Merge pull request #22 from NBISweden/feature/update-helm

Feature/update helm

.github/workflows/manual_release.yml

@@ -0,0 +1,26 @@
+name: Manually Release Charts
+
+on: [workflow_dispatch]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+      - name: Install Helm
+        uses: azure/[email protected]
+        with:
+          version: v3.4.0
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/publish_charts.yml

@@ -0,0 +1,30 @@
+name: Publish charts
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+      - name: Install Helm
+        uses: azure/[email protected]
+        with:
+          version: v3.4.0
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

README.md

@@ -45,9 +45,25 @@ go run .
 The following configuration is required to run the service
 | Variable     | Description  | Example |
 | ------------ | :----------: | ------: |
+| crypt4ghKey | Path to public key | `../sda_crypt4gh.pub` |
+| expirationDays | Token validity duration in days | 14 |
 | iss | JWT issuer | `https://issuer.example.com` |
-| pathToKey | Path to private key | `../my_key.pem` |
+| jwtKey | Path to private key | `../my_key.pub` |
+| s3url | The URL to the s3Inbox | `s3.example.com` |
 | uppmaxUsername | Username for token requester | `some_username` |
 | uppmaxPassword | Password for token requester | `some_password` |
-| s3url | The URL to the s3Inbox | `s3.example.com` |
-| expirationDays | Token validity duration in days | 14 |
+
+## How to deploy
+To deploy the service without using vault (e.g. using minikube) in the `lega` namespace, build and push the image using
+```sh
+docker build -t harbor.nbis.se/uppmax/integration .
+docker push harbor.nbis.se/uppmax/integration
+```
+Create a secret using
+```sh
+kubectl -n lega create secret generic <secret_name> --from-file=<key_path> --from-file=<public_key_path>
+```
+The names of the files should be added in the values files in `jwt.keyName` and `crypt4ghKey` respectively in the `values.yaml`. Populate the rest of the `values.yaml` file with the correct values and then install using the local copy of the helm charts with
+```sh
+helm install --namespace lega uppmax charts/uppmax-integration
+```

charts/uppmax-integration/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/uppmax-integration/templates/_helpers.tpl

@@ -4,3 +4,15 @@ Expand the name of the chart.
 {{- define "uppmax-integration.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
+
+{{- define "TLSissuer" -}}
+    {{- if and .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+        {{- fail "Only one of global.tls.issuer or global.tls.clusterIssuer should be set" }}
+    {{- end -}}
+
+    {{- if .Values.global.tls.issuer }}
+        {{- printf "%s" .Values.global.tls.issuer }}
+    {{- else if and .Values.global.tls.clusterIssuer }}
+        {{- printf "%s" .Values.global.tls.clusterIssuer }}
+    {{- end -}}
+{{- end -}}

charts/uppmax-integration/templates/certificate.yaml

@@ -0,0 +1,37 @@
+{{- if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "uppmax-integration.name" . }}-certs
+spec:
+  # Secret names are always required.
+  secretName: {{ template "uppmax-integration.name" . }}-certs
+
+  duration: 2160h # 90d
+
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: {{ template "uppmax-integration.name" . }}-certs
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  usages:
+    - server certs
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - {{ template "uppmax-integration.name" . }}-certs
+    - {{ template "uppmax-integration.name" . }}-certs.{{ .Release.Namespace }}.svc
+    - {{ template "uppmax-integration.name" . }}-certs.{{ .Release.Namespace }}.svc.cluster.local
+  ipAddresses:
+    - 127.0.0.1
+  # Issuer references are always required.
+  issuerRef:
+    name: {{ template "TLSissuer" . }}
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: {{ ternary "Issuer" "ClusterIssuer" (empty .Values.global.tls.clusterIssuer )}}
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io
+{{- end -}}

charts/uppmax-integration/templates/deployment.yaml

@@ -37,19 +37,48 @@ spec:
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.imagePullPolicy | quote }}
         env:
+        - name: GLOBAL_CRYPT4GHKEY
+          value: /secrets/{{ .Values.global.crypt4ghKey }}
+        - name: GLOBAL_EGAUSER
+          valueFrom: 
+            secretKeyRef:
+              name: {{ include "uppmax-integration.name" . }}-secret
+              key: egaUser
+        - name: GLOBAL_EXPIRATIONDAYS
+          value: {{ .Values.global.expirationDays | quote }}
         - name: GLOBAL_ISS
           value: {{ .Values.global.iss }}
-        - name: GLOBAL_PATHTOKEY
-          value: {{ .Values.global.pathToKey }}
-        - name: GLOBAL_UPPMAXUSERNAME 
-          value: {{ .Values.global.uppmaxUsername }}
-        - name: GLOBAL_UPPMAXPASSWORD
-          value: {{ .Values.global.uppmaxPassword }}
+        - name: GLOBAL_JWTKEY
+          value: /secrets/{{ .Values.global.jwt.keyName }}
         - name: GLOBAL_S3URL
           value: {{ .Values.global.s3url }}
-        - name: GLOBAL_EXPIRATIONDAYS
-          value: {{ .Values.global.expirationDays | quote }}
-        - name: GLOBAL_EGAUSER
-          value: {{ .Values.global.egaUser }}
+        - name: GLOBAL_UPPMAXUSERNAME 
+          valueFrom: 
+            secretKeyRef:
+              name: {{ include "uppmax-integration.name" . }}-secret
+              key: uppmaxUsername
+        - name: GLOBAL_UPPMAXPASSWORD
+          valueFrom: 
+            secretKeyRef:
+              name: {{ include "uppmax-integration.name" . }}-secret
+              key: uppmaxPassword
         securityContext:
           allowPrivilegeEscalation: false
+        volumeMounts:
+        - name: keys
+          mountPath: /secrets/
+      volumes:
+        - name: keys
+          projected:
+            defaultMode: 0440
+            sources:
+            - secret:
+                name: {{ required "A secret for the JWT signing key is needed" .Values.global.jwt.secretName }}
+                items:
+                  - key: {{ required "The name of the JWT signing key is needed" .Values.global.jwt.keyName }}
+                    path: {{ .Values.global.jwt.keyName }}
+            - secret:
+                name: {{ required "A secret for the crypt4gh public key is needed" .Values.global.jwt.secretName }}
+                items:
+                  - key: {{ .Values.global.crypt4ghKey }}
+                    path: {{ .Values.global.crypt4ghKey }}

charts/uppmax-integration/templates/ingress.yaml

@@ -9,6 +9,11 @@ metadata:
     {{- end }}
     {{- with .Values.ingress.annotations }}
     {{- toYaml . | nindent 4 }}
+    {{- if .Values.ingress.clusterIssuer }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.clusterIssuer | quote }}
+    {{- else if .Values.ingress.issuer }}
+    cert-manager.io/issuer: {{ .Values.ingress.issuer | quote }}
+    {{- end }}
   {{- end }}
 spec:
 {{- if .Values.ingress.ingressClassName }}

charts/uppmax-integration/templates/secrets.yaml

@@ -4,11 +4,8 @@ metadata:
   name: {{ include "uppmax-integration.name" . }}-secret
 type: Opaque
 stringData:
-  iss: {{ .Values.global.iss | quote }}
-  pathToKey: {{ .Values.global.pathToKey | quote }}
   uppmaxUsername: {{ .Values.global.uppmaxUsername | quote }}
   uppmaxPassword: {{ .Values.global.uppmaxPassword | quote }}
-  s3url: {{ .Values.global.s3url | quote }}
-  expirationDays: {{ default 14 .Values.global.expirationDays | quote }}
   egaUser: {{ .Values.global.egaUser | quote }}
+  crypt4ghKey: {{ .Values.global.crypt4ghKey }}
 

charts/uppmax-integration/values.yaml

@@ -3,35 +3,22 @@
 # Declare variables to be passed into your templates.
 
 global:
-  iss: "https://login.test.ega.nbis.se"
-  pathToKey: "/vault/secrets/jwt.key"
-  uppmaxUsername: "uppmax"
-  uppmaxPassword: "uppmax"
-  s3url: "inbox.test.ega.nbis.se"
+  iss: ""
+  jwt:
+    keyName: ""
+    secretName: ""
+  uppmaxUsername: ""
+  uppmaxPassword: ""
+  s3url: ""
   expirationDays: "25"
-  egaUser: "ega-box-uppmax"
+  egaUser: ""
+  crypt4ghKey: ""
   tls:
     enabled: false
+    issuer: ""
+    clusterIssuer: ""
 
-podAnnotations:
-  "vault.hashicorp.com/agent-inject": "true"
-  "vault.hashicorp.com/role": "lega-auth"
-  "vault.hashicorp.com/agent-requests-cpu": "32m"
-  "vault.hashicorp.com/ca-cert": "/vault/tls/ca.crt"
-  "vault.hashicorp.com/tls-secret": "vault-ca"
-  "vault.hashicorp.com/agent-pre-populate": "false"
-  "vault.hashicorp.com/agent-run-as-user": "65534"
-  "vault.hashicorp.com/agent-inject-secret-ca.crt": "service-pki/cert/ca_chain"
-  "vault.hashicorp.com/agent-inject-template-ca.crt": |
-    {{- with secret "service-pki/cert/ca_chain" -}}
-    {{ .Data.certificate }}
-    {{- end -}}
-  "vault.hashicorp.com/agent-inject-secret-jwt.key": "transit/export/signing-key/jwt/1"
-  "vault.hashicorp.com/agent-inject-template-jwt.key": |
-    {{- with secret "transit/export/signing-key/jwt/1" -}}
-    {{ index .Data.keys "1" }}
-    {{- end -}}
-    
+podAnnotations: {}
 
 replicaCount: 1
 
@@ -52,7 +39,7 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: "federated-sda"
+  name: ""
 
 service:
   type: ClusterIP
@@ -71,8 +58,8 @@ resources:
     memory: 128Mi
 
 ingress:
-  hostName: "uppmax.test.ega.nbis.se"
-  protocol: "https"
+  hostName: ""
+  protocol: ""
   ingressClassName: "nginx"
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  clusterIssuer: ""
+  issuer: ""

config.yaml

@@ -1,9 +1,9 @@
 global:
-  crypt4ghKeyPath: ""
+  crypt4ghKey: ""
   egaUser: ""
   expirationDays: 14
   iss: ""
-  pathToKey: ""
+  jwtKey: ""
   s3url: ""
   uppmaxUsername: ""
   uppmaxPassword: ""

helpers/helpers.go

@@ -26,16 +26,16 @@ var Config Conf
 
 // Conf describes the configuration of the service
 type Conf struct {
-	PathToKey       string
-	Iss             string
+	Crypt4ghKeyPath string
+	Crypt4ghKey     string
+	EgaUser         string
 	ExpirationDays  int
+	Iss             string
+	JwtKeyPath      string
+	JwtParsedKey    *ecdsa.PrivateKey
+	S3URL           string
 	Username        string
 	Password        string
-	S3URL           string
-	EgaUser         string
-	ParsedKey       *ecdsa.PrivateKey
-	Crypt4ghKeyPath string
-	Crypt4ghKey     string
 }
 
 // NewConf reads the configuration from the config.yaml file
@@ -64,7 +64,7 @@ func NewConf(conf *Conf) (err error) {
 	}
 
 	requiredConfVars := []string{
-		"global.iss", "global.pathToKey", "global.uppmaxUsername", "global.uppmaxPassword", "global.s3url", "global.egaUser",
+		"global.iss", "global.crypt4ghKey", "global.uppmaxUsername", "global.uppmaxPassword", "global.s3url", "global.egaUser", "global.jwtKey",
 	}
 
 	for _, s := range requiredConfVars {
@@ -74,19 +74,19 @@ func NewConf(conf *Conf) (err error) {
 	}
 
 	conf.Iss = viper.GetString("global.iss")
-	conf.PathToKey = viper.GetString("global.pathToKey")
+	conf.JwtKeyPath = viper.GetString("global.jwtKey")
 	conf.Username = viper.GetString("global.uppmaxUsername")
 	conf.Password = viper.GetString("global.uppmaxPassword")
 	conf.S3URL = viper.GetString("global.s3url")
 	conf.EgaUser = viper.GetString("global.egaUser")
-	conf.Crypt4ghKeyPath = viper.GetString("global.crypt4ghKeyPath")
+	conf.Crypt4ghKeyPath = viper.GetString("global.crypt4ghKey")
 
 	if !viper.IsSet("global.expirationDays") {
 		conf.ExpirationDays = 14
 	} else {
 		conf.ExpirationDays = viper.GetInt("global.expirationDays")
 	}
-	conf.ParsedKey, err = parsePrivateECKey(conf.PathToKey)
+	conf.JwtParsedKey, err = parsePrivateECKey(conf.JwtKeyPath)
 	if err != nil {
 		return fmt.Errorf("Could not parse ec key")
 	}