From 8e060e1514647d4ca12054be1ea521dc68516b13 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 27 Nov 2024 16:05:48 -0800 Subject: [PATCH] Tag every GafaelfawrIngress with a service Add service information to every authenticated `GafaelfawrIngress` resource. This will be used for metrics reporting. --- .../charts/alert-database/templates/ingress.yaml | 1 + applications/argo-workflows/templates/ingress.yaml | 3 ++- .../butler/templates/ingress-authenticated.yaml | 1 + applications/checkerboard/templates/ingress.yaml | 1 + applications/cm-service/templates/ingress.yaml | 1 + applications/consdb/templates/ingress.yaml | 1 + applications/datalinker/templates/ingress-image.yaml | 1 + applications/datalinker/templates/ingress-tap.yaml | 1 + applications/exposurelog/templates/ingress.yaml | 1 + applications/fastapi-bootcamp/templates/ingress.yaml | 1 + .../ghostwriter/templates/ingress-toplevel.yaml | 1 + applications/ghostwriter/templates/ingress.yaml | 1 + applications/giftless/templates/ingress.yaml | 1 + applications/hips/templates/ingress.yaml | 1 + applications/jira-data-proxy/templates/ingress.yaml | 3 ++- applications/livetap/README.md | 3 ++- applications/livetap/values.yaml | 5 ++++- applications/mobu/templates/ingress.yaml | 3 ++- applications/narrativelog/templates/ingress.yaml | 1 + applications/nightreport/templates/ingress.yaml | 1 + applications/noteburst/templates/ingress.yaml | 3 ++- .../nublado/templates/controller-ingress-admin.yaml | 1 + .../nublado/templates/controller-ingress-files.yaml | 3 ++- .../nublado/templates/controller-ingress-hub.yaml | 1 + .../nublado/templates/controller-ingress-user.yaml | 1 + applications/nublado/templates/proxy-ingress.yaml | 3 ++- .../nublado/templates/proxy-spawn-ingress.yaml | 3 ++- .../charts/obsenv-ui/templates/ingress.yaml | 3 ++- applications/ook/templates/ingress.yaml | 3 ++- applications/plot-navigator/templates/ingress.yaml | 3 ++- applications/portal/templates/ingress-admin.yaml | 3 ++- applications/portal/templates/ingress.yaml | 3 ++- applications/ppdb-replication/templates/ingress.yaml | 1 + applications/production-tools/templates/ingress.yaml | 3 ++- applications/s3proxy/templates/ingress.yaml | 1 + .../schedview-snapshot/templates/ingress.yaml | 3 ++- applications/sia/templates/ingress.yaml | 1 + applications/siav2/templates/ingress.yaml | 11 ++++++----- .../squareone/templates/ingress-times-square.yaml | 3 ++- applications/ssotap/README.md | 5 +++-- applications/ssotap/values.yaml | 7 +++++-- applications/tap/README.md | 5 +++-- applications/tap/values.yaml | 7 +++++-- .../times-square/templates/ingress-templates.yaml | 3 ++- applications/times-square/templates/ingress.yaml | 3 ++- applications/vo-cutouts/templates/ingress.yaml | 1 + charts/cadc-tap/README.md | 1 + .../cadc-tap/templates/tap-ingress-authenticated.yaml | 5 +++-- charts/cadc-tap/values.yaml | 5 +++++ charts/rubintv/templates/ingress.yaml | 3 ++- starters/fastapi-safir-uws/templates/ingress.yaml | 1 + starters/fastapi-safir/templates/ingress.yaml | 1 + starters/web-service/templates/ingress.yaml | 1 + 53 files changed, 98 insertions(+), 35 deletions(-) diff --git a/applications/alert-stream-broker/charts/alert-database/templates/ingress.yaml b/applications/alert-stream-broker/charts/alert-database/templates/ingress.yaml index 774dadf5a1..2205bd50a7 100644 --- a/applications/alert-stream-broker/charts/alert-database/templates/ingress.yaml +++ b/applications/alert-stream-broker/charts/alert-database/templates/ingress.yaml @@ -10,6 +10,7 @@ config: scopes: all: - "read:alertdb" + service: "alert-stream-broker" template: metadata: name: {{ template "alertDatabase.fullname" . }} diff --git a/applications/argo-workflows/templates/ingress.yaml b/applications/argo-workflows/templates/ingress.yaml index 03a5c5ed65..66a2ec497c 100644 --- a/applications/argo-workflows/templates/ingress.yaml +++ b/applications/argo-workflows/templates/ingress.yaml @@ -4,9 +4,10 @@ metadata: name: argo-workflows config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: {{ .Values.ingress.scopes }} - loginRedirect: true + service: "argo-workflows" template: metadata: name: argo-workflows diff --git a/applications/butler/templates/ingress-authenticated.yaml b/applications/butler/templates/ingress-authenticated.yaml index bf7127de6e..8837ae054a 100644 --- a/applications/butler/templates/ingress-authenticated.yaml +++ b/applications/butler/templates/ingress-authenticated.yaml @@ -16,6 +16,7 @@ config: internal: service: "butler" scopes: [] + service: "butler" template: metadata: diff --git a/applications/checkerboard/templates/ingress.yaml b/applications/checkerboard/templates/ingress.yaml index edf033a11e..fb11ba4d0a 100644 --- a/applications/checkerboard/templates/ingress.yaml +++ b/applications/checkerboard/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:checkerboard" + service: "checkerboard" template: metadata: name: {{ template "checkerboard.fullname" . }} diff --git a/applications/cm-service/templates/ingress.yaml b/applications/cm-service/templates/ingress.yaml index 882de320dc..0820003c40 100644 --- a/applications/cm-service/templates/ingress.yaml +++ b/applications/cm-service/templates/ingress.yaml @@ -10,6 +10,7 @@ config: scopes: all: - "exec:internal-tools" + service: "cm-service" template: metadata: name: "cm-service" diff --git a/applications/consdb/templates/ingress.yaml b/applications/consdb/templates/ingress.yaml index 18a6c605df..1b0dfc38bd 100644 --- a/applications/consdb/templates/ingress.yaml +++ b/applications/consdb/templates/ingress.yaml @@ -11,6 +11,7 @@ config: scopes: all: - "read:image" + service: "consdb" template: metadata: name: "consdb-pq" diff --git a/applications/datalinker/templates/ingress-image.yaml b/applications/datalinker/templates/ingress-image.yaml index 325bfb41e4..7c6c9a3c82 100644 --- a/applications/datalinker/templates/ingress-image.yaml +++ b/applications/datalinker/templates/ingress-image.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "datalinker" # Request a delegated token to use for making calls to Butler server with the # end-user's credentials. delegate: diff --git a/applications/datalinker/templates/ingress-tap.yaml b/applications/datalinker/templates/ingress-tap.yaml index 99245d239e..acd37d39aa 100644 --- a/applications/datalinker/templates/ingress-tap.yaml +++ b/applications/datalinker/templates/ingress-tap.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:tap" + service: "datalinker" template: metadata: name: {{ include "datalinker.fullname" . }}-tap diff --git a/applications/exposurelog/templates/ingress.yaml b/applications/exposurelog/templates/ingress.yaml index c5eba0a88a..eb85e73506 100644 --- a/applications/exposurelog/templates/ingress.yaml +++ b/applications/exposurelog/templates/ingress.yaml @@ -11,6 +11,7 @@ config: scopes: all: - "exec:internal-tools" + service: "exposurelog" {{- else }} scopes: anonymous: true diff --git a/applications/fastapi-bootcamp/templates/ingress.yaml b/applications/fastapi-bootcamp/templates/ingress.yaml index 8e3c72bf44..8ba9afa2a7 100644 --- a/applications/fastapi-bootcamp/templates/ingress.yaml +++ b/applications/fastapi-bootcamp/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "fastapi-bootcamp" template: metadata: name: "fastapi-bootcamp" diff --git a/applications/ghostwriter/templates/ingress-toplevel.yaml b/applications/ghostwriter/templates/ingress-toplevel.yaml index fb8ebbf3b5..af4ef97d56 100644 --- a/applications/ghostwriter/templates/ingress-toplevel.yaml +++ b/applications/ghostwriter/templates/ingress-toplevel.yaml @@ -11,6 +11,7 @@ config: scopes: all: - "read:image" + service: "ghostwriter" delegate: notebook: {} template: diff --git a/applications/ghostwriter/templates/ingress.yaml b/applications/ghostwriter/templates/ingress.yaml index 1570a890a7..bac29c13a3 100644 --- a/applications/ghostwriter/templates/ingress.yaml +++ b/applications/ghostwriter/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "ghostwriter" delegate: notebook: {} template: diff --git a/applications/giftless/templates/ingress.yaml b/applications/giftless/templates/ingress.yaml index 77e97b5227..bf291fcd7a 100644 --- a/applications/giftless/templates/ingress.yaml +++ b/applications/giftless/templates/ingress.yaml @@ -91,6 +91,7 @@ config: scopes: all: - "write:git-lfs" + service: "giftless" template: metadata: name: {{ template "giftless.fullname" . }}-rw diff --git a/applications/hips/templates/ingress.yaml b/applications/hips/templates/ingress.yaml index 78bfe06ee9..8f87d5e1ac 100644 --- a/applications/hips/templates/ingress.yaml +++ b/applications/hips/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "hips" template: metadata: name: "hips" diff --git a/applications/jira-data-proxy/templates/ingress.yaml b/applications/jira-data-proxy/templates/ingress.yaml index 771d96fc5e..8d91d25dab 100644 --- a/applications/jira-data-proxy/templates/ingress.yaml +++ b/applications/jira-data-proxy/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "jira-data-proxy.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: false # endpoint is for API use only scopes: all: - "exec:notebook" - loginRedirect: false # endpoint is for API use only + service: "jira-data-proxy" template: metadata: name: "jira-data-proxy" diff --git a/applications/livetap/README.md b/applications/livetap/README.md index 0884f22fe9..cbcac45566 100644 --- a/applications/livetap/README.md +++ b/applications/livetap/README.md @@ -16,7 +16,8 @@ IVOA TAP service | cadc-tap.config.pg.host | string | `"mock-pg:5432"` (the mock pg) | Postgres hostname:port to connect to | | cadc-tap.config.pg.username | string | `"rubin"` | Postgres username to use to connect | | cadc-tap.config.vaultSecretName | string | `"livetap"` | Vault secret name: the final key in the vault path | -| cadc-tap.ingress.path | string | `"live"` | | +| cadc-tap.ingress.path | string | `"live"` | Ingress path that should be routed to this service | +| cadc-tap.service | string | `"livetap"` | Name of the service from Gafaelfawr's perspective | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | diff --git a/applications/livetap/values.yaml b/applications/livetap/values.yaml index df18fd489a..3c5c686e26 100644 --- a/applications/livetap/values.yaml +++ b/applications/livetap/values.yaml @@ -1,6 +1,6 @@ cadc-tap: - # Settings for the ingress rules. ingress: + # -- Ingress path that should be routed to this service path: "live" config: @@ -21,6 +21,9 @@ cadc-tap: # -- Vault secret name: the final key in the vault path vaultSecretName: "livetap" + # -- Name of the service from Gafaelfawr's perspective + service: "livetap" + # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: diff --git a/applications/mobu/templates/ingress.yaml b/applications/mobu/templates/ingress.yaml index ce60afd027..73d69de2eb 100644 --- a/applications/mobu/templates/ingress.yaml +++ b/applications/mobu/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "mobu.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:admin" - loginRedirect: true + service: "mobu" template: metadata: name: {{ template "mobu.fullname" . }} diff --git a/applications/narrativelog/templates/ingress.yaml b/applications/narrativelog/templates/ingress.yaml index 796e78fd1d..73ad20a4d8 100644 --- a/applications/narrativelog/templates/ingress.yaml +++ b/applications/narrativelog/templates/ingress.yaml @@ -11,6 +11,7 @@ config: scopes: all: - "exec:internal-tools" + service: "narrativelog" {{- else }} scopes: anonymous: true diff --git a/applications/nightreport/templates/ingress.yaml b/applications/nightreport/templates/ingress.yaml index 930d61eab8..a6600c25a5 100644 --- a/applications/nightreport/templates/ingress.yaml +++ b/applications/nightreport/templates/ingress.yaml @@ -11,6 +11,7 @@ config: scopes: all: - "exec:internal-tools" + service: "nightreport" {{- else }} scopes: anonymous: true diff --git a/applications/noteburst/templates/ingress.yaml b/applications/noteburst/templates/ingress.yaml index 2072a48326..c468e359dc 100644 --- a/applications/noteburst/templates/ingress.yaml +++ b/applications/noteburst/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "noteburst.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:notebook" - loginRedirect: true + service: "noteburst" template: metadata: name: {{ template "noteburst.fullname" . }} diff --git a/applications/nublado/templates/controller-ingress-admin.yaml b/applications/nublado/templates/controller-ingress-admin.yaml index 43043b1cc4..1778da8f75 100644 --- a/applications/nublado/templates/controller-ingress-admin.yaml +++ b/applications/nublado/templates/controller-ingress-admin.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "exec:admin" + service: "nublado-controller" template: metadata: name: "controller-admin" diff --git a/applications/nublado/templates/controller-ingress-files.yaml b/applications/nublado/templates/controller-ingress-files.yaml index 19d7506b89..de85296010 100644 --- a/applications/nublado/templates/controller-ingress-files.yaml +++ b/applications/nublado/templates/controller-ingress-files.yaml @@ -10,9 +10,10 @@ config: scopes: all: - "write:files" + service: "nublado-files" delegate: internal: - service: "nublado" + service: "nublado-files" scopes: [] template: metadata: diff --git a/applications/nublado/templates/controller-ingress-hub.yaml b/applications/nublado/templates/controller-ingress-hub.yaml index 2c1c00c611..c25dbc96a7 100644 --- a/applications/nublado/templates/controller-ingress-hub.yaml +++ b/applications/nublado/templates/controller-ingress-hub.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "admin:jupyterlab" + service: "nublado-controller" template: metadata: name: "controller-hub" diff --git a/applications/nublado/templates/controller-ingress-user.yaml b/applications/nublado/templates/controller-ingress-user.yaml index 45549f4703..ca6b9d26d8 100644 --- a/applications/nublado/templates/controller-ingress-user.yaml +++ b/applications/nublado/templates/controller-ingress-user.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "exec:notebook" + service: "nublado-controller" delegate: notebook: {} template: diff --git a/applications/nublado/templates/proxy-ingress.yaml b/applications/nublado/templates/proxy-ingress.yaml index 4a7b13f7ce..96dc37c762 100644 --- a/applications/nublado/templates/proxy-ingress.yaml +++ b/applications/nublado/templates/proxy-ingress.yaml @@ -7,10 +7,11 @@ metadata: config: baseUrl: {{ .Values.global.baseUrl | quote }} authCacheDuration: "5m" + loginRedirect: true scopes: all: - "exec:notebook" - loginRedirect: true + service: "nublado" delegate: notebook: {} template: diff --git a/applications/nublado/templates/proxy-spawn-ingress.yaml b/applications/nublado/templates/proxy-spawn-ingress.yaml index 06af378237..54c4761c36 100644 --- a/applications/nublado/templates/proxy-spawn-ingress.yaml +++ b/applications/nublado/templates/proxy-spawn-ingress.yaml @@ -7,10 +7,11 @@ metadata: {{- include "nublado.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:notebook" - loginRedirect: true + service: "nublado" delegate: {{- if .Values.hub.minimumTokenLifetime }} minimumLifetime: {{ .Values.hub.minimumTokenLifetime }} diff --git a/applications/obsenv-management/charts/obsenv-ui/templates/ingress.yaml b/applications/obsenv-management/charts/obsenv-ui/templates/ingress.yaml index de30d87046..1ad03831c5 100644 --- a/applications/obsenv-management/charts/obsenv-ui/templates/ingress.yaml +++ b/applications/obsenv-management/charts/obsenv-ui/templates/ingress.yaml @@ -10,9 +10,10 @@ config: scopes: all: - "exec:internal-tools" + service: "obsenv-ui" delegate: internal: - service: "obsenv-api" + service: "obsenv-ui" scopes: [] template: metadata: diff --git a/applications/ook/templates/ingress.yaml b/applications/ook/templates/ingress.yaml index 41fe9578a7..d43bc0a839 100644 --- a/applications/ook/templates/ingress.yaml +++ b/applications/ook/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "ook.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:admin" - loginRedirect: true + service: "ook" template: metadata: name: {{ template "ook.fullname" . }} diff --git a/applications/plot-navigator/templates/ingress.yaml b/applications/plot-navigator/templates/ingress.yaml index a0c1d19102..e32f7e32e5 100644 --- a/applications/plot-navigator/templates/ingress.yaml +++ b/applications/plot-navigator/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "plot-navigator.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:portal" - loginRedirect: true + service: "plot-navigator" delegate: internal: scopes: [] diff --git a/applications/portal/templates/ingress-admin.yaml b/applications/portal/templates/ingress-admin.yaml index 2a107ab1f5..65fc675e29 100644 --- a/applications/portal/templates/ingress-admin.yaml +++ b/applications/portal/templates/ingress-admin.yaml @@ -6,10 +6,11 @@ metadata: {{- include "portal.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:admin" - loginRedirect: true + service: "portal" template: metadata: name: {{ include "portal.fullname" . }}-admin diff --git a/applications/portal/templates/ingress.yaml b/applications/portal/templates/ingress.yaml index 0d7d6fc957..b14411788a 100644 --- a/applications/portal/templates/ingress.yaml +++ b/applications/portal/templates/ingress.yaml @@ -7,10 +7,11 @@ metadata: config: baseUrl: {{ .Values.global.baseUrl | quote }} authCacheDuration: "5m" + loginRedirect: true scopes: all: - "exec:portal" - loginRedirect: true + service: "portal" delegate: internal: service: "portal" diff --git a/applications/ppdb-replication/templates/ingress.yaml b/applications/ppdb-replication/templates/ingress.yaml index 381bce084c..849ae8c296 100644 --- a/applications/ppdb-replication/templates/ingress.yaml +++ b/applications/ppdb-replication/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "ppdb-replication" template: metadata: name: "ppdb-replication" diff --git a/applications/production-tools/templates/ingress.yaml b/applications/production-tools/templates/ingress.yaml index fbf1fb3bde..fab4f59fbf 100644 --- a/applications/production-tools/templates/ingress.yaml +++ b/applications/production-tools/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "production-tools.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:portal" - loginRedirect: true + service: "production-tools" template: metadata: name: {{ template "production-tools.fullname" . }} diff --git a/applications/s3proxy/templates/ingress.yaml b/applications/s3proxy/templates/ingress.yaml index 61ce54a2ff..ed4bf7d933 100644 --- a/applications/s3proxy/templates/ingress.yaml +++ b/applications/s3proxy/templates/ingress.yaml @@ -13,6 +13,7 @@ config: scopes: all: - "read:image" + service: "s3proxy" template: metadata: name: "s3proxy" diff --git a/applications/schedview-snapshot/templates/ingress.yaml b/applications/schedview-snapshot/templates/ingress.yaml index b6cb8ae716..9aa158b2f5 100644 --- a/applications/schedview-snapshot/templates/ingress.yaml +++ b/applications/schedview-snapshot/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "schedview-snapshot.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "exec:portal" - loginRedirect: true + service: "schedview-snapshot" template: metadata: name: "schedview-snapshot" diff --git a/applications/sia/templates/ingress.yaml b/applications/sia/templates/ingress.yaml index bb9638b596..b548e371bb 100644 --- a/applications/sia/templates/ingress.yaml +++ b/applications/sia/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "sia" delegate: internal: service: "sia" diff --git a/applications/siav2/templates/ingress.yaml b/applications/siav2/templates/ingress.yaml index 7f9fa4bd21..2af5227a0e 100644 --- a/applications/siav2/templates/ingress.yaml +++ b/applications/siav2/templates/ingress.yaml @@ -7,16 +7,17 @@ metadata: config: authType: "basic" baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: false + scopes: + all: + - "read:image" + service: "siav2" delegate: internal: scopes: - - read:tap + - "read:tap" service: "siav2" useAuthorization: true - loginRedirect: false - scopes: - all: - - read:image template: metadata: name: "siav2-authenticated" diff --git a/applications/squareone/templates/ingress-times-square.yaml b/applications/squareone/templates/ingress-times-square.yaml index e820c1b32e..3c5dad1ac0 100644 --- a/applications/squareone/templates/ingress-times-square.yaml +++ b/applications/squareone/templates/ingress-times-square.yaml @@ -6,10 +6,11 @@ metadata: {{- include "squareone.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - {{ .Values.ingress.timesSquareScope | quote }} - loginRedirect: true + service: "times-square" template: metadata: name: {{ template "squareone.fullname" . }}-times-square diff --git a/applications/ssotap/README.md b/applications/ssotap/README.md index 248e9b3cb4..7c2d741eef 100644 --- a/applications/ssotap/README.md +++ b/applications/ssotap/README.md @@ -16,8 +16,9 @@ IVOA TAP service for Solar System Objects | cadc-tap.config.pg.host | string | `"usdf-pg-catalogs.slac.stanford.edu:5432"` | Postgres hostname:port to connect to | | cadc-tap.config.pg.username | string | `"dp03"` | Postgres username to use to connect | | cadc-tap.config.vaultSecretName | string | `"ssotap"` | Vault secret name: the final key in the vault path | -| cadc-tap.ingress.path | string | `"ssotap"` | | -| cadc-tap.serviceAccount.name | string | `"ssotap"` | | +| cadc-tap.ingress.path | string | `"ssotap"` | Ingress path that should be routed to this service | +| cadc-tap.service | string | `"ssotap"` | Name of the service from Gafaelfawr's perspective | +| cadc-tap.serviceAccount.name | string | `"ssotap"` | Name of the Kubernetes `ServiceAccount`, used for CloudSQL access | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | diff --git a/applications/ssotap/values.yaml b/applications/ssotap/values.yaml index bf5c3b7b82..b22e4e2e99 100644 --- a/applications/ssotap/values.yaml +++ b/applications/ssotap/values.yaml @@ -1,6 +1,6 @@ cadc-tap: - # Settings for the ingress rules. ingress: + # -- Ingress path that should be routed to this service path: "ssotap" config: @@ -21,9 +21,12 @@ cadc-tap: vaultSecretName: "ssotap" serviceAccount: - # Name of Service Account + # -- Name of the Kubernetes `ServiceAccount`, used for CloudSQL access name: "ssotap" + # -- Name of the service from Gafaelfawr's perspective + service: "ssotap" + # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: diff --git a/applications/tap/README.md b/applications/tap/README.md index 62685520be..92ccd1b29e 100644 --- a/applications/tap/README.md +++ b/applications/tap/README.md @@ -13,8 +13,9 @@ IVOA TAP service |-----|------|---------|-------------| | cadc-tap.config.backend | string | `"qserv"` | What type of backend? | | cadc-tap.config.vaultSecretName | string | `"tap"` | Vault secret name: the final key in the vault path | -| cadc-tap.ingress.path | string | `"tap"` | | -| cadc-tap.serviceAccount.name | string | `"tap"` | | +| cadc-tap.ingress.path | string | `"tap"` | Ingress path that should be routed to this service | +| cadc-tap.serviceAccount.name | string | `"tap"` | Name of the Kubernetes `ServiceAccount`, used for CloudSQL access | +| cadc-tap.serviceName | string | `"tap"` | Name of the service from Gafaelfawr's perspective | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | diff --git a/applications/tap/values.yaml b/applications/tap/values.yaml index 21e256eeee..e7b34a6998 100644 --- a/applications/tap/values.yaml +++ b/applications/tap/values.yaml @@ -1,6 +1,6 @@ cadc-tap: - # Settings for the ingress rules. ingress: + # -- Ingress path that should be routed to this service path: "tap" config: @@ -11,9 +11,12 @@ cadc-tap: vaultSecretName: "tap" serviceAccount: - # Name of Service Account + # -- Name of the Kubernetes `ServiceAccount`, used for CloudSQL access name: "tap" + # -- Name of the service from Gafaelfawr's perspective + serviceName: "tap" + # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: diff --git a/applications/times-square/templates/ingress-templates.yaml b/applications/times-square/templates/ingress-templates.yaml index 28a4d8ad51..439a3d2cd8 100644 --- a/applications/times-square/templates/ingress-templates.yaml +++ b/applications/times-square/templates/ingress-templates.yaml @@ -6,10 +6,11 @@ metadata: {{- include "times-square.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - {{ .Values.ingress.templateApiScope | quote }} - loginRedirect: true + service: "times-square" template: metadata: name: "{{ template "times-square.fullname" . }}-templates" diff --git a/applications/times-square/templates/ingress.yaml b/applications/times-square/templates/ingress.yaml index 5f1a447ed5..5a74f8a68e 100644 --- a/applications/times-square/templates/ingress.yaml +++ b/applications/times-square/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "times-square.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - {{ .Values.ingress.defaultScope }} - loginRedirect: true + service: "times-square" template: metadata: name: {{ template "times-square.fullname" . }} diff --git a/applications/vo-cutouts/templates/ingress.yaml b/applications/vo-cutouts/templates/ingress.yaml index 584bad30ec..cc11ae5341 100644 --- a/applications/vo-cutouts/templates/ingress.yaml +++ b/applications/vo-cutouts/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "vo-cutouts" # Request a delegated token to use for making calls to Butler server with the # end-user's credentials. delegate: diff --git a/charts/cadc-tap/README.md b/charts/cadc-tap/README.md index 9e9367dc3d..1dcfc1198a 100644 --- a/charts/cadc-tap/README.md +++ b/charts/cadc-tap/README.md @@ -39,6 +39,7 @@ IVOA TAP service | config.qserv.image.tag | string | `"2.5.0"` | Tag of TAP image to use | | config.qserv.jdbcParams | string | `""` | Extra JDBC connection parameters | | config.qserv.passwordEnabled | bool | false | Whether the Qserv database is password protected | +| config.serviceName | string | None, must be set | Name of the service from Gafaelfawr's perspective, used for metrics reporting | | config.tapSchemaAddress | string | `"cadc-tap-schema-db:3306"` | Address to a MySQL database containing TAP schema data | | config.vaultSecretName | string | `""` | Vault secret name, this is appended to the global path to find the vault secrets associated with this deployment. | | fullnameOverride | string | `"cadc-tap"` | Override the full name for resources (includes the release name) | diff --git a/charts/cadc-tap/templates/tap-ingress-authenticated.yaml b/charts/cadc-tap/templates/tap-ingress-authenticated.yaml index c4c0f4aaea..933baaba60 100644 --- a/charts/cadc-tap/templates/tap-ingress-authenticated.yaml +++ b/charts/cadc-tap/templates/tap-ingress-authenticated.yaml @@ -6,14 +6,15 @@ metadata: {{- include "cadc-tap.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + authType: "basic" scopes: all: - "read:tap" - authType: "basic" + service: {{ required "config.serviceName must be set" .Values.config.serviceName | quote }} delegate: internal: scopes: [] - service: "tap" + service: {{ .Values.config.serviceName | quote }} useAuthorization: true template: metadata: diff --git a/charts/cadc-tap/values.yaml b/charts/cadc-tap/values.yaml index da92d70b04..8f043c830f 100644 --- a/charts/cadc-tap/values.yaml +++ b/charts/cadc-tap/values.yaml @@ -115,6 +115,11 @@ config: # maths. jvmMaxHeapSize: 31G + # -- Name of the service from Gafaelfawr's perspective, used for metrics + # reporting + # @default -- None, must be set + serviceName: "" + # -- Vault secret name, this is appended to the global path to find the # vault secrets associated with this deployment. vaultSecretName: "" diff --git a/charts/rubintv/templates/ingress.yaml b/charts/rubintv/templates/ingress.yaml index 9234160481..834447a46c 100644 --- a/charts/rubintv/templates/ingress.yaml +++ b/charts/rubintv/templates/ingress.yaml @@ -6,10 +6,11 @@ metadata: {{- include "rubintv.labels" . | nindent 4 }} config: baseUrl: {{ .Values.global.baseUrl | quote }} + loginRedirect: true scopes: all: - "read:image" - loginRedirect: true + service: "rubintv" template: metadata: name: {{ template "rubintv.fullname" . }} diff --git a/starters/fastapi-safir-uws/templates/ingress.yaml b/starters/fastapi-safir-uws/templates/ingress.yaml index 8b59497224..377d44ca08 100644 --- a/starters/fastapi-safir-uws/templates/ingress.yaml +++ b/starters/fastapi-safir-uws/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "" # Request a delegated token to use for making calls to Butler server with the # end-user's credentials. delegate: diff --git a/starters/fastapi-safir/templates/ingress.yaml b/starters/fastapi-safir/templates/ingress.yaml index ddbe364182..8d326fb9f3 100644 --- a/starters/fastapi-safir/templates/ingress.yaml +++ b/starters/fastapi-safir/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "" template: metadata: name: "" diff --git a/starters/web-service/templates/ingress.yaml b/starters/web-service/templates/ingress.yaml index b3a26d8bbf..e66ab1a80f 100644 --- a/starters/web-service/templates/ingress.yaml +++ b/starters/web-service/templates/ingress.yaml @@ -9,6 +9,7 @@ config: scopes: all: - "read:image" + service: "" template: metadata: name: ""