Feat/external secrets

docs/portal/Dockerfile

@@ -42,4 +42,4 @@ COPY --from=builder /data-portal/src/img/ /usr/share/nginx/html/src/img/
 COPY --from=builder /data-portal/src/css/ /usr/share/nginx/html/src/css/
 
 COPY overrides/dockerStart.sh dockerStart.sh
-CMD bash ./dockerStart.sh
+CMD bash ./dockerStart.sh

helm/arborist/templates/db-init.yaml

@@ -1,6 +1,12 @@
-{{ include "common.db_setup_job" . }}
+{{- if .Values.global.cloudsecrets.enabled | default false }}
+  {{ include "common.cloud_db_setup_job" . }}
 ---
-{{ include "common.db-secret" . }}
+  {{ include "common.cloud_db_setup_sa" . }}
 ---
-{{ include "common.db_setup_sa" . }}
+{{- else }}
+  {{ include "common.db_setup_job" . }}
 ---
+  {{ include "common.db-secret" . }}
+---
+  {{ include "common.db_setup_sa" . }}
+{{- end }}

helm/audit/templates/db-init.yaml

@@ -1,6 +1,12 @@
-{{ include "common.db_setup_job" . }}
+{{- if .Values.global.cloudsecrets.enabled | default false }}
+  {{ include "common.cloud_db_setup_job" . }}
 ---
-{{ include "common.db-secret" . }}
+  {{ include "common.cloud_db_setup_sa" . }}
 ---
-{{ include "common.db_setup_sa" . }}
----
+{{- else }}
+  {{ include "common.db_setup_job" . }}
+---
+  {{ include "common.db-secret" . }}
+---
+  {{ include "common.db_setup_sa" . }}
+{{- end }}

helm/common/templates/_cloud_db_setup_job.tpl

@@ -0,0 +1,139 @@
+# DB Setup ServiceAccount
+# Needs to update/ create secrets to signal that db is ready for use.
+{{- define "common.cloud_db_setup_sa" -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Chart.Name }}-dbcreate-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Chart.Name }}-dbcreate-role
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Chart.Name }}-dbcreate-rolebinding
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-dbcreate-sa
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Chart.Name }}-dbcreate-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+# DB Setup Job
+{{- define "common.cloud_db_setup_job" -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Chart.Name }}-dbcreate
+spec:
+  template:
+    metadata:
+      labels:
+      # TODO : READ FROM CENTRAL FUNCTION TOO?
+        app: gen3job
+    spec:
+      serviceAccountName: {{ .Chart.Name }}-dbcreate-sa
+      restartPolicy: Never
+      containers:
+      - name: db-setup
+        # TODO: READ THIS IMAGE FROM GLOBAL VALUES?
+        image: quay.io/cdis/awshelper:master
+        imagePullPolicy: Always
+        command: ["/bin/bash", "-c"]
+        env:
+          - name: PGPASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Chart.Name }}-dbcreds
+                key: password
+                optional: false            
+          - name: PGUSER
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Chart.Name }}-dbcreds
+                key: username
+                optional: false            
+          - name: PGPORT
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Chart.Name }}-dbcreds
+                key: port
+                optional: false            
+          - name: PGHOST
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Chart.Name }}-dbcreds
+                key: host
+                optional: false            
+          - name: SERVICE_PGUSER
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Chart.Name }}-dbcreds
+                key: serviceusername
+                optional: false
+          - name: SERVICE_PGDB
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Chart.Name }}-dbcreds
+                key: database
+                optional: false
+          - name: SERVICE_PGPASS
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Chart.Name }}-dbcreds
+                key: servicepassword
+                optional: false
+          - name: GEN3_HOME
+            value: /home/ubuntu/cloud-automation
+        args:
+          - |
+            #!/bin/bash
+            set -e
+
+            source "${GEN3_HOME}/gen3/lib/utils.sh"
+            gen3_load "gen3/gen3setup"
+
+            echo "PGHOST=$PGHOST"
+            echo "PGPORT=$PGPORT"
+            echo "PGUSER=$PGUSER"
+
+            echo "SERVICE_PGDB=$SERVICE_PGDB"
+            echo "SERVICE_PGUSER=$SERVICE_PGUSER"
+
+            until pg_isready -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -d template1
+            do
+              >&2 echo "Postgres is unavailable - sleeping"
+              sleep 5
+            done
+            >&2 echo "Postgres is up - executing command"
+
+
+            if psql -lqt | cut -d \| -f 1 | grep -qw $SERVICE_PGDB; then
+              gen3_log_info "Database exists"
+              PGPASSWORD=$SERVICE_PGPASS psql -d $SERVICE_PGDB -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -c "\conninfo"
+
+              # Update secret to signal that db is ready, and services can start
+              kubectl patch secret/{{ .Chart.Name }}-dbcreds -p '{"data":{"dbcreated":"dHJ1ZQo="}}'
+            else
+              echo "database does not exist"
+              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$SERVICE_PGDB'" | grep -q 1 || psql -c "CREATE DATABASE \"$SERVICE_PGDB\";"
+              gen3_log_info psql -tc "SELECT 1 FROM pg_user WHERE usename = '$SERVICE_PGUSER'" | grep -q 1 || psql -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';"
+              psql -tc "SELECT 1 FROM pg_user WHERE usename = '$SERVICE_PGUSER'" | grep -q 1 || psql -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';"
+              psql -c "GRANT ALL ON DATABASE \"$SERVICE_PGDB\" TO \"$SERVICE_PGUSER\" WITH GRANT OPTION;"
+              psql -d $SERVICE_PGDB -c "CREATE EXTENSION ltree; ALTER ROLE \"$SERVICE_PGUSER\" WITH LOGIN"
+              PGPASSWORD=$SERVICE_PGPASS psql -d $SERVICE_PGDB -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -c "\conninfo"
+
+              # Update secret to signal that db has been created, and services can start
+              kubectl patch secret/{{ .Chart.Name }}-dbcreds -p '{"data":{"dbcreated":"dHJ1ZQo="}}'
+            fi
+{{- end }}

helm/fence/templates/db-init.yaml

@@ -1,6 +1,12 @@
-{{ include "common.db_setup_job" . }}
+{{- if .Values.global.cloudsecrets.enabled | default false }}
+  {{ include "common.cloud_db_setup_job" . }}
 ---
-{{ include "common.db-secret" . }}
+  {{ include "common.cloud_db_setup_sa" . }}
 ---
-{{ include "common.db_setup_sa" . }}
+{{- else }}
+  {{ include "common.db_setup_job" . }}
 ---
+  {{ include "common.db-secret" . }}
+---
+  {{ include "common.db_setup_sa" . }}
+{{- end }}

helm/fence/templates/fence-config.yaml

@@ -1,10 +1,12 @@
 apiVersion: v1
-kind: Secret
+kind: ConfigMap
 metadata:
   name: fence-config
-stringData:
+data:
   fence-config.yaml: |
     BASE_URL: https://{{ .Values.global.hostname }}/user
+    DEFAULT_CLIENT_ID: 'REPLACEME-OPENID-CID'
+    DEFAULT_CLIENT_SECRET: 'REPLACEME-OPENID-SECRET'
     {{- with .Values.FENCE_CONFIG }}
     {{- toYaml . | nindent 4 }}
     {{ end }}

helm/fence/templates/fence-creds.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.global.cloudsecrets.enabled | default true }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -16,4 +17,4 @@ stringData:
         "google_client_id": "YOUR.GOOGLE.CLIENT",
         "hmac_key": ""
       }
-
+{{- end }}

helm/fence/templates/fence-deployment.yaml

@@ -61,8 +61,13 @@ spec:
           args:
             - "-c"
             - |
-              echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml"
-              python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config-secret.yaml > /var/www/fence/fence-config.yaml
+              #echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml"
+              #python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-init-config.yaml > /var/www/fence/fence-config.yaml
+              cp /var/tmp/fence-config.yaml /var/www/fence/fence-config.yaml
+              CLIENT_ID=(`cat /var/www/fence/openid-creds/client_id`)
+              CLIENT_SECRET=(`cat /var/www/fence/openid-creds/client_secret`)
+              sed -i -e "s@REPLACEME-OPENID-CID@$CLIENT_ID@g" /var/www/fence/fence-config.yaml
+              sed -i -e "s@REPLACEME-OPENID-SECRET@$CLIENT_SECRET@g" /var/www/fence/fence-config.yaml
               if [[ -f /fence/keys/key/jwt_private_key.pem ]]; then
                 openssl rsa -in /fence/keys/key/jwt_private_key.pem -pubout > /fence/keys/key/jwt_public_key.pem
               fi
@@ -94,10 +99,10 @@ spec:
           args:
             - "-c"
             - |
-              # echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml"
-              # python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config-secret.yaml > /var/www/fence/fence-config.yaml
+              #echo "${FENCE_PUBLIC_CONFIG:-""}" > "/var/www/fence/fence-config-public.yaml"
+              #python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/tmp/fence-config.yaml > /var/www/fence/fence-config.yaml
               if fence-create migrate --help > /dev/null 2>&1; then
-                if ! grep -E 'ENABLE_DB_MIGRATION"?: *false' /var/www/fence/fence-config.yaml; then
+                if ! grep -E 'ENABLE_DB_MIGRATION"?: *false' /var/tmp/fence-config.yaml; then
                   echo "Running db migration: fence-create migrate"
                   cd /fence
                   fence-create migrate

helm/fence/values.yaml

@@ -308,15 +308,15 @@ volumes:
     secret:
       secretName: "fence-creds"
   - name: config-helper
-    configMap:
-      name: config-helper
+    secret:
+      secretName: fence-secret
       optional: true
   - name: logo-volume
     configMap:
       name: "logo-config"
   - name: config-volume
-    secret:
-      secretName: "fence-config"
+    configMap:
+      name: "fence-config"
   - name: fence-google-app-creds-secret-volume
     secret:
       secretName: "fence-google-app-creds-secret"
@@ -333,13 +333,16 @@ volumes:
     configMap:
       name: "fence-yaml-merge"
       optional: true
+  - name: openid-creds
+    secret:
+      secretName: "openid-creds"
 
 # -- (list) Volumes to mount to the container.
 volumeMounts:
   - name: "old-config-volume"
     readOnly: true
-    mountPath: "/var/www/fence/local_settings.py"
-    subPath: local_settings.py
+    mountPath: "/var/www/fence/fence_settings.py"
+    subPath: fence_settings.py
   - name: "json-secret-volume"
     readOnly: true
     mountPath: "/var/www/fence/fence_credentials.json"
@@ -362,8 +365,8 @@ volumeMounts:
     subPath: "privacy_policy.md"
   - name: "config-volume"
     readOnly: true
-    mountPath: "/var/www/fence/fence-config.yaml"
-    subPath: fence-config.yaml
+    mountPath: "/var/tmp/fence-config.yaml"
+    subPath: "fence-config.yaml"
   - name: "yaml-merge"
     readOnly: true
     mountPath: "/var/www/fence/yaml_merge.py"
@@ -380,12 +383,17 @@ volumeMounts:
     readOnly: true
     mountPath: "/fence/keys/key/jwt_private_key.pem"
     subPath: "jwt_private_key.pem"
+  - name: "openid-creds"
+    readOnly: true
+    mountPath: "/var/www/fence/openid-creds"
+
+
 
 # -- (list) Volumes to mount to the init container.
 initVolumeMounts:
   - name: "config-volume"
     readOnly: true
-    mountPath: "/var/www/fence/fence-config.yaml"
+    mountPath: "/var/tmp/fence-config.yaml"
     subPath: fence-config.yaml
   - name: "yaml-merge"
     readOnly: true
@@ -1595,8 +1603,9 @@ FENCE_CONFIG:
     # Free tier users may request OIDC clients at https://cilogon.org/oauth2/register
     cilogon:
       discovery_url: 'https://cilogon.org/.well-known/openid-configuration'
-      client_id: ''
-      client_secret: ''
+      # DEFAULT_CLIENT_ID and DEFAULT_CLIENT_SECRET is added by fence-config configMap
+      client_id: '{{DEFAULT_CLIENT_ID}}'
+      client_secret: '{{DEFAULT_CLIENT_SECRET}}'
       # When registering the Callback URLs for your CILogon OIDC client be
       # sure to include the FULL url for this deployment, including the https:// scheme
       # and server FQDN.

helm/gen3-external-secrets/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/gen3-external-secrets/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: gen3-external-secrets
+description: A Helm chart for installing ClusterSecretStore and external secrets
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+dependencies:
+- name: external-secrets
+  version: 0.9.11
+  repository: https://charts.external-secrets.io