From 5b9d3557bc585c327b8f5d119c30f7550e261add Mon Sep 17 00:00:00 2001 From: David Monichi Date: Thu, 13 Feb 2025 23:36:20 +0100 Subject: [PATCH] feat: addes custom nginx to helm charts for CoMPAS services 
Signed-off-by: David Monichi --- .../resources/compas-realm.json | 50 ++--- helm/charts/compas-keycloak/values.yaml | 14 +- .../resources/authenticate.include | 24 +++ helm/charts/compas-nginx/resources/nginx.conf | 194 ++++++++++++++++++ .../compas-nginx/templates/_helpers.tpl | 2 +- .../compas-nginx/templates/configmap.yaml | 9 + .../compas-nginx/templates/ingress_2.testing | 19 -- helm/charts/compas-nginx/values.yaml | 73 ++++--- .../charts/compas-openscd/templates/NOTES.txt | 8 +- .../compas-openscd/templates/_helpers.tpl | 2 +- .../compas-openscd/templates/service.yaml | 6 +- .../templates/serviceaccount.yaml | 4 +- helm/charts/compas-openscd/values.yaml | 2 +- .../templates/NOTES.txt | 8 +- .../templates/_helpers.tpl | 2 +- .../templates/ingress.yaml | 6 +- .../templates/service.yaml | 6 +- .../templates/serviceaccount.yaml | 4 +- .../compas-scl-data-service/values.yaml | 30 ++- helm/kind/Readme.md | 18 ++ helm/kind/compas-nginx/Dockerfile | 20 ++ helm/kind/compas-nginx/build.sh | 4 + helm/kind/create-cluster.sh | 34 +++ helm/kind/manifests/kind-setup-config.yaml | 21 ++ helm/kind/manifests/registry-cm.yaml | 9 + helm/kind/teardown-cluster.sh | 5 + helm/stages/compas/keycloak.yaml | 3 + helm/stages/compas/nginx.yaml | 0 helm/stages/compas/postgres-compas.yaml | 5 + .../{local => compas}/postgres-keycloak.yaml | 0 helm/stages/compas/scl-data-service.yaml | 27 +++ helm/stages/compas/stage.yaml | 14 ++ helm/stages/helmfile-compas.yaml | 11 +- helm/stages/helmfile-database.yaml | 5 + helm/stages/helmfile-nginx.yaml | 9 + helm/stages/local/keycloak.yaml | 13 -- helm/stages/local/postgres-compas.yaml | 5 - helm/stages/local/stage.yaml | 4 - helm/stages/redeploy-cluster.sh | 4 + 39 files changed, 541 insertions(+), 133 deletions(-) create mode 100644 helm/charts/compas-nginx/resources/authenticate.include create mode 100644 helm/charts/compas-nginx/resources/nginx.conf create mode 100644 helm/charts/compas-nginx/templates/configmap.yaml delete mode 100644 
helm/charts/compas-nginx/templates/ingress_2.testing create mode 100644 helm/kind/Readme.md create mode 100644 helm/kind/compas-nginx/Dockerfile create mode 100755 helm/kind/compas-nginx/build.sh create mode 100755 helm/kind/create-cluster.sh create mode 100644 helm/kind/manifests/kind-setup-config.yaml create mode 100644 helm/kind/manifests/registry-cm.yaml create mode 100755 helm/kind/teardown-cluster.sh create mode 100644 helm/stages/compas/keycloak.yaml create mode 100644 helm/stages/compas/nginx.yaml create mode 100644 helm/stages/compas/postgres-compas.yaml rename helm/stages/{local => compas}/postgres-keycloak.yaml (100%) create mode 100644 helm/stages/compas/scl-data-service.yaml create mode 100644 helm/stages/compas/stage.yaml create mode 100644 helm/stages/helmfile-nginx.yaml delete mode 100644 helm/stages/local/keycloak.yaml delete mode 100644 helm/stages/local/postgres-compas.yaml delete mode 100644 helm/stages/local/stage.yaml diff --git a/helm/charts/compas-keycloak/resources/compas-realm.json b/helm/charts/compas-keycloak/resources/compas-realm.json index 71bd159..733ee96 100644 --- a/helm/charts/compas-keycloak/resources/compas-realm.json +++ b/helm/charts/compas-keycloak/resources/compas-realm.json @@ -1248,17 +1248,17 @@ "clientId": "cim-mapping", "name": "CIM Mapping", "description": "CIM Mapping Service to convert CIM Data to SCL Data", - "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/", - "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/", + "rootUrl": "{{ .Values.public.keycloak.hostname }}/", + "adminUrl": "{{ .Values.public.keycloak.hostname }}/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "{{ .Values.global.keycloak.baseUrl }}/*" + "{{ .Values.public.keycloak.hostname }}/*" ], "webOrigins": [ - "{{ .Values.global.keycloak.baseUrl }}" + "{{ .Values.public.keycloak.hostname }}" ], "notBefore": 0, "bearerOnly": false, 
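Review bot: `.Values.public.keycloak.hostname` is not defined by the chart's own values in this commit — `helm/charts/compas-keycloak/values.yaml` gains `service.environment.public.keycloak.realm`, not `public.keycloak.hostname` — so unless the helmfile stage (not visible here) supplies it, rendering the realm file through the template engine fails on a nil `public`, and an empty value would turn `webOrigins` into `""` and `redirectUris` into `/*`. The same substitution is repeated in the hunks at -1328, -1447, -1529, -1611, -1693 and -3204 of this file. The name `hostname` also reads as a bare host, while `webOrigins` needs a full origin (`scheme://host[:port]`) and `rootUrl`/`redirectUris` append `/` to it here; documenting the expected shape beside the default, e.g. `public: keycloak: hostname: "http://compas.local"  # full origin incl. scheme, no trailing slash`, would prevent the `//` and empty-origin cases.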
@@ -1328,17 +1328,17 @@ { "id": "ace17366-e696-4821-9f24-89b797acb736", "clientId": "openscd", - "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/", - "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/", + "rootUrl": "{{ .Values.public.keycloak.hostname }}/", + "adminUrl": "{{ .Values.public.keycloak.hostname }}/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "{{ .Values.global.keycloak.baseUrl }}/*" + "{{ .Values.public.keycloak.hostname }}/*" ], "webOrigins": [ - "{{ .Values.global.keycloak.baseUrl }}" + "{{ .Values.public.keycloak.hostname }}" ], "notBefore": 0, "bearerOnly": false, @@ -1447,17 +1447,17 @@ "clientId": "scl-auto-alignment", "name": "SCL Auto Alignment Service", "description": "The SCL Auto Alignment Service for calculating XY Coordinates", - "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/", - "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/", + "rootUrl": "{{ .Values.public.keycloak.hostname }}/", + "adminUrl": "{{ .Values.public.keycloak.hostname }}/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "{{ .Values.global.keycloak.baseUrl }}/*" + "{{ .Values.public.keycloak.hostname }}/*" ], "webOrigins": [ - "{{ .Values.global.keycloak.baseUrl }}" + "{{ .Values.public.keycloak.hostname }}" ], "notBefore": 0, "bearerOnly": false, 
@@ -1529,17 +1529,17 @@ "clientId": "scl-data-service", "name": "SCL Data Service", "description": "The SCL Data Service for storing / retrieving SCLs", - "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/", - "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/", + "rootUrl": "{{ .Values.public.keycloak.hostname }}/", + "adminUrl": "{{ .Values.public.keycloak.hostname }}/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "{{ .Values.global.keycloak.baseUrl }}/*" + "{{ .Values.public.keycloak.hostname }}/*" ], "webOrigins": [ - "{{ .Values.global.keycloak.baseUrl }}" + "{{ .Values.public.keycloak.hostname }}" ], "notBefore": 0, "bearerOnly": false, @@ -1611,17 +1611,17 @@ "clientId": "scl-validator", "name": "SCL Validator Service", "description": "The SCL Validator Service to validate SCL Files", - "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/", - "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/", + "rootUrl": "{{ .Values.public.keycloak.hostname }}/", + "adminUrl": "{{ .Values.public.keycloak.hostname }}/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "{{ .Values.global.keycloak.baseUrl }}/*" + "{{ .Values.public.keycloak.hostname }}/*" ], "webOrigins": [ - "{{ .Values.global.keycloak.baseUrl }}" + "{{ .Values.public.keycloak.hostname }}" ], "notBefore": 0, "bearerOnly": false, 
@@ -1693,17 +1693,17 @@ "clientId": "sitipe-service", "name": "Sitipe Service", "description": "The Sitipe Service to retrieve Sitipe related data", - "rootUrl": "{{ .Values.global.keycloak.baseUrl }}/", - "adminUrl": "{{ .Values.global.keycloak.baseUrl }}/", + "rootUrl": "{{ .Values.public.keycloak.hostname }}/", + "adminUrl": "{{ .Values.public.keycloak.hostname }}/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "{{ .Values.global.keycloak.baseUrl }}/*" + "{{ .Values.public.keycloak.hostname }}/*" ], "webOrigins": [ - "{{ .Values.global.keycloak.baseUrl }}" + "{{ .Values.public.keycloak.hostname }}" ], "notBefore": 0, "bearerOnly": false, @@ -3204,7 +3204,7 @@ "clientSessionIdleTimeout": "0", "parRequestUriLifespan": "60", "clientSessionMaxLifespan": "0", - "frontendUrl": "{{ .Values.global.keycloak.baseUrl }}/auth", + "frontendUrl": "{{ .Values.public.keycloak.hostname }}/auth", "clientOfflineSessionIdleTimeout": "0", "cibaInterval": "5" }, diff --git a/helm/charts/compas-keycloak/values.yaml b/helm/charts/compas-keycloak/values.yaml index bad8d3f..be4a4c1 100644 --- a/helm/charts/compas-keycloak/values.yaml +++ b/helm/charts/compas-keycloak/values.yaml @@ -1,7 +1,13 @@ config: keycloak: - keycloakUrl: "http://localhost/" - clientUrl: "http://localhost/" + keycloakUrl: "http://compas.local/" + clientUrl: "http://compas.local/" + +service: + environment: + public: + keycloak: + realm: compas keycloak: postgresql: @@ -9,10 +15,10 @@ keycloak: ingress: enabled: true; - hostname: "localhost" + hostname: "compas.local" annotations: alb.ingress.kubernetes.io/group.name: "openscd" - external-dns.alpha.kubernetes.io/hostname: localhost + external-dns.alpha.kubernetes.io/hostname: compas.local kubernetes.io/ingress.class: nginx extraEnvVars: 
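Review bot: The public hostname `compas.local` is now repeated in four keys of this file (`config.keycloak.keycloakUrl`, `config.keycloak.clientUrl`, `keycloak.ingress.hostname`, the `external-dns` annotation) and again, hard-coded, in `helm/charts/compas-nginx/resources/authenticate.include`, while the realm template reads yet another key (`public.keycloak.hostname`); these will drift independently. A single source such as `global.hostname: compas.local`, referenced from the other places, would keep the OIDC redirect URIs, the ingress host and the DNS annotation in agreement. Adjacent but untouched by this change: `ingress.enabled: true;` carries a trailing semicolon, which YAML reads as the string `"true;"` rather than a boolean — it happens to be truthy in a template `if`, but `enabled: true` is what is meant.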
diff --git a/helm/charts/compas-nginx/resources/authenticate.include b/helm/charts/compas-nginx/resources/authenticate.include new file mode 100644 index 0000000..34ad1cc --- /dev/null +++ b/helm/charts/compas-nginx/resources/authenticate.include @@ -0,0 +1,24 @@ +access_by_lua_block { + local opts = { + redirect_uri = "http://compas.local/redirect_uri", + discovery = "http://compas.local/realms/compas/.well-known/openid-configuration", + client_id = "openscd", + redirect_uri_scheme = "http", + logout_path = "/logout", + redirect_after_logout_uri = "http://compas.local/realms/compas/protocol/openid-connect/logout?redirect_uri=http://compas.local/", + redirect_after_logout_with_id_token_hint = false, + session_contents = {id_token=true, access_token=true}, + renew_access_token_on_expiry = true, + } + + -- call introspect for OAuth 2.0 Bearer Access Token validation + local res, err = require("resty.openidc").authenticate(opts) + + if err then + ngx.status = 403 + ngx.say(err) + ngx.exit(ngx.HTTP_FORBIDDEN) + end + + ngx.var.access_token = res.access_token +} diff --git a/helm/charts/compas-nginx/resources/nginx.conf b/helm/charts/compas-nginx/resources/nginx.conf new file mode 100644 index 0000000..40c332a --- /dev/null +++ b/helm/charts/compas-nginx/resources/nginx.conf 
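Review bot: The error branch of the new `authenticate.include` writes the library's error string straight to the client with `ngx.say(err)`; lua-resty-openidc errors can carry the discovery URL, upstream response bodies and internal hostnames, so log it server-side and send no body: `ngx.log(ngx.ERR, "openidc authenticate failed: ", err)` followed by `ngx.exit(ngx.HTTP_FORBIDDEN)`. Every endpoint in `opts` and `redirect_uri_scheme` is fixed to plain `http://compas.local`, so the id and access tokens kept in the session (`session_contents`) and the bearer token later forwarded upstream are exchanged in clear; that is defensible for a kind cluster, but because the file reaches the pod via `.Files.Get` it cannot be overridden from `values.yaml`, and a header comment such as `-- local kind setup only: plain http, hostnames fixed at chart build time` should say so. `redirect_after_logout_uri` passes `redirect_uri=` to Keycloak's `openid-connect/logout`; recent Keycloak releases no longer honour that parameter for RP-initiated logout and expect `post_logout_redirect_uri` together with an `id_token_hint`, so `redirect_after_logout_with_id_token_hint = true` is likely needed — worth verifying against the Keycloak version actually deployed.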
@@ -0,0 +1,194 @@ +worker_processes 1; +error_log /var/log/nginx/error.log debug; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + # set search paths for pure Lua external libraries (';;' is the default path): + lua_package_path '/usr/local/openresty/lualib/?.lua;;'; + # cache for discovery metadata documents + lua_shared_dict discovery 1m; + # cache for JWKs + lua_shared_dict jwks 1m; + + resolver 127.0.0.11; + index index.html index.htm; + + server { + set $access_token ''; + set $session_cookie_samesite off; + set $session_name compas_session; + + listen 80 default_server; + listen [::]:80 default_server; + server_name reverse-proxy; + + # set client body size to 150M # + client_max_body_size 150M; + + # I disabled caching so the browser won't cache the site. + expires 0; + add_header Cache-Control private; + + # Default forward all web calls to the OpenSCD Container + location / { + include /etc/nginx/include/authenticate.include; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + + proxy_pass http://compas-openscd/; + + proxy_set_header Host $http_host; + proxy_cache_bypass $http_upgrade; + proxy_redirect off; + } + + # Forwarding to KeyCloak container. + location /realms/ { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + + proxy_pass http://compas-keycloak/realms/; + + proxy_set_header Host $http_host; + proxy_cache_bypass $http_upgrade; + proxy_redirect off; + } + + # Forwarding to KeyCloak container. 
+ location /auth/ { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + + proxy_pass http://compas-keycloak/auth/; + + proxy_set_header Host $http_host; + proxy_cache_bypass $http_upgrade; + proxy_redirect off; + } + + # Forwarding to the SCL Validator Service container (websockets). + location /compas-scl-data-service/scl-ws/ { + include /etc/nginx/include/authenticate.include; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Authorization "Bearer ${access_token}"; + + proxy_pass http://compas-keycloak/compas-scl-data-service/scl-ws/; + } + + # Forwarding to the SCL Data Service container. + location /compas-scl-data-service/ { + include /etc/nginx/include/authenticate.include; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Authorization "Bearer ${access_token}"; + + proxy_pass http://compas-keycloak/compas-scl-data-service/; + + proxy_set_header Host $http_host; + proxy_cache_bypass $http_upgrade; + proxy_redirect off; + } + + # Forwarding to the CIM Mapping Service container. 
+ location /compas-cim-mapping/ { + include /etc/nginx/include/authenticate.include; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Authorization "Bearer ${access_token}"; + + proxy_pass http://compas-keycloak/compas-cim-mapping/; + + proxy_set_header Host $http_host; + proxy_cache_bypass $http_upgrade; + proxy_redirect off; + } + + # Forwarding to the SCL Auto Alignment Service container. + location /compas-scl-auto-alignment/ { + include /etc/nginx/include/authenticate.include; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Authorization "Bearer ${access_token}"; + + proxy_pass http://compas-keycloak/compas-scl-auto-alignment/; + + proxy_set_header Host $http_host; + proxy_cache_bypass $http_upgrade; + proxy_redirect off; + } + + # Forwarding to the SCL Validator Service container (websockets). + location /compas-scl-validator/validate-ws/ { + include /etc/nginx/include/authenticate.include; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Authorization "Bearer ${access_token}"; + + proxy_pass http://compas-keycloak/compas-scl-validator/validate-ws/; + } + + # Forwarding to the SCL Validator Service container (http). 
+ location /compas-scl-validator/ { + include /etc/nginx/include/authenticate.include; + + proxy_set_header Host $http_host; + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Authorization "Bearer ${access_token}"; + + proxy_pass http://compas-keycloak/compas-scl-validator/; + + proxy_cache_bypass $http_upgrade; + proxy_redirect off; + } + + # redirect server error pages to the static page /40x.html + error_page 404 /404.html; + location = /40x.html { + } + # redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; + location = /50x.html { + } + } +} diff --git a/helm/charts/compas-nginx/templates/_helpers.tpl b/helm/charts/compas-nginx/templates/_helpers.tpl index 8697784..511a71e 100644 --- a/helm/charts/compas-nginx/templates/_helpers.tpl +++ b/helm/charts/compas-nginx/templates/_helpers.tpl @@ -46,7 +46,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} Selector labels */}} {{- define "application.selectorLabels" -}} -app.kubernetes.io/name: {{ include ".Chart.name" . }} +app.kubernetes.io/name: {{ .Chart.Name }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} diff --git a/helm/charts/compas-nginx/templates/configmap.yaml b/helm/charts/compas-nginx/templates/configmap.yaml new file mode 100644 index 0000000..57324b9 --- /dev/null +++ b/helm/charts/compas-nginx/templates/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-configs +data: + authenticate.include: |- + {{ .Files.Get "resources/authenticate.include" | nindent 4 }} + nginx.conf: |- + {{ .Files.Get "resources/nginx.conf" | nindent 4 }} diff --git a/helm/charts/compas-nginx/templates/ingress_2.testing b/helm/charts/compas-nginx/templates/ingress_2.testing deleted file mode 100644 index deb12f5..0000000 
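Review bot: All six service locations (`/compas-scl-data-service/scl-ws/`, `/compas-scl-data-service/`, `/compas-cim-mapping/`, `/compas-scl-auto-alignment/`, `/compas-scl-validator/validate-ws/`, `/compas-scl-validator/`) `proxy_pass` to `http://compas-keycloak/...`, so authenticated requests carrying `Authorization: Bearer ...` for the backend services are delivered to Keycloak instead of the services named under `global.kubernetes.hostname` in the nginx chart's `values.yaml` (the comment over the `scl-ws` location also still reads "SCL Validator Service"). `error_log /var/log/nginx/error.log debug;` at the top of the file makes lua-resty-openidc and the session library write per-request detail — including tokens and cookies — to the error log; `error_log /var/log/nginx/error.log warn;` is the safe default outside a debugging session. `set $session_cookie_samesite off;` strips the SameSite attribute from the session cookie, which the authorization-code redirect does not require (`Lax` suffices) and which re-enables cross-site requests riding on the session. `resolver 127.0.0.11;` is Docker's embedded DNS; inside a kind pod nothing answers at that address, and the discovery fetch issued from Lua (cosockets honour `resolver`) will fail unless the cluster DNS address is used — inferred from the deployment target, please confirm.
```nginx
# … unchanged: server block, forwarding headers and authenticate.include in each location …
# location /compas-scl-data-service/scl-ws/
proxy_pass http://compas-scl-data-service/compas-scl-data-service/scl-ws/;
# location /compas-scl-data-service/
proxy_pass http://compas-scl-data-service/compas-scl-data-service/;
# location /compas-cim-mapping/
proxy_pass http://compas-cim-mapping/compas-cim-mapping/;
# location /compas-scl-auto-alignment/
proxy_pass http://compas-scl-auto-alignment/compas-scl-auto-alignment/;
# location /compas-scl-validator/validate-ws/
proxy_pass http://compas-scl-validator/compas-scl-validator/validate-ws/;
# location /compas-scl-validator/
proxy_pass http://compas-scl-validator/compas-scl-validator/;
```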
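Review bot: `.Files.Get` returns the file verbatim, so neither `nginx.conf` nor `authenticate.include` goes through the template engine and the upstream hostnames and `compas.local` OIDC URLs they contain cannot be set from values — the `global.kubernetes.hostname` block added to `helm/charts/compas-nginx/values.yaml` in this commit is consequently never read. If the files are meant to be configurable, render them with `tpl`, e.g. `{{ tpl (.Files.Get "resources/nginx.conf") . | nindent 4 }}`, and replace the literal hosts in the resources with `{{ .Values.global.kubernetes.hostname.keycloak }}` and its siblings; otherwise drop the unused values block so nobody assumes it takes effect. Either way a comment on the ConfigMap stating which it is, e.g. `# resources are embedded verbatim; hostnames are fixed at chart build time`, removes the ambiguity.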
--- a/helm/charts/compas-nginx/templates/ingress_2.testing +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: compas-ingres - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/proxy-buffer-size: 256k -spec: - ingressClassName: nginx - rules: - - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: reverse-proxy - port: - number: 80 \ No newline at end of file diff --git a/helm/charts/compas-nginx/values.yaml b/helm/charts/compas-nginx/values.yaml index aeba3a6..3ffb008 100644 --- a/helm/charts/compas-nginx/values.yaml +++ b/helm/charts/compas-nginx/values.yaml @@ -1,23 +1,7 @@ image: - name: quay.io/keycloak/keycloak - tag: "26.0" + repository: localhost:5001/compas-nginx + tag: "latest" pullPolicy: Always - pullSecret: docker-private-registry - -# service: -# port: 80 -# deployment: -# port: 8080 -# environment: -# public: -# keycloak: -# realm: compas -# keycloak: -# db: -# type: postgres -# database: keycloak -# username: keycloak -# password: weFSG7zn9VIOul3 runtime: replicas: 1 
@@ -25,27 +9,54 @@ runtime: resources: requests: - cpu: 250m - memory: 512Mi + cpu: 50m + memory: 32Mi limits: - cpu: 500m - memory: 1024Mi - -global: - hostname: http://localhost:80 + cpu: 100m + memory: 256Mi ingress: - enabled: false + enabled: true className: "" annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" - hosts: [] - # - host: chart-example.local - # paths: - # - path: / - # pathType: ImplementationSpecific + hosts: + - host: compas.local + paths: + - path: / + pathType: ImplementationSpecific tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local + +serviceAccount: + create: false + +volumeMounts: + - name: compas-nginx-conf + mountPath: /etc/nginx/include/authenticate.include + subPath: authenticate.include + - name: compas-nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + +volumes: + - name: compas-nginx-conf + configMap: + name: compas-nginx-configs + +service: + type: ClusterIP + port: 80 + +global: + kubernetes: + hostname: + keycloak: http://compas-keycloak + openscd: http://compas-openscd + sclDataService: http://compas-scl-data-service + cimMapping: http://compas-cim-mapping + sclAutoAlignment: http://compas-scl-auto-alignment + sclValidator: http://compas-scl-validator diff --git a/helm/charts/compas-openscd/templates/NOTES.txt b/helm/charts/compas-openscd/templates/NOTES.txt index b2996f2..00eddd1 100644 --- a/helm/charts/compas-openscd/templates/NOTES.txt +++ b/helm/charts/compas-openscd/templates/NOTES.txt 
@@ -6,16 +6,16 @@ {{- end }} {{- end }} {{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "scl-data-service.fullname" . }}) + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "application.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "scl-data-service.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "scl-data-service.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "application.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "application.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") echo http://$SERVICE_IP:{{ .Values.service.port }} {{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "scl-data-service.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "application.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT diff --git a/helm/charts/compas-openscd/templates/_helpers.tpl b/helm/charts/compas-openscd/templates/_helpers.tpl index 8697784..511a71e 100644 --- a/helm/charts/compas-openscd/templates/_helpers.tpl +++ b/helm/charts/compas-openscd/templates/_helpers.tpl @@ -46,7 +46,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} Selector labels */}} {{- define "application.selectorLabels" -}} -app.kubernetes.io/name: {{ include ".Chart.name" . }} +app.kubernetes.io/name: {{ .Chart.Name }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} diff --git a/helm/charts/compas-openscd/templates/service.yaml b/helm/charts/compas-openscd/templates/service.yaml index b6d9393..10f338d 100644 --- a/helm/charts/compas-openscd/templates/service.yaml +++ b/helm/charts/compas-openscd/templates/service.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "scl-data-service.fullname" . }} + name: {{ include "application.fullname" . }} labels: - {{- include "scl-data-service.labels" . | nindent 4 }} + {{- include "application.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -12,4 +12,4 @@ spec: protocol: TCP name: http selector: - {{- include "scl-data-service.selectorLabels" . | nindent 4 }} + {{- include "application.selectorLabels" . | nindent 4 }} diff --git a/helm/charts/compas-openscd/templates/serviceaccount.yaml b/helm/charts/compas-openscd/templates/serviceaccount.yaml index b8c5459..bafed7e 100644 --- a/helm/charts/compas-openscd/templates/serviceaccount.yaml +++ b/helm/charts/compas-openscd/templates/serviceaccount.yaml 
@@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "scl-data-service.serviceAccountName" . }} + name: {{ include "application.serviceAccountName" . }} labels: - {{- include "scl-data-service.labels" . | nindent 4 }} + {{- include "application.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/helm/charts/compas-openscd/values.yaml b/helm/charts/compas-openscd/values.yaml index 35e8abe..bbd2c4a 100644 --- a/helm/charts/compas-openscd/values.yaml +++ b/helm/charts/compas-openscd/values.yaml @@ -9,7 +9,7 @@ replicaCount: 1 image: repository: "lfenergy/compas-open-scd" pullPolicy: IfNotPresent - tag: "latest" + tag: "v0.36.0.3" # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] diff --git a/helm/charts/compas-scl-data-service/templates/NOTES.txt b/helm/charts/compas-scl-data-service/templates/NOTES.txt index b2996f2..00eddd1 100644 --- a/helm/charts/compas-scl-data-service/templates/NOTES.txt +++ b/helm/charts/compas-scl-data-service/templates/NOTES.txt 
@@ -6,16 +6,16 @@ {{- end }} {{- end }} {{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "scl-data-service.fullname" . }}) + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "application.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "scl-data-service.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "scl-data-service.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "application.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "application.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") echo http://$SERVICE_IP:{{ .Values.service.port }} {{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "scl-data-service.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "application.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT diff --git a/helm/charts/compas-scl-data-service/templates/_helpers.tpl b/helm/charts/compas-scl-data-service/templates/_helpers.tpl index 8697784..511a71e 100644 --- a/helm/charts/compas-scl-data-service/templates/_helpers.tpl +++ b/helm/charts/compas-scl-data-service/templates/_helpers.tpl @@ -46,7 +46,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} Selector labels */}} {{- define "application.selectorLabels" -}} -app.kubernetes.io/name: {{ include ".Chart.name" . }} +app.kubernetes.io/name: {{ .Chart.Name }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} diff --git a/helm/charts/compas-scl-data-service/templates/ingress.yaml b/helm/charts/compas-scl-data-service/templates/ingress.yaml index 5555598..1db3c58 100644 --- a/helm/charts/compas-scl-data-service/templates/ingress.yaml +++ b/helm/charts/compas-scl-data-service/templates/ingress.yaml @@ -2,9 +2,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "scl-data-service.fullname" . }} + name: {{ include "application.fullname" . }} labels: - {{- include "scl-data-service.labels" . | nindent 4 }} + {{- include "application.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} @@ -35,7 +35,7 @@ spec: {{- end }} backend: service: - name: {{ include "scl-data-service.fullname" $ }} + name: {{ include "application.fullname" $ }} port: number: {{ $.Values.service.port }} {{- end }} 
diff --git a/helm/charts/compas-scl-data-service/templates/service.yaml b/helm/charts/compas-scl-data-service/templates/service.yaml index b6d9393..10f338d 100644 --- a/helm/charts/compas-scl-data-service/templates/service.yaml +++ b/helm/charts/compas-scl-data-service/templates/service.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "scl-data-service.fullname" . }} + name: {{ include "application.fullname" . }} labels: - {{- include "scl-data-service.labels" . | nindent 4 }} + {{- include "application.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -12,4 +12,4 @@ spec: protocol: TCP name: http selector: - {{- include "scl-data-service.selectorLabels" . | nindent 4 }} + {{- include "application.selectorLabels" . | nindent 4 }} diff --git a/helm/charts/compas-scl-data-service/templates/serviceaccount.yaml b/helm/charts/compas-scl-data-service/templates/serviceaccount.yaml index b8c5459..bafed7e 100644 --- a/helm/charts/compas-scl-data-service/templates/serviceaccount.yaml +++ b/helm/charts/compas-scl-data-service/templates/serviceaccount.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "scl-data-service.serviceAccountName" . }} + name: {{ include "application.serviceAccountName" . }} labels: - {{- include "scl-data-service.labels" . | nindent 4 }} + {{- include "application.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/helm/charts/compas-scl-data-service/values.yaml b/helm/charts/compas-scl-data-service/values.yaml index 4fe191b..8dc1f3d 100644 --- a/helm/charts/compas-scl-data-service/values.yaml +++ b/helm/charts/compas-scl-data-service/values.yaml 
@@ -9,7 +9,7 @@ replicaCount: 1 image: repository: lfenergy/compas-scl-data-service pullPolicy: IfNotPresent - tag: "latest" + tag: "0.15.6-postgresql" # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] @@ -48,9 +48,31 @@ service: # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 -env: [] -# - name: MY_ENV_VAR -# value: my-env-var-value +env: + - name: POSTGRESQL_HOST + value: postgres-compas + - name: POSTGRESQL_DB + value: compas + - name: JWT_VERIFY_KEY + value: http://keycloak:8080/auth/realms/compas/protocol/openid-connect/certs + - name: JWT_VERIFY_ISSUER + value: http://${COMPAS_HOSTNAME}/auth/realms/compas + - name: JWT_VERIFY_CLIENT_ID + value: scl-data-service + - name: JWT_GROUPS_PATH + value: resource_access/scl-data-service/roles + - name: USERINFO_NAME_CLAIMNAME + value: name + - name: USERINFO_WHO_CLAIMNAME + value: name + - name: USERINFO_SESSION_WARNING + value: "20" + - name: USERINFO_SESSION_EXPIRES + value: "30" + - name: POSTGRESQL_USERNAME + value: compas + - name: POSTGRESQL_PASSWORD + value: Xxunztz8y5Ffxu2 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: diff --git a/helm/kind/Readme.md b/helm/kind/Readme.md new file mode 100644 index 0000000..7d5e6e9 --- /dev/null +++ b/helm/kind/Readme.md 
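Review bot: `POSTGRESQL_PASSWORD` is committed in clear text as a default chart value (the literal on the `value:` line under it); a default ends up in every rendered manifest, in `helm get values` output and in git history, so it should be read from a Secret via `valueFrom.secretKeyRef`, and the value already exposed should be rotated. `JWT_VERIFY_ISSUER` uses `${COMPAS_HOSTNAME}`, which Kubernetes does not expand — only `$(VAR)` references to earlier entries of the same `env` list are substituted — so the issuer is compared literally against the token's `iss` claim and verification fails, unless the application shell-expands it, which is not visible here. `JWT_VERIFY_KEY` points at `http://keycloak:8080/auth/realms/...`, while the rest of this change addresses Keycloak as `compas-keycloak` (nginx `proxy_pass`, `global.kubernetes.hostname.keycloak`) and the nginx OIDC discovery URL uses `/realms/compas` without the `/auth` prefix; one of the two path styles is wrong for the Keycloak version deployed, so both the service name and the path here need checking against it.
```yaml
  - name: POSTGRESQL_PASSWORD
    valueFrom:
      secretKeyRef:
        name: postgres-compas-credentials   # placeholder name; create the Secret out of band (helmfile secrets, sealed-secrets, ...)
        key: password
```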
@@ -0,0 +1,18 @@
+# Local cluster with kind
+
+For details see: https://kind.sigs.k8s.io/
+
+## Start local cluster with nginx
+
+```
+ kind create cluster --config=kind-setup-config.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml > /dev/null
+```
+
+## Stop and destroy local cluster
+
+```
+ kind delete cluster
+ IMAGE=$(docker image ls kindest/node --format {{.ID}})
+ docker image rm ${IMAGE}
+```
diff --git a/helm/kind/compas-nginx/Dockerfile b/helm/kind/compas-nginx/Dockerfile
new file mode 100644
index 0000000..80fe5f9
--- /dev/null
+++ b/helm/kind/compas-nginx/Dockerfile
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2024 BearingPoint GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# We want to go back to below image, but it seems to be broken.
+# For now use fixed version which still works.
+#FROM openresty/openresty:alpine-fat
+FROM openresty/openresty:1.25.3.1-2-alpine-fat
+
+RUN mkdir /var/log/nginx
+
+RUN apk add --no-cache openssl-dev
+RUN apk add --no-cache git
+RUN apk add --no-cache gcc
+
+RUN luarocks install lua-resty-openidc
+
+RUN mkdir -p /etc/nginx/include
+
+ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-c", "/etc/nginx/nginx.conf", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/helm/kind/compas-nginx/build.sh b/helm/kind/compas-nginx/build.sh
new file mode 100755
index 0000000..39899d9
--- /dev/null
+++ b/helm/kind/compas-nginx/build.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+docker build -t localhost:5001/compas-nginx:latest .
+docker push localhost:5001/compas-nginx:latest
diff --git a/helm/kind/create-cluster.sh b/helm/kind/create-cluster.sh
new file mode 100755
index 0000000..48ba6df
--- /dev/null
+++ b/helm/kind/create-cluster.sh
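Review bot: `RUN luarocks install lua-resty-openidc` in the Dockerfile installs whatever version LuaRocks resolves at build time, so the OIDC library that fronts the CoMPAS services is unpinned even though the base image two lines above is deliberately pinned with a comment explaining why. Pin it the same way, `RUN luarocks install lua-resty-openidc <tested-version>` (placeholder for the version actually validated), so rebuilds are reproducible and upgrades are a reviewed change. `git` and `gcc` are only needed to build that rock but remain in the runtime image; a multi-stage build, or a single `RUN apk add --no-cache openssl-dev git gcc && luarocks install lua-resty-openidc <tested-version> && apk del git gcc`, keeps the toolchain out of the served image.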
@@ -0,0 +1,34 @@ +#!/bin/bash + +# https://kind.sigs.k8s.io/docs/user/local-registry/ + +set -o errexit + +reg_name='kind-registry' +reg_port='5001' +if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then + docker run \ + -d --restart=always -p "127.0.0.1:${reg_port}:5000" --network bridge --name "${reg_name}" \ + registry:2 +fi + +kind create cluster --config=manifests/kind-setup-config.yaml + +REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}" +for node in $(kind get nodes); do + docker exec "${node}" mkdir -p "${REGISTRY_DIR}" + cat < /dev/null + +if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then + docker network connect "kind" "${reg_name}" +fi + +kubectl create ns compas diff --git a/helm/kind/manifests/kind-setup-config.yaml b/helm/kind/manifests/kind-setup-config.yaml new file mode 100644 index 0000000..e84dad2 --- /dev/null +++ b/helm/kind/manifests/kind-setup-config.yaml @@ -0,0 +1,21 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: +- role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP +containerdConfigPatches: +- |- + [plugins."io.containerd.grpc.v1.cri".registry] + config_path = "/etc/containerd/certs.d" \ No newline at end of file diff --git a/helm/kind/manifests/registry-cm.yaml b/helm/kind/manifests/registry-cm.yaml new file mode 100644 index 0000000..3f6e3b9 --- /dev/null +++ b/helm/kind/manifests/registry-cm.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: local-registry-hosting + namespace: kube-public +data: + localRegistryHosting.v1: | + host: "localhost:5001" + help: "https://kind.sigs.k8s.io/docs/user/local-registry/" \ No newline at end of file 
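Review bot: The line `cat < /dev/null` inside the `for node in $(kind get nodes)` loop reads nothing and writes nothing, so `${REGISTRY_DIR}` is created on each node but no registry host configuration is ever written there, and the script's declared 34 lines versus what is visible suggest the body of the loop (presumably a here-document whose `<<` was lost during extraction) is missing; confirm the committed file actually writes the hosts file for `localhost:${reg_port}`. The registry itself is bound to `127.0.0.1:${reg_port}` only and `set -o errexit` precedes the docker calls, which is the right shape for a local dev registry. `kubectl create ns compas` at the end is not idempotent and will abort a re-run under errexit; `kubectl create ns compas --dry-run=client -o yaml | kubectl apply -f -` makes the script re-runnable.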
diff --git a/helm/kind/teardown-cluster.sh b/helm/kind/teardown-cluster.sh
new file mode 100755
index 0000000..76c8e25
--- /dev/null
+++ b/helm/kind/teardown-cluster.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+kind delete cluster
+IMAGE=$(docker image ls kindest/node --format {{.ID}})
+docker image rm ${IMAGE}
\ No newline at end of file
diff --git a/helm/stages/compas/keycloak.yaml b/helm/stages/compas/keycloak.yaml
new file mode 100644
index 0000000..7e139b9
--- /dev/null
+++ b/helm/stages/compas/keycloak.yaml
@@ -0,0 +1,3 @@
+keycloak:
+ secrets:
+ dbPassword: "cfbrpSPZQJ7DhTExRs63an"
diff --git a/helm/stages/compas/nginx.yaml b/helm/stages/compas/nginx.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/helm/stages/compas/postgres-compas.yaml b/helm/stages/compas/postgres-compas.yaml
new file mode 100644
index 0000000..311381b
--- /dev/null
+++ b/helm/stages/compas/postgres-compas.yaml
@@ -0,0 +1,5 @@
+service:
+ environment:
+ compas:
+ db:
+ password: 5OSvbcqvYeU1PI6FSh7i
\ No newline at end of file
diff --git a/helm/stages/local/postgres-keycloak.yaml b/helm/stages/compas/postgres-keycloak.yaml
similarity index 100%
rename from helm/stages/local/postgres-keycloak.yaml
rename to helm/stages/compas/postgres-keycloak.yaml
diff --git a/helm/stages/compas/scl-data-service.yaml b/helm/stages/compas/scl-data-service.yaml
new file mode 100644
index 0000000..d27c61c
--- /dev/null
+++ b/helm/stages/compas/scl-data-service.yaml
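Review bot: The new helm/stages/compas/keycloak.yaml carries only `keycloak.secrets.dbPassword`, whereas the deleted helm/stages/local/keycloak.yaml also set `service.environment.public.keycloak.realm`, `auth.adminUser` and `auth.adminPassword`, and nothing else in this diff moves those keys anywhere; Keycloak will therefore come up with whatever the `../charts/compas-keycloak` chart defaults are for the realm and the admin account. Confirm that is intended (the old `adminPassword: password` was not a value worth keeping, but the realm name is what the `JWT_VERIFY_ISSUER` and `JWT_VERIFY_KEY` URLs in scl-data-service.yaml depend on) and record it in the stage file, e.g. `# realm and admin bootstrap come from the compas-keycloak chart defaults`.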
@@ -0,0 +1,27 @@
+env:
+ - name: COMPAS_HOSTNAME
+ value: compas-keycloak
+ - name: POSTGRESQL_HOST
+ value: postgres-compas
+ - name: POSTGRESQL_DB
+ value: compas
+ - name: JWT_VERIFY_KEY
+ value: http://keycloak:8080/auth/realms/compas/protocol/openid-connect/certs
+ - name: JWT_VERIFY_ISSUER
+ value: http://${COMPAS_HOSTNAME}/auth/realms/compas
+ - name: JWT_VERIFY_CLIENT_ID
+ value: scl-data-service
+ - name: JWT_GROUPS_PATH
+ value: resource_access/scl-data-service/roles
+ - name: USERINFO_NAME_CLAIMNAME
+ value: name
+ - name: USERINFO_WHO_CLAIMNAME
+ value: name
+ - name: USERINFO_SESSION_WARNING
+ value: "20"
+ - name: USERINFO_SESSION_EXPIRES
+ value: "30"
+ - name: POSTGRESQL_USERNAME
+ value: compas
+ - name: POSTGRESQL_PASSWORD
+ value: 5OSvbcqvYeU1PI6FSh7i
diff --git a/helm/stages/compas/stage.yaml b/helm/stages/compas/stage.yaml
new file mode 100644
index 0000000..d840327
--- /dev/null
+++ b/helm/stages/compas/stage.yaml
@@ -0,0 +1,14 @@
+public:
+ hostname: http://localhost:80
+ keycloak:
+ hostname: http://localhost:80
+
+global:
+ kubernetes:
+ hostname:
+ keycloak: http://compas-keycloak
+ openscd: http://compas-openscd
+ scl-data-service: http://compas-scl-data-service
+ cim-mapping: http://compas-cim-mapping
+ scl-auto-alignment: http://compas-scl-auto-alignment
+ scl-validator: http://compas-scl-validator
diff --git a/helm/stages/helmfile-compas.yaml b/helm/stages/helmfile-compas.yaml
index c1de171..030ae86 100644
--- a/helm/stages/helmfile-compas.yaml
+++ b/helm/stages/helmfile-compas.yaml
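Review bot: `JWT_VERIFY_KEY` in scl-data-service.yaml fetches the signing keys from `http://keycloak:8080/...`, but the Keycloak release is named `compas-keycloak` in helmfile-database.yaml and stage.yaml addresses it as `http://compas-keycloak`, so the bare service name `keycloak` presumably does not resolve in the `compas` namespace and token verification would fail at the first JWKS fetch; `value: http://compas-keycloak/auth/realms/compas/protocol/openid-connect/certs` (port as exposed by that Service) looks like the intended target. `JWT_VERIFY_ISSUER` is built from `COMPAS_HOSTNAME=compas-keycloak` while stage.yaml publishes Keycloak to users at `http://localhost:80`; the `iss` claim in a token is the URL the client authenticated against, so the two must agree for any token to be accepted, and a comment on `COMPAS_HOSTNAME` stating which URL is authoritative would save the next reader the same check. The `POSTGRESQL_PASSWORD` literal also duplicates the value in postgres-compas.yaml, so the two files can drift independently; pointing both at one Secret removes that coupling.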
@@ -2,8 +2,13 @@ helmDefaults: createNamespace: false releases: - - name: keycloak - chart: ../charts/compas-keycloak + - name: compas-openscd + chart: ../charts/compas-openscd values: - ./{{ requiredEnv "STAGE_NAME" }}/stage.yaml - - ./{{ requiredEnv "STAGE_NAME" }}/keycloak.yaml + - name: compas-scl-data-service + chart: ../charts/compas-scl-data-service + values: + - ./{{ requiredEnv "STAGE_NAME" }}/stage.yaml + - ./{{ requiredEnv "STAGE_NAME" }}/scl-data-service.yaml + diff --git a/helm/stages/helmfile-database.yaml b/helm/stages/helmfile-database.yaml index 985e256..0f23006 100644 --- a/helm/stages/helmfile-database.yaml +++ b/helm/stages/helmfile-database.yaml @@ -12,3 +12,8 @@ releases: values: - ./{{ requiredEnv "STAGE_NAME" }}/stage.yaml - ./{{ requiredEnv "STAGE_NAME" }}/postgres-compas.yaml + - name: compas-keycloak + chart: ../charts/compas-keycloak + values: + - ./{{ requiredEnv "STAGE_NAME" }}/stage.yaml + - ./{{ requiredEnv "STAGE_NAME" }}/keycloak.yaml diff --git a/helm/stages/helmfile-nginx.yaml b/helm/stages/helmfile-nginx.yaml new file mode 100644 index 0000000..1c3deea --- /dev/null +++ b/helm/stages/helmfile-nginx.yaml @@ -0,0 +1,9 @@ +helmDefaults: + createNamespace: false + +releases: + - name: compas-nginx + chart: ../charts/compas-nginx + values: + - ./{{ requiredEnv "STAGE_NAME" }}/stage.yaml + - ./{{ requiredEnv "STAGE_NAME" }}/nginx.yaml diff --git a/helm/stages/local/keycloak.yaml b/helm/stages/local/keycloak.yaml deleted file mode 100644 index 620211b..0000000 --- a/helm/stages/local/keycloak.yaml +++ /dev/null @@ -1,13 +0,0 @@ -service: - environment: - public: - keycloak: - realm: compas - -keycloak: - secrets: - dbPassword: "cfbrpSPZQJ7DhTExRs63an" - -auth: - adminUser: admin - adminPassword: password \ No newline at end of file diff --git a/helm/stages/local/postgres-compas.yaml b/helm/stages/local/postgres-compas.yaml deleted file mode 100644 index fef0956..0000000 --- a/helm/stages/local/postgres-compas.yaml +++ /dev/null 
@@ -1,5 +0,0 @@
-service:
- environment:
- keycloak:
- db:
- password: MB6e5JU3wamDHPKgW9TSV2
diff --git a/helm/stages/local/stage.yaml b/helm/stages/local/stage.yaml
deleted file mode 100644
index 120d056..0000000
--- a/helm/stages/local/stage.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-global:
- hostname: http://localhost:80
- keycloak:
- baseUrl: http://localhost:80
diff --git a/helm/stages/redeploy-cluster.sh b/helm/stages/redeploy-cluster.sh
index 5cd6ccc..2f7a955 100755
--- a/helm/stages/redeploy-cluster.sh
+++ b/helm/stages/redeploy-cluster.sh
@@ -5,3 +5,7 @@ helmfile apply --namespace ${STAGE_NAME} --validate -f helmfile-database.yaml sleep 15 helmfile apply --namespace ${STAGE_NAME} --validate -f helmfile-compas.yaml
+
+sleep 15
+
+helmfile apply --namespace ${STAGE_NAME} --validate -f helmfile-nginx.yaml
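Review bot: The added `sleep 15` before `helmfile apply ... -f helmfile-nginx.yaml` is a fixed delay standing in for a readiness check, so on a slow image pull the nginx release can still be applied before Keycloak and the services it proxies are serving, while on a fast host the wait is pure dead time; `helmfile apply --wait --namespace ${STAGE_NAME} --validate -f helmfile-compas.yaml` on the preceding step (or `kubectl wait --for=condition=available deployment/<name>` on the dependencies) expresses the ordering the sleep is trying to approximate. `${STAGE_NAME}` is expanded unquoted and unchecked throughout; a `: "${STAGE_NAME:?STAGE_NAME must be set}"` guard at the top of the script would fail fast instead of applying into the default namespace. The script's header and the earlier apply steps start outside this hunk.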