Support running services without TLS + test harness #29

Merged
merged 22 commits into from
Nov 27, 2024
103 changes: 91 additions & 12 deletions .github/workflows/ci.yaml
Expand Up @@ -6,23 +6,17 @@ on:
pull_request:

env:
GH_TOKEN: ${{ github.token }}
HELM_VERSION: v3.14.4
PYTHON_VERSION: 3.x
PYTHON_VERSION: 3.13
POSTGRES_PASSWORD: postgres
UV_VERSION: 0.5.3
TOPAZ_VERSION: 0.32.36

jobs:
lint:
runs-on: ubuntu-latest
steps:
-
name: Read Configuration
uses: hashicorp/vault-action@v3
id: vault
with:
url: https://vault.eng.aserto.com/
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
kv/data/github "USERNAME" | DOCKER_USERNAME;
kv/data/github "READ_WRITE_TOKEN" | READ_WRITE_TOKEN;
-
uses: actions/checkout@v4
with:
Expand All @@ -46,4 +40,89 @@ jobs:
-
name: Lint
run: |
ct lint --config ct.yaml --helm-repo-extra-args "aserto-helm=-u gh -p ${READ_WRITE_TOKEN}"
ct lint --config ct.yaml --helm-repo-extra-args "aserto-helm=-u gh -p ${{ secrets.GITHUB_TOKEN }}"

test:
runs-on: ubuntu-latest
steps:
-
uses: actions/checkout@v4
-
name: Set up Helm
uses: azure/setup-helm@v4
with:
version: ${{ env.HELM_VERSION }}
-
name: Install topaz CLI
run: |
gh release download v${{env.TOPAZ_VERSION}} --repo aserto-dev/topaz --pattern "topaz_linux_x86_64.zip" \
--output ./ext/topaz.zip --clobber
unzip ./ext/topaz.zip -d bin
chmod +x ./bin/topaz
./bin/topaz version
echo "TOPAZ=$(realpath ./bin/topaz)" >> "$GITHUB_ENV"
echo "TOPAZ_CERTS_DIR=$(./bin/topaz config info | jq '.config.topaz_certs_dir' -r)" >> "$GITHUB_ENV"
-
name: Install topazd container
run: |
${TOPAZ} install --container-tag=${{ env.TOPAZ_VERSION }}
${TOPAZ} version
-
name: Generate topaz certs
run: ${TOPAZ} certs generate
-
name: Install uv package manager
uses: astral-sh/setup-uv@v3
with:
version: ${{ env.UV_VERSION }}
-
uses: AbsaOSS/k3d-action@v2
name: Create k8s cluster
with:
cluster-name: "test"
args: >
--agents 1
--k3s-arg "--disable=metrics-server@server:*"
-
name: Test Topaz
timeout-minutes: 10
env:
TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}
run: |
uv run --project tools/ktest tools/ktest/ktest.py charts/topaz/test/tests.yaml
-
name: Deploy Postgres
run: |
helm install postgresql oci://registry-1.docker.io/bitnamicharts/postgresql \
--namespace postgres --create-namespace \
--set auth.postgresPassword=${{ env.POSTGRES_PASSWORD }}
-
name: Wait for Postgres
run: |
echo "Waiting for postgres to be ready"
kubectl wait pods --selector app.kubernetes.io/name=postgresql \
--for condition=Ready --namespace postgres --timeout=60s
-
name: Generate admin ssh key
id: sshkey
run: |
ssh-keygen -t ed25519 -N "" -f ${HOME}/.ssh/admin_ed25519
echo "public_key=${HOME}/.ssh/admin_ed25519.pub" >> "$GITHUB_OUTPUT"
echo "private_key=${HOME}/.ssh/admin_ed25519" >> "$GITHUB_OUTPUT"

cat << EOF > ${HOME}/.ssh/config
Host localhost
StrictHostKeyChecking no
EOF

chmod 400 ~/.ssh/config
-
name: Test Directory
timeout-minutes: 10
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SSH_PUBLIC_KEY: ${{ steps.sshkey.outputs.public_key }}
SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }}
TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}
run: |
uv run --project tools/ktest tools/ktest/ktest.py charts/directory/test/tests.yaml
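Review bot: The lint step at `ct lint --config ct.yaml --helm-repo-extra-args "aserto-helm=-u gh -p ${{ secrets.GITHUB_TOKEN }}"` splices the token expression into the shell script text, while the workflow already exports `GH_TOKEN: ${{ github.token }}` under `env:`; reading it as a shell variable keeps the secret out of the rendered script and matches the `${READ_WRITE_TOKEN}` form the line replaces: `ct lint --config ct.yaml --helm-repo-extra-args "aserto-helm=-u gh -p ${GH_TOKEN}"`. The same applies to `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the Test Directory step, which duplicates `GH_TOKEN` unless the ktest harness reads `GITHUB_TOKEN` by name. The step-level `TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}` on the Test Topaz and Test Directory steps appears redundant, since the variable is already appended to `$GITHUB_ENV` in the topaz CLI step and inherited by later steps. The `.gitignore` in this PR lists `.ext/` while this job downloads into `./ext/topaz.zip`; worth confirming which path is intended.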
7 changes: 7 additions & 0 deletions .gitignore
@@ -1,3 +1,10 @@
.ext/
/charts/*/build/
/charts/*/charts/

# python
**/__pycache__/
.venv-path

# env
.envrc
2 changes: 1 addition & 1 deletion charts/aserto-lib/Chart.yaml
Expand Up @@ -21,7 +21,7 @@ type: library
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.5
version: 0.2.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
19 changes: 11 additions & 8 deletions charts/aserto-lib/templates/_client.tpl
@@ -1,22 +1,25 @@
{{- define "aserto-lib.clientCA" }}
{{- if .disableTLSVerification }}
{{- define "aserto-lib.clientTLS" }}
{{- if .noVerify | and .noTLS -}}
{{- fail "'noVerify' and 'noTLS' are mutually exclusive." }}
{{- end }}
{{- if .noTLS }}
no_tls: true
{{- else if .skipVerify }}
insecure : true
{{- else if .grpcCertSecret }}
{{- else if .caCertSecret }}
ca_cert_path: /{{ .certVolume }}/ca.crt
{{- else }}
ca_cert_path: /grpc-certs/ca.crt
{{- end }}
{{- end }}

{{- define "aserto-lib.rootDirectoryClient" -}}
address: {{ include "aserto-lib.rootDirectoryAddress" . }}
tenant_id: {{ include "aserto-lib.rootDirectoryTenantID" . }}
{{- $cfg := include "aserto-lib.rootDirectoryCfg" . | fromYaml }}
{{- include "aserto-lib.clientCA" (mergeOverwrite $cfg (dict "certVolume" "root-ds-grpc-certs")) -}}
{{- $cfg := include "aserto-lib.rootClientCfg" . | fromYaml }}
{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "root-ds-grpc-certs")) -}}
{{- end }}

{{- define "aserto-lib.directoryClient" -}}
address: {{ include "aserto-lib.directoryAddress" . }}
{{- $cfg := include "aserto-lib.mergeGlobal" (list . "directory") | fromYaml }}
{{- include "aserto-lib.clientCA" (mergeOverwrite $cfg (dict "certVolume" "ds-grpc-certs")) -}}
{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "ds-grpc-certs")) -}}
{{- end }}
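Review bot: The `{{- else if .skipVerify }}` branch in `aserto-lib.clientTLS` never fires for the flag this PR exposes: the mutual-exclusion check two lines above tests `.noVerify`, and `values.yaml` in the same PR defines `rootDS.noVerify`, so setting `noVerify: true` passes the check but silently falls through to the `ca_cert_path` branches and the client keeps verifying against a CA that may not be mounted. Change it to `{{- else if .noVerify }}`. The rendered key `insecure : true` also carries a space before the colon; it still parses, but `insecure: true` is the conventional form and matches the other keys the template emits.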
2 changes: 1 addition & 1 deletion charts/aserto-lib/templates/_clusteraddr.tpl
Expand Up @@ -29,7 +29,7 @@ Args: [scope, config, service]
Cluster address of the root directory service
*/}}
{{- define "aserto-lib.rootDirectoryAddress" }}
{{- include "aserto-lib.svcClusterAddress" (list . "grpc" "rootDirectory" "directory")}}
{{- include "aserto-lib.svcClusterAddress" (list . "grpc" "rootDS" "directory")}}
{{- end }}

{{/*
20 changes: 14 additions & 6 deletions charts/aserto-lib/templates/_config.tpl
@@ -1,5 +1,5 @@
{{- define "aserto-lib.rootDirectoryCfg" }}
{{- include "aserto-lib.mergeGlobal" (list . "rootDirectory") }}
{{- define "aserto-lib.rootClientCfg" }}
{{- include "aserto-lib.mergeGlobal" (list . "rootDS") }}
{{- end }}

{{- define "aserto-lib.directoryCfg" }}
Expand All @@ -10,9 +10,17 @@
{{- include "aserto-lib.mergeGlobal" (list . "discovery") }}
{{- end }}

{{- define "aserto-lib.rootDirectoryApiKey" }}
{{- (include "aserto-lib.rootDirectoryCfg" . | fromYaml).apiKey |
default (dict "secretName" "root-ds-keys" "secretKey" "api-key") | toYaml -}}
{{- define "aserto-lib.rootApiKeyEnv" }}
{{- with include "aserto-lib.rootClientCfg" . | fromYaml -}}
{{- if .apiKey -}}
value: {{ .apiKey }}
{{- else -}}
valueFrom:
secretKeyRef:
name: {{ (.apiKeySecret).name | default "root-ds-keys" }}
key: {{ (.apiKeySecret).key | default "api-key" }}
{{- end }}
{{- end }}
{{- end }}

{{- define "aserto-lib.directoryApiKeys" }}
Expand All @@ -30,6 +38,6 @@
Root directory tenant ID
*/}}
{{- define "aserto-lib.rootDirectoryTenantID" -}}
{{- (include "aserto-lib.rootDirectoryCfg" . | fromYaml).tenantID |
{{- (include "aserto-lib.rootClientCfg" . | fromYaml).tenantID |
default "00000000-0000-11ef-0000-000000000000" -}}
{{- end }}
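Review bot: `value: {{ .apiKey }}` in `aserto-lib.rootApiKeyEnv` emits the key as a plain scalar, so a key that is all digits, starts with a YAML indicator or contains `: ` changes type or breaks the manifest; render it as `value: {{ .apiKey | quote }}`. Note also that the enclosing `{{- with include "aserto-lib.rootClientCfg" . | fromYaml -}}` skips the whole body when the merged config is empty, which would leave the env entry with neither `value` nor `valueFrom`; if `mergeGlobal` can yield an empty map, the `secretKeyRef` default should sit outside the `with` so it always renders.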
26 changes: 16 additions & 10 deletions charts/aserto-lib/templates/_golangsvc.tpl
Expand Up @@ -17,32 +17,38 @@ Renders gRPC service configuration.
*/}}
{{- define "aserto-lib.grpcService" -}}
listen_address: 0.0.0.0:{{ include "aserto-lib.grpcPort" . }}
connection_timeout_seconds: {{ (include "aserto-lib.grpcConfig" . | fromYaml).connectionTimeoutSec | default "2" }}
{{- with include "aserto-lib.grpcConfig" . | fromYaml }}
connection_timeout_seconds: {{ .connectionTimeoutSec }}
{{- if .certSecret }}
certs:
tls_key_path: '/grpc-certs/tls.key'
tls_cert_path: '/grpc-certs/tls.crt'
tls_ca_cert_path: '/grpc-certs/ca.crt'
{{- end }}
{{- end }}
{{- end }}

{{/*
Renders HTTPS service configuration.
*/}}
{{- define "aserto-lib.httpsService" -}}
listen_address: 0.0.0.0:{{ include "aserto-lib.httpsPort" . }}
{{- with include "aserto-lib.httpsConfig" . | fromYaml }}
{{- with .allowed_origins }}
allowed_origins:
{{- . | toYaml | nindent 2 }}
{{- end }}
read_timeout: {{ .read_timeout | default "2s"}}
read_header_timeout: {{ .read_header_timeout | default "2s" }}
write_timeout: {{ .write_timeout | default "2s" }}
idle_timeout: {{ .idle_timeout | default "30s" }}
{{- with .cerSecret }}
certs:
tls_key_path: '/https-certs/tls.key'
tls_cert_path: '/https-certs/tls.crt'
tls_ca_cert_path: '/https-certs/ca.crt'

{{- $cfg := include "aserto-lib.httpsConfig" . | fromYaml }}
{{- if $cfg.allowed_origins }}
allowed_origins:
{{- $cfg.allowed_origins | toYaml | nindent 2 }}
{{- end }}
read_timeout: {{ $cfg.read_timeout | default "2s"}}
read_header_timeout: {{ $cfg.read_header_timeout | default "2s" }}
write_timeout: {{ $cfg.write_timeout | default "2s" }}
idle_timeout: {{ $cfg.idle_timeout | default "30s" }}
{{- end }}
{{- end }}

{{/*
Expand Down
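Review bot: The HTTPS block tests `{{- with .cerSecret }}` while the gRPC block above tests `{{- if .certSecret }}`; the missing `t` looks like a typo that would leave the `certs:` stanza out of the HTTPS config even when a secret is configured, so it should read `{{- with .certSecret }}`. Separately, `connection_timeout_seconds: {{ .connectionTimeoutSec }}` drops the `default "2"` the removed line carried; unless that default now lives in the chart values, an unset key renders `connection_timeout_seconds:` with no value, so `connection_timeout_seconds: {{ .connectionTimeoutSec | default 2 }}` preserves the previous behaviour. If the value is set, the new `{{- with include "aserto-lib.grpcConfig" . | fromYaml }}` wrapper also omits the key entirely when the config map is empty, which is a behaviour change from the old unconditional line.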
27 changes: 15 additions & 12 deletions charts/aserto/Chart.lock
@@ -1,18 +1,21 @@
dependencies:
- name: aserto-lib
repository: file://../aserto-lib
version: 0.2.0
- name: directory
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.9
repository: file://../directory
version: 0.2.0
- name: authorizer
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.7
repository: file://../authorizer
version: 0.1.8
- name: discovery
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.6
repository: file://../discovery
version: 0.1.7
- name: console
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.6
repository: file://../console
version: 0.1.7
- name: scim
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.5
digest: sha256:980022ba59e0ff9d2eef12e29607db9c7f579ded5286bf71e63d4181863d530d
generated: "2024-11-12T16:41:28.881217-05:00"
repository: file://../scim
version: 0.1.6
digest: sha256:d188c2319b1f908c0a8618ad44e8953a62e86230842c85ddbcd1f1966b67c4b5
generated: "2024-11-26T12:56:40.605962-05:00"
25 changes: 14 additions & 11 deletions charts/aserto/Chart.yaml
Expand Up @@ -21,7 +21,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.10
version: 0.1.11

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand All @@ -30,18 +30,21 @@ version: 0.1.10
appVersion: "0.1.0"

dependencies:
- name: aserto-lib
version: 0.2.0
repository: file://../aserto-lib
- name: directory
version: ~0.1.9
repository: oci://ghcr.io/aserto-dev/helm
version: 0.2.0
repository: file://../directory
- name: authorizer
version: ~0.1.7
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.8
repository: file://../authorizer
- name: discovery
version: ~0.1.6
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.7
repository: file://../discovery
- name: console
version: ~0.1.6
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.7
repository: file://../console
- name: scim
version: ~0.1.5
repository: oci://ghcr.io/aserto-dev/helm
version: 0.1.6
repository: file://../scim
8 changes: 6 additions & 2 deletions charts/aserto/ci/test-values.yaml
Expand Up @@ -4,20 +4,24 @@ global:
oidc:
domain: oidc_domain
audience: oidc_audience

console:
authorizerURL: https://authorizer.aserto.example.com
directoryURL: https://directory.aserto.example.com

discovery:
registries:
ghcr.io:
scheme: bearer
tokenSecretName: ghcr-token-secret

directory:
rootDirectory:
database:
host: root-db-host
tenantDirectory:
database:
host: tenant-db-host
sshAdminKeys: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6
sshAdminKeys:
keys: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6
22 changes: 22 additions & 0 deletions charts/aserto/values.yaml
Expand Up @@ -43,6 +43,28 @@ global:
# durations: false
# gateway: false

rootDS:
# Address and port of the root directory's gRPC service.
# Default: directory.<namespace>.svc.cluster.local:8282
address: ""
# [Optiona] API key for the remote directory
apiKey: ""
# [Optional] Kubernetes secret containing the API key for the remote directory
apiKeySecret:
# Secret name
name: ""
# Secret key
key: "api-key"
# [Optional] Kubernetes secret containing the CA certificate of the root directory.
caCertSecret:
name: ""
key: ""
# Skip verification of remote TLS certificate
noVerify: false
# Connect over a plain-text connection.
# INSECURE: credentials are sent unencrypted within the cluster.
noTLS: false

rootDirectory:
# Disable TLS verification on
disableTLSVerification: true
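Review bot: `apiKey: ""` under `rootDS` invites a plaintext credential in a values file that is normally committed, and the library template renders it as a plain `value:` in the pod spec, while `apiKeySecret` already covers the same need; the comment should steer users to the secret form, e.g. `# [Optional] API key for the remote directory. Prefer apiKeySecret: a value set here is rendered in plain text into the pod spec.` (it currently also reads `[Optiona]`). The older `rootDirectory:` block with `disableTLSVerification: true` remains just below the new stanza, while the library templates in this PR now read `rootDS` and `noVerify`; if nothing consumes it any more, mark it deprecated in a comment or remove it, otherwise operators get two overlapping TLS knobs. `caCertSecret.key: ""` has no stated default, unlike `apiKeySecret.key`, and the client template mounts a fixed `/<volume>/ca.crt`, so what `key` selects is not visible here and deserves a one-line comment.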