OSC · treydock · Jun 13, 2024 · Jun 10, 2024
diff --git a/charts/webservice/Chart.yaml b/charts/webservice/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: webservice
 description: OSC webservice bootstrap Helm Chart
 type: application
-version: 0.35.2
+version: 0.36.0
 appVersion: "0.1.0"
 maintainers:
   - name: treydock
@@ -13,6 +13,6 @@ dependencies:
     # repository: file://../database
     condition: database.mariadb.enable, database.postgresql.enable
   - name: osc-common
-    version: 0.5.0
+    version: 0.7.0
     repository: https://osc.github.io/osc-helm-charts/
     # repository: file://../common
diff --git a/charts/webservice/templates/auth-deployment.yaml b/charts/webservice/templates/auth-deployment.yaml
@@ -71,7 +71,7 @@ spec:
           {{- if ne $container.ingressPath "/" }}
             {{- $path = $container.ingressPath }}
           {{- end }}
-          - --upstream=http://{{ tpl $container.name $root }}.{{ $root.Release.Namespace }}.svc.cluster.local:{{ $container.port | default (add $root.Values.service.port $idx) }}{{ $path }}
+          - --upstream=http://{{ include "webservice.name" $root }}.{{ $root.Release.Namespace }}.svc.cluster.local:{{ $container.port | default (add $root.Values.service.port $idx) }}{{ $path }}
         {{- end }}
           - --metrics-address=:{{ .Values.auth.metricsService.port }}
           {{- if (include "webservice.idpHost" .) }}

diff --git a/charts/webservice/templates/auth-ingress.yaml b/charts/webservice/templates/auth-ingress.yaml
diff --git a/charts/webservice/templates/hooks/remove-auth-ingress.yaml b/charts/webservice/templates/hooks/remove-auth-ingress.yaml
@@ -0,0 +1,161 @@
+{{ if .Values.auth.enable }}
+{{ $name := printf "%s-remove-auth-ingress" (include "webservice.name" .) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "webservice.labels" . | nindent 4 }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-25"
+    "helm.sh/hook-delete-policy": hook-succeeded
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "osc.common.imagePullSecret" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "webservice.labels" . | nindent 4 }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-20"
+    "helm.sh/hook-delete-policy": hook-succeeded
+imagePullSecrets:
+  - name: {{ $name }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "webservice.labels" . | nindent 4 }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-15"
+    "helm.sh/hook-delete-policy": hook-succeeded
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["delete"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "webservice.labels" . | nindent 4 }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $name }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  labels:
+    app: "remove-auth-ingress"
+    {{ include "osc.common.serviceAccount" . }}
+    {{- include "webservice.labels" . | nindent 4 }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: {{ $name }}
+      labels:
+        app: "remove-auth-ingress"
+        {{ include "osc.common.serviceAccount" . }}
+        {{- include "webservice.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ $name }}
+      securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+      restartPolicy: Never
+      containers:
+      - name: remove-auth-ingress
+        image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
+        command:
+          - "kubectl"
+        args:
+          - "delete"
+          - "ingress"
+          - {{ include "webservice.auth.name" . | quote }}
+          {{- range $container := .Values.containers }}
+          - {{ printf "%s-%s" (include "webservice.name" $) (tpl $container.name $) | quote }}
+          {{- end }}
+          - "--namespace={{ .Release.Namespace }}"
+          - "--ignore-not-found=true"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+          privileged: false
+        resources:
+          limits:
+            cpu: 1
+            memory: 512Mi
+          requests:
+            cpu: 500m
+            memory: 265Mi
+      - name: remove-auth-secret
+        image: "{{ .Values.hook.image.repository }}:{{ .Values.hook.image.tag }}"
+        command:
+          - "kubectl"
+        args:
+          - "delete"
+          - "secret"
+          - {{ include "webservice.auth.name" . }}-cert
+          - "--namespace={{ .Release.Namespace }}"
+          - "--ignore-not-found=true"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+          privileged: false
+        resources:
+          limits:
+            cpu: 1
+            memory: 512Mi
+          requests:
+            cpu: 500m
+            memory: 265Mi
+      nodeSelector:
+        {{ include "osc.common.nodeSelectorRole" . }}
+      {{- with .Values.nodeSelector }}
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{ end }}
diff --git a/charts/webservice/templates/ingress.yaml b/charts/webservice/templates/ingress.yaml
@@ -1,59 +1,56 @@
-{{ $root := . }}
-{{ range $idx, $container := .Values.containers }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  {{- if eq (len $root.Values.containers) 1 }}
-  name: {{ include "webservice.name" $root }}
-  {{- else }}
-  name: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}
-  {{- end }}
+  name: {{ include "webservice.name" . }}
   labels:
-    {{- include "webservice.labels" $root | nindent 4 }}
-  {{- if (include "webservice.alert.receiver" $root) }}
-    receiver: {{ include "webservice.alert.receiver" $root }}
+    {{- include "webservice.labels" . | nindent 4 }}
+  {{- if (include "webservice.alert.receiver" .) }}
+    receiver: {{ include "webservice.alert.receiver" . }}
   {{- end }}
   annotations:
-    {{- if $root.Values.auth.enable }}
     prometheus.io/probe_scheme: 'https'
-    {{- end }}
-    {{- if not $root.Values.auth.enable }}
     cert-manager.io/cluster-issuer: letsencrypt
+    {{- with .Values.ingress.annotations }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
-    {{- with $root.Values.ingress.annotations }}
+    {{- if .Values.auth.enable }}
+    {{- with .Values.auth.ingress.annotations }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
-    {{- if and (ne $container.auth false) (eq $root.Values.auth.enable true) }}
-    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
-    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
     {{- end }}
-    {{- if (include "webservice.ingressHostAlias" $root) }}
-    nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" $root) $root }}
+    {{- if (include "webservice.ingressHostAlias" .) }}
+    nginx.ingress.kubernetes.io/server-alias: {{ tpl (include "webservice.ingressHostAlias" .) . }}
     {{- end }}
-    {{- if eq $root.Values.appType "rshiny" }}
-      {{- toYaml $root.Values.ingress.rShinyAnnotations | nindent 4 }}
+    {{- if eq .Values.appType "rshiny" }}
+      {{- toYaml .Values.ingress.rShinyAnnotations | nindent 4 }}
     {{- end }}
 spec:
-  ingressClassName: {{ $root.Values.ingress.className }}
-{{- if or (eq $container.auth false) (eq $root.Values.auth.enable false) }}
+  ingressClassName: {{ .Values.ingress.className }}
   tls:
   - hosts:
-    - {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" $root) $root) | quote }}
-  {{- if (include "webservice.ingressHostAlias" $root) }}
-    - {{ tpl (include "webservice.ingressHostAlias" $root) $root | quote }}
+    - {{ required "Must provide ingress host" (tpl (include "webservice.ingressHost" .) .) | quote }}
+  {{- if (include "webservice.ingressHostAlias" .) }}
+    - {{ tpl (include "webservice.ingressHostAlias" .) . | quote }}
   {{- end }}
-    secretName: {{ include "webservice.name" $root }}-{{ tpl $container.name $root }}-cert
-{{- end }}
+    secretName: {{ include "webservice.name" . }}-cert
   rules:
+  {{ $root := . }}
+  {{- range $idx, $container := .Values.containers }}
   - host: {{ tpl (include "webservice.ingressHost" $root) $root | quote }}
     http:
       paths:
-      - path: {{ $container.ingressPath }}
+      - path: /
         pathType: Prefix
         backend:
           service:
+          {{- if $root.Values.auth.enable }}
+            name: {{ include "webservice.auth.name" $root }}
+            port:
+              number: {{ $root.Values.auth.service.port }}
+          {{- else }}
             name: {{ include "webservice.name" $root }}
             port:
               number: {{ $container.port | default (add $root.Values.service.port $idx) }}
-{{ end }}
+          {{- end }}
+  {{- end }}
diff --git a/charts/webservice/values.yaml b/charts/webservice/values.yaml
@@ -229,6 +229,10 @@ database:
           podSelector:
             app.kubernetes.io/name: '{{ include "webservice.name" . }}'
 
+hook:
+  image:
+    repository: docker-registry.osc.edu/kubernetes/bitnami/kubectl
+    tag: '1.27.14'
 # Used for network policies
 ingressName: ingress-nginx
 prometheusName: prometheus