add auth-service
Signed-off-by: jkoberg <[email protected]>
kobergj committed Sep 29, 2023
1 parent 7b1b3e6 commit b85da50
Showing 16 changed files with 203 additions and 1 deletion.
4 changes: 4 additions & 0 deletions charts/ocis/templates/_common/_configvalues.tpl
Expand Up @@ -36,6 +36,10 @@ All take the scope as the first and only parameter.
{{ .Values.secretRefs.machineAuthApiKeySecretRef | default "machine-auth-api-key" | quote }}
{{- end -}}

{{- define "secrets.serviceAccountSecret" -}}
{{ .Values.secretRefs.serviceAccountSecretRef | default "service-account-secret" | quote }}
{{- end -}}

{{- define "secrets.messagingSystemCASecret" -}}
{{ required "messagingSystemCASecret can't be autogenerated" .Values.secretRefs.messagingSystemCaRef | quote }}
{{- end -}}
1 change: 1 addition & 0 deletions charts/ocis/templates/_common/_tplvalues.tpl
Expand Up @@ -38,6 +38,7 @@ Adds the app names to the scope and set the name of the app based on the input p
{{- $_ := set .scope "appNameAudit" "audit" -}}
{{- $_ := set .scope "appNameAuthBasic" "authbasic" -}}
{{- $_ := set .scope "appNameAuthMachine" "authmachine" -}}
{{- $_ := set .scope "appNameAuthService" "authservice" -}}
{{- $_ := set .scope "appNameAntivirus" "antivirus" -}}
{{- $_ := set .scope "appNameClientlog" "clientlog" -}}
{{- $_ := set .scope "appNameEventhistory" "eventhistory" -}}
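--- a/charts/ocis/templates/authservice/deployment.yaml
+++ b/charts/ocis/templates/authservice/deployment.yaml
@@ -0,0 +1,90 @@
+{{- include "ocis.basicServiceTemplates" (dict "scope" . "appName" "appNameAuthService" "appNameSuffix" "") -}}
+apiVersion: apps/v1
+kind: Deployment
+{{ include "ocis.metadata" . }}
+spec:
+{{- include "ocis.selector" . | nindent 2 }}
+{{- if and (not .Values.autoscaling.enabled) (.Values.replicas) }}
+replicas: {{ .Values.replicas }}
+{{- end }}
+{{- include "ocis.deploymentStrategy" . | nindent 2 }}
+template:
+{{- include "ocis.templateMetadata" (dict "scope" $ "configCheck" false) | nindent 4 }}
+spec:
+{{- include "ocis.serviceAccount" . | nindent 6 }}
+{{- include "ocis.affinity" .Values.services.authservice | nindent 6 }}
+{{- include "ocis.securityContextAndtopologySpreadConstraints" . | nindent 6 }}
+{{- include "ocis.priorityClassName" $.priorityClassName | nindent 6 }}
+{{- include "ocis.hostAliases" $ | nindent 6 }}
+nodeSelector: {{ toYaml $.nodeSelector | nindent 8 }}
+containers:
+- name: {{ .appName }}
+{{- include "ocis.image" $ | nindent 10 }}
+command: ["ocis"]
+args: ["auth-service", "server"]
+{{- include "ocis.containerSecurityContext" . | nindent 10 }}
+env:
+{{- include "ocis.serviceRegistry" . | nindent 12 }}
+
+- name: AUTH_SERVICE_LOG_COLOR
+value: {{ .Values.logging.color | quote }}
+- name: AUTH_SERVICE_LOG_LEVEL
+value: {{ .Values.logging.level | quote }}
+- name: AUTH_SERVICE_LOG_PRETTY
+value: {{ .Values.logging.pretty | quote }}
+
+- name: AUTH_SERVICE_TRACING_ENABLED
+value: "{{ .Values.tracing.enabled }}"
+- name: AUTH_SERVICE_TRACING_TYPE
+value: {{ .Values.tracing.type | quote }}
+- name: AUTH_SERVICE_TRACING_ENDPOINT
+value: {{ .Values.tracing.endpoint | quote }}
+- name: AUTH_SERVICE_TRACING_COLLECTOR
+value: {{ .Values.tracing.collector | quote }}
+
+- name: AUTH_SERVICE_DEBUG_PPROF
+value: {{ .Values.debug.profiling | quote }}
+
+- name: AUTH_SERVICE_GRPC_ADDR
+value: 0.0.0.0:9616
+- name: AUTH_SERVICE_DEBUG_ADDR
+value: 0.0.0.0:9617
+
+- name: AUTH_MACHINE_JWT_SECRET
+valueFrom:
+secretKeyRef:
+name: {{ include "secrets.jwtSecret" . }}
+key: jwt-secret
+
+- name: AUTH_SERVICE_API_KEY
+valueFrom:
+secretKeyRef:
+name: {{ include "secrets.machineAuthAPIKeySecret" . }}
+key: machine-auth-api-key
+
+- name: AUTH_SERVICE_SERVICE_ACCOUNT_ID
+value: .Values.features.serviceAccountID
+- name: AUTH_SERVICE_SERVICE_ACCOUNT_SECRET
+valueFrom:
+secretKeyRef:
+name: {{ include "secrets.serviceAccountSecret" . }}
+key: service-account-secret
+
+{{- include "ocis.livenessProbe" . | nindent 10 }}
+
+resources: {{ toYaml .resources | nindent 12 }}
+
+ports:
+- name: grpc
+containerPort: 9616
+- name: metrics-debug
+containerPort: 9617
+
+volumeMounts:
+- name: tmp-volume
+mountPath: /tmp
+
+{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
+volumes:
+- name: tmp-volume
+emptyDir: {}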
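Review bot: `value: .Values.features.serviceAccountID` under AUTH_SERVICE_SERVICE_ACCOUNT_ID is a plain scalar, not a template action, so the container receives the literal text `.Values.features.serviceAccountID` instead of the configured UUID; it should read `value: {{ .Values.features.serviceAccountID | quote }}`. The identical line is added in this commit to the graph, notifications, proxy, search, storageusers and userlog deployments and needs the same fix in each. Separately, the JWT secret is injected here as AUTH_MACHINE_JWT_SECRET, which looks carried over from the auth-machine template; please confirm that auth-service reads that variable name rather than an AUTH_SERVICE_-prefixed one, since a mismatch would leave the service without its JWT secret at startup.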
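--- a/charts/ocis/templates/authservice/hpa.yaml
+++ b/charts/ocis/templates/authservice/hpa.yaml
@@ -0,0 +1,3 @@
+{{- include "ocis.basicServiceTemplates" (dict "scope" . "appName" "appNameAuthService" "appNameSuffix" "") -}}
+{{- $_ := set . "autoscaling" (default (default (dict) .Values.autoscaling) .Values.services.authservice.autoscaling) -}}
+{{ include "ocis.hpa" . }}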
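--- a/charts/ocis/templates/authservice/pdb.yaml
+++ b/charts/ocis/templates/authservice/pdb.yaml
@@ -0,0 +1,2 @@
+{{- include "ocis.basicServiceTemplates" (dict "scope" . "appName" "appNameAuthService" "appNameSuffix" "") -}}
+{{ include "ocis.pdb" . }}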
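--- a/charts/ocis/templates/authservice/secret.yaml
+++ b/charts/ocis/templates/authservice/secret.yaml
@@ -0,0 +1,5 @@
+{{- if or (not .Values.secretRefs.serviceAccountSecretRef) }}
+{{- $params := (dict)}}
+{{- $_ := set $params "service-account-secret" (randAlphaNum 30) }}
+{{- include "ocis.secret" (dict "scope" . "name" "service-account-secret" "params" $params)}}
+{{- end }}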
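Review bot: `{{- if or (not .Values.secretRefs.serviceAccountSecretRef) }}` wraps a single operand in `or`, which does nothing; the plain form `{{- if not .Values.secretRefs.serviceAccountSecretRef }}` says the same thing and matches what the condition actually tests. Note also that `randAlphaNum 30` yields a different value on every render, so this file depends on the `ocis.secret` helper (defined outside this commit) keeping an existing Secret across upgrades; presumably that is how the chart's other autogenerated secrets work, but it is worth confirming, since a silently rotated service-account secret would have to be picked up by every consuming deployment at once.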
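--- a/charts/ocis/templates/authservice/service.yaml
+++ b/charts/ocis/templates/authservice/service.yaml
@@ -0,0 +1,20 @@
+{{- include "ocis.basicServiceTemplates" (dict "scope" . "appName" "appNameAuthService" "appNameSuffix" "") -}}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ .appName }}
+namespace: {{ template "ocis.namespace" . }}
+labels:
+app: {{ .appName }}
+ocis-metrics: enabled
+{{- include "ocis.labels" . | nindent 4 }}
+spec:
+selector:
+app: {{ .appName }}
+ports:
+- name: grpc
+port: 9616
+protocol: TCP
+- name: metrics-debug
+port: 9617
+protocol: TCP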
8 changes: 8 additions & 0 deletions charts/ocis/templates/graph/deployment.yaml
Expand Up @@ -216,6 +216,14 @@ spec:
value: {{ .Values.features.gdprReport.integrations.keycloak.insecure | quote }}
{{- end }}

- name: GRAPH_SERVICE_ACCOUNT_ID
value: .Values.features.serviceAccountID
- name: GRAPH_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- include "ocis.cors" . |nindent 12 }}


8 changes: 8 additions & 0 deletions charts/ocis/templates/notifications/deployment.yaml
Expand Up @@ -103,6 +103,14 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

- name: NOTIFICATIONS_SERVICE_ACCOUNT_ID
value: .Values.features.serviceAccountID
- name: NOTIFICATIONS_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- if .Values.features.emailNotifications.branding.enabled }}
# Mail theming
- name: NOTIFICATIONS_EMAIL_TEMPLATE_PATH
8 changes: 8 additions & 0 deletions charts/ocis/templates/proxy/deployment.yaml
Expand Up @@ -102,6 +102,14 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

- name: PROXY_SERVICE_ACCOUNT_ID
value: .Values.features.serviceAccountID
- name: PROXY_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- if .Values.features.policies.enabled }}
- name: PROXY_POLICIES_QUERY
value: data.proxy.granted
8 changes: 8 additions & 0 deletions charts/ocis/templates/search/deployment.yaml
Expand Up @@ -111,6 +111,14 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

- name: SEARCH_SERVICE_ACCOUNT_ID
value: .Values.features.serviceAccountID
- name: SEARCH_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

- name: OCIS_ASYNC_UPLOADS
value: "true"

2 changes: 1 addition & 1 deletion charts/ocis/templates/sse/deployment.yaml
Expand Up @@ -81,7 +81,7 @@ spec:
{{- include "ocis.cors" . |nindent 12 }}


{{- include "ocis.livenessProbe" . | nindent 10 }}
# {{- include "ocis.livenessProbe" . | nindent 10 }}

d7oc Aug 30, 2024


@kobergj Why was the livenessProbe disabled for sse?

wkloucek Sep 2, 2024


@d7oc I'd just enable it and see if the service dies. If not, then it should be fine. Code looks like the /healthz endpoint was implemented right from the beginning

kobergj Sep 17, 2024


@d7oc actually I don't remember. Maybe was a mistake. If it runs properly it should be fine 😎

d7oc Sep 17, 2024


Ok I will give it a try and enable it.


resources: {{ toYaml .resources | nindent 12 }}

8 changes: 8 additions & 0 deletions charts/ocis/templates/storageusers/deployment.yaml
Expand Up @@ -142,6 +142,14 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

- name: STORAGE_USERS_SERVICE_ACCOUNT_ID
value: .Values.features.serviceAccountID
- name: STORAGE_USERS_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

# cache
- name: STORAGE_USERS_FILEMETADATA_CACHE_STORE
value: {{ default "noop" .Values.cache.type | quote }}
8 changes: 8 additions & 0 deletions charts/ocis/templates/userlog/deployment.yaml
Expand Up @@ -83,6 +83,14 @@ spec:
name: {{ include "secrets.machineAuthAPIKeySecret" . }}
key: machine-auth-api-key

- name: USERLOG_SERVICE_ACCOUNT_ID
value: .Values.features.serviceAccountID
- name: USERLOG_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

- name: USERLOG_JWT_SECRET
valueFrom:
secretKeyRef:
5 changes: 5 additions & 0 deletions charts/ocis/templates/web/deployment.yaml
Expand Up @@ -102,6 +102,11 @@ spec:
value: {{ . | quote }}
{{- end }}

{{- with .Values.services.web.config.loginURL }}
- name: WEB_OPTION_LOGIN_URL
value: {{ . | quote }}
{{- end }}

{{- with .Values.services.web.config.privacyURL }}
- name: WEB_OPTION_PRIVACY_URL
value: {{ . | quote }}
24 changes: 24 additions & 0 deletions charts/ocis/values.yaml
Expand Up @@ -152,6 +152,8 @@ features:
# -- Create demo users on the first startup.
# Not recommended for production installations.
demoUsers: false
# ID of the service account
serviceAccountID: "7641d020-719c-408d-be9b-dd0c2713fb9c"
emailNotifications:
# -- Enables email notifications.
enabled: false
Expand Down Expand Up @@ -567,6 +569,8 @@ secretRefs:
# -- Reference to an existing s3 secret (see ref:Secrets#secrets)
# If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
s3CredentialsSecretRef: ""
# -- Reference to an existing service account secret (see ref:Secrets#secrets)
serviceAccountSecretRef: ""

# Security context options.
securityContext:
Expand Down Expand Up @@ -811,6 +815,24 @@ services:
# -- Per-service custom labels
extraLabels: {}

# -- AUTH SERVICE service.
# @default -- see detailed service configuration options below
authservice:
# -- Per-service resources configuration. Overrides the default setting from `resources` if set.
resources: {}
# -- Per-service nodeSelector configuration. Overrides the default setting from `nodeSelector` if set.
nodeSelector: {}
# -- Per-service priorityClassName configuration. Overrides the default setting from `priorityClassName` if set.
priorityClassName: ""
# -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
podDisruptionBudget: {}
# -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
autoscaling: {}
# -- Affinity settings for the authservice service. See the documentation of this setting in approvider for examples.
affinity: {}
# -- Per-service custom labels
extraLabels: {}

# -- ANTIVIRUS service. Not used if `features.virusscan.enabled` equals `false`.
# @default -- see detailed service configuration options below
antivirus:
Expand Down Expand Up @@ -1755,6 +1777,8 @@ services:
imprintURL:
# Specifies the target url for the privacy link in the account menu.
privacyURL:
# Specifies the login url
loginURL:

# -- Persistence settings.
# @default -- see detailed persistence configuration options below
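Review bot: The new `serviceAccountID` key under `features` is annotated with a plain `# ID of the service account`, while its neighbours (`demoUsers`, `serviceAccountSecretRef`) use the helm-docs `# -- ` prefix, so the new key will be absent from the generated values table. Suggest `# -- ID of the internal service account; it is passed to the auth-service, graph, notifications, proxy, search, storageusers and userlog deployments as their *_SERVICE_ACCOUNT_ID, and its credential comes from the secret referenced by `secretRefs.serviceAccountSecretRef`.` As written every installation of the chart shares this fixed UUID; if the value is meant to be unique per installation, the comment should say so, and if it is purely an identifier with the random secret doing the gating, saying that avoids the question.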
