Merge pull request #29 from aserto-dev/directory/no-tls

Support running services without TLS + test harness

.github/workflows/ci.yaml

@@ -6,23 +6,17 @@ on:
   pull_request:
 
 env:
+  GH_TOKEN: ${{ github.token }}
   HELM_VERSION: v3.14.4
-  PYTHON_VERSION: 3.x
+  PYTHON_VERSION: 3.13
+  POSTGRES_PASSWORD: postgres
+  UV_VERSION: 0.5.3
+  TOPAZ_VERSION: 0.32.36
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Read Configuration
-        uses: hashicorp/vault-action@v3
-        id: vault
-        with:
-          url: https://vault.eng.aserto.com/
-          token: ${{ secrets.VAULT_TOKEN }}
-          secrets: |
-            kv/data/github  "USERNAME"            | DOCKER_USERNAME;
-            kv/data/github  "READ_WRITE_TOKEN"    | READ_WRITE_TOKEN;
       -
         uses: actions/checkout@v4
         with:
@@ -46,4 +40,89 @@ jobs:
       -
         name: Lint
         run: |
-          ct lint --config ct.yaml --helm-repo-extra-args "aserto-helm=-u gh -p ${READ_WRITE_TOKEN}"
+          ct lint --config ct.yaml --helm-repo-extra-args "aserto-helm=-u gh -p ${{ secrets.GITHUB_TOKEN }}"
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        uses: actions/checkout@v4
+      -
+        name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: ${{ env.HELM_VERSION }}
+      -
+        name: Install topaz CLI
+        run: |
+          gh release download v${{env.TOPAZ_VERSION}} --repo aserto-dev/topaz --pattern "topaz_linux_x86_64.zip" \
+            --output ./ext/topaz.zip --clobber
+          unzip ./ext/topaz.zip -d bin
+          chmod +x ./bin/topaz
+          ./bin/topaz version
+          echo "TOPAZ=$(realpath ./bin/topaz)" >> "$GITHUB_ENV"
+          echo "TOPAZ_CERTS_DIR=$(./bin/topaz config info | jq '.config.topaz_certs_dir' -r)" >> "$GITHUB_ENV"
+      -
+        name: Install topazd container
+        run: |
+          ${TOPAZ} install --container-tag=${{ env.TOPAZ_VERSION }}
+          ${TOPAZ} version
+      -
+        name: Generate topaz certs
+        run: ${TOPAZ} certs generate
+      -
+        name: Install uv package manager
+        uses: astral-sh/setup-uv@v3
+        with:
+          version: ${{ env.UV_VERSION }}
+      -
+        uses: AbsaOSS/k3d-action@v2
+        name: Create k8s cluster
+        with:
+          cluster-name: "test"
+          args: >
+            --agents 1
+            --k3s-arg "--disable=metrics-server@server:*"
+      -
+        name: Test Topaz
+        timeout-minutes: 10
+        env:
+          TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}
+        run: |
+          uv run --project tools/ktest tools/ktest/ktest.py charts/topaz/test/tests.yaml
+      -
+        name: Deploy Postgres
+        run: |
+          helm install postgresql oci://registry-1.docker.io/bitnamicharts/postgresql \
+            --namespace postgres --create-namespace \
+            --set auth.postgresPassword=${{ env.POSTGRES_PASSWORD }}
+      -
+        name: Wait for Postgres
+        run: |
+          echo "Waiting for postgres to be ready"
+          kubectl wait pods --selector app.kubernetes.io/name=postgresql \
+            --for condition=Ready --namespace postgres --timeout=60s
+      -
+        name: Generate admin ssh key
+        id: sshkey
+        run: |
+          ssh-keygen -t ed25519 -N "" -f ${HOME}/.ssh/admin_ed25519
+          echo "public_key=${HOME}/.ssh/admin_ed25519.pub" >> "$GITHUB_OUTPUT"
+          echo "private_key=${HOME}/.ssh/admin_ed25519" >> "$GITHUB_OUTPUT"
+
+          cat << EOF > ${HOME}/.ssh/config
+          Host localhost
+            StrictHostKeyChecking no
+          EOF
+
+          chmod 400 ~/.ssh/config
+      -
+        name: Test Directory
+        timeout-minutes: 10
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SSH_PUBLIC_KEY: ${{ steps.sshkey.outputs.public_key }}
+          SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }}
+          TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}
+        run: |
+          uv run --project tools/ktest tools/ktest/ktest.py charts/directory/test/tests.yaml

.gitignore

@@ -1,3 +1,10 @@
 .ext/
 /charts/*/build/
 /charts/*/charts/
+
+# python
+**/__pycache__/
+.venv-path
+
+# env
+.envrc

charts/aserto-lib/Chart.yaml

@@ -21,7 +21,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.5
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/aserto-lib/templates/_client.tpl

@@ -1,22 +1,25 @@
-{{- define "aserto-lib.clientCA" }}
-{{- if .disableTLSVerification }}
+{{- define "aserto-lib.clientTLS" }}
+{{- if .noVerify | and .noTLS -}}
+  {{- fail "'noVerify' and 'noTLS' are mutually exclusive." }}
+{{- end }}
+{{- if .noTLS }}
+no_tls: true
+{{- else if .skipVerify }}
 insecure : true
-{{- else if .grpcCertSecret }}
+{{- else if .caCertSecret }}
 ca_cert_path: /{{ .certVolume }}/ca.crt
-{{- else }}
-ca_cert_path: /grpc-certs/ca.crt
 {{- end }}
 {{- end }}
 
 {{- define "aserto-lib.rootDirectoryClient" -}}
 address: {{ include "aserto-lib.rootDirectoryAddress" . }}
 tenant_id: {{ include "aserto-lib.rootDirectoryTenantID" . }}
-{{- $cfg := include "aserto-lib.rootDirectoryCfg" . | fromYaml }}
-{{- include "aserto-lib.clientCA" (mergeOverwrite $cfg (dict "certVolume" "root-ds-grpc-certs")) -}}
+{{- $cfg := include "aserto-lib.rootClientCfg" . | fromYaml }}
+{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "root-ds-grpc-certs")) -}}
 {{- end }}
 
 {{- define "aserto-lib.directoryClient" -}}
 address: {{ include "aserto-lib.directoryAddress" . }}
 {{- $cfg := include "aserto-lib.mergeGlobal" (list . "directory") | fromYaml }}
-{{- include "aserto-lib.clientCA" (mergeOverwrite $cfg (dict "certVolume" "ds-grpc-certs")) -}}
+{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "ds-grpc-certs")) -}}
 {{- end }}

charts/aserto-lib/templates/_clusteraddr.tpl

@@ -29,7 +29,7 @@ Args: [scope, config, service]
 Cluster address of the root directory service
 */}}
 {{- define "aserto-lib.rootDirectoryAddress" }}
-{{- include "aserto-lib.svcClusterAddress" (list . "grpc" "rootDirectory" "directory")}}
+{{- include "aserto-lib.svcClusterAddress" (list . "grpc" "rootDS" "directory")}}
 {{- end }}
 
 {{/*

charts/aserto-lib/templates/_config.tpl

@@ -1,5 +1,5 @@
-{{- define "aserto-lib.rootDirectoryCfg" }}
-{{- include "aserto-lib.mergeGlobal" (list . "rootDirectory") }}
+{{- define "aserto-lib.rootClientCfg" }}
+{{- include "aserto-lib.mergeGlobal" (list . "rootDS") }}
 {{- end }}
 
 {{- define "aserto-lib.directoryCfg" }}
@@ -10,9 +10,17 @@
 {{- include "aserto-lib.mergeGlobal" (list . "discovery") }}
 {{- end }}
 
-{{- define "aserto-lib.rootDirectoryApiKey" }}
-{{- (include "aserto-lib.rootDirectoryCfg" . | fromYaml).apiKey |
-  default (dict "secretName" "root-ds-keys" "secretKey" "api-key") | toYaml -}}
+{{- define "aserto-lib.rootApiKeyEnv" }}
+{{- with include "aserto-lib.rootClientCfg" . | fromYaml -}}
+{{- if .apiKey -}}
+value: {{ .apiKey }}
+{{- else -}}
+valueFrom:
+  secretKeyRef:
+    name: {{ (.apiKeySecret).name | default "root-ds-keys" }}
+    key: {{ (.apiKeySecret).key | default "api-key" }}
+{{- end }}
+{{- end }}
 {{- end }}
 
 {{- define "aserto-lib.directoryApiKeys" }}
@@ -30,6 +38,6 @@
 Root directory tenant ID
 */}}
 {{- define "aserto-lib.rootDirectoryTenantID" -}}
-{{- (include "aserto-lib.rootDirectoryCfg" . | fromYaml).tenantID |
+{{- (include "aserto-lib.rootClientCfg" . | fromYaml).tenantID |
 	default "00000000-0000-11ef-0000-000000000000" -}}
 {{- end }}

charts/aserto-lib/templates/_golangsvc.tpl

@@ -17,32 +17,38 @@ Renders gRPC service configuration.
 */}}
 {{- define "aserto-lib.grpcService" -}}
 listen_address: 0.0.0.0:{{ include "aserto-lib.grpcPort" . }}
-connection_timeout_seconds: {{ (include "aserto-lib.grpcConfig" . | fromYaml).connectionTimeoutSec | default "2" }}
+{{- with include "aserto-lib.grpcConfig" . | fromYaml }}
+connection_timeout_seconds: {{ .connectionTimeoutSec }}
+{{- if .certSecret }}
 certs:
   tls_key_path: '/grpc-certs/tls.key'
   tls_cert_path: '/grpc-certs/tls.crt'
   tls_ca_cert_path: '/grpc-certs/ca.crt'
 {{- end }}
+{{- end }}
+{{- end }}
 
 {{/*
 Renders HTTPS service configuration.
 */}}
 {{- define "aserto-lib.httpsService" -}}
 listen_address: 0.0.0.0:{{ include "aserto-lib.httpsPort" . }}
+{{- with include "aserto-lib.httpsConfig" . | fromYaml }}
+{{- with .allowed_origins }}
+allowed_origins:
+{{- . | toYaml | nindent 2 }}
+{{- end }}
+read_timeout: {{ .read_timeout | default "2s"}}
+read_header_timeout: {{ .read_header_timeout | default "2s" }}
+write_timeout: {{ .write_timeout | default "2s" }}
+idle_timeout: {{ .idle_timeout | default "30s" }}
+{{- with .cerSecret }}
 certs:
   tls_key_path: '/https-certs/tls.key'
   tls_cert_path: '/https-certs/tls.crt'
   tls_ca_cert_path: '/https-certs/ca.crt'
-
-{{- $cfg := include "aserto-lib.httpsConfig" . | fromYaml }}
-{{- if $cfg.allowed_origins }}
-allowed_origins:
-{{- $cfg.allowed_origins | toYaml | nindent 2 }}
 {{- end }}
-read_timeout: {{ $cfg.read_timeout | default "2s"}}
-read_header_timeout: {{ $cfg.read_header_timeout | default "2s" }}
-write_timeout: {{ $cfg.write_timeout | default "2s" }}
-idle_timeout: {{ $cfg.idle_timeout | default "30s" }}
+{{- end }}
 {{- end }}
 
 {{/*

charts/aserto/Chart.lock

@@ -1,18 +1,21 @@
 dependencies:
+- name: aserto-lib
+  repository: file://../aserto-lib
+  version: 0.2.0
 - name: directory
-  repository: oci://ghcr.io/aserto-dev/helm
-  version: 0.1.9
+  repository: file://../directory
+  version: 0.2.0
 - name: authorizer
-  repository: oci://ghcr.io/aserto-dev/helm
-  version: 0.1.7
+  repository: file://../authorizer
+  version: 0.1.8
 - name: discovery
-  repository: oci://ghcr.io/aserto-dev/helm
-  version: 0.1.6
+  repository: file://../discovery
+  version: 0.1.7
 - name: console
-  repository: oci://ghcr.io/aserto-dev/helm
-  version: 0.1.6
+  repository: file://../console
+  version: 0.1.7
 - name: scim
-  repository: oci://ghcr.io/aserto-dev/helm
-  version: 0.1.5
-digest: sha256:980022ba59e0ff9d2eef12e29607db9c7f579ded5286bf71e63d4181863d530d
-generated: "2024-11-12T16:41:28.881217-05:00"
+  repository: file://../scim
+  version: 0.1.6
+digest: sha256:d188c2319b1f908c0a8618ad44e8953a62e86230842c85ddbcd1f1966b67c4b5
+generated: "2024-11-26T12:56:40.605962-05:00"

charts/aserto/Chart.yaml

@@ -21,7 +21,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -30,18 +30,21 @@ version: 0.1.10
 appVersion: "0.1.0"
 
 dependencies:
+  - name: aserto-lib
+    version: 0.2.0
+    repository: file://../aserto-lib
   - name: directory
-    version: ~0.1.9
-    repository: oci://ghcr.io/aserto-dev/helm
+    version: 0.2.0
+    repository: file://../directory
   - name: authorizer
-    version: ~0.1.7
-    repository: oci://ghcr.io/aserto-dev/helm
+    version: 0.1.8
+    repository: file://../authorizer
   - name: discovery
-    version: ~0.1.6
-    repository: oci://ghcr.io/aserto-dev/helm
+    version: 0.1.7
+    repository: file://../discovery
   - name: console
-    version: ~0.1.6
-    repository: oci://ghcr.io/aserto-dev/helm
+    version: 0.1.7
+    repository: file://../console
   - name: scim
-    version: ~0.1.5
-    repository: oci://ghcr.io/aserto-dev/helm
+    version: 0.1.6
+    repository: file://../scim

charts/aserto/ci/test-values.yaml

@@ -4,20 +4,24 @@ global:
     oidc:
       domain: oidc_domain
       audience: oidc_audience
+
 console:
   authorizerURL: https://authorizer.aserto.example.com
   directoryURL: https://directory.aserto.example.com
+
 discovery:
   registries:
     ghcr.io:
       scheme: bearer
       tokenSecretName: ghcr-token-secret
+
 directory:
   rootDirectory:
     database:
       host: root-db-host
   tenantDirectory:
     database:
       host: tenant-db-host
-  sshAdminKeys: |
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6
+  sshAdminKeys:
+    keys: |
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6

charts/aserto/values.yaml

@@ -43,6 +43,28 @@ global:
     #     durations: false
     #     gateway: false
 
+    rootDS:
+      # Address and port of the root directory's gRPC service.
+      # Default: directory.<namespace>.svc.cluster.local:8282
+      address: ""
+      # [Optiona] API key for the remote directory
+      apiKey: ""
+      # [Optional] Kubernetes secret containing the API key for the remote directory
+      apiKeySecret:
+        # Secret name
+        name: ""
+        # Secret key
+        key: "api-key"
+      # [Optional] Kubernetes secret containing the CA certificate of the root directory.
+      caCertSecret:
+        name: ""
+        key: ""
+      # Skip verification of remote TLS certificate
+      noVerify: false
+      # Connect over a plain-text connection.
+      # INSECURE: credentials are sent unencrypted within the cluster.
+      noTLS: false
+
     rootDirectory:
       # Disable TLS verification on
       disableTLSVerification: true