Merge pull request #31 from gruntwork-io/gke_ssl_cert

Add support for Google managed ssl certificates

Author: autero1

charts/k8s-service/README.md

@@ -13,6 +13,8 @@ This Helm Chart can also be used to front the `Pods` of the `Deployment` resourc
 [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) rules to further configure complex routing
 rules in front of the `Service`.
 
+If you're using the chart to deploy to [GKE](https://cloud.google.com/kubernetes-engine/), you can also use the chart to deploy a [Google Managed SSL Certificate](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs) and associate it with the Ingress.
+
 
 ## How to use this chart?
 
@@ -38,6 +40,8 @@ The following resources will be deployed with this Helm Chart, depending on whic
                          the `Deployment`. This manages how many pods can be disrupted by a voluntary disruption (e.g
                          node maintenance). Created if you specify a non-zero value for the `minPodsAvailable` input
                          value.
+- `ManagedCertificate`: The `ManagedCertificate` is a [GCP](https://cloud.google.com/) -specific resource that creates a Google Managed SSL certificate. Google-managed SSL certificates are provisioned, renewed, and managed for your domain names. Read more about Google-managed SSL certificates [here](https://cloud.google.com/load-balancing/docs/ssl-certificates#managed-certs). Created only if you configure the `google.managedCertificate` input (and set
+                         `google.managedCertificate.enabled = true` and `google.managedCertificate.domainName = your.domain.name`).
 
 
 ## How do I expose my application internally to the cluster?

charts/k8s-service/templates/gmc.yaml

@@ -0,0 +1,27 @@
+{{- /*
+If the operator configures the google.managedCertificate input variable, then also create a ManagedCertificate resource
+that will provision a Google managed SSL certificate.
+*/ -}}
+{{- if .Values.google.managedCertificate.enabled -}}
+{{- /*
+We declare some variables defined on the Values. These are reused in `with` and `range` blocks where the scoped variable
+(`.`) is rebound within the block.
+*/ -}}
+{{- $fullName := include "k8s-service.fullname" . -}}
+{{- $domainName := .Values.google.managedCertificate.domainName -}}
+apiVersion: networking.gke.io/v1beta1
+kind: ManagedCertificate
+metadata:
+  name: {{ $fullName }}
+  labels:
+    gruntwork.io/app-name: {{ .Values.applicationName }}
+    # These labels are required by helm. You can read more about required labels in the chart best practices guide:
+    # https://docs.helm.sh/chart_best_practices/#standard-labels
+    app.kubernetes.io/name: {{ include "k8s-service.name" . }}
+    helm.sh/chart: {{ include "k8s-service.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  domains:
+    - {{ $domainName }}
+{{- end }}

charts/k8s-service/values.yaml

@@ -333,3 +333,29 @@ tolerations: []
 # imagePullSecrets lists the Secret resources that should be used for accessing private registries. Each item in the
 # list is a string that corresponds to the Secret name.
 imagePullSecrets: []
+
+#----------------------------------------------------------------------------------------------------------------------
+# GOOGLE SPECIFIC VALUES
+# google specifies Google (GKE) specific configuration to be set via arguments/env. variables
+#----------------------------------------------------------------------------------------------------------------------
+google:
+  # managedCertificate can be used to provision a Google Managed Certificate. Associate the ManagedCertificate object
+  # to an Ingress by adding an annotation 'networking.gke.io/managed-certificates' to the Ingress.
+  #
+  # The expected keys are:
+  #   - enabled      (bool)   (required) : Whether or not the ManagedCertificate resource should be created.
+  #   - domainName   (string)            : Specifies the domain that the SSL certificate will be created for
+  #
+  # The following example specifies a ManagedCertificate with a domain name 'api.acme.com':
+  #
+  # EXAMPLE:
+  #
+  # google:
+  #   managedCertificate:
+  #     enabled: true
+  #     domainName: api.acme.com
+  #
+  # NOTE: if you enable managedCertificate, then Ingress must also be enabled.
+  # Use a Google Managed Certificate. By default, turn off.
+  managedCertificate:
+    enabled: false

test/Gopkg.lock

@@ -29,6 +29,10 @@
   name = "github.com/gruntwork-io/terratest"
   version = "0.17.6"
 
+[[constraint]]
+  name = "github.com/GoogleCloudPlatform/gke-managed-certs"
+  version = "0.3.4"
+
 [prune]
   go-tests = true
   unused-packages = true

test/Gopkg.toml

@@ -13,6 +13,8 @@ import (
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	extv1beta1 "k8s.io/api/extensions/v1beta1"
+
+	certapi "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/apis/networking.gke.io/v1beta1"
 )
 
 func renderK8SServiceDeploymentWithSetValues(t *testing.T, setValues map[string]string) appsv1.Deployment {
@@ -50,3 +52,21 @@ func renderK8SServiceIngressWithSetValues(t *testing.T, setValues map[string]str
 	helm.UnmarshalK8SYaml(t, out, &ingress)
 	return ingress
 }
+
+func renderK8SServiceManagedCertificateWithSetValues(t *testing.T, setValues map[string]string) certapi.ManagedCertificate {
+	helmChartPath, err := filepath.Abs(filepath.Join("..", "charts", "k8s-service"))
+	require.NoError(t, err)
+
+	// We make sure to pass in the linter_values.yaml values file, which we assume has all the required values defined.
+	options := &helm.Options{
+		ValuesFiles: []string{filepath.Join("..", "charts", "k8s-service", "linter_values.yaml")},
+		SetValues:   setValues,
+	}
+	// Render just the google managed certificate resource
+	out := helm.RenderTemplate(t, options, helmChartPath, []string{"templates/gmc.yaml"})
+
+	// Parse the deployment and verify the preStop hook is set
+	var cert certapi.ManagedCertificate
+	helm.UnmarshalK8SYaml(t, out, &cert)
+	return cert
+}

test/k8s_service_template_render_helpers_for_test.go

@@ -436,3 +436,42 @@ func TestK8SServiceIngressAdditionalPathsHigherPriorityNoServiceName(t *testing.
 	assert.Equal(t, strings.ToLower(secondPath.Backend.ServiceName), "release-name-linter")
 	assert.Equal(t, secondPath.Backend.ServicePort.StrVal, "app")
 }
+
+// Test rendering Managed Certificate
+func TestK8SServiceManagedCertDomainName(t *testing.T) {
+	t.Parallel()
+
+	cert := renderK8SServiceManagedCertificateWithSetValues(
+		t,
+		map[string]string{
+			"google.managedCertificate.enabled":    "true",
+			"google.managedCertificate.domainName": "api.acme.io",
+		},
+	)
+
+	domains := cert.Spec.Domains
+	assert.Equal(t, len(domains), 1)
+	assert.Equal(t, domains[0], "api.acme.io")
+}
+
+// Test that setting ingress.enabled = false will cause the helm template to not render the ManagedCertificate resource
+func TestK8SServiceManagedCertificateDefaultsDoesNotCreateManagedCertificate(t *testing.T) {
+	t.Parallel()
+
+	helmChartPath, err := filepath.Abs(filepath.Join("..", "charts", "k8s-service"))
+	require.NoError(t, err)
+
+	// We make sure to pass in the linter_values.yaml values file, which we assume has all the required values defined.
+	// We then use SetValues to override all the defaults.
+	options := &helm.Options{
+		ValuesFiles: []string{filepath.Join("..", "charts", "k8s-service", "linter_values.yaml")},
+		SetValues:   map[string]string{},
+	}
+	out := helm.RenderTemplate(t, options, helmChartPath, []string{"templates/gmc.yaml"})
+
+	// We take the output and render it to a map to validate it is an empty yaml
+	rendered := map[string]interface{}{}
+	err = yaml.Unmarshal([]byte(out), &rendered)
+	assert.NoError(t, err)
+	assert.Equal(t, len(rendered), 0)
+}