diff --git a/charts/apps/Chart.yaml b/charts/apps/Chart.yaml index 3fb96010..a8b3f7fe 100644 --- a/charts/apps/Chart.yaml +++ b/charts/apps/Chart.yaml @@ -2,4 +2,4 @@ apiVersion: v2 name: authz description: ArgoCD Apps used to deploy Authorization infrastructure type: application -version: 0.3.0 +version: 0.4.0 diff --git a/charts/apps/templates/opa-authn-app.yaml b/charts/apps/templates/opa-authn-app.yaml new file mode 100644 index 00000000..b36d8655 --- /dev/null +++ b/charts/apps/templates/opa-authn-app.yaml @@ -0,0 +1,28 @@ +{{ if .Values.opa-authn.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: opa-authn + namespace: {{ .Release.Namespace }} + finalizers: + - resources-finalizer.argocd.arogproj.io +spec: + project: {{ default .Release.Namespace .Values.project }} + source: + repoURL: {{ .Values.opa-authn.repoUrl }} + targetRevision: {{ .Values.opa-authn.targetRevision }} + path: {{ .Values.opa-authn.path }} + {{- if .Values.opa-authn.valuesObject }} + helm: + valuesObject: + {{ .Values.opa-authn.valuesObject | toYaml | nindent 10 }} + {{- end }} + destination: + name: {{ .Values.destination.name }} + server: {{ .Values.destination.server }} + namespace: {{ default .Release.Namespace .Values.destination.namespace }} + syncPolicy: + automated: + prune: true + selfHeal: true +{{- end }} diff --git a/charts/apps/templates/opa-app.yaml b/charts/apps/templates/opa-id-app.yaml similarity index 65% rename from charts/apps/templates/opa-app.yaml rename to charts/apps/templates/opa-id-app.yaml index f46a6c87..e623e9ec 100644 --- a/charts/apps/templates/opa-app.yaml +++ b/charts/apps/templates/opa-id-app.yaml 
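Review bot: The new `opa-authn-app.yaml` cannot render: `{{ if .Values.opa-authn.enabled }}` and the five other `.Values.opa-authn.*` lookups put a `-` inside a Go-template field access, which the template parser rejects (a field name may not contain `-`), so `helm template` / Argo CD fails on this file before any Application is created. Either give the values key a field-safe name (`opaAuthn`) or keep `opa-authn` and bind it once with `{{- $opaAuthn := index .Values "opa-authn" -}}` above the `if`, then use `$opaAuthn.enabled`, `$opaAuthn.repoUrl`, `$opaAuthn.targetRevision`, `$opaAuthn.path` and `$opaAuthn.valuesObject` in place of the dotted lookups. The added finalizer `resources-finalizer.argocd.arogproj.io` is also misspelled (`arogproj` for `argoproj`); Argo CD will not recognise it, so deleting the Application will neither cascade to the deployed resources nor clear the finalizer, and the object will most likely sit pending deletion until someone removes it by hand — it should read `- resources-finalizer.argocd.argoproj.io`.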
@@ -1,21 +1,21 @@ -{{ if .Values.opa.enabled }} +{{ if .Values.opa-id.enabled }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: opa + name: opa-id namespace: {{ .Release.Namespace }} finalizers: - resources-finalizer.argocd.arogproj.io spec: project: {{ default .Release.Namespace .Values.project }} source: - repoURL: {{ .Values.opa.repoUrl }} - targetRevision: {{ .Values.opa.targetRevision }} - path: {{ .Values.opa.path }} - {{- if .Values.opa.valuesObject }} + repoURL: {{ .Values.opa-id.repoUrl }} + targetRevision: {{ .Values.opa-id.targetRevision }} + path: {{ .Values.opa-id.path }} + {{- if .Values.opa-id.valuesObject }} helm: valuesObject: - {{ .Values.opa.valuesObject | toYaml | nindent 10 }} + {{ .Values.opa-id.valuesObject | toYaml | nindent 10 }} {{- end }} destination: name: {{ .Values.destination.name }} diff --git a/charts/apps/values.yaml b/charts/apps/values.yaml index 4a864e5d..2b8e2ae8 100644 --- a/charts/apps/values.yaml +++ b/charts/apps/values.yaml @@ -50,7 +50,7 @@ bundler: - path: /bundle.tar.gz pathType: Prefix -opa: +opa-authn: enabled: true repoUrl: https://github.com/DiamondLightSource/authz.git targetRevision: HEAD 
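Review bot: Renaming the lookups from `.Values.opa.*` to `.Values.opa-id.*` turns a working field access into a template parse error, because Go templates do not accept `-` in a field name; every changed line in this hunk (the `if`, `repoURL`, `targetRevision`, `path`, the `valuesObject` guard and the `toYaml` call) is affected, so the renamed `opa-id` Application will never be produced. Bind the map once with `{{- $opaId := index .Values "opa-id" -}}` above the `if` and use `$opaId.enabled`, `$opaId.repoUrl`, and so on, or choose a field-safe key such as `opaId` in values.yaml. The pre-existing `resources-finalizer.argocd.arogproj.io` typo on the context line is carried over unchanged; since it decides whether deleting the Application cascades, it is worth correcting to `argoproj.io` in the same change. The end of this template (the `destination`/`syncPolicy` stanza) lies outside the hunk.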
@@ -111,3 +111,65 @@ opa: limits: cpu: 1000m memory: 2Gi + +opa-id: + enabled: true + repoUrl: https://github.com/DiamondLightSource/authz.git + targetRevision: HEAD + path: charts/opa + valuesObject: + + env: + - name: BUNDLER_BEARER_TOKEN + valueFrom: + secretKeyRef: + name: token-authorization + key: bearer + - name: ISSUER + value: https://identity.diamond.ac.uk/realms/dls + + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 10 + targetMemoryUtilizationPercentage: 80 + + ingress: + enabled: true + hosts: + - host: authz.diamond.ac.uk + paths: + - path: /id + pathType: Prefix + + config: + services: + diamond-bundler: + url: https://authz.diamond.ac.uk + credentials: + bearer: + token: ${BUNDLER_BEARER_TOKEN} + ghcr: + url: https://ghcr.io + type: oci + bundles: + diamond-permissionables: + service: diamond-bundler + resource: bundle.tar.gz + polling: + min_delay_seconds: 10 + max_delay_seconds: 60 + diamond-policies: + service: ghcr + resource: ghcr.io/diamondlightsource/authz-policy:0.0.16 + polling: + min_delay_seconds: 30 + max_delay_seconds: 120 + + resources: + requests: + cpu: 1000m + memory: 2Gi + limits: + cpu: 1000m + memory: 2Gi
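Review bot: The new `opa-id` entry sets `targetRevision: HEAD` for the chart that deploys the identity-facing OPA, while the Application template it feeds syncs with `automated: {prune: true, selfHeal: true}`, so any commit landing on the authz repo's default branch is rolled out to an authorization service with no pinning or review gate; I would pin it to a release tag or commit SHA, e.g. `targetRevision: "<release tag or SHA>"`. Likewise `resource: ghcr.io/diamondlightsource/authz-policy:0.0.16` pins the policy bundle only by a mutable OCI tag; if the OPA OCI downloader in use accepts digest references, `authz-policy@sha256:<digest>` would make the loaded policy immutable and auditable. Note also that this key is consumed by the template through dot-access (`.Values.opa-id.*`), which Go templates cannot parse with a hyphen — either rename it `opaId` here or switch the template to `index`, but the two files must agree. The `BUNDLER_BEARER_TOKEN` wiring through `secretKeyRef` and `${BUNDLER_BEARER_TOKEN}` substitution keeps the secret out of the chart, which is the right pattern.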