From b060d6fd176df503c6be0112405312e6de2fb847 Mon Sep 17 00:00:00 2001
From: Sabine Schaller
Date: Mon, 5 Jun 2023 11:36:09 +0200
Subject: [PATCH] feat: add rafiki auth chart (#4)
---
 charts/rafiki-auth/Chart.yaml | 26 ++++++
 charts/rafiki-auth/templates/_helpers.tpl | 81 +++++++++++++++++++
 charts/rafiki-auth/templates/configmap.yaml | 21 +++++
 charts/rafiki-auth/templates/deployment.yaml | 77 ++++++++++++++++++
 charts/rafiki-auth/templates/secret.yaml | 10 +++
 charts/rafiki-auth/templates/service.yaml | 27 +++++++
 .../rafiki-auth/templates/serviceaccount.yaml | 8 ++
 charts/rafiki-auth/values.yaml | 49 +++++++++++
 8 files changed, 299 insertions(+)
 create mode 100644 charts/rafiki-auth/Chart.yaml
 create mode 100644 charts/rafiki-auth/templates/_helpers.tpl
 create mode 100644 charts/rafiki-auth/templates/configmap.yaml
 create mode 100644 charts/rafiki-auth/templates/deployment.yaml
 create mode 100644 charts/rafiki-auth/templates/secret.yaml
 create mode 100644 charts/rafiki-auth/templates/service.yaml
 create mode 100644 charts/rafiki-auth/templates/serviceaccount.yaml
 create mode 100644 charts/rafiki-auth/values.yaml
diff --git a/charts/rafiki-auth/Chart.yaml b/charts/rafiki-auth/Chart.yaml
new file mode 100644
index 0000000..7c95620
--- /dev/null
+++ b/charts/rafiki-auth/Chart.yaml
@@ -0,0 +1,26 @@
+apiVersion: v2
+name: rafiki-auth
+description: Rafiki Auth Service - Helm chart
+maintainers:
+ - name: sabineschaller
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: 'v1.0.0-alpha.1'
diff --git a/charts/rafiki-auth/templates/_helpers.tpl b/charts/rafiki-auth/templates/_helpers.tpl
new file mode 100644
index 0000000..730b28f
--- /dev/null
+++ b/charts/rafiki-auth/templates/_helpers.tpl
@@ -0,0 +1,81 @@
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "rafiki-auth.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "rafiki-auth.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "auth.postgresqlUrl" -}}
+postgresql://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ .Values.postgresql.host }}:{{ .Values.postgresql.port | int}}/{{ .Values.postgresql.database }}
+{{- end -}}
+{{- define "auth.grantUrl" -}}
+http://{{ include "rafiki-auth.fullname" . }}:{{ .Values.port.auth }}
+{{- end -}}
+{{- define "auth.introspectionUrl" -}}
+http://{{ include "rafiki-auth.fullname" . }}:{{ .Values.port.introspection }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "rafiki-auth.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "rafiki-auth.labels" -}}
+app: {{ include "rafiki-auth.name" . }}
+app.kubernetes.io/name: {{ include "rafiki-auth.name" . }}
+helm.sh/chart: {{ include "rafiki-auth.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the auth service account to use
+*/}}
+{{- define "auth.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "rafiki-auth.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the auth image
+*/}}
+{{- define "auth.image" -}}
+{{ if .Values.image.tag }}
+{{- .Values.image.repository -}}:{{- .Values.image.tag -}}
+{{ else if .Values.image.digest }}
+{{- .Values.image.repository -}}@{{- .Values.image.digest -}}
+{{ else }}
+{{- .Values.image.repository -}}:latest
+{{ end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rafiki-auth/templates/configmap.yaml b/charts/rafiki-auth/templates/configmap.yaml
new file mode 100644
index 0000000..4d529ce
--- /dev/null
+++ b/charts/rafiki-auth/templates/configmap.yaml
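Review bot: `auth.image` falls back to the mutable `:latest` tag whenever both `image.tag` and `image.digest` are empty, so such a release is not reproducible and cannot be pinned for provenance or rollback; a safer fallback is `{{- .Values.image.repository -}}:{{- .Chart.AppVersion -}}`, or `{{ fail "image.tag or image.digest must be set" }}` to make the omission a render-time error. In `auth.postgresqlUrl` the username and password from values are interpolated into the URL without escaping, so a password containing `@`, `:` or `/` yields a connection string that parses to the wrong host or user; pipe both through `urlquery` or document that reserved characters are unsupported. The `auth.introspectionUrl` helper is not referenced by any template in this patch; either wire it into the ConfigMap or drop it.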
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "rafiki-auth.fullname" . }}
+ labels:
+{{ include "rafiki-auth.labels" . | indent 4 }}
+data:
+ ACCESS_TOKEN_DELETION_DAYS: "{{ .Values.accessToken.deletionDays }}"
+ ACCESS_TOKEN_EXPIRY_SECONDS: "{{ .Values.accessToken.expirySeconds }}"
+ ADMIN_PORT: "{{ .Values.port.admin }}"
+ AUTH_PORT: "{{ .Values.port.auth }}"
+ AUTH_SERVER_DOMAIN: {{ include "auth.grantUrl" . | quote }}
+ DATABASE_CLEANUP_WORKERS: "{{ .Values.workers.cleanup }}"
+ IDENTITY_SERVER_DOMAIN: "{{ .Values.identityServer.domain }}"
+ INCOMING_PAYMENT_INTERACTION: "{{ .Values.interaction.incomingPayment }}"
+ QUOTE_INTERACTION: "{{ .Values.interaction.quote }}"
+ INTROSPECTION_PORT: "{{ .Values.port.introspection }}"
+ LOG_LEVEL: "{{ .Values.logLevel }}"
+ NODE_ENV: "{{ .Values.nodeEnv }}"
+ PORT: "{{ .Values.port.auth }}"
+ WAIT_SECONDS: "{{ .Values.grant.waitSeconds }}"
diff --git a/charts/rafiki-auth/templates/deployment.yaml b/charts/rafiki-auth/templates/deployment.yaml
new file mode 100644
index 0000000..38e90fe
--- /dev/null
+++ b/charts/rafiki-auth/templates/deployment.yaml
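Review bot: `AUTH_SERVER_DOMAIN` is hard-wired to `auth.grantUrl`, the in-cluster `http://<fullname>:<auth port>` address, with no way to override it from values; if the application advertises this value to clients as its public base URL (the name suggests it does), external clients would receive an unreachable plain-http address. Consider `AUTH_SERVER_DOMAIN: {{ .Values.authServerDomain | default (include "auth.grantUrl" .) | quote }}` together with a documented `authServerDomain` entry in values.yaml. `PORT` and `AUTH_PORT` both render `.Values.port.auth`; a one-line comment on why the application needs both would save the next maintainer from "fixing" the duplication.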
@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "rafiki-auth.fullname" . }}
+ labels:
+{{ include "rafiki-auth.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.replicas }}
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: {{ .Values.rollingUpdate.maxSurge }}
+ maxUnavailable: {{ .Values.rollingUpdate.maxUnavailable }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "rafiki-auth.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "rafiki-auth.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{ if .Values.serviceAccount.create }}
+ serviceAccountName: {{ template "auth.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ end }}
+ volumes:
+ {{ if .Values.serviceAccount.create }}
+ - name: {{ include "rafiki-auth.fullname" . }}-sa-key
+ secret:
+ secretName: {{ include "rafiki-auth.fullname" . }}-sa-key
+ {{ end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: {{ include "auth.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ envFrom:
+ - configMapRef:
+ name: {{ include "rafiki-auth.fullname" . }}
+ - secretRef:
+ name: {{ include "rafiki-auth.fullname" . }}-secrets
+ ports:
+ - name: auth
+ containerPort: {{ .Values.port.auth }}
+ protocol: TCP
+ - name: admin
+ containerPort: {{ .Values.port.admin }}
+ protocol: TCP
+ - name: introspection
+ containerPort: {{ .Values.port.introspection }}
+ protocol: TCP
+ #livenessProbe:
+ # failureThreshold: 15
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 10
+ # httpGet:
+ # path: /healthz
+ # port: admin
+ #readinessProbe:
+ # failureThreshold: 3
+ # initialDelaySeconds: 5
+ # periodSeconds: 5
+ # timeoutSeconds: 5
+ # httpGet:
+ # path: /healthz
+ # port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/rafiki-auth/templates/secret.yaml b/charts/rafiki-auth/templates/secret.yaml
new file mode 100644
index 0000000..67c3594
--- /dev/null
+++ b/charts/rafiki-auth/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "rafiki-auth.fullname" . }}-secrets
+ labels:
+{{ include "rafiki-auth.labels" . | indent 4 }}
+data:
+ AUTH_DATABASE_URL: {{ include "auth.postgresqlUrl" . | b64enc | quote }}
+ COOKIE_KEY: "{{ .Values.cookieKey | b64enc }}"
+ IDENTITY_SERVER_SECRET: "{{ .Values.identityServer.secret | b64enc }}"
\ No newline at end of file
diff --git a/charts/rafiki-auth/templates/service.yaml b/charts/rafiki-auth/templates/service.yaml
new file mode 100644
index 0000000..deb6eec
--- /dev/null
+++ b/charts/rafiki-auth/templates/service.yaml
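Review bot: The pod-level `securityContext:` and its `{{- toYaml .Values.podSecurityContext | nindent 8 }}` line sit inside `{{ if .Values.serviceAccount.create }}`, so the pod security context is silently dropped whenever the chart is installed with `serviceAccount.create=false`; move those two lines out of the conditional so they render unconditionally. `.Values.podSecurityContext`, `.Values.replicas`, `.Values.imagePullSecrets` and `.Values.resources` are read here but none is declared in the values.yaml in this patch, so with default values `toYaml` renders `null` for the security context and `replicas:` renders empty. The `volumes` entry references a Secret named `<fullname>-sa-key` that no template in this patch creates and that no container mounts; if it is expected to be provisioned out of band, say so in a comment next to `serviceAccount.create` in values.yaml, otherwise the pod will not start until that Secret exists. Both probes are commented out, so a crashed or wedged process keeps receiving traffic from the Service; re-enabling at least the readiness probe (the commented `port: http` does not match any declared container port name) would be worth a follow-up.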
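Review bot: `COOKIE_KEY` and `IDENTITY_SERVER_SECRET` are rendered straight from values whose defaults in this patch are `''` and `"changeme"`, so a `helm install` with no overrides produces a Secret holding an empty cookie key and a placeholder identity-server secret without any render-time error; wrap them with `required`, e.g. `COOKIE_KEY: {{ required "cookieKey must be set" .Values.cookieKey | b64enc | quote }}`. `AUTH_DATABASE_URL` embeds `postgresql.password` from values, which then lives in the release's stored manifest as well as in any committed values file; an `existingSecret` option that lets operators reference a pre-created Secret would keep the credential out of the chart inputs. The quoting style also differs between `AUTH_DATABASE_URL` (`| quote`) and the other two keys (literal double quotes around the template); pick one form for all three.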
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "rafiki-auth.fullname" . }}
+ labels:
+ app: {{ include "rafiki-auth.name" . }}
+ chart: {{ include "rafiki-auth.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.port.auth }}
+ targetPort: {{ .Values.port.auth }}
+ protocol: TCP
+ name: auth
+ - port: {{ .Values.port.admin }}
+ targetPort: {{ .Values.port.admin }}
+ protocol: TCP
+ name: admin
+ - port: {{ .Values.port.introspection }}
+ targetPort: {{ .Values.port.introspection }}
+ protocol: TCP
+ name: introspection
+ selector:
+ app.kubernetes.io/name: {{ include "rafiki-auth.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/rafiki-auth/templates/serviceaccount.yaml b/charts/rafiki-auth/templates/serviceaccount.yaml
new file mode 100644
index 0000000..bc7a388
--- /dev/null
+++ b/charts/rafiki-auth/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "auth.serviceAccountName" . }}
+ labels:
+{{ include "rafiki-auth.labels" . | indent 4 }}
+{{- end -}}
diff --git a/charts/rafiki-auth/values.yaml b/charts/rafiki-auth/values.yaml
new file mode 100644
index 0000000..adc3231
--- /dev/null
+++ b/charts/rafiki-auth/values.yaml
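Review bot: The Service's metadata labels use the legacy `app`/`chart`/`release`/`heritage` set while every other template in this patch labels its objects with `{{ include "rafiki-auth.labels" . | indent 4 }}` and the `app.kubernetes.io/*` keys; replace the four literal label lines with that include so selectors, dashboards and policy tooling see one consistent scheme. The `admin` port is exposed on the same ClusterIP Service as `auth` and `introspection`; if it carries privileged operations, a comment saying so (or a separate Service that a NetworkPolicy can restrict independently) would make the exposure explicit.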
@@ -0,0 +1,49 @@
+nodeEnv: development
+logLevel: debug
+postgresql:
+ host: "postgres.example.com"
+ port: 5432
+ username: "auth"
+ database: "auth"
+ password: "overridethisValue"
+port:
+ admin: 3003
+ auth: 3006
+ introspection: 3007
+identityServer:
+ domain: "http://cloud-nine-wallet/idp"
+ secret: "changeme"
+interaction:
+ incomingPayment: "false"
+ quote: "false"
+grant:
+ waitSeconds: 5
+accessToken:
+ deletionDays: 30
+ expirySeconds: 600
+cookieKey: ''
+workers:
+ cleanup: 1
+image:
+ repository: ghcr.io/interledger/rafiki-auth
+ tag: 'v1.0.0-alpha.1'
+ digest: ''
+ pullPolicy: IfNotPresent
+rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 50%
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ''
+securityContext:
+ {}
+# resources:
+# limits:
+# memory: 1Gi
+# cpu: 450m
+# requests:
+# memory: 800Mi
+# cpu: 300m
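Review bot: `securityContext: {}` leaves the container with no hardening at all, and the credential-bearing defaults `password: "overridethisValue"`, `secret: "changeme"` and `cookieKey: ''` install without error, so a default `helm install` runs an unhardened pod configured with placeholder secrets. Ship a restrictive container security context by default (below; `readOnlyRootFilesystem: true` is also worth adding if the image tolerates it) and leave the secret values empty with a comment that they must be supplied, so a `required` check in the templates can reject an unconfigured install. `replicas`, `podSecurityContext`, `imagePullSecrets` and `resources` are read by deployment.yaml in this patch but not declared here; declaring them, even as `1`, `{}`, `[]` and `{}`, documents the contract and avoids `toYaml` rendering `null`. `nodeEnv: development` and `logLevel: debug` are fine for a first chart but are not what a production install should inherit silently; a comment flagging them as development defaults would help.
```yaml
# … unchanged: nodeEnv, logLevel, postgresql, port, identityServer, interaction, grant, accessToken, cookieKey, workers, image, rollingUpdate, serviceAccount …
replicas: 1
imagePullSecrets: []
podSecurityContext: {}
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
resources: {}
```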