From 794cb5825522e7337ae230a5468e1036794133ec Mon Sep 17 00:00:00 2001 
From: Ronen Hilewicz Date: Tue, 4 Mar 2025 16:35:08 -0500 Subject: [PATCH 1/8] Controller and directory ingresses --- README.md | 4 +- charts/aserto-lib/templates/_golangsvc.tpl | 20 ++--- charts/aserto-lib/templates/_ports.tpl | 22 ++++- charts/aserto/values.yaml | 6 +- charts/authorizer/ci/test-values.yaml | 4 + charts/authorizer/templates/_helpers.tpl | 10 +-- charts/authorizer/templates/deployment.yaml | 24 +++--- charts/authorizer/templates/ingress.yaml | 28 ++----- charts/authorizer/templates/service.yaml | 6 +- charts/authorizer/values.yaml | 76 ++++++++--------- charts/console/values.yaml | 2 +- charts/controller/templates/NOTES.txt | 22 ----- charts/controller/templates/config.yaml | 2 +- charts/controller/templates/deployment.yaml | 14 ++-- charts/controller/templates/ingress.yaml | 83 ++++++++++-------- charts/controller/templates/service.yaml | 43 ++++++++-- charts/controller/test/no-tls.values.yaml | 13 ++- charts/controller/test/tests.yaml | 6 +- charts/controller/test/tls.values.yaml | 6 +- charts/controller/values.yaml | 48 ++++++----- charts/directory/templates/NOTES.txt | 22 ----- charts/directory/templates/config.yaml | 2 +- charts/directory/templates/deployment.yaml | 14 ++-- charts/directory/templates/ingress.yaml | 84 +++++++++++-------- charts/directory/templates/service.yaml | 43 ++++++++-- charts/directory/test/no-tls.values.yaml | 13 ++- charts/directory/test/tests.yaml | 10 +-- charts/directory/test/tls.values.yaml | 4 +- charts/directory/values.yaml | 46 +++++----- charts/discovery/templates/config.yaml | 2 +- charts/discovery/templates/deployment.yaml | 14 ++-- charts/discovery/templates/service.yaml | 6 +- charts/discovery/values.yaml | 2 +- .../multi-tenant-scim/templates/config.yaml | 8 +- .../templates/deployment.yaml | 16 ++-- charts/multi-tenant-scim/values.yaml | 2 +- charts/registry-proxy/templates/_helpers.tpl | 6 +- .../registry-proxy/templates/deployment.yaml | 20 ++--- charts/registry-proxy/templates/service.yaml | 6 +- 
charts/registry-proxy/values.yaml | 2 +- charts/scim/templates/config.yaml | 6 +- charts/scim/templates/deployment.yaml | 6 +- charts/scim/values.yaml | 2 +- charts/topaz/README.md | 6 +- charts/topaz/templates/_helpers.tpl | 10 +-- charts/topaz/templates/deployment.yaml | 12 +-- charts/topaz/templates/service.yaml | 2 +- charts/topaz/test/tls.values.yaml | 2 +- charts/topaz/values.yaml | 4 +- makefile | 2 +- tools/ktest/ktest.py | 33 +++++--- tools/ktest/model.py | 2 +- 52 files changed, 464 insertions(+), 384 deletions(-) delete mode 100644 charts/controller/templates/NOTES.txt delete mode 100644 charts/directory/templates/NOTES.txt diff --git a/README.md b/README.md index 3546a93..01e81f7 100644 --- a/README.md +++ b/README.md @@ -162,7 +162,7 @@ global: aserto: ports: grpc: 8282 - https: 8383 + http: 8383 health: 8484 mertics: 8585 ... @@ -201,7 +201,7 @@ values for several required fields: - `global.aserto.oidc` holds the domain and client ID for your OpenID Connect application used to authenticate access to the management console. -- `global.aserto.https.allowed_origins` should include the ingress domain where the management console +- `global.aserto.http.allowed_origins` should include the ingress domain where the management console will be hosted. - `diretcory.rootDirectory.database.host` and `directory.tenantDirectory.database.host` should be set to the hostname of the PostgreSQL instance(s) for the root and tenant directories. diff --git a/charts/aserto-lib/templates/_golangsvc.tpl b/charts/aserto-lib/templates/_golangsvc.tpl index f600594..d257f78 100644 --- a/charts/aserto-lib/templates/_golangsvc.tpl +++ b/charts/aserto-lib/templates/_golangsvc.tpl 
@@ -6,10 +6,10 @@ Returns gRPC service options. {{- end }} {{/* -Returns HTTPS service options. +Returns HTTP service options. */}} -{{- define "aserto-lib.httpsConfig" }} -{{ include "aserto-lib.mergeGlobal" (list . "https") }} +{{- define "aserto-lib.httpConfig" }} +{{ include "aserto-lib.mergeGlobal" (list . "http") }} {{- end }} {{/* @@ -29,11 +29,11 @@ certs: {{- end }} {{/* -Renders HTTPS service configuration. +Renders HTTP service configuration. */}} -{{- define "aserto-lib.httpsService" -}} -listen_address: 0.0.0.0:{{ include "aserto-lib.httpsPort" . }} -{{- with include "aserto-lib.httpsConfig" . | fromYaml }} +{{- define "aserto-lib.httpService" -}} +listen_address: 0.0.0.0:{{ include "aserto-lib.httpPort" . }} +{{- with include "aserto-lib.httpConfig" . | fromYaml }} {{- with .allowed_origins }} allowed_origins: {{- . | toYaml | nindent 2 }} @@ -44,9 +44,9 @@ write_timeout: {{ .write_timeout | default "2s" }} idle_timeout: {{ .idle_timeout | default "30s" }} {{- with .certSecret }} certs: - tls_key_path: '/https-certs/tls.key' - tls_cert_path: '/https-certs/tls.crt' - tls_ca_cert_path: '/https-certs/ca.crt' + tls_key_path: '/tls-certs/tls.key' + tls_cert_path: '/tls-certs/tls.crt' + tls_ca_cert_path: '/tls-certs/ca.crt' {{- end }} {{- end }} {{- end }} diff --git a/charts/aserto-lib/templates/_ports.tpl b/charts/aserto-lib/templates/_ports.tpl index ff7117e..3f1bccd 100644 --- a/charts/aserto-lib/templates/_ports.tpl +++ b/charts/aserto-lib/templates/_ports.tpl 
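Review bot: Renaming the values key from `https` to `http` in `aserto-lib.httpConfig` means an existing values file that still sets `https.certSecret` (or `global.aserto.https`) is silently ignored, so the gateway comes up without the certificate the operator believes is configured. `mergeGlobal (list . "http")` reads only the new key and nothing rejects the old one. A fail-fast guard at the top of the template, `{{- if or .Values.https (((.Values.global).aserto) | default dict).https }}{{ fail "values key 'https' was renamed to 'http'" }}{{- end }}`, turns that silent downgrade into an install-time error. The same consideration applies to the `httpsCertSecret` → `tlsCertSecret` rename in charts/authorizer/templates/_helpers.tpl.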
@@ -3,12 +3,12 @@ Returns port configuration. Values are selected with the following precedence: 1. .Values.ports (chart specific overrides) 2. .Values.global.aserto.ports (global overrides) -3. default values ({grpc: 8282, https: 8383, health: 8484, metrics: 8585}) +3. default values ({grpc: 8282, http: 8383, health: 8484, metrics: 8585}) */}} {{- define "aserto-lib.ports" }} {{- $scope := first . }} {{- $svc := last . }} -{{- $defaults := dict "grpc" 8282 "https" 8383 "health" 8484 "metrics" 8585}} +{{- $defaults := dict "grpc" 8282 "http" 8383 "health" 8484 "metrics" 8585}} {{- $global := ($scope.global).aserto | default dict | dig "ports" dict }} {{- $local := $svc | eq "self" | ternary $scope.ports (dig "global" "aserto" $svc "ports" dict $scope.AsMap) }} {{- merge $local $global $defaults | toYaml }} @@ -22,8 +22,8 @@ Values are selected with the following precedence: {{- (include "aserto-lib.ports" (list . "self") | fromYaml).grpc }} {{- end }} -{{- define "aserto-lib.httpsPort" }} -{{- (include "aserto-lib.ports" (list . "self") | fromYaml).https }} +{{- define "aserto-lib.httpPort" }} +{{- (include "aserto-lib.ports" (list . "self") | fromYaml).http }} {{- end }} {{- define "aserto-lib.healthPort" }} @@ -34,3 +34,17 @@ Values are selected with the following precedence: {{- (include "aserto-lib.ports" (list . "self") | fromYaml).metrics }} {{- end }} +{{- define "aserto-lib.ingressDomain" -}} +{{ (.Values.ingress).domain | default (((.Values.global).aserto).ingress).domain }} +{{- end }} + +{{- define "aserto-lib.ingressHost" -}} +{{- $scope := first . -}} +{{- $svc := last . -}} +{{- $domain := include "aserto-lib.ingressDomain" $scope -}} +{{- if $domain -}} + {{ printf "%s.%s" $svc.subdomain $domain | quote }} +{{- else -}} + {{ $svc.host | quote | required "ingress.hosts[].host is required if ingress.domain is empty" }} +{{- end -}} +{{- end }} diff --git a/charts/aserto/values.yaml b/charts/aserto/values.yaml index 08822a2..fe46d0e 100644 
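Review bot: `aserto-lib.ingressHost` never validates `$svc.subdomain`, so when a domain is configured but an entry sets only `host:` (or misspells the key) the template silently renders the host `.example.com` and the ingress rule matches nothing. The `required` message in the else branch also names `ingress.hosts[].host`, which matches the authorizer chart but not the controller and directory charts, which pass `ingress.http` / `ingress.grpc` objects. Suggest `{{ printf "%s.%s" ($svc.subdomain | required "subdomain is required when an ingress domain is set") $domain | quote }}` for the domain branch and a chart-neutral wording such as `required "host is required when no ingress domain is set"` for the fallback.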
--- a/charts/aserto/values.yaml +++ b/charts/aserto/values.yaml @@ -14,7 +14,7 @@ global: # Port configuration. ports: grpc: 8282 - https: 8383 + http: 8383 health: 8484 mertics: 8585 @@ -22,8 +22,8 @@ global: grpc: connectionTimeoutSec: 2 - # HTTPS configuration. - https: + # HTTP configuration. + http: read_timeout: 2s read_header_timeout: 2s write_timeout: 2s diff --git a/charts/authorizer/ci/test-values.yaml b/charts/authorizer/ci/test-values.yaml index c1d5139..ea614d3 100644 --- a/charts/authorizer/ci/test-values.yaml +++ b/charts/authorizer/ci/test-values.yaml @@ -2,3 +2,7 @@ oidc: domain: oidc_domain audience: oidc_audience + +ingress: + enabled: true + domain: aserto.com diff --git a/charts/authorizer/templates/_helpers.tpl b/charts/authorizer/templates/_helpers.tpl index ef8f5bc..c53cebd 100644 --- a/charts/authorizer/templates/_helpers.tpl +++ b/charts/authorizer/templates/_helpers.tpl @@ -80,19 +80,19 @@ credentials: {{- with (include "aserto-lib.discoveryCfg" . | fromYaml) }} {{- if .disableTLSVerification }} allow_insecure_tls : true -{{- else if .httpsCertSecret }} +{{- else if .tlsCertSecret }} tls: - ca_cert: /discovery-https-certs/ca.crt + ca_cert: /discovery-tls-certs/ca.crt {{- else }} tls: - ca_cert: /https-certs/ca.crt + ca_cert: /tls-certs/ca.crt {{- end }} {{- end }} {{- end }} {{- define "authorizer.gatewayService" -}} -{{ include "aserto-lib.httpsService" . }} -{{- $cfg := include "aserto-lib.httpsConfig" . | fromYaml }} +{{ include "aserto-lib.httpService" . }} +{{- $cfg := include "aserto-lib.httpConfig" . | fromYaml }} allowed_headers: {{- $cfg.allowed_headers | default (list "Aserto-Tenant-Id" "Authorization" "Content-Type" "Depth") | toYaml | nindent 2 }} {{- end }} diff --git a/charts/authorizer/templates/deployment.yaml b/charts/authorizer/templates/deployment.yaml index bb290b7..12b1547 100644 --- a/charts/authorizer/templates/deployment.yaml +++ b/charts/authorizer/templates/deployment.yaml 
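Review bot: The context line `mertics: 8585` directly below the renamed `http: 8383` is a typo that makes the global metrics port override dead: `aserto-lib.ports` in charts/aserto-lib/templates/_ports.tpl merges on the key `metrics`, so a value under `mertics` is never read and the default 8585 always wins. Since this hunk already edits the port block, fix it here: `      metrics: 8585`. The README.md hunk in this commit carries the same typo.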
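Review bot: In the discovery client config the fallback branch `ca_cert: /tls-certs/ca.crt` now points at a volume that charts/authorizer/templates/deployment.yaml mounts only when `http.certSecret` is set, and this commit makes "no pod TLS" the default, so with neither `disableTLSVerification` nor `tlsCertSecret` configured the rendered config references a CA file that does not exist in the pod. Whether the binary errors on the missing file or ignores it is not visible from this diff. Guarding the branch, `{{- else if (include "aserto-lib.httpConfig" . | fromYaml).certSecret }}`, and emitting no `tls:` block otherwise would make the rendered config match what is actually mounted; at minimum a comment `{{/* falls back to the gateway's own CA; only valid when http.certSecret is set */}}` should record the assumption.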
@@ -38,8 +38,8 @@ spec: secretName: {{ . }} {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs secret: secretName: {{ . }} {{- end }} @@ -53,8 +53,8 @@ spec: path: ca.crt {{- end }} - {{- with (include "aserto-lib.discoveryCfg" . | fromYaml).httpsCertSecret }} - - name: discovery-https-certs + {{- with (include "aserto-lib.discoveryCfg" . | fromYaml).tlsCertSecret }} + - name: discovery-tls-certs secret: secretName: {{ . }} items: @@ -71,8 +71,8 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} - - name: https - containerPort: {{ .https }} + - name: http + containerPort: {{ .http }} - name: grpc containerPort: {{ .grpc }} - name: metrics @@ -89,9 +89,9 @@ spec: readOnly: true {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs - mountPath: /https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs + mountPath: /tls-certs readOnly: true {{- end }} @@ -101,9 +101,9 @@ spec: readOnly: true {{- end }} - {{- if (include "aserto-lib.discoveryCfg" . | fromYaml).httpsCertSecret }} - - name: discovery-https-certs - mountPath: /discovery-https-certs + {{- if (include "aserto-lib.discoveryCfg" . | fromYaml).tlsCertSecret }} + - name: discovery-tls-certs + mountPath: /discovery-tls-certs readOnly: true {{- end }} env: diff --git a/charts/authorizer/templates/ingress.yaml b/charts/authorizer/templates/ingress.yaml index 29238b7..b7ac648 100644 --- a/charts/authorizer/templates/ingress.yaml +++ b/charts/authorizer/templates/ingress.yaml 
@@ -1,17 +1,6 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "authorizer.fullname" . -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: name: {{ $fullName }} @@ -22,12 +11,12 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + {{- with .Values.ingress.className }} + ingressClassName: {{ . }} {{- end }} - {{- if .Values.ingress.tls }} + {{- with .Values.ingress.tls }} tls: - {{- range .Values.ingress.tls }} + {{- range . }} - hosts: {{- range .hosts }} - {{ . | quote }} @@ -37,22 +26,15 @@ spec: {{- end }} rules: {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + - host: {{ include "aserto-lib.ingressHost" (list $ .) }} http: paths: - path: / - {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: Prefix - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: name: {{ $fullName }} port: name: {{ .port }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .port }} - {{- end }} {{- end }} {{- end }} diff --git a/charts/authorizer/templates/service.yaml b/charts/authorizer/templates/service.yaml index cbca030..dff1625 100644 --- a/charts/authorizer/templates/service.yaml 
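Review bot: The `tls:` block still iterates `range .hosts` on each `ingress.tls` entry, but the new example in charts/authorizer/values.yaml documents `subdomains:` under `tls`, so anyone following the example gets a TLS entry with an empty host list and the certificate is never matched to the host that `aserto-lib.ingressHost` renders in `rules`. The two need to agree: either resolve `subdomains` through the same helper as the rules, or change the example back to full hostnames, `#   hosts:` / `#     - authorizer.example.com`. Note also that `tls.hosts` entries are emitted verbatim rather than via `ingressHost`, so with `ingress.domain` set the operator must spell each full host in two places.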
+++ b/charts/authorizer/templates/service.yaml @@ -7,9 +7,9 @@ metadata: spec: type: {{ .Values.service.type }} ports: - - name: https - port: {{ include "aserto-lib.httpsPort" . }} - targetPort: https + - name: http + port: {{ include "aserto-lib.httpPort" . }} + targetPort: http - name: grpc port: {{ include "aserto-lib.grpcPort" . }} targetPort: grpc diff --git a/charts/authorizer/values.yaml b/charts/authorizer/values.yaml index 36edf75..2cb863d 100644 --- a/charts/authorizer/values.yaml +++ b/charts/authorizer/values.yaml @@ -1,7 +1,7 @@ -# Default values for directory. +# Default values for authorizer. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - +--- image: repository: ghcr.io/aserto-dev/authorizer pullPolicy: IfNotPresent @@ -24,12 +24,12 @@ apiKey: # logLevel: info # grpc: -# The services generates self-signed certificates by default. -# To use your own certificate provide the name of a secret -# of type kubernetes.io/tls +# Pods do not use TLS by default. TLS is defined on ingresses. +# To enable TLS on pods, provide the name of a secret of type +# kubernetes.io/tls. # certSecret: authorizer-grpc-cert -# https: +# http: # allowed_origins: # - https://*.example.com # allowed_headers: @@ -42,10 +42,10 @@ apiKey: # write_timeout: 2s # idle_timeout: 30s # -# The services generates self-signed certificates by default. -# To use your own certificate provide the name of a secret -# of type kubernetes.io/tls -# certSecret: directory-rest-cert +# Pods do not use TLS by default. TLS is defined on ingresses. +# To enable TLS on pods, provide the name of a secret of type +# kubernetes.io/tls. +# certSecret: authorizer-rest-cert # Disable authorization # noAuthorization: false 
@@ -73,52 +73,46 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 +# fsGroup: 2000 securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 service: type: ClusterIP ingress: enabled: false + # domain: example.com className: "" annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" hosts: - - host: directory.example.com - port: https - - host: grpc.directory.example.com + - subdomain: authorizer + port: http + # host: authorizer.example.com + - subdomain: grpc-authorizer port: grpc - paths: - - path: / - pathType: Prefix + # host: grpc-authorizer.example.com tls: [] - # - secretName: directory-example-com-tls - # hosts: - # - directory.example.com - # - secretName: grpc-directory-example-com-tls - # hosts: - # - grpc.directory.example.com + # - secretName: authorizer-tls + # subdomains: + # - authorizer + # - secretName: grpc-authorizer-tls + # subdomains: + # - grpc-authorizer resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi autoscaling: enabled: false diff --git a/charts/console/values.yaml b/charts/console/values.yaml index 774ab76..7749025 100644 --- a/charts/console/values.yaml +++ b/charts/console/values.yaml 
@@ -81,7 +81,7 @@ ingress: # kubernetes.io/tls-acme: "true" hosts: - host: directory.example.com - port: https + port: http - host: grpc.directory.example.com port: grpc paths: diff --git a/charts/controller/templates/NOTES.txt b/charts/controller/templates/NOTES.txt deleted file mode 100644 index a85c4d6..0000000 --- a/charts/controller/templates/NOTES.txt +++ /dev/null 
@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "controller.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "controller.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
- echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export HTTPS_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
- export GRPC_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[1].containerPort}")
- echo "gRPC Service exposed on http://127.0.0.1:8282"
- echo "REST Service exposed on http://127.0.0.1:8383"
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8282:$GRPC_PORT 8383:$HTTPS_PORT
-{{- end }} 
diff --git a/charts/controller/templates/config.yaml b/charts/controller/templates/config.yaml index 8b516de..3e33940 100644 --- a/charts/controller/templates/config.yaml +++ b/charts/controller/templates/config.yaml @@ -16,7 +16,7 @@ stringData: grpc: {{- include "aserto-lib.grpcService" . | nindent 8 }} gateway: - {{- include "aserto-lib.httpsService" . | nindent 8 }} + {{- include "aserto-lib.httpService" . | nindent 8 }} health: listen_address: 0.0.0.0:{{ include "aserto-lib.healthPort" . }} metrics: diff --git a/charts/controller/templates/deployment.yaml b/charts/controller/templates/deployment.yaml index 7d40512..f60a62c 100644 --- a/charts/controller/templates/deployment.yaml +++ b/charts/controller/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: secret: secretName: {{ . }} {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs secret: secretName: {{ . }} {{- end }} @@ -56,8 +56,8 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} - - name: https - containerPort: {{ .https }} + - name: http + containerPort: {{ .http }} - name: grpc containerPort: {{ .grpc }} - name: metrics @@ -77,9 +77,9 @@ spec: mountPath: /grpc-certs readOnly: true {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs - mountPath: /https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs + mountPath: /tls-certs readOnly: true {{- end }} diff --git a/charts/controller/templates/ingress.yaml b/charts/controller/templates/ingress.yaml index e3dcffe..717d3dd 100644 --- a/charts/controller/templates/ingress.yaml +++ b/charts/controller/templates/ingress.yaml 
@@ -1,58 +1,73 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "controller.fullname" . -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +--- +{{- with .Values.ingress.http }} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "controller.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- include "controller.labels" $ | nindent 4 }} + {{- with .annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + {{- with .className }} + ingressClassName: {{ . }} {{- end }} - {{- if .Values.ingress.tls }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} + rules: + - host: {{ $host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- with .tlsSecret }} tls: - {{- range .Values.ingress.tls }} - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} + - {{ $host }} + secretName: {{ . }} {{- end }} +{{- end }} +--- +{{- with .Values.ingress.grpc }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-grpc + labels: + {{- include "controller.labels" $ | nindent 4 }} + {{- with .annotations }} + annotations: + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + {{- with .className }} + ingressClassName: {{ . }} + {{- end }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + - host: {{ $host }} http: paths: - path: / - {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: Prefix - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ $fullName }} + name: {{ $fullName }}-grpc port: - name: {{ .port }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .port }} - {{- end }} - {{- end }} + name: grpc + {{- with .tlsSecret }} + tls: + - hosts: + - {{ $host }} + secretName: {{ . }} + {{- end }} +{{- end }} {{- end }} diff --git a/charts/controller/templates/service.yaml b/charts/controller/templates/service.yaml index 2866147..81e0654 100644 --- a/charts/controller/templates/service.yaml +++ b/charts/controller/templates/service.yaml 
@@ -1,20 +1,51 @@ +--- apiVersion: v1 kind: Service metadata: name: {{ include "controller.fullname" . }} labels: {{- include "controller.labels" . | nindent 4 }} + + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: type: {{ .Values.service.type }} ports: - - name: https - port: {{ include "aserto-lib.httpsPort" . }} - targetPort: https - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc + - name: http + port: {{ include "aserto-lib.httpPort" . }} + targetPort: http - name: metrics port: {{ include "aserto-lib.metricsPort" . }} targetPort: metrics + {{- if not .Values.ingress.enabled }} + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc + {{- end }} + selector: + {{- include "controller.selectorLabels" . | nindent 4 }} + +{{- if .Values.ingress.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "controller.fullname" . }}-grpc + labels: + {{- include "controller.labels" . | nindent 4 }} + + {{- with .Values.service.grpc.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} +spec: + type: {{ .Values.service.grpc.type }} + ports: + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc selector: {{- include "controller.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/controller/test/no-tls.values.yaml b/charts/controller/test/no-tls.values.yaml index aa657e0..eb2167e 100644 --- a/charts/controller/test/no-tls.values.yaml +++ b/charts/controller/test/no-tls.values.yaml @@ -1,12 +1,12 @@ --- image: - tag: 0.33.13-ce1e7a05-amd64 + tag: 0.33.13-ce1e7a05-arm64 imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-controller sslMode: disable admin: 
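Review bot: Setting `ingress.enabled: true` removes the grpc port from the primary Service (the `{{- if not .Values.ingress.enabled }}` guard) and moves it to `<fullname>-grpc`, so any in-cluster client that reaches the controller over gRPC through the existing Service name loses its port the moment an ingress is switched on. Unless the intent is to force all gRPC traffic through the ingress, keeping the port on the primary Service unconditionally (drop the guard) is the safer default; the second Service can still carry the backend-protocol annotations. Also, the new `annotations:` blocks use `nindent 8` while the sibling `labels:` uses `nindent 4`; the YAML is valid either way, but `nindent 4` keeps the two consistent. The diffstat suggests charts/directory/templates/service.yaml receives the same change, though that hunk lies outside this excerpt.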
@@ -21,3 +21,12 @@ sshAdminKeys: configMap: name: controller-admin-keys key: authorized_keys + +ingress: + enabled: true + domain: local.test + +service: + grpc: + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: h2c diff --git a/charts/controller/test/tests.yaml b/charts/controller/test/tests.yaml index c9b8537..c52d293 100644 --- a/charts/controller/test/tests.yaml +++ b/charts/controller/test/tests.yaml @@ -33,14 +33,16 @@ tests: values: no-tls.values.yaml ports: 2222: 2222 - 8282: 8282 run: - | ssh -i ${SSH_PRIVATE_KEY:-$(ls -1 ~/.ssh/id_* | head -1)} -p 2222 -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \ localhost provision root-keys + - sleep 1 - | - ${TOPAZ:-topaz} ds get manifest -H localhost:8282 --tenant-id 00000000-0000-11ef-0000-000000000000 \ + ${TOPAZ:-topaz} ds get manifest -H grpc-controller.local.test:8008 --tenant-id 00000000-0000-11ef-0000-000000000000 \ -k controller_apikey_reader --stdout --plaintext + - | + curl -f http://controller.local.test:8008/openapi.json - name: controller-tls pull_secret: $GITHUB_TOKEN diff --git a/charts/controller/test/tls.values.yaml b/charts/controller/test/tls.values.yaml index 304bae0..80ef00f 100644 --- a/charts/controller/test/tls.values.yaml +++ b/charts/controller/test/tls.values.yaml @@ -1,12 +1,12 @@ --- image: - tag: 0.33.13-ce1e7a05-amd64 + tag: 0.33.13-ce1e7a05-arm64 imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-controller sslMode: disable admin: @@ -25,5 +25,5 @@ sshAdminKeys: grpc: certSecret: grpc-cert -https: +http: certSecret: gateway-cert diff --git a/charts/controller/values.yaml b/charts/controller/values.yaml index eb3de4d..3431a90 100644 --- a/charts/controller/values.yaml +++ b/charts/controller/values.yaml @@ -11,7 +11,7 @@ image: # Optional: override default ports. # ports: # grpc: 8282 -# https: 8383 +# http: 8383 # health: 8484 # metrics: 8585 
@@ -99,7 +99,7 @@ grpc: # runs without it, you must configure TLS at the ingress or gateway. certSecret: -# https: +# http: # allowed_origins: # - https://*.example.com # read_timeout: 2s @@ -157,28 +157,34 @@ securityContext: {} service: type: ClusterIP + annotations: {} + # When ingress is enabled, the gRPC port is defined on a separate 'controller-grpc' service. + # This allows for configuration of ingresses using service annotations. In particular, the service + # scheme needs to be set to 'h2c'. + # When ingress is not enabled, these values are ignored. + grpc: + type: ClusterIP + annotations: {} + # With traefik ingress use: + # traefik.ingress.kubernetes.io/service.serversscheme: h2c + # + # With kong: + # konghq.com/protocol: grpc ingress: enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: directory.example.com - port: https - - host: grpc.directory.example.com - port: grpc - paths: - - path: / - pathType: Prefix - tls: [] - # - secretName: directory-example-com-tls - # hosts: - # - directory.example.com - # - secretName: grpc-directory-example-com-tls - # hosts: - # - grpc.directory.example.com + # The ingress domain can be set here or in global.aserto.ingress.domain + # domain: example.com + http: + subdomain: controller + className: "" + annotations: {} + # tlsSecret: controller-tls + grpc: + subdomain: grpc-controller + className: "" + annotations: {} + # tlsSecret: grpc-controller-tls resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/directory/templates/NOTES.txt b/charts/directory/templates/NOTES.txt deleted file mode 100644 index 4f30376..0000000 --- a/charts/directory/templates/NOTES.txt +++ /dev/null 
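Review bot: With `http.certSecret` empty by default and both `ingress.http.tlsSecret` and `ingress.grpc.tlsSecret` commented out, enabling the ingress exposes the REST and gRPC endpoints in plaintext end to end, which is exactly what the test values in this commit exercise (`ds get manifest ... --plaintext` with an API key in charts/controller/test/tests.yaml). The context comment `# runs without it, you must configure TLS at the ingress or gateway.` on the grpc section says the right thing but sits far from the new ingress keys where the decision is actually made. Add the same reminder beside them, e.g. `# Without tlsSecret the ingress serves plaintext; set it (or http.certSecret) before exposing the API outside the cluster.`, so the security-relevant default is visible where it is chosen.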
@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "directory.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "directory.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "directory.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
- echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "directory.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export HTTPS_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
- export GRPC_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[1].containerPort}")
- echo "gRPC Service exposed on http://127.0.0.1:8282"
- echo "REST Service exposed on http://127.0.0.1:8383"
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8282:$GRPC_PORT 8383:$HTTPS_PORT
-{{- end }} 
diff --git a/charts/directory/templates/config.yaml b/charts/directory/templates/config.yaml index 2c1dec4..591413f 100644 --- a/charts/directory/templates/config.yaml +++ b/charts/directory/templates/config.yaml @@ -16,7 +16,7 @@ stringData: grpc: {{- include "aserto-lib.grpcService" . | nindent 8 }} gateway: - {{- include "aserto-lib.httpsService" . | nindent 8 }} + {{- include "aserto-lib.httpService" . | nindent 8 }} health: listen_address: 0.0.0.0:{{ include "aserto-lib.healthPort" . }} metrics: diff --git a/charts/directory/templates/deployment.yaml b/charts/directory/templates/deployment.yaml index 1ee65d8..6d147df 100644 --- a/charts/directory/templates/deployment.yaml +++ b/charts/directory/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: secret: secretName: {{ . }} {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs secret: secretName: {{ . }} {{- end }} @@ -65,8 +65,8 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} - - name: https - containerPort: {{ .https }} + - name: http + containerPort: {{ .http }} - name: grpc containerPort: {{ .grpc }} - name: metrics @@ -86,9 +86,9 @@ spec: mountPath: /grpc-certs readOnly: true {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs - mountPath: /https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs + mountPath: /tls-certs readOnly: true {{- end }} diff --git a/charts/directory/templates/ingress.yaml b/charts/directory/templates/ingress.yaml index 9b6b089..0482f89 100644 --- a/charts/directory/templates/ingress.yaml +++ b/charts/directory/templates/ingress.yaml 
@@ -1,58 +1,74 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "directory.fullname" . -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +--- +{{- with .Values.ingress.http }} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "directory.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- include "directory.labels" $ | nindent 4 }} + {{- with .annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + {{- with .className }} + ingressClassName: {{ . }} {{- end }} - {{- if .Values.ingress.tls }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} + rules: + - host: {{ $host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- with .tlsSecret }} tls: - {{- range .Values.ingress.tls }} - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} + - {{ $host }} + secretName: {{ . }} {{- end }} +{{- end }} +--- +{{- with .Values.ingress.grpc }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-grpc + labels: + {{- include "directory.labels" $ | nindent 4 }} + {{- with .annotations }} + annotations: + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + {{- with .className }} + ingressClassName: {{ . }} + {{- end }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + - host: {{ $host }} http: paths: - path: / - {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: Prefix - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ $fullName }} + name: {{ $fullName }}-grpc port: - name: {{ .port }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .port }} - {{- end }} - {{- end }} + name: grpc + {{- with .tlsSecret }} + tls: + - hosts: + - {{ $host }} + secretName: {{ . }} + {{- end }} +{{- end }} {{- end }} + diff --git a/charts/directory/templates/service.yaml b/charts/directory/templates/service.yaml index 5ba945f..22eff4a 100644 --- a/charts/directory/templates/service.yaml +++ b/charts/directory/templates/service.yaml 
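Review bot: `- host: {{ $host }}` and the `tls` hosts entry in both new Ingress resources drop the `| quote` the old template applied to host names, so unless `aserto-lib.ingressHost` (not in this chunk) quotes its output, a wildcard host such as `*.example.com` is parsed as a YAML alias and the chart fails to render; `- host: {{ $host | quote }}` and `- {{ $host | quote }}` restore the previous behaviour. The authorizer and console ingress templates later in this series use the same unquoted pattern. Separately, `tlsSecret` is optional on both the HTTP and the gRPC Ingress and the chart defaults leave it commented out, so the default rendering exposes the REST and gRPC endpoints, together with the `Authorization` headers clients send, without TLS at the ingress edge; a one-line comment on `tlsSecret` in values.yaml stating that omitting it renders no `tls` section would make the default explicit.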
@@ -1,20 +1,51 @@ +--- apiVersion: v1 kind: Service metadata: name: {{ include "directory.fullname" . }} labels: {{- include "directory.labels" . | nindent 4 }} + + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: type: {{ .Values.service.type }} ports: - - name: https - port: {{ include "aserto-lib.httpsPort" . }} - targetPort: https - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc + - name: http + port: {{ include "aserto-lib.httpPort" . }} + targetPort: http - name: metrics port: {{ include "aserto-lib.metricsPort" . }} targetPort: metrics + {{- if not .Values.ingress.enabled }} + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc + {{- end }} + selector: + {{- include "directory.selectorLabels" . | nindent 4 }} + +{{- if .Values.ingress.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "directory.fullname" . }}-grpc + labels: + {{- include "directory.labels" . | nindent 4 }} + + {{- with .Values.service.grpc.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} +spec: + type: {{ .Values.service.grpc.type }} + ports: + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc selector: {{- include "directory.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/directory/test/no-tls.values.yaml b/charts/directory/test/no-tls.values.yaml index 5627b0f..73bd36c 100644 --- a/charts/directory/test/no-tls.values.yaml +++ b/charts/directory/test/no-tls.values.yaml 
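Review bot: The `{{- if not .Values.ingress.enabled }}` guard removes the `grpc` port from the primary `{{ include "directory.fullname" . }}` Service as soon as ingress is enabled, so any in-cluster client that reaches gRPC through the primary service name (the `aserto-lib.directoryClient` consumers elsewhere in this diff, if that is how they address it) loses connectivity the moment a user turns ingress on. Publishing the port on the dedicated `-grpc` Service does not require withdrawing it from the primary one; dropping that guard and its matching `{{- end }}` keeps existing clients working while the annotated `-grpc` Service still backs the ingress. The authorizer service in the second patch carries the same guard.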
@@ -1,15 +1,24 @@ --- image: - tag: 0.33.13-ce1e7a05-amd64 + tag: 0.33.13-ce1e7a05-arm64 imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-directory sslMode: disable admin: credentialsSecret: pg-credentials reader: credentialsSecret: pg-directory-reader-credentials + +ingress: + enabled: true + domain: local.test + +service: + grpc: + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: h2c diff --git a/charts/directory/test/tests.yaml b/charts/directory/test/tests.yaml index c8a1487..4dc174c 100644 --- a/charts/directory/test/tests.yaml +++ b/charts/directory/test/tests.yaml @@ -25,24 +25,22 @@ tests: deployments: - chart: directory values: no-tls.values.yaml - ports: - 8282: 8282 run: # Create a tenant. - | ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store_writer" \ -d '{"tenant": {"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1", "name": "test-tenant"}}' \ - localhost:8282 aserto.directory.store.v2.Store.CreateTenant + grpc-directory.local.test:8008 aserto.directory.store.v2.Store.CreateTenant # Set a manifest for the new tenant. - | ${TOPAZ:-topaz} ds set manifest charts/directory/test/manifest.yaml \ - -H localhost:8282 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ + -H grpc-directory.local.test:8008 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ -k apikey_reader --plaintext # Get the tenant's manifest. - | - ${TOPAZ:-topaz} ds get manifest -H localhost:8282 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ + ${TOPAZ:-topaz} ds get manifest -H grpc-directory.local.test:8008 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ -k apikey_reader --plaintext $TMPDIR/manifest.yaml # Ensure the downloaded manifest has the expected content. 
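Review bot: The steps now reach the directory at `grpc-directory.local.test:8008` instead of a forwarded localhost port, but nothing in the spec says how that name resolves or what listens on 8008; if it depends on a hosts-file entry or an ingress controller port on the runner, a comment in tests.yaml such as `# requires grpc-directory.local.test to resolve to the cluster ingress (port 8008)` would save the next person a failed run. The `-plaintext` flag also means the `apikey_store_writer` credential now crosses the ingress without TLS, which matches the `no-tls` values file but is worth stating alongside the hostname so nobody reuses these steps against a non-test ingress.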
@@ -52,7 +50,7 @@ tests: - | ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store_writer" \ -d '{"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1"}' \ - localhost:8282 aserto.directory.store.v2.Store.DeleteTenant + grpc-directory.local.test:8008 aserto.directory.store.v2.Store.DeleteTenant - name: directory-tls pull_secret: $GITHUB_TOKEN diff --git a/charts/directory/test/tls.values.yaml b/charts/directory/test/tls.values.yaml index d40b022..f3d84fd 100644 --- a/charts/directory/test/tls.values.yaml +++ b/charts/directory/test/tls.values.yaml @@ -1,12 +1,12 @@ --- image: - tag: 0.33.13-ce1e7a05-amd64 + tag: 0.33.13-ce1e7a05-arm64 imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-directory sslMode: disable admin: diff --git a/charts/directory/values.yaml b/charts/directory/values.yaml index ddfa5f8..410bb8b 100644 --- a/charts/directory/values.yaml +++ b/charts/directory/values.yaml @@ -11,7 +11,7 @@ image: # Optional: override default ports. # ports: # grpc: 8282 -# https: 8383 +# http: 8383 # health: 8484 # metrics: 8585 
@@ -163,28 +163,34 @@ securityContext: {} service: type: ClusterIP + annotations: {} + # When ingress is enabled, the gRPC port is defined on a separate 'controller-grpc' service. + # This allows for configuration of ingresses using service annotations. In particular, the service + # scheme needs to be set to 'h2c'. + # When ingress is not enabled, these values are ignored. + grpc: + type: ClusterIP + annotations: {} + # With traefik ingress use: + # traefik.ingress.kubernetes.io/service.serversscheme: h2c + # + # With kong: + # konghq.com/protocol: grpc ingress: enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: directory.example.com - port: https - - host: grpc.directory.example.com - port: grpc - paths: - - path: / - pathType: Prefix - tls: [] - # - secretName: directory-example-com-tls - # hosts: - # - directory.example.com - # - secretName: grpc-directory-example-com-tls - # hosts: - # - grpc.directory.example.com + # The ingress domain can be set here or in global.aserto.ingress.domain + # domain: example.com + http: + subdomain: directory + className: "" + annotations: {} + # tlsSecret: directory-tls + grpc: + subdomain: grpc-directory + className: "" + annotations: {} + # tlsSecret: grpc-directory-tls resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/discovery/templates/config.yaml b/charts/discovery/templates/config.yaml index edf2cd3..352624f 100644 --- a/charts/discovery/templates/config.yaml +++ b/charts/discovery/templates/config.yaml @@ -16,7 +16,7 @@ stringData: grpc: {{- include "aserto-lib.grpcService" . | nindent 8 }} gateway: - {{- include "aserto-lib.httpsService" . | nindent 8 }} + {{- include "aserto-lib.httpService" . | nindent 8 }} health: listen_address: 0.0.0.0:{{ include "aserto-lib.healthPort" . }} metrics: 
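Review bot: The new comment under `service.grpc` says the port moves to a separate `'controller-grpc'` service, but this is the directory chart and service.yaml names the resource `{{ fullname }}-grpc`, i.e. `directory-grpc`; the text appears to have been copied from the controller chart and should read `# When ingress is enabled, the gRPC port is defined on a separate 'directory-grpc' service.`. The `tlsSecret` examples under `http:` and `grpc:` are commented out, so it would also help to add a line stating that when `tlsSecret` is omitted the Ingress is rendered without a `tls` section and the endpoint is served in plaintext.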
diff --git a/charts/discovery/templates/deployment.yaml b/charts/discovery/templates/deployment.yaml index f2a3582..891eef6 100644 --- a/charts/discovery/templates/deployment.yaml +++ b/charts/discovery/templates/deployment.yaml @@ -37,8 +37,8 @@ spec: secret: secretName: {{ . }} {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs secret: secretName: {{ . }} {{- end }} @@ -61,8 +61,8 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} - - name: https - containerPort: {{ .https }} + - name: http + containerPort: {{ .http }} - name: grpc containerPort: {{ .grpc }} {{- end }} @@ -75,9 +75,9 @@ spec: mountPath: /grpc-certs readOnly: true {{- end }} - {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} - - name: https-certs - mountPath: /https-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} + - name: tls-certs + mountPath: /tls-certs readOnly: true {{- end }} diff --git a/charts/discovery/templates/service.yaml b/charts/discovery/templates/service.yaml index 4c3df5b..6bdaae1 100644 --- a/charts/discovery/templates/service.yaml +++ b/charts/discovery/templates/service.yaml @@ -7,9 +7,9 @@ metadata: spec: type: {{ .Values.service.type }} ports: - - name: https - port: {{ include "aserto-lib.httpsPort" . }} - targetPort: https + - name: http + port: {{ include "aserto-lib.httpPort" . }} + targetPort: http - name: grpc port: {{ include "aserto-lib.grpcPort" . }} targetPort: grpc diff --git a/charts/discovery/values.yaml b/charts/discovery/values.yaml index 01fb3c9..2f17dec 100644 --- a/charts/discovery/values.yaml +++ b/charts/discovery/values.yaml 
@@ -99,7 +99,7 @@ ingress: # kubernetes.io/tls-acme: "true" hosts: - host: directory.example.com - port: https + port: http - host: grpc.directory.example.com port: grpc paths: diff --git a/charts/multi-tenant-scim/templates/config.yaml b/charts/multi-tenant-scim/templates/config.yaml index d9511b6..6c1dcc8 100644 --- a/charts/multi-tenant-scim/templates/config.yaml +++ b/charts/multi-tenant-scim/templates/config.yaml @@ -16,9 +16,9 @@ stringData: listen_address: ":{{ include "multi-tenant-scim.port" . }}" {{- with .Values.certSecret -}} certs: - tls_key_path: '/https-certs/tls.key' - tls_cert_path: '/https-certs/tls.crt' - tls_ca_cert_path: '/https-certs/ca.crt' + tls_key_path: '/tls-certs/tls.key' + tls_cert_path: '/tls-certs/tls.crt' + tls_ca_cert_path: '/tls-certs/ca.crt' {{- end }} auth: basic: @@ -30,4 +30,4 @@ stringData: directory: {{- include "aserto-lib.directoryClient" . | nindent 6 }} controller: - {{- include "aserto-lib.controllerClient" . | nindent 6 }} \ No newline at end of file + {{- include "aserto-lib.controllerClient" . | nindent 6 }} diff --git a/charts/multi-tenant-scim/templates/deployment.yaml b/charts/multi-tenant-scim/templates/deployment.yaml index 48c850a..6083df1 100644 --- a/charts/multi-tenant-scim/templates/deployment.yaml +++ b/charts/multi-tenant-scim/templates/deployment.yaml @@ -31,8 +31,8 @@ spec: items: - key: config.yaml path: config.yaml - - name: https-certs - {{- with (include "aserto-lib.httpsConfig" . | fromYaml) }} + - name: tls-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml) }} {{- if .certSecret }} secret: secretName: {{ .certSecret }} 
@@ -41,13 +41,13 @@ spec: {{- end }} {{- end }} - {{- with ((include "aserto-lib.controllerClient" . | fromYaml).caCertSecret).name }} + {{- with ((include "aserto-lib.controllerClient" . | fromYaml).caCertSecret).name }} - name: controller-grpc-certs secret: secretName: {{ . }} items: - key: ca.crt - path: ca.crt + path: ca.crt {{- end }} containers: - name: {{ .Chart.Name }} @@ -64,16 +64,16 @@ spec: mountPath: /config readOnly: true {{- with .Values.certSecret }} - - name: https-certs - mountPath: /https-certs + - name: tls-certs + mountPath: /tls-certs readOnly: true {{- end }} - {{- with ((include "aserto-lib.directoryClientCfg" . | fromYaml).caCertSecret).name }} + {{- with ((include "aserto-lib.directoryClientCfg" . | fromYaml).caCertSecret).name }} - name: directory-grpc-certs mountPath: /directory-grpc-certs readOnly: true {{- end }} - {{- with ((include "aserto-lib.controllerClientCfg" . | fromYaml).caCertSecret).name }} + {{- with ((include "aserto-lib.controllerClientCfg" . | fromYaml).caCertSecret).name }} - name: controller-grpc-certs mountPath: /controller-grpc-certs readOnly: true diff --git a/charts/multi-tenant-scim/values.yaml b/charts/multi-tenant-scim/values.yaml index b0d52fa..4ae5f1c 100644 --- a/charts/multi-tenant-scim/values.yaml +++ b/charts/multi-tenant-scim/values.yaml @@ -70,7 +70,7 @@ ingress: # kubernetes.io/tls-acme: "true" hosts: - host: directory.example.com - port: https + port: http - host: grpc.directory.example.com port: grpc paths: diff --git a/charts/registry-proxy/templates/_helpers.tpl b/charts/registry-proxy/templates/_helpers.tpl index 7ef954e..5c6485c 100644 --- a/charts/registry-proxy/templates/_helpers.tpl +++ b/charts/registry-proxy/templates/_helpers.tpl 
@@ -70,8 +70,8 @@ Local cluster address {{- define "registry-proxy.gatewayService" }} -{{ include "aserto-lib.httpsService" . }} -{{- $cfg := include "aserto-lib.httpsConfig" . | fromYaml }} +{{ include "aserto-lib.httpService" . }} +{{- $cfg := include "aserto-lib.httpConfig" . | fromYaml }} allowed_headers: {{- $cfg.allowed_headers | default (list "Aserto-Tenant-Id" "Authorization" "Content-Type" "Depth") | toYaml | nindent 2 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/registry-proxy/templates/deployment.yaml b/charts/registry-proxy/templates/deployment.yaml index a5185e1..367375a 100644 --- a/charts/registry-proxy/templates/deployment.yaml +++ b/charts/registry-proxy/templates/deployment.yaml @@ -40,8 +40,8 @@ spec: emptyDir: {} {{- end }} {{- end }} - - name: https-certs - {{- with (include "aserto-lib.httpsConfig" . | fromYaml) }} + - name: tls-certs + {{- with (include "aserto-lib.httpConfig" . | fromYaml) }} {{- if .certSecret }} secret: secretName: {{ .certSecret }} @@ -60,10 +60,10 @@ spec: {{- end }} {{- with (include "aserto-lib.discoveryCfg" . | fromYaml) }} - {{- if .httpsCertSecret }} - - name: discovery-https-certs + {{- if .tlsCertSecret }} + - name: discovery-tls-certs secret: - secretName: {{ .httpsCertSecret }} + secretName: {{ .tlsCertSecret }} items: - key: ca.crt path: ca.crt @@ -79,8 +79,8 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} - - name: https - containerPort: {{ .https }} + - name: http + containerPort: {{ .http }} - name: metrics containerPort: {{ .metrics }} {{- end }} 
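Review bot: `{{- if .tlsCertSecret }}` reads a key from `aserto-lib.discoveryCfg`, but that helper is not in this chunk and the diffstat does not show an aserto-lib discovery helper being touched; if it still emits `httpsCertSecret`, the condition is silently false, the `discovery-tls-certs` volume is no longer rendered, and the CA certificate the proxy uses to validate the discovery endpoint disappears without any template error. Please confirm the helper was renamed in the same change, and that the matching volumeMount (outside this hunk) was renamed from `discovery-https-certs` to `discovery-tls-certs`, since the mount block visible in the following hunk only covers `config`, `tls-certs` and `controller-grpc-certs`.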
@@ -88,9 +88,9 @@ spec: - name: config mountPath: /config readOnly: true - - name: https-certs - mountPath: /https-certs - {{- if (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} + - name: tls-certs + mountPath: /tls-certs + {{- if (include "aserto-lib.httpConfig" . | fromYaml).certSecret }} readOnly: true {{- end }} {{- with ((include "aserto-lib.controllerClientCfg" . | fromYaml).caCertSecret).name }} diff --git a/charts/registry-proxy/templates/service.yaml b/charts/registry-proxy/templates/service.yaml index 0943e06..2b6ab29 100644 --- a/charts/registry-proxy/templates/service.yaml +++ b/charts/registry-proxy/templates/service.yaml @@ -7,9 +7,9 @@ metadata: spec: type: {{ .Values.service.type }} ports: - - name: https - port: {{ include "aserto-lib.httpsPort" . }} - targetPort: https + - name: http + port: {{ include "aserto-lib.httpPort" . }} + targetPort: http - name: grpc port: {{ include "aserto-lib.grpcPort" . }} targetPort: grpc diff --git a/charts/registry-proxy/values.yaml b/charts/registry-proxy/values.yaml index 2ae2976..93d9943 100644 --- a/charts/registry-proxy/values.yaml +++ b/charts/registry-proxy/values.yaml @@ -50,7 +50,7 @@ ingress: # kubernetes.io/tls-acme: "true" hosts: - host: registry-proxy.example.com - port: https + port: http - host: grpc.registry-proxy.example.com port: grpc paths: diff --git a/charts/scim/templates/config.yaml b/charts/scim/templates/config.yaml index 3bdf3cb..90b907e 100644 --- a/charts/scim/templates/config.yaml +++ b/charts/scim/templates/config.yaml @@ -16,9 +16,9 @@ stringData: listen_address: ":{{ include "scim.port" . }}" {{- with .Values.certSecret -}} certs: - tls_key_path: '/https-certs/tls.key' - tls_cert_path: '/https-certs/tls.crt' - tls_ca_cert_path: '/https-certs/ca.crt' + tls_key_path: '/tls-certs/tls.key' + tls_cert_path: '/tls-certs/tls.crt' + tls_ca_cert_path: '/tls-certs/ca.crt' {{- end }} auth: basic: 
diff --git a/charts/scim/templates/deployment.yaml b/charts/scim/templates/deployment.yaml index d13fc62..751005f 100644 --- a/charts/scim/templates/deployment.yaml +++ b/charts/scim/templates/deployment.yaml @@ -32,7 +32,7 @@ spec: - key: config.yaml path: config.yaml {{- with .Values.certSecret }} - - name: https-certs + - name: tls-certs secret: secretName: {{ . }} {{- end }} @@ -61,8 +61,8 @@ spec: mountPath: /config readOnly: true {{- with .Values.certSecret }} - - name: https-certs - mountPath: /https-certs + - name: tls-certs + mountPath: /tls-certs readOnly: true {{- end }} {{- with ((include "aserto-lib.controllerClientCfg" . | fromYaml).caCertSecret).name }} diff --git a/charts/scim/values.yaml b/charts/scim/values.yaml index bd576eb..235b384 100644 --- a/charts/scim/values.yaml +++ b/charts/scim/values.yaml @@ -99,7 +99,7 @@ ingress: # kubernetes.io/tls-acme: "true" hosts: - host: directory.example.com - port: https + port: http - host: grpc.directory.example.com port: grpc paths: diff --git a/charts/topaz/README.md b/charts/topaz/README.md index 7f95d89..80ad762 100644 --- a/charts/topaz/README.md +++ b/charts/topaz/README.md @@ -378,7 +378,7 @@ Topaz pods expose the following ports: | Protocol | Default Port | Description | |----------|--------------|-------------| | gRPC | 8282 | gRPC services | -| HTTPS | 8383 | REST endpoints and web console | +| HTTP | 8383 | REST endpoints and web console | | Health | 8484 | gRPC [health service](https://github.com/grpc/grpc/blob/master/doc/health-checking.md) | | Metrics | 8585 | Prometheus metrics [optional, enabled by default] | | Profiler | 8686 | Profiler service [optional, disabled by default] | @@ -388,7 +388,7 @@ The default ports can be overridden in `values.yaml`: ```yaml ports: grpc: 8282 - https: 8383 + http: 8383 health: 8484 metrics: 8585 profiler: 8686 @@ -444,5 +444,5 @@ of `values.yaml`: ```yaml tls: grpc: "" - https: "" + http: "" ``` 
diff --git a/charts/topaz/templates/_helpers.tpl b/charts/topaz/templates/_helpers.tpl index 17a6227..bab0fc1 100644 --- a/charts/topaz/templates/_helpers.tpl +++ b/charts/topaz/templates/_helpers.tpl @@ -235,7 +235,7 @@ certs: {{- $values := first . -}} {{- $svc := last . -}} {{- $cfg := merge (dig $svc "http" dict $values.serviceOverrides) $values.http -}} -listen_address: 0.0.0.0:{{ ($values.ports).https | default "8383" }} +listen_address: 0.0.0.0:{{ ($values.ports).http | default "8383" }} {{- if $cfg.domain }} fqdn: {{ $cfg.domain }} @@ -263,11 +263,11 @@ read_timeout: {{ $cfg.readTimeout | default "2s" }} read_header_timeout: {{ $cfg.readHeaderTimeout | default "2s" }} write_timeout: {{ $cfg.writeTimeout | default "2s" }} idle_timeout: {{ $cfg.idleTimeout | default "30s" }} -{{- with ($values.tls).https }} +{{- with ($values.tls).http }} certs: - tls_key_path: /https-certs/tls.key - tls_cert_path: /https-certs/tls.crt - tls_ca_cert_path: /https-certs/ca.crt + tls_key_path: /tls-certs/tls.key + tls_cert_path: /tls-certs/tls.crt + tls_ca_cert_path: /tls-certs/ca.crt {{- end }} {{- end }} diff --git a/charts/topaz/templates/deployment.yaml b/charts/topaz/templates/deployment.yaml index 696a1f1..b77c561 100644 --- a/charts/topaz/templates/deployment.yaml +++ b/charts/topaz/templates/deployment.yaml @@ -61,7 +61,7 @@ spec: containerPort: {{ (.Values.ports).grpc | default "8282" }} protocol: TCP - name: http - containerPort: {{ (.Values.ports).https | default "8383" }} + containerPort: {{ (.Values.ports).http | default "8383" }} protocol: TCP - name: health containerPort: {{ (.Values.ports).health | default "8484" }} @@ -108,9 +108,9 @@ spec: mountPath: /grpc-certs readOnly: true {{- end }} - {{- if (.Values.tls).https }} - - name: https-certs - mountPath: /https-certs + {{- if (.Values.tls).http }} + - name: tls-certs + mountPath: /tls-certs readOnly: true {{- end }} {{- with (.Values.directory).remote -}} 
@@ -154,8 +154,8 @@ spec: secret: secretName: {{ . }} {{- end }} - {{- with (.Values.tls).https }} - - name: https-certs + {{- with (.Values.tls).http }} + - name: tls-certs secret: secretName: {{ . }} {{- end }} diff --git a/charts/topaz/templates/service.yaml b/charts/topaz/templates/service.yaml index c57e334..c055e92 100644 --- a/charts/topaz/templates/service.yaml +++ b/charts/topaz/templates/service.yaml @@ -12,7 +12,7 @@ spec: targetPort: grpc protocol: TCP name: grpc - - port: {{ (.Values.ports).https | default "8383" }} + - port: {{ (.Values.ports).http | default "8383" }} targetPort: http protocol: TCP name: http diff --git a/charts/topaz/test/tls.values.yaml b/charts/topaz/test/tls.values.yaml index f75ee76..0af5692 100644 --- a/charts/topaz/test/tls.values.yaml +++ b/charts/topaz/test/tls.values.yaml @@ -1,7 +1,7 @@ --- tls: grpc: grpc-cert - https: gateway-cert + http: gateway-cert profiler: enabled: true diff --git a/charts/topaz/values.yaml b/charts/topaz/values.yaml index 338375a..f9379fd 100644 --- a/charts/topaz/values.yaml +++ b/charts/topaz/values.yaml @@ -196,7 +196,7 @@ ports: # gRPC services. grpc: 8282 # REST services and web UI. - https: 8383 + http: 8383 # gRPC Health service (https://github.com/grpc-ecosystem/grpc-health-probe). health: 8484 # Prometheus metrics (GET /metrics). @@ -209,7 +209,7 @@ ports: # If not provided, topaz runs without TLS. tls: # grpc: topaz-grpc-cert -# https: topaz-https-cert +# http: topaz-https-cert # Metrics configuration metrics: diff --git a/makefile b/makefile index 84612f9..bd47291 100644 --- a/makefile +++ b/makefile @@ -67,7 +67,7 @@ lint-%: .PHONY: test-% test-%: @echo -e "${ATTN_COLOR}==> test $* ${NO_COLOR}" - @uv run --project tools/ktest tools/ktest/ktest.py charts/$*/test/tests.yaml + @uv run --project tools/ktest tools/ktest/ktest.py charts/$*/test/tests.yaml --no-check .PHONY: update-% update-%: diff --git a/tools/ktest/ktest.py b/tools/ktest/ktest.py index 067c33d..891944e 100755 
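Review bot: Passing `--no-check` unconditionally in `test-%` disables the only guard ktest has against running against a non-test kube context, and the directory suite in this same patch creates and deletes tenants, so `make test-directory` with the wrong current context would now modify that cluster. Keeping the check on by default and letting the caller opt out preserves the safeguard for the common case, e.g. `KTEST_FLAGS ?=` near the top of the makefile and `@uv run --project tools/ktest tools/ktest/ktest.py charts/$*/test/tests.yaml $(KTEST_FLAGS)` here.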
--- a/tools/ktest/ktest.py +++ b/tools/ktest/ktest.py @@ -3,6 +3,7 @@ import logging import subprocess +import time from contextlib import contextmanager, ExitStack from os import path from typing import Iterator, Sequence, TextIO @@ -58,12 +59,15 @@ def run(self, teardown: bool = True): with ExitStack() as stack: for deployment in self.test.deployments: - echo( - "🔀", - "Forwarding ports:", - f"{deployment.chart} - {deployment.ports}", - ) - stack.enter_context(ns.forward(deployment.chart, deployment.ports)) + if deployment.ports: + echo( + "🔀", + "Forwarding ports:", + f"{deployment.chart} - {deployment.ports}", + ) + stack.enter_context( + ns.forward(deployment.chart, deployment.ports) + ) try: self.execute_steps() @@ -101,6 +105,7 @@ def wait_for_deployments(self, deployments: Sequence[Deployment], ns: Namespace) try: echo("⏳", "Waiting for pod:", pod) ns.wait(pod) + time.sleep(2) # give ingresses time to become available except: echo( "🚨", @@ -172,7 +177,8 @@ def new_namespace(name: str, teardown: bool) -> Iterator["Namespace"]: @click.argument("specfile", type=click.File()) @click.option("--include", "-i", multiple=True, help="Only run specified test(s)") @click.option("--teardown/--no-teardown", default=True, show_default=True) -def main(specfile: TextIO, include: Sequence[str], teardown: bool): +@click.option("--check/--no-check", default=True, show_default=True) +def main(specfile: TextIO, include: Sequence[str], teardown: bool, check: bool): """Run tests in a kubernetes cluster. SPECFILE: path to a YAML file with test definitions. 
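Review bot: `time.sleep(2)  # give ingresses time to become available` in wait_for_deployments is a fixed delay with no check that the ingress actually answers, so a slow ingress controller still fails the first test step while a fast one waits for nothing; polling the ingress host until it responds, bounded by a timeout, or at least reading the delay from an option, would make the suite deterministic. In the `main` hunk the new `--check/--no-check` option is the only one without `help=`; `@click.option("--check/--no-check", default=True, show_default=True, help="Require the current kube context to be a test environment")` keeps it consistent with `--include`. The bare `except:` in the wait_for_deployments hunk is pre-existing context, but it also swallows KeyboardInterrupt and would be worth narrowing to `except Exception:` while this function is being edited.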
@@ -181,12 +187,13 @@ def main(specfile: TextIO, include: Sequence[str], teardown: bool): init_logging(logging.DEBUG) config.load_kube_config() - # Ensure that the current kubectl context has "test" in its name. - context = Namespace.current_context() - if "test" not in context: - raise click.ClickException( - f"Current kubernetes context ({context}) is not a test environemnt. Exiting." - ) + if check: + # Ensure that the current kubectl context has "test" in its name. + context = Namespace.current_context() + if "test" not in context: + raise click.ClickException( + f"Current kubernetes context ({context}) is not a test environemnt. Exiting." + ) spec = Spec(**yaml.safe_load(specfile)) spec_path = path.dirname(specfile.name) diff --git a/tools/ktest/model.py b/tools/ktest/model.py index 9b84a10..86455f7 100644 --- a/tools/ktest/model.py +++ b/tools/ktest/model.py @@ -23,7 +23,7 @@ class Secret(BaseModel): class Deployment(BaseModel): chart: str values: str = Field(default="") - ports: dict[int, int] + ports: dict[int, int] = Field(default_factory=lambda: {}) class Test(BaseModel): From 514af0f1c3b63887431244172c49784e584ca102 Mon Sep 17 00:00:00 2001 
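Review bot: The error message moved inside `if check:` still reads `is not a test environemnt`; since the commit rewrites these lines anyway, fixing the spelling to `environment` here is free. It would also help to emit a visible log line in the `else` branch when the context check is skipped (the makefile in this patch now skips it on every run), so that a run against an unintended cluster is at least apparent in the output rather than silent.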
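Review bot: `Field(default_factory=lambda: {})` can be written `Field(default_factory=dict)`; the lambda adds nothing. Since `ports` is now optional, a short comment on the field noting that an empty mapping means no port-forwarding is performed, which is the contract the new `if deployment.ports:` guard in ktest.py relies on, would document the behaviour for the next spec author.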
From: Ronen Hilewicz Date: Wed, 5 Mar 2025 15:55:37 -0500 Subject: [PATCH 2/8] Ingerss for authorizer, discovery, registry, console --- charts/authorizer/templates/ingress.yaml | 64 ++++++++++---- charts/authorizer/templates/service.yaml | 38 ++++++++- charts/authorizer/values.yaml | 40 +++++---- charts/console/templates/ingress.yaml | 54 ++++-------- charts/console/values.yaml | 21 +---- charts/discovery/templates/ingress.yaml | 83 +++++++++++-------- charts/discovery/templates/service.yaml | 32 +++++++ charts/discovery/test/no-tls.values.yaml | 9 ++ charts/discovery/test/tests.yaml | 6 +- charts/discovery/values.yaml | 44 +++++----- charts/registry-proxy/Chart.yaml | 2 +- charts/registry-proxy/templates/NOTES.txt | 22 ----- charts/registry-proxy/templates/config.yaml | 10 +-- charts/registry-proxy/test/test-values.yaml | 10 +++ .../registry-proxy/{tests => test}/tests.yaml | 7 +- charts/registry-proxy/tests/test-values.yaml | 2 - charts/registry-proxy/values.yaml | 5 +- 17 files changed, 270 insertions(+), 179 deletions(-) delete mode 100644 charts/registry-proxy/templates/NOTES.txt create mode 100644 charts/registry-proxy/test/test-values.yaml rename charts/registry-proxy/{tests => test}/tests.yaml (60%) delete mode 100644 charts/registry-proxy/tests/test-values.yaml diff --git a/charts/authorizer/templates/ingress.yaml b/charts/authorizer/templates/ingress.yaml index b7ac648..4c03551 100644 --- a/charts/authorizer/templates/ingress.yaml +++ b/charts/authorizer/templates/ingress.yaml 
@@ -1,40 +1,74 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "authorizer.fullname" . -}} +--- +{{- with .Values.ingress.http }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "authorizer.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- include "authorizer.labels" $ | nindent 4 }} + {{- with .annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- with .Values.ingress.className }} + {{- with .className }} ingressClassName: {{ . }} {{- end }} - {{- with .Values.ingress.tls }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} + rules: + - host: {{ $host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- with .tlsSecret }} tls: - {{- range . }} - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} + - {{ $host }} + secretName: {{ . }} {{- end }} +{{- end }} +--- +{{- with .Values.ingress.grpc }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-grpc + labels: + {{- include "authorizer.labels" $ | nindent 4 }} + {{- with .annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .className }} + ingressClassName: {{ . }} + {{- end }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ include "aserto-lib.ingressHost" (list $ .) }} + - host: {{ $host }} http: paths: - path: / pathType: Prefix backend: service: - name: {{ $fullName }} + name: {{ $fullName }}-grpc port: - name: {{ .port }} - {{- end }} + name: grpc + {{- with .tlsSecret }} + tls: + - hosts: + - {{ $host }} + secretName: {{ . }} + {{- end }} +{{- end }} {{- end }} + diff --git a/charts/authorizer/templates/service.yaml b/charts/authorizer/templates/service.yaml index dff1625..e4ed2f1 100644 
--- a/charts/authorizer/templates/service.yaml +++ b/charts/authorizer/templates/service.yaml @@ -1,20 +1,52 @@ +--- apiVersion: v1 kind: Service metadata: name: {{ include "authorizer.fullname" . }} labels: {{- include "authorizer.labels" . | nindent 4 }} + + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: type: {{ .Values.service.type }} ports: - name: http port: {{ include "aserto-lib.httpPort" . }} targetPort: http - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc - name: metrics port: {{ include "aserto-lib.metricsPort" . }} targetPort: metrics + {{- if not .Values.ingress.enabled }} + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc + {{- end }} + selector: + {{- include "authorizer.selectorLabels" . | nindent 4 }} + +{{- if .Values.ingress.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "authorizer.fullname" . }}-grpc + labels: + {{- include "authorizer.labels" . | nindent 4 }} + + {{- with .Values.service.grpc.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} +spec: + type: {{ .Values.service.grpc.type }} + ports: + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc selector: {{- include "authorizer.selectorLabels" . | nindent 4 }} +{{- end }} + diff --git a/charts/authorizer/values.yaml b/charts/authorizer/values.yaml index 2cb863d..f327a9b 100644 --- a/charts/authorizer/values.yaml +++ b/charts/authorizer/values.yaml 
@@ -85,26 +85,34 @@ securityContext: {} service: type: ClusterIP + annotations: {} + # When ingress is enabled, the gRPC port is defined on a separate 'authorizer-grpc' service. + # This allows for configuration of ingresses using service annotations. In particular, the service + # scheme needs to be set to 'h2c'. + # When ingress is not enabled, these values are ignored. + grpc: + type: ClusterIP + annotations: {} + # With traefik ingress use: + # traefik.ingress.kubernetes.io/service.serversscheme: h2c + # + # With kong: + # konghq.com/protocol: grpc ingress: enabled: false + # The ingress domain can be set here or in global.aserto.ingress.domain # domain: example.com - className: "" - annotations: {} - hosts: - - subdomain: authorizer - port: http - # host: authorizer.example.com - - subdomain: grpc-authorizer - port: grpc - # host: grpc-authorizer.example.com - tls: [] - # - secretName: authorizer-tls - # subdomains: - # - authorizer - # - secretName: grpc-authorizer-tls - # subdomains: - # - grpc-authorizer + http: + subdomain: authorizer + className: "" + annotations: {} + # tlsSecret: authorizer-tls + grpc: + subdomain: grpc-authorizer + className: "" + annotations: {} + # tlsSecret: grpc-authorizer-tls resources: {} # limits: diff --git a/charts/console/templates/ingress.yaml b/charts/console/templates/ingress.yaml index 9ee03ac..3dbc2bd 100644 --- a/charts/console/templates/ingress.yaml +++ b/charts/console/templates/ingress.yaml 
@@ -1,58 +1,38 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "console.fullname" . -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +--- +{{- with .Values.ingress }} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "console.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- include "console.labels" $ | nindent 4 }} + {{- with .annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} + {{- with .className }} + ingressClassName: {{ . }} {{- end }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) 
}} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + - host: {{ $host }} http: paths: - path: / - {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: Prefix - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: name: {{ $fullName }} port: - name: {{ .port }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .port }} - {{- end }} - {{- end }} -{{- end }} \ No newline at end of file + name: http + {{- with .tlsSecret }} + tls: + - hosts: + - {{ $host }} + secretName: {{ . }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/console/values.yaml b/charts/console/values.yaml index 7749025..55c4f76 100644 --- a/charts/console/values.yaml +++ b/charts/console/values.yaml @@ -75,25 +75,12 @@ service: ingress: enabled: false + # The ingress domain can be set here or in global.aserto.ingress.domain + # domain: example.com + subdomain: console className: "" annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: directory.example.com - port: http - - host: grpc.directory.example.com - port: grpc - paths: - - path: / - pathType: Prefix - tls: [] - # - secretName: directory-example-com-tls - # hosts: - # - directory.example.com - # - secretName: grpc-directory-example-com-tls - # hosts: - # - grpc.directory.example.com + # tlsSecret: console-tls resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/discovery/templates/ingress.yaml b/charts/discovery/templates/ingress.yaml index 39e905b..7fe3a0d 100644 --- a/charts/discovery/templates/ingress.yaml +++ b/charts/discovery/templates/ingress.yaml 
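Review bot: With `tlsSecret` commented out as the default in the console values hunk, the rewritten ingress template renders no `tls:` section at all, so an install that simply sets `ingress.enabled: true` exposes the console over plain HTTP; the old example at least carried a `kubernetes.io/tls-acme` hint. A one-line warning next to the key would help: `# Leave tlsSecret unset only for local testing; without it the console Ingress serves plain HTTP.` The same default appears in the other charts' `ingress.http`/`ingress.grpc` blocks in this patch, so the comment is worth repeating there.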
@@ -1,58 +1,73 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "discovery.fullname" . -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +--- +{{- with .Values.ingress.http }} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "discovery.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- include "discovery.labels" $ | nindent 4 }} + {{- with .annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + {{- with .className }} + ingressClassName: {{ . }} {{- end }} - {{- if .Values.ingress.tls }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} + rules: + - host: {{ $host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- with .tlsSecret }} tls: - {{- range .Values.ingress.tls }} - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} + - {{ $host }} + secretName: {{ . }} {{- end }} +{{- end }} +--- +{{- with .Values.ingress.grpc }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-grpc + labels: + {{- include "discovery.labels" $ | nindent 4 }} + {{- with .annotations }} + annotations: + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + {{- with .className }} + ingressClassName: {{ . }} + {{- end }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + - host: {{ $host }} http: paths: - path: / - {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: Prefix - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ $fullName }} + name: {{ $fullName }}-grpc port: - name: {{ .port }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .port }} - {{- end }} - {{- end }} + name: grpc + {{- with .tlsSecret }} + tls: + - hosts: + - {{ $host }} + secretName: {{ . }} + {{- end }} +{{- end }} {{- end }} diff --git a/charts/discovery/templates/service.yaml b/charts/discovery/templates/service.yaml index 6bdaae1..8f345a9 100644 --- a/charts/discovery/templates/service.yaml +++ b/charts/discovery/templates/service.yaml 
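Review bot: The gRPC Ingress added in this hunk carries no backend-protocol hint of its own; the chart relies on Service annotations (traefik `serversscheme`, kong `protocol`) documented in values.yaml, but ingress-nginx, as far as I recall, takes that setting on the Ingress object, so an nginx user who follows the values comments gets HTTP/1.1 to the backend and failing gRPC calls. Worth documenting under `ingress.grpc.annotations`: `# With ingress-nginx: nginx.ingress.kubernetes.io/backend-protocol: "GRPC" (GRPCS when grpc.certSecret is set)`. I'd also note there that nginx only routes gRPC on its TLS listener, so `tlsSecret` is effectively required for that controller.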
@@ -1,17 +1,49 @@ +--- apiVersion: v1 kind: Service metadata: name: {{ include "discovery.fullname" . }} labels: {{- include "discovery.labels" . | nindent 4 }} + + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: type: {{ .Values.service.type }} ports: - name: http port: {{ include "aserto-lib.httpPort" . }} targetPort: http + {{- if not .Values.ingress.enabled }} - name: grpc port: {{ include "aserto-lib.grpcPort" . }} targetPort: grpc + {{- end }} selector: {{- include "discovery.selectorLabels" . | nindent 4 }} + +{{- if .Values.ingress.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "discovery.fullname" . }}-grpc + labels: + {{- include "discovery.labels" . | nindent 4 }} + + {{- with .Values.service.grpc.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} +spec: + type: {{ .Values.service.grpc.type }} + ports: + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc + selector: + {{- include "discovery.selectorLabels" . | nindent 4 }} +{{- end }} + diff --git a/charts/discovery/test/no-tls.values.yaml b/charts/discovery/test/no-tls.values.yaml index a08d41b..1d6a75b 100644 --- a/charts/discovery/test/no-tls.values.yaml +++ b/charts/discovery/test/no-tls.values.yaml @@ -19,3 +19,12 @@ registries: scheme: bearer tokenSecretName: discovery-ghcr-token tokenSecretKey: token + +ingress: + enabled: true + domain: local.test + +service: + grpc: + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: h2c diff --git a/charts/discovery/test/tests.yaml b/charts/discovery/test/tests.yaml index 0708cb8..cbcca70 100644 --- a/charts/discovery/test/tests.yaml +++ b/charts/discovery/test/tests.yaml @@ -10,8 +10,6 @@ tests: 8383: 8383 - chart: discovery values: no-tls.values.yaml - ports: - 18383: 8383 secrets: - name: discovery-keys values: 
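Review bot: The discovery test values in this hunk enable the ingress with the traefik h2c annotation, but the run steps in the following hunk only curl `discovery.local.test` over HTTP; nothing talks to `grpc-discovery.local.test`, so the h2c/gRPC path — the one thing the new annotation exists for — is not covered and a broken gRPC ingress would still pass CI. One gRPC call through the ingress host, e.g. `grpcurl -plaintext grpc-discovery.local.test:8008 list` if that tool is available on the runner, would close the gap.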
@@ -32,7 +30,7 @@ tests: - | ${TOPAZ:-topaz} ds import --directory charts/discovery/test/data \ -H localhost:8282 --api-key controller-root-key --plaintext - - curl http://localhost:18383/api/v1/info + - curl http://discovery.local.test:8008/api/v1/info - | curl -H "Authorization:basic discovery-root-key" -H "aserto-tenant-id:4f71c224-e742-11ee-86df-00ba61ff9342" \ - http://localhost:18383/api/v2/discovery/test-policy/test-policy/opa + http://discovery.local.test:8008/api/v2/discovery/test-policy/test-policy/opa diff --git a/charts/discovery/values.yaml b/charts/discovery/values.yaml index 2f17dec..9b75372 100644 --- a/charts/discovery/values.yaml +++ b/charts/discovery/values.yaml 
@@ -90,28 +90,34 @@ securityContext: {} service: type: ClusterIP + annotations: {} + # When ingress is enabled, the gRPC port is defined on a separate 'discovery-grpc' service. + # This allows for configuration of ingresses using service annotations. In particular, the service + # scheme needs to be set to 'h2c'. + # When ingress is not enabled, these values are ignored. + grpc: + type: ClusterIP + annotations: {} + # With traefik ingress use: + # traefik.ingress.kubernetes.io/service.serversscheme: h2c + # + # With kong: + # konghq.com/protocol: grpc ingress: enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: directory.example.com - port: http - - host: grpc.directory.example.com - port: grpc - paths: - - path: / - pathType: Prefix - tls: [] - # - secretName: directory-example-com-tls - # hosts: - # - directory.example.com - # - secretName: grpc-directory-example-com-tls - # hosts: - # - grpc.directory.example.com + # The ingress domain can be set here or in global.aserto.ingress.domain + # domain: example.com + http: + subdomain: discovery + className: "" + annotations: {} + # tlsSecret: discovery-tls + grpc: + subdomain: grpc-discovery + className: "" + annotations: {} + # tlsSecret: grpc-discovery-tls resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/registry-proxy/Chart.yaml b/charts/registry-proxy/Chart.yaml index 1925731..53d0a79 100644 --- a/charts/registry-proxy/Chart.yaml +++ b/charts/registry-proxy/Chart.yaml @@ -27,7 +27,7 @@ version: 0.1.6 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.14.8" +appVersion: "0.0.3" dependencies: - name: aserto-lib 
diff --git a/charts/registry-proxy/templates/NOTES.txt b/charts/registry-proxy/templates/NOTES.txt deleted file mode 100644 index 3d6e2dd..0000000 --- a/charts/registry-proxy/templates/NOTES.txt +++ /dev/null 
@@ -1,22 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "registry-proxy.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "registry-proxy.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "registry-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "registry-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export HTTPS_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - export GRPC_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[1].containerPort}") - echo "gRPC Service exposed on http://127.0.0.1:8282" - echo "REST Service exposed on http://127.0.0.1:8383" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8282:$GRPC_PORT 8383:$HTTPS_PORT -{{- end }} 
diff --git a/charts/registry-proxy/templates/config.yaml b/charts/registry-proxy/templates/config.yaml index 85192a3..e6a95db 100644 --- a/charts/registry-proxy/templates/config.yaml +++ b/charts/registry-proxy/templates/config.yaml @@ -19,7 +19,7 @@ stringData: {{- include "aserto-lib.metricsService" . | nindent 8 }} service: {{- include "registry-proxy.gatewayService" . | nindent 8 }} - + remote_registry: endpoint: {{ .Values.remoteEndpointURL | required "registry endpoint URL is required" }} {{- if .Values.remoteEndpointScheme }} @@ -28,12 +28,12 @@ stringData: {{- if .Values.remoteEndpointToken }} token: {{.Values.remoteEndpointToken}} {{- end}} - + nats_listener: - enabled: false #set to true to enable manifest pushed notifications - + enabled: false + cache_settings: type: "freecache" cache_config: freecache_size: 5000000 - ttl: 900000000000 # 15 minutes \ No newline at end of file + ttl: 900000000000 # 15 minutes diff --git a/charts/registry-proxy/test/test-values.yaml b/charts/registry-proxy/test/test-values.yaml new file mode 100644 index 0000000..ccd0dc6 --- /dev/null +++ b/charts/registry-proxy/test/test-values.yaml @@ -0,0 +1,10 @@ +--- +image: + tag: 0.0.4-3f46f4a-arm64 +imagePullSecrets: + - name: ghcr-creds + +remoteEndpointURL: "ghcr.io" + +http: + certSecret: tls-cert diff --git a/charts/registry-proxy/tests/tests.yaml b/charts/registry-proxy/test/tests.yaml similarity index 60% rename from charts/registry-proxy/tests/tests.yaml rename to charts/registry-proxy/test/tests.yaml index fd1d20a..9454978 100644 --- a/charts/registry-proxy/tests/tests.yaml +++ b/charts/registry-proxy/test/tests.yaml 
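Review bot: `image.tag: 0.0.4-3f46f4a-arm64` in the new registry-proxy test-values pins an architecture-specific dev build, so this test only runs on arm64 hosts and quietly diverges from the chart's `appVersion` (`0.0.3` in the same patch). Prefer dropping the tag so the test exercises the chart default, or pin a multi-arch tag. The `tls-cert` secret named by `http.certSecret` is created by the `secrets:` entry in the tests.yaml hunk that follows, so that reference is consistent.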
@@ -2,12 +2,17 @@ tests: - name: registry-proxy-test pull_secret: $GITHUB_TOKEN + secrets: + - name: tls-cert + files: + tls.crt: $TOPAZ_CERTS_DIR/gateway.crt + tls.key: $TOPAZ_CERTS_DIR/gateway.key deployments: - chart: registry-proxy values: test-values.yaml ports: 8383: 8383 run: - - ${POLICY:-policy} login -s localhost:8383 -u $GITHUB_USER -p $GITHUB_TOKEN -d --insecure + - echo $GITHUB_TOKEN | ${POLICY:-policy} login -s localhost:8383 -u gh_user --password-stdin -d --insecure - time ${POLICY:-policy} pull localhost:8383/aserto-policies/policy-todo:latest --insecure - time ${POLICY:-policy} pull localhost:8383/aserto-policies/policy-todo:latest --insecure diff --git a/charts/registry-proxy/tests/test-values.yaml b/charts/registry-proxy/tests/test-values.yaml deleted file mode 100644 index c293a42..0000000 --- a/charts/registry-proxy/tests/test-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -remoteEndpointURL: "ghcr.io" \ No newline at end of file diff --git a/charts/registry-proxy/values.yaml b/charts/registry-proxy/values.yaml index 93d9943..a4e61fe 100644 --- a/charts/registry-proxy/values.yaml +++ b/charts/registry-proxy/values.yaml @@ -1,11 +1,10 @@ -# Default values for directory. +# Default values for registry-proxy. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - +--- image: repository: ghcr.io/aserto-dev/registry-proxy pullPolicy: IfNotPresent - tag: 0.0.2 # Overrides the image tag whose default is the chart appVersion. # tag: x.y.z From 502ec446849322ba845b25ba7a3d42112ca88156 Mon Sep 17 00:00:00 2001 
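Review bot: Both `policy` commands in this hunk keep `--insecure` even though the proxy now serves a real test certificate (`tls-cert` built from `$TOPAZ_CERTS_DIR/gateway.crt`), so the TLS setup that was just wired in is never verified and a wrong or missing cert mount would go unnoticed. If the CLI accepts a CA bundle flag, point it at the test CA and drop `--insecure`; otherwise at least leave the pull steps strict so one of them fails on a bad certificate. The move to `--password-stdin` is a good change — it keeps the token out of the process list.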
From: Ronen Hilewicz Date: Fri, 7 Mar 2025 10:41:54 -0500 Subject: [PATCH 3/8] Separate http and grpc services --- charts/aserto-lib/templates/_clusteraddr.tpl | 4 +- charts/authorizer/templates/ingress.yaml | 4 +- charts/authorizer/templates/service.yaml | 10 +-- charts/controller/templates/ingress.yaml | 4 +- charts/controller/templates/service.yaml | 9 +- charts/controller/values.yaml | 4 - charts/directory/templates/ingress.yaml | 4 +- charts/directory/templates/service.yaml | 9 +- charts/directory/test/tls.values.yaml | 2 +- charts/directory/values.yaml | 2 +- charts/discovery/templates/_helpers.tpl | 43 ---------- charts/discovery/templates/config.yaml | 3 - charts/discovery/templates/deployment.yaml | 1 - charts/discovery/templates/ingress.yaml | 4 +- charts/discovery/templates/service.yaml | 10 +-- charts/discovery/values.yaml | 2 +- charts/registry-proxy/templates/ingress.yaml | 86 ++++++++++++-------- charts/registry-proxy/templates/service.yaml | 32 +++++++- charts/registry-proxy/values.yaml | 34 +++++--- 19 files changed, 117 insertions(+), 150 deletions(-) diff --git a/charts/aserto-lib/templates/_clusteraddr.tpl b/charts/aserto-lib/templates/_clusteraddr.tpl index 91e8747..698b64f 100644 --- a/charts/aserto-lib/templates/_clusteraddr.tpl +++ b/charts/aserto-lib/templates/_clusteraddr.tpl @@ -18,9 +18,9 @@ Args: [scope, config, service] {{- else }} {{- $port := include "aserto-lib.ports" (list $scope $cfg) | fromYaml | dig $portType "" | toYaml }} {{- if contains $svc $scope.Release.Name }} -{{- printf "%s.%s.svc.cluster.local:%s" $scope.Release.Name $scope.Release.Namespace $port }} +{{- printf "%s-%s.%s.svc.cluster.local:%s" $scope.Release.Name $portType $scope.Release.Namespace $port }} {{- else }} -{{- printf "%s-%s.%s.svc.cluster.local:%s" $scope.Release.Name $svc $scope.Release.Namespace $port }} +{{- printf "%s-%s-%s.%s.svc.cluster.local:%s" $scope.Release.Name $svc $portType $scope.Release.Namespace $port }} {{- end }} {{- end }} {{- end }} 
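Review bot: The cluster-address helper (its head sits above this hunk) now appends `$portType` to the Service name, which matches the new `<name>-http` and `<name>-grpc` Services but not the metrics port, which the service.yaml hunks in this patch leave on the `-http` Service; a caller asking for the `metrics` address would be handed `<release>-metrics.<ns>.svc.cluster.local`, which does not exist. Either map it explicitly, e.g. `{{- $svcSuffix := ternary "http" $portType (eq $portType "metrics") }}` and use `$svcSuffix` in both `printf` calls, or `fail` on port types other than http/grpc so the mistake surfaces at render time.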
diff --git a/charts/authorizer/templates/ingress.yaml b/charts/authorizer/templates/ingress.yaml index 4c03551..4a7a56d 100644 --- a/charts/authorizer/templates/ingress.yaml +++ b/charts/authorizer/templates/ingress.yaml @@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $fullName }} + name: {{ $fullName }}-http labels: {{- include "authorizer.labels" $ | nindent 4 }} {{- with .annotations }} @@ -25,7 +25,7 @@ spec: pathType: Prefix backend: service: - name: {{ $fullName }} + name: {{ $fullName }}-http port: name: http {{- with .tlsSecret }} diff --git a/charts/authorizer/templates/service.yaml b/charts/authorizer/templates/service.yaml index e4ed2f1..d7c9b5a 100644 --- a/charts/authorizer/templates/service.yaml +++ b/charts/authorizer/templates/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "authorizer.fullname" . }} + name: {{ include "authorizer.fullname" . }}-http labels: {{- include "authorizer.labels" . | nindent 4 }} @@ -19,15 +19,9 @@ spec: - name: metrics port: {{ include "aserto-lib.metricsPort" . }} targetPort: metrics - {{- if not .Values.ingress.enabled }} - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc - {{- end }} selector: {{- include "authorizer.selectorLabels" . | nindent 4 }} -{{- if .Values.ingress.enabled }} --- apiVersion: v1 kind: Service @@ -48,5 +42,3 @@ spec: targetPort: grpc selector: {{- include "authorizer.selectorLabels" . | nindent 4 }} -{{- end }} - diff --git a/charts/controller/templates/ingress.yaml b/charts/controller/templates/ingress.yaml index 717d3dd..2050dcd 100644 --- a/charts/controller/templates/ingress.yaml +++ b/charts/controller/templates/ingress.yaml @@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $fullName }} + name: {{ $fullName }}-http labels: {{- include "controller.labels" $ | nindent 4 }} {{- with .annotations }} 
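Review bot: Renaming the primary Service from `<fullname>` to `<fullname>-http` in the authorizer service.yaml hunks is a breaking change: Helm will delete the old Service on upgrade, and any in-cluster consumer still addressing the authorizer by its old name (or a NetworkPolicy/DNS entry written against it) loses connectivity. The in-chart address helper is updated in the same patch, but as far as the visible hunks show only `appVersion` is bumped later in the series while the chart `version` stays put. I'd bump `version` and add an upgrade note listing the new Service and Ingress names.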
@@ -25,7 +25,7 @@ spec: pathType: Prefix backend: service: - name: {{ $fullName }} + name: {{ $fullName }}-http port: name: http {{- with .tlsSecret }} diff --git a/charts/controller/templates/service.yaml b/charts/controller/templates/service.yaml index 81e0654..60425da 100644 --- a/charts/controller/templates/service.yaml +++ b/charts/controller/templates/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "controller.fullname" . }} + name: {{ include "controller.fullname" . }}-http labels: {{- include "controller.labels" . | nindent 4 }} @@ -19,15 +19,9 @@ spec: - name: metrics port: {{ include "aserto-lib.metricsPort" . }} targetPort: metrics - {{- if not .Values.ingress.enabled }} - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc - {{- end }} selector: {{- include "controller.selectorLabels" . | nindent 4 }} -{{- if .Values.ingress.enabled }} --- apiVersion: v1 kind: Service @@ -48,4 +42,3 @@ spec: targetPort: grpc selector: {{- include "controller.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/charts/controller/values.yaml b/charts/controller/values.yaml index 3431a90..950b54c 100644 --- a/charts/controller/values.yaml +++ b/charts/controller/values.yaml @@ -158,10 +158,6 @@ securityContext: {} service: type: ClusterIP annotations: {} - # When ingress is enabled, the gRPC port is defined on a separate 'controller-grpc' service. - # This allows for configuration of ingresses using service annotations. In particular, the service - # scheme needs to be set to 'h2c'. - # When ingress is not enabled, these values are ignored. grpc: type: ClusterIP annotations: {} diff --git a/charts/directory/templates/ingress.yaml b/charts/directory/templates/ingress.yaml index 0482f89..7de8b8f 100644 --- a/charts/directory/templates/ingress.yaml +++ b/charts/directory/templates/ingress.yaml 
@@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $fullName }} + name: {{ $fullName }}-http labels: {{- include "directory.labels" $ | nindent 4 }} {{- with .annotations }} @@ -25,7 +25,7 @@ spec: pathType: Prefix backend: service: - name: {{ $fullName }} + name: {{ $fullName }}-http port: name: http {{- with .tlsSecret }} diff --git a/charts/directory/templates/service.yaml b/charts/directory/templates/service.yaml index 22eff4a..4f26a22 100644 --- a/charts/directory/templates/service.yaml +++ b/charts/directory/templates/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "directory.fullname" . }} + name: {{ include "directory.fullname" . }}-http labels: {{- include "directory.labels" . | nindent 4 }} @@ -19,15 +19,9 @@ spec: - name: metrics port: {{ include "aserto-lib.metricsPort" . }} targetPort: metrics - {{- if not .Values.ingress.enabled }} - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc - {{- end }} selector: {{- include "directory.selectorLabels" . | nindent 4 }} -{{- if .Values.ingress.enabled }} --- apiVersion: v1 kind: Service @@ -48,4 +42,3 @@ spec: targetPort: grpc selector: {{- include "directory.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/charts/directory/test/tls.values.yaml b/charts/directory/test/tls.values.yaml index f3d84fd..d1ed383 100644 --- a/charts/directory/test/tls.values.yaml +++ b/charts/directory/test/tls.values.yaml @@ -17,5 +17,5 @@ database: grpc: certSecret: grpc-cert -https: +http: certSecret: gateway-cert diff --git a/charts/directory/values.yaml b/charts/directory/values.yaml index 410bb8b..f372a68 100644 --- a/charts/directory/values.yaml +++ b/charts/directory/values.yaml @@ -108,7 +108,7 @@ grpc: # runs without it, you must configure TLS at the ingress or gateway. certSecret: -# https: +# http: # allowed_origins: # - https://*.example.com # read_timeout: 2s 
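Review bot: The `https:` → `http:` key rename in the directory tls.values.yaml hunk (and the commented example in values.yaml) is a silent downgrade for any existing user values file that still sets `https.certSecret`: the old key is simply not read any more, and with no cert configured the gateway presumably runs in plaintext, as the neighbouring `grpc.certSecret` comment describes, without any error. A render-time guard in the chart (e.g. at the top of config.yaml) would catch it: `{{- if .Values.https }}{{ fail "values key 'https' was renamed to 'http'; move https.certSecret to http.certSecret" }}{{- end }}`.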
diff --git a/charts/discovery/templates/_helpers.tpl b/charts/discovery/templates/_helpers.tpl index b35e8dc..047b54e 100644 --- a/charts/discovery/templates/_helpers.tpl +++ b/charts/discovery/templates/_helpers.tpl @@ -85,46 +85,3 @@ cache_config: {{- end }} {{- end }} {{- end }} - -{{/* -Converts a registry URL to an environment variable name. -*/}} -{{- define "discovery.registryTokenEnvVar" }} -{{- printf "REGISTRY_TOKEN_%s" (replace "." "_" . | upper) }} -{{- end }} - -{{/* -Returns a list of registries with their configuration. -*/}} -{{- define "discovery.registriesConfig" }} -{{- $regs := list }} -{{- range $url, $cfg := (.Values.registries | required "discovery must have at least one registry configured") }} -{{- $regs = append $regs (dict - "url" $url - "scheme" $cfg.scheme - "token" (printf "${%s}" (include "discovery.registryTokenEnvVar" $url))) -}} -{{- end }} -{{- $regs | toYaml }} -{{- end }} - -{{/* -Returns deployment environemt variables that mount registry credentials. -*/}} -{{- define "discovery.registriesEnv" }} -{{- $vars := list }} -{{- range $url, $cfg := (.Values.registries | default dict) }} -{{- $vars = append $vars (dict - "name" (include "discovery.registryTokenEnvVar" $url) - "valueFrom" (include "discovery.registryTokenValue" $cfg | fromYaml)) -}} -{{- end }} -{{- $vars | toYaml }} -{{- end }} - -{{- define "discovery.registryTokenValue" }} -secretKeyRef: - name: {{ .tokenSecretName }} - key: {{ .tokenSecretKey | default "token" }} -{{- end }} - diff --git a/charts/discovery/templates/config.yaml b/charts/discovery/templates/config.yaml index 352624f..06a15a6 100644 --- a/charts/discovery/templates/config.yaml +++ b/charts/discovery/templates/config.yaml @@ -31,9 +31,6 @@ stringData: cache_settings: {{- include "discovery.cacheSettings" . | nindent 6 }} - registries: - {{- include "discovery.registriesConfig" . | nindent 6 }} - ds0: {{- include "aserto-lib.controllerClient" . | nindent 6 }} 
diff --git a/charts/discovery/templates/deployment.yaml b/charts/discovery/templates/deployment.yaml index 891eef6..4660df5 100644 --- a/charts/discovery/templates/deployment.yaml +++ b/charts/discovery/templates/deployment.yaml @@ -101,7 +101,6 @@ spec: {{- . | nindent 14 }} {{- end }} - {{- include "discovery.registriesEnv" . | nindent 12 }} {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} livenessProbe: grpc: diff --git a/charts/discovery/templates/ingress.yaml b/charts/discovery/templates/ingress.yaml index 7fe3a0d..fbacaa5 100644 --- a/charts/discovery/templates/ingress.yaml +++ b/charts/discovery/templates/ingress.yaml @@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $fullName }} + name: {{ $fullName }}-http labels: {{- include "discovery.labels" $ | nindent 4 }} {{- with .annotations }} @@ -25,7 +25,7 @@ spec: pathType: Prefix backend: service: - name: {{ $fullName }} + name: {{ $fullName }}-http port: name: http {{- with .tlsSecret }} diff --git a/charts/discovery/templates/service.yaml b/charts/discovery/templates/service.yaml index 8f345a9..79a9b80 100644 --- a/charts/discovery/templates/service.yaml +++ b/charts/discovery/templates/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "discovery.fullname" . }} + name: {{ include "discovery.fullname" . }}-http labels: {{- include "discovery.labels" . | nindent 4 }} @@ -16,15 +16,9 @@ spec: - name: http port: {{ include "aserto-lib.httpPort" . }} targetPort: http - {{- if not .Values.ingress.enabled }} - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc - {{- end }} selector: {{- include "discovery.selectorLabels" . | nindent 4 }} -{{- if .Values.ingress.enabled }} --- apiVersion: v1 kind: Service @@ -45,5 +39,3 @@ spec: targetPort: grpc selector: {{- include "discovery.selectorLabels" . | nindent 4 }} -{{- end }} - 
diff --git a/charts/discovery/values.yaml b/charts/discovery/values.yaml index 9b75372..16f21be 100644 --- a/charts/discovery/values.yaml +++ b/charts/discovery/values.yaml @@ -48,7 +48,7 @@ cacheSettings: # # of type kubernetes.io/tls # certSecret: discovery-grpc-cert -# https: +# http: # allowed_origins: # - https://*.example.com # diff --git a/charts/registry-proxy/templates/ingress.yaml b/charts/registry-proxy/templates/ingress.yaml index 93c6ef8..189f585 100644 --- a/charts/registry-proxy/templates/ingress.yaml +++ b/charts/registry-proxy/templates/ingress.yaml 
@@ -1,58 +1,74 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "registry-proxy.fullname" . -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +--- +{{- with .Values.ingress.http }} apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} kind: Ingress metadata: - name: {{ $fullName }} + name: {{ $fullName }}-http labels: - {{- include "registry-proxy.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- include "registry-proxy.labels" $ | nindent 4 }} + {{- with .annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + {{- with .className }} + ingressClassName: {{ . }} {{- end }} - {{- if .Values.ingress.tls }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} + rules: + - host: {{ $host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }}-http + port: + name: http + {{- with .tlsSecret }} tls: - {{- range .Values.ingress.tls }} - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} + - {{ $host }} + secretName: {{ . 
}} {{- end }} +{{- end }} +--- +{{- with .Values.ingress.grpc }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-grpc + labels: + {{- include "registry-proxy.labels" $ | nindent 4 }} + {{- with .annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .className }} + ingressClassName: {{ . }} + {{- end }} + {{- $host := include "aserto-lib.ingressHost" (list $ .) }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + - host: {{ $host }} http: paths: - path: / - {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: Prefix - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ $fullName }} + name: {{ $fullName }}-grpc port: - name: {{ .port }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ .port }} - {{- end }} - {{- end }} + name: grpc + {{- with .tlsSecret }} + tls: + - hosts: + - {{ $host }} + secretName: {{ . }} + {{- end }} +{{- end }} {{- end }} + diff --git a/charts/registry-proxy/templates/service.yaml b/charts/registry-proxy/templates/service.yaml index 2b6ab29..e9994b6 100644 --- a/charts/registry-proxy/templates/service.yaml +++ b/charts/registry-proxy/templates/service.yaml 
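Review bot: The HTTP Ingress for registry-proxy in this hunk fronts the registry login endpoint (the test steps authenticate against it with `policy login -u … --password-stdin`), yet `tls:` is rendered only when `tlsSecret` is set and the values default leaves it unset, so an install that enables the ingress without reading further sends registry credentials over plain HTTP at the edge. Consider making the secret mandatory for this chart, e.g. `{{- $tls := .tlsSecret | required "ingress.http.tlsSecret is required when the registry-proxy ingress is enabled" }}`, or at minimum call out the plaintext default in values.yaml. The same consideration applies to the gRPC Ingress below it.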
@@ -1,20 +1,44 @@ +--- apiVersion: v1 kind: Service metadata: - name: {{ include "registry-proxy.fullname" . }} + name: {{ include "registry-proxy.fullname" . }}-http labels: {{- include "registry-proxy.labels" . | nindent 4 }} + + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: type: {{ .Values.service.type }} ports: - name: http port: {{ include "aserto-lib.httpPort" . }} targetPort: http - - name: grpc - port: {{ include "aserto-lib.grpcPort" . }} - targetPort: grpc - name: metrics port: {{ include "aserto-lib.metricsPort" . }} targetPort: metrics selector: {{- include "registry-proxy.selectorLabels" . | nindent 4 }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "registry-proxy.fullname" . }}-grpc + labels: + {{- include "registry-proxy.labels" . | nindent 4 }} + + {{- with .Values.service.grpc.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} +spec: + type: {{ .Values.service.grpc.type }} + ports: + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc + selector: + {{- include "registry-proxy.selectorLabels" . | nindent 4 }} diff --git a/charts/registry-proxy/values.yaml b/charts/registry-proxy/values.yaml index a4e61fe..f0f8291 100644 --- a/charts/registry-proxy/values.yaml +++ b/charts/registry-proxy/values.yaml 
@@ -40,22 +40,30 @@ securityContext: {} service: type: ClusterIP + annotations: {} + grpc: + type: ClusterIP + annotations: {} + # With traefik ingress use: + # traefik.ingress.kubernetes.io/service.serversscheme: h2c + # + # With kong: + # konghq.com/protocol: grpc ingress: enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: registry-proxy.example.com - port: http - - host: grpc.registry-proxy.example.com - port: grpc - paths: - - path: / - pathType: Prefix - tls: [] + # The ingress domain can be set here or in global.aserto.ingress.domain + # domain: example.com + http: + subdomain: registry-proxy + className: "" + annotations: {} + # tlsSecret: registry-proxy-tls + grpc: + subdomain: grpc-registry-proxy + className: "" + annotations: {} + # tlsSecret: grpc-registry-proxy-tls resources: {} # We usually recommend not to specify default resources and to leave this as a conscious From 76b81ad009e92063408900eff139088eaa281b24 Mon Sep 17 00:00:00 2001 From: Ronen Hilewicz Date: Fri, 7 Mar 2025 12:01:44 -0500 Subject: [PATCH 4/8] Update app versions --- charts/aserto/values.yaml | 3 +++ charts/authorizer/Chart.yaml | 2 +- charts/console/Chart.yaml | 2 +- charts/controller/Chart.yaml | 2 +- charts/directory/Chart.yaml | 2 +- charts/discovery/Chart.yaml | 2 +- 6 files changed, 8 insertions(+), 5 deletions(-) diff --git a/charts/aserto/values.yaml b/charts/aserto/values.yaml index fe46d0e..dfc5c9d 100644 --- a/charts/aserto/values.yaml +++ b/charts/aserto/values.yaml @@ -218,5 +218,8 @@ scim: # groupMappings: [] # userMappings: [] +multi-tenant-scim: + enabled: false + registry-proxy: enabled: false diff --git a/charts/authorizer/Chart.yaml b/charts/authorizer/Chart.yaml index 4feac4c..2d7d0bf 100644 --- a/charts/authorizer/Chart.yaml +++ b/charts/authorizer/Chart.yaml 
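Review bot: With `tlsSecret` commented out under both `ingress.http` and `ingress.grpc`, the default ingresses serve plaintext, and the values file says nothing about it; the old layout had the same default but kept an explicit `tls: []` that a reader would notice. Suggest a caveat beside each key, e.g. `# tlsSecret: registry-proxy-tls  # without it the ingress is plaintext and any credentials sent to it cross the edge unencrypted`. The traefik hint `service.serversscheme: h2c` likewise deserves `# h2c = cleartext HTTP/2 from the ingress to the pod; TLS, if any, terminates at the ingress`, so nobody reads it as end-to-end TLS.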
@@ -27,7 +27,7 @@ version: 0.1.10 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.15.8 +appVersion: 0.15.15 dependencies: - name: aserto-lib diff --git a/charts/console/Chart.yaml b/charts/console/Chart.yaml index 74fa073..8f3ba7f 100644 --- a/charts/console/Chart.yaml +++ b/charts/console/Chart.yaml @@ -27,7 +27,7 @@ version: 0.1.8 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.17" +appVersion: 0.1.23 dependencies: - name: aserto-lib diff --git a/charts/controller/Chart.yaml b/charts/controller/Chart.yaml index be81e28..c1dc6f4 100644 --- a/charts/controller/Chart.yaml +++ b/charts/controller/Chart.yaml @@ -27,7 +27,7 @@ version: 0.0.1 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.33.6 +appVersion: 0.34.1 dependencies: - name: aserto-lib diff --git a/charts/directory/Chart.yaml b/charts/directory/Chart.yaml index bd1066b..134f0f9 100644 --- a/charts/directory/Chart.yaml +++ b/charts/directory/Chart.yaml @@ -27,7 +27,7 @@ version: 0.2.2 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.33.6 +appVersion: 0.34.1 dependencies: - name: aserto-lib diff --git a/charts/discovery/Chart.yaml b/charts/discovery/Chart.yaml index 02abae9..4c3437f 100644 --- a/charts/discovery/Chart.yaml +++ b/charts/discovery/Chart.yaml 
@@ -27,7 +27,7 @@ version: 0.1.9 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.1.4 +appVersion: 0.1.5 dependencies: - name: aserto-lib From 809ccf6082ddb531e64d868b72403a8abbbe8f69 Mon Sep 17 00:00:00 2001 From: Ronen Hilewicz Date: Mon, 10 Mar 2025 09:39:23 -0400 Subject: [PATCH 5/8] Update all services to latest images --- charts/aserto-lib/templates/_clusteraddr.tpl | 2 +- charts/authorizer/Chart.yaml | 2 +- charts/authorizer/templates/config.yaml | 8 +++++++- charts/authorizer/templates/deployment.yaml | 3 ++- charts/controller/Chart.yaml | 2 +- charts/controller/test/no-tls.values.yaml | 3 --- charts/controller/test/tls.values.yaml | 3 --- charts/directory/Chart.yaml | 2 +- charts/directory/test/no-tls.values.yaml | 3 --- charts/directory/test/tls.values.yaml | 3 --- charts/discovery/Chart.yaml | 2 +- charts/discovery/templates/config.yaml | 6 +++--- charts/discovery/templates/deployment.yaml | 5 +++-- charts/discovery/test/no-tls.values.yaml | 3 --- charts/registry-proxy/Chart.yaml | 2 +- charts/registry-proxy/test/test-values.yaml | 2 -- 16 files changed, 21 insertions(+), 30 deletions(-) diff --git a/charts/aserto-lib/templates/_clusteraddr.tpl b/charts/aserto-lib/templates/_clusteraddr.tpl index 698b64f..517c4af 100644 --- a/charts/aserto-lib/templates/_clusteraddr.tpl +++ b/charts/aserto-lib/templates/_clusteraddr.tpl @@ -43,6 +43,6 @@ Cluster address of the directory service Cluster address of the discovery service */}} {{- define "aserto-lib.discoveryAddress" }} -{{- include "aserto-lib.svcClusterAddress" (list . "https" "discovery" )}} +{{- include "aserto-lib.svcClusterAddress" (list . "http" "discovery" )}} {{- end }} diff --git a/charts/authorizer/Chart.yaml b/charts/authorizer/Chart.yaml index 2d7d0bf..490c0a4 100644 --- a/charts/authorizer/Chart.yaml 
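Review bot: Switching the discovery cluster address from `https` to `http` downgrades the in-cluster hop to plaintext if that argument selects the scheme or port name (the `svcClusterAddress` helper is outside the hunk, so this is inferred), and the hunk gives no reason — presumably discovery 0.2.0 no longer serves TLS on that port. Add a why-comment to the define, e.g. `{{/* discovery serves plain HTTP in-cluster; TLS, where required, is terminated at the ingress or by mesh mTLS */}}`, adjusted to the actual reason. Also confirm that every consumer's client config agrees on the scheme, since a mismatch here fails at the TLS handshake rather than at render time.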
+++ b/charts/authorizer/Chart.yaml @@ -27,7 +27,7 @@ version: 0.1.10 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.15.15 +appVersion: 0.16.0 dependencies: - name: aserto-lib diff --git a/charts/authorizer/templates/config.yaml b/charts/authorizer/templates/config.yaml index cd0d7f2..268f262 100644 --- a/charts/authorizer/templates/config.yaml +++ b/charts/authorizer/templates/config.yaml @@ -42,7 +42,6 @@ stringData: authenticators_enabled: root_key: true oidc: true - anonymous: true {{- if (.Values.authentication).machineAccounts }} machine_account: true {{- end }} @@ -55,6 +54,13 @@ stringData: - key: ${AUTHORIZER_ROOT_KEY} account: root-key-authorizer@aserto.com + override: + - methods: + - /grpc.reflection.v1.ServerReflection/ServerReflectionInfo + - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo + authenticators_enabled: + anonymous: true + opa: instance_id: "-" graceful_shutdown_period_seconds: 2 diff --git a/charts/authorizer/templates/deployment.yaml b/charts/authorizer/templates/deployment.yaml index 12b1547..919da8e 100644 --- a/charts/authorizer/templates/deployment.yaml +++ b/charts/authorizer/templates/deployment.yaml @@ -13,8 +13,9 @@ spec: {{- include "authorizer.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: diff --git a/charts/controller/Chart.yaml b/charts/controller/Chart.yaml index c1dc6f4..11ebc35 100644 --- a/charts/controller/Chart.yaml +++ b/charts/controller/Chart.yaml 
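Review bot: Dropping `anonymous: true` from the global `authenticators_enabled` is a behaviour change for existing deployments — every method except the two reflection calls in the new `override` now needs a root key, OIDC token or machine account — and neither the hunk nor a chart version change records it. A comment above `override:` such as `# Only gRPC reflection is reachable without credentials; all other methods require root_key/oidc/machine_account.` would state the intent, and since reflection discloses the full service schema to unauthenticated callers, operators should get a value to switch the override off. The discovery chart's equivalent override in this same series also exempts `/aserto.common.info.v1.Info/Info`; if the authorizer serves that API too, its omission here is either deliberate (worth a comment) or a gap. The surrounding `authentication` block starts before the hunk.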
@@ -27,7 +27,7 @@ version: 0.0.1 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.34.1 +appVersion: 0.34.2 dependencies: - name: aserto-lib diff --git a/charts/controller/test/no-tls.values.yaml b/charts/controller/test/no-tls.values.yaml index eb2167e..1555b8a 100644 --- a/charts/controller/test/no-tls.values.yaml +++ b/charts/controller/test/no-tls.values.yaml @@ -1,7 +1,4 @@ --- -image: - tag: 0.33.13-ce1e7a05-arm64 - imagePullSecrets: - name: ghcr-creds diff --git a/charts/controller/test/tls.values.yaml b/charts/controller/test/tls.values.yaml index 80ef00f..98540a9 100644 --- a/charts/controller/test/tls.values.yaml +++ b/charts/controller/test/tls.values.yaml @@ -1,7 +1,4 @@ --- -image: - tag: 0.33.13-ce1e7a05-arm64 - imagePullSecrets: - name: ghcr-creds diff --git a/charts/directory/Chart.yaml b/charts/directory/Chart.yaml index 134f0f9..fa99465 100644 --- a/charts/directory/Chart.yaml +++ b/charts/directory/Chart.yaml @@ -27,7 +27,7 @@ version: 0.2.2 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.34.1 +appVersion: 0.34.2 dependencies: - name: aserto-lib diff --git a/charts/directory/test/no-tls.values.yaml b/charts/directory/test/no-tls.values.yaml index 73bd36c..4426198 100644 --- a/charts/directory/test/no-tls.values.yaml +++ b/charts/directory/test/no-tls.values.yaml @@ -1,7 +1,4 @@ --- -image: - tag: 0.33.13-ce1e7a05-arm64 - imagePullSecrets: - name: ghcr-creds diff --git a/charts/directory/test/tls.values.yaml b/charts/directory/test/tls.values.yaml index d1ed383..2ea052a 100644 --- a/charts/directory/test/tls.values.yaml +++ b/charts/directory/test/tls.values.yaml 
@@ -1,7 +1,4 @@ --- -image: - tag: 0.33.13-ce1e7a05-arm64 - imagePullSecrets: - name: ghcr-creds diff --git a/charts/discovery/Chart.yaml b/charts/discovery/Chart.yaml index 4c3437f..9a64dd9 100644 --- a/charts/discovery/Chart.yaml +++ b/charts/discovery/Chart.yaml @@ -27,7 +27,7 @@ version: 0.1.9 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.1.5 +appVersion: 0.2.0 dependencies: - name: aserto-lib diff --git a/charts/discovery/templates/config.yaml b/charts/discovery/templates/config.yaml index 06a15a6..40076cd 100644 --- a/charts/discovery/templates/config.yaml +++ b/charts/discovery/templates/config.yaml @@ -31,14 +31,14 @@ stringData: cache_settings: {{- include "discovery.cacheSettings" . | nindent 6 }} - ds0: + controller: {{- include "aserto-lib.controllerClient" . | nindent 6 }} authorization: enabled: {{ .Values.authorization.enabled }} ignored_methods: - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo - - /grpc.reflection.v1.ServerReflection.ServerReflectionInfo + - /grpc.reflection.v1.ServerReflection/ServerReflectionInfo - /aserto.common.info.v1.Info/Info authentication: @@ -61,7 +61,7 @@ stringData: override: - methods: - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo - - /grpc.reflection.v1.ServerReflection.ServerReflectionInfo + - /grpc.reflection.v1.ServerReflection/ServerReflectionInfo - /aserto.common.info.v1.Info/Info authenticators_enabled: anonymous: true diff --git a/charts/discovery/templates/deployment.yaml b/charts/discovery/templates/deployment.yaml index 4660df5..ba99a8a 100644 --- a/charts/discovery/templates/deployment.yaml +++ b/charts/discovery/templates/deployment.yaml 
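Review bot: The corrected `/grpc.reflection.v1.ServerReflection/ServerReflectionInfo` appears in both `authorization.ignored_methods` and `authentication.override[0].methods`, and the same typo had to be fixed in both places — the two lists are hand-maintained copies of one policy ("no authn and no authz for these methods"). Hoist the list into a named template (e.g. `discovery.publicMethods`) and include it in both spots so they cannot drift again. Worth noting in a comment that the misspelt v1 entry presumably failed closed (an unmatched name just meant v1 reflection required credentials), so this fix widens anonymous access to v1 reflection — intended, but visible to operators. Both hunks sit inside the `stringData` config whose start is outside the hunk.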
@@ -14,8 +14,9 @@ spec: {{- include "discovery.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -97,7 +98,7 @@ spec: {{- end }} {{- with include "aserto-lib.controllerKeyEnv" (list . "readStore") }} - - name: DISCOVERY_DS0_API_KEY + - name: DISCOVERY_CONTROLLER_API_KEY {{- . | nindent 14 }} {{- end }} diff --git a/charts/discovery/test/no-tls.values.yaml b/charts/discovery/test/no-tls.values.yaml index 1d6a75b..bf57773 100644 --- a/charts/discovery/test/no-tls.values.yaml +++ b/charts/discovery/test/no-tls.values.yaml @@ -1,7 +1,4 @@ --- -image: - tag: 0.1.4 - imagePullSecrets: - name: ghcr-creds diff --git a/charts/registry-proxy/Chart.yaml b/charts/registry-proxy/Chart.yaml index 53d0a79..ee89345 100644 --- a/charts/registry-proxy/Chart.yaml +++ b/charts/registry-proxy/Chart.yaml @@ -27,7 +27,7 @@ version: 0.1.6 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.0.3" +appVersion: "0.0.4" dependencies: - name: aserto-lib diff --git a/charts/registry-proxy/test/test-values.yaml b/charts/registry-proxy/test/test-values.yaml index ccd0dc6..5fc9196 100644 --- a/charts/registry-proxy/test/test-values.yaml +++ b/charts/registry-proxy/test/test-values.yaml @@ -1,6 +1,4 @@ --- -image: - tag: 0.0.4-3f46f4a-arm64 imagePullSecrets: - name: ghcr-creds From 587b5be6cb3f63eb7a655ddf3ad033f12ef457ce Mon Sep 17 00:00:00 2001 
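Review bot: `DISCOVERY_CONTROLLER_API_KEY` (which appears to pair with the renamed `controller:` config section) is only understood by the new app version, so a deployment that overrides `image.tag` to an older image will presumably have the key ignored and fail to authenticate to the controller, with no error at render time. Add a comment on the env entry, e.g. `# renamed from DISCOVERY_DS0_API_KEY; requires discovery >= 0.2.0 (config section "controller")`, and mention the minimum app version in the chart's README. The container spec this env sits in starts outside the hunk.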
From: Ronen Hilewicz Date: Mon, 10 Mar 2025 09:58:01 -0400 Subject: [PATCH 6/8] Configure *.local.test DNS names in CI --- .github/workflows/ci.yaml | 14 +++- 3e | 165 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 3e diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index feca858..35e26e9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -89,9 +89,21 @@ jobs: name: Create k8s cluster with: cluster-name: "test" - args: > + args: >- + -p "8008:80@loadbalancer" --agents 1 --k3s-arg "--disable=metrics-server@server:*" + - + name: Configure DNS + run: | + sudo tee -a /etc/hosts >/dev/null <> "$GITHUB_ENV" + - + name: Create Temp Directory + run: | + echo "TMPDIR=$(mktemp -d)" >> "$GITHUB_ENV" + - + name: Install topaz CLI + run: | + gh release download v${{env.TOPAZ_VERSION}} --repo aserto-dev/topaz --pattern "topaz_linux_x86_64.zip" \ + --output ./ext/topaz.zip --clobber + unzip ./ext/topaz.zip -d bin + chmod +x ./bin/topaz + ./bin/topaz version + echo "TOPAZ=$(realpath ./bin/topaz)" >> "$GITHUB_ENV" + echo "TOPAZ_CERTS_DIR=$(./bin/topaz config info | jq '.config.topaz_certs_dir' -r)" >> "$GITHUB_ENV" + - + name: Install topazd container + run: | + ${TOPAZ} install --container-tag=${{ env.TOPAZ_VERSION }} + ${TOPAZ} version + - + name: Generate topaz certs + run: ${TOPAZ} certs generate + - + name: Install uv package manager + uses: astral-sh/setup-uv@v3 + with: + version: ${{ env.UV_VERSION }} + - + uses: AbsaOSS/k3d-action@v2 + name: Create k8s cluster + with: + cluster-name: "test" + args: > + --agents 1 + --k3s-arg "--disable=metrics-server@server:* -p '8008:80@loadbalancer'" + - + name: Configure DNS + run: | + sudo tee -a /etc/hosts >/dev/null <> "$GITHUB_OUTPUT" + echo "private_key=${HOME}/.ssh/admin_ed25519" >> "$GITHUB_OUTPUT" + + cat << EOF > ${HOME}/.ssh/config + Host localhost + StrictHostKeyChecking no + EOF + + chmod 400 ~/.ssh/config + - + name: Test Controller + timeout-minutes: 10 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SSH_PUBLIC_KEY: ${{ steps.sshkey.outputs.public_key }} + SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }} + TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }} + run: | + make test-controller + - + name: Test Directory + timeout-minutes: 10 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SSH_PUBLIC_KEY: ${{ steps.sshkey.outputs.public_key }} + 
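Review bot: The diffstat shows this commit also creates a 165-line file named `3e` that is a verbatim copy of the workflow (PATCH 8/8 deletes it again); it looks like the by-product of a mistyped shell redirect and should be squashed out of the series rather than committed. The `Configure DNS` step appends to `/etc/hosts` with `sudo tee -a` from a heredoc whose body is not legible in this rendering; add a one-line comment above the step, e.g. `# k3d publishes the cluster load balancer on host port 8008; the *.local.test names must resolve locally for the ingress tests`, and state which address the names resolve to, since the ingress tests in this series depend on it.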
SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }} + TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }} + run: | + make test-directory From b542fad7cfe2764926e5be1ed81b481b1c2f7dc3 Mon Sep 17 00:00:00 2001 From: Ronen Hilewicz Date: Mon, 10 Mar 2025 10:35:05 -0400 Subject: [PATCH 7/8] Fix postgres test config --- charts/console/Chart.yaml | 2 +- charts/controller/test/no-tls.values.yaml | 2 +- charts/controller/test/tls.values.yaml | 2 +- charts/directory/test/no-tls.values.yaml | 2 +- charts/directory/test/tls.values.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/console/Chart.yaml b/charts/console/Chart.yaml index 8f3ba7f..c25646c 100644 --- a/charts/console/Chart.yaml +++ b/charts/console/Chart.yaml @@ -27,7 +27,7 @@ version: 0.1.8 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.1.23 +appVersion: 0.2.0 dependencies: - name: aserto-lib diff --git a/charts/controller/test/no-tls.values.yaml b/charts/controller/test/no-tls.values.yaml index 1555b8a..4a57097 100644 --- a/charts/controller/test/no-tls.values.yaml +++ b/charts/controller/test/no-tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgres.postgresql.svc.cluster.local + host: postgresql.postgres.svc.cluster.local dbName: test-controller sslMode: disable admin: diff --git a/charts/controller/test/tls.values.yaml b/charts/controller/test/tls.values.yaml index 98540a9..980335f 100644 --- a/charts/controller/test/tls.values.yaml +++ b/charts/controller/test/tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgres.postgresql.svc.cluster.local + host: postgresql.postgres.svc.cluster.local dbName: test-controller sslMode: disable admin: 
diff --git a/charts/directory/test/no-tls.values.yaml b/charts/directory/test/no-tls.values.yaml index 4426198..db0eb20 100644 --- a/charts/directory/test/no-tls.values.yaml +++ b/charts/directory/test/no-tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgres.postgresql.svc.cluster.local + host: postgresql.postgres.svc.cluster.local dbName: test-directory sslMode: disable admin: diff --git a/charts/directory/test/tls.values.yaml b/charts/directory/test/tls.values.yaml index 2ea052a..8edb873 100644 --- a/charts/directory/test/tls.values.yaml +++ b/charts/directory/test/tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgres.postgresql.svc.cluster.local + host: postgresql.postgres.svc.cluster.local dbName: test-directory sslMode: disable admin: From 150de362d56303b90efc5a1213f149735c6f6ed9 Mon Sep 17 00:00:00 2001 From: Ronen Hilewicz Date: Mon, 10 Mar 2025 12:58:52 -0400 Subject: [PATCH 8/8] Change test cluster port to 9009 --- .github/workflows/ci.yaml | 7 +- 3e | 165 ---------------------- charts/controller/test/no-tls.values.yaml | 2 +- charts/controller/test/tests.yaml | 4 +- charts/controller/test/tls.values.yaml | 2 +- charts/directory/test/no-tls.values.yaml | 2 +- charts/directory/test/tests.yaml | 8 +- charts/directory/test/tls.values.yaml | 2 +- charts/discovery/test/tests.yaml | 4 +- 9 files changed, 16 insertions(+), 180 deletions(-) delete mode 100644 3e diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 35e26e9..4dae05a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -90,7 +90,7 @@ jobs: with: cluster-name: "test" args: >- - -p "8008:80@loadbalancer" + -p "9009:80@loadbalancer" --agents 1 --k3s-arg "--disable=metrics-server@server:*" - 
@@ -122,14 +122,15 @@ jobs: name: Deploy Postgres run: | helm install postgresql oci://registry-1.docker.io/bitnamicharts/postgresql \ - --namespace postgres --create-namespace \ + --namespace postgresql --create-namespace \ + --set fullnameOverride=postgres \ --set auth.postgresPassword=${{ env.POSTGRES_PASSWORD }} - name: Wait for Postgres run: | echo "Waiting for postgres to be ready" kubectl wait pods --selector app.kubernetes.io/name=postgresql \ - --for condition=Ready --namespace postgres --timeout=60s + --for condition=Ready --namespace postgresql --timeout=60s - name: Generate admin ssh key id: sshkey diff --git a/3e b/3e deleted file mode 100644 index 408e57a..0000000 --- a/3e +++ /dev/null 
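Review bot: The Postgres hostname is now a contract split across two places — `--namespace postgresql` plus `--set fullnameOverride=postgres` here, and `host: postgres.postgresql.svc.cluster.local` in the four controller/directory test values files this commit flips back — and PATCH 7/8 already shows how easily the two drift. Add a comment beside the install, `# renders the Service as postgres.postgresql.svc.cluster.local — keep in sync with charts/*/test/*.values.yaml`, or derive the host from a single CI variable that both the install and the test values read. `--set auth.postgresPassword=${{ env.POSTGRES_PASSWORD }}` expands a plain env value into the command line, so it is not masked in the job log; acceptable for a throwaway CI database, but worth a comment so it is not copied into a shared workflow.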
@@ -1,165 +0,0 @@ ---- -name: ci - -on: - # Run on all PRs - pull_request: - -env: - GH_TOKEN: ${{ github.token }} - HELM_VERSION: v3.14.4 - PYTHON_VERSION: 3.13 - POSTGRES_PASSWORD: postgres - UV_VERSION: 0.5.3 - TOPAZ_VERSION: 0.32.36 - -jobs: - lint: - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@v4 - with: - # Fetch the full history so that we can diff against the target branch - fetch-depth: 0 - - - name: Set up Helm - uses: azure/setup-helm@v4 - with: - version: ${{ env.HELM_VERSION }} - - - uses: actions/setup-python@v5 - with: - python-version: ${{ env.PYTHON_VERSION }} - check-latest: true - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.0 - with: - version: v3.10.0 - - - name: Lint - run: | - ct lint --config ct.yaml --helm-repo-extra-args "aserto-helm=-u gh -p ${{ secrets.GITHUB_TOKEN }}" - - test: - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@v4 - - - name: Set up Helm - uses: azure/setup-helm@v4 - with: - version: ${{ env.HELM_VERSION }} - - - name: Install tools - run: | - make install-grpcurl - echo "GRPCURL=$(realpath .ext/bin/grpcurl)" >> "$GITHUB_ENV" - - - name: Create Temp Directory - run: | - echo "TMPDIR=$(mktemp -d)" >> "$GITHUB_ENV" - - - name: Install topaz CLI - run: | - gh release download v${{env.TOPAZ_VERSION}} --repo aserto-dev/topaz --pattern "topaz_linux_x86_64.zip" \ - --output ./ext/topaz.zip --clobber - unzip ./ext/topaz.zip -d bin - chmod +x ./bin/topaz - ./bin/topaz version - echo "TOPAZ=$(realpath ./bin/topaz)" >> "$GITHUB_ENV" - echo "TOPAZ_CERTS_DIR=$(./bin/topaz config info | jq '.config.topaz_certs_dir' -r)" >> "$GITHUB_ENV" - - - name: Install topazd container - run: | - ${TOPAZ} install --container-tag=${{ env.TOPAZ_VERSION }} - ${TOPAZ} version - - - name: Generate topaz certs - run: ${TOPAZ} certs generate - - - name: Install uv package manager - uses: astral-sh/setup-uv@v3 - with: - version: ${{ env.UV_VERSION }} - - - uses: AbsaOSS/k3d-action@v2 - name: Create 
k8s cluster - with: - cluster-name: "test" - args: > - --agents 1 - --k3s-arg "--disable=metrics-server@server:* -p '8008:80@loadbalancer'" - - - name: Configure DNS - run: | - sudo tee -a /etc/hosts >/dev/null <> "$GITHUB_OUTPUT" - echo "private_key=${HOME}/.ssh/admin_ed25519" >> "$GITHUB_OUTPUT" - - cat << EOF > ${HOME}/.ssh/config - Host localhost - StrictHostKeyChecking no - EOF - - chmod 400 ~/.ssh/config - - - name: Test Controller - timeout-minutes: 10 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SSH_PUBLIC_KEY: ${{ steps.sshkey.outputs.public_key }} - SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }} - TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }} - run: | - make test-controller - - - name: Test Directory - timeout-minutes: 10 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SSH_PUBLIC_KEY: ${{ steps.sshkey.outputs.public_key }} - SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }} - TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }} - run: | - make test-directory diff --git a/charts/controller/test/no-tls.values.yaml b/charts/controller/test/no-tls.values.yaml index 4a57097..1555b8a 100644 --- a/charts/controller/test/no-tls.values.yaml +++ b/charts/controller/test/no-tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-controller sslMode: disable admin: diff --git a/charts/controller/test/tests.yaml b/charts/controller/test/tests.yaml index c52d293..b383e5b 100644 --- a/charts/controller/test/tests.yaml +++ b/charts/controller/test/tests.yaml 
@@ -39,10 +39,10 @@ tests: localhost provision root-keys - sleep 1 - | - ${TOPAZ:-topaz} ds get manifest -H grpc-controller.local.test:8008 --tenant-id 00000000-0000-11ef-0000-000000000000 \ + ${TOPAZ:-topaz} ds get manifest -H grpc-controller.local.test:9009 --tenant-id 00000000-0000-11ef-0000-000000000000 \ -k controller_apikey_reader --stdout --plaintext - | - curl -f http://controller.local.test:8008/openapi.json + curl -f http://controller.local.test:9009/openapi.json - name: controller-tls pull_secret: $GITHUB_TOKEN diff --git a/charts/controller/test/tls.values.yaml b/charts/controller/test/tls.values.yaml index 980335f..98540a9 100644 --- a/charts/controller/test/tls.values.yaml +++ b/charts/controller/test/tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-controller sslMode: disable admin: diff --git a/charts/directory/test/no-tls.values.yaml b/charts/directory/test/no-tls.values.yaml index db0eb20..4426198 100644 --- a/charts/directory/test/no-tls.values.yaml +++ b/charts/directory/test/no-tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-directory sslMode: disable admin: diff --git a/charts/directory/test/tests.yaml b/charts/directory/test/tests.yaml index 4dc174c..2371c49 100644 --- a/charts/directory/test/tests.yaml +++ b/charts/directory/test/tests.yaml 
@@ -30,17 +30,17 @@ tests: - | ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store_writer" \ -d '{"tenant": {"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1", "name": "test-tenant"}}' \ - grpc-directory.local.test:8008 aserto.directory.store.v2.Store.CreateTenant + grpc-directory.local.test:9009 aserto.directory.store.v2.Store.CreateTenant # Set a manifest for the new tenant. - | ${TOPAZ:-topaz} ds set manifest charts/directory/test/manifest.yaml \ - -H grpc-directory.local.test:8008 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ + -H grpc-directory.local.test:9009 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ -k apikey_reader --plaintext # Get the tenant's manifest. - | - ${TOPAZ:-topaz} ds get manifest -H grpc-directory.local.test:8008 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ + ${TOPAZ:-topaz} ds get manifest -H grpc-directory.local.test:9009 --tenant-id 3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1 \ -k apikey_reader --plaintext $TMPDIR/manifest.yaml # Ensure the downloaded manifest has the expected content. @@ -50,7 +50,7 @@ tests: - | ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store_writer" \ -d '{"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1"}' \ - grpc-directory.local.test:8008 aserto.directory.store.v2.Store.DeleteTenant + grpc-directory.local.test:9009 aserto.directory.store.v2.Store.DeleteTenant - name: directory-tls pull_secret: $GITHUB_TOKEN diff --git a/charts/directory/test/tls.values.yaml b/charts/directory/test/tls.values.yaml index 8edb873..2ea052a 100644 --- a/charts/directory/test/tls.values.yaml +++ b/charts/directory/test/tls.values.yaml @@ -3,7 +3,7 @@ imagePullSecrets: - name: ghcr-creds database: - host: postgresql.postgres.svc.cluster.local + host: postgres.postgresql.svc.cluster.local dbName: test-directory sslMode: disable admin: diff --git a/charts/discovery/test/tests.yaml b/charts/discovery/test/tests.yaml index cbcca70..1e70089 100644 --- a/charts/discovery/test/tests.yaml 
+++ b/charts/discovery/test/tests.yaml @@ -30,7 +30,7 @@ tests: - | ${TOPAZ:-topaz} ds import --directory charts/discovery/test/data \ -H localhost:8282 --api-key controller-root-key --plaintext - - curl http://discovery.local.test:8008/api/v1/info + - curl http://discovery.local.test:9009/api/v1/info - | curl -H "Authorization:basic discovery-root-key" -H "aserto-tenant-id:4f71c224-e742-11ee-86df-00ba61ff9342" \ - http://discovery.local.test:8008/api/v2/discovery/test-policy/test-policy/opa + http://discovery.local.test:9009/api/v2/discovery/test-policy/test-policy/opa
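Review bot: `curl http://discovery.local.test:9009/api/v1/info` and the `/api/v2/discovery/...` call run without `-f`, so a 401 or 500 from the discovery ingress still exits 0 and the test passes on any HTTP response; the controller test in this same series uses `curl -f` for the equivalent check. Change both to `curl -f …` (or `curl -fsS …`) so an unauthenticated or broken endpoint fails the step. The surrounding `tests` block starts before the hunk.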