✨ Add cert-manager HTTP01 resolver and Data Platform static asset dep…

…loyment (#5500) Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk> Co-authored-by: Gary <Gary-H9@users.noreply.github.com>
ministryofjustice · Nov 17, 2023 · 8ea5c7e · 8ea5c7e
1 parent e927656
commit 8ea5c7e
Show file tree

Hide file tree

Showing 12 changed files with 157 additions and 2 deletions.
diff --git a/terraform/environments/data-platform-apps-and-tools/environment-configuration.tf b/terraform/environments/data-platform-apps-and-tools/environment-configuration.tf
@@ -60,6 +60,9 @@ locals {
       observability_platform_account_id     = local.environment_management.account_ids["observability-platform-development"]
       observability_platform_role           = "data-platform-apps-and-tools"
       observability_platform_prometheus_url = "https://aps-workspaces.eu-west-2.amazonaws.com/workspaces/ws-464eea97-631a-4e5d-af22-4c5528d9e0e6/api/v1/remote_write"
+
+      /* Static Assets */
+      static_assets_hostname = "assets.development.data-platform.service.justice.gov.uk"
     }
     production = {
       /* Route53 */
@@ -119,6 +122,9 @@ locals {
       observability_platform_account_id     = local.environment_management.account_ids["observability-platform-production"]
       observability_platform_role           = "data-platform-apps-and-tools"
       observability_platform_prometheus_url = "https://aps-workspaces.eu-west-2.amazonaws.com/workspaces/ws-55a65e9b-aab9-47a0-88b4-8275c50f1ff9/api/v1/remote_write"
+
+      /* Static Assets */
+      static_assets_hostname = "assets.development.data-platform.service.justice.gov.uk"
     }
   }
 }
diff --git a/terraform/environments/data-platform-apps-and-tools/helm-charts.tf b/terraform/environments/data-platform-apps-and-tools/helm-charts.tf
@@ -303,3 +303,16 @@ resource "helm_release" "amazon_managed_prometheus_proxy" {
 
   depends_on = [helm_release.gatekeeper]
 }
+
+resource "helm_release" "static_assets" {
+  name      = "static-assets"
+  chart     = "./src/helm/charts/static-assets"
+  namespace = kubernetes_namespace.static_assets.metadata[0].name
+
+  set {
+    name  = "ingress.host"
+    value = local.environment_configuration.static_assets_hostname
+  }
+
+  depends_on = [helm_release.cert_manager_additional]
+}
diff --git a/terraform/environments/data-platform-apps-and-tools/kubernetes-namespaces.tf b/terraform/environments/data-platform-apps-and-tools/kubernetes-namespaces.tf
@@ -16,6 +16,7 @@ resource "kubernetes_namespace" "external_dns" {
       "policy.sigstore.dev/include"    = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "cert_manager" {
@@ -26,6 +27,7 @@ resource "kubernetes_namespace" "cert_manager" {
       "policy.sigstore.dev/include"    = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "ingress_nginx" {
@@ -36,6 +38,7 @@ resource "kubernetes_namespace" "ingress_nginx" {
       "policy.sigstore.dev/include"    = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "velero_system" {
@@ -46,6 +49,7 @@ resource "kubernetes_namespace" "velero_system" {
       "policy.sigstore.dev/include"    = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "external_secrets" {
@@ -56,6 +60,7 @@ resource "kubernetes_namespace" "external_secrets" {
       "policy.sigstore.dev/include"    = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "cosign_system" {
@@ -66,6 +71,7 @@ resource "kubernetes_namespace" "cosign_system" {
       "policy.sigstore.dev/include"    = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "airflow" {
@@ -76,6 +82,7 @@ resource "kubernetes_namespace" "airflow" {
       "policy.sigstore.dev/include"        = "false"      // this will eventually be true, but we aren't currently signing images
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "openmetadata" {
@@ -85,6 +92,7 @@ resource "kubernetes_namespace" "openmetadata" {
       "policy.sigstore.dev/include" = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
 }
 
 resource "kubernetes_namespace" "prometheus" {
@@ -95,4 +103,16 @@ resource "kubernetes_namespace" "prometheus" {
       "policy.sigstore.dev/include"    = "false"
     }
   }
+  depends_on = [helm_release.gatekeeper]
+}
+
+resource "kubernetes_namespace" "static_assets" {
+  metadata {
+    name = "static-assets"
+    labels = {
+      "admission.gatekeeper.sh/ignore" = "true"
+      "policy.sigstore.dev/include"    = "false"
+    }
+  }
+  depends_on = [helm_release.gatekeeper]
 }
diff --git a/...ironments/data-platform-apps-and-tools/src/helm/charts/cert-manager-additional/Chart.yaml b/...ironments/data-platform-apps-and-tools/src/helm/charts/cert-manager-additional/Chart.yaml
@@ -3,5 +3,5 @@ apiVersion: v2
 name: cert-manager-additional
 description: A Helm chart to apply Cert Manager Resources
 type: application
-version: 1.0.4
+version: 1.0.5
 appVersion: 1.0.0
diff --git a/...form-apps-and-tools/src/helm/charts/cert-manager-additional/templates/cluster-issuer.yaml b/...form-apps-and-tools/src/helm/charts/cert-manager-additional/templates/cluster-issuer.yaml
@@ -18,3 +18,18 @@ spec:
           route53:
             region: {{ .Values.aws.region }}
             hostedZoneID: {{ .Values.aws.hostedZoneID }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production-http01
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: {{ .Values.acme.email }}
+    privateKeySecretRef:
+      name: letsencrypt-production-http01
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: {{ .Values.http01.ingressClassName }}
diff --git a/...ronments/data-platform-apps-and-tools/src/helm/charts/cert-manager-additional/values.yaml b/...ronments/data-platform-apps-and-tools/src/helm/charts/cert-manager-additional/values.yaml
@@ -5,4 +5,7 @@ acme:
 aws:
   region:
   hostedZoneID:
-  dnsZone:
+  dnsZone:
+
+http01:
+  ingressClassName: default
diff --git a/terraform/environments/data-platform-apps-and-tools/src/helm/charts/static-assets/Chart.yaml b/terraform/environments/data-platform-apps-and-tools/src/helm/charts/static-assets/Chart.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v2
+name: static-assets
+description: A Helm chart to deploy Data Platform static assets
+type: application
+version: 1.0.0
+appVersion: 1.0.0
diff --git a/...ments/data-platform-apps-and-tools/src/helm/charts/static-assets/templates/deployment.yml b/...ments/data-platform-apps-and-tools/src/helm/charts/static-assets/templates/deployment.yml
@@ -0,0 +1,29 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: static-assets
+  template:
+    metadata:
+      labels:
+        app: static-assets
+    spec:
+      containers:
+        - name: static-assets
+          image: {{ .Values.image.repository }}@sha256:{{ .Values.image.sha }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          resources:
+            requests:
+              memory: {{ .Values.container.staticAssets.resources.requests.memory }}
+              cpu: {{ .Values.container.staticAssets.resources.requests.cpu }}
+            limits:
+              memory: {{ .Values.container.staticAssets.resources.limits.memory }}
+              cpu: {{ .Values.container.staticAssets.resources.limits.cpu }}
+          ports:
+            - containerPort: {{ .Values.container.staticAssets.port }}
diff --git a/...ronments/data-platform-apps-and-tools/src/helm/charts/static-assets/templates/ingress.yml b/...ronments/data-platform-apps-and-tools/src/helm/charts/static-assets/templates/ingress.yml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certManager.issuer }}
+    external-dns.alpha.kubernetes.io/hostname: {{ .Values.ingress.host }}
+spec:
+  ingressClassName: default
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: static-assets-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: static-assets
+                port:
+                  number: {{ .Values.container.staticAssets.port }}
diff --git a/...ronments/data-platform-apps-and-tools/src/helm/charts/static-assets/templates/service.yml b/...ronments/data-platform-apps-and-tools/src/helm/charts/static-assets/templates/service.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: static-assets
+  ports:
+    - protocol: TCP
+      port: {{ .Values.container.staticAssets.port }}
+      targetPort: {{ .Values.container.staticAssets.port }}
diff --git a/...aform/environments/data-platform-apps-and-tools/src/helm/charts/static-assets/values.yaml b/...aform/environments/data-platform-apps-and-tools/src/helm/charts/static-assets/values.yaml
@@ -0,0 +1,21 @@
+---
+image:
+  repository: ghcr.io/ministryofjustice/data-platform-static-assets
+  sha: 0b55c9eaecbd0fb517a4d32bedee9e682335eb74cadefba0a31cb874b3e1750d
+  pullPolicy: Always
+
+container:
+  staticAssets:
+    resources:
+      requests:
+        cpu: 250m
+        memory: 64Mi
+      limits:
+        cpu: 500m
+        memory: 128Mi
+    port: 8080
+
+ingress:
+  certManager:
+    issuer: letsencrypt-production-http01
+  host:
diff --git a/terraform/environments/data-platform-apps-and-tools/src/helm/gatekeeper/values.yml.tftpl b/terraform/environments/data-platform-apps-and-tools/src/helm/gatekeeper/values.yml.tftpl
@@ -9,3 +9,4 @@ controllerManager:
     - external-secrets
     - cosign-system
     - prometheus
+    - static-assets