fix: Remove bitnami common chart and refactor deployment configuration

Author: DiamondJoseph

.gitignore

@@ -1 +1,2 @@
 site/
+**/charts/*.tgz

charts/apps/values.yaml

@@ -17,19 +17,50 @@ opa:
   targetRevision: HEAD
   path: charts/opa
   valuesObject:
-    orgData:
-      bundlerSecret:
-        name: token-authorization
-        key: bearer
-    orgPolicy:
-      enabled: true
+
+    extraEnvVars:
+    - name: BUNDLER_BEARER_TOKEN
+      valueFrom:
+        secretKeyRef:
+          name: token-authorization
+          key: bearer
+    - name: ISSUER
+      value: https://authn.diamond.ac.uk/realms/master
+
     autoscaling:
       enabled: true
       minReplicas: 2
+      maxReplicas: 10
+      targetMemoryUtilizationPercentage: 80
+
     ingress:
       enabled: true
       hosts:
         - host: authz.diamond.ac.uk
           paths:
             - path: /
               pathType: Prefix
+
+    config:
+      services:
+        diamond-bundler:
+          url: https://authz.diamond.ac.uk
+          credentials:
+            bearer:
+              token: ${BUNDLER_BEARER_TOKEN}
+        ghcr:
+          url: https://ghcr.io
+          type: oci
+      bundles:
+        diamond-permissionables:
+          service: diamond-bundler
+          resource: bundle.tar.gz
+          polling:
+            min_delay_seconds: 10
+            max_delay_seconds: 60
+        diamond-policies:
+          service: ghcr
+          resource: ghcr.io/zohebshaikh/authz-policy:0.0.19
+          polling:
+            min_delay_seconds: 30
+            max_delay_seconds: 120

charts/opa/.gitignore

@@ -1,13 +1,24 @@
 apiVersion: v2
 name: opa
-description: An OPA deployment to run alongside applications requiring authorization
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-version: 0.6.5
-appVersion: 0.59.0
-maintainers:
-  - name: garryod
-    email: "garry.o'donnell@diamond.ac.uk"
-dependencies:
-  - name: common
-    version: 2.23.0
-    repository: oci://docker.io/bitnamicharts
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.11.0-dev"

charts/opa/Chart.lock

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "opa.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "opa.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "opa.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "opa.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/opa/Chart.yaml

@@ -1,30 +1,62 @@
 {{/*
-Create the tag to be used to pull the chart
+Expand the name of the chart.
 */}}
-{{- define "opa.imageTag" -}}
-{{- if .Values.image.tagOverride }}
-{{- .Values.image.tagOverride }}
+{{- define "opa.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "opa.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
-{{- $version := default .Chart.AppVersion .Values.image.version }}
-{{- if .Values.image.envoy }}
-{{- print $version "-envoy" }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
-{{- $version }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 
 {{/*
-Determine the query port to be used
+Create chart name and version as used by the chart label.
 */}}
-{{- define "opa.queryPort" -}}
-{{- if .Values.portOverride }}
-{{- .Values.image.portOverride }}
-{{- else }}
-{{- if .Values.image.envoy }}
-{{- 9191 }}
-{{- else }}
-{{- 8181 }}
+{{- define "opa.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "opa.labels" -}}
+helm.sh/chart: {{ include "opa.chart" . }}
+{{ include "opa.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "opa.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "opa.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "opa.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "opa.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}

charts/opa/templates/NOTES.txt

@@ -1,98 +1,91 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "common.names.fullname" . }}
+  name: {{ include "opa.fullname" . }}
   labels:
-    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- include "opa.labels" . | nindent 4 }}
 spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
   selector:
     matchLabels:
-      {{- include "common.labels.matchLabels" . | nindent 6 }}
+      {{- include "opa.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- with .Values.podAnnotations }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/opa-config.yaml") . | sha256sum }}
-        {{- with .Values.podAnnotations }}
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       labels:
-        {{- include "common.labels.matchLabels" . | nindent 8 }}
+        {{- include "opa.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.serviceAccount.create }}
-      serviceAccountName: {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
-      {{- else }}
-      serviceAccountName: {{ default "default" .Values.serviceAccount.name }}
-      {{- end }}
+      serviceAccountName: {{ include "opa.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
-        - name: opa
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ include "opa.imageTag" . }}"
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - run
             - --server
             - --diagnostic-addr
             - 0.0.0.0:8282
+            - --addr
+            - 0.0.0.0:8181
             - --config-file
             - /etc/opa-config/config.yaml
             - --log-level
-            - {{ .Values.logLevel }}
-          {{- if .Values.envOverride }}
-          env:
-          {{- .Values.envOverride | toYaml | nindent 12 }}
-          {{- else if or .Values.orgData.bundlerSecret .Values.extraEnv }}
-          env:
-            {{- if and .Values.orgData.enabled .Values.orgData.bundlerSecret }}
-            - name: BUNDLER_BEARER_TOKEN
-              valueFrom:
-                secretKeyRef:
-                    name: {{ tpl .Values.orgData.bundlerSecret.name . }}
-                    key: {{ .Values.orgData.bundlerSecret.key }}
-            {{- end -}}
-            {{- if .Values.orgPolicy.enabled }}
-            {{- with .Values.orgPolicy.issuer }}
-            - name: ISSUER
-              value: {{ . }}
-            {{- end }}
-            {{- end }}
-            {{- if .Values.extraEnv }}
-              {{- .Values.extraEnv | toYaml | nindent 12 }}
-            {{- end }}
-          {{- end }}
-          volumeMounts:
-            - name: opa-config
-              mountPath: /etc/opa-config
+            - {{ default "info" .Values.logLevel }}
           ports:
-            - name: query
-              containerPort: {{ include "opa.queryPort" . }}
+            - name: http
+              containerPort: {{ .Values.service.port }}
               protocol: TCP
             - name: diagnostic
               containerPort: 8282
               protocol: TCP
+          {{- with .Values.livenessProbe }}
           livenessProbe:
-            httpGet:
-              path: /health
-              port: diagnostic
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
           readinessProbe:
-            httpGet:
-              path: /health
-              port: diagnostic
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: opa-config
+              mountPath: /etc/opa-config
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          env:
+            {{- toYaml .Values.extraEnvVars | nindent 12 }}
       volumes:
         - name: opa-config
           configMap:
-            name: opa-config
+            name: opa-config      
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/opa/templates/_helpers.tpl

@@ -1,15 +1,15 @@
-{{- if .Values.autoscaling.enabled -}}
+{{- if .Values.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: {{ include "common.names.fullname" . }}
+  name: {{ include "opa.fullname" . }}
   labels:
-    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- include "opa.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ include "common.names.fullname" . }}
+    name: {{ include "opa.fullname" . }}
   minReplicas: {{ .Values.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.autoscaling.maxReplicas }}
   metrics: