From 9fef22cb56339deceb8b622d328f61d2bcfc6b02 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Tue, 5 Apr 2022 17:14:39 -0700
Subject: [PATCH 1/3] [DM-34317] Default to admin auth Also fix a bug in the chart where when this was set. Without removing the following - then it would give this obscure error about converting yaml to json.
---
 charts/sherlock/Chart.yaml | 2 +-
 charts/sherlock/templates/ingress.yaml | 2 +-
 charts/sherlock/values.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/sherlock/Chart.yaml b/charts/sherlock/Chart.yaml
index a2d248a6..de10e83a 100644
--- a/charts/sherlock/Chart.yaml
+++ b/charts/sherlock/Chart.yaml
@@ -3,6 +3,6 @@ appVersion: 0.1.4
 description: A Helm chart for Kubernetes
 name: sherlock
 type: application
-version: 0.1.7
+version: 0.1.8
 maintainers:
 - name: cbanek
diff --git a/charts/sherlock/templates/ingress.yaml b/charts/sherlock/templates/ingress.yaml
index 3f5443e7..dd05da7e 100644
--- a/charts/sherlock/templates/ingress.yaml
+++ b/charts/sherlock/templates/ingress.yaml
@@ -8,7 +8,7 @@ metadata:
 {{- include "sherlock.labels" . | nindent 4 }}
 annotations:
 kubernetes.io/ingress.class: "nginx"
- {{- if .Values.ingress.gafaelfawrAuthQuery -}}
+ {{- if .Values.ingress.gafaelfawrAuthQuery }}
 nginx.ingress.kubernetes.io/auth-method: GET
 nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Token
 nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.ingress.host }}/login"
diff --git a/charts/sherlock/values.yaml b/charts/sherlock/values.yaml
index 92069c09..09d2b04a 100644
--- a/charts/sherlock/values.yaml
+++ b/charts/sherlock/values.yaml
@@ -42,7 +42,7 @@ ingress:
 host: ""
 # -- Gafaelfawr auth query string (default, unauthenticated)
- gafaelfawrAuthQuery: ""
+ gafaelfawrAuthQuery: "scope=exec:admin"
 # -- Additional annotations for the ingress rule
 annotations: {}
From 39752f2fe9e6cf4782e88c9425328c4b956a2074 Mon Sep 17 00:00:00 2001
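Review bot: In charts/sherlock/templates/ingress.yaml the `{{- if .Values.ingress.gafaelfawrAuthQuery }}` guard fails open: an environment that overrides the value with an empty string gets an ingress rendered without any of the `auth-*` annotations, and nothing reports it. If unauthenticated installs are no longer intended, `{{- $q := required "ingress.gafaelfawrAuthQuery must be set" .Values.ingress.gafaelfawrAuthQuery }}` before the annotations would turn that into a render-time error; if they are still intended, an explicit opt-out value is safer than an empty string. The `auth-signin` line also builds its URL from `.Values.ingress.host`, which the values.yaml hunk shows defaulting to `""`, so `required "ingress.host must be set"` there would catch a broken login redirect early. The rest of the annotations block, including the closing `{{- end }}`, is outside the hunk.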
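Review bot: In charts/sherlock/values.yaml the comment above `gafaelfawrAuthQuery` still reads `(default, unauthenticated)` although the default is now `scope=exec:admin`, so the documented default contradicts the shipped one. Suggest `# -- Gafaelfawr auth query string; an empty string disables authentication on the ingress`, so that an operator who overrides the value knows what clearing it does.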
From: Christine Banek
Date: Tue, 5 Apr 2022 18:11:52 -0700
Subject: [PATCH 2/3] [DM-34317] Add sherlock vault-secret This will contain the publishing key
---
 charts/sherlock/templates/vault-secret.yaml | 9 +++++++++
 charts/sherlock/values.yaml | 2 ++
 2 files changed, 11 insertions(+)
 create mode 100644 charts/sherlock/templates/vault-secret.yaml
diff --git a/charts/sherlock/templates/vault-secret.yaml b/charts/sherlock/templates/vault-secret.yaml
new file mode 100644
index 00000000..e9fe80f4
--- /dev/null
+++ b/charts/sherlock/templates/vault-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+ name: {{ include "sherlock.fullname" . }}-secret
+ labels:
+ {{- include "sherlock.labels" . | nindent 4 }}
+spec:
+ path: {{ required "vaultSecretsPath must be set" .Values.vaultSecretsPath | quote }}
+ type: Opaque
diff --git a/charts/sherlock/values.yaml b/charts/sherlock/values.yaml
index 09d2b04a..31868efa 100644
--- a/charts/sherlock/values.yaml
+++ b/charts/sherlock/values.yaml
@@ -84,3 +84,5 @@ serviceAccount:
 # -- URL to push status to via HTTP PUTs.
 publish_url: ""
+
+vaultSecretsPath: ""
From 5e63f94437fc92e1b919db0cb4517329fae4f534 Mon Sep 17 00:00:00 2001
From: Christine Banek
Date: Tue, 5 Apr 2022 18:26:28 -0700
Subject: [PATCH 3/3] [DM-34317] Mount the sherlock secret This should get it to show up in the container.
---
 charts/sherlock/templates/deployment.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/charts/sherlock/templates/deployment.yaml b/charts/sherlock/templates/deployment.yaml
index 46162e94..f92960cb 100644
--- a/charts/sherlock/templates/deployment.yaml
+++ b/charts/sherlock/templates/deployment.yaml
@@ -43,6 +43,13 @@ spec:
 env:
 - name: "PUBLISH_URL"
 value: {{ .Values.publish_url }}
+ {{- if .Values.publish_url }}
+ - name: "PUBLISH_KEY"
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "sherlock.fullname" . }}-secret
+ key: "publish_key"
+ {{- end }}
 ports:
 - name: http
 containerPort: 8080
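Review bot: In charts/sherlock/templates/vault-secret.yaml the VaultSecret is rendered unconditionally and `required` rejects the chart's own default of `vaultSecretsPath: ""`, while deployment.yaml in patch 3/3 only reads the secret when `publish_url` is set. Installs that do not publish therefore fail to render, or have to sync a Vault path they never use. Wrapping the resource in `{{- if .Values.publish_url }}` and `{{- end }}` would keep the two templates consistent. Without a `keys:` list the operator copies every key stored at that Vault path into the Kubernetes Secret, so a `keys:` entry under `spec` naming only `publish_key` would limit what lands in the namespace to the one value the deployment reads.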
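Review bot: `vaultSecretsPath` in charts/sherlock/values.yaml is added without the `# --` description the neighbouring `publish_url` has, and nothing tells the operator that the chart refuses to render while it is empty. Suggest adding above it `# -- Vault path of the secret that holds publish_key (must be set)`.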
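Review bot: In charts/sherlock/templates/deployment.yaml `PUBLISH_KEY` reaches the container as an environment variable, although the commit title describes a mount. Environment variables are inherited by child processes and tend to surface in crash dumps and debug output, so a read-only volume mount of the `-secret` Secret is the more contained option if the application can read the key from a file, which is not visible here. The adjacent context line `value: {{ .Values.publish_url }}` is unquoted and renders a bare `value:` with the default `""`; `value: {{ .Values.publish_url | quote }}` avoids that. The container spec that this `env:` list belongs to starts outside the hunk.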