43 changes: 43 additions & 0 deletions audit-service/workload.yaml
@@ -0,0 +1,43 @@
apiVersion: openchoreo.dev/v1alpha1

metadata:
name: ndx-audit-service

endpoints:
- name: api
port: 3001
type: REST

configurations:
env:
- name: PORT
value: "3001"
- name: DB_TYPE
value: postgres
- name: DB_HOST
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: host
- name: DB_PORT
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: port
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: password
- name: DB_NAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: database
- name: LOG_LEVEL
value: info
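
Review bot: the DB_USERNAME, DB_PASSWORD and DB_NAME entries read the same ndx-db-secrets keys as the consent-engine, PDP and portal-backend workloads in this change, so the audit store is reachable with the same database account as the services it records. Give the audit service its own secret and database role so that a compromise of another component cannot rewrite audit data. This file also sets no DB_SSLMODE, unlike the other backends, which leaves the transport setting to the application default; state it explicitly.
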
56 changes: 56 additions & 0 deletions exchange/consent-engine/workload.yaml
@@ -0,0 +1,56 @@
apiVersion: openchoreo.dev/v1alpha1

metadata:
name: ndx-consent-engine

endpoints:
- name: api
port: 8081
type: REST

connections:
- component: ndx-audit-service
endpoint: api
visibility: project
envBindings:
address: AUDIT_SERVICE_URL

configurations:
env:
- name: PORT
value: "8081"
- name: ENVIRONMENT
value: production
- name: LOG_LEVEL
value: info
- name: LOG_FORMAT
value: json
- name: DB_HOST
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: host
- name: DB_PORT
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: port
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: password
- name: DB_NAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: database
- name: DB_SSLMODE
value: disable
Comment on lines +53 to +54

security-medium medium

The database SSL mode is explicitly disabled (DB_SSLMODE: disable) while the environment is set to production. This is a significant security risk as it allows for potential eavesdropping and man-in-the-middle attacks on sensitive data. It is strongly recommended to enable SSL for all database connections in production.

      value: require

- name: RUN_MIGRATION
value: "false"
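
Review bot: on the DB_SSLMODE entry, changing `disable` to `require` would encrypt the connection, but under PostgreSQL sslmode semantics `require` does not validate the server certificate, so it does not stop an active man-in-the-middle (this assumes the same PostgreSQL instance that the audit service declares with DB_TYPE: postgres). With ENVIRONMENT set to production, prefer `verify-full` and supply the CA certificate to the workload, or document why certificate verification is not possible in this cluster.
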
55 changes: 55 additions & 0 deletions exchange/orchestration-engine/workload.yaml
@@ -0,0 +1,55 @@
apiVersion: openchoreo.dev/v1alpha1

metadata:
name: ndx-orchestration-engine

endpoints:
- name: api
port: 4000
type: GraphQL
visibility:
- external

connections:
- component: ndx-consent-engine
endpoint: api
visibility: project
envBindings:
address: CONSENT_ENGINE_URL
- component: ndx-pdp
endpoint: api
visibility: project
envBindings:
address: PDP_URL
- component: ndx-audit-service
endpoint: api
visibility: project
envBindings:
address: AUDIT_SERVICE_URL

configurations:
env:
- name: SERVER_PORT
value: "4000"
- name: SERVER_HOST
value: 0.0.0.0
- name: LOG_LEVEL
value: info
- name: ENVIRONMENT
value: production
files:
- name: config.json
mountPath: /app
value: |
{
"environment": "production",
"ceUrl": "http://ndx-consent-engine:8081/internal/api/v1",
"pdpUrl": "http://ndx-pdp:8082",
"auditConfig": {
"serviceUrl": "http://ndx-audit-service:3001",
"actorType": "SERVICE",
"actorId": "orchestration-engine"
},
"providers": [],
"trustUpstream": true
}
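
Review bot: `"trustUpstream": true` in the mounted config.json is undocumented, and this workload's api endpoint is declared with visibility external. If the flag makes the engine accept caller identity or forwarding information from whatever sits in front of it, then anything that can reach port 4000 directly inherits that trust; please document what it controls and default it to false unless the only path to the pod is through the gateway. The three upstream URLs in the same file are also plain http, so consent, policy and audit traffic is unencrypted unless the platform adds transport security underneath.
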
Comment on lines +43 to +55

high

The mounted config.json file contains hardcoded URLs for upstream services (ceUrl, pdpUrl, auditConfig.serviceUrl). This tightly couples the services and bypasses the service discovery mechanism provided by the connections section in this workload.yaml. The connections section correctly defines envBindings for CONSENT_ENGINE_URL, PDP_URL, and AUDIT_SERVICE_URL, but these are not being used. The orchestration engine application should be updated to consume these environment variables to configure its upstream service URLs, rather than relying on a static, hardcoded configuration file. This will make the deployment more flexible and maintainable.

51 changes: 51 additions & 0 deletions exchange/policy-decision-point/workload.yaml
@@ -0,0 +1,51 @@
apiVersion: openchoreo.dev/v1alpha1

metadata:
name: ndx-pdp

endpoints:
- name: api
port: 8082
type: REST

configurations:
env:
- name: PORT
value: "8082"
- name: ENVIRONMENT
value: production
- name: LOG_LEVEL
value: info
- name: LOG_FORMAT
value: json
- name: SERVICE_NAME
value: policy-decision-point
- name: DB_HOST
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: host
- name: DB_PORT
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: port
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: password
- name: DB_NAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: database
- name: DB_SSLMODE
value: disable
Comment on lines +48 to +49

security-medium medium

The database SSL mode is explicitly disabled (DB_SSLMODE: disable) while the environment is set to production. This is a significant security risk as it allows for potential eavesdropping and man-in-the-middle attacks on sensitive data. Please enable SSL for the database connection.

      value: require

- name: RUN_MIGRATION
value: "true"
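
Review bot: RUN_MIGRATION is "true" in the last env entry, and portal-backend sets the same value against the same ndx-db-secrets database key, so two production services change schema at startup and the runtime account in ndx-db-secrets must hold schema-change privileges. Run migrations from a single controlled step with its own credentials and leave RUN_MIGRATION "false" for the serving workloads, as consent-engine already does.
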
3 changes: 2 additions & 1 deletion portal-backend/v1/database.go
Expand Up @@ -59,7 +59,8 @@ func ConnectGormDB(config *DatabaseConfig) (*gorm.DB, error) {
gormLogger := logger.Default.LogMode(logger.Warn)

db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{
Logger: gormLogger,
Logger: gormLogger,
DisableForeignKeyConstraintWhenMigrating: true,
})
if err != nil {
return nil, fmt.Errorf("failed to connect to database: %w", err)
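
Review bot: `DisableForeignKeyConstraintWhenMigrating: true` is added to gorm.Config unconditionally and without a comment. With it set, GORM's migration no longer creates foreign key constraints, so referential integrity between tables rests on application code alone. Please add a comment stating why it is needed, and consider gating it on configuration rather than applying it to every ConnectGormDB caller.
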
73 changes: 73 additions & 0 deletions portal-backend/workload.yaml
@@ -0,0 +1,73 @@
apiVersion: openchoreo.dev/v1alpha1

metadata:
name: ndx-portal-backend

endpoints:
- name: api
port: 3000
type: REST
visibility:
- external

connections:
- component: ndx-pdp
endpoint: api
visibility: project
envBindings:
address: CHOREO_PDP_CONNECTION_SERVICEURL
- component: ndx-audit-service
endpoint: api
visibility: project
envBindings:
address: CHOREO_AUDIT_CONNECTION_SERVICEURL

configurations:
env:
- name: PORT
value: "3000"
- name: CHOREO_OPENDIF_DB_HOSTNAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: host
- name: CHOREO_OPENDIF_DB_PORT
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: port
- name: CHOREO_OPENDIF_DB_USERNAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: username
- name: CHOREO_OPENDIF_DB_PASSWORD
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: password
- name: CHOREO_OPENDIF_DB_DATABASENAME
valueFrom:
secretKeyRef:
name: ndx-db-secrets
key: database
- name: DB_SSLMODE
value: disable
Comment on lines +54 to +55

security-medium medium

The database SSL mode is explicitly disabled (DB_SSLMODE: disable). Disabling SSL for database connections is a security risk as it allows for potential eavesdropping and man-in-the-middle attacks on sensitive data. In any environment handling sensitive data, SSL should be enabled. Please enable SSL for this connection.

      value: require

- name: RUN_MIGRATION
value: "true"
- name: AUTHORIZATION_MODE
value: fail_open_admin
Comment on lines +58 to +59

security-high high

The authorization mode is set to fail_open_admin. "Fail-open" is a security anti-pattern where access is granted if the authorization check fails or cannot be completed. In a security-sensitive application, the system should always "fail-closed," denying access by default if an error occurs during the authorization process to prevent unauthorized access.

- name: LOG_LEVEL
value: info
- name: ASGARDEO_BASE_URL
value: http://thunder-service.thunder.svc.cluster.local:8090
- name: ASGARDEO_CLIENT_ID
value: NDX_ADMIN_PORTAL
- name: ASGARDEO_CLIENT_SECRET
value: placeholder
- name: CHOREO_PDP_CONNECTION_CHOREOAPIKEY
value: placeholder
Comment on lines +66 to +69

critical

The environment variables ASGARDEO_CLIENT_SECRET and CHOREO_PDP_CONNECTION_CHOREOAPIKEY are hardcoded with the value "placeholder". This is a critical security vulnerability. Secrets must not be hardcoded in configuration files. They should be injected securely at runtime by referencing a Kubernetes secret, similar to how database credentials are handled in this file. The secret names and keys in the suggestion below are examples and should be adjusted to match your actual secret definitions.

    - name: ASGARDEO_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: ndx-asgardeo-secrets
          key: client-secret
    - name: CHOREO_PDP_CONNECTION_CHOREOAPIKEY
      valueFrom:
        secretKeyRef:
          name: ndx-pdp-secrets
          key: api-key

- name: ASGARDEO_MEMBER_PORTAL_CLIENT_ID
value: NDX_MEMBER_PORTAL
- name: ASGARDEO_ADMIN_PORTAL_CLIENT_ID
value: NDX_ADMIN_PORTAL
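
Review bot: ASGARDEO_BASE_URL points at `http://thunder-service.thunder.svc.cluster.local:8090`, so ASGARDEO_CLIENT_SECRET would cross the cluster network over plain HTTP whenever the backend authenticates to the identity provider. Use an https URL for the identity provider, or state which layer provides transport encryption on the path to the thunder namespace. Separately, ASGARDEO_CLIENT_ID and ASGARDEO_ADMIN_PORTAL_CLIENT_ID both carry NDX_ADMIN_PORTAL; if both are needed, a comment on which one the backend authenticates with would help.
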
37 changes: 37 additions & 0 deletions portals/admin-portal/workload.yaml
@@ -0,0 +1,37 @@
apiVersion: openchoreo.dev/v1alpha1

metadata:
name: ndx-admin-portal

endpoints:
- name: web
port: 80
type: HTTP
visibility:
- external

connections:
- component: ndx-portal-backend
endpoint: api
visibility: project
envBindings:
address: NDX_PORTAL_BACKEND_URL

configurations:
env:
- name: VITE_API_URL
value: ""
- name: VITE_LOGS_URL
value: ""
- name: VITE_IDP_CLIENT_ID
value: NDX_ADMIN_PORTAL
- name: VITE_IDP_BASE_URL
value: http://thunder-service.thunder.svc.cluster.local:8090
Comment on lines +28 to +29

critical

The VITE_IDP_BASE_URL is hardcoded to a Kubernetes internal service URL (http://thunder-service.thunder.svc.cluster.local:8090). This URL is not accessible from a user's browser, which will prevent authentication from working. This variable must be set to the public-facing URL of the identity provider.

      value: "https://your-public-idp.com" # Replace with the actual public URL

- name: VITE_IDP_SCOPE
value: "openid profile email groups"
- name: VITE_IDP_ADMIN_ROLE
value: admin
- name: VITE_SIGN_IN_REDIRECT_URL
value: ""
- name: VITE_SIGN_OUT_REDIRECT_URL
value: ""
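
Review bot: every entry under env uses the VITE_ prefix, which Vite inlines into the JavaScript bundle at build time, so values set here at deploy time have no effect unless the image rewrites them at container start; please confirm which applies and document it. Whichever it is, these values end up readable in the browser, so VITE_IDP_ADMIN_ROLE can only drive what the UI shows, and the admin check has to be enforced by ndx-portal-backend.
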
Comment on lines +22 to +37

high

Several configuration variables (VITE_API_URL, VITE_LOGS_URL, VITE_SIGN_IN_REDIRECT_URL, VITE_SIGN_OUT_REDIRECT_URL) are set to empty strings. This will likely render the portal non-functional. These values must be configured with appropriate URLs for the portal to work correctly. For example, VITE_API_URL should be populated using the NDX_PORTAL_BACKEND_URL from the connection definition, and the redirect URLs must be set to the portal's public address.

40 changes: 40 additions & 0 deletions portals/consent-portal/workload.yaml
@@ -0,0 +1,40 @@
apiVersion: openchoreo.dev/v1alpha1

metadata:
name: ndx-consent-portal

endpoints:
- name: web
port: 80
type: HTTP
visibility:
- external

connections:
- component: ndx-consent-engine
endpoint: api
visibility: project
envBindings:
address: NDX_CONSENT_ENGINE_URL
- component: ndx-portal-backend
endpoint: api
visibility: project
envBindings:
address: NDX_PORTAL_BACKEND_URL

configurations:
env:
- name: VITE_CONSENT_ENGINE_URL
value: ""
- name: VITE_API_URL
value: ""
- name: VITE_CLIENT_ID
value: NDX_CONSENT_PORTAL
- name: VITE_BASE_URL
value: http://thunder-service.thunder.svc.cluster.local:8090
Comment on lines +33 to +34

critical

The VITE_BASE_URL for the IDP is hardcoded to a Kubernetes internal service URL (http://thunder-service.thunder.svc.cluster.local:8090). This URL is not accessible from a user's browser, which will prevent authentication from working. This variable must be set to the public-facing URL of the identity provider.

      value: "https://your-public-idp.com" # Replace with the actual public URL

- name: VITE_SCOPE
value: "openid profile email"
- name: VITE_SIGN_IN_REDIRECT_URL
value: ""
- name: VITE_SIGN_OUT_REDIRECT_URL
value: ""
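
Review bot: both connections use visibility: project, but this is a browser-facing web endpoint, and project-scoped addresses bound to NDX_CONSENT_ENGINE_URL and NDX_PORTAL_BACKEND_URL are presumably in-cluster addresses that a user's browser cannot call. ndx-consent-engine declares no external visibility in this change, so either the portal image proxies these calls server-side or the consent engine needs an externally reachable, authenticated route; please say which, and set VITE_CONSENT_ENGINE_URL accordingly.
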
Comment on lines +27 to +40

high

Several configuration variables (VITE_CONSENT_ENGINE_URL, VITE_API_URL, VITE_SIGN_IN_REDIRECT_URL, VITE_SIGN_OUT_REDIRECT_URL) are set to empty strings. This will likely render the portal non-functional. These values must be configured with appropriate URLs for the portal to work correctly. For example, VITE_API_URL should be populated using the NDX_PORTAL_BACKEND_URL from the connection definition, and the redirect URLs must be set to the portal's public address.
