From 5bd073f84e52e69d8a25ec7d77aeee79796c40a9 Mon Sep 17 00:00:00 2001
From: Stelios Voutsinas
Date: Fri, 25 Oct 2024 16:42:04 -0700
Subject: [PATCH] Add flag to annotate direct butler support & make direct butler secrets conditional

---
 applications/sia/Chart.yaml | 2 +-
 applications/sia/README.md | 1 +
 applications/sia/secrets.yaml | 3 +++
 applications/sia/templates/deployment.yaml | 8 ++++++++
 applications/sia/templates/ingress-anonymous.yaml | 5 +++--
 applications/sia/values.yaml | 3 +++
 6 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/applications/sia/Chart.yaml b/applications/sia/Chart.yaml
index 21df0de4e5..8ddf1e2c6d 100644
--- a/applications/sia/Chart.yaml
+++ b/applications/sia/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.1.1
+appVersion: 0.1.2
 description: Simple Image Access (SIA) IVOA Service using Butler
 name: sia
 sources:
diff --git a/applications/sia/README.md b/applications/sia/README.md
index 47ffeac2d5..e030a859fa 100644
--- a/applications/sia/README.md
+++ b/applications/sia/README.md
@@ -12,6 +12,7 @@ Simple Image Access (SIA) IVOA Service using Butler
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity rules for the sia deployment pod |
 | config.butlerDataCollections | list | `[]` | List of data (Butler) Collections Expected attributes: `config`, `label`, `name`, `butler_type`, `repository`, `datalink_url` & `default_instrument` |
+| config.directButlerEnabled | bool | `false` | Whether direct butler access is enabled |
 | config.logLevel | string | `"INFO"` | Logging level |
 | config.logProfile | string | `"production"` | Logging profile (`production` for JSON, `development` for human-friendly) |
 | config.pathPrefix | string | `"/api/sia"` | URL path prefix |
diff --git a/applications/sia/secrets.yaml b/applications/sia/secrets.yaml
index ada6b88933..05d15deeea 100644
--- a/applications/sia/secrets.yaml
+++ b/applications/sia/secrets.yaml
@@ -1,12 +1,15 @@
 "aws-credentials.ini":
+ if: config.directButlerEnabled
 copy:
 application: nublado
 key: "aws-credentials.ini"
 "butler-gcs-idf-creds.json":
+ if: config.directButlerEnabled
 copy:
 application: nublado
 key: "butler-gcs-idf-creds.json"
 "postgres-credentials.txt":
+ if: config.directButlerEnabled
 copy:
 application: nublado
 key: "postgres-credentials.txt"
diff --git a/applications/sia/templates/deployment.yaml b/applications/sia/templates/deployment.yaml
index 3cf3c23b7e..e7da6b12f4 100644
--- a/applications/sia/templates/deployment.yaml
+++ b/applications/sia/templates/deployment.yaml
@@ -24,6 +24,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 automountServiceAccountToken: false
+ {{- if .Values.config.directButlerEnabled }}
 initContainers:
 - name: fix-secret-permissions
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -44,6 +45,7 @@ spec:
 mountPath: "/etc/butler/secrets"
 - name: "secrets-raw"
 mountPath: "/tmp/secrets-raw"
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 envFrom:
@@ -71,6 +73,7 @@ spec:
 name: "sia"
 key: "slack-webhook"
 {{- end }}
+ {{- if .Values.config.directButlerEnabled }}
 - name: "AWS_SHARED_CREDENTIALS_FILE"
 value: "/tmp/secrets/aws-credentials.ini"
 - name: "PGUSER"
@@ -79,10 +82,13 @@ spec:
 value: "/etc/butler/secrets/postgres-credentials.txt"
 - name: "GOOGLE_APPLICATION_CREDENTIALS"
 value: "/tmp/secrets/butler-gcs-idf-creds.json"
+ {{- end }}
+ {{- if .Values.config.directButlerEnabled }}
 volumeMounts:
 - name: "secrets"
 mountPath: "/etc/butler/secrets"
 readOnly: true
+ {{- end }}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -97,12 +103,14 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.config.directButlerEnabled }}
 volumes:
 - name: "secrets-raw"
 secret:
 secretName: "sia"
 - name: "secrets"
 emptyDir: {}
+ {{- end }}
 securityContext:
 runAsNonRoot: true
 runAsUser: 1000
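Review bot: The new `{{- if .Values.config.directButlerEnabled }}` guard around `initContainers:` in the `@@ -24,6 +24,7 @@` hunk (and the matching guards on the credential env vars, `volumeMounts:` and `volumes:` in the later deployment hunks) is off by default, since values.yaml sets `directButlerEnabled: false` and the diffstat lists no per-environment values file. Any environment that currently relies on the direct-butler init container, the `AWS_SHARED_CREDENTIALS_FILE`/`PGUSER`/`GOOGLE_APPLICATION_CREDENTIALS` settings and the `secrets` mounts will lose them on the next sync unless its override is added alongside this change, so it is worth confirming which environments need `directButlerEnabled: true` before merging. The `initContainers` body continues past this hunk and is closed by the `{{- end }}` added in the `@@ -44,6 +45,7 @@` hunk.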
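Review bot: In the `@@ -79,10 +82,13 @@` hunk the `{{- end }}` that closes the env-var guard is immediately followed by a second `{{- if .Values.config.directButlerEnabled }}` that opens the `volumeMounts:` guard, with no lines between them; deleting both lines lets one conditional cover the credential env vars and the mount together, so the two cannot drift apart if one is edited later. The template as written renders correctly, so this is a readability point only.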
diff --git a/applications/sia/templates/ingress-anonymous.yaml b/applications/sia/templates/ingress-anonymous.yaml
index 3587f2bc5d..c683c4e2d1 100644
--- a/applications/sia/templates/ingress-anonymous.yaml
+++ b/applications/sia/templates/ingress-anonymous.yaml
@@ -13,6 +13,7 @@ template:
 name: {{ template "sia.fullname" . }}-anonymous
 {{- with .Values.ingress.annotations }}
 annotations:
+ nginx.ingress.kubernetes.io/use-regex: "true"
 {{- toYaml . | nindent 6 }}
 {{- end }}
 spec:
@@ -28,14 +29,14 @@ template:
 port:
 number: 8080
 - path: "{{ .Values.ingress.path }}/.+/capabilities"
- pathType: "Exact"
+ pathType: "ImplementationSpecific"
 backend:
 service:
 name: {{ template "sia.fullname" . }}
 port:
 number: 8080
 - path: "{{ .Values.ingress.path }}/.+/availability"
- pathType: "Exact"
+ pathType: "ImplementationSpecific"
 backend:
 service:
 name: {{ template "sia.fullname" . }}
diff --git a/applications/sia/values.yaml b/applications/sia/values.yaml
index ee0df61f5c..fe76b45dd4 100644
--- a/applications/sia/values.yaml
+++ b/applications/sia/values.yaml
@@ -36,6 +36,9 @@ config:
 # -- URL path prefix
 pathPrefix: "/api/sia"
 
+ # -- Whether direct butler access is enabled
+ directButlerEnabled: false
+
 # -- List of data (Butler) Collections
 # Expected attributes: `config`, `label`, `name`, `butler_type`, `repository`, `datalink_url` & `default_instrument`
 butlerDataCollections: []
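Review bot: The added `nginx.ingress.kubernetes.io/use-regex: "true"` sits inside `{{- with .Values.ingress.annotations }}`, so it is rendered only when an environment sets `ingress.annotations`; if that value is empty (its default is not visible here) the whole `annotations:` block is skipped and the regex paths in the next hunk reach ingress-nginx without the annotation, where `/.+/capabilities` is matched as a literal prefix and the anonymous routes never match. Because the path rules in this template are now always regexes, the annotation should be unconditional: emit `annotations:` and `nginx.ingress.kubernetes.io/use-regex: "true"` outside the `with`, and keep only `{{- toYaml . | nindent 6 }}` inside `{{- with .Values.ingress.annotations }} … {{- end }}`. The moved key should use the same six-space indent that `nindent 6` gives the user-supplied annotations so it stays in the same mapping.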
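Review bot: With `use-regex` on, ingress-nginx anchors a path only at its start, so `"{{ .Values.ingress.path }}/.+/capabilities"` and the `availability` rule below also match deeper or longer URLs such as `<prefix>/a/b/capabilities` or `<prefix>/x/capabilities/extra` (constructed examples); since this is the anonymous ingress, every such URL is forwarded to the service without authentication, which is more than the two endpoints need. Narrowing each pattern to a single segment with an end anchor, e.g. `path: "{{ .Values.ingress.path }}/[^/]+/capabilities$"` and `path: "{{ .Values.ingress.path }}/[^/]+/availability$"`, keeps the unauthenticated surface to exactly those endpoints, assuming the controller accepts `$` in an `ImplementationSpecific` path. `use-regex` also applies to every path in this Ingress, including the first rule that ends just above this hunk, so that path should be checked for characters that are now regex metacharacters.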