feat: add helm-chart for agent (#603)

* feat: move agent helm chart into repo

* chore: fixed new-lines at end of files, added release step to bump chart version

* chore: update megalinter version to 7.1.0

Signed-off-by: Anton Baliasnikov <[email protected]>

* chore: update package.json

Co-authored-by: Moritz Angermann <[email protected]>
Signed-off-by: Anton Baliasnikov <[email protected]>

* ci: exclude helm-chart from yaml linter

Signed-off-by: David Poltorak <[email protected]>

* ci: exclude from all yaml linters

Signed-off-by: David Poltorak <[email protected]>

* ci: disable kicks linter

Signed-off-by: David Poltorak <[email protected]>

* ci: add to linter change log

Signed-off-by: David Poltorak <[email protected]>

---------

Signed-off-by: Anton Baliasnikov <[email protected]>
Signed-off-by: David Poltorak <[email protected]>
Co-authored-by: Anton Baliasnikov <[email protected]>
Co-authored-by: Moritz Angermann <[email protected]>

.github/workflows/lint.yml

@@ -32,7 +32,7 @@ jobs:
           fetch-depth: 0
       - name: Mega-Linter
         id: ml
-        uses: megalinter/megalinter@v6
+        uses: megalinter/megalinter@v7.1.0
       - name: Archive production artifacts
         if: success() || failure()
         uses: actions/upload-artifact@v3

.github/workflows/release.yml

@@ -38,6 +38,8 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: "lts/*"
+      - name: Setup yq - portable yaml processor
+        uses: mikefarah/[email protected]
       - uses: crazy-max/ghaction-import-gpg@v3
         id: import_gpg
         with:

.mega-linter.yml

@@ -10,6 +10,7 @@ DISABLE_LINTERS: [
     REPOSITORY_TRIVY,
     REPOSITORY_CHECKOV,
     REPOSITORY_SECRETLINT,
+    REPOSITORY_KICS,
     SCALA_SCALAFIX,
     SQL_TSQLLINT,
     C_CPPLINT, # For pollux/lib/anoncreds/src/main/c
@@ -46,3 +47,6 @@ PRE_COMMANDS:
 MARKDOWN_MARKDOWN_LINK_CHECK_FILTER_REGEX_EXCLUDE: "CHANGELOG.md"
 MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: "CHANGELOG.md"
 SQL_SQL_LINT_ARGUMENTS: -d postgres --ignore-errors=postgres-invalid-alter-option
+YAML_YAMLLINT_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*"
+YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*"
+YAML_V8R_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*"

docs/guides/linting.md

@@ -285,3 +285,35 @@ Linter - Suggested Change: Enabled but pass even with error
 *Change detail*
 
 OPENAPI_SPECTRAL generates lots of errors for files which are quite large and have been generated by the openapi generator which is going to be replaced with Tapir in future work. Suggest change to enable but pass even with error. Can be re enabled when files can be reviewed as a specific task / they get removed
+
+#### YAML_PRETTIER, YAML_LINT, YAML_V8R for helm-chart files
+
+Date Added: 2023-07-24
+
+Author: David Poltorak
+
+Date Added: 2023-07-24
+
+Linter - Current Status: Enabled
+
+Linter - Suggested Change: Disable
+
+*Change detail*
+
+YAML linters will fail on helm charts so excluding the folder for these linters
+
+#### kics (Keeping Infrastructure as Code Secure)
+
+Date Added: 2023-07-24
+
+Author: David Poltorak
+
+Date Added: 2023-07-24
+
+Linter - Current Status: Enabled
+
+Linter - Suggested Change: Disable
+
+*Change detail*
+
+Kics creates an error log consisting of thousands of review items. This is a new linter in a newer version of megalinter and needs to be reviewed before being enabled.

infrastructure/charts/agent/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

infrastructure/charts/agent/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: vault
+  repository: https://helm.releases.hashicorp.com
+  version: 0.24.1
+digest: sha256:f9ee9a8708d36ff7fcf9334fe17404147be8c124ead65830ee72bd4f43c262cd
+generated: "2023-06-16T14:40:33.224500592+10:00"

infrastructure/charts/agent/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: prism-agent
+description: A Helm chart for deploying prism-agent
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.6.0"
+
+dependencies:
+  - name: "vault"
+    version: "0.24.1"
+    repository: "https://helm.releases.hashicorp.com"

infrastructure/charts/agent/templates/_helpers.tpl

@@ -0,0 +1,22 @@
+{{- define "cors" }}
+    {{- if .Values.ingress.cors.enabled }}
+    - name: cors
+      enable: true
+      {{- if .Values.ingress.cors.allow_origins }}
+      config:
+        allow_origins: {{ .Values.ingress.cors.allow_origins | quote }}
+      {{- end }}
+    {{- end }}
+{{- end -}}
+{{- define "consumer-restriction" }}
+    - name: consumer-restriction
+      enable: true
+      config:
+        whitelist:
+        {{- range .Values.ingress.consumers }}
+          -  {{ regexReplaceAll "-" $.Release.Name "_" }}_{{ regexReplaceAll "-" . "_" | lower }}
+        {{- end }}
+{{- end -}}
+{{- define "labels.common" -}}
+app.kubernetes.io/part-of: prism-agent
+{{- end -}}

infrastructure/charts/agent/templates/apisixconsumer.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.ingress.enabled }}
+{{- $root := . -}}
+{{- range $consumer := .Values.ingress.consumers }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: "{{ $consumer | lower }}"
+  namespace: "{{ $root.Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  authParameter:
+    keyAuth:
+      secretRef:
+        name: "{{ $root.Release.Namespace }}-{{ $consumer | lower }}"
+---
+{{- end }}
+{{- end }}

infrastructure/charts/agent/templates/apisixroute.yaml

@@ -0,0 +1,128 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/*
+    backends:
+       - serviceName: agent-server-tapir-service
+         servicePort: 8085
+    authentication:
+      enable: true
+      type: keyAuth
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/(.*)","/$1"]
+    - name: uri-blocker
+      enable: true
+      config:
+        block_rules: ["_system/metrics"]
+        rejected_message: "access to metrics resource is not allowed from an external location"
+    {{ template "cors" . }}
+    {{ template "consumer-restriction" . }}
+
+---
+
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-didcomm-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-didcomm-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/didcomm*
+    backends:
+      - serviceName: agent-server-didcomm-service
+        servicePort: 8090
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/didcomm(.*)", "/$1"]
+    {{ template "cors" . }}
+
+---
+
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-schema-registry-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-schema-registry-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/schema-registry/schemas/*
+      methods:
+      - GET
+    backends:
+      - serviceName: agent-server-tapir-service
+        servicePort: 8085
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/schema-registry/schemas/(.*)", "/schema-registry/schemas/$1"]
+    {{ template "cors" . }}
+
+---
+
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-docs-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-docs-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/docs/*
+    backends:
+      - serviceName: agent-server-tapir-service
+        servicePort: 8085
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/docs/(.*)","/docs/$1"]
+    {{ template "cors" . }}
+
+---
+{{- end }}

infrastructure/charts/agent/templates/apisixtls.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixTls
+metadata:
+  name: "prism-agent-base-path-tls"
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  hosts:
+  {{- range .Values.ingress.applicationUrls }}
+    - {{ . }}
+  {{- end }}
+  secret:
+    name: "prism-agent-base-path-secret"
+    namespace: "{{ .Release.Namespace }}"
+{{- end }}

infrastructure/charts/agent/templates/certificate.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "prism-agent-base-path-cert"
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  secretName: "prism-agent-base-path-secret"
+  duration: 2160h0m0s # 90d
+  renewBefore: 360h0m0s # 15d
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+  {{- range .Values.ingress.applicationUrls }}
+    - {{ . }}
+  {{- end }}
+{{- end }}

infrastructure/charts/agent/templates/cloudwalletsecret.yaml

@@ -0,0 +1,11 @@
+apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+kind: StringSecret
+metadata:
+  name: "prism-agent-server-wallet"
+  namespace: {{ .Release.Namespace }}
+spec:
+  forceRegenerate: false
+  fields:
+    - fieldName: "seed"
+      encoding: "hex"
+      length: "128"