
 
-affinity: {}
 ----
 
 === Using pre-configured secrets
@@ -222,3 +162,41 @@ To handle such cases it's advised to pass in the references to existing secrets
 helm install -f values.yaml --set secrets.<NOM secret type such as `storage`>.<NOM secret key such as `password`>=$(kubectl get secret <secretName> -o jsonpath='{.data.<secretKey>}' | base64 -d) --set secrets.tls.pkcs12CertFileContent=$(cat server.pfx | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
 ----
 ====
+
+=== Ingress support
+
+* An Ingress resource can be deployed using the NOM server charts to support domain routing and SSL termination.
+* Enabling Ingress support using `values.yaml` with SSL termination:
+[source,yaml]
+----
+secrets:
+  ingressTlsCert: "<cert file conent as PEM encoded string>"
+  ingressTlsKey: "<key file content as PEM encoded string>"
+
+ingress:
+  enabled: true
+  sslPassthrough: false
+  ingressClassName: "<your ingress controller class name e.g nginx>"
+  annotations: { } 
+  httpHostName: "<Hostname/domain for NOM server http endpoints>"
+  grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
+----
+* Terminating SSL at Ingress means the TLS is handled by the Ingress resource itself. 
+To enable TLS handling, additional secrets need to be configured as shown in the previous example. 
+It's common practice to use something like link:https://cert-manager.io/docs/usage/ingress/[Cert Manager] to handle the provisioning and renewal of certificate secrets.
+* `annotations` can be used to further customize the Ingress controller based on your requirements.
+
+==== Disabling SSL termination
+
+* If you would not like Ingress resource to handle SSL termination and only use it for domain routing and load balancing, Ingress needs to allow SSL passthrough, and NOM server needs to be configured with the certificates as described previously. 
+An example of SSL passthrough:
+[source,yaml]
+----
+ingress:
+  enabled: true
+  sslPassthrough: true
+  ingressClassName: "<your ingress controller class name e.g nginx>"
+  annotations: { } 
+  httpHostName: "<Hostname/domain for NOM server http endpoints>"
+  grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
+----

yarn.lock

@@ -10,7 +10,6 @@
     "@antora/user-require-helper" "~2.0"
     "@asciidoctor/core" "~2.2"
 
-
 "@antora/cli@^3.1.7":
   version "3.1.7"
   resolved "https://registry.yarnpkg.com/@antora/cli/-/cli-3.1.7.tgz#8d80d83328793281f8f0b525020e761115accb49"
@@ -23,7 +22,6 @@
 "@antora/content-aggregator@3.1.7":
   version "3.1.7"
   resolved "https://registry.yarnpkg.com/@antora/content-aggregator/-/content-aggregator-3.1.7.tgz#7458f428afcbf2bc7b63014349b1305cd14ea60c"
-
   dependencies:
     "@antora/expand-path-helper" "~2.0"
     "@antora/logger" "3.1.7"
@@ -276,20 +274,21 @@ binary-extensions@^2.0.0:
   version "2.2.0"
   resolved "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz"
 
-body-parser@1.20.1:
-  version "1.20.1"
-  resolved "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz"
+body-parser@1.20.2:
+  version "1.20.2"
+  resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd"
+  integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==
   dependencies:
     bytes "3.1.2"
-    content-type "~1.0.4"
+    content-type "~1.0.5"
     debug "2.6.9"
     depd "2.0.0"
     destroy "1.2.0"
     http-errors "2.0.0"
     iconv-lite "0.4.24"
     on-finished "2.4.1"
     qs "6.11.0"
-    raw-body "2.5.1"
+    raw-body "2.5.2"
     type-is "~1.6.18"
     unpipe "1.0.0"
 
@@ -401,7 +400,7 @@ content-disposition@0.5.4:
   dependencies:
     safe-buffer "5.2.1"
 
-content-type@~1.0.4:
+content-type@~1.0.4, content-type@~1.0.5:
   version "1.0.5"
   resolved "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz"
 
@@ -420,9 +419,10 @@ cookie-signature@1.0.6:
   version "1.0.6"
   resolved "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz"
 
-cookie@0.5.0:
-  version "0.5.0"
-  resolved "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz"
+cookie@0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051"
+  integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==
 
 core-util-is@~1.0.0:
   version "1.0.3"
@@ -530,16 +530,17 @@ events@^3.3.0:
   version "3.3.0"
   resolved "https://registry.npmjs.org/events/-/events-3.3.0.tgz"
 
-express@^4.18.2:
-  version "4.18.2"
-  resolved "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
+express@^4.18.3:
+  version "4.19.2"
+  resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465"
+  integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==
   dependencies:
     accepts "~1.3.8"
     array-flatten "1.1.1"
-    body-parser "1.20.1"
+    body-parser "1.20.2"
     content-disposition "0.5.4"
     content-type "~1.0.4"
-    cookie "0.5.0"
+    cookie "0.6.0"
     cookie-signature "1.0.6"
     debug "2.6.9"
     depd "2.0.0"
@@ -1030,9 +1031,10 @@ neo-async@^2.6.2:
   version "2.6.2"
   resolved "https://registry.npmjs.org/neo-async/-/neo-async-2.6.2.tgz"
 
-nodemon@^3.0.2:
-  version "3.0.2"
-  resolved "https://registry.npmjs.org/nodemon/-/nodemon-3.0.2.tgz"
+nodemon@^3.1.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/nodemon/-/nodemon-3.1.0.tgz#ff7394f2450eb6a5e96fe4180acd5176b29799c9"
+  integrity sha512-xqlktYlDMCepBJd43ZQhjWwMw2obW/JRvkrLxq5RCNcuDDX1DbcPT+qT1IlIIdf+DhnWs90JpTMe+Y5KxOchvA==
   dependencies:
     chokidar "^3.5.2"
     debug "^4"
@@ -1261,9 +1263,10 @@ range-parser@~1.2.1:
   version "1.2.1"
   resolved "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz"
 
-raw-body@2.5.1:
-  version "2.5.1"
-  resolved "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz"
+raw-body@2.5.2:
+  version "2.5.2"
+  resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a"
+  integrity sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==
   dependencies:
     bytes "3.1.2"
     http-errors "2.0.0"