From b8208754cfcf7cf2b8b16d053a297d100fae24df Mon Sep 17 00:00:00 2001 From: Jawad Qureshi Date: Tue, 14 Nov 2023 13:51:35 -0600 Subject: [PATCH] Add nginx sidecar for gunicorn to fence --- .secrets.baseline | 14 ++++++------- helm/fence/Chart.yaml | 2 +- helm/fence/README.md | 8 ++++++-- helm/fence/nginx-config.yaml | 13 ++++++++++++ helm/fence/templates/fence-deployment.yaml | 23 +++++++++++++++------- helm/fence/values.yaml | 16 +++++++++++++++ helm/fence/wsgi.yaml | 11 +++++++++++ 7 files changed, 70 insertions(+), 17 deletions(-) create mode 100644 helm/fence/nginx-config.yaml create mode 100644 helm/fence/wsgi.yaml diff --git a/.secrets.baseline b/.secrets.baseline index ea7061a4..3d2d316d 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2023-07-27T21:47:16Z", + "generated_at": "2023-11-14T19:51:24Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -289,10 +289,10 @@ "type": "Secret Keyword" }, { - "hashed_secret": "9d8fada0e01336e865c461bb3549084d206fe6da", + "hashed_secret": "680318f193e2ef208430b002ad07ff98a79ac457", "is_secret": false, "is_verified": false, - "line_number": 181, + "line_number": 185, "type": "Secret Keyword" } ], @@ -356,7 +356,7 @@ "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db", "is_secret": false, "is_verified": false, - "line_number": 1916, + "line_number": 1932, "type": "Secret Keyword" } ], @@ -470,10 +470,10 @@ "type": "Secret Keyword" }, { - "hashed_secret": "1cc98556e7b1353c7bd08344f9190808b0d3d6d4", - "is_secret": true, + "hashed_secret": "ffa29bb5e69093c793d39762da0340f0bcf3fe53", + "is_secret": false, "is_verified": false, - "line_number": 101, + "line_number": 104, "type": "Secret Keyword" } ], diff --git a/helm/fence/Chart.yaml b/helm/fence/Chart.yaml index 529a6d94..36d58d86 100644 --- a/helm/fence/Chart.yaml +++ b/helm/fence/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.13 +version: 0.1.14 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/fence/README.md b/helm/fence/README.md index d75bdfa4..475f9096 100644 --- a/helm/fence/README.md +++ b/helm/fence/README.md @@ -1,6 +1,6 @@ # fence -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Fence 
@@ -163,6 +163,10 @@ A Helm chart for gen3 Fence | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `"fence-sa"` | The name of the service account | +| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. | +| sidecar.image | string | `"quay.io/cdis/nginx"` | The Docker image repository for nginx | +| sidecar.pullPolicy | string | `"Always"` | When to pull the image. | +| sidecar.tag | string | `"master"` | Image tag. | | tolerations | list | `[]` | Tolerations for the pods | | usersync | map | `{"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","secrets":{"awsAccessKeyId":"","awsSecretAccessKey":""},"slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":false}` | Configuration options for usersync cronjob. | | usersync.addDbgap | bool | `false` | Force attempting a dbgap sync if "true", falls back on user.yaml | 
@@ -178,7 +182,7 @@ A Helm chart for gen3 Fence | usersync.userYamlS3Path | string | `"s3://cdis-gen3-users/helm-test/user.yaml"` | Path to the user.yaml file in S3. | | usersync.usersync | bool | `false` | Whether to run Fence usersync or not. | | volumeMounts | list | `[{"mountPath":"/var/www/fence/local_settings.py","name":"old-config-volume","readOnly":true,"subPath":"local_settings.py"},{"mountPath":"/var/www/fence/fence_credentials.json","name":"json-secret-volume","readOnly":true,"subPath":"fence_credentials.json"},{"mountPath":"/var/www/fence/creds.json","name":"creds-volume","readOnly":true,"subPath":"creds.json"},{"mountPath":"/var/www/fence/config_helper.py","name":"config-helper","readOnly":true,"subPath":"config_helper.py"},{"mountPath":"/fence/fence/static/img/logo.svg","name":"logo-volume","readOnly":true,"subPath":"logo.svg"},{"mountPath":"/fence/fence/static/privacy_policy.md","name":"privacy-policy","readOnly":true,"subPath":"privacy_policy.md"},{"mountPath":"/var/www/fence/fence-config.yaml","name":"config-volume","readOnly":true,"subPath":"fence-config.yaml"},{"mountPath":"/var/www/fence/yaml_merge.py","name":"yaml-merge","readOnly":true,"subPath":"yaml_merge.py"},{"mountPath":"/var/www/fence/fence_google_app_creds_secret.json","name":"fence-google-app-creds-secret-volume","readOnly":true,"subPath":"fence_google_app_creds_secret.json"},{"mountPath":"/var/www/fence/fence_google_storage_creds_secret.json","name":"fence-google-storage-creds-secret-volume","readOnly":true,"subPath":"fence_google_storage_creds_secret.json"},{"mountPath":"/fence/keys/key/jwt_private_key.pem","name":"fence-jwt-keys","readOnly":true,"subPath":"jwt_private_key.pem"}]` | Volumes to mount to the container. 
| -| volumes | list | `[{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":true},"name":"yaml-merge"}]` | Volumes to attach to the container. | +| volumes | list | `[{"name":"old-config-volume","secret":{"secretName":"fence-secret"}},{"name":"json-secret-volume","secret":{"optional":true,"secretName":"fence-json-secret"}},{"name":"creds-volume","secret":{"secretName":"fence-creds"}},{"configMap":{"name":"config-helper","optional":true},"name":"config-helper"},{"configMap":{"name":"logo-config"},"name":"logo-volume"},{"name":"config-volume","secret":{"secretName":"fence-config"}},{"name":"fence-google-app-creds-secret-volume","secret":{"secretName":"fence-google-app-creds-secret"}},{"name":"fence-google-storage-creds-secret-volume","secret":{"secretName":"fence-google-storage-creds-secret"}},{"name":"fence-jwt-keys","secret":{"secretName":"fence-jwt-keys"}},{"configMap":{"name":"privacy-policy"},"name":"privacy-policy"},{"configMap":{"name":"fence-yaml-merge","optional":true},"name":"yaml-merge"},{"configMap":{"name":"fence-wsgi"},"name":"wsgi-config"},{"configMap":{"name":"fence-nginx-configmap"},"name":"nginx-config"}]` | Volumes to attach to the container. 
| ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/helm/fence/nginx-config.yaml b/helm/fence/nginx-config.yaml
new file mode 100644
index 00000000..0f422ef9
--- /dev/null
+++ b/helm/fence/nginx-config.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: fence-nginx-configmap
+data:
+ default.conf: |
+ server {
+ listen 80;
+ server_name localhost;
+ location / {
+ proxy_pass http://127.0.0.1:8000; # Gunicorn binds to this address
+ }
+ }
\ No newline at end of file
diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml
index 2fe2c6ec..733371c5 100644
--- a/helm/fence/templates/fence-deployment.yaml
+++ b/helm/fence/templates/fence-deployment.yaml
@@ -31,19 +31,28 @@ spec:
 volumes:
 {{- toYaml .Values.volumes | nindent 8 }}
 containers:
+ {{- if .Values.sidecar.enabled }}
+ - name: sidecar-nginx
+ image: {{ .Values.sidecar.image }}
+ ports:
+ - name: http
+ containerPort: 80
+ volumeMounts:
+ - name: "nginx-config"
+ mountPath: "/etc/nginx/conf.d/default.conf"
+ subPath: default.conf
+ {{- end }}
 - name: fence
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
+ - name: app
+ containerPort: 8000
+ # - name: https
+ # containerPort: 443
+ # protocol: TCP
 - name: container
 containerPort: 6567
- protocol: TCP
 livenessProbe:
 httpGet:
 path: /_status
diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml
index f0352346..950922d6 100644
--- a/helm/fence/values.yaml
+++ b/helm/fence/values.yaml
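Review bot: The new ConfigMap lives at helm/fence/nginx-config.yaml, at the chart root rather than under helm/fence/templates/, so Helm will not render it as part of the release; the same applies to helm/fence/wsgi.yaml, and since the `nginx-config` and `wsgi-config` volumes added in values.yaml reference these ConfigMaps without `optional: true`, the pod would stay in ContainerCreating unless the ConfigMaps are applied by some other path not visible here. The `location /` block also forwards nothing about the original request, so Fence sees `Host` as `127.0.0.1:8000` and `http` as the scheme, which matters for any redirect or OAuth callback URL it builds; add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside the location block, and confirm Fence is configured to trust those headers only from the sidecar. The file is missing its trailing newline.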
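Review bot: The sidecar's `image: {{ .Values.sidecar.image }}` carries no tag and there is no `imagePullPolicy`, so the `sidecar.tag` and `sidecar.pullPolicy` values introduced in values.yaml (and documented in the README) have no effect and the image resolves to an implicit `latest`; mirror the fence container with `image: "{{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}"` and `imagePullPolicy: {{ .Values.sidecar.pullPolicy }}`. With the fence port renamed from `http`/80 to `app`/8000, nothing exposes a port named `http` when `sidecar.enabled` is false, so any Service or probe that still targets `http` — the livenessProbe's port line is outside this hunk — would break in that configuration and should be checked. The sidecar also gets no `resources` or `securityContext`, so it presumably runs with different limits and privileges than the fence container; consider giving it the same. The fence container block continues outside the hunk.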
@@ -118,6 +118,16 @@ image:
 # -- (string) Overrides the image tag whose default is the chart appVersion.
 tag: "master"
+# -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
+sidecar:
+ enabled: true
+ # -- (string) The Docker image repository for nginx
+ image: quay.io/cdis/nginx
+ # -- (string) When to pull the image.
+ pullPolicy: Always
+ # -- (string) Image tag.
+ tag: "master"
+
 # -- (list) Docker image pull secrets.
 imagePullSecrets: []
@@ -333,6 +343,12 @@ volumes:
 configMap:
 name: "fence-yaml-merge"
 optional: true
+ - name: wsgi-config
+ configMap:
+ name: fence-wsgi
+ - name: nginx-config
+ configMap:
+ name: fence-nginx-configmap
 # -- (list) Volumes to mount to the container.
 volumeMounts:
diff --git a/helm/fence/wsgi.yaml b/helm/fence/wsgi.yaml
new file mode 100644
index 00000000..ff258ad7
--- /dev/null
+++ b/helm/fence/wsgi.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: fence-wsgi
+data:
+ gunicorn.conf.py: |
+ wsgi_app = "deployment.wsgi.wsgi:application"
+ bind = "0.0.0.0:8000"
+ workers = 1
+ user = 'appuser'
+ group = 'appuser'
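Review bot: The `wsgi-config` volume is added in the second hunk but no matching entry is added to `volumeMounts` (the README's `volumeMounts` row is unchanged in this commit), so `gunicorn.conf.py` from the `fence-wsgi` ConfigMap is never mounted into the fence container and gunicorn keeps whatever binding it had before; add a mount such as `- name: wsgi-config`, `mountPath: <path the fence image reads gunicorn.conf.py from>`, `subPath: gunicorn.conf.py` — the exact path is not visible from this diff. Both new ConfigMap references omit `optional: true`, unlike the `config-helper` and `fence-yaml-merge` entries just above, so a missing ConfigMap blocks pod startup; that is a reasonable default for a required proxy config but deserves a `# required: ...` comment so the asymmetry reads as deliberate. In the first hunk, `sidecar.tag` and `sidecar.pullPolicy` are defined but not consumed by the deployment template.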
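Review bot: `bind = "0.0.0.0:8000"` makes gunicorn reachable on the pod IP directly, so traffic from inside the cluster can bypass the nginx sidecar and anything it is later expected to enforce (forwarded headers, limits); since nginx proxies to 127.0.0.1:8000, bind to `127.0.0.1:8000` when the sidecar is enabled, or add a comment stating that port 8000 is intentionally exposed as the `app` container port for the sidecar-disabled case. `user = 'appuser'` and `group = 'appuser'` only take effect if gunicorn is started as root and the image has that account, which cannot be confirmed from here; a one-line comment recording that assumption would help. `workers = 1` also merits a comment on why a single worker is chosen, since it removes any parallelism between requests.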