Merge pull request #66 from aldbr/main_FEAT_IAM

feat: integrate indigo IAM and restructure the chart

README.md

@@ -163,6 +163,15 @@ Depending on the installation you perform, some tasks may be necessary or not. T
 | global.images.web.repository | string | `"ghcr.io/diracgrid/diracx-web/static"` |  |
 | global.images.web.tag | string | `"latest"` |  |
 | global.storageClassName | string | `"standard"` |  |
+| indigoiam.config.initial_client.id | string | `nil` |  |
+| indigoiam.config.initial_client.secret | string | `nil` |  |
+| indigoiam.config.issuer | string | `"http://anything:32003"` |  |
+| indigoiam.enabled | bool | `false` |  |
+| indigoiam.image.repository | string | `"indigoiam/iam-login-service"` |  |
+| indigoiam.image.tag | string | `"v1.8.3.rc.20231211"` |  |
+| indigoiam.service.nodePort | int | `32003` |  |
+| indigoiam.service.port | int | `8080` |  |
+| indigoiam.service.type | string | `"NodePort"` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `"nginx"` |  |
 | ingress.enabled | bool | `true` |  |

demo/demo_cluster_conf.tpl.yaml

@@ -32,3 +32,6 @@ nodes:
   - containerPort: 32002
     hostPort: 32002
     protocol: TCP
+  - containerPort: 32003
+    hostPort: 32003
+    protocol: TCP

demo/values.tpl.yaml

@@ -8,25 +8,12 @@ developer:
     diracx: https://{{ hostname }}:8000
     minio: http://{{ hostname }}:32000
     dex: http://{{ hostname }}:32002
+    iam: http://{{ hostname }}:32003
   demoDir: {{ demo_dir }}
   mountedPythonModulesToInstall: {{ mounted_python_modules }}
   editableMountedPythonModules: {{ editable_mounted_modules }}
   mountedNodeModuleToInstall: {{ node_module_to_mount }}
 
-init-cs:
-  VOs:
-    - name: diracAdmin
-      IdP:
-        idp_url: http://{{ hostname }}:32002
-        idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790
-      defaultGroup: admin
-      Users:
-      - sub: EgVsb2NhbA
-        preferredUsername: admin
-        groups:
-          - admin
-        # TODO: Integrate with dex
-
 diracx:
   hostname: {{ hostname }}
   settings:
@@ -65,3 +52,40 @@ dex:
       - email: "[email protected]"
         hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
         username: "admin"
+
+indigoiam:
+  config:
+    issuer: http://{{ hostname }}:32003
+
+    admin_user:
+      username: admin
+      password: password
+    initial_client:
+      name: "Admin client (read-write)"
+      id: admin-client-rw
+      secret: secret
+
+    users:
+      - username: jane_doe
+        given_name: Jane
+        family_name: Doe
+        password: password
+
+    clients:
+      - name: "Test client"
+        id: client
+        grant_types:
+          - refresh_token
+          - authorization_code
+          - urn:ietf:params:oauth:grant-type:device_code
+        scope:
+          - offline
+          - openid
+          - profile
+        redirect_uris:
+          - https://{{ hostname }}:8000/api/auth/device/complete
+          - https://{{ hostname }}:8000/api/auth/authorize/complete
+
+    groups:
+      dirac:
+        user: [jane_doe]

diracx/templates/deployment-cli.yaml → diracx/templates/diracx/deployment-cli.yaml

@@ -16,7 +16,7 @@ spec:
         {{- with .Values.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
-        checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx-container-entrypoint.yaml") . | sha256sum }}
+        checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx/diracx-container-entrypoint.yaml") . | sha256sum }}
       labels:
         {{- include "diracxCli.selectorLabels" . | nindent 8 }}
     spec:

diracx/templates/deployment.yaml → diracx/templates/diracx/deployment.yaml

@@ -15,9 +15,9 @@ spec:
         {{- with .Values.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
-        checksum/settings: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
-        checksum/init-settings: {{ include (print $.Template.BasePath "/init-secrets/configmap.yaml") . | sha256sum }}
-        checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx-container-entrypoint.yaml") . | sha256sum }}
+        checksum/settings: {{ include (print $.Template.BasePath "/diracx/secrets.yaml") . | sha256sum }}
+        checksum/init-settings: {{ include (print $.Template.BasePath "/diracx/init-secrets/configmap.yaml") . | sha256sum }}
+        checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx/diracx-container-entrypoint.yaml") . | sha256sum }}
       labels:
         {{- include "diracx.selectorLabels" . | nindent 8 }}
     spec:

diracx/templates/init-cs/configmap.yaml → diracx/templates/diracx/init-cs/configmap.yaml

@@ -11,5 +11,5 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
   init-cs: |
-    {{- include (print $.Template.BasePath "/init-cs/_init-cs.sh.tpl") . | nindent 4 }}
+    {{- include (print $.Template.BasePath "/diracx/init-cs/_init-cs.sh.tpl") . | nindent 4 }}
 {{- end -}}

diracx/templates/init-os/configmap.yaml → diracx/templates/diracx/init-os/configmap.yaml

@@ -10,5 +10,5 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
   init-os: |
-    {{- include (print $.Template.BasePath "/init-os/_init-os.sh.tpl") . | nindent 4 }}
+    {{- include (print $.Template.BasePath "/diracx/init-os/_init-os.sh.tpl") . | nindent 4 }}
 {{- end -}}

diracx/templates/init-secrets/configmap.yaml → diracx/templates/diracx/init-secrets/configmap.yaml

@@ -11,5 +11,5 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
   init-secrets: |
-    {{- include (print $.Template.BasePath "/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }}
+    {{- include (print $.Template.BasePath "/diracx/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }}
 {{- end -}}

diracx/templates/init-sql/configmap.yaml → diracx/templates/diracx/init-sql/configmap.yaml

@@ -11,5 +11,5 @@ metadata:
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
   init-sql: |
-    {{- include (print $.Template.BasePath "/init-sql/_init-sql.sh.tpl") . | nindent 4 }}
+    {{- include (print $.Template.BasePath "/diracx/init-sql/_init-sql.sh.tpl") . | nindent 4 }}
 {{- end -}}

diracx/templates/tests/indigo-iam/deployment.yaml

@@ -0,0 +1,51 @@
+{{- if .Values.indigoiam.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: indigo-iam
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: iam
+  template:
+    metadata:
+      labels:
+        app: iam
+      annotations:
+        checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.py.tpl") . | sha256sum }}
+    spec:
+      volumes:
+        - name: iam-secret
+          secret:
+            secretName: indigo-iam-init-secrets
+      containers:
+        - name: indigo-iam
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}"
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.indigoiam.service.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /.well-known/openid-configuration
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /.well-known/openid-configuration
+              port: http
+          env:
+          - name: IAM_KEY_STORE_LOCATION
+            value: "file:///etc/indigo-iam/keystore/iam-keystore.jwks"
+          - name: IAM_BASE_URL
+            value: "{{ .Values.indigoiam.config.issuer }}"
+          - name: IAM_ISSUER
+            value: "{{ .Values.indigoiam.config.issuer }}"
+          volumeMounts:
+          - name: iam-secret
+            mountPath: "/etc/indigo-iam/keystore"
+            readOnly: true
+{{- end }}