openmfp · nexus49 · Dec 3, 2024 · Nov 29, 2024 · Nov 29, 2024 · Nov 29, 2024
diff --git a/.github/workflows/kcp.yaml b/.github/workflows/kcp.yaml
@@ -0,0 +1,28 @@
+name: Build kcp Workflow
+on:
+  push:
+    paths:
+      - 'charts/kcp/**'
+      - '.github/workflows/kcp.yaml'
+
+jobs:
+  pipeline:
+    concurrency:
+      group: kcp-${{ github.ref }}
+      cancel-in-progress: true
+    uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main
+    with:
+      chartFolder: charts
+      chartName: kcp
+      additionalTestFilesCommand: ''
+      chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts'
+    secrets: inherit
+
+  updateVersionFile:
+    if: ${{ github.ref == 'refs/heads/main' }}
+    needs: [pipeline]
+    uses: openmfp/gha/.github/workflows/job-update-version-file.yml@main
+    secrets: inherit
+    with:
+      componentVersionKey: "kcp"
+      version: ${{ needs.pipeline.outputs.version }}
diff --git a/charts/infra/.helmignore b/charts/infra/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/infra/Chart.lock b/charts/infra/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: file://../common
+  version: 0.1.5
+digest: sha256:22600e7bfcab429b2e013cb3ff4ad21252274de627cccb908c95cc025ef150ce
+generated: "2024-11-29T09:33:14.785839344+02:00"
diff --git a/charts/infra/Chart.yaml b/charts/infra/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: infra
+description: A Helm chart for Kubernetes
+type: application
+version: 0.57.2
+appVersion: "1.16.0"
+
+dependencies:
+  - name: common
+    version: 0.1.5
+    repository: file://../common
diff --git a/charts/infra/README.md b/charts/infra/README.md
@@ -0,0 +1,68 @@
+# infra
+
+A Helm chart for Kubernetes
+
+![Version: 0.57.2](https://img.shields.io/badge/Version-0.57.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+## Configuration
+
+The chart supports the following configuration parameters in the table below. Additionally, default configuration parameters documented in [common/README.md](../common/README.md) are not explicitely listed in the table but are also supported.
+
+## Values
+
+Default configuration parameters, which can be overriden either globally or on a chart level are documented in [common/README.md](../common/README.md).
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| auth | string | `nil` |  |
+| certificate.gardener.enabled | bool | `false` |  |
+| clusterRole.enabled | bool | `false` |  |
+| externalSecrets.accountOperatorSaKubeconfig | string | `"account-operator-sa-kubeconfig"` |  |
+| gateway.annotations | object | `{}` |  |
+| gateway.apiVersion | string | `"networking.istio.io/v1"` |  |
+| gateway.name | string | `"gateway"` |  |
+| gateway.selector.istio | string | `"gateway"` |  |
+| gateway.servers[0].hosts[0] | string | `"*"` |  |
+| gateway.servers[0].port.name | string | `"http"` |  |
+| gateway.servers[0].port.number | int | `8080` |  |
+| gateway.servers[0].port.protocol | string | `"HTTP"` |  |
+| kcp.enabled | bool | `false` |  |
+| stores | list | `[]` |  |
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../common | common | 0.1.5 |
+
+# infra
+
+![Version: 0.57.2](https://img.shields.io/badge/Version-0.57.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../common | common | 0.1.5 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| auth | string | `nil` |  |
+| certificate.gardener.enabled | bool | `false` |  |
+| clusterRole.enabled | bool | `false` |  |
+| externalSecrets.accountOperatorSaKubeconfig | string | `"account-operator-sa-kubeconfig"` |  |
+| gateway.annotations | object | `{}` |  |
+| gateway.apiVersion | string | `"networking.istio.io/v1"` |  |
+| gateway.name | string | `"gateway"` |  |
+| gateway.selector.istio | string | `"gateway"` |  |
+| gateway.servers[0].hosts[0] | string | `"*"` |  |
+| gateway.servers[0].port.name | string | `"http"` |  |
+| gateway.servers[0].port.number | int | `8080` |  |
+| gateway.servers[0].port.protocol | string | `"HTTP"` |  |
+| kcp.enabled | bool | `false` |  |
+| stores | list | `[]` |  |
+
diff --git a/charts/infra/charts/common-0.1.5.tgz b/charts/infra/charts/common-0.1.5.tgz
diff --git a/charts/infra/templates/cluster-role.yaml b/charts/infra/templates/cluster-role.yaml
@@ -0,0 +1,30 @@
+{{- if ((.Values.rbac).clusterRole).enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: openmfp-cluster-reader
+rules:
+- apiGroups:
+  - core.openmfp.io
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: openmfp-cluster-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gardener.cloud:system:read-only
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: /portal
+{{- end -}}
diff --git a/charts/infra/templates/external-secret-account-operator.yaml b/charts/infra/templates/external-secret-account-operator.yaml
@@ -0,0 +1,22 @@
+{{- if eq (include "common.hasNestedKey" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: account-operator-sa-kubeconfig
+  namespace: {{ .Release.Namespace }}
+spec:
+  refreshInterval: "10m"
+  secretStoreRef:
+    name: environment-store
+    kind: SecretStore
+  target:
+    name: account-operator-sa-kubeconfig
+    creationPolicy: Owner
+    deletionPolicy: Retain
+  data:
+    - secretKey: kubeconfig
+      remoteRef:
+        key: {{ .Values.externalSecrets.accountOperatorSaKubeconfig }}
+        property: kubeconfig
+        conversionStrategy: Default
+{{ end }}
diff --git a/charts/infra/templates/gateway.yaml b/charts/infra/templates/gateway.yaml
@@ -0,0 +1,14 @@
+apiVersion: {{ .Values.gateway.apiVersion }}
+kind: Gateway
+metadata:
+  name: {{ .Values.gateway.name}}
+  namespace: {{ .Release.Namespace }}
+{{- if .Values.gateway.annotations }}
+  annotations:
+    {{- toYaml .Values.gateway.annotations | nindent 4 }}
+{{- end }}
+spec:
+  selector:
+{{ .Values.gateway.selector | toYaml | indent 4 }}
+  servers:
+{{ toYaml .Values.gateway.servers | indent 4 }}
diff --git a/charts/infra/templates/kcp-service-entry.yaml b/charts/infra/templates/kcp-service-entry.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.kcp.enabled .Values.kcp.host -}}
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: kcp-workspaces
+  namespace: {{ .Release.Namespace }}
+spec:
+  hosts:
+  - {{ .Values.kcp.host }}
+  location: MESH_EXTERNAL
+  ports:
+  - name: https
+    number: 443
+    protocol: TLS
+  resolution: DNS
+{{- end -}}
diff --git a/charts/infra/templates/keycloak-service-entry.yaml b/charts/infra/templates/keycloak-service-entry.yaml
@@ -0,0 +1,15 @@
+{{- if (.Values.keycloak).enabled -}}
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: auth
+spec:
+  hosts:
+  {{- .Values.keycloak.hosts | toYaml | nindent 2 }}
+  location: MESH_EXTERNAL
+  ports:
+  - name: https
+    number: 443
+    protocol: TLS
+  resolution: DNS
+{{- end -}}
diff --git a/charts/infra/templates/store.yaml b/charts/infra/templates/store.yaml
@@ -0,0 +1,13 @@
+{{- if (.Values.fga).enabled }}
+{{- range .Values.fga.stores }}
+---
+apiVersion: core.openmfp.io/v1alpha1
+kind: Store
+metadata:
+  name: {{ .name }}
+  namespace: {{ .namespace }}
+spec:
+  coreModule: |
+    {{ .coreModuleName | nindent 4 }}
+{{- end}}
+{{- end }}
diff --git a/charts/infra/test-values.yaml b/charts/infra/test-values.yaml
@@ -0,0 +1,36 @@
+gateway:
+  apiVersion: networking.istio.io/v1
+  name: gateway
+  selector:
+    istio: gateway
+  servers:
+    - port:
+        number: 8080
+        name: http
+        protocol: HTTP
+      hosts:
+        - "*"
+
+kcp:
+  enabled: false
+#  host: ""
+
+auth:
+#  host: ""
+
+externalSecrets:
+  accountOperatorSaKubeconfig: account-operator-sa-kubeconfig
+  enabled: false
+
+stores:
+  - name: test
+    namespace: test
+    coreModuleName: |
+      module core
+
+      type user
+
+      type account
+        relations
+          define owner: [user]
+          define member: [user] or owner
diff --git a/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap b/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap
@@ -0,0 +1,76 @@
+disables externalsecrets:
+  1: |
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: account-operator-sa-kubeconfig
+      namespace: NAMESPACE
+    spec:
+      data:
+        - remoteRef:
+            conversionStrategy: Default
+            key: null
+            property: kubeconfig
+          secretKey: kubeconfig
+      refreshInterval: 10m
+      secretStoreRef:
+        kind: SecretStore
+        name: environment-store
+      target:
+        creationPolicy: Owner
+        deletionPolicy: Retain
+        name: account-operator-sa-kubeconfig
+  2: |
+    apiVersion: networking.istio.io/v1
+    kind: Gateway
+    metadata:
+      name: gateway
+      namespace: NAMESPACE
+    spec:
+      selector:
+        istio: gateway
+      servers:
+        - hosts:
+            - '*'
+          port:
+            name: http
+            number: 8080
+            protocol: HTTP
+matches the snapshot:
+  1: |
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: account-operator-sa-kubeconfig
+      namespace: NAMESPACE
+    spec:
+      data:
+        - remoteRef:
+            conversionStrategy: Default
+            key: account-operator-sa-kubeconfig
+            property: kubeconfig
+          secretKey: kubeconfig
+      refreshInterval: 10m
+      secretStoreRef:
+        kind: SecretStore
+        name: environment-store
+      target:
+        creationPolicy: Owner
+        deletionPolicy: Retain
+        name: account-operator-sa-kubeconfig
+  2: |
+    apiVersion: networking.istio.io/v1
+    kind: Gateway
+    metadata:
+      name: gateway
+      namespace: NAMESPACE
+    spec:
+      selector:
+        istio: gateway
+      servers:
+        - hosts:
+            - '*'
+          port:
+            name: http
+            number: 8080
+            protocol: HTTP
diff --git a/charts/infra/tests/snapshot_test.yaml b/charts/infra/tests/snapshot_test.yaml
@@ -0,0 +1,14 @@
+suite: snapshot
+values:
+  - ../test-values.yaml
+tests:
+  - it: matches the snapshot
+    asserts:
+      - matchSnapshot: {}
+  - it: disables externalsecrets
+    set:
+      externalSecrets:
+        accountOperatorSaKubeconfig: null
+    asserts:
+      - matchSnapshot: {}
+