openedx / openedx-k8s-harmony

A Prototype Helm Chart for deploying multiple Open edX instances (via Tutor) onto a cluster.
GNU Affero General Public License v3.0

Add option for nginx + cert manager #1

Closed bradenmacdonald closed 1 year ago

bradenmacdonald commented 1 year ago

Currently this helm chart deploys Traefik as the Ingress Controller.

We want an option (probably should be the default) to instead install nginx + cert-manager.

It should work the same way as the current prototype - when a new Open edX instance is installed via Tutor, the Ingress object it creates will register it with the Ingress Controller, and nginx+cert-manager will take care of getting an HTTPS cert and forwarding traffic to that new Caddy instance.

antoviaque commented 1 year ago

We quickly discussed this work during the meeting, with @felipemontoya and @MoisesGSalas having posted a pull request for the work at https://github.com/openedx/tutor-contrib-multi/pull/10 . @bradenmacdonald will do a review (anyone else wants to review too?)

lknite commented 1 year ago

I'd recommend expecting that 'cert-manager' and 'nginx-ingress-controller' are already installed.

Most helm charts just have an ingress template, which you can enable or not, generally enabled by default & a place to specify ingress annotations (that's where you'd add your cert-manager annotations). Also, in general there is a field to specify 'ingressClassName', which for me would be 'nginx' because I use the nginx ingress controller.

There was a project 'k8s-at-home' which used a common charts library. They had maybe 100 apps. For each of the apps, you'd specify the configuration of the ingress and the common library would generate the ingress. 'k8s-at-home' has since become deprecated and the common library has been moved over to the 'truecharts' project.

I'm not suggesting you might want to use that common library, but to see it as an example that for all those apps everyone was just expected to have the ingress controller & cert-manager installed, and only to specify how to configure the ingress ... after that an ingress template would fill in the values for ingressClassName, the host url, and the tls host url, and also the annotations.

Lots of ingress templates out there, all fairly similar, maybe this one is a good example: https://github.com/MoJo2600/pihole-kubernetes/blob/master/charts/pihole/templates/ingress.yaml

With the ingress section in the values file looking something like this:

```yaml
# -- Configuration for the Ingress
ingress:
  # -- Generate a Ingress resource
  enabled: false

  # -- Specify an ingressClassName
  # ingressClassName: nginx

  # -- Annotations for the ingress
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    # virtualHost (default value is pi.hole) will be appended to the hosts
    - chart-example.local
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #     #- virtualHost (default value is pi.hole) will be appended to the hosts
  #      - chart-example.local
```

I'm only just stopping by today, so maybe you already have something else in mind. I was just looking to see if there was a helm chart so I could install Open edX and give it a shot. I wouldn't want it to install cert-manager or an ingress controller by default.
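Editor's added example, not part of any comment in this thread and not the project's own chart: the values pattern described above with the cert-manager annotation filled in, followed by the Ingress such a template would render for one Open edX instance. The host name, the ClusterIssuer name `letsencrypt-prod`, the Secret name, and the `caddy` Service on port 80 are assumptions chosen for illustration.

```yaml
# values.yaml (constructed): ingress controller and cert-manager are assumed
# to be installed already; the chart only describes the Ingress it wants.
ingress:
  enabled: true
  ingressClassName: nginx            # selects the nginx ingress controller
  annotations:
    # Asks cert-manager to issue the certificate from this ClusterIssuer.
    # The issuer name is hypothetical and must exist in the cluster.
    cert-manager.io/cluster-issuer: letsencrypt-prod
  path: /
  hosts:
    - lms.example.com                # placeholder host
  tls:
    - secretName: lms-example-com-tls
      hosts:
        - lms.example.com
---
# Ingress rendered from the values above (constructed).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: openedx-example
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    # cert-manager writes the issued key pair into this Secret and the
    # ingress controller serves it for the listed hosts.
    - secretName: lms-example-com-tls
      hosts:
        - lms.example.com
  rules:
    - host: lms.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: caddy          # assumed name of the instance's Caddy Service
                port:
                  number: 80
```

The hosts under `tls` must match the rule hosts, otherwise the controller serves its default certificate for the unmatched name. The `kubernetes.io/tls-acme: "true"` annotation from the quoted values only triggers issuance when cert-manager has a default issuer configured, which is why the explicit issuer annotation is used here.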

bradenmacdonald commented 1 year ago

@lknite Thanks for the info. We are working on this now in https://github.com/openedx/tutor-contrib-multi/pull/10 . Whether we install nginx+cert-manager for you or not, it will certainly be optional, so you can turn it off if you already have an ingress controller set up.

antoviaque commented 1 year ago

Recap from the meeting update - this is now waiting for a new review from @bradenmacdonald , which should likely lead to a merge of the work.

felipemontoya commented 1 year ago

Now that #10 is merged we can close this.