From 5dfe2d824792ab24e5afb651accd15761eec1475 Mon Sep 17 00:00:00 2001
From: jk <77506864+1l1lIl1llll1Il1@users.noreply.github.com>
Date: Thu, 29 Apr 2021 14:39:10 +0300
Subject: [PATCH] Enable https and ambassador routing
---
 ambassador_mappings.yaml | 71 +++++++++++++++++++
 .../ambassador_values.yaml | 31 ++++++++
 .../container_deployment/jaeger_values.yaml | 2 +-
 modules/container_deployment/main.tf | 47 +++++++++---
 modules/container_deployment/prom_values.yaml | 16 ++++-
 modules/k8s/main.tf | 2 +-
 tls.yaml | 61 ++++++++++++++++
 7 files changed, 218 insertions(+), 12 deletions(-)
 create mode 100644 ambassador_mappings.yaml
 create mode 100644 modules/container_deployment/ambassador_values.yaml
 create mode 100644 tls.yaml
diff --git a/ambassador_mappings.yaml b/ambassador_mappings.yaml
new file mode 100644
index 0000000..4f93881
--- /dev/null
+++ b/ambassador_mappings.yaml
@@ -0,0 +1,71 @@
+apiVersion: getambassador.io/v2
+kind: TCPMapping
+metadata:
+ name: hono-http-adapter
+spec:
+ port: 18080
+ service: hono-adapter-http-vertx:8080
+---
+apiVersion: getambassador.io/v2
+kind: TCPMapping
+metadata:
+ name: hono-mqtt-adapter
+spec:
+ port: 1883
+ service: hono-adapter-mqtt-vertx:1883
+---
+apiVersion: getambassador.io/v2
+kind: TCPMapping
+metadata:
+ name: hono-device-registry
+spec:
+ port: 28080
+ service: hono-service-device-registry-ext:28080
+---
+apiVersion: getambassador.io/v2
+kind: TCPMapping
+metadata:
+ name: hono-dispatch-router
+spec:
+ port: 15671
+ service: hono-service-device-registry-ext:15671
+---
+apiVersion: getambassador.io/v2
+kind: TCPMapping
+metadata:
+ name: prometheus-grafana
+spec:
+ port: 3000
+ prefix: /grafana/
+ host: smaddis.westeurope.cloudapp.azure.com
+ service: prometheus-grafana:3000
+---
+apiVersion: getambassador.io/v2
+kind: TCPMapping
+metadata:
+ name: jaeger-operator-jaeger-query
+spec:
+ port: 16686
+ prefix: /jaeger/
+ host: smaddis.westeurope.cloudapp.azure.com
+ service: jaeger-operator-jaeger-query:16686
+---
+apiVersion: getambassador.io/v2
+kind: Mapping
+metadata:
+ name: acme-challenge-mapping
+spec:
+ prefix: /.well-known/acme-challenge/
+ rewrite: ""
+ service: acme-challenge-service
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: acme-challenge-service
+spec:
+ ports:
+ - port: 80
+ targetPort: 8089
+ selector:
+ acme.cert-manager.io/http01-solver: "true"
\ No newline at end of file
diff --git a/modules/container_deployment/ambassador_values.yaml b/modules/container_deployment/ambassador_values.yaml
new file mode 100644
index 0000000..c03a652
--- /dev/null
+++ b/modules/container_deployment/ambassador_values.yaml
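Review bot: The `prometheus-grafana` and `jaeger-operator-jaeger-query` TCPMappings publish the Grafana and Jaeger UIs as raw TCP on ports 3000 and 16686, bypassing the TLS termination that tls.yaml sets up for the same two paths; as far as I know a TCPMapping is layer-4 only, so `prefix: /grafana/` and `prefix: /jaeger/` are not honoured and `host:` acts as an SNI match rather than an HTTP host, and the Grafana service port also disagrees with tls.yaml (`prometheus-grafana:3000` here, `number: 80` there). Dropping these two mappings, together with the matching 3000/16686 entries in ambassador_values.yaml, leaves the UIs reachable only through the HTTPS Ingress. The `hono-dispatch-router` mapping points at `hono-service-device-registry-ext:15671`, which looks like a copy-paste from the mapping above it and should be checked against the dispatch router's actual external service name. Separately, 1883 and 8080 are conventionally the adapters' plaintext MQTT/HTTP ports, so device credentials would cross the load balancer unencrypted; exposing the adapters' TLS ports or terminating TLS at Ambassador would close that gap.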
@@ -0,0 +1,31 @@
+enableAES: false
+replicaCount: 1
+service:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ - name: https
+ port: 443
+ targetPort: 8443
+ - name: mqtt-adapter
+ port: 1883
+ targetPort: 1883
+ - name: http-adapter
+ port: 18080
+ targetPort: 18080
+ - name: device-registry
+ port: 28080
+ targetPort: 28080
+ - name: dispatch-router
+ port: 5671
+ targetPort: 15671
+ - name: grafana
+ port: 3000
+ targetPort: 3000
+ - name: jaeger
+ port: 16686
+ targetPort: 16686
+ - name: prometheus
+ port: 9090
+ targetPort: 9090
\ No newline at end of file
diff --git a/modules/container_deployment/jaeger_values.yaml b/modules/container_deployment/jaeger_values.yaml
index eac59a1..9bd8c1f 100644
--- a/modules/container_deployment/jaeger_values.yaml
+++ b/modules/container_deployment/jaeger_values.yaml
@@ -1,4 +1,4 @@
 jaeger:
 create: true
 metadata:
- name: "simple"
\ No newline at end of file
+ name: "simple"
diff --git a/modules/container_deployment/main.tf b/modules/container_deployment/main.tf
index bf4fb54..3ef8a34 100644
--- a/modules/container_deployment/main.tf
+++ b/modules/container_deployment/main.tf
@@ -29,7 +29,6 @@ resource "helm_release" "mongodb" { name = "auth.username" value = var.mongodb_username } - } # https://github.com/eclipse/packages/tree/83abeda25c0efd9446713aaa828ff4177ce4b27b/charts/hono
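Review bot: `service.ports` opens 9090 (`prometheus`) on the public LoadBalancer although ambassador_mappings.yaml defines no TCPMapping for that port, and it opens 3000 and 16686 in parallel with the HTTPS Ingress in tls.yaml, so the list should be trimmed to 80/443 plus the device-facing adapter ports that are actually mapped. With every service now behind one LoadBalancer, restricting source ranges for the operator-only ports (the chart's `service.loadBalancerSourceRanges`, if this chart version exposes it) is worth considering. The `dispatch-router` entry maps external 5671 to 15671 while the TCPMapping named `hono-dispatch-router` listens on 15671; that works, but the deliberate port shift deserves a comment such as `# external AMQPS port 5671 -> Ambassador listener 15671`.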
@@ -55,13 +54,17 @@ resource "helm_release" "hono" { } } -# https://github.com/kubernetes/ingress-nginx/tree/f5cfd5730c4b296c87fbc531c83a6e4f33483b75/charts/ingress-nginx -resource "helm_release" "ingress-nginx" { - name = "ingress-nginx" +# https://github.com/datawire/ambassador-chart/tree/c540b0d9e91f7def8a7d9b99217cb62cfe3014fb +resource "helm_release" "ambassador" { + name = "ambassador" + + repository = "https://getambassador.io" + chart = "ambassador" + version = "~> 6.6.0" + values = [ + file("${path.module}/ambassador_values.yaml") + ] - repository = "https://kubernetes.github.io/ingress-nginx" - chart = "ingress-nginx" - version = "~> 3.29.0" } # https://github.com/jaegertracing/helm-charts/tree/72db111cf61e9d85f75b74a8398f2c98da0bc9d3/charts/jaeger-operator resource "helm_release" "jaeger-operator" { @@ -75,6 +78,20 @@ resource "helm_release" "jaeger-operator" { ] } +# https://github.com/jetstack/cert-manager/tree/614438aed00e1060870b273f2238794ef69b60ab/deploy/charts/cert-manager +resource "helm_release" "cert-manager" { + name = "cert-manager" + + repository = "https://charts.jetstack.io" + chart = "cert-manager" + version = "~> 1.3.1" + + set { + name = "installCRDs" + value = "true" + } +} + # Import Hono dashboards to Grafana. Basically copied from Hono Helm charts. # How to import dashboards: https://github.com/grafana/helm-charts/tree/3327b6c7e9417f345774fd5a5eb46dd639ebeeec/charts/grafana#import-dashboards # Sidecar method: https://github.com/grafana/helm-charts/tree/3327b6c7e9417f345774fd5a5eb46dd639ebeeec/charts/grafana#sidecar-for-dashboards 
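Review bot: Removing the `ingress-nginx` release orphans the nginx class references this same commit adds elsewhere: prom_values.yaml sets `ingressClassName: nginx` for the Grafana ingress and tls.yaml's ClusterIssuer solver uses `class: nginx`, so with no nginx controller left the Grafana ingress is never served and the HTTP-01 challenge ingress that cert-manager creates has no controller to route it, which may be why a hand-rolled acme-challenge Mapping and Service had to be added in ambassador_mappings.yaml. Both should target Ambassador instead, the way the Ingress in tls.yaml already does with `kubernetes.io/ingress.class: ambassador`. The cert-manager release itself looks fine; the enclosing `jaeger-operator` resource starts and ends outside this hunk.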
@@ -108,4 +125,18 @@ resource "helm_release" "kube-prometheus-stack" {
 values = [
 file("${path.module}/prom_values.yaml")
 ]
-}
\ No newline at end of file
+}
+
+/*
+# Works if kubeconfig is properly configured (az aks get-credentials not needed after terraform apply is done)
+# Move tls.yaml and ambassador_mappings.yaml to modules/container_deployment directory
+# Terraform should apply them automatically after it's done creating the cluster
+# If it fails, it doesn't affect anything and you can apply them manually
+resource "null_resource" "kubectl_apply" {
+ triggers = {
+ k8s_yaml_contents = file("${path.module}/ambassador_mappings.yaml")
+ }
+ provisioner "local-exec" {
+ command = "kubectl apply -f ${path.module}/ambassador_mappings.yaml && kubectl apply -f ${path.module}/tls.yaml"
+ }
+}*/
diff --git a/modules/container_deployment/prom_values.yaml b/modules/container_deployment/prom_values.yaml
index f993a44..fbdaca8 100644
--- a/modules/container_deployment/prom_values.yaml
+++ b/modules/container_deployment/prom_values.yaml
@@ -1,4 +1,18 @@
 grafana:
+ service:
+ type: "ClusterIP"
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ hosts:
+ - smaddis.westeurope.cloudapp.azure.com
+ path: /grafana/
+ grafana.ini:
+ server:
+ domain: smaddis.westeurope.cloudapp.azure.com
+ root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana/"
+ serve_from_sub_path: true
+ http_port: 3000
 dashboardProviders:
 dashboardproviders.yaml:
 apiVersion: 1
@@ -11,8 +25,6 @@ grafana:
 editable: false
 options:
 path: /etc/secrets/dashboards/
- service:
- type: "LoadBalancer"
 extraSecretMounts:
 - name: dashboards-secret-mount
 secretName: grafana-hono-dashboards
diff --git a/modules/k8s/main.tf b/modules/k8s/main.tf
index ea287fd..f84cb3c 100644
--- a/modules/k8s/main.tf
+++ b/modules/k8s/main.tf
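Review bot: `root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana/"` expands to `http://smaddis.westeurope.cloudapp.azure.com:3000/grafana/`, but with `type: "ClusterIP"` Grafana is now reached only through the TLS Ingress on 443, so login redirects and absolute links would carry the wrong scheme and port; use the externally visible URL, `root_url: "https://smaddis.westeurope.cloudapp.azure.com/grafana/"`. Since sessions now travel over HTTPS, adding `security: cookie_secure: true` under `grafana.ini` keeps the session cookie off any plaintext path. In the main.tf hunk on this line, the `null_resource` that applies ambassador_mappings.yaml and tls.yaml is left commented out, so those resources live outside Terraform state and must be applied by hand; if the kubeconfig ordering described in the comment is the blocker, the kubernetes provider's `kubernetes_manifest` resource would keep them managed, and otherwise the manual step should at least be documented next to the module.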
@@ -122,7 +122,7 @@ resource "kubernetes_persistent_volume_claim" "example" { } } -#resource "kubernetes_namespace" "hono" { +# resource "kubernetes_namespace" "hono" { # metadata { # name = "hono" # }
diff --git a/tls.yaml b/tls.yaml
new file mode 100644
index 0000000..d2b6bd0
--- /dev/null
+++ b/tls.yaml
@@ -0,0 +1,61 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: amb-ingress
+ annotations:
+ kubernetes.io/ingress.class: ambassador
+spec:
+ tls:
+ - hosts:
+ - smaddis.westeurope.cloudapp.azure.com
+ secretName: ambassador-certs
+ rules:
+ - host: smaddis.westeurope.cloudapp.azure.com
+ http:
+ paths:
+ - path: /grafana/
+ pathType: Prefix
+ backend:
+ service:
+ name: prometheus-grafana
+ port:
+ number: 80
+ - path: /jaeger/
+ pathType: Prefix
+ backend:
+ service:
+ name: jaeger-operator-jaeger-query
+ port:
+ number: 16686
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ email: email@example.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+ selector: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ambassador-certs
+ # cert-manager will put the resulting Secret in the same Kubernetes
+ # namespace as the Certificate. You should create the certificate in
+ # whichever namespace you want to configure a Host.
+ namespace: default
+spec:
+ secretName: ambassador-certs
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ dnsNames:
+ - smaddis.westeurope.cloudapp.azure.com
\ No newline at end of file
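Review bot: `email: email@example.com` will make account registration against `https://acme-v02.api.letsencrypt.org/directory` fail, because Let's Encrypt's production CA rejects contact addresses in the reserved example.* domains, so no certificate is ever issued and the `ambassador-certs` secret the Ingress expects never appears; use a monitored mailbox (a constructed placeholder such as `ops@<your-domain>` shows the shape). The `/jaeger/` rule publishes `jaeger-operator-jaeger-query` on a public hostname, and the Jaeger query UI has no authentication of its own, so unless something in front of it adds auth the trace data, including whatever request metadata Hono records in spans, is world-readable; an Ambassador AuthService or a source-range restriction in front of that path would close it. The Certificate is pinned to `namespace: default` while the Ingress carries no namespace, and the TLS secret has to land in the namespace Ambassador reads it from, so either set the Ingress namespace explicitly or record the assumption in a comment beside `namespace: default`.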