diff --git a/.github/workflows/account-operator-crds.yaml b/.github/workflows/account-operator-crds.yaml
index f1155214c..258f82dfd 100644
--- a/.github/workflows/account-operator-crds.yaml
+++ b/.github/workflows/account-operator-crds.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/account-operator-crds/**' - '.github/workflows/account-operator-crds.yaml' + pull_request: + paths: + - 'charts/account-operator-crds/**' + - '.github/workflows/account-operator-crds.yaml' jobs: pipeline:
diff --git a/.github/workflows/account-operator.yaml b/.github/workflows/account-operator.yaml
index ae256929a..c4840a5d6 100644
--- a/.github/workflows/account-operator.yaml
+++ b/.github/workflows/account-operator.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/account-operator/**' - '.github/workflows/account-operator.yaml' + pull_request: + paths: + - 'charts/account-operator/**' + - '.github/workflows/account-operator.yaml' jobs: pipeline:
diff --git a/.github/workflows/common.yaml b/.github/workflows/common.yaml
index 0c6009415..40e3b3f5a 100644
--- a/.github/workflows/common.yaml
+++ b/.github/workflows/common.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/common/**' - '.github/workflows/common.yaml' + pull_request: + paths: + - 'charts/common/**' + - '.github/workflows/common.yaml' jobs: pipeline:
diff --git a/.github/workflows/example-content.yaml b/.github/workflows/example-content.yaml
index 08787ed1b..dfb3457df 100644
--- a/.github/workflows/example-content.yaml
+++ b/.github/workflows/example-content.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/example-content/**' - 'example-content.yaml' + pull_request: + paths: + - 'charts/example-content/**' + - 'example-content.yaml' jobs: pipeline:
diff --git a/.github/workflows/extension-manager-operator-crds.yaml b/.github/workflows/extension-manager-operator-crds.yaml
index cd3a3c47b..006e3bdb4 100644
--- a/.github/workflows/extension-manager-operator-crds.yaml
+++ b/.github/workflows/extension-manager-operator-crds.yaml
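Review bot: The new `pull_request` trigger runs the `pipeline` job (which starts outside the hunk) on pull-request events, where a pull request from a fork gets a read-only `GITHUB_TOKEN` and no repository secrets; if `pipeline` publishes charts, its publishing steps need a guard such as `if: github.event_name != 'pull_request'`, or the reusable workflow it calls must handle that itself. A path-filtered `pull_request` workflow also reports no check at all for pull requests that touch none of the listed paths, so if these workflows are later made required status checks such pull requests stay blocked; GitHub's documented workaround is a same-named workflow that always succeeds, or dropping the filter. The same addition appears in the account-operator, common and example-content hunks on this line and in the extension-manager-operator-crds, extension-manager-operator, infra, keycloak, openmfp-crds, openmfp and portal hunks below.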
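Review bot: The new `pull_request.paths` entry for the example-content workflow repeats `'example-content.yaml'` from the existing filter, whereas every sibling workflow in this commit lists its own file as `'.github/workflows/<name>.yaml'`; unless a root-level `example-content.yaml` exists, this entry never matches and edits to the workflow itself do not trigger it. The entry should read `- '.github/workflows/example-content.yaml'` in both the existing filter and the new one.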
@@ -4,6 +4,10 @@ on: paths: - 'charts/extension-manager-operator-crds/**' - '.github/workflows/extension-manager-operator-crds.yaml' + pull_request: + paths: + - 'charts/extension-manager-operator-crds/**' + - '.github/workflows/extension-manager-operator-crds.yaml' jobs: pipeline:
diff --git a/.github/workflows/extension-manager-operator.yaml b/.github/workflows/extension-manager-operator.yaml
index 75c5e926b..d57c60583 100644
--- a/.github/workflows/extension-manager-operator.yaml
+++ b/.github/workflows/extension-manager-operator.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/extension-manager-operator/**' - '.github/workflows/extension-manager-operator.yaml' + pull_request: + paths: + - 'charts/extension-manager-operator/**' + - '.github/workflows/extension-manager-operator.yaml' jobs: pipeline:
diff --git a/.github/workflows/infra.yaml b/.github/workflows/infra.yaml
index 05b6436d9..b8f3230b6 100644
--- a/.github/workflows/infra.yaml
+++ b/.github/workflows/infra.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/infra/**' - '.github/workflows/infra.yaml' + pull_request: + paths: + - 'charts/infra/**' + - '.github/workflows/infra.yaml' jobs: pipeline:
diff --git a/.github/workflows/keycloak.yaml b/.github/workflows/keycloak.yaml
index 7acef9401..f81c0e702 100644
--- a/.github/workflows/keycloak.yaml
+++ b/.github/workflows/keycloak.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/keycloak/**' - '.github/workflows/keycloak.yaml' + pull_request: + paths: + - 'charts/keycloak/**' + - '.github/workflows/keycloak.yaml' jobs: pipeline:
diff --git a/.github/workflows/kind-localsetup.yaml b/.github/workflows/kind-localsetup.yaml
index 90164d21f..d4d34d42f 100644
--- a/.github/workflows/kind-localsetup.yaml
+++ b/.github/workflows/kind-localsetup.yaml
@@ -1,11 +1,11 @@ name: Test local setup on: pull_request: - branches: - - '**' + paths: + - 'local-setup/**' concurrency: - group: localsetup-${{ github.ref }} + group: localsetup-${{ github.event.pull_request.number }} cancel-in-progress: false jobs:
@@ -56,7 +56,7 @@ jobs: echo "Describe all helmreleases which are not Ready yet" kubectl get helmreleases -A -o json | jq -r '.items[] | select(.status.conditions[]? | select(.type == "Ready" and .status != "True")) | "\(.metadata.namespace) \(.metadata.name)"' | while read namespace name; do kubectl describe helmrelease $name -n $namespace; done echo "Print imagePullSecret" - kubectl get secret ghcr-credentials -n openmfp-system -o yaml + kubectl get secret github -n openmfp-system -o yaml echo "Test docker login and pull" docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ steps.generate-token.outputs.token }} docker pull ghcr.io/openmfp/portal:0.287.0
@@ -64,7 +64,7 @@ jobs: # Step 4: Prepare the NodeJS/playwright environment - name: Cache node modules - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/node_modules key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -73,7 +73,7 @@ jobs: # Step 5: Install NodeJS and dependencies - name: Node ${{ matrix.node-version }} - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} cache: 'npm'
diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml
deleted file mode 100644
index 54f033b46..000000000
--- a/.github/workflows/licenses.yml
+++ /dev/null
@@ -1,18 +0,0 @@ -name: "Update License Metadata" - -on: - push: - branches: [ "main" ] - schedule: - - cron: '32 16 * * 0' - -jobs: - license: - concurrency: - group: license-${{ github.ref }} - cancel-in-progress: true - permissions: - contents: write - pull-requests: write - uses: openmfp/gha/.github/workflows/job-license-metadata.yml@main - secrets: inherit
\ No newline at end of file
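Review bot: The new `paths` filter lists only `'local-setup/**'`, so this workflow no longer runs for pull requests that change `charts/**` even though the job below appears to exercise the deployed charts (it describes HelmReleases that are not Ready and pulls the portal image), and it also omits the workflow file itself, which every other workflow in this commit includes in its own filter. Consider adding `- 'charts/**'` and `- '.github/workflows/kind-localsetup.yaml'` next to `'local-setup/**'`, or a comment stating why chart changes are deliberately excluded from the local-setup test. The `concurrency.group` switch to `github.event.pull_request.number` is consistent with the remaining `pull_request`-only trigger.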
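Review bot: `kubectl get secret github -n openmfp-system -o yaml` in the second hunk still dumps the whole secret body into the job log; the `.data` field holds the base64-encoded payload (for an imagePullSecret, the registry credentials), and GitHub's log masking covers the raw token from `steps.generate-token.outputs.token` but not its base64 form, so on a `pull_request` run of a public repository those credentials are readable by anyone who opens the log. Replace it with `kubectl get secret github -n openmfp-system`, which confirms existence, type and key count without printing the payload. The `docker login ... -p ${{ steps.generate-token.outputs.token }}` on the next context line is pre-existing, but `--password-stdin` would keep the token out of the process list as well; the surrounding step starts and ends outside the hunk.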
diff --git a/.github/workflows/openmfp-crds.yaml b/.github/workflows/openmfp-crds.yaml
index 6c9dc372d..42508ec07 100644
--- a/.github/workflows/openmfp-crds.yaml
+++ b/.github/workflows/openmfp-crds.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/openmfp-crds/**' - '.github/workflows/openmfp-crds.yaml' + pull_request: + paths: + - 'charts/openmfp-crds/**' + - '.github/workflows/openmfp-crds.yaml' jobs: pipeline:
diff --git a/.github/workflows/openmfp.yaml b/.github/workflows/openmfp.yaml
index fd32206c7..bb252ae06 100644
--- a/.github/workflows/openmfp.yaml
+++ b/.github/workflows/openmfp.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/openmfp/**' - '.github/workflows/openmfp.yaml' + pull_request: + paths: + - 'charts/openmfp/**' + - '.github/workflows/openmfp.yaml' jobs: pipeline:
diff --git a/.github/workflows/portal.yaml b/.github/workflows/portal.yaml
index 63f6f3caf..60884509d 100644
--- a/.github/workflows/portal.yaml
+++ b/.github/workflows/portal.yaml
@@ -4,6 +4,10 @@ on: paths: - 'charts/portal/**' - '.github/workflows/portal.yaml' + pull_request: + paths: + - 'charts/portal/**' + - '.github/workflows/portal.yaml' jobs: pipeline:
diff --git a/.gitignore b/.gitignore
index eaf5d7f54..2838cf577 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@ +.DS_Store .idea .vscode/settings.json .secret bin/ node_modules/ -oci/
\ No newline at end of file
+/oci/ +local-setup/e2e/test-results/.last-run.json
diff --git a/.kube-linter.yaml b/.kube-linter.yaml
new file mode 100644
index 000000000..a149c1ec7
--- /dev/null
+++ b/.kube-linter.yaml
@@ -0,0 +1,4 @@ +checks: + ignorePaths: + - charts/keycloak/charts/keycloak/** + - charts/openmfp/charts/**
\ No newline at end of file
diff --git a/.reuse/dep5 b/.reuse/dep5
index 07da47769..8aa6abaa7 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
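Review bot: The new `.kube-linter.yaml` excludes `charts/keycloak/charts/keycloak/**` and `charts/openmfp/charts/**` from kube-linter without saying why, so a reader cannot tell whether leaving the upstream keycloak subchart unlinted is an accepted gap or an oversight; a comment above `ignorePaths` such as `# vendored dependency charts: linted in their source repositories, not here` (or whatever the actual reason is) would make the exclusion reviewable. The file also lacks a trailing newline.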
@@ -4,6 +4,6 @@ Upstream-Contact: Source: https://github.com/openmfp/helm-charts Files: * -Copyright: 2024 SAP SE or an SAP affiliate company and openMFP contributors and helm-charts contributors. +Copyright: 2025 SAP SE or an SAP affiliate company and openMFP contributors and helm-charts contributors. License: Apache-2.0
diff --git a/CODEOWNERS b/CODEOWNERS
index d201bd260..d9121ea43 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -3,3 +3,5 @@ Chart.lock Chart.yaml *.tgz +local-setup/kustomize/components/openmfp/repository.yaml +local-setup/kustomize/components/openmfp-crds/repository.yaml
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 93a2c81f5..f4dfe9983 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,6 +20,32 @@ You are welcome to contribute with your pull requests. These steps explain the c > **NOTE:** You should always add tests if you are adding code to our repository. To let chart tests run locally, run `helm unittest -u `. +To start bootstrapping using the local charts from a local oci repository, package the charts and run the string with the `oci` parameter: +```sh +task helmpackage +./local-setup/scripts/start.sh oci +``` + +Also ensure the proper chart versions are referenced in the OCIRepository patches, before running the start script. + +To reference local chart dependencies, change the Chart.yaml file to point to local chart folder like so: +```yaml +apiVersion: v2 +name: openmfp +description: The OpenMFP chart for Kubernetes +type: application +version: 0.0.194 +appVersion: "0.0.0" + +dependencies: + - name: keycloak + version: 0.61.0 + repository: file://../keycloak + condition: components.keycloak.enabled +``` + +After such change, Increment the `version` and make sure to run `helm dependency update` on to dependencies first and last on the top-level chart which links them. Update the patch versions to reflect your changes. + ## Issues We use GitHub issues to track bugs. Please ensure your description is clear and includes sufficient instructions to reproduce the issue.
diff --git a/README.md b/README.md
index 09305a08d..91e22fe3a 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@ # OpenMFP - helm-charts +[![REUSE status]( +https://api.reuse.software/badge/github.com/openmfp/helm-charts)](https://api.reuse.software/info/github.com/openmfp/helm-charts) + This repository contains public helm charts for the OpenMFP project. ## Github Actions
@@ -31,5 +34,5 @@ Please refer to the [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) file in this reposi ## Licensing -Copyright 2024 SAP SE or an SAP affiliate company and OpenMFP contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/openmfp/helm-charts). +Copyright 2025 SAP SE or an SAP affiliate company and OpenMFP contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/openmfp/helm-charts).
diff --git a/REUSE.toml b/REUSE.toml
new file mode 100644
index 000000000..517aa77f3
--- /dev/null
+++ b/REUSE.toml
@@ -0,0 +1,9 @@ +version = 1 +SPDX-PackageName = "helm-charts" +SPDX-PackageDownloadLocation = "https://github.com/openmfp/helm-charts" + +[[annotations]] +path = "**" +precedence = "aggregate" +SPDX-FileCopyrightText = "2025 SAP SE or an SAP affiliate company and openMFP contributors and helm-charts contributors." +SPDX-License-Identifier = "Apache-2.0"
diff --git a/Taskfile.yaml b/Taskfile.yaml
index b2a79836a..ed2844a72 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -43,10 +43,11 @@ tasks: - "for chart in $(echo {{.CHARTS}} | tr ',' ' '); do helm dependency update $chart; done" validate: cmds: - - task: lint - # - task: package - task: test - - task: vulnerability + - task: helm-docs + - task: update + - task: lint + - task: oci vulnerability: deps: - task: setup:kube-lint
@@ -65,3 +66,7 @@ tasks: - task: helmpackage cmds: - "for chart in $(echo {{.PACKAGED_CHARTS}} | tr ',' ' '); do helm push $chart oci://localhost:5000/openmfp; done" + oci: + cmds: + - "rm oci/* || true" + - task: helmpackage
\ No newline at end of file
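Review bot: The rewritten `validate` task drops `- task: vulnerability`, so the kube-linter run (and with it the new `.kube-linter.yaml`) is no longer part of the default validation gate even though the `vulnerability` task itself remains defined a few lines below; if that is intentional it deserves a comment, otherwise re-add `- task: vulnerability` after `- task: lint`. In the new `oci` task, `"rm oci/* || true"` also masks real failures such as a permission error; `"rm -f oci/*"` tolerates an empty or missing directory without hiding other errors. The file's last line lacks a trailing newline.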
diff --git a/charts/account-operator/Chart.lock b/charts/account-operator/Chart.lock
index 8eb4a04be..6aee494c4 100644
--- a/charts/account-operator/Chart.lock
+++ b/charts/account-operator/Chart.lock
@@ -4,6 +4,6 @@ dependencies: version: 0.1.11 - name: common repository: oci://ghcr.io/openmfp/helm-charts - version: 0.2.7 -digest: sha256:076f1128f18954e6b9b2e7fe39882197c683415ae2a089f0757e358e62a018b9 -generated: "2025-01-14T21:12:11.220820816Z" + version: 0.2.10 +digest: sha256:d51690d7efa7b0242f5822f35f89d8657ac1fafa8c888e36e07e9aa0c60b37c5 +generated: "2025-02-13T08:50:58.976440421+02:00"
diff --git a/charts/account-operator/Chart.yaml b/charts/account-operator/Chart.yaml
index 5698564f8..68ea23dd0 100644
--- a/charts/account-operator/Chart.yaml
+++ b/charts/account-operator/Chart.yaml
@@ -2,13 +2,13 @@ apiVersion: v2 name: account-operator description: A Helm chart to deploy OpenMFP Account-Operator type: application -version: 0.5.65 -appVersion: "0.153.0" +version: 0.6.9 +appVersion: "0.163.0" dependencies: - name: account-operator-crds version: 0.1.11 condition: crds.enabled repository: oci://ghcr.io/openmfp/helm-charts - name: common - version: 0.2.7 + version: 0.2.10 repository: oci://ghcr.io/openmfp/helm-charts
diff --git a/charts/account-operator/README.md b/charts/account-operator/README.md
index ce3da22b7..8810226ae 100644
--- a/charts/account-operator/README.md
+++ b/charts/account-operator/README.md
@@ -23,19 +23,19 @@ A Helm chart to deploy OpenMFP Account-Operator | kcp.enabled | bool | `false` | Enable KCP | | kcp.virtualWorkspaceUrl | string | `""` | The URL for the virtual workspace | | kubeconfigSecret | string | `""` | The secret for kubeconfig | -| logLevel | string | `"warn"` | The log level | | security.mountServiceAccountToken | bool | `true` | Mount the service account token | | subroutines.extension.enabled | bool | `true` | Enable extension subroutines | | subroutines.extensionReady.enabled | bool | `true` | Enable extension ready subroutines | | subroutines.fga.creatorRelation | string | `"owner"` | The creator relation for FGA | | subroutines.fga.enabled | bool | `true` | Enable FGA subroutines | -| subroutines.fga.grpcAddr | string | `""` | The gRPC address for FGA | +| subroutines.fga.grpcAddr | string | `"openmfp-openfga:8081"` | The gRPC address for FGA | | subroutines.fga.objectType | string | `"account"` | The object type for FGA | | subroutines.fga.parentRelation | string | `"parent"` | The parent relation for FGA | | subroutines.fga.rootNamespace | string | `"openmfp-root"` | The root namespace for FGA | | subroutines.namespace.enabled | bool | `true` | Enable namespace subroutines | | webhooks.certDir | string | `"/certs"` | The directory for webhook certificates | -| webhooks.enabled | bool | `false` | Enable webhooks | +| webhooks.enabled | bool | `true` | Enable webhooks | +| webhooks.register | bool | `false` | Register webhooks, flag to toggle if webhooks should be registered on the runtime cluster | ## Overriding Values
diff --git a/charts/account-operator/charts/account-operator-crds-0.1.11.tgz b/charts/account-operator/charts/account-operator-crds-0.1.11.tgz
index 799a2434c..a94f7e961 100644
Binary files a/charts/account-operator/charts/account-operator-crds-0.1.11.tgz and b/charts/account-operator/charts/account-operator-crds-0.1.11.tgz differ
diff --git a/charts/account-operator/charts/common-0.2.10.tgz b/charts/account-operator/charts/common-0.2.10.tgz
new file mode 100644
index 000000000..fed83c114
Binary files /dev/null and b/charts/account-operator/charts/common-0.2.10.tgz differ
diff --git a/charts/account-operator/charts/common-0.2.7.tgz b/charts/account-operator/charts/common-0.2.7.tgz
deleted file mode 100644
index 5749aba34..000000000
Binary files a/charts/account-operator/charts/common-0.2.7.tgz and /dev/null differ
diff --git a/charts/account-operator/templates/deployment.yaml b/charts/account-operator/templates/deployment.yaml
index 334845ac1..c106a3df8 100644
--- a/charts/account-operator/templates/deployment.yaml
+++ b/charts/account-operator/templates/deployment.yaml
@@ -32,7 +32,6 @@ spec: - args: - operator - --leader-elect - - --log-level={{ .Values.logLevel }} - '--health-probe-bind-address=:{{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }}' image: {{ .Values.image.name }}:{{ .Chart.AppVersion }} name: manager
@@ -47,6 +46,7 @@ spec: {{- include "common.operatorHealthAndReadyness" . | nindent 10 -}} {{- include "common.resources" . | nindent 10 }} env: + {{- include "common.basicEnvironment" . | nindent 10 }} - name: SUBROUTINES_NAMESPACE_ENABLED value: "{{ .Values.subroutines.namespace.enabled }}" - name: SUBROUTINES_FGA_ENABLED
diff --git a/charts/account-operator/templates/webhook/mutation-webhook.yaml b/charts/account-operator/templates/webhook/mutation-webhook.yaml
index 67d469527..f50c219a7 100644
--- a/charts/account-operator/templates/webhook/mutation-webhook.yaml
+++ b/charts/account-operator/templates/webhook/mutation-webhook.yaml
@@ -1,4 +1,4 @@ -{{- if .Values.webhooks.enabled -}} +{{- if and .Values.webhooks.enabled .Values.webhooks.register -}} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata:
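Review bot: Dropping `--log-level={{ .Values.logLevel }}` moves the log level to the `LOG_LEVEL` env var emitted by `common.basicEnvironment`, which reads `(.Values.log).level | default "info"` (visible in the _deploymentHelpers.tpl hunk below), but the `logLevel` key is deleted from values.yaml without a replacement `log.level` entry or README row, so anyone who set `logLevel: warn` silently falls back to `info` (the regenerated snapshots show `LOG_LEVEL` as `info`). Add to values.yaml `# -- The log level (replaces the removed logLevel key)` / `log:` / `  level: info`, and call out the rename in the chart's README or changelog. The values.yaml hunk below has the same gap.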
@@ -9,10 +9,7 @@ webhooks: - admissionReviewVersions: - v1 clientConfig: - service: - name: {{ include "common.entity.name" . }}-webhook - namespace: {{ .Release.Namespace }} - path: /mutate-core-openmfp-io-v1alpha1-account + url: {{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc:9443/mutate-core-openmfp-io-v1alpha1-account failurePolicy: Fail name: maccount.kb.io rules:
diff --git a/charts/account-operator/templates/webhook/service.yaml b/charts/account-operator/templates/webhook/service.yaml
index c42d42a78..c3e98738b 100644
--- a/charts/account-operator/templates/webhook/service.yaml
+++ b/charts/account-operator/templates/webhook/service.yaml
@@ -5,7 +5,7 @@ metadata: name: {{ include "common.entity.name" . }}-webhook spec: ports: - - port: 443 + - port: 9443 protocol: TCP targetPort: 9443 selector:
diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap
index 9fd7469e4..e9ef05d1b 100644
--- a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap
+++ b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap
@@ -278,6 +278,8 @@ operator match the snapshot: apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3
@@ -286,7 +288,8 @@ operator match the snapshot: service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator
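Review bot: The new `url:` value has no scheme; the API server rejects a `clientConfig.url` that does not start with `https://`, and the Kubernetes API reference also advises against pointing `url` at an in-cluster service because kube-apiserver does not resolve cluster DNS on every topology, so `account-operator-webhook.<ns>.svc` may fail to resolve where the removed `service:` form would have worked. If the goal is registering the webhook on a different runtime cluster, as the `register` value suggests, the `.svc` name would not resolve there either and the host needs to become a configurable value; at minimum the line should be `url: "https://{{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc:9443/mutate-core-openmfp-io-v1alpha1-account"`. The "with webhook enabled" snapshot hunk below drops the MutatingWebhookConfiguration document entirely, so no test now renders this template; a case setting `webhooks.register: true` would have caught the missing scheme. The regenerated snapshots also carry `cert-manager.io/inject-ca-from` on the Deployment itself, which cert-manager's cainjector ignores; it is not added by the deployment.yaml hunk, so presumably it comes from common 0.2.10 and belongs only on the webhook configuration.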
@@ -296,15 +299,16 @@ operator match the snapshot: - args: - operator - --leader-elect - - --log-level=warn - --health-probe-bind-address=:8081 env: + - name: LOG_LEVEL + value: info - name: SUBROUTINES_NAMESPACE_ENABLED value: "true" - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE
@@ -322,7 +326,7 @@ operator match the snapshot: - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs image: ghcr.io/openmfp/account-operator:0.0.0
@@ -340,6 +344,9 @@ operator match the snapshot: - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz
@@ -364,7 +371,10 @@ operator match the snapshot: path: /readyz port: 8081 periodSeconds: 10 - volumeMounts: null + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true hostAliases: - hostnames: - kcp.dev.local
@@ -375,7 +385,11 @@ operator match the snapshot: type: RuntimeDefault serviceAccountName: account-operator terminationGracePeriodSeconds: 10 - volumes: null + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets:
@@ -383,6 +397,39 @@ operator match the snapshot: kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 7: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 8: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 9443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot (with kubeconfigSecret): 1: | apiVersion: apiextensions.k8s.io/v1
@@ -663,6 +710,8 @@ operator match the snapshot (with kubeconfigSecret): apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3
@@ -671,7 +720,8 @@ operator match the snapshot (with kubeconfigSecret): service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator
@@ -681,15 +731,16 @@ operator match the snapshot (with kubeconfigSecret): - args: - operator - --leader-elect - - --log-level=warn - --health-probe-bind-address=:8081 env: + - name: LOG_LEVEL + value: info - name: SUBROUTINES_NAMESPACE_ENABLED value: "true" - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE
@@ -707,7 +758,7 @@ operator match the snapshot (with kubeconfigSecret): - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs - name: KUBECONFIG
@@ -727,6 +778,9 @@ operator match the snapshot (with kubeconfigSecret): - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz
@@ -754,6 +808,9 @@ operator match the snapshot (with kubeconfigSecret): volumeMounts: - mountPath: /api-kubeconfig name: external-api-server + - mountPath: /certs + name: cert + readOnly: true securityContext: runAsNonRoot: true seccompProfile:
@@ -764,6 +821,10 @@ operator match the snapshot (with kubeconfigSecret): - name: external-api-server secret: secretName: kubeconfig + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets:
@@ -771,6 +832,39 @@ operator match the snapshot (with kubeconfigSecret): kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 7: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 8: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 9443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot with webhook enabled: 1: | apiVersion: apiextensions.k8s.io/v1
@@ -1072,15 +1166,16 @@ operator match the snapshot with webhook enabled: - args: - operator - --leader-elect - - --log-level=warn - --health-probe-bind-address=:8081 env: + - name: LOG_LEVEL + value: info - name: SUBROUTINES_NAMESPACE_ENABLED value: "true" - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE
@@ -1166,40 +1261,13 @@ operator match the snapshot with webhook enabled: metadata: name: account-operator 6: | - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert - name: account-operator-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: account-operator-webhook - namespace: NAMESPACE - path: /mutate-core-openmfp-io-v1alpha1-account - failurePolicy: Fail - name: maccount.kb.io - rules: - - apiGroups: - - core.openmfp.io - apiVersions: - - v1alpha1 - operations: - - CREATE - resources: - - accounts - sideEffects: None - 7: | apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: account-operator-selfsigned-issuer spec: selfSigned: {} - 8: | + 7: | apiVersion: cert-manager.io/v1 kind: Certificate metadata:
@@ -1212,14 +1280,14 @@ operator match the snapshot with webhook enabled: kind: Issuer name: account-operator-selfsigned-issuer secretName: account-operator-webhook-server-cert - 9: | + 8: | apiVersion: v1 kind: Service metadata: name: account-operator-webhook spec: ports: - - port: 443 + - port: 9443 protocol: TCP targetPort: 9443 selector:
diff --git a/charts/account-operator/values.yaml b/charts/account-operator/values.yaml
index 86ba12136..c75a0c78a 100644
--- a/charts/account-operator/values.yaml
+++ b/charts/account-operator/values.yaml
@@ -10,7 +10,10 @@ crds: webhooks: # -- Enable webhooks - enabled: false + enabled: true + + # -- Register webhooks, flag to toggle if webhooks should be registered on the runtime cluster + register: false # -- The directory for webhook certificates certDir: /certs
@@ -29,7 +32,7 @@ subroutines: # -- Enable FGA subroutines enabled: true # -- The gRPC address for FGA - grpcAddr: "" + grpcAddr: openmfp-openfga:8081 # -- The root namespace for FGA rootNamespace: openmfp-root # -- The object type for FGA
@@ -47,8 +50,6 @@ subroutines: # -- The secret for kubeconfig kubeconfigSecret: "" -# -- The log level -logLevel: warn security: # -- Mount the service account token
diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml
index 3463935e2..b837b78e0 100644
--- a/charts/common/Chart.yaml
+++ b/charts/common/Chart.yaml
@@ -4,4 +4,4 @@ description: A Helm chart containing reuse templates type: library -version: 0.2.7 +version: 0.2.10
diff --git a/charts/common/README.md b/charts/common/README.md
index 0f4a6de63..89cc2a7c7 100644
--- a/charts/common/README.md
+++ b/charts/common/README.md
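Review bot: Flipping `webhooks.enabled` to `true` by default makes cert-manager a hard prerequisite of a plain install — the regenerated snapshots render a `cert-manager.io/v1` Issuer and Certificate, a 9443 container port and a cert volume in the base case — while `register: false` means the admission endpoint is served but never registered, so `failurePolicy: Fail` has no effect until an operator flips `register`. Neither consequence is visible from the value comments; expand them to `# -- Enable webhook serving (requires cert-manager CRDs; exposes port 9443 and mounts the serving cert)` and `# -- Register the MutatingWebhookConfiguration on the runtime cluster; admission is not enforced until this is true`.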
@@ -13,16 +13,16 @@ A Helm chart containing reuse templates | defaults.deployment.resources.requests | object | `{"cpu":"40m","memory":"50Mi"}` | cpu and memory requests for the deployment | | defaults.deployment.revisionHistoryLimit | int | `3` | deployment revision history limit | | defaults.deployment.strategy | string | `"RollingUpdate"` | deployment strategy | -| defaults.externalSecrets.enabled | bool | `true` | toggle to enable/disable external-secrets | -| defaults.fga.enabled | bool | `false` | toggle to enable/disable experimental FGA features | +| defaults.externalSecrets.enabled | bool | `false` | toggle to enable/disable external-secrets | +| defaults.fga.enabled | bool | `true` | toggle to enable/disable experimental FGA features | | defaults.health.liveness | object | `{"failureThreshold":1,"path":"/healthz"}` | liveness probe parameters | | defaults.health.periodSeconds | int | `10` | health period | | defaults.health.port | int | `8081` | health port | | defaults.health.readiness | object | `{"initialDelaySeconds":5,"path":"/readyz","periodSeconds":10}` | readiness probe parameters | | defaults.health.startup | object | `{"failureThreshold":30,"path":"/readyz"}` | startup probe parameters | -| defaults.imagePullPolicy | string | `"Always"` | imagePullPolicy is the policy to use when pulling images for all charts | +| defaults.imagePullPolicy | string | `"IfNotPresent"` | imagePullPolicy is the policy to use when pulling images for all charts | | defaults.imagePullSecret | string | `"github"` | imagePullSecret is the name of the secret that holds the docker registry credentials | -| defaults.istio.enabled | bool | `false` | toggle to enable/disable istio | +| defaults.istio.enabled | bool | `true` | toggle to enable/disable istio | | defaults.istio.gateway.name | string | `"gateway"` | name of the gateway | | defaults.metrics.port | int | `8080` | metrics port | | defaults.port | int | `8080` | service port | 
diff --git a/charts/common/templates/_deploymentHelpers.tpl b/charts/common/templates/_deploymentHelpers.tpl
index a36c0ec82..f0e704b7a 100644
--- a/charts/common/templates/_deploymentHelpers.tpl
+++ b/charts/common/templates/_deploymentHelpers.tpl
@@ -42,9 +42,8 @@ ports: {{- join "," $technicalIssuers }} {{- end}} -{{- define "common.basicEnvironment" }} -- name: LOG_LEVEL - value: {{ (.Values.log).level | default "info" }} +{{- define "common.sentry" }} +{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "sentry.enabled")) "true" -}} - name: REGION value: {{ .Values.region }} - name: ENVIRONMENT
@@ -52,17 +51,16 @@ ports: - name: SENTRY_ENVIRONMENT value: {{ .Values.sentry.environment | default .Values.environment }} - name: IMAGE_TAG - value: "{{ .Values.image.tag }}" + value: "{{ .Chart.AppVersion }}" - name: IMAGE_NAME value: "{{ .Values.image.name }}" -{{- $technicalIssuers := include "common.technicalIssuers" . }} -{{- if $technicalIssuers }} -- name: TECHNICAL_ISSUERS - value: {{ $technicalIssuers }} -{{- end }} -{{- include "common.sentry-env" . }} -- name: DIRECTIVES_AUTHORIZATION_ENABLED - value: "{{ ((.Values.directives).authorization).enabled | default false }}" +{{- end }} +{{- end}} + +{{- define "common.basicEnvironment" }} +- name: LOG_LEVEL + value: {{ (.Values.log).level | default "info" }} +{{ include "common.sentry" . }} {{- end }} {{- define "common.basicService" }} - name: PORT
diff --git a/charts/common/test-chart/Chart.lock b/charts/common/test-chart/Chart.lock
index feb48dfea..1ec44359b 100644
--- a/charts/common/test-chart/Chart.lock
+++ b/charts/common/test-chart/Chart.lock
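Review bot: The rewritten `common.basicEnvironment` no longer emits `TECHNICAL_ISSUERS` or `DIRECTIVES_AUTHORIZATION_ENABLED`, and `REGION`, `ENVIRONMENT`, `IMAGE_TAG` and `IMAGE_NAME` now render only when `sentry.enabled` is true, so every chart that includes this helper loses those variables on the 0.2.7 to 0.2.10 upgrade; if a consuming service treats a missing `DIRECTIVES_AUTHORIZATION_ENABLED` as "authorization off", that is a silent security regression — the consumers are not visible from here, so this needs confirming. A library-chart change of this kind should either stay backward compatible (keep the two variables in `common.basicEnvironment`, still gated on their values, and keep `REGION`/`ENVIRONMENT` outside the sentry guard) or be recorded in the chart README alongside the version bump. `common.technicalIssuers` remains defined in the context above but, from what is visible in this diff, is no longer referenced anywhere.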
@@ -1,6 +1,6 @@ dependencies: - name: common repository: file://.. - version: 0.2.0 -digest: sha256:7954fcb7393cd799f0e93e9e6a4cf9ddfdd234136a449dbb0c656945fd090528 -generated: "2024-12-13T08:25:57.253349+01:00" + version: 0.2.10 +digest: sha256:e9bb651f6644ed25148513b9195a45eda370076a4adc9993f7013ab252e276bb +generated: "2025-02-12T18:39:15.101554148+02:00"
diff --git a/charts/common/test-chart/Chart.yaml b/charts/common/test-chart/Chart.yaml
index 50cc8deb1..9cde8c389 100644
--- a/charts/common/test-chart/Chart.yaml
+++ b/charts/common/test-chart/Chart.yaml
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.3 +version: 0.1.4 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to
@@ -25,5 +25,5 @@ appVersion: "1.16.0" dependencies: - name: common - version: 0.2.4 + version: 0.2.10 repository: file://..
diff --git a/charts/common/test-chart/charts/common-0.2.0.tgz b/charts/common/test-chart/charts/common-0.2.0.tgz
deleted file mode 100644
index 15f0fb7d0..000000000
Binary files a/charts/common/test-chart/charts/common-0.2.0.tgz and /dev/null differ
diff --git a/charts/common/test-chart/charts/common-0.2.10.tgz b/charts/common/test-chart/charts/common-0.2.10.tgz
new file mode 100644
index 000000000..815597725
Binary files /dev/null and b/charts/common/test-chart/charts/common-0.2.10.tgz differ
diff --git a/charts/common/test-chart/templates/deployment.yaml b/charts/common/test-chart/templates/deployment.yaml
index 421b94c7e..30df43a28 100644
--- a/charts/common/test-chart/templates/deployment.yaml
+++ b/charts/common/test-chart/templates/deployment.yaml
@@ -14,11 +14,13 @@ spec: spec: {{ include "common.container.securityContext" . | nindent 6 }} containers: - image: {{ include "common.image" . }} + - image: {{ include "common.image" . }} imagePullPolicy: {{ include "common.imagePullPolicy" . }} name: manager ports: {{ include "common.PortsMetricsHealth" . | nindent 10 }} {{ include "common.operatorHealthAndReadyness" . | nindent 10 }} {{ include "common.resources" . | nindent 10 }} + env: + {{- include "common.basicEnvironment" . | nindent 12 }} terminationGracePeriodSeconds: {{ include "common.terminationGracePeriodSeconds" .}} diff --git a/charts/common/test-chart/tests/__snapshot__/deployment_test.yaml.snap b/charts/common/test-chart/tests/__snapshot__/deployment_test.yaml.snap index 1b421c4a3..db744a80a 100644 --- a/charts/common/test-chart/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/common/test-chart/tests/__snapshot__/deployment_test.yaml.snap @@ -12,9 +12,11 @@ test name override: template: spec: containers: - automountServiceAccountToken: true + env: + - name: LOG_LEVEL + value: info image: my-image:0.1.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 1 httpGet: @@ -42,19 +44,17 @@ test name override: requests: cpu: 40m memory: 50Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: RELEASE-NAME startupProbe: failureThreshold: 30 httpGet: path: /readyz port: 8081 periodSeconds: 10 - serviceAccountName: RELEASE-NAME-test-chart + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault terminationGracePeriodSeconds: 10 test tag default: 1: | @@ -70,9 +70,11 @@ test tag default: template: spec: containers: - automountServiceAccountToken: true + env: + - name: LOG_LEVEL + value: info image: test-chart:0.1.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 1 httpGet: 
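Review bot: In the test-chart `deployment.yaml` hunk, `{{ include "common.container.securityContext" . | nindent 6 }}` is rendered at pod-spec level as a sibling of `containers:`, not under the new `- image:` container; the updated snapshot shows `readOnlyRootFilesystem: true` sorted next to `terminationGracePeriodSeconds`, i.e. inside the pod `securityContext`, where that field does not exist. Depending on field validation the API server prunes or rejects it there, so the container ends up with no read-only root filesystem and no container-level `securityContext` at all, while `runAsNonRoot` and `seccompProfile` only happen to be valid at pod level. Move the include under the container at the same depth as `env:`, as the extension-manager-operator deployment in this commit does: `{{- include "common.container.securityContext" . | nindent 10 }}`. The committed snapshot currently pins the wrong placement, so it has to be regenerated with the fix.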
@@ -100,19 +102,17 @@ test tag default: requests: cpu: 40m memory: 50Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: RELEASE-NAME startupProbe: failureThreshold: 30 httpGet: path: /readyz port: 8081 periodSeconds: 10 - serviceAccountName: RELEASE-NAME-test-chart + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault terminationGracePeriodSeconds: 10 test tag override: 1: | @@ -128,9 +128,11 @@ test tag override: template: spec: containers: - automountServiceAccountToken: true + env: + - name: LOG_LEVEL + value: info image: test-chart:1.0.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 1 httpGet: @@ -158,17 +160,15 @@ test tag override: requests: cpu: 40m memory: 50Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: RELEASE-NAME startupProbe: failureThreshold: 30 httpGet: path: /readyz port: 8081 periodSeconds: 10 - serviceAccountName: RELEASE-NAME-test-chart + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault terminationGracePeriodSeconds: 10 diff --git a/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap b/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap index ebb28bc07..5ce981ed0 100644 --- a/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap +++ b/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap 
@@ -40,3 +40,24 @@ test local value: host: some.host port: number: 8080 +test test no value: + 1: | + apiVersion: networking.istio.io/v1beta1 + kind: VirtualService + metadata: + name: RELEASE-NAME-test-chart + spec: + gateways: + - NAMESPACE/gateway + hosts: + - some.domain + http: + match: + - uri: + exact: some.domain + name: default + route: + - destination: + host: some.host + port: + number: 8080 diff --git a/charts/common/test-chart/tests/deployment_test.yaml b/charts/common/test-chart/tests/deployment_test.yaml index 6ab33e6ce..9c9b8fd9a 100644 --- a/charts/common/test-chart/tests/deployment_test.yaml +++ b/charts/common/test-chart/tests/deployment_test.yaml @@ -22,3 +22,15 @@ tests: name: my-image asserts: - matchSnapshot: {} + - it: test sentry enabled + set: + image: + name: my-image + global: + sentry: + enabled: true + environment: "test" + sentry: + environment: "test" + asserts: + - matchSnapshot: {} diff --git a/charts/common/values.yaml b/charts/common/values.yaml index 7d13424f3..9f8283ea1 100644 --- a/charts/common/values.yaml +++ b/charts/common/values.yaml @@ -11,7 +11,7 @@ defaults: imagePullSecret: "github" # -- imagePullPolicy is the policy to use when pulling images for all charts - imagePullPolicy: Always + imagePullPolicy: IfNotPresent deployment: resources: @@ -57,14 +57,14 @@ defaults: istio: # -- toggle to enable/disable istio - enabled: false + enabled: true gateway: # -- name of the gateway name: gateway fga: # -- toggle to enable/disable experimental FGA features - enabled: false + enabled: true securityContext: # -- user id to run the container @@ -76,4 +76,4 @@ defaults: externalSecrets: # -- toggle to enable/disable external-secrets - enabled: true + enabled: false diff --git a/charts/example-content/Chart.lock b/charts/example-content/Chart.lock index a80706c55..4a700c042 100644 --- a/charts/example-content/Chart.lock +++ b/charts/example-content/Chart.lock 
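Review bot: The new `test sentry enabled` case in `deployment_test.yaml` asserts `matchSnapshot`, but no matching entry appears in the `deployment_test.yaml.snap` hunks of this commit (entries are sorted, so it would sit between `test name override` and `test tag default`), which suggests the expected `REGION`, `SENTRY_ENVIRONMENT`, `IMAGE_TAG` and `IMAGE_NAME` values are not pinned and helm-unittest will simply write the snapshot on first run. Either commit the generated snapshot or add explicit `contains` assertions on `spec.template.spec.containers[0].env` so a regression in `common.sentry` actually fails the test. The case also sets `sentry.environment` at chart level while enabling Sentry under `global`; a second case with only `global.sentry.enabled: true` would cover the nil-`sentry` path a real consumer can hit.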
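Review bot: The `charts/common/values.yaml` hunks flip library-wide defaults — `imagePullPolicy: IfNotPresent`, `istio.enabled: true`, `fga.enabled: true`, `externalSecrets.enabled: false` — and every chart that depends on `common` 0.2.10 inherits them unless it overrides. With tag-based image references (the snapshots use `:1.0.0`-style tags rather than digests), `IfNotPresent` means a node keeps serving whatever it cached under that tag, and on shared nodes a pod can start a cached private image without presenting the `imagePullSecret`; if the motivation is a faster local kind setup, put it in the kind values rather than the library default, or state in the `# --` comment that production deployments must override it. Enabling `istio` and `fga` and disabling `externalSecrets` by default are each behavioural changes for dependents that the `# --` doc comments and the release notes should call out, since a patch-level bump from 0.2.7 to 0.2.10 does not signal them.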
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://ghcr.io/openmfp/helm-charts - version: 0.2.7 -digest: sha256:5774633903b218b0d938a3f441151b75fec603657defc139dddde6520fc91853 -generated: "2025-01-07T15:22:42.365175452Z" + version: 0.2.10 +digest: sha256:3c6cba33767bf37bf390d6f02de042c58f2f3c5d874f57dfbd030fe81e064034 +generated: "2025-02-13T08:51:05.634477154+02:00" diff --git a/charts/example-content/Chart.yaml b/charts/example-content/Chart.yaml index fe0749e04..98876aea4 100644 --- a/charts/example-content/Chart.yaml +++ b/charts/example-content/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: "0.140.0" +appVersion: "0.155.0" description: Helm Chart for the openmfp Portal name: example-content -version: 0.111.18 +version: 0.114.5 dependencies: - name: common - version: 0.2.7 + version: 0.2.10 repository: oci://ghcr.io/openmfp/helm-charts diff --git a/charts/example-content/README.md b/charts/example-content/README.md index 50f9b8182..4cae9ab8d 100644 --- a/charts/example-content/README.md +++ b/charts/example-content/README.md 
@@ -10,11 +10,15 @@ Helm Chart for the openmfp Portal ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| contentConfigurations.home | bool | `true` | This content configuration enables a basic homepage in the portal | +| contentConfigurations.ui | object | `{"enabled":true,"internalUrl":"http://openmfp-example-content.openmfp-system.svc.cluster.local:8080/ui/assets/config.json","url":"http://localhost:8000/ui/example-content/ui/assets/config.json"}` | This content configuration enables a basic homepage in the portal | +| contentConfigurations.wc.enabled | bool | `true` | | +| contentConfigurations.wc.internalUrl | string | `"http://openmfp-example-content.openmfp-system.svc.cluster.local:8080/wc/assets/config.json"` | | +| contentConfigurations.wc.url | string | `"http://localhost:8000/ui/example-content/wc/assets/config.json"` | | +| contentProtocolDomain | string | `"https://example-content.some-domain.com"` | | | image.name | string | `"ghcr.io/openmfp/example-content"` | The image name | -| istio.virtualService.hosts[0] | string | `"your-host.com"` | | -| istio.virtualService.matchers[0].match[0].uri.exact | string | `"/ui/example-content"` | | -| istio.virtualService.matchers[0].match[1].uri.prefix | string | `"/ui/example-content/"` | | +| istio.enabled | bool | `true` | | +| istio.virtualService.hosts[0] | string | `"*"` | | +| istio.virtualService.matchers[0].match[0].uri.prefix | string | `"/ui/example-content"` | | ## Overriding Values diff --git a/charts/example-content/charts/common-0.2.10.tgz b/charts/example-content/charts/common-0.2.10.tgz new file mode 100644 index 000000000..fed83c114 Binary files /dev/null and b/charts/example-content/charts/common-0.2.10.tgz differ diff --git a/charts/example-content/charts/common-0.2.7.tgz b/charts/example-content/charts/common-0.2.7.tgz deleted file mode 100644 index 5749aba34..000000000 Binary files a/charts/example-content/charts/common-0.2.7.tgz and /dev/null differ 
diff --git a/charts/example-content/templates/contentconfigurations.yaml b/charts/example-content/templates/contentconfigurations.yaml index 200ffbde8..69a55e00b 100644 --- a/charts/example-content/templates/contentconfigurations.yaml +++ b/charts/example-content/templates/contentconfigurations.yaml 
@@ -1,60 +1,34 @@ -{{- if .Values.contentConfigurations.home }} +{{- if .Values.contentConfigurations.ui.enabled }} apiVersion: core.openmfp.io/v1alpha1 kind: ContentConfiguration metadata: - name: home + name: {{ include "common.entity.name" . }}-ui namespace: {{ .Release.Namespace }} + labels: + portal.openmfp.org/entity: main spec: - inlineConfiguration: - content: |- - { - "name": "overview", - "creationTimestamp": "2022-05-17T11:37:17Z", - "luigiConfigFragment": { - "data": { - "nodes": [ - { - "entityType": "global", - "pathSegment": "home", - "hideFromNav": true, - "defineEntity": { - "id": "main" - }, - "children": [ - { - "pathSegment": "overview", - "label": "Overview", - "icon": "home", - "defineEntity": { - "id": "overview" - }, - "compound": { - "renderer": { - "use": "grid", - "config": { - "columns": "1fr 1fr 1fr 1fr" - } - } - } - } - ] - }, - { - "entityType": "main.overview::compound", - "url": "https://luigiwebcomponents.gitlab.io/layouts/panelHeader.js", - "context": { - "border": "shadow", - "title": "Welcome to OpenMFP Portal", - "description": " " - }, - "layoutConfig": { - "row": "1", - "column": "1 / -1" - } - } - ] - } - } - } + remoteConfiguration: + url: {{ .Values.contentConfigurations.ui.url }} + {{- if .Values.contentConfigurations.ui.internalUrl }} + internalUrl: {{ .Values.contentConfigurations.ui.internalUrl }} + {{- end }} + contentType: json +{{- end }} + +{{- if .Values.contentConfigurations.wc.enabled }} +--- +apiVersion: core.openmfp.io/v1alpha1 +kind: ContentConfiguration +metadata: + name: {{ include "common.entity.name" . }}-wc + namespace: {{ .Release.Namespace }} + labels: + portal.openmfp.org/entity: main +spec: + remoteConfiguration: + url: {{ .Values.contentConfigurations.wc.url }} + {{- if .Values.contentConfigurations.wc.internalUrl }} + internalUrl: {{ .Values.contentConfigurations.wc.internalUrl }} + {{- end }} contentType: json {{- end }} \ No newline at end of file 
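Review bot: In the `contentconfigurations.yaml` hunk, `url:` and `internalUrl:` are rendered unquoted, so a value containing `: `, ` #` or a leading `*` changes the YAML structure, and an empty `url` renders as `url: null`, which the CRD in this same commit now rejects because `url` is `required`; use `url: {{ required "contentConfigurations.ui.url must be set" .Values.contentConfigurations.ui.url | quote }}` (likewise for the `wc` document, and `| quote` on both `internalUrl` lines). Both documents hard-code `portal.openmfp.org/entity: main`; if that label is what the portal keys on to pick up the configuration, a one-line comment saying so would help whoever copies this template next. The `---` separator sits inside the `wc` conditional, which is right when `ui` is disabled, but a comment above it explaining why it is not at the top of the file would prevent a well-meaning "fix".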
diff --git a/charts/example-content/templates/deploy.yaml b/charts/example-content/templates/deploy.yaml index ca7bf5f22..540c7cc25 100644 --- a/charts/example-content/templates/deploy.yaml +++ b/charts/example-content/templates/deploy.yaml @@ -4,6 +4,7 @@ metadata: name: {{ include "common.entity.name" . }} labels: app: {{ include "common.entity.name" . }} + namespace: {{ .Release.Namespace }} spec: strategy: rollingUpdate: diff --git a/charts/example-content/tests/__snapshot__/snapshot_test.yaml.snap b/charts/example-content/tests/__snapshot__/snapshot_test.yaml.snap index d3a36823d..2195293a1 100644 --- a/charts/example-content/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/example-content/tests/__snapshot__/snapshot_test.yaml.snap 
@@ -3,68 +3,36 @@ matches the snapshot: apiVersion: core.openmfp.io/v1alpha1 kind: ContentConfiguration metadata: - name: home + labels: + portal.openmfp.org/entity: main + name: RELEASE-NAME-example-content-ui namespace: NAMESPACE spec: - inlineConfiguration: - content: |- - { - "name": "overview", - "creationTimestamp": "2022-05-17T11:37:17Z", - "luigiConfigFragment": { - "data": { - "nodes": [ - { - "entityType": "global", - "pathSegment": "home", - "hideFromNav": true, - "defineEntity": { - "id": "main" - }, - "children": [ - { - "pathSegment": "overview", - "label": "Overview", - "icon": "home", - "defineEntity": { - "id": "overview" - }, - "compound": { - "renderer": { - "use": "grid", - "config": { - "columns": "1fr 1fr 1fr 1fr" - } - } - } - } - ] - }, - { - "entityType": "main.overview::compound", - "url": "https://luigiwebcomponents.gitlab.io/layouts/panelHeader.js", - "context": { - "border": "shadow", - "title": "Welcome to OpenMFP Portal", - "description": " " - }, - "layoutConfig": { - "row": "1", - "column": "1 / -1" - } - } - ] - } - } - } + remoteConfiguration: contentType: json + internalUrl: http://openmfp-example-content.openmfp-system.svc.cluster.local:8080/ui/assets/config.json + url: http://localhost:8000/ui/example-content/ui/assets/config.json 2: | + apiVersion: core.openmfp.io/v1alpha1 + kind: ContentConfiguration + metadata: + labels: + portal.openmfp.org/entity: main + name: RELEASE-NAME-example-content-wc + namespace: NAMESPACE + spec: + remoteConfiguration: + contentType: json + internalUrl: http://openmfp-example-content.openmfp-system.svc.cluster.local:8080/wc/assets/config.json + url: http://localhost:8000/ui/example-content/wc/assets/config.json + 3: | apiVersion: apps/v1 kind: Deployment metadata: labels: app: RELEASE-NAME-example-content name: RELEASE-NAME-example-content + namespace: NAMESPACE spec: revisionHistoryLimit: 3 selector: 
@@ -84,7 +52,7 @@ matches the snapshot: - name: PORT value: "8080" image: ghcr.io/openmfp/example-content:1.0.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent name: RELEASE-NAME-example-content ports: - containerPort: 8080 @@ -125,7 +93,27 @@ matches the snapshot: name: tmp-volume - emptyDir: {} name: run-volume - 3: | + 4: | + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: RELEASE-NAME-example-content + namespace: NAMESPACE + spec: + gateways: + - NAMESPACE/gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /ui/example-content + route: + - destination: + host: RELEASE-NAME-example-content.NAMESPACE.svc.cluster.local + port: + number: 8080 + 5: | apiVersion: v1 imagePullSecrets: - name: github 
@@ -133,7 +121,144 @@ matches the snapshot: metadata: name: RELEASE-NAME-example-content namespace: NAMESPACE + 6: | + apiVersion: v1 + kind: Service + metadata: + name: RELEASE-NAME-example-content + namespace: NAMESPACE + spec: + ports: + - name: http + port: 8080 + protocol: TCP + selector: + app: RELEASE-NAME-example-content + type: ClusterIP +matches the snapshot (internalUrl): + 1: | + apiVersion: core.openmfp.io/v1alpha1 + kind: ContentConfiguration + metadata: + labels: + portal.openmfp.org/entity: main + name: RELEASE-NAME-example-content-ui + namespace: NAMESPACE + spec: + remoteConfiguration: + contentType: json + internalUrl: http://example-content:8000/ui/assets/config.json + url: http://localhost:8000/ui/example-content/ui/assets/config.json + 2: | + apiVersion: core.openmfp.io/v1alpha1 + kind: ContentConfiguration + metadata: + labels: + portal.openmfp.org/entity: main + name: RELEASE-NAME-example-content-wc + namespace: NAMESPACE + spec: + remoteConfiguration: + contentType: json + internalUrl: http://openmfp-example-content.openmfp-system.svc.cluster.local:8080/wc/assets/config.json + url: http://localhost:8000/ui/example-content/wc/assets/config.json + 3: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: RELEASE-NAME-example-content + name: RELEASE-NAME-example-content + namespace: NAMESPACE + spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + app: RELEASE-NAME-example-content + strategy: + rollingUpdate: + maxSurge: 5 + maxUnavailable: 0 + template: + metadata: + labels: + app: RELEASE-NAME-example-content + spec: + containers: + - env: + - name: PORT + value: "8080" + image: ghcr.io/openmfp/example-content:1.0.0 + imagePullPolicy: IfNotPresent + name: RELEASE-NAME-example-content + ports: + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP + resources: + limits: + cpu: 100m + memory: 512Mi + 
requests: + cpu: 40m + memory: 50Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/cache/nginx + name: tmp-volume + readOnly: false + - mountPath: /var/run + name: run-volume + readOnly: false + securityContext: + fsGroup: 2000 + runAsGroup: 3000 + runAsUser: 1000 + serviceAccountName: RELEASE-NAME-example-content + volumes: + - emptyDir: {} + name: tmp-volume + - emptyDir: {} + name: run-volume 4: | + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: RELEASE-NAME-example-content + namespace: NAMESPACE + spec: + gateways: + - NAMESPACE/gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /ui/example-content + route: + - destination: + host: RELEASE-NAME-example-content.NAMESPACE.svc.cluster.local + port: + number: 8080 + 5: | + apiVersion: v1 + imagePullSecrets: + - name: github + kind: ServiceAccount + metadata: + name: RELEASE-NAME-example-content + namespace: NAMESPACE + 6: | apiVersion: v1 kind: Service metadata: diff --git a/charts/example-content/tests/snapshot_test.yaml b/charts/example-content/tests/snapshot_test.yaml index bf0f9839a..51db865ea 100644 --- a/charts/example-content/tests/snapshot_test.yaml +++ b/charts/example-content/tests/snapshot_test.yaml @@ -5,5 +5,12 @@ tests: - it: matches the snapshot values: - ../test-values.yaml + asserts: + - matchSnapshot: {} + - it: matches the snapshot (internalUrl) + values: + - ../test-values.yaml + set: + contentConfigurations.ui.internalUrl: http://example-content:8000/ui/assets/config.json asserts: - matchSnapshot: {} \ No newline at end of file diff --git a/charts/example-content/values.yaml b/charts/example-content/values.yaml index e10456c85..2b5d204c1 100644 --- a/charts/example-content/values.yaml +++ b/charts/example-content/values.yaml 
@@ -3,16 +3,28 @@ image: name: ghcr.io/openmfp/example-content istio: + enabled: true virtualService: hosts: - - your-host.com + - "*" matchers: - match: - - uri: - exact: /ui/example-content - - uri: - prefix: /ui/example-content/ + - uri: + prefix: /ui/example-content contentConfigurations: # -- This content configuration enables a basic homepage in the portal - home: true + ui: + enabled: true + url: http://localhost:8000/ui/example-content/ui/assets/config.json + internalUrl: http://openmfp-example-content.openmfp-system.svc.cluster.local:8080/ui/assets/config.json +# Set internal url especially for local a setup where the url is not reachable from within the cluster +# internalUrl: null + wc: + enabled: true + url: http://localhost:8000/ui/example-content/wc/assets/config.json + internalUrl: http://openmfp-example-content.openmfp-system.svc.cluster.local:8080/wc/assets/config.json +# Set internal url especially for local a setup where the url is not reachable from within the cluster +# internalUrl: null + +contentProtocolDomain: https://example-content.some-domain.com diff --git a/charts/extension-manager-operator-crds/Chart.yaml b/charts/extension-manager-operator-crds/Chart.yaml index 95b8ef1e5..b8abef153 100644 --- a/charts/extension-manager-operator-crds/Chart.yaml +++ b/charts/extension-manager-operator-crds/Chart.yaml @@ -3,5 +3,5 @@ name: extension-manager-operator-crds description: A Helm chart for Kubernetes type: application -version: 0.1.7 +version: 0.2.1 appVersion: "0.0.0" diff --git a/charts/extension-manager-operator-crds/templates/core.openmfp.io_contentconfigurations.yaml b/charts/extension-manager-operator-crds/templates/core.openmfp.io_contentconfigurations.yaml index 7a6cd3a3e..d5b46dd38 100644 --- a/charts/extension-manager-operator-crds/templates/core.openmfp.io_contentconfigurations.yaml +++ b/charts/extension-manager-operator-crds/templates/core.openmfp.io_contentconfigurations.yaml 
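Review bot: In the example-content `values.yaml` hunk the VirtualService matcher is reduced to `prefix: /ui/example-content` with no trailing slash, which also matches `/ui/example-contentfoo` and any other path sharing that prefix; combined with `hosts: "*"` the route now claims those paths on every host served by the gateway. Keep the earlier pair (`exact: /ui/example-content` plus `prefix: /ui/example-content/`) unless the over-match is intended, and document why `"*"` replaces a concrete host. The two `# internalUrl: null` comments sit at column 0 in the middle of the `ui`/`wc` mappings and read "for local a setup" (should be "for a local setup"); aligning them under `internalUrl` and fixing the wording keeps the docs generated from this file readable. `contentProtocolDomain` is new and has no `# --` description, which is why its README row is empty.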
@@ -58,6 +58,9 @@ spec: - yaml - json type: string + required: + - content + - contentType type: object remoteConfiguration: properties: @@ -87,8 +90,13 @@ spec: - yaml - json type: string + internalUrl: + type: string url: type: string + required: + - contentType + - url type: object type: object status: diff --git a/charts/extension-manager-operator-crds/tests/__snapshot__/deployment_test.yaml.snap b/charts/extension-manager-operator-crds/tests/__snapshot__/deployment_test.yaml.snap index 77346470a..54a22ac4c 100644 --- a/charts/extension-manager-operator-crds/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/extension-manager-operator-crds/tests/__snapshot__/deployment_test.yaml.snap @@ -58,6 +58,9 @@ operator match the snapshot: - yaml - json type: string + required: + - content + - contentType type: object remoteConfiguration: properties: @@ -87,8 +90,13 @@ operator match the snapshot: - yaml - json type: string + internalUrl: + type: string url: type: string + required: + - contentType + - url type: object type: object status: diff --git a/charts/extension-manager-operator/Chart.lock b/charts/extension-manager-operator/Chart.lock index 10358a7ad..9c298b324 100644 --- a/charts/extension-manager-operator/Chart.lock +++ b/charts/extension-manager-operator/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: extension-manager-operator-crds repository: oci://ghcr.io/openmfp/helm-charts - version: 0.1.7 + version: 0.2.1 - name: common repository: oci://ghcr.io/openmfp/helm-charts - version: 0.2.7 -digest: sha256:f4bff4623c04d61b6f6a5b54c08f5dc4df515451782887adb38bd90cad087e6f -generated: "2025-01-07T15:50:25.276707604Z" + version: 0.2.10 +digest: sha256:1051d572467ea8f794ece7b959e3166c36174cc444072c4a4cb52e600ef42fe2 +generated: "2025-02-13T15:55:05.759331455Z" diff --git a/charts/extension-manager-operator/Chart.yaml b/charts/extension-manager-operator/Chart.yaml index a8234793f..b1743d124 100644 --- a/charts/extension-manager-operator/Chart.yaml 
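Review bot: The two CRD hunks add `required` lists to `inlineConfiguration` and `remoteConfiguration`, which is a breaking change for any ContentConfiguration already stored without `contentType`: the object keeps existing, but its next update is rejected by the new schema, and the `0.1.7` to `0.2.1` chart bump is the only signal. If the operator treats a missing `contentType` as `json`, express that with `default: json` in the schema instead of making it required; otherwise call the migration out in the chart notes. `url` and the new `internalUrl` are unconstrained strings that the operator presumably dereferences; a `pattern: '^https?://'` (or `format: uri`) on both would reject malformed or non-HTTP values at admission rather than at fetch time. The same text is duplicated in the snapshot hunks below, so any change here needs the snapshot regenerated.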
+++ b/charts/extension-manager-operator/Chart.yaml @@ -2,13 +2,13 @@ apiVersion: v2 name: extension-manager-operator description: A Helm chart for extension-manager-operator which manages resources like ContentConfigurations and exposes REST `/validate` endpoint type: application -version: 0.22.92 -appVersion: "0.109.0" +version: 0.24.14 +appVersion: "0.129.0" dependencies: - name: extension-manager-operator-crds - version: 0.1.7 + version: 0.2.1 condition: crds.enabled repository: oci://ghcr.io/openmfp/helm-charts - name: common - version: 0.2.7 + version: 0.2.10 repository: oci://ghcr.io/openmfp/helm-charts diff --git a/charts/extension-manager-operator/README.md b/charts/extension-manager-operator/README.md index 33925e1e1..fc68a793d 100644 --- a/charts/extension-manager-operator/README.md +++ b/charts/extension-manager-operator/README.md @@ -17,7 +17,7 @@ A Helm chart for extension-manager-operator which manages resources like Content | crds.enabled | bool | `true` | | | image.name | string | `"ghcr.io/openmfp/extension-manager-operator"` | | | image.tag | string | `"0.22.48"` | | -| validationServer.enabled | bool | `false` | enable the validation server | +| istio.enabled | bool | `false` | enable Istio VirtualService | | validationServer.host | string | `"*"` | host for the validation VirtualService | | validationServer.port | int | `8088` | port for the validation server | diff --git a/charts/extension-manager-operator/charts/common-0.2.10.tgz b/charts/extension-manager-operator/charts/common-0.2.10.tgz new file mode 100644 index 000000000..fed83c114 Binary files /dev/null and b/charts/extension-manager-operator/charts/common-0.2.10.tgz differ diff --git a/charts/extension-manager-operator/charts/common-0.2.7.tgz b/charts/extension-manager-operator/charts/common-0.2.7.tgz deleted file mode 100644 index 5749aba34..000000000 Binary files a/charts/extension-manager-operator/charts/common-0.2.7.tgz and /dev/null differ 
diff --git a/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.1.7.tgz b/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.1.7.tgz deleted file mode 100644 index 4de85fb24..000000000 Binary files a/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.1.7.tgz and /dev/null differ diff --git a/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.2.1.tgz b/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.2.1.tgz new file mode 100644 index 000000000..89ba5008b Binary files /dev/null and b/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.2.1.tgz differ diff --git a/charts/extension-manager-operator/templates/deployment.yaml b/charts/extension-manager-operator/templates/deployment.yaml index 2ce72d247..35911ddfa 100644 --- a/charts/extension-manager-operator/templates/deployment.yaml +++ b/charts/extension-manager-operator/templates/deployment.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "common.entity.name" . }} + namespace: {{ .Release.Namespace }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} 
@@ -34,20 +35,20 @@ spec: image: {{ .Values.image.name }}:{{ .Chart.AppVersion }} imagePullPolicy: {{ include "common.imagePullPolicy" . }} name: manager + {{- include "common.container.securityContext" . | nindent 10 }} ports: {{- include "common.PortsMetricsHealth" . | nindent 10 -}} {{- include "common.operatorHealthAndReadyness" . | nindent 10 -}} {{- include "common.resources" . | nindent 10 }} - {{- if .Values.validationServer.enabled }} - args: - server image: {{ .Values.image.name }}:{{ .Chart.AppVersion }} imagePullPolicy: {{ include "common.imagePullPolicy" . }} name: server + {{- include "common.resources" . | nindent 10 }} {{- include "common.container.securityContext" . | nindent 10 }} ports: - containerPort: {{ .Values.validationServer.port }} {{- include "common.PortsMetricsHealth" . | nindent 10 -}} {{ include "common.operatorHealthAndReadyness" . | nindent 10 }} - {{- end }} terminationGracePeriodSeconds: {{ include "common.terminationGracePeriodSeconds" .}} diff --git a/charts/extension-manager-operator/templates/service-account.yaml b/charts/extension-manager-operator/templates/service-account.yaml index 490c917a9..2eaf7c467 100644 --- a/charts/extension-manager-operator/templates/service-account.yaml +++ b/charts/extension-manager-operator/templates/service-account.yaml @@ -2,4 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "common.entity.name" . }} + namespace: {{ .Release.Namespace }} {{- include "common.imagePullSecret" . }} diff --git a/charts/extension-manager-operator/templates/service.yaml b/charts/extension-manager-operator/templates/service.yaml index 11ddb7f75..3c075cfe0 100644 --- a/charts/extension-manager-operator/templates/service.yaml +++ b/charts/extension-manager-operator/templates/service.yaml @@ -1,4 +1,3 @@ -{{- if .Values.validationServer.enabled }} apiVersion: v1 kind: Service metadata: 
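Review bot: With the `validationServer.enabled` gate removed from the `deployment.yaml` hunk, the `server` container is now always created in the same pod as `manager`, and both pull in `common.PortsMetricsHealth` and `common.operatorHealthAndReadyness`, so both declare `containerPort` 8080 and 8081 and probe `/readyz` on 8081 while the manager passes `--health-probe-bind-address=:8081` (visible in the updated snapshot). Containers in one pod share the network namespace, so unless the server process binds its health endpoint elsewhere, the second listener on :8081 fails or one container's probes are answered by the other process, which turns the readiness gate into a no-op. Give the server container its own metrics/health ports (or drop those two includes for it) and name the validation port, e.g. `- containerPort: {{ .Values.validationServer.port }}` followed by `name: validation` and `protocol: TCP`. The same toggle removal applies to the `service.yaml` and `virtual-service.yaml` hunks and to the `values.yaml` hunk that deletes the key: values files still setting `validationServer.enabled: false` are now silently ignored, which deserves a line in the chart's release notes.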
@@ -13,4 +12,3 @@ spec: - protocol: TCP port: {{ .Values.validationServer.port }} targetPort: {{ .Values.validationServer.port }} -{{- end }} diff --git a/charts/extension-manager-operator/templates/virtual-service.yaml b/charts/extension-manager-operator/templates/virtual-service.yaml index da7aa2ed7..dfaf7eeca 100644 --- a/charts/extension-manager-operator/templates/virtual-service.yaml +++ b/charts/extension-manager-operator/templates/virtual-service.yaml @@ -1,5 +1,4 @@ {{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "istio.enabled")) "true" -}} -{{- if .Values.validationServer.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: @@ -20,4 +19,3 @@ spec: port: number: {{ .Values.validationServer.port }} {{- end }} -{{- end }} diff --git a/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap index 2715a6bda..6ce8cff32 100644 --- a/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap @@ -68,6 +68,7 @@ operator match the snapshot: kind: Deployment metadata: name: extension-manager-operator + namespace: NAMESPACE spec: revisionHistoryLimit: 3 selector: @@ -89,7 +90,7 @@ operator match the snapshot: - --log-level= - --health-probe-bind-address=:8081 image: ghcr.io/openmfp/extension-manager-operator:1.0.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 1 httpGet: 
@@ -117,6 +118,54 @@ operator match the snapshot: requests: cpu: 40m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 + - args: + - server + image: ghcr.io/openmfp/extension-manager-operator:1.0.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 + name: server + ports: + - containerPort: 8088 + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 260m + memory: 512Mi + requests: + cpu: 40m + memory: 50Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -136,3 +185,4 @@ operator match the snapshot: kind: ServiceAccount metadata: name: extension-manager-operator + namespace: NAMESPACE diff --git a/charts/extension-manager-operator/tests/deployment_test.yaml b/charts/extension-manager-operator/tests/deployment_test.yaml index 9a959a395..837bc686c 100644 --- a/charts/extension-manager-operator/tests/deployment_test.yaml +++ b/charts/extension-manager-operator/tests/deployment_test.yaml @@ -101,9 +101,6 @@ tests: - name: my-secret - it: with validationServer template: deployment.yaml - set: - validationServer: - enabled: true asserts: - equal: path: spec.template.spec.containers[1].name diff --git a/charts/extension-manager-operator/values.yaml b/charts/extension-manager-operator/values.yaml index fdd797767..b18546348 100644 --- a/charts/extension-manager-operator/values.yaml +++ b/charts/extension-manager-operator/values.yaml 
@@ -15,9 +15,11 @@ crds: commonAnnotations: {} validationServer: - # -- enable the validation server - enabled: false # -- port for the validation server port: 8088 # -- host for the validation VirtualService host: "*" + +istio: + # -- enable Istio VirtualService + enabled: false diff --git a/charts/infra/Chart.lock b/charts/infra/Chart.lock index a418bdcc9..bfb775c9f 100644 --- a/charts/infra/Chart.lock +++ b/charts/infra/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://ghcr.io/openmfp/helm-charts - version: 0.2.7 -digest: sha256:5774633903b218b0d938a3f441151b75fec603657defc139dddde6520fc91853 -generated: "2025-01-07T15:22:52.346255158Z" + version: 0.2.10 +digest: sha256:3c6cba33767bf37bf390d6f02de042c58f2f3c5d874f57dfbd030fe81e064034 +generated: "2025-02-13T08:51:17.369159469+02:00" diff --git a/charts/infra/Chart.yaml b/charts/infra/Chart.yaml index 70a29e85c..d0763d352 100644 --- a/charts/infra/Chart.yaml +++ b/charts/infra/Chart.yaml @@ -2,10 +2,10 @@ apiVersion: v2 name: infra description: The infra openmfp chart configures a number of common infrastructure components for the OpenMFP platform. type: application -version: 0.60.8 +version: 0.61.0 appVersion: "0.0.0" dependencies: - name: common - version: 0.2.7 + version: 0.2.10 repository: oci://ghcr.io/openmfp/helm-charts diff --git a/charts/infra/README.md b/charts/infra/README.md index bdbf9e58b..4f460604b 100644 --- a/charts/infra/README.md +++ b/charts/infra/README.md 
@@ -12,12 +12,26 @@ The infra openmfp chart configures a number of common infrastructure components ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| fga.stores | list | `[]` | The list of FGA stores to be created | -| istio.gateway.annotations | object | `{}` | Annotations to be applied to the istio gateway | -| istio.gateway.apiVersion | string | `nil` | The istio apiVersion of the gateway resource eg, networking.istio.io/v1, networking.istio.io/v1beta1 | -| istio.gateway.name | string | `"gateway"` | The name of the istio gateway resource | -| istio.gateway.selector.istio | string | `"gateway"` | The istio ingress gateway selector | -| istio.gateway.servers | list | `[{"hosts":["*"],"port":{"name":"http","number":8080,"protocol":"HTTP"}}]` | The "servers" section of the istio gateway. By default it is configured for a local kind setup. Adjust to be a https port for productive deployments | +| crossplane.enabled | bool | `true` | | +| fga.enabled | bool | `false` | | +| fga.stores[0].coreModuleName | string | `"module core\n\ntype user\n\ntype role\n relations\n define assignee: [user,user:*]\n\ntype account\n relations\n\n define parent: [account]\n define owner: [role#assignee]\n define member: [role#assignee] or owner\n\n define get: member or get from parent\n define update: member or update from parent\n define delete: owner or delete from parent\n\n # org and account specific\n define watch: member or watch from parent\n\n # org specific\n define create: member or create from parent\n define list: member or list from parent\n"` | | +| fga.stores[0].name | string | `"tenant-demo-root"` | | +| fga.stores[0].namespace | string | `"openmfp-system"` | | +| fga.stores[0].tuples[0].object | string | `"role:authenticated"` | | +| fga.stores[0].tuples[0].relation | string | `"assignee"` | | +| fga.stores[0].tuples[0].user | string | `"user:*"` | | +| fga.stores[0].tuples[1].object | string | `"account:demo-root"` | | +| 
fga.stores[0].tuples[1].relation | string | `"member"` | | +| fga.stores[0].tuples[1].user | string | `"role:authenticated#assignee"` | | +| istio.enabled | bool | `true` | | +| istio.gateway.annotations | object | `{}` | | +| istio.gateway.apiVersion | string | `"networking.istio.io/v1"` | | +| istio.gateway.name | string | `"gateway"` | | +| istio.gateway.selector.istio | string | `"gateway"` | | +| istio.gateway.servers[0].hosts[0] | string | `"*"` | | +| istio.gateway.servers[0].port.name | string | `"http"` | | +| istio.gateway.servers[0].port.number | int | `8000` | | +| istio.gateway.servers[0].port.protocol | string | `"HTTP"` | | | istio.networking.apiVersion | string | `"networking.istio.io/v1"` | The istio apiVersion used for networking resources in this chart eg. networking.istio.io/v1, networking.istio.io/v1beta1 | | istio.serviceEntries.https.enabled | bool | `false` | A toggle to enable the service entries for external https communication | | istio.serviceEntries.https.hosts | list | `[]` | The list of hosts to be added to the service entry | diff --git a/charts/infra/charts/common-0.2.10.tgz b/charts/infra/charts/common-0.2.10.tgz new file mode 100644 index 000000000..fed83c114 Binary files /dev/null and b/charts/infra/charts/common-0.2.10.tgz differ diff --git a/charts/infra/charts/common-0.2.7.tgz b/charts/infra/charts/common-0.2.7.tgz deleted file mode 100644 index 5749aba34..000000000 Binary files a/charts/infra/charts/common-0.2.7.tgz and /dev/null differ diff --git a/charts/infra/templates/gateway.yaml b/charts/infra/templates/gateway.yaml index c8ca3571b..1c56a15fd 100644 --- a/charts/infra/templates/gateway.yaml +++ b/charts/infra/templates/gateway.yaml @@ -13,4 +13,4 @@ spec: {{ .Values.istio.gateway.selector | toYaml | indent 4 }} servers: {{ toYaml .Values.istio.gateway.servers | indent 4 }} -{{- end -}} +{{- end -}} \ No newline at end of file 
diff --git a/charts/infra/templates/service-entries-https.yaml b/charts/infra/templates/service-entries-https.yaml index 980893628..84eee3a2a 100644 --- a/charts/infra/templates/service-entries-https.yaml +++ b/charts/infra/templates/service-entries-https.yaml @@ -13,4 +13,4 @@ spec: number: 443 protocol: TLS resolution: DNS -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/infra/test-values.yaml b/charts/infra/test-values.yaml index e7262ee05..9e25d5473 100644 --- a/charts/infra/test-values.yaml +++ b/charts/infra/test-values.yaml @@ -1,37 +1,36 @@ -istio: - enabled: true - serviceEntries: - https: - enabled: true - hosts: [ "example.com" ] - gateway: - apiVersion: networking.istio.io/v1 - name: gateway - selector: - istio: gateway - servers: - - port: - number: 8080 - name: http - protocol: HTTP - hosts: - - "*" +gateway: + apiVersion: networking.istio.io/v1 + name: gateway + selector: + istio: gateway + servers: + - port: + number: 8080 + name: http + protocol: HTTP + hosts: + - "*" -fga: - enabled: true - stores: - - name: test - namespace: test - coreModuleName: | - module core - - type user - - type account - relations - define owner: [user] - define member: [user] or owner - tuples: - - object: account:a - relation: owner - user: user:a \ No newline at end of file +kcp: + enabled: false +# host: "" + +auth: +# host: "" + +externalSecrets: + accountOperatorSaKubeconfig: account-operator-sa-kubeconfig + enabled: false + +stores: + - name: test + namespace: test + coreModuleName: | + module core + + type user + + type account + relations + define owner: [user] + define member: [user] or owner diff --git a/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap b/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap index bcf69b6b6..8d3a74903 100644 --- a/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap 
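Review bot: The rewritten test-values.yaml does not line up with the chart's values schema in this diff: `gateway:` and `stores:` sit at the top level, whereas values.yaml nests them as `istio.gateway` and `fga.stores`, so if this file is passed as a values file the chart defaults stay in force (the regenerated snapshot renders the gateway on port 8000, the values.yaml default, rather than the 8080 given here, which is consistent with that). `auth:` followed only by a commented child parses as `auth: null`, which is not the same as omitting the key and can override a mapping default with null. Either nest the keys under `istio:` / `fga:` parents, or if the file feeds a different consumer than the chart's values, add a header comment naming it. The `kcp`, `auth` and `externalSecrets` keys do not appear in the values.yaml hunk of this diff, so I cannot tell whether they are consumed at all.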
@@ -1,25 +1,5 @@ -matches the snapshot: +disables externalsecrets: 1: | - apiVersion: core.openmfp.io/v1alpha1 - kind: Store - metadata: - name: test - namespace: test - spec: - coreModule: |2 - module core - - type user - - type account - relations - define owner: [user] - define member: [user] or owner - tuples: - - object: account:a - relation: owner - user: user:a - 2: | apiVersion: networking.istio.io/v1 kind: Gateway metadata: @@ -33,20 +13,22 @@ matches the snapshot: - '*' port: name: http - number: 8080 + number: 8000 protocol: HTTP - 3: | +matches the snapshot: + 1: | apiVersion: networking.istio.io/v1 - kind: ServiceEntry + kind: Gateway metadata: - name: openmfp-https + name: gateway namespace: NAMESPACE spec: - hosts: - - example.com - location: MESH_EXTERNAL - ports: - - name: https - number: 443 - protocol: TLS - resolution: DNS + selector: + istio: gateway + servers: + - hosts: + - '*' + port: + name: http + number: 8000 + protocol: HTTP diff --git a/charts/infra/tests/snapshot_test.yaml b/charts/infra/tests/snapshot_test.yaml index 86e743578..895fa1414 100644 --- a/charts/infra/tests/snapshot_test.yaml +++ b/charts/infra/tests/snapshot_test.yaml @@ -5,5 +5,10 @@ tests: - it: matches the snapshot asserts: - matchSnapshot: {} - + - it: disables externalsecrets + set: + externalSecrets: + accountOperatorSaKubeconfig: null + asserts: + - matchSnapshot: {} diff --git a/charts/infra/values.yaml b/charts/infra/values.yaml index 2d7e1f7e7..6ad018eba 100644 --- a/charts/infra/values.yaml +++ b/charts/infra/values.yaml 
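Review bot: The new case `disables externalsecrets` asserts only `matchSnapshot`, and the recorded snapshot for it appears identical to the `matches the snapshot` case (a single Gateway), so the test does not demonstrate that anything was disabled — it would pass equally if the ExternalSecret were rendered in neither case. Pin the template and count documents instead, e.g. `template: <external-secrets template file>` with `- hasDocuments: count: 0`, and keep a positive counterpart with the key set (`count: 1`) so the toggle is covered in both directions. Setting `accountOperatorSaKubeconfig: null` also relies on a key that does not appear in the values.yaml hunk of this diff, so the default being overridden is not visible here.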
@@ -1,32 +1,65 @@ +crossplane: + enabled: true istio: networking: # -- The istio apiVersion used for networking resources in this chart eg. networking.istio.io/v1, networking.istio.io/v1beta1 apiVersion: networking.istio.io/v1 + serviceEntries: + https: + # -- A toggle to enable the service entries for external https communication + enabled: false + # -- The list of hosts to be added to the service entry + hosts: [] + enabled: true gateway: - # -- Annotations to be applied to the istio gateway annotations: {} - # -- The istio apiVersion of the gateway resource eg, networking.istio.io/v1, networking.istio.io/v1beta1 - apiVersion: - # -- The name of the istio gateway resource + apiVersion: networking.istio.io/v1 name: gateway selector: - # -- The istio ingress gateway selector istio: gateway - # -- The "servers" section of the istio gateway. By default it is configured for a local kind setup. Adjust to be a https port for productive deployments servers: - port: - number: 8080 + number: 8000 name: http protocol: HTTP hosts: - "*" - serviceEntries: - https: - # -- A toggle to enable the service entries for external https communication - enabled: false - # -- The list of hosts to be added to the service entry - hosts: [] fga: - # -- The list of FGA stores to be created - stores: [] + enabled: false + stores: + - name: tenant-demo-root + namespace: openmfp-system + tuples: + - object: role:authenticated + relation: assignee + user: user:* + - object: account:demo-root + relation: member + user: role:authenticated#assignee + coreModuleName: | + module core + + type user + + type role + relations + define assignee: [user,user:*] + + type account + relations + + define parent: [account] + define owner: [role#assignee] + define member: [role#assignee] or owner + + define get: member or get from parent + define update: member or update from parent + define delete: owner or delete from parent + + # org and account specific + define watch: member or watch from parent + + # org 
specific + define create: member or create from parent + define list: member or list from parent diff --git a/charts/keycloak/Chart.lock b/charts/keycloak/Chart.lock index 13a7ffca2..0000ca2f2 100644 --- a/charts/keycloak/Chart.lock +++ b/charts/keycloak/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: keycloak repository: oci://registry-1.docker.io/bitnamicharts - version: 24.4.7 + version: 24.4.10 - name: common repository: oci://ghcr.io/openmfp/helm-charts - version: 0.2.7 -digest: sha256:9c0fb9ab3540d0b2d308a96ce77048a4db2cdfd649aca0cb4b26335f96fd38a7 -generated: "2025-01-29T01:15:24.056590179Z" + version: 0.2.10 +digest: sha256:6151c3d96d129de91a0098f36b9195ea2d8a089d6d4e60a138c76f6d5d75786b +generated: "2025-02-17T13:23:16.145129105Z" diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml index 3521cb14e..adef57f15 100644 --- a/charts/keycloak/Chart.yaml +++ b/charts/keycloak/Chart.yaml @@ -3,14 +3,14 @@ name: keycloak description: A Helm chart to deploy keycloak as OIDC provider in openmfp type: application -version: 0.60.15 +version: 0.62.1 appVersion: "1.16.0" dependencies: - name: keycloak alias: keycloak - version: 24.4.7 + version: 24.4.10 repository: oci://registry-1.docker.io/bitnamicharts - name: common - version: 0.2.7 + version: 0.2.10 repository: oci://ghcr.io/openmfp/helm-charts diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md index 73259fe91..e1ae30e04 100644 --- a/charts/keycloak/README.md +++ b/charts/keycloak/README.md 
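Review bot: The new default `fga.stores` entry is a demo authorization model rather than a neutral default: the tuple `role:authenticated assignee user:*` together with `account:demo-root member role:authenticated#assignee` makes every authenticated user a member of `account:demo-root`, and in the model `member` grants `get`, `update`, `watch`, `create` and `list`. It is gated behind `fga.enabled: false`, but anyone who flips that flag in a real environment without overriding `stores` inherits this open model, so the store should carry a comment such as `# -- demo store for local setups: every authenticated user becomes a member of account:demo-root; replace before enabling fga elsewhere`. The hunk also drops the `# --` helm-docs lines on `istio.gateway.annotations`, `apiVersion`, `name`, `selector` and `servers`, and the new `crossplane.enabled`, `istio.enabled` and `fga.enabled` keys have none, which is why the regenerated infra README in this diff shows empty Description cells; please restore them. The gateway port change from 8080 to 8000 is a user-visible default change that the chart changelog should mention.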
@@ -14,46 +14,46 @@ A Helm chart to deploy keycloak as OIDC provider in openmfp | Key | Type | Default | Description | |-----|------|---------|-------------| | crossplane.clients.openmfp.name | string | `"OpenMFP"` | name of the client | -| crossplane.clients.openmfp.validRedirectUris | list | `["http://localhost:8000/callback*"]` | valid redirect uris for the client | +| crossplane.clients.openmfp.validRedirectUris | list | `["http://localhost:8000/callback*","http://localhost:4300/callback*"]` | valid redirect uris for the client | | crossplane.clients.openmfp.validRedirectUris[0] | string | `"http://localhost:8000/callback*"` | keycloak callback url | -| crossplane.enabled | bool | `false` | toggle to enable/disable crossplane | -| crossplane.identityProviders | object | `{"sap":{"authorizationUrl":"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/authorize","clientId":"82b4c72c-ff99-4df6-ba4f-fb634d1fc491","clientSecretRef":{"key":"client-secret","name":"sap-client-secret","namespace":"openmfp-system"},"clientSecretRemoteRef":"dxp-core-team/manual-secrets/sap-client-secret","issuer":"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/v2.0","tokenUrl":"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/token"}}` | crossplane identity providers config | -| crossplane.identityProviders.sap | object | `{"authorizationUrl":"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/authorize","clientId":"82b4c72c-ff99-4df6-ba4f-fb634d1fc491","clientSecretRef":{"key":"client-secret","name":"sap-client-secret","namespace":"openmfp-system"},"clientSecretRemoteRef":"dxp-core-team/manual-secrets/sap-client-secret","issuer":"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/v2.0","tokenUrl":"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/token"}` | sap IDP | -| 
crossplane.identityProviders.sap.authorizationUrl | string | `"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/authorize"` | authorization URL | -| crossplane.identityProviders.sap.clientId | string | `"82b4c72c-ff99-4df6-ba4f-fb634d1fc491"` | client id | -| crossplane.identityProviders.sap.clientSecretRef | object | `{"key":"client-secret","name":"sap-client-secret","namespace":"openmfp-system"}` | client secret | -| crossplane.identityProviders.sap.clientSecretRef.key | string | `"client-secret"` | secret key | -| crossplane.identityProviders.sap.clientSecretRef.name | string | `"sap-client-secret"` | secret name | -| crossplane.identityProviders.sap.clientSecretRef.namespace | string | `"openmfp-system"` | secret namespace | -| crossplane.identityProviders.sap.clientSecretRemoteRef | string | `"dxp-core-team/manual-secrets/sap-client-secret"` | user info URL | -| crossplane.identityProviders.sap.issuer | string | `"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/v2.0"` | user info URL | -| crossplane.identityProviders.sap.tokenUrl | string | `"https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/token"` | token URL | +| crossplane.enabled | bool | `true` | toggle to enable/disable crossplane | +| crossplane.identityProviders | object | `{}` | | | crossplane.providerConfig | object | `{"name":"keycloak-provider-config","namespace":"openmfp-system"}` | crossplane provider config | | crossplane.providerConfig.name | string | `"keycloak-provider-config"` | name of the client | | crossplane.providerConfig.namespace | string | `"openmfp-system"` | client namespace | -| crossplane.realm | object | `{"displayName":"OpenMFP","name":"openmfp","registrationAllowed":false}` | crossplane realm config | +| crossplane.realm | object | `{"displayName":"OpenMFP","name":"openmfp","registrationAllowed":true}` | crossplane realm config | | crossplane.realm.displayName | string | `"OpenMFP"` | 
realm display name | | crossplane.realm.name | string | `"openmfp"` | realm name | -| crossplane.realm.registrationAllowed | bool | `false` | realm registration allowed | +| crossplane.realm.registrationAllowed | bool | `true` | realm registration allowed | | crossplane.trustedAudiences | list | `[]` | | | debug | bool | `false` | debug mode | -| domain | object | `{"name":"openmfp.org","pathPrefix":""}` | domain configuration | +| domain | object | `{"name":"openmfp.org","pathPrefix":"/keycloak"}` | domain configuration | | domain.name | string | `"openmfp.org"` | domain name | -| domain.pathPrefix | string | `""` | path prefix | -| externalSecrets | object | `{"keycloakAdminRemoteRef":"dxp-core-team/manual-secrets/keycloak-admin","postgres-adminRemoteRef":"dxp-core-team/manual-secrets/postgres-admin-password"}` | external secrets configuration | -| externalSecrets.keycloakAdminRemoteRef | string | `"dxp-core-team/manual-secrets/keycloak-admin"` | keycloak admin secret | -| externalSecrets.postgres-adminRemoteRef | string | `"dxp-core-team/manual-secrets/postgres-admin-password"` | postgres admin secret | -| istio.virtualservice.hosts | list | `["auth.openmfp.org"]` | istio virtual service hosts | +| domain.pathPrefix | string | `"/keycloak"` | path prefix | +| externalSecrets | object | `{"keycloakAdminRemoteRef":"","postgres-adminRemoteRef":""}` | external secrets configuration | +| externalSecrets.keycloakAdminRemoteRef | string | `""` | keycloak admin secret | +| externalSecrets.postgres-adminRemoteRef | string | `""` | postgres admin secret | +| istio.https.enabled | bool | `false` | toggle to enable/disable https | +| istio.virtualservice.hosts | list | `["*"]` | istio virtual service hosts | | job | object | `{"annotations":{"argocd.argoproj.io/hook":"PostSync"},"serviceAccount":"keycloak-client-creation"}` | job configuration | | job.annotations | object | `{"argocd.argoproj.io/hook":"PostSync"}` | custom job annotations | | job.serviceAccount | string | 
`"keycloak-client-creation"` | job ServiceAccount name | -| keycloak | object | `{"extraEnvVars":"- name: KEYCLOAK_USER\n value: keycloak-admin\n- name: KEYCLOAK_PASSWORD\n valueFrom:\n secretKeyRef:\n name: keycloak-admin\n key: secret\n","postgresql":{"auth":{"existingSecret":"","secretKeys":{"adminPasswordKey":"password","userPasswordKey":"password"}}}}` | configuration passed to the child 'keyclaok' chart https://github.com/bitnami/charts/tree/main/bitnami/keycloak | -| keycloak.extraEnvVars | string | `"- name: KEYCLOAK_USER\n value: keycloak-admin\n- name: KEYCLOAK_PASSWORD\n valueFrom:\n secretKeyRef:\n name: keycloak-admin\n key: secret\n"` | keycloak environment variables (raw) | -| keycloak.postgresql | object | `{"auth":{"existingSecret":"","secretKeys":{"adminPasswordKey":"password","userPasswordKey":"password"}}}` | configuration for the postgresql sub-chart | -| keycloak.postgresql.auth | object | `{"existingSecret":"","secretKeys":{"adminPasswordKey":"password","userPasswordKey":"password"}}` | authorization configuration | +| keycloak | object | `{"auth":{"adminUser":"keycloak-admin","existingSecret":"keycloak-admin","passwordSecretKey":"secret"},"extraEnvVars":[{"name":"KEYCLOAK_USER","value":"keycloak-admin"},{"name":"KEYCLOAK_PASSWORD","valueFrom":{"secretKeyRef":{"key":"secret","name":"keycloak-admin"}}},{"name":"JAVA_OPTS_APPEND","value":"-Djgroups.dns.query=openmfp-keycloak-headless.openmfp-system.svc.cluster.local"}],"httpRelativePath":"/keycloak/","logging":{"level":"DEBUG"},"postgresql":{"auth":{"existingSecret":"","secretKeys":{"adminPasswordKey":"password","userPasswordKey":"password"},"username":"keycloak"},"nameOverride":"postgresql-keycloak","primary":{"resourcesPreset":"none"}},"resourcesPreset":"none"}` | configuration passed to the child 'keyclaok' chart https://github.com/bitnami/charts/tree/main/bitnami/keycloak | +| keycloak.auth.adminUser | string | `"keycloak-admin"` | keycloak admin user | +| keycloak.auth.existingSecret | 
string | `"keycloak-admin"` | keycloak admin secret | +| keycloak.auth.passwordSecretKey | string | `"secret"` | keycloak admin secret key | +| keycloak.extraEnvVars | list | `[{"name":"KEYCLOAK_USER","value":"keycloak-admin"},{"name":"KEYCLOAK_PASSWORD","valueFrom":{"secretKeyRef":{"key":"secret","name":"keycloak-admin"}}},{"name":"JAVA_OPTS_APPEND","value":"-Djgroups.dns.query=openmfp-keycloak-headless.openmfp-system.svc.cluster.local"}]` | keycloak environment variables (raw) For Arm64 arch (especially Apple M4), add -XX:UseSVE=0 to JAVA_OPTS_APPEND | +| keycloak.httpRelativePath | string | `"/keycloak/"` | keycloak http relative path | +| keycloak.logging.level | string | `"DEBUG"` | keycloak logging level | +| keycloak.postgresql | object | `{"auth":{"existingSecret":"","secretKeys":{"adminPasswordKey":"password","userPasswordKey":"password"},"username":"keycloak"},"nameOverride":"postgresql-keycloak","primary":{"resourcesPreset":"none"}}` | configuration for the postgresql sub-chart | +| keycloak.postgresql.auth | object | `{"existingSecret":"","secretKeys":{"adminPasswordKey":"password","userPasswordKey":"password"},"username":"keycloak"}` | authorization configuration | | keycloak.postgresql.auth.existingSecret | string | `""` | existing secret name | | keycloak.postgresql.auth.secretKeys.adminPasswordKey | string | `"password"` | admin password key | | keycloak.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | user password key | +| keycloak.postgresql.auth.username | string | `"keycloak"` | postgresql username | +| keycloak.postgresql.nameOverride | string | `"postgresql-keycloak"` | postgresql name override | +| keycloak.postgresql.primary.resourcesPreset | string | `"none"` | primary postgresql resources preset | +| keycloak.resourcesPreset | string | `"none"` | keycloak resources preset | | keycloakConfig.admin | object | 
`{"password":{"valueFrom":{"secretKeyRef":{"key":"secret","name":"keycloak-admin"}}},"username":{"value":"keycloak-admin"}}` | admin user configuration | | keycloakConfig.admin.password | object | `{"valueFrom":{"secretKeyRef":{"key":"secret","name":"keycloak-admin"}}}` | admin password | | keycloakConfig.admin.password.valueFrom.secretKeyRef.key | string | `"secret"` | key of the password in the secret | @@ -67,12 +67,12 @@ A Helm chart to deploy keycloak as OIDC provider in openmfp | keycloakConfig.client.tokenLifespan | int | `3600` | token lifespan | | keycloakConfig.realm | object | `{"name":"master"}` | realm configuration | | keycloakConfig.realm.name | string | `"master"` | realm name | -| keycloakConfig.redirectUrls | list | `[]` | redirect urls | -| keycloakConfig.url | string | `"http://keycloak-http.openmfp-system.svc.cluster.local:8080"` | url of the keycloak server | +| keycloakConfig.redirectUrls | list | `["http://localhost:8000/callback*"]` | redirect urls | +| keycloakConfig.url | string | `"http://openmfp-keycloak.openmfp-system.svc.cluster.local/keycloak"` | url of the keycloak server | | keycloakConfig.userRegistration.enabled | bool | `true` | toggle to enable/disable user registration | -| service | object | `{"name":"keycloak","port":8080}` | service configuration | -| service.name | string | `"keycloak"` | service name | -| service.port | int | `8080` | service port | +| service | object | `{"name":"openmfp-keycloak","port":80}` | service configuration | +| service.name | string | `"openmfp-keycloak"` | service name | +| service.port | int | `80` | service port | ## Overriding Values diff --git a/charts/keycloak/charts/common-0.2.10.tgz b/charts/keycloak/charts/common-0.2.10.tgz new file mode 100644 index 000000000..fed83c114 Binary files /dev/null and b/charts/keycloak/charts/common-0.2.10.tgz differ 
diff --git a/charts/keycloak/charts/common-0.2.7.tgz b/charts/keycloak/charts/common-0.2.7.tgz deleted file mode 100644 index 5749aba34..000000000 Binary files a/charts/keycloak/charts/common-0.2.7.tgz and /dev/null differ diff --git a/charts/keycloak/charts/keycloak-24.4.10.tgz b/charts/keycloak/charts/keycloak-24.4.10.tgz new file mode 100644 index 000000000..e068bb92c Binary files /dev/null and b/charts/keycloak/charts/keycloak-24.4.10.tgz differ diff --git a/charts/keycloak/charts/keycloak-24.4.7.tgz b/charts/keycloak/charts/keycloak-24.4.7.tgz deleted file mode 100644 index f3c99c6bc..000000000 Binary files a/charts/keycloak/charts/keycloak-24.4.7.tgz and /dev/null differ diff --git a/charts/keycloak/templates/crossplane/client.yaml b/charts/keycloak/templates/crossplane/client.yaml index 0fe1e068e..aa8f2f9ab 100644 --- a/charts/keycloak/templates/crossplane/client.yaml +++ b/charts/keycloak/templates/crossplane/client.yaml @@ -39,7 +39,7 @@ spec: - basic - acr - groups - - trusted-openmfp-auds + - trusted-openmfp-audiences realmIdRef: name: {{ $.Values.crossplane.realm.name }} providerConfigRef: diff --git a/charts/keycloak/templates/crossplane/external-secrets.yaml b/charts/keycloak/templates/crossplane/external-secrets.yaml index 9b830d58b..5639821fa 100644 --- a/charts/keycloak/templates/crossplane/external-secrets.yaml +++ b/charts/keycloak/templates/crossplane/external-secrets.yaml @@ -1,5 +1,5 @@ {{- if eq (include "common.getNestedValue" (dict "Values" .Values "key" "crossplane.enabled")) "true" -}} -{{- if eq (include "common.getNestedValue" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" -}} +{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" -}} {{- range $key, $val := .Values.crossplane.identityProviders }} apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret 
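Review bot: The template now mixes the two lookup helpers on consecutive lines — the outer guard still reads `crossplane.enabled` through `common.getNestedValue` while the inner one switched to `common.getKeyValue` for `externalSecrets.enabled` — even though realm.yaml in this same diff moved `crossplane.enabled` to `getKeyValue`. If the two helpers resolve values differently (their definitions are not visible here), the outer and inner guards can disagree on the same kind of key; make line 1 consistent: `{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "crossplane.enabled")) "true" -}}`. The `range` body continues outside the hunk.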
diff --git a/charts/keycloak/templates/crossplane/oidc-audences.yaml b/charts/keycloak/templates/crossplane/oidc-audences.yaml index 6916b98a2..39a674b92 100644 --- a/charts/keycloak/templates/crossplane/oidc-audences.yaml +++ b/charts/keycloak/templates/crossplane/oidc-audences.yaml @@ -20,6 +20,7 @@ metadata: name: {{ $val }}-trust spec: forProvider: + name: {{ $val }}-trust clientScopeIdRef: name: trusted-openmfp-audiences protocol: openid-connect diff --git a/charts/keycloak/templates/crossplane/realm.yaml b/charts/keycloak/templates/crossplane/realm.yaml index 9444ef503..e3e11db91 100644 --- a/charts/keycloak/templates/crossplane/realm.yaml +++ b/charts/keycloak/templates/crossplane/realm.yaml @@ -1,11 +1,11 @@ -{{- if eq (include "common.getNestedValue" (dict "Values" .Values "key" "crossplane.enabled")) "true" -}} +{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "crossplane.enabled")) "true" -}} apiVersion: realm.keycloak.crossplane.io/v1alpha1 kind: Realm metadata: name: {{ .Values.crossplane.realm.name}} spec: forProvider: - accessCodeLifespan: 1h + accessTokenLifespan: 1h attributes: organizationsEnabled: "true" displayName: {{ .Values.crossplane.realm.displayName }} diff --git a/charts/keycloak/templates/external-secrets.yaml b/charts/keycloak/templates/external-secrets.yaml index 523bb65ef..a0694be60 100644 --- a/charts/keycloak/templates/external-secrets.yaml +++ b/charts/keycloak/templates/external-secrets.yaml @@ -1,4 +1,4 @@ -{{- if eq (include "common.getNestedValue" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" -}} +{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" }} apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: diff --git a/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap b/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap index cf34b5ca3..ccefb97b0 100644 
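Review bot: Renaming `accessCodeLifespan: 1h` to `accessTokenLifespan: 1h` is not a typo fix but a different control: the old field bounded the authorization-code exchange window, the new one sets how long every access token issued for the realm stays valid, and one hour is far above Keycloak's built-in default of a few minutes. If a one-hour token lifetime is intended, expose it as a value with the reason recorded, e.g. `accessTokenLifespan: {{ .Values.crossplane.realm.accessTokenLifespan | default "1h" }}` plus a `# -- access token lifespan for the realm` entry in values.yaml, so operators can shorten the replay window of a leaked bearer token. The `forProvider` mapping continues outside the hunk; the README update in this diff also documents `crossplane.realm.registrationAllowed` as now defaulting to `true`, and open self-registration combined with long-lived tokens widens exposure for a publicly reachable realm.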
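Review bot: The trim-marker change from `-}}` to `}}` on the `if` line is inconsistent with the sibling crossplane/external-secrets.yaml in this diff, which keeps `-}}`; it only adds a leading blank line, so keep `-}}` unless it fixes a rendering problem, in which case say so in a comment. More importantly, the regenerated external-secrets snapshot in this diff now records `remoteRef.key: null` for the item with `secretKey: secret`, which appears to be the keycloak-admin entry whose `externalSecrets.keycloakAdminRemoteRef` default the README now lists as `""`; an ExternalSecret with a null remote key fails at reconciliation rather than at install time. Guard the value where the template renders it (outside the hunk), e.g. `key: {{ required "externalSecrets.keycloakAdminRemoteRef must be set when externalSecrets.enabled is true" .Values.externalSecrets.keycloakAdminRemoteRef }}`. The template body continues outside the hunk.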
--- a/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap @@ -15,6 +15,7 @@ matches the snapshot: standardFlowEnabled: true validRedirectUris: - http://localhost:8000/callback* + - http://localhost:4300/callback* providerConfigRef: name: keycloak-provider-config writeConnectionSecretToRef: @@ -35,7 +36,7 @@ matches the snapshot: - basic - acr - groups - - trusted-openmfp-auds + - trusted-openmfp-audiences realmIdRef: name: openmfp providerConfigRef: 
@@ -95,65 +96,6 @@ matches the snapshot: providerConfigRef: name: keycloak-provider-config 7: | - apiVersion: oidc.keycloak.crossplane.io/v1alpha1 - kind: IdentityProvider - metadata: - name: sap - spec: - forProvider: - alias: sap - authorizationUrl: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/authorize - clientId: 82b4c72c-ff99-4df6-ba4f-fb634d1fc491 - clientSecretSecretRef: - key: client-secret - name: sap-client-secret - namespace: openmfp-system - defaultScopes: openid email profile - hideOnLoginPage: true - issuer: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/v2.0 - realmRef: - name: openmfp - tokenUrl: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/token - trustEmail: true - providerConfigRef: - name: keycloak-provider-config - 8: | - apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1 - kind: IdentityProviderMapper - metadata: - name: lastname - spec: - forProvider: - extraConfig: - Claim: last_name - UserAttribute: lastName - syncMode: INHERIT - identityProviderAlias: sap - identityProviderMapper: oidc-user-attribute-idp-mapper - name: last_name - realmRef: - name: openmfp - providerConfigRef: - name: keycloak-provider-config - 9: | - apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1 - kind: IdentityProviderMapper - metadata: - name: firstname - spec: - forProvider: - extraConfig: - Claim: first_name - UserAttribute: firstName - syncMode: INHERIT - identityProviderAlias: sap - identityProviderMapper: oidc-user-attribute-idp-mapper - name: first_name - realmRef: - name: openmfp - providerConfigRef: - name: keycloak-provider-config - 10: | apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 kind: ClientScope metadata: @@ -166,7 +108,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 11: | + 8: | apiVersion: keycloak.crossplane.io/v1beta1 kind: ProviderConfig metadata: 
@@ -179,7 +121,7 @@ matches the snapshot: name: keycloak-provider-config namespace: openmfp-system source: Secret - 12: | + 9: | apiVersion: v1 kind: Secret metadata: @@ -191,17 +133,17 @@ matches the snapshot: "client_id":"admin-cli", "username": "keycloak-admin", "password": "admin", - "url": "http://keycloak-http.openmfp-system.svc.cluster.local:8080", + "url": "http://openmfp-keycloak.openmfp-system.svc.cluster.local/keycloak", "realm": "master" } - 13: | + 10: | apiVersion: realm.keycloak.crossplane.io/v1alpha1 kind: Realm metadata: name: openmfp spec: forProvider: - accessCodeLifespan: 1h + accessTokenLifespan: 1h attributes: organizationsEnabled: "true" displayName: OpenMFP @@ -209,7 +151,7 @@ matches the snapshot: enabled: true loginWithEmailAllowed: true realm: openmfp - registrationAllowed: false + registrationAllowed: true registrationEmailAsUsername: true providerConfigRef: name: keycloak-provider-config diff --git a/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap b/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap index 3294e4bb5..dea6a65eb 100644 --- a/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap @@ -9,7 +9,7 @@ matches the snapshot: data: - remoteRef: conversionStrategy: Default - key: dxp-core-team/manual-secrets/keycloak-admin + key: null property: password secretKey: secret refreshInterval: 10m diff --git a/charts/keycloak/tests/__snapshot__/istio_test.yaml.snap b/charts/keycloak/tests/__snapshot__/istio_test.yaml.snap index 3874f85e3..b96340dfb 100644 --- a/charts/keycloak/tests/__snapshot__/istio_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/istio_test.yaml.snap 
@@ -10,11 +10,14 @@ matches the snapshot: hosts: - keycloak.openmfp.org http: - - route: + - match: + - uri: + prefix: /keycloak + route: - destination: - host: keycloak.openmfp-system.svc.cluster.local + host: openmfp-keycloak.openmfp-system.svc.cluster.local port: - number: 8080 + number: 80 matches the snapshot (with path prefix): 1: | apiVersion: networking.istio.io/v1beta1 @@ -32,6 +35,6 @@ matches the snapshot (with path prefix): prefix: /auth route: - destination: - host: keycloak.openmfp-system.svc.cluster.local + host: openmfp-keycloak.openmfp-system.svc.cluster.local port: - number: 8080 + number: 80 diff --git a/charts/keycloak/tests/__snapshot__/job_test.yaml.snap b/charts/keycloak/tests/__snapshot__/job_test.yaml.snap index 39fdf7272..2b6d5ec63 100644 --- a/charts/keycloak/tests/__snapshot__/job_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/job_test.yaml.snap 
@@ -1,306 +1,5 @@ matches the snapshot: 1: | - apiVersion: batch/v1 - kind: Job - metadata: - annotations: - argocd.argoproj.io/hook: PostSync - name: RELEASE-NAME-keycloak-configuration - spec: - activeDeadlineSeconds: 1800 - imagePullSecrets: - - containers: - - args: - - | - #!/bin/sh - set +e - - REALM=master - - function quitIstio { - curl -s -X POST http://localhost:15000/quitquitquit - } - - MAX_RETRIES=15 - RETRY_DELAY=5 - - for i in $(seq 1 $MAX_RETRIES); do - # Get the admin token - TOKEN=$(curl -s --location --request POST "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" \ - --header 'Content-Type: application/x-www-form-urlencoded' \ - --data-urlencode "username=$KEYCLOAK_USER" \ - --data-urlencode "password=$KEYCLOAK_PASSWORD" \ - --data-urlencode 'grant_type=password' \ - --data-urlencode 'client_id=admin-cli' | jq -r '.access_token') - - if [ -n "$TOKEN" ]; then - break - elif [ $i -eq $MAX_RETRIES ]; then - echo "Failed to get token after $MAX_RETRIES attempts, exiting" - quitIstio - exit 1 - else - echo "Failed to get token, attempt $i/$MAX_RETRIES. Retrying in $RETRY_DELAY seconds..." - sleep $RETRY_DELAY - fi - done - echo "Patch the realm to allow for user registration" - curl -s -X PUT -H 'Content-Type: application/json' -H "Authorization: bearer $TOKEN" -d '{"registrationAllowed": true, "registrationEmailAsUsername": true}' $KEYCLOAK_URL/admin/realms/$REALM - - CLIENT_ID=$(curl -s -H "Authorization: Bearer $TOKEN" "$KEYCLOAK_URL/admin/realms/$REALM/clients" | jq -r '.[] | select(.clientId=="openmfp") | .id') - if [ -z "$CLIENT_ID" ]; then - echo "Creating client 'openmfp'" - CREATE_CLIENT_PAYLOAD=$(cat <