Merge pull request #3 from at88mph/security-fixes

fix: add science portal chart

helm/applications/science-portal/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*-values.yaml

helm/applications/science-portal/CHANGELOG.md

@@ -0,0 +1,27 @@
+# CHANGELOG for Science Portal UI (Chart 0.5.0)
+
+## 2024.12.11 (0.5.0)
+- Added support for `securityContext`
+- Added support to rename application to change endpoint (`applicationName`)
+
+## 2024.12.04 (0.4.0)
+- Select by project enabled to constrain images in pull-down menu
+- Add Advanced tab to enable proprietary image support
+
+## 2024.09.05 (0.2.11)
+- Fix screen blanking when image selection not yet loaded
+- Remove all (or most) warnings in Browser Console
+
+## 2024.06.24 (0.2.7)
+- Fix to use tokens for APIs on a different host.
+
+## 2023.12.11 (0.2.2)
+- OpenID Connect login support
+
+## 2023.11.25 (0.1.2)
+- Properly report a missing configuration for a Skaha API
+- Application version correction to make in line with `main` branch
+
+## 2023.11.02 (0.1.1)
+- Fix remote registry lookup from JavaScript in favor of server side processing (Bug)
+- Code cleanup

helm/applications/science-portal/Chart.yaml

@@ -0,0 +1,32 @@
+apiVersion: v2
+name: scienceportal
+description: "A Helm chart to install the Science Portal UI"
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.5.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.5.3"
+
+dependencies:
+  - name: "redis"
+    version: "^18.19.0"
+    repository: "oci://registry-1.docker.io/bitnamicharts"
+  - name: "utils"
+    version: "^0.1.0"
+    repository: "file://../utils"

helm/applications/science-portal/README.md

@@ -0,0 +1,116 @@
+# Helm Chart for the Science Portal user interface
+
+See the [Deployment Guide](../README.md) for a better idea of the underlying APIs.
+
+## Dependencies
+
+- An existing Kubernetes cluster.
+- An IVOA Registry (See the [Current SKAO Registry](https://spsrc27.iaa.csic.es/reg))
+- A working Science Platform system
+
+## Install
+
+The Science Portal is a Single Page Application (SPA) with a rich Javascript client and DOM manager.  It uses React to power the various Dashboard elements, and is configurable for different OpenID Providers (OIdP).
+
+### Minimum Helm configuration
+
+See the full set of options in the [values.yaml](https://github.com/opencadc/science-platform/blob/SP-3544/deployment/helm/science-portal/values.yaml).  The deployed Redirect URI (`redirect_uri`) is `/science-portal/oidc-callback`, which handles
+receiving the `code` as part of the authorization code flow, and obtaining a token to put into a cookie.
+
+`my-science-portal-local-values-file.yaml`
+```yaml
+# @param securityContext - Optional security context for the container.  This is a security feature to restrict system calls.
+# securityContext: {}
+#
+# Example:
+# securityContext:
+#   seccompProfile:
+#     type: RuntimeDefault
+
+# @param applicationName - The name of the application.  This will rename the underlying WAR file, thus changing the endpoint.  Defaults to science-portal.
+# applicationName: science-portal
+
+deployment:
+  hostname: example.com # Change this!
+  sciencePortal:
+    # OIDC (IAM) server configuration.  These are required
+    oidc:
+      # Location of the OpenID Provider (OIdP), and where users will login
+      uri: https://ska-iam.stfc.ac.uk/
+
+      # The Client ID as listed on the OIdP.  Create one at the uri above.
+      clientID: 
+
+      # The Client Secret, which should be generated by the OIdP.
+      clientSecret: 
+
+      # Where the OIdP should send the User after successful authentication.  This is also known as the redirect_uri in OpenID.  This URI NEEDS
+      redirectURI: https://example.com/science-portal/oidc-callback
+
+      # Where to redirect to after the redirectURI callback has completed.  This will almost always be the URL to the /science-portal main page (https://example.com/science-portal).
+      callbackURI: https://example.com/science-portal/
+
+      # The standard OpenID scopes for token requests.  This is required, and if using the SKAO IAM, can be left as-is.
+      scope: "openid profile offline_access"
+
+    # Optionally mount a custom CA certificate
+    # extraVolumeMounts:
+    # - mountPath: "/config/cacerts"
+    #   name: cacert-volume
+
+    # Create the CA certificate volume to be mounted in extraVolumeMounts
+    # extraVolumes:
+    # - name: cacert-volume
+    #   secret:
+    #     defaultMode: 420
+    #     secretName: science-portal-cacert-secret
+
+    # The Resource ID of the Service that contains the URL of the Skaha service in the IVOA Registry
+    skahaResourceID: ivo://example.org/skaha
+
+    # Array of tab labels from left to right.  There are two supported tabs currently: Public (Standard) and Private (Advanced)
+    # Recommended is Standard and Advanced, but you do you.
+    # Example:
+    #
+    # tabLabels:
+    #   - Standard
+    #   - Advanced
+    #
+    tabLabels: []
+
+    # Theme to use
+    themeName: src
+
+    # The logo in the top left.  No link associated, just the image.  This can be relative, or absolute.
+    # Default is the SRCNet Logo.
+    # logoURL: /science-portal/images/SRCNetLogo.png
+
+# secrets:
+  # Uncomment to enable local or self-signed CA certificates for your domain to be trusted.
+  # science-portal-cacert-secret:
+    # ca.crt: <base64 encoded ca.crt blob>
+```
+
+### Run with configured values
+
+```bash
+helm repo update
+
+helm install -n skaha-system --values my-science-portal-local-values-file.yaml scienceportal science-platform/scienceportal
+
+Release "scienceportal" has been installed. Happy Helming!
+NAME: scienceportal
+LAST DEPLOYED: Thu Oct 19 11:59:15 2023
+NAMESPACE: skaha-system
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+```
+
+## Authentication & Authorization
+
+A&A is handle by caching the Token Set server side and issuing a cookie to the browser to enable secure retrieval.  See the [Application Authentication Documentation](../../../docs/authentication/).
+
+## Endpoints
+
+The system will be available at the `/science-portal` endpoint, (i.e. https://example.com/science-portal).  Authenticating to the system is mandatory.

helm/applications/science-portal/config/cadc-log.properties

@@ -0,0 +1,3 @@
+{{- range $val := .Values.deployment.sciencePortal.loggingGroups }}
+group = {{ $val }}
+{{- end }}

helm/applications/science-portal/config/cadc-registry.properties

@@ -0,0 +1,22 @@
+#
+# local authority map
+#
+# <base standardID> = <authority>
+
+ivo://ivoa.net/std/GMS#search-1.0 = {{ .Values.deployment.sciencePortal.gmsID | required "Set the deployment.sciencePortal.gmsID value to the GMS service URI" }}
+ivo://ivoa.net/std/GMS#users-1.0 = {{ .Values.deployment.sciencePortal.gmsID }}
+ivo://ivoa.net/std/UMS#users-0.1 = {{ .Values.deployment.sciencePortal.gmsID }}
+ivo://ivoa.net/std/UMS#users-1.0 = {{ .Values.deployment.sciencePortal.gmsID }}
+ivo://ivoa.net/sso#tls-with-password = {{ .Values.deployment.sciencePortal.gmsID }}
+{{- if .Values.deployment.sciencePortal.oidc }}
+ivo://ivoa.net/sso#OAuth = {{ .Values.deployment.sciencePortal.oidc.uri }}
+ivo://ivoa.net/sso#OpenID = {{ .Values.deployment.sciencePortal.oidc.uri }}
+{{- else }}
+ivo://ivoa.net/sso#OAuth = {{ .Values.deployment.sciencePortal.gmsID }}
+ivo://ivoa.net/sso#OpenID = {{ .Values.deployment.sciencePortal.gmsID }}
+{{- end }}
+
+# Ignore this, it's only here to satisfy the availability check.
+ivo://ivoa.net/std/CDP#proxy-1.0 = ivo://cadc.nrc.ca/cred
+
+ca.nrc.cadc.reg.client.RegistryClient.baseURL = {{ .Values.deployment.sciencePortal.registryURL | required "Set the deployment.sciencePortal.registryURL value to the Registry URL" }}

helm/applications/science-portal/config/catalina.properties

@@ -0,0 +1,7 @@
+tomcat.connector.scheme=https
+tomcat.connector.proxyName={{ .Values.deployment.hostname }}
+tomcat.connector.proxyPort=443
+ca.nrc.cadc.auth.PrincipalExtractor.enableClientCertHeader=true
+ca.nrc.cadc.util.Log4jInit.messageOnly=true
+# (default: ca.nrc.cadc.auth.NoOpIdentityManager)
+ca.nrc.cadc.auth.IdentityManager={{ .Values.deployment.sciencePortal.identityManagerClass }}

helm/applications/science-portal/config/org.opencadc.science-portal.properties

@@ -0,0 +1,29 @@
+org.opencadc.science-portal.sessions.resourceID = {{ .Values.deployment.sciencePortal.skahaResourceID }}
+org.opencadc.science-portal.sessions.standard = vos://cadc.nrc.ca~vospace/CADC/std/Proc#sessions-1.0
+org.opencadc.science-portal.logoURL = {{ .Values.deployment.sciencePortal.logoURL }}
+org.opencadc.science-portal.themeName = {{ .Values.deployment.sciencePortal.themeName | required "Please set the deployment.sciencePortal.themeName to either src or canfar" }}
+
+{{- if empty .Values.deployment.sciencePortal.tabLabels }}
+  {{ required ".Values.deployment.sciencePortal.tabLabels is missing or empty" .Values.deployment.sciencePortal.tabLabels }}
+{{- else }}
+  org.opencadc.science-portal.tabLabels = {{ .Values.deployment.sciencePortal.tabLabels | join "," }}
+{{- end }}
+
+{{- with .Values.deployment.sciencePortal.oidc }}
+org.opencadc.science-portal.oidc.clientID = {{ .clientID }}
+
+{{ if .existingSecretName -}}
+  {{- $existingSecretName := .existingSecretName -}}
+  {{- $namespace := .Values.skaha.namespace -}}
+  {{- $clientSecret := include "getSecretKeyValue" (list $existingSecretName "clientSecret" $namespace) -}}
+org.opencadc.science-portal.oidc.clientSecret = {{ $clientSecret }}
+{{- else -}}
+org.opencadc.science-portal.oidc.clientSecret = {{ .clientSecret }}
+{{- end }}
+
+org.opencadc.science-portal.oidc.callbackURI = {{ .callbackURI }}
+org.opencadc.science-portal.oidc.redirectURI = {{ .redirectURI }}
+org.opencadc.science-portal.oidc.scope = {{ .scope }}
+{{- end }}
+
+org.opencadc.science-portal.tokenCache.url = redis://{{ $.Release.Name }}-redis-master.{{ $.Values.skaha.namespace }}.svc.{{ $.Values.kubernetesClusterDomain }}:6379

helm/applications/science-portal/config/war-rename.conf

@@ -0,0 +1,3 @@
+{{ with .Values.applicationName -}}
+mv science-portal.war {{ . }}.war
+{{- end }}

helm/applications/science-portal/templates/science-portal-config-configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: science-portal-config
+  namespace: {{ .Values.skaha.namespace }}
+data:
+{{ tpl (.Files.Glob "config/*").AsConfig . | indent 2 }}
+{{- include "utils.extraConfig" (dict "extraConfigData" .Values.deployment.sciencePortal.extraConfigData) -}}

helm/applications/science-portal/templates/science-portal-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: science-portal-ingress
+  namespace: {{ .Values.skaha.namespace }}
+  annotations:
+    spec.ingressClassName: traefik
+spec:
+  rules:
+  - host: {{ .Values.deployment.hostname }}
+    http:
+      paths:
+      - path: /science-portal
+        pathType: Prefix
+        backend:
+          service:
+            name: science-portal-tomcat-svc
+            port:
+              number: 8080

helm/applications/science-portal/templates/science-portal-secrets.yaml

@@ -0,0 +1,13 @@
+{{- range $secretIndex, $secretName := .Values.secrets }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretIndex }}
+  namespace: {{ $.Values.skaha.namespace }}
+type: Opaque
+data:
+  {{- range $certKey, $certValue := . }}
+    {{ $certKey }}: {{ $certValue | quote }}
+  {{- end }}
+{{- end }}

helm/applications/science-portal/templates/science-portal-tomcat-deployment.yaml

@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: science-portal-tomcat
+  name: science-portal-tomcat
+  namespace: {{ .Values.skaha.namespace }}
+spec:
+  replicas: {{ default 1 .Values.replicaCount }}
+  selector:
+    matchLabels:
+      run: science-portal-tomcat
+  template:
+    metadata:
+      labels:
+        run: science-portal-tomcat
+    spec:
+      {{- with .Values.deployment.sciencePortal.nodeAffinity }}
+      affinity:
+        nodeAffinity:
+          {{- toYaml . | nindent 10 }}
+      {{- end }}
+      {{- with .Values.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      imagePullSecrets:
+        - name: regcred
+      containers:
+      - image: {{ .Values.deployment.sciencePortal.image }}
+        imagePullPolicy: {{ .Values.deployment.sciencePortal.imagePullPolicy }}
+        name: science-portal-tomcat
+        resources:
+          requests:
+            memory: {{ .Values.deployment.sciencePortal.resources.requests.memory }}
+            cpu: {{ .Values.deployment.sciencePortal.resources.requests.cpu }}
+          limits:
+            memory: {{ .Values.deployment.sciencePortal.resources.limits.memory }}
+            cpu: {{ .Values.deployment.sciencePortal.resources.limits.cpu }}
+        ports: 
+        - containerPort: 8080
+          protocol: TCP
+        {{- with .Values.deployment.sciencePortal.extraPorts }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        volumeMounts: 
+        - mountPath: "/config"
+          name: config-volume
+        {{- with .Values.deployment.sciencePortal.extraVolumeMounts }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+        {{- if .Values.deployment.sciencePortal.extraEnv }}
+        env:
+        {{- with .Values.deployment.sciencePortal.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- end }}
+    {{- range $extraHost := .Values.deployment.extraHosts }}
+      hostAliases:
+        - ip: {{ $extraHost.ip }}
+          hostnames:
+            - {{ $extraHost.hostname }}
+    {{- end }}
+      volumes:
+      - name: config-volume
+        configMap:
+          name: science-portal-config
+      {{- with .Values.deployment.sciencePortal.extraVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}