diff --git a/.dev/aserto-local.yaml b/.dev/aserto-local.yaml new file mode 100644 index 0000000..e69de29 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e6f5e74..2dc7d8a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -90,6 +90,13 @@ jobs: TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }} run: | uv run --project tools/ktest tools/ktest/ktest.py charts/topaz/test/tests.yaml + - + name: Test Discovery + timeout-minutes: 10 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + uv run --project tools/ktest tools/ktest/ktest.py charts/discovery/test/tests.yaml - name: Deploy Postgres run: | diff --git a/charts/aserto-lib/Chart.yaml b/charts/aserto-lib/Chart.yaml index 30f0ac6..824a4f5 100644 --- a/charts/aserto-lib/Chart.yaml +++ b/charts/aserto-lib/Chart.yaml @@ -21,7 +21,7 @@ type: library # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.2.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/aserto-lib/templates/_global.tpl b/charts/aserto-lib/templates/_global.tpl index c02ba1e..4565e4a 100644 --- a/charts/aserto-lib/templates/_global.tpl +++ b/charts/aserto-lib/templates/_global.tpl @@ -12,6 +12,6 @@ Local values take precedence over global values. {{- $scope := first . }} {{- $key := index . 1}} {{- $global := (($scope.Values).global).aserto | default dict | dig $key dict }} -{{- $chart := $scope.Values.AsMap | dig $key dict }} +{{- $chart := ($scope.Values).AsMap | default dict | dig $key dict }} {{- merge $chart $global | toYaml }} {{- end }} 
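Review bot: The new `Test Discovery` step in `.github/workflows/ci.yaml` puts the sequence dash on a line of its own and `name:` on the next, while the neighbouring steps in the same hunk (`- name: Deploy Postgres`) use the single-line form; folding it to `- name: Test Discovery` keeps the step list uniform. The step exposes `secrets.GITHUB_TOKEN` as `GITHUB_TOKEN`, which `charts/discovery/test/tests.yaml` in this diff turns into a ghcr pull secret and registry token; a one-line comment on the `env:` block stating that this is the only reason the token is passed would help the next reader judge whether it is still needed. The enclosing `jobs:` block starts and ends outside the hunk.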
diff --git a/charts/aserto-lib/templates/_golangsvc.tpl b/charts/aserto-lib/templates/_golangsvc.tpl index 236fee1..f600594 100644 --- a/charts/aserto-lib/templates/_golangsvc.tpl +++ b/charts/aserto-lib/templates/_golangsvc.tpl @@ -42,7 +42,7 @@ read_timeout: {{ .read_timeout | default "2s"}} read_header_timeout: {{ .read_header_timeout | default "2s" }} write_timeout: {{ .write_timeout | default "2s" }} idle_timeout: {{ .idle_timeout | default "30s" }} -{{- with .cerSecret }} +{{- with .certSecret }} certs: tls_key_path: '/https-certs/tls.key' tls_cert_path: '/https-certs/tls.crt' diff --git a/charts/aserto/Chart.lock b/charts/aserto/Chart.lock index b39b060..3ee6599 100644 --- a/charts/aserto/Chart.lock +++ b/charts/aserto/Chart.lock @@ -1,21 +1,24 @@ dependencies: - name: aserto-lib repository: file://../aserto-lib - version: 0.2.0 + version: 0.2.1 - name: directory repository: file://../directory - version: 0.2.0 + version: 0.2.2 - name: authorizer repository: file://../authorizer - version: 0.1.8 + version: 0.1.9 - name: discovery repository: file://../discovery - version: 0.1.7 + version: 0.1.9 - name: console repository: file://../console - version: 0.1.7 + version: 0.1.8 - name: scim repository: file://../scim + version: 0.1.7 +- name: registry-proxy + repository: file://../registry-proxy version: 0.1.6 -digest: sha256:d188c2319b1f908c0a8618ad44e8953a62e86230842c85ddbcd1f1966b67c4b5 -generated: "2024-11-26T12:56:40.605962-05:00" +digest: sha256:aa36828e3a9be09c32aca35e76785be6fea7a9cce866cf929effed6c38216635 +generated: "2025-01-08T18:26:30.831721-05:00" diff --git a/charts/aserto/Chart.yaml b/charts/aserto/Chart.yaml index edde19d..5a95b2d 100644 --- a/charts/aserto/Chart.yaml +++ b/charts/aserto/Chart.yaml 
@@ -21,7 +21,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.11 +version: 0.1.12 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -31,20 +31,29 @@ appVersion: "0.1.0" dependencies: - name: aserto-lib - version: 0.2.0 + version: 0.2.1 repository: file://../aserto-lib - name: directory - version: 0.2.0 + version: 0.2.2 repository: file://../directory + condition: directory.enabled - name: authorizer - version: 0.1.8 + version: 0.1.9 repository: file://../authorizer + condition: authorizer.enabled - name: discovery - version: 0.1.7 + version: 0.1.9 repository: file://../discovery + condition: discovery.enabled - name: console - version: 0.1.7 + version: 0.1.8 repository: file://../console + condition: console.enabled - name: scim - version: 0.1.6 + version: 0.1.7 repository: file://../scim + condition: scim.enabled + - name: registry-proxy + version: 0.1.6 + repository: file://../registry-proxy + condition: registry-proxy.enabled diff --git a/charts/aserto/values.yaml b/charts/aserto/values.yaml index 4c82c01..2feb0ff 100644 --- a/charts/aserto/values.yaml +++ b/charts/aserto/values.yaml @@ -73,6 +73,7 @@ global: disableTLSVerification: true directory: + enabled: true # Kubernetes pull secret for private Aserto images. # imagePullSecrets: # - name: ghcr-creds @@ -116,6 +117,7 @@ directory: credentialsSecret: pg-ds-credentials discovery: + enabled: true # Kubernetes pull secret for private Aserto images. # imagePullSecrets: # - name: ghcr-creds 
@@ -133,6 +135,7 @@ discovery: # tokenSecretKey: token console: + enabled: false # Kubernetes pull secret for private Aserto images. # imagePullSecrets: # - name: ghcr-creds @@ -154,7 +157,8 @@ console: # e.g. https://directory.aserto.example.com directoryURL: "" -# authorizer: +authorizer: + enabled: true # # Kubernetes pull secret for private Aserto images. # imagePullSecrets: # - name: ghcr-creds @@ -165,7 +169,8 @@ console: # tag: x.y.z # pullPolicy: IfNotPresent -# scim: +scim: + enabled: false # # Kubernetes pull secret for private Aserto images. # imagePullSecrets: # - name: ghcr-creds @@ -203,3 +208,6 @@ console: # groupMemberRelation: memeber # groupMappings: [] # userMappings: [] + +registry-proxy: + enabled: false diff --git a/charts/authorizer/Chart.lock b/charts/authorizer/Chart.lock index 45a677d..3dc1eba 100644 --- a/charts/authorizer/Chart.lock +++ b/charts/authorizer/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: aserto-lib repository: file://../aserto-lib - version: 0.2.0 -digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272 -generated: "2024-11-26T12:20:11.279944-05:00" + version: 0.2.1 +digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93 +generated: "2024-12-17T16:09:37.112996+02:00" diff --git a/charts/authorizer/Chart.yaml b/charts/authorizer/Chart.yaml index eb03047..28f8621 100644 --- a/charts/authorizer/Chart.yaml +++ b/charts/authorizer/Chart.yaml @@ -21,7 +21,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.8 +version: 0.1.9 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
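Review bot: The `authorizer:` and `scim:` stanzas in `charts/aserto/values.yaml` are now live keys, but the lines below `enabled:` still carry the doubled prefix left from when the whole block was commented out (`# # Kubernetes pull secret for private Aserto images.`), unlike the `directory:` and `discovery:` stanzas in the earlier hunks that use a single `#`. Dropping the extra `#` keeps the documentation comments consistent and lets a reader uncomment a setting by removing one character. The new `registry-proxy:` stanza at the end of the file has only `enabled: false`; a short comment pointing at the subchart's values for image and pull-secret settings would match how the other stanzas are documented.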
@@ -31,5 +31,5 @@ appVersion: "0.14.8" dependencies: - name: aserto-lib - version: 0.2.0 + version: 0.2.1 repository: file://../aserto-lib diff --git a/charts/authorizer/templates/deployment.yaml b/charts/authorizer/templates/deployment.yaml index 685ad47..9461da9 100644 --- a/charts/authorizer/templates/deployment.yaml +++ b/charts/authorizer/templates/deployment.yaml @@ -50,15 +50,13 @@ spec: {{- end }} {{- end }} - {{- with (include "aserto-lib.rootClientCfg" . | fromYaml) }} - {{- if .caCertSecret }} + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} - name: root-ds-grpc-certs secret: - secretName: {{ .caCertSecret }} + secretName: {{ . }} items: - key: ca.crt - path: ca.crt - {{- end }} + path: ca.crt {{- end }} {{- with (include "aserto-lib.discoveryCfg" . | fromYaml) }} @@ -103,7 +101,7 @@ spec: readOnly: true {{- end }} - {{- if (include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret }} + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} - name: root-ds-grpc-certs mountPath: /root-ds-grpc-certs readOnly: true diff --git a/charts/console/Chart.lock b/charts/console/Chart.lock index baad547..47e355a 100644 --- a/charts/console/Chart.lock +++ b/charts/console/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: aserto-lib repository: file://../aserto-lib - version: 0.2.0 -digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272 -generated: "2024-11-26T12:31:22.063478-05:00" + version: 0.2.1 +digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93 +generated: "2024-12-17T16:09:37.348401+02:00" diff --git a/charts/console/Chart.yaml b/charts/console/Chart.yaml index 7058779..a45a204 100644 --- a/charts/console/Chart.yaml +++ b/charts/console/Chart.yaml 
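Review bot: Switching the volume and mount guards in `charts/authorizer/templates/deployment.yaml` to `((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name` changes the expected shape of `caCertSecret` from a plain string to a mapping with a `name` key; a values file that still sets the old string form would, as far as I can tell, fail to render with a field-lookup error rather than silently drop the volume. The same change appears in `charts/discovery/templates/deployment.yaml` and the new `charts/registry-proxy/templates/deployment.yaml` in this diff. I cannot see the `aserto-lib.rootClientCfg` helper, so if it normalises the string form this is fine; otherwise the values documentation and the aserto-lib version bump should call out the new `caCertSecret: {name: ...}` shape. The `volumes` and `volumeMounts` lists these hunks sit in begin and end outside the hunks.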
@@ -21,7 +21,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.7 +version: 0.1.8 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -31,5 +31,5 @@ appVersion: "0.1.14" dependencies: - name: aserto-lib - version: 0.2.0 + version: 0.2.1 repository: file://../aserto-lib diff --git a/charts/console/templates/deployment.yaml b/charts/console/templates/deployment.yaml index 50730f5..6cd87bb 100644 --- a/charts/console/templates/deployment.yaml +++ b/charts/console/templates/deployment.yaml @@ -55,12 +55,9 @@ spec: - name: DS0_TENANT_ID value: {{ .tenant_id }} {{- end }} - {{- with (include "aserto-lib.rootApiKeyEnv" . | fromYaml) }} + {{- with (include "aserto-lib.rootApiKeyEnv" .) }} - name: DS0_ROOT_KEY - valueFrom: - secretKeyRef: - name: {{ .secretName }} - key: {{ .secretKey }} + {{ . | nindent 14 }} {{- end }} livenessProbe: httpGet: diff --git a/charts/directory/Chart.lock b/charts/directory/Chart.lock index a090ca4..ee9df3f 100644 --- a/charts/directory/Chart.lock +++ b/charts/directory/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: aserto-lib repository: file://../aserto-lib - version: 0.2.0 -digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272 -generated: "2024-11-25T13:09:10.771435-05:00" + version: 0.2.1 +digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93 +generated: "2024-12-17T16:09:37.673499+02:00" diff --git a/charts/directory/Chart.yaml b/charts/directory/Chart.yaml index fca0e77..e6ac77d 100644 --- a/charts/directory/Chart.yaml +++ b/charts/directory/Chart.yaml 
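Review bot: The `DS0_ROOT_KEY` entry in `charts/console/templates/deployment.yaml` now splices the helper output with `{{ . | nindent 14 }}` straight from `include`, while `charts/discovery/templates/deployment.yaml` in this diff does the same job with `... | fromYaml` and `{{ . | toYaml | nindent 14 }}`; both presumably render the same `valueFrom` block, but the two charts should settle on one form so a later change to the helper behaves the same way in each. Since `nindent` begins with a newline, the indentation before `{{ . | nindent 14 }}` becomes trailing whitespace on the `- name: DS0_ROOT_KEY` line; `{{- . | nindent 14 }}` avoids that. The `env:` list continues outside the hunk, and I cannot see `aserto-lib.rootApiKeyEnv` to confirm its output shape.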
@@ -21,15 +21,15 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.2.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.33.1" +appVersion: "0.33.5" dependencies: - name: aserto-lib - version: 0.2.0 + version: 0.2.1 repository: file://../aserto-lib diff --git a/charts/directory/templates/_helpers.tpl b/charts/directory/templates/_helpers.tpl index f3bc67d..7d5316a 100644 --- a/charts/directory/templates/_helpers.tpl +++ b/charts/directory/templates/_helpers.tpl @@ -67,14 +67,14 @@ Create the name of the service account to use {{- end -}} {{- if .keysSecret -}} - key: {{ printf "${TENANT_%s_WRITER_KEY}" (replace "." "_" .name | upper) }} - account: directory-client-writer@{{ .id }}.aserto.com + account: ma:{{ .id }}:directory-client-writer - key: {{ printf "${TENANT_%s_READER_KEY}" (replace "." "_" .name | upper) }} - account: directory-client-reader@{{ .id }}.aserto.com + account: ma:{{ .id }}:directory-client-reader {{- else if .keys -}} - key: {{ .keys.writer | required "tenants[].keys.writer is required" }} - account: directory-client-writer@{{ .id }}.aserto.com + account: ma:{{ .id }}:directory-client-writer - key: {{ .keys.reader | required "tenants[].keys.reader is required" }} - account: directory-client-reader@{{ .id }}.aserto.com + account: ma:{{ .id }}:directory-client-reader {{- else -}} {{ fail "all tenants must include either 'keys' or 'keysSecret'" }} {{- end }} 
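Review bot: The new account identity format `ma:{{ .id }}:directory-client-writer` in `charts/directory/templates/_helpers.tpl` is spelled out four times across the `keysSecret` and `keys` branches, so the next format change has to be made in four places again; a single expression such as `account: {{ printf "ma:%s:directory-client-%s" .id "writer" }}` (and `"reader"`) would keep them in step. Nothing in the hunk records why the `@<id>.aserto.com` form was replaced, and this chart's `appVersion` moves to `0.33.5` in the same diff; if the directory image only accepts the `ma:` form from that version on, a comment saying so next to these lines would save the next maintainer a bisect. The define these lines belong to starts and ends outside the hunk.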
diff --git a/charts/directory/templates/db_credentials.yaml b/charts/directory/templates/db_credentials.yaml index a8a7bc2..ae2e899 100644 --- a/charts/directory/templates/db_credentials.yaml +++ b/charts/directory/templates/db_credentials.yaml @@ -1,5 +1,5 @@ {{- $rootData := (lookup "v1" "Secret" .Release.Namespace .Values.rootDirectory.database.reader.credentialsSecret).data -}} -{{- if empty $rootData -}} +{{- if empty $rootData }} --- apiVersion: v1 kind: Secret @@ -11,7 +11,7 @@ data: {{- end }} {{- $tenantData := (lookup "v1" "Secret" .Release.Namespace .Values.tenantDirectory.database.reader.credentialsSecret).data -}} -{{- if empty $tenantData -}} +{{- if empty $tenantData }} --- apiVersion: v1 kind: Secret diff --git a/charts/directory/test/no-tls.values.yaml b/charts/directory/test/no-tls.values.yaml index d08d30c..3b62eae 100644 --- a/charts/directory/test/no-tls.values.yaml +++ b/charts/directory/test/no-tls.values.yaml @@ -1,6 +1,6 @@ --- image: - tag: 0.33.2-3e32438c-amd64 + tag: 0.33.5 imagePullSecrets: - name: ghcr-creds diff --git a/charts/directory/test/tls.values.yaml b/charts/directory/test/tls.values.yaml index 95ded50..9216267 100644 --- a/charts/directory/test/tls.values.yaml +++ b/charts/directory/test/tls.values.yaml @@ -1,6 +1,6 @@ --- image: - tag: 0.33.2-3e32438c-amd64 + tag: 0.33.5 imagePullSecrets: - name: ghcr-creds diff --git a/charts/discovery/Chart.lock b/charts/discovery/Chart.lock index a386b76..75256a3 100644 --- a/charts/discovery/Chart.lock +++ b/charts/discovery/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: aserto-lib repository: file://../aserto-lib - version: 0.2.0 -digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272 -generated: "2024-11-26T12:31:46.527788-05:00" + version: 0.2.1 +digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93 +generated: "2024-12-17T16:09:37.936693+02:00" 
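Review bot: Dropping the trailing `-` from `{{- if empty $rootData }}` and `{{- if empty $tenantData }}` in `charts/directory/templates/db_credentials.yaml` is a behavioural fix rather than a whitespace tidy-up, and nothing in the template says so: with `-}}` the newline before `---` was trimmed, so when the root Secret rendered, the second document's `---` would have been appended to the end of its last `data` line. A template comment such as `{{/* no "-" on the right: the newline must survive so "---" starts its own line */}}` above each `if` would keep a future cleanup from reintroducing the trim. I cannot see the lines between the two hunks, so this is inferred from the hunk edges.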
diff --git a/charts/discovery/Chart.yaml b/charts/discovery/Chart.yaml index c212734..3f81ffd 100644 --- a/charts/discovery/Chart.yaml +++ b/charts/discovery/Chart.yaml @@ -21,15 +21,15 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.7 +version: 0.1.9 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.3" +appVersion: "0.1.4" dependencies: - name: aserto-lib - version: 0.2.0 + version: 0.2.1 repository: file://../aserto-lib diff --git a/charts/discovery/templates/api_keys.yaml b/charts/discovery/templates/api_keys.yaml index eebb233..3c7b98b 100644 --- a/charts/discovery/templates/api_keys.yaml +++ b/charts/discovery/templates/api_keys.yaml @@ -1,13 +1,10 @@ --- {{- $cfg := .Values.apiKey -}} -{{- $data := (lookup "v1" "Secret" .Release.Namespace $cfg.secretName).data }} +{{- if empty (lookup "v1" "Secret" .Release.Namespace $cfg.secretName).data }} apiVersion: v1 kind: Secret metadata: name: {{ $cfg.secretName }} -data: - {{- if $data }} - {{ $cfg.secretKey }}: {{ get $data $cfg.secretKey }} - {{- else }} - {{ $cfg.secretKey }}: {{ randAlphaNum 20 | b64enc }} - {{- end }} +data: + {{ $cfg.secretKey }}: {{ randAlphaNum 20 | b64enc }} +{{- end }} \ No newline at end of file diff --git a/charts/discovery/templates/config.yaml b/charts/discovery/templates/config.yaml index e018dc2..6a8fa36 100644 --- a/charts/discovery/templates/config.yaml +++ b/charts/discovery/templates/config.yaml 
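Review bot: With `charts/discovery/templates/api_keys.yaml` now rendering the Secret only when `lookup` finds no existing data, an upgrade of a release that created `{{ $cfg.secretName }}` on install produces a manifest without it, and Helm deletes resources that disappear from the rendered manifest between revisions; the following upgrade then takes the generate branch and issues a fresh `randAlphaNum 20` key, rotating it without anyone asking. The previous version avoided this by re-emitting the existing value. If the intent is that Helm stops managing the key after first creation, add `annotations:` with `helm.sh/resource-policy: keep` under `metadata` so the object survives removal from the manifest, and note in a comment that `helm template` and `--dry-run` always take the generate branch because `lookup` returns nothing there. The same `if empty (lookup ...)` shape is used in `charts/directory/templates/db_credentials.yaml` in this diff and deserves the same check.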
@@ -37,13 +37,25 @@ stringData: ds0: {{- include "aserto-lib.rootDirectoryClient" . | nindent 6 }} + authorization: + enabled: {{ .Values.authorization.enabled }} + ignored_methods: + - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo + - /grpc.reflection.v1.ServerReflection.ServerReflectionInfo + - /aserto.common.info.v1.Info/Info + authentication: authenticators_enabled: root_key: true + {{- with .Values.oidc }} oidc: true + {{- end }} + {{- with .Values.oidc -}} + foobar: no oidc: {{- include "aserto-lib.oidcConfig" . | nindent 8 }} + {{- end }} root_keys: keys: diff --git a/charts/discovery/templates/deployment.yaml b/charts/discovery/templates/deployment.yaml index 8b43179..6b5a30a 100644 --- a/charts/discovery/templates/deployment.yaml +++ b/charts/discovery/templates/deployment.yaml @@ -50,15 +50,13 @@ spec: {{- end }} {{- end }} - {{- with (include "aserto-lib.rootClientCfg" . | fromYaml) }} - {{- if .caCertSecret }} + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} - name: root-ds-grpc-certs secret: - secretName: {{ .caCertSecret }} + secretName: {{ . }} items: - key: ca.crt - path: ca.crt - {{- end }} + path: ca.crt {{- end }} containers: @@ -90,7 +88,7 @@ spec: readOnly: true {{- end }} - {{- if (include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret }} + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} - name: root-ds-grpc-certs mountPath: /root-ds-grpc-certs readOnly: true @@ -106,10 +104,7 @@ spec: {{- with (include "aserto-lib.rootApiKeyEnv" . | fromYaml) }} - name: DISCOVERY_DS0_API_KEY - valueFrom: - secretKeyRef: - name: {{ .secretName }} - key: {{ .secretKey }} + {{ . | toYaml | nindent 14 }} {{- end }} {{- include "discovery.registriesEnv" . | nindent 12 }} diff --git a/charts/discovery/templates/hpa.yaml b/charts/discovery/templates/hpa.yaml index 47f9a8a..f642ba9 100644 --- a/charts/discovery/templates/hpa.yaml +++ b/charts/discovery/templates/hpa.yaml 
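Review bot: `foobar: no` inside the second `{{- with .Values.oidc -}}` block in `charts/discovery/templates/config.yaml` looks like a debugging leftover; when OIDC is configured it lands in the service's `config.yaml` as an unknown key (and `no` reads as boolean false to a YAML 1.1 parser), while the default values leave `oidc` null so neither the chart defaults nor the `no-tls` CI test in this diff would ever render it. The right-hand `-` on that `with` also trims the newline and indentation that follow it, so as far as I can trace the output, the first emitted token would be glued onto the preceding `oidc: true` line. Deleting the `foobar: no` line and writing `{{- with .Values.oidc }}` fixes both. The `ignored_methods` entries bypass authorization; a comment naming why reflection and `Info` are exempt would help reviewers of later additions to that list.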
@@ -2,14 +2,14 @@ apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ include "authorizer.fullname" . }} + name: {{ include "discovery.fullname" . }} labels: - {{- include "authorizer.labels" . | nindent 4 }} + {{- include "discovery.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ include "authorizer.fullname" . }} + name: {{ include "discovery.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: diff --git a/charts/discovery/templates/ingress.yaml b/charts/discovery/templates/ingress.yaml index 29238b7..39e905b 100644 --- a/charts/discovery/templates/ingress.yaml +++ b/charts/discovery/templates/ingress.yaml @@ -1,5 +1,5 @@ {{- if .Values.ingress.enabled -}} -{{- $fullName := include "authorizer.fullname" . -}} +{{- $fullName := include "discovery.fullname" . -}} {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} @@ -16,7 +16,7 @@ kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "authorizer.labels" . | nindent 4 }} + {{- include "discovery.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/discovery/templates/serviceaccount.yaml b/charts/discovery/templates/serviceaccount.yaml index 58df5d5..a13f5fc 100644 --- a/charts/discovery/templates/serviceaccount.yaml +++ b/charts/discovery/templates/serviceaccount.yaml 
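Review bot: The renames in `charts/discovery/templates/hpa.yaml` now point the autoscaler at the discovery Deployment, but the object still declares `apiVersion: autoscaling/v2beta1` (first context line of the hunk), which Kubernetes stopped serving in 1.25; on any current cluster the corrected HPA is rejected before the name fix matters. Moving to `apiVersion: autoscaling/v2` also changes the metric target fields if the `metrics:` block below the hunk still uses the v2beta1 names, so that part of the file needs the same pass. The `discovery.fullname` and `discovery.labels` helpers are assumed to exist in this chart's `_helpers.tpl`, which is not part of the diff.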
@@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "authorizer.serviceAccountName" . }} + name: {{ include "discovery.serviceAccountName" . }} labels: - {{- include "authorizer.labels" . | nindent 4 }} + {{- include "discovery.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/discovery/test/data/objects.json b/charts/discovery/test/data/objects.json new file mode 100644 index 0000000..da5c85a --- /dev/null +++ b/charts/discovery/test/data/objects.json @@ -0,0 +1,25 @@ +{ + "objects": [ + { + "type": "tenant", + "id": "4f71c224-e742-11ee-86df-00ba61ff9342" + }, + { + "type": "policy-instance", + "id": "4f71c224-e742-11ee-86df-00ba61ff9342/test-policy", + "display_name": "test policy instance", + "properties": { + "policy": { + "instance_label": "test-policy", + "name": "test-policy" + }, + "registry": { + "host": "ghcr.io", + "org": "aserto-policies", + "repo": "policy-peoplefinder-rbac", + "tag": "latest" + } + } + } + ] +} diff --git a/charts/discovery/test/data/relations.json b/charts/discovery/test/data/relations.json new file mode 100644 index 0000000..eece706 --- /dev/null +++ b/charts/discovery/test/data/relations.json @@ -0,0 +1,11 @@ +{ + "relations": [ + { + "object_type": "tenant", + "object_id": "4f71c224-e742-11ee-86df-00ba61ff9342", + "relation": "policy", + "subject_type": "policy-instance", + "subject_id": "4f71c224-e742-11ee-86df-00ba61ff9342/test-policy" + } + ] +} diff --git a/charts/discovery/test/manifest.yaml b/charts/discovery/test/manifest.yaml new file mode 100644 index 0000000..6db1979 --- /dev/null +++ b/charts/discovery/test/manifest.yaml @@ -0,0 +1,14 @@ +# yaml-language-server: $schema=https://www.topaz.sh/schema/manifest.json +--- + +# model +model: + version: 3 + +# object type definitions +types: + tenant: + relations: + policy: policy-instance + + policy-instance: {} 
diff --git a/charts/discovery/test/no-tls.values.yaml b/charts/discovery/test/no-tls.values.yaml new file mode 100644 index 0000000..1a2116a --- /dev/null +++ b/charts/discovery/test/no-tls.values.yaml @@ -0,0 +1,21 @@ +--- +image: + tag: 0.1.4 + +imagePullSecrets: + - name: ghcr-creds + +apiKey: + secretName: discovery-keys + secretKey: api-key + +rootDS: + address: "topaz.discovery-no-tls.svc.cluster.local:8282" + apiKey: " " + noTLS: true + +registries: + ghcr.io: + scheme: bearer + tokenSecretName: discovery-ghcr-token + tokenSecretKey: token diff --git a/charts/discovery/test/tests.yaml b/charts/discovery/test/tests.yaml new file mode 100644 index 0000000..47d4024 --- /dev/null +++ b/charts/discovery/test/tests.yaml @@ -0,0 +1,35 @@ +--- +tests: + - name: discovery-no-tls + pull_secret: $GITHUB_TOKEN + deployments: + - chart: topaz + ports: + 8282: 8282 + 8383: 8383 + - chart: discovery + values: no-tls.values.yaml + ports: + 18383: 8383 + secrets: + - name: discovery-keys + values: + api-key: discovery-root-key + - name: discovery-ghcr-token + values: + token: ghuser:$GITHUB_TOKEN + run: + - > + ${TOPAZ:-topaz} ds set manifest charts/discovery/test/manifest.yaml + -H localhost:8282 --plaintext + - > + ${TOPAZ:-topaz} ds import --directory charts/discovery/test/data + -H localhost:8282 --plaintext + - > + curl http://localhost:18383/api/v1/info + - > + curl -H "Authorization:basic discovery-root-key" -H "aserto-tenant-id:4f71c224-e742-11ee-86df-00ba61ff9342" + http://localhost:18383/api/v2/discovery/test-policy/test-policy/opa + cleanup: + - > + exit 0 diff --git a/charts/discovery/values.yaml b/charts/discovery/values.yaml index 3906d14..01fb3c9 100644 --- a/charts/discovery/values.yaml +++ b/charts/discovery/values.yaml @@ -1,3 +1,4 @@ +--- # Default values for directory. # This is a YAML-formatted file. # Declare variables to be passed into your templates. 
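Review bot: `apiKey: " "` under `rootDS` in `charts/discovery/test/no-tls.values.yaml` sets the root directory key to a single space, and nothing explains it; presumably it is a placeholder that satisfies a non-empty check while the test topaz instance runs without authentication, but a reader cannot tell that from a lone space. A comment such as `apiKey: " "  # placeholder: the test topaz has no auth; a non-empty value is still required` (adjusted to the real reason) would stop someone from "fixing" it to an empty string. `tag: 0.1.4` is safe as a plain scalar only because the second dot keeps it a string; quoting it as `appVersion` is quoted elsewhere in the repo would make that deliberate.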
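Review bot: The two `curl` checks in the `run:` list of `charts/discovery/test/tests.yaml` have no `--fail`, so an HTTP 401 or 500 from `/api/v1/info` or the `/opa` discovery endpoint prints the body and exits 0, and unless `ktest` inspects the response (I cannot see it) the test passes on a broken deployment; `curl --fail --silent --show-error ...` on both calls makes the step fail on non-2xx. The second call hard-codes the tenant id and the `discovery-root-key` basic credential that the `secrets:` block above seeds, which is fine for a local test but worth a comment so nobody mistakes it for a real credential. `cleanup:` containing only `exit 0` is a no-op and could be dropped if `ktest` accepts an empty list.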
@@ -8,10 +9,10 @@ image: # Overrides the image tag whose default is the chart appVersion. # tag: x.y.z -# REQUIRED: specify and OIDC domain and audience +# Optional: OpenID Connect domain and audience. oidc: - domain: "" - audience: "" +# domain: "" +# audience: "" apiKey: secretName: discovery-keys @@ -24,6 +25,8 @@ registries: # tokenSecretName: discovery-ghcr-token # tokenSecretKey: token +authorization: + enabled: false bundleDefaults: responseHeaderTimeoutSeconds: 60 diff --git a/charts/registry-proxy/Chart.lock b/charts/registry-proxy/Chart.lock new file mode 100644 index 0000000..df14422 --- /dev/null +++ b/charts/registry-proxy/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: aserto-lib + repository: file://../aserto-lib + version: 0.2.1 +digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93 +generated: "2024-12-17T16:14:52.214206+02:00" diff --git a/charts/registry-proxy/Chart.yaml b/charts/registry-proxy/Chart.yaml new file mode 100644 index 0000000..1925731 --- /dev/null +++ b/charts/registry-proxy/Chart.yaml 
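Review bot: `authorization:` / `enabled: false` is added to `charts/discovery/values.yaml` with no comment on what the flag gates, while `charts/discovery/templates/config.yaml` in this diff feeds it to the service's `authorization.enabled` next to an `ignored_methods` list; a line such as `# Enforce authorization on discovery API calls (reflection and Info methods are always exempt).` above it would make the values file self-explanatory. With its children commented out, `oidc:` now parses as null, which the `with .Values.oidc` guards in the config template handle, but `oidc: {}` states the "unset" case explicitly and still evaluates as empty in `with`. The `apiKey:` block below the hunk is unchanged.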
@@ -0,0 +1,35 @@ +--- +apiVersion: v2 +name: registry-proxy +description: A Helm chart for the Aserto Registry Proxy service +icon: https://www.aserto.com/images/aserto-logo.png + +maintainers: + - name: Aserto + url: https://github.com/aserto-dev + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.6 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.14.8" + +dependencies: + - name: aserto-lib + version: 0.2.1 + repository: file://../aserto-lib diff --git a/charts/registry-proxy/templates/NOTES.txt b/charts/registry-proxy/templates/NOTES.txt new file mode 100644 index 0000000..3d6e2dd --- /dev/null +++ b/charts/registry-proxy/templates/NOTES.txt 
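Review bot: The new `charts/registry-proxy/Chart.yaml` ships with `appVersion: "0.14.8"`, the same value the authorizer chart carries in this diff, and with `version: 0.1.6` rather than an initial version; both look inherited from the chart this one was copied from. `appVersion` is not cosmetic here: the registry-proxy deployment template in this diff builds the image as `{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}`, so a stale value pulls the wrong image whenever `image.tag` is left unset. Please confirm the registry-proxy release that matches, and add a comment on `version:` if starting at 0.1.6 is deliberate (for example to line up with the umbrella chart's dependency entry).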
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "registry-proxy.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "registry-proxy.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "registry-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "registry-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export HTTPS_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + export GRPC_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[1].containerPort}") + echo "gRPC Service exposed on http://127.0.0.1:8282" + echo "REST Service exposed on http://127.0.0.1:8383" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8282:$GRPC_PORT 8383:$HTTPS_PORT +{{- end }} 
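Review bot: The `ClusterIP` branch of `charts/registry-proxy/templates/NOTES.txt` reads `HTTPS_PORT` from `ports[0]` and `GRPC_PORT` from `ports[1]` and then port-forwards `8282:$GRPC_PORT`, but the registry-proxy deployment in this diff declares only `https` and `metrics` container ports, so the second jsonpath resolves to the metrics port and the "gRPC Service exposed on http://127.0.0.1:8282" line is misleading. The `NodePort` and `LoadBalancer` branches print `http://` URLs even though the only application port is named `https`; whether plain HTTP is served on it is not visible here. Trimming the block to the ports the chart actually exposes (drop `GRPC_PORT` and the 8282 lines, and print the scheme the service really uses) would keep the post-install notes honest.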
diff --git a/charts/registry-proxy/templates/_helpers.tpl b/charts/registry-proxy/templates/_helpers.tpl new file mode 100644 index 0000000..7ef954e --- /dev/null +++ b/charts/registry-proxy/templates/_helpers.tpl 
@@ -0,0 +1,77 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "registry-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "registry-proxy.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "registry-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "registry-proxy.labels" -}} +helm.sh/chart: {{ include "registry-proxy.chart" . }} +{{ include "registry-proxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "registry-proxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "registry-proxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "registry-proxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "registry-proxy.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Local cluster address +*/}} +{{- define "registry-proxy.clusterAddress" -}} +{{ include "registry-proxy.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ include "aserto-lib.grpcPort" . }} +{{- end }} + + +{{- define "registry-proxy.gatewayService" }} +{{ include "aserto-lib.httpsService" . }} +{{- $cfg := include "aserto-lib.httpsConfig" . | fromYaml }} +allowed_headers: +{{- $cfg.allowed_headers | default (list "Aserto-Tenant-Id" "Authorization" "Content-Type" "Depth") | toYaml | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/registry-proxy/templates/config.yaml b/charts/registry-proxy/templates/config.yaml new file mode 100644 index 0000000..85192a3 --- /dev/null +++ b/charts/registry-proxy/templates/config.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "registry-proxy.fullname" . }}-config + labels: + {{- include "registry-proxy.labels" . | nindent 4 }} +stringData: + config.yaml: | + --- + version: 1 + logging: + prod: true + log_level: {{ .Values.logLevel | default "info" }} + api: + health: + listen_address: "0.0.0.0:{{ include "aserto-lib.healthPort" . }}" + metrics: + {{- include "aserto-lib.metricsService" . | nindent 8 }} + service: + {{- include "registry-proxy.gatewayService" . | nindent 8 }} + + remote_registry: + endpoint: {{ .Values.remoteEndpointURL | required "registry endpoint URL is required" }} + {{- if .Values.remoteEndpointScheme }} + scheme: {{.Values.remoteEndpointScheme }} + {{- end }} + {{- if .Values.remoteEndpointToken }} + token: {{.Values.remoteEndpointToken}} + {{- end}} + + nats_listener: + enabled: false #set to true to enable manifest pushed notifications + + cache_settings: + type: "freecache" + cache_config: + freecache_size: 5000000 + ttl: 900000000000 # 15 minutes \ No newline at end of file 
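Review bot: `registry-proxy.clusterAddress` in `charts/registry-proxy/templates/_helpers.tpl` advertises `...svc.cluster.local:{{ include "aserto-lib.grpcPort" . }}`, but the chart's deployment in this diff exposes only `https` and `metrics` container ports and no gRPC listener, so the address names a port nothing serves; if the helper is unused it should go, and if it is consumed elsewhere it should take the HTTPS port, for example from `(include "aserto-lib.selfPorts" . | fromYaml).https` as the deployment does. `registry-proxy.gatewayService` is the one define in the file without a `{{/* ... */}}` header; a line such as `{{/* HTTPS gateway service config, with CORS allowed_headers defaulted for the proxy */}}` would match the others. The file also ends without a trailing newline, per the `\ No newline at end of file` marker.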
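Review bot: `token: {{.Values.remoteEndpointToken}}` and `endpoint: {{ .Values.remoteEndpointURL | required ... }}` in `charts/registry-proxy/templates/config.yaml` are rendered as plain scalars; a token or URL containing `: `, ` #` or a leading special character breaks the embedded `config.yaml`, so both should be piped through `quote` (`token: {{ .Values.remoteEndpointToken | quote }}`). The token is a credential taken straight from values, whereas the discovery chart in this diff references registry tokens through `tokenSecretName`/`tokenSecretKey`; offering the same secret-reference form here would keep the credential out of plain values files and consistent across charts. Spacing inside the braces (`{{.Values.remoteEndpointScheme }}`) differs from the rest of the file, and the `nats_listener` inline comment is missing the space after `#`.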
diff --git a/charts/registry-proxy/templates/deployment.yaml b/charts/registry-proxy/templates/deployment.yaml new file mode 100644 index 0000000..d719723 --- /dev/null +++ b/charts/registry-proxy/templates/deployment.yaml 
@@ -0,0 +1,123 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "registry-proxy.fullname" . }} + labels: + {{- include "registry-proxy.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "registry-proxy.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "registry-proxy.selectorLabels" . | nindent 8 }} + spec: + {{- include "aserto-lib.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "registry-proxy.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + volumes: + - name: config + secret: + secretName: {{ include "registry-proxy.fullname" . }}-config + items: + - key: config.yaml + path: config.yaml + - name: grpc-certs + {{- with include "aserto-lib.grpcConfig" . | fromYaml }} + {{- if .certSecret }} + secret: + secretName: {{ .certSecret }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + - name: https-certs + {{- with (include "aserto-lib.httpsConfig" . | fromYaml) }} + {{- if .certSecret }} + secret: + secretName: {{ .certSecret }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} + - name: root-ds-grpc-certs + secret: + secretName: {{ . }} + items: + - key: ca.crt + path: ca.crt + {{- end }} + + {{- with (include "aserto-lib.discoveryCfg" . 
| fromYaml) }} + {{- if .httpsCertSecret }} + - name: discovery-https-certs + secret: + secretName: {{ .httpsCertSecret }} + items: + - key: ca.crt + path: ca.crt + {{- end }} + {{- end }} + + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + args: ["run", "--config", "/config/config.yaml"] + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} + - name: https + containerPort: {{ .https }} + - name: metrics + containerPort: {{ .metrics }} + {{- end }} + volumeMounts: + - name: config + mountPath: /config + readOnly: true + - name: https-certs + mountPath: /https-certs + {{- if (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }} + readOnly: true + {{- end }} + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} + - name: root-ds-grpc-certs + mountPath: /root-ds-grpc-certs + readOnly: true + {{- end }} + + {{- with (include "aserto-lib.selfPorts" . | fromYaml )}} + livenessProbe: + grpc: + port: {{ .health }} + readinessProbe: + grpc: + port: {{ .health }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/registry-proxy/templates/hpa.yaml b/charts/registry-proxy/templates/hpa.yaml new file mode 100644 index 0000000..3804f1c --- /dev/null +++ b/charts/registry-proxy/templates/hpa.yaml 
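Review bot: The `grpc-certs` and `discovery-https-certs` volumes declared in the pod spec are never referenced under `volumeMounts` (only `config`, `https-certs` and `root-ds-grpc-certs` are mounted), and the container exposes only `https` and `metrics` ports although `aserto-lib.selfPorts` is read for them; either the proxy does not serve gRPC, in which case both volumes are dead and should be dropped, or it needs `- name: grpc containerPort: {{ .grpc }}` plus a `/grpc-certs` mount — I cannot tell which from the hunk. Both `securityContext` entries come straight from values that default to `{}` in this change, so the proxy runs as whatever user the image picks with full capabilities; since the only writable mount it needs is the `https-certs` emptyDir, hardened defaults (`runAsNonRoot`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem`) look safe to enable, subject to confirming the image's user id. The `https-certs` mount being writable only when no `certSecret` is set is presumably so the service can generate self-signed certs; a one-line `# writable so the service can self-sign when no certSecret is supplied` comment would stop someone "fixing" it to `readOnly: true`.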
@@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "registry-proxy.fullname" . }} + labels: + {{- include "registry-proxy.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "registry-proxy.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/registry-proxy/templates/ingress.yaml b/charts/registry-proxy/templates/ingress.yaml new file mode 100644 index 0000000..93c6ef8 --- /dev/null +++ b/charts/registry-proxy/templates/ingress.yaml 
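Review bot: `apiVersion: autoscaling/v2beta1` was removed in Kubernetes 1.26, so this template fails to apply on current clusters whenever `autoscaling.enabled` is true, even though the sibling ingress template in this change already switches API versions on `.Capabilities.KubeVersion`. Use `autoscaling/v2`, whose Resource metric uses `target: {type: Utilization, averageUtilization: N}` instead of `targetAverageUtilization`; the rewritten metrics block is below.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```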
@@ -0,0 +1,58 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "registry-proxy.fullname" . -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "registry-proxy.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + - path: / + {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: Prefix + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + name: {{ .port }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ .port }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/registry-proxy/templates/service.yaml b/charts/registry-proxy/templates/service.yaml new file mode 100644 index 0000000..0943e06 --- /dev/null +++ b/charts/registry-proxy/templates/service.yaml 
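Review bot: With `ingress.tls` defaulting to `[]` and the `tls:` stanza emitted only when it is set, turning on `ingress.enabled` publishes the registry proxy over plain HTTP, and this chart's own test logs in with `-u/-p`, i.e. registry credentials travel in the `Authorization` header; a values comment such as `# tls is strongly recommended: clients send registry credentials in Authorization` above `tls: []`, or a `required` check when the ingress is enabled, would prevent accidental cleartext exposure. The rules also hardcode `path: /` / `pathType: Prefix` and never read the `paths:` list that values.yaml declares under `ingress.hosts`, so that key is silently dead — iterate `.paths` or remove it from values. If the `grpc` host is meant to work through the ingress, the controller typically needs a backend-protocol annotation that nothing in this chart sets by default (`ingress.annotations: {}`); worth a comment next to that host entry.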
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "registry-proxy.fullname" . }} + labels: + {{- include "registry-proxy.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - name: https + port: {{ include "aserto-lib.httpsPort" . }} + targetPort: https + - name: grpc + port: {{ include "aserto-lib.grpcPort" . }} + targetPort: grpc + - name: metrics + port: {{ include "aserto-lib.metricsPort" . }} + targetPort: metrics + selector: + {{- include "registry-proxy.selectorLabels" . | nindent 4 }} diff --git a/charts/registry-proxy/templates/serviceaccount.yaml b/charts/registry-proxy/templates/serviceaccount.yaml new file mode 100644 index 0000000..ccfbbb1 --- /dev/null +++ b/charts/registry-proxy/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "registry-proxy.serviceAccountName" . }} + labels: + {{- include "registry-proxy.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/registry-proxy/tests/test-values.yaml b/charts/registry-proxy/tests/test-values.yaml new file mode 100644 index 0000000..c293a42 --- /dev/null +++ b/charts/registry-proxy/tests/test-values.yaml @@ -0,0 +1,2 @@ +--- +remoteEndpointURL: "ghcr.io" \ No newline at end of file diff --git a/charts/registry-proxy/tests/tests.yaml b/charts/registry-proxy/tests/tests.yaml new file mode 100644 index 0000000..c21b0b0 --- /dev/null +++ b/charts/registry-proxy/tests/tests.yaml 
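Review bot: The `grpc` Service port uses `targetPort: grpc`, but the Deployment in this change names only `https` and `metrics` container ports, so the named target does not resolve and connections to the gRPC port go nowhere — and `registry-proxy.clusterAddress` in `_helpers.tpl` advertises exactly this port. Either add a `grpc` containerPort to the Deployment or drop the port here; if the proxy is HTTPS-only, `registry-proxy.clusterAddress` should switch to `aserto-lib.httpsPort` so in-cluster callers are not pointed at a dead port.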
@@ -0,0 +1,19 @@ +--- +tests: + - name: registry-proxy-test + pull_secret: $GITHUB_TOKEN + deployments: + - chart: registry-proxy + values: test-values.yaml + ports: + 8383: 8383 + run: + - > + ${POLICY:-policy} login -s localhost:8383 -u $GITHUB_USER -p $GITHUB_TOKEN -d --insecure + - > + time ${POLICY:-policy} pull localhost:8383/aserto-policies/policy-todo:latest --insecure + - > + time ${POLICY:-policy} pull localhost:8383/aserto-policies/policy-todo:latest --insecure + cleanup: + - > + exit 0 diff --git a/charts/registry-proxy/values.yaml b/charts/registry-proxy/values.yaml new file mode 100644 index 0000000..2ae2976 --- /dev/null +++ b/charts/registry-proxy/values.yaml 
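Review bot: Both `policy` invocations pass `--insecure`, which disables TLS verification, while the login step sends `$GITHUB_TOKEN` as the password; that is acceptable only because the port-forward targets a localhost listener with a chart-generated self-signed cert, but nothing in the file says so and a copy into a non-local target would push the token over an unverified channel. Add `# --insecure: localhost port-forward with self-signed cert only` above `run:`, and a note that the second identical `pull` presumably measures a proxy cache hit (the `time` prefix suggests that intent, but confirm). `cleanup: exit 0` also leaves whatever credential `policy login` persisted on the runner in place; if the CLI stores logins, a `logout` step is the right cleanup.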
@@ -0,0 +1,88 @@ +# Default values for directory. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + repository: ghcr.io/aserto-dev/registry-proxy + pullPolicy: IfNotPresent + tag: 0.0.2 + # Overrides the image tag whose default is the chart appVersion. + # tag: x.y.z + +# Set the service log level (trace/debug/info/warn/error) +# logLevel: info + +replicaCount: 1 + +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: false + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: registry-proxy.example.com + port: https + - host: grpc.registry-proxy.example.com + port: grpc + paths: + - path: / + pathType: Prefix + tls: [] + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +remoteEndpointURL: "ghcr.io" +# remoteEndpointScheme: "basic" +# remoteEndpointToken: "" diff --git a/charts/scim/Chart.lock b/charts/scim/Chart.lock index 2cd0254..0f036de 100644 --- a/charts/scim/Chart.lock +++ b/charts/scim/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: aserto-lib repository: file://../aserto-lib - version: 0.2.0 -digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272 -generated: "2024-11-26T12:32:19.496426-05:00" + version: 0.2.1 +digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93 +generated: "2024-12-17T16:14:52.436288+02:00" diff --git a/charts/scim/Chart.yaml b/charts/scim/Chart.yaml index 9293e21..a433ec5 100644 --- a/charts/scim/Chart.yaml +++ b/charts/scim/Chart.yaml @@ -21,7 +21,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.6 +version: 0.1.7 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -31,5 +31,5 @@ appVersion: "0.0.7" dependencies: - name: aserto-lib - version: 0.2.0 + version: 0.2.1 repository: file://../aserto-lib diff --git a/charts/scim/templates/deployment.yaml b/charts/scim/templates/deployment.yaml index 40b0789..2c9614a 100644 --- a/charts/scim/templates/deployment.yaml +++ b/charts/scim/templates/deployment.yaml 
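Review bot: `podSecurityContext: {}` and `securityContext: {}` leave the proxy with the image's default user and full capabilities while the commented-out block already lists the right hardening; since the Deployment mounts config read-only and only needs the `https-certs` emptyDir writable, enabling `runAsNonRoot: true`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` by default should be safe for a network proxy (confirm the image runs as a non-root uid). `remoteEndpointToken` is documented as a plain value, so upstream registry credentials end up in values files and the Helm release Secret; document an existing-Secret alternative or at least add `# never commit: pass via --set or an external secret` next to it. Minor: the header `# Default values for directory.` is a copy-paste from the directory chart and should name registry-proxy, and `maxReplicas: 100` is a generous default ceiling for a proxy that fronts a third-party registry.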
@@ -41,15 +41,13 @@ spec: {{- end }} {{- end }} - {{- with (include "aserto-lib.rootClientCfg" . | fromYaml) }} - {{- if .caCertSecret }} + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} - name: root-ds-grpc-certs secret: - secretName: {{ .caCertSecret }} + secretName: {{ . }} items: - key: ca.crt - path: ca.crt - {{- end }} + path: ca.crt {{- end }} containers: @@ -72,7 +70,7 @@ spec: readOnly: true {{- end }} - {{- if (include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret }} + {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }} - name: root-ds-grpc-certs mountPath: /root-ds-grpc-certs readOnly: true @@ -90,10 +88,7 @@ spec: key: {{ include "scim.auth.secretKey" . }} {{- with (include "aserto-lib.rootApiKeyEnv" . | fromYaml) }} - name: ASERTO_SCIM_DIRECTORY_API_KEY - valueFrom: - secretKeyRef: - name: {{ .secretName }} - key: {{ .secretKey }} + {{ . | toYaml | nindent 14 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/charts/topaz/Chart.lock b/charts/topaz/Chart.lock index a8c8296..7fa2f0c 100644 --- a/charts/topaz/Chart.lock +++ b/charts/topaz/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: aserto-lib repository: file://../aserto-lib - version: 0.2.0 -digest: sha256:e847ea16d4c0c170655af988461152ab61eed5372f1639769dd7d198346da272 -generated: "2024-11-25T15:54:03.190999-05:00" + version: 0.2.1 +digest: sha256:83c950a4ee60c07dbc8e045f6645365ca35eced4f1aa329f51c8e2de1de28f93 +generated: "2024-12-17T16:14:52.687946+02:00" diff --git a/charts/topaz/Chart.yaml b/charts/topaz/Chart.yaml index 86d6081..516fe1b 100644 --- a/charts/topaz/Chart.yaml +++ b/charts/topaz/Chart.yaml 
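Review bot: Switching from `.caCertSecret` as a string to `.caCertSecret.name` changes the shape of the root-client values that existing installs already set; a release still passing `caCertSecret: my-secret` now renders no `root-ds-grpc-certs` volume at all, and because the lookup sits inside `with` the CA is silently omitted instead of failing at template time. Since this ships as a patch bump (0.1.6 → 0.1.7), either keep accepting the string form (branch on `kindIs "string"` before reading `.name`) or document the new `caCertSecret.name` key in the values file and changelog so operators are not surprised by TLS failures against the directory. The enclosing volumes list starts before the hunk.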
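Review bot: The `ASERTO_SCIM_DIRECTORY_API_KEY` entry is now whatever `aserto-lib.rootApiKeyEnv` renders, replacing an explicit `valueFrom.secretKeyRef`; that is fine as long as the helper still emits a `secretKeyRef`, but if it can render a literal `value:` the directory API key would land in the pod spec in clear, readable by anyone with `get pods` — worth checking the helper and pinning the contract with `# must render valueFrom.secretKeyRef, never a literal value` above the line. `{{ . | toYaml | nindent 14 }}` also has no left-trim, so the line's own indentation is left as trailing whitespace before the injected newline; `{{- . | toYaml | nindent 14 }}` keeps the rendered manifest clean. The env list continues outside the hunk.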
@@ -21,7 +21,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.2 +version: 0.2.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -31,5 +31,5 @@ appVersion: "0.32.38" dependencies: - name: aserto-lib - version: 0.2.0 + version: 0.2.1 repository: file://../aserto-lib diff --git a/tools/ktest/ktest.py b/tools/ktest/ktest.py index f88ebb4..7c396bd 100755 --- a/tools/ktest/ktest.py +++ b/tools/ktest/ktest.py @@ -65,18 +65,19 @@ def run(self, teardown: bool = True): ) stack.enter_context(ns.forward(deployment.chart, deployment.ports)) - try: - self.execute_steps() - echo("✅", "Tests complete.", nl=True) - except: - echo("🚨", "Test failed.", nl=True, cl=COLOR_ERROR) + try: + self.execute_steps() + echo("✅", "Tests complete.", nl=True) + except: + echo("🚨", "Test failed.", nl=True, cl=COLOR_ERROR) + for deployment in self.test.deployments: pod = ns.svc_pod(deployment.chart) echo("📋", "Pod logs:", pod) ns.logs(pod) click.echo() - raise - finally: - self.execute_cleanup() + raise + finally: + self.execute_cleanup() def deploy_chart(self, deployment: Deployment, ns: Namespace): chart_path = path.join(self.git_root, "charts", deployment.chart)
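Review bot: The bare `except:` that now wraps `execute_steps()` also catches `KeyboardInterrupt` and `SystemExit`, so cancelling a CI job triggers the pod-log dump loop before the interrupt propagates; `except Exception:` limits the log capture to real test failures. Inside that handler, `ns.svc_pod()` / `ns.logs()` for a deployment whose pod never became ready can itself raise and mask the original failure, so each deployment's log capture should be guarded independently. Since these logs go straight to the job output, a short comment noting that services running above info level may echo secrets (for example the registry token this change adds to a config Secret) into CI logs would be prudent. The enclosing `run()` method and its `with` block start outside the hunk.
```python
        except Exception:
            echo("🚨", "Test failed.", nl=True, cl=COLOR_ERROR)
            # Pod logs go straight to CI output; keep service log levels at info or below.
            for deployment in self.test.deployments:
                try:
                    pod = ns.svc_pod(deployment.chart)
                    echo("📋", "Pod logs:", pod)
                    ns.logs(pod)
                except Exception as exc:  # never mask the original failure
                    echo("⚠️", "Could not collect logs for", deployment.chart, nl=True)
                    click.echo(str(exc))
                click.echo()
            raise
        # … unchanged: finally / execute_cleanup …
```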