
Merge pull request #2 from at88mph/security-fixes
fix: add posix mapper chart with extra security context support
at88mph authored Dec 11, 2024
2 parents 16abaa2 + 86c13c7 commit 618c1f7
Showing 16 changed files with 412 additions and 0 deletions.
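--- a/helm/applications/posix-mapper/.helmignore
+++ b/helm/applications/posix-mapper/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*-values.yaml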
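--- a/helm/applications/posix-mapper/CHANGELOG.md
+++ b/helm/applications/posix-mapper/CHANGELOG.md
@@ -0,0 +1,12 @@
+# CHANGELOG for POSIX Mapper (Chart 0.2.0)
+
+## 2024.12.11 (0.2.0)
+- Added support for `securityContext`
+- Added support to rename application to change endpoint
+- Small fixes and error reporting
+
+## 2023.11.02 (0.1.8)
+- Swagger documentation fix (Bug)
+- Properly authenticate Bearer tokens (Improvement)
+- Now supports setting the `gmsID` and `oidcURI` configurations (was hard-coded to SKAO)
+- Code cleanup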
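--- a/helm/applications/posix-mapper/Chart.yaml
+++ b/helm/applications/posix-mapper/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: posixmapper
+description: "A Helm chart to install the UID/GID POSIX Mapper"
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.2.1"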
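--- a/helm/applications/posix-mapper/config/cadc-registry.properties
+++ b/helm/applications/posix-mapper/config/cadc-registry.properties
@@ -0,0 +1,16 @@
+#
+# local authority map
+#
+# <base standardID> = <authority>
+
+ivo://ivoa.net/std/GMS#search-1.0 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/std/GMS#users-1.0 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/std/UMS#users-0.1 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/std/UMS#users-1.0 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/sso#OAuth = {{ .Values.deployment.posixMapper.oidcURI | required "Please ensure deployment.posixMapper.oidcURI is set." }}
+ivo://ivoa.net/sso#OpenID = {{ .Values.deployment.posixMapper.oidcURI | required "Please ensure deployment.posixMapper.oidcURI is set." }}
+
+http://www.opencadc.org/std/posix#group-mapping-0.1 = {{ .Values.deployment.posixMapper.resourceID | required "Please ensure deployment.posixMapper.resourceID is set." }}
+http://www.opencadc.org/std/posix#user-mapping-0.1 = {{ .Values.deployment.posixMapper.resourceID | required "Please ensure deployment.posixMapper.resourceID is set." }}
+
+ca.nrc.cadc.reg.client.RegistryClient.baseURL = {{ .Values.deployment.posixMapper.registryURL | required "Please ensure deployment.posixMapper.registryURL is set." }}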
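--- a/helm/applications/posix-mapper/config/catalina.properties
+++ b/helm/applications/posix-mapper/config/catalina.properties
@@ -0,0 +1,12 @@
+tomcat.connector.scheme=https
+tomcat.connector.proxyName={{ .Values.deployment.hostname }}
+tomcat.connector.proxyPort=443
+ca.nrc.cadc.auth.PrincipalExtractor.enableClientCertHeader=true
+ca.nrc.cadc.util.Log4jInit.messageOnly=true
+# (default: ca.nrc.cadc.auth.NoOpIdentityManager)
+ca.nrc.cadc.auth.IdentityManager=org.opencadc.auth.StandardIdentityManager
+
+org.opencadc.posix.mapper.maxActive={{ .Values.postgresql.maxActive | default 8 }}
+org.opencadc.posix.mapper.username={{ .Values.postgresql.auth.username }}
+org.opencadc.posix.mapper.password={{ .Values.postgresql.auth.password }}
+org.opencadc.posix.mapper.url=jdbc:postgresql://posix-mapper-postgres.{{ .Values.skaha.namespace }}.svc.{{ .Values.kubernetesClusterDomain }}:5432/{{ .Values.postgresql.auth.database }}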
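Review bot: `org.opencadc.posix.mapper.password={{ .Values.postgresql.auth.password }}` renders the database password into a plain properties file, and the ConfigMap template in this commit globs `config/*` into `posix-mapper-config`, so the credential ends up in a ConfigMap rather than a Secret; `POSTGRES_PASSWORD` in postgres-config.yaml has the same problem. ConfigMaps are readable by anyone with `get configmaps` in the namespace and are outside the Secret-specific encryption-at-rest and RBAC controls, while the chart already ships a `posix-mapper-secrets.yaml` template for `.Values.secrets` that could carry the password and be referenced as an env var or mounted file instead. I cannot tell from the chart whether the mapper can read the password from the environment, so the fix may need an application-side change or an init step that assembles the properties file from the mounted Secret.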
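--- a/helm/applications/posix-mapper/config/posix-mapper.properties
+++ b/helm/applications/posix-mapper/config/posix-mapper.properties
@@ -0,0 +1,9 @@
+# service identity
+org.opencadc.posix.mapper.resourceID={{ .Values.deployment.posixMapper.resourceID }}
+
+# database schema
+org.opencadc.posix.mapper.schema={{ .Values.postgresql.auth.schema }}
+
+# ID ranges to allow some customization where administration is necessary
+org.opencadc.posix.mapper.uid.start={{ .Values.deployment.posixMapper.minUID }}
+org.opencadc.posix.mapper.gid.start={{ .Values.deployment.posixMapper.minGID }}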
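Review bot: `org.opencadc.posix.mapper.resourceID={{ .Values.deployment.posixMapper.resourceID }}` renders bare here, while cadc-registry.properties in the same commit wraps the same value in `required`; if it is unset this file silently gets an empty `resourceID=` and the failure surfaces at runtime instead of at `helm install`. The same applies to `minUID`, `minGID` and `postgresql.auth.schema`, e.g. `org.opencadc.posix.mapper.uid.start={{ .Values.deployment.posixMapper.minUID | required "Please ensure deployment.posixMapper.minUID is set." }}`. The comment above says these values set the ID ranges the mapper allocates from, so an empty or mistyped start value appears to have security consequences, which makes failing early worth the extra template noise.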
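--- a/helm/applications/posix-mapper/config/war-rename.conf
+++ b/helm/applications/posix-mapper/config/war-rename.conf
@@ -0,0 +1,3 @@
+{{ with .Values.applicationName -}}
+mv posix-mapper.war {{ . }}.war
+{{- end }}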
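Review bot: `mv posix-mapper.war {{ . }}.war` interpolates `applicationName` unquoted into what looks like a shell command, so a value containing whitespace or shell metacharacters would be split or interpreted rather than used as the file name; if this file is run by a shell in the image, `mv posix-mapper.war "{{ . }}.war"` keeps it a single argument. The ingress template derives its path from the same value with `| default "posix-mapper"`, so the two stay aligned, but neither validates it; a render-time check such as `{{ if not (regexMatch "^[A-Za-z0-9_-]+$" .) }}{{ fail "applicationName must be alphanumeric" }}{{ end }}` inside the `with` block would catch mistakes before anything is deployed. I cannot tell from the chart how war-rename.conf is consumed, so the exact quoting form may need adjusting.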
@@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: posix-mapper-config
namespace: {{ .Values.skaha.namespace }}
data:
{{ tpl (.Files.Glob "config/*").AsConfig . | indent 2 }}
19 changes: 19 additions & 0 deletions helm/applications/posix-mapper/templates/posix-mapper-ingress.yaml
@@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: posix-mapper-ingress
namespace: {{ .Values.skaha.namespace }}
annotations:
spec.ingressClassName: traefik
spec:
rules:
- host: {{ .Values.deployment.hostname }}
http:
paths:
- path: /{{ .Values.applicationName | default "posix-mapper" }}
pathType: Prefix
backend:
service:
name: posix-mapper-tomcat-svc
port:
number: 8080
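Review bot: `spec.ingressClassName: traefik` sits under `metadata.annotations`, where it is an opaque key that Kubernetes does not act on and that, as far as I know, Traefik does not read either; the field belongs directly under `spec:` as `ingressClassName: traefik`, so with the current layout the Ingress is bound to whatever default class the cluster has, if any. The rule also has no `tls:` stanza even though catalina.properties hard-codes `tomcat.connector.scheme=https` and `proxyPort=443`, so TLS termination is presumably configured in Traefik outside this chart; a comment stating that, or a values-driven `tls:` block, would make the assumption explicit. Indentation is flattened on the rendered page, so the nesting is inferred from line order.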
13 changes: 13 additions & 0 deletions helm/applications/posix-mapper/templates/posix-mapper-secrets.yaml
@@ -0,0 +1,13 @@
{{- range $secretIndex, $secretName := .Values.secrets }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretIndex }}
namespace: {{ $.Values.skaha.namespace }}
type: Opaque
data:
{{- range $certKey, $certValue := . }}
{{ $certKey }}: {{ $certValue | quote }}
{{- end }}
{{- end }}
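Review bot: the range variables are misnamed: `{{- range $secretIndex, $secretName := .Values.secrets }}` binds the map key (used as `metadata.name`) to `$secretIndex` and the map of entries to `$secretName`, and the inner `$certKey`/`$certValue` suggest certificates although any entry is accepted; `{{- range $secretName, $secretData := .Values.secrets }}` with `name: {{ $secretName }}` reads correctly. More importantly, the entries are written under `data:`, which the API server requires to be base64-encoded; if operators put plaintext in their values file the Secret is rejected, or for values that happen to decode, silently garbled, so either document that values must be pre-encoded or write them under `stringData:` instead. I cannot tell from the chart which form the values files use.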
@@ -0,0 +1,73 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: posix-mapper-tomcat
name: posix-mapper-tomcat
namespace: {{ .Values.skaha.namespace }}
spec:
replicas: {{ default 1 .Values.replicaCount }}
selector:
matchLabels:
run: posix-mapper-tomcat
template:
metadata:
creationTimestamp: null
labels:
run: posix-mapper-tomcat
spec:
{{- with .Values.deployment.posixMapper.nodeAffinity }}
affinity:
nodeAffinity:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
imagePullSecrets:
- name: regcred
containers:
- image: {{ .Values.deployment.posixMapper.image }}
imagePullPolicy: {{ .Values.deployment.posixMapper.imagePullPolicy }}
name: posix-mapper-tomcat
resources:
requests:
memory: {{ .Values.deployment.posixMapper.resources.requests.memory }}
cpu: {{ .Values.deployment.posixMapper.resources.requests.cpu }}
limits:
memory: {{ .Values.deployment.posixMapper.resources.limits.memory }}
cpu: {{ .Values.deployment.posixMapper.resources.limits.cpu }}
{{- with .Values.deployment.posixMapper.extraEnv }}
env:
{{- toYaml . | nindent 8 }}
{{- end }}
ports:
- containerPort: 8080
protocol: TCP
{{- with .Values.deployment.posixMapper.extraPorts }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
- mountPath: "/config"
name: config-volume
{{- with .Values.deployment.posixMapper.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
{{- with .Values.deployment.extraHosts }}
hostAliases:
{{- range $extraHost := . }}
- ip: {{ $extraHost.ip }}
hostnames:
- {{ $extraHost.hostname }}
{{- end }}
{{- end }}
volumes:
- name: config-volume
configMap:
name: posix-mapper-config
{{- with .Values.deployment.posixMapper.extraVolumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
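Review bot: the container `securityContext:` is fixed to `allowPrivilegeEscalation: false`, and the only values hook added is the pod-level `{{- with .Values.securityContext }}`; `capabilities`, `readOnlyRootFilesystem` and `privileged` exist only at container level, so an operator cannot harden them through values at all. Dropping all capabilities is a safe default for a Tomcat webapp, and merging operator-supplied fields over the defaults with `mergeOverwrite` lets a deployment add `readOnlyRootFilesystem` or `runAsNonRoot` without editing the template (the `nindent` depth must match the real indentation, which the rendered page has flattened). The postgres deployment in the same commit has no securityContext at all, pod or container, which is inconsistent for a change described as adding security context support. The file header for this section is missing from the rendered page.
```yaml
        # … unchanged: image, resources, env, ports, volumeMounts …
        # Hardened defaults; deployment.posixMapper.securityContext may override or extend any field.
        {{- $ctxDefaults := dict "allowPrivilegeEscalation" false "capabilities" (dict "drop" (list "ALL")) }}
        securityContext:
          {{- toYaml (mergeOverwrite $ctxDefaults (.Values.deployment.posixMapper.securityContext | default dict)) | nindent 10 }}
```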
@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: posix-mapper-tomcat-svc
namespace: {{ .Values.skaha.namespace }}
labels:
run: posix-mapper-tomcat-svc
spec:
ports:
- port: 8080
name: http-connection
protocol: TCP
{{ with .Values.service }}
{{ with .reg }}
{{ with .extraPorts }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
selector:
run: posix-mapper-tomcat
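Review bot: extra service ports are read from `.Values.service.reg.extraPorts`, while every other value in this chart lives under `.Values.deployment.posixMapper.*` or a top-level key; the `reg` level looks like a leftover from another chart, and a port set as `service.extraPorts` in a values file will silently never render. If that level is not intentional, the three nested blocks collapse to `{{- with .Values.service.extraPorts }}`, and adding the `-` trim marker to the three `{{ with` openings removes the blank lines they currently emit into the manifest. The file header for this section is missing from the rendered page.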
22 changes: 22 additions & 0 deletions helm/applications/posix-mapper/templates/postgres-config.yaml
@@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: posix-mapper-postgres-config
namespace: {{ .Values.skaha.namespace }}
labels:
app: posix-mapper-postgres
data:
POSTGRES_DB: {{ .Values.postgresql.auth.database }}
POSTGRES_USER: {{ .Values.postgresql.auth.username }}
POSTGRES_PASSWORD: {{ .Values.postgresql.auth.password }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: posix-mapper-postgres-init
namespace: {{ .Values.skaha.namespace }}
labels:
app: posix-mapper-postgres
data:
init_schema.sql: |
create schema {{ .Values.postgresql.auth.schema }};
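Review bot: the `data:` values `POSTGRES_DB`, `POSTGRES_USER` and `POSTGRES_PASSWORD` are templated unquoted; ConfigMap data must be strings, so a username or database name that YAML parses as a number or boolean fails API validation, and an unset value renders as `null`. The secrets template in this commit already uses `| quote`, so `POSTGRES_DB: {{ .Values.postgresql.auth.database | quote }}` (and likewise for the other two) is the consistent form. The `init_schema.sql` body interpolates the schema name straight into SQL; it is operator-supplied rather than untrusted, but a name with a space or a reserved word breaks the init script on first start, so a render-time `required`/`regexMatch` check would surface that at install time instead.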
35 changes: 35 additions & 0 deletions helm/applications/posix-mapper/templates/postgres-deploy.yaml
@@ -0,0 +1,35 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: posix-mapper-postgres
namespace: {{ .Values.skaha.namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: posix-mapper-postgres
template:
metadata:
labels:
app: posix-mapper-postgres
spec:
containers:
- name: postgres
image: postgres:13
imagePullPolicy: IfNotPresent
ports:
- containerPort: 5432 # Exposes container port
envFrom:
- configMapRef:
name: posix-mapper-postgres-config
volumeMounts:
- mountPath: /docker-entrypoint-initdb.d
name: postgresinit
- mountPath: /var/lib/postgresql/data
name: postgresdb
volumes:
- name: postgresdb
{{- toYaml .Values.postgresql.storage.spec | nindent 10 }}
- name: postgresinit
configMap:
name: posix-mapper-postgres-init
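Review bot: `{{- toYaml .Values.postgresql.storage.spec | nindent 10 }}` is unguarded, so when `postgresql.storage.spec` is unset the volume renders as `- name: postgresdb` followed by `null`, an invalid volume rather than a clear error; `{{- toYaml (required "Please ensure postgresql.storage.spec is set." .Values.postgresql.storage.spec) | nindent 10 }}` fails at render time with a message, matching the style already used in cadc-registry.properties. `image: postgres:13` is pinned only to a major tag that floats across releases, which is a weak choice for the database holding the UID/GID mapping; pinning a full version or digest, or exposing it through values the way the tomcat deployment does with `deployment.posixMapper.image`, would be consistent. This container also sets no resource requests or limits, unlike the tomcat one.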
12 changes: 12 additions & 0 deletions helm/applications/posix-mapper/templates/postgres-service.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: posix-mapper-postgres
namespace: {{ .Values.skaha.namespace }}
labels:
app: posix-mapper-postgres
spec:
ports:
- port: 5432
selector:
app: posix-mapper-postgres
