From b436b3285c8b54b19585821384717749930ff079 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Mon, 10 Jun 2024 14:19:46 -0400
Subject: [PATCH] Use single Ingress for webservices
---
.github/workflows/test.yaml | 12 +-
charts-private/emt-api/Chart.yaml | 8 +-
charts-private/emt-api/values.yaml | 2 +-
charts/webservice/Chart.yaml | 4 +-
charts/webservice/templates/auth-ingress.yaml | 49 -------
.../templates/hooks/remove-auth-ingress.yaml | 133 ++++++++++++++++++
charts/webservice/templates/ingress.yaml | 57 ++++----
charts/webservice/values.yaml | 4 +
8 files changed, 181 insertions(+), 88 deletions(-)
delete mode 100644 charts/webservice/templates/auth-ingress.yaml
create mode 100644 charts/webservice/templates/hooks/remove-auth-ingress.yaml
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 2a8f899..fa24bb2 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -84,9 +84,10 @@ jobs:
 kubectl label node kind-worker node-role.kubernetes.io/test=''
 kubectl label node kind-worker2 node-role.kubernetes.io/test=''
 - name: Set image pull secret
+ if: matrix.chart != 'osc-common'
 run: |
- sed -i 's|OSC-IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_READ_TOKEN}}|g' charts/*/ci/*.yaml
- sed -i 's|IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_WEBSERVICES_READ_TOKEN}}|g' charts/*/ci/*.yaml
+ sed -i 's|OSC-IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_READ_TOKEN}}|g' charts/${{ matrix.chart }}/ci/*.yaml
+ sed -i 's|IMAGE-PULL-PASSWORD|${{ secrets.OSC_REGISTRY_ROBOT_WEBSERVICES_READ_TOKEN}}|g' charts/${{ matrix.chart }}/ci/*.yaml
 - name: Install Keycloak
 run: |
 helm repo add bitnami https://charts.bitnami.com/bitnami
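Review bot: The new `charts/${{ matrix.chart }}/ci/*.yaml` paths in both `sed` lines (and the `if [ ${{ matrix.chart }} == "webservice" ]` test in the next hunk) interpolate a workflow expression straight into the shell script; the matrix is static here, so this is a hardening point rather than a live injection, but the recommended shape is to pass the value through the environment. Add `env:` with `CHART: ${{ matrix.chart }}` to the step and reference `charts/"$CHART"/ci/*.yaml` in both `sed` lines. The step's `run:` block is otherwise unchanged and the enclosing job starts above the hunk.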
@@ -114,3 +115,10 @@ jobs:
 kubectl describe service -A
 kubectl describe daemonset -A
 kubectl logs -n kyverno -l app.kubernetes.io/component=admission-controller
+ kubectl logs -n webservice
+ if [ ${{ matrix.chart }} == "webservice" ]; then
+ kubectl describe job -n webservice
+ kubectl get pod -n webservice
+ kubectl get job -n webservice
+ kubectl logs -n webservice -l app=remove-auth-ingress
+ fi
diff --git a/charts-private/emt-api/Chart.yaml b/charts-private/emt-api/Chart.yaml
index 6c5d036..4cbe443 100644
--- a/charts-private/emt-api/Chart.yaml
+++ b/charts-private/emt-api/Chart.yaml
@@ -2,12 +2,12 @@ apiVersion: v2
 name: emt-api
 description: OSC emt-api web service
 type: application
-version: 0.2.1
+version: 0.2.2
 appVersion: v0.1.0
 maintainers:
 - name: treydock
 dependencies:
 - name: webservice
- version: 0.35.2
- repository: https://osc.github.io/osc-helm-charts/
- # repository: file://../../charts/webservice
+ version: 0.36.0
+ # repository: https://osc.github.io/osc-helm-charts/
+ repository: file://../../charts/webservice
diff --git a/charts-private/emt-api/values.yaml b/charts-private/emt-api/values.yaml
index 93375b8..701f36e 100644
--- a/charts-private/emt-api/values.yaml
+++ b/charts-private/emt-api/values.yaml
@@ -37,7 +37,7 @@ webservice:
 auth: false
 auth:
 enable: true
- skipAuthRoute: "/api/*"
+ skipAuthRoute: "^/api"
 idpHost: EXTERNAL-DATA
 clientSecret: EXTERNAL-SECRET
 cookieSecret: EXTERNAL-SECRET
diff --git a/charts/webservice/Chart.yaml b/charts/webservice/Chart.yaml
index d727a94..277912a 100644
--- a/charts/webservice/Chart.yaml
+++ b/charts/webservice/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: webservice
 description: OSC webservice bootstrap Helm Chart
 type: application
-version: 0.35.2
+version: 0.36.0
 appVersion: "0.1.0"
 maintainers:
 - name: treydock
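Review bot: `kubectl logs -n webservice` on the first added line names neither a pod nor a `-l` selector, so kubectl exits with a usage error; under the default `bash -e` step shell that aborts the step before the `if` block runs and none of the webservice diagnostics below it are collected. Give it a selector (the `-l app=remove-auth-ingress` used further down, or the chart's selector labels) or drop the line. The `[ ${{ matrix.chart }} == "webservice" ]` test also expands the expression unquoted; write `[ "${{ matrix.chart }}" == "webservice" ]` or use an `env:` variable so an empty or spaced value cannot break the test. The step's `run:` header is above the hunk.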
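Review bot: The `webservice` dependency's `repository` is switched to the local `file://../../charts/webservice` path with the published URL commented out, which only resolves inside this checkout; packaging or updating `charts-private/emt-api` from anywhere else will fail to fetch the dependency. If the local path is a convenience for testing `webservice` 0.36.0 before it is published, add a comment saying so and revert to `repository: https://osc.github.io/osc-helm-charts/` once that version is released.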
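Review bot: `skipAuthRoute: "^/api"` is a prefix regex with no terminator, so besides `/api` and `/api/...` it also exempts any path that merely begins with those characters (constructed examples: `/apikeys`, `/api-admin`) from authentication. If the consumer treats the value as a regular expression, as the `^` anchor suggests, tighten it to `skipAuthRoute: "^/api(/|$)"`; if it is still glob-matched, `^` never matches and the previous `/api/*` exemption is silently lost. A one-line comment stating which syntax the value uses would keep the next edit from repeating the ambiguity.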
@@ -13,6 +13,6 @@ dependencies:
 # repository: file://../database
 condition: database.mariadb.enable, database.postgresql.enable
 - name: osc-common
- version: 0.5.0
+ version: 0.7.0
 repository: https://osc.github.io/osc-helm-charts/
 # repository: file://../common
diff --git a/charts/webservice/templates/auth-ingress.yaml b/charts/webservice/templates/auth-ingress.yaml
deleted file mode 100644
index 4eeccb9..0000000
--- a/charts/webservice/templates/auth-ingress.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{ if .Values.auth.enable }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ include "webservice.auth.name" . }}
- labels:
- {{- include "webservice.auth.labels" . | nindent 4 }}
- {{- if (include "webservice.alert.receiver" .) }}
- receiver: {{ include "webservice.alert.receiver" . }}
- {{- end }}
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt
- {{- with .Values.ingress.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.auth.ingress.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- if (include "webservice.ingressHostAlias" .) }}
- nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" .) . }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.auth.ingress.className | default .Values.ingress.className }}
- tls:
- - hosts:
- - {{ tpl (include "webservice.ingressHost" .) . | quote }}
- {{- if (include "webservice.ingressHostAlias" .) }}
- - {{ tpl (include "webservice.ingressHostAlias" .) . | quote }}
- {{- end }}
- secretName: {{ include "webservice.auth.name" . }}-cert
- rules:
- - host: {{ tpl (include "webservice.ingressHost" .) . | quote }}
- http:
- paths:
- - path: /oauth2
- pathType: Prefix
- backend:
- service:
- name: {{ include "webservice.auth.name" . }}
- port:
- number: {{ .Values.auth.service.port }}
- - path: /ping
- pathType: Prefix
- backend:
- service:
- name: {{ include "webservice.auth.name" . }}
- port:
- number: {{ .Values.auth.service.port }}
-{{ end }}
diff --git a/charts/webservice/templates/hooks/remove-auth-ingress.yaml b/charts/webservice/templates/hooks/remove-auth-ingress.yaml
new file mode 100644
index 0000000..7265bb1
--- /dev/null
+++ b/charts/webservice/templates/hooks/remove-auth-ingress.yaml
@@ -0,0 +1,133 @@
+{{ if .Values.auth.enable }}
+{{ $name := printf "%s-remove-auth-ingress" (include "webservice.name" .) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-25"
+ "helm.sh/hook-delete-policy": hook-succeeded
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "osc.common.imagePullSecret" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-20"
+ "helm.sh/hook-delete-policy": hook-succeeded
+imagePullSecrets:
+ - name: {{ $name }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-15"
+ "helm.sh/hook-delete-policy": hook-succeeded
+rules:
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $name }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $name }}
+ labels:
+ app: "remove-auth-ingress"
+ {{ include "osc.common.serviceAccount" . }}
+ {{- include "webservice.labels" . | nindent 4 }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ name: {{ $name }}
+ labels:
+ app: "remove-auth-ingress"
+ {{ include "osc.common.serviceAccount" . }}
+ {{- include "webservice.selectorLabels" . | nindent 8 }}
+ spec:
+ serviceAccountName: {{ $name }}
+ securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+ restartPolicy: Never
+ containers:
+ - name: remove-auth-ingress
+ image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
+ command:
+ - "kubectl"
+ args:
+ - "delete"
+ - "ingress"
+ - {{ include "webservice.auth.name" . | quote }}
+ {{- range $container := .Values.containers }}
+ - {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
+ {{- end }}
+ - "--namespace={{ .Release.Namespace }}"
+ - "--ignore-not-found=true"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ privileged: false
+ resources:
+ limits:
+ cpu: 1
+ memory: 512Mi
+ requests:
+ cpu: 500m
+ memory: 265Mi
+ nodeSelector:
+ {{ include "osc.common.nodeSelectorRole" . }}
+ {{- with .Values.nodeSelector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{ end }}
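Review bot: The Role's `rules:` stanza grants `delete` on every Ingress in the release namespace, while the Job only ever deletes the legacy auth Ingress and the per-container Ingresses whose names are computed in this same template, so the grant can be pinned with `resourceNames` (RBAC honours it for `delete`) and the hook keeps least privilege; the rewritten rule is below. The Job's `requests.memory: 265Mi` looks like a typo for `256Mi` and is worth confirming. Because every hook resource uses `hook-delete-policy: hook-succeeded` only, a failed run leaves the image-pull Secret, ServiceAccount, Role and RoleBinding behind; that is useful while the test workflow dumps the Job logs, but a header comment such as `# Hook resources are retained on failure for debugging; delete them manually after a failed upgrade.` should say so.
```yaml
rules:
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  # Restrict the delete grant to the legacy Ingress names the Job below removes.
  resourceNames:
    - {{ include "webservice.auth.name" . | quote }}
    {{- range $container := .Values.containers }}
    - {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
    {{- end }}
  verbs: ["delete"]
# … unchanged: RoleBinding and Job documents …
```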
diff --git a/charts/webservice/templates/ingress.yaml b/charts/webservice/templates/ingress.yaml
index 366592a..0216dd3 100644
--- a/charts/webservice/templates/ingress.yaml
+++ b/charts/webservice/templates/ingress.yaml
@@ -1,59 +1,56 @@
-{{ $root := . }}
-{{ range $idx, $container := .Values.containers }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- {{- if eq (len $root.Values.containers) 1 }}
- name: {{ include "webservice.name" $root }}
- {{- else }}
- name: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}
- {{- end }}
+ name: {{ include "webservice.name" . }}
 labels:
- {{- include "webservice.labels" $root | nindent 4 }}
- {{- if (include "webservice.alert.receiver" $root) }}
- receiver: {{ include "webservice.alert.receiver" $root }}
+ {{- include "webservice.labels" . | nindent 4 }}
+ {{- if (include "webservice.alert.receiver" .) }}
+ receiver: {{ include "webservice.alert.receiver" . }}
 {{- end }}
 annotations:
- {{- if $root.Values.auth.enable }}
 prometheus.io/probe_scheme: 'https'
- {{- end }}
- {{- if not $root.Values.auth.enable }}
 cert-manager.io/cluster-issuer: letsencrypt
+ {{- with .Values.ingress.annotations }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with $root.Values.ingress.annotations }}
+ {{- if .Values.auth.enable }}
+ {{- with .Values.auth.ingress.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- if and (ne $container.auth false) (eq $root.Values.auth.enable true) }}
- nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
- nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
 {{- end }}
- {{- if (include "webservice.ingressHostAlias" $root) }}
- nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" $root) $root }}
+ {{- if (include "webservice.ingressHostAlias" .) }}
+ nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" .) . }}
 {{- end }}
- {{- if eq $root.Values.appType "rshiny" }}
- {{- toYaml $root.Values.ingress.rShinyAnnotations | nindent 4 }}
+ {{- if eq .Values.appType "rshiny" }}
+ {{- toYaml .Values.ingress.rShinyAnnotations | nindent 4 }}
 {{- end }}
 spec:
- ingressClassName: {{ $root.Values.ingress.className }}
-{{- if or (eq $container.auth false) (eq $root.Values.auth.enable false) }}
+ ingressClassName: {{ .Values.ingress.className }}
 tls:
 - hosts:
- - {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" $root) $root) | quote }}
- {{- if (include "webservice.ingressHostAlias" $root) }}
- - {{ tpl (include "webservice.ingressHostAlias" $root) $root | quote }}
+ - {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" .) .) | quote }}
+ {{- if (include "webservice.ingressHostAlias" .) }}
+ - {{ tpl (include "webservice.ingressHostAlias" .) . | quote }}
 {{- end }}
- secretName: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}-cert
-{{- end }}
+ secretName: {{ include "webservice.name" . }}-cert
 rules:
+ {{ $root := . }}
+ {{- range $idx, $container := .Values.containers }}
 - host: {{ tpl (include "webservice.ingressHost" $root) $root | quote }}
 http:
 paths:
- - path: {{ $container.ingressPath }}
+ - path: /
 pathType: Prefix
 backend:
 service:
+ {{- if $root.Values.auth.enable }}
+ name: {{ include "webservice.auth.name" $root }}
+ port:
+ number: {{ $root.Values.auth.service.port }}
+ {{- else }}
 name: {{ include "webservice.name" $root }}
 port:
 number: {{ $container.port | default (add $root.Values.service.port $idx) }}
-{{ end }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/webservice/values.yaml b/charts/webservice/values.yaml
index 18fc731..ebec844 100644
--- a/charts/webservice/values.yaml
+++ b/charts/webservice/values.yaml
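Review bot: Inside the new `range` over `.Values.containers`, both branches emit `path: /` for the same host, so a chart with more than one container now renders duplicate host/path entries: in the auth branch they all point at the same auth service, and in the non-auth branch they point at different ports where only one can take effect (ingress-nginx may also reject the conflicting paths). Unless `containers` is now expected to hold a single entry, the non-auth branch should keep `- path: {{ $container.ingressPath }}` and the auth backend should be emitted once, outside the loop. The removed `ne $container.auth false` check means `containers[].auth` is no longer consulted by this template, so its documentation in `values.yaml` should state that the per-route exemption presumably moves to `auth.skipAuthRoute`. Minor style: `{{ $root := . }}` without a trim dash renders a whitespace-only line inside `rules:`; write `{{- $root := . }}`.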
@@ -229,6 +229,10 @@ database:
 podSelector:
 app.kubernetes.io/name: '{{ include "webservice.name" . }}'
+hook:
+ image:
+ repository: docker-registry.osc.edu/kubernetes/bitnami/kubectl
+ tag: '1.27.14'
 # Used for network policies
 ingressName: ingress-nginx
 prometheusName: prometheus
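Review bot: The new `hook:` block carries no comment, unlike the neighbouring `# Used for network policies` keys, so a reader of `values.yaml` cannot tell what consumes it; add `# kubectl image run by the chart's pre-install/pre-upgrade hook Jobs` above `hook:`. The tag `'1.27.14'` is pinned independently of the target cluster, and kubectl's supported skew is one minor version either side of the API server, so the comment should also say that operators on newer clusters are expected to override `hook.image.tag` (pinning by digest would additionally make the hook image reproducible).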