diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 96437def..d11a9a60 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -22,9 +22,6 @@ concurrency: permissions: contents: read -env: - HELM_VERSION: 3.9.2 # Also update in release.yaml - jobs: lint-charts: runs-on: ubuntu-latest @@ -37,9 +34,7 @@ jobs: fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@v3 - with: - version: ${{ env.HELM_VERSION }} + uses: azure/setup-helm@v4.2.0 - name: Set up Python uses: actions/setup-python@v4 @@ -50,7 +45,7 @@ jobs: uses: dcarbone/install-jq-action@v1.0.1 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.1.0 + uses: helm/chart-testing-action@v2.7.0 - name: Run chart-testing (list-changed) id: list-changed @@ -124,9 +119,7 @@ jobs: fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@v3 - with: - version: ${{ env.HELM_VERSION }} + uses: azure/setup-helm@v4.2.0 - name: Run unit tests run: | @@ -151,9 +144,7 @@ jobs: fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@v3 - with: - version: v3.8.2 + uses: azure/setup-helm@v4.2.0 - name: Set up yq uses: chrisdickinson/setup-yq@latest diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ddacec1c..257f5f86 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,9 +10,6 @@ on: concurrency: group: helm-release -env: - HELM_VERSION: 3.9.2 # Also update in lint-test.yaml - jobs: publish: permissions: @@ -25,9 +22,7 @@ jobs: fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@v3 - with: - version: ${{ env.HELM_VERSION }} + uses: azure/setup-helm@v4.2.0 - name: Configure Git run: | diff --git a/charts/internal-gateway/Chart.yaml b/charts/internal-gateway/Chart.yaml index c4c5fb5e..e818fa27 100644 --- a/charts/internal-gateway/Chart.yaml +++ b/charts/internal-gateway/Chart.yaml 
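Review bot: `uses: azure/setup-helm@v4.2.0` (and the same line in the other three Set up Helm steps) pins a mutable tag, and dropping the `with: version:` input means the action now installs whatever Helm it resolves as its default instead of the previously fixed 3.9.2, so lint and unit-test results can change without any commit to this repository. With `permissions: contents: read` this is mostly a reproducibility problem, but pinning by commit SHA is the usual supply-chain hardening: `uses: azure/setup-helm@<full-40-char-sha> # v4.2.0` together with an explicit `with: version: v3.x.y` restores a deterministic toolchain. The same applies to `helm/chart-testing-action@v2.7.0` in the next hunk.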
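Review bot: In the publish job the Helm version is now unpinned as well, and this is the job that packages and pushes charts, so the artifact that lands in the registry depends on whichever Helm the action resolves at run time. Releases should be reproducible: keep an explicit `with: version: ...` here (the removed comment "Also update in lint-test.yaml" suggests the two workflows were deliberately kept in lockstep), or pin both the action by commit SHA and a fixed Helm version in both files.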
@@ -2,7 +2,7 @@ apiVersion: v2 appVersion: v0.0.0 description: A Helm chart for Codefresh Internal Gateway name: internal-gateway -version: 0.9.0 +version: 0.10.0 home: https://github.com/codefresh-io/helm-charts keywords: - codefresh @@ -13,4 +13,4 @@ maintainers: dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts - version: "0.16.0" + version: "0.21.0" diff --git a/charts/internal-gateway/README.md b/charts/internal-gateway/README.md index 47bdf83d..91b52415 100644 --- a/charts/internal-gateway/README.md +++ b/charts/internal-gateway/README.md @@ -1,6 +1,6 @@ # internal-gateway -![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square) +![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square) A Helm chart for Codefresh Internal Gateway @@ -16,7 +16,7 @@ A Helm chart for Codefresh Internal Gateway | Repository | Name | Version | |------------|------|---------| -| oci://quay.io/codefresh/charts | cf-common | 0.16.0 | +| oci://quay.io/codefresh/charts | cf-common | 0.21.0 | ## Values 
@@ -33,7 +33,8 @@ A Helm chart for Codefresh Internal Gateway | global.dnsService | string | `"kube-dns"` | configures DNS service name | | hpa | object | See below | HPA parameters | | ingress | object | See below | Ingress parameters | -| libraryMode | bool | `true` | | +| keda.enabled | bool | `false` | | +| libraryMode | bool | `false` | | | nginx.config.accessLogEnabled | bool | `true` | Enables NGINX access logs | | nginx.config.errorLogLevel | string | `"error"` | Sets the log level of the NGINX error log. One of `debug`, `info`, `notice`, `warn`, `error`, `crit`, `alert`, or `emerg` | | nginx.config.file | string | See below | Config file contents for Nginx. Passed through the `tpl` function to allow templating. !! Moved into separate template at `templates/nginx/configmap.yaml` | 
@@ -44,12 +45,16 @@ A Helm chart for Codefresh Internal Gateway | nginx.config.locations | object | `{}` | Allow add custom locations | | nginx.config.logFormat | string | `"main escape=json '{ \"time\": \"$time_iso8601\", \"remote_addr\": \"$proxy_protocol_addr\", \"x-forward-for\": \"$proxy_add_x_forwarded_for\", \"remote_user\": \"$remote_user\", \"bytes_sent\": $bytes_sent, \"request_time\": $request_time, \"status\": $status, \"vhost\": \"$host\", \"request_proto\": \"$server_protocol\", \"path\": \"$uri\", \"request_query\": \"$args\", \"request_length\": $request_length, \"duration\": $request_time, \"method\": \"$request_method\", \"http_referrer\": \"$http_referer\", \"http_user_agent\": \"$http_user_agent\", \"http_x_github_delivery\": \"$http_x_github_delivery\", \"http_x_hook_uuid\": \"$http_x_hook_uuid\", \"metadata\": { \"correlationId\": \"$request_id\", \"service\": \"ingress\", \"time\": \"$time_iso8601\" } }';"` | NGINX log format | | nginx.config.resolver | string | `nil` | Allows to set a custom resolver | +| nginx.config.rootDirectives | object | `{"load_module":"modules/ngx_http_js_module.so"}` | Allows appending custom directives to the root block (map) | +| nginx.config.rootSnippet | string | `""` | Allows appending custom directives to the root block (string) | | nginx.config.serverDirectives | object | `{}` | Allows appending custom directives to the server block (map) | | nginx.config.serverSnippet | string | `""` | Allows appending custom configuration to the server block (string) | | nginx.config.verboseLogging | bool | `false` | Enable logging of 2xx and 3xx HTTP requests | | nginx.config.workerConnections | string | `"16384"` | Sets the maximum number of simultaneous connections that can be opened by a worker process. | | nginx.config.workerProcesses | string | `"8"` | Defines the number of worker processes. 
| | nginx.config.workerRlimitNofile | string | `"1047552"` | Changes the limit on the largest size of a core file (RLIMIT_CORE) for worker processes. Used to increase the limit without restarting the main process. | +| nginx.extraConfigsPatterns[0] | string | `"files/conf.d/**"` | | +| nginx.scriptFilesPatterns | list | `["files/njs/**"]` | Path to NJS scripts | | pdb | object | See below | PDB parameters | | podAnnotations | object | See below | Pod annotations | | podSecurityContext | object | See below | Pod Security Context parameters | diff --git a/charts/internal-gateway/files/conf.d/s3-gateway.conf b/charts/internal-gateway/files/conf.d/s3-gateway.conf new file mode 100644 index 00000000..1a24fd0b --- /dev/null +++ b/charts/internal-gateway/files/conf.d/s3-gateway.conf 
@@ -0,0 +1,41 @@
+{{- $vals := include "internal-gateway.default-values" . | fromYaml -}}
+{{- $mergedValues := mergeOverwrite $vals .Values -}}
+{{- $_ := set . "Values" $mergedValues -}}
+server {
+ listen 8080;
+ server_name {{ index $vals "codefresh" "serviceEndpoints" "workflow-logs-s3-proxy" "domain" }};
+
+ js_import scripts/auth.js;
+ location ~ /(.+) {
+ client_body_buffer_size 32k;
+ client_max_body_size 10M;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 128k;
+ proxy_connect_timeout 5s;
+ proxy_read_timeout 60s;
+ proxy_send_timeout 60s;
+
+ auth_request /api/auth/authenticate;
+ auth_request_set $auth_entity $upstream_http_x_cf_auth_entity;
+
+ js_set $account_id auth.account_id;
+
+ proxy_pass http://{{ index $vals "codefresh" "serviceEndpoints" "workflow-logs-s3-proxy" "svc" }}:{{ index $vals "codefresh" "serviceEndpoints" "workflow-logs-s3-proxy" "port" }}/logs/$account_id/$1;
+ }
+
+ location = /api/auth/authenticate {
+ client_body_buffer_size 32k;
+ client_max_body_size 10M;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 128k;
+ proxy_connect_timeout 5s;
+ proxy_read_timeout 60s;
+ proxy_send_timeout 60s;
+
+ js_set $auth_header auth.setAuthHeader;
+
+ proxy_set_header Authorization $auth_header;
+
+ proxy_pass http://{{ index $vals "codefresh" "serviceEndpoints" "cfapi-auth" "svc" }}:{{ index $vals "codefresh" "serviceEndpoints" "cfapi-auth" "port" }};
+ }
+}
diff --git a/charts/internal-gateway/files/njs/auth.js b/charts/internal-gateway/files/njs/auth.js
new file mode 100644
index 00000000..81ebae1c
--- /dev/null
+++ b/charts/internal-gateway/files/njs/auth.js
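Review bot: The `location = /api/auth/authenticate` block is an ordinary, externally reachable location, so any client of this vhost can call the auth endpoint directly and have its `Authorization` header rewritten by `auth.setAuthHeader` on the way to cfapi-auth; since it exists only to back `auth_request`, it should be marked `internal;`. The subrequest also inherits the main request's `Content-Length` while carrying no body, which can stall the auth backend on uploads (`client_max_body_size 10M` suggests PUTs are expected); the standard pairing is `proxy_pass_request_body off;` plus `proxy_set_header Content-Length "";`. Separately, `proxy_pass .../logs/$account_id/$1` is a tenant boundary only while `$account_id` is non-empty: `auth.account_id` returns `""` on any parse failure, which yields `/logs//$1` upstream, and if the S3 proxy collapses duplicate slashes the caller-controlled `$1` becomes the account segment — that fallback needs to fail closed (see the auth.js hunk). Note too that `{{- $_ := set . "Values" $mergedValues -}}` mutates the root context handed in by `tpl`, so every template rendered after this file sees the merged `.Values`; if that is intended it deserves a comment.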
@@ -0,0 +1,28 @@
+function account_id(r) {
+ try {
+ const auth_entity = r.variables["auth_entity"];
+ const b64decoded = Buffer.from(auth_entity, 'base64');
+ const json = JSON.parse(b64decoded);
+ const account_id = json.account.id;
+
+ return account_id;
+ } catch (e) {
+ r.error('Failed to extract account id', e);
+ return "";
+ }
+}
+
+
+function setAuthHeader(r) {
+ let auth = r.headersIn['authorization'];
+ if (auth) {
+ // Look for the pattern: Credential=/...
+ let matches = auth.match(/Credential=([^\/]+)\//);
+ if (matches && matches.length > 1) {
+ return matches[1];
+ }
+ }
+ return "";
+}
+
+export default { account_id, setAuthHeader };
\ No newline at end of file
diff --git a/charts/internal-gateway/templates/_components/_configmap.tpl b/charts/internal-gateway/templates/_components/_configmap.tpl
index 49160985..040a90e9 100644
--- a/charts/internal-gateway/templates/_components/_configmap.tpl
+++ b/charts/internal-gateway/templates/_components/_configmap.tpl
@@ -19,6 +19,14 @@ data:
 pid /tmp/nginx.pid;
 worker_rlimit_nofile {{ $nginxConfig.workerRlimitNofile }};
+ {{- with $nginxConfig.rootSnippet }}
+ {{ . | nindent 4 }}
+ {{- end }}
+
+ {{- range $key, $val := $nginxConfig.rootDirectives }}
+ {{ printf "%s %s;" $key $val }}
+ {{- end }}
+
 events {
 worker_connections {{ $nginxConfig.workerConnections }};
 }
@@ -117,5 +125,6 @@ data:
 {{- end }}
 {{- end }}
 }
+ include /etc/nginx/conf.d/*.conf;
 }
 {{- end }}
diff --git a/charts/internal-gateway/templates/_default_values.tpl b/charts/internal-gateway/templates/_default_values.tpl
index c86af24a..515d9d70 100644
--- a/charts/internal-gateway/templates/_default_values.tpl
+++ b/charts/internal-gateway/templates/_default_values.tpl
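Review bot: `account_id` returns `""` whenever `auth_entity` is missing or malformed, which turns the upstream path built in s3-gateway.conf into `/logs//<caller path>` — a request that passed `auth_request` but carries an unreadable `x-cf-auth-entity` is still proxied, with the caller's own path sitting where the tenant id should be. The id is spliced into a URL path, so it should be validated against the expected format (at minimum reject `/`, `.` and empty values) and a failure should yield something the upstream can never map to a real tenant rather than `""`; denying outright at nginx would need a `js_content`/access-phase handler, because an `if ($account_id = "")` runs in the rewrite phase before `auth_request` has populated `$auth_entity`. Two smaller things: `r.error('Failed to extract account id', e)` — njs `r.error()` takes a single string, so `e` is silently dropped; concatenate it. And `setAuthHeader` forwards only the access-key id from `Credential=<key>/…`, so the SigV4 signature is never verified at this layer — document that with `// Only the Credential access key id is forwarded; the SigV4 signature is not checked here, so the key acts as a bearer token.`
```javascript
// Tighten to the real id format (e.g. /^[0-9a-f]{24}$/ if ids are ObjectIds); must reject '/', '.' and ''.
const ACCOUNT_ID_RE = /^[A-Za-z0-9_-]+$/;

function account_id(r) {
    try {
        const auth_entity = r.variables["auth_entity"];
        const json = JSON.parse(Buffer.from(auth_entity, 'base64').toString());
        const id = json.account.id;
        if (typeof id !== 'string' || !ACCOUNT_ID_RE.test(id)) {
            throw new Error('account id missing or malformed');
        }
        return id;
    } catch (e) {
        r.error('Failed to extract account id: ' + e);
        // Never fall back to "" (that yields /logs//<path> upstream); a value that
        // fails ACCOUNT_ID_RE cannot collide with a real tenant segment.
        return '!unauthenticated';
    }
}
// … unchanged: setAuthHeader, export default …
```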
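Review bot: `rootDirectives` is rendered from a map, so a directive can appear at most once; a second `load_module` (or any repeated root-level directive) cannot be expressed there and must go through `rootSnippet`, which the values comments do not say. Add to the `rootDirectives` comment in values.yaml something like `# Map keys are unique; use rootSnippet for repeated directives (e.g. a second load_module).`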
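Review bot: `include /etc/nginx/conf.d/*.conf;` is unconditional, and because the values change narrows the `config` mount from `/etc/nginx` to `subPath: nginx.conf`, the glob now also picks up whatever the base image ships in `conf.d` — for a stock nginx image that is `default.conf` with its own port-80 `server_name localhost` block. Either keep that directory fully under the chart's control (mount the `extra-configs` ConfigMap over it) or include a chart-owned sub-path such as `include /etc/nginx/conf.d/extra/*.conf;` so image-provided files cannot leak into the rendered configuration.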
@@ -58,4 +58,8 @@ codefresh: jira-addon: svc: '{{ .Release.Name }}-{{ index .Values.codefresh "jira-addon-svc" }}.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}' port: {{ index .Values.codefresh "jira-addon-port" }} + workflow-logs-s3-proxy: + domain: logs.sandbox-1.codefresh.io + svc: '{{ .Release.Name }}-{{ index .Values.codefresh "workflow-logs-s3-proxy-svc" }}.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}' + port: {{ index .Values.codefresh "workflow-logs-s3-proxy-port" }} {{- end }} diff --git a/charts/internal-gateway/templates/_location_map.tpl b/charts/internal-gateway/templates/_location_map.tpl index 55c0e291..186bcef1 100644 --- a/charts/internal-gateway/templates/_location_map.tpl +++ b/charts/internal-gateway/templates/_location_map.tpl 
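Review bot: `domain: logs.sandbox-1.codefresh.io` is a literal, unlike the `svc`/`port` lines beside it that read `.Values.codefresh`; the new `workflow-logs-s3-proxy-domain` key in values.yaml is therefore never consulted, and the rendered `server_name` in s3-gateway.conf is a sandbox hostname unless overridden via `codefresh.serviceEndpoints`. Change it to `domain: '{{ index .Values.codefresh "workflow-logs-s3-proxy-domain" }}'`, and consider a neutral placeholder default instead of a real environment's hostname so a missing override is obvious rather than quietly pointing at sandbox-1.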
@@ -26,78 +26,8 @@ locationDirectives: proxy_read_timeout: "60s" {{- end }} -{{- define "internal-gateway.platform-endpoints-defaults" }} -serviceEndpoints: - cfapi-auth: - svc: cfapi-auth - port: 80 - cfapi-endpoints: - svc: cfapi-endpoints - port: 80 - cfapi-environments: - svc: cfapi-environments - port: 80 - cfapi-downloadlogmanager: - svc: cfapi-downloadlogmanager - port: 80 - cfapi-gitops-resource-receiver: - svc: cfapi-gitops-resource-receiver - port: 80 - cfapi-test-reporting: - svc: cfapi-test-reporting - port: 80 - cfapi-kubernetesresourcemonitor: - svc: cfapi-kubernetesresourcemonitor - port: 80 - cfapi-kubernetes-endpoints: - svc: cfapi-kubernetes-endpoints - port: 80 - cfapi-admin: - svc: cfapi-admin - port: 80 - cfapi-teams: - svc: cfapi-teams - port: 80 - cfapi-ws: - svc: cfapi-ws - port: 80 - cfui: - svc: cfui - port: 80 - argo-platform-api-graphql: - svc: argo-platform-api-graphql - port: 80 - argo-platform-api-events: - svc: argo-platform-api-events - port: 80 - argo-platform-broadcaster: - svc: argo-platform-broadcaster - port: 80 - argo-platform-ui: - svc: argo-platform-ui - port: 4200 - argo-hub: - svc: argo-hub-platform - port: 80 - nomios: - svc: nomios - port: 80 - jira-addon: - svc: cf-jira-addon - port: 9000 -{{- end }} - -{{- define "internal-gateway.platform-endpoints" }} -{{- $endpointDefaults := include "internal-gateway.platform-endpoints-defaults" . | fromYaml}} -{{- $mergedEndpoints := deepCopy $endpointDefaults }} - {{- if .Values.codefresh.serviceEndpoints }} - {{- $mergedEndpoints = mergeOverwrite $endpointDefaults .Values.codefresh }} - {{- end }} -{{ $mergedEndpoints | toYaml }} -{{- end }} - -{{- define "internal-gateway.nginx-config-defaults"}} - {{- $endpoints := include "internal-gateway.platform-endpoints" . | fromYaml }} +{{- define "internal-gateway.nginx-config-defaults" }} + {{- $endpoints := .Values.codefresh }} {{- $presets := include "internal-gateway.location-presets" . 
| fromYaml }} {{- $_ := set $presets "locationDirectives" (mergeOverwrite $presets.locationDirectives .Values.nginx.config.locationDirectives) }} nginx: @@ -353,7 +283,7 @@ nginx: {{- end }} {{- define "internal-gateway.nginx-config" }} -{{- $configDefaults := include "internal-gateway.nginx-config-defaults" . | fromYaml}} +{{- $configDefaults := include "internal-gateway.nginx-config-defaults" . | fromYaml }} {{- $mergedConfig := deepCopy $configDefaults }} {{- if .Values.nginx }} {{- $mergedConfig = mergeOverwrite $configDefaults .Values }} diff --git a/charts/internal-gateway/templates/extra-configs.yaml b/charts/internal-gateway/templates/extra-configs.yaml new file mode 100644 index 00000000..d0badfd0 --- /dev/null +++ b/charts/internal-gateway/templates/extra-configs.yaml @@ -0,0 +1,13 @@ +{{- if not .Values.libraryMode }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "internal-gateway.fullname" . }}-extra-configs +data: + {{- $rootContext := $ }} + {{- range $globPattern := $rootContext.Values.nginx.extraConfigsPatterns }} + {{- range $path, $_ := $rootContext.Files.Glob $globPattern }} + {{ base $path }}: {{ tpl ($rootContext.Files.Get $path) $rootContext | toYaml | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/internal-gateway/templates/njs-scripts.yaml b/charts/internal-gateway/templates/njs-scripts.yaml new file mode 100644 index 00000000..ada6dcdc --- /dev/null +++ b/charts/internal-gateway/templates/njs-scripts.yaml @@ -0,0 +1,13 @@ +{{- if not .Values.libraryMode }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "internal-gateway.fullname" . }}-njs-scripts +data: + {{- $rootContext := . }} + {{- range $globPattern := $rootContext.Values.nginx.scriptFilesPatterns }} + {{- range $path, $_ := $rootContext.Files.Glob $globPattern }} + {{ base $path }}: {{ $rootContext.Files.Get $path | toYaml | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} 
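Review bot: `{{- $endpoints := .Values.codefresh }}` replaces the previously merged defaults with raw values, so `nginx-config-defaults` now renders correct `proxy_pass` targets only when the caller has already swapped `.Values` for the output of `internal-gateway.default-values` (the `set . "Values"` pattern seen in s3-gateway.conf); in values.yaml the `serviceEndpoints` entries are empty maps, so a template that calls this helper before that substitution would render `http://:` upstreams. State that precondition at the top of the define, e.g. `{{/* requires .Values to already be merged with internal-gateway.default-values */}}`. The define's body continues past the end of this hunk.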
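Review bot: The ConfigMap keys are `{{ base $path }}`, so two files with the same basename matched by different `extraConfigsPatterns` entries silently overwrite each other (the last glob match wins) and the loser never reaches the container. Either key by the path relative to `files/conf.d` or note the constraint in the values comment, e.g. `# Files are keyed by basename: names must be unique across all patterns.`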
diff --git a/charts/internal-gateway/values.yaml b/charts/internal-gateway/values.yaml index 0c4746b3..00f35d5d 100644 --- a/charts/internal-gateway/values.yaml +++ b/charts/internal-gateway/values.yaml @@ -1,6 +1,6 @@ # Defines if library mode is used for the chart. No templates are generated when using this mode. # Added to support usage in Codefresh On-Premise Helm chart -libraryMode: true +libraryMode: false # -- Codefresh platform settings # List of services endpoints and port @@ -63,6 +63,10 @@ codefresh: jira-addon-svc: cf-jira-addon jira-addon-port: 9000 + workflow-logs-s3-proxy-domain: logs.sandbox-1.codefresh.io + workflow-logs-s3-proxy-svc: workflow-logs-s3-proxy + workflow-logs-s3-proxy-port: 80 + # -- Override defaults here! serviceEndpoints: cfapi-auth: {} @@ -128,6 +132,11 @@ nginx: errorLogLevel: error # -- Enables NGINX access logs accessLogEnabled: true + # -- Allows appending custom directives to the root block (string) + rootSnippet: "" + # -- Allows appending custom directives to the root block (map) + rootDirectives: + load_module: modules/ngx_http_js_module.so # -- Allows appending custom configuration to the server block (string) serverSnippet: "" # -- Allows appending custom directives to the server block (map) @@ -148,6 +157,11 @@ nginx: # !! Moved into separate template at `templates/nginx/configmap.yaml` # @default -- See below file: "" + # -- Path to NJS scripts + scriptFilesPatterns: + - files/njs/** + extraConfigsPatterns: + - files/conf.d/** # -- Misc signadot configuration signadot: false @@ -192,7 +206,14 @@ container: volumeMounts: config: path: - - mountPath: /etc/nginx + - mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + # extra-configs: + # path: + # - mountPath: /etc/nginx/conf.d + njs-scripts: + path: + - mountPath: /etc/nginx/scripts resources: requests: 
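Review bot: Flipping `libraryMode` from `true` to `false` changes what a dependent chart gets by default: a consumer that pulled this chart as a library and never set the key will, after upgrading to 0.10.0, suddenly render Deployment/Service/ConfigMap resources. If the on-prem chart sets `libraryMode: true` explicitly this is harmless, but the bump is only a minor version and neither README nor Chart.yaml calls the change out; mention it in the chart's changelog or release notes.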
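Review bot: The `extra-configs` mount is commented out (`# extra-configs: # path: # - mountPath: /etc/nginx/conf.d`) while the matching volume is enabled in the next hunk and `nginx.conf` now includes `/etc/nginx/conf.d/*.conf`, so in this chart's own deployment `files/conf.d/s3-gateway.conf` is rendered into a ConfigMap that is never mounted and the new auth path is not live. Either uncomment the mount or drop the volume and the `extraConfigsPatterns` default until it is meant to be wired up; half-enabling it makes it hard to tell whether the S3 gateway server block is in effect. Narrowing `config` to `subPath: nginx.conf` is sensible, but `subPath` mounts do not receive ConfigMap updates, so a config change now needs a pod restart (e.g. a checksum annotation) to take effect.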
@@ -260,6 +281,12 @@ volumes: config: enabled: true type: configMap + extra-configs: + enabled: true + type: configMap + njs-scripts: + enabled: true + type: configMap # -- HPA parameters # @default -- See below @@ -301,3 +328,6 @@ serviceAccount: # @default -- See below rbac: enabled: false + +keda: + enabled: false diff --git a/scripts/helm-docs.sh b/scripts/helm-docs.sh index 2e7312ef..2b88c33a 100755 --- a/scripts/helm-docs.sh +++ b/scripts/helm-docs.sh @@ -6,6 +6,7 @@ echo "$REPO_ROOT" echo "Running Helm-Docs" docker run \ + --rm \ -v "$REPO_ROOT:/helm-docs" \ -u $(id -u) \ --entrypoint /bin/sh \