diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3b0d9cb8..b27926a4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -71,7 +71,7 @@ env: AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} - AZCLIVERSION: 2.63.0 # https://github.com/Azure/azure-cli/issues/29828 + AZCLIVERSION: 2.73.0 # https://github.com/Azure/azure-cli/issues/29828 ParamFilePath: ".github/parameters.json" DEPNAME: "dep${{ github.run_number }}" diff --git a/bicep/main.bicep b/bicep/main.bicep index a5d0af57..513276dc 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -158,7 +158,7 @@ var configuration = { } var rg_unique_id = '${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' - +var dnsName = uniqueString(resourceGroup().id, configuration.name) /* __ _______ _______ .__ __. .___________. __ .___________.____ ____ @@ -605,7 +605,7 @@ var vaultSecrets = [ module keyvault 'br/public:avm/res/key-vault/vault:0.11.2' = { name: '${configuration.name}-keyvault' params: { - name: length(name) > 24 ? substring(name, 0, 24) : name + name: length(name) > 17 ? substring(name, 0, 17) : name location: location enableTelemetry: enableTelemetry @@ -940,7 +940,7 @@ module gitOpsUpload 'br/public:avm/res/resources/deployment-script:0.5.1' = [for runOnce: true managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ stampIdentity.outputs.resourceId ] } @@ -1051,6 +1051,8 @@ module configBlade 'modules/blade_configuration.bicep' = { location: location + dnsName: dnsName + osduVersion: clusterSoftware.osduVersion == '' ? 'master' : clusterSoftware.osduVersion enableSoftwareLoad: clusterSoftware.enable == 'false' ? false : true enableOsduCore: clusterSoftware.osduCore == 'false' ? false : true diff --git a/bicep/main.parameters.json b/bicep/main.parameters.json index e1cfbced..b9f6fcb4 100644 
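Review bot: `var dnsName = uniqueString(resourceGroup().id, configuration.name)` ends up applied verbatim as the public IP's DNS name label (the chart's configure-dns.sh in this diff sets `DNS_LABEL="${DNS_NAME}"` and runs `az network public-ip update ... --dns-name $DNS_LABEL`), but uniqueString() can yield a 13-character value that begins with a digit, and I believe Azure requires a domain name label to start with a letter, so some deployments would fail at that step with no hint back here. Prefixing a fixed letter string keeps the value deterministic and valid, e.g. `var dnsName = 'osdu${uniqueString(resourceGroup().id, configuration.name)}'`. A comment on the line saying this is the DNS label for the external ingress public IP would also help, since the name alone does not say where it is consumed.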
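Review bot: Changing the Key Vault name truncation from 24 to 17 characters changes the vault's resource name for any `name` longer than 17 characters, so a redeploy over an existing environment would presumably create a second vault rather than update the one holding the entries in `vaultSecrets`, leaving references to the old name stale. The figure 17 is also unexplained, so it invites being "fixed" back to 24; a comment such as `// Key Vault names are limited to 24 chars; truncate to 17 because <reason for the 7-char headroom>` (with the real reason filled in) would prevent that. The `keyvault` module body continues outside the hunk.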
--- a/bicep/main.parameters.json +++ b/bicep/main.parameters.json @@ -2,6 +2,9 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { + "location": { + "value": "${AZURE_LOCATION}" + }, "applicationClientId": { "value": "${AZURE_CLIENT_ID}" }, diff --git a/bicep/modules/blade_configuration.bicep b/bicep/modules/blade_configuration.bicep index 546f2014..6d96b6bc 100644 --- a/bicep/modules/blade_configuration.bicep +++ b/bicep/modules/blade_configuration.bicep @@ -11,6 +11,9 @@ param location string @description('The tags to apply to the resources') param tags object = {} +@description('The unique identifier for the deployment') +param dnsName string + @description('The name of the Key Vault where the secret exists') param kvName string @@ -407,6 +410,9 @@ values.yaml: | appOid: {7} resourceGroup: {8} storageAccountName: {11} + subscription: {12} + aksName: {13} + dnsName: {14} ingress: internalGateway: enabled: {9} @@ -452,7 +458,10 @@ module appConfigMap './aks-config-map/main.bicep' = { resourceGroup().name, clusterIngress == 'Internal' || clusterIngress == 'Both' ? 'true' : 'false', clusterIngress == 'External' || clusterIngress == 'Both' ? 'true' : 'false', - storageAccountName) + storageAccountName, + subscription().subscriptionId, + clusterName, + dnsName) ] } } diff --git a/bicep/modules/blade_partition.bicep b/bicep/modules/blade_partition.bicep index 1b7ed5d1..4881c991 100644 --- a/bicep/modules/blade_partition.bicep +++ b/bicep/modules/blade_partition.bicep 
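Review bot: The description on the new `dnsName` parameter, 'The unique identifier for the deployment', does not say what the value is for; in this diff it is written into the app ConfigMap as `dnsName` and then applied by the dns-configuration chart as the DNS name label of the external ingress public IP, whose FQDN the chart's script builds as `${DNS_LABEL}.${LOCATION}.cloudapp.azure.com`. Suggest `@description('DNS name label applied to the external ingress public IP (yields <label>.<region>.cloudapp.azure.com)')`. The two later hunks in this file (placeholders {12}-{14} in the values.yaml template and the matching format() arguments) are consistent with each other.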
@@ -648,7 +648,7 @@ var topicsWithSubscriptions = [for topic in partitionLayerConfig.servicebus.topi }] // Then use this variable in the module -module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.9.1' = [for (partition, index) in partitions: { +module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.14.1' = [for (partition, index) in partitions: { name: '${bladeConfig.sectionName}-service-bus-${index}' params: { name: '${replace('data${index}${substring(uniqueString(partition.name), 0, 6)}', '-', '')}${uniqueString(resourceGroup().id, 'data${index}${substring(uniqueString(partition.name), 0, 6)}')}' @@ -680,6 +680,16 @@ module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.9.1' = [for disableLocalAuth: false + roleAssignments: [ + { + name: guid('Custom seed ${bladeConfig.sectionName}') + principalId: stampIdentity.properties.principalId + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Azure Service Bus Data Receiver' + } + + ] + authorizationRules: [ { name: 'RootManageSharedAccessKey' diff --git a/charts/dns-configuration/Chart.yaml b/charts/dns-configuration/Chart.yaml new file mode 100644 index 00000000..2a136158 --- /dev/null +++ b/charts/dns-configuration/Chart.yaml 
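Review bot: The role assignment added to `partitonNamespace` sits inside the `[for (partition, index) in partitions: ...]` loop, but its name `guid('Custom seed ${bladeConfig.sectionName}')` does not vary with `index` or `partition.name`, so every partition's namespace receives a role assignment with the identical GUID; whether that collides depends on whether the Authorization RP treats the name as unique per scope or tenant-wide, and it will at least confuse anyone correlating assignments across partitions. Folding the loop key into the seed, e.g. `name: guid(resourceGroup().id, bladeConfig.sectionName, 'data${index}', 'Azure Service Bus Data Receiver')`, gives each partition a stable, distinct name; alternatively omit `name` if the AVM module derives one from scope, principal and role (verify for 0.14.1). The stray blank line before the closing `]` should also go. The module body continues outside the hunk.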
@@ -0,0 +1,27 @@ +apiVersion: v2 +name: dns-configuration +description: A Helm chart for configuring DNS labels on AKS LoadBalancer IPs + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.0.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 0.0.1 + +maintainers: + - name: Microsoft OSDU + url: https://github.com/Azure/osdu-developer \ No newline at end of file diff --git a/charts/dns-configuration/README.md b/charts/dns-configuration/README.md new file mode 100644 index 00000000..1fb2f06e --- /dev/null +++ b/charts/dns-configuration/README.md 
@@ -0,0 +1,110 @@ +# DNS Configuration Helm Chart + +This chart configures DNS labels for Azure Kubernetes Service (AKS) LoadBalancer IPs, enabling automatic FQDN assignment for OSDU services. + +-------------------------------------------------------------------------------- +## Prerequisites + +- Azure Kubernetes Service (AKS) cluster with workload identity enabled +- Istio service mesh deployed +- Azure CLI and kubectl access configured + +-------------------------------------------------------------------------------- +## Install Process + +Either manually modify the `values.yaml` for the chart or generate a `custom_values.yaml` to use. + +_The following commands can help generate a prepopulated custom values file._ + +```bash +# Setup Variables +GROUP= + +SUBSCRIPTION=$(az account show --query id -otsv) +AKS_NAME=$(az aks list --resource-group $GROUP --query "[0].name" -otsv) + +cat > custom_values.yaml << EOF +################################################################################ +# Azure environment specific values +# +azure: + tenantId: $(az account show --query tenantId -otsv) + clientId: $(az identity list --resource-group $GROUP --query "[?contains(name, 'osdu-identity')].clientId" -otsv) + configEndpoint: $(az appconfig list --resource-group $GROUP --query "[0].endpoint" -otsv) + keyvaultName: $(az keyvault list --resource-group $GROUP --query "[0].name" -otsv) + keyvaultUri: $(az keyvault list --resource-group $GROUP --query "[0].properties.vaultUri" -otsv) + subscription: $SUBSCRIPTION + resourceGroup: $GROUP + aksName: $AKS_NAME +EOF +``` + +-------------------------------------------------------------------------------- +## Manual Testing + +Test the chart locally: + +```bash +helm template dns-configuration . 
-f custom_values.yaml +``` + +-------------------------------------------------------------------------------- +## Install Helm Chart + +```bash +# Create the release in the osdu-system namespace where the ServiceAccount exists +NAMESPACE=osdu-system +helm upgrade --install dns-configuration . -n $NAMESPACE -f custom_values.yaml + +# For testing with custom values +helm upgrade --install dns-configuration . -n $NAMESPACE \ + --set azure.subscription=$(az account show --query id -otsv) \ + --set azure.aksName="$(az aks list --query "[0].name" -otsv)" + +# Verify the job completed +kubectl get jobs -n $NAMESPACE +kubectl get pods -n $NAMESPACE | grep dns-configuration + +# Check job logs +POD_NAME=$(kubectl get pods -n $NAMESPACE -l app.kubernetes.io/name=dns-configuration -o jsonpath='{.items[0].metadata.name}') +kubectl logs $POD_NAME -n $NAMESPACE + +# Check the created ConfigMap +kubectl get configmap dns-config -n $NAMESPACE -o yaml +``` + +-------------------------------------------------------------------------------- +## Uninstall + +```bash +# Uninstall the release +helm uninstall dns-configuration -n $NAMESPACE + +# Manually clean up ConfigMap if needed +kubectl delete configmap dns-config -n $NAMESPACE +``` + +-------------------------------------------------------------------------------- +## Configuration Options + +| Parameter | Description | Default | +|--------------------------|------------------------------------------|------------------------| +| `serviceAccount.create` | Create a new service account | `false` | +| `serviceAccount.name` | Service account name to use | `workload-identity-sa` | +| `azure.tenantId` | Azure tenant ID | `` | +| `azure.clientId` | Azure client ID for workload identity | `` | +| `azure.subscription` | Azure subscription ID | `` | +| `azure.resourceGroup` | Resource group containing the AKS cluster| `` | +| `azure.aksName` | AKS cluster name | `` | +| `azure.uniqueId` | Unique ID for the cluster | `""` | + 
+-------------------------------------------------------------------------------- +## Output + +The chart creates a ConfigMap named `dns-config` in the release namespace containing: + +- `external_ip`: The LoadBalancer external IP address +- `fqdn`: The fully qualified domain name +- `dns_label`: The DNS label assigned + +Other services can reference this ConfigMap to obtain the FQDN for certificate generation and gateway configuration. \ No newline at end of file diff --git a/charts/dns-configuration/templates/_helpers.tpl b/charts/dns-configuration/templates/_helpers.tpl new file mode 100644 index 00000000..fe93e505 --- /dev/null +++ b/charts/dns-configuration/templates/_helpers.tpl 
@@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "dns-configuration.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dns-configuration.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dns-configuration.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "dns-configuration.labels" -}} +helm.sh/chart: {{ include "dns-configuration.chart" . }} +{{ include "dns-configuration.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "dns-configuration.selectorLabels" -}} +app.kubernetes.io/name: {{ include "dns-configuration.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "dns-configuration.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "dns-configuration.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/dns-configuration/templates/clusterrole.yaml b/charts/dns-configuration/templates/clusterrole.yaml new file mode 100644 index 00000000..b63b2aab --- /dev/null +++ b/charts/dns-configuration/templates/clusterrole.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: dns-config-job-cluster-reader +rules: +- apiGroups: [""] + resources: ["services"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: dns-config-job-cluster-reader-binding +subjects: +- kind: ServiceAccount + name: workload-identity-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: dns-config-job-cluster-reader + apiGroup: rbac.authorization.k8s.io diff --git a/charts/dns-configuration/templates/configmap.yaml b/charts/dns-configuration/templates/configmap.yaml new file mode 100644 index 00000000..44b34260 --- /dev/null +++ b/charts/dns-configuration/templates/configmap.yaml 
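Review bot: The ClusterRoleBinding's subject is hardcoded to `name: workload-identity-sa`, while job.yaml in this diff runs the pod as `{{ include "dns-configuration.serviceAccountName" . }}`; anyone setting `serviceAccount.name` (or `serviceAccount.create: true`) gets a job whose `kubectl get svc` is denied. The same hardcoded subject appears in role-configmap.yaml, so use the helper in both bindings, `name: {{ include "dns-configuration.serviceAccountName" . }}`. Separately, the script only ever reads one Service (`istio-ingress-external` in `istio-system`), so a namespaced Role in that namespace granting `get` on that `resourceNames` entry would be tighter than a cluster-wide `get`/`list`/`watch` on all Services. The fixed, non-release-scoped names `dns-config-job-cluster-reader` and its binding also mean two releases of this chart in one cluster would overwrite each other's RBAC objects.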
@@ -0,0 +1,144 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "dns-configuration.fullname" . }}-script + namespace: {{ .Release.Namespace }} + labels: + {{- include "dns-configuration.labels" . | nindent 4 }} +data: + configure-dns.sh: | + #!/bin/bash + set -euo pipefail + + echo "=================================================================" + echo " Starting DNS Configuration for AKS LoadBalancer" + echo "=================================================================" + + # Function to install kubectl + install_kubectl() { + echo "Installing kubectl..." + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + chmod +x kubectl + mv kubectl /usr/local/bin/ + kubectl version --client + } + + # Function to login to Azure + login_azure() { + echo "Logging into Azure with workload identity..." + az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})" \ + --service-principal \ + -u ${AZURE_CLIENT_ID} \ + -t ${AZURE_TENANT_ID} \ + --allow-no-subscriptions + + az account set --subscription ${AZURE_SUBSCRIPTION} + echo "Azure login successful" + } + + # Function to wait for LoadBalancer IP + wait_for_loadbalancer() { + echo "Waiting for LoadBalancer IP from ${ISTIO_SERVICE_NAME} in ${ISTIO_NAMESPACE}..." + local retry_count=0 + + while [ $retry_count -lt $MAX_RETRIES ]; do + EXTERNAL_IP=$(kubectl get svc ${ISTIO_SERVICE_NAME} \ + -n ${ISTIO_NAMESPACE} \ + -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "") + + if [ -n "$EXTERNAL_IP" ]; then + echo "External IP obtained: $EXTERNAL_IP" + return 0 + fi + + echo "External IP not ready. Retrying in ${RETRY_INTERVAL}s... 
(Attempt $((retry_count + 1))/$MAX_RETRIES)" + sleep $RETRY_INTERVAL + retry_count=$((retry_count + 1)) + done + + echo "ERROR: Failed to get external IP after $MAX_RETRIES attempts" + return 1 + } + + # Function to configure DNS + configure_dns() { + echo "Configuring DNS for IP: $EXTERNAL_IP" + + # Get node resource group + NODE_RG=$(az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --query nodeResourceGroup -o tsv) + echo "Node Resource Group: $NODE_RG" + + # Find public IP resource + IP_NAME=$(az network public-ip list --resource-group $NODE_RG --query "[?ipAddress=='$EXTERNAL_IP'].name" -o tsv) + + if [ -z "$IP_NAME" ]; then + echo "ERROR: Could not find public IP resource for $EXTERNAL_IP" + return 1 + fi + + echo "Public IP Resource: $IP_NAME" + + # Set DNS label to DNS_NAME only + DNS_LABEL="${DNS_NAME}" + echo "Setting DNS label: $DNS_LABEL" + + az network public-ip update \ + --resource-group $NODE_RG \ + --name $IP_NAME \ + --dns-name $DNS_LABEL + + # Get FQDN + LOCATION=$(az network public-ip show \ + --resource-group $NODE_RG \ + --name $IP_NAME \ + --query location -o tsv) + + FQDN=$(az network public-ip show \ + --resource-group $NODE_RG \ + --name $IP_NAME \ + --query dnsSettings.fqdn -o tsv) + + if [ -z "$FQDN" ] || [ "$FQDN" == "null" ]; then + FQDN="${DNS_LABEL}.${LOCATION}.cloudapp.azure.com" + fi + + echo "FQDN: $FQDN" + } + # Function to create ConfigMap + create_configmap() { + echo "Creating ConfigMap with DNS information..." + + CURRENT_NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) + kubectl create configmap dns-config \ + --from-literal=external_ip=$EXTERNAL_IP \ + --from-literal=fqdn=$FQDN \ + --from-literal=dns_label=$DNS_LABEL \ + --namespace=$CURRENT_NAMESPACE \ + --dry-run=client -o yaml | kubectl apply -f - + echo "ConfigMap created in $CURRENT_NAMESPACE namespace" + kubectl get configmap dns-config -n $CURRENT_NAMESPACE + } + + # Main execution + echo "Starting DNS configuration process..." 
+ + install_kubectl + login_azure + + if ! wait_for_loadbalancer; then + exit 1 + fi + + if ! configure_dns; then + exit 1 + fi + + create_configmap + + echo "=================================================================" + echo " DNS Configuration Completed Successfully" + echo "=================================================================" + echo "FQDN: $FQDN" + echo "External IP: $EXTERNAL_IP" + echo "DNS Label: $DNS_LABEL" + echo "=================================================================" \ No newline at end of file diff --git a/charts/dns-configuration/templates/job.yaml b/charts/dns-configuration/templates/job.yaml new file mode 100644 index 00000000..95cc2c9d --- /dev/null +++ b/charts/dns-configuration/templates/job.yaml 
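Review bot: `install_kubectl` fetches an unpinned kubectl (`stable.txt` resolved afresh on every job run) from dl.k8s.io and executes it with no integrity check, so what runs under the workload identity's Azure permissions depends on whatever that URL serves at the time, and a transient HTTP error would leave an error page saved as `kubectl` because `curl` is not called with `-f`. Kubernetes publishes a `kubectl.sha256` beside each binary; fetching it and checking with `sha256sum -c`, plus pinning the version through a new env var set in job.yaml (named `KUBECTL_VERSION` below, a constructed name), makes the download deterministic and verifiable, and baking kubectl into the image would remove the runtime download entirely. Quoting the expansions elsewhere in the script (`"$NODE_RG"`, `"$IP_NAME"`, `--from-literal=fqdn="$FQDN"`) would also avoid word splitting, which `set -u` does not protect against.
```bash
install_kubectl() {
  echo "Installing kubectl..."
  # Pin via KUBECTL_VERSION when set in job.yaml; otherwise resolve the current stable release.
  local version="${KUBECTL_VERSION:-$(curl -fsSL https://dl.k8s.io/release/stable.txt)}"
  curl -fsSLO "https://dl.k8s.io/release/${version}/bin/linux/amd64/kubectl"
  curl -fsSL "https://dl.k8s.io/release/${version}/bin/linux/amd64/kubectl.sha256" -o kubectl.sha256
  # Abort the job if the binary does not match the published checksum.
  echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c
  install -m 0755 kubectl /usr/local/bin/kubectl
  kubectl version --client
}
# … unchanged: login_azure, wait_for_loadbalancer, configure_dns, create_configmap, main execution …
```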
@@ -0,0 +1,73 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "dns-configuration.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "dns-configuration.labels" . | nindent 4 }} +spec: + ttlSecondsAfterFinished: 300 + backoffLimit: 3 + template: + metadata: + labels: + {{- include "dns-configuration.selectorLabels" . | nindent 8 }} + azure.workload.identity/use: "true" + spec: + serviceAccountName: {{ include "dns-configuration.serviceAccountName" . }} + restartPolicy: Never + volumes: + - name: script + configMap: + name: {{ include "dns-configuration.fullname" . }}-script + defaultMode: 0755 + - name: azure-identity-token + projected: + sources: + - serviceAccountToken: + path: azure-identity-token + expirationSeconds: 3600 + audience: api://AzureADTokenExchange + containers: + - name: dns-config + image: "mcr.microsoft.com/azure-cli:latest" + imagePullPolicy: IfNotPresent + command: ["/scripts/configure-dns.sh"] + volumeMounts: + - name: script + mountPath: /scripts + - name: azure-identity-token + mountPath: /var/run/secrets/azure/tokens + readOnly: true + resources: + limits: + memory: 512Mi + cpu: 500m + requests: + memory: 256Mi + cpu: 100m + env: + - name: AZURE_CLIENT_ID + value: {{ .Values.azure.clientId | quote }} + - name: AZURE_TENANT_ID + value: {{ .Values.azure.tenantId | quote }} + - name: AZURE_SUBSCRIPTION + value: {{ .Values.azure.subscription | quote }} + - name: AZURE_FEDERATED_TOKEN_FILE + value: /var/run/secrets/azure/tokens/azure-identity-token + - name: RESOURCE_GROUP + value: {{ .Values.azure.resourceGroup | quote }} + - name: AKS_NAME + value: {{ .Values.azure.aksName | quote }} + - name: DNS_NAME + value: {{ .Values.azure.dnsName | quote }} + - name: MAX_RETRIES + value: "60" + - name: RETRY_INTERVAL + value: "10" + - name: ISTIO_SERVICE_NAME + value: "istio-ingress-external" + - name: ISTIO_NAMESPACE + value: "istio-system" + - name: AZURE_AUTHORITY_HOST + value: 
"https://login.microsoftonline.com/" \ No newline at end of file diff --git a/charts/dns-configuration/templates/role-configmap.yaml b/charts/dns-configuration/templates/role-configmap.yaml new file mode 100644 index 00000000..7cfb88d4 --- /dev/null +++ b/charts/dns-configuration/templates/role-configmap.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: dns-configmap-manager + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: dns-configmap-manager-binding + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: workload-identity-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: dns-configmap-manager + apiGroup: rbac.authorization.k8s.io diff --git a/charts/dns-configuration/values.yaml b/charts/dns-configuration/values.yaml new file mode 100644 index 00000000..c5d5ee8b --- /dev/null +++ b/charts/dns-configuration/values.yaml @@ -0,0 +1,28 @@ + +# Default values for dns-configuration + +################################################################################ +# Chart name overrides +# +nameOverride: "" +fullnameOverride: "" + +################################################################################ +# Service account for workload identity +# +serviceAccount: + create: false + # The name of the service account to use. + # If create is false, a service account with this name must already exist + name: "workload-identity-sa" + +################################################################################ +# Azure environment specific values +# +azure: + tenantId: # Azure tenant ID + clientId: # Managed identity client ID + subscription: # Azure subscription ID + resourceGroup: # Resource group containing the AKS cluster + aksName: # AKS cluster name + dnsName: "" # Unique ID for the cluster 
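Review bot: `image: "mcr.microsoft.com/azure-cli:latest"` combined with `imagePullPolicy: IfNotPresent` means each node runs whichever azure-cli build it happens to have cached, and a newly published `latest` can change CLI behaviour the script depends on without any change in this repo. The workflow in this same diff already pins the CLI (`AZCLIVERSION: 2.73.0`), so pinning the tag here to a specific version or digest, exposed as a chart value such as `image.tag` (a constructed name), would be consistent with that. The container also runs with no `securityContext`; presumably the only root requirement is `mv kubectl /usr/local/bin/` in the script, so once kubectl ships in the image `runAsNonRoot: true` and `readOnlyRootFilesystem: true` become feasible.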
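Review bot: The value is named `azure.dnsName` here (and consumed as `DNS_NAME` in job.yaml), but the chart README's Configuration Options table in this diff documents it as `azure.uniqueId`, so a user following the README sets a key the templates never read and the job runs with an empty DNS label. Aligning the README to `azure.dnsName` and replacing the comment with `dnsName: ""  # DNS name label applied to the external ingress public IP` would close that gap. The empty `tenantId:`/`clientId:`/`subscription:` keys presumably render as empty env values in job.yaml, so a missing value only surfaces when `az login` fails inside the job; wrapping them in Helm's `required` in the template would report the omission at install time instead.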
diff --git a/charts/osdu-developer-init/templates/schema-init.yaml b/charts/osdu-developer-init/templates/schema-init.yaml index f32ea282..4504bfb4 100644 --- a/charts/osdu-developer-init/templates/schema-init.yaml +++ b/charts/osdu-developer-init/templates/schema-init.yaml @@ -9,6 +9,7 @@ metadata: namespace: {{ $namespace }} spec: ttlSecondsAfterFinished: 120 + activeDeadlineSeconds: 600 template: metadata: labels: diff --git a/docs/src/design_software.md b/docs/src/design_software.md index 81e01ab8..bfa60d76 100644 --- a/docs/src/design_software.md +++ b/docs/src/design_software.md @@ -43,7 +43,7 @@ flowchart TD FluxSystemComponents("flux-system-components") Certs("component-certs") CertsCA("component-certs-ca") - CertsCAIssuer("component-certs-ca-issuer") + CertsCAIssuer("component-certs-issuer") OSDUSystem("component-osdu-system") Cache("component-cache") Database("component-database") @@ -86,7 +86,7 @@ flowchart TD │   └── source.yaml ├── certs-ca │   └── certificate.yaml - ├── certs-ca-issuer + ├── certs-issuer │   └── issuer.yaml ├── database │   ├── namespace.yaml diff --git a/software/components/README.md b/software/components/README.md index 288620ec..5c935015 100644 --- a/software/components/README.md +++ b/software/components/README.md @@ -6,7 +6,7 @@ flowchart TD Airflow("component-airflow") Certs("component-certs") CertsCA("component-certs-ca") - CertsCAIssuer("component-certs-ca-issuer") + CertsCAIssuer("component-certs-issuer") Cache("component-cache") ConfigMap("component-configmap") Elastic("component-elastic") diff --git a/software/components/certs-ca-issuer/issuer.yaml b/software/components/certs-issuer/issuer.yaml similarity index 100% rename from software/components/certs-ca-issuer/issuer.yaml rename to software/components/certs-issuer/issuer.yaml diff --git a/software/components/certs-issuer/lets-encrypt.yaml b/software/components/certs-issuer/lets-encrypt.yaml new file mode 100644 index 00000000..66862d99 --- /dev/null 
+++ b/software/components/certs-issuer/lets-encrypt.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: admin@mail.com + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: istio +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: admin@mail.com + privateKeySecretRef: + name: letsencrypt-production + solvers: + - http01: + ingress: + class: istio \ No newline at end of file diff --git a/software/components/osdu-system/dns.yaml b/software/components/osdu-system/dns.yaml new file mode 100644 index 00000000..ca730c02 --- /dev/null +++ b/software/components/osdu-system/dns.yaml @@ -0,0 +1,26 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: dns-configuration + namespace: default +spec: + targetNamespace: osdu-system + dependsOn: + - name: istio-ingress-external + namespace: flux-system + chart: + spec: + chart: ./charts/dns-configuration + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + interval: 5m0s + timeout: 10m + install: + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: config-map-values + valuesKey: values.yaml \ No newline at end of file diff --git a/stamp/components/kustomize.yaml b/stamp/components/kustomize.yaml index 2d707034..ed88ecdb 100644 --- a/stamp/components/kustomize.yaml +++ b/stamp/components/kustomize.yaml @@ -75,7 +75,7 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 kind: Kustomization metadata: - name: component-certs-ca-issuer + name: component-certs-issuer namespace: flux-system spec: dependsOn: 
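Review bot: Both ClusterIssuers register the ACME account with `email: admin@mail.com`, a placeholder on a domain this project does not control; that address becomes the contact for the accounts whose keys are stored in `letsencrypt-staging` and `letsencrypt-production`, and expiry or policy notices go to someone else's mailbox. The address should come from configuration rather than being committed; since the component is reconciled by Flux, a substituted variable is the natural route, e.g. `email: ${CERT_CONTACT_EMAIL}  # supplied via Flux postBuild substitution; must be a mailbox operators read` (placeholder variable name). The same placeholder appears in both documents of the file, so change both.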
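Review bot: `timeout: 10m` on this HelmRelease equals the job's worst-case wait for the LoadBalancer IP (`MAX_RETRIES` 60 × `RETRY_INTERVAL` 10s in job.yaml, before the kubectl download and `az login` are even counted), so if Flux waits for the Job to complete — the default unless `install.disableWaitForJobs` is set — a slow IP allocation would get the release marked failed and remediated while the job is still legitimately polling; either raise `timeout` well above 10 minutes or lower the job's retry budget so the two are not equal. Separately, `apiVersion: helm.toolkit.fluxcd.io/v2beta1` is the deprecated version of the HelmRelease API; `apiVersion: helm.toolkit.fluxcd.io/v2` is what current Flux serves, if the installed controller supports it.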
@@ -86,7 +86,7 @@ spec: sourceRef: kind: GitRepository name: flux-system - path: ./software/components/certs-ca-issuer + path: ./software/components/certs-issuer prune: true wait: true @@ -101,7 +101,7 @@ metadata: namespace: flux-system spec: dependsOn: - - name: component-certs-ca-issuer + - name: component-certs-issuer interval: 1h retryInterval: 1m timeout: 5m