From c192a626899460dbc8d37699634f86bffb9a9bb7 Mon Sep 17 00:00:00 2001 
From: David Poltorak Date: Fri, 21 Jul 2023 14:33:39 +0100 Subject: [PATCH 1/8] feat: move agent helm chart into repo --- infrastructure/charts/agent/.helmignore | 23 +++ infrastructure/charts/agent/Chart.lock | 6 + infrastructure/charts/agent/Chart.yaml | 29 ++++ .../charts/agent/templates/_helpers.tpl | 22 +++ .../agent/templates/apisixconsumer.yaml | 18 +++ .../charts/agent/templates/apisixroute.yaml | 128 ++++++++++++++++ .../charts/agent/templates/apisixtls.yaml | 17 +++ .../charts/agent/templates/certificate.yaml | 20 +++ .../agent/templates/cloudwalletsecret.yaml | 11 ++ .../charts/agent/templates/deployment.yaml | 137 ++++++++++++++++++ .../agent/templates/externalsecret.yaml | 20 +++ .../charts/agent/templates/postgresql.yaml | 36 +++++ .../charts/agent/templates/service.yaml | 58 ++++++++ .../charts/agent/templates/stringsecret.yaml | 20 +++ .../charts/agent/templates/vault-unseal.yaml | 44 ++++++ infrastructure/charts/agent/values.yaml | 84 +++++++++++ 16 files changed, 673 insertions(+) create mode 100644 infrastructure/charts/agent/.helmignore create mode 100644 infrastructure/charts/agent/Chart.lock create mode 100644 infrastructure/charts/agent/Chart.yaml create mode 100644 infrastructure/charts/agent/templates/_helpers.tpl create mode 100644 infrastructure/charts/agent/templates/apisixconsumer.yaml create mode 100644 infrastructure/charts/agent/templates/apisixroute.yaml create mode 100644 infrastructure/charts/agent/templates/apisixtls.yaml create mode 100644 infrastructure/charts/agent/templates/certificate.yaml create mode 100644 infrastructure/charts/agent/templates/cloudwalletsecret.yaml create mode 100644 infrastructure/charts/agent/templates/deployment.yaml create mode 100644 infrastructure/charts/agent/templates/externalsecret.yaml create mode 100644 infrastructure/charts/agent/templates/postgresql.yaml create mode 100644 infrastructure/charts/agent/templates/service.yaml create mode 100644 
infrastructure/charts/agent/templates/stringsecret.yaml create mode 100644 infrastructure/charts/agent/templates/vault-unseal.yaml create mode 100644 infrastructure/charts/agent/values.yaml diff --git a/infrastructure/charts/agent/.helmignore b/infrastructure/charts/agent/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/infrastructure/charts/agent/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/infrastructure/charts/agent/Chart.lock b/infrastructure/charts/agent/Chart.lock new file mode 100644 index 0000000000..bb4e27f18a --- /dev/null +++ b/infrastructure/charts/agent/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: vault + repository: https://helm.releases.hashicorp.com + version: 0.24.1 +digest: sha256:f9ee9a8708d36ff7fcf9334fe17404147be8c124ead65830ee72bd4f43c262cd +generated: "2023-06-16T14:40:33.224500592+10:00" diff --git a/infrastructure/charts/agent/Chart.yaml b/infrastructure/charts/agent/Chart.yaml new file mode 100644 index 0000000000..f7bcd64813 --- /dev/null +++ b/infrastructure/charts/agent/Chart.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v2 +name: prism-agent +description: A Helm chart for deploying prism-agent + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.6.0" + +dependencies: + - name: "vault" + version: "0.24.1" + repository: "https://helm.releases.hashicorp.com" diff --git a/infrastructure/charts/agent/templates/_helpers.tpl b/infrastructure/charts/agent/templates/_helpers.tpl new file mode 100644 index 0000000000..c2b9bb2f7c --- /dev/null +++ b/infrastructure/charts/agent/templates/_helpers.tpl 
@@ -0,0 +1,22 @@ +{{- define "cors" }} + {{- if .Values.ingress.cors.enabled }} + - name: cors + enable: true + {{- if .Values.ingress.cors.allow_origins }} + config: + allow_origins: {{ .Values.ingress.cors.allow_origins | quote }} + {{- end }} + {{- end }} +{{- end -}} +{{- define "consumer-restriction" }} + - name: consumer-restriction + enable: true + config: + whitelist: + {{- range .Values.ingress.consumers }} + - {{ regexReplaceAll "-" $.Release.Name "_" }}_{{ regexReplaceAll "-" . "_" | lower }} + {{- end }} +{{- end -}} +{{- define "labels.common" -}} +app.kubernetes.io/part-of: prism-agent +{{- end -}} diff --git a/infrastructure/charts/agent/templates/apisixconsumer.yaml b/infrastructure/charts/agent/templates/apisixconsumer.yaml new file mode 100644 index 0000000000..dbf17985c1 --- /dev/null +++ b/infrastructure/charts/agent/templates/apisixconsumer.yaml @@ -0,0 +1,18 @@ +{{- if .Values.ingress.enabled }} +{{- $root := . -}} +{{- range $consumer := .Values.ingress.consumers }} +apiVersion: apisix.apache.org/v2 +kind: ApisixConsumer +metadata: + name: "{{ $consumer | lower }}" + namespace: "{{ $root.Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + authParameter: + keyAuth: + secretRef: + name: "{{ $root.Release.Namespace }}-{{ $consumer | lower }}" +--- +{{- end }} +{{- end }} diff --git a/infrastructure/charts/agent/templates/apisixroute.yaml b/infrastructure/charts/agent/templates/apisixroute.yaml new file mode 100644 index 0000000000..2bf0288414 --- /dev/null +++ b/infrastructure/charts/agent/templates/apisixroute.yaml 
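Review bot: The `consumer-restriction` whitelist in `_helpers.tpl` prefixes each consumer with `$.Release.Name`, while the ApisixConsumer objects are created in `$root.Release.Namespace`; as far as I know the APISIX ingress controller derives the internal consumer name from namespace plus resource name, so this whitelist only matches when the release name happens to equal the namespace. The safer form is `- {{ regexReplaceAll "-" $.Release.Namespace "_" }}_{{ regexReplaceAll "-" . "_" | lower }}`; please confirm against the controller version in use. With the default `consumers: []` from values.yaml the `whitelist:` key is rendered with no entries on a route that also enables `keyAuth`, so it is worth a comment stating what the plugin does with an empty list (presumably it rejects the config or every caller).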
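Review bot: Inside the `range` in `apisixconsumer.yaml`, `{{ template "labels.common" . }}` passes the consumer string as the template context, even though `$root` was captured on the line above for exactly this purpose. It works only because `labels.common` reads nothing from its context; use `{{ template "labels.common" $root }}` so the helper can grow without breaking this file. The `secretRef` name `{{ $root.Release.Namespace }}-{{ $consumer | lower }}` is a contract with `stringsecret.yaml`, so a comment naming that file here would save the next reader a search.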
@@ -0,0 +1,128 @@ +{{- if .Values.ingress.enabled }} +apiVersion: apisix.apache.org/v2 +kind: ApisixRoute +metadata: + name: agent-route + namespace: "{{ .Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + http: + - name: agent-rule + match: + hosts: + {{- range .Values.ingress.applicationUrls }} + - {{ . }} + {{- end }} + paths: + - /prism-agent/* + backends: + - serviceName: agent-server-tapir-service + servicePort: 8085 + authentication: + enable: true + type: keyAuth + plugins: + - name: proxy-rewrite + enable: true + config: + regex_uri: ["^/prism-agent/(.*)","/$1"] + - name: uri-blocker + enable: true + config: + block_rules: ["_system/metrics"] + rejected_message: "access to metrics resource is not allowed from an external location" + {{ template "cors" . }} + {{ template "consumer-restriction" . }} + +--- + +apiVersion: apisix.apache.org/v2 +kind: ApisixRoute +metadata: + name: agent-didcomm-route + namespace: "{{ .Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + http: + - name: agent-didcomm-rule + match: + hosts: + {{- range .Values.ingress.applicationUrls }} + - {{ . }} + {{- end }} + paths: + - /prism-agent/didcomm* + backends: + - serviceName: agent-server-didcomm-service + servicePort: 8090 + plugins: + - name: proxy-rewrite + enable: true + config: + regex_uri: ["^/prism-agent/didcomm(.*)", "/$1"] + {{ template "cors" . }} + +--- + +apiVersion: apisix.apache.org/v2 +kind: ApisixRoute +metadata: + name: agent-schema-registry-route + namespace: "{{ .Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + http: + - name: agent-schema-registry-rule + match: + hosts: + {{- range .Values.ingress.applicationUrls }} + - {{ . 
}} + {{- end }} + paths: + - /prism-agent/schema-registry/schemas/* + methods: + - GET + backends: + - serviceName: agent-server-tapir-service + servicePort: 8085 + plugins: + - name: proxy-rewrite + enable: true + config: + regex_uri: ["^/prism-agent/schema-registry/schemas/(.*)", "/schema-registry/schemas/$1"] + {{ template "cors" . }} + +--- + +apiVersion: apisix.apache.org/v2 +kind: ApisixRoute +metadata: + name: agent-docs-route + namespace: "{{ .Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + http: + - name: agent-docs-rule + match: + hosts: + {{- range .Values.ingress.applicationUrls }} + - {{ . }} + {{- end }} + paths: + - /prism-agent/docs/* + backends: + - serviceName: agent-server-tapir-service + servicePort: 8085 + plugins: + - name: proxy-rewrite + enable: true + config: + regex_uri: ["^/prism-agent/docs/(.*)","/docs/$1"] + {{ template "cors" . }} + +--- +{{- end }} diff --git a/infrastructure/charts/agent/templates/apisixtls.yaml b/infrastructure/charts/agent/templates/apisixtls.yaml new file mode 100644 index 0000000000..565c47052d --- /dev/null +++ b/infrastructure/charts/agent/templates/apisixtls.yaml @@ -0,0 +1,17 @@ +{{- if .Values.ingress.enabled }} +apiVersion: apisix.apache.org/v2 +kind: ApisixTls +metadata: + name: "prism-agent-base-path-tls" + namespace: "{{ .Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + hosts: + {{- range .Values.ingress.applicationUrls }} + - {{ . }} + {{- end }} + secret: + name: "prism-agent-base-path-secret" + namespace: "{{ .Release.Namespace }}" +{{- end }} \ No newline at end of file diff --git a/infrastructure/charts/agent/templates/certificate.yaml b/infrastructure/charts/agent/templates/certificate.yaml new file mode 100644 index 0000000000..14f8df7a3c --- /dev/null +++ b/infrastructure/charts/agent/templates/certificate.yaml 
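Review bot: In `agent-route`, the `uri-blocker` rule `block_rules: ["_system/metrics"]` is the only thing keeping the metrics endpoint away from external callers, and it is a substring regex on the request URI evaluated at the gateway; a gateway deny-list is a useful layer but should not be the sole control, so the agent itself should keep metrics off the externally routed port or behind auth as well. The `agent-docs-route` and `agent-schema-registry-route` point at the same `agent-server-tapir-service:8085` backend without an `authentication` block, which looks deliberate (public docs, GET-only schema reads) but deserves a comment such as `# intentionally unauthenticated: read-only, public documentation` so it is not "fixed" later. `agent-didcomm-route` is likewise unauthenticated by design and would benefit from the same note.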
@@ -0,0 +1,20 @@ +{{- if .Values.ingress.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "prism-agent-base-path-cert" + namespace: "{{ .Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + secretName: "prism-agent-base-path-secret" + duration: 2160h0m0s # 90d + renewBefore: 360h0m0s # 15d + issuerRef: + name: letsencrypt + kind: ClusterIssuer + dnsNames: + {{- range .Values.ingress.applicationUrls }} + - {{ . }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/infrastructure/charts/agent/templates/cloudwalletsecret.yaml b/infrastructure/charts/agent/templates/cloudwalletsecret.yaml new file mode 100644 index 0000000000..70210c1a91 --- /dev/null +++ b/infrastructure/charts/agent/templates/cloudwalletsecret.yaml @@ -0,0 +1,11 @@ +apiVersion: "secretgenerator.mittwald.de/v1alpha1" +kind: StringSecret +metadata: + name: "prism-agent-server-wallet" + namespace: {{ .Release.Namespace }} +spec: + forceRegenerate: false + fields: + - fieldName: "seed" + encoding: "hex" + length: "128" diff --git a/infrastructure/charts/agent/templates/deployment.yaml b/infrastructure/charts/agent/templates/deployment.yaml new file mode 100644 index 0000000000..f7bd01957b --- /dev/null +++ b/infrastructure/charts/agent/templates/deployment.yaml 
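Review bot: The `seed` generated by `cloudwalletsecret.yaml` is the agent's wallet root material (deployment.yaml mounts it as `WALLET_SEED`), yet nothing protects the resource from `helm uninstall` or a rollback that removes it; add `annotations: {helm.sh/resource-policy: keep}` under `metadata` and confirm whether the secret-generator propagates that to the generated Secret. `forceRegenerate: false` is the right setting and should carry a comment saying why (a regenerated seed orphans every key derived from the old one). `length: "128"` with `encoding: "hex"` is ambiguous to a reader — confirm whether that is 128 random bytes or a 128-character hex string, and say so in a comment. `namespace: {{ .Release.Namespace }}` is unquoted here while the sibling templates quote it.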
@@ -0,0 +1,137 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: prism-agent-server + namespace: "{{ .Release.Namespace }}" + labels: + {{ template "labels.common" . }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: prism-agent-server + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: prism-agent-server + {{ template "labels.common" . }} + spec: + imagePullSecrets: + - name: atala-prism-dev-deployments-github-docker-registry-key + initContainers: + - name: wait-postgress-ready + image: busybox + command: ['sh', '-c', "until nc -z {{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.{{.Release.Namespace}} 5432; do echo waiting for postgress-operator; sleep 2; done;"] + containers: + - name: prism-agent-server + image: "{{ .Values.server.image.repository }}/{{ .Values.server.image.tag }}:{{ .Values.server.image.version | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + resources: + {{- toYaml .Values.server.resources | nindent 12 }} + ports: + - containerPort: 8085 + - containerPort: 8090 + env: + - name: CASTOR_DB_HOST + value: "{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.{{.Release.Namespace}}" + - name: CASTOR_DB_PORT + value: "5432" + - name: CASTOR_DB_NAME + value: castor + - name: CASTOR_DB_USER + valueFrom: + secretKeyRef: + name: castor-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: username + optional: false + - name: CASTOR_DB_PASSWORD + valueFrom: + secretKeyRef: + name: castor-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: password + optional: false + - name: POLLUX_DB_HOST + value: "{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.{{.Release.Namespace}}" + - name: POLLUX_DB_PORT + value: "5432" + - name: POLLUX_DB_NAME + value: pollux + - 
name: POLLUX_DB_USER + valueFrom: + secretKeyRef: + name: pollux-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: username + optional: false + - name: POLLUX_DB_PASSWORD + valueFrom: + secretKeyRef: + name: pollux-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: password + optional: false + - name: CONNECT_DB_HOST + value: "{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.{{.Release.Namespace}}" + - name: CONNECT_DB_PORT + value: "5432" + - name: CONNECT_DB_NAME + value: connect + - name: CONNECT_DB_USER + valueFrom: + secretKeyRef: + name: connect-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: username + optional: false + - name: CONNECT_DB_PASSWORD + valueFrom: + secretKeyRef: + name: connect-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: password + optional: false + - name: AGENT_DB_HOST + value: "{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.{{.Release.Namespace}}" + - name: AGENT_DB_PORT + value: "5432" + - name: AGENT_DB_NAME + value: agent + - name: AGENT_DB_USER + valueFrom: + secretKeyRef: + name: agent-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: username + optional: false + - name: AGENT_DB_PASSWORD + valueFrom: + secretKeyRef: + name: agent-admin.{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster.credentials.postgresql.acid.zalan.do + key: password + optional: false + - name: DIDCOMM_SERVICE_URL + value: "https://{{ index .Values.ingress.applicationUrls 0 }}/prism-agent/didcomm" + - name: PRISM_NODE_HOST + value: {{ .Values.vdrManager.host | quote }} + - name: PRISM_NODE_PORT + value: {{ 
.Values.vdrManager.port | quote }} + {{- if .Values.server.devMode }} + - name: DEV_MODE + value: "true" + {{- else }} + - name: WALLET_SEED + valueFrom: + secretKeyRef: + name: prism-agent-server-wallet + key: seed + optional: false + {{- end }} + {{- if .Values.server.useVault }} + - name: VAULT_ADDR + value: "http://{{ .Release.Namespace }}-vault.{{ .Release.Namespace }}:8200" + - name: VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-root-token + key: root-token + optional: false + {{- end }} + {{- range $key, $value := .Values.server.additionalEnvVariables }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} diff --git a/infrastructure/charts/agent/templates/externalsecret.yaml b/infrastructure/charts/agent/templates/externalsecret.yaml new file mode 100644 index 0000000000..22ddc72a76 --- /dev/null +++ b/infrastructure/charts/agent/templates/externalsecret.yaml @@ -0,0 +1,20 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: "atala-prism-dev-deployments-github-docker-registry-key" + namespace: {{ .Release.Namespace }} + labels: + {{ template "labels.common" . }} +spec: + refreshInterval: "0" + secretStoreRef: + name: {{ .Values.secrets.secretStore }} + kind: ClusterSecretStore + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ `{{ .dockerconfigjson | b64dec }}` }}" + dataFrom: + - extract: + key: {{ .Values.secrets.dockerRegistryToken }} \ No newline at end of file diff --git a/infrastructure/charts/agent/templates/postgresql.yaml b/infrastructure/charts/agent/templates/postgresql.yaml new file mode 100644 index 0000000000..c35aba30c9 --- /dev/null +++ b/infrastructure/charts/agent/templates/postgresql.yaml 
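Review bot: `VAULT_TOKEN` in `deployment.yaml` is taken from the `vault-root-token` Secret, so the agent process runs with Vault's root token and anyone who can read Secrets in the namespace, or compromise the pod, holds full control of Vault. Prefer Vault's Kubernetes auth method (service-account JWT) with a policy scoped to the agent's paths, or at least a renewable non-root token; the same least-privilege concern applies to the four `*-admin` database credentials referenced here (see the note on postgresql.yaml). The init container uses an unpinned `image: busybox` and neither container sets a `securityContext`; pinning the tag and adding `runAsNonRoot: true` would be consistent with the pinned `vault-unseal` image elsewhere in the chart.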
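Review bot: `refreshInterval: "0"` in `externalsecret.yaml` makes the ExternalSecret sync once and never again, so if the value behind `.Values.secrets.dockerRegistryToken` is rotated in the store the pull secret goes stale and new pods fail to pull. Unless rotation is always accompanied by a redeploy, a periodic interval such as `refreshInterval: "1h"` is safer; if the once-only behaviour is intended, a comment saying so would help. `namespace: {{ .Release.Namespace }}` is unquoted here unlike the other templates.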
@@ -0,0 +1,36 @@ +apiVersion: "acid.zalan.do/v1" +kind: postgresql +metadata: + name: "{{ .Values.database.postgres.managingTeam }}-prism-agent-postgres-cluster" + namespace: {{ .Release.Namespace }} + labels: + {{ template "labels.common" . }} +spec: + teamId: "{{ .Values.database.postgres.managingTeam }}" + volume: + size: "{{ .Values.database.postgres.databaseSize }}" + numberOfInstances: {{ .Values.database.postgres.numberOfInstances }} + users: + castor-admin: + - superuser + - createdb + castor-application-user: [] + pollux-admin: + - superuser + - createdb + pollux-application-user: [] + connect-admin: + - superuser + - createdb + connect-application-user: [] + agent-admin: + - superuser + - createdb + agent-application-user: [] + databases: + castor: castor-admin + pollux: pollux-admin + connect: connect-admin + agent: agent-admin + postgresql: + version: "14" diff --git a/infrastructure/charts/agent/templates/service.yaml b/infrastructure/charts/agent/templates/service.yaml new file mode 100644 index 0000000000..47f9b74420 --- /dev/null +++ b/infrastructure/charts/agent/templates/service.yaml 
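Review bot: Every role the agent actually connects with (`castor-admin`, `pollux-admin`, `connect-admin`, `agent-admin`, per the `secretKeyRef` names in deployment.yaml) is granted `superuser` and `createdb`, while the `*-application-user` roles are declared with no privileges and referenced nowhere. A superuser database connection from the application turns any SQL injection or leaked credential into full control of the cluster, including the other tenants' databases. Have the deployment use the application users (with ownership or grants on their own database) and keep the admin roles for migrations, or drop the unused roles so the intent is clear.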
@@ -0,0 +1,58 @@ +apiVersion: v1 +kind: Service +metadata: + name: agent-server-tapir-service + namespace: "{{ .Release.Namespace }}" + labels: + app.kubernetes.io/name: prism-agent-server + app.kubernetes.io/service: prism-agent-server-main + {{ template "labels.common" . }} +spec: + selector: + app.kubernetes.io/name: prism-agent-server + ports: + - name: prism-agent-server-main + protocol: "TCP" + port: 8085 + targetPort: 8085 + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + name: agent-server-didcomm-service + namespace: "{{ .Release.Namespace }}" + labels: + app.kubernetes.io/name: prism-agent-server + app.kubernetes.io/service: prism-agent-server-didcomm + {{ template "labels.common" . }} +spec: + selector: + app.kubernetes.io/name: prism-agent-server + ports: + - name: prism-agent-server-didcomm + protocol: "TCP" + port: 8090 + targetPort: 8090 + type: ClusterIP + +--- + +{{- if .Values.ingress.enabled }} +kind: Service +apiVersion: v1 +metadata: + name: agent-domain-name-fake-service + namespace: "{{ .Release.Namespace }}" + annotations: + external-dns.alpha.kubernetes.io/hostname: "{{ join ", " .Values.ingress.applicationUrls }}" + labels: + app.kubernetes.io/name: prism-agent-server + app.kubernetes.io/service: agent-server-domain-name-fake + {{ template "labels.common" . }} +spec: + type: ExternalName + externalName: {{ .Values.ingress.platformIngressUrl }} +{{- end }} diff --git a/infrastructure/charts/agent/templates/stringsecret.yaml b/infrastructure/charts/agent/templates/stringsecret.yaml new file mode 100644 index 0000000000..5b79e3cb87 --- /dev/null +++ b/infrastructure/charts/agent/templates/stringsecret.yaml 
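Review bot: In the third Service of `service.yaml`, `externalName: {{ .Values.ingress.platformIngressUrl }}` is the only templated value in the file left unquoted; write `externalName: "{{ .Values.ingress.platformIngressUrl }}"` so an odd hostname cannot change the YAML type. The `agent-domain-name-fake-service` exists only to carry the `external-dns.alpha.kubernetes.io/hostname` annotation, which is not obvious from its name; a one-line comment above it, `# ExternalName stub so external-dns publishes applicationUrls as CNAMEs to the platform ingress`, would explain it.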
@@ -0,0 +1,20 @@ +{{- if .Values.ingress.enabled }} +{{- $root := . -}} +{{- range $consumer := .Values.consumers }} +apiVersion: "secretgenerator.mittwald.de/v1alpha1" +kind: StringSecret +metadata: + name: "{{ $root.Release.Namespace }}-{{ $consumer | lower }}" + namespace: {{ $root.Release.Namespace }} + labels: + {{ template "labels.common" . }} +spec: + forceRegenerate: false + data: + username: {{ $consumer | lower }} + fields: + - fieldName: "key" + encoding: "base64" + length: "32" +{{- end }} +{{- end }} \ No newline at end of file diff --git a/infrastructure/charts/agent/templates/vault-unseal.yaml b/infrastructure/charts/agent/templates/vault-unseal.yaml new file mode 100644 index 0000000000..dee5ae650f --- /dev/null +++ b/infrastructure/charts/agent/templates/vault-unseal.yaml @@ -0,0 +1,44 @@ +# https://github.com/omegion/vault-unseal/blob/master/examples/kubernetes/cronjob.yaml +{{- if .Values.server.useVault }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: vault-unseal-cronjob +spec: + schedule: "*/30 * * * *" + successfulJobsHistoryLimit: 3 + jobTemplate: + spec: + template: + metadata: + labels: + app: vault-unseal-cronjob + spec: + restartPolicy: OnFailure + containers: + - name: vault-unseal-cronjob + image: "ghcr.io/omegion/vault-unseal:v0.9.0" + imagePullPolicy: IfNotPresent + env: + - name: VAULT_UNSEAL_KEY_0 + valueFrom: + secretKeyRef: + name: vault-unseal-key-0 + key: unseal-key + - name: VAULT_UNSEAL_KEY_1 + valueFrom: + secretKeyRef: + name: vault-unseal-key-1 + key: unseal-key + - name: VAULT_UNSEAL_KEY_2 + valueFrom: + secretKeyRef: + name: vault-unseal-key-2 + key: unseal-key + args: + - unseal + - --address=http://{{ .Release.Namespace }}-vault.{{ .Release.Namespace }}:8200 + - --shard=$(VAULT_UNSEAL_KEY_0) + - --shard=$(VAULT_UNSEAL_KEY_1) + - --shard=$(VAULT_UNSEAL_KEY_2) +{{- end }} \ No newline at end of file 
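Review bot: `stringsecret.yaml` iterates `.Values.consumers`, but values.yaml defines the list as `ingress.consumers` and `apisixconsumer.yaml` iterates `.Values.ingress.consumers`, so no StringSecret is ever rendered and every ApisixConsumer's `secretRef` (`<namespace>-<consumer>`) points at a Secret that does not exist. Change the loop to `{{- range $consumer := .Values.ingress.consumers }}`. As in apisixconsumer.yaml, `{{ template "labels.common" . }}` inside the range should pass `$root` rather than the consumer string.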
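Review bot: `vault-unseal.yaml` stores all three unseal shards as Secrets (`vault-unseal-key-0` to `vault-unseal-key-2`) in the release namespace and feeds them to a CronJob every 30 minutes, which collapses Shamir's threshold to a single RBAC boundary: anyone who can read Secrets there holds the whole seal, and per deployment.yaml also the root token. Vault's auto-unseal with a cloud KMS avoids keeping shards in the cluster at all (values.yaml already carries the commented `seal "gcpckms"` example); if that is not available, the trust assumption should be documented at the top of this file next to the existing link. Minor: `successfulJobsHistoryLimit` is set but `failedJobsHistoryLimit` is not, and this is the only template that omits `namespace:` from `metadata`.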
diff --git a/infrastructure/charts/agent/values.yaml b/infrastructure/charts/agent/values.yaml new file mode 100644 index 0000000000..70db311663 --- /dev/null +++ b/infrastructure/charts/agent/values.yaml @@ -0,0 +1,84 @@ +ingress: + enabled: true + applicationUrls: + - chart-base-prism-stack.atalaprism.io + platformIngressUrl: chart-base-platform-ingress.atalaprism.io + cors: + enabled: true + allow_origins: "*" + consumers: [] + +secrets: + secretStore: chart-base-secretstore + dockerRegistryToken: chart-base-docker-registry-token + +server: + image: + repository: ghcr.io + pullPolicy: IfNotPresent + tag: input-output-hk/prism-agent + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 250m + memory: 512Mi + additionalEnvVariables: [] + devMode: false + useVault: true + +database: + postgres: + managingTeam: atala + databaseSize: 4Gi + numberOfInstances: 2 + +vdrManager: + host: chart-base-node-service + port: 50053 + +vault: + injector: + enabled: false + server: + standalone: + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + storage "file" { + path = "/vault/data" + } + + # Example configuration for using auto-unseal, using Google Cloud KMS. The + # GKMS keys must already exist, and the cluster must have a service account + # that is authorized to access GCP KMS. + #seal "gcpckms" { + # project = "vault-helm-dev" + # region = "global" + # key_ring = "vault-helm-unseal-kr" + # crypto_key = "vault-helm-unseal-key" + #} + + # Example configuration for enabling Prometheus metrics in your config. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + secrets { + enable = true + } + + path "secret/*" { + backend = "kv" + version = 2 + } 
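Review bot: `values.yaml` ships `tls_disable = 1` on the Vault listener and `cors.allow_origins: "*"` as defaults, and deployment.yaml sends `VAULT_TOKEN` to that listener over plain HTTP; both should either be tightened or carry a comment stating that they are intended only for the in-cluster dev deployment these values target. With `useVault: true` a fresh install expects the `vault-root-token` and `vault-unseal-key-*` Secrets to pre-exist, which is not stated anywhere; `# requires Secrets vault-root-token and vault-unseal-key-{0,1,2} in the release namespace` above `useVault` would save an install failure. Since `ingress.consumers: []` combined with `keyAuth` on `agent-route` leaves the main API unreachable until consumers are added, that key deserves a similar comment.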
From 0ba42e7e1056cf9c83b205b3128eaaafc7b32269 Mon Sep 17 00:00:00 2001 From: David Poltorak Date: Fri, 21 Jul 2023 17:05:12 +0100 Subject: [PATCH 2/8] chore: fixed new-lines at end of files, added release step to bump chart version --- .github/workflows/release.yml | 2 ++ infrastructure/charts/agent/templates/apisixtls.yaml | 2 +- infrastructure/charts/agent/templates/certificate.yaml | 2 +- infrastructure/charts/agent/templates/externalsecret.yaml | 2 +- infrastructure/charts/agent/templates/stringsecret.yaml | 2 +- infrastructure/charts/agent/templates/vault-unseal.yaml | 2 +- package.json | 6 ++++++ 7 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d850b5b863..527e6f8eda 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,6 +38,8 @@ jobs: uses: actions/setup-node@v3 with: node-version: "lts/*" + - name: Setup yq - portable yaml processor + uses: mikefarah/yq@v4.34.2 - uses: crazy-max/ghaction-import-gpg@v3 id: import_gpg with: diff --git a/infrastructure/charts/agent/templates/apisixtls.yaml b/infrastructure/charts/agent/templates/apisixtls.yaml index 565c47052d..d38dca4692 100644 --- a/infrastructure/charts/agent/templates/apisixtls.yaml +++ b/infrastructure/charts/agent/templates/apisixtls.yaml @@ -14,4 +14,4 @@ spec: secret: name: "prism-agent-base-path-secret" namespace: "{{ .Release.Namespace }}" -{{- end }} \ No newline at end of file +{{- end }} diff --git a/infrastructure/charts/agent/templates/certificate.yaml b/infrastructure/charts/agent/templates/certificate.yaml index 14f8df7a3c..4af02f1238 100644 --- a/infrastructure/charts/agent/templates/certificate.yaml +++ b/infrastructure/charts/agent/templates/certificate.yaml @@ -17,4 +17,4 @@ spec: {{- range .Values.ingress.applicationUrls }} - {{ . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
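Review bot: The new step `uses: mikefarah/yq@v4.34.2` in release.yml pins a third-party action to a mutable tag in the release workflow, which also holds a GPG import step; pin it to a full commit SHA with the tag as a comment, `uses: mikefarah/yq@<commit-sha> # v4.34.2`, as for any action that runs in a privileged workflow. If this is the Docker-based action, it runs yq inside a container for its own `cmd` input rather than installing yq on the runner, so please verify that the `yq -i` call added to package.json's `prepareCmd` actually finds a `yq` on PATH (the hosted runners may provide one independently of this step).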
diff --git a/infrastructure/charts/agent/templates/externalsecret.yaml b/infrastructure/charts/agent/templates/externalsecret.yaml index 22ddc72a76..39ced22be0 100644 --- a/infrastructure/charts/agent/templates/externalsecret.yaml +++ b/infrastructure/charts/agent/templates/externalsecret.yaml @@ -17,4 +17,4 @@ spec: .dockerconfigjson: "{{ `{{ .dockerconfigjson | b64dec }}` }}" dataFrom: - extract: - key: {{ .Values.secrets.dockerRegistryToken }} \ No newline at end of file + key: {{ .Values.secrets.dockerRegistryToken }} diff --git a/infrastructure/charts/agent/templates/stringsecret.yaml b/infrastructure/charts/agent/templates/stringsecret.yaml index 5b79e3cb87..879b682590 100644 --- a/infrastructure/charts/agent/templates/stringsecret.yaml +++ b/infrastructure/charts/agent/templates/stringsecret.yaml @@ -17,4 +17,4 @@ spec: encoding: "base64" length: "32" {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/infrastructure/charts/agent/templates/vault-unseal.yaml b/infrastructure/charts/agent/templates/vault-unseal.yaml index dee5ae650f..ba858f0c52 100644 --- a/infrastructure/charts/agent/templates/vault-unseal.yaml +++ b/infrastructure/charts/agent/templates/vault-unseal.yaml @@ -41,4 +41,4 @@ spec: - --shard=$(VAULT_UNSEAL_KEY_0) - --shard=$(VAULT_UNSEAL_KEY_1) - --shard=$(VAULT_UNSEAL_KEY_2) -{{- end }} \ No newline at end of file +{{- end }} diff --git a/package.json b/package.json index c1b1e98b48..f3f4a2bbf9 100644 --- a/package.json +++ b/package.json @@ -56,6 +56,12 @@ "prepareCmd": "sbt \"release release-version ${nextRelease.version} next-version ${nextRelease.version}-SNAPSHOT with-defaults\"" } ], + [ + "@semantic-release/exec", + { + "prepareCmd": "yq -i '.appVersion = \"${nextRelease.version}\"' ./infrastructure/charts/agent/Chart.yaml" + } + ] [ "@semantic-release/exec", { From a4327d75fbca1de96337175c1ae5fa2d206e6750 Mon Sep 17 00:00:00 2001 
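Review bot: The new `@semantic-release/exec` entry in package.json bumps only `.appVersion` in Chart.yaml, while the Chart.yaml introduced in PATCH 1/8 states that the chart `version` must be incremented whenever the app version changes, and chart repositories refuse to republish an unchanged `version`. Setting both in one pass, `yq -i '.appVersion = \"${nextRelease.version}\" | .version = \"${nextRelease.version}\"' ./infrastructure/charts/agent/Chart.yaml`, keeps the chart publishable. The closing `]` of the new entry also lacks the trailing `,` before the next array element, so this revision of package.json is not valid JSON (addressed later in this series).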
From: Anton Baliasnikov Date: Mon, 24 Jul 2023 11:51:21 +0100 Subject: [PATCH 3/8] chore: update megalinter version to 7.1.0 Signed-off-by: Anton Baliasnikov --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a3372307c5..1dd69f8e98 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -32,7 +32,7 @@ jobs: fetch-depth: 0 - name: Mega-Linter id: ml - uses: megalinter/megalinter@v6 + uses: megalinter/megalinter@v7.1.0 - name: Archive production artifacts if: success() || failure() uses: actions/upload-artifact@v3 From fe68898b2518fe32adb0941f4877817ca7c3c661 Mon Sep 17 00:00:00 2001 From: Anton Baliasnikov Date: Mon, 24 Jul 2023 12:04:10 +0100 Subject: [PATCH 4/8] chore: update package.json Co-authored-by: Moritz Angermann Signed-off-by: Anton Baliasnikov --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index f3f4a2bbf9..eb124ae408 100644 --- a/package.json +++ b/package.json @@ -61,7 +61,7 @@ { "prepareCmd": "yq -i '.appVersion = \"${nextRelease.version}\"' ./infrastructure/charts/agent/Chart.yaml" } - ] + ], [ "@semantic-release/exec", { From 32613e18a1aed959244edfc7410ede1c71fbae74 Mon Sep 17 00:00:00 2001 From: David Poltorak Date: Mon, 24 Jul 2023 12:44:57 +0100 Subject: [PATCH 5/8] ci: exclude helm-chart from yaml linter Signed-off-by: David Poltorak --- .mega-linter.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.mega-linter.yml b/.mega-linter.yml index 87d93756db..976e8c73db 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -46,3 +46,4 @@ PRE_COMMANDS: MARKDOWN_MARKDOWN_LINK_CHECK_FILTER_REGEX_EXCLUDE: "CHANGELOG.md" MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: "CHANGELOG.md" SQL_SQL_LINT_ARGUMENTS: -d postgres --ignore-errors=postgres-invalid-alter-option +YAML_YAMLLINT_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*" 
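Review bot: `YAML_YAMLLINT_FILTER_REGEX_EXCLUDE` takes a regular expression, not a glob, so `"infrastructure/charts/agent/*"` means "followed by zero or more slashes" and only works because the match is unanchored; `"infrastructure/charts/agent/"` says what is meant. The same applies to the two `*_FILTER_REGEX_EXCLUDE` lines added in PATCH 6/8. Since this leaves the chart directory with no linting at all, a `helm lint` (or render plus schema check) step in CI would restore some coverage without fighting yamllint over Go templates.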
From 06fee47cc1e3db0887a3bb0812dc21dc73a0a01c Mon Sep 17 00:00:00 2001 From: David Poltorak Date: Mon, 24 Jul 2023 12:57:36 +0100 Subject: [PATCH 6/8] ci: exclude from all yaml linters Signed-off-by: David Poltorak --- .mega-linter.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.mega-linter.yml b/.mega-linter.yml index 976e8c73db..a41c384f5f 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -47,3 +47,5 @@ MARKDOWN_MARKDOWN_LINK_CHECK_FILTER_REGEX_EXCLUDE: "CHANGELOG.md" MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: "CHANGELOG.md" SQL_SQL_LINT_ARGUMENTS: -d postgres --ignore-errors=postgres-invalid-alter-option YAML_YAMLLINT_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*" +YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*" +YAML_V8R_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*" From 5d871f4e60d455622253388cb36d0a22967cc25c Mon Sep 17 00:00:00 2001 From: David Poltorak Date: Mon, 24 Jul 2023 13:25:20 +0100 Subject: [PATCH 7/8] ci: disable kicks linter Signed-off-by: David Poltorak --- .mega-linter.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.mega-linter.yml b/.mega-linter.yml index a41c384f5f..19d0711041 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -10,6 +10,7 @@ DISABLE_LINTERS: [ REPOSITORY_TRIVY, REPOSITORY_CHECKOV, REPOSITORY_SECRETLINT, + REPOSITORY_KICS, SCALA_SCALAFIX, SQL_TSQLLINT, C_CPPLINT, # For pollux/lib/anoncreds/src/main/c From b5ad994a3b9c462f3e3a467cf47d5f8ecb229d20 Mon Sep 17 00:00:00 2001 From: David Poltorak Date: Mon, 24 Jul 2023 13:28:00 +0100 Subject: [PATCH 8/8] ci: add to linter change log Signed-off-by: David Poltorak --- docs/guides/linting.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/docs/guides/linting.md b/docs/guides/linting.md index 99e57a8a05..495eae719b 100644 --- a/docs/guides/linting.md +++ b/docs/guides/linting.md 
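Review bot: Adding `REPOSITORY_KICS` to `DISABLE_LINTERS` next to the already disabled `REPOSITORY_TRIVY`, `REPOSITORY_CHECKOV` and `REPOSITORY_SECRETLINT` leaves the repository with no infrastructure or secret scanning in the same series that introduces a Helm chart carrying Vault tokens, unseal shards and superuser database roles. If the finding volume is the problem, narrowing KICS via `REPOSITORY_KICS_ARGUMENTS` (path or severity filters) or excluding only the chart directory is preferable to turning it off repo-wide; at minimum the list entry should carry a comment with a tracking reference, `REPOSITORY_KICS, # disabled pending triage, see <tracking-issue>`.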
@@ -285,3 +285,35 @@ Linter - Suggested Change: Enabled but pass even with error *Change detail* OPENAPI_SPECTRAL generates lots of errors for files which are quite large and have been generated by the openapi generator which is going to be replaced with Tapir in future work. Suggest change to enable but pass even with error. Can be re enabled when files can be reviewed as a specific task / they get removed + +#### YAML_PRETTIER, YAML_LINT, YAML_V8R for helm-chart files + +Date Added: 2023-07-24 + +Author: David Poltorak + +Date Added: 2023-07-24 + +Linter - Current Status: Enabled + +Linter - Suggested Change: Disable + +*Change detail* + +YAML linters will fail on helm charts so excluding the folder for these linters + +#### kics (Keeping Infrastructure as Code Secure) + +Date Added: 2023-07-24 + +Author: David Poltorak + +Date Added: 2023-07-24 + +Linter - Current Status: Enabled + +Linter - Suggested Change: Disable + +*Change detail* + +Kics creates an error log consisting of thousands of review items. This is a new linter in a newer version of megalinter and needs to be reviewed before being enabled. \ No newline at end of file