Commit d0559541 authored by Giuseppe Tudisco's avatar Giuseppe Tudisco

argo: install gatekeeper

parent e1ffc11b
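--- /dev/null
+++ b/<PATH-UNKNOWN>/external-secret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gatekeeper-es
+  namespace: gatekeeper
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: client-credentials
+    creationPolicy: Owner
+  data:
+  - secretKey: client_id
+    remoteRef:
+      key: gatekeeper
+      property: clientId
+  - secretKey: client_secret
+    remoteRef:
+      key: gatekeeper
+      property: clientSecret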
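Review bot: The Secret `client-credentials` is published with keys `client_id` and `client_secret`, and because the values file sets `existingSecret: true` nothing in the chart creates those keys, so the file names the gatekeeper Lua scripts read under `/etc/credentials` must match exactly — I cannot confirm that from this page, and a mismatch would only surface at runtime. A comment above `data:` such as `# secretKey names must match the files the gatekeeper Lua scripts read from /etc/credentials` would make the coupling visible. Note also that `refreshInterval: 1h` means a client secret rotated in Vault takes up to an hour to reach the cluster, which is fine if rotation is planned around it. All four new manifests also lack a leading `---` document marker; adding one is harmless and matches yamllint's document-start rule.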
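--- /dev/null
+++ b/<PATH-UNKNOWN>/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gatekeeper-entrypoint
+  namespace: gatekeeper
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: gatekeeper.itsrc.ext.cineca.it
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gatekeeper-ingress-nginx-controller
+            port:
+              name: https
+  tls:
+  - hosts:
+    - gatekeeper.itsrc.ext.cineca.it
+    secretName: gatekeeper-tls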
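Review bot: With `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` the edge controller re-encrypts traffic to `gatekeeper-ingress-nginx-controller`, but ingress-nginx does not verify the upstream certificate unless `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` is set together with a CA provided via `nginx.ingress.kubernetes.io/proxy-ssl-secret`, so this hop is encrypted but not authenticated. If the inner controller only serves its default self-signed certificate that is presumably the accepted trade-off and deserves a comment above `annotations:` saying so; otherwise add the two annotations and issue the inner controller a certificate the edge can validate. The inner controller is started with `enable-ssl-passthrough` in the values file, so it is worth confirming that the re-encrypted hop lands on a TLS-terminating server block there rather than on a passthrough route.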
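--- /dev/null
+++ b/apps/gatekeeper/values-gatekeeper.yaml
+echo:
+  # Optionally create the Namespace if it does not exist.  This is useful if the deployer is not permitted
+  # to query Namespaces, and therefore cannot automatically determine if the Namespace exists.
+  # Alternatively, the Namespace could be provided by the Kubernetes Cluster administrator.
+  namespace:
+    create: true
+    name: service-gatekeeper-echo
+  image:
+    registry: harbor.srcnet.skao.int/ska-src-dm-da-service-gatekeeper
+    name: service-gatekeeper-echo
+    tag: 1.0.1
+  # Allow the deployer to NOT specify a spec.type value of the Echo service, and leave it up to the Kubernetes Cluster to determine type.
+  # The default NodePort is set here to maintain the existing value.
+  #
+  # Examples:
+  ### Specify ClusterIP type:
+  #  service:
+  #    type: ClusterIP
+  #
+  ### Omit type:
+  #  service:
+  #    type:
+  service:
+    type: ClusterIP
+    port: 8080
+gatekeeper:
+  # the DNS server to use for lookups
+  resolver: 8.8.8.8
+  cache:
+    # the time to life for the services cache
+    ttl: 3600
+  permissions:
+    # the permissions API plugin authz endpoint
+    pluginAuthzEndpoint: https://permissions.srcnet.skao.int/api/v1/authorise/plugin/
+  ingress:
+    proxyBodySize: 5000m
+    proxyBuffering: "off"
+    proxyRequestBuffering: "off"
+    annotations: {} # adding cert manager annotation
+  siteCapabilities:
+    # the SKA IAM token endpoint
+    tokenEndpoint: https://ska-iam.stfc.ac.uk/token
+    # the site-capabilites API get service by id endpoint (to lookup services)
+    getServiceEndpoint: https://site-capabilities.srcnet.skao.int/api/v1/services/
+    # the client scopes requested by this node's site-capabilities gatekeeper service client
+    clientScopes: site-capabilities-api-service
+    # the client audience requested by this node's site-capabilities gatekeeper service client
+    clientAudience: site-capabilities-api
+    # the client id for this node's site-capabilities gatekeeper service client
+    clientId: CLIENT_ID
+    # the client secret for this node's site-capabilities gatekeeper service client
+    clientSecret: CLIENT_SECRET
+    # If .Values.gatekeeper.existingSecret is defined and set to true, the above clientId and clientSecret will be
+    # ignored in favour of an existing secret. The existing secret's name needs to match the secretName in the
+    # .Values.ingress-nginx.controller.extraVolume named client-credentials below.
+    existingSecret: true
+  services:
+    - route: "/echo" # request route
+      namespace: service-gatekeeper-echo # namespace the service will run in, can be different to gatekeeper ns
+      prefix: "http://" # usually http:// assuming SSL termination occurs upstream
+      service_name: "ska-src-dm-da-service-gatekeeper-echo" # to proxied address
+      ingress_host: "gatekeeper.itsrc.ext.cineca.it" # host domain the Ingress rules will apply to
+      port: 8080
+      uuid: "5a03fafb-a0a7-408e-af1d-3f9ef7ae35e3" # generated by the site capabilities catalogue, corresponding entry must exist in iam
+ingress-nginx:
+  controller:
+    replicaCount: 1
+    service:
+      type: ClusterIP
+    metrics:
+      enabled: true
+    ingressClass: gatekeeper-nginx
+    ingressClassResource:
+      name: gatekeeper-nginx
+      enabled: true
+      default: false
+      controllerValue: "skao.int/gatekeeper-nginx"
+    allowSnippetAnnotations: true
+    extraArgs:
+      enable-ssl-passthrough: "true"
+    extraVolumeMounts:
+      - name: lua-scripts
+        mountPath: /etc/nginx/lua/conf/response.lua
+        subPath: response.lua
+        readOnly: true
+      - name: lua-scripts
+        mountPath: /etc/nginx/lua/conf/backend.lua
+        subPath: backend.lua
+        readOnly: true
+      - name: lua-scripts
+        mountPath: /etc/nginx/lua/conf/mappings.lua
+        subPath: mappings.lua
+        readOnly: true
+      - name: lua-scripts
+        mountPath: /etc/nginx/lua/conf/permissions.lua
+        subPath: permissions.lua
+        readOnly: true
+      - name: lua-scripts
+        mountPath: /etc/nginx/lua/conf/site_capabilities.lua
+        subPath: site-capabilities.lua
+        readOnly: true
+      - name: client-credentials
+        mountPath: /etc/credentials
+        readOnly: true
+    extraVolumes:
+      - name: lua-scripts
+        configMap:
+          name: lua-scripts
+      - name: client-credentials
+        secret:
+          secretName: client-credentials
+    podAnnotations:
+      # this is calculated by taking the sum of sha256 checksums for templates/_*.tpl files
+      # to ensure that changes to these configmaps cause pod restarts
+      checksum/templates: ba6b2fbe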
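Review bot: `allowSnippetAnnotations: true` under `ingress-nginx.controller` lets any Ingress object that this `gatekeeper-nginx` controller picks up inject raw nginx configuration into a pod that mounts the IAM client secret at `/etc/credentials`, so in effect everyone who can create Ingress resources in the namespaces the controller watches can read that secret. If the chart's own Ingress templates depend on snippet annotations, keep the setting but restrict Ingress-creation RBAC accordingly (or scope the controller to the `gatekeeper` namespace); otherwise set it to `false`. Separately, `resolver: 8.8.8.8` sends the gatekeeper's DNS lookups to a public resolver, which cannot answer in-cluster names and sends the queried hostnames outside the cluster — if the lookups target the `service_name`/`namespace` pair listed under `services`, point this at the cluster DNS service IP instead; this looks like an inherited chart default, so please confirm. The hand-maintained `checksum/templates: ba6b2fbe` annotation will also silently go stale on the next chart bump; a comment saying how it was computed (and that it must be refreshed with `targetRevision`) would help the next maintainer.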
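--- /dev/null
+++ b/<PATH-UNKNOWN>/application.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gatekeeper
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+    - repoURL: https://gitlab.com/api/v4/projects/60950975/packages/helm/stable
+      chart: ska-src-dm-da-service-gatekeeper
+      targetRevision: 0.2.6
+      helm:
+        valueFiles:
+          - $repo/apps/gatekeeper/values-gatekeeper.yaml
+    - repoURL: https://www.ict.inaf.it/gitlab/itsrc/itsrc-services-cd.git
+      path: apps/gatekeeper
+      targetRevision: HEAD
+      ref: repo
+  destination:
+    namespace: gatekeeper
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    retry:
+      limit: 5
+      backoff:
+        duration: 10s
+        maxDuration: 3m0s
+        factor: 2
+    syncOptions:
+      - CreateNamespace=true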
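Review bot: The values source tracks `targetRevision: HEAD` while `syncPolicy.automated` has both `prune: true` and `selfHeal: true`, so every push to the default branch of the itsrc-services-cd repository is applied to the `gatekeeper` namespace immediately and the ref being trusted is not stated anywhere in the manifest. Naming the branch explicitly (for example `targetRevision: main`, a constructed value — use whichever branch is meant) makes the tracked ref visible in review and is unaffected by a later default-branch change. The chart is pinned to `0.2.6`, which is the right choice; a comment above `sources:` such as `# chart version is pinned; values roll out automatically from the tracked branch` would record that the two sources are deliberately treated differently.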