Merge pull request #41 from aserto-dev/ingress

Support native Kubernetes Ingress

Author: Ronen Hilewicz

.github/workflows/ci.yaml

@@ -89,9 +89,21 @@ jobs:
         name: Create k8s cluster
         with:
           cluster-name: "test"
-          args: >
+          args: >-
+            -p "9009:80@loadbalancer"
             --agents 1
             --k3s-arg "--disable=metrics-server@server:*"
+      -
+        name: Configure DNS
+        run: |
+          sudo tee -a /etc/hosts >/dev/null <<EOF
+          # Local self-host cluster
+          127.0.0.1 controller.local.test
+          127.0.0.1 grpc-controller.local.test
+          127.0.0.1 directory.local.test
+          127.0.0.1 grpc-directory.local.test
+          127.0.0.1 discovery.local.test
+          EOF
       -
         name: Test Topaz
         timeout-minutes: 10
@@ -110,14 +122,15 @@ jobs:
         name: Deploy Postgres
         run: |
           helm install postgresql oci://registry-1.docker.io/bitnamicharts/postgresql \
-            --namespace postgres --create-namespace \
+            --namespace postgresql --create-namespace \
+            --set fullnameOverride=postgres \
             --set auth.postgresPassword=${{ env.POSTGRES_PASSWORD }}
       -
         name: Wait for Postgres
         run: |
           echo "Waiting for postgres to be ready"
           kubectl wait pods --selector app.kubernetes.io/name=postgresql \
-            --for condition=Ready --namespace postgres --timeout=60s
+            --for condition=Ready --namespace postgresql --timeout=60s
       -
         name: Generate admin ssh key
         id: sshkey

README.md

@@ -162,7 +162,7 @@ global:
   aserto:
     ports:
       grpc: 8282
-      https: 8383
+      http: 8383
       health: 8484
       mertics: 8585
     ...
@@ -201,7 +201,7 @@ values for several required fields:
 
 - `global.aserto.oidc` holds the domain and client ID for your OpenID Connect application used
   to authenticate access to the management console.
-- `global.aserto.https.allowed_origins` should include the ingress domain where the management console
+- `global.aserto.http.allowed_origins` should include the ingress domain where the management console
   will be hosted.
 - `diretcory.rootDirectory.database.host` and `directory.tenantDirectory.database.host` should be set
   to the hostname of the PostgreSQL instance(s) for the root and tenant directories.

charts/aserto-lib/templates/_clusteraddr.tpl

@@ -18,9 +18,9 @@ Args: [scope, config, service]
 {{- else }}
 {{- $port := include "aserto-lib.ports" (list $scope $cfg) | fromYaml | dig $portType ""  | toYaml }}
 {{- if contains $svc $scope.Release.Name }}
-{{- printf "%s.%s.svc.cluster.local:%s" $scope.Release.Name $scope.Release.Namespace $port }}
+{{- printf "%s-%s.%s.svc.cluster.local:%s" $scope.Release.Name $portType $scope.Release.Namespace $port }}
 {{- else }}
-{{- printf "%s-%s.%s.svc.cluster.local:%s" $scope.Release.Name $svc $scope.Release.Namespace $port }}
+{{- printf "%s-%s-%s.%s.svc.cluster.local:%s" $scope.Release.Name $svc $portType $scope.Release.Namespace $port }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -43,6 +43,6 @@ Cluster address of the directory service
 Cluster address of the discovery service
 */}}
 {{- define "aserto-lib.discoveryAddress" }}
-{{- include "aserto-lib.svcClusterAddress" (list . "https" "discovery" )}}
+{{- include "aserto-lib.svcClusterAddress" (list . "http" "discovery" )}}
 {{- end }}
 

charts/aserto-lib/templates/_golangsvc.tpl

@@ -6,10 +6,10 @@ Returns gRPC service options.
 {{- end }}
 
 {{/*
-Returns HTTPS service options.
+Returns HTTP service options.
 */}}
-{{- define "aserto-lib.httpsConfig" }}
-{{ include "aserto-lib.mergeGlobal" (list . "https") }}
+{{- define "aserto-lib.httpConfig" }}
+{{ include "aserto-lib.mergeGlobal" (list . "http") }}
 {{- end }}
 
 {{/*
@@ -29,11 +29,11 @@ certs:
 {{- end }}
 
 {{/*
-Renders HTTPS service configuration.
+Renders HTTP service configuration.
 */}}
-{{- define "aserto-lib.httpsService" -}}
-listen_address: 0.0.0.0:{{ include "aserto-lib.httpsPort" . }}
-{{- with include "aserto-lib.httpsConfig" . | fromYaml }}
+{{- define "aserto-lib.httpService" -}}
+listen_address: 0.0.0.0:{{ include "aserto-lib.httpPort" . }}
+{{- with include "aserto-lib.httpConfig" . | fromYaml }}
 {{- with .allowed_origins }}
 allowed_origins:
 {{- . | toYaml | nindent 2 }}
@@ -44,9 +44,9 @@ write_timeout: {{ .write_timeout | default "2s" }}
 idle_timeout: {{ .idle_timeout | default "30s" }}
 {{- with .certSecret }}
 certs:
-  tls_key_path: '/https-certs/tls.key'
-  tls_cert_path: '/https-certs/tls.crt'
-  tls_ca_cert_path: '/https-certs/ca.crt'
+  tls_key_path: '/tls-certs/tls.key'
+  tls_cert_path: '/tls-certs/tls.crt'
+  tls_ca_cert_path: '/tls-certs/ca.crt'
 {{- end }}
 {{- end }}
 {{- end }}

charts/aserto-lib/templates/_ports.tpl

@@ -3,12 +3,12 @@ Returns port configuration.
 Values are selected with the following precedence:
 1. .Values.ports (chart specific overrides)
 2. .Values.global.aserto.ports (global overrides)
-3. default values ({grpc: 8282, https: 8383, health: 8484, metrics: 8585})
+3. default values ({grpc: 8282, http: 8383, health: 8484, metrics: 8585})
 */}}
 {{- define "aserto-lib.ports" }}
 {{- $scope := first . }}
 {{- $svc := last . }}
-{{- $defaults := dict "grpc" 8282 "https" 8383 "health" 8484 "metrics" 8585}}
+{{- $defaults := dict "grpc" 8282 "http" 8383 "health" 8484 "metrics" 8585}}
 {{- $global := ($scope.global).aserto | default dict | dig "ports" dict }}
 {{- $local := $svc | eq "self" | ternary $scope.ports (dig "global" "aserto" $svc "ports" dict $scope.AsMap) }}
 {{- merge $local $global $defaults | toYaml }}
@@ -22,8 +22,8 @@ Values are selected with the following precedence:
 {{- (include "aserto-lib.ports" (list . "self") | fromYaml).grpc }}
 {{- end }}
 
-{{- define "aserto-lib.httpsPort" }}
-{{- (include "aserto-lib.ports" (list . "self") | fromYaml).https }}
+{{- define "aserto-lib.httpPort" }}
+{{- (include "aserto-lib.ports" (list . "self") | fromYaml).http }}
 {{- end }}
 
 {{- define "aserto-lib.healthPort" }}
@@ -34,3 +34,17 @@ Values are selected with the following precedence:
 {{- (include "aserto-lib.ports" (list . "self") | fromYaml).metrics }}
 {{- end }}
 
+{{- define "aserto-lib.ingressDomain" -}}
+{{ (.Values.ingress).domain  | default (((.Values.global).aserto).ingress).domain }}
+{{- end }}
+
+{{- define "aserto-lib.ingressHost" -}}
+{{- $scope := first . -}}
+{{- $svc := last . -}}
+{{- $domain := include "aserto-lib.ingressDomain" $scope -}}
+{{- if $domain -}}
+  {{ printf "%s.%s" $svc.subdomain $domain | quote }}
+{{- else -}}
+  {{ $svc.host | quote | required "ingress.hosts[].host is required if ingress.domain is empty" }}
+{{- end -}}
+{{- end }}

charts/aserto/values.yaml

@@ -14,16 +14,16 @@ global:
     # Port configuration.
     ports:
       grpc: 8282
-      https: 8383
+      http: 8383
       health: 8484
       mertics: 8585
 
     # gRPC configuration.
     grpc:
       connectionTimeoutSec: 2
 
-    # HTTPS configuration.
-    https:
+    # HTTP configuration.
+    http:
       read_timeout: 2s
       read_header_timeout: 2s
       write_timeout: 2s
@@ -218,5 +218,8 @@ scim:
 #   groupMappings: []
 #   userMappings: []
 
+multi-tenant-scim:
+  enabled: false
+
 registry-proxy:
   enabled: false

charts/authorizer/Chart.yaml

@@ -27,7 +27,7 @@ version: 0.1.10
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.15.8
+appVersion: 0.16.0
 
 dependencies:
   - name: aserto-lib

charts/authorizer/ci/test-values.yaml

@@ -2,3 +2,7 @@
 oidc:
   domain: oidc_domain
   audience: oidc_audience
+
+ingress:
+  enabled: true
+  domain: aserto.com

charts/authorizer/templates/_helpers.tpl

@@ -80,19 +80,19 @@ credentials:
 {{- with (include "aserto-lib.discoveryCfg" . | fromYaml) }}
 {{- if .disableTLSVerification }}
 allow_insecure_tls : true
-{{- else if .httpsCertSecret }}
+{{- else if .tlsCertSecret }}
 tls:
-  ca_cert: /discovery-https-certs/ca.crt
+  ca_cert: /discovery-tls-certs/ca.crt
 {{- else }}
 tls:
-  ca_cert: /https-certs/ca.crt
+  ca_cert: /tls-certs/ca.crt
 {{- end }}
 {{- end }}
 {{- end }}
 
 {{- define "authorizer.gatewayService" -}}
-{{ include "aserto-lib.httpsService" .  }}
-{{- $cfg := include "aserto-lib.httpsConfig" . | fromYaml }}
+{{ include "aserto-lib.httpService" .  }}
+{{- $cfg := include "aserto-lib.httpConfig" . | fromYaml }}
 allowed_headers:
 {{- $cfg.allowed_headers | default (list "Aserto-Tenant-Id" "Authorization" "Content-Type" "Depth") | toYaml | nindent 2 }}
 {{- end }}

charts/authorizer/templates/config.yaml

@@ -42,7 +42,6 @@ stringData:
       authenticators_enabled:
         root_key: true
         oidc: true
-        anonymous: true
         {{- if (.Values.authentication).machineAccounts }}
         machine_account: true
         {{- end }}
@@ -55,6 +54,13 @@ stringData:
         - key: ${AUTHORIZER_ROOT_KEY}
           account: root-key-authorizer@aserto.com
 
+      override:
+        - methods:
+            - /grpc.reflection.v1.ServerReflection/ServerReflectionInfo
+            - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo
+          authenticators_enabled:
+            anonymous: true
+
     opa:
       instance_id: "-"
       graceful_shutdown_period_seconds: 2