From 88d7f27247a1744e78b11f63aaaae7f25dc1180f Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Wed, 21 Jul 2021 13:50:28 +0200
Subject: [PATCH] chartmuseum: phase in SSL support
---
apps/chartmuseum/Chart.yaml | 2 +-
apps/chartmuseum/templates/deployment.yaml | 83 ++++++++++++++++++++--
2 files changed, 77 insertions(+), 8 deletions(-)
diff --git a/apps/chartmuseum/Chart.yaml b/apps/chartmuseum/Chart.yaml
index 4eef696..84e2f11 100644
--- a/apps/chartmuseum/Chart.yaml
+++ b/apps/chartmuseum/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: ungleich-chartmuseum
description: Chartmuseum for the ungleich infrastructure
-version: 0.1.0
+version: 0.1.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
diff --git a/apps/chartmuseum/templates/deployment.yaml b/apps/chartmuseum/templates/deployment.yaml
index 592deee..f811498 100644
--- a/apps/chartmuseum/templates/deployment.yaml
+++ b/apps/chartmuseum/templates/deployment.yaml
@@ -14,14 +14,44 @@ spec:
app: {{ .Release.Name }}-chartmuseum
use-as-service: {{ .Release.Name }}
spec:
+ # Wait before trying to start any container
+ initcontainers:
+ - name: wait-for-cert
+ image: busybox
+ command:
+ - sh
+ - -c
+ - until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done
+ volumeMounts:
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
containers:
- - name: chartmuseum
- image: ghcr.io/helm/chartmuseum:v0.13.1
+ - name: certbot
+ image: ungleich/ungleich-certbot
+ imagePullPolicy: Always
ports:
- - containerPort: 8080
- # args:
- # - --tls-cert=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem
- # - --tls-key=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem
+ - containerPort: 80
+ env:
+ - name: ONLYRENEWCERTS
+ value: "yes"
+ - name: DOMAIN
+ value: "{{ tpl .Values.fqdn . }}"
+ - name: EMAIL
+ value: "{{ .Values.email }}"
+ {{ if eq .Values.letsencryptStaging "no" }}
+ - name: STAGING
+ value: "no"
+ {{ end }}
+ volumeMounts:
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
+ - name: chartmuseum
+ image: ghcr.io/helm/chartmuseum:v{{ .Chart.AppVersion }}
+ ports:
+ - containerPort: 443
+ args:
+ - --tls-cert=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem
+ - --tls-key=/etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem
env:
- name: STORAGE
value: "local"
@@ -49,7 +79,7 @@ metadata:
spec:
type: ClusterIP
ports:
- - port: 8080
+ - port: 80
name: http
- port: 443
name: https
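Review bot: `initcontainers:` in the new pod spec is not a Kubernetes field; the API name is `initContainers`, so the wait-for-cert container is silently dropped by API servers that prune unknown fields (or rejected under strict validation) and chartmuseum starts before `fullchain.pem` exists, crash-looping on its `--tls-cert` argument. Change the line to `initContainers:`. The images the new containers run are unpinned (`image: busybox`, and `image: ungleich/ungleich-certbot` with `imagePullPolicy: Always`), which leaves the component that handles the TLS private key at whatever the registry serves next; pin a tag or, better, a digest. The chartmuseum args only add the certificate pair, so unless the env list continuing past the hunk sets `PORT` or a `--port` argument is added, the process keeps listening on its default 8080 rather than the `containerPort: 443` declared here, which is the port the Service in the next hunk targets. The chartmuseum container's env list continues outside the hunk.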
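Review bot: `- port: 80` on the http Service port has no `targetPort`, so it forwards to container port 80 of every pod the selector matches, and after this change nothing in the chartmuseum container listens there — the only port-80 listeners in the chart are the certbot containers in the Deployment and in the new getcert Job (both pods carry `use-as-service: {{ .Release.Name }}`, which looks like the selector label, though the selector itself is outside the hunk). If port 80 is meant only for the ACME HTTP-01 challenge, say so with a comment above the entry, e.g. `# http is answered by the certbot containers for ACME HTTP-01 only; chart traffic uses https`, and decide whether plain HTTP should remain reachable through the Service at all once the Job has finished. The Service definition starts before this hunk.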
@@ -101,3 +131,42 @@ spec:
# proxy_pass http://localhost:3000;
# }
# }
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ tpl .Values.identifier . }}-getcert
+spec:
+ template:
+ metadata:
+ labels:
+ app: certbot-letsencrypt-getcert
+ use-as-service: {{ .Release.Name }}
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: certbot
+ image: ungleich/ungleich-certbot
+ imagePullPolicy: Always
+
+ ports:
+ - containerPort: 80
+ env:
+ - name: ONLYGETCERT
+ value: "yes"
+ - name: DOMAIN
+ value: "{{ tpl .Values.fqdn . }}"
+ - name: EMAIL
+ value: "{{ .Values.email }}"
+ {{ if eq .Values.letsencryptStaging "no" }}
+ - name: STAGING
+ value: "no"
+ {{ end }}
+ volumeMounts:
+ - name: etcletsencrypt
+ mountPath: "/etc/letsencrypt"
+ volumes:
+ - name: etcletsencrypt
+ persistentVolumeClaim:
+ claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
+ backoffLimit: 3
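Review bot: The `{{ tpl .Values.identifier . }}-getcert` Job carries no Helm hook annotation, and a Job's pod template is immutable once created, so the first `helm upgrade` that changes `fqdn`, `email` or the image will fail on this resource, and a Job that has already completed is not re-run to obtain a certificate for a changed domain. Annotate it with `helm.sh/hook: post-install,post-upgrade` and `helm.sh/hook-delete-policy: before-hook-creation` (post- rather than pre- so the Service the HTTP-01 challenge depends on already exists), or give it a name that includes the release revision, so each release gets a fresh run. As in the Deployment hunk, `image: ungleich/ungleich-certbot` with `imagePullPolicy: Always` is unpinned, and this is the container that registers the ACME account and writes `privkey.pem` onto the shared PVC — pin a tag or digest. The stray `+` blank line between `imagePullPolicy: Always` and `ports:` should go. The `use-as-service: {{ .Release.Name }}` label makes the Job pod a Service endpoint while it runs, which is presumably intended for the challenge; a one-line comment above the label saying so would save the next reader from treating it as a copy-paste mistake.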