diff --git a/charts/account-operator-crds/README.md b/charts/account-operator-crds/README.md index 36f4eeea9..74c5f21de 100644 --- a/charts/account-operator-crds/README.md +++ b/charts/account-operator-crds/README.md @@ -27,3 +27,16 @@ Example 3) .Values.deployment.resources.limits.memory = 1024MB 4) .Values.common.defaults.deployment.resources.limits.memory = default 512MB ``` +# account-operator-crds + +![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| kcp.enabled | bool | `false` | Enable KCP | +| kcp.identityHash | string | `""` | | + diff --git a/charts/account-operator/README.md b/charts/account-operator/README.md index ad156cdf2..472fdb064 100644 --- a/charts/account-operator/README.md +++ b/charts/account-operator/README.md @@ -4,8 +4,6 @@ A Helm chart to deploy OpenMFP Account-Operator ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) - ## Requirements | Repository | Name | Description | Sources | diff --git a/charts/common/README.md b/charts/common/README.md index 0f4a6de63..eb6760698 100644 --- a/charts/common/README.md +++ b/charts/common/README.md 
@@ -48,3 +48,37 @@ Example 3) .Values.deployment.resources.limits.memory = 1024MB 4) .Values.common.defaults.deployment.resources.limits.memory = default 512MB ``` +# common + +![Version: 0.2.8](https://img.shields.io/badge/Version-0.2.8-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) + +A Helm chart containing reuse templates + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| defaults.certManager.enabled | bool | `false` | toggle to enable/disable cert-manager | +| defaults.deployment.maxSurge | int | `5` | maxSurge | +| defaults.deployment.maxUnavailable | int | `0` | maxUnavailable | +| defaults.deployment.resources.limits | object | `{"cpu":"100m","memory":"512Mi"}` | cpu and memory limits for the deployment | +| defaults.deployment.resources.requests | object | `{"cpu":"40m","memory":"50Mi"}` | cpu and memory requests for the deployment | +| defaults.deployment.revisionHistoryLimit | int | `3` | deployment revision history limit | +| defaults.deployment.strategy | string | `"RollingUpdate"` | deployment strategy | +| defaults.externalSecrets.enabled | bool | `true` | toggle to enable/disable external-secrets | +| defaults.fga.enabled | bool | `false` | toggle to enable/disable experimental FGA features | +| defaults.health.liveness | object | `{"failureThreshold":1,"path":"/healthz"}` | liveness probe parameters | +| defaults.health.periodSeconds | int | `10` | health period | +| defaults.health.port | int | `8081` | health port | +| defaults.health.readiness | object | `{"initialDelaySeconds":5,"path":"/readyz","periodSeconds":10}` | readiness probe parameters | +| defaults.health.startup | object | `{"failureThreshold":30,"path":"/readyz"}` | startup probe parameters | +| defaults.imagePullPolicy | string | `"Always"` | imagePullPolicy is the policy to use when pulling images for all charts | +| defaults.imagePullSecret | string | 
`"github"` | imagePullSecret is the name of the secret that holds the docker registry credentials | +| defaults.istio.enabled | bool | `false` | toggle to enable/disable istio | +| defaults.istio.gateway.name | string | `"gateway"` | name of the gateway | +| defaults.metrics.port | int | `8080` | metrics port | +| defaults.port | int | `8080` | service port | +| defaults.securityContext.fsGroup | int | `2000` | fsGroup id to run the container | +| defaults.securityContext.runAsGroup | int | `3000` | group id to run the container | +| defaults.securityContext.runAsUser | int | `1000` | user id to run the container | + diff --git a/charts/extension-manager-operator-crds/README.md b/charts/extension-manager-operator-crds/README.md index 18942bbbe..b216dfc89 100644 --- a/charts/extension-manager-operator-crds/README.md +++ b/charts/extension-manager-operator-crds/README.md @@ -25,3 +25,9 @@ Example 3) .Values.deployment.resources.limits.memory = 1024MB 4) .Values.common.defaults.deployment.resources.limits.memory = default 512MB ``` +# extension-manager-operator-crds + +![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) + +A Helm chart for Kubernetes + diff --git a/charts/extension-manager-operator/README.md b/charts/extension-manager-operator/README.md index a742480e8..d9b3be211 100644 --- a/charts/extension-manager-operator/README.md +++ b/charts/extension-manager-operator/README.md 
@@ -4,12 +4,6 @@ A Helm chart for extension-manager-operator which manages resources like Content
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
-![Version: 0.22.41](https://img.shields.io/badge/Version-0.22.41-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.77.0](https://img.shields.io/badge/AppVersion-0.77.0-informational?style=flat-square)
-
-## Additional Information
-
-The `common` chart is a library of common resources that are shared across all other charts in the repository. It has no templates, but provides helm template functions and default values that can be used by other charts.
-
 ## Requirements
 | Repository | Name | Description | Sources |
diff --git a/charts/infra/templates/cluster-role.yaml b/charts/infra/templates/cluster-role.yaml
deleted file mode 100644
index ec8339334..000000000
--- a/charts/infra/templates/cluster-role.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if ((.Values.rbac).clusterRole).enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: openmfp-cluster-reader
-rules:
-- apiGroups:
- - core.openmfp.io
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: openmfp-cluster-reader
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gardener.cloud:system:read-only
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: /portal
-{{- end -}}
diff --git a/charts/infra/templates/external-secret-account-operator.yaml b/charts/infra/templates/external-secret-account-operator.yaml
deleted file mode 100644
index 6bb0c566f..000000000
--- a/charts/infra/templates/external-secret-account-operator.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if eq (include "common.hasNestedKey" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" }}
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: account-operator-sa-kubeconfig
- namespace: {{ .Release.Namespace }}
-spec:
- refreshInterval: "10m"
- secretStoreRef:
- name: environment-store
- kind: SecretStore
- target:
- name: account-operator-sa-kubeconfig
- creationPolicy: Owner
- deletionPolicy: Retain
- data:
- - secretKey: kubeconfig
- remoteRef:
- key: {{ .Values.externalSecrets.accountOperatorSaKubeconfig }}
- property: kubeconfig
- conversionStrategy: Default
-{{ end }}
diff --git a/charts/infra/templates/gateway.yaml b/charts/infra/templates/gateway.yaml
index d8d1700a1..1c56a15fd 100644
--- a/charts/infra/templates/gateway.yaml
+++ b/charts/infra/templates/gateway.yaml
@@ -1,14 +1,16 @@
-apiVersion: {{ .Values.gateway.apiVersion }}
+{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "istio.enabled")) "true" -}}
+apiVersion: {{ .Values.istio.networking.apiVersion }}
 kind: Gateway
 metadata:
- name: {{ .Values.gateway.name}}
+ name: {{ .Values.istio.gateway.name}}
 namespace: {{ .Release.Namespace }}
-{{- if .Values.gateway.annotations }}
+{{- if .Values.istio.gateway.annotations }}
 annotations:
- {{- toYaml .Values.gateway.annotations | nindent 4 }}
+ {{- toYaml .Values.istio.gateway.annotations | nindent 4 }}
 {{- end }}
 spec:
 selector:
-{{ .Values.gateway.selector | toYaml | indent 4 }}
+{{ .Values.istio.gateway.selector | toYaml | indent 4 }}
 servers:
-{{ toYaml .Values.gateway.servers | indent 4 }}
+{{ toYaml .Values.istio.gateway.servers | indent 4 }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/infra/templates/kcp-service-entry.yaml b/charts/infra/templates/kcp-service-entry.yaml
deleted file mode 100644
index 4f509e5e2..000000000
--- a/charts/infra/templates/kcp-service-entry.yaml
+++ /dev/null
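Review bot: In the gateway.yaml hunk, `apiVersion: {{ .Values.istio.networking.apiVersion }}` is dereferenced without a fallback, and nothing in this diff introduces that key: the common chart's documented defaults added in this same commit cover only `defaults.istio.enabled` and `defaults.istio.gateway.name`, so unless infra's own values.yaml (not shown) sets `istio.networking.apiVersion`, `istio.gateway.selector` and `istio.gateway.servers`, enabling istio renders an empty `apiVersion:` and `null` selector/servers. The infra snapshot in this commit renders `networking.istio.io/v1`, so a pinned fallback matches what the tests already expect: `apiVersion: {{ .Values.istio.networking.apiVersion | default "networking.istio.io/v1" }}`. Note also that `servers` is emitted verbatim from values; the updated snapshot shows a wildcard host `'*'` on plain-HTTP port `8000`, so any TLS termination for this Gateway has to come from the values or from something in front of it, which is worth a one-line comment above the `servers:` key.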
@@ -1,16 +0,0 @@
-{{- if and .Values.kcp.enabled .Values.kcp.host -}}
-apiVersion: networking.istio.io/v1beta1
-kind: ServiceEntry
-metadata:
- name: kcp-workspaces
- namespace: {{ .Release.Namespace }}
-spec:
- hosts:
- - {{ .Values.kcp.host }}
- location: MESH_EXTERNAL
- ports:
- - name: https
- number: 443
- protocol: TLS
- resolution: DNS
-{{- end -}}
diff --git a/charts/infra/templates/keycloak-service-entry.yaml b/charts/infra/templates/keycloak-service-entry.yaml
deleted file mode 100644
index e3b34d0e9..000000000
--- a/charts/infra/templates/keycloak-service-entry.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if (.Values.keycloak).enabled -}}
-apiVersion: networking.istio.io/v1beta1
-kind: ServiceEntry
-metadata:
- name: auth
-spec:
- hosts:
- {{- .Values.keycloak.hosts | toYaml | nindent 2 }}
- location: MESH_EXTERNAL
- ports:
- - name: https
- number: 443
- protocol: TLS
- resolution: DNS
-{{- end -}}
diff --git a/charts/infra/templates/service-entries-https.yaml b/charts/infra/templates/service-entries-https.yaml
index 980893628..84eee3a2a 100644
--- a/charts/infra/templates/service-entries-https.yaml
+++ b/charts/infra/templates/service-entries-https.yaml
@@ -13,4 +13,4 @@ spec:
 number: 443
 protocol: TLS
 resolution: DNS
-{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/infra/templates/store.yaml b/charts/infra/templates/store.yaml
deleted file mode 100644
index 095a2989a..000000000
--- a/charts/infra/templates/store.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if (.Values.fga).enabled }}
-{{- range .Values.fga.stores }}
----
-apiVersion: core.openmfp.io/v1alpha1
-kind: Store
-metadata:
- name: {{ .name }}
- namespace: {{ .namespace }}
-spec:
- coreModule: |
- {{ .coreModuleName | nindent 4 }}
-{{- end}}
-{{- end }}
\ No newline at end of file
diff --git a/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap b/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap
index bcf69b6b6..1d8ece572 100644
--- a/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap @@ -1,24 +1,44 @@ -matches the snapshot: +disables externalsecrets: 1: | apiVersion: core.openmfp.io/v1alpha1 kind: Store metadata: - name: test - namespace: test + name: tenant-demo-root + namespace: openmfp-system spec: coreModule: |2 module core type user + type role + relations + define assignee: [user,user:*] + type account relations - define owner: [user] - define member: [user] or owner + + define parent: [account] + define owner: [role#assignee] + define member: [role#assignee] or owner + + define get: member or get from parent + define update: member or update from parent + define delete: owner or delete from parent + + # org and account specific + define watch: member or watch from parent + + # org specific + define create: member or create from parent + define list: member or list from parent tuples: - - object: account:a - relation: owner - user: user:a + - object: role:authenticated + relation: assignee + user: user:* + - object: account:demo-root + relation: member + user: role:authenticated#assignee 2: | apiVersion: networking.istio.io/v1 kind: Gateway 
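Review bot: The rendered FGA model in this hunk makes every `user` object a member of the root account: `define assignee: [user,user:*]` plus the tuple `object: role:authenticated / relation: assignee / user: user:*` puts all users on the role, and `account:demo-root` gets `member: role:authenticated#assignee`, while `get`, `update`, `watch`, `create` and `list` all resolve through `member`; only `delete` stays owner-gated. This is generated snapshot output, so the change itself lives in the values or template that produce the Store, which are not in this diff (the old `store.yaml` is deleted here). If wildcard root membership is intended for the demo tenant, the `user:*` tuple in the source values deserves a comment saying so, e.g. `# demo tenant: every user is a member of the root account by design`; if not, the tuple should name a concrete group instead of `user:*`. The same model is repeated in the `matches the snapshot` hunk that follows.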
@@ -33,20 +53,62 @@ matches the snapshot: - '*' port: name: http - number: 8080 + number: 8000 protocol: HTTP - 3: | +matches the snapshot: + 1: | + apiVersion: core.openmfp.io/v1alpha1 + kind: Store + metadata: + name: tenant-demo-root + namespace: openmfp-system + spec: + coreModule: |2 + module core + + type user + + type role + relations + define assignee: [user,user:*] + + type account + relations + + define parent: [account] + define owner: [role#assignee] + define member: [role#assignee] or owner + + define get: member or get from parent + define update: member or update from parent + define delete: owner or delete from parent + + # org and account specific + define watch: member or watch from parent + + # org specific + define create: member or create from parent + define list: member or list from parent + tuples: + - object: role:authenticated + relation: assignee + user: user:* + - object: account:demo-root + relation: member + user: role:authenticated#assignee + 2: | apiVersion: networking.istio.io/v1 - kind: ServiceEntry + kind: Gateway metadata: - name: openmfp-https + name: gateway namespace: NAMESPACE spec: - hosts: - - example.com - location: MESH_EXTERNAL - ports: - - name: https - number: 443 - protocol: TLS - resolution: DNS + selector: + istio: gateway + servers: + - hosts: + - '*' + port: + name: http + number: 8000 + protocol: HTTP diff --git a/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap b/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap index 75beaab93..e2afa9645 100644 --- a/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap 
@@ -98,13 +98,23 @@ matches the snapshot: apiVersion: oidc.keycloak.crossplane.io/v1alpha1 kind: IdentityProvider metadata: - name: trusted-openmfp-audiences + name: sap spec: forProvider: - includeInTokenScope: true - name: trusted-openmfp-audiences - realmIdRef: + alias: sap + authorizationUrl: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/authorize + clientId: 82b4c72c-ff99-4df6-ba4f-fb634d1fc491 + clientSecretSecretRef: + key: client-secret + name: sap-client-secret + namespace: openmfp-system + defaultScopes: openid email profile + hideOnLoginPage: true + issuer: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/v2.0 + realmRef: name: openmfp + tokenUrl: https://login.microsoftonline.com/42f7676c-f455-423c-82f6-dc2d99791af7/oauth2/v2.0/token + trustEmail: true providerConfigRef: name: keycloak-provider-config 8: | diff --git a/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap b/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap index 6845ce637..245155b14 100644 --- a/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/external-secrets_test.yaml.snap 
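Review bot: The new `sap` IdentityProvider is rendered with `trustEmail: true` (and `hideOnLoginPage: true`); in Keycloak, trusting the broker's email means a federated login's email is treated as verified even when the realm requires verification, and the first-login flow can link to an existing `openmfp` account with the same email without the email-ownership step. That is only appropriate if the upstream tenant is authoritative for those users' emails and emits verified addresses exclusively; if that is the intent, a comment next to `trustEmail` in the source values (not in this diff) such as `# upstream tenant is authoritative for email; verification delegated to the IdP` would settle the question for the next reviewer. The tenant and client identifiers embedded in this committed snapshot are not secrets, but confirm they are meant to be public rather than test placeholders.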
@@ -41,3 +41,46 @@ matches the snapshot: creationPolicy: Owner deletionPolicy: Retain name: postgres-admin-password +matches the snapshot (no external secrets): + 1: | + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: RELEASE-NAME-keycloak-admin + namespace: openmfp-system + spec: + data: + - remoteRef: + conversionStrategy: Default + key: keycloak-admin + property: password + secretKey: secret + refreshInterval: 10m + secretStoreRef: + kind: SecretStore + name: environment-store + target: + creationPolicy: Owner + deletionPolicy: Retain + name: keycloak-admin + 2: | + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: RELEASE-NAME-keycloak-postgres + namespace: openmfp-system + spec: + data: + - remoteRef: + conversionStrategy: Default + key: null + property: password + secretKey: password + refreshInterval: 10m + secretStoreRef: + kind: SecretStore + name: environment-store + target: + creationPolicy: Owner + deletionPolicy: Retain + name: postgres-admin-password diff --git a/charts/openmfp-crds/charts/extension-manager-operator-crds-0.1.5.tgz b/charts/openmfp-crds/charts/extension-manager-operator-crds-0.1.5.tgz deleted file mode 100644 index 505b3eebf..000000000 Binary files a/charts/openmfp-crds/charts/extension-manager-operator-crds-0.1.5.tgz and /dev/null differ diff --git a/charts/openmfp/charts/example-content-0.112.0.tgz b/charts/openmfp/charts/example-content-0.112.0.tgz index 26c1c3ad4..3a6da3035 100644 Binary files a/charts/openmfp/charts/example-content-0.112.0.tgz and b/charts/openmfp/charts/example-content-0.112.0.tgz differ diff --git a/charts/openmfp/charts/extension-manager-operator-0.22.94.tgz b/charts/openmfp/charts/extension-manager-operator-0.22.94.tgz deleted file mode 100644 index 0382e5d0a..000000000 Binary files a/charts/openmfp/charts/extension-manager-operator-0.22.94.tgz and /dev/null differ 
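Review bot: In the new `matches the snapshot (no external secrets)` case, the second ExternalSecret renders `remoteRef.key: null`, so `postgres-admin-password` can never sync; either the value behind that key has no default or the test omits it. A test case whose name says external secrets are off yet still produces two ExternalSecret objects also suggests the enable toggle is not evaluated by these templates, though the templates and test file are outside this diff, so that is to be confirmed against them. The template should fail at render time rather than emit a null key, e.g. `key: {{ required "<postgres remoteRef key path> must be set" <value path> }}` (placeholders; the real value path is not visible here).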
diff --git a/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz b/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz index 19f2c665a..a67123779 100644 Binary files a/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz and b/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz differ diff --git a/charts/openmfp/charts/infra-0.61.0.tgz b/charts/openmfp/charts/infra-0.61.0.tgz index b9a033c5e..ed86c538b 100644 Binary files a/charts/openmfp/charts/infra-0.61.0.tgz and b/charts/openmfp/charts/infra-0.61.0.tgz differ diff --git a/charts/openmfp/charts/keycloak-0.60.17.tgz b/charts/openmfp/charts/keycloak-0.60.17.tgz deleted file mode 100644 index c1be92619..000000000 Binary files a/charts/openmfp/charts/keycloak-0.60.17.tgz and /dev/null differ diff --git a/charts/openmfp/charts/keycloak-0.61.0.tgz b/charts/openmfp/charts/keycloak-0.61.0.tgz index edfb89351..df9f9c852 100644 Binary files a/charts/openmfp/charts/keycloak-0.61.0.tgz and b/charts/openmfp/charts/keycloak-0.61.0.tgz differ diff --git a/charts/openmfp/charts/portal-0.71.41.tgz b/charts/openmfp/charts/portal-0.71.41.tgz deleted file mode 100644 index 36b4ae146..000000000 Binary files a/charts/openmfp/charts/portal-0.71.41.tgz and /dev/null differ diff --git a/charts/openmfp/charts/portal-0.72.0.tgz b/charts/openmfp/charts/portal-0.72.0.tgz index b72b9a746..2c48edb00 100644 Binary files a/charts/openmfp/charts/portal-0.72.0.tgz and b/charts/openmfp/charts/portal-0.72.0.tgz differ diff --git a/charts/portal/README.md b/charts/portal/README.md index e281dd341..d0f2724cd 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md 
@@ -2,12 +2,6 @@ Helm Chart for the openmfp Portal -![Version: 0.69.161](https://img.shields.io/badge/Version-0.69.161-informational?style=flat-square) ![AppVersion: 0.234.0](https://img.shields.io/badge/AppVersion-0.234.0-informational?style=flat-square) - -## Additional Information - -The `common` chart is a library of common resources that are shared across all other charts in the repository. It has no templates, but provides helm template functions and default values that can be used by other charts. - ## Requirements | Repository | Name | Description | Sources | @@ -33,7 +27,7 @@ The `common` chart is a library of common resources that are shared across all o | importContent | bool | `false` | import content toggle | | trust.openmfp.authDomain | string | `"http://localhost:8000/keycloak/realms/openmfp/protocol/openid-connect/auth"` | auth domain (if discoveryEndpoint is not specified) | | trust.openmfp.baseDomains | string | `"localhost"` | base domains | -| trust.openmfp.discoveryEndpoint | string | `""` | discovery endpoint. If specified (different than ""), authDomain and tokenUrl are not required | +| trust.openmfp.discoveryEndpoint | string | `"https://auth.provider.external/realms/master/.well-known/openid-configuration"` | discovery endpoint. If specified (different than ""), authDomain and tokenUrl are not required | | trust.openmfp.loginAudience | string | `"openmfp"` | login audience | | trust.openmfp.oidcClientSecretName | string | `"openmfp-client"` | oidc client secret name | | trust.openmfp.secretKeyRef | string | `"attribute.client_secret"` | secret key reference | diff --git a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap index 01aed6cc6..2fcc39514 100644 --- a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap +++ b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap 
@@ -32,10 +32,8 @@ matches the snapshot: secretKeyRef: key: attribute.client_secret name: portal-client-secret-openmfp - - name: TOKEN_URL_OPENMFP - value: http://keycloak/keycloak/realms/openmfp/protocol/openid-connect/token - - name: AUTH_SERVER_URL_OPENMFP - value: http://localhost:8000/keycloak/realms/openmfp/protocol/openid-connect/auth + - name: DISCOVERY_ENDPOINT_OPENMFP + value: https://auth.provider.external/realms/master/.well-known/openid-configuration - name: BASE_DOMAINS_OPENMFP value: localhost - name: OIDC_CLIENT_ID_PORTAL diff --git a/charts/portal/tests/__snapshot__/istio_test.yaml.snap b/charts/portal/tests/__snapshot__/istio_test.yaml.snap index 463e8626f..b453a101d 100644 --- a/charts/portal/tests/__snapshot__/istio_test.yaml.snap +++ b/charts/portal/tests/__snapshot__/istio_test.yaml.snap @@ -32,10 +32,8 @@ matches the snapshot: secretKeyRef: key: attribute.client_secret name: portal-client-secret-openmfp - - name: TOKEN_URL_OPENMFP - value: http://keycloak/keycloak/realms/openmfp/protocol/openid-connect/token - - name: AUTH_SERVER_URL_OPENMFP - value: http://localhost:8000/keycloak/realms/openmfp/protocol/openid-connect/auth + - name: DISCOVERY_ENDPOINT_OPENMFP + value: https://auth.provider.external/realms/master/.well-known/openid-configuration - name: BASE_DOMAINS_OPENMFP value: localhost - name: OIDC_CLIENT_ID_PORTAL @@ -204,10 +202,8 @@ matches the snapshot with istio disabled: secretKeyRef: key: attribute.client_secret name: portal-client-secret-openmfp - - name: TOKEN_URL_OPENMFP - value: http://keycloak/keycloak/realms/openmfp/protocol/openid-connect/token - - name: AUTH_SERVER_URL_OPENMFP - value: http://localhost:8000/keycloak/realms/openmfp/protocol/openid-connect/auth + - name: DISCOVERY_ENDPOINT_OPENMFP + value: https://auth.provider.external/realms/master/.well-known/openid-configuration - name: BASE_DOMAINS_OPENMFP value: localhost - name: OIDC_CLIENT_ID_PORTAL
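Review bot: The new default for `DISCOVERY_ENDPOINT_OPENMFP`, `https://auth.provider.external/realms/master/.well-known/openid-configuration` (also the documented default in the portal README hunk above), looks like a placeholder host, so a release installed with default values now performs OIDC discovery against an external domain instead of the in-cluster Keycloak that `authDomain` still points to, and the README itself says a non-empty discovery endpoint overrides `authDomain`/`tokenUrl`. A chart default should be either empty, leaving `authDomain` and `tokenUrl` in effect, or the real in-cluster discovery URL; a realistic-looking placeholder invites silent misconfiguration and unintended DNS egress from the portal pod. These are generated snapshots, so the fix belongs in the portal values.yaml, which is not in this diff; the same default is repeated in both istio_test snapshot hunks.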