carbynestack · strieflin · Nov 13, 2024 · Sep 27, 2024 · Oct 25, 2024 · Oct 25, 2024
@@ -0,0 +1,79 @@
+#
+# Copyright (c) 2024 - for information on the respective copyright owner
+# see the NOTICE file and/or the repository https://github.com/carbynestack/thymus.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+name: Build and Test Services
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+  pull_request:
+    branches:
+      - 'master'
+jobs:
+  changes:
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: read
+    outputs:
+      service: ${{ steps.filter.outputs.services }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Check whether services codebase is affected
+        uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            services:
+              - 'services/**'
+  services-test:
+    runs-on: ubuntu-22.04
+    needs: changes
+    if: ${{ needs.changes.outputs.service == 'true' }}
+    env:
+      GOPATH: ${{ github.workspace }}
+      GO111MODULE: on
+      REGISTRY: ghcr.io
+    defaults:
+      run:
+        working-directory: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}/services
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          path: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}/services/go.mod
+          cache-dependency-path: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}services/go.sum
+      - name: Perform Build
+        run: |
+          go build ./...
+      - name: Perform Tests
+        run: |
+          go test ./... -coverprofile coverage.txt
+      - name: Publishing Coverage
+        uses: codecov/codecov-action@v4
+        with:
+          name: codecov
+          files: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}/services/coverage.txt
+          token: ${{ secrets.CODECOV_TOKEN }}
+          flags: services
+  # This is required to allow for setting the test job as required in scenarios
+  # where the tests are not actually run, e.g., when the helm chart is updated.
+  services-test-status:
+    runs-on: ubuntu-22.04
+    needs: services-test
+    if: '!cancelled()' # Makes the job run regardless whether 'test' succeeds or not but allows for cancellation
+    steps:
+      - name: Tests successful
+        if: ${{ !(contains(needs.services-test.result, 'failure')) }}
+        run: exit 0
+      - name: Tests failed
+        if: ${{ contains(needs.services-test.result, 'failure') }}
+        run: exit 1
@@ -0,0 +1,88 @@
+#
+# Copyright (c) 2024 - for information on the respective copyright owner
+# see the NOTICE file and/or the repository https://github.com/carbynestack/thymus.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+name: Publish Services
+on:
+  push:
+    tags:
+      - "services-v[0-9]+.[0-9]+.[0-9]+"
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: carbynestack/thymus
+jobs:
+  publish:
+    runs-on: ubuntu-22.04
+    env:
+      GOPATH: ${{ github.workspace }}
+      GO111MODULE: on
+      WORKING_DIRECTORY: ${{ github.workspace }}/src/github.com/${{ github.repository }}/services
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          path: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}
+      - name: Retrieve license obligation resources
+        run: |
+          cd 3RD-PARTY-LICENSES
+          find . -maxdepth 1 -type d -not -path . | zip -r@ 3rd-party-copyrights
+          find . -iname origin.src | \
+          awk '{ \
+          split($0,b,"/"); \
+          system("xargs < " $0 " curl --create-dirs -Lo ./sources/" b[2] ".zip " $2)}' && \
+          find -regex './sources$' | awk '{system("zip -jr ./3rd-party-sources.zip " $0)}'
+          mkdir -p ../license-obligations && mv `find . -regex "^./3rd-party-.*.zip$"` ../license-obligations/
+      - name: Update Release with license obligations resources
+        uses: ncipollo/release-action@v1
+        with:
+          allowUpdates: true
+          artifacts: ${{ env.WORKING_DIRECTORY }}/license-obligations/*
+          artifactErrorsFailBuild: true
+          makeLatest: true
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+      - name: Log in to container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=match,pattern=services-v(\d+.\d+.\d+),group=1
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}/services/go.mod
+          cache-dependency-path: ${{ env.GOPATH }}/src/github.com/${{ github.repository }}/services/go.sum
+      - name: Setup Ko
+        uses: imjasonh/[email protected]
+      - name: Publish Docker Images
+        run: |
+          # Generate tags flag (Metadata action output is newline delimited entries like
+          # 'ghcr.io/carbynestack/thymus:0.1.10' and we only need the part after the colon)
+          readarray -t tags < <( echo "${{ steps.meta.outputs.tags }}" )
+          for i in "${!tags[@]}"; do
+            readarray -d ":" -t parts < <( echo "${tags[i]}" )
+            tags[i]=$(echo "${parts[1]}" | tr -d '\n')
+          done
+          printf -v joined_tags "%s," "${tags[@]}"
+
+          # Generate label flags
+          readarray -t labels < <( echo "${{ steps.meta.outputs.labels }}" )
+          printf -v label_flags -- "--image-label=%s " "${labels[@]}"
+
+          # Publish using ko
+          ko publish -B \
+            --tags="${joined_tags%,}" \
+            "${label_flags}" \
+            github.com/carbynestack/thymus/services/cmd/catalogue
@@ -12,6 +12,7 @@ repos:
       - id: check-yaml
         exclude: ^charts/thymus/templates/.*$
       - id: end-of-file-fixer
+        exclude: ^services/3RD-PARTY-LICENSES/.*$
       - id: trailing-whitespace
       - id: mixed-line-ending
   - repo: https://github.com/tekwizely/pre-commit-golang
@@ -37,9 +38,9 @@ repos:
           - "80"
         additional_dependencies:
           - mdformat-gfm
-        exclude: ^3RD-PARTY-LICENSES/.*$
+        exclude: ^services/3RD-PARTY-LICENSES/.*$
   - repo: https://github.com/igorshubovych/markdownlint-cli
     rev: v0.33.0
     hooks:
       - id: markdownlint
-        exclude: ^3RD-PARTY-LICENSES/.*$
+        exclude: ^services/3RD-PARTY-LICENSES/.*$
@@ -1,4 +1,4 @@
 {
-  ".": "0.1.2",
+  "services": "0.1.2",
   "charts/thymus": "0.2.4"
 }
@@ -0,0 +1,65 @@
+#
+# Copyright (c) 2024 - for information on the respective copyright owner
+# see the NOTICE file and/or the repository https://github.com/carbynestack/thymus.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Deployment for the policy catalogue
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "thymus.fullname" . }}-policy-catalogue
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "thymus.name" . }}-policy-catalogue
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+spec:
+  replicas: {{ .Values.policyCatalogue.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "thymus.name" . }}-policy-catalogue
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "thymus.name" . }}-policy-catalogue
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      {{- if .Values.policyCatalogue.image.pullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.policyCatalogue.image.pullSecrets }}
+        - name: {{ . }}
+        {{- end}}
+      {{- end}}
+      containers:
+      - name: "{{ .Chart.Name }}-policy-catalogue"
+        image: "{{ .Values.policyCatalogue.image.registry }}/{{ .Values.policyCatalogue.image.repository }}:{{ .Values.policyCatalogue.image.tag }}"
+        imagePullPolicy: {{ .Values.policyCatalogue.image.pullPolicy }}
+        env:
+          # OPA service URL provided as configmap by OPA operator
+          - name: OPA_SERVICE_URL
+            valueFrom:
+              configMapKeyRef:
+                name: opa
+                key: OPA
+        ports:
+          - name: http
+            containerPort: 8080
+            protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          periodSeconds: {{ .Values.policyCatalogue.probes.liveness.period }}
+          initialDelaySeconds: {{ .Values.policyCatalogue.probes.liveness.initialDelay }}
+          failureThreshold: {{ .Values.policyCatalogue.probes.liveness.failureThreshold }}
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          periodSeconds: {{ .Values.policyCatalogue.probes.readiness.period }}
+          initialDelaySeconds: {{ .Values.policyCatalogue.probes.readiness.initialDelay }}
+          failureThreshold: {{ .Values.policyCatalogue.probes.readiness.failureThreshold }}
@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2024 - for information on the respective copyright owner
+# see the NOTICE file and/or the repository https://github.com/carbynestack/thymus.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Service for exposing the policy catalogue
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "thymus.fullname" . }}-policy-catalogue
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.policyCatalogue.service.annotations }}
+  annotations:
+{{ .Values.policyCatalogue.service.annotations | toYaml | trim | indent 4 }}
+  {{- end}}
+spec:
+  selector:
+    app.kubernetes.io/name: {{ include "thymus.name" . }}-policy-catalogue
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  ports:
+    - name: http
+      protocol: TCP
+      port: {{ .Values.policyCatalogue.service.port }}
+      targetPort: http
@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2024 - for information on the respective copyright owner
+# see the NOTICE file and/or the repository https://github.com/carbynestack/thymus.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Default OPA policies
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: default-policies
+  labels:
+    opa.stackable.tech/bundle: "true"
+data:
+  donor-read.rego: |
+    package play
+
+    import rego.v1
+
+    tags contains tag if {
+      tag := {"key": "derived-from", "value": input.inputs[_].owner}
+    }
+
+    default read := false
+
+    read if {
+      some i
+      tags[i].key == "derived-from"
+      tags[i].value == input.subject
+    }
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2024 - for information on the respective copyright owner
+# see the NOTICE file and/or the repository https://github.com/carbynestack/thymus.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# OPA cluster managed by the Stackable OPA Operator
+apiVersion: opa.stackable.tech/v1alpha1
+kind: OpaCluster
+metadata:
+  name: opa
+spec:
+  image:
+    productVersion: "0.66.0"
+  servers:
+    roleGroups:
+      default: {}
@@ -62,6 +62,17 @@ spec:
             port:
               number: 4444
             host: {{ include "thymus.fullname" . }}-hydra-public
+    - name: "Policy Catalogue route"
+      match:
+        - uri:
+            prefix: /iam/policies
+      rewrite:
+        uri: /policies
+      route:
+        - destination:
+            port:
+              number: {{ .Values.policyCatalogue.service.port }}
+            host: {{ include "thymus.fullname" . }}-policy-catalogue
     - name: "Kratos Public API route"
       match:
         - uri:

@@ -28,6 +28,28 @@ thymus:
         email: [email protected]
         password: "86KIo6<]!/V="
 
+# Policy Catalogue configuration
+policyCatalogue:
+  replicaCount: 1
+  service:
+    port: 8080
+    annotations: []
+  image:
+    registry: ghcr.io
+    repository: carbynestack/thymus/policy-catalogue
+    tag: latest
+    pullPolicy: "IfNotPresent"
+    pullSecrets: []
+  probes:
+    liveness:
+        period: 10
+        initialDelay: 10
+        failureThreshold: 3
+    readiness:
+        period: 10
+        initialDelay: 10
+        failureThreshold: 3
+
 # Overrides for the Kratos subchart
 kratos:
 

@@ -5,9 +5,9 @@
   "pull-request-header": ":package: Staging a new release",
   "skip-snapshot": true,
   "packages": {
-    ".": {
-      "package-name": "thymus",
-      "release-type": "simple"
+    "services": {
+      "package-name": "services",
+      "release-type": "go"
     },
     "charts/thymus": {
       "package-name": "chart",