Files for the new grouper chart.
mar235av committed Nov 27, 2024
1 parent c7ee524 commit 9d889c2
Showing 7 changed files with 357 additions and 0 deletions.
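--- a/grouper/.helmignore
+++ b/grouper/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/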
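--- a/grouper/Chart.yaml
+++ b/grouper/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: grouper
+description: |
+The Helm chart for the UW Grouper system deployment.
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0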
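--- a/grouper/templates/deployment.yaml
+++ b/grouper/templates/deployment.yaml
@@ -0,0 +1,132 @@
+####
+# This is the configMap and deployment to deploy the Grouper system to our Kubernetes cluster.
+#
+# ------ Configuration ------
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: grouper-configmap
+namespace: grouper
+labels:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+data:
+SERVER_NAME: {{ .Values.server_name }}
+GROUPER_DB_HOST: {{ .Values.grouper_db_host }}
+GROUPER_DB_NAME: {{ .Values.grouper_db_name }}
+SSL_ROOT_CERT: {{ .Values.ssl_root_cert }}
+SSL_CERT: {{ .Values.ssl_cert }}
+SSL_KEY: {{ .Values.ssl_key }}
+DB_SSL_PASSWORD_FILENAME: {{ .Values.db_ssl_password_filename }}
+GROUPER_TOMCAT_AJP_PORT: {{ .Values.grouper_tomcat_ajp_port }}
+enable-underscores-in-headers: "true"
+---
+# ------ Deployment ------
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+annotations:
+hello: Grouper
+labels:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+name: grouper-deployment
+namespace: grouper
+spec:
+replicas: 1
+selector:
+matchLabels:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+template:
+metadata:
+labels:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+spec:
+# define a volume for each of our secrets
+volumes:
+- name: grouper-db-client-cert-to-file
+secret:
+secretName: grouper-db-client-cert
+defaultMode: 0400
+- name: grouper-db-client-key-password-to-file
+secret:
+secretName: grouper-db-client-key-password
+defaultMode: 0400
+- name: grouper-shib-keys-to-file
+secret:
+secretName: grouper-shib-keys
+defaultMode: 0400
+containers:
+# The Apache/Shibboleth container
+- name: grouper-shib
+image: us-docker.pkg.dev/uwit-mci-iam/containers/{{ .Values.shibboleth_image_tag }}
+imagePullPolicy: Always
+ports:
+- containerPort: 80
+name: http
+protocol: TCP
+# Import configuration as environment variables
+envFrom:
+- configMapRef:
+name: grouper-configmap
+# mount shib keys as files into specific locations
+volumeMounts:
+- mountPath: /opt/mount/shib
+name: grouper-shib-keys-to-file
+readOnly: true
+command: ["/bin/bash", "-c"]
+args:
+- cp -p /opt/mount/shib/* /etc/shibboleth;
+chmod 400 /etc/shibboleth/sp-cert.pem /etc/shibboleth/sp-key.pem;
+chmod 444 /etc/shibboleth/idp-ss.crt;
+chown shibd:shibd /etc/shibboleth/idp-ss.crt /etc/shibboleth/sp-cert.pem /etc/shibboleth/sp-key.pem;
+/usr/local/bin/startup.sh;
+# The Grouper container
+- name: grouper
+image: us-docker.pkg.dev/uwit-mci-iam/containers/{{ .Values.grouper_image_tag }}
+imagePullPolicy: Always
+ports:
+- containerPort: 8009
+name: http
+protocol: TCP
+# Import configuration as environment variables
+envFrom:
+- configMapRef:
+name: grouper-configmap
+# map specific secrets to environment variables
+env:
+- name: GROUPER_DB_USERNAME
+valueFrom:
+secretKeyRef:
+name: grouper-db-account
+key: username
+- name: GROUPER_DB_PASSWORD
+valueFrom:
+secretKeyRef:
+name: grouper-db-account
+key: password
+- name: GROUPER_ENCRYPT_KEY
+valueFrom:
+secretKeyRef:
+name: grouper-app-config
+key: encrypt-key
+# mount other secrets as files into specific locations
+volumeMounts:
+- mountPath: /opt/mount/db
+name: grouper-db-client-cert-to-file
+readOnly: true
+- mountPath: /opt/mount/dbkey
+name: grouper-db-client-key-password-to-file
+readOnly: true
+command: ["/bin/bash", "-c"]
+args:
+- cp -p /opt/mount/db/* /opt/secrets;
+cp -p /opt/mount/dbkey/* /opt/secrets;
+cat /opt/secrets/client-key.der.base64 | base64 --decode > /opt/secrets/client-key.der;
+chmod 400 /opt/secrets/*;
+chown -R tomcat:root /opt/secrets;
+chown -R tomcat:root /opt/grouper/grouperWebapp/WEB-INF/classes/*.properties;
+chmod 400 /opt/grouper/grouperWebapp/WEB-INF/classes/*.properties;
+/usr/local/bin/entrypoint.sh ui-ws;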
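Review bot: The ConfigMap `data` entries from `SERVER_NAME: {{ .Values.server_name }}` down to `GROUPER_TOMCAT_AJP_PORT: {{ .Values.grouper_tomcat_ajp_port }}` render the values unquoted, so the `"8009"` string from values.yaml comes out as the integer `8009` and an unset value comes out as null; ConfigMap data must be strings, so the API server rejects both, and the fix is to pipe each through `quote`, e.g. `GROUPER_TOMCAT_AJP_PORT: {{ .Values.grouper_tomcat_ajp_port | quote }}`. The same unquoted-template pattern appears at `host:`/`hosts:` in networking.yaml and at every `key:` in secrets.yaml. Both containers' startup `args` `chown` the copied secrets and properties, which only works when the container starts as root, yet neither container declares a `securityContext` or `resources`; a comment stating why root is needed at startup plus a `securityContext` that at least sets `allowPrivilegeEscalation: false` and drops capabilities not needed for the chown/chmod steps would bound that. Smaller points: the `hello: Grouper` annotation reads like a leftover placeholder, and the grouper container's AJP port 8009 is named `http`, which is misleading next to the shib container's real `http` port 80.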
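--- a/grouper/templates/namespace.yaml
+++ b/grouper/templates/namespace.yaml
@@ -0,0 +1,8 @@
+# ------ Namespace ------
+apiVersion: v1
+kind: Namespace
+metadata:
+name: grouper
+labels:
+name: grouper
+---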
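--- a/grouper/templates/networking.yaml
+++ b/grouper/templates/networking.yaml
@@ -0,0 +1,75 @@
+####
+# Defines the Ingress and Services for our Grouper deployment.
+#
+# ------ Ingress ------
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+annotations:
+cert-manager.io/cluster-issuer: letsencrypt
+nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+labels:
+app.kubernetes.io/namw: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+name: grouper-ingress
+namespace: grouper
+spec:
+ingressClassName: nginx
+rules:
+- host: {{ .Values.hostname }}
+http:
+paths:
+- backend:
+service:
+name: grouper-shib-service
+port:
+number: 443
+path: /
+pathType: Prefix
+tls:
+- hosts:
+- {{ .Values.hostname }}
+#
+# semi-manual; use the ExternalSecret definition below to get a Mosler secret to
+# confirm to a kubernetes.io/tls secret definition
+#
+secretName: {{ .Values.tlsSecretName }}
+---
+# ------ Service ------
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+name: grouper-shib-service
+namespace: grouper
+spec:
+ports:
+- name: https
+port: 443
+protocol: TCP
+targetPort: 443
+selector:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+---
+# ------ Service ------
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+name: grouper-app-service
+namespace: grouper
+spec:
+ports:
+- name: ajp
+port: 8009
+protocol: TCP
+targetPort: 8009
+selector:
+app.kubernetes.io/name: grouper-application
+app.kubernetes.io/instance: grouper-application-1
+---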
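Review bot: The Ingress label key `app.kubernetes.io/namw: grouper-application` is a typo for `app.kubernetes.io/name` and so does not match the label set used by the Deployment and both Services. The Ingress sends traffic to `grouper-shib-service` on 443 with `backend-protocol: "HTTPS"`, but the shib container in deployment.yaml declares only `containerPort: 80` named `http`; `containerPort` is informational, so this may still work if the image listens on 443, but the declared port and the Service `targetPort: 443` should agree. The comment above `secretName: {{ .Values.tlsSecretName }}` says the ExternalSecret definition is "below", yet no TLS ExternalSecret exists in this commit (secrets.yaml has none), and "confirm to" should read "conform to"; either add that definition or reword the comment to say the secret is provisioned outside the chart. `grouper-app-service` makes the unauthenticated AJP port reachable from every pod in the cluster; a NetworkPolicy limiting its ingress to the shib pods (or dropping the Service if only the same-pod localhost path is used) would contain that.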
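--- a/grouper/templates/secrets.yaml
+++ b/grouper/templates/secrets.yaml
@@ -0,0 +1,77 @@
+####
+# Secret definitions for this deployment.
+#
+# --- database password ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: grouper-db-account
+namespace: grouper
+spec:
+refreshInterval: 1h
+secretStoreRef:
+name: mosler-iam
+kind: ClusterSecretStore
+dataFrom:
+- extract:
+key: {{ .Values.domain }}/grouper/db/APP_USER
+---
+# --- database certificate key password ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: grouper-db-client-key-password
+namespace: grouper
+spec:
+refreshInterval: 1h
+secretStoreRef:
+name: mosler-iam
+kind: ClusterSecretStore
+dataFrom:
+- extract:
+key: {{ .Values.domain }}/grouper/db/CERT_KEY_PASSWORD
+---
+# --- database client certificate and key ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: grouper-db-client-cert
+namespace: grouper
+spec:
+refreshInterval: 1h
+secretStoreRef:
+name: mosler-iam
+kind: ClusterSecretStore
+dataFrom:
+- extract:
+key: {{ .Values.domain }}/grouper/db/client_cert
+---
+# --- Shibboleth encryption keys ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: grouper-shib-keys
+namespace: grouper
+spec:
+refreshInterval: 1h
+secretStoreRef:
+name: mosler-iam
+kind: ClusterSecretStore
+dataFrom:
+- extract:
+key: {{ .Values.domain }}/grouper/shib
+---
+# --- Grouper encryption key ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: grouper-app-config
+namespace: grouper
+spec:
+refreshInterval: 1h
+secretStoreRef:
+name: mosler-iam
+kind: ClusterSecretStore
+dataFrom:
+- extract:
+key: {{ .Values.domain }}/grouper/app-config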
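Review bot: Every `key: {{ .Values.domain }}/grouper/...` path silently degrades when `domain` is left at its values.yaml default of `""`: it renders as `/grouper/db/APP_USER` and so on, a wrong store path that fails only when the ExternalSecret tries to sync, rather than at install time. Gate the value in the template, e.g. `key: "{{ required "domain must be set" .Values.domain }}/grouper/db/APP_USER"`, which also quotes the scalar. The deployment's startup script and values.yaml expect specific keys inside these secrets (`client-key.der.base64`, `server-ca.pem`, `client-cert.pem`, `ssl-key-password.txt`, and `username`/`password`/`encrypt-key` for the env mappings), but `dataFrom.extract` takes whatever keys the store entry happens to hold, so nothing here documents or enforces that contract; a comment above each entry listing the keys it must provide, or explicit `data` entries with `secretKey` and `remoteRef.key`/`remoteRef.property`, would make a store-side rename fail visibly. The database username and password from `grouper-db-account` are injected as environment variables in deployment.yaml while every other secret is mounted as a 0400 file; environment variables are exposed to anything that can inspect the pod's process environment, so the file-based approach is preferable if Grouper can read credentials from a file.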
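--- a/grouper/values.yaml
+++ b/grouper/values.yaml
@@ -0,0 +1,23 @@
+
+# The domain, either dev, eval, or prod.
+domain: ""
+
+# --- Networking configuration ---
+
+# The host name, e.g. grouper.iamprod.s.uw.edu
+hostname: ""
+tlsSecretName: ""
+
+# --- ConfigMap values ---
+server_name: "localhost"
+grouper_db_host: ""
+grouper_db_name: ""
+ssl_root_cert: "/opt/secrets/server-ca.pem"
+ssl_cert: "/opt/secrets/client-cert.pem"
+ssl_key: "/opt/secrets/client-key.der"
+db_ssl_password_filename: "/opt/secrets/ssl-key-password.txt"
+grouper_tomcat_ajp_port: "8009"
+
+# --- container image tags
+shibboleth_image_tag: ""
+grouper_image_tag: ""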
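Review bot: `domain`, `hostname`, `tlsSecretName`, `grouper_db_host`, `grouper_db_name`, `shibboleth_image_tag` and `grouper_image_tag` all default to `""`, so a `helm install` without overrides renders cleanly and only fails later at the API server or at pod start; either remove these defaults and wrap their uses in the templates with `required`, or keep them and add a comment above each such as `# REQUIRED: must be overridden per environment`. `grouper_tomcat_ajp_port: "8009"` is correctly quoted here, but deployment.yaml emits it without `quote`, so the string type is lost on render. `ssl_key: "/opt/secrets/client-key.der"` only exists because the grouper container's startup script base64-decodes `client-key.der.base64` into that path; a comment on this line noting that dependency would spare the next reader a search through deployment.yaml.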
