From 3d0c623471b740167e93f3f6518f0ea678300f7d Mon Sep 17 00:00:00 2001
From: Christophe Serafin
Date: Tue, 11 Jan 2022 14:40:18 -0800
Subject: [PATCH 1/6] add: helm chart for a3s server
---
helm/a3s/Chart.yaml | 4 +
helm/a3s/templates/deployment.yaml | 141 +++++++++++++++++++++++++++++
helm/a3s/templates/secrets.yaml | 24 +++++
helm/a3s/templates/service.yaml | 30 ++++++
helm/a3s/values.yaml | 39 ++++++++
helm/test/values.yaml | 39 ++++++++
6 files changed, 277 insertions(+)
create mode 100644 helm/a3s/Chart.yaml
create mode 100644 helm/a3s/templates/deployment.yaml
create mode 100644 helm/a3s/templates/secrets.yaml
create mode 100644 helm/a3s/templates/service.yaml
create mode 100644 helm/a3s/values.yaml
create mode 100644 helm/test/values.yaml
diff --git a/helm/a3s/Chart.yaml b/helm/a3s/Chart.yaml
new file mode 100644
index 0000000..e088698
--- /dev/null
+++ b/helm/a3s/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Authentication As A Service
+name: a3s
+version: 0.0.0-dev
diff --git a/helm/a3s/templates/deployment.yaml b/helm/a3s/templates/deployment.yaml
new file mode 100644
index 0000000..a0c6a97
--- /dev/null
+++ b/helm/a3s/templates/deployment.yaml
@@ -0,0 +1,141 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: a3s +spec: + replicas: 1 + strategy: + type: RollingUpdate + selector: + matchLabels: + app: a3s + type: core + template: + metadata: + labels: + app: a3s + type: core + spec: + terminationGracePeriodSeconds: 60 + containers: + - name: a3s + image: {{ required "global.imageRegistry is required" .Values.global.imageRegistry }}/a3s:test + imagePullPolicy: "Always" + env: + # General + - name: A3S_LISTEN + value: ":1443" + - name: A3S_ENCODING + value: "msgpack" + # - name: A3S_CORS_DEFAULT_ORIGIN + # value: "https://127.0.0.1:44443" + # - name: A3S_CORS_ADDITIONAL_ORIGINS + # value: "http://localhost:8080" + + # Log + - name: A3S_LOG_FORMAT + value: {{ .Values.log.format | default .Values.global.log.format | quote }} + - name: A3S_LOG_LEVEL + value: {{ .Values.log.level | default .Values.global.log.level | quote }} + + # Health + - name: A3S_HEALTH_LISTEN + value: ":1080" + - name: A3S_HEALTH_ENABLED + value: "true" + + # Profiling + {{- if .Values.global.profiling.enabled }} + - name: A3S_PROFILING_ENABLED + value: "true" + - name: A3S_PROFILING_LISTEN + value: {{ required "global.profiling.listen is required" .Values.global.profiling.listen | quote }} + {{- end }} + + # TLS + - name: A3S_TLS_CERT + value: /certs/a3s-tls-cert.pem + - name: A3S_TLS_KEY + value: /certs/a3s-tls-key.pem + - name: A3S_TLS_KEY_PASS + value: file:///certs/a3s-tls-key.pass + + # JWT + - name: A3S_JWT_CERT + value: /certs/jwt-cert.pem + - name: A3S_JWT_KEY + value: /certs/jwt-key.pem + - name: A3S_JWT_KEY_PASS + value: file:///certs/jwt-key.pass + - name: A3S_JWT_ISSUER + value: {{ required "global.issuer is required" .Values.global.issuer }} + - name: A3S_JWT_AUDIENCE + value: {{ required "global.audience is required" .Values.global.audience }} + + # Mongo + - name: A3S_MONGO_URL + {{- if .Values.global.mongo.sharded }} + value: mongodb://{{ required "global.mongo.host is required" .Values.global.mongo.host 
}}?authMechanism=MONGODB-X509 + {{- else }} + value: mongodb://{{ required "global.mongo.host is required" .Values.global.mongo.host }}?replicaSet=rs0&authMechanism=MONGODB-X509 + {{- end }} + - name: A3S_MONGO_AUTH_DB + value: "$external" + - name: A3S_MONGO_USER + value: "CN=mongodb-admin,OU=users,O=mongodb" + # - name: A3S_MONGO_PASS + # value: "a3s" + - name: A3S_MONGO_ENCRYPTION_KEY + value: file:///certs/attribute-encryption-key.pass + - name: A3S_MONGO_TLS_DISABLE + value: "true" + - name: A3S_MONGO_TLS_CERT + value: "" + - name: A3S_MONGO_TLS_KEY + value: "" + - name: A3S_MONGO_TLS_KEY_PASS + value: "" + + # Nats + - name: A3S_NATS_URL + value: "nats://nats:4222" + - name: A3S_NATS_USER + value: file:///certs/nats.user + - name: A3S_NATS_PASS + value: file:///certs/nats.user + - name: A3S_NATS_TLS_DISABLE + value: "true" + + volumeMounts: + - name: certs + mountPath: /certs + volumes: + - name: certs + secret: + secretName: a3s-secrets + items: + # TLS + - key: a3s-tls-cert.pem + path: a3s-tls-cert.pem + - key: a3s-tls-key.pem + path: a3s-tls-key.pem + - key: a3s-tls-key.pass + path: a3s-tls-key.pass + + # JWT + - key: jwt-cert.pem + path: jwt-cert.pem + - key: jwt-key.pem + path: jwt-key.pem + - key: jwt-key.pass + path: jwt-key.pass + + # Mongo + - key: attribute-encryption-key.pass + path: attribute-encryption-key.pass + + # Nats + - key: nats.user + path: nats.user + - key: nats.pass + path: nats.pass \ No newline at end of file diff --git a/helm/a3s/templates/secrets.yaml b/helm/a3s/templates/secrets.yaml new file mode 100644 index 0000000..d57db68 --- /dev/null +++ b/helm/a3s/templates/secrets.yaml 
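Review bot: The pod spec declares no readinessProbe or livenessProbe even though the container is configured with a health listener on :1080 (`A3S_HEALTH_LISTEN`, `A3S_HEALTH_ENABLED: "true"`), so under `strategy.type: RollingUpdate` a new pod counts as available as soon as it starts, before a3s is actually serving. A minimal probe against the health port is sketched below; switch it to an `httpGet` once the health endpoint path is confirmed, since `tcpSocket` only proves the port is open. The same container also runs without a `securityContext` (runAsNonRoot, readOnlyRootFilesystem) and without resource requests/limits, which is worth adding now for a process that holds the TLS and JWT signing keys. The container block continues outside this hunk only via its `volumeMounts`, which are visible here.
```yaml
        # … unchanged: name, image, imagePullPolicy, env …
        ports:
          - name: app
            containerPort: 1443
          - name: health
            containerPort: 1080
        readinessProbe:
          tcpSocket:
            port: 1080
        livenessProbe:
          tcpSocket:
            port: 1080
        # … unchanged: volumeMounts …
```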
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: a3s-secrets +data: + # TLS + a3s-tls-cert.pem: {{ required "global.server.cert is required" .Values.global.server.cert | quote }} + a3s-tls-key.pem: {{ required "global.server.key is required" .Values.global.server.key | quote }} + a3s-tls-key.pass: {{ required "global.server.pass is required" .Values.global.server.pass | b64enc | quote }} + + # JWT + jwt-cert.pem: {{ required "global.server.cert is required" .Values.global.server.cert | quote }} + jwt-key.pem: {{ required "global.server.key is required" .Values.global.server.key | quote }} + jwt-key.pass: {{ required "global.server.pass is required" .Values.global.server.pass | b64enc | quote }} + + # Mongo + attribute-encryption-key.pass: {{ required "global.mongo.attributeEncryptionKey is required" .Values.global.mongo.attributeEncryptionKey | b64enc | quote }} + + # Nats + nats.user: {{ required "global.nats.user is required" .Values.global.nats.user | b64enc | quote }} + nats.pass: {{ required "global.nats.pass is required" .Values.global.nats.pass | b64enc | quote }} + + diff --git a/helm/a3s/templates/service.yaml b/helm/a3s/templates/service.yaml new file mode 100644 index 0000000..7e74e90 --- /dev/null +++ b/helm/a3s/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: a3s + labels: + app: a3s + type: core +spec: + selector: + app: a3s + clusterIP: None + ports: + - port: 1443 + name: app +--- +apiVersion: v1 +kind: Service +metadata: + name: health-a3s + labels: + app: a3s + type: core +spec: + selector: + app: a3s + clusterIP: None + ports: + - port: 1080 + name: health +--- diff --git a/helm/a3s/values.yaml b/helm/a3s/values.yaml new file mode 100644 index 0000000..a1d66e0 --- /dev/null +++ b/helm/a3s/values.yaml 
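Review bot: Under `data:` the certificate and key entries are only `quote`d while the `.pass` entries go through `b64enc`, so `global.server.cert`/`global.server.key` must be supplied already base64-encoded whereas the passphrases must be raw; nothing in the chart documents that split, and `helm lint` will not catch it (the test values `cert: server-cert` would be rejected by the API server as invalid base64 at apply time). Either pipe every entry through `b64enc` or move the block to `stringData:` so all inputs are raw PEM, e.g. `server-cert.pem: {{ required "global.server.cert is required" .Values.global.server.cert | b64enc | quote }}`. This inconsistency carries through the later `mongo-*` and `nats-*` entries added in this series.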
@@ -0,0 +1,39 @@ +replicas: 1 + +log: + level: info + format: console + +global: + audience: + issuer: + imageRegistry: gcr.io/aporetodev + log: + level: info + format: stackdriver + + server: + cert: + key: + pass: + + mongo: + cert: + key: + pass: + host: mongodb-shard-router-0.mongodb-shard-router,mongodb-shard-router-1.mongodb-shard-router,mongodb-shard-router-2.mongodb-shard-router + sharded: true + readConsistency: nearest + attributeEncryptionKey: + + nats: + # cert: + # key: + # pass: + user: + pass: + + profiling: + enabled: false + listen: ":6060" + \ No newline at end of file diff --git a/helm/test/values.yaml b/helm/test/values.yaml new file mode 100644 index 0000000..07da788 --- /dev/null +++ b/helm/test/values.yaml @@ -0,0 +1,39 @@ +replicas: 1 + +log: + level: info + format: console + +global: + audience: "a3s.com" + issuer: https://issuer.a3s.com + imageRegistry: gcr.io/aporetodev + log: + level: info + format: stackdriver + + server: + cert: server-cert + key: server-key + pass: server-key-pass + + mongo: + cert: mongo-cert + key: mongo-key + pass: mongo-key-pass + host: mongodb-shard-router-0.mongodb-shard-router,mongodb-shard-router-1.mongodb-shard-router,mongodb-shard-router-2.mongodb-shard-router + sharded: true + readConsistency: nearest + attributeEncryptionKey: "abcdefghijkl" + + nats: + # cert: + # key: + # pass: + user: username + pass: password + + profiling: + enabled: false + listen: ":6060" + \ No newline at end of file From 6f70ce6a99761c8930c28e23b571af6f417423ef Mon Sep 17 00:00:00 2001 
From: Christophe Serafin Date: Fri, 21 Jan 2022 16:39:32 -0800 Subject: [PATCH 2/6] fix: add missing values --- .gitignore | 1 + Makefile | 3 ++ helm/Makefile | 9 ++++++ helm/a3s/templates/deployment.yaml | 52 +++++++++++++++++++++--------- helm/a3s/templates/secrets.yaml | 7 ++++ helm/a3s/templates/service.yaml | 2 +- helm/a3s/values.yaml | 15 +++++++-- helm/test/values.yaml | 23 +++++++++---- 8 files changed, 86 insertions(+), 26 deletions(-) create mode 100644 helm/Makefile diff --git a/.gitignore b/.gitignore index c5c4371..e7ecc76 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ remod.dev .remod .data docker/in +helm/**.tgz diff --git a/Makefile b/Makefile index 14923f3..0e7f880 100644 --- a/Makefile +++ b/Makefile @@ -72,3 +72,6 @@ package_ca_certs: mkdir -p docker/in extract-nss-root-certs > docker/in/ca-certificates.pem rm -f certdata.txt + +charts: + cd helm && make all \ No newline at end of file diff --git a/helm/Makefile b/helm/Makefile new file mode 100644 index 0000000..4b89e69 --- /dev/null +++ b/helm/Makefile @@ -0,0 +1,9 @@ +export PROJECT_VERSION ?= v0.0.0-dev + +all: lint charts + +lint: + helm lint ./a3s --values ./test/values.yaml + +charts: lint + helm package a3s --version $(PROJECT_VERSION) -d . \ No newline at end of file diff --git a/helm/a3s/templates/deployment.yaml b/helm/a3s/templates/deployment.yaml index a0c6a97..fdac8a9 100644 --- a/helm/a3s/templates/deployment.yaml +++ b/helm/a3s/templates/deployment.yaml @@ -3,9 +3,9 @@ kind: Deployment metadata: name: a3s spec: - replicas: 1 + replicas: {{ .Values.replicas | default 1}} strategy: - type: RollingUpdate + type: {{ required "updateStrategy is required" .Values.updateStrategy }} selector: matchLabels: app: a3s 
@@ -16,10 +16,10 @@ spec: app: a3s type: core spec: - terminationGracePeriodSeconds: 60 + terminationGracePeriodSeconds: {{ required "global.terminationGracePeriodSeconds is required" .Values.global.terminationGracePeriodSeconds }} containers: - name: a3s - image: {{ required "global.imageRegistry is required" .Values.global.imageRegistry }}/a3s:test + image: {{ required "global.imageRegistry is required" .Values.global.imageRegistry }}/a3s:{{ required "global.imageTag is required" .Values.global.imageTag }} imagePullPolicy: "Always" env: # General 
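Review bot: `image:` now takes its tag from `global.imageTag`, whose chart default in this commit's values.yaml hunk is `latest`, combined with `imagePullPolicy: "Always"`; the `required "global.imageTag is required"` guard therefore never fires and every pod restart may pull a different build, which makes rollbacks and incident timelines unreproducible. Either leave `imageTag:` empty in `helm/a3s/values.yaml` so `required` really forces an explicit tag, or accept a digest form (`a3s@sha256:<digest>`) in addition to a tag. The container block continues outside this hunk.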
@@ -80,31 +80,39 @@ spec: value: mongodb://{{ required "global.mongo.host is required" .Values.global.mongo.host }}?replicaSet=rs0&authMechanism=MONGODB-X509 {{- end }} - name: A3S_MONGO_AUTH_DB - value: "$external" + value: {{ required "global.mongo.authdb is required" .Values.global.mongo.authdb | quote }} - name: A3S_MONGO_USER - value: "CN=mongodb-admin,OU=users,O=mongodb" - # - name: A3S_MONGO_PASS - # value: "a3s" + value: {{ required "global.mongo.user is required" .Values.global.mongo.user | quote}} - name: A3S_MONGO_ENCRYPTION_KEY value: file:///certs/attribute-encryption-key.pass - name: A3S_MONGO_TLS_DISABLE - value: "true" + value: {{ .Values.global.mongo.tls.disable | default "false" | quote }} + {{- if not .Values.global.mongo.tls.disabled }} - name: A3S_MONGO_TLS_CERT - value: "" + value: file:///certs/mongo-cert.pem - name: A3S_MONGO_TLS_KEY - value: "" + value: file:///certs/mongo-key.pem - name: A3S_MONGO_TLS_KEY_PASS - value: "" + value: file:///certs/mongo-key.pass + {{- end }} # Nats - name: A3S_NATS_URL - value: "nats://nats:4222" + value: {{ required "global.nats.host is required" .Values.global.nats.host }} - name: A3S_NATS_USER value: file:///certs/nats.user - name: A3S_NATS_PASS - value: file:///certs/nats.user + value: file:///certs/nats.pass - name: A3S_NATS_TLS_DISABLE - value: "true" + value: {{ required "global.nats.tls.disabled is required" .Values.global.nats.tls.disabled }} + {{- if not .Values.global.mongo.tls.disabled }} + - name: A3S_NATS_TLS_CERT + value: file:///certs/nats-cert.pem + - name: A3S_NATS_TLS_KEY + value: file:///certs/nats-key.pem + - name: A3S_NATS_TLS_KEY_PASS + value: file:///certs/nats-key.pass + {{- end }} volumeMounts: - name: certs @@ -131,6 +139,12 @@ spec: path: jwt-key.pass # Mongo + - key: mongo-cert.pem + path: mongo-cert.pem + - key: mongo-key.pem + path: mongo-key.pem + - key: mongo-key.pass + path: mongo-key.pass - key: attribute-encryption-key.pass path: attribute-encryption-key.pass 
@@ -138,4 +152,10 @@ spec: - key: nats.user path: nats.user - key: nats.pass - path: nats.pass \ No newline at end of file + path: nats.pass + - key: nats-cert.pem + path: nats-cert.pem + - key: nats-key.pem + path: nats-key.pem + - key: nats-key.pass + path: nats-key.pass \ No newline at end of file diff --git a/helm/a3s/templates/secrets.yaml b/helm/a3s/templates/secrets.yaml index d57db68..9fb8289 100644 --- a/helm/a3s/templates/secrets.yaml +++ b/helm/a3s/templates/secrets.yaml @@ -15,10 +15,17 @@ data: jwt-key.pass: {{ required "global.server.pass is required" .Values.global.server.pass | b64enc | quote }} # Mongo + mongo-cert.pem: {{ .Values.global.mongo.tls.cert | quote }} + mongo-key.pem: {{ .Values.global.mongo.tls.key | quote }} + mongo-key.pass: {{ .Values.global.mongo.tls.pass | b64enc | quote }} attribute-encryption-key.pass: {{ required "global.mongo.attributeEncryptionKey is required" .Values.global.mongo.attributeEncryptionKey | b64enc | quote }} # Nats nats.user: {{ required "global.nats.user is required" .Values.global.nats.user | b64enc | quote }} nats.pass: {{ required "global.nats.pass is required" .Values.global.nats.pass | b64enc | quote }} + nats-cert.pem: {{ .Values.global.nats.tls.cert | quote }} + nats-key.pem: {{ .Values.global.nats.tls.key | quote }} + nats-key.pass: {{ .Values.global.nats.tls.pass | b64enc | quote }} + diff --git a/helm/a3s/templates/service.yaml b/helm/a3s/templates/service.yaml index 7e74e90..95cf361 100644 --- a/helm/a3s/templates/service.yaml +++ b/helm/a3s/templates/service.yaml @@ -23,7 +23,7 @@ metadata: spec: selector: app: a3s - clusterIP: None + clusterIP: {{ required "clusterIP is required" .Values.clusterIP }} ports: - port: 1080 name: health diff --git a/helm/a3s/values.yaml b/helm/a3s/values.yaml index a1d66e0..8d8eb1d 100644 --- a/helm/a3s/values.yaml +++ b/helm/a3s/values.yaml @@ -1,4 +1,6 @@ replicas: 1 +updateStrategy: RollingUpdate +clusterIP: None log: level: info 
@@ -8,6 +10,8 @@ global: audience: issuer: imageRegistry: gcr.io/aporetodev + imageTag: latest + terminationGracePeriodSeconds: 60 log: level: info format: stackdriver @@ -18,9 +22,14 @@ global: pass: mongo: - cert: - key: - pass: + tls: + disable: + cert: + key: + pass: + authdb: "$external" + user: "CN=mongodb-admin,OU=users,O=mongodb" + host: mongodb-shard-router-0.mongodb-shard-router,mongodb-shard-router-1.mongodb-shard-router,mongodb-shard-router-2.mongodb-shard-router sharded: true readConsistency: nearest diff --git a/helm/test/values.yaml b/helm/test/values.yaml index 07da788..2bd67d3 100644 --- a/helm/test/values.yaml +++ b/helm/test/values.yaml @@ -1,4 +1,6 @@ replicas: 1 +updateStrategy: RollingUpdate +clusterIP: None log: level: info @@ -8,6 +10,8 @@ global: audience: "a3s.com" issuer: https://issuer.a3s.com imageRegistry: gcr.io/aporetodev + imageTag: latest + terminationGracePeriodSeconds: 60 log: level: info format: stackdriver @@ -18,20 +22,27 @@ global: pass: server-key-pass mongo: - cert: mongo-cert - key: mongo-key - pass: mongo-key-pass + tls: + disable: false + cert: mongo-cert + key: mongo-key + pass: mongo-key-pass + authdb: "$external" + user: "CN=mongodb-admin,OU=users,O=mongodb" host: mongodb-shard-router-0.mongodb-shard-router,mongodb-shard-router-1.mongodb-shard-router,mongodb-shard-router-2.mongodb-shard-router sharded: true readConsistency: nearest attributeEncryptionKey: "abcdefghijkl" nats: - # cert: - # key: - # pass: + tls: + disabled: false + cert: nats-cert + key: nats-key + pass: nats-key-pass user: username pass: password + host: "nats://nats:4222" profiling: enabled: false From bcf749548c6edc815454b0b4db1749ee15bf2b17 Mon Sep 17 00:00:00 2001 
From: Christophe Serafin Date: Sun, 23 Jan 2022 19:45:13 -0800 Subject: [PATCH 3/6] fix: naming and tls --- .gitignore | 1 + helm/Makefile | 4 +- helm/a3s/templates/deployment.yaml | 69 ++++++++++++++++-------------- helm/a3s/templates/secrets.yaml | 21 +++++---- helm/a3s/templates/service.yaml | 1 - helm/a3s/values.yaml | 17 ++++++-- helm/test/values.yaml | 11 ++++- pkgs/bootstrap/clients.go | 2 +- 8 files changed, 75 insertions(+), 51 deletions(-) diff --git a/.gitignore b/.gitignore index e7ecc76..411bdf2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +.DS_Store cmd/a3s/a3s cmd/a3sctl/a3sctl coverage.xml diff --git a/helm/Makefile b/helm/Makefile index 4b89e69..2af89fd 100644 --- a/helm/Makefile +++ b/helm/Makefile @@ -6,4 +6,6 @@ lint: helm lint ./a3s --values ./test/values.yaml charts: lint - helm package a3s --version $(PROJECT_VERSION) -d . \ No newline at end of file + helm package a3s --version $(PROJECT_VERSION) -d . + helm push --force ./a3s-$(PROJECT_VERSION).tgz local; + helm repo update \ No newline at end of file diff --git a/helm/a3s/templates/deployment.yaml b/helm/a3s/templates/deployment.yaml index fdac8a9..608a813 100644 --- a/helm/a3s/templates/deployment.yaml +++ b/helm/a3s/templates/deployment.yaml @@ -27,10 +27,6 @@ spec: value: ":1443" - name: A3S_ENCODING value: "msgpack" - # - name: A3S_CORS_DEFAULT_ORIGIN - # value: "https://127.0.0.1:44443" - # - name: A3S_CORS_ADDITIONAL_ORIGINS - # value: "http://localhost:8080" # Log - name: A3S_LOG_FORMAT @@ -54,11 +50,11 @@ spec: # TLS - name: A3S_TLS_CERT - value: /certs/a3s-tls-cert.pem + value: /certs/server-cert.pem - name: A3S_TLS_KEY - value: /certs/a3s-tls-key.pem + value: /certs/server-key.pem - name: A3S_TLS_KEY_PASS - value: file:///certs/a3s-tls-key.pass + value: file:///certs/server-key.pass # JWT - name: A3S_JWT_CERT 
@@ -68,30 +64,28 @@ spec: - name: A3S_JWT_KEY_PASS value: file:///certs/jwt-key.pass - name: A3S_JWT_ISSUER - value: {{ required "global.issuer is required" .Values.global.issuer }} + value: {{ required "global.issuer is required" .Values.global.issuer | quote }} - name: A3S_JWT_AUDIENCE - value: {{ required "global.audience is required" .Values.global.audience }} + value: {{ required "global.audience is required" .Values.global.audience | quote }} # Mongo - name: A3S_MONGO_URL - {{- if .Values.global.mongo.sharded }} - value: mongodb://{{ required "global.mongo.host is required" .Values.global.mongo.host }}?authMechanism=MONGODB-X509 - {{- else }} - value: mongodb://{{ required "global.mongo.host is required" .Values.global.mongo.host }}?replicaSet=rs0&authMechanism=MONGODB-X509 - {{- end }} + value: {{ required "global.mongo.host is required" .Values.global.mongo.host }} - name: A3S_MONGO_AUTH_DB - value: {{ required "global.mongo.authdb is required" .Values.global.mongo.authdb | quote }} + value: {{ required "global.mongo.db is required" .Values.global.mongo.db | quote }} - name: A3S_MONGO_USER value: {{ required "global.mongo.user is required" .Values.global.mongo.user | quote}} - name: A3S_MONGO_ENCRYPTION_KEY value: file:///certs/attribute-encryption-key.pass - name: A3S_MONGO_TLS_DISABLE value: {{ .Values.global.mongo.tls.disable | default "false" | quote }} - {{- if not .Values.global.mongo.tls.disabled }} + {{- if eq .Values.global.mongo.tls.disable false }} + - name: A3S_MONGO_CUSTOM_CA + value: /certs/mongo-ca.pem - name: A3S_MONGO_TLS_CERT - value: file:///certs/mongo-cert.pem + value: /certs/mongo-full.pem - name: A3S_MONGO_TLS_KEY - value: file:///certs/mongo-key.pem + value: /certs/mongo-key.pem - name: A3S_MONGO_TLS_KEY_PASS value: file:///certs/mongo-key.pass {{- end }} 
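Review bot: The Mongo TLS block is gated inconsistently: `A3S_MONGO_TLS_DISABLE` renders `.Values.global.mongo.tls.disable | default "false"`, so an unset value means TLS on, but the CA/cert/key env vars beneath it are emitted only when `eq .Values.global.mongo.tls.disable false`, which is false for nil (and the chart's values.yaml leaves `disable:` empty). With the defaults, a3s is told to use TLS to Mongo without `A3S_MONGO_CUSTOM_CA`/`A3S_MONGO_TLS_CERT`; whether that fails or degrades to an unauthenticated client depends on the binary, which is not visible here. Gate both on the same expression, e.g. `{{- if not .Values.global.mongo.tls.disable }}`. Separately, the URL rewrite drops the `replicaSet`/`authMechanism` query parameters, leaving `global.mongo.sharded` and `readConsistency` in values.yaml with no consumer.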
@@ -104,12 +98,14 @@ spec: - name: A3S_NATS_PASS value: file:///certs/nats.pass - name: A3S_NATS_TLS_DISABLE - value: {{ required "global.nats.tls.disabled is required" .Values.global.nats.tls.disabled }} - {{- if not .Values.global.mongo.tls.disabled }} + value: {{ required "global.nats.tls.disable is required" .Values.global.nats.tls.disable | quote }} + {{- if eq .Values.global.mongo.tls.disable false }} + - name: A3S_NATS_TLS_CA + value: /certs/nats-ca.pem - name: A3S_NATS_TLS_CERT - value: file:///certs/nats-cert.pem + value: /certs/nats-cert.pem - name: A3S_NATS_TLS_KEY - value: file:///certs/nats-key.pem + value: /certs/nats-key.pem - name: A3S_NATS_TLS_KEY_PASS value: file:///certs/nats-key.pass {{- end }} @@ -117,18 +113,19 @@ spec: volumeMounts: - name: certs mountPath: /certs + readOnly: true volumes: - name: certs secret: secretName: a3s-secrets items: # TLS - - key: a3s-tls-cert.pem - path: a3s-tls-cert.pem - - key: a3s-tls-key.pem - path: a3s-tls-key.pem - - key: a3s-tls-key.pass - path: a3s-tls-key.pass + - key: server-cert.pem + path: server-cert.pem + - key: server-key.pem + path: server-key.pem + - key: server-key.pass + path: server-key.pass # JWT - key: jwt-cert.pem @@ -139,6 +136,10 @@ spec: path: jwt-key.pass # Mongo + - key: mongo-ca.pem + path: mongo-ca.pem + - key: mongo-full.pem + path: mongo-full.pem - key: mongo-cert.pem path: mongo-cert.pem - key: mongo-key.pem @@ -149,13 +150,15 @@ spec: path: attribute-encryption-key.pass # Nats - - key: nats.user - path: nats.user - - key: nats.pass - path: nats.pass + - key: nats-ca.pem + path: nats-ca.pem - key: nats-cert.pem path: nats-cert.pem - key: nats-key.pem path: nats-key.pem - key: nats-key.pass - path: nats-key.pass \ No newline at end of file + path: nats-key.pass + - key: nats.user + path: nats.user + - key: nats.pass + path: nats.pass \ No newline at end of file diff --git a/helm/a3s/templates/secrets.yaml b/helm/a3s/templates/secrets.yaml index 9fb8289..ad2024d 100644 
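Review bot: The NATS TLS block is gated on the Mongo flag: `{{- if eq .Values.global.mongo.tls.disable false }}` precedes `A3S_NATS_TLS_CA`, so `global.nats.tls.disable` only controls the `A3S_NATS_TLS_DISABLE` value while the CA/cert/key injection follows `global.mongo.tls.disable`, and a deployment with NATS TLS on and Mongo TLS off gets no client certificate material for NATS. That line should read `{{- if not .Values.global.nats.tls.disable }}`. The `readOnly: true` added to the certs mount in the following hunk is a good change.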
--- a/helm/a3s/templates/secrets.yaml
+++ b/helm/a3s/templates/secrets.yaml
@@ -5,27 +5,30 @@ metadata: name: a3s-secrets data: # TLS - a3s-tls-cert.pem: {{ required "global.server.cert is required" .Values.global.server.cert | quote }} - a3s-tls-key.pem: {{ required "global.server.key is required" .Values.global.server.key | quote }} - a3s-tls-key.pass: {{ required "global.server.pass is required" .Values.global.server.pass | b64enc | quote }} + server-cert.pem: {{ required "global.server.cert is required" .Values.global.server.cert | quote }} + server-key.pem: {{ required "global.server.key is required" .Values.global.server.key | quote }} + server-key.pass: {{ required "global.server.pass is required" .Values.global.server.pass | b64enc | quote }} # JWT - jwt-cert.pem: {{ required "global.server.cert is required" .Values.global.server.cert | quote }} - jwt-key.pem: {{ required "global.server.key is required" .Values.global.server.key | quote }} - jwt-key.pass: {{ required "global.server.pass is required" .Values.global.server.pass | b64enc | quote }} + jwt-cert.pem: {{ required "global.jwt.cert is required" .Values.global.jwt.cert | quote }} + jwt-key.pem: {{ required "global.jwt.key is required" .Values.global.jwt.key | quote }} + jwt-key.pass: {{ required "global.jwt.pass is required" .Values.global.jwt.pass | b64enc | quote }} # Mongo + mongo-ca.pem: {{ .Values.global.mongo.tls.ca | quote }} + mongo-full.pem: {{ .Values.global.mongo.tls.full | quote }} mongo-cert.pem: {{ .Values.global.mongo.tls.cert | quote }} mongo-key.pem: {{ .Values.global.mongo.tls.key | quote }} mongo-key.pass: {{ .Values.global.mongo.tls.pass | b64enc | quote }} attribute-encryption-key.pass: {{ required "global.mongo.attributeEncryptionKey is required" .Values.global.mongo.attributeEncryptionKey | b64enc | quote }} # Nats + nats-ca.pem: {{ required "global.nats.tls.ca is required" .Values.global.nats.tls.ca | quote }} + nats-cert.pem: {{ required "global.nats.tls.cert is required" .Values.global.nats.tls.cert | quote }} + nats-key.pem: {{ required 
"global.nats.tls.key is required" .Values.global.nats.tls.key | quote }} + nats-key.pass: {{ required "global.nats.tls.pass is required" .Values.global.nats.tls.pass | b64enc | quote }} nats.user: {{ required "global.nats.user is required" .Values.global.nats.user | b64enc | quote }} nats.pass: {{ required "global.nats.pass is required" .Values.global.nats.pass | b64enc | quote }} - nats-cert.pem: {{ .Values.global.nats.tls.cert | quote }} - nats-key.pem: {{ .Values.global.nats.tls.key | quote }} - nats-key.pass: {{ .Values.global.nats.tls.pass | b64enc | quote }} diff --git a/helm/a3s/templates/service.yaml b/helm/a3s/templates/service.yaml index 95cf361..741b963 100644 --- a/helm/a3s/templates/service.yaml +++ b/helm/a3s/templates/service.yaml @@ -8,7 +8,6 @@ metadata: spec: selector: app: a3s - clusterIP: None ports: - port: 1443 name: app diff --git a/helm/a3s/values.yaml b/helm/a3s/values.yaml index 8d8eb1d..72f7350 100644 --- a/helm/a3s/values.yaml +++ b/helm/a3s/values.yaml @@ -21,13 +21,19 @@ global: key: pass: + jwt: + cert: jwt-cert + key: jwt-key + pass: jwt-pass + mongo: tls: disable: + ca: cert: key: pass: - authdb: "$external" + db: "$external" user: "CN=mongodb-admin,OU=users,O=mongodb" host: mongodb-shard-router-0.mongodb-shard-router,mongodb-shard-router-1.mongodb-shard-router,mongodb-shard-router-2.mongodb-shard-router @@ -36,9 +42,12 @@ global: attributeEncryptionKey: nats: - # cert: - # key: - # pass: + tls: + disable: + ca: + cert: + key: + pass: user: pass: diff --git a/helm/test/values.yaml b/helm/test/values.yaml index 2bd67d3..9fd8036 100644 --- a/helm/test/values.yaml +++ b/helm/test/values.yaml 
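Review bot: The four `nats-*.pem`/`.pass` entries are now `required`, but deployment.yaml only consumes them when NATS TLS is on, so a release with `global.nats.tls.disable: true` cannot render at all unless dummy certificate material is supplied; wrap them in the same condition or drop `required` as was done for the `mongo-*` entries. Conversely `mongo-key.pass: {{ .Values.global.mongo.tls.pass | b64enc | quote }}` pipes an optional value into `b64enc` with no default, and a nil there is likely a render error rather than an empty string; `{{ .Values.global.mongo.tls.pass | default "" | b64enc | quote }}` avoids it. The Makefile's `helm lint` runs only against `test/values.yaml`, which sets every field, so neither path is exercised.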
@@ -21,13 +21,19 @@ global: key: server-key pass: server-key-pass + jwt: + cert: jwt-cert + key: jwt-key + pass: jwt-pass + mongo: tls: disable: false + ca: mongo-ca cert: mongo-cert key: mongo-key pass: mongo-key-pass - authdb: "$external" + db: "$external" user: "CN=mongodb-admin,OU=users,O=mongodb" host: mongodb-shard-router-0.mongodb-shard-router,mongodb-shard-router-1.mongodb-shard-router,mongodb-shard-router-2.mongodb-shard-router sharded: true @@ -36,7 +42,8 @@ global: nats: tls: - disabled: false + disable: false + ca: nats-ca cert: nats-cert key: nats-key pass: nats-key-pass diff --git a/pkgs/bootstrap/clients.go b/pkgs/bootstrap/clients.go index 8dfb664..cf73da4 100644 --- a/pkgs/bootstrap/clients.go +++ b/pkgs/bootstrap/clients.go @@ -93,7 +93,7 @@ func MakeMongoManipulator(cfg conf.MongoConf, hasher sharder.Hasher, additionalO tlscfg, err := cfg.TLSConfig() if err != nil { - zap.L().Fatal("Unable to prepare TLS config for nats", zap.Error(err)) + zap.L().Fatal("Unable to prepare TLS config for mongo", zap.Error(err)) } if tlscfg != nil { From 2994fa1597e933c888f32f954a1a9cfc8cbe8aed Mon Sep 17 00:00:00 2001 From: Christophe Serafin Date: Mon, 24 Jan 2022 15:53:16 -0800 Subject: [PATCH 4/6] fix: more configuration options --- helm/Makefile | 2 +- helm/a3s/templates/deployment.yaml | 33 ++++++++++++++++++------------ helm/a3s/templates/service.yaml | 20 +++++++++--------- helm/a3s/values.yaml | 17 +++++++++------ helm/test/values.yaml | 20 ++++++++++-------- 5 files changed, 54 insertions(+), 38 deletions(-) diff --git a/helm/Makefile b/helm/Makefile index 2af89fd..e7aa538 100644 --- a/helm/Makefile +++ b/helm/Makefile @@ -1,6 +1,6 @@ export PROJECT_VERSION ?= v0.0.0-dev -all: lint charts +default: lint charts lint: helm lint ./a3s --values ./test/values.yaml diff --git a/helm/a3s/templates/deployment.yaml b/helm/a3s/templates/deployment.yaml index 608a813..c353da3 100644 --- a/helm/a3s/templates/deployment.yaml +++ b/helm/a3s/templates/deployment.yaml 
@@ -1,42 +1,49 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: a3s + name: {{ .Values.labels.name | default "a3s" }} spec: replicas: {{ .Values.replicas | default 1}} strategy: - type: {{ required "updateStrategy is required" .Values.updateStrategy }} + type: {{ .Values.updateStrategy | default "RollingUpdate" }} selector: matchLabels: - app: a3s - type: core + app: {{ .Values.labels.name | default "a3s" }} + type: {{ .Values.labels.type | default "core" }} template: metadata: labels: - app: a3s - type: core + app: {{ .Values.labels.name | default "a3s" }} + type: {{ .Values.labels.type | default "core" }} spec: - terminationGracePeriodSeconds: {{ required "global.terminationGracePeriodSeconds is required" .Values.global.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds | default 60 }} containers: - name: a3s image: {{ required "global.imageRegistry is required" .Values.global.imageRegistry }}/a3s:{{ required "global.imageTag is required" .Values.global.imageTag }} - imagePullPolicy: "Always" + imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }} env: # General - name: A3S_LISTEN - value: ":1443" + value: ":{{ .Values.service.port | default 1443 }}" + + {{- if .Values.global.encoding }} - name: A3S_ENCODING - value: "msgpack" + value: {{ .Values.global.encoding | quote }} + {{- end }} # Log + {{- if .Values.log.format }} - name: A3S_LOG_FORMAT - value: {{ .Values.log.format | default .Values.global.log.format | quote }} + value: {{ .Values.log.format | quote }} + {{- end }} + {{- if .Values.log.level }} - name: A3S_LOG_LEVEL - value: {{ .Values.log.level | default .Values.global.log.level | quote }} + value: {{ .Values.log.level | quote }} + {{- end }} # Health - name: A3S_HEALTH_LISTEN - value: ":1080" + value: ":{{ .Values.service.healthPort | default 1080 }}" - name: A3S_HEALTH_ENABLED value: "true" 
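Review bot: `spec.selector.matchLabels.app` and `.type` are now rendered from `.Values.labels.name`/`.Values.labels.type`, but a Deployment's selector is immutable in apps/v1, so changing either value on an existing release makes `helm upgrade` fail with a field-immutable error instead of renaming the workload. Either keep the selector labels fixed and template only `metadata.labels` and the pod template labels, or state in values.yaml that `labels.name`/`labels.type` can only be chosen at install time. The env block continues outside this hunk.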
diff --git a/helm/a3s/templates/service.yaml b/helm/a3s/templates/service.yaml index 741b963..36f5112 100644 --- a/helm/a3s/templates/service.yaml +++ b/helm/a3s/templates/service.yaml @@ -1,29 +1,29 @@ apiVersion: v1 kind: Service metadata: - name: a3s + name: {{ .Values.labels.name | default "a3s" }} labels: - app: a3s - type: core + app: {{ .Values.labels.name | default "a3s" }} + type: {{ .Values.labels.type | default "core" }} spec: selector: - app: a3s + app: {{ .Values.labels.name | default "a3s" }} ports: - - port: 1443 - name: app + - port: {{ .Values.service.port | default "1443" }} + name: {{ .Values.labels.name | default "a3s" }} --- apiVersion: v1 kind: Service metadata: name: health-a3s labels: - app: a3s - type: core + app: {{ .Values.labels.name | default "a3s" }} + type: {{ .Values.labels.name | default "core" }} spec: selector: - app: a3s + app: {{ .Values.labels.name | default "a3s" }} clusterIP: {{ required "clusterIP is required" .Values.clusterIP }} ports: - - port: 1080 + - port: {{ .Values.service.healthPort | default 1080 }} name: health --- diff --git a/helm/a3s/values.yaml b/helm/a3s/values.yaml index 72f7350..e1c4172 100644 --- a/helm/a3s/values.yaml +++ b/helm/a3s/values.yaml @@ -1,20 +1,25 @@ replicas: 1 -updateStrategy: RollingUpdate clusterIP: None +service: + port: + healthPort: + +labels: + name: + type: + log: - level: info - format: console + level: + format: global: + encoding: audience: issuer: imageRegistry: gcr.io/aporetodev imageTag: latest terminationGracePeriodSeconds: 60 - log: - level: info - format: stackdriver server: cert: diff --git a/helm/test/values.yaml b/helm/test/values.yaml index 9fd8036..7ac2e3a 100644 --- a/helm/test/values.yaml +++ b/helm/test/values.yaml 
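Review bot: In the `health-a3s` Service the `type` label is rendered from the wrong value: `type: {{ .Values.labels.name | default "core" }}`, where the first Service and the Deployment use `.Values.labels.type`, so overriding `labels.name` rewrites this label instead of the type. Change it to `type: {{ .Values.labels.type | default "core" }}`. The Service `name: health-a3s` is also still hard-coded while the app name is templated, so two releases with different `labels.name` in one namespace would collide on it.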
@@ -1,21 +1,25 @@ replicas: 1 -updateStrategy: RollingUpdate clusterIP: None +service: + port: + healthPort: + +labels: + name: + type: + log: - level: info - format: console + level: + format: global: + encoding: audience: "a3s.com" issuer: https://issuer.a3s.com imageRegistry: gcr.io/aporetodev imageTag: latest - terminationGracePeriodSeconds: 60 - log: - level: info - format: stackdriver - + server: cert: server-cert key: server-key From d6e7d047bd7f06ae5e6506ea1268dd86e9548cd3 Mon Sep 17 00:00:00 2001 From: Christophe Serafin Date: Tue, 25 Jan 2022 17:53:57 -0800 Subject: [PATCH 5/6] fix: service configuration --- helm/Makefile | 6 +++--- helm/a3s/templates/deployment.yaml | 14 ++++++++++++++ helm/a3s/templates/secrets.yaml | 3 +++ helm/a3s/templates/service.yaml | 6 ++++-- helm/a3s/values.yaml | 7 +++++++ helm/test/values.yaml | 10 +++++++++- 6 files changed, 40 insertions(+), 6 deletions(-) diff --git a/helm/Makefile b/helm/Makefile index e7aa538..a3104f9 100644 --- a/helm/Makefile +++ b/helm/Makefile @@ -1,4 +1,4 @@ -export PROJECT_VERSION ?= v0.0.0-dev +export DOCKER_TAG ?= v0.0.0-dev default: lint charts @@ -6,6 +6,6 @@ lint: helm lint ./a3s --values ./test/values.yaml charts: lint - helm package a3s --version $(PROJECT_VERSION) -d . - helm push --force ./a3s-$(PROJECT_VERSION).tgz local; + helm package a3s --version $(DOCKER_TAG) -d . + helm push --force ./a3s-$(DOCKER_TAG).tgz local; helm repo update \ No newline at end of file diff --git a/helm/a3s/templates/deployment.yaml b/helm/a3s/templates/deployment.yaml index c353da3..f84189e 100644 --- a/helm/a3s/templates/deployment.yaml +++ b/helm/a3s/templates/deployment.yaml 
@@ -22,6 +22,16 @@ spec: image: {{ required "global.imageRegistry is required" .Values.global.imageRegistry }}/a3s:{{ required "global.imageTag is required" .Values.global.imageTag }} imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }} env: + # Init + - name: A3S_INIT + value: "{{ .Values.init.run | default "false" }}" + + - name: A3S_INIT_CONTINUE + value: "{{ .Values.init.continue | default "false" }}" + + - name: A3S_INIT_CONTINUE + value: /certs/init-root-ca.pem + # General - name: A3S_LISTEN value: ":{{ .Values.service.port | default 1443 }}" @@ -126,6 +136,10 @@ spec: secret: secretName: a3s-secrets items: + # Init + - key: init-root-ca.pem + path: init-root-ca.pem + # TLS - key: server-cert.pem path: server-cert.pem diff --git a/helm/a3s/templates/secrets.yaml b/helm/a3s/templates/secrets.yaml index ad2024d..93bf901 100644 --- a/helm/a3s/templates/secrets.yaml +++ b/helm/a3s/templates/secrets.yaml @@ -4,6 +4,9 @@ type: Opaque metadata: name: a3s-secrets data: + # Init + init-root-ca.pem: {{ required "init.ca is required" .Values.init.ca | quote }} + # TLS server-cert.pem: {{ required "global.server.cert is required" .Values.global.server.cert | quote }} server-key.pem: {{ required "global.server.key is required" .Values.global.server.key | quote }} diff --git a/helm/a3s/templates/service.yaml b/helm/a3s/templates/service.yaml index 36f5112..3fec83b 100644 --- a/helm/a3s/templates/service.yaml +++ b/helm/a3s/templates/service.yaml @@ -6,11 +6,13 @@ metadata: app: {{ .Values.labels.name | default "a3s" }} type: {{ .Values.labels.type | default "core" }} spec: + type: {{ .Values.service.type | default "LoadBalancer" }} selector: app: {{ .Values.labels.name | default "a3s" }} ports: - - port: {{ .Values.service.port | default "1443" }} - name: {{ .Values.labels.name | default "a3s" }} + - targetPort: {{ .Values.service.targetPort | default "1443" }} + port: {{ .Values.service.port | default "443" }} + name: https --- apiVersion: v1 kind: Service 
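Review bot: The two new `value:` lines wrap a template action that itself contains double quotes inside a double-quoted YAML scalar (`value: "{{ .Values.init.run | default "false" }}"`); it renders because Helm substitutes before YAML parsing, but the `| quote` filter that the secrets template in this commit uses is the cleaner form, i.e. `value: {{ .Values.init.run | default "false" | quote }}` and the same for `init.continue`. Note that `default` treats a boolean `false` as empty, so both an unset and an explicit `init.run: false` render `"false"`, which is the intended result here. The enclosing container spec starts and ends outside the hunk.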
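Review bot: `required "init.ca is required" .Values.init.ca` can never fire, because the `helm/a3s/values.yaml` hunk in this commit ships `ca: init-root-ca` as a chart default (and the `helm/test/values.yaml` hunk repeats it); an install that forgets to supply the CA renders a Secret whose `init-root-ca.pem` entry is the literal string `init-root-ca`, which the deployment then mounts at `/certs/init-root-ca.pem` and presumably hands to the server as its root CA. Leave the key empty in the chart defaults (`ca: ""` with a comment) so `required` actually guards the value, and keep the placeholder only in the test values. The entry sits under `data:`, which the API server expects to be base64; the existing `server-cert.pem`/`server-key.pem` lines follow the same pattern, so callers presumably pass pre-encoded material — a `# base64-encoded PEM` comment on the value would make that contract explicit, or `stringData:` / `| b64enc` would remove it.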
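Review bot: `type: {{ .Values.service.type | default "LoadBalancer" }}` makes an externally reachable load balancer the default for the authentication service on every install where `service.type` is unset, and both values files in this commit leave it bare; a `ClusterIP` default with `LoadBalancer` as an explicit opt-in keeps exposure a deliberate choice, i.e. `type: {{ .Values.service.type | default "ClusterIP" }}`. The hunk also repurposes `service.port` as the Service's front port (default `"443"`) and adds `service.targetPort` (default `"1443"`) for the pod, but the deployment hunk earlier in this commit still binds the listener to `service.port` (`value: ":{{ .Values.service.port | default 1443 }}"`), so any `service.port` other than 1443 leaves the Service targeting a port nothing listens on; `A3S_LISTEN` should be derived from `service.targetPort`. The new port defaults are strings (`"443"`, `"1443"`) where `healthPort` below uses an integer; both render as plain scalars, but integers match the field type.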
diff --git a/helm/a3s/values.yaml b/helm/a3s/values.yaml index e1c4172..a42e641 100644 --- a/helm/a3s/values.yaml +++ b/helm/a3s/values.yaml @@ -2,7 +2,9 @@ replicas: 1 clusterIP: None service: + type: port: + targetPort: healthPort: labels: @@ -13,6 +15,11 @@ log: level: format: +init: + run: + continue: + ca: init-root-ca + global: encoding: audience: diff --git a/helm/test/values.yaml b/helm/test/values.yaml index 7ac2e3a..2554715 100644 --- a/helm/test/values.yaml +++ b/helm/test/values.yaml @@ -2,8 +2,11 @@ replicas: 1 clusterIP: None service: + type: port: - healthPort: + targetPort: + healthPort: + labels: name: @@ -13,6 +16,11 @@ log: level: format: +init: + run: + continue: + ca: init-root-ca + global: encoding: audience: "a3s.com" From fb2be7b718da7748fae04bb3326f7dd0a74bbf45 Mon Sep 17 00:00:00 2001 From: Christophe Serafin Date: Tue, 25 Jan 2022 17:58:27 -0800 Subject: [PATCH 6/6] fix: typo --- helm/a3s/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/a3s/templates/deployment.yaml b/helm/a3s/templates/deployment.yaml index f84189e..7df0d56 100644 --- a/helm/a3s/templates/deployment.yaml +++ b/helm/a3s/templates/deployment.yaml @@ -29,7 +29,7 @@ spec: - name: A3S_INIT_CONTINUE value: "{{ .Values.init.continue | default "false" }}" - - name: A3S_INIT_CONTINUE + - name: A3S_INIT_ROOT_CA value: /certs/init-root-ca.pem # General
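Review bot: The new `init:` block in the `helm/a3s/values.yaml` hunk `@@ -13,6 +15,11 @@` carries no comment, and the key names `run`, `continue` and `ca` do not say how they are consumed; from the templates in this commit, `run` and `continue` become the `A3S_INIT` and `A3S_INIT_CONTINUE` environment variables (default `"false"`), and `ca` is written into the `a3s-secrets` Secret as `init-root-ca.pem` and mounted at `/certs/init-root-ca.pem`. A comment above each key, e.g. `# ca: root CA material stored in Secret a3s-secrets as init-root-ca.pem (mounted at /certs/init-root-ca.pem)`, tells operators that `ca` is secret material rather than a name. The `helm/test/values.yaml` hunk repeats the block and would benefit from the same comments.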
