openmfp · nexus49 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
@@ -0,0 +1,28 @@
+name: Build portal Workflow
+on:
+  push:
+    paths:
+      - 'charts/portal/**'
+      - '.github/workflows/portal.yaml'
+
+jobs:
+  pipeline:
+    concurrency:
+      group: portal-${{ github.ref }}
+      cancel-in-progress: true
+    uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main
+    with:
+      chartFolder: charts
+      chartName: portal
+      additionalTestFilesCommand: ''
+      chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts'
+    secrets: inherit
+
+  updateVersionFile:
+    if: ${{ github.ref == 'refs/heads/main' }}
+    needs: [pipeline]
+    uses: openmfp/gha/.github/workflows/job-update-version-file.yml@main
+    secrets: inherit
+    with:
+      componentVersionKey: "portal"
+      version: ${{ needs.pipeline.outputs.version }}
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/portal/Chart.lock b/charts/portal/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: file://../common
+  version: 0.1.4
+digest: sha256:05e31c3eb487f942d4ac07ce0dfe4e0620779b589ef481cdd6534c73a7f0ca27
+generated: "2024-11-20T11:36:34.0773803+02:00"
diff --git a/charts/portal/Chart.yaml b/charts/portal/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+appVersion: "0.164.0"
+description: Helm Chart for the openmfp Portal
+name: portal
+version: 0.69.88
+dependencies:
+  - name: common
+    repository: file://../common
+    version: 0.1.4
@@ -0,0 +1,12 @@
+# Helm chart of the jukebox
+
+## Execute the linting in the pipeline
+
+```shell
+helm lint -f test-values.yaml
+```
+
+## Debug the chart output
+```shell
+helm template --debug . -f test-values.yaml
+```
diff --git a/charts/portal/charts/common-0.1.4.tgz b/charts/portal/charts/common-0.1.4.tgz
@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "common.entity.name" . }}
+spec:
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.deployment.maxSurge }}
+      maxUnavailable: {{ .Values.deployment.maxUnavailable }}
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: {{ include "common.entity.name" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "common.entity.name" . }}
+    spec:
+      serviceAccountName: {{ include "common.entity.name" . }}
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
+      containers:
+      - name: {{ include "common.entity.name" . }}
+        image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          readOnlyRootFilesystem: true
+        env:
+        - name: HTTP_PROTOCOL
+          value: {{ .Values.http.protocol }}
+      {{- range $key, $idp := .Values.trust }}
+        - name: OIDC_CLIENT_ID_{{ $key | upper | replace "-" "_" }}
+          value: "{{ $idp.loginAudience | default $idp.audience }}"
+        - name: OIDC_CLIENT_SECRET_{{ $key | upper | replace "-" "_" }}
+          valueFrom:
+            secretKeyRef:
+              name: portal-client-secret-{{ $idp.secretKey | default $key }}
+              key: {{ $idp.secretKeyRef | default "secret" }}
+      {{ if $idp.discoveryEndpoint }}
+        - name: DISCOVERY_ENDPOINT_{{ $key | upper | replace "-" "_" }}
+          value: {{ $idp.discoveryEndpoint }}
+      {{- else }}
+        - name: TOKEN_URL_{{ $key | upper | replace "-" "_" }}
+          value: {{ $idp.tokenUrl | default $idp.trustedIssuer }}
+        - name: AUTH_SERVER_URL_{{ $key | upper | replace "-" "_" }}
+          value: {{ $idp.authDomain | default $idp.trustedIssuer }}
+      {{- end }}
+      {{- if $idp.baseDomains }}
+        - name: BASE_DOMAINS_{{ $key | upper | replace "-" "_" }}
+          value: {{ $idp.baseDomains }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.trust }}
+        - name: IDP_NAMES
+          {{- $keys := keys .Values.trust | sortAlpha }}
+          value: "{{ join "," $keys  }}"
+      {{- end }}
+        {{- if .Values.developmentLandcsape }}
+        - name: DEVELOPMENT_INSTANCE
+          value: "{{ .Values.developmentLandcsape }}"
+        {{- end }}
+        {{- if .Values.featureToggles }}
+        - name: FEATURE_TOGGLES
+          value: "{{ .Values.featureToggles }}"
+        {{- end }}
+        - name: PORT
+          value: "{{ .Values.port }}"
+        - name: REGION
+          value: {{ .Values.region }}
+        - name: IMAGE_TAG
+          value: "{{ .Chart.AppVersion }}"
+        - name: IMAGE_NAME
+          value: "{{ .Values.image.name }}"
+        {{- if .Values.cookieDomain }}
+        - name: COOKIE_DOMAIN
+          value: {{ .Values.cookieDomain }}
+        {{- end }}
+        {{- if .Values.frontendPort }}
+        - name: FRONTEND_PORT
+          value: "{{ .Values.frontendPort }}"
+        {{- end }}
+        {{- if .Values.environment }}
+        - name: ENVIRONMENT
+          value: "{{ .Values.environment }}"
+        {{- end }}
+        {{- if .Values.validWebcomponentUrls }}
+        - name: VALID_WEBCOMPONENT_URLS
+          value: '{{ .Values.validWebcomponentUrls }}'
+        {{- end }}
+        resources:
+          limits:
+            cpu: "1"
+            memory: 512Mi
+          requests:
+            cpu: 40m
+            memory: 50Mi
+        ports:
+          - name: http
+            containerPort: {{ .Values.port }}
@@ -0,0 +1,33 @@
+{{- if .Values.externalSecrets.enabled -}}
+{{- $namespace := .Release.Namespace}}
+{{- $secretKeys := list }}
+{{- range $key, $idp := .Values.trust }}
+  {{- $keyToAdd :=  $idp.secretKey | default $key }}
+  {{- if not (has $idp.secretKey $secretKeys) }}
+  {{- $secretKeys = append $secretKeys $keyToAdd }}
+  {{- end }}
+{{- end }}
+{{- range $key := $secretKeys }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ $.Release.Name }}-portal-client-secret-{{ $key }}
+  namespace: {{ $namespace }}
+spec:
+  refreshInterval: 10m
+  secretStoreRef:
+    kind: SecretStore
+    name: environment-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: portal-client-secret-{{ $key }}
+  data:
+    - remoteRef:
+        conversionStrategy: Default
+        key: dxp-core-team/manual-secrets/portal-client-secrets
+        property: {{ $key }}
+      secretKey: secret
+---
+{{- end }}
+{{- end }}
@@ -0,0 +1,12 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+  name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  host: {{ include "common.entity.name" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+{{- end -}}
@@ -0,0 +1,13 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: "security.istio.io/v1beta1"
+kind: "PeerAuthentication"
+metadata:
+  name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "common.entity.name" . }}
+  mtls:
+    mode: STRICT
+{{- end -}}
@@ -0,0 +1,37 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  gateways:
+  - {{ .Release.Namespace }}/gateway
+  hosts:
+  {{- if (.Values.virtualService).hosts }}
+{{ .Values.virtualService.hosts | toYaml | nindent 2}}
+  {{- else }}
+  {{ range $domainName := .Values.baseDomains }}
+  - {{ $domainName }}
+  {{- range $key, $idp := $.Values.trust }}
+  - {{ $key }}.{{ $domainName }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+  http:
+  - corsPolicy:
+      allowHeaders:
+      - Authorization
+      - Content-Type
+      - '*'
+      allowMethods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+    route:
+    - destination:
+        host: {{ include "common.entity.name" . }}.{{ .Release.Namespace }}.svc.cluster.local
+        port:
+          number: 8080
+{{- end -}}
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: contentconfigurations-reader
+rules:
+  - apiGroups: ["core.openmfp.io"]
+    resources: ["contentconfigurations"]
+    verbs: ["get", "watch", "list"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-contentconfigurations-global
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "common.entity.name" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: contentconfigurations-reader
+  apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- include "common.imagePullSecret" . }}
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: {{ include "common.entity.name" . }}
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+  type: ClusterIP
@@ -0,0 +1,13 @@
+{{- if eq (include "common.istioEnabled" .) "true" -}}
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  workloadSelector:
+    labels:
+      app: {{ include "common.entity.name" . }}
+  outboundTrafficPolicy:
+    mode: ALLOW_ANY
+{{- end -}}
@@ -0,0 +1,14 @@
+image:
+  tag: 12345
+
+baseDomains:
+  - portal.example.com
+  - portal2.example.com
+
+trust:
+  portal:
+    baseDomains: "portal.example.com,portal2.example.com"
+    authDomain: https://auth.example.com
+    discoveryEndpoint: https://auth.example.com/.well-known/openid-configuration
+    loginAudience: "12345"
+    oidcClientSecretName: portal