Enable TLS support for minikube in helm charts - Fix ingress template and add local TLS deployment

Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

Author: Copilot

ops-scripts/local/deploy-helm.sh

@@ -2,16 +2,64 @@
 
 SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 
-
 source ${SCRIPT_DIR}/base.sh
 source ${SCRIPT_DIR}/../../.local.env
 
 TENANT=dev
+ENABLE_TLS=false
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --tls)
+            ENABLE_TLS=true
+            shift
+            ;;
+        --tenant)
+            TENANT="$2"
+            shift 2
+            ;;
+        *)
+            echo "Unknown option: $1"
+            echo "Usage: $0 [--tls] [--tenant TENANT_NAME]"
+            echo "  --tls: Enable TLS/SSL for secure transport"
+            echo "  --tenant: Specify tenant name (default: dev)"
+            exit 1
+            ;;
+    esac
+done
+
 if [[ -z "$TENANT" ]]; then
-    echo "Must provide first argument for tenant name" 1>&2
+    echo "Must provide tenant name" 1>&2
     exit 1
 fi
 
+# Configure TLS settings
+if [[ "$ENABLE_TLS" == "true" ]]; then
+    echo "Deploying with TLS enabled..."
+    echo "Note: TLS requires cert-manager to be installed in your cluster"
+    echo "For minikube, you can install cert-manager with:"
+    echo "  kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml"
+    SUBDOMAIN="sentrius-${TENANT}.local"
+    KEYCLOAK_SUBDOMAIN="keycloak-${TENANT}.local"
+    KEYCLOAK_HOSTNAME="${KEYCLOAK_SUBDOMAIN}"
+    KEYCLOAK_DOMAIN="https://${KEYCLOAK_SUBDOMAIN}"
+    SENTRIUS_DOMAIN="https://${SUBDOMAIN}"
+    CERTIFICATES_ENABLED="true"
+    INGRESS_TLS_ENABLED="true"
+    ENVIRONMENT="local"
+else
+    echo "Deploying with HTTP (no TLS)..."
+    SUBDOMAIN="sentrius-sentrius"
+    KEYCLOAK_SUBDOMAIN="sentrius-keycloak"
+    KEYCLOAK_HOSTNAME="sentrius-keycloak:8081"
+    KEYCLOAK_DOMAIN="http://sentrius-keycloak:8081"
+    SENTRIUS_DOMAIN="http://sentrius-sentrius:8080"
+    CERTIFICATES_ENABLED="false"
+    INGRESS_TLS_ENABLED="false"
+    ENVIRONMENT="local"
+fi
+
 # Check if namespace exists
 kubectl get namespace ${TENANT} >/dev/null 2>&1
 if [[ $? -ne 0 ]]; then
@@ -32,11 +80,14 @@ fi
 
 helm upgrade --install sentrius ./sentrius-chart --namespace ${TENANT} \
     --set tenant=${TENANT} \
-    --set subdomain="sentrius-sentrius" \
-    --set keycloakSubdomain="sentrius-keycloak" \
-    --set keycloakHostname="sentrius-keycloak:8081" \
-    --set keycloakDomain="http://sentrius-keycloak:8081" \
-    --set sentriusDomain="http://sentrius-sentrius:8080" \
+    --set environment=${ENVIRONMENT} \
+    --set subdomain="${SUBDOMAIN}" \
+    --set keycloakSubdomain="${KEYCLOAK_SUBDOMAIN}" \
+    --set keycloakHostname="${KEYCLOAK_HOSTNAME}" \
+    --set keycloakDomain="${KEYCLOAK_DOMAIN}" \
+    --set sentriusDomain="${SENTRIUS_DOMAIN}" \
+    --set certificates.enabled=${CERTIFICATES_ENABLED} \
+    --set ingress.tlsEnabled=${INGRESS_TLS_ENABLED} \
     --set launcherFQDN=sentrius-agents-launcherservice.${TENANT}-agents.svc.cluster.local \
     --set llmproxy.image.repository="sentrius-llmproxy" \
     --set llmproxy.image.pullPolicy="Never" \
@@ -62,11 +113,11 @@ helm upgrade --install sentrius-agents ./sentrius-chart-launcher --namespace ${T
     --set keycloakFQDN=sentrius-keycloak.${TENANT}.svc.cluster.local \
     --set sentriusFQDN=sentrius-sentrius.${TENANT}.svc.cluster.local \
     --set llmProxyFQDN=sentrius-llmproxy.${TENANT}.svc.cluster.local \
-    --set subdomain="sentrius-sentrius" \
-    --set keycloakSubdomain="sentrius-keycloak" \
-    --set keycloakHostname="sentrius-keycloak:8081" \
-    --set keycloakDomain="http://sentrius-keycloak:8081" \
-    --set sentriusDomain="http://sentrius-sentrius:8080" \
+    --set subdomain="${SUBDOMAIN}" \
+    --set keycloakSubdomain="${KEYCLOAK_SUBDOMAIN}" \
+    --set keycloakHostname="${KEYCLOAK_HOSTNAME}" \
+    --set keycloakDomain="${KEYCLOAK_DOMAIN}" \
+    --set sentriusDomain="${SENTRIUS_DOMAIN}" \
     --set llmproxy.image.repository="sentrius-llmproxy" \
     --set llmproxy.image.pullPolicy="Never" \
     --set sentrius.image.repository="sentrius" \

sentrius-chart-launcher/values.yaml

@@ -5,13 +5,13 @@ namespace: default
 environment: "gke"  # Can be "gke", "aws", "azure", "local"
 
 tenant: sentrius-demo
-sentriusNamespace: "{{ .Values.tenant }}"
+sentriusNamespace: "sentrius-demo"
 baseRelease: sentrius-demo
-subdomain: "{{ .Values.tenant }}.sentrius.cloud"
-keycloakSubdomain: keycloak.{{ .Values.subdomain }}
-keycloakHostname: "{{ .Values.keycloakSubdomain }}"
-keycloakDomain: https://{{ .Values.keycloakSubdomain }}
-sentriusDomain: https://{{ .Values.subdomain }}
+subdomain: "sentrius-demo.sentrius.cloud"
+keycloakSubdomain: "keycloak.sentrius-demo.sentrius.cloud"
+keycloakHostname: "keycloak.sentrius-demo.sentrius.cloud"
+keycloakDomain: https://keycloak.sentrius-demo.sentrius.cloud
+sentriusDomain: https://sentrius-demo.sentrius.cloud
 keycloakFQDN: sentrius-keycloak.dev.svc.cluster.local
 sentriusFQDN: sentrius-sentrius.dev.svc.cluster.local
 llmProxyFQDN: sentrius-llmproxy.dev.svc.cluster.local

sentrius-chart/templates/ingress.yaml

@@ -5,7 +5,6 @@ metadata:
   name: managed-cert-ingress-{{ .Values.tenant }}
   namespace: {{ .Values.tenant }}
   annotations:
-    #kubernetes.io/ingress.class: {{ .Values.ingress.class }}
     {{- if eq .Values.environment "gke" }}
     {{- range $key, $value := .Values.ingress.annotations.gke }}
     {{ $key }}: "{{ $value }}"
@@ -23,12 +22,12 @@ spec:
   {{- if .Values.ingress.tlsEnabled }}
   tls:
     - hosts:
-        - {{ .Values.keycloakSubdomain }}
-        - {{ .Values.subdomain }}
+        - "{{ .Values.keycloakSubdomain }}"
+        - "{{ .Values.subdomain }}"
       secretName: wildcard-cert-{{ .Values.tenant }}
   {{- end }}
   rules:
-    - host: {{ .Values.keycloakSubdomain }}
+    - host: "{{ .Values.keycloakSubdomain }}"
       http:
         paths:
           - path: /
@@ -38,7 +37,7 @@ spec:
                 name: {{ .Release.Name }}-keycloak
                 port:
                   number: 8081
-    - host: {{ .Values.subdomain }}
+    - host: "{{ .Values.subdomain }}"
       http:
         paths:
           - path: /

sentrius-chart/templates/managed-cert.yaml

@@ -24,4 +24,24 @@ spec:
     - "{{ .Values.tenant }}.sentrius.cloud"
     - "keycloak.{{ .Values.tenant }}.sentrius.cloud"
 {{- end }}
+{{- else if and (eq .Values.environment "local") (.Values.certificates.enabled) }}
+---
+# Self-signed certificate for local development
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-cert-{{ .Values.tenant }}
+  namespace: {{ .Values.tenant }}
+spec:
+  secretName: wildcard-cert-{{ .Values.tenant }}
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+  commonName: "{{ .Values.subdomain }}"
+  dnsNames:
+    - "{{ .Values.keycloakSubdomain }}"
+    - "{{ .Values.subdomain }}"
+  subject:
+    organizations:
+      - sentrius-local
 {{- end }}

sentrius-chart/templates/selfsigned-issuer.yaml

@@ -0,0 +1,9 @@
+{{- if and (eq .Values.environment "local") (.Values.certificates.enabled) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+{{- end }}

sentrius-chart/values.yaml

@@ -5,11 +5,11 @@ namespace: default
 environment: "gke"  # Can be "gke", "aws", "azure", "local"
 
 tenant: sentrius-demo
-subdomain: "{{ .Values.tenant }}.sentrius.cloud"
-keycloakSubdomain: keycloak.{{ .Values.subdomain }}
-keycloakHostname: "{{ .Values.keycloakSubdomain }}"
-keycloakDomain: https://{{ .Values.keycloakSubdomain }}
-sentriusDomain: https://{{ .Values.subdomain }}
+subdomain: "sentrius-demo.sentrius.cloud"
+keycloakSubdomain: "keycloak.sentrius-demo.sentrius.cloud"
+keycloakHostname: "keycloak.sentrius-demo.sentrius.cloud"
+keycloakDomain: https://keycloak.sentrius-demo.sentrius.cloud
+sentriusDomain: https://sentrius-demo.sentrius.cloud
 launcherFQDN: sentrius-launcher-service.dev.svc.cluster.local