Merge pull request #104 from neicnordic/features/svc_notls

Chart changes [ SVC ] [ part 4 of 4 ]
neicnordic · Jan 19, 2022 · c52c71b · c52c71b
2 parents 18e6a46 + 7ed3091
commit c52c71b
Show file tree

Hide file tree

Showing 52 changed files with 868 additions and 553 deletions.
diff --git a/.github/ci_tests/lint_helper.sh b/.github/ci_tests/lint_helper.sh
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -13,9 +13,7 @@ jobs:
         wget https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz -O - | tar -xz
         sudo cp linux-amd64/helm /usr/local/bin/helm
     - name: Lint sda-db
-      run: |
-        bash .github/ci_tests/lint_helper.sh sda-db
-        helm lint charts/sda-db
+      run: helm lint charts/sda-db
 
   lint_sda-mq:
     name: Lint sda-mq
@@ -27,9 +25,7 @@ jobs:
         wget https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz -O - | tar -xz
         sudo cp linux-amd64/helm /usr/local/bin/helm
     - name: Lint sda-mq
-      run: |
-        bash .github/ci_tests/lint_helper.sh sda-mq
-        helm lint charts/sda-mq
+      run: helm lint charts/sda-mq
 
   lint_sda-svc:
     name: Lint sda-svc
@@ -41,9 +37,7 @@ jobs:
         wget https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz -O - | tar -xz
         sudo cp linux-amd64/helm /usr/local/bin/helm
     - name: Lint sda-svc
-      run: |
-        bash .github/ci_tests/lint_helper.sh sda-svc
-        helm lint charts/sda-svc
+      run: helm lint charts/sda-svc
 
   lint_sda-orch:
     name: Lint sda-orch
@@ -55,6 +49,4 @@ jobs:
         wget https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz -O - | tar -xz
         sudo cp linux-amd64/helm /usr/local/bin/helm
     - name: Lint sda-orch
-      run: |
-        bash .github/ci_tests/lint_helper.sh sda-orch
-        helm lint charts/sda-orch
+      run: helm lint charts/sda-orch
diff --git a/.github/workflows/sda-notls.yml b/.github/workflows/sda-notls.yml
@@ -0,0 +1,49 @@
+name: Deployment without TLS
+
+on: [push,pull_request]
+
+env:
+  svc_list: 'auth backup finalize inbox ingest mapper verify'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        test: [sda-notls]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install kube dependencies
+      run: bash ./dev_tools/scripts/install-kube-deps.sh
+    - name: Initialise k3d
+      run: bash ./dev_tools/scripts/init-k3d.sh
+    - name: Wait for k3d to become ready
+      run: bash ./dev_tools/scripts/wait-for-pods.sh metrics-server k8s-app kube-system
+    - name: Install sda dependencies
+      run: bash ./dev_tools/scripts/install-sda-deps.sh
+    - name: Create certificates
+      run: bash ./dev_tools/scripts/make-certs.sh
+    - name: Create secrets
+      run: bash ./dev_tools/scripts/create-secrets.sh
+    - name: Deploy SDA database
+      run: bash ./dev_tools/scripts/deploy-no-tls.sh database
+    - name: Wait for database to become ready
+      run: bash ./dev_tools/scripts/wait-for-pods.sh database
+    - name: Deploy SDA message broker
+      run: bash ./dev_tools/scripts/deploy-no-tls.sh broker
+    - name: Wait for broker to become ready
+      run: bash ./dev_tools/scripts/wait-for-pods.sh broker
+    - name: Deploy mock oidc server
+      run: bash ./dev_tools/scripts/deploy-oidc.sh
+    - name: Deploy minio
+      run: bash ./dev_tools/scripts/deploy-no-tls.sh minio
+    - name: Wait for minio to become ready
+      run: bash ./dev_tools/scripts/wait-for-pods.sh minio app
+    - name: Create s3 buckets
+      run: bash ./dev_tools/scripts/create-s3-buckets-no-tls.sh
+    - name: Deploy the SDA stack
+      run: bash ./dev_tools/scripts/deploy-no-tls.sh pipeline
+    - name: Wait for sda to become ready
+      run: bash ./dev_tools/scripts/wait-for-pods.sh "${{ env.svc_list }}"
+    - name: Run helm test
+      run: bash ./dev_tools/scripts/run-helm-test.sh
diff --git a/charts/sda-svc/Chart.yaml b/charts/sda-svc/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sda-svc
-version: "0.14.2"
+version: "0.15.0"
 kubeVersion: ">= 1.19.0"
 description: Components for Sensitive Data Archive (SDA) installation
 home: https://neic-sda.readthedocs.io

diff --git a/charts/sda-svc/files/README.md b/charts/sda-svc/files/README.md
diff --git a/charts/sda-svc/templates/_helpers.yaml b/charts/sda-svc/templates/_helpers.yaml
@@ -246,3 +246,43 @@ Create chart name and version as used by the chart label.
 {{- ternary .Values.global.broker.password .Values.credentials.verify.mqPassword (empty .Values.credentials.verify.mqPassword) -}}
 {{- end -}}
 {{/**/}}
+
+{{- define "dbSSLmode" -}}
+{{- if .Values.global.tls.enabled }}
+  {{- printf "%s" .Values.global.db.sslMode }}
+{{- else }}
+  {{- print "disable" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "authRedirect" -}}
+{{- if .Values.global.tls.enabled }}
+  {{- printf "https://%s/elixir/login" .Values.global.ingress.hostName.auth }}
+{{- else }}
+  {{- printf "http://%s/elixir/login" .Values.global.ingress.hostName.auth }}
+{{- end -}}
+{{- end -}}
+
+{{- define "inboxServicePort" -}}
+  {{- if .Values.global.tls.enabled }}
+    {{- printf "%d" (ternary 2222 443 ( empty .Values.global.inbox.s3Url )) }}
+  {{- else }}
+    {{- printf "%d" (ternary 2222 80 ( empty .Values.global.inbox.s3Url )) }}
+  {{- end -}}
+{{- end -}}
+
+{{- define "S3InboxURL" -}}
+  {{- if .Values.global.inbox.s3Port }}
+    {{- printf "%s:%v" .Values.global.inbox.s3Url .Values.global.inbox.s3Port }}
+  {{- else }}
+    {{- printf "%s" .Values.global.inbox.s3Url }}
+  {{- end }}
+{{- end -}}
+
+{{- define "S3ArchiveURL" -}}
+  {{- if .Values.global.inbox.s3Port }}
+    {{- printf "%s:%v" .Values.global.inbox.s3Url .Values.global.inbox.s3Port }}
+  {{- else }}
+    {{- printf "%s" .Values.global.inbox.s3Url }}
+  {{- end }}
+{{- end -}}
diff --git a/charts/sda-svc/templates/auth-deploy.yaml b/charts/sda-svc/templates/auth-deploy.yaml
@@ -82,7 +82,7 @@ spec:
           value: {{ include "confFile" . }}
       {{- end }}
         - name: ELIXIR_REDIRECTURL
-          value: "https://{{ .Values.global.ingress.hostName.auth }}/elixir/login"
+          value: {{ template "authRedirect" .}}
         - name: ELIXIR_ISSUER
           value: "{{ .Values.global.elixir.oidcdHost }}"
         - name: ELIXIR_SCOPE
@@ -97,11 +97,11 @@ spec:
         - name: CEGA_JWTSIGNATUREALG
           value: {{ .Values.global.auth.jwtAlg | quote }}
         {{- end }}
-        {{- if .Values.global.auth.useTLS }}
+        {{- if .Values.global.tls.enabled}}
         - name: SERVER_CERT
-          value: "{{ template "tlsPath" . }}/auth.crt"
+          value: {{ template "tlsPath" . }}/{{.Values.auth.tls.certFile }}
         - name: SERVER_KEY
-          value: "{{ template "tlsPath" . }}/auth.key"
+          value: {{ template "tlsPath" . }}/{{.Values.auth.tls.keyFile }}
         {{- end }}
         - name: S3INBOX
           value: {{ .Values.global.ingress.hostName.s3Inbox }}
@@ -113,7 +113,7 @@ spec:
           httpGet:
             port: auth
             path: /
-            scheme: {{ ternary "HTTP" "HTTPS" ( empty .Values.global.auth.useTLS ) }}
+            scheme: {{ ternary "HTTPS" "HTTP" ( .Values.global.tls.enabled ) }}
             httpHeaders:
             - name: Host
               value: {{ .Values.global.ingress.hostName.auth }}
@@ -123,7 +123,7 @@ spec:
           httpGet:
             port: auth
             path: /
-            scheme: {{ ternary "HTTP" "HTTPS" ( empty .Values.global.auth.useTLS ) }}
+            scheme: {{ ternary "HTTPS" "HTTP" ( .Values.global.tls.enabled) }}
             httpHeaders:
             - name: Host
               value: {{ .Values.global.ingress.hostName.auth }}
@@ -132,7 +132,7 @@ spec:
         resources:
 {{ toYaml .Values.s3Inbox.resources | trim | indent 10 }}
         volumeMounts:
-      {{- if not .Values.global.pkiService }}
+      {{- if and .Values.global.pkiPermissions .Values.global.tls.enabled }}
         - name: tls
           mountPath: {{ include "tlsPath" . }}
       {{- end }}
@@ -147,16 +147,16 @@ spec:
             defaultMode: 0440
             sources:
             - secret:
-                name: {{ template "sda.fullname" . }}-auth
+                name: {{ .Values.global.auth.jwtSecret }}
                 items:
                   - key: {{ .Values.global.auth.jwtKey }}
                     path: {{ .Values.global.auth.jwtKey }}
       {{- end }}
-      {{- if not .Values.global.pkiService }}
+      {{- if and .Values.global.pkiPermissions .Values.global.tls.enabled }}
         - name: tls
           secret:
             defaultMode: 0440
-            secretName: {{ template "sda.fullname" . }}-auth-certs
+            secretName: {{ .Values.auth.tls.secretName }}
       {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/sda-svc/templates/auth-ingress.yaml b/charts/sda-svc/templates/auth-ingress.yaml
@@ -15,7 +15,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: "nginx"
     nginx.ingress.kubernetes.io/rewrite-target: "/"
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/backend-protocol: "{{ ternary "HTTPS" "HTTP" .Values.global.tls.enabled }}"
     {{- if .Values.global.ingress.issuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.ingress.issuer | quote }}
     {{- end }}
@@ -30,10 +30,12 @@ spec:
           service:
             name: {{ template "sda.fullname" . }}-auth
             port:
-              number:  {{ ternary 80 443 ( empty .Values.global.auth.useTLS ) }}
+              number:  {{ ternary 443 80 .Values.global.tls.enabled }}
+{{- if .Values.global.tls.enabled }}
   tls:
   - hosts:
     - {{ required "An ingress hostname is required!" .Values.global.ingress.hostName.auth }}
     secretName: {{ if .Values.global.ingress.secretNames.auth }}{{ .Values.global.ingress.secretNames.auth }}{{- else }}"{{ template "sda.fullname" . }}-ingress-auth"{{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/sda-svc/templates/auth-secrets.yaml b/charts/sda-svc/templates/auth-secrets.yaml
@@ -1,33 +1,18 @@
 {{- if or (or (eq "all" .Values.global.deploymentType) (eq "external" .Values.global.deploymentType) ) (not .Values.global.deploymentType) }}
 {{- if eq "s3" .Values.global.inbox.storageType }}
 {{- if not .Values.global.vaultSecrets }}
-{{- $jwtKey := .Files.Glob (printf "files/%s" .Values.global.auth.jwtKey) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "sda.fullname" . }}-auth
 type: Opaque
 data:
-{{- if $jwtKey }}
-{{ ( $jwtKey ).AsSecrets | indent 2 }}
-{{- end }}
   elixirID: {{ .Values.global.auth.elixirID | quote | trimall "\"" | b64enc }}
   elixirSecret: {{ .Values.global.auth.elixirSecret | quote | trimall "\"" | b64enc }}
   {{- if or ( eq "federated" .Values.global.schemaType) ( eq "" .Values.global.schemaType) }}
   cegaID: {{ .Values.global.cega.user | quote | trimall "\"" | b64enc }}
   cegaSecret: {{ .Values.global.cega.password | quote | trimall "\"" | b64enc }}
   {{- end }}
 {{- end }}
-{{- if and .Values.global.auth.useTLS (not .Values.global.pkiService) }}
----
-{{- $auth := .Files.Glob "files/auth*" }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "sda.fullname" . }}-auth-certs
-data:
-{{ ( .Files.Glob "files/ca.crt" ).AsSecrets | trim | indent 2 }}
-{{ ( $auth ).AsSecrets | indent 2 }}
-{{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/sda-svc/templates/auth-service.yaml b/charts/sda-svc/templates/auth-service.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
   ports:
   - name: auth
-    port: {{ ternary 80 443 ( empty .Values.global.auth.useTLS ) }}
+    port: {{ ternary 443 80 ( .Values.global.tls.enabled ) }}
     targetPort: auth
     protocol: TCP
   selector: