remove istio helm templates and add integration in _helpers.tpl

5bd97549 · Kalin Daskalov · 590c90ca · 5bd97549 · 5bd97549 · 5bd97549
Commit 5bd97549 authored 1 year ago by Kalin Daskalov
--- a/README.md
+++ b/README.md
@@ -119,6 +119,20 @@ SIGNER_ADDR=https://{{SIGNER_ADDRESS}} go test

 [Dependencies](go.mod)

+## Deployment
+
+### Helm
+
+#### Istio intergration
+
+Optional Istio integration is done the following way in the `values.yaml` file:
+
+```yaml
+istio:
+  injection:
+    pod: true
+```
+
 ## License

 [Apache 2.0 license](LICENSE)
--- a/deployment/helm/.helmignore
+++ b/deployment/helm/.helmignore
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
--- a/deployment/helm/Chart.yaml
+++ b/deployment/helm/Chart.yaml
 apiVersion: v1
-appVersion:  v1.0.7
+appVersion:  v1.1.1
 description: signer deployment
 name: signer
-version: 1.0.7
+version: 1.1.1
--- a/deployment/helm/templates/_helpers.tpl
+++ b/deployment/helm/templates/_helpers.tpl
@@ -40,6 +40,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}

 {{/*
+Istio labels
+*/}}
+{{- define "app.istioLabels" -}}
+{{- if ((.Values.istio).injection).pod -}}
+sidecar.istio.io/inject: "true"
+{{- else if eq (((.Values.istio).injection).pod) false -}}
+sidecar.istio.io/inject: "false"
+{{- end -}}
+{{- end -}}
+{{/*
+
 Selector labels
 */}}
 {{- define "app.selectorLabels" -}}

--- a/deployment/helm/templates/argocd/argo-application.yaml
+++ b/deployment/helm/templates/argocd/argo-application.yaml
--- a/deployment/helm/templates/argocd/argo-project.yaml
+++ b/deployment/helm/templates/argocd/argo-project.yaml
--- a/deployment/helm/templates/deployment.yaml
+++ b/deployment/helm/templates/deployment.yaml
@@ -7,6 +7,7 @@ metadata:
    {{- include "app.labels" . | nindent 4 }}
    app.kubernetes.io/instance: {{ include "app.revision" . }}
    app.kubernetes.io/part-of: rse
+    {{ include "app.istioLabels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
@@ -54,10 +55,16 @@ spec:
            value: {{ .Values.signer.vault.addr | quote }}
          {{- if .Values.signer.vault.token }}
          - name: VAULT_TOKEN
-            value: {{ .Values.signer.vault.token | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.signer.vault.token.secretName }}
+                key: {{ .Values.signer.vault.token.key }}
          {{- end }}
          - name: VAULT_SIGNING_KEY
-            value: {{ .Values.signer.vault.key.signing | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.signer.vault.key.signing.secretName }}
+                key: {{ .Values.signer.vault.key.signing.key }}
          - name: VAULT_SUPPORTED_KEYS
            value: {{ .Values.signer.vault.key.supported | quote }}
          - name: CREDENTIAL_ISSUER

--- a/deployment/helm/templates/istio/autorization-rules.yaml
+++ b/deployment/helm/templates/istio/autorization-rules.yaml
-# templates/istio/authorization-rules.yaml
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: { { include "my_chart.fullname" . } }
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: { { include "my_chart.name" . } }
-      app.kubernetes.io/instance: { { .Release.Name } }
-  action: ALLOW
-  rules:
-    - from:
-        - source:
-            principals: ["cluster.local/ns/default/sa/default"]
-      to:
-        - operation:
-            methods: ["GET"]
--- a/deployment/helm/templates/istio/gateway.yaml
+++ b/deployment/helm/templates/istio/gateway.yaml
-# templates/istio/gateway.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-chart-gateway
-spec:
-  selector:
-    istio: ingressgateway
-  servers:
-    - port:
-        number: 80
-        name: http
-        protocol: HTTP
-      hosts:
-        - "*"
--- a/deployment/helm/templates/istio/virtual-service.yaml
+++ b/deployment/helm/templates/istio/virtual-service.yaml
-# templates/istio/virtual-service.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: { { include "my_chart.fullname" . } }
-spec:
-  hosts:
-    - "*"
-  gateways:
-    - my-chart-gateway
-  http:
-    - route:
-        - destination:
-            host: { { include "my_chart.fullname" . } }
-            port:
-              number: 80
--- a/deployment/helm/values.yaml
+++ b/deployment/helm/values.yaml
@@ -73,12 +73,17 @@ signer:
      idle: 120s
      read: 10s
      write: 10s
+
  vault:
    addr: http://vault:8200
-    token: token
+    token:
+      secretName: vault-token
+      key: token
    key:
-      signing: key1
      supported: "ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521,rsa-2048"
+      signing:
+        secretName: vault-signing-key
+        key: signing-key
  credential:
    issuer: "did:web:tsa.xfsc.dev:tsa:policy:policy:example:returnDID:1.0:evaluation"

@@ -91,3 +96,6 @@ ingress:
  frontendDomain: tsa.xfsc.dev
  frontendTlsSecretName: cert-manager-tls

+istio:
+  injection:
+    pod: true