
Merge branch 'main' into karavi-observability-release
forrestxia authored Sep 21, 2022
2 parents dd98439 + 4579622 commit d6caae2
Showing 33 changed files with 1,698 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/helm-validations.yml
Expand Up @@ -7,6 +7,7 @@ on:
branches:
- main
- karavi-observability-release
- csm-authorization-release

jobs:
# This job will check to see if any .yaml file is modified
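--- a/charts/csm-authorization/.gitignore
+++ b/charts/csm-authorization/.gitignore
@@ -0,0 +1,2 @@
+Chart.lock
+charts/*tgz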
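--- a/charts/csm-authorization/.helmignore
+++ b/charts/csm-authorization/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+installer/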
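--- a/charts/csm-authorization/Chart.yaml
+++ b/charts/csm-authorization/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: csm-authorization
+version: 1.3.0
+appVersion: 1.3.0
+type: application
+description: CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers.
+dependencies:
+- name: cert-manager
+version: 1.6.1
+repository: https://charts.jetstack.io
+condition: cert-manager.enabled
+- name: ingress-nginx
+version: 4.0.19
+repository: https://kubernetes.github.io/ingress-nginx
+condition: ingress-nginx.enabled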
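Review bot: The dependency pins `version: 1.6.1` (cert-manager) and `version: 4.0.19` (ingress-nginx) are exact, but this same commit adds `Chart.lock` to the chart's `.gitignore`, so the digest of the resolved dependency set is never recorded in the repository and a later `helm dependency update` simply fetches whatever the remote index serves under those names. Committing `Chart.lock` (and dropping it from `.gitignore`) gives a reproducible, reviewable dependency set that can be diffed when either upstream chart is bumped. Both pinned versions also appear to be several releases behind what those projects were shipping at the commit date, which is worth checking against each project's supported-version policy before this goes out as 1.3.0.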
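--- a/charts/csm-authorization/README.md
+++ b/charts/csm-authorization/README.md
@@ -0,0 +1,19 @@
+<!--
+Copyright (c) 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+-->
+
+# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart
+
+CSM for Authorization can be deployed using Helm.
+
+For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm).
+
+## Helm Chart Versioning
+
+For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy).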
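--- a/charts/csm-authorization/charts/redis/.helmignore
+++ b/charts/csm-authorization/charts/redis/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/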
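--- a/charts/csm-authorization/charts/redis/Chart.yaml
+++ b/charts/csm-authorization/charts/redis/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: redis
+description: A Helm chart for Redis
+type: application
+version: 0.1.0
+appVersion: 0.1.0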
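--- a/charts/csm-authorization/charts/redis/templates/redis.yaml
+++ b/charts/csm-authorization/charts/redis/templates/redis.yaml
@@ -0,0 +1,128 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: redis-primary
+namespace: {{ .Release.Namespace }}
+labels:
+app: redis
+spec:
+selector:
+matchLabels:
+app: redis
+role: primary
+tier: backend
+replicas: 1
+template:
+metadata:
+labels:
+app: redis
+role: primary
+tier: backend
+spec:
+containers:
+- name: primary
+image: {{ .Values.images.redis }}
+imagePullPolicy: IfNotPresent
+args: ["--appendonly", "yes", "--appendfsync", "always"]
+resources:
+requests:
+cpu: 100m
+memory: 100Mi
+ports:
+- containerPort: 6379
+volumeMounts:
+- name: redis-primary-volume
+mountPath: /data
+volumes:
+- name: redis-primary-volume
+persistentVolumeClaim:
+claimName: redis-primary-pv-claim
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: redis-primary-pv-claim
+namespace: {{ .Release.Namespace }}
+labels:
+app: redis-primary
+spec:
+accessModes:
+- ReadWriteOnce
+{{- if (.Values.storageClass) }}
+storageClassName: {{.Values.storageClass }}
+{{- end}}
+resources:
+requests:
+storage: 8Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: redis-commander
+namespace: {{ .Release.Namespace }}
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: redis-commander
+template:
+metadata:
+labels:
+app: redis-commander
+tier: backend
+spec:
+containers:
+- name: redis-commander
+image: {{ .Values.images.commander }}
+imagePullPolicy: IfNotPresent
+env:
+- name: REDIS_HOSTS
+value: "rbac:redis.{{ .Release.Namespace }}.svc.cluster.local:6379"
+- name: K8S_SIGTERM
+value: "1"
+ports:
+- name: redis-commander
+containerPort: 8081
+livenessProbe:
+httpGet:
+path: /favicon.png
+port: 8081
+initialDelaySeconds: 10
+timeoutSeconds: 5
+resources:
+limits:
+cpu: "500m"
+memory: "512M"
+securityContext:
+runAsNonRoot: true
+readOnlyRootFilesystem: false
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: redis
+namespace: {{ .Release.Namespace }}
+spec:
+selector:
+app: redis
+ports:
+- protocol: TCP
+port: 6379
+targetPort: 6379
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: redis-commander
+namespace: {{ .Release.Namespace }}
+spec:
+selector:
+app: redis-commander
+ports:
+- protocol: TCP
+port: 8081
+targetPort: 8081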
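Review bot: The `primary` container in the redis-primary Deployment has no `securityContext`, while the redis-commander container in the same file sets `runAsNonRoot`, disables privilege escalation and drops all capabilities; the datastore holding the authorization state should get at least the same hardening, and it also declares only resource requests with no limits. Note that `runAsNonRoot: true` only admits the pod if the image from `.Values.images.redis` declares a non-root user, otherwise an explicit `runAsUser` is needed as well. Redis is started with only the append-only args and the commander connects to `redis.<namespace>.svc.cluster.local:6379` without a credential, so access to the store is bounded only by network reachability of the `redis` Service; if a NetworkPolicy or Redis auth is configured elsewhere in the chart that is not visible here and deserves a comment on the Service. Proposed hardening for the primary container:

```yaml
containers:
  - name: primary
    image: {{ .Values.images.redis }}
    # … unchanged: imagePullPolicy, args, resources, ports, volumeMounts …
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
```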
Empty file.
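--- a/charts/csm-authorization/policies/common.rego
+++ b/charts/csm-authorization/policies/common.rego
@@ -0,0 +1,4 @@
+package karavi.common
+default roles = {}
+roles = {}
+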
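--- a/charts/csm-authorization/policies/powermax-url.rego
+++ b/charts/csm-authorization/policies/powermax-url.rego
@@ -0,0 +1,47 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.authz.powermax.url
+
+allowlist = [
+"GET /univmax/restapi/version",
+"GET /univmax/restapi/(90|91)/system/symmetrix/[a-f0-9A-F]+",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/srp",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup",
+"POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)",
+"PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+",
+"PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+",
+"DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+",
+"DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/[a-f0-9A-F]+",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot",
+"GET /univmax/restapi/91/sloprovisioning/symmetrix/[a-f0-9A-F]+/portgroup/(.+)",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/initiator",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/host/(.+)",
+"GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)",
+"GET /univmax/restapi/(90|91)/system/symmetrix",
+"GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot",
+"GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/",
+"DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)",
+"GET /univmax/restapi/(90|91)/replication/capabilities/symmetrix/",
+"POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview",
+]
+
+default allow = true
+
+allow {
+regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url]))
+}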
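Review bot: `default allow = true` makes the allowlist inert: the `allow { regex.match(...) }` rule can only ever set `allow` to true, and the default already yields true when no pattern matches, so every method/URL pair evaluates to allowed and the list above is never the deciding factor. If a deny-by-default allowlist is intended the line should read `default allow = false`; if fail-open is deliberate for this platform during rollout, a comment at the rule should say so, because a reader of the package name will assume the opposite. The same `default allow = true` appears in powerscale-url.rego in this commit. Separately, `regex.match` is unanchored, so an entry such as `GET /univmax/restapi/version` also matches any longer URL that merely contains that text; anchoring each pattern with `^` and `$` (or wrapping the `sprintf` result and each entry in a single anchored match) would make the list mean what it reads.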
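--- a/charts/csm-authorization/policies/powerscale-url.rego
+++ b/charts/csm-authorization/policies/powerscale-url.rego
@@ -0,0 +1,42 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.authz.powerscale.url
+
+allowlist = [
+"GET /platform/latest/",
+"GET /platform/[0-9]/cluster/config/",
+"GET /namespace/(.+)",
+"GET /platform/[0-9]/protocols/nfs/exports/?(.+)",
+"PUT /namespace/(.+)",
+"GET /platform/[0-9]/quota/license/",
+"POST /platform/[0-9]/quota/quotas/",
+"POST /platform/[0-9]/protocols/nfs/exports/?(.+)",
+"GET /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)",
+"PUT /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)",
+"DELETE /platform/[0-9]/quota/quotas/[a-z0-9A-Z]+/",
+"DELETE /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)",
+"DELETE /namespace/(.+)",
+"GET /platform/[0-9]/snapshot/snapshots/(.+)",
+"POST /platform/[0-9]/snapshot/snapshots",
+"DELETE /platform/[0-9]/snapshot/snapshots/(.+)",
+"POST /session/[0-9]/session/",
+"GET /session/[0-9]/session/",
+"POST /proxy/refresh-token/"
+]
+
+default allow = true
+allow {
+regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url]))
+}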
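--- a/charts/csm-authorization/policies/url-test.rego
+++ b/charts/csm-authorization/policies/url-test.rego
@@ -0,0 +1,63 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.authz.url
+
+test_get_api_login_allowed {
+allow with input as {"method": "GET", "url": "/api/login/"}
+}
+
+test_post_proxy_refresh_token_allowed {
+allow with input as {"method": "POST", "url": "/proxy/refresh-token/"}
+}
+
+test_get_api_version_allowed {
+allow with input as {"method": "GET", "url": "/api/version/"}
+}
+
+test_get_system_instances_allowed {
+allow with input as {"method": "GET", "url": "/api/types/System/instances/"}
+}
+
+test_get_storagpool_instances_allowed {
+allow with input as {"method": "GET", "url": "/api/types/StoragePool/instances/"}
+}
+
+test_post_volume_instances_allowed {
+allow with input as {"method": "POST", "url": "/api/types/Volume/instances/"}
+}
+
+test_get_volume_instance_allowed {
+allow with input as {"method": "GET", "url": "/api/instances/Volume::2a3814c600000003/"}
+}
+
+test_post_volume_instances_queryIdByKey_allowed {
+allow with input as {"method": "POST", "url": "/api/types/Volume/instances/action/queryIdByKey/"}
+}
+
+test_get_system_sdc_allowed {
+allow with input as {"method": "GET", "url": "/api/instances/System::7045c4cc20dffc0f/relationships/Sdc/"}
+}
+
+test_post_volume_add_sdc_allowed {
+allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/addMappedSdc/"}
+}
+
+test_post_volume_remove_sdc_allowed {
+allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeMappedSdc/"}
+}
+
+test_post_volume_remove_allowed {
+allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeVolume/"}
+}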
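Review bot: Every test in this file asserts only that `allow` holds; there is no negative case, so a policy whose `default allow` is true (as the sibling powermax-url.rego and powerscale-url.rego in this commit are written) would pass this suite without its allowlist ever being consulted. Add at least one denial test, e.g. `test_get_unlisted_url_denied { not allow with input as {"method": "GET", "url": "/api/not-in-allowlist/"} }` (path is illustrative), and ideally one per HTTP method the allowlist is meant to restrict. The policy under test, package karavi.authz.url, is not in this chunk, so whether its default is false cannot be confirmed here. Minor: the test name `test_get_storagpool_instances_allowed` misspells storagepool.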