Merge pull request #3 from linuxfoundation/bramwelt/httproute

[LFXV2 - 135] Replace Ingress resource with HTTPRoute + Chart Updates

Author: bramwelt

.github/workflows/license-header-check.yml

@@ -13,7 +13,7 @@ permissions:
 jobs:
   license-header-check:
     name: License Header Check
-    uses: linuxfoundation/lfx-public-workflows/.github/workflows/license-header-check.yml@main
+    uses: linuxfoundation/lfx-public-workflows/.github/workflows/license-header-check.yml@c465d6571fa0b8be9d551d902955164ea04a00af
     with:
       copyright_line: "Copyright The Linux Foundation and each contributor to LFX."
       exclude_pattern: "gen/*"

.yamllint.yml

@@ -1,7 +1,7 @@
 # YAML Lint configuration
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
-
+---
 extends: default
 
 rules:
@@ -21,7 +21,7 @@ rules:
 
   # Document start
   document-start:
-    present: false
+    present: true
 
   # Empty lines
   empty-lines:
@@ -49,6 +49,6 @@ rules:
 # Ignore certain files
 ignore: |
   .github/workflows/
-  charts/*/templates/
+  charts/*/templates/**
   vendor/
   node_modules/

README.md

@@ -118,7 +118,7 @@ The service is configured via environment variables:
 | `PORT` | Server port | `8080` |
 | `DEBUG` | Enable debug logging | `false` |
 | `JWKS_URL` | Heimdall JWKS endpoint | `http://heimdall:4457/.well-known/jwks` |
-| `AUDIENCE` | JWT audience | `access-check` |
+| `AUDIENCE` | JWT audience | `lfx-v2-access-check` |
 | `ISSUER` | JWT issuer | `heimdall` |
 | `NATS_URL` | NATS server URL | `nats://nats:4222` |
 

charts/lfx-v2-access-check/Chart.yaml

@@ -1,6 +1,6 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
-
+---
 apiVersion: v2
 name: lfx-v2-access-check
 description: LFX Platform V2 Access Check Service chart

charts/lfx-v2-access-check/templates/deployment.yaml

@@ -5,7 +5,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: lfx-v2-access-check
-  namespace: lfx
+  namespace: {{ .Release.Namespace }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -19,13 +19,13 @@ spec:
       containers:
         - name: app
           image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-          imagePullPolicy: Never
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
-            - containerPort: {{ .Values.app.port }}
+            - containerPort: {{ .Values.app.port | int }}
               name: web
           env:
             - name: PORT
-              value: {{ .Values.app.port }}
+              value: "{{ .Values.app.port }}"
             - name: HOST
               value: "{{ .Values.app.host }}"
             - name: DEBUG

charts/lfx-v2-access-check/templates/httproute.yaml

@@ -0,0 +1,35 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+{{- if .Values.traefik.enabled }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: lfx-v2-access-check
+  namespace: {{ .Release.Namespace }}
+spec:
+  parentRefs:
+    - name: {{ .Values.traefik.gateway.name }}
+      namespace: {{ .Values.traefik.gateway.namespace }}
+  hostnames:
+    - "lfx-api.{{ .Values.lfx.domain }}"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /access-check
+        - path:
+            type: PathPrefix
+            value: /access-check/
+      {{- if .Values.heimdall.enabled }}
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: heimdall
+      {{- end }}
+      backendRefs:
+        - name: lfx-v2-access-check
+          port: {{ .Values.app.port | int }}
+{{- end }}

charts/lfx-v2-access-check/templates/ingress.yaml

@@ -1,28 +1,14 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
-
+{{- if .Values.heimdall.enabled }}
 ---
 apiVersion: heimdall.dadrus.github.com/v1alpha4
 kind: RuleSet
 metadata:
   name: lfx-v2-access-check
-  namespace: lfx
+  namespace: {{ .Release.Namespace }}
 spec:
   rules:
-    - id: "rule:lfx-v2-access-check:health"
-      match:
-        methods:
-          - GET
-        routes:
-          - path: /livez
-          - path: /readyz
-      execute:
-        - authenticator: anonymous_authenticator
-        - authorizer: allow_all
-        - finalizer: create_jwt
-          config:
-            values:
-              aud: lfx-v2-access-check
     - id: "rule:lfx-v2-access-check:access-check"
       match:
         methods:
@@ -35,4 +21,5 @@ spec:
         - finalizer: create_jwt
           config:
             values:
-              aud: lfx-v2-access-check
+              aud: {{ .Values.app.audience }}
+{{- end }}

charts/lfx-v2-access-check/templates/ruleset.yaml

@@ -1,15 +1,15 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
-
+---
 apiVersion: v1
 kind: Service
 metadata:
   name: lfx-v2-access-check
-  namespace: lfx
+  namespace: {{ .Release.Namespace }}
 spec:
   ports:
     - name: web
-      port: 8080
+      port: {{ .Values.app.port | int }}
       targetPort: web
   selector:
     app: lfx-v2-access-check

charts/lfx-v2-access-check/templates/service.yaml

@@ -1,27 +1,34 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
-
+---
 replicaCount: 1
 
+lfx:
+  domain: k8s.orb.local
+
 # Override from CLI/CI: --set image.tag=<git-sha>, etc.
 image:
   tag: "0.1.0"
   repository: linuxfoundation/lfx-access-check
+  pullPolicy: IfNotPresent
 
 # Application configuration
 app:
   # Server configuration
-  port: "8080"
+  port: 8080
   host: "*"
   debug: false
 
   # JWT/Auth configuration
-  audience: "access-svc"
+  audience: "lfx-v2-access-check"
   issuer: "heimdall"
 
-# ingress is the configuration for the ingress routing
-ingress:
-  hostname: lfx-api.k8s.orb.local
+# HTTP routing configuration
+traefik:
+  enabled: true
+  gateway:
+    name: lfx-platform-gateway
+    namespace: lfx
 
 # nats is the configuration for the NATS server
 nats:
@@ -31,4 +38,4 @@ nats:
 # heimdall is the configuration for the heimdall middleware
 heimdall:
   enabled: true
-  url: http://heimdall.lfx.svc.cluster.local:4456
+  url: http://lfx-platform-heimdall.lfx.svc.cluster.local:4456