diff --git a/helm/modelix/templates/_helpers.tpl b/helm/modelix/templates/_helpers.tpl
index 1cb45a3..904964e 100644
--- a/helm/modelix/templates/_helpers.tpl
+++ b/helm/modelix/templates/_helpers.tpl
@@ -81,17 +81,10 @@ https://{{ .Values.ingress.hostname }}{{ if .Values.ingress.port }}:{{ .Values.i
 http://{{ include "modelix.fullname" . }}-keycloak:8080/
 {{- end }}
-{{- define "modelix.keycloakEnv" -}}
-- name: KEYCLOAK_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- key: keycloak-client-secret
- name: "{{ include "modelix.fullname" . }}-keycloak-client-secret"
-- name: KEYCLOAK_CLIENT_ID
- value: "{{ .Values.keycloak.clientId }}"
-- name: KEYCLOAK_REALM
- value: "{{ .Values.keycloak.realm }}"
-- name: KEYCLOAK_BASE_URL
- value: "{{ include "modelix.internalKeycloakUrl" . }}"
+{{- define "modelix.authorizationConfig" -}}
+- name: MODELIX_JWK_URI_KEYCLOAK
+ value: "{{ include "modelix.internalKeycloakUrl" . }}realms/{{ .Values.keycloak.realm }}/protocol/openid-connect/certs"
+- name: MODELIX_PERMISSION_CHECKS_ENABLED
+ value: "{{ .Values.authorization.enabled }}"
 {{- end }}
diff --git a/helm/modelix/templates/common/instances-manager-deployment.yaml b/helm/modelix/templates/common/instances-manager-deployment.yaml
index ba719b2..aa85550 100644
--- a/helm/modelix/templates/common/instances-manager-deployment.yaml
+++ b/helm/modelix/templates/common/instances-manager-deployment.yaml
@@ -40,7 +40,11 @@ spec:
 value: "{{ include "modelix.fullname" . }}-wsclt-"
 - name: WORKSPACE_CLIENT_IMAGE
 value: "modelix/modelix-workspace-client:{{ .Values.imageTags.wsClient | default .Chart.AppVersion }}"
- {{- include "modelix.keycloakEnv" . | nindent 10 }}
+ - name: "MODELIX_JWK_FILE"
+ value: /secrets/jwk/
+ - name: MODELIX_WORKSPACE_SERVER
+ value: http://{{ include "modelix.fullname" . }}-workspace-manager:28104/
+ {{- include "modelix.authorizationConfig" . | nindent 10 }}
 ports:
 - containerPort: 33332
 - containerPort: 5005
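Review bot: `MODELIX_PERMISSION_CHECKS_ENABLED` renders as an empty string whenever `authorization.enabled` is null or missing from an `authorization:` block, and an empty string is unlikely to be read as true by the services, so a stale values file would silently turn permission checks off; making the key mandatory avoids that: `value: "{{ required "authorization.enabled must be set" .Values.authorization.enabled }}"` (Helm's `required` rejects nil and empty strings but accepts `false`). The JWKS URI is built on `modelix.internalKeycloakUrl`, whose in-cluster branch in the context lines is plain `http://…-keycloak:8080/`, so every service fetches the signing keys it trusts unauthenticated over the cluster network; a comment stating that this relies on a trusted in-cluster network is worth adding next to the define. The concatenation also assumes the helper's output ends with `/`, which the context shows for the http branch; the https branch is cut off in the hunk header, so I could not confirm it there.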
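Review bot: `- name: "MODELIX_JWK_FILE"` is the only quoted env name in this list (`WORKSPACE_CLIENT_IMAGE` and `MODELIX_WORKSPACE_SERVER` are plain), and the same quoted form recurs in the model-deployment.yaml and workspace-manager-deployment.yaml hunks; `- name: MODELIX_JWK_FILE` matches the surrounding style. Its value `/secrets/jwk/` is a directory despite the FILE suffix and is populated by mounts in a later hunk, so a comment such as `# directory, not a file: the signer keys are mounted below it (see volumeMounts)` would help, assuming the service does read every key below that path — the chart does not show how it is consumed.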
@@ -65,6 +69,17 @@ spec:
 initialDelaySeconds: 60
 periodSeconds: 15
 timeoutSeconds: 10
+ volumeMounts:
+ - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ mountPath: /secrets/jwk/wsmanager
+ readOnly: true
 restartPolicy: Always
+ volumes:
+ - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ secret:
+ secretName: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ items:
+ - key: private
+ path: private.pem
 {{- include "modelix.pullSecret" . | nindent 6 }}
 {{- end -}}
diff --git a/helm/modelix/templates/common/instances-manager-rsa-keys.yaml b/helm/modelix/templates/common/instances-manager-rsa-keys.yaml
new file mode 100644
index 0000000..1346adb
--- /dev/null
+++ b/helm/modelix/templates/common/instances-manager-rsa-keys.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+type: Opaque
+data:
+ {{ $cert := genSelfSignedCert "instances-manager" nil nil 36524 -}}
+ public: {{ $cert.Cert | b64enc }}
+ private: {{ $cert.Key | b64enc }}
diff --git a/helm/modelix/templates/common/model-deployment.yaml b/helm/modelix/templates/common/model-deployment.yaml
index 5b2424c..2c01f04 100644
--- a/helm/modelix/templates/common/model-deployment.yaml
+++ b/helm/modelix/templates/common/model-deployment.yaml
@@ -27,7 +27,9 @@ spec:
 - env:
 - name: jdbc_url
 value: jdbc:postgresql://{{ include "modelix.fullname" . }}-db:5432/
- {{- include "modelix.keycloakEnv" . | nindent 12 }}
+ - name: "MODELIX_JWK_FILE"
+ value: /secrets/jwk/
+ {{- include "modelix.authorizationConfig" . | nindent 12 }}
 image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-model:{{ .Values.imageTags.model | default .Values.versions.modelix.core }}"
 imagePullPolicy: IfNotPresent
 name: model
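Review bot: The instances-manager's own private key lands at `/secrets/jwk/wsmanager/private.pem`, while model-deployment.yaml mounts the instances-manager public key under `/secrets/jwk/instancesmanager`; the `wsmanager` directory name here looks copied from the workspace-manager deployment, and if the services derive a key id from that directory the mismatch would matter. The Secret volume also uses the default file mode, so the private key is readable by every user in the container; `defaultMode: 0400` under `secret:` (or `0440` together with an `fsGroup` if the container runs unprivileged) restricts it, and the workspace-manager-deployment.yaml hunk that mounts that service's private key needs the same.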
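Review bot: `genSelfSignedCert` runs on every render, so each `helm upgrade` (and every `helm template`) produces a fresh key pair: tokens the instances-manager signed before the upgrade stop verifying, and pods that already read the old public key have to be restarted. The usual guard is to reuse the Secret already in the cluster via `lookup` and only generate when none exists; `lookup` returns nothing under `helm template` and `--dry-run`, so those paths still regenerate, which is worth a comment. The key named `public` actually holds the certificate (`$cert.Cert`), not a bare public key — fine if the consumers parse PEM certificates, but a comment saying so would save the next reader a check. workspace-manager-rsa-keys.yaml in this commit has the same shape and needs the same treatment.

```yaml
data:
  {{- $name := printf "%s-instances-manager-rsa-keys" (include "modelix.fullname" .) }}
  {{- $existing := lookup "v1" "Secret" .Release.Namespace $name }}
  {{- if $existing }}
  public: {{ index $existing.data "public" }}
  private: {{ index $existing.data "private" }}
  {{- else }}
  {{- $cert := genSelfSignedCert "instances-manager" nil nil 36524 }}
  public: {{ $cert.Cert | b64enc }}
  private: {{ $cert.Key | b64enc }}
  {{- end }}
```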
@@ -56,5 +58,25 @@ spec:
 initialDelaySeconds: 60
 periodSeconds: 15
 timeoutSeconds: 10
+ volumeMounts:
+ - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+ mountPath: /secrets/jwk/wsmanager
+ readOnly: true
+ - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ mountPath: /secrets/jwk/instancesmanager
+ readOnly: true
 restartPolicy: Always
+ volumes:
+ - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+ secret:
+ secretName: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+ items:
+ - key: public
+ path: workspace-manager-public.pem
+ - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ secret:
+ secretName: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ items:
+ - key: public
+ path: instances-manager-public.pem
 {{- include "modelix.pullSecret" . | nindent 6 }}
diff --git a/helm/modelix/templates/common/oauth-deployment.yaml b/helm/modelix/templates/common/oauth-deployment.yaml
index 140cbbb..fd8057c 100644
--- a/helm/modelix/templates/common/oauth-deployment.yaml
+++ b/helm/modelix/templates/common/oauth-deployment.yaml
@@ -81,7 +81,7 @@ spec:
 - --silence-ping-logging=true
 - --upstream=http://{{ include "modelix.fullname" . }}-proxy/
 - --skip-auth-regex=\/(resources|admin|js|realms|keycloak)\/.* # keycloak
- - --skip-auth-regex=\/model\/.* # Model server checks there bearer token itself. Model client needs the 401.
+ - --skip-auth-regex=\/model\/.* # Model server checks the bearer token itself. Model client needs the 401.
 - --skip-auth-regex=^\/$
 - --skip-auth-regex=\/public\/.*
 - --skip-jwt-bearer-tokens=true
diff --git a/helm/modelix/templates/common/workspace-config-persistentvolumeclaim.yaml b/helm/modelix/templates/common/workspace-config-persistentvolumeclaim.yaml
new file mode 100644
index 0000000..0ef1a00
--- /dev/null
+++ b/helm/modelix/templates/common/workspace-config-persistentvolumeclaim.yaml
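Review bot: The model server now trusts whatever it finds below `/secrets/jwk/`, and each of the two Secret mounts creates its own directory in which kubelet keeps a `..data` symlink and a timestamped directory beside the PEM file; if the server walks `MODELIX_JWK_FILE` recursively it will meet each key more than once and possibly a dangling entry mid-refresh — I could not see from the chart how the directory is read, so a comment on the expected layout (one sub-directory per signer, one PEM each) would pin it down. Because the rsa-keys Secrets are regenerated on every release, a model pod that is already running keeps the previous public keys until kubelet syncs the volume and the server re-reads it; a checksum annotation on the pod template, or a documented restart step, is the usual way to make sure tokens signed with the new keys are accepted right after an upgrade. The containing Deployment spec starts before this hunk.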
@@ -0,0 +1,15 @@
+{{- if .Values.workspaces.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ component: workspace-uploads
+ {{- include "modelix.labels" . | nindent 4 }}
+ name: "{{ include "modelix.fullname" . }}-workspace-config"
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Mi
+{{- end -}}
diff --git a/helm/modelix/templates/common/workspace-manager-deployment.yaml b/helm/modelix/templates/common/workspace-manager-deployment.yaml
index a5880ce..9f213f5 100644
--- a/helm/modelix/templates/common/workspace-manager-deployment.yaml
+++ b/helm/modelix/templates/common/workspace-manager-deployment.yaml
@@ -39,7 +39,9 @@ spec:
 value: "{{ include "modelix.fullname" . }}-"
 - name: MODELIX_MAX_BODY_SIZE
 value: "{{ .Values.maxBodySize }}"
- {{- include "modelix.keycloakEnv" . | nindent 10 }}
+ - name: "MODELIX_JWK_FILE"
+ value: /secrets/jwk/
+ {{- include "modelix.authorizationConfig" . | nindent 10 }}
 image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-workspace-manager:{{ .Values.imageTags.wsManager | default .Values.versions.modelix.workspaces }}"
 imagePullPolicy: IfNotPresent
 name: workspace-manager
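Review bot: The label `component: workspace-uploads` on this new claim looks copied from the uploads PVC; the resource is the workspace config claim, so `component: workspace-config` keeps label selectors and dashboards from lumping the two together. The claim exists only when `workspaces.enabled` is true, and the workspace-manager Deployment that mounts it closes with its own `{{- end -}}`, so it is presumably guarded by the same flag — worth confirming, since a Deployment that references a missing claim stays pending.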
@@ -71,19 +73,42 @@ spec:
 volumeMounts:
 - mountPath: "/workspace-manager/modelix-workspaces/uploads"
 name: "{{ include "modelix.fullname" . }}-workspace-uploads"
+ - mountPath: "/workspace-manager/config"
+ name: "{{ include "modelix.fullname" . }}-workspace-config"
 - name: "{{ include "modelix.fullname" . }}-workspace-secret"
 mountPath: /secrets/workspacesecret
 readOnly: true
+ - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+ mountPath: /secrets/jwk/wsmanager
+ readOnly: true
+ - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ mountPath: /secrets/jwk/instancesmanager
+ readOnly: true
 restartPolicy: Always
 volumes:
 - name: "{{ include "modelix.fullname" . }}-workspace-uploads"
 persistentVolumeClaim:
 claimName: "{{ include "modelix.fullname" . }}-workspace-uploads"
+ - name: "{{ include "modelix.fullname" . }}-workspace-config"
+ persistentVolumeClaim:
+ claimName: "{{ include "modelix.fullname" . }}-workspace-config"
 - name: "{{ include "modelix.fullname" . }}-workspace-secret"
 secret:
 secretName: "{{ include "modelix.fullname" . }}-workspace-secret"
 items:
 - key: workspace-secret
 path: workspace-credentials-key.txt
+ - name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+ secret:
+ secretName: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+ items:
+ - key: private
+ path: private.pem
+ - name: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ secret:
+ secretName: "{{ include "modelix.fullname" . }}-instances-manager-rsa-keys"
+ items:
+ - key: public
+ path: instances-manager-public.pem
 {{- include "modelix.pullSecret" . | nindent 6 }}
 {{- end -}}
diff --git a/helm/modelix/templates/common/workspace-manager-rsa-keys.yaml b/helm/modelix/templates/common/workspace-manager-rsa-keys.yaml
new file mode 100644
index 0000000..6e5f452
--- /dev/null
+++ b/helm/modelix/templates/common/workspace-manager-rsa-keys.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ include "modelix.fullname" . }}-workspace-manager-rsa-keys"
+type: Opaque
+data:
+ {{ $cert := genSelfSignedCert "workspace-manager" nil nil 36524 -}}
+ public: {{ $cert.Cert | b64enc }}
+ private: {{ $cert.Key | b64enc }}
diff --git a/helm/modelix/values.yaml b/helm/modelix/values.yaml
index 0bcb6d7..b228a79 100644
--- a/helm/modelix/values.yaml
+++ b/helm/modelix/values.yaml
@@ -4,10 +4,10 @@ fullnameOverride: ""
 versions:
 modelix:
- workspaces: "0.3.2"
- core: "4.11.5"
- kubernetes: "0.1.2-dirty"
- vncBaseImage: "0.6.0"
+ workspaces: "0.4.4-pr194-655a1216"
+ core: "10.1.0-pr1190-c6ab4b78"
+ kubernetes: "0.3.1"
+ vncBaseImage: "0.7.0"
 imageTags:
 db: ""
@@ -75,3 +75,6 @@ dockerProxy:
 secret64: ""
 serviceAccount: ""
+
+authorization:
+ enabled: true
diff --git a/versions.properties b/versions.properties
index a901987..521088a 100644
--- a/versions.properties
+++ b/versions.properties
@@ -1,4 +1,4 @@
 # Modelix core version.
-modelixCoreVersion=4.11.5
+modelixCoreVersion=10.1.0-pr1190-c6ab4b78
 # Modelix Workspaces versions
-modelixWorkspacesVersion=0.3.4
+modelixWorkspacesVersion=0.4.4-pr194-655a1216
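Review bot: The new `authorization.enabled` value is undocumented although it is what `modelix.authorizationConfig` renders into `MODELIX_PERMISSION_CHECKS_ENABLED` for the model, workspace-manager and instances-manager deployments; a comment above it such as `# Rendered into MODELIX_PERMISSION_CHECKS_ENABLED for all modelix services (templates/_helpers.tpl).` would make clear what setting it to false switches off. Defaulting to `true` is the right fail-closed choice, since the helper renders the raw value and an unset key would not enforce anything.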