neicnordic · jbygdell · Aug 20, 2024 · Aug 2, 2024 · Jul 26, 2024 · Aug 15, 2024
diff --git a/.github/integration/scripts/charts/values.yaml b/.github/integration/scripts/charts/values.yaml
@@ -3,6 +3,7 @@ global:
   ingress:
     deploy: false
     hostName:
+      api: pipeline-sda-svc-api
       auth: pipeline-sda-svc-auth
       download: pipeline-sda-svc-download
       s3Inbox: pipeline-sda-svc-inbox
@@ -12,6 +13,13 @@ global:
     enabled: false
     issuer: ""
     clusterIssuer: "cert-issuer"
+  api:
+    adminsFileSecret:
+    adminUsers:
+      - [email protected]
+      - [email protected]
+    jwtPubKeyName: jwt.pub
+    jwtSecret: jwk
   archive:
     storageType: s3
     s3AccessKey: PLACEHOLDER_VALUE
@@ -102,6 +110,9 @@ global:
       port: "8080"
       password: "pass"
       user: "user"
+api:
+  replicaCount: 1
+  resources: null
 auth:
   replicaCount: 1
   resources: null

diff --git a/.github/workflows/build_pr_container.yaml b/.github/workflows/build_pr_container.yaml
@@ -285,7 +285,7 @@ jobs:
       - name: Check deployment
         run: |
           sleep 30
-          for n in auth download finalize inbox ingest mapper reencrypt sync syncapi verify; do
+          for n in api auth download finalize inbox ingest mapper reencrypt sync syncapi verify; do
             if [ ${{matrix.storage}} == "posix" ] && [ "$n" == "auth" ] || [ "$n" == "sync" ] || [ "$n" == "syncapi" ]; then
               continue
             fi
@@ -300,7 +300,7 @@ jobs:
         run: |
           kubectl get pods
           sleep 1
-          for svc in auth finalize inbox ingest mapper reencrypt sync syncapi verify; do
+          for svc in api auth finalize inbox ingest mapper reencrypt sync syncapi verify; do
             echo "## describe $svc" && kubectl describe pod -l role="$svc"
             sleep 1
             echo "## logs $svc" && kubectl logs -l role="$svc"

diff --git a/charts/sda-svc/Chart.yaml b/charts/sda-svc/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sda-svc
-version: 0.27.7
+version: 0.28.0
 appVersion: v0.3.114
 kubeVersion: '>= 1.26.0'
 description: Components for Sensitive Data Archive (SDA) installation

diff --git a/charts/sda-svc/README.md b/charts/sda-svc/README.md
@@ -76,6 +76,10 @@ Parameter | Description | Default
 `global.backupArchive.volumePath` | Path to the mounted `posix` volume. |`/backup`
 `global.backupArchive.nfsServer` | URL or IP address to a NFS server. |`""`
 `global.backupArchive.nfsPath` | Path on the NFS server for the backup archive. |`""`
+`global.api.adminFileSecret` | A secret holding a JSON file named `admin.json` containg a list of identifiers |``
+`global.api.adminUsers` | A list of identifiers of the users with admin privileges |``
+`global.api.jwtPubKeyName` | Public key used to verify the JWT. |``
+`global.api.jwtSecret` | The name of the secret holding the JWT public key |``
 `global.auth.jwtAlg` | Key type to sign the JWT, available options are RS265 & ES256, Must match the key type |`"ES256"`
 `global.auth.jwtKey` | Private key used to sign the JWT. |`""`
 `global.auth.jwtPub` | Public key ues to verify the JWT. |`""`
@@ -171,6 +175,10 @@ If no shared credentials for the message broker and database are used these shou
 
 Parameter | Description | Default
 --------- | ----------- | -------
+`credentials.api.dbUser` | Database user for api | `""`
+`credentials.api.dbPassword` | Database password for api | `""`
+`credentials.api.mqUser` | Broker user for api | `""`
+`credentials.api.mqPassword` | Broker password for api | `""`
 `credentials.doa.dbUser` | Database user for doa | `""`
 `credentials.doa.dbPassword` | Database password for doa| `""`
 `credentials.download.dbUser` | Database user for download | `""`
@@ -206,6 +214,13 @@ Parameter | Description | Default
 
 Parameter | Description | Default
 --------- | ----------- | -------
+`api.replicaCount` | Desired number of replicas | `2`
+`api.annotations` | Specific annotation for the auth pod | `{}`
+`api.resources.requests.memory` | Memory request for container. |`128Mi`
+`api.resources.requests.cpu` | CPU request for container. |`100m`
+`api.resources.limits.memory` | Memory limit for container. |`256Mi`
+`api.resources.limits.cpu` | CPU limit for container. |`250m`
+`api.tls.secretName` | Secret holding the application TLS certificates |``
 `auth.replicaCount` | desired number of replicas | `2`
 `auth.annotations` | Specific annotation for the auth pod | `{}`
 `auth.resources.requests.memory` | Memory request for container. |`128Mi`

diff --git a/charts/sda-svc/templates/_helpers.yaml b/charts/sda-svc/templates/_helpers.yaml
@@ -133,6 +133,20 @@ Create chart name and version as used by the chart label.
   {{ end }}
 {{- end -}}
 
+{{/**/}}
+{{- define "dbUserAPI" -}}
+{{- ternary .Values.global.db.user .Values.credentials.api.dbUser (empty .Values.credentials.api.dbUser) -}}
+{{- end -}}
+{{- define "dbPassAPI" -}}
+{{- ternary .Values.global.db.password .Values.credentials.api.dbPassword (empty .Values.credentials.api.dbPassword) -}}
+{{- end -}}
+{{- define "mqUserAPI" -}}
+{{- ternary .Values.global.broker.username .Values.credentials.api.mqUser (empty .Values.credentials.api.mqUser) -}}
+{{- end -}}
+{{- define "mqPassAPI" -}}
+{{- ternary .Values.global.broker.password .Values.credentials.api.mqPassword (empty .Values.credentials.api.mqPassword) -}}
+{{- end -}}
+
 {{/**/}}
 {{- define "dbUserSync" -}}
 {{- ternary .Values.global.db.user .Values.credentials.sync.dbUser (empty .Values.credentials.sync.dbUser) -}}

diff --git a/charts/sda-svc/templates/api-certificate.yaml b/charts/sda-svc/templates/api-certificate.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.global.tls.enabled }}
+{{- if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "sda.fullname" . }}-api-certs
+spec:
+  # Secret names are always required.
+  secretName: {{ template "sda.fullname" . }}-api-certs
+
+  duration: 2160h # 90d
+
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used. However, it is still needed for TLS based authentication  for Postgres and other services.
+  commonName: {{ template "sda.fullname" . }}-api
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 384
+  usages:
+    - client auth
+    - server auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - {{ template "sda.fullname" . }}-api
+    - {{ template "sda.fullname" . }}-api.{{ .Release.Namespace }}.svc
+  ipAddresses:
+    - 127.0.0.1
+  # Issuer references are always required.
+  issuerRef:
+    name: {{ template "TLSissuer" . }}
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: {{ ternary "Issuer" "ClusterIssuer" (empty .Values.global.tls.clusterIssuer )}}
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io
+{{- end -}}
+{{- end -}}