From 411306858a09cdc4ee5a2408e7352e326960681e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Westerb=C3=B8?= Date: Sun, 12 Jan 2025 16:18:22 +0100 Subject: [PATCH 01/13] Adding ror.nhn.no ingress --- charts/ror-webapp/templates/configmap.yaml | 30 +++++++++++++++++++ charts/ror-webapp/templates/deployment.yaml | 2 +- .../templates/ingress-helsenett.yaml | 12 ++++++++ charts/ror-webapp/values.yaml | 2 ++ 4 files changed, 45 insertions(+), 1 deletion(-) diff --git a/charts/ror-webapp/templates/configmap.yaml b/charts/ror-webapp/templates/configmap.yaml index aa78ed2..c81b787 100644 --- a/charts/ror-webapp/templates/configmap.yaml +++ b/charts/ror-webapp/templates/configmap.yaml @@ -26,3 +26,33 @@ data: "timeout": 30000 } } + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ror-web-cm-config2 +data: + config.json: | + { + "auth": { + "issuer": "{{ .Values.web.authUrl }}", + "clientId": "ror.nhn.no", + "redirectUri": "/auth/callback", + "scope": "profile email groups", + "response_type": "id_token token", + "requireHttps": true, + "strictDiscoveryDocumentValidation": true + }, + "regex": { + "forms": "^[@()\\/:?\\r\\n.,a-zA-Z æøåÆØÅ0-9_-]+$" + }, + "rowsPerPage": [10, 25, 50, 75, 100], + "rows": 25, + "rorApi": "{{ .Values.web.apiUrl2 }}", + "sse": { + "postfixUrl": "/v1/events/listen", + "method": "GET", + "timeout": 30000 + } + } diff --git a/charts/ror-webapp/templates/deployment.yaml b/charts/ror-webapp/templates/deployment.yaml index 607101a..b609e17 100644 --- a/charts/ror-webapp/templates/deployment.yaml +++ b/charts/ror-webapp/templates/deployment.yaml @@ -69,6 +69,6 @@ spec: volumes: - name: json-configmap-volume configMap: - name: ror-web-cm-config + name: ror-web-cm-config2 - name: tmp-volume emptyDir: {} diff --git a/charts/ror-webapp/templates/ingress-helsenett.yaml b/charts/ror-webapp/templates/ingress-helsenett.yaml index 6f89da4..755426e 100644 --- a/charts/ror-webapp/templates/ingress-helsenett.yaml 
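Review bot: The added `ror-web-cm-config2` block sets `"response_type": "id_token token"`, which is the OIDC implicit flow: if the client honours this value, the access token comes back in the URL fragment of `/auth/callback`, where it can linger in browser history and is readable by any script on the page. For the production client ID (`ror.nhn.no`) I would move to the authorization code flow with PKCE, i.e. `"response_type": "code"`, provided the issuer behind `.Values.web.authUrl` has the client registered for it. The block is otherwise a copy of the existing ConfigMap with only `clientId` and `rorApi` changed, so a single ConfigMap that takes both from values would keep the two copies from drifting apart.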
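Review bot: Pointing `json-configmap-volume` at `ror-web-cm-config2` unconditionally gives every pod of this release `clientId` `ror.nhn.no` and `.Values.web.apiUrl2`, while the ingress hunk in the same patch still routes `ror.sky.test.nhn.no` to those pods. The test hostname would then sign in with the production client and call the production API, which presumably also requires that hostname's callback to be registered as a redirect URI on the production client; please confirm that is intended. The original `ror-web-cm-config` stays in the chart but is no longer mounted. The `values.yaml` hunk of PATCH 07/13 keeps the same arrangement (both hosts, one `apiUrl` and one `authClientId`), so a values file per environment with a single host each would be the cleaner split. The volume list begins outside this hunk.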
+++ b/charts/ror-webapp/templates/ingress-helsenett.yaml @@ -17,10 +17,22 @@ spec: number: {{ .Values.service.port }} path: {{ .Values.ingress.path }} pathType: {{ .Values.ingress.pathType }} + - host: {{ .Values.web.host2 }} + http: + paths: + - backend: + service: + name: {{ include "ror-admin.fullname" . }} + port: + number: {{ .Values.service.port }} + path: {{ .Values.ingress.path }} + pathType: {{ .Values.ingress.pathType }} tls: - hosts: - {{ .Values.web.host }} secretName: nhn-ror-admin-tls + - {{ .Values.web.host2 }} + secretName: nhn-ror-admin-tls --- apiVersion: ako.vmware.com/v1alpha1 kind: HostRule diff --git a/charts/ror-webapp/values.yaml b/charts/ror-webapp/values.yaml index 2712ddb..3456d4d 100644 --- a/charts/ror-webapp/values.yaml +++ b/charts/ror-webapp/values.yaml @@ -4,7 +4,9 @@ enabled: true web: host: ror.sky.test.nhn.no + host2: ror.nhn.no apiUrl: https://api.ror.sky.test.nhn.no + apiUrl2: https://api.ror.nhn.no authUrl: https://auth.sky.nhn.no/dex replicaCount: 3 image: From ea0d3f8e0e13ba62074274347a9398d0b846da02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Westerb=C3=B8?= Date: Sun, 12 Jan 2025 16:28:47 +0100 Subject: [PATCH 02/13] fixing helm lint error --- charts/ror-webapp/templates/ingress-helsenett.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/ror-webapp/templates/ingress-helsenett.yaml b/charts/ror-webapp/templates/ingress-helsenett.yaml index 755426e..33d9c71 100644 --- a/charts/ror-webapp/templates/ingress-helsenett.yaml +++ b/charts/ror-webapp/templates/ingress-helsenett.yaml @@ -29,10 +29,11 @@ spec: pathType: {{ .Values.ingress.pathType }} tls: - hosts: - - {{ .Values.web.host }} - secretName: nhn-ror-admin-tls - - {{ .Values.web.host2 }} - secretName: nhn-ror-admin-tls + - secretName: nhn-ror-admin-tls + host: {{ .Values.web.host }} + - secretName: nhn-ror-webapp-tls + host: {{ .Values.web.host2 }} + --- apiVersion: ako.vmware.com/v1alpha1 kind: HostRule 
From 2cde86356293207077b0fca9c9ed4cb994b0cf02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Westerb=C3=B8?= Date: Sun, 12 Jan 2025 16:39:00 +0100 Subject: [PATCH 03/13] Trying to fix ingress --- charts/ror-webapp/templates/ingress-helsenett.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/ror-webapp/templates/ingress-helsenett.yaml b/charts/ror-webapp/templates/ingress-helsenett.yaml index 33d9c71..cfc4e41 100644 --- a/charts/ror-webapp/templates/ingress-helsenett.yaml +++ b/charts/ror-webapp/templates/ingress-helsenett.yaml @@ -29,10 +29,11 @@ spec: pathType: {{ .Values.ingress.pathType }} tls: - hosts: - - secretName: nhn-ror-admin-tls - host: {{ .Values.web.host }} - - secretName: nhn-ror-webapp-tls - host: {{ .Values.web.host2 }} + - {{ .Values.web.host }} + secretName: nhn-ror-admin-tls + - hosts: + - {{ .Values.web.host2 }} + secretName: nhn-ror-webapp-tls --- apiVersion: ako.vmware.com/v1alpha1 From 143e8bf20571b17067d55900dc64c7d59e2bc13e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Westerb=C3=B8?= Date: Sun, 12 Jan 2025 16:57:32 +0100 Subject: [PATCH 04/13] Removing if prod for config --- src/app/core/services/config.service.ts | 8 -------- 1 file changed, 8 deletions(-) diff --git a/src/app/core/services/config.service.ts b/src/app/core/services/config.service.ts index 100fd65..ca67895 100644 --- a/src/app/core/services/config.service.ts +++ b/src/app/core/services/config.service.ts @@ -66,14 +66,6 @@ export class ConfigService { }, }; - if (environment.production) { - config.auth.clientId = 'ror.sky.test.nhn.no'; - config.auth.issuer = 'https://auth.sky.nhn.no/dex'; - config.rorApi = 'https://ror.sky.nhn.no'; - config.auth.requireHttps = true; - config.auth.strictDiscoveryDocumentValidation = true; - } - return config; } } From 72930a12d2bf7f82a100f3d590176b05ebf11fe7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Roger=20Westerb=C3=B8?= Date: Sun, 12 Jan 2025 17:29:46 +0100 Subject: [PATCH 05/13] Helm cleanup --- charts/ror-webapp/Chart.yaml | 2 +- charts/ror-webapp/templates/NOTES.txt | 8 ++++---- charts/ror-webapp/templates/_helpers.tpl | 20 +++++++++---------- charts/ror-webapp/templates/deployment.yaml | 10 +++++----- charts/ror-webapp/templates/hpa.yaml | 8 ++++---- .../templates/ingress-helsenett.yaml | 8 ++++---- charts/ror-webapp/templates/rolebinding.yaml | 4 ++-- charts/ror-webapp/templates/service.yaml | 6 +++--- .../ror-webapp/templates/serviceaccount.yaml | 4 ++-- .../templates/tests/test-connection.yaml | 6 +++--- charts/ror-webapp/values.yaml | 2 +- src/app/core/services/config.service.ts | 8 ++++++++ 12 files changed, 47 insertions(+), 39 deletions(-) diff --git a/charts/ror-webapp/Chart.yaml b/charts/ror-webapp/Chart.yaml index f003cd7..062656d 100644 --- a/charts/ror-webapp/Chart.yaml +++ b/charts/ror-webapp/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: ror-webapp -description: ROR web +description: ROR webapp type: application version: 0.1.0 diff --git a/charts/ror-webapp/templates/NOTES.txt b/charts/ror-webapp/templates/NOTES.txt index 7e290af..51c8527 100644 --- a/charts/ror-webapp/templates/NOTES.txt +++ b/charts/ror-webapp/templates/NOTES.txt 
@@ -6,16 +6,16 @@ {{- end }} {{- end }} {{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ror-admin.fullname" . }}) + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ror-webapp.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "ror-admin.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "ror-admin.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "ror-webapp.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "ror-webapp.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") echo http://$SERVICE_IP:{{ .Values.service.port }} {{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "ror-admin.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "ror-webapp.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT diff --git a/charts/ror-webapp/templates/_helpers.tpl b/charts/ror-webapp/templates/_helpers.tpl index 7848d10..6e47561 100644 --- a/charts/ror-webapp/templates/_helpers.tpl +++ b/charts/ror-webapp/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "ror-admin.name" -}} +{{- define "ror-webapp.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "ror-admin.fullname" -}} +{{- define "ror-webapp.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "ror-admin.chart" -}} +{{- define "ror-webapp.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "ror-admin.labels" -}} -helm.sh/chart: {{ include "ror-admin.chart" . }} -{{ include "ror-admin.selectorLabels" . }} +{{- define "ror-webapp.labels" -}} +helm.sh/chart: {{ include "ror-webapp.chart" . }} +{{ include "ror-webapp.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} 
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "ror-admin.selectorLabels" -}} -app.kubernetes.io/name: {{ include "ror-admin.name" . }} +{{- define "ror-webapp.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ror-webapp.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "ror-admin.serviceAccountName" -}} +{{- define "ror-webapp.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "ror-admin.fullname" .) .Values.serviceAccount.name }} +{{- default (include "ror-webapp.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} diff --git a/charts/ror-webapp/templates/deployment.yaml b/charts/ror-webapp/templates/deployment.yaml index b609e17..4a2b005 100644 --- a/charts/ror-webapp/templates/deployment.yaml +++ b/charts/ror-webapp/templates/deployment.yaml @@ -1,9 +1,9 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "ror-admin.fullname" . }} + name: {{ include "ror-webapp.fullname" . }} labels: - {{- include "ror-admin.labels" . | nindent 4 }} + {{- include "ror-webapp.labels" . | nindent 4 }} spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} @@ -11,7 +11,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - {{- include "ror-admin.selectorLabels" . | nindent 6 }} + {{- include "ror-webapp.selectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} 
@@ -19,13 +19,13 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "ror-admin.selectorLabels" . | nindent 8 }} + {{- include "ror-webapp.selectorLabels" . | nindent 8 }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "ror-admin.serviceAccountName" . }} + serviceAccountName: {{ include "ror-webapp.serviceAccountName" . }} securityContext: {{- toYaml .Values.securityContext | nindent 8 }} containers: diff --git a/charts/ror-webapp/templates/hpa.yaml b/charts/ror-webapp/templates/hpa.yaml index 13c49b8..184322e 100644 --- a/charts/ror-webapp/templates/hpa.yaml +++ b/charts/ror-webapp/templates/hpa.yaml @@ -2,14 +2,14 @@ apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: {{ include "ror-admin.fullname" . }} + name: {{ include "ror-webapp.fullname" . }} labels: - {{- include "ror-admin.labels" . | nindent 4 }} + {{- include "ror-webapp.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ include "ror-admin.fullname" . }} + name: {{ include "ror-webapp.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: @@ -28,6 +28,6 @@ spec: target: type: Utilization averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - + {{- end }} {{- end }} diff --git a/charts/ror-webapp/templates/ingress-helsenett.yaml b/charts/ror-webapp/templates/ingress-helsenett.yaml index cfc4e41..2076756 100644 --- a/charts/ror-webapp/templates/ingress-helsenett.yaml +++ b/charts/ror-webapp/templates/ingress-helsenett.yaml @@ -3,7 +3,7 @@ kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - name: admin-helsenett-ingress + name: {{ include "ror-webapp.fullname" . }}helm-ingress spec: ingressClassName: avi-ingress-class-helsenett rules: 
@@ -12,7 +12,7 @@ spec: paths: - backend: service: - name: {{ include "ror-admin.fullname" . }} + name: {{ include "ror-webapp.fullname" . }} port: number: {{ .Values.service.port }} path: {{ .Values.ingress.path }} @@ -22,7 +22,7 @@ spec: paths: - backend: service: - name: {{ include "ror-admin.fullname" . }} + name: {{ include "ror-webapp.fullname" . }} port: number: {{ .Values.service.port }} path: {{ .Values.ingress.path }} @@ -30,7 +30,7 @@ spec: tls: - hosts: - {{ .Values.web.host }} - secretName: nhn-ror-admin-tls + secretName: nhn-ror-webapp-tls - hosts: - {{ .Values.web.host2 }} secretName: nhn-ror-webapp-tls diff --git a/charts/ror-webapp/templates/rolebinding.yaml b/charts/ror-webapp/templates/rolebinding.yaml index c473738..b77750d 100644 --- a/charts/ror-webapp/templates/rolebinding.yaml +++ b/charts/ror-webapp/templates/rolebinding.yaml @@ -1,11 +1,11 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "ror-admin.fullname" . }}-rolebindings + name: {{ include "ror-webapp.fullname" . }}-rolebindings roleRef: kind: ClusterRole name: psp:vmware-system-restricted #Kan erstattes med: "psp:vmware-system-privileged" for root access apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount - name: {{ include "ror-admin.serviceAccountName" . }} \ No newline at end of file + name: {{ include "ror-webapp.serviceAccountName" . }} diff --git a/charts/ror-webapp/templates/service.yaml b/charts/ror-webapp/templates/service.yaml index 759297f..7447e7c 100644 --- a/charts/ror-webapp/templates/service.yaml +++ b/charts/ror-webapp/templates/service.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "ror-admin.fullname" . }} + name: {{ include "ror-webapp.fullname" . }} labels: - {{- include "ror-admin.labels" . | nindent 4 }} + {{- include "ror-webapp.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: 
@@ -12,4 +12,4 @@ spec: protocol: TCP name: http selector: - {{- include "ror-admin.selectorLabels" . | nindent 4 }} + {{- include "ror-webapp.selectorLabels" . | nindent 4 }} diff --git a/charts/ror-webapp/templates/serviceaccount.yaml b/charts/ror-webapp/templates/serviceaccount.yaml index a5bac0a..ec0e0d5 100644 --- a/charts/ror-webapp/templates/serviceaccount.yaml +++ b/charts/ror-webapp/templates/serviceaccount.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "ror-admin.serviceAccountName" . }} + name: {{ include "ror-webapp.serviceAccountName" . }} labels: - {{- include "ror-admin.labels" . | nindent 4 }} + {{- include "ror-webapp.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/ror-webapp/templates/tests/test-connection.yaml b/charts/ror-webapp/templates/tests/test-connection.yaml index b82036d..ada6a89 100644 --- a/charts/ror-webapp/templates/tests/test-connection.yaml +++ b/charts/ror-webapp/templates/tests/test-connection.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "ror-admin.fullname" . }}-test-connection" + name: "{{ include "ror-webapp.fullname" . }}-test-connection" labels: - {{- include "ror-admin.labels" . | nindent 4 }} + {{- include "ror-webapp.labels" . | nindent 4 }} annotations: "helm.sh/hook": test spec: @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "ror-admin.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "ror-webapp.fullname" . }}:{{ .Values.service.port }}'] restartPolicy: Never diff --git a/charts/ror-webapp/values.yaml b/charts/ror-webapp/values.yaml index 3456d4d..a16c371 100644 --- a/charts/ror-webapp/values.yaml +++ b/charts/ror-webapp/values.yaml 
@@ -1,4 +1,4 @@ -# Default values for ror-admin. +# Default values for ror-webapp. # This is a YAML-formatted file. # Declare variables to be passed into your templates. enabled: true diff --git a/src/app/core/services/config.service.ts b/src/app/core/services/config.service.ts index ca67895..e3b9603 100644 --- a/src/app/core/services/config.service.ts +++ b/src/app/core/services/config.service.ts @@ -66,6 +66,14 @@ export class ConfigService { }, }; + if (environment.production) { + config.auth.clientId = 'ror.nhn.no'; + config.auth.issuer = 'https://auth.sky.nhn.no/dex'; + config.rorApi = 'https://ror.nhn.no'; + config.auth.requireHttps = true; + config.auth.strictDiscoveryDocumentValidation = true; + } + return config; } } From f8c0f86c105d3df3e5dad640588f84a0644eb7f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Westerb=C3=B8?= Date: Sun, 12 Jan 2025 17:30:52 +0100 Subject: [PATCH 06/13] fixing apiurl --- src/app/core/services/config.service.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/app/core/services/config.service.ts b/src/app/core/services/config.service.ts index e3b9603..9d521c3 100644 --- a/src/app/core/services/config.service.ts +++ b/src/app/core/services/config.service.ts @@ -69,7 +69,7 @@ export class ConfigService { if (environment.production) { config.auth.clientId = 'ror.nhn.no'; config.auth.issuer = 'https://auth.sky.nhn.no/dex'; - config.rorApi = 'https://ror.nhn.no'; + config.rorApi = 'https://api.ror.nhn.no'; config.auth.requireHttps = true; config.auth.strictDiscoveryDocumentValidation = true; } From c60e702e6d46553c596577fb22c0f99b2635bd3b Mon Sep 17 00:00:00 2001 
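Review bot: The re-added `if (environment.production)` block hard-codes `clientId`, `issuer` and `rorApi` into the compiled bundle, duplicating what the chart's `config.json` ConfigMap already carries (`.Values.web.authUrl`, `.Values.web.apiUrl`), so the two can disagree; the next patch in the series already has to correct `rorApi` to `https://api.ror.nhn.no`. If this method only builds the fallback used when `config.json` cannot be loaded (its start is outside the hunk, so I cannot tell), a comment such as `// Fallback only: deployed values come from assets/config/config.json` would make that clear; otherwise these values should come from the runtime config alone. The change also reverts PATCH 04/13 inside a commit titled "Helm cleanup", which makes an auth-relevant change easy to miss in history.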
From: =?UTF-8?q?H=C3=A5vard=20Elnan?= Date: Sun, 12 Jan 2025 18:15:39 +0100 Subject: [PATCH 07/13] fix helms --- charts/ror-webapp/templates/configmap.yaml | 34 +-------- charts/ror-webapp/templates/deployment.yaml | 2 +- .../templates/ingress-helsenett.yaml | 76 +++++-------------- charts/ror-webapp/values.yaml | 9 ++- 4 files changed, 29 insertions(+), 92 deletions(-) diff --git a/charts/ror-webapp/templates/configmap.yaml b/charts/ror-webapp/templates/configmap.yaml index c81b787..ff40121 100644 --- a/charts/ror-webapp/templates/configmap.yaml +++ b/charts/ror-webapp/templates/configmap.yaml @@ -1,13 +1,13 @@ apiVersion: v1 kind: ConfigMap metadata: - name: ror-web-cm-config + name: {{ include "ror-webapp.fullname" . }}-cm-config data: config.json: | { "auth": { "issuer": "{{ .Values.web.authUrl }}", - "clientId": "ror.sky.test.nhn.no", + "clientId": "{{ .Values.web.authClientId}}", "redirectUri": "/auth/callback", "scope": "profile email groups", "response_type": "id_token token", @@ -26,33 +26,3 @@ data: "timeout": 30000 } } - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: ror-web-cm-config2 -data: - config.json: | - { - "auth": { - "issuer": "{{ .Values.web.authUrl }}", - "clientId": "ror.nhn.no", - "redirectUri": "/auth/callback", - "scope": "profile email groups", - "response_type": "id_token token", - "requireHttps": true, - "strictDiscoveryDocumentValidation": true - }, - "regex": { - "forms": "^[@()\\/:?\\r\\n.,a-zA-Z æøåÆØÅ0-9_-]+$" - }, - "rowsPerPage": [10, 25, 50, 75, 100], - "rows": 25, - "rorApi": "{{ .Values.web.apiUrl2 }}", - "sse": { - "postfixUrl": "/v1/events/listen", - "method": "GET", - "timeout": 30000 - } - } diff --git a/charts/ror-webapp/templates/deployment.yaml b/charts/ror-webapp/templates/deployment.yaml index 4a2b005..898a834 100644 --- a/charts/ror-webapp/templates/deployment.yaml +++ b/charts/ror-webapp/templates/deployment.yaml 
@@ -69,6 +69,6 @@ spec: volumes: - name: json-configmap-volume configMap: - name: ror-web-cm-config2 + name: {{ include "ror-webapp.fullname" . }}-cm-config - name: tmp-volume emptyDir: {} diff --git a/charts/ror-webapp/templates/ingress-helsenett.yaml b/charts/ror-webapp/templates/ingress-helsenett.yaml index 2076756..61ffaa1 100644 --- a/charts/ror-webapp/templates/ingress-helsenett.yaml +++ b/charts/ror-webapp/templates/ingress-helsenett.yaml 
@@ -3,62 +3,28 @@ kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - name: {{ include "ror-webapp.fullname" . }}helm-ingress + name: {{ include "ror-webapp.fullname" . }}-ingress spec: ingressClassName: avi-ingress-class-helsenett rules: - - host: {{ .Values.web.host }} - http: - paths: - - backend: - service: - name: {{ include "ror-webapp.fullname" . }} - port: - number: {{ .Values.service.port }} - path: {{ .Values.ingress.path }} - pathType: {{ .Values.ingress.pathType }} - - host: {{ .Values.web.host2 }} - http: - paths: - - backend: - service: - name: {{ include "ror-webapp.fullname" . }} - port: - number: {{ .Values.service.port }} - path: {{ .Values.ingress.path }} - pathType: {{ .Values.ingress.pathType }} + {{- $outer := . -}} + {{- range $idx, $host := .Values.web.hosts }} + {{- with $outer }} + - host: {{ $host }} + http: + paths: + - backend: + service: + name: {{ include "ror-webapp.fullname" . }} + port: + number: {{ .Values.service.port }} + path: {{ .Values.ingress.path }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + {{- end }} tls: - - hosts: - - {{ .Values.web.host }} - secretName: nhn-ror-webapp-tls - - hosts: - - {{ .Values.web.host2 }} - secretName: nhn-ror-webapp-tls - ---- -apiVersion: ako.vmware.com/v1alpha1 -kind: HostRule -metadata: - name: admin-allow-dcn-paw - namespace: {{ .Release.namespace}} -spec: - virtualhost: - datascripts: - - expose-nhn-office-isp - - expose-nhn-office-client - - expose-nhn-office-devops - - expose-nsg-amk-paws - - expose-nhn-dc-any - - expose-nsg-cloud-paws - - expose-nsg-container-paws - - expose-nsg-soc-paws - - expose-nsg-mon-paws - - expose-nhn-office-devops - - expose-nsg-esm-paws - - bottom-deny-rule - fqdn: ror.sky.test.nhn.no - analyticsProfile: NHN-System-Analytics-Profile - analyticsPolicy: - fullClientLogs: - enabled: false - throttle: DISABLED + - hosts: + {{- range $idx, $host := .Values.web.hosts }} + - {{ $host }} + {{- end }} + secretName: {{ 
include "ror-webapp.fullname" . }}-tls diff --git a/charts/ror-webapp/values.yaml b/charts/ror-webapp/values.yaml index a16c371..9526397 100644 --- a/charts/ror-webapp/values.yaml +++ b/charts/ror-webapp/values.yaml @@ -3,11 +3,12 @@ # Declare variables to be passed into your templates. enabled: true web: - host: ror.sky.test.nhn.no - host2: ror.nhn.no - apiUrl: https://api.ror.sky.test.nhn.no - apiUrl2: https://api.ror.nhn.no + hosts: + - ror.sky.test.nhn.no + - ror.nhn.no + apiUrl: https://api.ror.nhn.no authUrl: https://auth.sky.nhn.no/dex + authClientId: ror.nhn.no replicaCount: 3 image: repository: ghcr.io/norskhelsenett/ror-webapp From b0d902279c64dad9e170aab4338a7731cd300474 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Elnan?= Date: Sun, 12 Jan 2025 23:21:08 +0100 Subject: [PATCH 08/13] make nginx configurable --- charts/ror-webapp/templates/deployment.yaml | 10 ++++++++++ charts/ror-webapp/values.yaml | 5 +++++ 2 files changed, 15 insertions(+) diff --git a/charts/ror-webapp/templates/deployment.yaml b/charts/ror-webapp/templates/deployment.yaml index 898a834..d7d7947 100644 --- a/charts/ror-webapp/templates/deployment.yaml +++ b/charts/ror-webapp/templates/deployment.yaml @@ -38,6 +38,11 @@ spec: - mountPath: /app/assets/config/config.json name: json-configmap-volume subPath: config.json + {{- if .Values.web.nginxCM }} + - mountPath: /etc/nginx/conf.d/default.conf + name: nginx-cm + subPath: {{ .Values.web.nginxCM.subPath | default "default.conf"}} + {{- end }} - mountPath: /tmp name: tmp-volume ports: @@ -70,5 +75,10 @@ spec: - name: json-configmap-volume configMap: name: {{ include "ror-webapp.fullname" . }}-cm-config + {{- if .Values.web.nginxCM }} + - name: nginx-cm + configMap: + name: {{ .Values.web.nginxCM.name | default "nginx-cm" }} + {{- end }} - name: tmp-volume emptyDir: {} diff --git a/charts/ror-webapp/values.yaml b/charts/ror-webapp/values.yaml index 9526397..3413ad1 100644 --- a/charts/ror-webapp/values.yaml 
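Review bot: Dropping the `HostRule` from this template removes the datascript chain (the `expose-…` entries ending in `bottom-deny-rule`, which by their names look like a source allow-list) and the hunk puts nothing in its place for either entry in `.Values.web.hosts`. Unless that rule is now managed outside the chart, the ingress for `ror.nhn.no` and `ror.sky.test.nhn.no` would be published without those restrictions, and the removed rule only ever covered the test FQDN. I would keep the rule in the chart, rendered once per host, and use `.Release.Namespace` (the removed block had `.Release.namespace`, which presumably rendered empty). A sketch follows; `web.hostRuleDatascripts` is a proposed values key, not one the chart has today.

```yaml
# … unchanged: the Ingress document above …
{{- range $host := .Values.web.hosts }}
---
apiVersion: ako.vmware.com/v1alpha1
kind: HostRule
metadata:
  name: {{ include "ror-webapp.fullname" $ }}-{{ $host | replace "." "-" }}
  namespace: {{ $.Release.Namespace }}
spec:
  virtualhost:
    fqdn: {{ $host }}
    datascripts:
      # proposed values key: the allow-list entries from the removed block, bottom-deny-rule last
      {{- toYaml $.Values.web.hostRuleDatascripts | nindent 6 }}
    # … unchanged: analyticsProfile / analyticsPolicy from the removed HostRule …
{{- end }}
```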
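Review bot: When `web.nginxCM` is set, the mounted file replaces `/etc/nginx/conf.d/default.conf` wholesale, so the response headers the image ships (HSTS, `X-Content-Type-Options`, `X-Frame-Options` in `nginx/http_prod.conf`, assuming that is the file the image installs there) only survive if the external ConfigMap repeats them; a comment on the values key saying so would help. The ConfigMap is not created by the chart and the volume is not marked optional, so a missing or misnamed `nginx-cm` leaves the pods stuck in ContainerCreating. In the `values.yaml` hunk of the same patch the default is `nginxCM: []` although the documented shape is a map; `nginxCM: {}` is equally falsy for the `if` and matches the `.name` and `.subPath` lookups. Both deployment hunks sit inside lists that begin outside the hunks.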
+++ b/charts/ror-webapp/values.yaml @@ -9,6 +9,11 @@ web: apiUrl: https://api.ror.nhn.no authUrl: https://auth.sky.nhn.no/dex authClientId: ror.nhn.no + # ConfigMap for nginx + # nginxCM: + # name: nginx-cm + # subPath: default.conf + nginxCM: [] replicaCount: 3 image: repository: ghcr.io/norskhelsenett/ror-webapp From e09311ba76753e372ae4c1d73f49a169b5b2610d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Elnan?= Date: Sun, 12 Jan 2025 23:21:24 +0100 Subject: [PATCH 09/13] remove nhn-config from containerimage --- nginx/http_prod.conf | 153 +++++++++++++++++++++---------------------- 1 file changed, 76 insertions(+), 77 deletions(-) diff --git a/nginx/http_prod.conf b/nginx/http_prod.conf index 1397562..8ad8fb5 100644 --- a/nginx/http_prod.conf +++ b/nginx/http_prod.conf 
@@ -1,87 +1,86 @@ -server { - listen 8080 default_server; - server_name _; + server { + listen 8080 default_server; + server_name _; - proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_send_timeout 300; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_send_timeout 300; - proxy_set_header Connection ''; - proxy_buffering off; - proxy_cache off; + proxy_set_header Connection ''; + proxy_buffering off; + proxy_cache off; - chunked_transfer_encoding off; + chunked_transfer_encoding off; - include /etc/nginx/mime.types; - root /app; + include /etc/nginx/mime.types; + root /app; - index index.html; + index index.html; - gzip on; - gzip_vary on; - gzip_min_length 10240; - gzip_proxied expired no-cache no-store private auth; - gzip_disable "MSIE [1-6]\."; - gzip_types - application/atom+xml - application/javascript - application/json - application/rss+xml - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/opentype - image/svg+xml - image/x-icon - text/css - text/plain - text/x-component; + gzip on; + gzip_vary on; + gzip_min_length 10240; + gzip_proxied expired no-cache no-store private auth; + gzip_disable "MSIE [1-6]\."; + gzip_types + application/atom+xml + application/javascript + application/json + application/rss+xml + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/svg+xml + image/x-icon + text/css + text/plain + text/x-component; - location / { - index index.html; + location / { + index index.html; - add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; - add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; - add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://ror.sky.test.nhn.no\"" always; - add_header Referrer-Policy 'same-origin'; - add_header 
X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "0" always; - #add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"; - add_header X-Frame-Options "SAMEORIGIN" always; + add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; + add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; + add_header Referrer-Policy 'same-origin'; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "0" always; + #add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"; + add_header X-Frame-Options "SAMEORIGIN" always; - # kill cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; - location ~ \.css { - add_header Content-Type text/css; - add_header Last-Modified $date_gmt; - add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - } - location ~ \.js { - add_header Content-Type application/x-javascript; - add_header Last-Modified $date_gmt; - add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - } - location ~ \.json { - add_header Content-Type application/json; - add_header Last-Modified $date_gmt; - add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - } - try_files $uri $uri/ /index.html =404; - } -} + location ~ \.css { + add_header Content-Type text/css; + add_header Last-Modified $date_gmt; + add_header 
Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + } + location ~ \.js { + add_header Content-Type application/x-javascript; + add_header Last-Modified $date_gmt; + add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + } + location ~ \.json { + add_header Content-Type application/json; + add_header Last-Modified $date_gmt; + add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; + } + try_files $uri $uri/ /index.html =404; + } + } \ No newline at end of file From 5034b80398fa788b8cffa72da1be9e6b52f31afb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Elnan?= Date: Sun, 12 Jan 2025 23:24:13 +0100 Subject: [PATCH 10/13] make indentation great again --- nginx/http_prod.conf | 152 +++++++++++++++++++++---------------------- 1 file changed, 76 insertions(+), 76 deletions(-) diff --git a/nginx/http_prod.conf b/nginx/http_prod.conf index 8ad8fb5..148b9fc 100644 --- a/nginx/http_prod.conf +++ b/nginx/http_prod.conf 
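Review bot: The nested `location ~ \.css`, `\.js` and `\.json` blocks each declare their own `add_header` lines, and nginx inherits `add_header` from the enclosing level only when the current level declares none, so CSS, JS and JSON responses go out without the Permissions-Policy, HSTS, `nosniff` and `X-Frame-Options` headers set in `location /`. The patterns are also unanchored, so `\.js` matches `.json` URIs first and the `\.json` block is never reached; `location ~ \.js$ {` and `location ~ \.json$ {` would fix that. I would move the shared security headers into one snippet that every block pulls in with `include`, and drop the `add_header Content-Type …` lines, since `mime.types` is already included and `add_header` emits a second header rather than replacing the first. `Strict-Transport-Security` is also the only security header here set without `always`.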
@@ -1,86 +1,86 @@
- server {
- listen 8080 default_server;
- server_name _;
+server {
+ listen 8080 default_server;
+ server_name _;
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
- proxy_set_header Connection '';
- proxy_buffering off;
- proxy_cache off;
+ proxy_set_header Connection '';
+ proxy_buffering off;
+ proxy_cache off;
- chunked_transfer_encoding off;
+ chunked_transfer_encoding off;
- include /etc/nginx/mime.types;
- root /app;
+ include /etc/nginx/mime.types;
+ root /app;
- index index.html;
+ index index.html;
- gzip on;
- gzip_vary on;
- gzip_min_length 10240;
- gzip_proxied expired no-cache no-store private auth;
- gzip_disable "MSIE [1-6]\.";
- gzip_types
- application/atom+xml
- application/javascript
- application/json
- application/rss+xml
- application/vnd.ms-fontobject
- application/x-font-ttf
- application/x-web-app-manifest+json
- application/xhtml+xml
- application/xml
- font/opentype
- image/svg+xml
- image/x-icon
- text/css
- text/plain
- text/x-component;
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 10240;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_disable "MSIE [1-6]\.";
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/plain
+ text/x-component;
- location / {
- index index.html;
+ location / {
+ index index.html;
- add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
- add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
- add_header Referrer-Policy 'same-origin';
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "0" always;
- #add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
- add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+ add_header Referrer-Policy 'same-origin';
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "0" always;
+ #add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
+ add_header X-Frame-Options "SAMEORIGIN" always;
- # kill cache
- add_header Last-Modified $date_gmt;
- add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
- if_modified_since off;
- expires off;
- etag off;
+ # kill cache
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ if_modified_since off;
+ expires off;
+ etag off;
- location ~ \.css {
- add_header Content-Type text/css;
- add_header Last-Modified $date_gmt;
- add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
- if_modified_since off;
- expires off;
- etag off;
- }
- location ~ \.js {
- add_header Content-Type application/x-javascript;
- add_header Last-Modified $date_gmt;
- add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
- if_modified_since off;
- expires off;
- etag off;
- }
- location ~ \.json {
- add_header Content-Type application/json;
- add_header Last-Modified $date_gmt;
- add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
- if_modified_since off;
- expires off;
- etag off;
- }
- try_files $uri $uri/ /index.html =404;
- }
- }
\ No newline at end of file
+ location ~ \.css {
+ add_header Content-Type text/css;
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ if_modified_since off;
+ expires off;
+ etag off;
+ }
+ location ~ \.js {
+ add_header Content-Type application/x-javascript;
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ if_modified_since off;
+ expires off;
+ etag off;
+ }
+ location ~ \.json {
+ add_header Content-Type application/json;
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ if_modified_since off;
+ expires off;
+ etag off;
+ }
+ try_files $uri $uri/ /index.html =404;
+ }
+}
\ No newline at end of file
From 65d7d8ba221f35e415c1b64cd4bf57b8acaadfc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5vard=20Elnan?=
Date: Sun, 12 Jan 2025 23:26:40 +0100
Subject: [PATCH 11/13] add newline at end of file
---
 nginx/http_prod.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx/http_prod.conf b/nginx/http_prod.conf
index 148b9fc..6def372 100644
--- a/nginx/http_prod.conf
+++ b/nginx/http_prod.conf
@@ -83,4 +83,4 @@ server {
 }
 try_files $uri $uri/ /index.html =404;
 }
-}
\ No newline at end of file
+}
From 6f5de237c91342b1724e14a1718dae2049377f1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5vard=20Elnan?=
Date: Sun, 12 Jan 2025 23:41:27 +0100
Subject: [PATCH 12/13] remove references to nhn
---
 charts/ror-webapp/values.yaml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/charts/ror-webapp/values.yaml b/charts/ror-webapp/values.yaml
index 3413ad1..57be261 100644
--- a/charts/ror-webapp/values.yaml
+++ b/charts/ror-webapp/values.yaml
@@ -3,12 +3,15 @@
 # Declare variables to be passed into your templates.
 enabled: true
 web:
+ # hosts is a list of hosts that the webapp should be available on
 hosts:
- - ror.sky.test.nhn.no
- - ror.nhn.no
- apiUrl: https://api.ror.nhn.no
- authUrl: https://auth.sky.nhn.no/dex
- authClientId: ror.nhn.no
+ - host.ror.io
+ # apiUrl is the url of the ror api
+ apiUrl: https://api.ror.io
+ # authUrl is the url of the auth server
+ authUrl: https://auth.ror.io/dex
+ # authClientId is the client id of the application registered in the auth server
+ authClientId: clientId
 # ConfigMap for nginx
 # nginxCM:
 # name: nginx-cm
From f6d77a0ce748adb3a99549eac4c8605dbc8b72ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5vard=20Elnan?=
Date: Mon, 13 Jan 2025 00:20:02 +0100
Subject: [PATCH 13/13] fix authconfig
---
 src/app/core/services/config.service.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/app/core/services/config.service.ts b/src/app/core/services/config.service.ts
index 9d521c3..dcb6839 100644
--- a/src/app/core/services/config.service.ts
+++ b/src/app/core/services/config.service.ts
@@ -67,7 +67,7 @@ export class ConfigService {
 };
 if (environment.production) {
- config.auth.clientId = 'ror.nhn.no';
+ config.auth.clientId = 'ror.sky.test.nhn.no';
 config.auth.issuer = 'https://auth.sky.nhn.no/dex';
 config.rorApi = 'https://api.ror.nhn.no';
 config.auth.requireHttps = true;
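Review bot: The placeholder defaults `apiUrl: https://api.ror.io` and `authUrl: https://auth.ror.io/dex` point at a registrable domain, and nothing on this page shows that the project controls it, so an install that forgets to override them would presumably direct the web app's API and login traffic to that domain's operator. Names reserved for documentation avoid this, e.g. `authUrl: https://auth.example.com/dex`, or the keys can be left empty and the templates made to abort rendering with Helm's `required` function. `authClientId: clientId` is safer in that respect but still renders a config that only fails at login, so the same `required` guard would help there. The `hosts` entry `host.ror.io` raises the same ownership question for the ingress.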
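Review bot: The production branch now pins `config.auth.clientId` to `'ror.sky.test.nhn.no'`, which by its name is a test-environment client registration, while `config.auth.issuer` and `config.rorApi` below it keep what look like the production endpoints. If that pairing is intended, the reason belongs next to the line, e.g. `// prod reuses the test client registration because <reason>`; if it is not, production sign-in presumably depends on the redirect URIs registered for another environment's client. These three literals also duplicate `web.authClientId`, `web.authUrl` and `web.apiUrl` from the chart's values.yaml, so the two can drift apart. Whether the deployed config overrides them cannot be seen here, because the enclosing method starts and ends outside the hunk.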