diff --git a/.github/workflows/chart-test.yaml b/.github/workflows/chart-test.yaml index 6e34182..4e8cb88 100644 --- a/.github/workflows/chart-test.yaml +++ b/.github/workflows/chart-test.yaml @@ -39,22 +39,26 @@ jobs: if [[ -n "$changed" ]]; then echo "::set-output name=changed::true" fi + - name: Helm repo updates + run: | + helm repo add projectcalico https://docs.tigera.io/calico/charts + helm repo update - name: Run chart-testing (lint) run: ct lint --config ct-config.yaml - - name: Install kind - if: steps.list-changed.outputs.changed == 'true' - uses: helm/kind-action@v1.12.0 - with: - node_image: "kindest/node:${{ matrix.kubernetesVersion }}" - config: kind-config.yaml - - name: Verify kind - if: steps.list-changed.outputs.changed == 'true' - run: | - kubectl cluster-info - kubectl get nodes -o wide - kubectl get pods -n kube-system + # - name: Install kind + # if: steps.list-changed.outputs.changed == 'true' + # uses: helm/kind-action@v1.12.0 + # with: + # node_image: "kindest/node:${{ matrix.kubernetesVersion }}" + # config: kind-config.yaml + # - name: Verify kind + # if: steps.list-changed.outputs.changed == 'true' + # run: | + # kubectl cluster-info + # kubectl get nodes -o wide + # kubectl get pods -n kube-system - - name: Run chart-testing (install) - run: ct install --debug --config ct-config.yaml \ No newline at end of file + # - name: Run chart-testing (install) + # run: ct install --debug --config ct-config.yaml \ No newline at end of file diff --git a/README.md b/README.md index 996f111..1761f01 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,7 @@ This repository provides Kubernetes manifests and Helm charts for deploying two 1. **Setup App**: The setup app is the part of the enclave that polls the Management App for new avalaible research studies to run in the enclave. Once some studies become available, The setup app pull the container image, and start the research container with the variable environments needed to communicate with the Trusted Output App. There is some documentation on the Setup App architecture and how it runs in different enclave environments (AWS. KUBERNETES, DOCKER) available [here](https://github.com/safeinsights/setup-app#enclave-environments) -1. **Trusted Output Application**: The Trusted Output App is used to validate the results sent by the research container before they are sent to the Management App.**** +1. **Trusted Output Application**: The Trusted Output App is used to validate the results sent by the research container before they are sent to the Management App. ## Installation 
@@ -20,146 +20,89 @@ There is some documentation on the Setup App architecture and how it runs in dif ### Install Chart To install the chart, run: -```bash +``` bash helm repo add secure-enclave https://safeinsights.github.io/helm-charts helm repo update helm install secure-enclave secure-enclave/secure-enclave --values custom-values.yaml ``` -## Pre Requirements -Before deploying the helm chart, we first need to have a private/public key pair as well as credentials for the [image repository](https://harbor.safeinsights.org/) +The basic configuration for the custom-values.yaml is: +``` yaml +managementApp: + memberId: Your member Id. This value is required. +``` + +## Pre Deployment Requirements +Before deploying the helm chart, we first need to have credentials from the [image repository](https://harbor.safeinsights.org/) ### Key Pair generation -To generate the key pair, we can run: +The key pair generation is done during the deployment. To once the deployment is finished you can retrieve the public key by running the following command. ``` -openssl genrsa -out privatekey.pem 4096 # This will generate the private key -openssl rsa -in privatekey.pem -pubout > publickey.pub # This will generate the public key. - +kubectl get secret enclave-secret -n $namespace -o json | jq -r '.data."management-app-public-key"' | base64 -d ``` -The content of the public key need to be added in the [Management app](https://app.safeinsights.org/). -We then need to create a secret in the namespace we will deploy the helm. -`kubectl create secret generic management-app-secret --from-file=private-key=./privatekey.pem -n $namespace` - +The key/pair is only generated during the first installation and needs to be updated in the Management APP. If the namespace has been deleted or the chart has been deployed to a new namespace, then the public key needs to be retrieved and updated in the Management App. 
Once we create the robot-account credentials in the [image repository](https://harbor.safeinsights.org/), we will need to login from the environment and create a secret with the docker authentication. The credentials should be a json similar to this (eg: credentials.json). ``` json { - "username": "username", - "password": "password", + "name": "username", + "secret": "password", "serveraddress": "https://harbor.safeinsights.org" } ``` -We then run the following [script](./tools/harbor-login). +We then run the following [script](./tools/harbor-login). `NAMESPACE=$namespace ./tools/harbor-login credentials.json` This will create a secret with the `si-docker-config` secret in the specified namespace. ## Configuration -The following parameters can be configured using a `values.yaml` file. +The following parameters can be configured using a `values.yaml` file. For more details on the configuration, refers to the comments [here](./secure-enclave/values.yaml) | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"karpenter.sh/nodepool","operator":"DoesNotExist"}]}]}},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity rules for scheduling the pod. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. 
| -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| aws.enabled | bool | `false` | | -| aws.storageClass.allowedTopologies[0].matchLabelExpressions[0].key | string | `"topology.ebs.csi.aws.com/zone"` | | -| aws.storageClass.allowedTopologies[0].matchLabelExpressions[0].values[0] | string | `"us-east-1"` | | -| aws.storageClass.name | string | `"aws-ebs-sc"` | | -| aws.storageClass.parameters."csi.storage.k8s.io/fstype" | string | `"xfs"` | | -| aws.storageClass.parameters.encrypted | string | `"true"` | | -| aws.storageClass.parameters.iopsPerGB | string | `"50"` | | -| aws.storageClass.parameters.type | string | `"io1"` | | -| aws.storageClass.provisioner | string | `"ebs.csi.aws.com"` | | -| aws.storageClass.volumeBindingMode | string | `"WaitForFirstConsumer"` | | -| fullnameOverride | string | `""` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | -| livenessProbe.httpGet.path | string | `"/"` | | -| livenessProbe.httpGet.port | string | `"http"` | | -| managementApp.endpoint.host | string | `"app.safeinsights.org"` | | -| managementApp.endpoint.port | int | `443` | | -| managementApp.endpoint.protocol | string | `"https"` | | -| managementApp.memberId | string | `nil` | | -| managementApp.privateKey.key | string | `"private-key"` | | -| managementApp.privateKey.secretName | string | `"management-app-secret"` | | -| nameOverride | string | `""` | | -| networkPolicy.enabled | bool | `false` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podLabels | object | `{}` | | -| 
podSecurityContext | object | `{}` | | -| readinessProbe.httpGet.path | string | `"/"` | | -| readinessProbe.httpGet.port | string | `"http"` | | -| researchContainer.name | string | `"research"` | | -| resources.limits.cpu | string | `"100m"` | | -| resources.limits.memory | string | `"128Mi"` | | -| resources.requests.cpu | string | `"100m"` | | -| resources.requests.memory | string | `"128Mi"` | | -| securityContext | object | `{}` | | -| setupApp.command[0] | string | `"npx"` | | -| setupApp.command[1] | string | `"tsx"` | | -| setupApp.command[2] | string | `"src/scripts/poll.ts"` | | -| setupApp.enabled | bool | `true` | | -| setupApp.environmentVariables.harborPullSecret | string | `"si-docker-config"` | | -| setupApp.environmentVariables.k8sApiServer | string | `"https://kubernetes.default.svc.cluster.local"` | | -| setupApp.environmentVariables.k8sServiceAccountPath | string | `"/var/run/secrets/kubernetes.io/serviceaccount"` | | -| setupApp.environmentVariables.pollIntervall | string | `"60000"` | | -| setupApp.environmentVariables.toaApiIUrl | string | `"http://toa-svc:5050"` | | -| setupApp.image.pullPolicy | string | `"Always"` | | -| setupApp.image.registry | string | `"harbor.safeinsights.org/safeinsights-public"` | | -| setupApp.image.repository | string | `"setup-app"` | | -| setupApp.image.tag | string | `"20250828-5a509a54"` | | -| setupApp.name | string | `"setup-app"` | | -| setupApp.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | -| setupApp.persistence.enabled | bool | `false` | | -| setupApp.persistence.pvcSize | string | `"1Gi"` | | -| setupApp.persistence.storageClassName | string | `"aws-ebs-sc"` | | -| setupApp.service.port | int | `5051` | | -| setupApp.service.protocol | string | `"TCP"` | | -| setupApp.service.targetPort | int | `5051` | | -| setupApp.service.type | string | `"ClusterIP"` | | -| setupApp.serviceAccount.annotations."kubernetes.io/enforce-mountable-secrets" | string | `"true"` | | -| setupApp.workingDir | 
string | `"/home/node/code"` | | -| tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"}]` | Tolerations to allow the pod to be scheduled to nodes with taints. | -| topologySpreadConstraints | list | `[{"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"DoNotSchedule"}]` | Topology spread constraints to increase the controller resilience by distributing pods across the cluster zones. If an explicit label selector is not provided one will be created from the pod selector labels. | -| trustedOutputApp.command[0] | string | `"npm"` | | -| trustedOutputApp.command[1] | string | `"run"` | | -| trustedOutputApp.command[2] | string | `"start"` | | -| trustedOutputApp.enabled | bool | `true` | | -| trustedOutputApp.environmentVariables.httpBasicAuth | string | `"admin:admin"` | | -| trustedOutputApp.image.pullPolicy | string | `"Always"` | | -| trustedOutputApp.image.registry | string | `"harbor.safeinsights.org/safeinsights-public"` | | -| trustedOutputApp.image.repository | string | `"trusted-output-app"` | | -| trustedOutputApp.image.tag | string | `"20250728-a5d087fc"` | | -| trustedOutputApp.name | string | `"toa"` | | -| trustedOutputApp.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | -| trustedOutputApp.persistence.enabled | bool | `false` | | -| trustedOutputApp.persistence.pvcSize | string | `"1Gi"` | | -| trustedOutputApp.persistence.storageClassName | string | `"aws-ebs"` | | -| trustedOutputApp.service.port | int | `5050` | | -| trustedOutputApp.service.protocol | string | `"TCP"` | | -| trustedOutputApp.service.targetPort | int | `3002` | | -| trustedOutputApp.service.type | string | `"ClusterIP"` | | -| trustedOutputApp.workingDir | string | `"/home/node/app"` | | -| volumeMounts | list | `[]` | | -| volumes | list | `[]` | | +| managementApp.endpoint | string | `"https://app.safeinsights.org"` | Sets the endpoint where the management app is available. 
| +| managementApp.memberId | string | `nil` | Sets the id of the member deploying the enclave | +| networkPolicy.enabled | bool | `true` | networkPolicy.enabled this enables or disables the network policy | +| networkPolicy.installCalico | bool | `false` | networkPolicy.installCalico this enables or disables automatic installation of Calico | +| setupApp.command | list | `["npx","tsx","src/scripts/poll.ts"]` | Sets the command to start the setup app container | +| setupApp.enabled | bool | `true` | Sets if the setup app should be deployed | +| setupApp.environmentVariables.harborPullSecret | string | `"si-docker-config"` | setupApp.environmentVariables.harborPullSecret this configures the pull secret from harbor | +| setupApp.environmentVariables.pollIntervall | string | `"60000"` | setupApp.environmentVariables.pollIntervall this overrides the setup app polling interval | +| setupApp.image.pullPolicy | string | `"Always"` | Sets the image pull policy | +| setupApp.image.registry | string | `"harbor.safeinsights.org/safeinsights-public"` | Sets the image registry | +| setupApp.image.repository | string | `"setup-app"` | Sets the image repository | +| setupApp.image.tag | string | `"20251006-e1ccae88"` | Sets the image tag | +| setupApp.name | string | `"setup-app"` | Sets the name of the deployment and containers for the setup app | +| setupApp.persistence.accessModes | list | `["ReadWriteOnce"]` | Sets the access modes used for the persitence | +| setupApp.persistence.enabled | bool | `false` | Sets if the persistence should be enabled during the deployment | +| setupApp.persistence.pvcSize | string | `"1Gi"` | Sets the size set for the the persitence | +| setupApp.persistence.storageClassName | string | `"aws-ebs-sc"` | Sets the storageClassName used for the persitence | +| setupApp.service.port | int | `5051` | Sets the service external port | +| setupApp.service.protocol | string | `"TCP"` | Sets the service protocol | +| setupApp.service.targetPort | int | 
`5051` | Sets the container internal port that the service redirects to. | +| setupApp.service.type | string | `"ClusterIP"` | Sets the service type | +| setupApp.workingDir | string | `"/home/node/code"` | Sets the working directory inside the setup app container | +| trustedOutputApp.command | list | `["npm","run","start"]` | Sets the command to start the trusted output app container | +| trustedOutputApp.enabled | bool | `true` | Sets if the trusted output app should be deployed | +| trustedOutputApp.image.pullPolicy | string | `"Always"` | Sets the image pull policy | +| trustedOutputApp.image.registry | string | `"harbor.safeinsights.org/safeinsights-public"` | Sets the image registry | +| trustedOutputApp.image.repository | string | `"trusted-output-app"` | Sets the image repository | +| trustedOutputApp.image.tag | string | `"20250728-a5d087fc"` | Sets the image tag | +| trustedOutputApp.name | string | `"toa"` | Sets the name of the deployment and containers for the trusted output app | +| trustedOutputApp.persistence.accessModes | list | `["ReadWriteOnce"]` | Sets the access modes used for the persitence | +| trustedOutputApp.persistence.enabled | bool | `false` | Sets if the persistence should be enabled during the deployment | +| trustedOutputApp.persistence.pvcSize | string | `"1Gi"` | Sets the size set for the the persitence | +| trustedOutputApp.persistence.storageClassName | string | `"aws-ebs"` | Sets the storageClassName used for the persitence | +| trustedOutputApp.service.port | int | `5050` | Sets the service external port | +| trustedOutputApp.service.protocol | string | `"TCP"` | Sets the service protocol | +| trustedOutputApp.service.targetPort | int | `3002` | Sets the container internal port that the service redirects to. 
| +| trustedOutputApp.service.type | string | `"ClusterIP"` | Sets the service type | +| trustedOutputApp.workingDir | string | `"/home/node/app"` | Sets the working directory inside the setup app container | ---------------------------------------------- -### General Parameters -- **`resources.limits.cpu/memory`**: CPU and memory limits (defaults: 100m/128Mi) -- **`resources.requests.cpu/memory`**: CPU and memory requests (defaults: 100m/128Mi) - ### Deployment Configuration All the deployment configurations are available in [values.yaml](secure-enclave/values.yaml) and each property is documented. @@ -167,12 +110,10 @@ All the deployment configurations are available in [values.yaml](secure-enclave/ To uninstall the chart, please run: ```bash -helm uninstall secure-enclave +helm uninstall secure-enclave -n $namespace ``` -## Notes +The uninstallation will keep the secret that was generated during the deployment. -1. Ensure your Kubernetes cluster has sufficient resources. -2. All sensitive values should be stored in Kubernetes secrets. -3. Proper networking and security policies should be implemented. -4. For production use, please consider enabling TLS for ingress. +### Development +First we need to build the helm dependencies by running `helm dependency build ./secure-enclave` diff --git a/calico/Chart.lock b/calico/Chart.lock new file mode 100644 index 0000000..223dd56 --- /dev/null +++ b/calico/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: tigera-operator + repository: https://docs.tigera.io/calico/charts + version: v3.31.1 +digest: sha256:6a5f368b8248927f84abc88a985ca95f0cd72752856d5f6be5dd4af61cf52af1 +generated: "2025-11-25T09:45:45.992979-05:00" diff --git a/calico/Chart.yaml b/calico/Chart.yaml new file mode 100644 index 0000000..19eea45 --- /dev/null +++ b/calico/Chart.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v2 +name: calico +description: Kubernetes Networking with Calico +type: application +version: 3.31.1 +appVersion: v3.31.1 +dependencies: + - repository: https://docs.tigera.io/calico/charts + name: tigera-operator + version: v3.31.1 + condition: "networkPolicy.enabled" +maintainers: + - name: SafeInsights + email: administrators@safeinsights.org diff --git a/calico/charts/tigera-operator-v3.31.1.tgz b/calico/charts/tigera-operator-v3.31.1.tgz new file mode 100644 index 0000000..eb23851 Binary files /dev/null and b/calico/charts/tigera-operator-v3.31.1.tgz differ diff --git a/calico/values.yaml b/calico/values.yaml new file mode 100644 index 0000000..12e4a94 --- /dev/null +++ b/calico/values.yaml @@ -0,0 +1,2 @@ +networkPolicy: + enabled: true diff --git a/secure-enclave/Chart.lock b/secure-enclave/Chart.lock new file mode 100644 index 0000000..4ad37c6 --- /dev/null +++ b/secure-enclave/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: calico + repository: file://../calico + version: 3.31.1 +digest: sha256:31e75c452b4c4db759dd8b38539b9fde0a6580e086ccf7a8b045501111156be4 +generated: "2025-12-04T12:49:04.96115-05:00" diff --git a/secure-enclave/Chart.yaml b/secure-enclave/Chart.yaml index 010c4ad..4142a7d 100644 --- a/secure-enclave/Chart.yaml +++ b/secure-enclave/Chart.yaml 
@@ -15,14 +15,19 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app versions. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.1 +version: 1.0.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.0.1" +appVersion: "1.0.2" +dependencies: + - repository: file://../calico + name: calico + version: 3.31.1 + condition: "networkPolicy.installCalico" maintainers: - name: SafeInsights email: administrators@safeinsights.org diff --git a/secure-enclave/charts/calico-3.31.1.tgz b/secure-enclave/charts/calico-3.31.1.tgz new file mode 100644 index 0000000..f719d17 Binary files /dev/null and b/secure-enclave/charts/calico-3.31.1.tgz differ diff --git a/secure-enclave/templates/_helpers.tpl b/secure-enclave/templates/_helpers.tpl index f030814..8a0fcf5 100644 --- a/secure-enclave/templates/_helpers.tpl +++ b/secure-enclave/templates/_helpers.tpl 
@@ -60,3 +60,74 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Get VPC CIDR from ConfigMap +*/}} +{{- define "secure-enclave.svcCidr" -}} +{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace "enclave-config" }} +{{- if $configMap }} +{{- $vpcCidr := index $configMap.data "cluster-ip" }} +{{- $vpcCidr }} +{{- else }} +1.1.1.1/16 +{{- end }} +{{- end }} + +{{/* +Get allowed external endpoints from ConfigMap +*/}} +{{- define "secure-enclave.allowedExternalEndpoints" -}} +{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace "enclave-config" }} +{{- if $configMap }} +{{- $endpoints := index $configMap.data "allowed-external-endpoints" }} +{{- if $endpoints }} +{{- $endpoints }} +{{- else }} +{{- end }} +{{- else }} +{{- end }} +{{- end }} + + + +{{/* +Convert comma separated string to array +*/}} +{{- define "secure-enclave.commaSepToStringArray" -}} +{{- splitList "," . -}} +{{- end }} + +{{/* +Validate enclave configuration +*/}} +{{- define "secure-enclave.validateConfiguration" -}} +{{- if not .Values.managementApp }} +{{- fail "managementApp section is required in values" }} +{{- else if not .Values.managementApp.memberId }} +{{- fail "managementApp.memberId is required and cannot be empty" }} +{{- else if not .Values.managementApp.endpoint }} +{{- fail "managementApp.endpoint is required and cannot be empty" }} +{{- end }} +{{- end }} + +{{/* +Extract host from URL +*/}} +{{- define "secure-enclave.extractHostFromUrl" -}} +{{- $url := . -}} +{{- $host := regexReplaceAll "^(?:https?://)?([^/]+).*" $url "${1}" -}} +{{- $host }} +{{- end }} + +{{/* +Check if calico-node daemonset exists in calico-system namespace +*/}} +{{- define "secure-enclave.hasCalicoNodeDaemonset" -}} +{{- $daemonset := lookup "apps/v1" "DaemonSet" "calico-system" "calico-node" }} +{{- if $daemonset }} +{{- true }} +{{- else }} +{{- false }} +{{- end }} +{{- end }} 
diff --git a/secure-enclave/templates/default-deny-all-network-policy.yaml b/secure-enclave/templates/default-deny-all-network-policy.yaml deleted file mode 100644 index 25e74b6..0000000 --- a/secure-enclave/templates/default-deny-all-network-policy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny-all-network-policy - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress - egress: - - to: - ports: - - protocol: TCP - port: 53 - - protocol: UDP - port: 53 -{{- end}} \ No newline at end of file diff --git a/secure-enclave/templates/deny-all-network-policy.yaml b/secure-enclave/templates/deny-all-network-policy.yaml new file mode 100644 index 0000000..c323889 --- /dev/null +++ b/secure-enclave/templates/deny-all-network-policy.yaml @@ -0,0 +1,17 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-all + annotations: + description: "Zero-trust baseline - deny all traffic" + version: "1.0.0" + architecture: "fail-closed" + security-posture: "deny-first" +spec: + podSelector: + matchLabels: {} + policyTypes: + - Ingress + - Egress +{{- end }} \ No newline at end of file diff --git a/secure-enclave/templates/post-install-hook.yaml b/secure-enclave/templates/post-install-hook.yaml new file mode 100644 index 0000000..7578560 --- /dev/null +++ b/secure-enclave/templates/post-install-hook.yaml 
@@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ include "secure-enclave.fullname" . }}-post-install-hook" + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: "{{ include "secure-enclave.fullname" . }}-post-install-hook" + spec: + restartPolicy: Never + containers: + - name: connectivity-test + image: busybox:1.36 + command: + - /bin/sh + - -c + args: + - | + echo "Testing connectivity to google.com" + echo "Performing DNS lookup for google.com..." + nslookup google.com + echo "Testing ping to google.com..." + ping -c 3 google.com diff --git a/secure-enclave/templates/pre-install-hook.yaml b/secure-enclave/templates/pre-install-hook.yaml new file mode 100644 index 0000000..9ef41f6 --- /dev/null +++ b/secure-enclave/templates/pre-install-hook.yaml 
@@ -0,0 +1,133 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: svc-manager + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +rules: +- apiGroups: [""] + resources: ["services","configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["networking.k8s.io"] + resources: ["servicecidrs"] + verbs: ["get", "list"] +- apiGroups: ["crd.projectcalico.org"] + resources: ["networkpolicies"] + verbs: ["delete"] + + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: svc-manager + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: svc-manager-binding + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +subjects: +- kind: ServiceAccount + name: svc-manager + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: svc-manager + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ include "secure-enclave.fullname" . }}-pre-install-hook" + labels: + {{- include "secure-enclave.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: svc-manager + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: "{{ include "secure-enclave.fullname" . 
}}-pre-install-hook" + spec: + restartPolicy: Never + serviceAccountName: svc-manager + initContainers: + - name: dnsutils + image: alpine + imagePullPolicy: Always + command: ["/bin/sh", "-c"] + args: + - | + echo "Get management server ip addresses" + # Get IP Addresses from the management app + nslookup {{ include "secure-enclave.extractHostFromUrl" .Values.managementApp.endpoint }} | grep 'Address'| grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' >> /tmp/ip_addresses + cat /tmp/ip_addresses + volumeMounts: + - name: temp-volume + mountPath: /tmp/ + containers: + - name: serviceip + image: bitnami/kubectl:latest + imagePullPolicy: Always + command: ["/bin/sh", "-c"] + args: + - | + # Validate managementApp.memberId is set + {{ include "secure-enclave.validateConfiguration" . }} + IPS=$(cat /tmp/ip_addresses| paste -sd, -) + echo $IPS + SVC_RANGE=$(kubectl get servicecidrs -o wide | awk 'NR>1 {print $2}') + PRIVATE_KEY=$(openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096) + PUBLIC_KEY=$(openssl rsa -pubout -in <(printf '%s' "$PRIVATE_KEY")) + TOA_USER=$(cat /dev/urandom | tr -dc 'A-Za-z' | head -c12) + TOA_PASSWORD=$(cat /dev/urandom | tr -dc 'A-Za-z' | head -c12) + echo "Checking if secret already exists" + if kubectl get secret enclave-secret > /dev/null 2>&1; then + echo "Secret already exists, skipping creation" + else + echo "Creating new secret for enclave" + kubectl create secret generic enclave-secret \ + --from-literal=management-app-private-key="$PRIVATE_KEY" \ + --from-literal=management-app-public-key="$PUBLIC_KEY" \ + --from-literal=toa-basic-auth="$TOA_USER:$TOA_PASSWORD" \ + --from-literal=management-app-api-url={{ .Values.managementApp.endpoint }} \ + --from-literal=k8s-api-server="https://kubernetes.default.svc.cluster.local" \ + --from-literal=k8s-service-account-path="/var/run/secrets/kubernetes.io/serviceaccount" + fi + + # Delete network policies if they exist and network policies are enabled + {{- if .Values.networkPolicy.enabled }} + 
echo "Deleting network policies if they exist" + kubectl delete networkpolicies.crd.projectcalico.org toa-network-policy --ignore-not-found + kubectl delete networkpolicies.crd.projectcalico.org setup-app-network-policy --ignore-not-found + {{- end }} + + echo "Creating the enclave config map" + echo "deleting previous configmap if any" + kubectl delete configmap enclave-config --ignore-not-found + echo "Creating new configmap for managememt app" + # Format IPs as a quoted comma-separated list for array representation + kubectl create configmap enclave-config \ + --from-literal=cluster-ip="$SVC_RANGE" \ + --from-literal=allowed-external-endpoints="$IPS" \ + --dry-run=client -o yaml | kubectl apply -f - + volumeMounts: + - name: temp-volume + mountPath: /tmp/ + volumes: + - name: temp-volume + emptyDir: {} diff --git a/secure-enclave/templates/setup-app-deployment.yaml b/secure-enclave/templates/setup-app-deployment.yaml index 71debe4..829824a 100644 --- a/secure-enclave/templates/setup-app-deployment.yaml +++ b/secure-enclave/templates/setup-app-deployment.yaml @@ -5,7 +5,7 @@ metadata: name: {{ .Values.setupApp.name }} namespace: {{ .Release.Namespace }} labels: - app: {{ .Values.setupApp.name }} + {{- include "secure-enclave.labels" . | nindent 4 }} spec: replicas: 1 selector: 
@@ -23,6 +23,22 @@ spec: imagePullSecrets: - name: {{ .Values.setupApp.image.imagePullSecret }} {{- end }} + volumes: + {{- if and .Values.emptyDir .Values.emptyDir.enabled }} + - name: worktmp + emptyDir: + {{- if .Values.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.emptyDir.sizeLimit }} + {{- end }} + {{- end }} + {{- if .Values.setupApp.persistence.enabled }} + - name: data + persistentVolumeClaim: + claimName: {{ default (printf "%s-pvc" .Values.setupApp.name) .Values.setupApp.persistence.existingClaim }} + {{- end }} + {{- with .Values.volumes }} +{{ toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ .Values.setupApp.image.repository }} imagePullPolicy: {{ .Values.setupApp.image.pullPolicy }} 
@@ -41,58 +57,43 @@ spec: env: - name: "DEPLOYMENT_ENVIRONMENT" value: "KUBERNETES" - {{- if .Values.setupApp.environmentVariables.k8sApiServer }} - name: "K8S_APISERVER" valueFrom: secretKeyRef: - name: {{ .Values.setupApp.name }}-secret + name: enclave-secret key: k8s-api-server - {{- end }} - {{- if .Values.setupApp.environmentVariables.k8sServiceAccountPath }} - name: "K8S_SERVICEACCOUNT_PATH" valueFrom: secretKeyRef: - name: {{ .Values.setupApp.name }}-secret + name: enclave-secret key: k8s-service-account-path - {{- end }} - {{- if .Values.managementApp.memberId }} + {{- if .Values.managementApp.memberId }} - name: "MANAGEMENT_APP_MEMBER_ID" - valueFrom: - secretKeyRef: - name: {{ .Values.setupApp.name }}-secret - key: mgmt-app-member-id + value: {{ .Values.managementApp.memberId }} {{- end }} - {{- if .Values.managementApp.endpoint.host }} + {{- if .Values.managementApp.endpoint }} - name: "MANAGEMENT_APP_BASE_URL" valueFrom: secretKeyRef: - name: {{ .Values.setupApp.name }}-secret - key: mgmt-app-api-url + name: enclave-secret + key: management-app-api-url {{- end }} {{- if .Values.setupApp.environmentVariables.pollIntervall }} - name: "POLL_INTERVALL" value: {{ .Values.setupApp.environmentVariables.pollIntervall | quote }} {{- end }} - name: "TOA_BASE_URL" - {{- if .Values.setupApp.environmentVariables.toaApiIUrl }} - value: {{ .Values.setupApp.environmentVariables.toaApiIUrl }} - {{- else }} value: http://{{ .Values.trustedOutputApp.name }}-svc:{{ .Values.trustedOutputApp.service.port }} - {{- end }} - {{- if .Values.trustedOutputApp.environmentVariables.httpBasicAuth }} - name: "TOA_BASIC_AUTH" valueFrom: secretKeyRef: - name: {{ .Values.setupApp.name }}-secret - key: http-basic-auth - {{- end }} - {{- if .Values.managementApp.privateKey }} + name: enclave-secret + key: toa-basic-auth - name: "MANAGEMENT_APP_PRIVATE_KEY" valueFrom: secretKeyRef: - name: {{ .Values.managementApp.privateKey.secretName }} - key: {{ .Values.managementApp.privateKey.key }} - 
{{- end }} + name: enclave-secret + key: management-app-private-key {{- if .Values.setupApp.environmentVariables.harborPullSecret }} - name: "HARBOR_PULL_SECRET" value: {{ .Values.setupApp.environmentVariables.harborPullSecret }} @@ -105,4 +106,8 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file + {{- with .Values.podAffinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/secure-enclave/templates/setup-app-network-policy.yaml b/secure-enclave/templates/setup-app-network-policy.yaml index d54baf7..5ea112e 100644 --- a/secure-enclave/templates/setup-app-network-policy.yaml +++ b/secure-enclave/templates/setup-app-network-policy.yaml 
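Review bot: in the `MANAGEMENT_APP_BASE_URL` block of the setup-app env hunk, `.Values.managementApp.endpoint` now only acts as a toggle; the URL the pod actually receives comes from `enclave-secret` key `management-app-api-url`, so the endpoint in values.yaml and the one in the secret can silently disagree. Either render it from values (`value: {{ .Values.managementApp.endpoint | quote }}`) or drop the values key and state that the secret is the source of truth. Two smaller points in the same hunk: `value: {{ .Values.managementApp.memberId }}` is unquoted and fails schema validation if the id happens to be numeric (use `| quote`, as `POLL_INTERVALL` already does), and `K8S_APISERVER` / `K8S_SERVICEACCOUNT_PATH` became unconditional `secretKeyRef`s although their former defaults (`https://kubernetes.default.svc.cluster.local`, `/var/run/secrets/kubernetes.io/serviceaccount`, removed from values.yaml in this patch) are not secrets; plain `value:` entries with those defaults would not take the pod down when a key is missing from the secret.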
@@ -1,27 +1,129 @@ -{{- if .Values.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 +{{- if .Values.networkPolicy.enabled }} +apiVersion: crd.projectcalico.org/v1 kind: NetworkPolicy metadata: name: {{ .Values.setupApp.name }}-network-policy - namespace: {{ .Release.Namespace }} + annotations: + description: "Setup app - orchestration and lifecycle management" + version: "3.0.0-self-contained" + architecture: "self-contained-dns" + compliance: "management-api-audit-enabled" + {{- if .Values.networkPolicy.logging }} + logging: "enabled" + {{- end }} spec: - podSelector: - matchLabels: - app: {{ .Values.setupApp.name }} - policyTypes: - - Egress + selector: app == "{{ .Values.setupApp.name }}" + order: 10 + types: + - Ingress + - Egress + + ingress: + {{- if .Values.setupApp.service.targetPort }} + - action: Allow + protocol: TCP + source: + namespaceSelector: kubernetes.io/metadata.name in { "{{ .Release.Namespace }}" } + destination: + ports: + - {{ .Values.setupApp.service.targetPort }} + {{- end }} + egress: - - ports: - - protocol: TCP - port: {{ .Values.setupApp.environmentVariables.mgmtAppApi.port }} - to: - - ipBlock: - cidr: {{ .Values.setupApp.environmentVariables.mgmtAppApi.host }}/32 - - ports: - - protocol: {{ .Values.trustedOutputApp.service.protocol }} - port: {{ .Values.trustedOutputApp.service.port }} - to: - - podSelector: - matchLabels: - app: {{ .Values.trustedOutputApp.name }} -{{- end }} \ No newline at end of file + # ======================================== + # EXCEPTION 1: DNS Resolution (UDP - Primary) + # Setup app needs DNS for name resolution + # ======================================== + - action: Allow + protocol: UDP + destination: + namespaceSelector: kubernetes.io/metadata.name == "kube-system" + selector: k8s-app == "kube-dns" + ports: + - 53 + + # ======================================== + # EXCEPTION 2: DNS Resolution (TCP - Fallback) + # ======================================== + - action: Allow + protocol: TCP + 
destination: + namespaceSelector: kubernetes.io/metadata.name == "kube-system" + selector: k8s-app == "kube-dns" + ports: + - 53 + + # ======================================== + # EGRESS TO: Trusted Output App + # ======================================== + {{- if and .Values.trustedOutputApp.enabled .Values.trustedOutputApp.service.enabled }} + - action: Allow + protocol: TCP + destination: + namespaceSelector: kubernetes.io/metadata.name in { "{{ .Release.Namespace }}" } + selector: app == "{{ .Values.trustedOutputApp.name }}" + ports: + - {{ .Values.trustedOutputApp.service.targetPort }} + {{- end }} + + # ======================================== + # EGRESS TO: Kubernetes API endpoints + # ======================================== + - action: Allow + protocol: TCP + destination: + nets: [{{ include "secure-enclave.svcCidr" . | quote }}] + ports: + - 443 + {{- if .Values.networkPolicy.logging }} + metadata: + annotations: + log: "true" + log-prefix: "SETUP-MGMT-API" + destination: "management-app" + destination-cidr: {{ include "secure-enclave.svcCidr" . | quote }} + compliance: "audit-required" + {{- end }} + + # ======================================== + # EGRESS TO: Kubernetes API (if enabled) + # ======================================== + {{- $svc := lookup "v1" "Service" "default" "kubernetes" -}} + {{- if $svc }} + - action: Allow + protocol: TCP + destination: + nets: + - {{ printf "%s/32" $svc.spec.clusterIP }} + ports: + - 443 + {{- end }} + + # ======================================== + # EGRESS TO: Allowed External Endpoints + # ======================================== + {{- $logginEnabled := .Values.networkPolicy.logging }} + {{- $externalEndpoints := include "secure-enclave.allowedExternalEndpoints" . 
}} + {{- if $externalEndpoints }} + {{- $endpointList := splitList "," $externalEndpoints }} + {{- range $endpoint := $endpointList }} + - action: Allow + protocol: TCP + destination: + nets: + - {{ printf "%s/32" $endpoint }} + ports: + - 443 + {{- if $logginEnabled }} + metadata: + annotations: + log: "true" + log-prefix: "SETUP-MGMT-API" + destination: "management-app" + destination-cidr: {{ printf "%s/32" $endpoint | quote }} + compliance: "audit-required" + {{- end }} + {{- end }} + {{- end }} + +{{- end }} diff --git a/secure-enclave/templates/setup-app-pvc.yaml b/secure-enclave/templates/setup-app-pvc.yaml index cad7e22..184ab63 100644 --- a/secure-enclave/templates/setup-app-pvc.yaml +++ b/secure-enclave/templates/setup-app-pvc.yaml @@ -1,4 +1,4 @@ -{{- if .Values.setupApp.persistence.enabled -}} +{{- if .Values.setupApp.persistence.enabled }} apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -11,4 +11,3 @@ spec: requests: storage: {{ .Values.setupApp.persistence.pvcSize }} {{- end }} - diff --git a/secure-enclave/templates/setup-app-secret.yaml b/secure-enclave/templates/setup-app-secret.yaml deleted file mode 100644 index e76dd93..0000000 --- a/secure-enclave/templates/setup-app-secret.yaml +++ /dev/null 
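Review bot: the setup-app to TOA egress rule in the setup-app network policy hunk is guarded by `{{- if and .Values.trustedOutputApp.enabled .Values.trustedOutputApp.service.enabled }}`, but `trustedOutputApp.service` in values.yaml has no `enabled` key (only `type`, `protocol`, `port`, `targetPort`), so the rule is never rendered and the setup app cannot reach `TOA_BASE_URL` once the policy is enforced; drop the `.service.enabled` condition or add the key. Further points in the same hunk: the `nets: [svcCidr]` rule on 443 is commented as "Kubernetes API endpoints" but logged as `SETUP-MGMT-API` / `management-app`, and it is both broader than and redundant with the `/32` rule built from `lookup "v1" "Service" "default" "kubernetes"` right after it; note that `lookup` returns nothing under `helm template` and client-side `--dry-run`, so that `/32` rule is absent from linted output and only exercised on a live install. The per-rule `metadata.annotations` (`log: "true"`, `compliance: "audit-required"`) are informational in Calico; flow logging requires a preceding `action: Log` rule, so the `networkPolicy.logging` toggle currently changes nothing on the wire. Finally, every external endpoint is suffixed `/32`, so `secure-enclave.allowedExternalEndpoints` must yield literal addresses while `managementApp.endpoint` is configured as a hostname (`https://app.safeinsights.org`); document how that address list is maintained, because a provider IP change silently breaks egress. (`$logginEnabled` is misspelled.)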
@@ -1,28 +0,0 @@ -{{- if .Values.setupApp.environmentVariables }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.setupApp.name }}-secret - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.setupApp.name }} - annotations: - kubernetes.io/service-account.name: {{ .Values.setupApp.name }}-sa -type: kubernetes.io/service-account-token -data: - {{- if .Values.setupApp.environmentVariables.k8sApiServer }} - k8s-api-server: {{ .Values.setupApp.environmentVariables.k8sApiServer | b64enc }} - {{- end }} - {{- if .Values.setupApp.environmentVariables.k8sServiceAccountPath }} - k8s-service-account-path: {{ .Values.setupApp.environmentVariables.k8sServiceAccountPath | b64enc }} - {{- end }} - {{- if .Values.trustedOutputApp.environmentVariables.httpBasicAuth }} - http-basic-auth: {{ .Values.trustedOutputApp.environmentVariables.httpBasicAuth | b64enc }} - {{- end }} - {{- if .Values.managementApp.endpoint.host }} - mgmt-app-api-url: {{ printf "%s://%s:%d" (default "https" .Values.managementApp.endpoint.protocol) .Values.managementApp.endpoint.host ((default 443 .Values.managementApp.endpoint.port) | int) | b64enc }} - {{- end }} - {{- if .Values.managementApp.memberId }} - mgmt-app-member-id: {{ .Values.managementApp.memberId | b64enc }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/secure-enclave/templates/setup-app-serviceaccount.yaml b/secure-enclave/templates/setup-app-serviceaccount.yaml index dd2d8fc..58ade6a 100644 --- a/secure-enclave/templates/setup-app-serviceaccount.yaml +++ b/secure-enclave/templates/setup-app-serviceaccount.yaml @@ -12,5 +12,4 @@ metadata: imagePullSecrets: - name: si-docker-config secrets: - - name: {{ .Values.setupApp.name }}-secret - - name: {{ .Values.managementApp.privateKey.secretName }} \ No newline at end of file + - name: enclave-secret \ No newline at end of file 
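Review bot: with `setup-app-secret.yaml` deleted the chart no longer creates any Secret, yet both deployments now hard-code `secretKeyRef` to `enclave-secret` without `optional: true`; on upgrade Helm removes the old `<setupApp.name>-secret` and, unless the operator pre-created `enclave-secret`, the pods sit in `CreateContainerConfigError`. Add a guard such as `{{- if not (lookup "v1" "Secret" .Release.Namespace "enclave-secret") }}{{ fail "enclave-secret must exist" }}{{- end }}` (bearing in mind `lookup` is empty under `helm template`) or at least list the expected keys (`k8s-api-server`, `k8s-service-account-path`, `management-app-api-url`, `toa-basic-auth`, `management-app-private-key`) in the README or NOTES.txt. Removing the old template itself is right: it declared `type: kubernetes.io/service-account-token` while carrying arbitrary application data, which is not what that type is for, and the ServiceAccount hunk correctly lists `enclave-secret` under `secrets:` so `kubernetes.io/enforce-mountable-secrets: "true"` still permits the reference.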
diff --git a/secure-enclave/templates/trusted-output-deployment.yaml b/secure-enclave/templates/trusted-output-app-deployment.yaml similarity index 73% rename from secure-enclave/templates/trusted-output-deployment.yaml rename to secure-enclave/templates/trusted-output-app-deployment.yaml index 3761adb..1e64087 100644 --- a/secure-enclave/templates/trusted-output-deployment.yaml +++ b/secure-enclave/templates/trusted-output-app-deployment.yaml @@ -16,6 +16,19 @@ spec: labels: app: {{ .Values.trustedOutputApp.name }} spec: + {{- if .Values.trustedOutputApp.image.imagePullSecret }} + imagePullSecrets: + - name: {{ .Values.trustedOutputApp.image.imagePullSecret }} + {{- end }} + volumes: + {{- if .Values.trustedOutputApp.persistence.enabled }} + - name: data + persistentVolumeClaim: + claimName: {{ default (printf "%s-pvc" .Values.trustedOutputApp.name) .Values.trustedOutputApp.persistence.existingClaim }} + {{- end }} + {{- with .Values.volumes }} +{{ toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ .Values.trustedOutputApp.image.repository }} imagePullPolicy: {{ .Values.trustedOutputApp.image.pullPolicy }} 
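Review bot: the pod-level `volumes:` block added in the TOA deployment hunk renders `.Values.volumes`, but the same patch deletes the `volumes: []` and `volumeMounts: []` keys from values.yaml, leaving the extension point undocumented and without a default; restore the keys or drop the `with`. The `data` volume bound to the PVC has no matching `volumeMounts` entry in this hunk, so confirm the container actually mounts it, otherwise persistence can be enabled and never used. Moving `imagePullSecrets` up to the pod spec is the right fix (it was previously placed under the container). Style: `{{ toYaml . | nindent 8 }}` is flush-left while the surrounding lines use `{{-`; harmless with `nindent`, but inconsistent.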
@@ -39,38 +52,25 @@ spec: {{- end }} {{- end}} env: - {{- if .Values.trustedOutputApp.environmentVariables.httpBasicAuth }} - name: "HTTP_BASIC_AUTH" valueFrom: secretKeyRef: - name: {{ .Values.trustedOutputApp.name }}-secret - key: http-basic-auth - {{- end }} + name: enclave-secret + key: toa-basic-auth {{- if .Values.managementApp.memberId }} - name: "MANAGEMENT_APP_MEMBER_ID" - valueFrom: - secretKeyRef: - name: {{ .Values.trustedOutputApp.name }}-secret - key: mgmt-app-member-id + value: {{ .Values.managementApp.memberId }} {{- end }} - {{- if .Values.managementApp.endpoint.host }} - - name: "MANAGEMENT_APP_API_URL" + - name: "MANAGEMENT_APP_BASE_URL" valueFrom: secretKeyRef: - name: {{ .Values.trustedOutputApp.name }}-secret - key: mgmt-app-api-url - {{- end }} - {{- if .Values.managementApp.privateKey }} + name: enclave-secret + key: management-app-api-url - name: "MANAGEMENT_APP_PRIVATE_KEY" valueFrom: secretKeyRef: - name: {{ .Values.managementApp.privateKey.secretName }} - key: {{ .Values.managementApp.privateKey.key }} - {{- end}} - {{- if .Values.trustedOutputApp.image.imagePullSecret }} - imagePullSecrets: - - name: {{ .Values.trustedOutputApp.image.imagePullSecret }} - {{- end }} + name: enclave-secret + key: management-app-private-key {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -79,6 +79,9 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.podAffinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} - diff --git a/secure-enclave/templates/trusted-output-app-network-policy.yaml b/secure-enclave/templates/trusted-output-app-network-policy.yaml new file mode 100644 index 0000000..0a265e9 --- /dev/null +++ b/secure-enclave/templates/trusted-output-app-network-policy.yaml 
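Review bot: the TOA env hunk renames `MANAGEMENT_APP_API_URL` to `MANAGEMENT_APP_BASE_URL`, but values.yaml keeps the TOA image at `20250728-a5d087fc` (only the setup-app tag is bumped); unless that image already reads the new name it will start without a management app URL. Confirm the variable name against the image or pin a tag that supports it. `value: {{ .Values.managementApp.memberId }}` needs `| quote` here for the same reason as in the setup-app deployment. Sourcing `HTTP_BASIC_AUTH` from the secret and dropping the `admin:admin` default from values.yaml is a good change.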
@@ -0,0 +1,104 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: crd.projectcalico.org/v1 +kind: NetworkPolicy +metadata: + name: {{ .Values.trustedOutputApp.name }}-network-policy + annotations: + description: "Trusted Output App - result submission and approval" + version: "3.0.0-self-contained" + architecture: "self-contained-dns" + compliance: "management-api-audit-enabled" + {{- if .Values.networkPolicy.logging }} + logging: "enabled" + {{- end }} +spec: + selector: app == "{{ .Values.trustedOutputApp.name }}" + order: 10 + types: + - Ingress + - Egress + + # ======================================== + # INGRESS: From admin namespace + research pods + # ======================================== + ingress: + # From admin namespace (setup-app, other TOA pods) + - action: Allow + protocol: TCP + source: + namespaceSelector: kubernetes.io/metadata.name in { "{{ .Release.Namespace }}" } + destination: + ports: + - {{ .Values.trustedOutputApp.service.targetPort | default 3002 }} + + # From research namespace (toa-access pods only) + - action: Allow + protocol: TCP + source: + namespaceSelector: kubernetes.io/metadata.name in { "{{ .Release.Namespace }}" } + selector: role == "toa-access" + destination: + ports: + - {{ .Values.trustedOutputApp.service.targetPort | default 3002 }} + + egress: + # ======================================== + # EXCEPTION 1: DNS Resolution (UDP - Primary) + # ======================================== + - action: Allow + protocol: UDP + destination: + namespaceSelector: kubernetes.io/metadata.name == "kube-system" + selector: k8s-app == "kube-dns" + ports: + - 53 + + # ======================================== + # EXCEPTION 2: DNS Resolution (TCP - Fallback) + # ======================================== + - action: Allow + protocol: TCP + destination: + namespaceSelector: kubernetes.io/metadata.name == "kube-system" + selector: k8s-app == "kube-dns" + ports: + - 53 + + # ======================================== + # EGRESS TO: TOA-to-TOA 
(service mesh) + # ======================================== + - action: Allow + protocol: TCP + destination: + selector: app == "{{ .Values.trustedOutputApp.name }}" + ports: + - {{ .Values.trustedOutputApp.service.targetPort }} + + # ======================================== + # EGRESS TO: Allowed External Endpoints + # ======================================== + {{- $logginEnabled := .Values.networkPolicy.logging }} + {{- $externalEndpoints := include "secure-enclave.allowedExternalEndpoints" . }} + {{- if $externalEndpoints }} + {{- $endpointList := splitList "," $externalEndpoints }} + {{- range $endpoint := $endpointList }} + - action: Allow + protocol: TCP + destination: + nets: + - {{ printf "%s/32" $endpoint }} + ports: + - 443 + {{- if $logginEnabled }} + metadata: + annotations: + log: "true" + log-prefix: "TOA-MGMT-API" + destination: "management-app" + destination-cidr: {{ printf "%s/32" $endpoint | quote }} + compliance: "audit-required" + {{- end }} + {{- end }} + {{- end }} + +{{- end }} diff --git a/secure-enclave/templates/trusted-output-app-pvc.yaml b/secure-enclave/templates/trusted-output-app-pvc.yaml index 0dd492e..b4cdf74 100644 --- a/secure-enclave/templates/trusted-output-app-pvc.yaml +++ b/secure-enclave/templates/trusted-output-app-pvc.yaml @@ -1,13 +1,14 @@ -{{- if .Values.trustedOutputApp.persistence.enabled -}} +{{- if .Values.trustedOutputApp.persistence.enabled }} apiVersion: v1 kind: PersistentVolumeClaim metadata: name: {{ .Values.trustedOutputApp.name }}-pvc namespace: {{ .Release.Namespace }} spec: - accessModes: {{ .Values.trustedOutputApp.persistence.accessModes }} + accessModes: + {{- toYaml .Values.trustedOutputApp.persistence.accessModes | nindent 4 }} storageClassName: {{ .Values.trustedOutputApp.persistence.storageClassName }} resources: requests: storage: {{ .Values.trustedOutputApp.persistence.pvcSize }} - {{- end }} +{{- end }} 
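Review bot: in the new TOA network policy the first ingress rule admits every pod in the release namespace on the TOA port, so the second rule restricted to `role == "toa-access"` under the same `namespaceSelector` adds nothing; the label restriction the deleted `trusted-output-network-policy.yaml` enforced (`role: toa-access` or the setup-app pod) is lost. Replace the blanket rule with `selector: app == "{{ .Values.setupApp.name }}"` and keep the `toa-access` rule; if research jobs run in another namespace, that namespace must be named in the second rule's `namespaceSelector`. Minor: the TOA-to-TOA egress rule uses `targetPort` without the `| default 3002` the ingress rules apply, the log annotations are informational only (same remark as for the setup-app policy), and `$logginEnabled` is misspelled.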
diff --git a/secure-enclave/templates/trusted-output-app-secret.yaml b/secure-enclave/templates/trusted-output-app-secret.yaml deleted file mode 100644 index d0b0568..0000000 --- a/secure-enclave/templates/trusted-output-app-secret.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.trustedOutputApp.environmentVariables }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.trustedOutputApp.name }}-secret - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.trustedOutputApp.name }} -type: Opaque -data: - {{- if .Values.trustedOutputApp.environmentVariables.httpBasicAuth }} - http-basic-auth: {{ .Values.trustedOutputApp.environmentVariables.httpBasicAuth | b64enc }} - {{- end }} - {{- if .Values.managementApp.endpoint.host }} - mgmt-app-api-url: {{ printf "%s://%s:%d" (default "https" .Values.managementApp.endpoint.protocol) .Values.managementApp.endpoint.host ((default 443 .Values.managementApp.endpoint.port) | int) | b64enc }} - {{- end }} - {{- if .Values.managementApp.memberId }} - mgmt-app-member-id: {{ .Values.managementApp.memberId | b64enc }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/secure-enclave/templates/trusted-output-network-policy.yaml b/secure-enclave/templates/trusted-output-network-policy.yaml deleted file mode 100644 index 9bc4cad..0000000 --- a/secure-enclave/templates/trusted-output-network-policy.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if .Values.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ .Values.trustedOutputApp.name }}-network-policy - namespace: {{ .Release.Namespace }} -spec: - podSelector: - matchLabels: - app: {{ .Values.trustedOutputApp.name }} - policyTypes: - - Ingress - - Egress - ingress: - - ports: - - protocol: {{ .Values.trustedOutputApp.service.protocol }} - port: {{ .Values.trustedOutputApp.service.port }} - from: - - podSelector: - matchLabels: - role: toa-access - - podSelector: - matchLabels: - app: {{ .Values.setupApp.name }} - egress: - - ports: - - protocol: TCP - port: {{ .Values.setupApp.environmentVariables.mgmtAppApi.port }} - to: - - ipBlock: - cidr: {{ .Values.setupApp.environmentVariables.mgmtAppApi.host }}/32 - -{{- end }} \ No newline at end of file diff --git a/secure-enclave/values.yaml b/secure-enclave/values.yaml index 898c664..6e4b8a1 100644 --- a/secure-enclave/values.yaml +++ b/secure-enclave/values.yaml 
@@ -6,244 +6,151 @@ nameOverride: "" fullnameOverride: "" -## @param aws this defines the values configured when deployed on AWS. -## +# -- This defines the values configured when deployed on AWS. aws: - ## @param aws.enabled this defines if AWS configurations are enabled. - ## + # -- Sets if AWS configurations are enabled. enabled: false - ## @param aws.storageClass this defines the storage class used for the deployment - ## + # -- Sets the storage class used for the deployment storageClass: - ## @param aws.storageClass.name this defines the name of the storage class - ## - name: aws-ebs-sc - ## @param aws.storageClass.provisioner this defines the storage class provisioner - ## - provisioner: ebs.csi.aws.com - ## @param aws.storageClass.volumeBindingMode this defines the storage class volume binding mode - ## - volumeBindingMode: WaitForFirstConsumer - ## @param aws.storageClass.parameters this defines the storage class parameters - ## - parameters: - ## @param aws.storageClass.parameters.csi.storage.k8s.io/fstype this defines the filesystem type for the storage class - ## - csi.storage.k8s.io/fstype: xfs - ## @param aws.storageClass.parameters.type this defines the type of the storage class - ## - type: io1 - ## @param aws.storageClass.parameters.iopsPerGB this defines the IOPS per GB for the storage - ## - iopsPerGB: "50" - ## @param aws.storageClass.parameters.encrypted this defines if the storage is encrypted - ## - encrypted: "true" - ## @params aws.storageClass.allowedTopologies this defines the allowed toplogies, for eg. the zone where the storage class will be created in. 
- ## - allowedTopologies: + # -- Sets the name of the storage class + name: aws-ebs-sc + # -- Sets the storage class provisioner + provisioner: ebs.csi.aws.com + # -- Sets the storage class volume binding mode + volumeBindingMode: WaitForFirstConsumer + # -- Sets the storage class parameters + parameters: + # -- Sets the filesystem type for the storage class + csi.storage.k8s.io/fstype: xfs + # -- Sets the type of the storage class + type: io1 + # -- Sets the IOPS per GB for the storage + iopsPerGB: "50" + # -- Sets if the storage is encrypted + encrypted: "true" + # -- Sets the allowed toplogies, for eg. the zone where the storage class will be created in. + allowedTopologies: - matchLabelExpressions: - key: topology.ebs.csi.aws.com/zone values: - us-east-1 -## @param networkPolicy this defines if the network policy restrictions are enforced. -## Few limitations: -## FQDNs Egress restrictions -## TODO. Enforce Ingress only to some pods -## +# -- Sets if the network policy restrictions are enforced. networkPolicy: - ## @param networkPolicy.enabled this enables or disables the network policy - enabled: false + # -- networkPolicy.enabled this enables or disables the network policy + enabled: true + logging: true + # -- networkPolicy.installCalico this enables or disables automatic installation of Calico + installCalico: false -## @param managementApp this defines all the configurations related to the management app -## +# -- Sets all the configurations related to the management app managementApp: - ## @param managementApp.memberId this defines the id of the member deploying the enclave - ## + # -- Sets the id of the member deploying the enclave memberId: - ## @param managementApp.endpoint this defines the endpoint where the management app is available. 
- ## - endpoint: - ## @param managementApp.endpoint.protocol this defines the protocol used to access the management app - ## - protocol: https - ## @param managementApp.endpoint.host this defines the host where the management app is available - ## This value is required - host: app.safeinsights.org - ## @param managementApp.endpoint.port this defines the port where the management app is available - ## - port: 443 - ## @param managementApp.privateKey this defines the private key of the member deploying the enclave - ## - privateKey: - ## @param managementApp.privateKey.secretName this defines the name of the secret containing the private key - secretName: management-app-secret - ## @param managementApp.privateKey.key this defines the key of the private key in the secret - key: private-key - -## @param setupApp this defines the setup app configuration -## + # -- Sets the endpoint where the management app is available. + endpoint: https://app.safeinsights.org +# -- Sets the setup app configuration setupApp: - ## @param setupApp.enabled this defines if the setup app should be deployed - ## + # -- Sets if the setup app should be deployed enabled: true - ## @param setupApp.name this defines the name of the deployment and containers for the setup app - ## + # -- Sets the name of the deployment and containers for the setup app name: setup-app - ## @param setupApp.serviceAccount this defines the service account used by setup account to manage the research container and also access the Kubernetes API - ## + # -- Sets the service account used by setup account to manage the research container and also access the Kubernetes API serviceAccount: annotations: kubernetes.io/enforce-mountable-secrets: "true" - ## @param setupApp.persistence this defines the persistence configuration for the setup app. - ## + # -- Sets the persistence configuration for the setup app. 
persistence: - ## @param setupApp.persistence.enabled this defines if the persistence should be enabled during the deployment - ## - enabled: false - ## @param setupApp.persistence.storageClassName this defines the storageClassName used for the persitence - ## - storageClassName: aws-ebs-sc - ## @param setupApp.persistence.pvcSize this defines the size set for the the persitence - ## - pvcSize: 1Gi - ## @param setupApp.persistence.accessModes this defines the access modes used for the persitence - ## - accessModes: + # -- Sets if the persistence should be enabled during the deployment + enabled: false + # -- Sets the storageClassName used for the persitence + storageClassName: aws-ebs-sc + # -- Sets the size set for the the persitence + pvcSize: 1Gi + # -- Sets the access modes used for the persitence + accessModes: - ReadWriteOnce - ## @param setupApp.service this defines the service on which the setup App will be accessible - ## + # -- Sets the service on which the setup App will be accessible service: - ## @param setupApp.service.type this defines the service type - ## - type: ClusterIP - ## @param setupApp.service.protocol this defines the service protocol - ## - protocol: TCP - ## @param setupApp.service.port this defines the service external port - ## - port: 5051 - ## @param setupApp.service.targetPort this defines the container internal port that the service redirects to. - ## - targetPort: 5051 - ## @param setupApp.image this defines the image configuration for the setup app - ## + # -- Sets the service type + type: ClusterIP + # -- Sets the service protocol + protocol: TCP + # -- Sets the service external port + port: 5051 + # -- Sets the container internal port that the service redirects to. 
+ targetPort: 5051 + # -- Sets the image configuration for the setup app image: - ## @param setupApp.image.registry this defines the image registry - ## - registry: harbor.safeinsights.org/safeinsights-public - ## @param setupApp.image.repository this defines the image repository - ## - repository: setup-app - ## @param setupApp.image.tag this defines the image tag - ## - tag: 20250922-c171d87a - ## @param setupApp.image.pullPolicy this defines the image pull policy - ## - pullPolicy: Always - ## @param setupApp.workingDir this defines the working directory inside the setup app container - ## + # -- Sets the image registry + registry: harbor.safeinsights.org/safeinsights-public + # -- Sets the image repository + repository: setup-app + # -- Sets the image tag + tag: 20251006-e1ccae88 + # -- Sets the image pull policy + pullPolicy: Always + # -- Sets the working directory inside the setup app container workingDir: /home/node/code - ## @param setupApp.command this defines the command to start the setup app container - ## + # -- Sets the command to start the setup app container command: ["npx", "tsx", "src/scripts/poll.ts"] - ## @param setupApp.environmentVariables this defines the setup app environment variables - ## + # -- Sets the setup app environment variables environmentVariables: - ## @param setupApp.environmentVariables.k8sApiServer this defines the Kubernetes API endpoint - ## - k8sApiServer: https://kubernetes.default.svc.cluster.local - ## @param setupApp.environmentVariables.k8sServiceAccountPath this defines the setup app service account secret mounting path - ## - k8sServiceAccountPath: /var/run/secrets/kubernetes.io/serviceaccount - ## @param setupApp.environmentVariables.harborPullSecret this configures the pull secret from harbor - ## - harborPullSecret: si-docker-config - ## @param setupApp.environmentVariables.toaApiIUrl this defines the trusted output app endpoint - ## - toaApiIUrl: http://toa-svc:5050 - ## @param 
setupApp.environmentVariables.pollIntervall this overrides the setup app polling interval - ## - pollIntervall: "60000" -## @param trustedOutputApp this defines the trusted output app configuration -## + # -- setupApp.environmentVariables.harborPullSecret this configures the pull secret from harbor + harborPullSecret: si-docker-config + # -- setupApp.environmentVariables.pollIntervall this overrides the setup app polling interval + pollIntervall: "60000" +# -- Sets the trusted output app configuration trustedOutputApp: - ## @param trustedOutputApp.enabled this defines if the trusted output app should be deployed - ## + # -- Sets if the trusted output app should be deployed enabled: true - ## @param trustedOutputApp.name this defines the name of the deployment and containers for the trusted output app - ## + # -- Sets the name of the deployment and containers for the trusted output app name: toa - ## @param trustedOutputApp.persistence this defines the persistence configuration for the trusted output app. - ## + # -- Sets the persistence configuration for the trusted output app. 
persistence: - ## @param trustedOutputApp.persistence.enabled this defines if the persistence should be enabled during the deployment - ## - enabled: false - ## @param trustedOutputApp.persistence.storageClassName this defines the storageClassName used for the persitence - ## - storageClassName: aws-ebs - ## @param trustedOutputApp.persistence.pvcSize this defines the size set for the the persitence - ## - pvcSize: 1Gi - ## @param trustedOutputApp.persistence.accessModes this defines the access modes used for the persitence - ## - accessModes: + # -- Sets if the persistence should be enabled during the deployment + enabled: false + # -- Sets the storageClassName used for the persitence + storageClassName: aws-ebs + # -- Sets the size set for the the persitence + pvcSize: 1Gi + # -- Sets the access modes used for the persitence + accessModes: - ReadWriteOnce - ## @param trustedOutputApp.service this defines the service on which the trusted output App will be accessible - ## + # -- Sets the service on which the trusted output App will be accessible service: - ## @param trustedOutputApp.service.type this defines the service type - ## - type: ClusterIP - ## @param trustedOutputApp.service.protocol this defines the service protocol - ## - protocol: TCP - ## @param trustedOutputApp.service.port this defines the service external port - ## - port: 5050 - ## @param trustedOutputApp.service.targetPort this defines the container internal port that the service redirects to. - ## - targetPort: 3002 - ## @param trustedOutputApp.image this defines the image configuration for the trusted output app - ## + # -- Sets the service type + type: ClusterIP + # -- Sets the service protocol + protocol: TCP + # -- Sets the service external port + port: 5050 + # -- Sets the container internal port that the service redirects to. 
+ targetPort: 3002 + # -- Sets the image configuration for the trusted output app image: - ## @param trustedOutputApp.image.registry this defines the image registry - ## - registry: harbor.safeinsights.org/safeinsights-public - ## @param trustedOutputApp.image.repository this defines the image repository - ## - repository: trusted-output-app - ## @param trustedOutputApp.image.tag this defines the image tag - ## - tag: 20250728-a5d087fc - ## @param trustedOutputApp.image.pullPolicy this defines the image pull policy - ## - pullPolicy: Always - ## @param trustedOutputApp.workingDir this defines the working directory inside the setup app container - ## + # -- Sets the image registry + registry: harbor.safeinsights.org/safeinsights-public + # -- Sets the image repository + repository: trusted-output-app + # -- Sets the image tag + tag: 20250728-a5d087fc + # -- Sets the image pull policy + pullPolicy: Always + # -- Sets the working directory inside the setup app container workingDir: /home/node/app - ## @param trustedOutputApp.command this defines the command to start the trusted output app container - ## + # -- Sets the command to start the trusted output app container command: ["npm", "run", "start"] - ## @param trustedOutputApp.environmentVariables this defines the trusted outptu app environment variables - ## - environmentVariables: - ## @param setupApp.environmentVariables.httpBasicAuth this defines the basic authentication for the trusted output app connection - ## - httpBasicAuth: admin:admin -## @param researchContainer this defines the research container app configuration +# -- Sets the research container app configuration ## researchContainer: - ## @param researchContainer.name this defines the name of the jobs and containers for the research - ## + # -- Sets the name of the jobs and containers for the research name: research -# This is for setting Kubernetes Annotations to a Pod. +# -- This is for setting Kubernetes Annotations to a Pod. 
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} -# This is for setting Kubernetes Labels to a Pod. +# -- This is for setting Kubernetes Labels to a Pod. # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} @@ -251,33 +158,6 @@ podSecurityContext: {} # fsGroup: 2000 -securityContext: - {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ -ingress: - enabled: false - className: "" - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
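Review bot: the first values.yaml hunk flips `networkPolicy.enabled` to `true` (with `logging: true`) while introducing `installCalico: false`, and the policies now use `apiVersion: crd.projectcalico.org/v1`, so a default install on a cluster without Calico fails on an unknown kind; nothing in this patch reads `installCalico`. Either keep `enabled: false` by default, or wire `installCalico` up and state the Calico prerequisite in the README. The helm-docs migration is also uneven: `networkPolicy.enabled`, `harborPullSecret` and `pollIntervall` keep the old `<key> this ...` wording after `# --`, `logging` has no comment at all, `managementApp.endpoint` changes shape from object to string without mention, and the typos `toplogies` and `the the persitence` are carried into the new lines.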
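Review bot: the `@@ -251,33` hunk deletes the `securityContext` block and with it the only hardening hints the chart carried (`drop: [ALL]`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `runAsUser`). For a chart whose purpose is an enclave, those values should be uncommented and rendered into both deployments rather than removed; if the deployments never consumed `.Values.securityContext`, that is the gap to close. Dropping the unused `ingress` scaffold is fine.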
@@ -290,57 +170,8 @@ resources: cpu: 100m memory: 128Mi -# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ -livenessProbe: - httpGet: - path: / - port: http -readinessProbe: - httpGet: - path: / - port: http - -# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/ -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# Additional volumes on the output Deployment definition. -volumes: [] -# - name: foo -# secret: -# secretName: mysecret -# optional: false - -# Additional volumeMounts on the output Deployment definition. -volumeMounts: [] -# - name: foo -# mountPath: "/etc/foo" -# readOnly: true - nodeSelector: {} - # kubernetes.io/os: linux -# -- Affinity rules for scheduling the pod. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: karpenter.sh/nodepool - operator: DoesNotExist - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" -# -- Topology spread constraints to increase the controller resilience by distributing pods across the cluster zones. If an explicit label selector is not provided one will be created from the pod selector labels. -topologySpreadConstraints: - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: DoNotSchedule -# -- Tolerations to allow the pod to be scheduled to nodes with taints. -tolerations: - - key: CriticalAddonsOnly - operator: Exists +# This is for setting Kubernetes Pod Affinity rules. 
+# For more information checkout: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +podAffinity: {} diff --git a/test-values.yaml b/test-values.yaml new file mode 100644 index 0000000..7113ec8 --- /dev/null +++ b/test-values.yaml 
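Review bot: in the values.yaml hunk `@@ -290,57 +170,8 @@`, the `affinity`, `topologySpreadConstraints` and `tolerations` keys are replaced by a single empty `podAffinity: {}`, which is a key rename as well as a removal; any template still reading `.Values.affinity` or `.Values.tolerations` will silently render nothing, so the templates need to change in the same commit. The hunk also drops `livenessProbe`/`readinessProbe`, `autoscaling`, `volumes` and `volumeMounts` without replacement, so pods will no longer be health-checked or restarted on failure; if that is intended for this chart, say so in the commit message, otherwise keep at least the two probes.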
@@ -0,0 +1,252 @@ +# Default values for secure-enclave. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# This is to override the chart name. +nameOverride: "" +fullnameOverride: "" + +## @param aws this defines the values configured when deployed on AWS. +## +aws: + ## @param aws.enabled this defines if AWS configurations are enabled. + ## + enabled: false + ## @param aws.storageClass this defines the storage class used for the deployment + ## + storageClass: + ## @param aws.storageClass.name this defines the name of the storage class + ## + name: aws-ebs-sc + ## @param aws.storageClass.provisioner this defines the storage class provisioner + ## + provisioner: ebs.csi.aws.com + ## @param aws.storageClass.volumeBindingMode this defines the storage class volume binding mode + ## + volumeBindingMode: WaitForFirstConsumer + ## @param aws.storageClass.parameters this defines the storage class parameters + ## + parameters: + ## @param aws.storageClass.parameters.csi.storage.k8s.io/fstype this defines the filesystem type for the storage class + ## + csi.storage.k8s.io/fstype: xfs + ## @param aws.storageClass.parameters.type this defines the type of the storage class + ## + type: io1 + ## @param aws.storageClass.parameters.iopsPerGB this defines the IOPS per GB for the storage + ## + iopsPerGB: "50" + ## @param aws.storageClass.parameters.encrypted this defines if the storage is encrypted + ## + encrypted: "true" + ## @params aws.storageClass.allowedTopologies this defines the allowed toplogies, for eg. the zone where the storage class will be created in. + ## + allowedTopologies: + - matchLabelExpressions: + - key: topology.ebs.csi.aws.com/zone + values: + - us-east-1 + +## @param networkPolicy this defines if the network policy restrictions are enforced. +## Few limitations: +## FQDNs Egress restrictions +## TODO. 
Enforce Ingress only to some pods +## +networkPolicy: + ## @param networkPolicy.enabled this enables or disables the network policy + enabled: true + logging: true + +## @param managementApp this defines all the configurations related to the management app +## +managementApp: + ## @param managementApp.memberId this defines the id of the member deploying the enclave + ## + memberId: k8s + + ## @param managementApp.endpoint this defines the endpoint where the management app is available. + ## + endpoint: https://app.qa.safeinsights.org +## @param setupApp this defines the setup app configuration +## +setupApp: + ## @param setupApp.enabled this defines if the setup app should be deployed + ## + enabled: true + ## @param setupApp.name this defines the name of the deployment and containers for the setup app + ## + name: setup-app + ## @param setupApp.serviceAccount this defines the service account used by setup account to manage the research container and also access the Kubernetes API + ## + serviceAccount: + annotations: + kubernetes.io/enforce-mountable-secrets: "true" + ## @param setupApp.persistence this defines the persistence configuration for the setup app. 
+ ## + persistence: + ## @param setupApp.persistence.enabled this defines if the persistence should be enabled during the deployment + ## + enabled: false + ## @param setupApp.persistence.storageClassName this defines the storageClassName used for the persitence + ## + storageClassName: aws-ebs-sc + ## @param setupApp.persistence.pvcSize this defines the size set for the the persitence + ## + pvcSize: 1Gi + ## @param setupApp.persistence.accessModes this defines the access modes used for the persitence + ## + accessModes: + - ReadWriteOnce + ## @param setupApp.service this defines the service on which the setup App will be accessible + ## + service: + ## @param setupApp.service.type this defines the service type + ## + type: ClusterIP + ## @param setupApp.service.protocol this defines the service protocol + ## + protocol: TCP + ## @param setupApp.service.port this defines the service external port + ## + port: 5051 + ## @param setupApp.service.targetPort this defines the container internal port that the service redirects to. 
+ ## + targetPort: 5051 + ## @param setupApp.image this defines the image configuration for the setup app + ## + image: + ## @param setupApp.image.registry this defines the image registry + ## + registry: harbor.safeinsights.org/safeinsights-public + ## @param setupApp.image.repository this defines the image repository + ## + repository: setup-app + ## @param setupApp.image.tag this defines the image tag + ## + tag: 20251006-e1ccae88 + ## @param setupApp.image.pullPolicy this defines the image pull policy + ## + pullPolicy: Always + ## @param setupApp.workingDir this defines the working directory inside the setup app container + ## + workingDir: /home/node/code + ## @param setupApp.command this defines the command to start the setup app container + ## + command: ["npx", "tsx", "src/scripts/poll.ts"] + ## @param setupApp.environmentVariables this defines the setup app environment variables + ## + environmentVariables: + ## @param setupApp.environmentVariables.harborPullSecret this configures the pull secret from harbor + ## + harborPullSecret: si-docker-config + ## @param setupApp.environmentVariables.pollIntervall this overrides the setup app polling interval + ## + pollIntervall: "60000" +## @param trustedOutputApp this defines the trusted output app configuration +## +trustedOutputApp: + ## @param trustedOutputApp.enabled this defines if the trusted output app should be deployed + ## + enabled: true + ## @param trustedOutputApp.name this defines the name of the deployment and containers for the trusted output app + ## + name: toa + ## @param trustedOutputApp.persistence this defines the persistence configuration for the trusted output app. 
+ ## + persistence: + ## @param trustedOutputApp.persistence.enabled this defines if the persistence should be enabled during the deployment + ## + enabled: false + ## @param trustedOutputApp.persistence.storageClassName this defines the storageClassName used for the persitence + ## + storageClassName: aws-ebs + ## @param trustedOutputApp.persistence.pvcSize this defines the size set for the the persitence + ## + pvcSize: 1Gi + ## @param trustedOutputApp.persistence.accessModes this defines the access modes used for the persitence + ## + accessModes: + - ReadWriteOnce + ## @param trustedOutputApp.service this defines the service on which the trusted output App will be accessible + ## + service: + ## @param trustedOutputApp.service.type this defines the service type + ## + type: ClusterIP + ## @param trustedOutputApp.service.protocol this defines the service protocol + ## + protocol: TCP + ## @param trustedOutputApp.service.port this defines the service external port + ## + port: 5050 + ## @param trustedOutputApp.service.targetPort this defines the container internal port that the service redirects to. 
+ ## + targetPort: 3002 + ## @param trustedOutputApp.image this defines the image configuration for the trusted output app + ## + image: + ## @param trustedOutputApp.image.registry this defines the image registry + ## + registry: harbor.safeinsights.org/safeinsights-public + ## @param trustedOutputApp.image.repository this defines the image repository + ## + repository: trusted-output-app + ## @param trustedOutputApp.image.tag this defines the image tag + ## + tag: 20250728-a5d087fc + ## @param trustedOutputApp.image.pullPolicy this defines the image pull policy + ## + pullPolicy: Always + ## @param trustedOutputApp.workingDir this defines the working directory inside the setup app container + ## + workingDir: /home/node/app + ## @param trustedOutputApp.command this defines the command to start the trusted output app container + ## + command: ["npm", "run", "start"] + ## @param trustedOutputApp.environmentVariables this defines the trusted outptu app environment variables + ## + environmentVariables: + ## @param setupApp.environmentVariables.httpBasicAuth this defines the basic authentication for the trusted output app connection + ## + httpBasicAuth: admin:admin +## @param researchContainer this defines the research container app configuration +## +researchContainer: + ## @param researchContainer.name this defines the name of the jobs and containers for the research + ## + name: research + +# This is for setting Kubernetes Annotations to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +# This is for setting Kubernetes Labels to a Pod. 
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +podSecurityContext: + {} + # fsGroup: 2000 + +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + +nodeSelector: + {} diff --git a/tools/harbor-login b/tools/harbor-login index fd10dd5..399b054 100755 --- a/tools/harbor-login +++ b/tools/harbor-login @@ -11,9 +11,19 @@ fail() { exit 1 } DOCKER_AUTH_FILE="$1" -HARBOR_USERNAME=$(jq -r ".username" "$DOCKER_AUTH_FILE") -HARBOR_PASSWORD=$(jq -r ".password" "$DOCKER_AUTH_FILE") +if [[ ! -r "$DOCKER_AUTH_FILE" ]]; then + echo "Cannot read file: $DOCKER_AUTH_FILE" >&2 + exit 1 +fi +HARBOR_USERNAME=$(jq -r ".name" "$DOCKER_AUTH_FILE") +HARBOR_PASSWORD=$(jq -r ".secret" "$DOCKER_AUTH_FILE") SERVER_ENDPOINT=$(jq -r ".serveraddress" "$DOCKER_AUTH_FILE") +for var in HARBOR_USERNAME HARBOR_PASSWORD SERVER_ENDPOINT; do + if [[ -z "${!var:-}" || "${!var}" == "null" ]]; then + echo "Error: $var is missing or empty" >&2 + exit 1 + fi +done NAMESPACE="${NAMESPACE:-default}" K8S_SECRET="${K8S_SECRET:-si-docker-config}" SETUP_APP_SA="${SETUP_APP_SA:-setup-app-sa}"
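Review bot: in the new test-values.yaml, `httpBasicAuth: admin:admin` under `trustedOutputApp.environmentVariables` commits a default username:password into the repository; even in a test values file, replace it with a reference to a Kubernetes Secret (as `harborPullSecret: si-docker-config` already does for the registry) or an obviously invalid placeholder, and have the template fail to render when the value is left at the default. Smaller points in the same hunk: the `@param` comment for that key is labelled `setupApp.environmentVariables.httpBasicAuth` although it sits under `trustedOutputApp`; `trustedOutputApp.persistence.storageClassName: aws-ebs` does not match `aws.storageClass.name: aws-ebs-sc` that `setupApp.persistence` uses; `allowedTopologies` matches `topology.ebs.csi.aws.com/zone` against `us-east-1`, which is a region name rather than an availability zone; and `pollIntervall`, `persitence`, `outptu`, `toplogies` and `@params` are typos that will surface in generated docs (renaming the `pollIntervall` key itself needs a compatibility note for existing values files).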
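Review bot: in the tools/harbor-login hunk `@@ -11,9 +11,19 @@`, switching the jq lookups from `.username`/`.password` to `.name`/`.secret` changes the expected format of the auth file, and the new null-check loop will reject every file written in the old format with `Error: HARBOR_USERNAME is missing or empty`, which hides the real cause; either accept both key sets (for example `jq -r '.name // .username'`) or document the new format and name it in the error message. The `-r` readability check and the `null` guard are good additions, but both new checks use `echo ... >&2` followed by `exit 1` instead of the script's existing `fail` helper shown in the context lines; use `fail` for consistency. The `${!var:-}` indirection requires bash, which matches the `[[ ]]` tests already in the script.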