diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4dae05a..4c63bcb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,7 +11,7 @@ env:
 PYTHON_VERSION: 3.13
 POSTGRES_PASSWORD: postgres
 UV_VERSION: 0.5.3
- TOPAZ_VERSION: 0.32.36
+ TOPAZ_VERSION: 0.32.59
 jobs:
 lint:
diff --git a/.gitignore b/.gitignore
index faf8b63..2967b40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@
 # python
 **/__pycache__/
+**/.dmypy.json
 .venv-path
 # env
diff --git a/charts/aserto-lib/Chart.yaml b/charts/aserto-lib/Chart.yaml
index 30f0ac6..824a4f5 100644
--- a/charts/aserto-lib/Chart.yaml
+++ b/charts/aserto-lib/Chart.yaml
@@ -21,7 +21,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/aserto-lib/templates/_client.tpl b/charts/aserto-lib/templates/_client.tpl
index 3689329..7e71c9b 100644
--- a/charts/aserto-lib/templates/_client.tpl
+++ b/charts/aserto-lib/templates/_client.tpl
@@ -2,13 +2,19 @@
 {{- if .noVerify | and .noTLS -}}
 {{- fail "'noVerify' and 'noTLS' are mutually exclusive." }}
 {{- end }}
+{{- if .skipTLSVerification | and .noTLS -}}
+ {{- fail "'skipTLSVerification' and 'noTLS' are mutually exclusive." }}
+{{- end }}
 {{- if .noTLS }}
 no_tls: true
-{{- else if .skipVerify }}
+{{- else if .noVerify | or .skipTLSVerification }}
 insecure : true
-{{- else if .caCertSecret }}
+{{- else if .caCertSecret | or .caCert }}
 ca_cert_path: /{{ .certVolume }}/ca.crt
 {{- end }}
+{{- if .noProxy }}
+no_proxy: true
+{{- end }}
 {{- end }}
 {{- define "aserto-lib.controllerClient" -}}
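Review bot: `skipTLSVerification` (or `noVerify`) combined with `caCert`/`caCertSecret` is not rejected the way the two `noTLS` combinations now are, so the else-if chain emits `insecure : true` and silently discards the CA the operator configured. Add a third guard beside the new one, `{{- if .skipTLSVerification | and (.caCert | or .caCertSecret) -}}` / `{{- fail "'skipTLSVerification' cannot be combined with 'caCert' or 'caCertSecret'." }}` / `{{- end }}`, so a setting that disables server authentication fails at render time instead of going unnoticed. The template also accepts `noVerify` as an alias of `skipTLSVerification` on the `else if` line; if that is intentional, a comment saying so would help, because the values files in this change document only `skipTLSVerification`. The enclosing `define` starts before the hunk.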
diff --git a/charts/aserto/Chart.lock b/charts/aserto/Chart.lock
index 5da94a7..ea42c14 100644
--- a/charts/aserto/Chart.lock
+++ b/charts/aserto/Chart.lock
@@ -1,30 +1,30 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
+ version: 0.2.1
 - name: authorizer
 repository: file://../authorizer
- version: 0.2.0
+ version: 0.2.1
 - name: controller
 repository: file://../controller
- version: 0.0.1
+ version: 0.0.2
 - name: console
 repository: file://../console
- version: 0.1.7
+ version: 0.1.8
 - name: directory
 repository: file://../directory
- version: 0.2.0
+ version: 0.2.1
 - name: discovery
 repository: file://../discovery
- version: 0.2.0
+ version: 0.2.1
 - name: multi-tenant-scim
 repository: file://../multi-tenant-scim
- version: 0.0.1
+ version: 0.0.2
 - name: registry-proxy
 repository: file://../registry-proxy
- version: 0.1.0
+ version: 0.1.1
 - name: scim
 repository: file://../scim
- version: 0.2.0
-digest: sha256:e933b20c19dda16e7ef644de07eed18b2e214f1f89a8dbfe9fdeac2262b5ca64
-generated: "2025-03-28T12:23:20.763001-04:00"
+ version: 0.2.1
+digest: sha256:f57ef96b77dd43cd56145479dc82fe7f151d4e0c55168d955d4a5e83bb667031
+generated: "2025-04-16T14:09:33.544401-04:00"
diff --git a/charts/aserto/Chart.yaml b/charts/aserto/Chart.yaml
index b1419ca..a52906c 100644
--- a/charts/aserto/Chart.yaml
+++ b/charts/aserto/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,35 +31,35 @@ appVersion: "0.1.0"
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
 - name: authorizer
- version: 0.2.0
+ version: 0.2.1
 repository: file://../authorizer
 condition: authorizer.enabled
 - name: controller
- version: 0.0.1
+ version: 0.0.2
 repository: file://../controller
 - name: console
- version: 0.1.7
+ version: 0.1.8
 repository: file://../console
 condition: console.enabled
 - name: directory
- version: 0.2.0
+ version: 0.2.1
 repository: file://../directory
 - name: discovery
- version: 0.2.0
+ version: 0.2.1
 repository: file://../discovery
 condition: discovery.enabled
 - name: multi-tenant-scim
- version: 0.0.1
+ version: 0.0.2
 repository: file://../multi-tenant-scim
 condition: multi-tenant-scim.enabled
 - name: registry-proxy
- version: 0.1.0
+ version: 0.1.1
 repository: file://../registry-proxy
 condition: registry-proxy.enabled
 - name: scim
- version: 0.2.0
+ version: 0.2.1
 repository: file://../scim
 condition: scim.enabled
diff --git a/charts/authorizer/Chart.lock b/charts/authorizer/Chart.lock
index 34fe706..f1bc4f0 100644
--- a/charts/authorizer/Chart.lock
+++ b/charts/authorizer/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:27:37.668307-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:47.019477-04:00"
diff --git a/charts/authorizer/Chart.yaml b/charts/authorizer/Chart.yaml
index 24d7ef6..f065cf5 100644
--- a/charts/authorizer/Chart.yaml
+++ b/charts/authorizer/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: 0.16.1
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/console/Chart.lock b/charts/console/Chart.lock
index 6214c25..1e51ade 100644
--- a/charts/console/Chart.lock
+++ b/charts/console/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:27:43.142209-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:47.201231-04:00"
diff --git a/charts/console/Chart.yaml b/charts/console/Chart.yaml
index 0c8701d..7f4bbd8 100644
--- a/charts/console/Chart.yaml
+++ b/charts/console/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.7
+version: 0.1.8
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: 0.2.8
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/controller/Chart.lock b/charts/controller/Chart.lock
index a2d66c9..ddac91b 100644
--- a/charts/controller/Chart.lock
+++ b/charts/controller/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:27:47.329975-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:47.384657-04:00"
diff --git a/charts/controller/Chart.yaml b/charts/controller/Chart.yaml
index 7f8eeee..a14a0e3 100644
--- a/charts/controller/Chart.yaml
+++ b/charts/controller/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: 0.34.5
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/directory/Chart.lock b/charts/directory/Chart.lock
index 1b01508..713b154 100644
--- a/charts/directory/Chart.lock
+++ b/charts/directory/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:27:51.069954-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:47.568517-04:00"
diff --git a/charts/directory/Chart.yaml b/charts/directory/Chart.yaml
index 4f5c51a..873f790 100644
--- a/charts/directory/Chart.yaml
+++ b/charts/directory/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: 0.34.5
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/discovery/Chart.lock b/charts/discovery/Chart.lock
index a50c947..e2446b6 100644
--- a/charts/discovery/Chart.lock
+++ b/charts/discovery/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:27:54.42612-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:47.750253-04:00"
diff --git a/charts/discovery/Chart.yaml b/charts/discovery/Chart.yaml
index f70aac8..f617ea5 100644
--- a/charts/discovery/Chart.yaml
+++ b/charts/discovery/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: 0.2.0
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/multi-tenant-scim/Chart.lock b/charts/multi-tenant-scim/Chart.lock
index 671bdcc..b199f7a 100644
--- a/charts/multi-tenant-scim/Chart.lock
+++ b/charts/multi-tenant-scim/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:28:02.278561-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:47.934847-04:00"
diff --git a/charts/multi-tenant-scim/Chart.yaml b/charts/multi-tenant-scim/Chart.yaml
index 615c0b4..913331e 100644
--- a/charts/multi-tenant-scim/Chart.yaml
+++ b/charts/multi-tenant-scim/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: "0.0.1"
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/registry-proxy/Chart.lock b/charts/registry-proxy/Chart.lock
index 7fa9f18..2fd3a4c 100644
--- a/charts/registry-proxy/Chart.lock
+++ b/charts/registry-proxy/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:28:09.295919-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:48.115397-04:00"
diff --git a/charts/registry-proxy/Chart.yaml b/charts/registry-proxy/Chart.yaml
index 54a6aa2..07f67c6 100644
--- a/charts/registry-proxy/Chart.yaml
+++ b/charts/registry-proxy/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: "0.0.4"
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/scim/Chart.lock b/charts/scim/Chart.lock
index 1d08388..ae94058 100644
--- a/charts/scim/Chart.lock
+++ b/charts/scim/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:28:15.15139-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T14:07:48.296161-04:00"
diff --git a/charts/scim/Chart.yaml b/charts/scim/Chart.yaml
index f2ad5b8..8116a69 100644
--- a/charts/scim/Chart.yaml
+++ b/charts/scim/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -31,5 +31,5 @@ appVersion: 0.1.0
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/topaz/Chart.lock b/charts/topaz/Chart.lock
index 42e1b84..bc3f889 100644
--- a/charts/topaz/Chart.lock
+++ b/charts/topaz/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: aserto-lib
 repository: file://../aserto-lib
- version: 0.2.0
-digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272
-generated: "2025-03-28T11:17:23.844098-04:00"
+ version: 0.2.1
+digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93
+generated: "2025-04-16T13:19:21.494833-04:00"
diff --git a/charts/topaz/Chart.yaml b/charts/topaz/Chart.yaml
index 67a88c3..a42b028 100644
--- a/charts/topaz/Chart.yaml
+++ b/charts/topaz/Chart.yaml
@@ -21,15 +21,15 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.4
+version: 0.2.5
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.32.56
+appVersion: 0.32.59
 dependencies:
 - name: aserto-lib
- version: 0.2.0
+ version: 0.2.1
 repository: file://../aserto-lib
diff --git a/charts/topaz/templates/NOTES.txt b/charts/topaz/templates/NOTES.txt
index 5b392da..de14b46 100644
--- a/charts/topaz/templates/NOTES.txt
+++ b/charts/topaz/templates/NOTES.txt
@@ -1,18 +1,34 @@
+{{- $grpcPort := .Values.ports.grpc | int -}}
+{{- $tlsOption := empty (.Values.tls).grpc | ternary "--plaintext" "--insecure" -}}
+{{- $topazOptions := printf "-H localhost:%d %s --no-check" $grpcPort $tlsOption -}}
+
 To access the service using the topaz CLI:
 1. Forward the gRPC port to your local machine:
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "topaz.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export GRPC_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[?(@.name=='grpc')].containerPort}")
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8282:$GRPC_PORT
-2. Use the topaz CLI with the `-i -H localhost:8282 --no-check` options. For example, to set a directory manifest:
- topaz ds set manifest -i --no-check -H localhost:8282 manifest.yaml
+
+ POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} \
+ -l "app.kubernetes.io/name={{ include "topaz.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" \
+ -o jsonpath="{.items[0].metadata.name}") \
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME {{ print $grpcPort ":" $grpcPort }}
+
+2. Use the topaz CLI with the '{{ $topazOptions }}' options. For example, to print the directory manifest:
+
+ topaz ds get manifest --stdout {{ $topazOptions }}
+{{ $httpPort := .Values.ports.http | int -}}
 To access the topaz web console:
 1. Forward the HTTP port to your local machine:
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "topaz.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export HTTP_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[?(@.name=='http')].containerPort}")
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8383:$HTTP_PORT
-2. Download the topaz self-signed certificate:
- openssl s_client -showcerts -connect localhost:8383 /dev/null | openssl x509 -text > topaz-gw.crt
-3. Add 'topaz-gw.crt' to your system's trusted certificates.
-4. Open your browser and navigate to https://localhost:8383
+
+ POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} \
+ -l "app.kubernetes.io/name={{ include "topaz.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" \
+ -o jsonpath="{.items[0].metadata.name}") \
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME {{ print $httpPort ":" $httpPort }}
+
+{{- if (.Values.tls).http }}
+
+2. Make sure the certificate provided in the 'tls.http' value is trusted on your machine.
+3. Open your browser and navigate to https://localhost:{{ $httpPort }}
+{{- else }}
+
+2. Open your browser and navigate to http://localhost:{{ $httpPort }}
+{{- end }}
diff --git a/charts/topaz/templates/_helpers.tpl b/charts/topaz/templates/_helpers.tpl
index bab0fc1..c782d89 100644
--- a/charts/topaz/templates/_helpers.tpl
+++ b/charts/topaz/templates/_helpers.tpl
@@ -75,12 +75,7 @@ api_key: {{ .apiKey }}
 {{- else if (.apiKeySecret).name }}
 api_key: "${DIRECTORY_API_KEY}"
 {{- end }}
-{{- if .skipTLSVerification }}
-insecure: true
-{{- end }}
-{{- if not (empty .caCert | and (empty .caCertSecret)) }}
-ca_cert_path: /directory-certs/{{ (.caCertSecret).key | default "tls.crt" }}
-{{- end }}
+{{- include "aserto-lib.clientTLS" (merge (dict "certVolume" "remote-directory-ca-cert") .) -}}
 {{- with .additionalHeaders }}
 headers:
 {{- toYaml . | toYaml | nindent 2 }}
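Review bot: In both new port-forward snippets the `POD_NAME=$(...) \` assignment is joined by the trailing backslash onto the `kubectl ... port-forward $POD_NAME ...` line, turning it into a per-command environment assignment; the shell expands `$POD_NAME` in the argument list before that assignment takes effect, so the pod name is empty (or a stale value from the caller's environment) and `port-forward` fails. Drop the `\` after the closing `)` so the assignment is its own statement, i.e. `-o jsonpath="{.items[0].metadata.name}")` followed on the next line by `kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME {{ print $grpcPort ":" $grpcPort }}`, and likewise for the HTTP snippet. Separately, when `tls.grpc` is set the generated options include `--insecure`, which disables verification of the very certificate the operator configured; a sentence in the notes that this is acceptable only over the local port-forward, or a pointer to the CLI's CA-certificate option if the topaz CLI has one, would keep users from copying it elsewhere.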
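Review bot: The removed `ca_cert_path` line honoured `(.caCertSecret).key | default "tls.crt"`, while the replacement `aserto-lib.clientTLS` always reads `/remote-directory-ca-cert/ca.crt` and the secret volume (defined in `topaz.remoteDirectoryCertVolume`, outside this hunk) mounts the secret's keys under their own names. A `caCertSecret.key` other than `ca.crt` — including `tls.crt`, the previous default — now yields a missing CA file at runtime rather than a render-time error, which is an upgrade-breaking change for existing secrets. Either remap the key onto `ca.crt` with `items` in that secret volume, or add `{{- if and (.caCertSecret).key (ne .caCertSecret.key "ca.crt") }}{{ fail "caCertSecret.key must be ca.crt" }}{{- end }}` here, and mention the re-keying in the chart's upgrade notes. The enclosing `define` starts before the hunk.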
@@ -102,11 +97,11 @@ headers:
 {{- $name := printf "%s-remote-ca" (include "topaz.fullname" .) -}}
 {{- with (.Values.directory).remote -}}
 {{- if .caCert -}}
-- name: remote-certs
+- name: remote-directory-certs
 configMap:
 name: {{ $name }}
 {{- else if (.caCertSecret).name -}}
-- name: remote-certs
+- name: remote-directory-certs
 secret:
 secretName: {{ .caCertSecret.name }}
 {{- end }}
@@ -116,8 +111,32 @@ headers:
 {{- define "topaz.remoteDirectoryCertVolumeMount" -}}
 {{- if .caCert | or (.caCertSecret).name -}}
-- name: remote-certs
- mountPath: /directory-certs
+- name: remote-directory-certs
+ mountPath: /remote-directory-ca-cert
+ readOnly: true
+{{- end }}
+{{- end }}
+
+{{- define "topaz.edgeSyncCertVolume" -}}
+{{- $name := printf "%s-edge-sync-ca" (include "topaz.fullname" .) -}}
+{{- with ((.Values.directory).edge).sync -}}
+{{- if .caCert -}}
+- name: edge-sync-certs
+ configMap:
+ name: {{ $name }}
+{{- else if (.caCertSecret).name -}}
+- name: edge-sync-certs
+ secret:
+ secretName: {{ .caCertSecret.name }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{- define "topaz.edgeSyncCertVolumeMount" -}}
+{{- if .caCert | or (.caCertSecret).name -}}
+- name: edge-sync-certs
+ mountPath: /edge-sync-ca-cert
 readOnly: true
 {{- end }}
 {{- end }}
@@ -405,7 +424,7 @@ aserto_edge:
 apikey: {{ . }}
 {{- end }}
 enabled: true
- insecure: {{ .skipTLSVerification | default false | toString }}
+ {{- include "aserto-lib.clientTLS" (merge (dict "certVolume" "edge-sync-ca-cert") .) -}}
 sync_interval: {{ .intervalMinutes | default "1" }}
 timeout: {{ .timeoutSeconds | default "5" }}
 {{- end }}
diff --git a/charts/topaz/templates/configmap-edge-sync-ca.yaml b/charts/topaz/templates/configmap-edge-sync-ca.yaml
new file mode 100644
index 0000000..d06c08d
--- /dev/null
+++ b/charts/topaz/templates/configmap-edge-sync-ca.yaml
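Review bot: `topaz.edgeSyncCertVolume` mounts the secret as-is, but the client config rendered for this volume (`aserto-lib.clientTLS` with `certVolume` set to `edge-sync-ca-cert`) reads a fixed `ca.crt`, so the `caCertSecret.key` value documented in `values.yaml` is never consulted and a secret stored under any other key leaves topaz without a CA at startup. Remap the key in the `secret:` branch with `items:` / `- key: {{ (.caCertSecret).key | default "ca.crt" }}` / `path: ca.crt`, and do the same for the remote-directory secret in the preceding hunk, whose default used to be `tls.crt`. Adding `readOnly: true` to the remote mount is the right call for a CA volume.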
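Review bot: The new `{{- include "aserto-lib.clientTLS" ... -}}` line under `aserto_edge:` ends with `-}}`, which trims the newline and indentation before the literal `sync_interval:` that follows, so whatever the include emits (for example `insecure : true`) gets `sync_interval: ...` appended on the same line; the include also writes its keys at column 0, whereas `enabled: true` and `sync_interval:` are nested, and the `insecure:` line it replaces sat at that nesting level. I cannot see how this define is ultimately rendered, but relative indentation survives a later `nindent`, so this looks like broken YAML in the generated config. Change the line to `{{- include "aserto-lib.clientTLS" (merge (dict "certVolume" "edge-sync-ca-cert") .) | trim | nindent N }}` with N equal to the indent of `enabled: true`, and drop the trailing `-`. The enclosing `with`/`define` starts before the hunk.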
@@ -0,0 +1,10 @@
+{{- if (((.Values.directory).edge).sync).caCert }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "topaz.fullname" . }}-edge-sync-ca
+data:
+ ca.crt: |
+ {{- .Values.directory.edge.sync.caCert | nindent 4 }}
+{{- end }}
diff --git a/charts/topaz/templates/configmap-remote-ca.yaml b/charts/topaz/templates/configmap-remote-ca.yaml
index 68e929c..4365ade 100644
--- a/charts/topaz/templates/configmap-remote-ca.yaml
+++ b/charts/topaz/templates/configmap-remote-ca.yaml
@@ -5,6 +5,6 @@ kind: ConfigMap
 metadata:
 name: {{ include "topaz.fullname" . }}-remote-ca
 data:
- tls.crt: |
+ ca.crt: |
 {{- .Values.directory.remote.caCert | nindent 4 }}
 {{- end }}
diff --git a/charts/topaz/templates/deployment.yaml b/charts/topaz/templates/deployment.yaml
index a380b02..324fc30 100644
--- a/charts/topaz/templates/deployment.yaml
+++ b/charts/topaz/templates/deployment.yaml
@@ -79,18 +79,22 @@ spec:
 containerPort: {{ (.Values.ports).profiler | default "8686"}}
 protocol: TCP
 {{- end }}
- startupProbe:
- grpc:
- port: {{ (.Values.ports).health | default "8484" }}
- {{- toYaml .Values.startupProbe | nindent 12 }}
- livenessProbe:
- grpc:
- port: {{ (.Values.ports).health | default "8484" }}
- {{- toYaml .Values.livenessProbe | nindent 12 }}
 readinessProbe:
 grpc:
 port: {{ (.Values.ports).health | default "8484" }}
 {{- toYaml .Values.readinessProbe | nindent 12 }}
+ {{- with .Values.startupProbe }}
+ startupProbe:
+ grpc:
+ port: {{ ($.Values.ports).health | default "8484" }}
+ {{- . | toYaml | nindent 12 }}
+ {{- end }}
+ {{- with .Values.livenessProbe }}
+ livenessProbe:
+ grpc:
+ port: {{ ($.Values.ports).health | default "8484" }}
+ {{- . | toYaml | nindent 12 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
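Review bot: The probe ports in the two new `with` blocks fall back to `default "8484"`, a quoted string; `grpc.port` is an integer field in the Pod spec, so a render without `ports.health` produces `port: "8484"`, which the API server rejects on apply. Use `default 8484` (unquoted) on both new `port:` lines, and while here on the `readinessProbe` context line above them, which carries the same fallback. This is presumably latent if `ports.health` is always set in `values.yaml`, which this change does not show; the container spec starts before the hunk.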
@@ -119,6 +123,9 @@ spec:
 {{- with (.Values.directory).remote -}}
 {{ include "topaz.remoteDirectoryCertVolumeMount" . | nindent 12 }}
 {{- end }}
+ {{- with ((.Values.directory).edge).sync -}}
+ {{ include "topaz.edgeSyncCertVolumeMount" . | nindent 12 }}
+ {{- end }}
 {{- if (.Values.decisionLogs).remote }}
 - name: scribe-cert
 mountPath: /scribe-cert
@@ -165,6 +172,9 @@ spec:
 {{- if ((.Values.directory).remote).address -}}
 {{ include "topaz.remoteDirectoryCertVolume" . | nindent 8 }}
 {{- end }}
+ {{- if (((.Values.directory).edge).sync).address -}}
+ {{ include "topaz.edgeSyncCertVolume" . | nindent 8 }}
+ {{- end }}
 {{- if not $persistDB }}
 - name: db
 emptyDir: {}
diff --git a/charts/topaz/templates/ingress.yaml b/charts/topaz/templates/ingress.yaml
index 64070bd..64f4ab3 100644
--- a/charts/topaz/templates/ingress.yaml
+++ b/charts/topaz/templates/ingress.yaml
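Review bot: The edge-sync mount and volume are gated on different conditions: the first hunk emits the mount whenever `directory.edge.sync` carries `caCert` or `caCertSecret.name` (the test inside `topaz.edgeSyncCertVolumeMount`), while the second emits the volume only when `directory.edge.sync.address` is set. A sync block with a CA but no address therefore renders a `volumeMounts` entry pointing at a volume that does not exist, which the API server rejects. Gate both on the same condition, e.g. wrap the mount as `{{- if (((.Values.directory).edge).sync).address -}}` / `{{- with .Values.directory.edge.sync }}{{ include "topaz.edgeSyncCertVolumeMount" . | nindent 12 }}{{- end }}` / `{{- end }}`; the remote-directory pair just above has the same asymmetry and is worth fixing in the same pass. The `volumeMounts` and `volumes` lists start before their hunks.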
@@ -1,61 +1,3 @@
 {{- if .Values.ingress.enabled -}}
-{{- $fullName := include "topaz.fullname" . -}}
-{{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
- {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
- {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
- {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
- name: {{ $fullName }}
- labels:
- {{- include "topaz.labels" . | nindent 4 }}
- {{- with .Values.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
- ingressClassName: {{ .Values.ingress.className }}
- {{- end }}
- {{- if .Values.ingress.tls }}
- tls:
- {{- range .Values.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
- {{- end }}
- rules:
- {{- range .Values.ingress.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ .path }}
- {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
- pathType: {{ .pathType }}
- {{- end }}
- backend:
- {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
- service:
- name: {{ $fullName }}
- port:
- number: {{ $svcPort }}
- {{- else }}
- serviceName: {{ $fullName }}
- servicePort: {{ $svcPort }}
- {{- end }}
- {{- end }}
- {{- end }}
+{{ fail "Ingress is not currently supported by the topaz chart. You can include topaz in a parent chart and add your ingress resource there." }}
 {{- end }}
diff --git a/charts/topaz/values.yaml b/charts/topaz/values.yaml
index 8057b10..a55b918 100644
--- a/charts/topaz/values.yaml
+++ b/charts/topaz/values.yaml
@@ -57,8 +57,21 @@ directory:
 # name: ""
 # # Secret key
 # key: "api-key"
+ # [Optional] CA certificate for the sync source
+ # caCert: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # # [Optional] Kubernetes secret containing the CA certificate for the sync source
+ # caCertSecret:
+ # name: ""
+ # key: "ca.crt"
 # # Skip verification of remote TLS certificate
 # skipTLSVerification: false
+ # # Connect without TLS
+ # noTLS: false
+ # # Bypass any configured HTTP proxies
+ # noProxy: false
 # # The frequency of syncs in minutes.
 # intervalMinutes: 1
 # # Request timeout
@@ -87,9 +100,13 @@ directory:
 # # [Optional] Kubernetes secret containing the CA certificate for the remote directory
 # caCertSecret:
 # name: ""
- # key: "api-key"
+ # key: "ca.crt"
 # [Optional] Skip verification of remote TLS certificate
 # skipTLSVerification: false
+ # # Connect without TLS
+ # noTLS: false
+ # # Bypass any configured HTTP proxies
+ # noProxy: false
 # # [Optional] Request timeout
 # timeoutSeconds: 5
 # [Optional] Additional headers to include in requests to the remote directory
@@ -116,6 +133,8 @@ controller:
 # mtlsCertSecretName: ""
 # # Skip verification of server certificate
 # skipTLSVerification: false
+ # # Bypass any configured HTTP proxies
+ # noProxy: false
 # # [Optional] Additional headers to include in requests to the controller.
 # additionalHeaders:
 # "header-name": header-value
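Review bot: The new `noTLS` and `skipTLSVerification` entries in the edge `sync` block are described only as "Connect without TLS" and "Skip verification of remote TLS certificate", with no hint that either disables authentication of the sync source, or that a `caCert`/`caCertSecret` configured right above is ignored when `skipTLSVerification` is set (the `else if` order in `aserto-lib.clientTLS` picks `insecure` first). Suggest `# # Skip verification of the remote TLS certificate. INSECURE: the peer is not authenticated and any caCert/caCertSecret above is ignored; for testing only.` and `# # Connect without TLS (plaintext; mutually exclusive with sk
ipTLSVerification). For testing only.`, with the same wording in the `remote` block in the next hunk. It would also help to state next to `key: "ca.crt"` that this is the only key the chart reads from the secret unless the volume remaps it, since the templates in this change mount the secret unchanged.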
@@ -164,6 +183,8 @@ decisionLogs:
 # mtlsCertSecretName: ""
 # # Skip verification of server certificate
 # skipTLSVerification: false
+ # # Bypass any configured HTTP proxies
+ # noProxy: false
 # # additionslHeaders:
 # # "header-name": header-value
 # # [Optional] Duration to wait for a batch of decisions to be acknowledged by the server.
@@ -411,16 +432,16 @@ resources: {}
 # cpu: 100m
 # memory: 128Mi
-livenessProbe:
- failureThreshold: 1
- periodSeconds: 10
-
 readinessProbe:
- periodSeconds: 5
-
-startupProbe:
- failureThreshold: 30
- periodSeconds: 10
+ periodSeconds: 1
+
+# livenessProbe:
+# failureThreshold: 1
+# periodSeconds: 10
+#
+# startupProbe:
+# failureThreshold: 30
+# periodSeconds: 10
 autoscaling:
 enabled: false
diff --git a/tools/ktest/ktest.py b/tools/ktest/ktest.py
index 891944e..2bfc442 100755
--- a/tools/ktest/ktest.py
+++ b/tools/ktest/ktest.py
@@ -121,6 +121,7 @@ def wait_for_deployments(self, deployments: Sequence[Deployment], ns: Namespace)
 def execute_steps(self):
 echo("๐Ÿƒ", "Running tests", nl=True)
+ time.sleep(2) # give services time to fully start
 for step in self.test.run:
 echo("๐Ÿงช", step, cl=COLOR_STEP)
 self.subprocess(step)
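Review bot: With `livenessProbe` and `startupProbe` commented out, the chart's default now has no liveness probe at all, so a topaz process that wedges stays unready indefinitely and is never restarted by the kubelet; the remaining `readinessProbe` at `periodSeconds: 1` also hits the health port once a second per pod. If dropping liveness by default is deliberate, say so in the commented block, e.g. `# livenessProbe/startupProbe are disabled by default; uncomment the values below to have a hung pod restarted.`; otherwise keep a `livenessProbe` with a `failureThreshold` above the previous `1`, which restarted on a single failed check. The `resources:` stanza this hunk sits under starts before it.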
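Review bot: `time.sleep(2)` after `wait_for_deployments` is a fixed delay standing in for a readiness check, which makes every run slower than needed and still racy on a loaded cluster. Prefer polling what the steps actually depend on (retry the first step, or probe the service port) against a deadline, and if the sleep must stay for now, mark it as such: `time.sleep(2)  # FIXME: replace with a readiness poll; Available != serving`. The hunk does not show `import time`; confirm it is present at the top of the file. Whether `execute_steps` ends at `self.subprocess(step)` is not visible here.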