From e85f1f8bac66cfd7adfb974fc484b60b6d3f5c29 Mon Sep 17 00:00:00 2001 From: Kirill Salnikov Date: Fri, 10 Jan 2025 17:52:05 +0300 Subject: [PATCH 1/2] =?UTF-8?q?GEFEST-813=20=D0=92=20=D1=87=D0=B0=D1=80?= =?UTF-8?q?=D1=82=20Keys=20=D0=B4=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B0=20=D0=BA=D0=BE=D0=BD=D1=84=D0=B8=D0=B3=D1=83=D1=80?= =?UTF-8?q?=D0=B0=D1=86=D0=B8=D1=8F=20=D0=B4=D0=BB=D1=8F=20b2b=20auth?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/Chart.yaml | 2 +- charts/keys/README.md | 11 ++++++++++- charts/keys/templates/helpers.tpl | 18 ++++++++++++++++++ charts/keys/values.yaml | 23 ++++++++++++++++++++++- 4 files changed, 51 insertions(+), 3 deletions(-) diff --git a/charts/keys/Chart.yaml b/charts/keys/Chart.yaml index 2ac35fa4..4e797a61 100644 --- a/charts/keys/Chart.yaml +++ b/charts/keys/Chart.yaml @@ -4,7 +4,7 @@ type: application description: A Helm chart for Kubernetes to deploy API Keys service version: 1.33.1 -appVersion: 1.105.0 +appVersion: 1.108.2 maintainers: - name: 2gis diff --git a/charts/keys/README.md b/charts/keys/README.md index 8e4912f1..4674410f 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md @@ -31,7 +31,7 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `imagePullSecrets` | Kubernetes image pull secrets. | `[]` | | `imagePullPolicy` | Pull policy. | `IfNotPresent` | | `backend.image.repository` | Backend service image repository. | `2gis-on-premise/keys-backend` | -| `backend.image.tag` | Backend service image tag. | `1.105.0` | +| `backend.image.tag` | Backend service image tag. | `1.108.2` | | `admin.image.repository` | Admin service image repository. | `2gis-on-premise/keys-ui` | | `admin.image.tag` | Admin service image tag. | `0.10.3` | | `redis.image.repository` | Redis image repository. | `2gis-on-premise/keys-redis` | 
@@ -88,6 +88,15 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `api.adminSessionTTL` | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h` | | `api.logLevel` | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`. | `warning` | | `api.signPrivateKey` | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API. | `""` | +| `api.oidc.enable` | If OIDC authentication is enabled. | `false` | +| `api.oidc.enableSignlePartnerMode` | Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used). | `false` | +| `api.oidc.url` | URL of the OIDC provider. | `""` | +| `api.oidc.retryCount` | Maximum number of retries for requests to OIDC provider. | `3` | +| `api.oidc.timeout` | Timeout for requests to OIDC provider. | `3s` | +| `api.oidc.defaultPartner` | **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API** | | +| `api.oidc.defaultPartner.id` | Default partner's Id. | `""` | +| `api.oidc.defaultPartner.name` | Default partner's Name. | `""` | +| `api.oidc.defaultPartner.role` | Role of the user in the default partner. Can be: 'user', 'admin'. | `""` | | `api.replicas` | A replica count for the pod. | `1` | | `api.revisionHistoryLimit` | Revision history limit (used for [rolling back](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) a deployment). | `3` | | `api.strategy.type` | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`. | `RollingUpdate` | diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl index a346fd3a..9e7f1996 100644 --- a/charts/keys/templates/helpers.tpl +++ b/charts/keys/templates/helpers.tpl 
@@ -125,6 +125,10 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} value: "{{ .Values.featureFlags.enableAudit }}" - name: KEYS_FEATURE_FLAGS_PUBLIC_API_SIGN value: "{{ .Values.featureFlags.enablePublicAPISign }}" +- name: KEYS_FEATURE_FLAGS_EXTERNAL_COMPANIES + value: "{{ .Values.api.oidc.enableSignlePartnerMode }}" +- name: KEYS_FEATURE_FLAGS_OIDC + value: "{{ .Values.api.oidc.enable }}" {{- end }} {{- define "keys.env.api" -}} @@ -137,6 +141,20 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} name: {{ include "keys.secret.deploys.name" . }} key: signPrivateKey {{- end }} +{{- if .Values.featureFlags.enableOIDC }} +- name: KEYS_OIDC_ENDPOINT + value: "{{ required "A valid .Values.api.oidc.url required" .Values.api.oidc.url }}" +- name: KEYS_OIDC_CLIENT_TIMEOUT + value: "{{ .Values.api.oidc.timeout }}" +- name: KEYS_OIDC_CLIENT_RETRY_COUNT + value: "{{ .Values.api.oidc.retryCount }}" +- name: KEYS_OIDC_DEFAULT_PARTNER_ID + value: "{{ required "A valid .Values.api.oidc.defaultPartner.id required" .Values.api.oidc.defaultPartner.id }}" +- name: KEYS_OIDC_DEFAULT_PARTNER_NAME + value: "{{ required "A valid .Values.api.oidc.defaultPartner.name required" .Values.api.oidc.defaultPartner.name }}" +- name: KEYS_OIDC_DEFAULT_ROLE + value: "{{ required "A valid .Values.api.oidc.defaultPartner.role required" .Values.api.oidc.defaultPartner.role }}" +{{- end }} {{- end }} {{- define "keys.env.import" -}} diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index 18b3a6d1..fc51d6d8 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml @@ -31,7 +31,7 @@ featureFlags: backend: image: repository: 2gis-on-premise/keys-backend - tag: 1.105.0 + tag: 1.108.2 # @section Admin service settings 
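Review bot: The two new entries read `.Values.api.oidc.*` while the neighbouring KEYS_FEATURE_FLAGS_* entries read `.Values.featureFlags.*`, and the value key `enableSignlePartnerMode` carries a typo ("Signle") that this patch also writes into values.yaml and README.md, where it becomes part of the chart's user-facing interface. Renaming a values key later is a breaking change for operators, so fixing the spelling before release is cheap now: `value: "{{ .Values.api.oidc.enableSinglePartnerMode }}"` (with the same rename in values.yaml and README.md). The mapping from a "single partner mode" value onto an env var named EXTERNAL_COMPANIES is not obvious to a reader; a template comment above the entry, e.g. `{{- /* single-partner mode is exposed to the backend as the EXTERNAL_COMPANIES feature flag */ }}`, would explain it. The enclosing define starts outside the hunk.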
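Review bot: The gate `{{- if .Values.featureFlags.enableOIDC }}` tests a key that no file in this patch defines: values.yaml adds `api.oidc.enable`, and the feature-flag entry in the previous hunk reads `.Values.api.oidc.enable`. With the documented `api.oidc.enable: true` the whole KEYS_OIDC_* block is therefore skipped and the `required` guards never fire, so the backend presumably receives the OIDC flag without any endpoint; the condition should be `{{- if .Values.api.oidc.enable }}`. Separately, the `required` calls on `defaultPartner.id`/`name`/`role` fail the render as soon as OIDC is enabled, although the README describes these as settings for single partner mode only; if the backend needs them only in that mode, wrap those three entries in `{{- if .Values.api.oidc.enableSignlePartnerMode }} … {{- end }}`. The enclosing define `keys.env.api` starts outside the hunk.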
@@ -156,6 +156,27 @@ api: # ... # -----END CERTIFICATE----- + # @param api.oidc.enable If OIDC authentication is enabled. + # @param api.oidc.enableSignlePartnerMode Enable single partner mode: all users are binded to the preconfigured partner (needed when external OIDC provider is used). + # @param api.oidc.url URL of the OIDC provider. + # @param api.oidc.retryCount Maximum number of retries for requests to OIDC provider. + # @param api.oidc.timeout Timeout for requests to OIDC provider. + # @extra api.oidc.defaultPartner **Settings for single partner mode feature. Info specified here will be returned in responses from Auth API** + # @param api.oidc.defaultPartner.id Default partner's Id. + # @param api.oidc.defaultPartner.name Default partner's Name. + # @param api.oidc.defaultPartner.role Role of the user in the default partner. Can be: 'user', 'admin'. + + oidc: + enable: false + enableSignlePartnerMode: false + url: '' + retryCount: 3 + timeout: 3s + defaultPartner: + id: '' + name: '' + role: '' + # @param api.replicas A replica count for the pod. replicas: 1 From 68222de4b350d8b8b1a194eb9bd23fcaedd956de Mon Sep 17 00:00:00 2001 From: Kirill Salnikov Date: Fri, 10 Jan 2025 19:33:38 +0300 Subject: [PATCH 2/2] =?UTF-8?q?GEFEST-1341=20=D0=92=20=D1=87=D0=B0=D1=80?= =?UTF-8?q?=D1=82=20Keys=20=D0=B2=20=D0=B4=D0=B6=D0=BE=D0=B1=D1=83=20?= =?UTF-8?q?=D0=B8=D0=BC=D0=BF=D0=BE=D1=80=D1=82=D0=B0=20=D0=B4=D0=BE=D0=B1?= =?UTF-8?q?=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=20=D0=B2=D1=80=D0=B5=D0=BC=D0=B5?= =?UTF-8?q?=D0=BD=D0=BD=D1=8B=D0=B9=20=D1=84=D0=BB=D0=B0=D0=B3=20=D0=B4?= =?UTF-8?q?=D0=BB=D1=8F=20=D0=B4=D0=B0=D1=82=D0=B0-=D0=BC=D0=B8=D0=B3?= =?UTF-8?q?=D1=80=D0=B0=D1=86=D0=B8=D0=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Breaking-Changes.md | 8 +++++++- charts/keys/templates/import/job.yaml | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) 
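Review bot: The new `@param` comments do not tell the operator which values are mandatory: as the templates stand, `url` and all three `defaultPartner` fields go through `required` once OIDC is enabled, so the `''` defaults fail the render rather than disable anything. Suggest extending the descriptions, e.g. `# @param api.oidc.url URL of the OIDC provider; mandatory when api.oidc.enable is true (presumably an https endpoint, since the service relies on its responses for authentication).` and stating on the `@extra api.oidc.defaultPartner` line that these fields are mandatory whenever OIDC is enabled. `timeout: 3s` is a duration string; reusing the duration wording the README already uses for `api.adminSessionTTL` would make the accepted units clear.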
diff --git a/Breaking-Changes.md b/Breaking-Changes.md index 50f48a8f..8bba6428 100644 --- a/Breaking-Changes.md +++ b/Breaking-Changes.md @@ -1,9 +1,15 @@ # 2GIS On-Premise Breaking-Changes +## [1.34.0] + +### keys +- A temporary flag, `--migrate-data`, has been added for this release. This flag triggers the data migration required for the Routing API data in the service. +- Ensure that `keys` service is upgraded prior to upgrading any of the `navi` services. + ## [1.33.0] ### pro-api -- permissions.settings.enabled was removed, permissions api is now always mandatory +- permissions.settings.enabled was removed, permissions api is now always mandatory - postgres.connectionString, postgres.connectionStringReadonly, postgres.password were changed to postgres.api.rw / postgres.api.ro settings diff --git a/charts/keys/templates/import/job.yaml b/charts/keys/templates/import/job.yaml index c090a4d0..438bdabe 100644 --- a/charts/keys/templates/import/job.yaml +++ b/charts/keys/templates/import/job.yaml @@ -25,7 +25,7 @@ spec: - name: migrate image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} - command: [ "keysctl", "import" ] + command: [ "keysctl", "import", "--migrate-data" ] resources: {{- toYaml .Values.import.resources | nindent 12 }} env:
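Review bot: `--migrate-data` is hard-coded into the import job's command, so every install or upgrade of this chart version re-runs the Routing API data migration, and removing it for the next release needs another chart change; since Breaking-Changes.md calls the flag temporary, rendering it from a value would be safer, e.g. `command: [ "keysctl", "import"{{ if .Values.import.migrateData }}, "--migrate-data"{{ end }} ]` with `import.migrateData: true` (proposed new key) added to values.yaml and README.md. Whether a repeated run is idempotent cannot be seen from the chart; if the backend does not guarantee that, a value is the only way an operator can skip it. A template comment above the line, such as `# --migrate-data: one-off data migration for 1.34.0, see Breaking-Changes.md`, would record why the flag is there. The enclosing container spec starts outside the hunk.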