Making changes to optionally enable Al2 secure images

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-07-10T17:29:48Z",
+  "generated_at": "2024-07-11T20:52:08Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -321,7 +321,7 @@
         "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1963,
+        "line_number": 1992,
         "type": "Secret Keyword"
       }
     ],
@@ -499,14 +499,14 @@
         "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 71,
+        "line_number": 75,
         "type": "Secret Keyword"
       },
       {
         "hashed_secret": "489e396b7c68f95c6018f7b98ef7b1b94587ef29",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 107,
+        "line_number": 114,
         "type": "Secret Keyword"
       }
     ],
@@ -586,14 +586,14 @@
         "hashed_secret": "d84ce25b0f9bc2cc263006ae39453efb22cc2900",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 64,
+        "line_number": 63,
         "type": "Secret Keyword"
       },
       {
         "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 87,
+        "line_number": 90,
         "type": "Secret Keyword"
       }
     ],
@@ -634,7 +634,7 @@
         "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 79,
+        "line_number": 83,
         "type": "Secret Keyword"
       }
     ],
@@ -727,7 +727,7 @@
         "hashed_secret": "f09dd6e359833a12f48c4c4255d6e87a6e55cfe9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 74,
+        "line_number": 78,
         "type": "Secret Keyword"
       }
     ],

helm/audit/README.md

@@ -69,7 +69,12 @@ A Helm chart for Kubernetes
 | global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases |
 | global.publicDataSets | bool | `true` | Whether public datasets are enabled. |
 | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. |
+| global.secureImage | map | `{"enabled":false,"sidecar":{"enabled":false}}` | Configuration settings for the secure AL2 based image. |
+| global.secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. |
+| global.secureImage.sidecar | map | `{"enabled":false}` | Configuration for Nginx sidecar container to be deployed with gunicorn. |
+| global.secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. |
 | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` |
+| global.tierAccessLimit | int | `"1000"` | Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data. |
 | image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/audit-service","tag":"master"}` | Docker image information. |
 | image.pullPolicy | string | `"Always"` | When to pull the image. This value should be "Always" to ensure the latest image is used. |
 | image.repository | string | `"quay.io/cdis/audit-service"` | The Docker image repository for the audit service |
@@ -104,6 +109,13 @@ A Helm chart for Kubernetes
 | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information for External Secrets. |
 | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. |
 | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. |
+| secureImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the secure AL2 based image. |
+| secureImage.enabled | bool | `false` | Enable the use of the secure AL2 based image. |
+| secureImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. |
+| secureImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. |
+| secureImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx |
+| secureImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. |
+| secureImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. |
 | securityContext | map | `{}` | Security context for the containers in the pod |
 | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl |
 | server.AWS_CREDENTIALS | map | `{}` | AWS credentials to access SQS queue. |
@@ -112,20 +124,13 @@ A Helm chart for Kubernetes
 | server.sqs | map | `{"region":"us-east-1","url":"http://sqs.com"}` | AWS SQS queue information. |
 | server.sqs.region | string | `"us-east-1"` | SQS queue AWS region. |
 | server.sqs.url | string | `"http://sqs.com"` | The URL for the SQS queue. |
-| service | map | `{"port":80,"type":"ClusterIP"}` | Configuration for the service |
-| service.port | int | `80` | Port on which the service is exposed |
+| service | map | `{"port":[],"type":"ClusterIP"}` | Configuration for the service |
+| service.port | list | `[]` | Port on which the service is exposed |
 | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". |
 | serviceAccount | map | `{"annotations":{"eks.amazonaws.com/role-arn":null},"create":true,"name":"audit-service-sa"}` | Service account to use or create. |
 | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account |
 | serviceAccount.create | bool | `true` | Whether to create a service account |
 | serviceAccount.name | string | `"audit-service-sa"` | The name of the service account |
-| slimImage | map | `{"enabled":false,"sidecar":{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}}` | Configuration settings for the slim AL2 based image. |
-| slimImage.enabled | bool | `false` | Enable the use of the slim AL2 based image. |
-| slimImage.sidecar | map | `{"enabled":false,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. |
-| slimImage.sidecar.enabled | bool | `false` | Enable the Nginx sidecar container. |
-| slimImage.sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx |
-| slimImage.sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. |
-| slimImage.sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. |
 | tolerations | list | `[]` | Tolerations for the pods |
 | volumeMounts | list | `[]` | Volumes to mount to the container. |
 | volumes | list | `[]` | Volumes to attach to the container. |

helm/audit/templates/deployment.yaml

@@ -26,7 +26,7 @@ spec:
         {{- include "common.datadogLabels" . | nindent 8 }}
         {{- end }}
     spec:
-      {{- if .Values.slimImage.enabled }}
+      {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
       securityContext:
         runAsUser: 1000
         runAsGroup: 1000
@@ -37,51 +37,51 @@ spec:
         - name: config-volume
           secret:
             secretName: "audit-g3auto"
-        {{- if .Values.slimImage.enabled }}
         - name: wsgi-config
           configMap:
             name: audit-wsgi
         - name: nginx-config
           configMap:
             name: audit-nginx-configmap
-        {{- end }}
         {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       containers:
         - name: audit
-          {{- if .Values.slimImage.enabled }}
+          {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
           image: "quay.io/cdis/audit-service:feat_GPE-1113"
           {{- else }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
-          {{- if .Values.slimImage.enabled }}
-          - containerPort: 8000
-          {{- else }}
-          - containerPort: 80
-          {{- end }}
-            name: http
-            protocol: TCP
+            {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+            - name: app
+              containerPort: 8000
+              protocol: TCP
+            {{- else }}
+            - name: http
+              containerPort: 80
+              protocol: TCP
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /_status
-              {{- if .Values.slimImage.enabled }}
-              port: 8000
+              {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+              port: app
               {{- else }}
-              port: 80
+              port: http
               {{- end }}
             initialDelaySeconds: 30
             periodSeconds: 60
             timeoutSeconds: 30
           readinessProbe:
             httpGet:
               path: /_status
-              {{- if .Values.slimImage.enabled }}
-              port: 8000
+              {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+              port: app
               {{- else }}
-              port: 80
+              port: http
               {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -125,33 +125,33 @@ spec:
                 readOnly: true
                 mountPath: "/src/audit-service-config.yaml"
                 subPath: "audit-service-config.yaml"
-              {{- if .Values.slimImage.enabled }}
+              {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
               - name: "wsgi-config"
                 mountPath: "/audit-service/deployment/wsgi/gunicorn.conf.py"
                 subPath: gunicorn.conf.py
               {{- end }}
             {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
-        {{- if .Values.slimImage.sidecar.enabled }}
+        {{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
         - name: sidecar-nginx
-          image: {{ .Values.slimImage.sidecar.image }}:{{ .Values.slimImage.sidecar.tag }}
-          imagePullPolicy: {{ .Values.slimImage.sidecar.pullPolicy }}
+          image: "{{ .Values.secureImage.sidecar.image }}:{{ .Values.secureImage.sidecar.tag }}"
+          imagePullPolicy: {{ .Values.secureImage.sidecar.pullPolicy }}
           ports:
-            - name: http
+            - name: app
               containerPort: 8080
           readinessProbe:
             httpGet:
               path: /_status
-              port: http
+              port: app
           volumeMounts:
             - name: "nginx-config"
               mountPath: "/etc/nginx/conf.d/default.conf"
               subPath: default.conf
         {{- end }}  
       initContainers:
         - name: audit-init
-          {{- if .Values.slimImage.enabled }}
+          {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
           image: "quay.io/cdis/audit-service:feat_GPE-1113"
           {{- else }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -191,7 +191,7 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           command: ["/bin/bash"]
-          {{- if .Values.slimImage.enabled }}
+          {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
           args:
             - "-c"
             - |

helm/audit/templates/nginx_config.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.secureImage.sidecar.enabled | default .Values.global.secureImage.sidecar.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -11,4 +12,5 @@ data:
           location / {
               proxy_pass http://127.0.0.1:8000;  # Gunicorn binds to this address
           }
-      }
+      }
+{{- end }}

helm/audit/templates/service.yaml

@@ -6,10 +6,18 @@ metadata:
     {{- include "audit.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
+  {{- with .Values.service.port }}
   ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
+    {{- toYaml . | nindent 8 }}
+  {{- end }}
+  {{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
+  - name: app
+    containerPort: 8080
+    protocol: TCP
+  {{- else }}
+  - name: http
+    containerPort: 80
+    protocol: TCP
+  {{- end }}
   selector:
     {{- include "audit.selectorLabels" . | nindent 4 }}

helm/audit/templates/wsgi.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.secureImage.enabled | default .Values.global.secureImage.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -10,4 +11,5 @@ data:
     user = 'gen3'
     group = 'gen3'
     timeout = 300
-    worker_class = "uvicorn.workers.UvicornWorker"
+    worker_class = "uvicorn.workers.UvicornWorker"
+{{- end }}

helm/audit/values.yaml

@@ -48,6 +48,8 @@ global:
   publicDataSets: true
   # -- (string) Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private`
   tierAccessLevel: libre
+  # -- (int) Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data.
+  tierAccessLimit: "1000"
   # -- (bool) Whether network policies are enabled.
   netPolicy: true
   # -- (int) Number of dispatcher jobs.
@@ -64,6 +66,14 @@ global:
     deploy: false
     # -- (string) Will deploy a separate External Secret Store for this service.
     separateSecretStore: false
+  # -- (map) Configuration settings for the secure AL2 based image.
+  secureImage:
+    # -- (bool) Enable the use of the secure AL2 based image.
+    enabled: false
+    # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
+    sidecar:
+      # -- (bool) Enable the Nginx sidecar container.
+      enabled: false
 
 # -- (map) External Secrets settings.
 externalSecrets:
@@ -117,9 +127,9 @@ image:
   # -- (string) Overrides the image tag whose default is the chart appVersion.
   tag: "master"
 
-# -- (map) Configuration settings for the slim AL2 based image.
-slimImage:
-  # -- (bool) Enable the use of the slim AL2 based image.
+# -- (map) Configuration settings for the secure AL2 based image.
+secureImage:
+  # -- (bool) Enable the use of the secure AL2 based image.
   enabled: false
   # -- (map) Configuration for Nginx sidecar container to be deployed with gunicorn.
   sidecar:
@@ -175,8 +185,8 @@ securityContext: {}
 service:
   # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName".
   type: ClusterIP
-  # -- (int) Port on which the service is exposed
-  port: 80
+  # -- (list) Port on which the service is exposed
+  port: []
 
 # -- (map) Resource requests and limits for the containers in the pod
 resources: