diff --git a/README.md b/README.md index bd917fb456dab00e370590aa6ffa60fe42deebe0..84c1c17465179ccf1d715a5b1d777bf7475c60de 100644 --- a/README.md +++ b/README.md @@ -119,6 +119,20 @@ SIGNER_ADDR=https://{{SIGNER_ADDRESS}} go test [Dependencies](go.mod) +## Deployment + +### Helm + +#### Istio intergration + +Optional Istio integration is done the following way in the `values.yaml` file: + +```yaml +istio: + injection: + pod: true +``` + ## License [Apache 2.0 license](LICENSE) diff --git a/deployment/helm/.helmignore b/deployment/helm/.helmignore new file mode 100644 index 0000000000000000000000000000000000000000..898df48862b94319e7d688373d5768d01a6a0e1f --- /dev/null +++ b/deployment/helm/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + diff --git a/deployment/helm/Chart.yaml b/deployment/helm/Chart.yaml index e8bebd2c9b2e245435f56ea6c9aa2cf028259432..eea70dbb91a4149d7dd21363cec961751713380d 100644 --- a/deployment/helm/Chart.yaml +++ b/deployment/helm/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: v1.0.7 +appVersion: v1.1.1 description: signer deployment name: signer -version: 1.0.7 +version: 1.1.1 diff --git a/deployment/helm/templates/_helpers.tpl b/deployment/helm/templates/_helpers.tpl index 6955ccba19a0e68b2918305e46546f4741fea0aa..a0429b991bf4a4f03bc16fe02ed5f309017ff4c4 100644 --- a/deployment/helm/templates/_helpers.tpl +++ b/deployment/helm/templates/_helpers.tpl 
@@ -40,6 +40,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} {{/* +Istio labels +*/}} +{{- define "app.istioLabels" -}} +{{- if ((.Values.istio).injection).pod -}} +sidecar.istio.io/inject: "true" +{{- else if eq (((.Values.istio).injection).pod) false -}} +sidecar.istio.io/inject: "false" +{{- end -}} +{{- end -}} +{{/* + Selector labels */}} {{- define "app.selectorLabels" -}} diff --git a/deployment/helm/templates/argocd/argo-application.yaml b/deployment/helm/templates/argocd/argo-application.yaml deleted file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000 diff --git a/deployment/helm/templates/argocd/argo-project.yaml b/deployment/helm/templates/argocd/argo-project.yaml deleted file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000 diff --git a/deployment/helm/templates/deployment.yaml b/deployment/helm/templates/deployment.yaml index 4ea1a708c1380cdc92c110dc2f1545ce5b3dffd9..21e82c0ef7d3929c9f2c3d0b0c5d706e155b5476 100644 --- a/deployment/helm/templates/deployment.yaml +++ b/deployment/helm/templates/deployment.yaml @@ -7,6 +7,7 @@ metadata: {{- include "app.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ include "app.revision" . }} app.kubernetes.io/part-of: rse + {{ include "app.istioLabels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} strategy: 
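Review bot: The `else if eq (((.Values.istio).injection).pod) false` branch of the new `app.istioLabels` helper depends on `eq` accepting a nil left operand (the key left unset) against a bool; Go's text/template only returns false there in relatively recent versions and older builds may fail rendering with an incompatible-types error, so the "explicitly false" case is safer and clearer as `{{- else if kindIs "bool" ((.Values.istio).injection).pod -}}`. The `Istio labels` header comment should also state the tri-state contract the helper implements, e.g. `Istio labels: emits sidecar.istio.io/inject "true" or "false" when istio.injection.pod is set; emits nothing when the key is absent so the namespace injection policy applies.` Readers otherwise have to reverse-engineer the two branches to learn that leaving the key out is meaningful.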
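Review bot: The added `{{ include "app.istioLabels" . | nindent 4 }}` lands in the Deployment's own `metadata.labels` (the hunk sits between `metadata:` and `spec: replicas:`), where Istio never looks; sidecar injection is decided from the pod's labels and annotations, so this label has to be emitted under `spec.template.metadata.labels`, which lies outside the hunk. As written, `istio.injection.pod: true` yields a labelled Deployment but unlabelled pods, so injection behaviour does not change at all, and a `pod: false` opt-out in an auto-injection namespace silently does not take effect. Moving the include into the pod template, `{{- include "app.istioLabels" . | nindent 8 }}` next to the pod template labels (indentation to match that block, which presumably uses the selector-labels helper), fixes both; the `{{-` trim also avoids the whitespace-only line this include emits when the helper renders nothing.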
@@ -54,10 +55,16 @@ spec: value: {{ .Values.signer.vault.addr | quote }} {{- if .Values.signer.vault.token }} - name: VAULT_TOKEN - value: {{ .Values.signer.vault.token | quote }} + valueFrom: + secretKeyRef: + name: {{ .Values.signer.vault.token.secretName }} + key: {{ .Values.signer.vault.token.key }} {{- end }} - name: VAULT_SIGNING_KEY - value: {{ .Values.signer.vault.key.signing | quote }} + valueFrom: + secretKeyRef: + name: {{ .Values.signer.vault.key.signing.secretName }} + key: {{ .Values.signer.vault.key.signing.key }} - name: VAULT_SUPPORTED_KEYS value: {{ .Values.signer.vault.key.supported | quote }} - name: CREDENTIAL_ISSUER diff --git a/deployment/helm/templates/istio/autorization-rules.yaml b/deployment/helm/templates/istio/autorization-rules.yaml deleted file mode 100644 index 9800b2de4c0401fd41c2a49ca842cfd7cb905a38..0000000000000000000000000000000000000000 --- a/deployment/helm/templates/istio/autorization-rules.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# templates/istio/authorization-rules.yaml -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: { { include "my_chart.fullname" . } } -spec: - selector: - matchLabels: - app.kubernetes.io/name: { { include "my_chart.name" . } } - app.kubernetes.io/instance: { { .Release.Name } } - action: ALLOW - rules: - - from: - - source: - principals: ["cluster.local/ns/default/sa/default"] - to: - - operation: - methods: ["GET"] diff --git a/deployment/helm/templates/istio/gateway.yaml b/deployment/helm/templates/istio/gateway.yaml deleted file mode 100644 index 65dfaa3545bab83e5064d7f7f7d222d48bdf66e6..0000000000000000000000000000000000000000 --- a/deployment/helm/templates/istio/gateway.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# templates/istio/gateway.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: my-chart-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" 
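Review bot: The `{{- if .Values.signer.vault.token }}` guard kept as context now tests a map instead of a string, so with the shipped defaults it is always true and the only way to drop `VAULT_TOKEN` is to set `signer.vault.token` to `null`; if the token is still meant to be optional, guard on the field actually consumed, `{{- if and .Values.signer.vault.token .Values.signer.vault.token.secretName }}`. The four new `secretKeyRef` fields render unquoted, so `name: {{ .Values.signer.vault.token.secretName | quote }}` (and the same for the other three) keeps a numeric-looking Secret name or data key a string, and wrapping the mandatory signing-key reference in `required "signer.vault.key.signing.secretName is required" ...` turns a missing value into a clear install-time error rather than a `secretKeyRef` with an empty `name:`. Moving the token out of a plain `value:` into a Secret reference is the right direction; since nothing in this diff creates the referenced Secrets, the README should say they must exist before install (the chart's other templates are outside this diff). The enclosing container spec starts and ends outside the hunk.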
diff --git a/deployment/helm/templates/istio/virtual-service.yaml b/deployment/helm/templates/istio/virtual-service.yaml deleted file mode 100644 index 28307d401c7d3232454db523645c09e93977d789..0000000000000000000000000000000000000000 --- a/deployment/helm/templates/istio/virtual-service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# templates/istio/virtual-service.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: { { include "my_chart.fullname" . } } -spec: - hosts: - - "*" - gateways: - - my-chart-gateway - http: - - route: - - destination: - host: { { include "my_chart.fullname" . } } - port: - number: 80 diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml index 0fe5900c966d04f77aeaf3656b91fcc1106c710a..672a8ab29906c82a3dc56710f64bdb85028f23fa 100644 --- a/deployment/helm/values.yaml +++ b/deployment/helm/values.yaml @@ -73,12 +73,17 @@ signer: idle: 120s read: 10s write: 10s + vault: addr: http://vault:8200 - token: token + token: + secretName: vault-token + key: token key: - signing: key1 supported: "ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521,rsa-2048" + signing: + secretName: vault-signing-key + key: signing-key credential: issuer: "did:web:tsa.xfsc.dev:tsa:policy:policy:example:returnDID:1.0:evaluation" @@ -91,3 +96,6 @@ ingress: frontendDomain: tsa.xfsc.dev frontendTlsSecretName: cert-manager-tls +istio: + injection: + pod: true
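Review bot: The new `token.secretName: vault-token` and `signing.secretName: vault-signing-key` defaults point at Secrets that nothing in this diff creates, and the values file carries no comment saying so, so a reader of `values.yaml` will assume the chart provisions them. Unless a Secret template exists elsewhere in the chart, a comment above `vault:` such as `# token and key.signing reference pre-existing Secrets (Secret name + data key); this chart does not create them.` would prevent that. The unchanged `addr: http://vault:8200` default now sits next to a token that is presumably presented to that address, so a one-line comment that the plain-http default is only for cluster-local development and that a TLS endpoint is expected elsewhere would also be worth adding.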
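Review bot: `istio.injection.pod: true` as the shipped default switches the README's "optional" integration on for every install, including clusters without Istio, where the label is inert but misleading. The helper in `_helpers.tpl` distinguishes unset, `true` and `false`, so the natural opt-in default is to leave the key absent and document the three states above `istio:`, e.g. `# injection.pod: omit -> no label, namespace policy applies; true/false -> sidecar.istio.io/inject label with that value.` That comment also spares readers from opening the helper to find out what `pod: false` does.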