From 703605111fa3123770d05973401637a4f3028135 Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Sat, 16 Nov 2024 16:53:21 +0100 Subject: [PATCH 01/31] fix: upgrade jdk version for org and fin service --- backend/app.hopps.fin/src/main/docker/Dockerfile.jvm | 2 +- backend/app.hopps.fin/src/main/docker/Dockerfile.legacy-jar | 2 +- backend/app.hopps.org/src/main/docker/Dockerfile.jvm | 2 +- backend/app.hopps.org/src/main/docker/Dockerfile.legacy-jar | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/backend/app.hopps.fin/src/main/docker/Dockerfile.jvm b/backend/app.hopps.fin/src/main/docker/Dockerfile.jvm index d71753d6..2619c347 100644 --- a/backend/app.hopps.fin/src/main/docker/Dockerfile.jvm +++ b/backend/app.hopps.fin/src/main/docker/Dockerfile.jvm @@ -75,7 +75,7 @@ # accessed directly. (example: "foo.example.com,bar.example.com") # ### -FROM registry.access.redhat.com/ubi8/openjdk-17:1.14 +FROM registry.access.redhat.com/ubi8/openjdk-21:1.19 ENV LANGUAGE='en_US:en' diff --git a/backend/app.hopps.fin/src/main/docker/Dockerfile.legacy-jar b/backend/app.hopps.fin/src/main/docker/Dockerfile.legacy-jar index 3f6c4495..ecbc496f 100644 --- a/backend/app.hopps.fin/src/main/docker/Dockerfile.legacy-jar +++ b/backend/app.hopps.fin/src/main/docker/Dockerfile.legacy-jar @@ -75,7 +75,7 @@ # accessed directly. (example: "foo.example.com,bar.example.com") # ### -FROM registry.access.redhat.com/ubi8/openjdk-17:1.14 +FROM registry.access.redhat.com/ubi8/openjdk-21:1.19 ENV LANGUAGE='en_US:en' diff --git a/backend/app.hopps.org/src/main/docker/Dockerfile.jvm b/backend/app.hopps.org/src/main/docker/Dockerfile.jvm index d71753d6..2619c347 100644 --- a/backend/app.hopps.org/src/main/docker/Dockerfile.jvm +++ b/backend/app.hopps.org/src/main/docker/Dockerfile.jvm 
@@ -75,7 +75,7 @@ # accessed directly. (example: "foo.example.com,bar.example.com") # ### -FROM registry.access.redhat.com/ubi8/openjdk-17:1.14 +FROM registry.access.redhat.com/ubi8/openjdk-21:1.19 ENV LANGUAGE='en_US:en' diff --git a/backend/app.hopps.org/src/main/docker/Dockerfile.legacy-jar b/backend/app.hopps.org/src/main/docker/Dockerfile.legacy-jar index 3f6c4495..ecbc496f 100644 --- a/backend/app.hopps.org/src/main/docker/Dockerfile.legacy-jar +++ b/backend/app.hopps.org/src/main/docker/Dockerfile.legacy-jar @@ -75,7 +75,7 @@ # accessed directly. (example: "foo.example.com,bar.example.com") # ### -FROM registry.access.redhat.com/ubi8/openjdk-17:1.14 +FROM registry.access.redhat.com/ubi8/openjdk-21:1.19 ENV LANGUAGE='en_US:en' From aa7bc7816973904bebe107af2a676b3c33b9f05b Mon Sep 17 00:00:00 2001 
From: Jan <46779261+98jan@users.noreply.github.com> Date: Wed, 20 Nov 2024 21:33:48 +0100 Subject: [PATCH 02/31] feat: initial draft of helm chart #64 --- .github/workflows/helm-release.yaml | 55 ++ charts/hopps/.helmignore | 23 + charts/hopps/Chart.lock | 21 + charts/hopps/Chart.yaml | 56 ++ charts/hopps/templates/_helpers.tpl | 199 +++++++ .../templates/az-document-ai/deployment.yaml | 77 +++ .../templates/az-document-ai/ingress.yaml | 43 ++ .../templates/az-document-ai/service.yaml | 15 + .../az-document-ai/serviceaccount.yaml | 13 + charts/hopps/templates/fin/deployment.yaml | 77 +++ charts/hopps/templates/fin/ingress.yaml | 43 ++ charts/hopps/templates/fin/service.yaml | 15 + .../hopps/templates/fin/serviceaccount.yaml | 13 + .../hopps/templates/frontend/deployment.yaml | 77 +++ charts/hopps/templates/frontend/ingress.yaml | 43 ++ charts/hopps/templates/frontend/service.yaml | 15 + .../templates/frontend/serviceaccount.yaml | 13 + charts/hopps/templates/org/deployment.yaml | 77 +++ charts/hopps/templates/org/ingress.yaml | 43 ++ charts/hopps/templates/org/service.yaml | 15 + .../hopps/templates/org/serviceaccount.yaml | 13 + charts/hopps/values.yaml | 521 ++++++++++++++++++ 22 files changed, 1467 insertions(+) create mode 100644 .github/workflows/helm-release.yaml create mode 100644 charts/hopps/.helmignore create mode 100644 charts/hopps/Chart.lock create mode 100644 charts/hopps/Chart.yaml create mode 100644 charts/hopps/templates/_helpers.tpl create mode 100644 charts/hopps/templates/az-document-ai/deployment.yaml create mode 100644 charts/hopps/templates/az-document-ai/ingress.yaml create mode 100644 charts/hopps/templates/az-document-ai/service.yaml create mode 100644 charts/hopps/templates/az-document-ai/serviceaccount.yaml create mode 100644 charts/hopps/templates/fin/deployment.yaml create mode 100644 charts/hopps/templates/fin/ingress.yaml create mode 100644 charts/hopps/templates/fin/service.yaml create mode 100644 
charts/hopps/templates/fin/serviceaccount.yaml create mode 100644 charts/hopps/templates/frontend/deployment.yaml create mode 100644 charts/hopps/templates/frontend/ingress.yaml create mode 100644 charts/hopps/templates/frontend/service.yaml create mode 100644 charts/hopps/templates/frontend/serviceaccount.yaml create mode 100644 charts/hopps/templates/org/deployment.yaml create mode 100644 charts/hopps/templates/org/ingress.yaml create mode 100644 charts/hopps/templates/org/service.yaml create mode 100644 charts/hopps/templates/org/serviceaccount.yaml create mode 100644 charts/hopps/values.yaml diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml new file mode 100644 index 00000000..82f1e1d7 --- /dev/null +++ b/.github/workflows/helm-release.yaml 
@@ -0,0 +1,55 @@
+name: Release Charts
+
+on:
+ push:
+ paths:
+ - 'charts/hopps/**'
+ branches:
+ - main
+ workflow_dispatch: # allow manual trigger
+
+# depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+# see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name ${{ github.actor }}
+ git config user.email ${{ github.actor }}@users.noreply.github.com
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: 3.x
+
+ - name: Install Python dependencies
+ run: pip install pyyaml yq
+
+ - name: Get latest release version
+ id: get_latest_release
+ run: |
+ VERSION=$(yq '.version' charts/hopps/Chart.yaml)
+ echo "VERSION=$VERSION" >> $GITHUB_ENV
+ echo "Version: $VERSION"
+
+ - name: Chart | push
+ uses: appany/helm-oci-chart-releaser@v0.4.2
+ with:
+ name: hopps
+ repository: ${{ github.repository }}
+ path: charts/hopps
+ tag: ${{ env.VERSION }}
+ registry: ghcr.io
+ registry_username: ${{ github.actor }}
+ registry_password: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/charts/hopps/.helmignore b/charts/hopps/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/hopps/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
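Review bot: The `Chart | push` step pins `appany/helm-oci-chart-releaser@v0.4.2` by a mutable tag while handing it `secrets.GITHUB_TOKEN` with `packages: write`; pin third-party actions to a full commit SHA (keeping the tag in a trailing comment) so a moved tag cannot change what publishes the chart to ghcr.io. The two `git config` lines interpolate `${{ github.actor }}` directly into the shell script; actor names are tightly restricted, but the established pattern is to pass the value through `env:` (`ACTOR: ${{ github.actor }}`) and reference `"$ACTOR"`, and since no step here commits or pushes, the whole `Configure Git` step can likely be dropped. `pip install pyyaml yq` installs unpinned packages on every run, and `fetch-depth: 0` fetches the full history for a job that only reads `charts/hopps/Chart.yaml`.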
diff --git a/charts/hopps/Chart.lock b/charts/hopps/Chart.lock
new file mode 100644
index 00000000..0279d495
--- /dev/null
+++ b/charts/hopps/Chart.lock
@@ -0,0 +1,21 @@
+dependencies:
+- name: keycloak
+ repository: https://charts.bitnami.com/bitnami
+ version: 24.1.0
+- name: openfga
+ repository: https://openfga.github.io/helm-charts
+ version: 0.2.16
+- name: kafka-ui
+ repository: https://provectus.github.io/kafka-ui-charts
+ version: 0.7.6
+- name: kafka
+ repository: https://charts.bitnami.com/bitnami
+ version: 31.0.0
+- name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 16.2.1
+- name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 16.2.1
+digest: sha256:805d67991326d972a826255b81c0d74ef488843631cbddeb463d89e77a03accb
+generated: "2024-11-17T16:45:08.263515+01:00"
diff --git a/charts/hopps/Chart.yaml b/charts/hopps/Chart.yaml
new file mode 100644
index 00000000..e54eac9c
--- /dev/null
+++ b/charts/hopps/Chart.yaml
@@ -0,0 +1,56 @@ +apiVersion: v2 +name: hopps +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.0.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. 
+appVersion: "0.0.1" + +dependencies: + - condition: keycloak.enabled + name: keycloak + # ToDo: make version controllable by dependabot + version: 24.1.0 + repository: https://charts.bitnami.com/bitnami + - condition: openfga.enabled + name: openfga + # ToDo: make version controllable by dependabot + version: 0.2.16 + repository: https://openfga.github.io/helm-charts + - condition: kafka-ui.enabled + name: kafka-ui + # ToDo: make version controllable by dependabot + version: 0.7.6 + repository: https://provectus.github.io/kafka-ui-charts + - condition: kafka.enabled + name: kafka + version: 31.0.0 + repository: https://charts.bitnami.com/bitnami + - condition: postgresql-fin.enabled + alias: postgresql-fin + name: postgresql + version: 16.2.1 + repository: https://charts.bitnami.com/bitnami + - condition: postgresql-org.enabled + alias: postgresql-org + name: postgresql + version: 16.2.1 + repository: https://charts.bitnami.com/bitnami + diff --git a/charts/hopps/templates/_helpers.tpl b/charts/hopps/templates/_helpers.tpl new file mode 100644 index 00000000..c9bbefb7 --- /dev/null +++ b/charts/hopps/templates/_helpers.tpl 
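Review bot: `description: A Helm chart for Kubernetes` is still the `helm create` placeholder; replace it with a one-line statement of what the chart deploys, e.g. `description: Deploys the hopps org, fin, frontend and az-document-ai services with their Keycloak, OpenFGA, Kafka and PostgreSQL dependencies`. The `ToDo: make version controllable by dependabot` comment sits on keycloak, openfga and kafka-ui but not on kafka or the two postgresql aliases, although all six are pinned the same way; either apply it to all six or say why the last three differ. The hunk also ends with a whitespace-only line (`+ `) that should be removed.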
@@ -0,0 +1,199 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "hopps.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "hopps.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hopps.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "hopps.labels" -}} +helm.sh/chart: {{ include "hopps.chart" . }} +{{ include "hopps.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "hopps.selectorLabels" -}} +app.kubernetes.io/name: {{ include "hopps.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "hopps.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "hopps.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + + +{{/* +Common labels +*/}} +{{- define "hopps.commonLabels" -}} +helm.sh/chart: {{ include "hopps.chart" . 
}} +app.kubernetes.io/part-of: {{ include "hopps.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Common selector labels +*/}} +{{- define "hopps.commonSelectorLabels" -}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + + +{{/* +azDocumentAi labels +*/}} +{{- define "hopps.azDocumentAiLabels" -}} +{{ include "hopps.commonLabels" . }} +{{ include "hopps.azDocumentAiSelectorLabels" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} +{{/* +azDocumentAi selector labels +*/}} +{{- define "hopps.azDocumentAiSelectorLabels" -}} +{{ include "hopps.commonSelectorLabels" . }} +app.kubernetes.io/name: {{ printf "%s-az-document-ai" (include "hopps.name" .) }} +app.kubernetes.io/component: az-document-ai +{{- end -}} +{{/* +azDocumentAi name +*/}} +{{- define "hopps.azDocumentAiName" -}} +{{- printf "%s-az-document-ai" (include "hopps.name" .) -}} +{{- end -}} +{{/* +azDocumentAi fully qualified name +*/}} +{{- define "hopps.azDocumentAiFullname" -}} +{{- printf "%s-az-document-ai" (include "hopps.fullname" .) -}} +{{- end -}} + + +{{/* +org labels +*/}} +{{- define "hopps.orgLabels" -}} +{{ include "hopps.commonLabels" . }} +{{ include "hopps.orgSelectorLabels" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} +{{/* +org selector labels +*/}} +{{- define "hopps.orgSelectorLabels" -}} +{{ include "hopps.commonSelectorLabels" . }} +app.kubernetes.io/name: {{ printf "%s-org" (include "hopps.name" .) }} +app.kubernetes.io/component: org +{{- end -}} +{{/* +org name +*/}} +{{- define "hopps.orgName" -}} +{{- printf "%s-org" (include "hopps.name" .) -}} +{{- end -}} +{{/* +org fully qualified name +*/}} +{{- define "hopps.orgFullname" -}} +{{- printf "%s-org" (include "hopps.fullname" .) -}} +{{- end -}} + + +{{/* +fin labels +*/}} +{{- define "hopps.finLabels" -}} +{{ include "hopps.commonLabels" . }} +{{ include "hopps.finSelectorLabels" . 
}} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} +{{/* +fin selector labels +*/}} +{{- define "hopps.finSelectorLabels" -}} +{{ include "hopps.commonSelectorLabels" . }} +app.kubernetes.io/name: {{ printf "%s-fin" (include "hopps.name" .) }} +app.kubernetes.io/component: fin +{{- end -}} +{{/* +fin name +*/}} +{{- define "hopps.finName" -}} +{{- printf "%s-fin" (include "hopps.name" .) -}} +{{- end -}} +{{/* +fin fully qualified name +*/}} +{{- define "hopps.finFullname" -}} +{{- printf "%s-fin" (include "hopps.fullname" .) -}} +{{- end -}} + + +{{/* +frontend labels +*/}} +{{- define "hopps.frontendLabels" -}} +{{ include "hopps.commonLabels" . }} +{{ include "hopps.frontendSelectorLabels" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} +{{/* +frontend selector labels +*/}} +{{- define "hopps.frontendSelectorLabels" -}} +{{ include "hopps.commonSelectorLabels" . }} +app.kubernetes.io/name: {{ printf "%s-frontend" (include "hopps.name" .) }} +app.kubernetes.io/component: frontend +{{- end -}} +{{/* +frontend name +*/}} +{{- define "hopps.frontendName" -}} +{{- printf "%s-frontend" (include "hopps.name" .) -}} +{{- end -}} +{{/* +frontend fully qualified name +*/}} +{{- define "hopps.frontendFullname" -}} +{{- printf "%s-frontend" (include "hopps.fullname" .) -}} +{{- end -}} diff --git a/charts/hopps/templates/az-document-ai/deployment.yaml b/charts/hopps/templates/az-document-ai/deployment.yaml new file mode 100644 index 00000000..f92f1497 --- /dev/null +++ b/charts/hopps/templates/az-document-ai/deployment.yaml 
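Review bot: The four component label helpers (`hopps.azDocumentAiLabels`, `hopps.orgLabels`, `hopps.finLabels`, `hopps.frontendLabels`) emit `app.kubernetes.io/version: {{ .Chart.AppVersion }}` unquoted, whereas the scaffold `hopps.labels` above uses `| quote`; an appVersion such as `1.0` would render as a YAML number and the object would be rejected because label values must be strings, so use `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}` in all four. `hopps.labels`, `hopps.selectorLabels` and `hopps.serviceAccountName` look like `helm create` leftovers that none of the templates in this commit include, and `hopps.serviceAccountName` reads `.Values.serviceAccount`, which the per-component layout (`.Values.<component>.serviceAccount`) presumably does not define; removing them avoids a future nil-pointer render error if someone starts including them. A short header comment explaining the naming scheme (`hopps.<component>Name` / `Fullname` / `Labels` / `SelectorLabels`) would make the file easier to extend for the next service.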
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "hopps.azDocumentAiFullname" . }} + labels: + {{- include "hopps.azDocumentAiLabels" . | nindent 4 }} +spec: + {{- if not .Values.azDocumentAi.autoscaling.enabled }} + replicas: {{ .Values.azDocumentAi.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "hopps.azDocumentAiSelectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.azDocumentAi.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "hopps.azDocumentAiSelectorLabels" . | nindent 8 }} + {{- with .Values.azDocumentAi.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.azDocumentAi.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.azDocumentAi.serviceAccount.create }} + serviceAccountName: {{ .Values.azDocumentAi.serviceAccount.name | default (include "hopps.azDocumentAiFullname" .) }} + {{- end }} + securityContext: + {{- toYaml .Values.azDocumentAi.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + {{- if .Values.azDocumentAi.envVars }} + env: + {{- toYaml .Values.azDocumentAi.envVars | nindent 12 }} + {{- end }} + securityContext: + {{- toYaml .Values.azDocumentAi.securityContext | nindent 12 }} + image: "{{ .Values.azDocumentAi.image.repository }}:{{ .Values.azDocumentAi.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.azDocumentAi.image.pullPolicy }} + {{- with .Values.azDocumentAi.envFrom }} + envFrom: {{ toYaml . 
| nindent 8 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.azDocumentAi.service.port }} + protocol: TCP + livenessProbe: + {{- toYaml .Values.azDocumentAi.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.azDocumentAi.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.azDocumentAi.resources | nindent 12 }} + {{- with .Values.azDocumentAi.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.azDocumentAi.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.azDocumentAi.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.azDocumentAi.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.azDocumentAi.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/hopps/templates/az-document-ai/ingress.yaml b/charts/hopps/templates/az-document-ai/ingress.yaml new file mode 100644 index 00000000..207bfb73 --- /dev/null +++ b/charts/hopps/templates/az-document-ai/ingress.yaml 
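Review bot: `envFrom: {{ toYaml . | nindent 8 }}` is indented inconsistently with its sibling container fields, which all use `nindent 12` (`securityContext`, `livenessProbe`, `readinessProbe`, `resources`); a list rendered at column 8 presumably lands left of its own key and either fails to parse or is read as a new `containers` entry whenever `envFrom` is set. Use the same form as the siblings: `envFrom:` followed by `{{- toYaml . | nindent 12 }}`. The identical line appears in the fin, frontend and org deployment templates. Separately, when `serviceAccount.create` is false the pod spec sets no `serviceAccountName`, so pods run as the namespace `default` service account and the `automount` value only applies to the chart-created ServiceAccount; adding `automountServiceAccountToken: {{ .Values.azDocumentAi.serviceAccount.automount }}` to the pod spec keeps the token-mount decision effective in both cases.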
@@ -0,0 +1,43 @@ +{{- if .Values.azDocumentAi.ingress.enabled -}} +{{- $fullName := include "hopps.azDocumentAiFullname" . -}} +{{- $ingressPath := .Values.azDocumentAi.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "hopps.azDocumentAiLabels" . | nindent 4 }} +{{- with .Values.azDocumentAi.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} + {{- if .Values.azDocumentAi.ingress.ingressClassName }} + ingressClassName: {{ .Values.azDocumentAi.ingress.ingressClassName }} + {{- end }} + {{- end }} +{{- if .Values.azDocumentAi.ingress.tls }} + tls: + {{- range .Values.azDocumentAi.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.azDocumentAi.ingress.hosts }} + - host: {{ . | quote }} + http: + paths: + - pathType: Prefix + path: {{ $ingressPath }} + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hopps/templates/az-document-ai/service.yaml b/charts/hopps/templates/az-document-ai/service.yaml new file mode 100644 index 00000000..b1863911 --- /dev/null +++ b/charts/hopps/templates/az-document-ai/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "hopps.azDocumentAiFullname" . }} + labels: + {{- include "hopps.azDocumentAiLabels" . | nindent 4 }} +spec: + type: {{ .Values.azDocumentAi.service.type }} + ports: + - port: {{ .Values.azDocumentAi.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "hopps.azDocumentAiSelectorLabels" . | nindent 4 }} 
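Review bot: `ingressClassName` is only emitted when `.Capabilities.APIVersions.Has` reports an IngressClass API, so `helm template` or a lint run without `--api-versions` presumably renders no class even when `ingress.ingressClassName` is set, and the ingress silently falls to the cluster default; since the manifest already hardcodes `networking.k8s.io/v1`, the guard can be dropped and `{{- with .Values.azDocumentAi.ingress.ingressClassName }}` / `ingressClassName: {{ . }}` / `{{- end }}` used directly. `path: {{ $ingressPath }}` is unquoted while `host` is quoted; `path: {{ $ingressPath | quote }}` keeps it a string for every value. The same two points apply to the fin, frontend and org ingress templates.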
diff --git a/charts/hopps/templates/az-document-ai/serviceaccount.yaml b/charts/hopps/templates/az-document-ai/serviceaccount.yaml
new file mode 100644
index 00000000..cf912a04
--- /dev/null
+++ b/charts/hopps/templates/az-document-ai/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.azDocumentAi.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.azDocumentAi.serviceAccount.name | default (include "hopps.azDocumentAiFullname" .) }}
+ labels:
+ {{- include "hopps.azDocumentAiLabels" . | nindent 4 }}
+ {{- with .Values.azDocumentAi.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.azDocumentAi.serviceAccount.automount }}
+{{- end }}
diff --git a/charts/hopps/templates/fin/deployment.yaml b/charts/hopps/templates/fin/deployment.yaml
new file mode 100644
index 00000000..3d6af411
--- /dev/null
+++ b/charts/hopps/templates/fin/deployment.yaml
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "hopps.finFullname" . }} + labels: + {{- include "hopps.finLabels" . | nindent 4 }} +spec: + {{- if not .Values.fin.autoscaling.enabled }} + replicas: {{ .Values.fin.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "hopps.finSelectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.fin.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "hopps.finSelectorLabels" . | nindent 8 }} + {{- with .Values.fin.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.fin.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.fin.serviceAccount.create }} + serviceAccountName: {{ .Values.fin.serviceAccount.name | default (include "hopps.finFullname" .) }} + {{- end }} + securityContext: + {{- toYaml .Values.fin.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + {{- if .Values.fin.envVars }} + env: + {{- toYaml .Values.fin.envVars | nindent 12 }} + {{- end }} + securityContext: + {{- toYaml .Values.fin.securityContext | nindent 12 }} + image: "{{ .Values.fin.image.repository }}:{{ .Values.fin.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.fin.image.pullPolicy }} + {{- with .Values.fin.envFrom }} + envFrom: {{ toYaml . | nindent 8 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.fin.service.port }} + protocol: TCP + livenessProbe: + {{- toYaml .Values.fin.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.fin.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.fin.resources | nindent 12 }} + {{- with .Values.fin.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.fin.volumes }} + volumes: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.fin.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.fin.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.fin.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/hopps/templates/fin/ingress.yaml b/charts/hopps/templates/fin/ingress.yaml new file mode 100644 index 00000000..27076084 --- /dev/null +++ b/charts/hopps/templates/fin/ingress.yaml @@ -0,0 +1,43 @@ +{{- if .Values.fin.ingress.enabled -}} +{{- $fullName := include "hopps.finFullname" . -}} +{{- $ingressPath := .Values.fin.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "hopps.finLabels" . | nindent 4 }} +{{- with .Values.fin.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} + {{- if .Values.fin.ingress.ingressClassName }} + ingressClassName: {{ .Values.fin.ingress.ingressClassName }} + {{- end }} + {{- end }} +{{- if .Values.fin.ingress.tls }} + tls: + {{- range .Values.fin.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.fin.ingress.hosts }} + - host: {{ . | quote }} + http: + paths: + - pathType: Prefix + path: {{ $ingressPath }} + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hopps/templates/fin/service.yaml b/charts/hopps/templates/fin/service.yaml new file mode 100644 index 00000000..e1cf175a --- /dev/null +++ b/charts/hopps/templates/fin/service.yaml 
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "hopps.finFullname" . }}
+ labels:
+ {{- include "hopps.finLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.fin.service.type }}
+ ports:
+ - port: {{ .Values.fin.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "hopps.finSelectorLabels" . | nindent 4 }}
diff --git a/charts/hopps/templates/fin/serviceaccount.yaml b/charts/hopps/templates/fin/serviceaccount.yaml
new file mode 100644
index 00000000..5d4e1f46
--- /dev/null
+++ b/charts/hopps/templates/fin/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.fin.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.fin.serviceAccount.name | default (include "hopps.finFullname" .) }}
+ labels:
+ {{- include "hopps.finLabels" . | nindent 4 }}
+ {{- with .Values.fin.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.fin.serviceAccount.automount }}
+{{- end }}
diff --git a/charts/hopps/templates/frontend/deployment.yaml b/charts/hopps/templates/frontend/deployment.yaml
new file mode 100644
index 00000000..42e3f858
--- /dev/null
+++ b/charts/hopps/templates/frontend/deployment.yaml
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "hopps.frontendFullname" . }} + labels: + {{- include "hopps.frontendLabels" . | nindent 4 }} +spec: + {{- if not .Values.frontend.autoscaling.enabled }} + replicas: {{ .Values.org.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "hopps.frontendSelectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.frontend.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "hopps.frontendSelectorLabels" . | nindent 8 }} + {{- with .Values.frontend.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.frontend.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.frontend.serviceAccount.create }} + serviceAccountName: {{ .Values.frontend.serviceAccount.name | default (include "hopps.frontendFullname" .) }} + {{- end }} + securityContext: + {{- toYaml .Values.frontend.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + {{- if .Values.frontend.envVars }} + env: + {{- toYaml .Values.frontend.envVars | nindent 12 }} + {{- end }} + securityContext: + {{- toYaml .Values.frontend.securityContext | nindent 12 }} + image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.frontend.image.pullPolicy }} + {{- with .Values.frontend.envFrom }} + envFrom: {{ toYaml . | nindent 8 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.frontend.service.port }} + protocol: TCP + livenessProbe: + {{- toYaml .Values.frontend.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.frontend.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.frontend.resources | nindent 12 }} + {{- with .Values.frontend.volumeMounts }} + volumeMounts: + {{- toYaml . 
| nindent 12 }} + {{- end }} + {{- with .Values.frontend.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.frontend.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.frontend.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.frontend.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/hopps/templates/frontend/ingress.yaml b/charts/hopps/templates/frontend/ingress.yaml new file mode 100644 index 00000000..12ba4f76 --- /dev/null +++ b/charts/hopps/templates/frontend/ingress.yaml @@ -0,0 +1,43 @@ +{{- if .Values.frontend.ingress.enabled -}} +{{- $fullName := include "hopps.frontendFullname" . -}} +{{- $ingressPath := .Values.org.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "hopps.frontendLabels" . | nindent 4 }} +{{- with .Values.frontend.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} + {{- if .Values.org.ingress.ingressClassName }} + ingressClassName: {{ .Values.org.ingress.ingressClassName }} + {{- end }} + {{- end }} +{{- if .Values.frontend.ingress.tls }} + tls: + {{- range .Values.frontend.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.frontend.ingress.hosts }} + - host: {{ . | quote }} + http: + paths: + - pathType: Prefix + path: {{ $ingressPath }} + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hopps/templates/frontend/service.yaml b/charts/hopps/templates/frontend/service.yaml new file mode 100644 index 00000000..a77fcbbb 
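Review bot: `replicas: {{ .Values.org.replicaCount }}` in the frontend Deployment reads the org service's replica count under a `frontend.autoscaling.enabled` guard, which looks like a copy-paste slip; every other field in this template reads `.Values.frontend.*`, so it should be `replicas: {{ .Values.frontend.replicaCount }}`. As written, changing the frontend's own replica value has no effect and scaling org silently scales the frontend too.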
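Review bot: The frontend Ingress takes `$ingressPath := .Values.org.ingress.path` and `ingressClassName: {{ .Values.org.ingress.ingressClassName }}` from the org values, while `enabled`, `annotations`, `tls` and `hosts` come from `.Values.frontend.ingress`; the lines should read `{{- $ingressPath := .Values.frontend.ingress.path -}}` and `{{- if .Values.frontend.ingress.ingressClassName }}` / `ingressClassName: {{ .Values.frontend.ingress.ingressClassName }}`. With the current lines, editing the org ingress path silently rewrites the frontend route, which is hard to spot because the host and TLS sections look correct.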
--- /dev/null
+++ b/charts/hopps/templates/frontend/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "hopps.frontendFullname" . }}
+ labels:
+ {{- include "hopps.frontendLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.frontend.service.type }}
+ ports:
+ - port: {{ .Values.frontend.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "hopps.frontendSelectorLabels" . | nindent 4 }}
diff --git a/charts/hopps/templates/frontend/serviceaccount.yaml b/charts/hopps/templates/frontend/serviceaccount.yaml
new file mode 100644
index 00000000..0deacdcb
--- /dev/null
+++ b/charts/hopps/templates/frontend/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.frontend.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.frontend.serviceAccount.name | default (include "hopps.frontendFullname" .) }}
+ labels:
+ {{- include "hopps.frontendLabels" . | nindent 4 }}
+ {{- with .Values.frontend.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.frontend.serviceAccount.automount }}
+{{- end }}
diff --git a/charts/hopps/templates/org/deployment.yaml b/charts/hopps/templates/org/deployment.yaml
new file mode 100644
index 00000000..dca06a4c
--- /dev/null
+++ b/charts/hopps/templates/org/deployment.yaml
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "hopps.orgFullname" . }} + labels: + {{- include "hopps.orgLabels" . | nindent 4 }} +spec: + {{- if not .Values.org.autoscaling.enabled }} + replicas: {{ .Values.org.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "hopps.orgSelectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.org.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "hopps.orgSelectorLabels" . | nindent 8 }} + {{- with .Values.org.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.org.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.org.serviceAccount.create }} + serviceAccountName: {{ .Values.org.serviceAccount.name | default (include "hopps.orgFullname" .) }} + {{- end }} + securityContext: + {{- toYaml .Values.org.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + {{- if .Values.org.envVars }} + env: + {{- toYaml .Values.org.envVars | nindent 12 }} + {{- end }} + securityContext: + {{- toYaml .Values.org.securityContext | nindent 12 }} + image: "{{ .Values.org.image.repository }}:{{ .Values.org.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.org.image.pullPolicy }} + {{- with .Values.org.envFrom }} + envFrom: {{ toYaml . | nindent 8 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.org.service.port }} + protocol: TCP + livenessProbe: + {{- toYaml .Values.org.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.org.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.org.resources | nindent 12 }} + {{- with .Values.org.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.org.volumes }} + volumes: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.org.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.org.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.org.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/hopps/templates/org/ingress.yaml b/charts/hopps/templates/org/ingress.yaml new file mode 100644 index 00000000..36754e41 --- /dev/null +++ b/charts/hopps/templates/org/ingress.yaml @@ -0,0 +1,43 @@ +{{- if .Values.org.ingress.enabled -}} +{{- $fullName := include "hopps.orgFullname" . -}} +{{- $ingressPath := .Values.org.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "hopps.orgLabels" . | nindent 4 }} +{{- with .Values.org.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} + {{- if .Values.org.ingress.ingressClassName }} + ingressClassName: {{ .Values.org.ingress.ingressClassName }} + {{- end }} + {{- end }} +{{- if .Values.org.ingress.tls }} + tls: + {{- range .Values.org.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.org.ingress.hosts }} + - host: {{ . | quote }} + http: + paths: + - pathType: Prefix + path: {{ $ingressPath }} + backend: + service: + name: {{ $fullName }} + port: + name: http + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hopps/templates/org/service.yaml b/charts/hopps/templates/org/service.yaml new file mode 100644 index 00000000..4e4ef89d --- /dev/null +++ b/charts/hopps/templates/org/service.yaml 
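Review bot: The pod spec sets `serviceAccountName` only when `.Values.org.serviceAccount.create` is true and never sets `automountServiceAccountToken`, so with `create: false` the pod runs under the namespace's `default` ServiceAccount and gets its API token mounted even though values.yaml asks for `automount: false`; adding `automountServiceAccountToken: {{ .Values.org.serviceAccount.automount }}` next to `serviceAccountName` keeps the token out of the container in both cases. `livenessProbe` and `readinessProbe` are rendered unconditionally from values that default to `{}`; an empty probe has no handler and, as far as I know, is rejected by API validation, so wrapping each in `{{- with .Values.org.livenessProbe }}` / `livenessProbe:` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` would let the "enable when endpoints are available" ToDo in values.yaml actually work. `envFrom: {{ toYaml . | nindent 8 }}` uses a shallower indent than the neighbouring `env:` and `volumeMounts:` blocks (`nindent 12`); whether that still renders valid YAML cannot be confirmed from the collapsed hunk and is worth a `helm template` check. The frontend deployment at the start of this chunk follows the same pattern.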
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "hopps.orgFullname" . }}
+ labels:
+ {{- include "hopps.orgLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.org.service.type }}
+ ports:
+ - port: {{ .Values.org.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "hopps.orgSelectorLabels" . | nindent 4 }}
diff --git a/charts/hopps/templates/org/serviceaccount.yaml b/charts/hopps/templates/org/serviceaccount.yaml
new file mode 100644
index 00000000..3779df48
--- /dev/null
+++ b/charts/hopps/templates/org/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.org.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.org.serviceAccount.name | default (include "hopps.orgFullname" .) }}
+ labels:
+ {{- include "hopps.orgLabels" . | nindent 4 }}
+ {{- with .Values.org.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.org.serviceAccount.automount }}
+{{- end }}
diff --git a/charts/hopps/values.yaml b/charts/hopps/values.yaml
new file mode 100644
index 00000000..b8ac4923
--- /dev/null
+++ b/charts/hopps/values.yaml
@@ -0,0 +1,521 @@ +global: + test: value + +nameOverride: "" +fullnameOverride: "" + +azDocumentAi: + replicaCount: 1 + # ToDo: should also be globally configurable + # List of imagePullSecrets for private image repositories + imagePullSecrets: [] + image: + # ToDo: should also be globally configurable + #registry: ghcr.io + repository: ghcr.io/hopps-app/hopps/az-document-ai + tag: "" + pullPolicy: IfNotPresent + envFrom: [] + # - configMapRef: + # name: name + envVars: [] + #- name: ENV_VAR + # value: value + ingress: + enabled: false + annotations: {} + ingressClassName: ~ + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + podAnnotations: {} + podLabels: {} + podSecurityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + service: + type: ClusterIP + annotations: {} + labels: {} + port: 8100 + strategy: {} + # type: Recreate + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + serviceMonitor: + enabled: false + namespace: ~ + scrapeInterval: 15s + scrapeTimeout: 15s + serviceAccount: + create: true + annotations: {} + # ToDo: make fallback name unique + name: az-document-ai + automount: false + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ resources: {} + # requests: + # cpu: 100m + # memory: 256Mi + # limits: + # cpu: 100m + # memory: 256Mi + # Node selector settings for scheduling the pod on specific nodes + nodeSelector: {} + # Tolerations settings for scheduling the pod based on node taints + tolerations: [] + # Affinity settings for controlling pod scheduling + affinity: {} + # ToDo: enable when endpoints are available + livenessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 20 + # successThreshold: 1 + # timeoutSeconds: 2 + readinessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 10 + # successThreshold: 1 + # timeoutSeconds: 1 + startupProbe: {} + # initialDelaySeconds: 1 + # periodSeconds: 5 + # timeoutSeconds: 1 + # successThreshold: 1 + # failureThreshold: 1 + # httpGet: + # scheme: HTTP + # path: / + # port: http + volumes: + - name: cache + emptyDir: {} + volumeMounts: + - name: cache + mountPath: /tmp +fin: + replicaCount: 1 + # ToDo: should also be globally configurable + # List of imagePullSecrets for private image repositories + imagePullSecrets: [] + image: + # ToDo: should also be globally configurable + #registry: ghcr.io + repository: ghcr.io/hopps-app/hopps/fin + tag: "" + pullPolicy: IfNotPresent + envFrom: [] + # - configMapRef: + # name: name + envVars: [] + #- name: ENV_VAR + # value: value + ingress: + enabled: false + annotations: {} + ingressClassName: ~ + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + podAnnotations: {} + podLabels: {} + podSecurityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + service: + type: ClusterIP + annotations: {} + labels: {} + port: 8080 + strategy: {} + # type: Recreate + 
autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + serviceMonitor: + enabled: false + namespace: ~ + scrapeInterval: 15s + scrapeTimeout: 15s + serviceAccount: + create: true + annotations: {} + name: "" + automount: false + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + resources: {} + # requests: + # cpu: 100m + # memory: 256Mi + # limits: + # cpu: 100m + # memory: 256Mi + # Node selector settings for scheduling the pod on specific nodes + nodeSelector: {} + # Tolerations settings for scheduling the pod based on node taints + tolerations: [] + # Affinity settings for controlling pod scheduling + affinity: {} + # ToDo: allow healhchecks to be disable + # ToDo: enable when endpoints are available + livenessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 20 + # successThreshold: 1 + # timeoutSeconds: 2 + readinessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 10 + # successThreshold: 1 + # timeoutSeconds: 1 + startupProbe: {} + # initialDelaySeconds: 1 + # periodSeconds: 5 + # timeoutSeconds: 1 + # successThreshold: 1 + # failureThreshold: 1 + # httpGet: + # scheme: HTTP + # path: / + # port: http + volumes: + - name: cache + emptyDir: {} + volumeMounts: + - name: cache + mountPath: /tmp + +postgresql-fin: + enabled: true + nameOverride: fin-postgresql + auth: + database: fin + +org: + replicaCount: 1 + # ToDo: should also be globally configurable + # List of imagePullSecrets for private image repositories + imagePullSecrets: [] + image: + 
# ToDo: should also be globally configurable + #registry: ghcr.io + repository: ghcr.io/hopps-app/hopps/org + tag: "" + pullPolicy: IfNotPresent + envFrom: [] + # - configMapRef: + # name: name + envVars: [] + #- name: ENV_VAR + # value: value + ingress: + enabled: false + annotations: {} + ingressClassName: ~ + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + podAnnotations: {} + podLabels: {} + podSecurityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + service: + type: ClusterIP + annotations: {} + labels: {} + port: 8080 + strategy: {} + # type: Recreate + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + serviceMonitor: + enabled: false + namespace: ~ + scrapeInterval: 15s + scrapeTimeout: 15s + serviceAccount: + create: true + annotations: {} + name: "" + automount: false + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ resources: {} + # requests: + # cpu: 100m + # memory: 256Mi + # limits: + # cpu: 100m + # memory: 256Mi + # Node selector settings for scheduling the pod on specific nodes + nodeSelector: {} + # Tolerations settings for scheduling the pod based on node taints + tolerations: [] + # Affinity settings for controlling pod scheduling + affinity: {} + # ToDo: allow healhchecks to be disable + # ToDo: enable when endpoints are available + livenessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 20 + # successThreshold: 1 + # timeoutSeconds: 2 + readinessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 10 + # successThreshold: 1 + # timeoutSeconds: 1 + startupProbe: {} + # initialDelaySeconds: 1 + # periodSeconds: 5 + # timeoutSeconds: 1 + # successThreshold: 1 + # failureThreshold: 1 + # httpGet: + # scheme: HTTP + # path: / + # port: http + volumes: + - name: cache + emptyDir: {} + volumeMounts: + - name: cache + mountPath: /tmp + +postgresql-org: + enabled: true + nameOverride: org-postgresql + auth: + database: org + +frontend: + replicaCount: 1 + # ToDo: should also be globally configurable + # List of imagePullSecrets for private image repositories + imagePullSecrets: [] + image: + # ToDo: should also be globally configurable + #registry: ghcr.io + repository: ghcr.io/hopps-app/hopps/frontend + tag: "" + pullPolicy: IfNotPresent + envFrom: [] + # - configMapRef: + # name: name + envVars: [] + #- name: ENV_VAR + # value: value + ingress: + enabled: false + annotations: {} + ingressClassName: ~ + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + podAnnotations: {} + podLabels: {} + podSecurityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 + # ToDo: check if can be run with readonly 
root filesystem, following access is needed + # - /var/cache/nginx + # - /etc/nginx/config.d + # - /var/run/nginx.pid + readOnlyRootFilesystem: false + seccompProfile: + type: RuntimeDefault + service: + type: ClusterIP + annotations: {} + labels: {} + port: 8080 + strategy: {} + # type: Recreate + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + serviceMonitor: + enabled: false + namespace: ~ + scrapeInterval: 15s + scrapeTimeout: 15s + serviceAccount: + create: true + annotations: {} + name: "" + automount: false + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + resources: {} + # requests: + # cpu: 100m + # memory: 256Mi + # limits: + # cpu: 100m + # memory: 256Mi + # Node selector settings for scheduling the pod on specific nodes + nodeSelector: {} + # Tolerations settings for scheduling the pod based on node taints + tolerations: [] + # Affinity settings for controlling pod scheduling + affinity: { } + # ToDo: allow healhchecks to be disable + # ToDo: enable when endpoints are available + livenessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 20 + # successThreshold: 1 + # timeoutSeconds: 2 + readinessProbe: {} + # failureThreshold: 3 + # httpGet: + # path: / + # port: http + # scheme: HTTP + # periodSeconds: 10 + # successThreshold: 1 + # timeoutSeconds: 1 + startupProbe: {} + # initialDelaySeconds: 1 + # periodSeconds: 5 + # timeoutSeconds: 1 + # successThreshold: 1 + # failureThreshold: 1 + # httpGet: + # scheme: HTTP + # path: / + # port: http + volumes: + - name: cache + emptyDir: {} + 
volumeMounts: + - name: cache + mountPath: /var/cache/nginx + +# external dependencies +keycloak: + enabled: false + +kafka-ui: + enabled: false + #yamlApplicationConfig: + # kafka: + # clusters: + # - name: yaml + # # ToDo: url should automatically be calculated, dependent on the name of the release-name + # bootstrapServers: hopps-kafka:9092 + # auth: + # type: disabled + # management: + # health: + # ldap: + # enabled: false + # ingress: + # enabled: true + # ingressClassName: nginx + # annotations: {} + # # cert-manager.io/cluster-issuer: letsencrypt-prod + # tls: + # enabled: true + # secretName: kafka-tls + # # ToDo: mask domain + # host: kafka-ui. From 7ac6d12b1c3d5e101d08bd4198a38b643f0c6345 Mon Sep 17 00:00:00 2001 
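Review bot: `frontend.securityContext.readOnlyRootFilesystem: false` leaves the frontend as the only container in the chart with a writable root filesystem, and the ToDo directly above it already names the three paths nginx needs; giving those paths `emptyDir` volumes (the `cache` volume at `/var/cache/nginx` is already wired up) allows the flag to be set to `true` like azDocumentAi, fin and org. Whether the image needs any writable path beyond the three listed cannot be confirmed from here, so the change should be validated with a test render and a container start before merging. Separately, `azDocumentAi.serviceAccount.name: az-document-ai` is a fixed name while fin, org and frontend use `""` and fall back to the fullname helper; two releases in one namespace would collide on it, as the neighbouring ToDo already notes, so `name: ""` there keeps the four sections consistent.
```yaml
  securityContext:
    # … unchanged: allowPrivilegeEscalation, capabilities, runAsNonRoot, runAsUser …
    readOnlyRootFilesystem: true
    seccompProfile:
      type: RuntimeDefault
  # … unchanged: service, autoscaling, serviceMonitor, serviceAccount, resources, scheduling, probes …
  volumes:
    - name: cache
      emptyDir: {}
    - name: nginx-conf
      emptyDir: {}
    - name: nginx-run
      emptyDir: {}
  volumeMounts:
    - name: cache
      mountPath: /var/cache/nginx
    # paths as listed in the ToDo above — confirm against the frontend image
    - name: nginx-conf
      mountPath: /etc/nginx/config.d
    - name: nginx-run
      mountPath: /var/run
```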
From: Jan <46779261+98jan@users.noreply.github.com>
Date: Mon, 25 Nov 2024 21:14:38 +0100
Subject: [PATCH 03/31] feat: first draft of saas installation #64
---
.gitignore | 7 +
.../hopps/base/hopps/helm-repository.yaml | 8 +
.../hopps/base/hopps/kustomization.yaml | 4 +
kubernetes/hopps/base/hopps/postgresql.yaml | 24 +++
kubernetes/hopps/overlays/.sops.yaml | 6 +
.../dev/az-document-ai-secret-encrypted.env | 8 +
.../hopps/overlays/dev/helm-release.yaml | 190 ++++++++++++++++++
.../hopps/overlays/dev/kustomization.yaml | 28 +++
kubernetes/hopps/overlays/dev/namespace.yaml | 11 +
kubernetes/hopps/overlays/dev/postgresql.yaml | 14 ++
10 files changed, 300 insertions(+)
create mode 100644 kubernetes/hopps/base/hopps/helm-repository.yaml
create mode 100644 kubernetes/hopps/base/hopps/kustomization.yaml
create mode 100644 kubernetes/hopps/base/hopps/postgresql.yaml
create mode 100644 kubernetes/hopps/overlays/.sops.yaml
create mode 100644 kubernetes/hopps/overlays/dev/az-document-ai-secret-encrypted.env
create mode 100644 kubernetes/hopps/overlays/dev/helm-release.yaml
create mode 100644 kubernetes/hopps/overlays/dev/kustomization.yaml
create mode 100644 kubernetes/hopps/overlays/dev/namespace.yaml
create mode 100644 kubernetes/hopps/overlays/dev/postgresql.yaml
diff --git a/.gitignore b/.gitignore
index ff13bd65..b0776c75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -193,3 +193,10 @@ $RECYCLE.BIN/ # Drawio *.drawio.bkp
+
+# helm
+./charts/hopps/charts
+
+# unencrypted secrets
+*decrypted.env
+age.agekey
diff --git a/kubernetes/hopps/base/hopps/helm-repository.yaml b/kubernetes/hopps/base/hopps/helm-repository.yaml
new file mode 100644
index 00000000..4651bfa1
--- /dev/null
+++ b/kubernetes/hopps/base/hopps/helm-repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: hopps
+spec:
+ interval: 1h
+ url: oci://ghcr.io/hopps-app/hopps
+ type: oci
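Review bot: `./charts/hopps/charts` will, as far as I can tell, ignore nothing: gitignore patterns are not path-normalised, so the leading `./` is matched literally and the vendored dependency charts under `charts/hopps/charts/` stay visible to `git add`; the anchored form is `/charts/hopps/charts/`. Ignoring `age.agekey` and `*decrypted.env` is the right companion to the sops setup introduced in this commit, but an ignore rule only protects files that happen to carry that exact suffix and only stops future adds; a pre-commit secret scan is the backstop that catches a decrypted file saved under any other name.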
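Review bot: The OCI HelmRepository pulls from `oci://ghcr.io/hopps-app/hopps` with no provenance check, and the HelmRelease in this same commit pins `version: 0.0.1` but nothing verifies who pushed that artifact. If the chart is signed in CI, Flux can enforce it from the HelmRelease side with `spec.chart.spec.verify: {provider: cosign}`; if it is not signed yet, a comment on `spec:` saying so spares the next reader from assuming the pull is authenticated beyond registry TLS.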
diff --git a/kubernetes/hopps/base/hopps/kustomization.yaml b/kubernetes/hopps/base/hopps/kustomization.yaml
new file mode 100644
index 00000000..305e2fff
--- /dev/null
+++ b/kubernetes/hopps/base/hopps/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm-repository.yaml
\ No newline at end of file
diff --git a/kubernetes/hopps/base/hopps/postgresql.yaml b/kubernetes/hopps/base/hopps/postgresql.yaml
new file mode 100644
index 00000000..9b8d923c
--- /dev/null
+++ b/kubernetes/hopps/base/hopps/postgresql.yaml
@@ -0,0 +1,24 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: postgres-cluster
+spec:
+ teamId: "hopps"
+ postgresql:
+ version: "16"
+ parameters:
+ # depending on application that can cause issues
+ password_encryption: scram-sha-256
+ numberOfInstances: 1
+ volume:
+ size: "10Gi"
+ storageClass: "longhorn"
+ allowedSourceRanges: # load balancers' source ranges for both master and replica services
+ - 10.0.0.0/16
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ limits:
+ cpu: 500m
+ memory: 500Mi
diff --git a/kubernetes/hopps/overlays/.sops.yaml b/kubernetes/hopps/overlays/.sops.yaml
new file mode 100644
index 00000000..dae27393
--- /dev/null
+++ b/kubernetes/hopps/overlays/.sops.yaml
@@ -0,0 +1,6 @@
+creation_rules:
+ - path_regex: .*.yaml
+ encrypted_regex: ^(data|stringData)$
+ age: age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+ - age: >-
+ age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
diff --git a/kubernetes/hopps/overlays/dev/az-document-ai-secret-encrypted.env b/kubernetes/hopps/overlays/dev/az-document-ai-secret-encrypted.env
new file mode 100644
index 00000000..15ec640c
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/az-document-ai-secret-encrypted.env
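Review bot: `path_regex: .*.yaml` in `.sops.yaml` has an unescaped dot and no end anchor, so it also matches names such as `foo-yaml.bak`; `path_regex: \.ya?ml$` states the intent. Because the second rule carries no `path_regex`, every other file under `overlays/` — which is what the `*-secret-encrypted.env` files rely on — is encrypted whole-file rather than by `data|stringData` key; a one-line comment on that rule (`# catch-all: dotenv secret files are encrypted in full`) would keep someone from "tidying" it into a yaml-only rule later. In base `postgresql.yaml`, `allowedSourceRanges` is, as far as I know, only applied as `loadBalancerSourceRanges` and so only restricts anything once a LoadBalancer service is enabled for the cluster; the `10.0.0.0/16` entry is inert until then and the inline comment could say so.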
@@ -0,0 +1,8 @@ +app.hopps.az-document-ai.azure.endpoint=ENC[AES256_GCM,data:braLHAtxl8OAbsw4tuaSr7ye7GGy2dzXfSnwCFC9/Vr9FSOvA0Yjh812iOVA01E/I0NZ9PAZbQ==,iv:GmlQxcKyqpP5lUcT+cTgb83G5vTYs4NAE0e1U1XkVlk=,tag:yZnCC6qltuYPAM84ltUQqw==,type:str] +app.hopps.az-document-ai.azure.key=ENC[AES256_GCM,data:wV84KfFPmne99cstGeuxlRtpJq9TCKP8/bwmHvSNRdw=,iv:yCi5OwHVve4PRpsaZYi71Bp7pJiImb1P3FDESR4G8qo=,tag:xRJM9Poa59RDSNQH03HhmA==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SDZQclYrLzg4TzNkSDJQ\nTFhmaXY0d2lGTUR6RDQ4YTJXTU9PbDMyOGc0ClFpQ21JbTE2OWdIdHg2UVdiSFFm\na1lMaC9mQ3dYVGYxRGVvQ0tQNGlqNG8KLS0tIENSWERsMVd5YTduUWdVeEtkTnlu\naXVNbS9XOUhzYjRmdlV3ckJoaUp6ODQKC18hlojw/9B8N8FoOEvvgtWzwRX8/OaU\n0focTJHVxVvA57kKams9kavmvDiYy9JLMDKHAHnOu0V/GGFX2FRw0A==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-25T19:42:39Z +sops_mac=ENC[AES256_GCM,data:Zi5oeZGz3OBpLbC0lmopcXHHu9gsFbGsOv0oPg8fEfqKCEupC+XgfkBPd0K8wtcTeZO/v0VInfPebEnvhO21mlUEV5a3N/zFYRtixlsWPDoC1MjdnI5Dsz+HNPEOREoKSEJC/HE7AI9KZZ/0aFwxzus6z/yby1Kl71ZezzDi/e8=,iv:2gI+1Js3p6gpOEwJkqAKwy/yv/w/MSHVfi/SJ+fheo0=,tag:v4xXTgclvfAzmedXIXKUdQ==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml new file mode 100644 index 00000000..7c0dd618 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml 
@@ -0,0 +1,190 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: hopps +spec: + chart: + spec: + chart: hopps + sourceRef: + kind: HelmRepository + name: hopps + version: 0.0.1 + interval: 1m0s + values: + azDocumentAi: + image: + tag: upgrade-jdk + envFrom: + - secretRef: + name: az-document-ai + envVars: + # ToDo: url should automatically be calculated, dependent on the name of the release-name + - name: kafka.bootstrap.servers + value: hopps-kafka:9092 + org: + image: + tag: upgrade-jdk + envFrom: + - secretRef: + name: org + envVars: + # ToDo: url should automatically be calculated, dependent on the name of the release-name + # OpenFGA + - name: QUARKUS_OPENFGA_URL + value: http://openfga:8080 + - name: QUARKUS_OPENFGA_STORE + value: hopps + # Database secrets + - name: quarkus.datasource.jdbc.url + value: jdbc:postgresql://postgres-cluster:5432/org?loggerLevel=OFF&sslmode=require + - name: quarkus.datasource.username + valueFrom: + secretKeyRef: + name: org.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + key: username + - name: quarkus.datasource.password + valueFrom: + secretKeyRef: + name: org.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + key: password + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + ingressClassName: nginx + hosts: + - org.${DOMAIN_2} + tls: + - secretName: fin-tls + hosts: + - org.${DOMAIN_2} + postgresql-org: + enabled: false + fin: + image: + tag: upgrade-jdk + envFrom: + - secretRef: + name: fin + envVars: + # ToDo: url should automatically be calculated, dependent on the name of the release-name + # OpenFGA + - name: QUARKUS_OPENFGA_URL + value: http://openfga:8080 + - name: QUARKUS_OPENFGA_STORE + value: hopps + # Database secrets + - name: quarkus.datasource.jdbc.url + value: jdbc:postgresql://postgres-cluster:5432/fin?loggerLevel=OFF&sslmode=require + - name: quarkus.datasource.username + valueFrom: + secretKeyRef: + 
name: fin.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + key: username + - name: quarkus.datasource.password + valueFrom: + secretKeyRef: + name: fin.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + key: password + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + ingressClassName: nginx + hosts: + - fin.${DOMAIN_2} + tls: + - secretName: fin-tls + hosts: + - fin.${DOMAIN_2} + postgresql-fin: + enabled: false + frontend: + image: + tag: 118 + envFrom: + - secretRef: + name: frontend + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + ingressClassName: nginx + hosts: + - frontend.${DOMAIN_2} + tls: + - secretName: fin-tls + hosts: + - frontend.${DOMAIN_2} + kafka-ui: + enabled: true + yamlApplicationConfig: + kafka: + clusters: + - name: yaml + # ToDo: url should automatically be calculated, dependent on the name of the release-name + bootstrapServers: hopps-kafka:9092 + auth: + type: disabled + management: + health: + ldap: + enabled: false + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + # configure oauth2-proxy security + nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email + nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri + nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth + tls: + enabled: true + secretName: kafka-tls + # ToDo: mask domain + host: kafka-ui.${DOMAIN_2} + openfga: + # ToDo: check why enabled attribute isn't working + #enabled: true + # configure securityContext + podSecurityContext: + fsGroup: 2000 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + # use postgresql-database + 
datastore:
+ engine: postgres
+ uriSecret: openfga
+ # needed, else the
+ migrationType: "job"
+ postgresql:
+ enabled: false
+ # use already available keycloak
+ keycloak:
+ enabled: true
+ postgresql:
+ enabled: false
+ externalDatabase:
+ host: postgres-cluster
+ database: keycloak
+ post: 5432
+ existingSecret: keycloak.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do
+ existingSecretUserKey: "username"
+ existingSecretPasswordKey: "password"
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hostname: keycloak.${DOMAIN_2}
+ ingressClassName: nginx
+ tls: true
diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml
new file mode 100644
index 00000000..34f08449
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/kustomization.yaml
@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: hopps-dev
+resources:
+ - ../../base/hopps
+ - namespace.yaml
+ - helm-release.yaml
+patches:
+ - path: postgresql.yaml
+# create all needed secrets with fix name
+generatorOptions:
+ disableNameSuffixHash: true
+secretGenerator:
+ - name: fin
+ envs:
+ - fin-secret-encrypted.env
+ - name: org
+ envs:
+ - org-secret-encrypted.env
+ - name: az-document-ai
+ envs:
+ - az-document-ai-secret-encrypted.env
+ - name: frontend
+ envs:
+ - frontend-secret-encrypted.env
+ - name: openfga
+ envs:
+ - openfga-secret-encrypted.env
diff --git a/kubernetes/hopps/overlays/dev/namespace.yaml b/kubernetes/hopps/overlays/dev/namespace.yaml
new file mode 100644
index 00000000..da7d5d5b
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/namespace.yaml
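Review bot: All three application Ingresses (`org.${DOMAIN_2}`, `fin.${DOMAIN_2}`, `frontend.${DOMAIN_2}`) declare `secretName: fin-tls` under `tls:`, and each carries the cert-manager annotation, so three Ingresses compete to populate one Secret with certificates for different names; the exact outcome depends on ingress-shim, but it is not three working hosts — the copied blocks should use `secretName: org-tls` and `secretName: frontend-tls`. `keycloak.externalDatabase.post: 5432` looks like a typo for `port`, which means the chart's default port is used instead (harmless while both are 5432, but misleading to the next reader). The JDBC URLs use `sslmode=require`, which encrypts but does not check the server certificate; once the operator's CA is available in the namespace, `sslmode=verify-full` with `sslrootcert` is the setting that actually defends against a spoofed database endpoint. `tag: upgrade-jdk` and `tag: 118` are mutable tags, so what runs can change without a commit; the chart's `image:` template only composes `repository:tag`, so reproducible deployments need either immutable per-build tags or a digest value supported by the template.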
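Review bot: The `secretGenerator` entries read sops-encrypted dotenv files, which only produces usable Secrets when the Flux Kustomization applying this overlay has `spec.decryption.provider: sops` and the age key Secret; that object is not part of this commit, so either add it or name it in the `# create all needed secrets with fix name` comment so the dependency is visible. With `disableNameSuffixHash: true` a rotated value in one of these files does not change the Secret's name, so pods that consumed it via `envFrom` keep the old value until they are restarted — acceptable for a dev overlay, but worth one line in the same comment.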
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hopps-dev
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: v1.31
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: v1.31
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: v1.31
diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml
new file mode 100644
index 00000000..3fb63ad6
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/postgresql.yaml
@@ -0,0 +1,14 @@
+# create users
+users:
+ # namespace.name: roles
+ hopps-dev.org: []
+ hopps-dev.fin: []
+ hopps-dev.openfga: []
+ hopps-dev.keycloak: []
+databases:
+ # name: owner (namespace.name)
+ # namespace notation is part of user name
+ org: hopps-dev.org
+ fin: hopps-dev.fin
+ openfga: hopps-dev.openfga
+ keycloak: hopps-dev.keycloak
From 43aa1c16759a0ea1bcbc2a721834ce2e631f61ac Mon Sep 17 00:00:00 2001
From: Jan <46779261+98jan@users.noreply.github.com>
Date: Mon, 25 Nov 2024 21:21:08 +0100
Subject: [PATCH 04/31] fix: disable secrets for keycloak bootstrap
---
.../hopps/overlays/dev/kustomization.yaml | 24 +++++++++----------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml
index 34f08449..959f66c0 100644
--- a/kubernetes/hopps/overlays/dev/kustomization.yaml
+++ b/kubernetes/hopps/overlays/dev/kustomization.yaml
@@ -11,18 +11,18 @@ patches:
generatorOptions:
disableNameSuffixHash: true
secretGenerator:
- - name: fin
- envs:
- - fin-secret-encrypted.env
- - name: org
- envs:
- - org-secret-encrypted.env
+ #- name: fin
+ # envs:
+ # - fin-secret-encrypted.env
+ #- name: org
+ # envs:
+ # - org-secret-encrypted.env
- name: az-document-ai
envs:
- az-document-ai-secret-encrypted.env
- - name: frontend
- envs:
- - frontend-secret-encrypted.env
- - name: openfga
- envs:
- - openfga-secret-encrypted.env
+ #- name: frontend
+ # envs:
+ # - frontend-secret-encrypted.env
+ #- name: openfga
+ # envs:
+ # - openfga-secret-encrypted.env
From 73e0fc55d434719bdaf0b0153ada04c88f4bc074 Mon Sep 17 00:00:00 2001
From: Jan <46779261+98jan@users.noreply.github.com>
Date: Mon, 25 Nov 2024 21:25:16 +0100
Subject: [PATCH 05/31] fix: update postgresql configuration
---
kubernetes/hopps/overlays/dev/postgresql.yaml | 33 +++++++++++--------
1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml
index 3fb63ad6..98a5833d 100644
--- a/kubernetes/hopps/overlays/dev/postgresql.yaml
+++ b/kubernetes/hopps/overlays/dev/postgresql.yaml
@@ -1,14 +1,19 @@
-# create users
-users:
- # namespace.name: roles
- hopps-dev.org: []
- hopps-dev.fin: []
- hopps-dev.openfga: []
- hopps-dev.keycloak: []
-databases:
- # name: owner (namespace.name)
- # namespace notation is part of user name
- org: hopps-dev.org
- fin: hopps-dev.fin
- openfga: hopps-dev.openfga
- keycloak: hopps-dev.keycloak
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: postgres-cluster
+spec:
+ # create users
+ users:
+ # namespace.name: roles
+ hopps-dev.org: []
+ hopps-dev.fin: []
+ hopps-dev.openfga: []
+ hopps-dev.keycloak: []
+ databases:
+ # name: owner (namespace.name)
+ # namespace notation is part of user name
+ org: hopps-dev.org
+ fin: hopps-dev.fin
+ openfga: hopps-dev.openfga
+ keycloak: hopps-dev.keycloak
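Review bot: Commenting out the `fin`, `org`, `frontend` and `openfga` generators leaves helm-release.yaml from the previous commit still pointing at those Secrets through `envFrom: - secretRef: name: fin` / `org` / `frontend` and openfga's `uriSecret: openfga`; a non-optional `secretRef` to a missing Secret keeps the container in CreateContainerConfigError rather than starting without it. Either add `optional: true` to each of those `secretRef` entries or remove them from the HelmRelease until the encrypted files exist. The subject line says "keycloak bootstrap", but nothing in this file mentions keycloak; a one-line comment above the disabled entries (`# disabled until the encrypted env files are committed; see helm-release.yaml secretRefs`) would record the reason where the next reader looks.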
From 03b260db7b0bd23f2353c4a18634e424004502df Mon Sep 17 00:00:00 2001
From: Jan <46779261+98jan@users.noreply.github.com>
Date: Mon, 25 Nov 2024 21:26:56 +0100
Subject: [PATCH 06/31] fix: patching of postgresql
---
kubernetes/hopps/overlays/dev/postgresql.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml
index 98a5833d..67a67553 100644
--- a/kubernetes/hopps/overlays/dev/postgresql.yaml
+++ b/kubernetes/hopps/overlays/dev/postgresql.yaml
@@ -2,6 +2,7 @@ apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
name: postgres-cluster
+ namespace: hopps-dev
spec:
# create users
users:
From 06e8b01ba3d9a8abdb0405cdd1282d44bfcbdf40 Mon Sep 17 00:00:00 2001
From: Jan <46779261+98jan@users.noreply.github.com>
Date: Mon, 25 Nov 2024 21:29:30 +0100
Subject: [PATCH 07/31] fix: patching of postgresql
---
kubernetes/hopps/base/hopps/postgresql.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/kubernetes/hopps/base/hopps/postgresql.yaml b/kubernetes/hopps/base/hopps/postgresql.yaml
index 9b8d923c..68f6e23c 100644
--- a/kubernetes/hopps/base/hopps/postgresql.yaml
+++ b/kubernetes/hopps/base/hopps/postgresql.yaml
@@ -2,6 +2,7 @@ apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
name: postgres-cluster
+ namespace: hopps-dev
spec:
teamId: "hopps"
postgresql:
From 66c7b9998df1970290f5f45d42e795bbe6e7c536 Mon Sep 17 00:00:00 2001
From: Jan <46779261+98jan@users.noreply.github.com>
Date: Mon, 25 Nov 2024 21:34:43 +0100
Subject: [PATCH 08/31] fix: patching of postgresql
---
kubernetes/hopps/base/hopps/postgresql.yaml | 25 -----------------
.../hopps/overlays/dev/kustomization.yaml | 3 +-
kubernetes/hopps/overlays/dev/postgresql.yaml | 28 +++++++++++++++----
3 files changed, 24 insertions(+), 32 deletions(-)
delete mode 100644 kubernetes/hopps/base/hopps/postgresql.yaml
diff --git a/kubernetes/hopps/base/hopps/postgresql.yaml b/kubernetes/hopps/base/hopps/postgresql.yaml
deleted file mode 100644
index 68f6e23c..00000000
--- a/kubernetes/hopps/base/hopps/postgresql.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: "acid.zalan.do/v1"
-kind: postgresql
-metadata:
- name: postgres-cluster
- namespace: hopps-dev
-spec:
- teamId: "hopps"
- postgresql:
- version: "16"
- parameters:
- # depending on application that can cause issues
- password_encryption: scram-sha-256
- numberOfInstances: 1
- volume:
- size: "10Gi"
- storageClass: "longhorn"
- allowedSourceRanges: # load balancers' source ranges for both master and replica services
- - 10.0.0.0/16
- resources:
- requests:
- cpu: 100m
- memory: 100Mi
- limits:
- cpu: 500m
- memory: 500Mi
diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml
index 959f66c0..e3695ba8 100644
--- a/kubernetes/hopps/overlays/dev/kustomization.yaml
+++ b/kubernetes/hopps/overlays/dev/kustomization.yaml
@@ -5,8 +5,7 @@ resources:
- ../../base/hopps
- namespace.yaml
- helm-release.yaml
-patches:
- - path: postgresql.yaml
+ - postgresql.yaml
# create all needed secrets with fix name
generatorOptions:
disableNameSuffixHash: true
diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml
index 67a67553..fe0eb928 100644
--- a/kubernetes/hopps/overlays/dev/postgresql.yaml
+++ b/kubernetes/hopps/overlays/dev/postgresql.yaml
@@ -2,15 +2,33 @@ apiVersion: "acid.zalan.do/v1" kind: postgresql metadata: name: postgres-cluster - namespace: hopps-dev spec: + teamId: "hopps" + postgresql: + version: "16" + parameters: + # depending on application that can cause issues + password_encryption: scram-sha-256 + numberOfInstances: 1 + volume: + size: "10Gi" + storageClass: "longhorn" + allowedSourceRanges: # load balancers' source ranges for both master and replica services + - 10.0.0.0/16 + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 500m + memory: 500Mi # create users users: # namespace.name: roles - hopps-dev.org: [] - hopps-dev.fin: [] - hopps-dev.openfga: [] - hopps-dev.keycloak: [] + hopps-dev.org: [ ] + hopps-dev.fin: [ ] + hopps-dev.openfga: [ ] + hopps-dev.keycloak: [ ] databases: # name: owner (namespace.name) # namespace notation is part of user name From 96e7162e0041a0a4d067a7c924cc94fa145b6d0d Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Mon, 25 Nov 2024 21:50:57 +0100 Subject: [PATCH 09/31] fix: reduce running pods --- kubernetes/hopps/overlays/dev/helm-release.yaml | 5 +++++ kubernetes/hopps/overlays/dev/namespace.yaml | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 7c0dd618..8131dc76 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -117,6 +117,9 @@ spec: - secretName: fin-tls hosts: - frontend.${DOMAIN_2} + kafka: + controller: + replicaCount: 1 kafka-ui: enabled: true yamlApplicationConfig: @@ -148,6 +151,8 @@ spec: openfga: # ToDo: check why enabled attribute isn't working #enabled: true + # only run one pod for now + replicaCount: 1 # configure securityContext podSecurityContext: fsGroup: 2000 diff --git a/kubernetes/hopps/overlays/dev/namespace.yaml b/kubernetes/hopps/overlays/dev/namespace.yaml index da7d5d5b..77a03634 100644 
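Review bot: `allowedSourceRanges: - 10.0.0.0/16` is moved into the overlay unchanged, but as far as I know the Zalando operator only applies it as the LoadBalancer source range of the master/replica Services, and nothing in this spec enables a load balancer, so the line is inert here; if it is meant to limit in-cluster clients it does nothing and a NetworkPolicy would be the tool. If a load balancer is enabled later, a whole /16 is a wide allow-list and the trailing comment should name the subnet the load balancers actually live in. The `[]` → `[ ]` rewrites in the `users` map are whitespace-only and make the hunk harder to read; I'd drop them from the patch.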
--- a/kubernetes/hopps/overlays/dev/namespace.yaml +++ b/kubernetes/hopps/overlays/dev/namespace.yaml @@ -3,7 +3,8 @@ kind: Namespace metadata: name: hopps-dev labels: - pod-security.kubernetes.io/enforce: restricted + # postgres-cluster can't be configured to be pss "restricted" profile + pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce-version: v1.31 pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/audit-version: v1.31 From 4b910e5f1eee6a1339ea316fb554f9b8c90a1dfc Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Mon, 25 Nov 2024 21:56:01 +0100 Subject: [PATCH 10/31] fix: reduce running pods --- kubernetes/hopps/overlays/dev/helm-release.yaml | 2 ++ kubernetes/hopps/overlays/dev/postgresql.yaml | 14 +++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 8131dc76..13f2e980 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -120,6 +120,7 @@ spec: kafka: controller: replicaCount: 1 + resourcesPreset: "none" kafka-ui: enabled: true yamlApplicationConfig: @@ -177,6 +178,7 @@ spec: # use already available keycloak keycloak: enabled: true + resourcesPreset: "none" postgresql: enabled: false externalDatabase: diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml index fe0eb928..5004bab1 100644 --- a/kubernetes/hopps/overlays/dev/postgresql.yaml +++ b/kubernetes/hopps/overlays/dev/postgresql.yaml 
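Review bot: Relaxing `pod-security.kubernetes.io/enforce` from `restricted` straight to `privileged` switches Pod Security admission off for every pod in hopps-dev, not only for the postgres cluster, since `privileged` is the unrestricted level. The comment records the trigger but not why `baseline` was not sufficient: Spilo pods from the Zalando operator typically fail `restricted` on the runAsNonRoot/seccomp/capabilities checks but, I believe, pass `baseline`, so `pod-security.kubernetes.io/enforce: baseline` would still admit the database while keeping privileged containers, host namespaces and hostPath out of the namespace. Because `audit` stays at `restricted`, the audit annotations will show exactly which controls the cluster pods violate and whether `baseline` is enough; I'd extend the comment to `# postgres-cluster pods fail pss "restricted"; baseline was <tried/not tried> — see audit log` so the next reader knows.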
@@ -15,13 +15,13 @@ spec: storageClass: "longhorn" allowedSourceRanges: # load balancers' source ranges for both master and replica services - 10.0.0.0/16 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi + resources: {} + # requests: + # cpu: 100m + # memory: 100Mi + # limits: + # cpu: 500m + # memory: 500Mi # create users users: # namespace.name: roles From 402bdb250527aea5c7adef921e0b7bfb9ad03ee4 Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Mon, 25 Nov 2024 21:59:32 +0100 Subject: [PATCH 11/31] fix: reduce running pods --- kubernetes/hopps/overlays/dev/postgresql.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml index 5004bab1..45c8b028 100644 --- a/kubernetes/hopps/overlays/dev/postgresql.yaml +++ b/kubernetes/hopps/overlays/dev/postgresql.yaml @@ -15,7 +15,6 @@ spec: storageClass: "longhorn" allowedSourceRanges: # load balancers' source ranges for both master and replica services - 10.0.0.0/16 - resources: {} # requests: # cpu: 100m # memory: 100Mi From efc5fe03e39f6b28c357278175f3a08e06c2df0d Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Mon, 25 Nov 2024 22:08:42 +0100 Subject: [PATCH 12/31] fix: add missing secret for postgresl-cluster --- kubernetes/hopps/overlays/dev/kustomization.yaml | 3 +++ .../overlays/dev/postgres-cluster-secret-encrypted.env | 8 ++++++++ 2 files changed, 11 insertions(+) create mode 100644 kubernetes/hopps/overlays/dev/postgres-cluster-secret-encrypted.env diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml index e3695ba8..97ad90ca 100644 --- a/kubernetes/hopps/overlays/dev/kustomization.yaml +++ b/kubernetes/hopps/overlays/dev/kustomization.yaml 
@@ -25,3 +25,6 @@ secretGenerator: #- name: openfga # envs: # - openfga-secret-encrypted.env + - name: postgres-operator-secret + envs: + - postgres-secret-encrypted.env diff --git a/kubernetes/hopps/overlays/dev/postgres-cluster-secret-encrypted.env b/kubernetes/hopps/overlays/dev/postgres-cluster-secret-encrypted.env new file mode 100644 index 00000000..24674e17 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/postgres-cluster-secret-encrypted.env @@ -0,0 +1,8 @@ +AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:8g==,iv:vs285td1wKGv5q/1NSv3rkwm/Dz00jWOUaHYPXPHC40=,tag:CECroZh5x7J03ja8UBFcXQ==,type:str] +AWS_SECRET_ACCESS_KEY= +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEN3JRUTJkWHNOZWNrYjZ3\nY3B5bHg0dlhsWHpKK0EweDdEN0U4UlhaV1FnCkNrM2UvWm1IZ1I5bGZyRVhyMnBG\nMEQ5VnJLMGQydTJUbEU4Z3B5MDZGSXcKLS0tIGhoR1NQanhydVRxVEI1Mk9BWFYr\nVllKQmR0QUVISDBybWN1NkY2ck5OaGsK6wiyqIAQh8R5hvs85bAIMBK30QY/nZjf\nL8m7NJ8/xW1t+0TLNj1w3xFSnhZ8fOoOVqJXv39wIvu3sp+QIoQmCQ==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-25T21:07:37Z +sops_mac=ENC[AES256_GCM,data:9YmNxKJMPncAG2DUwfnudEkrp4VFl0gto/oyRM/BtiHITIV1mHRj1x+6L/9WFhbAJQWmT49KetMkywvCH5e/XOe/9mxPm2L1zwCml+QKa7hMAG41KOV7X2A1e07w4NcOD5+6fNV3YoqMKQzfMPUD2FalGUX35yH+bgC4VuBqZL0=,iv:EAD8vTA75Gsjd5PHI+lIiy4IxI3dJCwX+fFTOWVUFYc=,tag:+l1Ai1LopNYlINEwjmPW9g==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 From d54eb9063168b351ac7c374da37ccf47c2be0046 Mon Sep 17 00:00:00 2001 
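Review bot: The new `postgres-cluster-secret-encrypted.env` commits `AWS_SECRET_ACCESS_KEY=` as an empty, unencrypted value next to an `AWS_ACCESS_KEY_ID` whose ciphertext decodes to a single byte, which looks like a placeholder pair rather than real credentials. If the generated `postgres-operator-secret` is meant to be injected into the cluster pods (presumably for WAL archiving or backups), the empty key will make that fail silently; if no backups are configured yet, it would be clearer not to generate the secret at all, or to say in kustomization.yaml what it is for, e.g. `# S3 credentials for postgres backups — placeholders until backups are set up`. The generator also references `postgres-secret-encrypted.env` while the file added is `postgres-cluster-secret-encrypted.env`; PATCH 13 in this series corrects that.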
From: Jan <46779261+98jan@users.noreply.github.com> Date: Mon, 25 Nov 2024 22:15:50 +0100 Subject: [PATCH 13/31] fix: add missing secret for postgresl-cluster and openfga --- kubernetes/hopps/overlays/dev/kustomization.yaml | 8 ++++---- .../hopps/overlays/dev/openfga-secret-encrypted.env | 7 +++++++ 2 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 kubernetes/hopps/overlays/dev/openfga-secret-encrypted.env diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml index 97ad90ca..075f4879 100644 --- a/kubernetes/hopps/overlays/dev/kustomization.yaml +++ b/kubernetes/hopps/overlays/dev/kustomization.yaml @@ -22,9 +22,9 @@ secretGenerator: #- name: frontend # envs: # - frontend-secret-encrypted.env - #- name: openfga - # envs: - # - openfga-secret-encrypted.env + - name: openfga + envs: + - openfga-secret-encrypted.env - name: postgres-operator-secret envs: - - postgres-secret-encrypted.env + - postgres-cluster-secret-encrypted.env diff --git a/kubernetes/hopps/overlays/dev/openfga-secret-encrypted.env b/kubernetes/hopps/overlays/dev/openfga-secret-encrypted.env new file mode 100644 index 00000000..3ba62521 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/openfga-secret-encrypted.env 
@@ -0,0 +1,7 @@ +uri=ENC[AES256_GCM,data:2DPudSRROl7ECpui938OcWmxzLNtaxpPy4b3ww2OtE5D4wMMUKZNlh3DYvk774a3LqLbScOjmSrIC4SgSLdf1W5CwZyXocAaVbd/VEdffZydmGKeBisozPhR3hvWNrqmgiSkV6Uuva5PpMAibjD36CVXSW7gvC85d6JuPqQhNtP/RLYgGTSLdVkw5w==,iv:rm8azi6y765zP4nOsgvH9Lkqa53rLdQAMMJ2H2UIGMA=,tag:t88aXyZAoREujOn7gstRww==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRzFhOTQrcG5sZ3FucUFU\nMm1vc1JwZmN1bDRXL0owcXVhekplcTNWU0ZBCkhVT3phMFJCZldCTm81U21abFhn\nRFdSblNFT1M5MlVnNlRZbjNwdiswYTgKLS0tIHdRM1FkdU1KN0x2YklISitKR01W\nTlRENFUvQkdQU2xvR3BzMXFKaTdsR1UKYWIgrxYOMQVVNlXCsCLIGxUHAH4SeHxZ\nZwjH8eq5xUNFh9tshDJ1PQZ8QT9NWZKkyNvzp67H8udL8hve3Hujog==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-25T21:11:35Z +sops_mac=ENC[AES256_GCM,data:ELg0s8d4ItMFWs7umjBWsyLtbaILmOjShSnmOmkMj1lHWGkmm2hZMp1V0FI5dZbR5MenAY2rrnPPcKnGHe17X/YCZCE2iUyIQS0QxxJOfn3Fieanj3sFhEyWNv8ZOOZA8c4l7yCZH2shAh3B6P36H8TYfMOuEbcU+7Eq6Hffjqo=,iv:OsaDMjAx93QrwtwHB84HwnGB3Bj1R12/30vl/nxJjVQ=,tag:rvqSk2a0w1Jhx16i+uJcLw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 From f2bcf582e3d0ba8ccd5e2a4d3ef387e6253a0af8 Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 21:20:51 +0100 Subject: [PATCH 14/31] fix: update secrets for hopps implementation --- .../overlays/dev/fin-secret-encrypted.env | 9 ++ .../dev/frontend-secret-encrypted.env | 9 ++ .../hopps/overlays/dev/helm-release.yaml | 127 +++++++++++++++--- .../hopps/overlays/dev/kustomization.yaml | 18 +-- .../overlays/dev/org-secret-encrypted.env | 9 ++ 5 files changed, 145 insertions(+), 27 deletions(-) create mode 100644 kubernetes/hopps/overlays/dev/fin-secret-encrypted.env create mode 100644 kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env create mode 100644 kubernetes/hopps/overlays/dev/org-secret-encrypted.env 
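Review bot: The openfga `uri` is a hand-encrypted copy of the datastore connection string (presumably including the password), while postgresql.yaml declares the `hopps-dev.openfga` user so that the operator generates `hopps-dev.openfga.postgres-cluster.credentials.postgresql.acid.zalan.do`, which is how the other services obtain their credentials. Two sources of truth for one password will drift the first time the operator rotates it or the cluster is recreated with fresh credentials, and nothing in the diff records that the sops value must then be re-encrypted. If the chart only accepts a full URI via `uriSecret: openfga`, at least a comment next to the openfga generator in kustomization.yaml, e.g. `# uri embeds the hopps-dev.openfga password; re-encrypt after the operator rotates it`, would make the coupling visible.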
diff --git a/kubernetes/hopps/overlays/dev/fin-secret-encrypted.env b/kubernetes/hopps/overlays/dev/fin-secret-encrypted.env new file mode 100644 index 00000000..b1375b5f --- /dev/null +++ b/kubernetes/hopps/overlays/dev/fin-secret-encrypted.env @@ -0,0 +1,9 @@ +QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:2xRpxlXV+XluqpxArGsEk6PgQ82qdaJOnaD7ef+RfacLQoy/I2h9,iv:etpPuKiv27grS6t1Q+rYVEyy9+FFn8zHimVzIeNxF0w=,tag:UXfFXxovNk9Y07iI6A2i5g==,type:str] +QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:JTJ3U+Xh,iv:eXl6vyPSgHufQjp48WDK0JRwqonFsCSGCHNXY4FUShg=,tag:kXTQGFfTqjR3wdoGZ8Rw0g==,type:str] +QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:zPYR46a1HmkklmAm/DXCRxDt2O5kcTOlLXZ+yf/tjC0=,iv:jPBuecMqx4w4Dp8PfdM3QMAulxrwI0KRtRO/AYn5RUg=,tag:Aby4GXnMjjXZZHewPtKSTw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0L1R4N1kvb0JhM0ZURmVO\nNTlnbDB0NmNOV29qZFI0T3F3L04vYWR1Y2ljCk1ReHM0Q3JaYnh3SXczYlFWOXhr\nTGhRQjVjc2dDclZhV1I4SGhXbkNIb0UKLS0tIDJCbGhmKzk5MFM4TU1rUGJiaTV6\nVC9XRko5U3AyVmhqN21DUEYvYzFKSlEKrcH/iLia3Z94uu3Nt3wBWukHE20RHWSL\n3swuSZVQOdtOgMYx0/QP/kZFJBFIe4jReRnkmF3j6Nb9AEgYmBYcCg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-26T20:12:58Z +sops_mac=ENC[AES256_GCM,data:+8YWmPbpDyEINQXLdtd7conv5+Hw/SSfCM9sq1IhnNKXSzQfc/uD5MPetK9JTWxrWAy4/jJNkcF9RaCLR8dh/zOVXgBvmTYHwhyRk7F82JE2k4li4BdAM9pavTiNcrmkSJ6uqL5Sv266s0bVOFkAaU94gntKgz9QUkMckQurBWU=,iv:CGAG/kkWiqLbW9ODxfQzmD0n8s3Li/QcQ35OGVk3srQ=,tag:P0PiOqdWrTGAWUnu+UBEAw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env new file mode 100644 index 00000000..4016a8cc --- /dev/null +++ b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env 
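Review bot: Of the three values encrypted here only `QUARKUS_OIDC_CREDENTIALS_SECRET` is confidential; the auth-server URL and client id are sent to the IdP in the clear, and in the frontend file of the next hunk all three `VITE_KEYCLOAK_*` values end up in the browser bundle anyway. Keeping non-secret settings inside the sops blob hides them from review — PATCH 17 later changes the Keycloak URL and the diff shows only new ciphertext — and forces a re-encryption for every configuration change. I'd keep URL, realm and client id as plain values in helm-release.yaml (or as keys carrying the `_unencrypted` suffix this file already configures) and leave only the credentials secret in the .env. The same applies to org-secret-encrypted.env later in this patch.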
@@ -0,0 +1,9 @@ +VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:lb9iIszpwbolSwua6I8jmuwu2spc1SUoFEE=,iv:jumK9rtWLYgF5XlAMd6sJYvwzgWktH6FrxW08Sy0GDQ=,tag:C1iVTAp5VOKl+xtPSI890g==,type:str] +VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:/xI17jsN,iv:5DcJ4Frv/E4172xxYETlhoXLY5IlBrBmGDb+cYWj8CA=,tag:8G8CQkFWGgLT40HJKQJIyw==,type:str] +VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:8m5zxhg=,iv:750TFU/wjnSlyJUwIJeOdktBigB7FdbEVfe4E3P8NL8=,tag:PCaJ9Sz4OZIyHjgVLzY2/Q==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OTdwMndFYzArNW9GWkJP\nN3pVQlVuQ3ZnZ3JXb0J6OE85YnVIaU9YUlJFCmcvMnlVQTBEaEFoVG5NQlZnczZP\nV21ra2ltaDZxR3g1ZmZRZVFhQys2WTAKLS0tIG1vNGtCZ1NQcHVmQzVsOW5uZVdE\ncXZGc1BQV0F2bVppTGFJQ0lMRUJqYVkKguktUYFAi83ZB9NZ96BPMkatfXuW6Vr7\n9jFHZ/yZEB96L7uDJBPaQkUsw4E3GnStuV1WY2JJthoQJycpsVQ2xw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-26T20:13:37Z +sops_mac=ENC[AES256_GCM,data:sBz5ALi0EGpK53spN4wLWsIho0YGDihHW/21Ffd/zGAEmxW5/pJ1hWYXhfWLoJQ+uVAzVU47SWsBc+3TMrZ23fTEO7R69I85hCiUh08qVnDpOvx66F3vE3u0LGg2Tien7XD6ij3uXbo10EjgYi1/JW4JVZFbd9OD7oTovBQ4znk=,iv:N5gUvKnvq4z0LqOqJsXJA/ko9ylC8zOTtMShXPvgvk4=,tag:fVQUpcJQTs3GwfRDkiOwdw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 13f2e980..2bea0329 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml 
@@ -15,19 +15,37 @@ spec: azDocumentAi: image: tag: upgrade-jdk - envFrom: - - secretRef: - name: az-document-ai + #envFrom: + # - secretRef: + # name: az-document-ai envVars: + - name: app.hopps.az-document-ai.azure.endpoint + valueFrom: + secretKeyRef: + name: az-document-ai + key: app.hopps.az-document-ai.azure.endpoint + - name: app.hopps.az-document-ai.azure.key + valueFrom: + secretKeyRef: + name: az-document-ai + key: app.hopps.az-document-ai.azure.key # ToDo: url should automatically be calculated, dependent on the name of the release-name - name: kafka.bootstrap.servers value: hopps-kafka:9092 + livenessProbe: + exec: + command: + - "true" + readinessProbe: + exec: + command: + - "true" org: image: tag: upgrade-jdk - envFrom: - - secretRef: - name: org + #envFrom: + # - secretRef: + # name: org envVars: # ToDo: url should automatically be calculated, dependent on the name of the release-name # OpenFGA @@ -41,13 +59,29 @@ spec: - name: quarkus.datasource.username valueFrom: secretKeyRef: - name: org.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do key: username - name: quarkus.datasource.password valueFrom: secretKeyRef: - name: org.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do key: password + # OIDC + - name: QUARKUS_OIDC_AUTH_SERVER_URL + valueFrom: + secretKeyRef: + name: org + key: QUARKUS_OIDC_AUTH_SERVER_URL + - name: QUARKUS_OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: org + key: QUARKUS_OIDC_CLIENT_ID + - name: QUARKUS_OIDC_CREDENTIALS_SECRET + valueFrom: + secretKeyRef: + name: org + key: QUARKUS_OIDC_CREDENTIALS_SECRET ingress: enabled: true annotations: 
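Review bot: The liveness and readiness probes added for azDocumentAi run `exec: command: ["true"]`, so they always succeed: the Service routes traffic to a pod whose application has not finished starting or has died, and the restart-on-hang protection of the liveness probe is lost. The same probes are added for org, fin and frontend in the following hunks of this patch. If the chart's default probes were hitting a wrong path, point them at the application's own endpoint instead — for org and fin, which are Quarkus services, an httpGet on `/q/health/live` and `/q/health/ready` if the smallrye-health extension is included, and for the frontend an httpGet on `/`. If this is a deliberate dev-only workaround, a comment above each probe saying so and naming the problem it works around would help.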
@@ -59,14 +93,22 @@ spec: - secretName: fin-tls hosts: - org.${DOMAIN_2} + livenessProbe: + exec: + command: + - "true" + readinessProbe: + exec: + command: + - "true" postgresql-org: enabled: false fin: image: tag: upgrade-jdk - envFrom: - - secretRef: - name: fin + #envFrom: + # - secretRef: + # name: fin envVars: # ToDo: url should automatically be calculated, dependent on the name of the release-name # OpenFGA @@ -80,13 +122,29 @@ spec: - name: quarkus.datasource.username valueFrom: secretKeyRef: - name: fin.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do key: username - name: quarkus.datasource.password valueFrom: secretKeyRef: - name: fin.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do key: password + # OIDC + - name: QUARKUS_OIDC_AUTH_SERVER_URL + valueFrom: + secretKeyRef: + name: fin + key: QUARKUS_OIDC_AUTH_SERVER_URL + - name: QUARKUS_OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: fin + key: QUARKUS_OIDC_CLIENT_ID + - name: QUARKUS_OIDC_CREDENTIALS_SECRET + valueFrom: + secretKeyRef: + name: fin + key: QUARKUS_OIDC_CREDENTIALS_SECRET ingress: enabled: true annotations: @@ -98,14 +156,39 @@ spec: - secretName: fin-tls hosts: - fin.${DOMAIN_2} + livenessProbe: + exec: + command: + - "true" + readinessProbe: + exec: + command: + - "true" postgresql-fin: enabled: false frontend: image: tag: 118 - envFrom: - - secretRef: - name: frontend + #envFrom: + # - secretRef: + # name: frontend + env: + # OIDC + - name: VITE_KEYCLOAK_URL + valueFrom: + secretKeyRef: + name: frontend + key: VITE_KEYCLOAK_URL + - name: VITE_KEYCLOAK_REALM + valueFrom: + secretKeyRef: + name: frontend + key: VITE_KEYCLOAK_REALM + - name: VITE_KEYCLOAK_CLIENT_ID + valueFrom: + secretKeyRef: + name: frontend + key: VITE_KEYCLOAK_CLIENT_ID ingress: enabled: true annotations: 
@@ -117,6 +200,14 @@ spec: - secretName: fin-tls hosts: - frontend.${DOMAIN_2} + livenessProbe: + exec: + command: + - "true" + readinessProbe: + exec: + command: + - "true" kafka: controller: replicaCount: 1 @@ -171,7 +262,7 @@ spec: datastore: engine: postgres uriSecret: openfga - # needed, else the + # needed, else the migration won't work migrationType: "job" postgresql: enabled: false @@ -185,7 +276,7 @@ spec: host: postgres-cluster database: keycloak post: 5432 - existingSecret: keycloak.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do + existingSecret: hopps-dev.keycloak.postgres-cluster.credentials.postgresql.acid.zalan.do existingSecretUserKey: "username" existingSecretPasswordKey: "password" ingress: diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml index 075f4879..87a5e489 100644 --- a/kubernetes/hopps/overlays/dev/kustomization.yaml +++ b/kubernetes/hopps/overlays/dev/kustomization.yaml @@ -10,18 +10,18 @@ resources: generatorOptions: disableNameSuffixHash: true secretGenerator: - #- name: fin - # envs: - # - fin-secret-encrypted.env - #- name: org - # envs: - # - org-secret-encrypted.env + - name: fin + envs: + - fin-secret-encrypted.env + - name: org + envs: + - org-secret-encrypted.env - name: az-document-ai envs: - az-document-ai-secret-encrypted.env - #- name: frontend - # envs: - # - frontend-secret-encrypted.env + - name: frontend + envs: + - frontend-secret-encrypted.env - name: openfga envs: - openfga-secret-encrypted.env diff --git a/kubernetes/hopps/overlays/dev/org-secret-encrypted.env b/kubernetes/hopps/overlays/dev/org-secret-encrypted.env new file mode 100644 index 00000000..550cd487 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/org-secret-encrypted.env 
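Review bot: With `disableNameSuffixHash: true` (the context line above the generators) the Secrets now generated for fin, org and frontend keep fixed names, so a later change to one of the `*-secret-encrypted.env` files updates the Secret in place but leaves the pod template untouched, and running pods keep the old values until something else restarts them — the Keycloak URL change in PATCH 17 is exactly this case. Letting kustomize append the content hash would only help if the `secretKeyRef` names inside the HelmRelease values are rewritten by the name-reference transformer, which I doubt they are for chart values; the usual alternative is a pod-template annotation carrying a checksum of the secret content so a value change rolls the Deployment. Either way a comment next to `disableNameSuffixHash: true`, e.g. `# fixed secret names: changing a secret does NOT roll the pods — restart manually`, would record the trade-off.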
@@ -0,0 +1,9 @@ +QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:IdlrDLPsqyjySS5B0gudQduUPBuF7xtDgdLGc2LdOWxzoVRt0C3v,iv:TyNyfDxj6QevH3rQyFAJL2JbsIMPve9vr7/NotzHqbQ=,tag:yVJR1XcMQ9akOIEqT1zq4A==,type:str] +QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:8uCdmBNP,iv:CyI4OBdkSBA02LLlJaOId4cRk25gN2cGiKf6PGxFGgc=,tag:M15UYsbjuRSo87uuqUdVhQ==,type:str] +QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:oQQ+BIe1BFbcPqaUb65WyJ7lICisA/s5XNPwAKt1cTo=,iv:MKwdvWorT6iMZFyHPOjD3r7jtJB8zF6LoGf6qXm9f1g=,tag:VSmYZUUq7TB+PqSon+d5Fw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTXpqS0hjR0hEUnZxMnB2\nS0RDeHVyRlJFUzdyWWQ4cEd5QkpLck5ndFFzCi9WKzNEM3hoWmd5Snd5LzA4cjBo\nUURZNEJrV2dIb0tQQkNGRmZ6bGpscVkKLS0tIGFxL3VzM0ZEMk9zNEtQZWY0cGla\nRTlxbkNBY3Z0YjVSajJvZ214TDBHYlkKSb6+03+9/yYcxaUDWOeuThThJ7tsPZS7\n9Vej66E5R43Zxu6r16u/y0LRnKeGsbnUFfq4Q0WAbYEOdurqvFcvMA==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-26T20:13:07Z +sops_mac=ENC[AES256_GCM,data:PN527XzaqxF7DcfVM5xkjNhOmfzYh2Ldpky4fsK0joFI3IFVZyL3U40ilm5K6Wj+EtQg6sHZp4HYGTHwfZT+gycmJw8WMuITUqt1i7Px37dAMeWDe+XfcPuI+kGC9OXAsju0aYXc8gaFHHcDYbY5egJLcM+i69p/VUriNB4pY4g=,iv:Vr8ssysGUBLSvtsZGvvFwttydH3f5WIHJX05PvKuDLc=,tag:J4hoyjn6Gl5MJpPkkdlEcA==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 From 2fdd26f6ee3a5b4b44913364e1d28acd050fa766 Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 21:44:41 +0100 Subject: [PATCH 15/31] fix: update helm-release --- kubernetes/hopps/overlays/dev/helm-release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 2bea0329..8e080e05 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml 
+++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -67,7 +67,7 @@ spec: name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do key: password # OIDC - - name: QUARKUS_OIDC_AUTH_SERVER_URL + - name: quarkus.oidc.auth-server-url valueFrom: secretKeyRef: name: org @@ -130,7 +130,7 @@ spec: name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do key: password # OIDC - - name: QUARKUS_OIDC_AUTH_SERVER_URL + - name: quarkus.oidc.auth-server-url valueFrom: secretKeyRef: name: fin From 16db7738bc3cbda5d30995c430032ba4fdd05a88 Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 22:08:07 +0100 Subject: [PATCH 16/31] fix: update helm-release --- kubernetes/hopps/overlays/dev/helm-release.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 8e080e05..7b2f65c1 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -211,7 +211,9 @@ spec: kafka: controller: replicaCount: 1 - resourcesPreset: "none" + resourcesPreset: "none" + volumePermissions: + resourcesPreset: "none" kafka-ui: enabled: true yamlApplicationConfig: From 67039a4426fb7f1c0a5e71f3b61f4e79d8be5c95 Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 22:27:40 +0100 Subject: [PATCH 17/31] fix: update keycloak url in secret --- .../hopps/overlays/dev/fin-secret-encrypted.env | 12 ++++++------ .../hopps/overlays/dev/frontend-secret-encrypted.env | 12 ++++++------ .../hopps/overlays/dev/org-secret-encrypted.env | 12 ++++++------ 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/fin-secret-encrypted.env b/kubernetes/hopps/overlays/dev/fin-secret-encrypted.env index b1375b5f..cab34ff2 100644 --- a/kubernetes/hopps/overlays/dev/fin-secret-encrypted.env 
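Review bot: After this change the OIDC entries for org and fin mix two naming styles — `quarkus.oidc.auth-server-url` next to `QUARKUS_OIDC_CLIENT_ID` and `QUARKUS_OIDC_CREDENTIALS_SECRET` — so a reader cannot tell whether the uppercase form was not picked up or the rename is simply incomplete. As far as I know Quarkus resolves both spellings through the same MicroProfile env-variable mapping, so either rename all three for consistency (`quarkus.oidc.client-id`, `quarkus.oidc.credentials.secret`) or, if the uppercase URL genuinely failed to resolve, record why in a comment above the block.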
+++ b/kubernetes/hopps/overlays/dev/fin-secret-encrypted.env 
@@ -1,9 +1,9 @@ -QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:2xRpxlXV+XluqpxArGsEk6PgQ82qdaJOnaD7ef+RfacLQoy/I2h9,iv:etpPuKiv27grS6t1Q+rYVEyy9+FFn8zHimVzIeNxF0w=,tag:UXfFXxovNk9Y07iI6A2i5g==,type:str] -QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:JTJ3U+Xh,iv:eXl6vyPSgHufQjp48WDK0JRwqonFsCSGCHNXY4FUShg=,tag:kXTQGFfTqjR3wdoGZ8Rw0g==,type:str] -QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:zPYR46a1HmkklmAm/DXCRxDt2O5kcTOlLXZ+yf/tjC0=,iv:jPBuecMqx4w4Dp8PfdM3QMAulxrwI0KRtRO/AYn5RUg=,tag:Aby4GXnMjjXZZHewPtKSTw==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0L1R4N1kvb0JhM0ZURmVO\nNTlnbDB0NmNOV29qZFI0T3F3L04vYWR1Y2ljCk1ReHM0Q3JaYnh3SXczYlFWOXhr\nTGhRQjVjc2dDclZhV1I4SGhXbkNIb0UKLS0tIDJCbGhmKzk5MFM4TU1rUGJiaTV6\nVC9XRko5U3AyVmhqN21DUEYvYzFKSlEKrcH/iLia3Z94uu3Nt3wBWukHE20RHWSL\n3swuSZVQOdtOgMYx0/QP/kZFJBFIe4jReRnkmF3j6Nb9AEgYmBYcCg==\n-----END AGE ENCRYPTED FILE-----\n +QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:5bNHuU4JUdAcUeit/dDECg0QnQXEyrJzF9W1y9PRym+318nw3KJCLHDI,iv:SoO2BD7ssK60AW0g7odrKUoOmxNbmKi6QfQ26ErVOSM=,tag:7EENgEh85IEvIjvgQk318g==,type:str] +QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:nZELclNr,iv:VeKFi/LcWI5zcL8CfD/PDvr47vni7wT9bVIJSyJkUgo=,tag:vF9h9YKSxp/y1Avpi7G2/Q==,type:str] +QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:4ZRCeQ4jnJtRac28OjTMph41SvtvDM/C38w74Dnlbcw=,iv:OifUqjxjzow2CUv0q7qEY/WEc72c9/iE4v9II+DsBjg=,tag:N+7VgY4vIN2nv/I76XWDnw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dWYvNjhDSkJFR1BSd1FC\neDZDeE1pZjVybHhWTmtXWHNnMjU4RjJRY2cwCmQ4MVB6NlZQM1hwWGNSZTJ5aHJo\nOUR0REhaZXJTMm9rd3VTSTRQMmhBSWcKLS0tIEZReUQwNS9oSVpheVcwTHVSWDlQ\nSlJXUEJVTkprald4UW1hVkdkRnd3YmMKlv8jU1LlyZVm2zBs1/jHbWWuebEXoY6S\ni+SOIOMotqbqcNLGmbJ8tuewSMiJRfjeKQG9gjHNYxE5pn1Pf1O0iQ==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s 
-sops_lastmodified=2024-11-26T20:12:58Z -sops_mac=ENC[AES256_GCM,data:+8YWmPbpDyEINQXLdtd7conv5+Hw/SSfCM9sq1IhnNKXSzQfc/uD5MPetK9JTWxrWAy4/jJNkcF9RaCLR8dh/zOVXgBvmTYHwhyRk7F82JE2k4li4BdAM9pavTiNcrmkSJ6uqL5Sv266s0bVOFkAaU94gntKgz9QUkMckQurBWU=,iv:CGAG/kkWiqLbW9ODxfQzmD0n8s3Li/QcQ35OGVk3srQ=,tag:P0PiOqdWrTGAWUnu+UBEAw==,type:str] +sops_lastmodified=2024-11-26T21:27:22Z +sops_mac=ENC[AES256_GCM,data:bm+JluAVq8L7nnjFYqw+qPdHjRSWwzUnOyHVgh4HM910l23Au1uI2uGOVAiBDv5zAoz8SjuBK2h9U+MsZirdbsRV3rpIA3H39LXvFvuhyf8qWV79OdQzbhUHdnkeZh4zWpcLR4QlBoBhF9k6GkN8qN7e6dFAm5WYQBtxwfqnttU=,iv:UwnAPS+/Oy1H4dVx0sTFsQn1B1C+6EgF72Mrfe+HmFk=,tag:3dZbXs39qz5CKcXeIia+Rw==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env index 4016a8cc..2f4c832a 100644 --- a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env +++ b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env 
@@ -1,9 +1,9 @@ -VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:lb9iIszpwbolSwua6I8jmuwu2spc1SUoFEE=,iv:jumK9rtWLYgF5XlAMd6sJYvwzgWktH6FrxW08Sy0GDQ=,tag:C1iVTAp5VOKl+xtPSI890g==,type:str] -VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:/xI17jsN,iv:5DcJ4Frv/E4172xxYETlhoXLY5IlBrBmGDb+cYWj8CA=,tag:8G8CQkFWGgLT40HJKQJIyw==,type:str] -VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:8m5zxhg=,iv:750TFU/wjnSlyJUwIJeOdktBigB7FdbEVfe4E3P8NL8=,tag:PCaJ9Sz4OZIyHjgVLzY2/Q==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OTdwMndFYzArNW9GWkJP\nN3pVQlVuQ3ZnZ3JXb0J6OE85YnVIaU9YUlJFCmcvMnlVQTBEaEFoVG5NQlZnczZP\nV21ra2ltaDZxR3g1ZmZRZVFhQys2WTAKLS0tIG1vNGtCZ1NQcHVmQzVsOW5uZVdE\ncXZGc1BQV0F2bVppTGFJQ0lMRUJqYVkKguktUYFAi83ZB9NZ96BPMkatfXuW6Vr7\n9jFHZ/yZEB96L7uDJBPaQkUsw4E3GnStuV1WY2JJthoQJycpsVQ2xw==\n-----END AGE ENCRYPTED FILE-----\n +VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:nq72UfZcfviAPujDtjlC7+l7M6+Fuh4/5ufrrv8=,iv:JxaRHBMk/Oh/wvOTjkhrrQPvh/qoj6ni3BtPVmMv/8A=,tag:DjtirKxBw7VudYfjM5upHw==,type:str] +VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:oPjdd+4Q,iv:ceoli4a7S7WlpMkG3AJ6ZqOzHvQ+M7U9p5ScEptkh9c=,tag:dHSZLS5BFxTqm+mUBQf8VA==,type:str] +VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:uClgb18=,iv:bn8VWhKgfiqmDsF2pNkIpS67Bas78hDrqoyNaEBxM0g=,tag:ljJR8FkcxygPvFDTlSiw0A==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNTVaYkwzVCtFL1hvKzZE\nRlZlb1FFSDVoblRVb2tFMlR4dEsvQ0llTEM4CldtZ3h0U0dDejRUMGNKcHNpYllU\nSE1JNUc4LzFvYzNFZ1JBWWRrNWZUcmMKLS0tIEtXRE9Ia05jOHlwcS9hUzdNNVRS\nbDdGRmF2dHNtRFNRZ0VlWjc2OHdKejQKV/Ca1UcvYsQJ0rAuaWRe1BFbN4MdHI1u\ntT0Idc64IOgcdm6kmpOnflaNrnWtfUUytmTaGxRfCFFn1WRk6ICRnA==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s -sops_lastmodified=2024-11-26T20:13:37Z 
-sops_mac=ENC[AES256_GCM,data:sBz5ALi0EGpK53spN4wLWsIho0YGDihHW/21Ffd/zGAEmxW5/pJ1hWYXhfWLoJQ+uVAzVU47SWsBc+3TMrZ23fTEO7R69I85hCiUh08qVnDpOvx66F3vE3u0LGg2Tien7XD6ij3uXbo10EjgYi1/JW4JVZFbd9OD7oTovBQ4znk=,iv:N5gUvKnvq4z0LqOqJsXJA/ko9ylC8zOTtMShXPvgvk4=,tag:fVQUpcJQTs3GwfRDkiOwdw==,type:str] +sops_lastmodified=2024-11-26T21:27:17Z +sops_mac=ENC[AES256_GCM,data:+1u3WjU67/CCzSxnI3SqLFjm9Selb1gpzfFB/m8OVWBuzbNPqYyTS9EBrRu4GgGL7kMZyNlzwiawnUr4FoyUU/wCcAHPRkFtOb1p2i+KOyEAPIEwVyFkgHry+QcJm2dwn4FWHjJD7ISMMX4QFtR0B5QxkoDHzBJu8hPrZhYj3g8=,iv:HnLrLrkySGzEJclH4uw94GWAJWTLC4LJbCZp6RZpD4M=,tag:SjL6gu/XyEWATaOHEg44JA==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/org-secret-encrypted.env b/kubernetes/hopps/overlays/dev/org-secret-encrypted.env index 550cd487..f41555ca 100644 --- a/kubernetes/hopps/overlays/dev/org-secret-encrypted.env +++ b/kubernetes/hopps/overlays/dev/org-secret-encrypted.env 
@@ -1,9 +1,9 @@ -QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:IdlrDLPsqyjySS5B0gudQduUPBuF7xtDgdLGc2LdOWxzoVRt0C3v,iv:TyNyfDxj6QevH3rQyFAJL2JbsIMPve9vr7/NotzHqbQ=,tag:yVJR1XcMQ9akOIEqT1zq4A==,type:str] -QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:8uCdmBNP,iv:CyI4OBdkSBA02LLlJaOId4cRk25gN2cGiKf6PGxFGgc=,tag:M15UYsbjuRSo87uuqUdVhQ==,type:str] -QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:oQQ+BIe1BFbcPqaUb65WyJ7lICisA/s5XNPwAKt1cTo=,iv:MKwdvWorT6iMZFyHPOjD3r7jtJB8zF6LoGf6qXm9f1g=,tag:VSmYZUUq7TB+PqSon+d5Fw==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTXpqS0hjR0hEUnZxMnB2\nS0RDeHVyRlJFUzdyWWQ4cEd5QkpLck5ndFFzCi9WKzNEM3hoWmd5Snd5LzA4cjBo\nUURZNEJrV2dIb0tQQkNGRmZ6bGpscVkKLS0tIGFxL3VzM0ZEMk9zNEtQZWY0cGla\nRTlxbkNBY3Z0YjVSajJvZ214TDBHYlkKSb6+03+9/yYcxaUDWOeuThThJ7tsPZS7\n9Vej66E5R43Zxu6r16u/y0LRnKeGsbnUFfq4Q0WAbYEOdurqvFcvMA==\n-----END AGE ENCRYPTED FILE-----\n +QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:S9zyrexKLkqYy+qtwTOKUS/qSh+A1m8ErKUKx+Goz/wb1/J2oypWQmmM,iv:dKblIxMN7bvk0vV9CT1iC/DZuzim14OPW8jRjlkagok=,tag:VpvW4dvK0UM+eU8VKk9p4Q==,type:str] +QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:9K++UX88,iv:kTr8q5d+OYNmy83L0oBiawBlX45r71Cx2K8ou6rGPr4=,tag:/B7GSi2YN8pa5N8q3LXbAA==,type:str] +QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:drNPMTCzROgXQV2Gh0fNU7Ju5TwY2FjXxGwpaclkK2s=,iv:umA0A38UCyBCfaeIBfsALoQ2oqMEIrx54DprHewFz3w=,tag:/irDFWGAenbCJTuGQoGPiA==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSmFZU05UcE5Sb3BqUldS\ndkc2Z1lmMUxXZzNxUUV5ZkF4SzVGNGVkZUc0CmRJWFBsWmszOHA1QUR5MUthdlpt\nMUZFenJ4ell6MHdOSVRkWTJtSHlMelEKLS0tIFVzVWhhcEdiaHVQcHN0TEJnbzRm\nQ05BZHlJWTlhaGVzNEE5TEhXQXlLemcKmHQEyb6MtxyzJ+twpZkZQ8nHTE1igSO5\n/l7IwEqmQcruZCpb/6YIt93oZGVk2BTyCIWiRjKGH392P+ztMExtjA==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s 
-sops_lastmodified=2024-11-26T20:13:07Z -sops_mac=ENC[AES256_GCM,data:PN527XzaqxF7DcfVM5xkjNhOmfzYh2Ldpky4fsK0joFI3IFVZyL3U40ilm5K6Wj+EtQg6sHZp4HYGTHwfZT+gycmJw8WMuITUqt1i7Px37dAMeWDe+XfcPuI+kGC9OXAsju0aYXc8gaFHHcDYbY5egJLcM+i69p/VUriNB4pY4g=,iv:Vr8ssysGUBLSvtsZGvvFwttydH3f5WIHJX05PvKuDLc=,tag:J4hoyjn6Gl5MJpPkkdlEcA==,type:str] +sops_lastmodified=2024-11-26T21:27:19Z +sops_mac=ENC[AES256_GCM,data:TKVefMlvg1VMf14o80K1UUs1Z5iJz4Y7BvZmb314SoHD+Vtk8SScf1eV9Z9+GqChPsZohV+j/Uu0SzL1wk9F/ESjDA9l/8oSTZ5Mi9ATXlZapmOHBn+zx6M202ZzyYs6X2QL7WZcMUE/KQnV5ZC07bhzsc5HwVrDte15E7uU7Js=,iv:g3trWmbph9uEnP2A4iLxCMwXluTDJj2qmI9E+DAUSoQ=,tag:2Y0GsxQ2Skff0/y3N4DNxw==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.8.1 From 4eddf5e4fac4c16f0bceabd47052cf2e1361bd0c Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 23:01:36 +0100 Subject: [PATCH 18/31] fix: add openfga job manually for migration --- kubernetes/hopps/overlays/dev/job.yaml | 49 +++++++++++++++++++ .../hopps/overlays/dev/kustomization.yaml | 1 + 2 files changed, 50 insertions(+) create mode 100644 kubernetes/hopps/overlays/dev/job.yaml diff --git a/kubernetes/hopps/overlays/dev/job.yaml b/kubernetes/hopps/overlays/dev/job.yaml new file mode 100644 index 00000000..fd6a335a --- /dev/null +++ b/kubernetes/hopps/overlays/dev/job.yaml 
@@ -0,0 +1,49 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: hopps-openfga-migrate
+ labels:
+ helm.sh/chart: openfga-0.2.16
+ app.kubernetes.io/name: openfga
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/version: "v1.8.0"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ helm.sh/hook: post-install, post-upgrade, post-rollback, post-delete
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-5"
+spec:
+ template:
+ metadata:
+ annotations:
+ helm.sh/hook: post-install, post-upgrade, post-rollback, post-delete
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-5"
+ spec:
+ serviceAccountName: release-name-openfga
+ containers:
+ - name: migrate-database
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ image: "openfga/openfga:v1.8.0"
+ args: ["migrate"]
+ env:
+ - name: OPENFGA_DATASTORE_ENGINE
+ value: "postgres"
+ - name: OPENFGA_DATASTORE_URI
+ valueFrom:
+ secretKeyRef:
+ name: "openfga"
+ key: "uri"
+ resources:
+ {}
+ restartPolicy: Never
+ backoffLimit: 1
\ No newline at end of file
diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml
index 87a5e489..f4e6ec01 100644
--- a/kubernetes/hopps/overlays/dev/kustomization.yaml
+++ b/kubernetes/hopps/overlays/dev/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - namespace.yaml
 - helm-release.yaml
 - postgresql.yaml
+ - job.yaml
 # create all needed secrets with fix name
 generatorOptions:
 disableNameSuffixHash: true
From 5139bb3027ac81a67f798953002c3532bd33a4f3 Mon Sep 17 00:00:00 2001
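Review bot: The `helm.sh/hook` and `helm.sh/hook-delete-policy: before-hook-creation` annotations on this Job are inert, because `job.yaml` is applied by the kustomize overlay (the `- job.yaml` entry in the second hunk) and never rendered by Helm, so nothing deletes the finished Job before the next apply. A Job's `spec.template` is immutable, so the next change to this file — for instance bumping `openfga/openfga:v1.8.0` together with the chart — will be rejected at apply time until someone deletes the old Job by hand. If this overlay is reconciled by Flux (the HelmRelease elsewhere in the overlay suggests it is), the documented fix is the `kustomize.toolkit.fluxcd.io/force: "true"` annotation on the Job, which recreates it only when its spec changes; a plain `ttlSecondsAfterFinished` would instead make a reconciler re-run `migrate` every interval after the Job expires. The `app.kubernetes.io/managed-by: Helm` label is misleading for the same reason, and `resources: {}` leaves the migrate container unbounded in a shared dev namespace — a comment such as `# applied by kustomize, not Helm: hook annotations below are kept from the chart template and have no effect` would stop the next reader from relying on them.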
From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 23:05:26 +0100 Subject: [PATCH 19/31] fix: add openfga job manually for migration --- kubernetes/hopps/overlays/dev/helm-release.yaml | 4 ++-- kubernetes/hopps/overlays/dev/job.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 7b2f65c1..f7d4b8af 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -50,7 +50,7 @@ spec: # ToDo: url should automatically be calculated, dependent on the name of the release-name # OpenFGA - name: QUARKUS_OPENFGA_URL - value: http://openfga:8080 + value: http://hopps-openfga:8080 - name: QUARKUS_OPENFGA_STORE value: hopps # Database secrets @@ -113,7 +113,7 @@ spec: # ToDo: url should automatically be calculated, dependent on the name of the release-name # OpenFGA - name: QUARKUS_OPENFGA_URL - value: http://openfga:8080 + value: http://hopps-openfga:8080 - name: QUARKUS_OPENFGA_STORE value: hopps # Database secrets diff --git a/kubernetes/hopps/overlays/dev/job.yaml b/kubernetes/hopps/overlays/dev/job.yaml index fd6a335a..2ff7eac0 100644 --- a/kubernetes/hopps/overlays/dev/job.yaml +++ b/kubernetes/hopps/overlays/dev/job.yaml @@ -5,7 +5,7 @@ metadata: labels: helm.sh/chart: openfga-0.2.16 app.kubernetes.io/name: openfga - app.kubernetes.io/instance: release-name + app.kubernetes.io/instance: hopps-openfga app.kubernetes.io/version: "v1.8.0" app.kubernetes.io/managed-by: Helm annotations: @@ -20,7 +20,7 @@ spec: helm.sh/hook-delete-policy: before-hook-creation helm.sh/hook-weight: "-5" spec: - serviceAccountName: release-name-openfga + serviceAccountName: hopps-openfga containers: - name: migrate-database securityContext: From cd9c3bd76bf8bdf39b8e31350bea841d2d520bb7 Mon Sep 17 00:00:00 2001 
From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 23:29:25 +0100 Subject: [PATCH 20/31] fix: intendation of kafka-ui ingress config --- .../hopps/overlays/dev/helm-release.yaml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index f7d4b8af..655c6f37 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -228,20 +228,20 @@ spec: health: ldap: enabled: false - ingress: + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + # configure oauth2-proxy security + nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email + nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri + nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth + tls: enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - # configure oauth2-proxy security - nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email - nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri - nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth - tls: - enabled: true - secretName: kafka-tls - # ToDo: mask domain - host: kafka-ui.${DOMAIN_2} + secretName: kafka-tls + # ToDo: mask domain + host: kafka-ui.${DOMAIN_2} openfga: # ToDo: check why enabled attribute isn't working #enabled: true From 0ee124e8a8e2a82fe1609539c662f7f3ea4fca39 Mon Sep 17 00:00:00 2001 
From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 26 Nov 2024 23:39:15 +0100 Subject: [PATCH 21/31] fix: tls configuration --- kubernetes/hopps/overlays/dev/helm-release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 655c6f37..7f2d187d 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -90,7 +90,7 @@ spec: hosts: - org.${DOMAIN_2} tls: - - secretName: fin-tls + - secretName: org-tls hosts: - org.${DOMAIN_2} livenessProbe: @@ -197,7 +197,7 @@ spec: hosts: - frontend.${DOMAIN_2} tls: - - secretName: fin-tls + - secretName: frontend-tls hosts: - frontend.${DOMAIN_2} livenessProbe: From f77d22c1b463af978b1032adbe1b4b6b4409431a Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Tue, 10 Dec 2024 18:16:20 +0000 Subject: [PATCH 22/31] fix: increase storage for database --- kubernetes/hopps/overlays/dev/postgresql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml index 45c8b028..ee41284f 100644 --- a/kubernetes/hopps/overlays/dev/postgresql.yaml +++ b/kubernetes/hopps/overlays/dev/postgresql.yaml @@ -11,7 +11,7 @@ spec: password_encryption: scram-sha-256 numberOfInstances: 1 volume: - size: "10Gi" + size: "25Gi" storageClass: "longhorn" allowedSourceRanges: # load balancers' source ranges for both master and replica services - 10.0.0.0/16 From 73ff65f8737c56d01d9f02074a67e069bfead833 Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Wed, 11 Dec 2024 23:35:01 +0100 Subject: [PATCH 23/31] fix: update helm chart and use new healthcheck endpoints --- .../hopps/overlays/dev/helm-release.yaml | 62 +++++++------------ 1 file changed, 24 insertions(+), 38 deletions(-) 
diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 7f2d187d..d93732de 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -9,12 +9,12 @@ spec: sourceRef: kind: HelmRepository name: hopps - version: 0.0.1 + version: 0.0.2 interval: 1m0s values: azDocumentAi: image: - tag: upgrade-jdk + tag: 239 #envFrom: # - secretRef: # name: az-document-ai @@ -32,17 +32,17 @@ spec: # ToDo: url should automatically be calculated, dependent on the name of the release-name - name: kafka.bootstrap.servers value: hopps-kafka:9092 - livenessProbe: - exec: - command: - - "true" - readinessProbe: - exec: - command: - - "true" + #livenessProbe: + # exec: + # command: + # - "true" + #readinessProbe: + # exec: + # command: + # - "true" org: image: - tag: upgrade-jdk + tag: 239 #envFrom: # - secretRef: # name: org @@ -87,25 +87,18 @@ spec: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod ingressClassName: nginx + path: /org hosts: - - org.${DOMAIN_2} + - api.${DOMAIN_2} tls: - - secretName: org-tls + - secretName: api-tls hosts: - - org.${DOMAIN_2} - livenessProbe: - exec: - command: - - "true" - readinessProbe: - exec: - command: - - "true" + - api.${DOMAIN_2} postgresql-org: enabled: false fin: image: - tag: upgrade-jdk + tag: 239 #envFrom: # - secretRef: # name: fin @@ -150,25 +143,18 @@ spec: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod ingressClassName: nginx + path: /fin hosts: - - fin.${DOMAIN_2} + - api.${DOMAIN_2} tls: - - secretName: fin-tls + - secretName: api-tls hosts: - - fin.${DOMAIN_2} - livenessProbe: - exec: - command: - - "true" - readinessProbe: - exec: - command: - - "true" + - api.${DOMAIN_2} postgresql-fin: enabled: false frontend: image: - tag: 118 + tag: 138 #envFrom: # - secretRef: # name: frontend 
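Review bot: The org and fin Ingresses now both claim `secretName: api-tls` for the same host `api.${DOMAIN_2}` while each still carries `cert-manager.io/cluster-issuer: letsencrypt-prod`, so cert-manager's ingress-shim is asked to manage one Certificate on behalf of two Ingresses; sharing an ingress-shim-managed secret between Ingresses is a known pitfall (ownership flapping, repeated re-issuance that eats into Let's Encrypt rate limits) and is worth confirming against your cert-manager version before relying on it. The cleaner shape is one explicit `Certificate` for `api.${DOMAIN_2}` writing `api-tls`, with the issuer annotation dropped from both Ingresses so they only consume the secret. Separately, `tag: 239` is a mutable CI build number; if the chart's `image` block accepts a `digest`, pinning it there makes what runs in dev verifiable against the build that produced it. Both hunks sit inside the `values:` map, whose start and the surrounding ingress sections lie outside them.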
@@ -195,11 +181,11 @@ spec: cert-manager.io/cluster-issuer: letsencrypt-prod ingressClassName: nginx hosts: - - frontend.${DOMAIN_2} + - ${DOMAIN_2} tls: - secretName: frontend-tls hosts: - - frontend.${DOMAIN_2} + - ${DOMAIN_2} livenessProbe: exec: command: @@ -285,6 +271,6 @@ spec: enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - hostname: keycloak.${DOMAIN_2} + hostname: id.${DOMAIN_2} ingressClassName: nginx tls: true From fccc082493885b1f343c957d7505c484719d04ac Mon Sep 17 00:00:00 2001 From: Jan <46779261+98jan@users.noreply.github.com> Date: Wed, 18 Dec 2024 22:26:27 +0100 Subject: [PATCH 24/31] fix: update to newest helm chart, configure kafka integration --- .../hopps/overlays/dev/helm-release.yaml | 42 +++++++++---------- .../dev/kafka-ui-secret-encrypted.env | 7 ++++ .../hopps/overlays/dev/kustomization.yaml | 4 ++ 3 files changed, 30 insertions(+), 23 deletions(-) create mode 100644 kubernetes/hopps/overlays/dev/kafka-ui-secret-encrypted.env diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index d93732de..a1f938b7 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -9,7 +9,7 @@ spec: sourceRef: kind: HelmRepository name: hopps - version: 0.0.2 + version: 0.0.3 interval: 1m0s values: azDocumentAi: @@ -32,14 +32,6 @@ spec: # ToDo: url should automatically be calculated, dependent on the name of the release-name - name: kafka.bootstrap.servers value: hopps-kafka:9092 - #livenessProbe: - # exec: - # command: - # - "true" - #readinessProbe: - # exec: - # command: - # - "true" org: image: tag: 239 @@ -67,7 +59,7 @@ spec: name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do key: password # OIDC - - name: quarkus.oidc.auth-server-url + - name: QUARKUS_OIDC_AUTH_SERVER_URL valueFrom: secretKeyRef: name: org 
@@ -123,7 +115,7 @@
 name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do
 key: password
 # OIDC
- - name: quarkus.oidc.auth-server-url
+ - name: QUARKUS_OIDC_AUTH_SERVER_URL
 valueFrom:
 secretKeyRef:
 name: fin
@@ -138,6 +130,10 @@
 secretKeyRef:
 name: fin
 key: QUARKUS_OIDC_CREDENTIALS_SECRET
+ # kafka
+ # ToDo: url should automatically be calculated, dependent on the name of the release-name
+ - name: kafka.bootstrap.servers
+ value: hopps-kafka:9092
 ingress:
 enabled: true
 annotations:
@@ -186,20 +182,16 @@
 - secretName: frontend-tls
 hosts:
 - ${DOMAIN_2}
- livenessProbe:
- exec:
- command:
- - "true"
- readinessProbe:
- exec:
- command:
- - "true"
 kafka:
 controller:
 replicaCount: 1
 resourcesPreset: "none"
 volumePermissions:
 resourcesPreset: "none"
+ # disable authentication for kafka for now
+ listeners:
+ client:
+ protocol: PLAINTEXT
 kafka-ui:
 enabled: true
 yamlApplicationConfig:
@@ -219,10 +211,14 @@
 ingressClassName: nginx
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- # configure oauth2-proxy security
- nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email
- nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri
- nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth
+ # basic auth
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: kafka-ui-auth
+ nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - Kafka'
+ # configure oauth2-proxy security ToDo: waiting for keycloak GitHub integration for SSO
+ #nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email
+ #nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri
+ #nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth
 tls:
 enabled: true
 secretName: kafka-tls
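Review bot: `listeners.client.protocol: PLAINTEXT` removes both authentication and transport encryption from the Kafka client listener, so any workload that can reach `hopps-kafka:9092` inside the cluster can produce to or consume from every topic — and the same patch is wiring the fin service onto that bus via `kafka.bootstrap.servers` in the hunk above. The `# disable authentication for kafka for now` comment should name the compensating control and the tracking item, e.g. `# TODO(<issue>): client listener is PLAINTEXT; reachability is bounded only by a NetworkPolicy on hopps-kafka — restore SASL/TLS before any non-dev use`. No NetworkPolicy restricting ingress to the Kafka pods is visible in this overlay; if none exists, adding one scoped to the hopps service pods is the cheapest stop-gap, and these values look like the Bitnami Kafka chart's, where `SASL_PLAINTEXT` with chart-managed users is the usual next step — presumably, confirm against the chart version in use. The `kafka:` block is complete here but the enclosing `values:` map starts outside the hunk.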
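Review bot: Replacing the oauth2-proxy annotations with `auth-type: basic` puts kafka-ui — an interface that can read and produce on every topic — behind one shared password with no MFA, lockout or per-user audit trail, and nothing in the hunk limits where that login page is reachable from. Until SSO returns, pairing the basic-auth annotations with `nginx.ingress.kubernetes.io/whitelist-source-range: <trusted CIDRs>` keeps the credential off the open internet, and the `# basic auth` comment should state the trade-off, e.g. `# basic auth is a stop-gap: single shared credential, no lockout — keep source-range restricted until the oauth2-proxy config below is re-enabled`. The commented-out oauth2 lines are a useful record of the intended end state, so keeping them with the ToDo is fine.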
diff --git a/kubernetes/hopps/overlays/dev/kafka-ui-secret-encrypted.env b/kubernetes/hopps/overlays/dev/kafka-ui-secret-encrypted.env new file mode 100644 index 00000000..69d263ac --- /dev/null +++ b/kubernetes/hopps/overlays/dev/kafka-ui-secret-encrypted.env @@ -0,0 +1,7 @@ +auth=ENC[AES256_GCM,data:kwhxfFdp3+EgCYtNUJwvn2lPF1s2bt9B2hMZJHujiA/M+199olW+Emnx0A==,iv:3OfPMTFsZjKkJIjUOdat1jBWrovV1NReEJXRScLTejw=,tag:ONko/NriMNfAxMh9vKoCOg==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMDRub0l4SWdkeVVOcjBO\nYUEwQzFHbjc4RjdNRnZqV3VaZ1cxcyt6ZXdvCmhtbnhjeHUrbHV0K3gvekZGc2lK\nZWtmNEZLa3gyek95YlBVNHVGWVdzdlUKLS0tIDBNdXN0elVFQlhFR28xVjRGcjBr\nbnFzS3dXWW4reHlxd3k5MFFudnYyM0kKuu5eP0SELJeISAUC4Cl4jagICrh0gumS\ngCwE+HrzHIVMdLHLGGSCp6aWd0GgBXIUYdY9y3vNA7VVmJNhfhHnXg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-12-18T21:13:15Z +sops_mac=ENC[AES256_GCM,data:f4JbURgxgRaFPmzELjLqLAeBc2ITDO2II5BNHDQ8mEqPFvi/0tSzjh0Z/L7ZWQd4+ADRHQZMHZ3n8sHKl+6bC4I8OnkvKLExQ+zhSPQoyLJ0H5X0nXRrXsql4hOM1W2Wd8DcNlIyUgA1f8ZB7qFoAtpHuPmhHn5N5YBNI70gwMs=,iv:qnDOOThcTkC+5y6h2nBrYyjwxkfYrjb9a6zX8EGm//k=,tag:DJ5yeROIMBCKxKXmdPqkzg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml index f4e6ec01..1805e6bd 100644 --- a/kubernetes/hopps/overlays/dev/kustomization.yaml +++ b/kubernetes/hopps/overlays/dev/kustomization.yaml @@ -29,3 +29,7 @@ secretGenerator: - name: postgres-operator-secret envs: - postgres-cluster-secret-encrypted.env + # basic auth for kafka-ui + - name: kafka-ui-auth + envs: + - kafka-ui-secret-encrypted.env From 8853d3ed553801b8c9cf00dbc8b5ff91739eccf1 Mon Sep 17 00:00:00 2001 
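Review bot: The `auth` key is the htpasswd line ingress-nginx reads for `auth-secret: kafka-ui-auth`, and its hash type cannot be checked here because the value is SOPS-encrypted; `htpasswd -c` defaults to the MD5-based `apr1` scheme, which ingress-nginx still accepts, so please confirm the entry was generated with bcrypt (`htpasswd -B`). Since the credential now lives in git history, rotating it means re-encrypting this file rather than editing the cluster Secret, which the kustomization comment in the next hunk could say: `# basic auth for kafka-ui (auth = bcrypt htpasswd line; rotate by re-encrypting kafka-ui-secret-encrypted.env)`. The secret is encrypted to the same single age recipient as the other overlay secrets, which is consistent with the rest of this directory.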
From: Manuel Hummler Date: Mon, 23 Dec 2024 17:16:02 +0100 Subject: [PATCH 25/31] :sparkles: deploy new frontend version --- .../dev/frontend-secret-encrypted.env | 7 +++--- .../hopps/overlays/dev/helm-release.yaml | 25 +++---------------- 2 files changed, 8 insertions(+), 24 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env index 2f4c832a..47a86c6f 100644 --- a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env +++ b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env 
@@ -1,9 +1,10 @@ -VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:nq72UfZcfviAPujDtjlC7+l7M6+Fuh4/5ufrrv8=,iv:JxaRHBMk/Oh/wvOTjkhrrQPvh/qoj6ni3BtPVmMv/8A=,tag:DjtirKxBw7VudYfjM5upHw==,type:str] +VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:su4kkI8Kqel2HZk4MbCEruvCnVK0uDE=,iv:5nJu2oOQlpT2SIYBSwW/bITmKE0k/kM1esB52soeswk=,tag:jRl32lyNhBwEpkTNQjnR9g==,type:str] VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:oPjdd+4Q,iv:ceoli4a7S7WlpMkG3AJ6ZqOzHvQ+M7U9p5ScEptkh9c=,tag:dHSZLS5BFxTqm+mUBQf8VA==,type:str] VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:uClgb18=,iv:bn8VWhKgfiqmDsF2pNkIpS67Bas78hDrqoyNaEBxM0g=,tag:ljJR8FkcxygPvFDTlSiw0A==,type:str] +VITE_API_URL=ENC[AES256_GCM,data:iNJCh86zRndPen+kAJ3/QSAsMKwS8JfqE35g,iv:2WOUJ20cTIBgc17kkPacqnIcjy2deLM1gceqVE4VrLw=,tag:9mU4YBNvCP/j+v0e/Nf1Aw==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNTVaYkwzVCtFL1hvKzZE\nRlZlb1FFSDVoblRVb2tFMlR4dEsvQ0llTEM4CldtZ3h0U0dDejRUMGNKcHNpYllU\nSE1JNUc4LzFvYzNFZ1JBWWRrNWZUcmMKLS0tIEtXRE9Ia05jOHlwcS9hUzdNNVRS\nbDdGRmF2dHNtRFNRZ0VlWjc2OHdKejQKV/Ca1UcvYsQJ0rAuaWRe1BFbN4MdHI1u\ntT0Idc64IOgcdm6kmpOnflaNrnWtfUUytmTaGxRfCFFn1WRk6ICRnA==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s -sops_lastmodified=2024-11-26T21:27:17Z -sops_mac=ENC[AES256_GCM,data:+1u3WjU67/CCzSxnI3SqLFjm9Selb1gpzfFB/m8OVWBuzbNPqYyTS9EBrRu4GgGL7kMZyNlzwiawnUr4FoyUU/wCcAHPRkFtOb1p2i+KOyEAPIEwVyFkgHry+QcJm2dwn4FWHjJD7ISMMX4QFtR0B5QxkoDHzBJu8hPrZhYj3g8=,iv:HnLrLrkySGzEJclH4uw94GWAJWTLC4LJbCZp6RZpD4M=,tag:SjL6gu/XyEWATaOHEg44JA==,type:str] +sops_lastmodified=2024-12-23T16:14:24Z +sops_mac=ENC[AES256_GCM,data:WqtzkLYhiO+/u4oDSaeP1IFihgMcGNb4a7ZXG10NYJ9E77lCcEVZc5m1LuLdFH0gopsVjrY3xE1poCB4YzckxGsroRLKLtOFafEEG3pxVYGFS77m7DEprBoog/jk6C4ijgiIzcMfw7gUexke2GVbG8F2ch7xXgJcdek/x7e5Oc8=,iv:bzG+sItrOSAJa4Q/iBA/VOlvJbX3L+sLDW7N13p9LNk=,tag:aFPbbz3JIuoPSbC/LbOIAg==,type:str] sops_unencrypted_suffix=_unencrypted 
sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index a1f938b7..3833479f 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -150,27 +150,10 @@ spec: enabled: false frontend: image: - tag: 138 - #envFrom: - # - secretRef: - # name: frontend - env: - # OIDC - - name: VITE_KEYCLOAK_URL - valueFrom: - secretKeyRef: - name: frontend - key: VITE_KEYCLOAK_URL - - name: VITE_KEYCLOAK_REALM - valueFrom: - secretKeyRef: - name: frontend - key: VITE_KEYCLOAK_REALM - - name: VITE_KEYCLOAK_CLIENT_ID - valueFrom: - secretKeyRef: - name: frontend - key: VITE_KEYCLOAK_CLIENT_ID + tag: 153 + envFrom: + - secretRef: + name: frontend ingress: enabled: true annotations: From 2dba825d10b3fa35a528774bc80a1a8f3105419c Mon Sep 17 00:00:00 2001 From: Manuel Hummler Date: Mon, 23 Dec 2024 17:33:52 +0100 Subject: [PATCH 26/31] :bug: fix startup script in frontend --- kubernetes/hopps/overlays/dev/helm-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 3833479f..a030ca52 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -150,7 +150,7 @@ spec: enabled: false frontend: image: - tag: 153 + tag: 155 envFrom: - secretRef: name: frontend From 6b28d6f13b703ba46ce4e9dc897ff576e57aa9a8 Mon Sep 17 00:00:00 2001 From: Manuel Hummler Date: Mon, 23 Dec 2024 17:42:24 +0100 Subject: [PATCH 27/31] :bug: fix file permission issue for sed command --- kubernetes/hopps/overlays/dev/helm-release.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index a030ca52..68acd341 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml 
+++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -9,7 +9,7 @@ spec: sourceRef: kind: HelmRepository name: hopps - version: 0.0.3 + version: 0.0.4 interval: 1m0s values: azDocumentAi: @@ -154,6 +154,8 @@ spec: envFrom: - secretRef: name: frontend + podSecurityContext: + fsGroup: 1000 ingress: enabled: true annotations: From 752107187b5f0280f97557a87271f56b031e49e5 Mon Sep 17 00:00:00 2001 From: Manuel Hummler Date: Mon, 23 Dec 2024 17:51:09 +0100 Subject: [PATCH 28/31] :bug: fix group for sed command --- kubernetes/hopps/overlays/dev/helm-release.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index 68acd341..e841ffb9 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -156,6 +156,21 @@ spec: name: frontend podSecurityContext: fsGroup: 1000 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + # ToDo: check if can be run with readonly root filesystem, following access is needed + # - /var/cache/nginx + # - /etc/nginx/config.d + # - /var/run/nginx.pid + readOnlyRootFilesystem: false + seccompProfile: + type: RuntimeDefault ingress: enabled: true annotations: From 75df7fac9e1b8cacbeeef903cfe85419a261d019 Mon Sep 17 00:00:00 2001 From: Manuel Hummler Date: Mon, 23 Dec 2024 18:55:10 +0100 Subject: [PATCH 29/31] :bug: fix symbol issue in frontend secret --- .../hopps/overlays/dev/frontend-secret-encrypted.env | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env index 47a86c6f..51eadd92 100644 --- a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env +++ b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env 
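Review bot: `readOnlyRootFilesystem: false` is not forced by the three paths the ToDo lists — each can be backed by an `emptyDir` mounted at `/var/cache/nginx`, `/etc/nginx/conf.d` (the ToDo writes `config.d`, which looks like a typo for `conf.d`; confirm against the image) and `/var/run`, after which the flag can be set to `true` and the startup `sed` still has a writable config directory. Whether that is possible from this overlay depends on the chart exposing something like `extraVolumes`/`extraVolumeMounts` for the frontend, which the hunk does not show. Until then the ToDo should spell out what a writable root buys an attacker, e.g. `# ToDo: readOnlyRootFilesystem stays false only because nginx writes the paths below at startup; a compromised process can therefore persist files anywhere uid 1000 can write — back these with emptyDir and set true`. The `fsGroup: 1000` added in the preceding hunk is presumably only there for that same `sed` and could go once conf.d is an emptyDir owned by uid 1000.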
@@ -1,10 +1,10 @@ -VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:su4kkI8Kqel2HZk4MbCEruvCnVK0uDE=,iv:5nJu2oOQlpT2SIYBSwW/bITmKE0k/kM1esB52soeswk=,tag:jRl32lyNhBwEpkTNQjnR9g==,type:str] -VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:oPjdd+4Q,iv:ceoli4a7S7WlpMkG3AJ6ZqOzHvQ+M7U9p5ScEptkh9c=,tag:dHSZLS5BFxTqm+mUBQf8VA==,type:str] +VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:147LeWlWNEyg12U4b/Sg1Hece5FOvg==,iv:uL0WRRc0VLkkQYsj2XrBmObYXYyRQrz5FXM0gBUS8XQ=,tag:yGBlslqjqrhv9PxOSVZd/w==,type:str] +VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:1iM3vDA=,iv:INjUDhyJbd5jx5qKEN+VEwnOstsioGD1DZnvKAQfLig=,tag:AktUVebCjSAaZn5mFu5jIg==,type:str] VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:uClgb18=,iv:bn8VWhKgfiqmDsF2pNkIpS67Bas78hDrqoyNaEBxM0g=,tag:ljJR8FkcxygPvFDTlSiw0A==,type:str] VITE_API_URL=ENC[AES256_GCM,data:iNJCh86zRndPen+kAJ3/QSAsMKwS8JfqE35g,iv:2WOUJ20cTIBgc17kkPacqnIcjy2deLM1gceqVE4VrLw=,tag:9mU4YBNvCP/j+v0e/Nf1Aw==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNTVaYkwzVCtFL1hvKzZE\nRlZlb1FFSDVoblRVb2tFMlR4dEsvQ0llTEM4CldtZ3h0U0dDejRUMGNKcHNpYllU\nSE1JNUc4LzFvYzNFZ1JBWWRrNWZUcmMKLS0tIEtXRE9Ia05jOHlwcS9hUzdNNVRS\nbDdGRmF2dHNtRFNRZ0VlWjc2OHdKejQKV/Ca1UcvYsQJ0rAuaWRe1BFbN4MdHI1u\ntT0Idc64IOgcdm6kmpOnflaNrnWtfUUytmTaGxRfCFFn1WRk6ICRnA==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s -sops_lastmodified=2024-12-23T16:14:24Z -sops_mac=ENC[AES256_GCM,data:WqtzkLYhiO+/u4oDSaeP1IFihgMcGNb4a7ZXG10NYJ9E77lCcEVZc5m1LuLdFH0gopsVjrY3xE1poCB4YzckxGsroRLKLtOFafEEG3pxVYGFS77m7DEprBoog/jk6C4ijgiIzcMfw7gUexke2GVbG8F2ch7xXgJcdek/x7e5Oc8=,iv:bzG+sItrOSAJa4Q/iBA/VOlvJbX3L+sLDW7N13p9LNk=,tag:aFPbbz3JIuoPSbC/LbOIAg==,type:str] +sops_lastmodified=2024-12-23T17:54:21Z 
+sops_mac=ENC[AES256_GCM,data:JLzKnGsi/ECdsZoYG9W9dwQr5dYDm3DnK2AIR/cc9CYTy3Twqx24GluzzhvFYJJCYKSarGrrYnTtbzfGRNNmI2pr2D30dPvo9zkSzTqEDsCn0wk0vmUa2LJ+DdjfojiW16w0ZgWyzwd5BQ5nk3/EfCVsk+en6lXqlC7rXit6IMM=,iv:tvozwVTEBVV2tyvlk+M9Gk+BljCTwhr0bjm+9L4Y9b8=,tag:xTSAuTiqw0okZBxpVRv8AQ==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.8.1 From 3234edd1d2c4ea8f9a92d15dd4c8ca8cbeb5965e Mon Sep 17 00:00:00 2001 From: Manuel Hummler Date: Thu, 2 Jan 2025 15:50:05 +0100 Subject: [PATCH 30/31] =?UTF-8?q?=F0=9F=94=96=20(spa)=20deploy=20171?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- kubernetes/hopps/overlays/dev/helm-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml index e841ffb9..d7ab43b5 100644 --- a/kubernetes/hopps/overlays/dev/helm-release.yaml +++ b/kubernetes/hopps/overlays/dev/helm-release.yaml @@ -150,7 +150,7 @@ spec: enabled: false frontend: image: - tag: 155 + tag: 171 envFrom: - secretRef: name: frontend From 088ae42ffcb8bdd5a281d8466d05c643b1dc0f38 Mon Sep 17 00:00:00 2001 From: Manuel Hummler Date: Thu, 2 Jan 2025 16:13:53 +0100 Subject: [PATCH 31/31] =?UTF-8?q?=F0=9F=9A=80=20deploy=20frontend=20with?= =?UTF-8?q?=20new=20environment=20variables=20fin=20and=20org=20service?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../hopps/overlays/dev/frontend-secret-encrypted.env | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env index 51eadd92..d04bfba1 100644 --- a/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env +++ b/kubernetes/hopps/overlays/dev/frontend-secret-encrypted.env 
@@ -1,10 +1,11 @@ VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:147LeWlWNEyg12U4b/Sg1Hece5FOvg==,iv:uL0WRRc0VLkkQYsj2XrBmObYXYyRQrz5FXM0gBUS8XQ=,tag:yGBlslqjqrhv9PxOSVZd/w==,type:str] VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:1iM3vDA=,iv:INjUDhyJbd5jx5qKEN+VEwnOstsioGD1DZnvKAQfLig=,tag:AktUVebCjSAaZn5mFu5jIg==,type:str] VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:uClgb18=,iv:bn8VWhKgfiqmDsF2pNkIpS67Bas78hDrqoyNaEBxM0g=,tag:ljJR8FkcxygPvFDTlSiw0A==,type:str] -VITE_API_URL=ENC[AES256_GCM,data:iNJCh86zRndPen+kAJ3/QSAsMKwS8JfqE35g,iv:2WOUJ20cTIBgc17kkPacqnIcjy2deLM1gceqVE4VrLw=,tag:9mU4YBNvCP/j+v0e/Nf1Aw==,type:str] +VITE_API_FIN_URL=ENC[AES256_GCM,data:cmv2dCWIa+hjHQtDadADth3fg+ruEMBhPPBq,iv:GT+c6LjAQXg/6rzAQ/PA118Hw0c0cyptZ73q2G0gYl4=,tag:qLbYxThLTgqr08+U6NBsig==,type:str] +VITE_API_ORG_URL=ENC[AES256_GCM,data:TfkDzuzg1FacV3CtxiPAn5As61BCvG8ALdzIbA==,iv:A4UgUrcQaftAosGhUWgUZsm4abZ1Z486xSSRxG0Ip0o=,tag:n8pOBitnSWEwhx0O7XlSnA==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNTVaYkwzVCtFL1hvKzZE\nRlZlb1FFSDVoblRVb2tFMlR4dEsvQ0llTEM4CldtZ3h0U0dDejRUMGNKcHNpYllU\nSE1JNUc4LzFvYzNFZ1JBWWRrNWZUcmMKLS0tIEtXRE9Ia05jOHlwcS9hUzdNNVRS\nbDdGRmF2dHNtRFNRZ0VlWjc2OHdKejQKV/Ca1UcvYsQJ0rAuaWRe1BFbN4MdHI1u\ntT0Idc64IOgcdm6kmpOnflaNrnWtfUUytmTaGxRfCFFn1WRk6ICRnA==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s -sops_lastmodified=2024-12-23T17:54:21Z -sops_mac=ENC[AES256_GCM,data:JLzKnGsi/ECdsZoYG9W9dwQr5dYDm3DnK2AIR/cc9CYTy3Twqx24GluzzhvFYJJCYKSarGrrYnTtbzfGRNNmI2pr2D30dPvo9zkSzTqEDsCn0wk0vmUa2LJ+DdjfojiW16w0ZgWyzwd5BQ5nk3/EfCVsk+en6lXqlC7rXit6IMM=,iv:tvozwVTEBVV2tyvlk+M9Gk+BljCTwhr0bjm+9L4Y9b8=,tag:xTSAuTiqw0okZBxpVRv8AQ==,type:str] +sops_lastmodified=2025-01-02T15:12:57Z 
+sops_mac=ENC[AES256_GCM,data:iDycz5q7bO7buN0uyNqCH7qyp0++hbDP9LYar8GBKxB8ppieaX8ALIt14RXUVUnFeA3PtsGSXC6XW1N3LLhKlY0MkJBafwHZeucscdgVGwPtPtS223PONOYbuUHP5bzu3h8KfMTLsMwUMiF7VkYSwcFDJE9kWFZVZBsu47Zf8LI=,iv:ftNMEhvYltPje7FvA5JLKbglSFH6TCCsKbGzeCPudLQ=,tag:ItCTbLLrIIcpUZllnGcBcA==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.8.1