Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Helm-Charts to make dbiam-server deployable #30

Merged
merged 79 commits into from
Oct 5, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
79 commits
Select commit Hold shift + click to select a range
c101068
Introduced base version of helm chart
kristoff-kiefer Sep 4, 2023
9bf4211
Dockerfile for dIAM backend
kristoff-kiefer Sep 5, 2023
812332b
Added configmap for db config
kristoff-kiefer Sep 5, 2023
076ddbb
Added config dir
kristoff-kiefer Sep 5, 2023
80aae14
Added ServiceMonitor for Prometheus
kristoff-kiefer Sep 11, 2023
39bbf15
Added basic infrastructure for probes
kristoff-kiefer Sep 19, 2023
664c10e
Health module added
kristoff-kiefer Sep 20, 2023
538be15
Added secrets-file
kristoff-kiefer Sep 20, 2023
d8510d5
Switched to secrets from config map
kristoff-kiefer Sep 20, 2023
7eb0470
Added deploy stage
kristoff-kiefer Sep 20, 2023
ae92865
Dev setup now runs with local k3s
kristoff-kiefer Sep 20, 2023
10de5cb
Added Probes, Secret and new ENV
kristoff-kiefer Sep 20, 2023
05e49c8
Added config file indirection
kristoff-kiefer Sep 20, 2023
e273f68
Integrated with main
kristoff-kiefer Sep 20, 2023
8465f8a
Introduced base version of helm chart
kristoff-kiefer Sep 4, 2023
51f23a1
Dockerfile for dIAM backend
kristoff-kiefer Sep 5, 2023
7a3cba0
Added configmap for db config
kristoff-kiefer Sep 5, 2023
5668c77
Added config dir
kristoff-kiefer Sep 5, 2023
4b1841a
Added ServiceMonitor for Prometheus
kristoff-kiefer Sep 11, 2023
aae48de
Added basic infrastructure for probes
kristoff-kiefer Sep 19, 2023
0a2ec62
Improved Coverage
kristoff-kiefer Sep 20, 2023
62da951
Removed Axios again until needed
kristoff-kiefer Sep 20, 2023
53a27c6
Removed Axios again until needed
kristoff-kiefer Sep 20, 2023
1f61bfd
Checking for KeyCloak availability
kristoff-kiefer Sep 20, 2023
43eac19
Including Keycloak
kristoff-kiefer Sep 20, 2023
cbc861c
Allow for secrets to be provided via parameter externally
kristoff-kiefer Sep 21, 2023
9890626
test gha
aimee-889 Sep 25, 2023
eec7507
use lowercase repo name
aimee-889 Sep 25, 2023
4800848
use lowercase repo name2
aimee-889 Sep 25, 2023
228636f
use lowercase repo name3
aimee-889 Sep 25, 2023
6675d57
use lowercase repo name4
aimee-889 Sep 25, 2023
4afb1e2
use lowercase repo name5
aimee-889 Sep 25, 2023
ee12eec
use lowercase repo name6
aimee-889 Sep 25, 2023
282058b
use lowercase repo name7
aimee-889 Sep 25, 2023
a3f44be
use lowercase repo name8
aimee-889 Sep 25, 2023
aa8028e
use lowercase repo name
aimee-889 Sep 25, 2023
0ac981e
use lowercase repo name2
aimee-889 Sep 25, 2023
6ad35f2
use lowercase repo name3
aimee-889 Sep 25, 2023
9059d23
upload iage
aimee-889 Sep 25, 2023
3c5d53d
add env
aimee-889 Sep 25, 2023
a0bbd85
add env2
aimee-889 Sep 25, 2023
70a5c2b
add env3
aimee-889 Sep 25, 2023
a6e1b36
Added Axios
kristoff-kiefer Sep 25, 2023
74fa75c
Added provisions for self hosted db
kristoff-kiefer Sep 25, 2023
b15e001
Added db service
kristoff-kiefer Sep 25, 2023
8f450bc
Added ingress
kristoff-kiefer Sep 25, 2023
706924c
Secret removed, it is assumed to be created beforehand
kristoff-kiefer Sep 26, 2023
cabd8c1
manual DB deployment removed
kristoff-kiefer Sep 26, 2023
15e6759
Enable DB-Encryption
kristoff-kiefer Sep 26, 2023
a9e3bc2
Enable DB-Encryption
kristoff-kiefer Sep 26, 2023
aef87e1
Removed Keycloak Health check since pings don't seem to go through
kristoff-kiefer Sep 26, 2023
591780e
Fixed service to actually find its pods
kristoff-kiefer Sep 26, 2023
e13f33a
Configure ingress
kristoff-kiefer Sep 27, 2023
78063c3
Add chart for dev-keycloak deployment
kristoff-kiefer Sep 27, 2023
5331a70
change docker image tag
aimee-889 Sep 27, 2023
8c2e099
disable trivy scan
aimee-889 Sep 27, 2023
da698fc
Change image name, add branch
kristoff-kiefer Sep 27, 2023
1a414b8
Change image name, add branch
kristoff-kiefer Sep 27, 2023
7346094
Change image name, changed separator to / and postfixed it
kristoff-kiefer Sep 27, 2023
082574a
Added API-Path-Prefix
kristoff-kiefer Oct 4, 2023
51ff6ed
Made the ingress serve the API under the correct path (/api)
kristoff-kiefer Oct 4, 2023
e4eba16
Hide the Health Endpoint
kristoff-kiefer Oct 4, 2023
e9599a0
Reformat
kristoff-kiefer Oct 4, 2023
7bfd73c
Set Pull Policy to "Always"
kristoff-kiefer Oct 4, 2023
e127bb6
DB-Setup now uses SSL
kristoff-kiefer Oct 4, 2023
d53ce9d
Pulling apart schema creation and deletion
kristoff-kiefer Oct 5, 2023
093f142
Disabled wrap
kristoff-kiefer Oct 5, 2023
c955326
Merge branch 'main' into feature/helm-integration
kristoff-kiefer Oct 5, 2023
3379560
Removed Config-Map
kristoff-kiefer Oct 5, 2023
d8285b4
Merge branch 'main' into feature/helm-integration
kristoff-kiefer Oct 5, 2023
a513c93
Merge package.json
kristoff-kiefer Oct 5, 2023
fcbfcfb
Cleaned up values
kristoff-kiefer Oct 5, 2023
dff3307
Job Chaining
kristoff-kiefer Oct 5, 2023
7e1e302
Job Chaining
kristoff-kiefer Oct 5, 2023
80e0166
Revert "Job Chaining"
kristoff-kiefer Oct 5, 2023
eea1d6f
Fix pattern to match /
kristoff-kiefer Oct 5, 2023
47604fa
Fixed tests because of changed properties
kristoff-kiefer Oct 5, 2023
3c7abaa
Removed job dependencies
kristoff-kiefer Oct 5, 2023
372b0a0
Merge branch 'main' into feature/helm-integration
kristoff-kiefer Oct 5, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
111 changes: 111 additions & 0 deletions .github/workflows/image-to-ghcr.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
name: Image to GHCR

on:
push:
branches-ignore:
- dependabot/**

permissions:
contents: read

jobs:
branch_meta:
runs-on: ubuntu-latest
outputs:
branch: ${{ steps.extract_branch_meta.outputs.branch }}
sha: ${{ steps.extract_branch_meta.outputs.sha }}
steps:
- name: Extract branch meta
shell: bash
id: extract_branch_meta
run: |
echo "lowercase_repo=${GITHUB_REPOSITORY,,}" >> $GITHUB_OUTPUT
if [ "${{ github.event_name }}" == 'pull_request' ]; then
echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT
echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
else
echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
fi

build_and_push:
runs-on: ubuntu-latest
needs:
- branch_meta
permissions:
packages: write
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Login to registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Lowercase REPO name
run: |
echo "LOWERCASE_REPO=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV

- name: Docker meta Service Name
id: docker_meta_img
uses: docker/metadata-action@v4
with:
images: ghcr.io/${{ env.LOWERCASE_REPO }}
tags: |
type=ref,event=branch,enable=false,priority=600
type=sha,enable=true,priority=600,prefix=

- name: Test existence of Image
run: |
echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ env.LOWERCASE_REPO }}/${{needs.branch_meta.outputs.branch}}:${{ needs.branch_meta.outputs.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV

- name: Set up Docker Buildx
if: ${{ env.IMAGE_EXISTS == 0 }}
uses: docker/setup-buildx-action@v2

- name: Build and push ${{ github.repository }}
if: ${{ env.IMAGE_EXISTS == 0 }}
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile
platforms: linux/amd64
push: true
# temporarily change this to latest to make deployment
# tags: ghcr.io/${{ env.LOWERCASE_REPO }}:${{ needs.branch_meta.outputs.sha }}
tags: ghcr.io/${{ env.LOWERCASE_REPO }}/${{needs.branch_meta.outputs.branch}}:latest
labels: ${{ steps.docker_meta_img.outputs.labels }}

# trivy-vulnerability-scanning:
# needs:
# - build_and_push
# - branch_meta
# runs-on: ubuntu-latest
# permissions:
# actions: read
# contents: read
# security-events: write
# steps:
# - name: Lowercase REPO name
# run: |
# echo "LOWERCASE_REPO=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV

# - name: Run trivy vulnerability scanner
# uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
# with:
# # image-ref: 'ghcr.io/${{ env.LOWERCASE_REPO }}:${{ needs.branch_meta.outputs.sha }}'
# image-ref: 'ghcr.io/${{ env.LOWERCASE_REPO }}:latest'
# format: 'sarif'
# output: 'trivy-results.sarif'
# severity: 'CRITICAL,HIGH'
# ignore-unfixed: true

# - name: Upload trivy results
# if: ${{ always() }}
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'trivy-results.sarif'
26 changes: 26 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
ARG BASE_IMAGE=node:20.5.1-alpine3.17
FROM $BASE_IMAGE as deployment

WORKDIR /app

COPY tsconfig*.json ./
COPY package*.json ./

RUN npm ci

COPY src/ src/

RUN npm run build

FROM $BASE_IMAGE
ENV NODE_ENV=prod

WORKDIR /app
COPY package*.json ./
COPY config/ ./config/

RUN npm ci --omit-dev

COPY --from=deployment /app/dist/ ./dist/

CMD [ "node", "dist/src/server/main.js" ]
6 changes: 6 additions & 0 deletions charts/dbildungs-iam/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v2
name: dbildungs-iam
version: 0.1.0

description: dBildungs-IAM
type: application
55 changes: 55 additions & 0 deletions charts/dbildungs-iam/templates/dbildungs-iam-deployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-deployment
labels:
app.kubernetes.io/name: dbildungs-iam
spec:
selector:
matchLabels:
layer: dbildungs-iam-backend
replicas: {{.Values.dbildungsIamReplications}}
template:
metadata:
name: dbildungs-iam
labels:
layer: dbildungs-iam-backend
spec:
containers:
- name: dbildungs-iam
image: {{.Values.dbildungsIamContainer}}
imagePullPolicy: Always
ports:
- name: web
containerPort: 8080
env:
- name: NODE_ENV
value: {{.Values.environment}}
- name: DEPLOY_STAGE
value: {{.Values.environment}}
volumeMounts:
- mountPath: /app/config/
name: config
readOnly: true
resources:
limits:
cpu: {{.Values.dbildungsIamCpuMax}}
memory: {{.Values.dbildungsIamMemMax}}
livenessProbe:
initialDelaySeconds: 10
httpGet:
port: 8080
scheme: 'HTTP'
path: '/health'
readinessProbe:
initialDelaySeconds: 10
httpGet:
port: 8080
scheme: 'HTTP'
path: '/health'
restartPolicy: Always
volumes:
- name: config
secret:
secretName: {{.Values.secrets.name | default (print .Release.Name "-secret")}}

26 changes: 26 additions & 0 deletions charts/dbildungs-iam/templates/dbildungs-iam-ingress.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{.Release.Name}}-backend
labels:
app.kubernetes.io/name: dbildungs-iam
spec:
ingressClassName: nginx
rules:
- host: {{.Values.backendHostname}}
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: dbiam
port:
number: 80
- path: /docs
pathType: Prefix
backend:
service:
name: dbiam
port:
number: 80
16 changes: 16 additions & 0 deletions charts/dbildungs-iam/templates/dbildungs-iam-service.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: dbiam
labels:
app.kubernetes.io/name: dbildungs-iam
spec:
selector:
layer: dbildungs-iam-backend
ports:
- protocol: TCP
name: web
port: {{.Values.dbildungsIamExternalPort}}
targetPort: web
type: ClusterIP

14 changes: 14 additions & 0 deletions charts/dbildungs-iam/templates/dbildungs-iam-servicemonitor.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{{if .Values.enableServiceMonitor}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{.Release.Name}}-servicemonitor
spec:
namespaceSelector:
any: true
selector:
matchLabels:
app.kubernetes.io/name: dbildungs-iam
endpoints:
- port: web
{{end}}
23 changes: 23 additions & 0 deletions charts/dbildungs-iam/values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
dbildungsIamContainer: "ghcr.io/dbildungsplattform/dbildungs-iam-server/feature/helm-integration:latest"

dbildungsIamExternalPort: 80
dbildungsIamCpuMax: 2
dbildungsIamMemMax: 4G
dbildungsIamReplications: 1
environment: prod

backendHostname: helm.dev.spsh.dbildungsplattform.de

configfile:
secrets: 'config/secrets.json'
dev: 'config/config.dev.json'
test: 'config/config.test.json'
prod: 'config/config.prod.json'
local: 'config/config.local.json'

# Configuration of necessary secrets
# Name of the secrets to inject
secrets:
name: spsh-config
# If we're running inside an environment with a Prometheus-Operator installed we configure a service monitor
enableServiceMonitor: false
6 changes: 6 additions & 0 deletions charts/keycloak-dev/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v2
name: dbildungs-iam-keycloak-dev
version: 0.1.0

description: dBildungs-IAM Keycloak for local deployment
type: application
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-keycloak-deployment
labels:
app.kubernetes.io/name: dbildungs-iam
spec:
selector:
matchLabels:
layer: dbildungs-iam-keycloak
replicas: 1
template:
metadata:
name: dbildungs-iam-keycloak
labels:
layer: dbildungs-iam-keycloak
spec:
containers:
- name: dbildungs-iam-keycloak
image: quay.io/keycloak/keycloak:22.0.3
args:
- start-dev
imagePullPolicy: IfNotPresent
ports:
- name: web
containerPort: 8080
env:
- name: KEYCLOAK_ADMIN
value: admin
- name: KEYCLOAK_ADMIN_PASSWORD
value: admin
restartPolicy: Always

16 changes: 16 additions & 0 deletions charts/keycloak-dev/templates/dbildungs-iam-service-keycloak.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: keycloak
labels:
app.kubernetes.io/name: dbildungs-iam
spec:
selector:
layer: dbildungs-iam-keycloak
ports:
- protocol: TCP
name: web
port: {{.Values.dbildungsIamExternalPort}}80
targetPort: web
type: ClusterIP

Loading