From 86c13c7d93c0a28e4ee821ed516a94f392304c65 Mon Sep 17 00:00:00 2001 
From: Dustin Jenkins Date: Wed, 11 Dec 2024 19:53:48 +0000 Subject: [PATCH] fix: add posix mapper chart with extra security context support --- helm/applications/posix-mapper/.helmignore | 24 ++++ helm/applications/posix-mapper/CHANGELOG.md | 12 ++ helm/applications/posix-mapper/Chart.yaml | 24 ++++ .../config/cadc-registry.properties | 16 +++ .../posix-mapper/config/catalina.properties | 12 ++ .../config/posix-mapper.properties | 9 ++ .../posix-mapper/config/war-rename.conf | 3 + .../templates/posix-mapper-configmap.yaml | 7 ++ .../templates/posix-mapper-ingress.yaml | 19 +++ .../templates/posix-mapper-secrets.yaml | 13 +++ .../posix-mapper-tomcat-deployment.yaml | 73 ++++++++++++ .../templates/posix-mapper-tomcat-expose.yaml | 21 ++++ .../templates/postgres-config.yaml | 22 ++++ .../templates/postgres-deploy.yaml | 35 ++++++ .../templates/postgres-service.yaml | 12 ++ helm/applications/posix-mapper/values.yaml | 110 ++++++++++++++++++ 16 files changed, 412 insertions(+) create mode 100644 helm/applications/posix-mapper/.helmignore create mode 100644 helm/applications/posix-mapper/CHANGELOG.md create mode 100644 helm/applications/posix-mapper/Chart.yaml create mode 100644 helm/applications/posix-mapper/config/cadc-registry.properties create mode 100644 helm/applications/posix-mapper/config/catalina.properties create mode 100644 helm/applications/posix-mapper/config/posix-mapper.properties create mode 100644 helm/applications/posix-mapper/config/war-rename.conf create mode 100644 helm/applications/posix-mapper/templates/posix-mapper-configmap.yaml create mode 100644 helm/applications/posix-mapper/templates/posix-mapper-ingress.yaml create mode 100644 helm/applications/posix-mapper/templates/posix-mapper-secrets.yaml create mode 100644 helm/applications/posix-mapper/templates/posix-mapper-tomcat-deployment.yaml create mode 100644 helm/applications/posix-mapper/templates/posix-mapper-tomcat-expose.yaml create mode 100644 
helm/applications/posix-mapper/templates/postgres-config.yaml create mode 100644 helm/applications/posix-mapper/templates/postgres-deploy.yaml create mode 100644 helm/applications/posix-mapper/templates/postgres-service.yaml create mode 100644 helm/applications/posix-mapper/values.yaml
diff --git a/helm/applications/posix-mapper/.helmignore b/helm/applications/posix-mapper/.helmignore
new file mode 100644
index 0000000..8380f28
--- /dev/null
+++ b/helm/applications/posix-mapper/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*-values.yaml
diff --git a/helm/applications/posix-mapper/CHANGELOG.md b/helm/applications/posix-mapper/CHANGELOG.md
new file mode 100644
index 0000000..244ebec
--- /dev/null
+++ b/helm/applications/posix-mapper/CHANGELOG.md
@@ -0,0 +1,12 @@
+# CHANGELOG for POSIX Mapper (Chart 0.2.0)
+
+## 2024.12.11 (0.2.0)
+- Added support for `securityContext`
+- Added support to rename application to change endpoint
+- Small fixes and error reporting
+
+## 2023.11.02 (0.1.8)
+- Swagger documentation fix (Bug)
+- Properly authenticate Bearer tokens (Improvement)
+- Now supports setting the `gmsID` and `oidcURI` configurations (was hard-coded to SKAO)
+- Code cleanup
\ No newline at end of file
diff --git a/helm/applications/posix-mapper/Chart.yaml b/helm/applications/posix-mapper/Chart.yaml
new file mode 100644
index 0000000..bfc79d9
--- /dev/null
+++ b/helm/applications/posix-mapper/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: posixmapper
+description: "A Helm chart to install the UID/GID POSIX Mapper"
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.2.1"
diff --git a/helm/applications/posix-mapper/config/cadc-registry.properties b/helm/applications/posix-mapper/config/cadc-registry.properties
new file mode 100644
index 0000000..108d749
--- /dev/null
+++ b/helm/applications/posix-mapper/config/cadc-registry.properties
@@ -0,0 +1,16 @@
+#
+# local authority map
+#
+# =
+
+ivo://ivoa.net/std/GMS#search-1.0 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/std/GMS#users-1.0 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/std/UMS#users-0.1 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/std/UMS#users-1.0 = {{ .Values.deployment.posixMapper.gmsID | required "Please ensure deployment.posixMapper.gmsID is set." }}
+ivo://ivoa.net/sso#OAuth = {{ .Values.deployment.posixMapper.oidcURI | required "Please ensure deployment.posixMapper.oidcURI is set." }}
+ivo://ivoa.net/sso#OpenID = {{ .Values.deployment.posixMapper.oidcURI | required "Please ensure deployment.posixMapper.oidcURI is set." }}
+
+http://www.opencadc.org/std/posix#group-mapping-0.1 = {{ .Values.deployment.posixMapper.resourceID | required "Please ensure deployment.posixMapper.resourceID is set." }}
+http://www.opencadc.org/std/posix#user-mapping-0.1 = {{ .Values.deployment.posixMapper.resourceID | required "Please ensure deployment.posixMapper.resourceID is set." }}
+
+ca.nrc.cadc.reg.client.RegistryClient.baseURL = {{ .Values.deployment.posixMapper.registryURL | required "Please ensure deployment.posixMapper.registryURL is set." }}
\ No newline at end of file
diff --git a/helm/applications/posix-mapper/config/catalina.properties b/helm/applications/posix-mapper/config/catalina.properties
new file mode 100644
index 0000000..bd40827
--- /dev/null
+++ b/helm/applications/posix-mapper/config/catalina.properties
@@ -0,0 +1,12 @@
+tomcat.connector.scheme=https
+tomcat.connector.proxyName={{ .Values.deployment.hostname }}
+tomcat.connector.proxyPort=443
+ca.nrc.cadc.auth.PrincipalExtractor.enableClientCertHeader=true
+ca.nrc.cadc.util.Log4jInit.messageOnly=true
+# (default: ca.nrc.cadc.auth.NoOpIdentityManager)
+ca.nrc.cadc.auth.IdentityManager=org.opencadc.auth.StandardIdentityManager
+
+org.opencadc.posix.mapper.maxActive={{ .Values.postgresql.maxActive | default 8 }}
+org.opencadc.posix.mapper.username={{ .Values.postgresql.auth.username }}
+org.opencadc.posix.mapper.password={{ .Values.postgresql.auth.password }}
+org.opencadc.posix.mapper.url=jdbc:postgresql://posix-mapper-postgres.{{ .Values.skaha.namespace }}.svc.{{ .Values.kubernetesClusterDomain }}:5432/{{ .Values.postgresql.auth.database }}
diff --git a/helm/applications/posix-mapper/config/posix-mapper.properties b/helm/applications/posix-mapper/config/posix-mapper.properties
new file mode 100644
index 0000000..2752faa
--- /dev/null
+++ b/helm/applications/posix-mapper/config/posix-mapper.properties
@@ -0,0 +1,9 @@
+# service identity
+org.opencadc.posix.mapper.resourceID={{ .Values.deployment.posixMapper.resourceID }}
+
+# database schema
+org.opencadc.posix.mapper.schema={{ .Values.postgresql.auth.schema }}
+
+# ID ranges to allow some customization where administration is necessary
+org.opencadc.posix.mapper.uid.start={{ .Values.deployment.posixMapper.minUID }}
+org.opencadc.posix.mapper.gid.start={{ .Values.deployment.posixMapper.minGID }}
\ No newline at end of file
diff --git a/helm/applications/posix-mapper/config/war-rename.conf b/helm/applications/posix-mapper/config/war-rename.conf
new file mode 100644
index 0000000..94f64cb
--- /dev/null
+++ b/helm/applications/posix-mapper/config/war-rename.conf
@@ -0,0 +1,3 @@
+{{ with .Values.applicationName -}}
+mv posix-mapper.war {{ . }}.war
+{{- end }}
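Review bot: `org.opencadc.posix.mapper.password={{ .Values.postgresql.auth.password }}` is rendered into a file that `posix-mapper-configmap.yaml` packs into a ConfigMap through `.Files.Glob "config/*"`, so the database password lands in a ConfigMap rather than a Secret; `POSTGRES_PASSWORD` in the `postgres-config.yaml` hunk has the same problem. A ConfigMap is readable by anything with `get configmaps` in the namespace and gets none of the Secret-specific handling (RBAC conventions, encryption at rest where enabled), so I would render the credential-bearing files from a Secret, or feed the password through the existing `secrets` values block, and at minimum document in values.yaml that the default `posixmapperpwd` must be overridden. Separately, `ca.nrc.cadc.auth.PrincipalExtractor.enableClientCertHeader=true` makes the service trust a client certificate carried in a request header, which is only safe when the ingress removes that header from external requests; that assumption is stated nowhere in the chart, so I would add `# Only safe if the ingress strips the client-certificate header from external requests` above it.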
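Review bot: `mv posix-mapper.war {{ . }}.war` interpolates `applicationName` unquoted into what is presumably executed as a shell command, so a value containing whitespace or shell metacharacters yields a different command than intended; quoting it, `mv posix-mapper.war "{{ . }}.war"`, keeps the target a single argument. The same value becomes the Ingress path in `posix-mapper-ingress.yaml`, so a comment in values.yaml next to `applicationName` such as `# Must be a single URL path segment (letters, digits, '-' and '_'); it is also used as the WAR file name.` would document the constraint in one place.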
diff --git a/helm/applications/posix-mapper/templates/posix-mapper-configmap.yaml b/helm/applications/posix-mapper/templates/posix-mapper-configmap.yaml new file mode 100644 index 0000000..450d665 --- /dev/null +++ b/helm/applications/posix-mapper/templates/posix-mapper-configmap.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: posix-mapper-config + namespace: {{ .Values.skaha.namespace }} +data: +{{ tpl (.Files.Glob "config/*").AsConfig . | indent 2 }} diff --git a/helm/applications/posix-mapper/templates/posix-mapper-ingress.yaml b/helm/applications/posix-mapper/templates/posix-mapper-ingress.yaml new file mode 100644 index 0000000..d656244 --- /dev/null +++ b/helm/applications/posix-mapper/templates/posix-mapper-ingress.yaml @@ -0,0 +1,19 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: posix-mapper-ingress + namespace: {{ .Values.skaha.namespace }} + annotations: + spec.ingressClassName: traefik +spec: + rules: + - host: {{ .Values.deployment.hostname }} + http: + paths: + - path: /{{ .Values.applicationName | default "posix-mapper" }} + pathType: Prefix + backend: + service: + name: posix-mapper-tomcat-svc + port: + number: 8080 diff --git a/helm/applications/posix-mapper/templates/posix-mapper-secrets.yaml b/helm/applications/posix-mapper/templates/posix-mapper-secrets.yaml new file mode 100644 index 0000000..68361ba --- /dev/null +++ b/helm/applications/posix-mapper/templates/posix-mapper-secrets.yaml @@ -0,0 +1,13 @@ +{{- range $secretIndex, $secretName := .Values.secrets }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretIndex }} + namespace: {{ $.Values.skaha.namespace }} +type: Opaque +data: + {{- range $certKey, $certValue := . }} + {{ $certKey }}: {{ $certValue | quote }} + {{- end }} +{{- end }} 
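Review bot: `spec.ingressClassName: traefik` is written as an annotation key under `metadata.annotations`, but in `networking.k8s.io/v1` the class is a field of `spec`, so this line selects nothing; unless traefik is the cluster's default IngressClass, the Ingress will not be claimed by any controller. I would remove the annotation and add `ingressClassName: traefik` as the first key under `spec:`. There is also no `tls:` stanza even though `catalina.properties` sets `tomcat.connector.scheme=https` and `tomcat.connector.proxyPort=443`; presumably TLS is terminated by Traefik's own configuration, in which case a one-line comment saying so would stop a reader from concluding that the service is exposed over plain HTTP.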
diff --git a/helm/applications/posix-mapper/templates/posix-mapper-tomcat-deployment.yaml b/helm/applications/posix-mapper/templates/posix-mapper-tomcat-deployment.yaml new file mode 100644 index 0000000..a2d9b26 --- /dev/null +++ b/helm/applications/posix-mapper/templates/posix-mapper-tomcat-deployment.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + run: posix-mapper-tomcat + name: posix-mapper-tomcat + namespace: {{ .Values.skaha.namespace }} +spec: + replicas: {{ default 1 .Values.replicaCount }} + selector: + matchLabels: + run: posix-mapper-tomcat + template: + metadata: + creationTimestamp: null + labels: + run: posix-mapper-tomcat + spec: + {{- with .Values.deployment.posixMapper.nodeAffinity }} + affinity: + nodeAffinity: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + imagePullSecrets: + - name: regcred + containers: + - image: {{ .Values.deployment.posixMapper.image }} + imagePullPolicy: {{ .Values.deployment.posixMapper.imagePullPolicy }} + name: posix-mapper-tomcat + resources: + requests: + memory: {{ .Values.deployment.posixMapper.resources.requests.memory }} + cpu: {{ .Values.deployment.posixMapper.resources.requests.cpu }} + limits: + memory: {{ .Values.deployment.posixMapper.resources.limits.memory }} + cpu: {{ .Values.deployment.posixMapper.resources.limits.cpu }} + {{- with .Values.deployment.posixMapper.extraEnv }} + env: + {{- toYaml . | nindent 8 }} + {{- end }} + ports: + - containerPort: 8080 + protocol: TCP + {{- with .Values.deployment.posixMapper.extraPorts }} + {{- toYaml . | nindent 8 }} + {{- end }} + volumeMounts: + - mountPath: "/config" + name: config-volume + {{- with .Values.deployment.posixMapper.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false +{{- with .Values.deployment.extraHosts }} + hostAliases: +{{- range $extraHost := . }} + - ip: {{ $extraHost.ip }} + hostnames: + - {{ $extraHost.hostname }} +{{- end }} +{{- end }} + volumes: + - name: config-volume + configMap: + name: posix-mapper-config + {{- with .Values.deployment.posixMapper.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} 
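Review bot: the container-level `securityContext` at the end of the container spec sets only `allowPrivilegeEscalation: false`, while the pod-level `securityContext` is entirely optional (`{{- with .Values.securityContext }}`), so with default values the Tomcat container keeps its full default capability set and a writable root filesystem. Since this is the commit that introduces security-context support, I would extend the fixed container block to `allowPrivilegeEscalation: false` plus `capabilities: {drop: ["ALL"]}`, add `runAsNonRoot: true` if the image runs as a non-root user (not verifiable from the chart), and try `readOnlyRootFilesystem: true` only after checking where Tomcat writes. In the same hunk, `creationTimestamp: null` under the pod template metadata is an export artifact that can be dropped, and the Deployment has no readiness or liveness probe, so the Service may route traffic to the container before Tomcat has deployed the WAR.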
diff --git a/helm/applications/posix-mapper/templates/posix-mapper-tomcat-expose.yaml b/helm/applications/posix-mapper/templates/posix-mapper-tomcat-expose.yaml new file mode 100644 index 0000000..01845b7 --- /dev/null +++ b/helm/applications/posix-mapper/templates/posix-mapper-tomcat-expose.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + name: posix-mapper-tomcat-svc + namespace: {{ .Values.skaha.namespace }} + labels: + run: posix-mapper-tomcat-svc +spec: + ports: + - port: 8080 + name: http-connection + protocol: TCP + {{ with .Values.service }} + {{ with .reg }} + {{ with .extraPorts }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- end }} + {{- end }} + selector: + run: posix-mapper-tomcat diff --git a/helm/applications/posix-mapper/templates/postgres-config.yaml b/helm/applications/posix-mapper/templates/postgres-config.yaml new file mode 100644 index 0000000..2cf36aa --- /dev/null +++ b/helm/applications/posix-mapper/templates/postgres-config.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: posix-mapper-postgres-config + namespace: {{ .Values.skaha.namespace }} + labels: + app: posix-mapper-postgres +data: + POSTGRES_DB: {{ .Values.postgresql.auth.database }} + POSTGRES_USER: {{ .Values.postgresql.auth.username }} + POSTGRES_PASSWORD: {{ .Values.postgresql.auth.password }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: posix-mapper-postgres-init + namespace: {{ .Values.skaha.namespace }} + labels: + app: posix-mapper-postgres +data: + init_schema.sql: | + create schema {{ .Values.postgresql.auth.schema }}; \ No newline at end of file diff --git a/helm/applications/posix-mapper/templates/postgres-deploy.yaml b/helm/applications/posix-mapper/templates/postgres-deploy.yaml new file mode 100644 index 0000000..6527fde --- /dev/null +++ b/helm/applications/posix-mapper/templates/postgres-deploy.yaml 
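Review bot: the extra-ports block reads `.Values.service.reg.extraPorts`, but values.yaml in this chart defines no `service` key at all, and the debug comment there ("Requires options above as well as service port exposure below") points at nothing; the `reg` segment looks like it was carried over from another chart. I would drop that level, `{{- with .Values.service }}{{- with .extraPorts }}`, and document `service.extraPorts` next to `deployment.posixMapper.extraPorts` in values.yaml so the debug path described there can actually be followed. The three opening `{{ with ... }}` tags also lack the left-trim dash, so each renders as a whitespace-only line inside the `ports` list; harmless to the YAML parser, but `{{- with` would match the closing tags.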
@@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: posix-mapper-postgres + namespace: {{ .Values.skaha.namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: posix-mapper-postgres + template: + metadata: + labels: + app: posix-mapper-postgres + spec: + containers: + - name: postgres + image: postgres:13 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 5432 # Exposes container port + envFrom: + - configMapRef: + name: posix-mapper-postgres-config + volumeMounts: + - mountPath: /docker-entrypoint-initdb.d + name: postgresinit + - mountPath: /var/lib/postgresql/data + name: postgresdb + volumes: + - name: postgresdb + {{- toYaml .Values.postgresql.storage.spec | nindent 10 }} + - name: postgresinit + configMap: + name: posix-mapper-postgres-init diff --git a/helm/applications/posix-mapper/templates/postgres-service.yaml b/helm/applications/posix-mapper/templates/postgres-service.yaml new file mode 100644 index 0000000..8d60140 --- /dev/null +++ b/helm/applications/posix-mapper/templates/postgres-service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: posix-mapper-postgres + namespace: {{ .Values.skaha.namespace }} + labels: + app: posix-mapper-postgres +spec: + ports: + - port: 5432 + selector: + app: posix-mapper-postgres \ No newline at end of file diff --git a/helm/applications/posix-mapper/values.yaml b/helm/applications/posix-mapper/values.yaml new file mode 100644 index 0000000..170df17 --- /dev/null +++ b/helm/applications/posix-mapper/values.yaml 
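Review bot: the `postgres` container gets none of the hardening this commit adds to the Tomcat Deployment: there is no pod or container `securityContext`, no resource requests or limits, and its data volume comes from `.Values.postgresql.storage.spec`, which defaults to a `hostPath` in values.yaml. I would apply the same `{{- with .Values.securityContext }}` pod-level block here, add `securityContext: {allowPrivilegeEscalation: false}` to the container, and drive a `resources:` stanza from values as the Tomcat container does. The tag `postgres:13` pins only the major version, so the minor version changes silently between pulls; a comment stating that this is intentional, or a full tag, would make the choice explicit.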
@@ -0,0 +1,110 @@ +kubernetesClusterDomain: cluster.local + +# Tell Kubernetes to spin up multiple instances. Defaults to 1. +replicaCount: 1 + +# It's best to keep these set as such, unless you're willing to change these in several places. +skaha: + namespace: skaha-system + +# @param securityContext - Optional security context for the container. This is a security feature to restrict system calls. +# securityContext: {} +# +# Example: +# securityContext: +# seccompProfile: +# type: RuntimeDefault + +# @param applicationName - The name of the application. This will rename the underlying WAR file, thus changing the endpoint. Defaults to posix-mapper. +# applicationName: posix-mapper + +# POSIX Mapper web service deployment +deployment: + hostname: example.org # Change this! + posixMapper: + image: images.opencadc.org/platform/posix-mapper:0.2.1 + imagePullPolicy: Always + resourceID: ivo://opencadc.org/posix-mapper + + # URI or URL of the OIDC (IAM) server. Used to validate incoming tokens. + # oidcURI: https://iam.example.org + oidcURI: + + # ID (URI) of the GMS Service. + # gmsID: ivo://example.org/gms + gmsID: + + # Optionally set the DEBUG port. + # extraEnv: + # - name: CATALINA_OPTS + # value: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5555" + # - name: JAVA_OPTS + # value: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5555" + + # Uncomment to debug. Requires options above as well as service port exposure below. + # extraPorts: + # - containerPort: 5555 + # protocol: TCP + + # Resources provided to the Skaha service. + resources: + requests: + memory: "1Gi" + cpu: "500m" + limits: + memory: "1Gi" + cpu: "500m" + + minUID: 10000 + minGID: 900000 + + # The IVOA Registry location. + # registryURL: https://spsrc27.iaa.csic.es/reg + registryURL: + + # This applies to the POSIX Mapper itself. Meaning, this Pod will be scheduled as described + # by the nodeAffinity clause. 
+ # See https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ + # nodeAffinity: {} + + # Optionally mount a custom CA certificate + # extraVolumeMounts: + # - mountPath: "/config/cacerts" + # name: cacert-volume + + # Create the CA certificate volume to be mounted in extraVolumeMounts + # extraVolumes: + # - name: cacert-volume + # secret: + # defaultMode: 420 + # secretName: posix-manager-cacert-secret + + # Specify extra hostnames that will be added to the Pod's /etc/hosts file. Note that this is in the + # deployment object, not the posixMapper one. + # + # These entries get added as hostAliases entries to the Deployment. + # + # Example: + # extraHosts: + # - ip: 127.3.34.5 + # hostname: myhost.example.org + # + # extraHosts: [] +secrets: + # Uncomment to enable local or self-signed CA certificates for your domain to be trusted. + # posix-manager-cacert-secret: + # ca.crt: + +# These values are preset in the catalina.properties, and this default database only exists beside this service. +# It's usually safe to leave these as-is, but make sure they match the values in catalina.properties. +postgresql: + maxActive: 8 + auth: + username: posixmapper + password: posixmapperpwd + database: mapping + schema: mapping + storage: + spec: + hostPath: + path: "/posix-mapper/data"
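Review bot: the comment `# @param securityContext - Optional security context for the container.` describes a container-level context, but `posix-mapper-tomcat-deployment.yaml` renders `.Values.securityContext` under the pod template's `spec:`, i.e. as a pod-level `securityContext`; container-only fields such as `allowPrivilegeEscalation` or `capabilities` placed here would be rejected by the API server. I would reword it to `# @param securityContext - Optional pod-level securityContext for the POSIX Mapper pod (spec.template.spec.securityContext).` The default `postgresql.storage.spec` is a `hostPath` at `/posix-mapper/data`, which ties the database to one node's filesystem (data is lost if the pod is rescheduled elsewhere) and is disallowed under the baseline and restricted Pod Security Standards, so the comment above it should say that production deployments must override it with a `persistentVolumeClaim`. `deployment.hostname: example.org  # Change this!` would be safer as a `required` value in the templates that consume it, since both `catalina.properties` and the Ingress use it without a guard while the other mandatory settings already use `required`.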