From 5bd97549d2373f3e33c5c7e227f555317686ca72 Mon Sep 17 00:00:00 2001
From: Kalin Daskalov <kalin.daskalov@vereign.com>
Date: Wed, 31 Jan 2024 18:20:45 +0200
Subject: [PATCH] remove istio helm templates and add integration in _helpers.tpl

---
 README.md | 14 +++++++++++
 deployment/helm/.helmignore | 24 +++++++++++++++++++
 deployment/helm/Chart.yaml | 4 ++--
 deployment/helm/templates/_helpers.tpl | 11 +++++++++
 .../templates/argocd/argo-application.yaml | 0
 .../helm/templates/argocd/argo-project.yaml | 0
 deployment/helm/templates/deployment.yaml | 11 +++++++--
 .../templates/istio/autorization-rules.yaml | 18 --------------
 deployment/helm/templates/istio/gateway.yaml | 15 ------------
 .../helm/templates/istio/virtual-service.yaml | 16 -------------
 deployment/helm/values.yaml | 12 ++++++++--
 11 files changed, 70 insertions(+), 55 deletions(-)
 create mode 100644 deployment/helm/.helmignore
 delete mode 100644 deployment/helm/templates/argocd/argo-application.yaml
 delete mode 100644 deployment/helm/templates/argocd/argo-project.yaml
 delete mode 100644 deployment/helm/templates/istio/autorization-rules.yaml
 delete mode 100644 deployment/helm/templates/istio/gateway.yaml
 delete mode 100644 deployment/helm/templates/istio/virtual-service.yaml

diff --git a/README.md b/README.md
index bd917fb..84c1c17 100644
--- a/README.md
+++ b/README.md
@@ -119,6 +119,20 @@ SIGNER_ADDR=https://{{SIGNER_ADDRESS}} go test
 
 [Dependencies](go.mod)
 
+## Deployment
+
+### Helm
+
+#### Istio intergration
+
+Optional Istio integration is done the following way in the `values.yaml` file:
+
+```yaml
+istio:
+ injection:
+ pod: true
+```
+
 ## License
 
 [Apache 2.0 license](LICENSE)
diff --git a/deployment/helm/.helmignore b/deployment/helm/.helmignore
new file mode 100644
index 0000000..898df48
--- /dev/null
+++ b/deployment/helm/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/deployment/helm/Chart.yaml b/deployment/helm/Chart.yaml
index e8bebd2..eea70db 100644
--- a/deployment/helm/Chart.yaml
+++ b/deployment/helm/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: v1.0.7
+appVersion: v1.1.1
 description: signer deployment
 name: signer
-version: 1.0.7
+version: 1.1.1
diff --git a/deployment/helm/templates/_helpers.tpl b/deployment/helm/templates/_helpers.tpl
index 6955ccb..a0429b9 100644
--- a/deployment/helm/templates/_helpers.tpl
+++ b/deployment/helm/templates/_helpers.tpl
@@ -40,6 +40,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
 {{/*
+Istio labels
+*/}}
+{{- define "app.istioLabels" -}}
+{{- if ((.Values.istio).injection).pod -}}
+sidecar.istio.io/inject: "true"
+{{- else if eq (((.Values.istio).injection).pod) false -}}
+sidecar.istio.io/inject: "false"
+{{- end -}}
+{{- end -}}
+{{/*
+
 Selector labels
 */}}
 {{- define "app.selectorLabels" -}}
diff --git a/deployment/helm/templates/argocd/argo-application.yaml b/deployment/helm/templates/argocd/argo-application.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/deployment/helm/templates/argocd/argo-project.yaml b/deployment/helm/templates/argocd/argo-project.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/deployment/helm/templates/deployment.yaml b/deployment/helm/templates/deployment.yaml
index 4ea1a70..21e82c0 100644
--- a/deployment/helm/templates/deployment.yaml
+++ b/deployment/helm/templates/deployment.yaml
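Review bot: The `else if eq (((.Values.istio).injection).pod) false` branch in `app.istioLabels` is evaluated whenever the first test is falsy, which includes the value being entirely unset, so it ends up comparing nil with a bool; older Go template engines rejected that with `incompatible types for comparison`, so rendering with no `istio` block in values may fail depending on the Go version the Helm binary was built with — worth confirming with `helm template` and an empty `istio` value. If the intent is to emit the label only when the user set an explicit boolean, `{{- else if kindIs "bool" (((.Values.istio).injection).pod) -}}` expresses that without a nil comparison. The added lines also appear to leave an empty line inside the `Selector labels` comment (`+{{/*` followed by an empty added line); harmless in a template comment but likely unintended. A one-line contract in the `Istio labels` comment would help the next maintainer, e.g. `Emits sidecar.istio.io/inject only when istio.injection.pod is set to a boolean; unset leaves injection to the namespace policy.`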
@@ -7,6 +7,7 @@ metadata:
 {{- include "app.labels" . | nindent 4 }}
 app.kubernetes.io/instance: {{ include "app.revision" . }}
 app.kubernetes.io/part-of: rse
+ {{ include "app.istioLabels" . | nindent 4 }}
 spec:
 replicas: {{ .Values.replicaCount }}
 strategy:
@@ -54,10 +55,16 @@ spec:
 value: {{ .Values.signer.vault.addr | quote }}
 {{- if .Values.signer.vault.token }}
 - name: VAULT_TOKEN
- value: {{ .Values.signer.vault.token | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.signer.vault.token.secretName }}
+ key: {{ .Values.signer.vault.token.key }}
 {{- end }}
 - name: VAULT_SIGNING_KEY
- value: {{ .Values.signer.vault.key.signing | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.signer.vault.key.signing.secretName }}
+ key: {{ .Values.signer.vault.key.signing.key }}
 - name: VAULT_SUPPORTED_KEYS
 value: {{ .Values.signer.vault.key.supported | quote }}
 - name: CREDENTIAL_ISSUER
diff --git a/deployment/helm/templates/istio/autorization-rules.yaml b/deployment/helm/templates/istio/autorization-rules.yaml
deleted file mode 100644
index 9800b2d..0000000
--- a/deployment/helm/templates/istio/autorization-rules.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# templates/istio/authorization-rules.yaml
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: { { include "my_chart.fullname" . } }
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: { { include "my_chart.name" . } }
- app.kubernetes.io/instance: { { .Release.Name } }
- action: ALLOW
- rules:
- - from:
- - source:
- principals: ["cluster.local/ns/default/sa/default"]
- to:
- - operation:
- methods: ["GET"]
diff --git a/deployment/helm/templates/istio/gateway.yaml b/deployment/helm/templates/istio/gateway.yaml
deleted file mode 100644
index 65dfaa3..0000000
--- a/deployment/helm/templates/istio/gateway.yaml
+++ /dev/null
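Review bot: The `app.istioLabels` include is placed in the Deployment's own `metadata.labels` (the hunk sits under `metadata:` and is followed directly by `spec:`), but Istio's sidecar injector reads `sidecar.istio.io/inject` from the Pod, i.e. it has to be under `spec.template.metadata.labels`; unless the pod template, which is outside this hunk, also includes the helper, the new `istio.injection.pod` value will not influence injection at all. The line also drops the `{{-` left-trim that the neighbouring `app.labels` include uses, so when the helper renders nothing an indented empty line is emitted; `{{- include "app.istioLabels" . | nindent 4 }}` keeps the output consistent with the line above it.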
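Review bot: `{{- if .Values.signer.vault.token }}` now guards on a map rather than a string, so with the shipped `values.yaml` it is always truthy and the only way to omit `VAULT_TOKEN` is to set `token` to `null`; testing `.Values.signer.vault.token.secretName` instead keeps the old opt-out behaviour. Neither `secretName` nor `key` is quoted or validated, so an empty value renders `name:` with nothing after it and the mistake only surfaces as a `CreateContainerConfigError` when the pod starts; `name: {{ required "signer.vault.token.secretName is required" .Values.signer.vault.token.secretName | quote }}` fails at render time with a readable message, and the `VAULT_SIGNING_KEY` block below has the same gap. Moving the token and signing-key material from `value:` to `secretKeyRef` is the right direction, since it keeps both out of rendered manifests and Helm release history.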
@@ -1,15 +0,0 @@
-# templates/istio/gateway.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: my-chart-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
diff --git a/deployment/helm/templates/istio/virtual-service.yaml b/deployment/helm/templates/istio/virtual-service.yaml
deleted file mode 100644
index 28307d4..0000000
--- a/deployment/helm/templates/istio/virtual-service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# templates/istio/virtual-service.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: { { include "my_chart.fullname" . } }
-spec:
- hosts:
- - "*"
- gateways:
- - my-chart-gateway
- http:
- - route:
- - destination:
- host: { { include "my_chart.fullname" . } }
- port:
- number: 80
diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
index 0fe5900..672a8ab 100644
--- a/deployment/helm/values.yaml
+++ b/deployment/helm/values.yaml
@@ -73,12 +73,17 @@ signer:
 idle: 120s
 read: 10s
 write: 10s
+
 vault:
 addr: http://vault:8200
- token: token
+ token:
+ secretName: vault-token
+ key: token
 key:
- signing: key1
 supported: "ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521,rsa-2048"
+ signing:
+ secretName: vault-signing-key
+ key: signing-key
 
 credential:
 issuer: "did:web:tsa.xfsc.dev:tsa:policy:policy:example:returnDID:1.0:evaluation"
@@ -91,3 +96,6 @@ ingress:
 frontendDomain: tsa.xfsc.dev
 frontendTlsSecretName: cert-manager-tls
 
+istio:
+ injection:
+ pod: true
-- GitLab
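Review bot: The new defaults `vault-token` and `vault-signing-key` name Secrets that nothing in this patch creates, so a fresh install renders a Deployment whose pods stay in `CreateContainerConfigError` until both Secrets exist in the release namespace; the README hunk documents the Istio toggle but says nothing about this prerequisite. A comment above `vault:` such as `# secretName/key reference Secrets that must exist before install; the chart does not create them` plus a matching README sentence would make the contract explicit. `istio.injection.pod: true` as the shipped default also requests a sidecar for every consumer of the chart, while the README describes the integration as optional; defaulting to `false` (or leaving the key absent) lets an unmodified install behave as before and makes the opt-in deliberate.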