CORE-2512: Add mode and topology (#13)

add a new dropdown option `gatewayFlow` that
encompasses the topology and direction of the gateway

also:
* add `externalPort` variable for the external load balancer port
* add `billing-gateway` tag and apply it to the billing container so that we 
don't end up targeting the billing container with the load balancer

VERSION

@@ -1 +1 @@
-2.15.5
+3.4.2

chart/gateway/data-test/schema.yaml

@@ -33,6 +33,11 @@ properties:
     default: fake-gatewayApiSecret
     x-google-marketplace:
       type: STRING
+  gatewayFlow:
+    type: string
+    default: "Outbound - Data Loss Prevention"
+    x-google-marketplace:
+      type: STRING
   primaryMailingDomain:
     type: string
     default: example.com

chart/gateway/templates/NOTES.txt

@@ -13,7 +13,7 @@
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gateway.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gateway.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
+  echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
 {{- else if contains "ClusterIP" .Values.service.type }}
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gateway.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   echo "Visit http://127.0.0.1:8080 to use your application"

chart/gateway/templates/_helpers.tpl

@@ -5,6 +5,10 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{- define "billing.name" -}}
+{{- printf "billing-%s" (default .Chart.Name .Values.nameOverride) | trunc 63 | trimSuffix "-" }}
+{{- end}}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -50,6 +54,11 @@ app.kubernetes.io/name: {{ include "gateway.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{- define "billing.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "billing.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}

chart/gateway/templates/congifmap.yaml → chart/gateway/templates/configmap.yaml

@@ -9,9 +9,19 @@ data:
   GATEWAY_ACM_URL:  {{ .Values.gatewayAcmUrl }}
   GATEWAY_API_TOKEN_NAME:  {{ .Values.gatewayApiTokenName }}
   GATEWAY_HOSTNAME: {{ .Values.gatewayHostname }}
-  GATEWAY_MODE: {{ .Values.gatewayMode }}
   GATEWAY_ORGANIZATION_DOMAIN: {{ .Values.primaryMailingDomain }}
-  GATEWAY_TOPOLOGY: {{ .Values.gatewayTopology }}
+  {{- if contains "data loss prevention" (lower .Values.gatewayFlow) }}
+  GATEWAY_MODE: "dlp"
+  {{- else if contains "encrypt" (lower .Values.gatewayFlow) }}
+  GATEWAY_MODE: "encrypt-everything"
+  {{- else }}
+  GATEWAY_MODE: "decrypt-everything"
+  {{- end }}
+  {{- if contains "inbound" (lower .Values.gatewayFlow) }}
+  GATEWAY_TOPOLOGY: "inbound" 
+  {{- else }}
+  GATEWAY_TOPOLOGY: "outbound"
+  {{- end }}
   GATEWAY_REMOTE_CONTENT_BASE_URL: {{ .Values.gatewayRemoteContentBaseUrl }}
   GATEWAY_PROXY_PROTOCOL: "0"
   GATEWAY_TRANSPORT_MAPS: '*=>[smtp-relay.gmail.com]:587'

chart/gateway/templates/deployment-billing.yaml

@@ -7,7 +7,7 @@ metadata:
 spec:
   selector:
     matchLabels:
-      {{- include "gateway.selectorLabels" . | nindent 6 }}
+      {{- include "billing.selectorLabels" . | nindent 6 }}
   # Use a single replica. Multiple replicas may cause duplicate billing.
   replicas: 1
   strategy:
@@ -19,7 +19,7 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       labels:
-        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        {{- include "billing.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:

chart/gateway/templates/service.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: {{ .Values.service.type }}
   ports:
-    - port: {{ .Values.service.port }}
+    - port: {{ .Values.service.externalPort }}
       targetPort: {{ .Values.service.port }}
       protocol: TCP
   selector:

chart/gateway/values.yaml

@@ -30,7 +30,8 @@ securityContext: {}
 
 service:
   type: LoadBalancer
-  port: 2525
+  port: 25
+  externalPort: 2525
   annotations:
     external-dns.alpha.kubernetes.io/hostname: gateway-development.preprod.virtru.com
 
@@ -57,7 +58,5 @@ gatewayRemoteContentBaseUrl: https://secure.virtru.com/start
 gatewayHostname: my-domain.example.com
 gatewayApiTokenName: my-token
 gatewayApiSecret: my-secret
-gatewayMode: encrypt-everything
-gatewayTopology: outbound
 gatewayTransportMaps: '*=>[smtp-relay.gmail.com]:587'
 ubbagentImage: "gcr.io/cloud-marketplace-tools/metering/ubbagent:latest"

gke-deploy.sh

@@ -17,17 +17,43 @@
 
 set -eu
 
-export TAG=2.15.4;
-export DEPLOYER_VERSION=2.15;
-export REGISTRY=gcr.io/virtru-public/staging/gateway;
+if [[ "${ENVIRONMENT:-}" = 'production' ]]; then
+  export REGISTRY=gcr.io/virtru-public/gateway;
+  printf 'Deploying to production. Using registry [%s]\n' $REGISTRY
+else
+  export REGISTRY=gcr.io/virtru-public/staging/gateway;
+  printf 'Deploying to staging. Using registry [%s]\n' $REGISTRY
+fi
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+VERSION="$(< "${SCRIPT_DIR}/VERSION" )"
+
+export TAG="${VERSION}";
+export DEPLOYER_VERSION="$(echo "${VERSION}" | cut -d'.' -f 1-2)";
+
+printf 'Using container tag = [%s] and deployer version = [%s]\n' $TAG $DEPLOYER_VERSION
+
 docker build --no-cache --build-arg TAG=$TAG --build-arg REGISTRY=$REGISTRY \
-  -t "${REGISTRY}/deployer:${DEPLOYER_VERSION}" -f dev.Dockerfile .
+  -t "${REGISTRY}/deployer:${DEPLOYER_VERSION}" -f dev.Dockerfile "${SCRIPT_DIR}"
+
 docker push "${REGISTRY}/deployer:${DEPLOYER_VERSION}"
 
 # reportingSecret:
 # To actually report to the real Google ServiceControlEndpoint use "gateway-reportingsecret"
 # To make sure not to bill, use "gs://cloud-marketplace-tools/reporting_secrets/fake_reporting_secret.yaml"}'
+parameters=$(cat <<virtruparams
+{
+  "name": "gateway",
+  "namespace": "virtru",
+  "gatewayHostname": "gateway-development.virtru.com",
+  "gatewayApiTokenName": "token",
+  "gatewayApiSecret": "mysecret",
+  "numberOfLicenses":"10",
+  "primaryMailingDomain":"virtru.example.com",
+  "reportingSecret":"gs://cloud-marketplace-tools/reporting_secrets/fake_reporting_secret.yaml"
+}
+virtruparams
+)
 
 # mpdev install to install, mpdev verify to test
-mpdev install --deployer="${REGISTRY}/deployer:${DEPLOYER_VERSION}" \
---parameters='{"name": "gateway", "namespace": "virtru", "gatewayHostname": "gateway-development.virtru.com", "gatewayApiTokenName": "token", "gatewayApiSecret": "mysecret", "numberOfLicenses":"10", "primaryMailingDomain":"virtru.example.com", "reportingSecret":"gs://cloud-marketplace-tools/reporting_secrets/fake_reporting_secret.yaml"}'
+mpdev install --deployer="${REGISTRY}/deployer:${DEPLOYER_VERSION}" --parameters="${parameters}"

gke-verify.sh

@@ -8,12 +8,25 @@
 
 set -eu
 
-export TAG=2.15.4;
-export DEPLOYER_VERSION=2.15;
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+VERSION="$(< "${SCRIPT_DIR}/VERSION" )"
+
+export TAG="${VERSION}";
+export DEPLOYER_VERSION="$(echo "${VERSION}" | cut -d'.' -f 1-2)";
 export REGISTRY=gcr.io/virtru-public/staging/gateway;
-docker build --no-cache --build-arg TAG=$TAG --build-arg REGISTRY=$REGISTRY \
-  -t "${REGISTRY}/deployer:${DEPLOYER_VERSION}" -f dev.Dockerfile .
+
+printf 'Using container tag = [%s] and deployer version = [%s]\n' $TAG $DEPLOYER_VERSION
+
+# reportingSecret:
+# To actually report to the real Google ServiceControlEndpoint use "gateway-reportingsecret"
+# To make sure not to bill, use "gs://cloud-marketplace-tools/reporting_secrets/fake_reporting_secret.yaml"}'
+
+docker build --no-cache --build-arg TAG="${TAG}" --build-arg REGISTRY="${REGISTRY}" \
+  -t "${REGISTRY}/deployer:${DEPLOYER_VERSION}" -f dev.Dockerfile "${SCRIPT_DIR}" 
+
 docker push "${REGISTRY}/deployer:${DEPLOYER_VERSION}"
 
 # mpdev install to install, mpdev verify to test
-mpdev verify --deployer="${REGISTRY}/deployer:${DEPLOYER_VERSION}"
+# TODO: figure out how to get the parameter values into the app
+mpdev verify --deployer="${REGISTRY}/deployer:${DEPLOYER_VERSION}"

schema.yaml

@@ -90,6 +90,25 @@ properties:
     default: AMPLITUDE_TOKEN
     x-google-marketplace:
       type: STRING
+  gatewayFlow:
+    title: Gateway Usage
+    description: >
+      Select your Gateway Topology / Mode from the dropdown list of options. The
+      most common for a single gateway is the Outbound DLP, which is set up
+      for encrypting outgoing email messages based off a configurable set rules
+      (managed in the Virtru Control Center by your Admin). The other options are
+      more commonly used when setting up multiple gateways to accommodate additional
+      appliances in your email routing flows.
+    type: string
+    enum:
+      - "Outbound - Data Loss Prevention"
+      - "Outbound - Encrypt Everything"
+      - "Outbound - Decrypt Everything"
+      - "Inbound - Encrypt Everything"
+      - "Inbound - Decrypt Everything"
+    x-google-marketplace:
+      type: STRING
+    default: "Outbound - Data Loss Prevention"
   pricingPlan:
     type: string
     title: Virtru Pricing Plan
@@ -122,7 +141,8 @@ required:
 - gatewayHostname
 - gatewayApiTokenName
 - gatewayApiSecret
+- gatewayFlow
 - primaryMailingDomain
 - amplitudeToken
 - pricingPlan
-- numberOfLicenses
+- numberOfLicenses