feat(helm): Add ingress to the helm chart (#640)

* Added ingress values.

* Added most of the ingress

* Fixed indentations.

* Commented out the host.

* Updated the values so they would actually read the files.

* Added tls secret name.

* Added tls secret.

* Added the option for ingress class name.

* Disabled the ingress by default.

* Added explanation at the readme.

* Updated the readme to the actual behaviour.

* Updated the readme template to generate warning about enabling the ingress.

* Updated the readme.

* Fix docs for tls secret for the ingress.

* Bumped the chart version.

* Updated the ingress part at the readme.

helm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sql-exporter
 description: Database-agnostic SQL exporter for Prometheus
 type: application
-version: 0.9.0
+version: 0.10.0
 appVersion: 0.16.0
 keywords:
   - exporter

helm/README.md

@@ -1,6 +1,6 @@
 # sql-exporter
 
-![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.16.0](https://img.shields.io/badge/AppVersion-0.16.0-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.16.0](https://img.shields.io/badge/AppVersion-0.16.0-informational?style=flat-square)
 
 Database-agnostic SQL exporter for Prometheus
 
@@ -23,6 +23,27 @@ helm repo add sql_exporter https://burningalchemist.github.io/sql_exporter/
 helm install sql_exporter/sql-exporter
 ```
 
+### Ingress support
+
+It's possible to enable the ingress creation by setting
+
+```yaml
+#Values
+ingress:
+  enabled: true
+```
+
+But as the sql_operator has a direct connection to databases,
+it might expose the database servers to possible DDoS attacks.
+It's not recommended by maintainers to use ingress for accessing the exporter,
+but if there are no other options,
+security measures should be taken.
+
+For example, a user might enable the basic auth on the ingress level.
+Take a look on how it's done at the
+[nginx ingress controller](https://kubernetes.github.io/ingress-nginx/examples/auth/basic/)
+as an example.
+
 ## Chart Values
 
 ### General parameters
@@ -39,6 +60,15 @@ helm install sql_exporter/sql-exporter
 | service.port | int | `80` | Service port |
 | service.labels | object | `{}` | Service labels |
 | service.annotations | object | `{}` | Service annotations |
+| ingress.enabled | bool | `false` |  |
+| ingress.labels | object | `{}` | Ingress labels |
+| ingress.annotations | object | `{}` | Ingress annotations |
+| ingress.ingressClassName | string | `""` | Ingress class name |
+| ingress.host | string | `""` | Ingress host |
+| ingress.tls | object | `{"crt":"","enabled":false,"key":"","secretName":""}` | Ingress TLS, can be defined by cert secret, or by key and cert. |
+| ingress.tls.secretName | string | `""` | Ingress tls secret if already exists. |
+| ingress.tls.crt | string | `""` | Ingress tls.crt, required if you don't have secret name. |
+| ingress.tls.key | string | `""` | Ingress tls.key, required if you don't have secret name. |
 | extraContainers | object | `{}` | Arbitrary sidecar containers list |
 | serviceAccount.create | bool | `true` | Specifies whether a Service Account should be created, creates "sql-exporter" service account if true, unless overriden. Otherwise, set to `default` if false, and custom service account name is not provided. Check all the available parameters. |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the Service Account |

helm/README.md.gotmpl

@@ -21,6 +21,27 @@ helm repo add sql_exporter https://burningalchemist.github.io/sql_exporter/
 helm install sql_exporter/sql-exporter
 ```
 
+### Ingress support
+
+It's possible to enable the ingress creation by setting
+
+```yaml
+#Values
+ingress:
+  enabled: true
+```
+
+But as the sql_operator has a direct connection to databases,
+it might expose the database servers to possible DDoS attacks.
+It's not recommended by maintainers to use ingress for accessing the exporter,
+but if there are no other options,
+security measures should be taken.
+
+For example, a user might enable the basic auth on the ingress level.
+Take a look on how it's done at the
+[nginx ingress controller](https://kubernetes.github.io/ingress-nginx/examples/auth/basic/)
+as an example.
+
 ## Chart Values
 
 ### General parameters

helm/templates/_helpers.tpl

@@ -30,6 +30,17 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Create tls secret name based on the chart name
+*/}}
+{{- define "sql-exporter.tls.name" -}}
+{{- if ((.Values.ingress).tls).secretName -}}
+{{- .Values.ingress.tls.secretName }}
+{{- else -}}
+{{- printf "%s-%s" (include "sql-exporter.fullname" .) "tls" }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}

helm/templates/ingress.yaml

@@ -0,0 +1,38 @@
+{{- if (.Values.ingress).enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "sql-exporter.fullname" . }}
+  labels:
+    {{- include "sql-exporter.labels" . | nindent 4 }}
+    {{- with .Values.ingress.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  {{- end }}
+  {{- if (.Values.ingress.tls).enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host | required "Ingress host is required if tls is enabled!" }}
+      secretName: {{ include "sql-exporter.tls.name" . }}
+  {{- end }}
+  rules:
+  - http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: {{ include "sql-exporter.fullname" . }}
+              port:
+                number: {{ .Values.service.port }}
+    {{- if .Values.ingress.host }}
+    host: {{ .Values.ingress.host }}
+    {{- end }}
+{{- end -}}

helm/templates/secret.tls.yaml

@@ -0,0 +1,15 @@
+# ---------------------------------------------------------------------
+# -- This secret holds the tls key and cert of sql_exporter's ingress
+# ---------------------------------------------------------------------
+{{- if and (((.Values.ingress).tls).enabled) (not ((.Values.ingress).tls).secretName) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "sql-exporter.tls.name" . }}
+  labels:
+    {{- include "sql-exporter.labels" . | nindent 4 }}
+type: Opaque
+data:
+  tls.crt: {{ (tpl (.Values.ingress.tls.crt | required "crt is required if you want to create tls secret.") .) | required "crt is required if you want to create tls secret." | b64enc | quote }}
+  tls.key: {{ (tpl (.Values.ingress.tls.key | required "private key is required if you want to create tls secret.") .) | required "private key is required if you want to create tls secret." | b64enc | quote }}
+{{- end }}

helm/values.yaml

@@ -24,6 +24,28 @@ service:
     # example of prometheus usage
     # prometheus.io/scrape: "true"
     # prometheus.io/path: "/metrics"
+ingress:
+  enabled: false
+  # -- Ingress labels
+  labels: {}
+  # -- Ingress annotations
+  annotations: {}
+  # -- Ingress class name
+  ingressClassName: ""
+  # -- Ingress host
+  host: ""
+  # -- Ingress TLS, can be defined by cert secret, or by key and cert.
+  tls:
+    enabled: false
+    # -- Ingress tls secret if already exists.
+    secretName: ""
+    # -- Ingress tls.crt, required if you don't have secret name.
+    crt: ""
+    # crt: "{{- .Files.Get \"tls.crt\" -}}"
+    # -- Ingress tls.key, required if you don't have secret name.
+    key: ""
+    # key: "{{- .Files.Get \"tls.key\" -}}"
+
 # -- Arbitrary sidecar containers list
 extraContainers: {}
 #   - name: your_sidecar