Saas installation

.gitignore

@@ -193,3 +193,10 @@ $RECYCLE.BIN/
 
 # Drawio
 *.drawio.bkp
+
+# helm
+./charts/hopps/charts
+
+# unencrypted secrets
+*decrypted.env
+age.agekey

kubernetes/hopps/base/hopps/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hopps
+spec:
+  interval: 1h
+  url: oci://ghcr.io/hopps-app/hopps
+  type: oci

kubernetes/hopps/base/hopps/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-repository.yaml

kubernetes/hopps/overlays/.sops.yaml

@@ -0,0 +1,6 @@
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData)$
+    age: age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+  - age: >-
+      age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s

kubernetes/hopps/overlays/dev/az-document-ai-secret-encrypted.env

@@ -0,0 +1,8 @@
+app.hopps.az-document-ai.azure.endpoint=ENC[AES256_GCM,data:braLHAtxl8OAbsw4tuaSr7ye7GGy2dzXfSnwCFC9/Vr9FSOvA0Yjh812iOVA01E/I0NZ9PAZbQ==,iv:GmlQxcKyqpP5lUcT+cTgb83G5vTYs4NAE0e1U1XkVlk=,tag:yZnCC6qltuYPAM84ltUQqw==,type:str]
+app.hopps.az-document-ai.azure.key=ENC[AES256_GCM,data:wV84KfFPmne99cstGeuxlRtpJq9TCKP8/bwmHvSNRdw=,iv:yCi5OwHVve4PRpsaZYi71Bp7pJiImb1P3FDESR4G8qo=,tag:xRJM9Poa59RDSNQH03HhmA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SDZQclYrLzg4TzNkSDJQ\nTFhmaXY0d2lGTUR6RDQ4YTJXTU9PbDMyOGc0ClFpQ21JbTE2OWdIdHg2UVdiSFFm\na1lMaC9mQ3dYVGYxRGVvQ0tQNGlqNG8KLS0tIENSWERsMVd5YTduUWdVeEtkTnlu\naXVNbS9XOUhzYjRmdlV3ckJoaUp6ODQKC18hlojw/9B8N8FoOEvvgtWzwRX8/OaU\n0focTJHVxVvA57kKams9kavmvDiYy9JLMDKHAHnOu0V/GGFX2FRw0A==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2024-11-25T19:42:39Z
+sops_mac=ENC[AES256_GCM,data:Zi5oeZGz3OBpLbC0lmopcXHHu9gsFbGsOv0oPg8fEfqKCEupC+XgfkBPd0K8wtcTeZO/v0VInfPebEnvhO21mlUEV5a3N/zFYRtixlsWPDoC1MjdnI5Dsz+HNPEOREoKSEJC/HE7AI9KZZ/0aFwxzus6z/yby1Kl71ZezzDi/e8=,iv:2gI+1Js3p6gpOEwJkqAKwy/yv/w/MSHVfi/SJ+fheo0=,tag:v4xXTgclvfAzmedXIXKUdQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

kubernetes/hopps/overlays/dev/helm-release.yaml

@@ -0,0 +1,197 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: hopps
+spec:
+  chart:
+    spec:
+      chart: hopps
+      sourceRef:
+        kind: HelmRepository
+        name: hopps
+      version: 0.0.1
+  interval: 1m0s
+  values:
+    azDocumentAi:
+      image:
+        tag: upgrade-jdk
+      envFrom:
+        - secretRef:
+            name: az-document-ai
+      envVars:
+        # ToDo: url should automatically be calculated, dependent on the name of the release-name
+        - name: kafka.bootstrap.servers
+          value: hopps-kafka:9092
+    org:
+      image:
+        tag: upgrade-jdk
+      envFrom:
+        - secretRef:
+            name: org
+      envVars:
+        # ToDo: url should automatically be calculated, dependent on the name of the release-name
+        # OpenFGA
+        - name: QUARKUS_OPENFGA_URL
+          value: http://openfga:8080
+        - name: QUARKUS_OPENFGA_STORE
+          value: hopps
+        # Database secrets
+        - name: quarkus.datasource.jdbc.url
+          value: jdbc:postgresql://postgres-cluster:5432/org?loggerLevel=OFF&sslmode=require
+        - name: quarkus.datasource.username
+          valueFrom:
+            secretKeyRef:
+              name: org.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: username
+        - name: quarkus.datasource.password
+          valueFrom:
+            secretKeyRef:
+              name: org.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: password
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        ingressClassName: nginx
+        hosts:
+          - org.${DOMAIN_2}
+        tls:
+          - secretName: fin-tls
+            hosts:
+              - org.${DOMAIN_2}
+    postgresql-org:
+      enabled: false
+    fin:
+      image:
+        tag: upgrade-jdk
+      envFrom:
+        - secretRef:
+            name: fin
+      envVars:
+        # ToDo: url should automatically be calculated, dependent on the name of the release-name
+        # OpenFGA
+        - name: QUARKUS_OPENFGA_URL
+          value: http://openfga:8080
+        - name: QUARKUS_OPENFGA_STORE
+          value: hopps
+        # Database secrets
+        - name: quarkus.datasource.jdbc.url
+          value: jdbc:postgresql://postgres-cluster:5432/fin?loggerLevel=OFF&sslmode=require
+        - name: quarkus.datasource.username
+          valueFrom:
+            secretKeyRef:
+              name: fin.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: username
+        - name: quarkus.datasource.password
+          valueFrom:
+            secretKeyRef:
+              name: fin.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: password
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        ingressClassName: nginx
+        hosts:
+          - fin.${DOMAIN_2}
+        tls:
+          - secretName: fin-tls
+            hosts:
+              - fin.${DOMAIN_2}
+    postgresql-fin:
+      enabled: false
+    frontend:
+      image:
+        tag: 118
+      envFrom:
+        - secretRef:
+            name: frontend
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        ingressClassName: nginx
+        hosts:
+          - frontend.${DOMAIN_2}
+        tls:
+          - secretName: fin-tls
+            hosts:
+              - frontend.${DOMAIN_2}
+    kafka:
+      controller:
+        replicaCount: 1
+      resourcesPreset: "none"
+    kafka-ui:
+      enabled: true
+      yamlApplicationConfig:
+        kafka:
+          clusters:
+            - name: yaml
+              # ToDo: url should automatically be calculated, dependent on the name of the release-name
+              bootstrapServers: hopps-kafka:9092
+        auth:
+          type: disabled
+        management:
+          health:
+            ldap:
+              enabled: false
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-prod
+            # configure oauth2-proxy security
+            nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email
+            nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri
+            nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth
+          tls:
+            enabled: true
+            secretName: kafka-tls
+          # ToDo: mask domain
+          host: kafka-ui.${DOMAIN_2}
+    openfga:
+      # ToDo: check why enabled attribute isn't working
+      #enabled: true
+      # only run one pod for now
+      replicaCount: 1
+      # configure securityContext
+      podSecurityContext:
+        fsGroup: 2000
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+        allowPrivilegeEscalation: false
+      # use postgresql-database
+      datastore:
+        engine: postgres
+        uriSecret: openfga
+        # needed, else the
+        migrationType: "job"
+      postgresql:
+        enabled: false
+    # use already available keycloak
+    keycloak:
+      enabled: true
+      resourcesPreset: "none"
+      postgresql:
+        enabled: false
+      externalDatabase:
+        host: postgres-cluster
+        database: keycloak
+        post: 5432
+        existingSecret: keycloak.hopps-dev.postgres-cluster.credentials.postgresql.acid.zalan.do
+        existingSecretUserKey: "username"
+        existingSecretPasswordKey: "password"
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        hostname: keycloak.${DOMAIN_2}
+        ingressClassName: nginx
+        tls: true

kubernetes/hopps/overlays/dev/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: hopps-dev
+resources:
+  - ../../base/hopps
+  - namespace.yaml
+  - helm-release.yaml
+  - postgresql.yaml
+# create all needed secrets with fix name
+generatorOptions:
+  disableNameSuffixHash: true
+secretGenerator:
+  #- name: fin
+  #  envs:
+  #    - fin-secret-encrypted.env
+  #- name: org
+  #  envs:
+  #    - org-secret-encrypted.env
+  - name: az-document-ai
+    envs:
+      - az-document-ai-secret-encrypted.env
+  #- name: frontend
+  #  envs:
+  #    - frontend-secret-encrypted.env
+  - name: openfga
+    envs:
+      - openfga-secret-encrypted.env
+  - name: postgres-operator-secret
+    envs:
+      - postgres-cluster-secret-encrypted.env

kubernetes/hopps/overlays/dev/namespace.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hopps-dev
+  labels:
+    # postgres-cluster can't be configured to be pss "restricted" profile
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: v1.31
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: v1.31
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: v1.31

kubernetes/hopps/overlays/dev/openfga-secret-encrypted.env

@@ -0,0 +1,7 @@
+uri=ENC[AES256_GCM,data:2DPudSRROl7ECpui938OcWmxzLNtaxpPy4b3ww2OtE5D4wMMUKZNlh3DYvk774a3LqLbScOjmSrIC4SgSLdf1W5CwZyXocAaVbd/VEdffZydmGKeBisozPhR3hvWNrqmgiSkV6Uuva5PpMAibjD36CVXSW7gvC85d6JuPqQhNtP/RLYgGTSLdVkw5w==,iv:rm8azi6y765zP4nOsgvH9Lkqa53rLdQAMMJ2H2UIGMA=,tag:t88aXyZAoREujOn7gstRww==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRzFhOTQrcG5sZ3FucUFU\nMm1vc1JwZmN1bDRXL0owcXVhekplcTNWU0ZBCkhVT3phMFJCZldCTm81U21abFhn\nRFdSblNFT1M5MlVnNlRZbjNwdiswYTgKLS0tIHdRM1FkdU1KN0x2YklISitKR01W\nTlRENFUvQkdQU2xvR3BzMXFKaTdsR1UKYWIgrxYOMQVVNlXCsCLIGxUHAH4SeHxZ\nZwjH8eq5xUNFh9tshDJ1PQZ8QT9NWZKkyNvzp67H8udL8hve3Hujog==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2024-11-25T21:11:35Z
+sops_mac=ENC[AES256_GCM,data:ELg0s8d4ItMFWs7umjBWsyLtbaILmOjShSnmOmkMj1lHWGkmm2hZMp1V0FI5dZbR5MenAY2rrnPPcKnGHe17X/YCZCE2iUyIQS0QxxJOfn3Fieanj3sFhEyWNv8ZOOZA8c4l7yCZH2shAh3B6P36H8TYfMOuEbcU+7Eq6Hffjqo=,iv:OsaDMjAx93QrwtwHB84HwnGB3Bj1R12/30vl/nxJjVQ=,tag:rvqSk2a0w1Jhx16i+uJcLw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

kubernetes/hopps/overlays/dev/postgres-cluster-secret-encrypted.env

@@ -0,0 +1,8 @@
+AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:8g==,iv:vs285td1wKGv5q/1NSv3rkwm/Dz00jWOUaHYPXPHC40=,tag:CECroZh5x7J03ja8UBFcXQ==,type:str]
+AWS_SECRET_ACCESS_KEY=
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEN3JRUTJkWHNOZWNrYjZ3\nY3B5bHg0dlhsWHpKK0EweDdEN0U4UlhaV1FnCkNrM2UvWm1IZ1I5bGZyRVhyMnBG\nMEQ5VnJLMGQydTJUbEU4Z3B5MDZGSXcKLS0tIGhoR1NQanhydVRxVEI1Mk9BWFYr\nVllKQmR0QUVISDBybWN1NkY2ck5OaGsK6wiyqIAQh8R5hvs85bAIMBK30QY/nZjf\nL8m7NJ8/xW1t+0TLNj1w3xFSnhZ8fOoOVqJXv39wIvu3sp+QIoQmCQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2024-11-25T21:07:37Z
+sops_mac=ENC[AES256_GCM,data:9YmNxKJMPncAG2DUwfnudEkrp4VFl0gto/oyRM/BtiHITIV1mHRj1x+6L/9WFhbAJQWmT49KetMkywvCH5e/XOe/9mxPm2L1zwCml+QKa7hMAG41KOV7X2A1e07w4NcOD5+6fNV3YoqMKQzfMPUD2FalGUX35yH+bgC4VuBqZL0=,iv:EAD8vTA75Gsjd5PHI+lIiy4IxI3dJCwX+fFTOWVUFYc=,tag:+l1Ai1LopNYlINEwjmPW9g==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

kubernetes/hopps/overlays/dev/postgresql.yaml

@@ -0,0 +1,37 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: postgres-cluster
+spec:
+  teamId: "hopps"
+  postgresql:
+    version: "16"
+    parameters:
+      # depending on application that can cause issues
+      password_encryption: scram-sha-256
+  numberOfInstances: 1
+  volume:
+    size: "10Gi"
+    storageClass: "longhorn"
+  allowedSourceRanges: # load balancers' source ranges for both master and replica services
+    - 10.0.0.0/16
+  #  requests:
+  #    cpu: 100m
+  #    memory: 100Mi
+  #  limits:
+  #    cpu: 500m
+  #    memory: 500Mi
+  # create users
+  users:
+    # namespace.name: roles
+    hopps-dev.org: [ ]
+    hopps-dev.fin: [ ]
+    hopps-dev.openfga: [ ]
+    hopps-dev.keycloak: [ ]
+  databases:
+    # name: owner (namespace.name)
+    # namespace notation is part of user name
+    org: hopps-dev.org
+    fin: hopps-dev.fin
+    openfga: hopps-dev.openfga
+    keycloak: hopps-dev.keycloak