From 4a0cc0dd03c3287aba045d818ed8a23991c4c6ab Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Mon, 16 Sep 2024 14:29:09 +0100
Subject: [PATCH 1/6] Add opa to the central deployment

---
 charts/apps/Chart.yaml             |  2 +-
 charts/apps/templates/opa-app.yaml | 28 ++++++++++++++++++++++++++++
 charts/apps/values.yaml            | 14 ++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 charts/apps/templates/opa-app.yaml

diff --git a/charts/apps/Chart.yaml b/charts/apps/Chart.yaml
index 57db732..727735b 100644
--- a/charts/apps/Chart.yaml
+++ b/charts/apps/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: authz
 description: ArgoCD Apps used to deploy Authorization infrastructure
 type: application
-version: 0.1.0
+version: 0.2.0
diff --git a/charts/apps/templates/opa-app.yaml b/charts/apps/templates/opa-app.yaml
new file mode 100644
index 0000000..f46a6c8
--- /dev/null
+++ b/charts/apps/templates/opa-app.yaml
@@ -0,0 +1,28 @@
+{{ if .Values.opa.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opa
+  namespace: {{ .Release.Namespace }}
+  finalizers:
+    - resources-finalizer.argocd.arogproj.io
+spec:
+  project: {{ default .Release.Namespace .Values.project }}
+  source:
+    repoURL: {{ .Values.opa.repoUrl }}
+    targetRevision: {{ .Values.opa.targetRevision }}
+    path: {{ .Values.opa.path }}
+    {{- if .Values.opa.valuesObject }}
+    helm:
+      valuesObject:
+        {{ .Values.opa.valuesObject | toYaml | nindent 10 }}
+    {{- end }}
+  destination:
+    name: {{ .Values.destination.name }}
+    server: {{ .Values.destination.server }}
+    namespace: {{ default .Release.Namespace .Values.destination.namespace }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+{{- end }}
diff --git a/charts/apps/values.yaml b/charts/apps/values.yaml
index b0ada9c..be79a74 100644
--- a/charts/apps/values.yaml
+++ b/charts/apps/values.yaml
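Review bot: The finalizer on the new Application is misspelt: `resources-finalizer.argocd.arogproj.io` should be `resources-finalizer.argocd.argoproj.io`, the only finalizer Argo CD acts on. With the typo, deleting the Application will not cascade to the OPA resources it manages, and since Kubernetes keeps any object carrying an unrecognised finalizer, the Application itself is likely to sit in a terminating state until the finalizer is patched off by hand. Change the line to `    - resources-finalizer.argocd.argoproj.io`. As a style point, the opening `{{ if .Values.opa.enabled }}` has no whitespace trim and emits a leading blank line in the rendered manifest; `{{- if .Values.opa.enabled }}` matches the closing `{{- end }}`.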
@@ -10,3 +10,17 @@ bundler:
   repoUrl: https://github.com/DiamondLightSource/authz.git
   targetRevision: HEAD
   path: charts/bundler
+
+opa:
+  enabled: true
+  repoUrl: https://github.com/DiamondLightSource/authz.git
+  targetRevision: HEAD
+  path: charts/opa
+  valuesObject:
+    orgData:
+      bundlerSecret:
+        name: token-authorization
+        key: bearer
+    orgPolicy:
+      enabled: true
+      userinfoEndpoint: https://auth.diamond.ac.uk/cas/oidc/oidcProfile

From 3492abc957fb58eefc7f5af4c1a3fc465e1c8efb Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Mon, 16 Sep 2024 16:38:13 +0100
Subject: [PATCH 2/6] Restrict bundler ingress path to /bundle.tar.gz

---
 charts/bundler/Chart.yaml  | 2 +-
 charts/bundler/values.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/charts/bundler/Chart.yaml b/charts/bundler/Chart.yaml
index 6e48495..13873f7 100644
--- a/charts/bundler/Chart.yaml
+++ b/charts/bundler/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bundler
 description: A Open Policy Agent (OPA) Data Bundle Server providing permissionable data from ISPyB
 type: application
-version: 0.2.1
+version: 0.3.0
 appVersion: 0.0.11
 maintainers:
   - name: garryod
diff --git a/charts/bundler/values.yaml b/charts/bundler/values.yaml
index 8a0747c..dd2ef5f 100644
--- a/charts/bundler/values.yaml
+++ b/charts/bundler/values.yaml
@@ -42,8 +42,8 @@ ingress:
   hosts:
     - host: authz.diamond.ac.uk
       paths:
-        - path: /
-          pathType: Prefix
+        - path: /bundle.tar.gz
+          pathType: ImplementationSpecific
   tls: []
 
 resources: {}

From e14b2ac66536940a8c9818e7981699c3bed007b5 Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Mon, 16 Sep 2024 16:38:52 +0100
Subject: [PATCH 3/6] Add ingress to opa chart

---
 charts/opa/Chart.yaml             |  2 +-
 charts/opa/templates/ingress.yaml | 44 +++++++++++++++++++++++++++++++
 charts/opa/values.yaml            |  7 +++++
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 charts/opa/templates/ingress.yaml
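Review bot: `targetRevision: HEAD` on the new `opa` entry means every push to the default branch of the authz repository is synced straight into the authorisation layer, with `prune` and `selfHeal` turned on by the Application template. It mirrors the existing `bundler` entry above it, so this is an inherited convention rather than something the commit introduces, but for the component that decides access it is worth pinning to a tag or commit (`targetRevision: "<release-tag>"`, constructed placeholder) and promoting deliberately. If HEAD tracking is intended for this environment, a comment above `opa:` saying so would save the next reader the question.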
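Review bot: `pathType: ImplementationSpecific` leaves the meaning of `/bundle.tar.gz` to the ingress controller, and the common controllers treat such a path as a prefix (ingress-nginx, for example, passes it through as a plain nginx `location`), so `/bundle.tar.gz.old` or `/bundle.tar.gz/anything` would still be routed to the bundler. Since the purpose of the change is to expose exactly one file, `pathType: Exact` expresses that portably: `          pathType: Exact`. If ImplementationSpecific was chosen because the cluster's controller needs it, a comment on that line explaining why would stop the next reviewer from raising this again.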
diff --git a/charts/opa/Chart.yaml b/charts/opa/Chart.yaml
index afdfa9e..b4e24ef 100644
--- a/charts/opa/Chart.yaml
+++ b/charts/opa/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: opa
 description: An OPA deployment to run alongside applications requiring authorization
 type: application
-version: 0.4.0
+version: 0.5.0
 appVersion: 0.59.0
 maintainers:
   - name: garryod
diff --git a/charts/opa/templates/ingress.yaml b/charts/opa/templates/ingress.yaml
new file mode 100644
index 0000000..ced0fbb
--- /dev/null
+++ b/charts/opa/templates/ingress.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if .pathType }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ include "common.names.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/charts/opa/values.yaml b/charts/opa/values.yaml
index 0ce70e5..8973b9b 100644
--- a/charts/opa/values.yaml
+++ b/charts/opa/values.yaml
@@ -40,6 +40,13 @@ service:
   type: ClusterIP
   port: 80
 
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts: []
+  tls: []
+
 resources: {}
 
 replicaCount: 1

From afe8638568cfedc97a81d15cf67d965ff359e7a8 Mon Sep 17 00:00:00 2001
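Review bot: `pathType` is rendered only inside `{{- if .pathType }}`, but the manifest hard-codes `apiVersion: networking.k8s.io/v1`, where `pathType` is a required field on every path, so a values entry that omits it renders cleanly and then fails at apply time. Making it mandatory at render time gives a clear error instead: replace the three conditional lines with `pathType: {{ required "ingress.hosts[].paths[].pathType is required" .pathType }}`. Separately, `path` and `secretName` are rendered unquoted while `host` is quoted; `path: {{ .path | quote }}` keeps the template consistent and protects against values that begin with a YAML indicator.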
From: Garry O'Donnell
Date: Mon, 16 Sep 2024 16:39:16 +0100
Subject: [PATCH 4/6] Enable ingress in central deployment

---
 charts/apps/values.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/charts/apps/values.yaml b/charts/apps/values.yaml
index be79a74..54e6d07 100644
--- a/charts/apps/values.yaml
+++ b/charts/apps/values.yaml
@@ -24,3 +24,10 @@ opa:
     orgPolicy:
       enabled: true
       userinfoEndpoint: https://auth.diamond.ac.uk/cas/oidc/oidcProfile
+    ingress:
+      enabled: true
+      hosts:
+        - host: authz.diamond.ac.uk
+          paths:
+            - path: /
+              pathType: Prefix

From af67cf8914a9bc9435b0f6e38d94f0a620df0f90 Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Tue, 17 Sep 2024 16:50:49 +0100
Subject: [PATCH 5/6] Fix service account name evaluation for opa chart

---
 charts/opa/templates/deployment.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/charts/opa/templates/deployment.yaml b/charts/opa/templates/deployment.yaml
index f28b32c..26a1bbf 100644
--- a/charts/opa/templates/deployment.yaml
+++ b/charts/opa/templates/deployment.yaml
@@ -25,7 +25,11 @@ spec:
         imagePullSecrets:
           {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "common.names.fullname" . }}
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+      {{- else }}
+      serviceAccountName: {{ default "default" .Values.serviceAccount.name }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

From ce168b0ca380b6d7d77506933381750517208b2d Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Tue, 17 Sep 2024 16:50:56 +0100
Subject: [PATCH 6/6] Enable opa service account by default

---
 charts/opa/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/opa/values.yaml b/charts/opa/values.yaml
index 8973b9b..137e803 100644
--- a/charts/opa/values.yaml
+++ b/charts/opa/values.yaml
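Review bot: The OPA Application is exposed on `authz.diamond.ac.uk` with `path: /` and `pathType: Prefix`, so everything on that host other than the bundler's more specific `/bundle.tar.gz` now reaches the OPA service, which is the opposite of the narrowing the previous patch applied to the bundler. OPA's HTTP API carries policy and data management endpoints (`PUT`/`DELETE` under `/v1/policies` and `/v1/data`) next to the query endpoints, so unless the OPA chart starts the server with its authorization policy enabled (not visible in this series; confirm), this publishes the management surface along with the query one. Restricting the ingress to what consumers actually call, e.g. `- path: /v1/data` with `pathType: Prefix`, or placing an authenticating gateway in front, keeps the exposure to what is needed. `tls` is also left at its empty default here; if TLS is terminated elsewhere, a comment saying so would help.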
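Review bot: The pod now honours `.Values.serviceAccount.name`, but the ServiceAccount object itself comes from a separate template this hunk does not touch; if that template still names the account with `common.names.fullname` unconditionally, setting `serviceAccount.name` together with `create: true` yields a pod referencing an account that is never created, and the ReplicaSet's pods are rejected at admission. Confirm that serviceaccount.yaml uses the same expression, `{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}`, ideally through a shared named template so the two cannot drift. As a style point, the two branches differ only in the fallback and could be one line: `serviceAccountName: {{ default (ternary (include "common.names.fullname" .) "default" .Values.serviceAccount.create) .Values.serviceAccount.name }}`. The enclosing pod spec starts and ends outside the hunk.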
@@ -27,7 +27,7 @@ extraEnv: []
 portOverride: ""
 
 serviceAccount:
-  create: false
+  create: true
   name: ""
 
 podAnnotations: {}
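Review bot: Defaulting to a dedicated ServiceAccount moves the OPA pod off the namespace `default` account, which is the right least-privilege direction; the open question is whether OPA needs a Kubernetes API token at all. If the deployment only pulls bundles from the bundler over HTTP (the central values suggest that, but nothing in this chart's templates is visible here; confirm), `automountServiceAccountToken: false` on the ServiceAccount or pod spec keeps a credential out of a container that has no use for it. A comment on `create:` stating what the account is for would also help, since nothing in this file says.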