From 6c8b79ba26b7c6dc13e426ba93e7a3dd5d70323a Mon Sep 17 00:00:00 2001 
From: aldbr Date: Sat, 21 Oct 2023 07:40:14 +0900 Subject: [PATCH] feat: integrate indigo IAM and restructure the chart --- README.md | 7 +++ demo/demo_cluster_conf.tpl.yaml | 3 ++ demo/values.tpl.yaml | 7 ++- diracx/templates/_helpers.tpl | 11 ++++ .../deployment.yaml} | 0 .../service.yaml} | 0 .../{ => diracx}/cs-store-volume.yml | 0 diracx/templates/{ => diracx}/deployment.yaml | 6 +-- .../diracx-container-entrypoint.yaml | 0 .../diracx-mysql-init-dbs.yaml} | 0 .../{ => diracx}/init-cs/_init-cs.sh.tpl | 0 .../{ => diracx}/init-cs/configmap.yaml | 2 +- .../templates/{ => diracx}/init-cs/job.yaml | 0 .../init-secrets/_init-secrets.sh.tpl | 0 .../{ => diracx}/init-secrets/configmap.yaml | 2 +- .../{ => diracx}/init-secrets/job.yaml | 0 .../init-secrets/rbac-config.yaml | 0 .../{ => diracx}/init-sql/_init-sql.sh.tpl | 0 .../{ => diracx}/init-sql/configmap.yaml | 2 +- .../templates/{ => diracx}/init-sql/job.yaml | 0 diracx/templates/{ => diracx}/secrets.yaml | 0 diracx/templates/{ => diracx}/service.yaml | 0 .../{ => diracx}/serviceaccount.yaml | 0 .../{ => diracx}/tests/test-connection.yaml | 0 .../tests/indigo-iam/deployment.yaml | 51 +++++++++++++++++++ .../indigo-iam/init-iam/_init-iam.sh.tpl | 4 ++ .../tests/indigo-iam/init-iam/configmap.yaml | 10 ++++ .../tests/indigo-iam/init-iam/job.yaml | 27 ++++++++++ .../templates/tests/indigo-iam/secrets.yaml | 24 +++++++++ .../templates/tests/indigo-iam/service.yaml | 16 ++++++ diracx/values.yaml | 14 +++++ 31 files changed, 179 insertions(+), 7 deletions(-) rename diracx/templates/{web-deployment.yaml => diracx-web/deployment.yaml} (100%) rename diracx/templates/{web-service.yaml => diracx-web/service.yaml} (100%) rename diracx/templates/{ => diracx}/cs-store-volume.yml (100%) rename diracx/templates/{ => diracx}/deployment.yaml (97%) rename diracx/templates/{ => diracx}/diracx-container-entrypoint.yaml (100%) rename diracx/templates/{mysql-init-dbs.yaml => diracx/diracx-mysql-init-dbs.yaml} (100%) rename 
diracx/templates/{ => diracx}/init-cs/_init-cs.sh.tpl (100%) rename diracx/templates/{ => diracx}/init-cs/configmap.yaml (80%) rename diracx/templates/{ => diracx}/init-cs/job.yaml (100%) rename diracx/templates/{ => diracx}/init-secrets/_init-secrets.sh.tpl (100%) rename diracx/templates/{ => diracx}/init-secrets/configmap.yaml (80%) rename diracx/templates/{ => diracx}/init-secrets/job.yaml (100%) rename diracx/templates/{ => diracx}/init-secrets/rbac-config.yaml (100%) rename diracx/templates/{ => diracx}/init-sql/_init-sql.sh.tpl (100%) rename diracx/templates/{ => diracx}/init-sql/configmap.yaml (80%) rename diracx/templates/{ => diracx}/init-sql/job.yaml (100%) rename diracx/templates/{ => diracx}/secrets.yaml (100%) rename diracx/templates/{ => diracx}/service.yaml (100%) rename diracx/templates/{ => diracx}/serviceaccount.yaml (100%) rename diracx/templates/{ => diracx}/tests/test-connection.yaml (100%) create mode 100644 diracx/templates/tests/indigo-iam/deployment.yaml create mode 100644 diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl create mode 100644 diracx/templates/tests/indigo-iam/init-iam/configmap.yaml create mode 100644 diracx/templates/tests/indigo-iam/init-iam/job.yaml create mode 100644 diracx/templates/tests/indigo-iam/secrets.yaml create mode 100644 diracx/templates/tests/indigo-iam/service.yaml diff --git a/README.md b/README.md index 364177e..4f47553 100644 --- a/README.md +++ b/README.md 
@@ -149,6 +149,13 @@ TODO | global.images.tag | string | `"dev"` | | | global.images.web.repository | string | `"ghcr.io/diracgrid/diracx-web/static"` | | | global.images.web.tag | string | `"latest"` | | +| indigoiam.config.issuer | string | `"http://anything:32003"` | | +| indigoiam.enabled | bool | `true` | | +| indigoiam.image.repository | string | `"indigoiam/iam-login-service"` | | +| indigoiam.image.tag | string | `"v1.8.2"` | | +| indigoiam.service.nodePort | int | `32003` | | +| indigoiam.service.port | int | `8080` | | +| indigoiam.service.type | string | `"NodePort"` | | | ingress.annotations | object | `{}` | | | ingress.className | string | `"nginx"` | | | ingress.enabled | bool | `true` | | diff --git a/demo/demo_cluster_conf.tpl.yaml b/demo/demo_cluster_conf.tpl.yaml index 9b8982d..ec6fc12 100644 --- a/demo/demo_cluster_conf.tpl.yaml +++ b/demo/demo_cluster_conf.tpl.yaml @@ -32,3 +32,6 @@ nodes: - containerPort: 32002 hostPort: 32002 protocol: TCP + - containerPort: 32003 + hostPort: 32003 + protocol: TCP diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml index c4c8e69..74b500c 100644 --- a/demo/values.tpl.yaml +++ b/demo/values.tpl.yaml @@ -8,6 +8,7 @@ developer: diracx: https://{{ hostname }}:8000 minio: http://{{ hostname }}:32000 dex: http://{{ hostname }}:32002 + iam: http://{{ hostname }}:32003 demoDir: {{ demo_dir }} mountedPythonModulesToInstall: {{ mounted_python_modules }} editableMountedPythonModules: {{ editable_mounted_modules }} @@ -17,7 +18,7 @@ init-cs: VOs: - name: diracAdmin IdP: - idp_url: http://{{ hostname }}:32002 + idp_url: http://{{ hostname }}:32003 idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790 defaultGroup: admin Users: @@ -55,3 +56,7 @@ dex: - email: "admin@example.com" hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" username: "admin" + +indigoiam: + config: + issuer: http://{{ hostname }}:32003 
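Review bot: In the `demo/values.tpl.yaml` hunk, `idp_url` for the diracAdmin VO now points at the IAM port 32003, but `idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790` is carried over unchanged from the dex setup, and nothing in this patch registers that client in IAM (the init-iam script only fetches the discovery document). Unless the client is provisioned some other way, the DiracX login flow against the new issuer would presumably fail with an unknown-client error. Either add the client registration to the init-iam hook or put a comment above the line stating where the IAM client comes from, e.g. `# OIDC client id registered in IAM by <mechanism>`.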
diff --git a/diracx/templates/_helpers.tpl b/diracx/templates/_helpers.tpl index 76c9a84..303ec15 100644 --- a/diracx/templates/_helpers.tpl +++ b/diracx/templates/_helpers.tpl @@ -100,6 +100,17 @@ Return the name template for shared-secrets job. {{- default "init-secrets" $sharedSecretValues.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "init-iam.fullname" -}} +{{- printf "%s-init-iam" .Release.Name -}} +{{- end -}} + +{{- define "init-iam.jobname" -}} +{{- $name := include "init-iam.fullname" . | trunc 55 | trimSuffix "-" -}} +{{- $rand := randAlphaNum 3 | lower }} +{{- printf "%s-%d-%s" $name .Release.Revision $rand | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + {{/* Create a default fully qualified job name for init-secrets. Due to the job only being allowed to run once, we add the chart revision so helm diff --git a/diracx/templates/web-deployment.yaml b/diracx/templates/diracx-web/deployment.yaml similarity index 100% rename from diracx/templates/web-deployment.yaml rename to diracx/templates/diracx-web/deployment.yaml diff --git a/diracx/templates/web-service.yaml b/diracx/templates/diracx-web/service.yaml similarity index 100% rename from diracx/templates/web-service.yaml rename to diracx/templates/diracx-web/service.yaml diff --git a/diracx/templates/cs-store-volume.yml b/diracx/templates/diracx/cs-store-volume.yml similarity index 100% rename from diracx/templates/cs-store-volume.yml rename to diracx/templates/diracx/cs-store-volume.yml diff --git a/diracx/templates/deployment.yaml b/diracx/templates/diracx/deployment.yaml similarity index 97% rename from diracx/templates/deployment.yaml rename to diracx/templates/diracx/deployment.yaml index 0eb3167..64d3b77 100644 --- a/diracx/templates/deployment.yaml +++ b/diracx/templates/diracx/deployment.yaml 
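Review bot: `init-iam.jobname` is defined in this hunk but never referenced: `diracx/templates/tests/indigo-iam/init-iam/job.yaml` in the same patch hard-codes `name: init-indigo-iam`, so the revision-and-random suffix that exists to let a post-upgrade hook recreate an immutable Job is dead code. Either use it in the Job metadata, `name: {{ include "init-iam.jobname" . }}`, or drop the helper. `init-iam.fullname` also skips the `nameOverride` handling that the adjacent init-secrets helper has; if that is deliberate for a test fixture, say so with `{{/* Name of the IAM bootstrap ConfigMap/Job; no nameOverride on purpose (test fixture) */}}` above the define.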
@@ -17,9 +17,9 @@ spec: {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} - checksum/settings: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} - checksum/init-settings: {{ include (print $.Template.BasePath "/init-secrets/configmap.yaml") . | sha256sum }} - checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx-container-entrypoint.yaml") . | sha256sum }} + checksum/settings: {{ include (print $.Template.BasePath "/diracx/secrets.yaml") . | sha256sum }} + checksum/init-settings: {{ include (print $.Template.BasePath "/diracx/init-secrets/configmap.yaml") . | sha256sum }} + checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx/diracx-container-entrypoint.yaml") . | sha256sum }} labels: {{- include "diracx.selectorLabels" . | nindent 8 }} spec: diff --git a/diracx/templates/diracx-container-entrypoint.yaml b/diracx/templates/diracx/diracx-container-entrypoint.yaml similarity index 100% rename from diracx/templates/diracx-container-entrypoint.yaml rename to diracx/templates/diracx/diracx-container-entrypoint.yaml diff --git a/diracx/templates/mysql-init-dbs.yaml b/diracx/templates/diracx/diracx-mysql-init-dbs.yaml similarity index 100% rename from diracx/templates/mysql-init-dbs.yaml rename to diracx/templates/diracx/diracx-mysql-init-dbs.yaml diff --git a/diracx/templates/init-cs/_init-cs.sh.tpl b/diracx/templates/diracx/init-cs/_init-cs.sh.tpl similarity index 100% rename from diracx/templates/init-cs/_init-cs.sh.tpl rename to diracx/templates/diracx/init-cs/_init-cs.sh.tpl diff --git a/diracx/templates/init-cs/configmap.yaml b/diracx/templates/diracx/init-cs/configmap.yaml similarity index 80% rename from diracx/templates/init-cs/configmap.yaml rename to diracx/templates/diracx/init-cs/configmap.yaml index 57077a8..263f091 100644 --- a/diracx/templates/init-cs/configmap.yaml +++ b/diracx/templates/diracx/init-cs/configmap.yaml 
@@ -11,5 +11,5 @@ metadata: "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation data: init-cs: | - {{- include (print $.Template.BasePath "/init-cs/_init-cs.sh.tpl") . | nindent 4 }} + {{- include (print $.Template.BasePath "/diracx/init-cs/_init-cs.sh.tpl") . | nindent 4 }} {{- end -}} diff --git a/diracx/templates/init-cs/job.yaml b/diracx/templates/diracx/init-cs/job.yaml similarity index 100% rename from diracx/templates/init-cs/job.yaml rename to diracx/templates/diracx/init-cs/job.yaml diff --git a/diracx/templates/init-secrets/_init-secrets.sh.tpl b/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl similarity index 100% rename from diracx/templates/init-secrets/_init-secrets.sh.tpl rename to diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl diff --git a/diracx/templates/init-secrets/configmap.yaml b/diracx/templates/diracx/init-secrets/configmap.yaml similarity index 80% rename from diracx/templates/init-secrets/configmap.yaml rename to diracx/templates/diracx/init-secrets/configmap.yaml index 83eb274..d333791 100644 --- a/diracx/templates/init-secrets/configmap.yaml +++ b/diracx/templates/diracx/init-secrets/configmap.yaml @@ -11,5 +11,5 @@ metadata: "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation data: init-secrets: | - {{- include (print $.Template.BasePath "/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }} + {{- include (print $.Template.BasePath "/diracx/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }} {{- end -}} diff --git a/diracx/templates/init-secrets/job.yaml b/diracx/templates/diracx/init-secrets/job.yaml similarity index 100% rename from diracx/templates/init-secrets/job.yaml rename to diracx/templates/diracx/init-secrets/job.yaml diff --git a/diracx/templates/init-secrets/rbac-config.yaml b/diracx/templates/diracx/init-secrets/rbac-config.yaml similarity index 100% rename from diracx/templates/init-secrets/rbac-config.yaml rename to diracx/templates/diracx/init-secrets/rbac-config.yaml 
diff --git a/diracx/templates/init-sql/_init-sql.sh.tpl b/diracx/templates/diracx/init-sql/_init-sql.sh.tpl similarity index 100% rename from diracx/templates/init-sql/_init-sql.sh.tpl rename to diracx/templates/diracx/init-sql/_init-sql.sh.tpl diff --git a/diracx/templates/init-sql/configmap.yaml b/diracx/templates/diracx/init-sql/configmap.yaml similarity index 80% rename from diracx/templates/init-sql/configmap.yaml rename to diracx/templates/diracx/init-sql/configmap.yaml index adef34e..99ad57e 100644 --- a/diracx/templates/init-sql/configmap.yaml +++ b/diracx/templates/diracx/init-sql/configmap.yaml @@ -11,5 +11,5 @@ metadata: "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation data: init-sql: | - {{- include (print $.Template.BasePath "/init-sql/_init-sql.sh.tpl") . | nindent 4 }} + {{- include (print $.Template.BasePath "/diracx/init-sql/_init-sql.sh.tpl") . | nindent 4 }} {{- end -}} diff --git a/diracx/templates/init-sql/job.yaml b/diracx/templates/diracx/init-sql/job.yaml similarity index 100% rename from diracx/templates/init-sql/job.yaml rename to diracx/templates/diracx/init-sql/job.yaml diff --git a/diracx/templates/secrets.yaml b/diracx/templates/diracx/secrets.yaml similarity index 100% rename from diracx/templates/secrets.yaml rename to diracx/templates/diracx/secrets.yaml diff --git a/diracx/templates/service.yaml b/diracx/templates/diracx/service.yaml similarity index 100% rename from diracx/templates/service.yaml rename to diracx/templates/diracx/service.yaml diff --git a/diracx/templates/serviceaccount.yaml b/diracx/templates/diracx/serviceaccount.yaml similarity index 100% rename from diracx/templates/serviceaccount.yaml rename to diracx/templates/diracx/serviceaccount.yaml diff --git a/diracx/templates/tests/test-connection.yaml b/diracx/templates/diracx/tests/test-connection.yaml similarity index 100% rename from diracx/templates/tests/test-connection.yaml rename to diracx/templates/diracx/tests/test-connection.yaml 
diff --git a/diracx/templates/tests/indigo-iam/deployment.yaml b/diracx/templates/tests/indigo-iam/deployment.yaml new file mode 100644 index 0000000..1a6649b --- /dev/null +++ b/diracx/templates/tests/indigo-iam/deployment.yaml @@ -0,0 +1,51 @@ +{{- if .Values.indigoiam.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: indigo-iam +spec: + replicas: 1 + selector: + matchLabels: + app: iam + template: + metadata: + labels: + app: iam + annotations: + checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | sha256sum }} + spec: + volumes: + - name: iam-secret + secret: + secretName: indigo-iam-init-secrets + containers: + - name: indigo-iam + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - name: http + containerPort: {{ .Values.indigoiam.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: /.well-known/openid-configuration + port: http + readinessProbe: + httpGet: + path: /.well-known/openid-configuration + port: http + env: + - name: IAM_KEY_STORE_LOCATION + value: "file:///etc/indigo-iam/keystore/iam-keystore.jwks" + - name: IAM_BASE_URL + value: "{{ .Values.indigoiam.config.issuer }}" + - name: IAM_ISSUER + value: "{{ .Values.indigoiam.config.issuer }}" + volumeMounts: + - name: iam-secret + mountPath: "/etc/indigo-iam/keystore" + readOnly: true +{{- end}} diff --git a/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl b/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl new file mode 100644 index 0000000..47df6f7 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -x + +curl {{ .Values.indigoiam.config.issuer }}/.well-known/openid-configuration 
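Review bot: The `checksum/init-iam` pod annotation hashes `_init-iam.sh.tpl`, the curl smoke-test script, rather than the `secrets.yaml` holding the keystore this pod mounts, so a change to the signing key does not roll the Deployment and IAM keeps serving with whatever key it loaded at start. Hash the secret instead: `checksum/keystore: {{ include (print $.Template.BasePath "/tests/indigo-iam/secrets.yaml") . | sha256sum }}`. Separately, `name: indigo-iam`, `secretName: indigo-iam-init-secrets` and the selector `app: iam` are fixed strings rather than release-scoped like the chart's own templates (`diracx.selectorLabels`), so two releases in one namespace would collide; acceptable for a test fixture but worth a comment on the first line of the template.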
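Review bot: The script runs with `set -x` only and calls `curl` without `--fail`, so the post-install hook that executes it succeeds whether or not IAM answered, which makes the Job meaningless as a readiness gate. Use `set -ex` and `curl --fail --silent --show-error --retry 10 --retry-connrefused {{ .Values.indigoiam.config.issuer }}/.well-known/openid-configuration` so a non-2xx response or a connection failure (IAM may not be up yet when the hook runs) fails the hook instead of being logged and ignored. The Job invokes this file with `/bin/sh` (see job.yaml), so keep it POSIX despite the bash shebang. The URL is the host-facing `http://{{ hostname }}:32003` issuer; whether that resolves from inside the cluster depends on the demo network, so confirm it or fall back to the `iam-login-service` Service name.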
diff --git a/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml new file mode 100644 index 0000000..a81bb54 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.indigoiam.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "init-iam.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + init-iam: | + {{- include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | nindent 4 }} +{{- end -}} diff --git a/diracx/templates/tests/indigo-iam/init-iam/job.yaml b/diracx/templates/tests/indigo-iam/init-iam/job.yaml new file mode 100644 index 0000000..3b638ae --- /dev/null +++ b/diracx/templates/tests/indigo-iam/init-iam/job.yaml @@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: init-indigo-iam + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "1" +spec: + ttlSecondsAfterFinished: {{ .Values.global.batchJobTTL }} + activeDeadlineSeconds: {{ .Values.global.activeDeadlineSeconds }} + template: + spec: + restartPolicy: Never + containers: + - name: indigo-iam + image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["/bin/sh", "/scripts/init-iam"] + volumeMounts: + - name: scripts + mountPath: /scripts + volumes: + - name: scripts + configMap: + name: {{ template "init-iam.fullname" . }} + restartPolicy: Never diff --git a/diracx/templates/tests/indigo-iam/secrets.yaml b/diracx/templates/tests/indigo-iam/secrets.yaml new file mode 100644 index 0000000..51c9798 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/secrets.yaml 
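Review bot: `job.yaml` is the only template in the new `indigo-iam` directory without an `indigoiam.enabled` guard, so with `indigoiam.enabled: false` the post-install hook is still rendered, its pod cannot mount the `{{ template "init-iam.fullname" . }}` ConfigMap that is no longer rendered, and `helm install` fails. Wrap the file in `{{- if .Values.indigoiam.enabled -}}` … `{{- end -}}` like the configmap. The hook also has no `helm.sh/hook-delete-policy`, unlike the init-cs/init-secrets/init-sql jobs (`hook-succeeded,before-hook-creation` visible in their configmaps), and with the fixed name `init-indigo-iam` the `post-upgrade` run will collide with the completed Job left by the previous release; add `"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation`. `restartPolicy: Never` appears twice in the pod template (after `containers` and again after `volumes`); the second is redundant and should be dropped.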
@@ -0,0 +1,24 @@ +{{- if .Values.indigoiam.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: indigo-iam-init-secrets +stringData: + iam-keystore.jwks: | + { + "keys": [ + { + "p": "1vffpIvQ67Bp1XmnxuuNhgHGoS4iCEbEJN9kV2oh39xRMw2L1Fx6RrgHb0t04KAE4IT_48Y9grta7OHUty4dMQ", + "kty": "RSA", + "q": "v673PmzSoiClcZ6U8Rcb4GyB1H76jfY3dTdZNBT5cSVEPhPCnGNWXFKPUj5qeT4CGneR9tdGU7U-_vRNPJg9yw", + "d": "XC1QH6W--Hh9fIsswXB2H0S44GvbrVD75XiJwrOgmrOhBK8MFR0X_eQ-9nBNPmZbAu9NKK5ixwIcE8J-OhQaOcDkepAf1DUo6iIlXgtbHvOtT3GHNgPHJ4C7XbnO9ieNDMrMr2tpmGnH2sebvXwLrzjKJCB09bS6yj71XGkyVKE", + "e": "AQAB", + "kid": "rsa1", + "qi": "P8KH-16jsDjJygzggeLxlJwHYFYPoie3hgB__aajO03GiRzYJojD5dBKEiQuo9SxJ43U5csHWYQeukz9X01-zw", + "dp": "VYF6_6RtkZI2RqeBSOpg_LCwJWSIPOqJEnGZI_wfRUAJPFljCTFPodmJe4d0EfUUe4nrjtpHlTyYyih5x_MbwQ", + "dq": "sxzUTZG0dOjaj8PmWy4Dz361BpIsoDC9e5tfkGo0-AQhs3wVcrrkPNqsr-ZA6dAGeSLX0vcv8RJArk4sSf3cZw", + "n": "oPXb81pZRmxmRJVHva49e5-NOToDdZ6XITpqt3RF-Ovehkd52Fm-t0FfKjJZxP7Q4d-nw1gk-r894uRJPAU9mx3yya9p7L5Xnr6rs8jmf_KF2buaYMUQ001wpsjJwznyGHWNqrBNB4_2-3U_uMGWyJB-C8Gy2-3aXjHRSQ-d0ts" + } + ] + } +{{- end }} diff --git a/diracx/templates/tests/indigo-iam/service.yaml b/diracx/templates/tests/indigo-iam/service.yaml new file mode 100644 index 0000000..edd0120 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/service.yaml @@ -0,0 +1,16 @@ +{{- if .Values.indigoiam.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: iam-login-service +spec: + type: {{ .Values.indigoiam.service.type }} + ports: + - port: {{ .Values.indigoiam.service.port }} + nodePort: {{ .Values.indigoiam.service.nodePort }} + targetPort: http + protocol: TCP + name: http + selector: + app: iam +{{- end }} diff --git a/diracx/values.yaml b/diracx/values.yaml index 190badf..2c0cce0 100644 --- a/diracx/values.yaml +++ b/diracx/values.yaml 
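Review bot: This Secret ships a complete RSA private JWK (`p`, `q`, `d`, `dp`, `dq`, `qi`) committed to the chart, and with `indigoiam.enabled: true` as the default in `values.yaml` every install stands up an issuer whose signing key is public knowledge — and since `init-cs` now points the diracAdmin VO IdP at this issuer, tokens minted with the repository copy of the key would be accepted by DiracX. The length of `n` also suggests a 1024-bit modulus. For a test fixture the keystore should be generated at install time (e.g. by the init-iam job) rather than committed, and the default should be off; at minimum add a comment on the first line, `{{/* TEST-ONLY keystore: this private key is public in the repository; never enable outside the demo */}}`. The name `indigo-iam-init-secrets` also mismatches its role — it is the runtime keystore, not an init secret.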
@@ -295,6 +295,20 @@ dex: ########################## +indigoiam: + enabled: true + config: + issuer: http://anything:32003 + image: + repository: indigoiam/iam-login-service + tag: v1.8.2 + service: + type: NodePort + port: 8080 + nodePort: 32003 + +########################## + mysql: enabled: true auth:
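Review bot: `indigoiam.enabled: true` turns a component that lives under `templates/tests/` and carries a committed keystore into a default part of every release, and the default `issuer: http://anything:32003` is a placeholder that the IAM container would advertise as its issuer. Default to `enabled: false` here and set `enabled: true` next to the issuer in `demo/values.tpl.yaml`, which is the only place the real issuer is known. A comment on the key would help readers of the generated README table: `# Test-only Indigo IAM instance for the demo; needs an issuer URL reachable from the cluster`.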