Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/main' into SPSH-1275
Browse files Browse the repository at this point in the history
# Conflicts:
#	src/modules/privacy-idea-administration/privacy-idea-administration.controller.spec.ts
#	src/modules/privacy-idea-administration/privacy-idea-administration.controller.ts
  • Loading branch information
DeFi3298 committed Dec 11, 2024
2 parents 0aefe91 + eb0ae23 commit f61a24b
Show file tree
Hide file tree
Showing 132 changed files with 6,485 additions and 1,239 deletions.
12 changes: 6 additions & 6 deletions .github/workflows/create-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,14 +34,14 @@ jobs:
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-nest-test-sonarcloud.yaml@5
with:
node_version: '18'
timeout_minutes: 15
timeout_minutes: 20
permissions:
contents: read
secrets: inherit

release_image:
name: "Publish image and scan with trivy"
needs:
needs:
- codeql_analyze
- nest_lint
- tests_and_sonarcloud
Expand All @@ -57,7 +57,7 @@ jobs:
container_registry: "ghcr.io"
fail_on_vulnerabilites: false
report_location: "Dockerfile"

# Helm Chart
scan_helm:
uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
Expand All @@ -70,8 +70,8 @@ jobs:
secrets: inherit
with:
chart_name: "dbildungs-iam-server"
helm_chart_version_generation: specified
image_tag_generation: specified
helm_chart_version_generation: specified
image_tag_generation: specified
helm_chart_version: "${{ github.ref_name }}"
image_tag: "${{ github.ref_name }}"
helm_repo_list: "bitnami,https://charts.bitnami.com/bitnami"
helm_repo_list: "bitnami,https://charts.bitnami.com/bitnami"
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -144,3 +144,4 @@ dist
.vscode/settings.json

mariadb/
test/secrets.test.json
7 changes: 1 addition & 6 deletions charts/dbildungs-iam-server/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,4 @@ name: dbildungs-iam-server
version: 0.2.0
description: dBildungs-IAM-server
type: application
appVersion: ""
dependencies:
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 20.3.0
condition: redis.enabled
appVersion: ""
14 changes: 11 additions & 3 deletions charts/dbildungs-iam-server/config/config.json
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
"SERVICE_CLIENT_ID": "spsh-service"
},
"REDIS": {
"HOST": "dbildungs-iam-server-redis",
"HOST": "dbildungs-iam-redis-master.spsh.svc.cluster.local",
"PORT": 6379,
"USERNAME": "default",
"PASSWORD": "",
Expand All @@ -51,7 +51,7 @@
"BACKEND_FOR_FRONTEND_MODULE_LOG_LEVEL": "debug"
},
"ITSLEARNING": {
"ENABLED": "false",
"ENABLED": false,
"ENDPOINT": "https://itslearning.example.com",
"USERNAME": "username",
"PASSWORD": "password",
Expand All @@ -60,7 +60,7 @@
"ROOT_ERSATZ": "ersatz"
},
"OX": {
"ENABLED": "false",
"ENABLED": false,
"ENDPOINT": "https://ox_ip:ox_port/webservices/OXUserService",
"CONTEXT_ID": "1337",
"CONTEXT_NAME": "contextname",
Expand All @@ -81,5 +81,13 @@
"RENAME_WAITING_TIME_IN_SECONDS": 3,
"STEP_UP_TIMEOUT_ENABLED": "true",
"STEP_UP_TIMEOUT_IN_SECONDS": 10
},
"VIDIS": {
"BASE_URL": "https://service-stage.vidis.schule",
"USERNAME": "",
"PASSWORD": "",
"REGION_NAME": "test-region",
"KEYCLOAK_GROUP": "VIDIS-service",
"KEYCLOAK_ROLE": "VIDIS-user"
}
}
2 changes: 1 addition & 1 deletion charts/dbildungs-iam-server/config/secrets.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,4 @@
"REDIS": {
"PASSWORD": "password"
}
}
}
2 changes: 2 additions & 0 deletions charts/dbildungs-iam-server/cron/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
FROM alpine:3.19

ENV LOG_FILE_PATH=/var/log/cron.log

# Install necessary packages
RUN apk update && \
apk add --no-cache bash cronie jq openssl vim wget
Expand Down
20 changes: 10 additions & 10 deletions charts/dbildungs-iam-server/cron/scripts/get_access_token.sh
Original file line number Diff line number Diff line change
Expand Up @@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then
# JWKS_FILE_PATH is set, use the file
jwks=$(cat "$JWKS_FILE_PATH")
else
echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log
echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}"
exit 1
fi

# Check if environment variables are set
if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then
echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log
echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}"
exit 1
fi

Expand All @@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]')

# Check if key_json is empty
if [[ -z "$key_json" ]]; then
echo "Error: No keys found in JWKS." >> /var/log/cron.log
echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}"
exit 1
fi

Expand Down Expand Up @@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec
qi=INTEGER:0x$qi_dec
EOF

echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log
echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"

# Generate the PEM-formatted private key
temp_key_file=$(mktemp)
openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1
openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1

echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log
echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"

# Remove temporary files
rm "$asn1_structure" "$temp_key_file"
Expand Down Expand Up @@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload")
# Combine header and payload
header_payload="$header_base64.$payload_base64"

echo "Payload created" >> /var/log/cron.log
echo "Payload created" >> "${LOG_FILE_PATH}"

# Sign the JWT
signature=$(echo -n "$header_payload" | \
openssl dgst -sha256 -sign "$temp_key_file.pem" | \
openssl enc -base64 -A | tr '+/' '-_' | tr -d '=')

echo "Signed the JWT" >> /var/log/cron.log
echo "Signed the JWT" >> "${LOG_FILE_PATH}"

# Remove the temporary PEM key file
rm "$temp_key_file.pem"
Expand All @@ -166,15 +166,15 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien
--header "Content-Type: application/x-www-form-urlencoded" \
"$kc_token_url")

echo "Access token requested" >> /var/log/cron.log
echo "Access token requested" >> "${LOG_FILE_PATH}"

# Check if the response contains an access token
if echo "$response" | grep -q '"access_token"'; then
# Extract the access token from the response
access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
echo "$access_token"
else
echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
echo "$response" >> /var/log/cron.log
echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
echo "$response" >> "${LOG_FILE_PATH}"
exit 1
fi
Original file line number Diff line number Diff line change
Expand Up @@ -86,24 +86,39 @@
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: pi-user-realm
- name: SYSTEM_RENAME_WAITING_TIME_IN_SECONDS
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: system-rename-waiting-time-in-seconds
- name: SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS
key: redis-password
- name: VIDIS_BASE_URL
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: system-step-up-timeout-in-seconds
- name: SYSTEM_STEP_UP_TIMEOUT_ENABLED
key: vidis-base-url
- name: VIDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: system-step-up-timeout-enabled
- name: REDIS_PASSWORD
key: vidis-username
- name: VIDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: redis-password
key: vidis-password
- name: VIDIS_REGION_NAME
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: vidis-region-name
- name: VIDIS_KEYCLOAK_GROUP
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: vidis-keycloak-group
- name: VIDIS_KEYCLOAK_ROLE
valueFrom:
secretKeyRef:
name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
key: vidis-keycloak-role
{{- end}}
3 changes: 3 additions & 0 deletions charts/dbildungs-iam-server/templates/backend-ingress.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
tls:
- hosts:
- {{ .Values.backendHostname }}
ingressClassName: {{ .Values.backend.ingress.ingressClassName }}
rules:
- host: {{ .Values.backendHostname }}
Expand Down
30 changes: 30 additions & 0 deletions charts/dbildungs-iam-server/templates/backend-ingress2nd.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
{{if .Values.backend.ingress.enabled2nd }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ template "common.names.name" . }}-backend2nd
namespace: {{ template "common.names.namespace" . }}
labels:
{{- include "common.labels" . | nindent 4 }}
annotations:
nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ .Values.keycloak2ndHostname }},https://{{ .Values.keycloakHostname }}"
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- with .Values.backend.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.backend.ingress.ingressClassName }}
rules:
- host: {{ .Values.backend2ndHostname }}
http:
paths:
{{- range $path := .Values.backend.ingress.paths }}
- path: {{ $path }}
pathType: {{ $.Values.backend.ingress.pathType }}
backend:
service:
name: {{ template "common.names.name" $ }}-backend
port:
number: {{ $.Values.backend.service.ports.http }}
{{- end }}
{{ end }}
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
{{if .Values.backend.serviceMonitor.enabled }}
{{ if .Values.backend.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "common.names.name" . }}-backend
name: {{ template "common.names.name" . }}
namespace: {{ template "common.names.namespace" . }}
labels:
{{- include "common.labels" . | nindent 4 }}
Expand All @@ -13,9 +13,11 @@ spec:
- {{ include "common.names.namespace" . | quote }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "common.names.name" . }}-backend
app.kubernetes.io/name: {{ template "common.names.name" . }}
app.kubernetes.io/component: server-backend
endpoints:
- port: {{ (index .Values.backend.serviceMonitor.endpoints 0).port }}
path: {{ .Values.backend.serviceMonitor.path }}
interval: {{ .Values.backend.serviceMonitor.interval }}
{{ end }}

7 changes: 7 additions & 0 deletions charts/dbildungs-iam-server/templates/configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,15 @@ data:
FRONTEND_DEFAULT_LOGIN_REDIRECT: "https://{{ .Values.backendHostname }}/"
FRONTEND_LOGOUT_REDIRECT: "https://{{ .Values.backendHostname }}/"
BACKEND_HOSTNAME: "{{ .Values.backendHostname }}"
ERROR_PAGE_REDIRECT: "https://{{ .Values.backendHostname }}/login-error"
LDAP_URL: '{{ .Values.ldap.url | replace "spsh-xxx" .Release.Namespace }}'
LDAP_BIND_DN: "{{ .Values.ldap.bindDN }}"
LDAP_OEFFENTLICHE_SCHULEN_DOMAIN: "{{ .Values.ldap.oeffentlicheSchulenDomain }}"
LDAP_ERSATZSCHULEN_DOMAIN: "{{ .Values.ldap.ersatzschulenDomain }}"
STATUS_REDIRECT_URL: "{{ .Values.status.url }}"
SYSTEM_RENAME_WAITING_TIME_IN_SECONDS: "{{ .Values.backend.env.renameWaitingTimeInSeconds }}"
SYSTEM_STEP_UP_TIMEOUT_ENABLED: "{{ .Values.backend.env.stepUpTimeoutEnabled }}"
SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS: "{{ .Values.backend.env.stepUpTimeoutInSeconds }}"
ITSLEARNING_ROOT: '{{ .Values.itslearning.root }}'
ITSLEARNING_ROOT_OEFFENTLICH: '{{ .Values.itslearning.rootOeffentlich }}'
ITSLEARNING_ROOT_ERSATZ: '{{ .Values.itslearning.rootErsatz }}'
22 changes: 12 additions & 10 deletions charts/dbildungs-iam-server/templates/cronjob.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ metadata:
spec:
schedule: {{ $job_options.schedule }}
startingDeadlineSeconds: 300
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 0
Expand All @@ -22,10 +24,9 @@ spec:
image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
securityContext:
# not yet possible since we need to install some tools
# privileged: false
# runAsUser: 1000
# runAsNonRoot: true
privileged: false
runAsUser: 1000
runAsNonRoot: true
capabilities:
drop:
- ALL
Expand All @@ -41,6 +42,8 @@ spec:
value: "https://{{ $.Values.backendHostname }}{{ $job_options.endpoint }}"
- name: HTTP_METHOD
value: "{{ $job_options.httpMethod }}"
- name: LOG_FILE_PATH
value: "/tmp/log/cron.log"
resources:

Check warning on line 47 in charts/dbildungs-iam-server/templates/cronjob.yaml

View workflow job for this annotation

GitHub Actions / scan_helm / Kics Helm Chart Scan

[LOW] Container Requests Not Equal To It's Limits

Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively

Check warning on line 47 in charts/dbildungs-iam-server/templates/cronjob.yaml

View workflow job for this annotation

GitHub Actions / scan_helm / Kics Helm Chart Scan

[LOW] Container Requests Not Equal To It's Limits

Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively
limits:
memory: "128Mi"
Expand All @@ -52,11 +55,9 @@ spec:
- "sh"
- "-c"
- |
mkdir /scripts &&
cp /scripts_tmp/*.sh /scripts/ &&
chmod +x /scripts/*.sh &&
touch /var/log/cron.log &&
chmod 644 /var/log/cron.log &&
mkdir /tmp/log/ &&
touch /tmp/log/cron.log &&
chmod 644 /tmp/log/cron.log &&
cd {{ $.Values.cronjobs.scriptDir }} &&
bash {{ $job_options.script }}
volumeMounts:
Expand All @@ -65,7 +66,7 @@ spec:
subPath: jwks.json
readOnly: true
- name: script-volume
mountPath: /scripts_tmp
mountPath: /scripts
readOnly: false
ports:
- containerPort: {{ $.Values.cronjobs.port }}
Expand All @@ -74,6 +75,7 @@ spec:
- name: script-volume
configMap:
name: {{ template "common.names.name" $ }}-cronjob-scripts-configmap
defaultMode: 0555
- name: secret-volume-jwks
secret:
secretName: dbildungs-iam-server
Expand Down
Loading

0 comments on commit f61a24b

Please sign in to comment.