diff --git a/.github/workflows/portal.yaml b/.github/workflows/portal.yaml
new file mode 100644
index 000000000..63f6f3caf
--- /dev/null
+++ b/.github/workflows/portal.yaml
@@ -0,0 +1,28 @@
+name: Build portal Workflow
+on:
+ push:
+ paths:
+ - 'charts/portal/**'
+ - '.github/workflows/portal.yaml'
+
+jobs:
+ pipeline:
+ concurrency:
+ group: portal-${{ github.ref }}
+ cancel-in-progress: true
+ uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main
+ with:
+ chartFolder: charts
+ chartName: portal
+ additionalTestFilesCommand: ''
+ chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts'
+ secrets: inherit
+
+ updateVersionFile:
+ if: ${{ github.ref == 'refs/heads/main' }}
+ needs: [pipeline]
+ uses: openmfp/gha/.github/workflows/job-update-version-file.yml@main
+ secrets: inherit
+ with:
+ componentVersionKey: "portal"
+ version: ${{ needs.pipeline.outputs.version }}
diff --git a/charts/portal/.helmignore b/charts/portal/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/portal/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/portal/Chart.lock b/charts/portal/Chart.lock
new file mode 100644
index 000000000..fa76da0ce
--- /dev/null
+++ b/charts/portal/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: file://../common
+ version: 0.1.4
+digest: sha256:05e31c3eb487f942d4ac07ce0dfe4e0620779b589ef481cdd6534c73a7f0ca27
+generated: "2024-11-20T11:36:34.0773803+02:00"
diff --git a/charts/portal/Chart.yaml b/charts/portal/Chart.yaml
new file mode 100644
index 000000000..03b4b89dd
--- /dev/null
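Review bot: Both `uses:` lines in portal.yaml call reusable workflows from `openmfp/gha` at the mutable ref `@main` while passing `secrets: inherit`, so any commit that lands on that branch runs with every secret this repository exposes. Pin both references to a full commit SHA, e.g. `uses: openmfp/gha/.github/workflows/pipeline-chart.yml@<full-commit-sha>`, and replace `secrets: inherit` with an explicit `secrets:` map naming only what each called workflow needs. The workflow also has no `permissions:` block, so the token scope falls back to the repository default; a top-level `permissions:` with the minimum scopes would make the grant explicit. The `push` trigger has no branch filter, so the `pipeline` job runs with inherited secrets on every branch that touches the chart.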
+++ b/charts/portal/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+appVersion: "0.164.0"
+description: Helm Chart for the openmfp Portal
+name: portal
+version: 0.69.88
+dependencies:
+ - name: common
+ repository: file://../common
+ version: 0.1.4
diff --git a/charts/portal/README.MD b/charts/portal/README.MD
new file mode 100644
index 000000000..0de306dd9
--- /dev/null
+++ b/charts/portal/README.MD
@@ -0,0 +1,12 @@
+# Helm chart of the jukebox
+
+## Execute the linting in the pipeline
+
+```shell
+helm lint -f test-values.yaml
+```
+
+## Debug the chart output
+```shell
+helm template --debug . -f test-values.yaml
+```
diff --git a/charts/portal/charts/common-0.1.4.tgz b/charts/portal/charts/common-0.1.4.tgz
new file mode 100644
index 000000000..29a625d47
Binary files /dev/null and b/charts/portal/charts/common-0.1.4.tgz differ
diff --git a/charts/portal/templates/deploy.yaml b/charts/portal/templates/deploy.yaml
new file mode 100644
index 000000000..6fa839a41
--- /dev/null
+++ b/charts/portal/templates/deploy.yaml
@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "common.entity.name" . }}
+spec:
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ .Values.deployment.maxSurge }}
+ maxUnavailable: {{ .Values.deployment.maxUnavailable }}
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app: {{ include "common.entity.name" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.entity.name" . }}
+ spec:
+ serviceAccountName: {{ include "common.entity.name" . }}
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ containers:
+ - name: {{ include "common.entity.name" . }}
+ image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ readOnlyRootFilesystem: true
+ env:
+ - name: HTTP_PROTOCOL
+ value: {{ .Values.http.protocol }}
+ {{- range $key, $idp := .Values.trust }}
+ - name: OIDC_CLIENT_ID_{{ $key | upper | replace "-" "_" }}
+ value: "{{ $idp.loginAudience | default $idp.audience }}"
+ - name: OIDC_CLIENT_SECRET_{{ $key | upper | replace "-" "_" }}
+ valueFrom:
+ secretKeyRef:
+ name: portal-client-secret-{{ $idp.secretKey | default $key }}
+ key: {{ $idp.secretKeyRef | default "secret" }}
+ {{ if $idp.discoveryEndpoint }}
+ - name: DISCOVERY_ENDPOINT_{{ $key | upper | replace "-" "_" }}
+ value: {{ $idp.discoveryEndpoint }}
+ {{- else }}
+ - name: TOKEN_URL_{{ $key | upper | replace "-" "_" }}
+ value: {{ $idp.tokenUrl | default $idp.trustedIssuer }}
+ - name: AUTH_SERVER_URL_{{ $key | upper | replace "-" "_" }}
+ value: {{ $idp.authDomain | default $idp.trustedIssuer }}
+ {{- end }}
+ {{- if $idp.baseDomains }}
+ - name: BASE_DOMAINS_{{ $key | upper | replace "-" "_" }}
+ value: {{ $idp.baseDomains }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.trust }}
+ - name: IDP_NAMES
+ {{- $keys := keys .Values.trust | sortAlpha }}
+ value: "{{ join "," $keys }}"
+ {{- end }}
+ {{- if .Values.developmentLandcsape }}
+ - name: DEVELOPMENT_INSTANCE
+ value: "{{ .Values.developmentLandcsape }}"
+ {{- end }}
+ {{- if .Values.featureToggles }}
+ - name: FEATURE_TOGGLES
+ value: "{{ .Values.featureToggles }}"
+ {{- end }}
+ - name: PORT
+ value: "{{ .Values.port }}"
+ - name: REGION
+ value: {{ .Values.region }}
+ - name: IMAGE_TAG
+ value: "{{ .Chart.AppVersion }}"
+ - name: IMAGE_NAME
+ value: "{{ .Values.image.name }}"
+ {{- if .Values.cookieDomain }}
+ - name: COOKIE_DOMAIN
+ value: {{ .Values.cookieDomain }}
+ {{- end }}
+ {{- if .Values.frontendPort }}
+ - name: FRONTEND_PORT
+ value: "{{ .Values.frontendPort }}"
+ {{- end }}
+ {{- if .Values.environment }}
+ - name: ENVIRONMENT
+ value: "{{ .Values.environment }}"
+ {{- end }}
+ {{- if .Values.validWebcomponentUrls }}
+ - name: VALID_WEBCOMPONENT_URLS
+ value: '{{ .Values.validWebcomponentUrls }}'
+ {{- end }}
+ resources:
+ limits:
+ cpu: "1"
+ memory: 512Mi
+ requests:
+ cpu: 40m
+ memory: 50Mi
+ ports:
+ - name: http
+ containerPort: {{ .Values.port }}
\ No newline at end of file
diff --git a/charts/portal/templates/external-secrets.yaml b/charts/portal/templates/external-secrets.yaml
new file mode 100644
index 000000000..21248179d
--- /dev/null
+++ b/charts/portal/templates/external-secrets.yaml
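Review bot: The container `securityContext` in deploy.yaml sets only `readOnlyRootFilesystem: true`, so privilege escalation and the default capability set stay enabled for a pod that receives the OIDC client secrets; add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` next to it. Separately, `value: {{ .Values.region }}` is unquoted and `region` has no default in values.yaml, so it renders as `value: null`, which the recorded snapshots show; `value: {{ .Values.region | quote }}` keeps it a string. The other unquoted env values (`HTTP_PROTOCOL`, `DISCOVERY_ENDPOINT_*`, `TOKEN_URL_*`, `AUTH_SERVER_URL_*`, `BASE_DOMAINS_*`, `COOKIE_DOMAIN`) have the same exposure to empty or boolean-looking input. The key `developmentLandcsape` looks like a misspelling of `developmentLandscape`, which users setting the correctly spelled key would silently miss.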
@@ -0,0 +1,33 @@
+{{- if .Values.externalSecrets.enabled -}}
+{{- $namespace := .Release.Namespace}}
+{{- $secretKeys := list }}
+{{- range $key, $idp := .Values.trust }}
+ {{- $keyToAdd := $idp.secretKey | default $key }}
+ {{- if not (has $idp.secretKey $secretKeys) }}
+ {{- $secretKeys = append $secretKeys $keyToAdd }}
+ {{- end }}
+{{- end }}
+{{- range $key := $secretKeys }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: {{ $.Release.Name }}-portal-client-secret-{{ $key }}
+ namespace: {{ $namespace }}
+spec:
+ refreshInterval: 10m
+ secretStoreRef:
+ kind: SecretStore
+ name: environment-store
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: portal-client-secret-{{ $key }}
+ data:
+ - remoteRef:
+ conversionStrategy: Default
+ key: dxp-core-team/manual-secrets/portal-client-secrets
+ property: {{ $key }}
+ secretKey: secret
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/portal/templates/istio-destination-rule.yaml b/charts/portal/templates/istio-destination-rule.yaml
new file mode 100644
index 000000000..cbfa097fc
--- /dev/null
+++ b/charts/portal/templates/istio-destination-rule.yaml
@@ -0,0 +1,12 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ host: {{ include "common.entity.name" . }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end -}}
\ No newline at end of file
diff --git a/charts/portal/templates/istio-peerauthentication.yaml b/charts/portal/templates/istio-peerauthentication.yaml
new file mode 100644
index 000000000..57be5b47c
--- /dev/null
+++ b/charts/portal/templates/istio-peerauthentication.yaml
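Review bot: The de-duplication check in external-secrets.yaml tests `$idp.secretKey` instead of the value that is actually appended, so an entry without `secretKey` is always added even when its map key is already in `$secretKeys`, and the template then emits two ExternalSecret documents with the same name; use `{{- if not (has $keyToAdd $secretKeys) }}`. The target Secret is always written with `secretKey: secret`, while deploy.yaml lets `$idp.secretKeyRef` override the key the pod reads, so any override would point the Deployment at a key this ExternalSecret never creates. `property: {{ $key }}` and the `name:` values are unquoted, which matters for identity-provider keys that look like numbers or booleans.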
@@ -0,0 +1,13 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: "security.istio.io/v1beta1"
+kind: "PeerAuthentication"
+metadata:
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ include "common.entity.name" . }}
+ mtls:
+ mode: STRICT
+{{- end -}}
\ No newline at end of file
diff --git a/charts/portal/templates/istio-virtual-service.yaml b/charts/portal/templates/istio-virtual-service.yaml
new file mode 100644
index 000000000..f9a7262f0
--- /dev/null
+++ b/charts/portal/templates/istio-virtual-service.yaml
@@ -0,0 +1,37 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ gateways:
+ - {{ .Release.Namespace }}/gateway
+ hosts:
+ {{- if (.Values.virtualService).hosts }}
+{{ .Values.virtualService.hosts | toYaml | nindent 2}}
+ {{- else }}
+ {{ range $domainName := .Values.baseDomains }}
+ - {{ $domainName }}
+ {{- range $key, $idp := $.Values.trust }}
+ - {{ $key }}.{{ $domainName }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ http:
+ - corsPolicy:
+ allowHeaders:
+ - Authorization
+ - Content-Type
+ - '*'
+ allowMethods:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ route:
+ - destination:
+ host: {{ include "common.entity.name" . }}.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 8080
+{{- end -}}
\ No newline at end of file
diff --git a/charts/portal/templates/rbac.yaml b/charts/portal/templates/rbac.yaml
new file mode 100644
index 000000000..443444e1f
--- /dev/null
+++ b/charts/portal/templates/rbac.yaml
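Review bot: The `corsPolicy` in istio-virtual-service.yaml allows the `'*'` header wildcard and four methods but declares no `allowOrigins`, so the template never states which origins may call the portal cross-site. Add an explicit `allowOrigins` list built from the same `baseDomains` that populate `hosts`, and drop `'*'` in favour of the headers the portal actually needs. How the mesh treats a policy without an origin list is not visible here, so a comment recording the intended behaviour would help. The route also hard-codes `number: 8080`, and service.yaml hard-codes `port: 8080` with no `targetPort`, while the container port comes from `.Values.port`. Overriding `port` would therefore break routing; use `number: {{ .Values.port }}` here and `port: {{ .Values.port }}` in service.yaml.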
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: contentconfigurations-reader
+rules:
+ - apiGroups: ["core.openmfp.io"]
+ resources: ["contentconfigurations"]
+ verbs: ["get", "watch", "list"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-contentconfigurations-global
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: contentconfigurations-reader
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/portal/templates/sa.yaml b/charts/portal/templates/sa.yaml
new file mode 100644
index 000000000..2eaf7c467
--- /dev/null
+++ b/charts/portal/templates/sa.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+{{- include "common.imagePullSecret" . }}
diff --git a/charts/portal/templates/service.yaml b/charts/portal/templates/service.yaml
new file mode 100644
index 000000000..94190ee6a
--- /dev/null
+++ b/charts/portal/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ app: {{ include "common.entity.name" . }}
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8080
+ type: ClusterIP
diff --git a/charts/portal/templates/sidecar.yaml b/charts/portal/templates/sidecar.yaml
new file mode 100644
index 000000000..3d172bd63
--- /dev/null
+++ b/charts/portal/templates/sidecar.yaml
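Review bot: The ClusterRole and ClusterRoleBinding in rbac.yaml use the fixed names `contentconfigurations-reader` and `read-contentconfigurations-global`, although both objects are cluster-scoped and the bound ServiceAccount is release-specific, so a second release of this chart in another namespace would collide with the first release's objects instead of getting its own binding. Derive both names from the release, e.g. `name: {{ include "common.entity.name" . }}-{{ .Release.Namespace }}-contentconfigurations-reader`, and use the same expression in `roleRef.name`. The binding grants `get`, `watch` and `list` on `contentconfigurations` in every namespace; if the portal only needs known namespaces, a namespaced Role and RoleBinding would be the narrower grant. If cluster-wide read is required, a comment above the ClusterRole saying why would record that decision.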
@@ -0,0 +1,13 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+ name: {{ include "common.entity.name" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ workloadSelector:
+ labels:
+ app: {{ include "common.entity.name" . }}
+ outboundTrafficPolicy:
+ mode: ALLOW_ANY
+{{- end -}}
\ No newline at end of file
diff --git a/charts/portal/test-values.yaml b/charts/portal/test-values.yaml
new file mode 100644
index 000000000..2ae9544b5
--- /dev/null
+++ b/charts/portal/test-values.yaml
@@ -0,0 +1,14 @@
+image:
+ tag: 12345
+
+baseDomains:
+ - portal.example.com
+ - portal2.example.com
+
+trust:
+ portal:
+ baseDomains: "portal.example.com,portal2.example.com"
+ authDomain: https://auth.example.com
+ discoveryEndpoint: https://auth.example.com/.well-known/openid-configuration
+ loginAudience: "12345"
+ oidcClientSecretName: portal
\ No newline at end of file
diff --git a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap
new file mode 100644
index 000000000..176a2317e
--- /dev/null
+++ b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap
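Review bot: `outboundTrafficPolicy.mode: ALLOW_ANY` in sidecar.yaml lets the portal's proxy forward traffic to any destination, including hosts outside the mesh registry, so this Sidecar places no egress limit on a workload that holds OIDC client secrets. If the identity-provider hosts are known per installation, `mode: REGISTRY_ONLY` together with ServiceEntry resources for those hosts would restrict egress to them. If open egress is intentional, say so above the field, e.g. `# ALLOW_ANY: IdP endpoints are set per install and are not in the mesh registry`.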
@@ -0,0 +1,72 @@ +matches the snapshot: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: RELEASE-NAME-portal + name: RELEASE-NAME-portal + namespace: NAMESPACE + spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + app: RELEASE-NAME-portal + strategy: + rollingUpdate: + maxSurge: 5 + maxUnavailable: 0 + template: + metadata: + labels: + app: RELEASE-NAME-portal + spec: + containers: + - env: + - name: HTTP_PROTOCOL + value: https + - name: OIDC_CLIENT_ID_PORTAL + value: "12345" + - name: OIDC_CLIENT_SECRET_PORTAL + valueFrom: + secretKeyRef: + key: secret + name: portal-client-secret-portal + - name: DISCOVERY_ENDPOINT_PORTAL + value: https://auth.example.com/.well-known/openid-configuration + - name: BASE_DOMAINS_PORTAL + value: portal.example.com,portal2.example.com + - name: IDP_NAMES + value: portal + - name: FEATURE_TOGGLES + value: enableSessionAutoRefresh=true + - name: PORT + value: "8080" + - name: REGION + value: null + - name: IMAGE_TAG + value: 1.0.0 + - name: IMAGE_NAME + value: ghcr.io/openmfp/portal + - name: VALID_WEBCOMPONENT_URLS + value: .? + image: ghcr.io/openmfp/portal:1.0.0 + imagePullPolicy: IfNotPresent + name: RELEASE-NAME-portal + ports: + - containerPort: 8080 + name: http + resources: + limits: + cpu: "1" + memory: 512Mi + requests: + cpu: 40m + memory: 50Mi + securityContext: + readOnlyRootFilesystem: true + securityContext: + fsGroup: 2000 + runAsGroup: 3000 + runAsUser: 1000 + serviceAccountName: RELEASE-NAME-portal diff --git a/charts/portal/tests/__snapshot__/external-secrets_test.yaml.snap b/charts/portal/tests/__snapshot__/external-secrets_test.yaml.snap new file mode 100644 index 000000000..9af794cf2 --- /dev/null +++ b/charts/portal/tests/__snapshot__/external-secrets_test.yaml.snap 
@@ -0,0 +1,22 @@ +matches the snapshot: + 1: | + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: RELEASE-NAME-portal-client-secret-portal + namespace: NAMESPACE + spec: + data: + - remoteRef: + conversionStrategy: Default + key: dxp-core-team/manual-secrets/portal-client-secrets + property: portal + secretKey: secret + refreshInterval: 10m + secretStoreRef: + kind: SecretStore + name: environment-store + target: + creationPolicy: Owner + deletionPolicy: Retain + name: portal-client-secret-portal diff --git a/charts/portal/tests/__snapshot__/istio-virtual_service_test.yaml.snap b/charts/portal/tests/__snapshot__/istio-virtual_service_test.yaml.snap new file mode 100644 index 000000000..61a6bfb54 --- /dev/null +++ b/charts/portal/tests/__snapshot__/istio-virtual_service_test.yaml.snap @@ -0,0 +1,31 @@ +virtual service match the snapshot: + 1: | + apiVersion: networking.istio.io/v1alpha3 + kind: VirtualService + metadata: + name: RELEASE-NAME-portal + namespace: NAMESPACE + spec: + gateways: + - NAMESPACE/gateway + hosts: + - portal.example.com + - portal.portal.example.com + - portal2.example.com + - portal.portal2.example.com + http: + - corsPolicy: + allowHeaders: + - Authorization + - Content-Type + - '*' + allowMethods: + - GET + - POST + - PUT + - DELETE + route: + - destination: + host: RELEASE-NAME-portal.NAMESPACE.svc.cluster.local + port: + number: 8080 diff --git a/charts/portal/tests/__snapshot__/istio_test.yaml.snap b/charts/portal/tests/__snapshot__/istio_test.yaml.snap new file mode 100644 index 000000000..749ad78d9 --- /dev/null +++ b/charts/portal/tests/__snapshot__/istio_test.yaml.snap 
@@ -0,0 +1,284 @@ +matches the snapshot: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: RELEASE-NAME-portal + name: RELEASE-NAME-portal + namespace: NAMESPACE + spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + app: RELEASE-NAME-portal + strategy: + rollingUpdate: + maxSurge: 5 + maxUnavailable: 0 + template: + metadata: + labels: + app: RELEASE-NAME-portal + spec: + containers: + - env: + - name: HTTP_PROTOCOL + value: https + - name: OIDC_CLIENT_ID_PORTAL + value: "12345" + - name: OIDC_CLIENT_SECRET_PORTAL + valueFrom: + secretKeyRef: + key: secret + name: portal-client-secret-portal + - name: DISCOVERY_ENDPOINT_PORTAL + value: https://auth.example.com/.well-known/openid-configuration + - name: BASE_DOMAINS_PORTAL + value: portal.example.com,portal2.example.com + - name: IDP_NAMES + value: portal + - name: FEATURE_TOGGLES + value: enableSessionAutoRefresh=true + - name: PORT + value: "8080" + - name: REGION + value: null + - name: IMAGE_TAG + value: 1.0.0 + - name: IMAGE_NAME + value: ghcr.io/openmfp/portal + - name: VALID_WEBCOMPONENT_URLS + value: .? 
+ image: ghcr.io/openmfp/portal:1.0.0 + imagePullPolicy: IfNotPresent + name: RELEASE-NAME-portal + ports: + - containerPort: 8080 + name: http + resources: + limits: + cpu: "1" + memory: 512Mi + requests: + cpu: 40m + memory: 50Mi + securityContext: + readOnlyRootFilesystem: true + securityContext: + fsGroup: 2000 + runAsGroup: 3000 + runAsUser: 1000 + serviceAccountName: RELEASE-NAME-portal + 2: | + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: RELEASE-NAME-portal-client-secret-portal + namespace: NAMESPACE + spec: + data: + - remoteRef: + conversionStrategy: Default + key: dxp-core-team/manual-secrets/portal-client-secrets + property: portal + secretKey: secret + refreshInterval: 10m + secretStoreRef: + kind: SecretStore + name: environment-store + target: + creationPolicy: Owner + deletionPolicy: Retain + name: portal-client-secret-portal + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: contentconfigurations-reader + rules: + - apiGroups: + - core.openmfp.io + resources: + - contentconfigurations + verbs: + - get + - watch + - list + 4: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: read-contentconfigurations-global + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contentconfigurations-reader + subjects: + - kind: ServiceAccount + name: RELEASE-NAME-portal + namespace: NAMESPACE + 5: | + apiVersion: v1 + imagePullSecrets: + - name: github + kind: ServiceAccount + metadata: + name: RELEASE-NAME-portal + namespace: NAMESPACE + 6: | + apiVersion: v1 + kind: Service + metadata: + name: RELEASE-NAME-portal + namespace: NAMESPACE + spec: + ports: + - name: http + port: 8080 + protocol: TCP + selector: + app: RELEASE-NAME-portal + type: ClusterIP +matches the snapshot with istio disabled: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: RELEASE-NAME-portal + name: RELEASE-NAME-portal + 
namespace: NAMESPACE + spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + app: RELEASE-NAME-portal + strategy: + rollingUpdate: + maxSurge: 5 + maxUnavailable: 0 + template: + metadata: + labels: + app: RELEASE-NAME-portal + spec: + containers: + - env: + - name: HTTP_PROTOCOL + value: https + - name: OIDC_CLIENT_ID_PORTAL + value: "12345" + - name: OIDC_CLIENT_SECRET_PORTAL + valueFrom: + secretKeyRef: + key: secret + name: portal-client-secret-portal + - name: DISCOVERY_ENDPOINT_PORTAL + value: https://auth.example.com/.well-known/openid-configuration + - name: BASE_DOMAINS_PORTAL + value: portal.example.com,portal2.example.com + - name: IDP_NAMES + value: portal + - name: FEATURE_TOGGLES + value: enableSessionAutoRefresh=true + - name: PORT + value: "8080" + - name: REGION + value: null + - name: IMAGE_TAG + value: 1.0.0 + - name: IMAGE_NAME + value: ghcr.io/openmfp/portal + - name: VALID_WEBCOMPONENT_URLS + value: .? + image: ghcr.io/openmfp/portal:1.0.0 + imagePullPolicy: IfNotPresent + name: RELEASE-NAME-portal + ports: + - containerPort: 8080 + name: http + resources: + limits: + cpu: "1" + memory: 512Mi + requests: + cpu: 40m + memory: 50Mi + securityContext: + readOnlyRootFilesystem: true + securityContext: + fsGroup: 2000 + runAsGroup: 3000 + runAsUser: 1000 + serviceAccountName: RELEASE-NAME-portal + 2: | + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: RELEASE-NAME-portal-client-secret-portal + namespace: NAMESPACE + spec: + data: + - remoteRef: + conversionStrategy: Default + key: dxp-core-team/manual-secrets/portal-client-secrets + property: portal + secretKey: secret + refreshInterval: 10m + secretStoreRef: + kind: SecretStore + name: environment-store + target: + creationPolicy: Owner + deletionPolicy: Retain + name: portal-client-secret-portal + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: contentconfigurations-reader + rules: + - apiGroups: + - core.openmfp.io 
+ resources: + - contentconfigurations + verbs: + - get + - watch + - list + 4: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: read-contentconfigurations-global + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: contentconfigurations-reader + subjects: + - kind: ServiceAccount + name: RELEASE-NAME-portal + namespace: NAMESPACE + 5: | + apiVersion: v1 + imagePullSecrets: + - name: github + kind: ServiceAccount + metadata: + name: RELEASE-NAME-portal + namespace: NAMESPACE + 6: | + apiVersion: v1 + kind: Service + metadata: + name: RELEASE-NAME-portal + namespace: NAMESPACE + spec: + ports: + - name: http + port: 8080 + protocol: TCP + selector: + app: RELEASE-NAME-portal + type: ClusterIP diff --git a/charts/portal/tests/__snapshot__/virtual_service_test.yaml.snap b/charts/portal/tests/__snapshot__/virtual_service_test.yaml.snap new file mode 100644 index 000000000..0967ef424 --- /dev/null +++ b/charts/portal/tests/__snapshot__/virtual_service_test.yaml.snap @@ -0,0 +1 @@ +{} diff --git a/charts/portal/tests/deploy_test.yaml b/charts/portal/tests/deploy_test.yaml new file mode 100644 index 000000000..2472af1b5 --- /dev/null +++ b/charts/portal/tests/deploy_test.yaml @@ -0,0 +1,13 @@ +suite: deploy +templates: + - deploy.yaml +chart: + version: 1.0.0 + appVersion: 1.0.0 +tests: + - it: matches the snapshot + values: + - ../test-values.yaml + template: deploy.yaml + asserts: + - matchSnapshot: {} diff --git a/charts/portal/tests/external-secrets_test.yaml b/charts/portal/tests/external-secrets_test.yaml new file mode 100644 index 000000000..01123e39e --- /dev/null +++ b/charts/portal/tests/external-secrets_test.yaml @@ -0,0 +1,10 @@ +suite: external-secrets +templates: + - external-secrets.yaml +tests: + - it: matches the snapshot + values: + - ../test-values.yaml + template: external-secrets.yaml + asserts: + - matchSnapshot: {} 
diff --git a/charts/portal/tests/istio-virtual_service_test.yaml b/charts/portal/tests/istio-virtual_service_test.yaml
new file mode 100644
index 000000000..2d302f27a
--- /dev/null
+++ b/charts/portal/tests/istio-virtual_service_test.yaml
@@ -0,0 +1,13 @@
+suite: virtual service
+templates:
+ - istio-virtual-service.yaml
+values:
+ - ../test-values.yaml
+tests:
+ - it: virtual service match the snapshot
+ set:
+ global:
+ istio:
+ enabled: true
+ asserts:
+ - matchSnapshot: {}
diff --git a/charts/portal/tests/istio_test.yaml b/charts/portal/tests/istio_test.yaml
new file mode 100644
index 000000000..fe1897498
--- /dev/null
+++ b/charts/portal/tests/istio_test.yaml
@@ -0,0 +1,21 @@
+suite: deploy
+chart:
+ version: 1.0.0
+ appVersion: 1.0.0
+tests:
+ - it: matches the snapshot
+ set:
+ istio:
+ enabled: false
+ values:
+ - ../test-values.yaml
+ asserts:
+ - matchSnapshot: {}
+ - it: matches the snapshot with istio disabled
+ values:
+ - ../test-values.yaml
+ set:
+ istio:
+ enabled: false
+ asserts:
+ - matchSnapshot: {}
diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml
new file mode 100644
index 000000000..b2db85e0a
--- /dev/null
+++ b/charts/portal/values.yaml
@@ -0,0 +1,25 @@
+image:
+ name: ghcr.io/openmfp/portal
+ pullPolicy: IfNotPresent
+
+imagePullSecret: github
+
+deployment:
+ maxUnavailable: 0
+ maxSurge: 5
+
+port: 8080
+
+istio:
+ enabled: true
+
+externalSecrets:
+ enabled: true
+
+http:
+ protocol: https
+
+importContent: true
+
+validWebcomponentUrls: ".?"
+featureToggles: "enableSessionAutoRefresh=true"
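Review bot: The first case in istio_test.yaml, `matches the snapshot`, sets `istio.enabled: false`, exactly as the second case `matches the snapshot with istio disabled` does, so no case renders the chart with Istio on and the DestinationRule, PeerAuthentication (`mtls.mode: STRICT`) and Sidecar templates are never snapshotted. The recorded snapshot holds the same six documents for both cases, which is consistent with that. istio-virtual_service_test.yaml turns Istio on through `global.istio.enabled: true`, so the first case probably needs the same `set:` block; confirm against the `common.istioEnabled` helper, which is not part of this diff. The suite name `deploy` also duplicates the one in deploy_test.yaml.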
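Review bot: The default `validWebcomponentUrls: ".?"` in values.yaml is handed to the container as `VALID_WEBCOMPONENT_URLS`; if the portal evaluates it as a regular expression, `.?` matches every URL, so the shipped default would not restrict where web components may be loaded from. Consider an empty or restrictive default, or at least a comment such as `# allow-list pattern for web component URLs; the default accepts any URL, override per environment`. `importContent` is not read by any template in this diff. `istio.enabled` is set at the top level here while the virtual-service test toggles `global.istio.enabled`, so which key the `common.istioEnabled` helper reads should be checked.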