opentdf · strantalis · Aug 14, 2024 · Aug 7, 2024 · Aug 10, 2024 · Aug 10, 2024
@@ -0,0 +1,49 @@
+# k3d configuration file, saved as e.g. /home/me/myk3dcluster.yaml
+apiVersion: k3d.io/v1alpha5 # this will change in the future as we make everything more stable
+kind: Simple # internally, we also have a Cluster config, which is not yet available externally
+metadata:
+  name: cluster # name that you want to give to your cluster (will still be prefixed with `k3d-`)
+# servers: 1 # same as `--servers 1`
+# agents: 2 # same as `--agents 2`
+network: platform-k3d
+kubeAPI: # same as `--api-port myhost.my.domain:6445` (where the name would resolve to 127.0.0.1)
+  hostIP: "0.0.0.0" # where the Kubernetes API will be listening on
+  hostPort: "6445" # where the Kubernetes API listening port will be mapped to on your host system
+ports:
+  - port: 80:80 # same as `--port '8080:80@loadbalancer'`
+    nodeFilters:
+      - loadbalancer
+  - port: 443:443 # same as `--port '8080:80@loadbalancer'`
+    nodeFilters:
+      - loadbalancer
+hostAliases: # /etc/hosts style entries to be injected into /etc/hosts in the node containers and in the NodeHosts section in CoreDNS
+  - ip: 10.255.127.1
+    hostnames: 
+      - keycloak.opentdf.local
+registries: # define how registries should be created or used
+  create: # creates a default registry to be used with the cluster; same as `--registry-create registry.localhost`
+    name: k3d.registry
+    host: "0.0.0.0"
+    hostPort: "5000"
+  # define contents of the `registries.yaml` file (or reference a file); same as `--registry-config /path/to/config.yaml`
+  config: |
+    mirrors:
+      "k3d.registry:5000":
+        endpoint:
+          - http://k3d.registry:5000
+options:
+  k3d: # k3d runtime settings
+    wait: true # wait for cluster to be usable before returning; same as `--wait` (default: true)
+    timeout: "60s" # wait timeout before aborting; same as `--timeout 60s`
+  k3s: # options passed on to K3s itself
+    extraArgs: # additional arguments passed to the `k3s server|agent` command; same as `--k3s-arg`
+      #      - arg: "--disable=traefik"
+      #        nodeFilters:
+      #          - server:*
+      - arg: "--prefer-bundled-bin"
+        nodeFilters:
+          - server:*
+          - agent:*
+  kubeconfig:
+    updateDefaultKubeconfig: true # add new cluster to your default Kubeconfig; same as `--kubeconfig-update-default` (default: true)
+    switchCurrentContext: true # also set current-context to the new cluster's context; same as `--kubeconfig-switch-context` (default: true)
@@ -0,0 +1,79 @@
+name: Helm Chart Checks
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  platform_unit:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+        with:
+          cache-dependency-path: |
+            tests/go.sum
+      - run: go test -short ./
+        working-directory: tests
+  platform_integration:
+    strategy:
+      matrix:
+        k3s_image: ["latest", "v1.28.12-k3s1","v1.27.16-k3s1","v1.26.15-k3s1"]
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+        with:
+          repository: opentdf/otdfctl
+          path: otdfctl
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+        with:
+          repository: opentdf/platform
+          path: platform
+          sparse-checkout: |
+            service/cmd/keycloak_data.yaml
+          sparse-checkout-cone-mode: false
+      - run: |
+          sed -e "s/http:\/\/localhost:8888/https:\/\/keycloak.opentdf.local/g" platform/service/cmd/keycloak_data.yaml -i
+          cat platform/service/cmd/keycloak_data.yaml
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+        with:
+          cache-dependency-path: |
+            tests/go.sum
+            otdfctl/go.sum
+      - name: "Build otdfctl"
+        run: |
+          mkdir -p $HOME/.local/bin
+          go build -o $HOME/.local/bin/otdfctl .
+        working-directory: otdfctl
+      - uses: bats-core/bats-action@472edde1138d59aca53ff162fb8d996666d21e4a
+      - name: "Install mkcert"
+        run: go install filippo.io/mkcert@2a46726cebac0ff4e1f133d90b4e4c42f1edf44a
+      - run: |
+          mkcert -install
+          mkcert -cert-file tls.crt -key-file tls.key opentdf.local keycloak.opentdf.local platform.opentdf.local
+      - name: "Download k3d"
+        id: "download-k3d"
+        shell: bash
+        env:
+          K3D_VERSION: "v5.7.3"
+          K3D_SHA256SUM: "0fe23b8c0a151e9c41d16f9d861be26df65e5ab7f35115424220aad5a83c566b"
+        run: |
+          curl -sSLO "https://github.com/k3d-io/k3d/releases/download/${K3D_VERSION}/k3d-linux-amd64"
+          echo "${K3D_SHA256SUM}  k3d-linux-amd64" | sha256sum -c --quiet --strict
+          chmod +x k3d-linux-amd64
+          mkdir -p $HOME/.local/bin
+          mv ./k3d-linux-amd64 "$HOME/.local/bin/k3d"
+
+          k3d version
+      - name: "Create k3d cluster"
+        id: "create-k3d-cluster"
+        run: |
+          echo "127.0.0.1 platform.opentdf.local keycloak.opentdf.local" | sudo tee -a /etc/hosts
+          echo "127.0.0.1 k3d.registry" | sudo tee -a /etc/hosts
+          docker network create platform-k3d --subnet 10.255.127.0/24 --ip-range 10.255.127.192/26 --gateway 10.255.127.1
+          k3d cluster create --config ".github/k3d-config.yaml" --image "rancher/k3s:${{ matrix.k3s_image }}" --wait --timeout 60s
+          sleep 30 # wait for the cluster to be ready
+      - run: go test ./
+        working-directory: tests
@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.2.4
+  version: 15.5.21
 - name: keycloak
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 21.0.3
-digest: sha256:6ef4a57275edd84099476b12b23bcb5cda473f35d7d63921671b29ce9028f132
-generated: "2024-04-25T08:22:33.368962-04:00"
+  version: 22.1.1
+digest: sha256:7741275ddf6e8a40e63aea3765e9b5cc083f97886bb3cde6280b206ea6726d86
+generated: "2024-08-13T18:33:44.875096-04:00"
@@ -28,10 +28,10 @@ maintainers:
 
 dependencies:
   - name: postgresql
-    version: 15.2.4
+    version: 15.5.21
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: playground
   - name: keycloak
-    version: 21.0.3
+    version: 22.1.1
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: playground
@@ -1,6 +1,6 @@
 # platform
 
-![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: nightly](https://img.shields.io/badge/AppVersion-nightly-informational?style=flat-square)
+![Version: 0.6.2](https://img.shields.io/badge/Version-0.6.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: nightly](https://img.shields.io/badge/AppVersion-nightly-informational?style=flat-square)
 
 A Helm Chart for OpenTDF Platform
 
@@ -230,8 +230,8 @@ realms:
 
 | Repository | Name | Version |
 |------------|------|---------|
-| oci://registry-1.docker.io/bitnamicharts | keycloak | 21.0.3 |
-| oci://registry-1.docker.io/bitnamicharts | postgresql | 15.2.4 |
+| oci://registry-1.docker.io/bitnamicharts | keycloak | 22.1.1 |
+| oci://registry-1.docker.io/bitnamicharts | postgresql | 15.5.21 |
 
 ## Values
 
@@ -279,12 +279,13 @@ realms:
 | keycloak.keycloakConfigCli.configuration."opentdf.json" | string | `"{\n  \"realm\":\"opentdf\",\n  \"enabled\": true,\n  \"clients\": []\n}\n"` |  |
 | keycloak.keycloakConfigCli.enabled | bool | `true` |  |
 | keycloak.postgresql.enabled | bool | `false` |  |
-| keycloak.proxy | string | `"edge"` |  |
+| keycloak.proxyHeaders | string | `"xforwarded"` |  |
 | keycloak.tls.autoGenerated | bool | `true` |  |
 | keycloak.tls.enabled | bool | `true` |  |
 | logger.level | string | `"info"` | The platform log level ( debug, info, warn, error ) |
 | logger.output | string | `"stdout"` | The platform log output |
 | logger.type | string | `"json"` | The platform log format ( json, text ) |
+| mode | string | `"all"` | Mode defines the set of services to run (all, core, kas). Example mode: core,kas |
 | nameOverride | string | `""` | Overrides the chart name |
 | nodeSelector | object | `{}` | Target specific nodes in the cluster |
 | playground | bool | `false` |  |
@@ -302,13 +303,22 @@ realms:
 | postgresql.tls.enabled | bool | `true` |  |
 | replicaCount | int | `1` | The number of Platform pods to run |
 | resources | object | `{}` | Resources to allocate to the container |
+| sdk_config.clientid | string | `""` | Oauth2 Client Id |
+| sdk_config.clientsecret | string | `""` | Oauth2 Client Secret |
+| sdk_config.endpoint | string | `""` | The core platform endpoint |
+| sdk_config.existingSecret | object | `{"key":"","name":""}` | Oauth2 Client Secret Kubernetes Secret |
+| sdk_config.existingSecret.key | string | `""` | The key in the secret containing the client secret |
+| sdk_config.existingSecret.name | string | `""` | The kubernetes secret containing the client secret |
+| sdk_config.plaintext | bool | `false` | Plaintext Insecure Connection |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | The container security context (https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | server.auth.audience | string | `"http://localhost:8080"` | Audience of provided by the identity provider |
+| server.auth.dpopskew | string | `"1h"` | The amount of drift allowed between the server and the client for the DPoP Proof Token |
 | server.auth.issuer | string | `"http://platform-keycloak/realms/opentdf"` | Identity provider issuer |
 | server.auth.policy.claim | string | `nil` |  |
 | server.auth.policy.csv | string | `nil` |  |
 | server.auth.policy.default | string | `nil` |  |
 | server.auth.policy.map | string | `nil` |  |
+| server.auth.skew | string | `"1m"` | The amount of drift allowed between the server and the client for the Access Token |
 | server.cors.allowcredentials | bool | `true` | Allow credentials |
 | server.cors.allowedheaders | list | `["Accept","Authorization","Content-Type","X-CSRF-Token","X-Request-ID"]` | The allowed request headers |
 | server.cors.allowedmethods | list | `["GET","POST","PUT","DELETE","OPTIONS"]` | The allowed request methods |
@@ -331,22 +341,18 @@ realms:
 | serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| services.authorization.clientid | string | `nil` | Client id for the external entity store |
-| services.authorization.clientsecret | string | `nil` | Client secret for the external entity store |
-| services.authorization.enabled | bool | `true` | Authorization service enabled |
-| services.authorization.ersurl | string | `"http://localhost:9000/entityresolution/resolve"` | External entity store (currently only keycloak is supported) |
-| services.authorization.tokenendpoint | string | `nil` | Oauth2 Server Token Endpoint  |
+| services.authorization | object | `{}` |  |
 | services.entityresolution.clientid | string | `nil` | Client Id for Entity Resolver |
 | services.entityresolution.clientsecret | string | `nil` | Client Secret for Entity Resolver |
-| services.entityresolution.enabled | bool | `false` | Entity Resolver service enabled |
 | services.entityresolution.realm | string | `nil` | Entity Resolver Realm |
 | services.entityresolution.subgroups | bool | `false` | Subgroups  |
 | services.entityresolution.url | string | `nil` | Identity Provider Entity Resolver |
 | services.extraServices | object | `{}` | Additional services |
-| services.kas.config | object | `{"enabled":true,"keyring":[{"alg":"ec:secp256r1","kid":"e1"},{"alg":"rsa:2048","kid":"r1"}]}` | KAS service Configuration as yaml |
-| services.kas.config.enabled | bool | `true` | KAS service enabled |
+| services.kas.config | object | `{"keyring":[{"alg":"ec:secp256r1","kid":"e1"},{"alg":"rsa:2048","kid":"r1"}]}` | KAS service Configuration as yaml |
 | services.kas.config.keyring | list | `[{"alg":"ec:secp256r1","kid":"e1"},{"alg":"rsa:2048","kid":"r1"}]` | Default keys for clients to use |
 | services.kas.privateKeysSecret | string | `"kas-private-keys"` | KAS secret containing keys kas-private.pem , kas-cert.pem , kas-ec-private.pem , kas-ec-cert.pem |
 | tolerations | list | `[]` | Tolerations to apply to the pod (https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| volumeMountTemplate | string | `"platform.volumeMountsEmpty.tpl"` | Add ability for downstream chart to merge additional volumeMounts |
 | volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. |
+| volumeTemplate | string | `"platform.volumesEmpty.tpl"` | Add ability for downstream chart to merge additional volumes |
 | volumes | list | `[]` | Additional volumes on the output Deployment definition. |
@@ -73,4 +73,37 @@ Create the name of the service account to use
 
 {{- define "platform.envVarPrefix" -}}
 {{- printf "%s" ( .Values.configFileKey | default "opentdf" | upper ) }}
+{{- end -}}
+
+{{- define "sdk_config.validate" -}}
+{{- if and ( .Values.sdk_config.clientsecret) ( .Values.sdk_config.existingSecret.name) ( .Values.sdk_config.existingSecret.key)}}
+{{- fail "You cannot set both clientsecret and existingSecret in sdk_config." }}
+{{- end -}}
+{{- end -}}
+
+{{- /*
+platform.util.merge will merge two YAML templates and output the result.
+This takes an array of three values:
+- the top context
+- the template name of the overrides (destination)
+- the template name of the base (source)
+*/ -}}
+{{- define "platform.util.merge.list" -}}
+{{- $top := first . -}}
+{{- $filterKey := (index . 1) }}
+{{- $overrides := fromYaml (include (index . 2) $top) | default (dict) -}}
+{{- $tpl := fromYaml (include (index . 3) $top) | default (dict) -}}
+
+{{- $mergedList := index $tpl $filterKey | default (list) -}}
+
+{{- range $key, $values := $overrides -}}
+  {{- if kindIs "slice" $values }}
+    {{- range $key2, $value := $values }}
+        {{- $mergedList = append $mergedList $value -}}
+    {{- end }}
+  {{- end -}}
+{{- end -}}
+
+{{- (dict $filterKey $mergedList) | toYaml }}
+
 {{- end -}}
@@ -0,0 +1,64 @@
+{{ define "platform.volumesEmpty.tpl" }}
+{{ end }}
+{{ define "platform.volumes.tpl" }}
+volumes:
+  - name: config
+    configMap:
+      name: {{ include "chart.fullname" . }}
+  {{- if or (contains "all" .Values.mode) (contains "kas" .Values.mode) }}
+  - name: kas-private-keys
+    secret:
+      secretName: {{ .Values.services.kas.privateKeysSecret }}
+    {{- if .Values.server.tls.enabled }}
+  {{- end }}
+  - name: tls
+    secret:
+      secretName: {{ .Values.server.tls.secret | default (printf "%s-tls" (include "chart.fullname" .)) }}
+    {{- end }}
+    {{- if or (and .Values.playground .Values.keycloak.ingress.enabled .Values.keycloak.ingress.tls) .Values.server.tls.additionalTrustedCerts }}
+  - name: trusted-certs
+    projected:
+      sources:
+      {{- if and .Values.playground .Values.keycloak.ingress.enabled .Values.keycloak.ingress.tls }}
+        - secret:
+            name: {{ .Values.keycloak.ingress.hostname }}-tls # If the fullnameOverride is set, this will break
+            optional: false
+            items:
+              - key: ca.crt
+                path: kc-ca.crt
+        {{- end -}}
+        {{- with .Values.server.tls.additionalTrustedCerts }}
+        {{- toYaml . | nindent 12 }}
+        {{- end }}
+    {{- end }}
+  {{- with .Values.volumes }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{ end }}
+
+
+{{ define "platform.volumeMountsEmpty.tpl" }}
+{{ end }}
+
+{{ define "platform.volumeMounts.tpl" }}
+volumeMounts:
+  - name: config
+    readOnly: true
+    mountPath: /etc/platform/config
+  {{- if or (contains "all" .Values.mode ) (contains "kas" .Values.mode) }}
+  - name: kas-private-keys
+    readOnly: true
+    mountPath: /etc/platform/kas
+  {{- end }}
+  - name: trusted-certs
+    readOnly: true
+    mountPath: /etc/ssl/certs/platform
+  {{- if .Values.server.tls.enabled }}
+  - name: tls
+    readOnly: true
+    mountPath: /etc/platform/certs
+  {{- end -}}
+  {{- with .Values.volumeMounts }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{ end }}
@@ -1,3 +1,4 @@
+{{ include "sdk_config.validate" . }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -12,13 +13,27 @@ data:
     db:
       {{- omit .Values.db "password" | toYaml | nindent 6 }}
       password: # loaded from env
+    mode: {{ .Values.mode | quote }}
+    sdk_config:
+      endpoint: {{ .Values.sdk_config.endpoint | quote }}
+      plaintext: {{ .Values.sdk_config.plaintext }}
+      clientid: {{ .Values.sdk_config.clientid | quote }}
+      {{- if .Values.sdk_config.clientsecret }}
+      clientsecret: {{ .Values.sdk_config.clientsecret | quote }}
+      {{- end }}
     services:
+      {{- if or (contains .Values.mode "all") (contains .Values.mode "core") }}
       entityresolution: 
         {{- .Values.services.entityresolution | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if or (contains .Values.mode "all") (contains .Values.mode "core") (contains .Values.mode "kas") }}
       kas:
         {{- .Values.services.kas.config | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if or (contains .Values.mode "all") (contains .Values.mode "core") }}
       authorization:
         {{- .Values.services.authorization | toYaml | nindent 8 }}
+      {{- end }}
       {{- with .Values.services.extraServices }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
@@ -47,4 +62,4 @@ data:
         enabled: true
         {{- .Values.server.auth | toYaml | nindent 8 }}
       cryptoProvider:
-        {{- .Values.server.cryptoProvider | toYaml | nindent 8 }}
+        {{- .Values.server.cryptoProvider | toYaml | nindent 8 }}