Commit

Add WebView Support eclipse-theia/theia-cloud#296 (#57)
* add additional information to AppDefinition for other hostnames that have to be exposed
* adapt self-signed certificate generation to use a CA that can be imported as an authority in a browser
* add additional wildcard rules when installing the instance ingress
* adapt document regeneration documentation to always use latest image
* optionally set tls secret name when using paths
jfaltermeier authored Jun 17, 2024
1 parent ef34fb3 commit 81d7102
Showing 21 changed files with 133 additions and 15 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@
- [theia-cloud-crds] Add option field to CRDs and increase version to `Session.v1beta8`, `Workspace.v1beta5` and `AppDefinition.v1beta10` [#55](https://github.com/eclipsesource/theia-cloud-helm/pull/55) | [#293](https://github.com/eclipsesource/theia-cloud/pull/293)
- [theia-cloud] Add configurable image preloading [#56](https://github.com/eclipsesource/theia-cloud-helm/pull/56)
- [theia-cloud] Add landing page configuration options for logo file extension, loading text, user info title & text [#58](https://github.com/eclipsesource/theia-cloud-helm/pull/58) - contributed on behalf of STMicroelectronics
- [theia-cloud-base] Self signed certificates are now signed by a Theia Cloud certificate authority. The certificate of the authority may be exported and imported in your Browser for easier local testing [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57)
- [theia-cloud-crds] Add `ingressHostnamePrefixes` list to `AppDefinition.v1beta10` [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57) | [#298](https://github.com/eclipsesource/theia-cloud/pull/298)
- [theia-cloud] Add `allWildcardInstances` to values and create TLS entries for them in the instances-ingress [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57)
- [theia-cloud] Add `hosts.paths.tlsSecretName` to values which allows to optionally set the tls secretName on the ingress tls section when using paths [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57)
- [theia-cloud] Add `ingress.certManagerAnnotations` to values which allows to configure whether cert manager annotations will be added to the ingresses [#57](https://github.com/eclipsesource/theia-cloud-helm/pull/57)

## [0.10.0] - 2024-04-02

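Review bot: the added [theia-cloud-base] entry describes the new CA but not what an upgrader has to act on. The chart gains the values `issuerca.name` and `certmanager.namespace`, and the existing `theia-cloud-selfsigned-issuer` changes from a `selfSigned` issuer to a `ca` issuer backed by the `theia-cloud-ca-key-pair` secret. Suggest naming both values in the entry and stating that the exported CA certificate is meant for local testing only, since a browser that imports it will accept every certificate that CA signs.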
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,5 +44,5 @@ Furthermore, the new version, together with a release estimation date, should be
## How to generate Chart READMEs

```bash
docker run --rm --volume "$(pwd)/charts:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest
docker pull jnorwood/helm-docs:latest && docker run --rm --volume "$(pwd)/charts:/helm-docs" -u $(id -u) jnorwood/helm-docs:latest
```
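Review bot: the replacement command on the `docker pull` line still resolves the mutable `latest` tag, so the generated READMEs depend on whichever image is published when the command runs (the regenerated footer in this commit moves from helm-docs v1.12.0 to v1.13.1 for that reason), and that image runs with `charts/` mounted writable. Suggest pinning the image to a release tag or digest matching the helm-docs version named in the generated footer and bumping it deliberately; the separate `docker pull` then becomes unnecessary.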
2 changes: 1 addition & 1 deletion charts/theia-cloud-crds/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.11.0-next.1
version: 0.11.0-next.2

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
4 changes: 2 additions & 2 deletions charts/theia-cloud-crds/README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# theia-cloud-crds

![Version: 0.11.0-next.1](https://img.shields.io/badge/Version-0.11.0--next.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)
![Version: 0.11.0-next.2](https://img.shields.io/badge/Version-0.11.0--next.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)

A Helm chart for the custom resource definitions (CRDs) of Theia Cloud

Expand All @@ -13,4 +13,4 @@ A Helm chart for the custom resource definitions (CRDs) of Theia Cloud
| conversion.image | string | `"theiacloud/theia-cloud-conversion-webhook:0.11.0-next"` | The image of the webhook container |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,10 @@ spec:
maximum: 65535
ingressname:
type: string
ingressHostnamePrefixes:
type: array
items:
type: string
minInstances:
type: integer
maxInstances:
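Review bot: the added `ingressHostnamePrefixes` schema (`type: array` / `items: type: string`) accepts arbitrary strings, with no `pattern`, `maxLength`, `maxItems` or `description`. These prefixes are exposed as additional hostnames on the ingress, so the schema should restrict items to DNS-label characters (optionally with a leading `*.`) and cap the list size, so that a malformed prefix is rejected at admission instead of reaching an Ingress rule. A `description` stating the expected trailing dot, as in the chart default `*.webview.`, would help as well.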
2 changes: 1 addition & 1 deletion charts/theia.cloud-base/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.11.0-next.0
version: 0.11.0-next.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
4 changes: 3 additions & 1 deletion charts/theia.cloud-base/README.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,16 @@
# theia-cloud-base

![Version: 0.11.0-next.0](https://img.shields.io/badge/Version-0.11.0--next.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)
![Version: 0.11.0-next.1](https://img.shields.io/badge/Version-0.11.0--next.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)

Theia-cloud base chart

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| certmanager.namespace | string | `"cert-manager"` | the namespace where the cert-manager is installed |
| issuer.email | string | `"[email protected]"` | email used to issue let's encrypt certificates |
| issuerca.name | string | `"theia-cloud-ca-certificate-signer"` | name for the issuer preparing a self signed CA certificate |
| issuerprod.name | string | `"letsencrypt-prod"` | name for the let's encrypt production cluster issuer |
| issuerstaging.name | string | `"theia-cloud-selfsigned-issuer"` | name for the self signed cluster issuer |
| operatorrole.name | string | `"operator-api-access"` | name for the operator's cluster role |
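Review bot: the unchanged `issuerstaging.name` row still reads "name for the self signed cluster issuer", but after this commit that issuer is a `ca` issuer signing with the Theia Cloud CA, and the new `issuerca.name` issuer is the self-signed one. Since this table is generated, update the comment in `values.yaml` and regenerate, so the two rows are not confused when someone chooses a value for `ingress.clusterIssuer`.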
7 changes: 7 additions & 0 deletions charts/theia.cloud-base/templates/clusterissuer-for-ca.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: {{ .Values.issuerca.name }}
spec:
selfSigned: {}

Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,6 @@ kind: ClusterIssuer
metadata:
name: {{ .Values.issuerstaging.name }}
spec:
selfSigned: {}
ca:
secretName: theia-cloud-ca-key-pair
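Review bot: `secretName: theia-cloud-ca-key-pair` is a literal here and again in `theia-cloud-ca-certificate.yaml`, while both issuer names are chart values. A rename in one template silently breaks the other and leaves this issuer unable to sign. Suggest a single value or named template for the secret name, used by both files.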

14 changes: 14 additions & 0 deletions charts/theia.cloud-base/templates/theia-cloud-ca-certificate.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: theia-cloud-ca-certificate
namespace: {{ .Values.certmanager.namespace }}
spec:
commonName: "Theia Cloud CA"
secretName: theia-cloud-ca-key-pair
isCA: true
issuerRef:
name: {{ .Values.issuerca.name }}
kind: ClusterIssuer
duration: 2160h
renewBefore: 360h
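Review bot: `duration: 2160h` with `renewBefore: 360h` gives the CA certificate itself a 90-day lifetime with renewal after 75 days, which fits badly with the stated purpose of importing it into a browser: the imported CA certificate expires after 90 days and has to be exported and imported again after each renewal. Suggest a longer `duration` for the CA than for the leaf certificates it signs and an explicit `privateKey` section. The spec sets no constraints on what this CA may sign, so it is also worth documenting who may read `theia-cloud-ca-key-pair`, because that secret can sign certificates for any hostname an importing browser will accept.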
10 changes: 9 additions & 1 deletion charts/theia.cloud-base/values.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
issuerca:
# -- name for the issuer preparing a self signed CA certificate
name: theia-cloud-ca-certificate-signer

issuerprod:
# -- name for the let's encrypt production cluster issuer
name: letsencrypt-prod
Expand All @@ -16,4 +20,8 @@ operatorrole:

servicerole:
# -- name for the services' cluster role
name: service-api-access
name: service-api-access

certmanager:
# -- the namespace where the cert-manager is installed
namespace: cert-manager
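Review bot: the comment on `certmanager.namespace` says "the namespace where the cert-manager is installed", but the value decides where the `theia-cloud-ca-key-pair` secret is created, and a ClusterIssuer reads its CA secret from cert-manager's cluster resource namespace. The two coincide in a default install but not necessarily otherwise; suggest wording the comment accordingly so a non-default setup does not end up with an issuer that cannot find its secret.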
2 changes: 1 addition & 1 deletion charts/theia.cloud/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.11.0-next.2
version: 0.11.0-next.3

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand Down
14 changes: 11 additions & 3 deletions charts/theia.cloud/README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# theia-cloud

![Version: 0.11.0-next.0](https://img.shields.io/badge/Version-0.11.0--next.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)
![Version: 0.11.0-next.3](https://img.shields.io/badge/Version-0.11.0--next.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0-next](https://img.shields.io/badge/AppVersion-0.11.0--next-informational?style=flat-square)

A Helm chart for Theia.cloud

Expand All @@ -12,6 +12,7 @@ A Helm chart for Theia.cloud
| app.id | string | `"asdfghjkl"` | The app id which is used in the communication between website and REST-API as a spam migitation. This id is public. Please choose an random generated string. |
| app.logo | string | `"logos/theiablueprint.svg"` | The logo of the application that should be displayed on the landing pages |
| app.logoData | string | `nil` | set app.logoData=$(cat path/to/file.svg | base64 -w 0 -) Another way is to directly add the base64 string to the values file. |
| app.logoFileExtension | string | `"svg"` | The file extension of the logo. Must be set to match the logo respectively the logoData. This is required because browsers cannot show a binary image (e.g. png) with a svg ending and vice-versa. |
| app.name | string | `"Theia Blueprint"` | The name of the application that should be displayed on the landing pages |
| demoApplication | object | (see details below) | Information about the demo application to be installed |
| demoApplication.imagePullPolicy | string | `nil` | Optional: Override the imagePullPolicy for the main application's docker image. If this is omitted or empty, the root at .Values.imagePullPolicy is used. |
Expand All @@ -25,13 +26,15 @@ A Helm chart for Theia.cloud
| demoApplication.pullSecret | string | `""` | the image pull secret. Leave empty if registry is public |
| demoApplication.timeout | string | `"30"` | Limit in minutes |
| hosts | object | (see details below) | You may adjust the hostname below. |
| hosts.allWildcardInstances | list | `["*.webview."]` | all additional wildcard hostnames that may be required in the launched Theia-applications, e.g. "*.webview." which leads to "*.webview.ws.192.168.39.173.nip.io" to expose webviews. Please note that this means that this usually means that all "ingressHostnamePrefixes" patterns from all app definitions need to be added. These are required to configure TLS (if enabled via hosts.tls == true) |
| hosts.instance | string | `"ws.192.168.39.173.nip.io"` | hostname for the launched Theia-applications |
| hosts.landing | string | `"theia.cloud.192.168.39.173.nip.io"` | hostname of the landing page |
| hosts.paths | object | (see details below) | Only needed when usePaths == true. Contains the baseHost and paths for all services |
| hosts.paths.baseHost | string | `"192.168.39.173.nip.io"` | baseHost configures the host for all services when usePaths == true. Otherwise the explicit host definitions of the services are used. |
| hosts.paths.instance | string | `"instances"` | path for deployed instances |
| hosts.paths.landing | string | `"trynow"` | path of the landing page |
| hosts.paths.service | string | `"servicex"` | path of the REST service |
| hosts.paths.tlsSecretName | bool | `false` | whether the default Theia Cloud tls secret names should be used. If false no tls secret name will be set on the ingress only needed when hosts.usePaths == true and hosts.tls == true |
| hosts.service | string | `"service.192.168.39.173.nip.io"` | hostname of the REST-API |
| hosts.servicePort | int | `8081` | service port (default: 8081) |
| hosts.serviceProtocol | string | `"https"` | protocol of the REST-API |
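Review bot: the added `hosts.paths.tlsSecretName` row is typed `bool` with default `false`, yet the name reads like the name of a secret; in the path-based ingress template a true value only switches on the fixed `secretName: ws-cert-secret`. Suggest either a boolean-sounding name or a string value that carries the secret name. The description also runs two sentences together ("...set on the ingress only needed when..."), and the `hosts.allWildcardInstances` text repeats "this means that this usually means that"; both come from `values.yaml` comments and should be fixed there before regenerating.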
Expand All @@ -40,10 +43,11 @@ A Helm chart for Theia.cloud
| hosts.useServicePortInHostname | bool | `false` | whether the service port needs to be part of the service URL (default: false) |
| imagePullPolicy | string | `"Always"` | The default imagePullPolicy for containers of theia cloud. Can be overridden for individual components by specifying the imagePullPolicy variable there. Possible values: - Always - IfNotPresent - Never |
| ingress | object | (see details below) | Values to influence the ingresses |
| ingress.clusterIssuer | string | `"letsencrypt-prod"` | The cluster issuer to use |
| ingress.certManagerAnnotations | bool | `true` | When set to true the cert-manager.io annotations will be set. When false certificate management is handled outside of Theia Cloud. |
| ingress.clusterIssuer | string | `"letsencrypt-prod"` | The cluster issuer to use Only needed when ingress.certManagerAnnotations is true |
| ingress.instanceName | string | `"theia-cloud-demo-ws-ingress"` | The name of the ingress which will be updated to publish new theia application. If this is not existing it will be created. You may chose to set the ingress up yourself and point theia.cloud to the ingress via the name |
| ingress.proxyBodySize | string | `"1m"` | Sets the maximum allowed size of the client request body inside the application (e.g. file uploads in Theia). Defaults to 1m. Setting size to 0 disables checking of client request body size. |
| ingress.theiaCloudCommonName | bool | `false` | When set to true the cert-manager.io/common-name annotation will be set. This is only required when the issued certificate by the cert-manager misses a common-name |
| ingress.theiaCloudCommonName | bool | `false` | When set to true the cert-manager.io/common-name annotation will be set. This is only required when the issued certificate by the cert-manager misses a common-name Only needed when ingress.certManagerAnnotations is true |
| issuer | object | (see details below) | Values related to certificates/Cert-manager |
| issuer.email | string | `"[email protected]"` | EMail address of the certificate issuer. |
| keycloak | object | (see details below) | Values related to Keycloak |
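Review bot: the changed descriptions for `ingress.clusterIssuer` and `ingress.theiaCloudCommonName` lost their sentence break ("The cluster issuer to use Only needed when ..."). Put a full stop before "Only needed" in the `values.yaml` comments and regenerate. The `ingress.certManagerAnnotations` row should also say that with `false` the TLS secret referenced by the ingress has to be supplied by whoever manages certificates outside Theia Cloud.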
Expand All @@ -56,10 +60,14 @@ A Helm chart for Theia.cloud
| landingPage | object | (see details below) | Values related to the landing page |
| landingPage.additionalApps | string | `nil` | The page may show these additional apps in a drop down. This is a map. The key maps to the app definition name The value is the label that is supposed to be shown in the UI Example: different-app-definition: label: "Different App Definition" further-app-definition: label: "Further App Definition" |
| landingPage.appDefinition | string | `"theia-cloud-demo"` | the app id to launch |
| landingPage.disableInfo | bool | `false` | Should showing info title and text below the launch button be disabled true hides the info title and text false shows the info title and text |
| landingPage.ephemeralStorage | bool | `true` | If set to true no persisted storage is used when creating sessions on the landing page. Set to false if you want to use persisted storage. |
| landingPage.image | string | `"theiacloud/theia-cloud-landing-page:0.11.0-next"` | the landing page image to use |
| landingPage.imagePullPolicy | string | `nil` | Optional: Override the imagePullPolicy for the landing page's docker image. If this is omitted or empty, the root at .Values.imagePullPolicy is used. |
| landingPage.imagePullSecret | string | `nil` | Optional: the image pull secret |
| landingPage.infoText | string | `nil` | Optional: If specified with a value, this overrides the info text shown on the landing page. Empty values are ignored. Use `disableInfo` to deactivate showing the info completely. |
| landingPage.infoTitle | string | `nil` | Optional: If specified with a value, this overrides the title of the info text shown on the landing page. Empty values are ignored. Use `disableInfo` to deactivate showing the info completely. |
| landingPage.loadingText | string | `nil` | Optional: If specified with a value, this overrides the message shown to the user while the session is started. Empty values are ignored and the default text is used. |
| monitor | object | (see details below) | Values to influence the monitor initialization on the operator |
| monitor.activityTracker | object | (see details below) | Values to influence the activityTracker module |
| monitor.activityTracker.enable | bool | `true` | Should the activityTracker module be enabled |
21 changes: 20 additions & 1 deletion charts/theia.cloud/templates/instances-ingress-path-based.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,17 +13,36 @@ metadata:
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header 'X-Forwarded-Uri' $request_uri;
nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.proxyBodySize | toString) . }}
{{- if .Values.hosts.paths.tlsSecretName }}
{{- if .Values.ingress.certManagerAnnotations }}
cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }}
{{- if .Values.ingress.theiaCloudCommonName }}
cert-manager.io/common-name: "Theia.Cloud"
{{- end }}
acme.cert-manager.io/http01-ingress-class: nginx
{{- end }}
{{- end }}
spec:
ingressClassName: nginx
{{- if .Values.hosts.tls }}
tls:
- hosts:
- {{ tpl (.Values.hosts.paths.baseHost | toString) . }}
{{- range .Values.hosts.allWildcardInstances }}
- {{ printf "'%s%s'" . $.Values.hosts.paths.baseHost }}
{{- end }}
{{- if .Values.hosts.paths.tlsSecretName }}
secretName: ws-cert-secret
{{- end }}
{{- end }}
{{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .) ) }}
rules:
- host: {{ tpl (.Values.hosts.paths.baseHost | toString) . }}
http:
{{- range .Values.hosts.allWildcardInstances }}
- host: {{ printf "'%s%s'" . $.Values.hosts.paths.baseHost }}
http:
{{- end }}
{{- else }}
rules:
{{ range $rule := (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .)).spec.rules }}
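Review bot: the two added `printf "'%s%s'" . $.Values.hosts.paths.baseHost` lines use the raw value, while the neighbouring lines render the same host with `tpl (.Values.hosts.paths.baseHost | toString) .`. If `baseHost` contains a template expression, the wildcard entries carry the unrendered text and no longer match the base host. Suggest applying `tpl` with the root context (`$`) inside the `range`. Separately, the cert-manager annotations are now emitted only when `hosts.paths.tlsSecretName` is true, so `ingress.certManagerAnnotations` has no effect on its own in path mode; state that in the values documentation if it is intended.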
Expand All @@ -43,4 +62,4 @@ spec:
{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
11 changes: 10 additions & 1 deletion charts/theia.cloud/templates/instances-ingress.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,13 @@ metadata:
{{- if not .Values.hosts.tls }}
nginx.ingress.kubernetes.io/ssl-redirect: "false"
{{- end }}
{{- if .Values.ingress.certManagerAnnotations }}
cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }}
{{- if .Values.ingress.theiaCloudCommonName }}
cert-manager.io/common-name: "Theia.Cloud"
{{- end }}
acme.cert-manager.io/http01-ingress-class: nginx
{{- end }}
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/configuration-snippet: |
Expand All @@ -24,12 +26,19 @@ spec:
tls:
- hosts:
- {{ tpl (.Values.hosts.instance | toString) . }}
{{- range .Values.hosts.allWildcardInstances }}
- {{ printf "'%s%s'" . $.Values.hosts.instance }}
{{- end }}
secretName: ws-cert-secret
{{- end }}
{{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .) ) }}
rules:
- host: {{ tpl (.Values.hosts.instance | toString) . }}
http:
{{- range .Values.hosts.allWildcardInstances }}
- host: {{ printf "'%s%s'" . $.Values.hosts.instance }}
http:
{{- end }}
{{- else }}
rules:
{{ range $rule := (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .)).spec.rules }}
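Review bot: the added `range` under `tls.hosts` puts wildcard names (the prefix from `allWildcardInstances` followed by the instance host) into the certificate request for an ingress that is annotated with `acme.cert-manager.io/http01-ingress-class: nginx` and defaults to `ingress.clusterIssuer: letsencrypt-prod`. ACME HTTP-01 validation cannot issue wildcard certificates (Let's Encrypt requires DNS-01 for those), so with `hosts.tls` enabled and the default `["*.webview."]` the request for `ws-cert-secret` will not be fulfilled. Suggest documenting that wildcard instances need a DNS-01 capable issuer or an externally managed certificate, or skipping the wildcard TLS entries when the HTTP-01 annotations are in effect. The added lines also read `$.Values.hosts.instance` without `tpl`, unlike the line above them, which renders the same value with `tpl (.Values.hosts.instance | toString) .`.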
Expand All @@ -49,4 +58,4 @@ spec:
{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}