feat: refactor helm chart for applying in gold (#109)

* feat: refactor helm chart for applying in gold

* feat: use official spilo image

* fix: pre-commit issue with end of line

.github/workflows/publish-image.yml

@@ -86,10 +86,3 @@ jobs:
         with:
           bump_version_scheme: patch
           tag_prefix: v
-
-      - name: Check Output Parameters
-        if: github.ref == 'refs/heads/main'
-        run: |
-          echo "Got tag name ${{ steps.release.outputs.tag_name }}"
-          echo "Got release version ${{ steps.release.outputs.version }}"
-          echo "Upload release artifacts to ${{ steps.release.outputs.upload_url }}"

.tool-versions

@@ -2,4 +2,4 @@ nodejs 16.14.0
 yarn 1.22.4
 python 3.11.0
 postgres 14.1
-helm 3.2.4
+helm 3.10.2

app/.env.example

@@ -1,18 +1,18 @@
-SSO_URL=https://dev.oidc.gov.bc.ca/auth/realms/onestopauth
+SSO_URL=https://dev.loginproxy.gov.bc.ca/auth/realms/standard
 SSO_CLIENT_ID=sso-requests
 SSO_CLIENT_SECRET=sso-requests-secret
 SSO_REDIRECT_URI=http://localhost:3000
 SSO_LOGOUT_REDIRECT_URI=http://localhost:3000
 SSO_AUTHORIZATION_RESPONSE_TYPE=code
 SSO_AUTHORIZATION_SCOPE=openid
 SSO_TOKEN_GRANT_TYPE=authorization_code
-DEV_KC_URL=https://dev.oidc.gov.bc.ca
+DEV_KC_URL=https://dev.loginproxy.gov.bc.ca
 DEV_KC_CLIENT_ID=script-cli
 DEV_KC_CLIENT_SECRET=
-TEST_KC_URL=https://dev.oidc.gov.bc.ca
+TEST_KC_URL=https://dev.loginproxy.gov.bc.ca
 TEST_KC_CLIENT_ID=script-cli
 TEST_KC_CLIENT_SECRET=
-PROD_KC_URL=https://dev.oidc.gov.bc.ca
+PROD_KC_URL=https://dev.loginproxy.gov.bc.ca
 PROD_KC_CLIENT_ID=script-cli
 PROD_KC_CLIENT_SECRET=
 JWT_SECRET=verysecuresecret

app/next.config.js

@@ -24,21 +24,22 @@ module.exports = {
     pg_database: process.env.PGDATABASE || 'realm_profile',
     pg_ssl: process.env.PGSSL === 'true',
 
-    dev_kc_url: process.env.DEV_KC_URL || 'https://dev.oidc.gov.bc.ca',
+    dev_kc_url: process.env.DEV_KC_URL || 'https://dev.loginproxy.gov.bc.ca',
     dev_kc_client_id: process.env.DEV_KC_CLIENT_ID || 'script-cli',
     dev_kc_client_secret: process.env.DEV_KC_CLIENT_SECRET,
 
-    test_kc_url: process.env.TEST_KC_URL || 'https://dev.oidc.gov.bc.ca',
+    test_kc_url: process.env.TEST_KC_URL || 'https://dev.loginproxy.gov.bc.ca',
     test_kc_client_id: process.env.TEST_KC_CLIENT_ID || 'script-cli',
     test_kc_client_secret: process.env.TEST_KC_CLIENT_SECRET,
 
-    prod_kc_url: process.env.PROD_KC_URL || 'https://dev.oidc.gov.bc.ca',
+    prod_kc_url: process.env.PROD_KC_URL || 'https://dev.loginproxy.gov.bc.ca',
     prod_kc_client_id: process.env.PROD_KC_CLIENT_ID || 'script-cli',
     prod_kc_client_secret: process.env.PROD_KC_CLIENT_SECRET,
 
     ches_api_endpoint: process.env.CHES_API_ENDPOINT || 'https://ches.api.gov.bc.ca/api/v1/email',
     ches_token_endpoint:
-      process.env.CHES_TOKEN_ENDPOINT || 'https://dev.oidc.gov.bc.ca/auth/realms/xxxxxxx/protocol/openid-connect/token',
+      process.env.CHES_TOKEN_ENDPOINT ||
+      'https://dev.loginproxy.gov.bc.ca/auth/realms/xxxxxxx/protocol/openid-connect/token',
     ches_username: process.env.CHES_USERNAME,
     ches_password: process.env.CHES_PASSWORD,
 

app/page-partials/my-dashboard/DuplicateIDIR.tsx

@@ -91,7 +91,7 @@ const TableContent = ({
           {info.affected.map((realm: string) => (
             <li key={realm}>
               <Link
-                href={`https://${env === 'prod' ? '' : env + '.'}oidc.gov.bc.ca/auth/admin/${realm}/console`}
+                href={`https://${env === 'prod' ? '' : env + '.'}loginproxy.gov.bc.ca/auth/admin/${realm}/console`}
                 external
               >
                 {realm}

app/page-partials/my-dashboard/RealmIDIR.tsx

@@ -168,7 +168,7 @@ function RealmIDIR({ realm }: Props) {
             {result.affected.map((realmName) => (
               <li>
                 <Link
-                  href={`https://dev.oidc.gov.bc.ca/auth/admin/${realmName}/console`}
+                  href={`https://dev.loginproxy.gov.bc.ca/auth/admin/${realmName}/console`}
                   external
                 >{`Realm Link: ${realmName}`}</Link>
               </li>

app/page-partials/my-dashboard/RealmURIs.tsx

@@ -19,23 +19,23 @@ function RealmURIs({ realm }: Props) {
     <>
       <Title>Development</Title>
       <Link
-        href={`https://dev.oidc.gov.bc.ca/auth/admin/${realm.realm}/console`}
+        href={`https://dev.loginproxy.gov.bc.ca/auth/admin/${realm.realm}/console`}
         external
-      >{`https://dev.oidc.gov.bc.ca/auth/admin/${realm.realm}/console`}</Link>
+      >{`https://dev.loginproxy.gov.bc.ca/auth/admin/${realm.realm}/console`}</Link>
       <br />
       <br />
       <Title>Test</Title>
       <Link
-        href={`https://test.oidc.gov.bc.ca/auth/admin/${realm.realm}/console`}
+        href={`https://test.loginproxy.gov.bc.ca/auth/admin/${realm.realm}/console`}
         external
-      >{`https://test.oidc.gov.bc.ca/auth/admin/${realm.realm}/console`}</Link>
+      >{`https://test.loginproxy.gov.bc.ca/auth/admin/${realm.realm}/console`}</Link>
       <br />
       <br />
       <Title>Production</Title>
       <Link
-        href={`https://oidc.gov.bc.ca/auth/admin/${realm.realm}/console`}
+        href={`https://loginproxy.gov.bc.ca/auth/admin/${realm.realm}/console`}
         external
-      >{`https://oidc.gov.bc.ca/auth/admin/${realm.realm}/console`}</Link>
+      >{`https://loginproxy.gov.bc.ca/auth/admin/${realm.realm}/console`}</Link>
     </>
   );
 }

app/utils/ches.ts

@@ -1,6 +1,7 @@
 import axios from 'axios';
 import url from 'url';
 import getConfig from 'next/config';
+import https from 'https';
 
 const { serverRuntimeConfig = {} } = getConfig() || {};
 const { ches_api_endpoint, ches_token_endpoint, ches_username, ches_password } = serverRuntimeConfig;
@@ -19,10 +20,18 @@ interface EmailOptions {
   tag?: string;
 }
 
+const httpsAgent = new https.Agent({
+  rejectUnauthorized: false,
+});
+
 const fetchChesToken = async () => {
   const params = new url.URLSearchParams({ grant_type: 'client_credentials' });
   try {
     const { data } = await axios.post(ches_token_endpoint, params.toString(), {
+      headers: {
+        'Accept-Encoding': 'application/json',
+      },
+      httpsAgent,
       auth: {
         username: ches_username,
         password: ches_password,

helm/webapp/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: realm-registry
-version: 0.1.0
+version: 0.2.0
 appVersion: 0.1.0
 description: Nextjs application to manage SSO keycloak custom realm profiles
 dependencies:

helm/webapp/templates/deployment.yaml

@@ -23,7 +23,7 @@ spec:
         vault.hashicorp.com/agent-inject-token: 'true'
         vault.hashicorp.com/agent-init-first: 'true'
         vault.hashicorp.com/agent-pre-populate: 'true'
-        vault.hashicorp.com/auth-path: auth/k8s-silver
+        vault.hashicorp.com/auth-path: auth/k8s-gold
         vault.hashicorp.com/namespace: platform-services
         vault.hashicorp.com/role: {{ .Values.vault.vaultSecretEngine }}
         vault.hashicorp.com/agent-inject-secret-postgres: {{ .Values.vault.vaultSecretEngine }}/{{ .Values.vault.postgresSecret }}
@@ -49,6 +49,10 @@ spec:
             export TEST_KC_CLIENT_ID="{{ .Data.data.TEST_KC_CLIENT_ID}}"
             export TEST_KC_CLIENT_SECRET="{{ .Data.data.TEST_KC_CLIENT_SECRET}}"
             export TEST_KC_URL="{{ .Data.data.TEST_KC_URL}}"
+            export CHES_API_ENDPOINT="{{ .Data.data.CHES_API_ENDPOINT }}"
+            export CHES_PASSWORD="{{ .Data.data.CHES_PASSWORD }}"
+            export CHES_TOKEN_ENDPOINT="{{ .Data.data.CHES_TOKEN_ENDPOINT }}"
+            export CHES_USERNAME="{{ .Data.data.CHES_USERNAME }}"
           {{- end }}`}}
     spec:
       initContainers:

helm/webapp/values-c6af30-dev.yaml

@@ -0,0 +1,33 @@
+image:
+  tag: dev
+
+route:
+  host: realm-registry-sandbox.apps.gold.devops.gov.bc.ca
+
+sso:
+  url: https://dev.loginproxy.gov.bc.ca/auth/realms/standard
+  redirectUri: http://realm-registry-sandbox.apps.gold.devops.gov.bc.ca/oidc/keycloak
+  logoutRedirectUri: http://realm-registry-sandbox.apps.gold.devops.gov.bc.ca
+
+env:
+  APP_ENV: 'development'
+  SECURE_HEADERS: 'true'
+  IDIR_JWKS_URI: https://dev.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/certs
+  IDIR_ISSUER: https://dev.loginproxy.gov.bc.ca/auth/realms/standard
+  IDIR_AUDIENCE: css-app-in-gold-4128
+  CHES_API_ENDPOINT: https://ches.api.gov.bc.ca/api/v1/email
+
+vault:
+  vaultSecretEngine: c6af30-nonprod
+  postgresSecret: sandbox-realm-registry-patroni-appusers
+  realmRegistrySecret: sandbox-realm-registry
+  serviceAccountName: c6af30-vault
+
+patroni:
+  image:
+    repository: registry.opensource.zalan.do/acid/spilo-14
+    pullPolicy: Always
+    tag: 2.1-p5
+
+  walG:
+    enabled: false

helm/webapp/values-c6af30-prod.yaml

@@ -0,0 +1,37 @@
+image:
+  tag: main
+
+route:
+  host: realm-registry.apps.gold.devops.gov.bc.ca
+
+sso:
+  url: https://loginproxy.gov.bc.ca/auth/realms/standard
+  redirectUri: http://realm-registry.apps.gold.devops.gov.bc.ca/oidc/keycloak
+  logoutRedirectUri: http://realm-registry.apps.gold.devops.gov.bc.ca
+
+env:
+  APP_ENV: 'production'
+  SECURE_HEADERS: 'true'
+  IDIR_JWKS_URI: https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/certs
+  IDIR_ISSUER: https://loginproxy.gov.bc.ca/auth/realms/standard
+  IDIR_AUDIENCE: css-app-in-gold-4128
+  CHES_API_ENDPOINT: https://ches.api.gov.bc.ca/api/v1/email
+
+vault:
+  vaultSecretEngine: c6af30-prod
+  postgresSecret: prod-realm-registry-patroni-appusers
+  realmRegistrySecret: prod-realm-registry
+  serviceAccountName: c6af30-vault
+
+patroni:
+  image:
+    repository: registry.opensource.zalan.do/acid/spilo-14
+    pullPolicy: Always
+    tag: 2.1-p5
+
+  walG:
+    enabled: true
+    scheduleCronJob: 00 01 * * *
+    retainBackups: 7
+    pvc:
+      size: 1Gi

helm/webapp/values.yaml

@@ -77,7 +77,7 @@ patroni:
 
   resources: {}
   persistentVolume:
-    size: 10Gi
+    size: 1Gi
 
   podDisruptionBudget:
     enabled: true