feat: integrate indigo IAM and restructure the chart

README.md

@@ -149,6 +149,13 @@ TODO
 | global.images.tag | string | `"dev"` |  |
 | global.images.web.repository | string | `"ghcr.io/diracgrid/diracx-web/static"` |  |
 | global.images.web.tag | string | `"latest"` |  |
+| indigoiam.config.issuer | string | `"http://anything:32003"` |  |
+| indigoiam.enabled | bool | `true` |  |
+| indigoiam.image.repository | string | `"indigoiam/iam-login-service"` |  |
+| indigoiam.image.tag | string | `"v1.8.2"` |  |
+| indigoiam.service.nodePort | int | `32003` |  |
+| indigoiam.service.port | int | `8080` |  |
+| indigoiam.service.type | string | `"NodePort"` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `"nginx"` |  |
 | ingress.enabled | bool | `true` |  |

demo/demo_cluster_conf.tpl.yaml

@@ -32,3 +32,6 @@ nodes:
   - containerPort: 32002
     hostPort: 32002
     protocol: TCP
+  - containerPort: 32003
+    hostPort: 32003
+    protocol: TCP

demo/values.tpl.yaml

@@ -8,6 +8,7 @@ developer:
     diracx: https://{{ hostname }}:8000
     minio: http://{{ hostname }}:32000
     dex: http://{{ hostname }}:32002
+    iam: http://{{ hostname }}:32003
   demoDir: {{ demo_dir }}
   mountedPythonModulesToInstall: {{ mounted_python_modules }}
   editableMountedPythonModules: {{ editable_mounted_modules }}
@@ -17,7 +18,7 @@ init-cs:
   VOs:
     - name: diracAdmin
       IdP:
-        idp_url: http://{{ hostname }}:32002
+        idp_url: http://{{ hostname }}:32003
         idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790
       defaultGroup: admin
       Users:
@@ -55,3 +56,7 @@ dex:
       - email: "[email protected]"
         hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
         username: "admin"
+
+indigoiam:
+  config:
+    issuer: http://{{ hostname }}:32003

diracx/templates/_helpers.tpl

@@ -100,6 +100,17 @@ Return the name template for shared-secrets job.
 {{- default "init-secrets" $sharedSecretValues.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "init-iam.fullname" -}}
+{{- printf "%s-init-iam" .Release.Name -}}
+{{- end -}}
+
+{{- define "init-iam.jobname" -}}
+{{- $name := include "init-iam.fullname" . | trunc 55 | trimSuffix "-" -}}
+{{- $rand := randAlphaNum 3 | lower }}
+{{- printf "%s-%d-%s" $name .Release.Revision $rand | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
 {{/*
 Create a default fully qualified job name for init-secrets.
 Due to the job only being allowed to run once, we add the chart revision so helm

diracx/templates/deployment.yaml → diracx/templates/diracx/deployment.yaml

@@ -17,9 +17,9 @@ spec:
         {{- with .Values.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
-        checksum/settings: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
-        checksum/init-settings: {{ include (print $.Template.BasePath "/init-secrets/configmap.yaml") . | sha256sum }}
-        checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx-container-entrypoint.yaml") . | sha256sum }}
+        checksum/settings: {{ include (print $.Template.BasePath "/diracx/secrets.yaml") . | sha256sum }}
+        checksum/init-settings: {{ include (print $.Template.BasePath "/diracx/init-secrets/configmap.yaml") . | sha256sum }}
+        checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx/diracx-container-entrypoint.yaml") . | sha256sum }}
       labels:
         {{- include "diracx.selectorLabels" . | nindent 8 }}
     spec:

diracx/templates/init-cs/configmap.yaml → diracx/templates/diracx/init-cs/configmap.yaml

@@ -11,5 +11,5 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
   init-cs: |
-    {{- include (print $.Template.BasePath "/init-cs/_init-cs.sh.tpl") . | nindent 4 }}
+    {{- include (print $.Template.BasePath "/diracx/init-cs/_init-cs.sh.tpl") . | nindent 4 }}
 {{- end -}}

diracx/templates/init-secrets/configmap.yaml → diracx/templates/diracx/init-secrets/configmap.yaml

@@ -11,5 +11,5 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
   init-secrets: |
-    {{- include (print $.Template.BasePath "/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }}
+    {{- include (print $.Template.BasePath "/diracx/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }}
 {{- end -}}

diracx/templates/init-sql/configmap.yaml → diracx/templates/diracx/init-sql/configmap.yaml

@@ -11,5 +11,5 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
   init-sql: |
-    {{- include (print $.Template.BasePath "/init-sql/_init-sql.sh.tpl") . | nindent 4 }}
+    {{- include (print $.Template.BasePath "/diracx/init-sql/_init-sql.sh.tpl") . | nindent 4 }}
 {{- end -}}

diracx/templates/tests/indigo-iam/deployment.yaml

@@ -0,0 +1,51 @@
+{{- if .Values.indigoiam.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: indigo-iam
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: iam
+  template:
+    metadata:
+      labels:
+        app: iam
+      annotations:
+        checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | sha256sum }}
+    spec:
+      volumes:
+        - name: iam-secret
+          secret:
+            secretName: indigo-iam-init-secrets
+      containers:
+        - name: indigo-iam
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}"
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.indigoiam.service.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /.well-known/openid-configuration
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /.well-known/openid-configuration
+              port: http
+          env:
+          - name: IAM_KEY_STORE_LOCATION
+            value: "file:///etc/indigo-iam/keystore/iam-keystore.jwks"
+          - name: IAM_BASE_URL
+            value: "{{ .Values.indigoiam.config.issuer }}"
+          - name: IAM_ISSUER
+            value: "{{ .Values.indigoiam.config.issuer }}"
+          volumeMounts:
+          - name: iam-secret
+            mountPath: "/etc/indigo-iam/keystore"
+            readOnly: true
+{{- end}}

diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -x
+
+curl {{ .Values.indigoiam.config.issuer }}/.well-known/openid-configuration

diracx/templates/tests/indigo-iam/init-iam/configmap.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.indigoiam.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "init-iam.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+data:
+  init-iam: |
+    {{- include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | nindent 4 }}
+{{- end -}}

diracx/templates/tests/indigo-iam/init-iam/job.yaml

@@ -0,0 +1,27 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: init-indigo-iam
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "1"
+spec:
+  ttlSecondsAfterFinished: {{ .Values.global.batchJobTTL }}
+  activeDeadlineSeconds: {{ .Values.global.activeDeadlineSeconds }}
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: indigo-iam
+          image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}"
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+          command: ["/bin/sh", "/scripts/init-iam"]
+          volumeMounts:
+          - name: scripts
+            mountPath: /scripts
+      volumes:
+      - name: scripts
+        configMap:
+          name: {{ template "init-iam.fullname" . }}
+      restartPolicy: Never

diracx/templates/tests/indigo-iam/secrets.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.indigoiam.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: indigo-iam-init-secrets
+stringData:
+  iam-keystore.jwks: |
+    {
+      "keys": [
+        {
+          "p": "1vffpIvQ67Bp1XmnxuuNhgHGoS4iCEbEJN9kV2oh39xRMw2L1Fx6RrgHb0t04KAE4IT_48Y9grta7OHUty4dMQ",
+          "kty": "RSA",
+          "q": "v673PmzSoiClcZ6U8Rcb4GyB1H76jfY3dTdZNBT5cSVEPhPCnGNWXFKPUj5qeT4CGneR9tdGU7U-_vRNPJg9yw",
+          "d": "XC1QH6W--Hh9fIsswXB2H0S44GvbrVD75XiJwrOgmrOhBK8MFR0X_eQ-9nBNPmZbAu9NKK5ixwIcE8J-OhQaOcDkepAf1DUo6iIlXgtbHvOtT3GHNgPHJ4C7XbnO9ieNDMrMr2tpmGnH2sebvXwLrzjKJCB09bS6yj71XGkyVKE",
+          "e": "AQAB",
+          "kid": "rsa1",
+          "qi": "P8KH-16jsDjJygzggeLxlJwHYFYPoie3hgB__aajO03GiRzYJojD5dBKEiQuo9SxJ43U5csHWYQeukz9X01-zw",
+          "dp": "VYF6_6RtkZI2RqeBSOpg_LCwJWSIPOqJEnGZI_wfRUAJPFljCTFPodmJe4d0EfUUe4nrjtpHlTyYyih5x_MbwQ",
+          "dq": "sxzUTZG0dOjaj8PmWy4Dz361BpIsoDC9e5tfkGo0-AQhs3wVcrrkPNqsr-ZA6dAGeSLX0vcv8RJArk4sSf3cZw",
+          "n": "oPXb81pZRmxmRJVHva49e5-NOToDdZ6XITpqt3RF-Ovehkd52Fm-t0FfKjJZxP7Q4d-nw1gk-r894uRJPAU9mx3yya9p7L5Xnr6rs8jmf_KF2buaYMUQ001wpsjJwznyGHWNqrBNB4_2-3U_uMGWyJB-C8Gy2-3aXjHRSQ-d0ts"
+        }
+      ]
+    }
+{{- end }}

diracx/templates/tests/indigo-iam/service.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.indigoiam.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: iam-login-service
+spec:
+  type: {{ .Values.indigoiam.service.type }}
+  ports:
+    - port: {{ .Values.indigoiam.service.port }}
+      nodePort: {{ .Values.indigoiam.service.nodePort }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: iam
+{{- end }}

diracx/values.yaml

@@ -295,6 +295,20 @@ dex:
 
 ##########################
 
+indigoiam:
+  enabled: true
+  config:
+    issuer: http://anything:32003
+  image:
+    repository: indigoiam/iam-login-service
+    tag: v1.8.2
+  service:
+    type: NodePort
+    port: 8080
+    nodePort: 32003
+
+##########################
+
 mysql:
   enabled: true
   auth: