diff --git a/files/control-plane/control-plane-helm-chart/templates/cm-subscription-service.yaml b/files/control-plane/control-plane-helm-chart/templates/cm-subscription-service.yaml
index 9cee699d..91b29ca8 100644
--- a/files/control-plane/control-plane-helm-chart/templates/cm-subscription-service.yaml
+++ b/files/control-plane/control-plane-helm-chart/templates/cm-subscription-service.yaml
@@ -12,6 +12,7 @@ data:
 BASE_PATH: '{{ .Values.subscriptionService.base_path }}'
 SITE: '{{ .Values.subscriptionService.site }}'
 API_KEY: '{{ .Values.subscriptionService.api_key }}'
+ PAYMENT_GATEWAY_ID: '{{ .Values.subscriptionService.payment_gateway_id }}'
 WEBHOOK_USERNAME: '{{ .Values.tenantMgmtFacade.webhook_user }}'
 WEBHOOK_PASSWORD: '{{ .Values.tenantMgmtFacade.webhook_password }}'
 {{- end}}
\ No newline at end of file
diff --git a/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-facade.yaml b/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-facade.yaml
index 9efa02fe..5b37146b 100644
--- a/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-facade.yaml
+++ b/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-facade.yaml
@@ -20,4 +20,6 @@ data:
 GATEWAY_ACCOUNT_ID: '{{ .Values.tenantMgmtFacade.gateway_id }}'
 WEBHOOK_USERNAME: '{{ .Values.tenantMgmtFacade.webhook_user }}'
 WEBHOOK_PASSWORD: '{{ .Values.tenantMgmtFacade.webhook_password }}'
+ AUTH0_DOMAIN: '{{ .Values.tenantMgmtService.auth0_domain }}'
+ AUTH0_CLIENT_ID: '{{ .Values.tenantMgmtService.auth0_client_id }}'
 {{- end}}
diff --git a/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-service.yaml b/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-service.yaml
index 145a488a..68ea4ff3 100644
--- a/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-service.yaml
+++ b/files/control-plane/control-plane-helm-chart/templates/cm-tenant-mgmt-service.yaml
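Review bot: The two added keys read `.Values.tenantMgmtService.auth0_domain` and `.Values.tenantMgmtService.auth0_client_id` from inside the tenant-mgmt-facade ConfigMap, while every other key in this file is sourced from `.Values.tenantMgmtFacade`. That makes the facade silently depend on another service's values subtree, and values.yaml.template in this commit only defines these keys under `tenantMgmtService`, so an operator overriding Auth0 settings at `tenantMgmtFacade.*` would see no effect. Either move the Auth0 settings to a shared top-level block referenced from both ConfigMaps, or add a comment above these lines such as `# Auth0 tenant is shared with tenant-mgmt-service; configured under tenantMgmtService.*`.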
@@ -20,4 +20,7 @@ data:
 SYSTEM_USER_ID: '{{ .Values.adminUserTenantId }}'
 EVENT_BUS_NAME: '{{ .Values.projectName }}-{{ .Values.environment }}-DecouplingEventBus'
 EVENT_BUS_REGION: '{{ .Values.region }}'
+ AUTH0_DOMAIN: '{{ .Values.tenantMgmtService.auth0_domain }}'
+ AUTH0_CLIENT_ID: '{{ .Values.tenantMgmtService.auth0_client_id }}'
+ WEBHOOK_SECRET_EXPIRY: '{{ .Values.tenantMgmtService.webhookSecretExpiry }}'
 {{- end}}
\ No newline at end of file
diff --git a/files/control-plane/control-plane-helm-chart/templates/secret-provider-class-and-sa.yaml b/files/control-plane/control-plane-helm-chart/templates/secret-provider-class-and-sa.yaml
index d7dd1676..041552a8 100644
--- a/files/control-plane/control-plane-helm-chart/templates/secret-provider-class-and-sa.yaml
+++ b/files/control-plane/control-plane-helm-chart/templates/secret-provider-class-and-sa.yaml
@@ -73,6 +73,8 @@ spec:
 key: PRIVATE_KEY
 - objectName: public_key
 key: PUBLIC_KEY
+ - objectName: auth0_client_secret
+ key: AUTH0_CLIENT_SECRET
 {{- if .Values.ses.enabled }}
 - objectName: ses_access_key
 key: SMTP_USER
@@ -148,6 +150,9 @@ spec:
 - objectName: {{ .Values.publicKey }}
 objectType: ssmparameter
 objectAlias: public_key
+ - objectName: {{ .Values.auth0ClientSecret }}
+ objectType: ssmparameter
+ objectAlias: auth0_client_secret
 {{- if .Values.ses.enabled }}
 - objectName: "/{{ .Values.projectName }}/ses_access_key"
 objectType: ssmparameter
diff --git a/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-facade-deployment.yaml b/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-facade-deployment.yaml
index d0ff94b4..04ea80de 100644
--- a/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-facade-deployment.yaml
+++ b/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-facade-deployment.yaml
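Review bot: `WEBHOOK_SECRET_EXPIRY` is the only key in this hunk wired to a camelCase value (`.Values.tenantMgmtService.webhookSecretExpiry`); its siblings `auth0_domain` and `auth0_client_id` and the existing keys in this subtree all use snake_case. Renaming it to `webhook_secret_expiry` in both this template and values.yaml.template keeps the subtree consistent. The unit of the value is stated nowhere — values.yaml.template sets `"86400000"`, which looks like milliseconds but could be read as seconds — so a comment next to the value such as `# webhook secret lifetime; unit as consumed by tenant-mgmt-service — confirm (ms?)` would spare the next operator a guess.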
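Review bot: `objectName: {{ .Values.auth0ClientSecret }}` in the second hunk (@@ -148) is rendered unquoted and unguarded; values.yaml.template fills it from `${AUTH0_CLIENT_SECRET}`, so if that variable is unset at render time the entry has an empty objectName and the whole SecretProviderClass mount fails for every pod that uses `api-token`, not only the Auth0 consumers. A Helm `required` guard turns that into an install-time error with a readable message: `- objectName: {{ required "auth0ClientSecret (SSM parameter name) must be set" .Values.auth0ClientSecret }}`. The sibling entries that predate this commit have the same gap, but the new one should at least not add to it.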
@@ -168,6 +168,11 @@ spec:
 secretKeyRef:
 name: api-token
 key: PUBLIC_KEY
+ - name: AUTH0_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: AUTH0_CLIENT_SECRET
 {{- if .Values.imagePullSecret.enabled }}
 imagePullSecrets:
 - name: {{ .Values.imagePullSecret.name }}
diff --git a/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-service-deployment.yaml b/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-service-deployment.yaml
index 512acf7f..6283c25a 100644
--- a/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-service-deployment.yaml
+++ b/files/control-plane/control-plane-helm-chart/templates/tenant-mgmt-service-deployment.yaml
@@ -128,6 +128,11 @@ spec:
 secretKeyRef:
 name: api-token
 key: JWT_ISSUER
+ - name: AUTH0_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: AUTH0_CLIENT_SECRET
 {{- if .Values.imagePullSecret.enabled }}
 imagePullSecrets:
diff --git a/files/control-plane/control-plane-helm-chart/values.yaml.template b/files/control-plane/control-plane-helm-chart/values.yaml.template
index 4b79deb4..72fa0b95 100644
--- a/files/control-plane/control-plane-helm-chart/values.yaml.template
+++ b/files/control-plane/control-plane-helm-chart/values.yaml.template
@@ -27,7 +27,7 @@ frontend:
 enabled: true
 repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-control-plane-ui
 pullPolicy: Always
- tag: "0.0.6"
+ tag: "0.0.11"
 log_level: "info"
 home_path: "/main/home"
 replicaCount: 1
@@ -62,7 +62,7 @@ tenantMgmtFacade:
 enabled: true
 repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-control-plane-tenant-management-facade
 pullPolicy: Always
- tag: "0.0.4"
+ tag: "0.0.6"
 replicaCount: 1
 port: 3000
 node_env: "production"
@@ -138,7 +138,7 @@ authenticationService:
 enabled: true
 repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-control-plane-authentication-service
 pullPolicy: Always
- tag: "0.0.1"
+ tag: "0.0.3"
 replicaCount: 1
 port: 3000
 node_env: "production"
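Review bot: `AUTH0_CLIENT_SECRET` is now injected into the tenant-mgmt-facade container, and the matching hunk in tenant-mgmt-service-deployment.yaml (@@ -128) injects it into tenant-mgmt-service as well. Nothing in this diff shows the facade making calls that need the client secret — its ConfigMap only gained `AUTH0_DOMAIN` and `AUTH0_CLIENT_ID`, which are enough to validate Auth0-issued tokens — so unless the facade drives the Auth0 management API it should not receive the secret at all. Please confirm which of the two services actually uses it and drop the env entry from the other; where it stays, a comment above `- name: AUTH0_CLIENT_SECRET` naming the code path that needs it (e.g. `# used by the Auth0 client-credentials flow in <module> — confirm`) documents the decision. The enclosing containers block starts outside this hunk.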
@@ -211,13 +211,14 @@ subscriptionService:
 enabled: true
 repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-control-plane-subscription-service
 pullPolicy: Always
- tag: "0.0.3"
+ tag: "0.0.4"
 replicaCount: 1
 port: 3000
 node_env: "production"
 log_level: "info"
- site: "sunnytyagiplus6-test"
- api_key: "test_dw4pcuXuEqQ1cufcdg6GfeRUZpCSRHxOW37"
+ site: "sourcefuse-arc-test"
+ api_key: "test_U3Ac7r41QHHc54O7SZucdndPmaJVBFcuNn"
+ payment_gateway_id: "gw_16CcLPUQmL1KGV41"
 affinity: {}
 allowed_origins: "*"
 imagePullPolicy:
@@ -283,7 +284,7 @@ tenantMgmtService:
 enabled: true
 repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-control-plane-tenant-management-service
 pullPolicy: Always
- tag: "0.0.4"
+ tag: "0.0.6"
 replicaCount: 1
 port: 3000
 node_env: "production"
@@ -291,18 +292,14 @@ tenantMgmtService:
 from_email: ${FROM_EMAIL}
 system_user_id: ""
 app_login_url: ""
+ auth0_domain: "dev-db7dz4wg6ccbguer.us.auth0.com"
+ auth0_client_id: "pluqd6RqaLilAn7p1kUFkNo20bxuwUK5"
+ webhookSecretExpiry: "86400000"
 affinity: {}
 allowed_origins: "*"
 imagePullPolicy:
 enabled: "yes"
 name: regcred
- resources:
- requests:
- memory: "128Mi"
- cpu: "100m"
- limits:
- memory: "2048Mi"
- cpu: "1"
 service:
 type: NodePort
 port: 3000
@@ -323,7 +320,7 @@ migrationJob:
 enabled: true
 repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-control-plane-migration
 pullPolicy: Always
- tag: "0.0.3"
+ tag: "0.0.4"
 replicaCount: 1
 affinity: {}
 allowed_origins: "*"
@@ -460,3 +457,4 @@ cognitoid: ${COGNITO_ID}
 cognitosecret: ${COGNITO_SECRET}
 privateKey: ${PRIVATE_KEY}
 publicKey: ${PUBLIC_KEY}
+auth0ClientSecret: ${AUTH0_CLIENT_SECRET}
diff --git a/files/tenant-samples/bridge/buildspec.yaml b/files/tenant-samples/bridge/buildspec.yaml
index 854c0ecc..d55aae66 100644
--- a/files/tenant-samples/bridge/buildspec.yaml
+++ b/files/tenant-samples/bridge/buildspec.yaml
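Review bot: `api_key: "test_U3Ac7r41QHHc54O7SZucdndPmaJVBFcuNn"` commits a literal subscription-provider credential into the chart template, and the line it replaces leaves the previous key in git history. Every other credential in this file is injected at render time (`cognitosecret: ${COGNITO_SECRET}` in context below, `auth0ClientSecret: ${AUTH0_CLIENT_SECRET}` added in the last hunk), so the same pattern belongs here: `api_key: ${SUBSCRIPTION_API_KEY}` (variable name chosen for this note; match what the pipeline exports). Both the old and the new key should be treated as exposed and rotated on the provider side, since the template ships with the repository. `site` and `payment_gateway_id` are identifiers rather than secrets and can stay literal, though `site` is environment-specific and arguably deserves the same `${VAR}` treatment.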
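Review bot: The removal of the whole `resources` block under `tenantMgmtService` (hunk @@ -291) is unrelated to the Auth0 change and is not explained; if tenant-mgmt-service-deployment.yaml still renders `.Values.tenantMgmtService.resources` through `toYaml` (that part of the template is not in this diff), the container now runs with no requests or limits, which on a shared control-plane node removes the scheduler's only protection against one service starving the others. If the intent is to rely on a namespace LimitRange, a one-line comment in place of the block should say so; otherwise the block should come back. Separately, `auth0_domain: "dev-db7dz4wg6ccbguer.us.auth0.com"` and `auth0_client_id` hard-code a development Auth0 tenant into a template whose other environment-specific inputs use `${VAR}` substitution, so a production render silently points at the dev tenant unless someone remembers to override it; `auth0_domain: ${AUTH0_DOMAIN}` and `auth0_client_id: ${AUTH0_CLIENT_ID}` (names chosen for this note) keep the choice with the pipeline like the rest of the file.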
@@ -45,6 +45,8 @@ phases:
 - export TENANT_ADMIN_EMAIL=$(echo $tenant | jq -r '.contacts[] | select(.isPrimary == true) | .email')
 - export USERNAME=$(echo $tenant | jq -r '.key')
 - export KEY=$(echo $tenant | jq -r '.key')
+ - export IdP=$(echo $tenant | jq -r '.identityProvider')
+ #- export IdP="cognito"
 - export TIER=$(echo "${tier}" | tr '[:upper:]' '[:lower:]')
 # Webhook Envs
@@ -75,6 +77,7 @@ phases:
 - export TF_VAR_karpenter_role="${KARPENTER_ROLE}"
 - export TF_VAR_tenant_host_domain="${KEY}.${DOMAIN_NAME}"
 - export TF_VAR_jwt_issuer="${KEY}"
+ - export TF_VAR_IdP="${IdP}"
 - export TF_VAR_rds_instance_allocated_storage="${POSTGRES_SIZE}"
 - export TF_VAR_tenant_client_id="${KEY}"-$(echo "$TENANT_ID" | cut -c 10-)-"${TENANT_CLIENT_ID}"
 - export TF_VAR_tenant_client_secret=$(echo "$TENANT_ID" | cut -c 10-)-"${TENANT_CLIENT_SECRET}"
@@ -117,8 +120,8 @@ phases:
 - ./push-values.sh
 - kubectl apply -f ${TIER}-argo-workflow.yaml --namespace argo-workflows || true
 - kubectl apply -f argocd-application.yaml --namespace argocd || true
- - sleep 240 # waiting time to spin up tenant pods
- - terraform apply -auto-approve --refresh=false # refresh is false to avoid unnecessary API hitting
+ - sleep 300 # waiting time to spin up tenant pods
+ #- terraform apply -auto-approve --refresh=false # refresh is false to avoid unnecessary API hitting
 - kubectl apply -f argo-workflow.yaml --namespace argo-workflows || true
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/.helmignore b/files/tenant-samples/bridge/tenant-helm-chart/auth0/.helmignore
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/.helmignore
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/.helmignore
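Review bot: `export IdP=$(echo $tenant | jq -r '.identityProvider')` yields the literal string `null` when the tenant record has no `identityProvider` field, because `jq -r` prints JSON null as text; that value then reaches Terraform as `TF_VAR_IdP` in the next hunk (@@ -75) and will match no provider name. The commented-out `#- export IdP="cognito"` suggests a fallback is intended, which jq can express directly: `- export IdP=$(echo $tenant | jq -r '.identityProvider // "cognito"')`, after which the commented line should be deleted rather than kept as dead code. The mixed-case `IdP` also departs from the upper-case convention of every other export in this file (`TENANT_ADMIN_EMAIL`, `KEY`, `TIER`); `IDP` / `TF_VAR_idp` would read as one of them, if the Terraform variable name can follow.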
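Review bot: Commenting out `terraform apply -auto-approve --refresh=false` (hunk @@ -117) disables the tenant infrastructure apply with no accompanying change that performs it elsewhere, while `TF_VAR_IdP` and the other `TF_VAR_*` exports earlier in this buildspec are still computed for nothing; this reads as a debugging leftover rather than a deliberate change. If the apply now happens out of band, remove the line and the unused exports and say where provisioning happens; if it is temporary, gate it on a build variable instead of a comment so the state is visible in the pipeline configuration. Raising the fixed `sleep 240` to `sleep 300` is the same kind of guess; waiting on the tenant pods with `kubectl rollout status` or `kubectl wait` against the tenant namespace would make the wait both deterministic and shorter.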
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/Chart.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/Chart.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/Chart.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/Chart.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/README.md b/files/tenant-samples/bridge/tenant-helm-chart/auth0/README.md
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/README.md
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/README.md
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/_helpers.tpl b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/_helpers.tpl
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/_helpers.tpl
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/_helpers.tpl
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml
new file mode 100644
index 00000000..a04c99e0
--- /dev/null
+++ b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml
@@ -0,0 +1,249 @@
+{{- if .Values.authenticationService.enabled }}
+---
+#Deployment
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "helm.fullname" . }}-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ replicas: {{ .Values.authenticationService.replicaCount }}
+ strategy:
+ type: {{ .Values.strategy.type }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.strategy.maxUnavailable }}
+ maxSurge: {{ .Values.strategy.maxSurge }}
+ selector:
+ matchLabels:
+ app: {{ include "helm.fullname" . }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/cm-authentication-service.yaml") . | sha256sum }}
+ prometheus.io/path: {{ .Values.app.basePath }}/authentication-service/obf/metrics
+{{- if .Values.extraAnnotations }}
+{{ toYaml .Values.extraAnnotations | indent 8 }}
+{{- end }}
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: authentication-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+ spec:
+ serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }}
+ containers:
+ - imagePullPolicy: {{ .Values.authenticationService.pullPolicy }}
+ resources:
+ {{- toYaml .Values.authenticationService.resources | nindent 12 }}
+{{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/authentication-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/authentication-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+{{- end }}
+ name: {{ include "helm.fullname" . }}-authentication-service
+ image: {{ .Values.authenticationService.repository }}:{{ .Values.authenticationService.tag }}
+ volumeMounts:
+ - name: my-api-token
+ mountPath: /mnt/api-token
+ readOnly: true
+ envFrom:
+ - configMapRef:
+ name: {{ include "helm.fullname" . }}-cm-authentication-service
+ env:
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: AUTHENTICATION_SERVICE_DB_DATABASE
+ - name: DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: FEATURE_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: FEATURE_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: FEATURE_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: FEATURE_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: FEATURE_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: FEATURE_DB_DATABASE
+ - name: FEATURE_DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: REDIS_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_PORT
+ - name: REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PASSWORD
+ value: ""
+ - name: REDIS_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_DATABASE
+ - name: JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_SECRET
+ - name: JWT_ISSUER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_ISSUER
+ - name: AUTH0_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: AUTH0_CLIENT_SECRET
+{{- if .Values.imagePullSecret.enabled }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecret.name }}
+{{- end }}
+
+ nodeSelector:
+ pooled-node: {{ .Values.tier }}
+{{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ volumes:
+ - name: my-api-token
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets
+{{- with .Values.authenticationService.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+
+---
+#HPA
+
+{{- if .Values.authenticationService.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "helm.fullname" . }}-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: authentication-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "helm.fullname" . }}-authentication-service
+ minReplicas: {{ .Values.authenticationService.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.authenticationService.autoscaling.maxReplicas }}
+ metrics:
+ {{- with .Values.authenticationService.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
+ {{- with .Values.authenticationService.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: AverageValue
+ averageValue: {{ . }}
+ {{- end }}
+{{- end }}
+---
+#Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "helm.fullname" . }}-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ type: {{ .Values.authenticationService.service.type }}
+ ports:
+ - port: {{ .Values.authenticationService.service.port }}
+ targetPort: {{ .Values.authenticationService.service.targetPort }}
+ protocol: {{ .Values.authenticationService.service.protocol }}
+ name: web
+ selector:
+ app: {{ include "helm.fullname" . }}
+ component: authentication-service
+---
+{{- end }}
\ No newline at end of file
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/authorization-policy.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/authorization-policy.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/authorization-policy.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/authorization-policy.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml
new file mode 100644
index 00000000..a1cfd761
--- /dev/null
+++ b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml
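Review bot: The Deployment's `selector.matchLabels` carries only `app: {{ include "helm.fullname" . }}`, a label that user-tenant-service-deployment.yaml in this same commit gives its pods as well (and, going by the renamed templates, the other service deployments of this chart presumably do too), while the Service selector further down correctly narrows with `component: authentication-service`. The Kubernetes documentation warns that controllers with overlapping selectors may conflict and behave unexpectedly, and at minimum `kubectl get pods -l app=<fullname>` and any NetworkPolicy keyed on `app` will treat every service's pods as one group; `matchLabels` should carry `component: authentication-service` exactly as the Service selector does, and the same fix applies to user-tenant-service-deployment.yaml. A smaller point in the HPA block: a value named `targetMemoryUtilizationPercentage` is rendered as `type: AverageValue` / `averageValue: {{ . }}`, which expects an absolute quantity such as `512Mi`, not a percentage — either rename the value or use `type: Utilization` with `averageUtilization` as the CPU metric does.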
@@ -0,0 +1,19 @@
+{{- if .Values.authenticationService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.authenticationService.port }}'
+ NODE_ENV: '{{ .Values.authenticationService.node_env }}'
+ LOG_LEVEL: '{{ .Values.authenticationService.log_level }}'
+ BASE_PATH: '{{ .Values.authenticationService.base_path }}'
+ DB_SSL: '{{ .Values.authenticationService.db_ssl }}'
+ AUTH0_DOMAIN: "dev-db7dz4wg6ccbguer.us.auth0.com"
+ AUTH0_CLIENT_ID: "pluqd6RqaLilAn7p1kUFkNo20bxuwUK5"
+ AUTH0_CALLBACK_URL: "https://{{ .Values.hostname }}/authentication-service/auth/auth0-auth-redirect"
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/cm-feature-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-feature-service.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/cm-feature-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-feature-service.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/cm-frontend-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-frontend-service.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/cm-frontend-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-frontend-service.yaml
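Review bot: `AUTH0_DOMAIN` and `AUTH0_CLIENT_ID` are written as literals (`"dev-db7dz4wg6ccbguer.us.auth0.com"`, `"pluqd6RqaLilAn7p1kUFkNo20bxuwUK5"`) inside a template whose every other data key comes from `.Values.authenticationService.*`, so every tenant rendered from this chart is pinned to that one development Auth0 tenant and cannot be repointed through values. The same two literals also appear in the control-plane values.yaml.template in this commit, giving three places to update on an environment change. A single source is `AUTH0_DOMAIN: '{{ .Values.authenticationService.auth0_domain }}'` and `AUTH0_CLIENT_ID: '{{ .Values.authenticationService.auth0_client_id }}'`, with the current values moved into the chart's values file (or supplied by the pipeline alongside the other per-tenant values).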
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/cm-notification-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-notification-service.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/cm-notification-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-notification-service.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/cm-user-tenant-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-user-tenant-service.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/cm-user-tenant-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-user-tenant-service.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/cm-video-confrencing-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-video-confrencing-service.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/cm-video-confrencing-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/cm-video-confrencing-service.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/feature-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/feature-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/feature-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/feature-service-deployment.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/frontend-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/frontend-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/frontend-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/frontend-service-deployment.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/gateway.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/gateway.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/gateway.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/gateway.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/hooks/migration-job.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/hooks/migration-job.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/imagePullSecret.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/imagePullSecret.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/imagePullSecret.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/imagePullSecret.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/kuberhealthy-http-checker.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/kuberhealthy-http-checker.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/kuberhealthy-http-checker.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/kuberhealthy-http-checker.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/notification-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/notification-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/notification-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/notification-service-deployment.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/provisioner.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/provisioner.yaml
similarity index 97%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/provisioner.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/provisioner.yaml
index 5ed47914..b7036946 100644
--- a/files/tenant-samples/bridge/tenant-helm-chart/templates/provisioner.yaml
+++ b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/provisioner.yaml
@@ -54,6 +54,7 @@ spec:
 "aws:eks:cluster-name": {{ .Values.eksClusterName }}
 tags:
 Tenant: "pooled"
+ Project: {{ .Values.project }}
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml
new file mode 100644
index 00000000..2cdefeff
--- /dev/null
+++ b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml
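Review bot: `Project: {{ .Values.project }}` renders the tag value unquoted, unlike the sibling `Tenant: "pooled"`; a project name that looks like a number or a boolean would be retyped by the YAML parser, and an unset `.Values.project` renders as a bare `Project:`, which is null rather than an empty string and may be rejected when the tags are applied. `Project: "{{ .Values.project }}"` (or `Project: {{ .Values.project | quote }}`) keeps it a string in every case. The enclosing tags block starts outside this hunk, and the hunk's trailing context lines appear to have been lost in the collapse of this diff.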
@@ -0,0 +1,123 @@
+---
+#namespace specific service account for
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}
+ labels:
+ {{- include "helm.labels" . | nindent 4 }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.arn }}
+
+---
+#custom resource to fetch the secrets from paramter store
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets
+ labels:
+ {{- include "helm.labels" . | nindent 4 }}
+spec:
+ provider: aws
+ secretObjects:
+ - secretName: api-token
+ type: Opaque
+ data:
+ - objectName: db_host
+ key: DB_HOST
+ - objectName: db_port
+ key: DB_PORT
+ - objectName: db_user
+ key: DB_USER
+ - objectName: db_password
+ key: DB_PASSWORD
+ - objectName: db_schema
+ key: DB_SCHEMA
+ - objectName: redis_host
+ key: REDIS_HOST
+ - objectName: redis_port
+ key: REDIS_PORT
+ - objectName: redis_database
+ key: REDIS_DATABASE
+ - objectName: jwt_secret
+ key: JWT_SECRET
+ - objectName: jwt_issuer
+ key: JWT_ISSUER
+ - objectName: authentication_service_db_database
+ key: AUTHENTICATION_SERVICE_DB_DATABASE
+ - objectName: feature_db_database
+ key: FEATURE_DB_DATABASE
+ - objectName: video_confrencing_service_db_database
+ key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE
+ - objectName: notification_service_db_database
+ key: NOTIFICATION_SERVICE_DB_DATABASE
+ - objectName: vonage-api-key-secret
+ key: VONAGE_API_KEY_SECRET
+ - objectName: pubnub-pub-key
+ key: PUBNUB_PUB_KEY
+ - objectName: pubnub-sub-key
+ key: PUBNUB_SUB_KEY
+ - objectName: pubnub-secret-key
+ key: PUBNUB_SECRET_KEY
+ - objectName: auth0-client-secret
+ key: AUTH0_CLIENT_SECRET
+ parameters:
+# region: us-west-2
+ objects: |
+ - objectName: {{ .Values.dbhost }}
+ objectType: ssmparameter
+ objectAlias: db_host
+ - objectName: {{ .Values.dbport }}
+ objectType: ssmparameter
+ objectAlias: db_port
+ - objectName: {{ .Values.dbuser }}
+ objectType: ssmparameter
+ objectAlias: db_user
+ - objectName: {{ .Values.dbpassword }}
+ objectType: ssmparameter
+ objectAlias: db_password
+ - objectName: {{ .Values.dbschema }}
+ objectType: ssmparameter
+ objectAlias: db_schema
+ - objectName: {{ .Values.redishost }}
+ objectType: ssmparameter
+ objectAlias: redis_host
+ - objectName: {{ .Values.redisport }}
+ objectType: ssmparameter
+ objectAlias: redis_port
+ - objectName: {{ .Values.redisdatabase }}
+ objectType: ssmparameter
+ objectAlias: redis_database
+ - objectName: {{ .Values.jwtsecret }}
+ objectType: ssmparameter
+ objectAlias: jwt_secret
+ - objectName: {{ .Values.jwtissuer }}
+ objectType: ssmparameter
+ objectAlias: jwt_issuer
+ - objectName: {{ .Values.authenticationdbdatabase }}
+ objectType: ssmparameter
+ objectAlias: authentication_service_db_database
+ - objectName: {{ .Values.featuredbdatabase }}
+ objectType: ssmparameter
+ objectAlias: feature_db_database
+ - objectName: {{ .Values.notificationdbdatabase }}
+ objectType: ssmparameter
+ objectAlias: notification_service_db_database
+ - objectName: {{ .Values.videoconfrencingdbdatabase }}
+ objectType: ssmparameter
+ objectAlias: video_confrencing_service_db_database
+ - objectName: {{ .Values.vonageSecret }}
+ objectType: ssmparameter
+ objectAlias: vonage-api-key-secret
+ - objectName: {{ .Values.pubnubPubKey }}
+ objectType: ssmparameter
+ objectAlias: pubnub-pub-key
+ - objectName: {{ .Values.pubnubSubKey }}
+ objectType: ssmparameter
+ objectAlias: pubnub-sub-key
+ - objectName: {{ .Values.pubnubSecretKey }}
+ objectType: ssmparameter
+ objectAlias: pubnub-secret-key
+ - objectName: {{ .Values.auth0ClientSecret }}
+ objectType: ssmparameter
+ objectAlias: auth0-client-secret
\ No newline at end of file
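Review bot: All nineteen objects — `db_password`, `jwt_secret`, the pubnub and vonage keys and the new `auth0-client-secret` among them — are synced into the single Kubernetes Secret `api-token`, and this one SecretProviderClass is mounted as files at `/mnt/api-token` by every service deployment in the chart (user-tenant-service-deployment.yaml in this commit consumes none of the Auth0, pubnub or vonage material through env yet still mounts the volume). Any single compromised service container can therefore read every other service's credentials; splitting `secretObjects` per consumer, or at least dropping the file mount where the env entries already cover what a service needs, would bound that blast radius. The new `{{ .Values.auth0ClientSecret }}` entry is also unguarded against an empty value, which fails the whole mount rather than just the Auth0 entry — the `required` function gives a clear install-time error instead. The two header comments are truncated or misspelled (`#namespace specific service account for` stops mid-sentence, `paramter`); suggested: `# Service account the tenant workloads run as; the annotation binds it to the IAM role in .Values.arn` and `# SecretProviderClass: syncs the listed SSM parameters into the api-token Secret`.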
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml
new file mode 100644
index 00000000..aa8a3a07
--- /dev/null
+++ b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml
@@ -0,0 +1,214 @@ +{{- if .Values.userTenantService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.userTenantService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-user-tenant-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/user-tenant-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: user-tenant-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.userTenantService.pullPolicy }} + resources: + {{- toYaml .Values.userTenantService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/user-tenant-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/user-tenant-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + 
name: {{ include "helm.fullname" . }}-user-tenant-service + image: {{ .Values.userTenantService.repository }}:{{ .Values.userTenantService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-user-tenant-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: AUTHENTICATION_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + pooled-node: {{ .Values.tier }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.userTenantService.affinity }} + affinity: +{{ toYaml . 
| indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.userTenantService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + component: user-tenant-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-user-tenant-service + minReplicas: {{ .Values.userTenantService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.userTenantService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.userTenantService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.userTenantService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.userTenantService.service.type }} + ports: + - port: {{ .Values.userTenantService.service.port }} + targetPort: {{ .Values.userTenantService.service.targetPort }} + protocol: {{ .Values.userTenantService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: user-tenant-service +--- +{{- end }} \ No newline at end of file 
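Review bot: Neither the pod spec nor the container in this new Deployment sets a `securityContext`, although the chart's values.yaml.template added in the same commit declares `podSecurityContext: {}` and `securityContext: {}` with the usual hardening keys commented out; without `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` under the container (and the pod-level equivalent under `spec:`), those values are dead and the image runs with whatever defaults it ships. `REDIS_URL` is filled from the same secret key as `REDIS_HOST` (`key: REDIS_HOST`), which reads like a copy-paste slip unless the service really expects a bare host in that variable, and `REDIS_PASSWORD` is pinned to `value: ""`, so Redis is reached unauthenticated; if that is intended it deserves a comment, otherwise the value belongs in the same `api-token` secret as the other connection parameters. The Deployment selector is `matchLabels: app: {{ include "helm.fullname" . }}` only, while the pod template and the Service also carry `component: user-tenant-service`; if the sibling deployments in this chart use the same `app` label, the selectors overlap and the controllers will claim each other's pods, so add `component: user-tenant-service` to `matchLabels` as well.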
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/video-conferencing-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/video-conferencing-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/video-conferencing-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/video-conferencing-service-deployment.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/virtual-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/virtual-service.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/virtual-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/auth0/templates/virtual-service.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/auth0/values.yaml.template b/files/tenant-samples/bridge/tenant-helm-chart/auth0/values.yaml.template
new file mode 100644
index 00000000..29a3532d
--- /dev/null
+++ b/files/tenant-samples/bridge/tenant-helm-chart/auth0/values.yaml.template
@@ -0,0 +1,373 @@ +# Default values for helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +strategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 +app: + url: "" + basePath: "" +livenessProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 7 +readinessProbe: + enabled: false + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + +frontend: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-ui + pullPolicy: Always + tag: "0.0.5" + log_level: "info" + home_path: "/home" + replicaCount: 1 + affinity: {} + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "2" + Service: + type: NodePort + port: 80 + targetPort: 80 + protocol: TCP + extraAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "3000" + sidecar.istio.io/inject: "false" + enabled: "1" + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 20 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + + +#Services +#featureService +featureService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-feature-toggle-service + pullPolicy: Always + tag: "0.0.2" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + timestamp_tolerance: 300 + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /feature-service + +#authenticationService +authenticationService: + enabled: true 
+ repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-authentication-service + pullPolicy: Always + tag: "0.0.3" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /authentication-service + +#notificationService +notificationService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-notification-service + pullPolicy: Always + tag: "0.0.3" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /notification-service + +#userTenantService +userTenantService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-user-tenant-service + pullPolicy: Always + tag: "0.0.4" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + 
maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /user-tenant-service + +videoConfrencingService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-video-conferencing-service + pullPolicy: Always + tag: "0.0.2" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /video-confrencing-service + +#migrationJob +migrationJob: +#enable it when correct image has been provided + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-migration + pullPolicy: Always + tag: "0.0.1" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + +##Common env's + +#Common URL'S + +imagePullSecret: +#enable it and pass the correct parameters below + enabled: false + name: regcred + registry: https://index.docker.io/v1/ + username: '' + password: '' + email: sfdevops@sourcefuse.com + +nameOverride: "" + +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +extraAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "3000" + sidecar.istio.io/inject: "true" + enabled: "1" + +nodeSelector: {} + +tolerations: + - effect: NoSchedule + key: pooled-node + operator: Equal + value: "pooled" + +affinity: {} + +#Migration Job Variable +tenantKey: ${TENANT_KEY} +tenantName: ${TENANT_NAME} +tenantSecret: ${TENANT_SECRET} +tenantID: ${TENANT_ID} +tenantEmail: ${TENANT_EMAIL} +adminUserTenantId: "b439829b-57e7-49d8-bb23-8ccb2ca56435" +#userCallbackSecret: "yugeyifgweyfgy" +userCallbackSecret: ${USER_CALLBACK_SECRET} + +# Frontend variable +clientId: ${TENANT_CLIENT_ID} +publicKey: ${TENANT_CLIENT_SECRET} + +tier: ${TIER} +namespace: ${NAMESPACE} +project: ${PROJECT} +region: ${REGION} +karpenterRoleName: ${KARPENTER_ROLE} +eksClusterName: ${EKS_CLUSTER_NAME} +hostname: ${TENANT_HOST_NAME} +tenant: ${TENANT_KEY} +arn: ${WEB_IDENTITY_ROLE_ARN} +dbhost: ${DB_HOST} +dbport: ${DB_PORT} +dbuser: ${DB_USER} +dbpassword: ${DB_PASSWORD} +dbschema: ${DB_SCHEMA} +redishost: ${REDIS_HOST} +redisport: ${REDIS_PORT} +redisdatabase: ${REDIS_DATABASE} +jwtsecret: ${JWT_SECRET} +jwtissuer: ${JWT_ISSUER} +authenticationdbdatabase: ${AUTH_DATABASE} +featuredbdatabase: ${FEATURE_DATABASE} 
+notificationdbdatabase: ${NOTIFICATION_DATABASE}
+videoconfrencingdbdatabase: ${VIDEO_CONFRENCING_DATABASE}
+
+# pubnub config
+vonageSecret: /pubnub/vonage-api-key-secret
+pubnubPubKey: /pubnub/public-key
+pubnubSubKey: /pubnub/subscribe-key
+pubnubSecretKey: /pubnub/secret-key
+auth0ClientSecret: /sf-arc-saas/dev/auth0-client-secret
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/.helmignore b/files/tenant-samples/bridge/tenant-helm-chart/cognito/.helmignore
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/.helmignore
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/.helmignore
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/Chart.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/Chart.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/Chart.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/Chart.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/README.md b/files/tenant-samples/bridge/tenant-helm-chart/cognito/README.md
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/README.md
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/README.md
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/_helpers.tpl b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/_helpers.tpl
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/_helpers.tpl
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/_helpers.tpl
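Review bot: `auth0ClientSecret: /sf-arc-saas/dev/auth0-client-secret` is the only SSM path in this template pinned to one project and one environment; every other parameter is a `${...}` placeholder filled from Terraform, and the IAM policy added in data.tf grants `parameter/${var.namespace}/${var.environment}/auth0-client-secret`, so a deployment for any other namespace or environment will be denied when the CSI driver fetches the secret. Template it like its neighbours, e.g. `auth0ClientSecret: /${PROJECT}/${ENVIRONMENT}/auth0-client-secret` with `ENVIRONMENT = var.environment` added to the vars map in eks.tf (placeholder names are a proposal, not existing keys). The security-relevant defaults are also permissive for a chart whose services set `node_env: "production"`: every service ships `db_ssl: false` and `allowed_origins: "*"`, so database traffic is unencrypted and CORS is wide open unless an operator overrides both; safer defaults with a one-line comment on each would make the relaxation a deliberate choice. Minor: `publicKey: ${TENANT_CLIENT_SECRET}` stores a client secret under a key named publicKey, which will mislead the next reader.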
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/authentication-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/authentication-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/authentication-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/authentication-service-deployment.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/authorization-policy.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/authorization-policy.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/authorization-policy.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/authorization-policy.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/cm-authentication-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-authentication-service.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/cm-authentication-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-authentication-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/cm-feature-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-feature-service.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/cm-feature-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-feature-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/cm-frontend-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/cm-frontend-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/cm-notification-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-notification-service.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/cm-notification-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-notification-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/cm-user-tenant-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/cm-user-tenant-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/cm-video-confrencing-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/cm-video-confrencing-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/feature-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/feature-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/frontend-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/frontend-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/gateway.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/gateway.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/gateway.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/gateway.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/hooks/migration-job.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/hooks/migration-job.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/hooks/migration-job.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/hooks/migration-job.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/imagePullSecret.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/imagePullSecret.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/imagePullSecret.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/imagePullSecret.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/kuberhealthy-http-checker.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/kuberhealthy-http-checker.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/kuberhealthy-http-checker.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/kuberhealthy-http-checker.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/notification-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/notification-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/provisioner.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/provisioner.yaml
new file mode 100644
index 00000000..b7036946
--- /dev/null
+++ b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/provisioner.yaml
@@ -0,0 +1,62 @@ +apiVersion: karpenter.sh/v1beta1 +kind: NodePool +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + annotations: + kubernetes.io/description: "NodePool to restrict the number of cpus provisioned to 100" +spec: + template: + metadata: + labels: + pooled-node: {{ .Values.tier }} + spec: + requirements: + - key: kubernetes.io/arch + operator: In + values: ["amd64"] + - key: kubernetes.io/os + operator: In + values: ["linux"] + - key: karpenter.sh/capacity-type + operator: In + values: ["on-demand"] + - key: karpenter.k8s.aws/instance-category + operator: In + values: ["t"] + - key: karpenter.k8s.aws/instance-generation + operator: Gt + values: ["2"] + nodeClassRef: + name: {{ .Values.tier }}-{{ .Values.tenant }} + taints: + - key: pooled-node + value: "pooled" + effect: NoSchedule + + limits: + cpu: 100 + memory: 1000Gi +--- +apiVersion: karpenter.k8s.aws/v1beta1 +kind: EC2NodeClass +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + annotations: + kubernetes.io/description: "General purpose EC2NodeClass for running Amazon Linux 2 nodes" +spec: + amiFamily: AL2 # Amazon Linux 2 + role: {{ .Values.karpenterRoleName }} + subnetSelectorTerms: + - tags: + Type: "private" + securityGroupSelectorTerms: + - tags: + "aws:eks:cluster-name": {{ .Values.eksClusterName }} + tags: + Tenant: "pooled" + Project: {{ .Values.project }} + + + + + diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/secret-provider-class-and-sa.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/secret-provider-class-and-sa.yaml similarity index 100% rename from files/tenant-samples/pooled/tenant-helm-chart/templates/secret-provider-class-and-sa.yaml rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/secret-provider-class-and-sa.yaml 
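Review bot: `tags: Tenant: "pooled"` on the EC2NodeClass is a literal, while the NodePool/EC2NodeClass names and the `pooled-node` label in the same file are derived from `{{ .Values.tier }}` and `{{ .Values.tenant }}`; as this file lives under the bridge tenant chart, every bridge tenant's nodes will be tagged as the pooled tenant, which breaks cost attribution and any tag-scoped IAM or SCP condition on the EC2 side. Use `Tenant: {{ .Values.tenant }}` (or the tier, if that is what the other charts tag with) so the tag agrees with the resource names. The taint `value: "pooled"` is likewise a literal; it does match the `tolerations` default in values.yaml.template, so it works, but one templated value would keep the two from drifting. The file also ends with five empty lines before the next diff header.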
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/user-tenant-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/user-tenant-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/bridge/tenant-helm-chart/templates/user-tenant-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/user-tenant-service-deployment.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/video-conferencing-service-deployment.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/video-conferencing-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/video-conferencing-service-deployment.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/video-conferencing-service-deployment.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/virtual-service.yaml b/files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/virtual-service.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/virtual-service.yaml
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/templates/virtual-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/values.yaml.template b/files/tenant-samples/bridge/tenant-helm-chart/cognito/values.yaml.template
similarity index 99%
rename from files/tenant-samples/pooled/tenant-helm-chart/values.yaml.template
rename to files/tenant-samples/bridge/tenant-helm-chart/cognito/values.yaml.template
index 25239673..a70c3076 100644
--- a/files/tenant-samples/pooled/tenant-helm-chart/values.yaml.template
+++ b/files/tenant-samples/bridge/tenant-helm-chart/cognito/values.yaml.template
@@ -63,7 +63,7 @@ featureService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-feature-toggle-service pullPolicy: Always - tag: "0.0.1" + tag: "0.0.2" replicaCount: 1 port: 3000 node_env: "production" @@ -100,7 +100,7 @@ authenticationService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-authentication-service pullPolicy: Always - tag: "0.0.2" + tag: "0.0.3" replicaCount: 1 port: 3000 node_env: "production" @@ -136,7 +136,7 @@ notificationService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-notification-service pullPolicy: Always - tag: "0.0.2" + tag: "0.0.3" replicaCount: 1 port: 3000 node_env: "production" @@ -172,7 +172,7 @@ userTenantService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-user-tenant-service pullPolicy: Always - tag: "0.0.3" + tag: "0.0.4" replicaCount: 1 port: 3000 node_env: "production" @@ -207,7 +207,7 @@ videoConfrencingService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-video-conferencing-service pullPolicy: Always - tag: "0.0.1" + tag: "0.0.2" replicaCount: 1 port: 3000 node_env: "production" @@ -343,6 +343,7 @@ publicKey: ${TENANT_CLIENT_SECRET} tier: ${TIER} namespace: ${NAMESPACE} +project: ${PROJECT} region: ${REGION} cognitodomain: ${COGNITO_DOMAIN} cognitoid: ${COGNITO_ID} diff --git a/files/tenant-samples/bridge/terraform/canary.tf b/files/tenant-samples/bridge/terraform/canary.tf index 58e5439f..2c0d5739 100644 --- a/files/tenant-samples/bridge/terraform/canary.tf +++ b/files/tenant-samples/bridge/terraform/canary.tf @@ -22,6 +22,7 @@ resource "aws_synthetics_canary" "main" { schedule { expression = "rate(6 minutes)" } + tags = module.tags.tags } diff --git a/files/tenant-samples/bridge/terraform/cognito-client.tf b/files/tenant-samples/bridge/terraform/cognito-client.tf index aa2b4a95..e66d3417 100644 
--- a/files/tenant-samples/bridge/terraform/cognito-client.tf
+++ b/files/tenant-samples/bridge/terraform/cognito-client.tf
@@ -1,22 +1,10 @@
-######################################################################
-## Create Cognito User
-######################################################################
-# module "cognito_password" {
-# source = "../modules/random-password"
-# length = 12
-# is_special = true
-# min_upper = 1
-# min_numeric = 1
-# min_special = 1
-# min_lower = 1
-# }
-
 #####################################################################################
 ## Cognito App Client
 #####################################################################################
 resource "aws_cognito_user_pool_client" "app_client" {
+ count = var.IdP == "cognito" ? 1 : 0
 name = var.tenant
- user_pool_id = data.aws_ssm_parameter.cognito_user_pool_id.value
+ user_pool_id = data.aws_ssm_parameter.cognito_user_pool_id[0].value
 allowed_oauth_flows = ["code"]
 allowed_oauth_flows_user_pool_client = true
 allowed_oauth_scopes = ["phone", "email", "openid", "aws.cognito.signin.user.admin"]
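Review bot: `user_pool_id = data.aws_ssm_parameter.cognito_user_pool_id[0].value` hard-codes index 0 inside a resource that is itself counted, whereas the next hunk in this file uses `app_client[count.index]`; both are correct for a 0/1 count, but `[count.index]` is the form that stays right if the count expression ever changes, so use it here as well. The gate `var.IdP == "cognito" ? 1 : 0` is repeated as a string literal in this file, in data.tf and in eks.tf; unless `variable "IdP"` (not in this diff) carries a `validation` block limiting it to the supported values, a misspelling such as `Cognito` makes every counted block evaluate to 0 and the plan silently provisions no identity provider at all instead of failing. A single local such as `local.is_cognito` would also keep the three files from drifting.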
@@ -38,45 +26,28 @@ resource "aws_cognito_user_pool_client" "app_client" { } } -# resource "aws_cognito_user" "cognito_user" { -# user_pool_id = data.aws_ssm_parameter.cognito_user_pool_id.value -# username = var.user_name - -# attributes = { -# email = var.tenant_email -# email_verified = true -# } -# temporary_password = module.cognito_password.result - -# } - ###################################################################### ## Store Congito output to SSM parameneter store ###################################################################### module "cognito_ssm_parameters" { + count = var.IdP == "cognito" ? 1 : 0 source = "../modules/ssm-parameter" ssm_parameters = [ { name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_id" - value = resource.aws_cognito_user_pool_client.app_client.id + value = resource.aws_cognito_user_pool_client.app_client[count.index].id type = "SecureString" overwrite = "true" description = "Tenant Cognito Domain ID" }, { name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_secret" - value = resource.aws_cognito_user_pool_client.app_client.client_secret + value = resource.aws_cognito_user_pool_client.app_client[count.index].client_secret type = "SecureString" overwrite = "true" description = "Tenant Cognito Domain Secret" } - # { - # name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/${var.user_name}/user_sub" - # value = aws_cognito_user.cognito_user.sub - # type = "SecureString" - # overwrite = "true" - # description = "${var.tenant} User Cognito Sub" - # } + ] tags = module.tags.tags } \ No newline at end of file diff --git a/files/tenant-samples/bridge/terraform/data.tf b/files/tenant-samples/bridge/terraform/data.tf index 4176fd94..73db10ca 100644 --- a/files/tenant-samples/bridge/terraform/data.tf +++ b/files/tenant-samples/bridge/terraform/data.tf 
@@ -94,6 +94,7 @@ data "aws_iam_policy_document" "ssm_policy" {
 ]
 resources = ["arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/${var.tenant_tier}/*",
 "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/pubnub/*",
+ "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/auth0-client-secret",
 "arn:aws:cognito-idp:${var.region}:${local.sts_caller_arn}:*"]
 }
 }
@@ -107,19 +108,23 @@ data "aws_route53_zone" "selected" {
 }
 data "aws_ssm_parameter" "cognito_user_pool_id" {
+ count = var.IdP == "cognito" ? 1 : 0
 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_user_pool_id"
 }
 data "aws_ssm_parameter" "cognito_domain" {
+ count = var.IdP == "cognito" ? 1 : 0
 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_domain"
 }
 data "aws_ssm_parameter" "cognito_id" {
+ count = var.IdP == "cognito" ? 1 : 0
 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_id"
 depends_on = [module.cognito_ssm_parameters]
 }
 data "aws_ssm_parameter" "cognito_secret" {
+ count = var.IdP == "cognito" ? 1 : 0
 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_secret"
 depends_on = [module.cognito_ssm_parameters]
 }
diff --git a/files/tenant-samples/bridge/terraform/eks.tf b/files/tenant-samples/bridge/terraform/eks.tf
index 4b3ae9ed..8c111a03 100644
--- a/files/tenant-samples/bridge/terraform/eks.tf
+++ b/files/tenant-samples/bridge/terraform/eks.tf
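Review bot: The added ARN `parameter/${var.namespace}/${var.environment}/auth0-client-secret` is granted to the IAM role of every tenant this module creates, and unlike the neighbouring `.../${var.tenant_tier}/*` entry it is not scoped per tier or tenant, so all bridge tenants read the same Auth0 client credential and a compromise of one tenant's pods exposes a secret that also serves the others. If per-tenant Auth0 clients are not planned, record that sharing decision in a comment beside the entry, and keep the grant unconditional only if the auth0 path is really needed when `var.IdP` is `cognito`; otherwise wrap it in the same `var.IdP == "auth0"` condition the rest of the commit uses. The new auth0 values.yaml.template hard-codes `/sf-arc-saas/dev/auth0-client-secret`, which only matches this pattern for one namespace and environment.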
@@ -102,25 +102,63 @@ resource "kubernetes_namespace" "my_namespace" {
 # generate tenant specific helm values.yaml
-data "template_file" "helm_values_template" {
- template = file("${path.module}/../tenant-helm-chart/values.yaml.template")
+data "template_file" "cognito_helm_values_template" {
+ count = var.IdP == "cognito" ? 1 : 0
+ template = file("${path.module}/../tenant-helm-chart/cognito/values.yaml.template")
 vars = {
 NAMESPACE = local.kubernetes_ns
+ PROJECT = var.namespace
 TENANT_NAME = var.tenant_name
 TENANT_KEY = var.tenant
 TENANT_EMAIL = var.tenant_email
 TENANT_SECRET = var.tenant_secret
 TENANT_ID = var.tenant_id
- # COGNITO_USER = var.user_name
- # COGNITO_USER_SUB = aws_cognito_user.cognito_user.sub
+ TIER = var.tenant_tier
+ TENANT_CLIENT_ID = var.tenant_client_id
+ TENANT_CLIENT_SECRET = var.tenant_client_secret
+ REGION = var.region
+ COGNITO_DOMAIN = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_domain) > 0 ? data.aws_ssm_parameter.cognito_domain[count.index].name : null
+ COGNITO_ID = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_id) > 0 ? data.aws_ssm_parameter.cognito_id[count.index].name : null
+ COGNITO_SECRET = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_secret) > 0 ? 
data.aws_ssm_parameter.cognito_secret[count.index].name : null
+ KARPENTER_ROLE = var.karpenter_role
+ EKS_CLUSTER_NAME = var.cluster_name
+ TENANT_HOST_NAME = var.tenant_host_domain
+ USER_CALLBACK_SECRET = var.user_callback_secret
+ WEB_IDENTITY_ROLE_ARN = module.tenant_iam_role.arn
+ DB_HOST = data.aws_ssm_parameter.db_host.name
+ DB_PORT = data.aws_ssm_parameter.db_port.name
+ DB_USER = data.aws_ssm_parameter.db_user.name
+ DB_PASSWORD = data.aws_ssm_parameter.db_password.name
+ DB_SCHEMA = data.aws_ssm_parameter.db_schema.name
+ REDIS_HOST = data.aws_ssm_parameter.redis_host.name
+ REDIS_PORT = data.aws_ssm_parameter.redis_port.name
+ REDIS_DATABASE = data.aws_ssm_parameter.redis_database.name
+ JWT_SECRET = data.aws_ssm_parameter.jwt_secret.name
+ JWT_ISSUER = data.aws_ssm_parameter.jwt_issuer.name
+ AUTH_DATABASE = data.aws_ssm_parameter.authenticationdbdatabase.name
+ FEATURE_DATABASE = data.aws_ssm_parameter.featuredbdatabase.name
+ NOTIFICATION_DATABASE = data.aws_ssm_parameter.notificationdbdatabase.name
+ VIDEO_CONFRENCING_DATABASE = data.aws_ssm_parameter.videoconfrencingdbdatabase.name
+ COGNITO_USER_POOL_ID = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_user_pool_id) > 0 ? data.aws_ssm_parameter.cognito_user_pool_id[count.index].name : null
+ }
+}
+
+data "template_file" "auth0_helm_values_template" {
+ count = var.IdP == "auth0" ? 
1 : 0
+ template = file("${path.module}/../tenant-helm-chart/auth0/values.yaml.template")
+ vars = {
+ NAMESPACE = local.kubernetes_ns
+ PROJECT = var.namespace
+ TENANT_NAME = var.tenant_name
+ TENANT_KEY = var.tenant
+ TENANT_EMAIL = var.tenant_email
+ TENANT_SECRET = var.tenant_secret
+ TENANT_ID = var.tenant_id
 TIER = var.tenant_tier
 TENANT_CLIENT_ID = var.tenant_client_id
 TENANT_CLIENT_SECRET = var.tenant_client_secret
 REGION = var.region
- COGNITO_DOMAIN = data.aws_ssm_parameter.cognito_domain.name
- COGNITO_ID = data.aws_ssm_parameter.cognito_id.name
- COGNITO_SECRET = data.aws_ssm_parameter.cognito_secret.name
 KARPENTER_ROLE = var.karpenter_role
 EKS_CLUSTER_NAME = var.cluster_name
 TENANT_HOST_NAME = var.tenant_host_domain 
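Review bot: The `COGNITO_DOMAIN`, `COGNITO_ID`, `COGNITO_SECRET` and `COGNITO_USER_POOL_ID` entries re-test `var.IdP == "cognito" && length(...) > 0` inside a block that already has `count = var.IdP == "cognito" ? 1 : 0`, so the guard cannot be false while the block exists and `count.index` is always `0`; `data.aws_ssm_parameter.cognito_domain[0].name` says the same thing and drops the `null` fallback, which, given that `template_file` takes `vars` as strings, I would expect to be rejected rather than rendered empty if it ever fired (unverified). The `auth0_helm_values_template` block repeats every provider-independent entry of the cognito block; a `locals { common_helm_vars = { ... } }` map combined with the provider-specific entries via `merge(local.common_helm_vars, { ... })` leaves one place to edit. The `hashicorp/template` data source is deprecated; `templatefile()` takes the same vars map and needs no provider. The `auth0_helm_values_template` block continues past the end of this hunk.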
@@ -140,19 +178,25 @@ data "template_file" "helm_values_template" {
 FEATURE_DATABASE = data.aws_ssm_parameter.featuredbdatabase.name
 NOTIFICATION_DATABASE = data.aws_ssm_parameter.notificationdbdatabase.name
 VIDEO_CONFRENCING_DATABASE = data.aws_ssm_parameter.videoconfrencingdbdatabase.name
- COGNITO_USER_POOL_ID = data.aws_ssm_parameter.cognito_user_pool_id.name
 }
 }
-resource "local_file" "helm_values" {
- filename = "${path.module}/output/${var.tenant}-values.yaml"
- content = data.template_file.helm_values_template.rendered
+resource "local_file" "cognito_helm_values" {
+ count = var.IdP == "cognito" ? 1 : 0
+ filename = "${path.module}/output/cognito/${var.tenant}-values.yaml"
+ content = data.template_file.cognito_helm_values_template[count.index].rendered
 }
+resource "local_file" "auth0_helm_values" {
+ count = var.IdP == "auth0" ? 1 : 0
+ filename = "${path.module}/output/auth0/${var.tenant}-values.yaml"
+ content = data.template_file.auth0_helm_values_template[count.index].rendered
+}
 ###############################################################################################
 ## Register Tenant Helm App on ArgoCD
 ###############################################################################################
-resource "local_file" "argocd_application" {
+resource "local_file" "cognito_argocd_application" {
+ count = var.IdP == "cognito" ? 1 : 0
 content = <<-EOT
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -167,7 +211,7 @@ spec:
 namespace: ${var.tenant_tier}-${var.tenant}
 server: 'https://kubernetes.default.svc'
 source:
- path: onboarded-tenants/bridge/application
+ path: onboarded-tenants/bridge/application/cognito
 repoURL: 'https://${data.aws_ssm_parameter.github_user.value}@github.com/${data.aws_ssm_parameter.github_repo.value}.git'
 targetRevision: main
 helm: 
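Review bot: `cognito_helm_values` and `auth0_helm_values` write the rendered values file, whose template vars include `TENANT_SECRET`, `TENANT_CLIENT_SECRET` and `USER_CALLBACK_SECRET`, to `output/<idp>/<tenant>-values.yaml`, and `push-values.sh` then commits that directory to the GitHub repo, so if the values template renders those vars (the template itself is not in this diff) the credentials land in git history. This predates the commit, but the commit doubles the resources that do it; `local_sensitive_file` from the same `hashicorp/local` provider at least keeps the content out of plan output, and sourcing the secrets through the existing SecretProviderClass instead of the values file would keep them out of the repo altogether. `count.index` is always `0` in a `count = ... ? 1 : 0` resource, so `[0]` reads more plainly than `[count.index]`. The `cognito_argocd_application` resource begun here continues past the end of the second hunk.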
@@ -190,6 +234,44 @@ spec:
 filename = "${path.module}/argocd-application.yaml"
 }
+resource "local_file" "auth0_argocd_application" {
+ count = var.IdP == "auth0" ? 1 : 0
+ content = <<-EOT
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ${var.tenant_tier}-${var.tenant}
+ namespace: argocd
+ labels:
+ Tenant: ${var.tenant}
+ Tenant_ID: ${var.tenant_id}
+spec:
+ destination:
+ namespace: ${var.tenant_tier}-${var.tenant}
+ server: 'https://kubernetes.default.svc'
+ source:
+ path: onboarded-tenants/bridge/application/auth0
+ repoURL: 'https://${data.aws_ssm_parameter.github_user.value}@github.com/${data.aws_ssm_parameter.github_repo.value}.git'
+ targetRevision: main
+ helm:
+ valueFiles:
+ - ${var.tenant}-values.yaml
+ project: default
+ syncPolicy:
+ syncOptions:
+ - ApplyOutOfSyncOnly=true
+ retry:
+ limit: 2
+ backoff:
+ duration: 5s
+ maxDuration: 3m0s
+ factor: 2
+ automated:
+ prune: false
+ selfHeal: true
+ EOT
+ filename = "${path.module}/argocd-application.yaml"
+}
 #######################################################################################
 ## Register Pooled Terraform Workflow on Argo
 #######################################################################################
diff --git a/files/tenant-samples/bridge/terraform/pool-infra/tfvariables.txt b/files/tenant-samples/bridge/terraform/pool-infra/tfvariables.txt
index 0e4121f5..cd54794c 100644
--- a/files/tenant-samples/bridge/terraform/pool-infra/tfvariables.txt
+++ b/files/tenant-samples/bridge/terraform/pool-infra/tfvariables.txt
@@ -15,4 +15,5 @@ jwt_issuer = "${TF_VAR_jwt_issuer}"
 tenant_client_id = "${TF_VAR_tenant_client_id}"
 tenant_client_secret = "${TF_VAR_tenant_client_secret}"
 alb_url = "${TF_VAR_alb_url}"
-tenant_tier = "${TF_VAR_tenant_tier}"
\ No newline at end of file
+tenant_tier = "${TF_VAR_tenant_tier}"
+IdP = "${TF_VAR_IdP}"
\ No newline at end of file 
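Review bot: `auth0_argocd_application` is a line-for-line copy of `cognito_argocd_application` whose only difference is `path: onboarded-tenants/bridge/application/auth0`, and both write the same `${path.module}/argocd-application.yaml`. One resource without `count` and with `path: onboarded-tenants/bridge/application/${var.IdP}` yields the identical manifest for either provider and removes a second heredoc that has to be kept in sync by hand. The `repoURL` embeds `${data.aws_ssm_parameter.github_user.value}` into a manifest that is written to disk and applied with kubectl; if that parameter holds a token rather than a plain username, it becomes readable by anyone who can read Application objects in `argocd`, which I cannot confirm from this hunk.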
diff --git a/files/tenant-samples/bridge/terraform/pool-infra/variables.tf b/files/tenant-samples/bridge/terraform/pool-infra/variables.tf
index 1f816a46..5257f782 100644
--- a/files/tenant-samples/bridge/terraform/pool-infra/variables.tf
+++ b/files/tenant-samples/bridge/terraform/pool-infra/variables.tf
@@ -16,6 +16,16 @@ variable "namespace" {
 description = "Namespace for the resources."
 }
+variable "IdP" {
+ type = string
+ description = "Tenant Identity Provider"
+ default = "cognito"
+ validation {
+ condition = contains(["cognito", "auth0", "keycloak"], var.IdP)
+ error_message = "The idp must be either 'cognito', 'auth0', or 'keycloak'."
+ }
+}
+
 variable "tenant_tier" {
 type = string
 description = "Tenant Tier"
diff --git a/files/tenant-samples/bridge/terraform/push-values.sh b/files/tenant-samples/bridge/terraform/push-values.sh
index 5fc3f06d..cd69c809 100644
--- a/files/tenant-samples/bridge/terraform/push-values.sh
+++ b/files/tenant-samples/bridge/terraform/push-values.sh 
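Review bot: The validation accepts `"keycloak"`, but every `count` guard this commit adds (`data.tf`, `eks.tf`, the `local_file` resources) tests only for `"cognito"` or `"auth0"`, so a keycloak tenant applies cleanly with no values file and no ArgoCD Application, and the pipeline's `kubectl apply -f argocd-application.yaml ... || true` hides the gap. Until a keycloak path exists, `condition = contains(["cognito", "auth0"], var.IdP)` (with the message adjusted to match) fails fast at plan time. The identical block is added to `bridge/terraform/variables.tf` in a later hunk; the two copies should stay in step, so it is worth a comment on each pointing at the other.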
@@ -43,12 +43,23 @@ git clone "${GITHUB_REPO_URL}" || { echo "Failed to clone GitHub repository"; ex
 cd "${NAMESPACE}-saas-management-repository" || { echo "Failed to change directory to cloned repository"; exit 1; }
 # Copy tenant values.yaml to silo directory
-if [ -d "../output" ]; then
- cp -r ../output/* onboarded-tenants/bridge/application/ || { echo "Failed to copy files"; exit 1; }
+# if [ -d "../output" ]; then
+# cp -r ../output/* onboarded-tenants/bridge/application/ || { echo "Failed to copy files"; exit 1; }
+# else
+# echo "'output' folder does not exist. Skipping file copy."
+# fi
+
+if [ -d "../output/cognito" ]; then
+ cp -r ../output/cognito/* onboarded-tenants/bridge/application/cognito/ || { echo "Failed to copy cognito files"; exit 1; }
 else
- echo "'output' folder does not exist. Skipping file copy."
+ echo "'cognito' folder does not exist. Skipping cognito file copy."
 fi
+if [ -d "../output/auth0" ]; then
+ cp -r ../output/auth0/* onboarded-tenants/bridge/application/auth0/ || { echo "Failed to copy auth0 files"; exit 1; }
+else
+ echo "'auth0' folder does not exist. Skipping auth0 file copy."
+fi
 # Copy tenant specific tfvars and config file to repository
 cp -r ../*.tfvars onboarded-tenants/bridge/infra/terraform/ || { echo "Failed to copy files"; exit 1; }
diff --git a/files/tenant-samples/bridge/terraform/tfvariables.txt b/files/tenant-samples/bridge/terraform/tfvariables.txt
index b2a18540..1908a0a1 100644
--- a/files/tenant-samples/bridge/terraform/tfvariables.txt
+++ b/files/tenant-samples/bridge/terraform/tfvariables.txt
@@ -17,6 +17,7 @@ alb_url = "${TF_VAR_alb_url}"
 user_callback_secret = "${TF_VAR_user_callback_secret}"
 rds_instance_allocated_storage = "${TF_VAR_rds_instance_allocated_storage}"
 tenant_tier = "${TF_VAR_tenant_tier}"
+IdP = "${TF_VAR_IdP}"
diff --git a/files/tenant-samples/bridge/terraform/variables.tf b/files/tenant-samples/bridge/terraform/variables.tf
index 95e34407..a31b56eb 100644 
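Review bot: The old `if [ -d "../output" ]` block is kept as five commented-out lines instead of being deleted; git history already preserves it, and dead shell in a pipeline script is the kind of thing that gets uncommented by accident. The two live blocks differ only in the provider name, so a loop over `cognito auth0` expresses the same behaviour once and is where a third provider would be added. `cp -r ... onboarded-tenants/bridge/application/${idp}/` still requires the destination directory to already exist in the cloned repo, which the script does not check (unchanged from before).
```bash
# Copy tenant values.yaml to the provider-specific directory
for idp in cognito auth0; do
  if [ -d "../output/${idp}" ]; then
    cp -r "../output/${idp}/"* "onboarded-tenants/bridge/application/${idp}/" || { echo "Failed to copy ${idp} files"; exit 1; }
  else
    echo "'${idp}' folder does not exist. Skipping ${idp} file copy."
  fi
done
# … unchanged: tfvars and config copy …
```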
--- a/files/tenant-samples/bridge/terraform/variables.tf
+++ b/files/tenant-samples/bridge/terraform/variables.tf
@@ -26,6 +26,16 @@ variable "tenant_id" {
 description = "Tenat unique ID"
 }
+variable "IdP" {
+ type = string
+ description = "Tenant Identity Provider"
+ default = "cognito"
+ validation {
+ condition = contains(["cognito", "auth0", "keycloak"], var.IdP)
+ error_message = "The idp must be either 'cognito', 'auth0', or 'keycloak'."
+ }
+}
+
 variable "domain_name" {
 description = "Enter Defeault Redirect URL"
 type = string
diff --git a/files/tenant-samples/pooled/buildspec.yaml b/files/tenant-samples/pooled/buildspec.yaml
index 7e849965..93db3116 100644
--- a/files/tenant-samples/pooled/buildspec.yaml
+++ b/files/tenant-samples/pooled/buildspec.yaml
@@ -45,6 +45,8 @@ phases:
 - export TENANT_ADMIN_EMAIL=$(echo $tenant | jq -r '.contacts[] | select(.isPrimary == true) | .email')
 - export USERNAME=$(echo $tenant | jq -r '.key')
 - export KEY=$(echo $tenant | jq -r '.key')
+ - export IdP=$(echo $tenant | jq -r '.identityProvider')
+ #- export IdP="cognito"
 - export TIER=$(echo "${tier}" | tr '[:upper:]' '[:lower:]')
 # Webhook Envs
@@ -75,6 +77,7 @@ phases:
 - export TF_VAR_karpenter_role="${KARPENTER_ROLE}"
 - export TF_VAR_tenant_host_domain="${KEY}.${DOMAIN_NAME}"
 - export TF_VAR_jwt_issuer="${KEY}"
+ - export TF_VAR_IdP="${IdP}"
 - export TF_VAR_tenant_client_id="${KEY}"-$(echo "$TENANT_ID" | cut -c 10-)-"${TENANT_CLIENT_ID}"
 - export TF_VAR_tenant_client_secret=$(echo "$TENANT_ID" | cut -c 10-)-"${TENANT_CLIENT_SECRET}"
 - export ALB_DNS=$(aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application`] | [0].DNSName' --output text) 
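Review bot: `jq -r '.identityProvider'` prints the literal string `null` when the tenant payload has no `identityProvider` key, and that string is exported into `TF_VAR_IdP` in the next hunk, where it fails the `IdP` variable validation instead of falling back to the declared `cognito` default. `- export IdP=$(echo $tenant | jq -r '.identityProvider // "cognito"')` applies the default at the source and keeps existing tenant records working. The `#- export IdP="cognito"` line reads as a leftover local override and should be removed rather than shipped commented out.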
@@ -117,7 +120,7 @@ phases:
 - kubectl apply -f ${TIER}-argo-workflow.yaml --namespace argo-workflows || true
 - kubectl apply -f argocd-application.yaml --namespace argocd || true
 - sleep 240 # waiting time to spin up tenant pods
- - terraform apply -auto-approve --refresh=false # refresh is false to avoid unnecessary API hitting
+ #- terraform apply -auto-approve --refresh=false # refresh is false to avoid unnecessary API hitting
 - kubectl apply -f argo-workflow.yaml --namespace argo-workflows || true
 finally:
diff --git a/files/tenant-samples/silo/tenant-helm-chart/.helmignore b/files/tenant-samples/pooled/tenant-helm-chart/auth0/.helmignore
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/.helmignore
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/.helmignore
diff --git a/files/tenant-samples/silo/tenant-helm-chart/Chart.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/Chart.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/Chart.yaml
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/Chart.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/README.md b/files/tenant-samples/pooled/tenant-helm-chart/auth0/README.md
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/README.md
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/README.md
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/_helpers.tpl b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/_helpers.tpl
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/_helpers.tpl
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/_helpers.tpl 
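Review bot: The second `terraform apply -auto-approve --refresh=false` is disabled by commenting it out with no note on why, while the `sleep 240` that existed to wait for the tenant pods before that apply is kept. If the second apply is no longer needed, delete the line and, if the sleep only served it, the sleep too; if it is temporarily disabled, say so on the line, e.g. `# second apply disabled: <reason> (<tracking-id>)`, so the next reader does not have to guess whether re-enabling it is safe.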
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml
new file mode 100644
index 00000000..a04c99e0
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml 
@@ -0,0 +1,249 @@
+{{- if .Values.authenticationService.enabled }}
+---
+#Deployment
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "helm.fullname" . }}-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ replicas: {{ .Values.authenticationService.replicaCount }}
+ strategy:
+ type: {{ .Values.strategy.type }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.strategy.maxUnavailable }}
+ maxSurge: {{ .Values.strategy.maxSurge }}
+ selector:
+ matchLabels:
+ app: {{ include "helm.fullname" . }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/cm-authentication-service.yaml") . | sha256sum }}
+ prometheus.io/path: {{ .Values.app.basePath }}/authentication-service/obf/metrics
+{{- if .Values.extraAnnotations }}
+{{ toYaml .Values.extraAnnotations | indent 8 }}
+{{- end }}
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: authentication-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+ spec:
+ serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }}
+ containers:
+ - imagePullPolicy: {{ .Values.authenticationService.pullPolicy }}
+ resources:
+ {{- toYaml .Values.authenticationService.resources | nindent 12 }}
+{{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/authentication-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/authentication-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ failureThreshold: {{ 
.Values.readinessProbe.failureThreshold }}
+{{- end }}
+ name: {{ include "helm.fullname" . }}-authentication-service
+ image: {{ .Values.authenticationService.repository }}:{{ .Values.authenticationService.tag }}
+ volumeMounts:
+ - name: my-api-token
+ mountPath: /mnt/api-token
+ readOnly: true
+ envFrom:
+ - configMapRef:
+ name: {{ include "helm.fullname" . }}-cm-authentication-service
+ env:
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: AUTHENTICATION_SERVICE_DB_DATABASE
+ - name: DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: FEATURE_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: FEATURE_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: FEATURE_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: FEATURE_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: FEATURE_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: FEATURE_DB_DATABASE
+ - name: FEATURE_DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: REDIS_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_PORT
+ - name: REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PASSWORD
+ value: ""
+ - name: REDIS_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_DATABASE
+ - name: JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_SECRET
+ - name: JWT_ISSUER
+ valueFrom:
+ 
secretKeyRef:
+ name: api-token
+ key: JWT_ISSUER
+ - name: AUTH0_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: AUTH0_CLIENT_SECRET
+{{- if .Values.imagePullSecret.enabled }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecret.name }}
+{{- end }}
+
+ nodeSelector:
+ pooled-node: {{ .Values.tier }}
+{{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ volumes:
+ - name: my-api-token
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets
+{{- with .Values.authenticationService.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+
+---
+#HPA
+
+{{- if .Values.authenticationService.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "helm.fullname" . }}-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: authentication-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "helm.fullname" . }}-authentication-service
+ minReplicas: {{ .Values.authenticationService.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.authenticationService.autoscaling.maxReplicas }}
+ metrics:
+ {{- with .Values.authenticationService.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
+ {{- with .Values.authenticationService.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: AverageValue
+ averageValue: {{ . }}
+ {{- end }}
+{{- end }}
+---
+#Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "helm.fullname" . }}-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . 
}}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ type: {{ .Values.authenticationService.service.type }}
+ ports:
+ - port: {{ .Values.authenticationService.service.port }}
+ targetPort: {{ .Values.authenticationService.service.targetPort }}
+ protocol: {{ .Values.authenticationService.service.protocol }}
+ name: web
+ selector:
+ app: {{ include "helm.fullname" . }}
+ component: authentication-service
+---
+{{- end }}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/authorization-policy.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/authorization-policy.yaml
new file mode 100644
index 00000000..ebb14452
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/authorization-policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: deny-traffic-from-cross-namespace
+ namespace: {{ .Values.namespace }}
+ labels:
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: ["{{ .Values.namespace }}","kube-system","prometheus-node-exporter", "adot-collector-kubeprometheus","istio-system","karpenter","kubecost", "kuberhealthy", "argocd", "argo-workflows"]
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml
new file mode 100644
index 00000000..a1cfd761
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml 
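Review bot: `spec.selector.matchLabels` selects on `app: {{ include "helm.fullname" . }}` alone, while the pod template also carries `component: authentication-service`; every Deployment in this chart uses the same `app` value (the feature-service and frontend Deployments below are written the same way), so the Deployments have overlapping selectors, which the Kubernetes docs warn can make the controllers conflict. Adding `component: authentication-service` under `matchLabels` scopes each Deployment to its own pods; the Service selector already does exactly this. The container also has no `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are the usual baseline for a workload holding the JWT and Auth0 client secrets from `api-token`. The same two points apply to `feature-service-deployment.yaml` and `frontend-service-deployment.yaml` further down in this diff.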
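Review bot: `source.namespaces` is derived from the peer certificate, so this `ALLOW` rule can only match callers that arrive over mTLS; unless a `PeerAuthentication` with `mode: STRICT` covers `{{ .Values.namespace }}` (not part of this chart as far as the diff shows), plaintext requests match no rule and are denied, and pods without a sidecar are not covered at all. The name `deny-traffic-from-cross-namespace` describes the intent, but the resource is `action: ALLOW` with no `selector`, so it applies to every workload in the namespace; a comment such as `# ALLOW with no selector: any request whose source namespace is not listed is denied, for all workloads in this namespace` would spare the next reader the inference. The eleven-entry flow list would be easier to review and diff as a block sequence.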
@@ -0,0 +1,19 @@
+{{- if .Values.authenticationService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.authenticationService.port }}'
+ NODE_ENV: '{{ .Values.authenticationService.node_env }}'
+ LOG_LEVEL: '{{ .Values.authenticationService.log_level }}'
+ BASE_PATH: '{{ .Values.authenticationService.base_path }}'
+ DB_SSL: '{{ .Values.authenticationService.db_ssl }}'
+ AUTH0_DOMAIN: "dev-db7dz4wg6ccbguer.us.auth0.com"
+ AUTH0_CLIENT_ID: "pluqd6RqaLilAn7p1kUFkNo20bxuwUK5"
+ AUTH0_CALLBACK_URL: "https://{{ .Values.hostname }}/authentication-service/auth/auth0-auth-redirect"
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-feature-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-feature-service.yaml
new file mode 100644
index 00000000..f6f18490
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-feature-service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.featureService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-feature-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.featureService.port }}'
+ NODE_ENV: '{{ .Values.featureService.node_env }}'
+ LOG_LEVEL: '{{ .Values.featureService.log_level }}'
+ BASE_PATH: '{{ .Values.featureService.base_path }}'
+ DB_SSL: '{{ .Values.featureService.db_ssl }}'
+ USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'
+ TIMESTAMP_TOLERANCE: '{{ .Values.featureService.timestamp_tolerance}}'
+ ADMIN_USER_TENANT_ID: '{{ .Values.adminUserTenantId }}'
+{{- end}}
\ No newline at end of file 
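Review bot: `AUTH0_DOMAIN` and `AUTH0_CLIENT_ID` are hard-coded literals in a chart template (`dev-...us.auth0.com` reads as a development tenant), while the control-plane config maps in this same commit take them from values (`.Values.tenantMgmtService.auth0_domain`, `auth0_client_id`); every tenant rendered from this chart, in every environment, will point at that single Auth0 tenant. Move them to values, `AUTH0_DOMAIN: '{{ .Values.authenticationService.auth0_domain }}'` and `AUTH0_CLIENT_ID: '{{ .Values.authenticationService.auth0_client_id }}'`, so the `auth0/values.yaml.template` rendered in `eks.tf` can supply them per environment. The mixed single and double quoting within `data` is cosmetic but worth aligning with the other entries.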
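Review bot: `USER_CALLBACK_SECRET` is rendered into a ConfigMap, readable by any principal with `get configmaps` in the namespace, while the deployments in this chart already pull their secrets from the `api-token` Secret synced by the SecretProviderClass. Delivering it there and referencing it with a `secretKeyRef`, as `JWT_SECRET` is, keeps it under Secret RBAC; the value also travels through the `USER_CALLBACK_SECRET` template var in `eks.tf`, so the values file is a second place it would no longer need to appear. `{{ .Values.featureService.timestamp_tolerance}}` is missing the space before `}}` that every other expression in the file has.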
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/cm-frontend-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-frontend-service.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/cm-frontend-service.yaml
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-frontend-service.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/cm-notification-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-notification-service.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/cm-notification-service.yaml
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-notification-service.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/cm-user-tenant-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-user-tenant-service.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/cm-user-tenant-service.yaml
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-user-tenant-service.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/cm-video-confrencing-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-video-confrencing-service.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/cm-video-confrencing-service.yaml
rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/cm-video-confrencing-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/feature-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/feature-service-deployment.yaml
new file mode 100644
index 00000000..abaaa2d9
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/feature-service-deployment.yaml 
@@ -0,0 +1,244 @@
+{{- if .Values.featureService.enabled }}
+---
+#Deployment
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "helm.fullname" . }}-feature-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ replicas: {{ .Values.featureService.replicaCount }}
+ strategy:
+ type: {{ .Values.strategy.type }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.strategy.maxUnavailable }}
+ maxSurge: {{ .Values.strategy.maxSurge }}
+ selector:
+ matchLabels:
+ app: {{ include "helm.fullname" . }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/cm-feature-service.yaml") . | sha256sum }}
+ prometheus.io/path: {{ .Values.app.basePath }}/feature-service/obf/metrics
+{{- if .Values.extraAnnotations }}
+{{ toYaml .Values.extraAnnotations | indent 8 }}
+{{- end }}
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: feature-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+ spec:
+ serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }}
+ containers:
+ - imagePullPolicy: {{ .Values.featureService.pullPolicy }}
+ resources:
+ {{- toYaml .Values.featureService.resources | nindent 12 }}
+{{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/feature-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/feature-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+{{- end }}
+ name: {{ include "helm.fullname" . 
}}-feature-service
+ image: {{ .Values.featureService.repository }}:{{ .Values.featureService.tag }}
+ volumeMounts:
+ - name: my-api-token
+ mountPath: /mnt/api-token
+ readOnly: true
+ envFrom:
+ - configMapRef:
+ name: {{ include "helm.fullname" . }}-cm-feature-service
+ env:
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: FEATURE_DB_DATABASE
+ - name: DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: FEATURE_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: FEATURE_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: FEATURE_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: FEATURE_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: FEATURE_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: FEATURE_DB_DATABASE
+ - name: FEATURE_DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: REDIS_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_PORT
+ - name: REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PASSWORD
+ value: ""
+ - name: REDIS_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_DATABASE
+ - name: JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_SECRET
+ - name: JWT_ISSUER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_ISSUER
+{{- if .Values.imagePullSecret.enabled }}
+ imagePullSecrets:
+ - name: {{ 
.Values.imagePullSecret.name }}
+{{- end }}
+
+ nodeSelector:
+ pooled-node: {{ .Values.tier }}
+{{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ volumes:
+ - name: my-api-token
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets
+{{- with .Values.featureService.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+
+---
+#HPA
+
+{{- if .Values.featureService.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "helm.fullname" . }}-feature-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: feature-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "helm.fullname" . }}-feature-service
+ minReplicas: {{ .Values.featureService.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.featureService.autoscaling.maxReplicas }}
+ metrics:
+ {{- with .Values.featureService.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
+ {{- with .Values.featureService.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: AverageValue
+ averageValue: {{ . }}
+ {{- end }}
+{{- end }}
+---
+#Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "helm.fullname" . }}-feature-service
+ labels:
+ app: {{ include "helm.fullname" . 
}}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ type: {{ .Values.featureService.service.type }}
+ ports:
+ - port: {{ .Values.featureService.service.port }}
+ targetPort: {{ .Values.featureService.service.targetPort }}
+ protocol: {{ .Values.featureService.service.protocol }}
+ name: web
+ selector:
+ app: {{ include "helm.fullname" . }}
+ component: feature-service
+---
+{{- end }}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/frontend-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/frontend-service-deployment.yaml
new file mode 100644
index 00000000..b4fd696f
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/frontend-service-deployment.yaml 
@@ -0,0 +1,129 @@ +--- +#Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-frontend + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.frontend.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-frontend-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/frontend/obf/metrics +{{- if .Values.frontend.extraAnnotations }} +{{ toYaml .Values.frontend.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: frontend + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.frontend.pullPolicy }} + resources: + {{- toYaml .Values.frontend.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/frontend + port: 80 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/frontend + port: 80 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . 
}}-frontend + image: {{ .Values.frontend.repository }}:{{ .Values.frontend.tag }} + ports: + - containerPort: 80 + volumeMounts: + - name: env-var + mountPath: /usr/share/nginx/html/config.json + subPath: config.json + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + env: + - name: pubnubPublishKey + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_PUB_KEY + - name: pubnubSubscribeKey + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_SUB_KEY +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + pooled-node: {{ .Values.tier }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: env-var + configMap: + name: {{ include "helm.fullname" . }}-cm-frontend + items: + - key: env + path: config.json + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.frontend.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-frontend + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.frontend.Service.type }} + ports: + - port: {{ .Values.frontend.Service.port }} + targetPort: {{ .Values.frontend.Service.targetPort }} + protocol: {{ .Values.frontend.Service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: frontend +--- \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/gateway.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/gateway.yaml new file mode 100644 index 00000000..b534262f --- /dev/null 
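Review bot: The frontend pod mounts the entire `my-api-token` SecretProviderClass volume at `/mnt/api-token` although the only secret material the container reads is the two PubNub keys via `secretKeyRef`; with this driver the sync into the `api-token` Secret needs some pod in the namespace to mount the class, but that pod does not have to be the internet-facing nginx, so the database, JWT and Auth0 values land on this container's filesystem for no functional reason. Consider removing the `my-api-token` volume and volumeMount from this Deployment if another workload in the chart already mounts the class, or add a comment stating why the static frontend needs it. Separately, `.Values.frontend.Service.type` (capital S) differs from the lowercase `service` key the other deployments read; values.yaml.template matches it, so it works, but it is an easy trap when copying blocks between templates.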
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/gateway.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + labels: + app: {{ include "helm.name" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - {{ .Values.hostname }} \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml new file mode 100644 index 00000000..81f2dbcc --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml 
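Review bot: The Gateway declares a single HTTP server on port 80 with no HTTPS server or `tls` section, while the migration job in this commit builds `REDIRECT_URL` as `https://{{ .Values.hostname }}…`, so the chart presumably relies on TLS being terminated somewhere in front of the Istio ingress gateway. That assumption is not recorded anywhere in the template; add a comment such as `# TLS is expected to terminate at the load balancer in front of istio-ingressgateway; add an HTTPS server (tls.mode: SIMPLE) if this gateway is reached directly`, or add the HTTPS server so tokens and session cookies are not accepted over plaintext when the gateway is exposed directly. The host entry `- {{ .Values.hostname }}` is unquoted; quoting it as `- "{{ .Values.hostname }}"` avoids a null list entry when the value is unset.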
@@ -0,0 +1,164 @@ +{{- if .Values.migrationJob.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ template "helm.fullname" . }}-migration-job" + annotations: + argocd.argoproj.io/hook: PostSync +spec: + backoffLimit: 20 + activeDeadlineSeconds: 600 + ttlSecondsAfterFinished: 3600 + parallelism: 1 + completions: 1 + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets + restartPolicy: 'OnFailure' + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} + containers: + - name: init + image: {{ .Values.migrationJob.repository }}:{{ .Values.migrationJob.tag }} + imagePullPolicy: {{ .Values.migrationJob.pullPolicy }} + resources: +{{ toYaml .Values.migrationJob.resources | indent 10 }} + command: ["/bin/sh", "-c"] + args: ["cd packages/migrations; npm run db:migrate"] + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + env: + - name: AUTH_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: AUTH_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: AUTH_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: AUTH_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: AUTH_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: AUTHENTICATION_SERVICE_DB_DATABASE + - name: FEATURE_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: FEATURE_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: FEATURE_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: FEATURE_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: 
FEATURE_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: FEATURE_DB_DATABASE + - name: NOTIF_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: NOTIF_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: NOTIF_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: NOTIF_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: NOTIF_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: NOTIFICATION_SERVICE_DB_DATABASE + - name: VIDEO_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: VIDEO_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: VIDEO_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: VIDEO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: VIDEO_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE + + - name: TENANT_NAME + value: {{ .Values.tenantName }} + - name: TENANT_KEY + value: {{ .Values.tenantKey }} + - name: SECRET + value: {{ .Values.tenantSecret }} + - name: TENANT_EMAIL + value: {{ .Values.tenantEmail }} + - name: CLIENT_ID + value: {{ .Values.clientId }} + - name: CLIENT_SECRET + value: {{ .Values.publicKey }} + - name: ADMIN_USER_TENANT_ID + value: {{ .Values.adminUserTenantId }} + - name: REDIRECT_URL + value: "https://{{ .Values.hostname }}{{ .Values.frontend.home_path }}" + # - name: USERNAME + # value: {{ .Values.cognitoUser }} + # - name: USER_SUB + # value: {{ .Values.cognitoSub }} +{{- end }} \ No newline at end of file 
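Review bot: `CLIENT_SECRET` is populated from `{{ .Values.publicKey }}` while the neighbouring `CLIENT_ID` comes from `.Values.clientId`, which reads like a copy-paste slip; if this is meant to be the Auth0 client secret, that value is already synced into the `api-token` Secret under `AUTH0_CLIENT_SECRET` by secret-provider-class-and-sa.yaml in this commit and the job mounts that volume, so it can be read with `secretKeyRef` like the database credentials above instead of being passed through values.yaml. The same applies to `SECRET` and `TENANT_KEY`, which arrive as plain `value:` entries from values. All of the `value: {{ .Values.… }}` lines are unquoted, so a value that YAML types as a number or boolean renders as a non-string and the Job is rejected by the API server, since `env[].value` must be a string; write them as `value: "{{ .Values.tenantName }}"`. Also, `imagePullSecrets` is unconditional here whereas every Deployment in the chart gates it on `.Values.imagePullSecret.enabled`.
```yaml
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: api-token
              key: AUTH0_CLIENT_SECRET
        # … unchanged: ADMIN_USER_TENANT_ID, REDIRECT_URL …
```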
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/imagePullSecret.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/imagePullSecret.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/imagePullSecret.yaml rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/imagePullSecret.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/kuberhealhty-http-checker.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/kuberhealthy-http-checker.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/kuberhealhty-http-checker.yaml rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/kuberhealthy-http-checker.yaml diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/notification-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/notification-service-deployment.yaml new file mode 100644 index 00000000..6de67db6 --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/notification-service-deployment.yaml 
@@ -0,0 +1,229 @@ +{{- if .Values.notificationService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-notification-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.notificationService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-notification-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/notification-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: notification-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.notificationService.pullPolicy }} + resources: + {{- toYaml .Values.notificationService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/notification-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/notification-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 
+{{- end }} + name: {{ include "helm.fullname" . }}-notification-service + image: {{ .Values.notificationService.repository }}:{{ .Values.notificationService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-notification-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: NOTIFICATION_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER + - name: PUBNUB_PUBLISH_KEY + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_PUB_KEY + - name: PUBNUB_SUBSCRIBE_KEY + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_SUB_KEY + - name: PUBNUB_SECRET_KEY + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_SECRET_KEY +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + pooled-node: {{ .Values.tier }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . 
| indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.notificationService.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.notificationService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-notification-service + labels: + app: {{ include "helm.fullname" . }} + component: notification-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-notification-service + minReplicas: {{ .Values.notificationService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.notificationService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.notificationService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.notificationService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-notification-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.notificationService.service.type }} + ports: + - port: {{ .Values.notificationService.service.port }} + targetPort: {{ .Values.notificationService.service.targetPort }} + protocol: {{ .Values.notificationService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . 
}} + component: notification-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/provisioner.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/provisioner.yaml similarity index 97% rename from files/tenant-samples/pooled/tenant-helm-chart/templates/provisioner.yaml rename to files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/provisioner.yaml index 49843c8a..69004de9 100644 --- a/files/tenant-samples/pooled/tenant-helm-chart/templates/provisioner.yaml +++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/provisioner.yaml @@ -54,6 +54,7 @@ spec: "aws:eks:cluster-name": {{ .Values.eksClusterName }} tags: Tenant: "pooled" + Project: {{ .Values.project }} diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml new file mode 100644 index 00000000..2cdefeff --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml 
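Review bot: The HPA memory metric is emitted as `type: AverageValue` / `averageValue: {{ . }}` from `.Values.notificationService.autoscaling.targetMemoryUtilizationPercentage`, so a percentage such as 80 is interpreted as 80 bytes of average memory per pod and the autoscaler scales straight to `maxReplicas`; the CPU metric beside it correctly uses `type: Utilization` / `averageUtilization`. The same block is repeated in the user-tenant-service, video-conferencing-service and feature-service deployments of this commit, so fix all of them: `type: Utilization` and `averageUtilization: {{ . }}` under the memory target. Separately, `REDIS_PASSWORD` is hard-coded to `""` and `REDIS_URL` is fed from the `REDIS_HOST` key, which means the service talks to an unauthenticated Redis unless the URL form carries credentials elsewhere; if that is intentional, a comment saying so would save the next reader a question, and the same pattern appears in the two sibling service deployments.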
@@ -0,0 +1,123 @@ +--- +#namespace specific service account for +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + labels: + {{- include "helm.labels" . | nindent 4 }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.arn }} + +--- +#custom resource to fetch the secrets from paramter store +apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +kind: SecretProviderClass +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets + labels: + {{- include "helm.labels" . | nindent 4 }} +spec: + provider: aws + secretObjects: + - secretName: api-token + type: Opaque + data: + - objectName: db_host + key: DB_HOST + - objectName: db_port + key: DB_PORT + - objectName: db_user + key: DB_USER + - objectName: db_password + key: DB_PASSWORD + - objectName: db_schema + key: DB_SCHEMA + - objectName: redis_host + key: REDIS_HOST + - objectName: redis_port + key: REDIS_PORT + - objectName: redis_database + key: REDIS_DATABASE + - objectName: jwt_secret + key: JWT_SECRET + - objectName: jwt_issuer + key: JWT_ISSUER + - objectName: authentication_service_db_database + key: AUTHENTICATION_SERVICE_DB_DATABASE + - objectName: feature_db_database + key: FEATURE_DB_DATABASE + - objectName: video_confrencing_service_db_database + key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE + - objectName: notification_service_db_database + key: NOTIFICATION_SERVICE_DB_DATABASE + - objectName: vonage-api-key-secret + key: VONAGE_API_KEY_SECRET + - objectName: pubnub-pub-key + key: PUBNUB_PUB_KEY + - objectName: pubnub-sub-key + key: PUBNUB_SUB_KEY + - objectName: pubnub-secret-key + key: PUBNUB_SECRET_KEY + - objectName: auth0-client-secret + key: AUTH0_CLIENT_SECRET + parameters: +# region: us-west-2 + objects: | + - objectName: {{ .Values.dbhost }} + objectType: ssmparameter + objectAlias: db_host + - objectName: {{ .Values.dbport }} + objectType: ssmparameter + objectAlias: db_port + - objectName: {{ .Values.dbuser }} + objectType: 
ssmparameter + objectAlias: db_user + - objectName: {{ .Values.dbpassword }} + objectType: ssmparameter + objectAlias: db_password + - objectName: {{ .Values.dbschema }} + objectType: ssmparameter + objectAlias: db_schema + - objectName: {{ .Values.redishost }} + objectType: ssmparameter + objectAlias: redis_host + - objectName: {{ .Values.redisport }} + objectType: ssmparameter + objectAlias: redis_port + - objectName: {{ .Values.redisdatabase }} + objectType: ssmparameter + objectAlias: redis_database + - objectName: {{ .Values.jwtsecret }} + objectType: ssmparameter + objectAlias: jwt_secret + - objectName: {{ .Values.jwtissuer }} + objectType: ssmparameter + objectAlias: jwt_issuer + - objectName: {{ .Values.authenticationdbdatabase }} + objectType: ssmparameter + objectAlias: authentication_service_db_database + - objectName: {{ .Values.featuredbdatabase }} + objectType: ssmparameter + objectAlias: feature_db_database + - objectName: {{ .Values.notificationdbdatabase }} + objectType: ssmparameter + objectAlias: notification_service_db_database + - objectName: {{ .Values.videoconfrencingdbdatabase }} + objectType: ssmparameter + objectAlias: video_confrencing_service_db_database + - objectName: {{ .Values.vonageSecret }} + objectType: ssmparameter + objectAlias: vonage-api-key-secret + - objectName: {{ .Values.pubnubPubKey }} + objectType: ssmparameter + objectAlias: pubnub-pub-key + - objectName: {{ .Values.pubnubSubKey }} + objectType: ssmparameter + objectAlias: pubnub-sub-key + - objectName: {{ .Values.pubnubSecretKey }} + objectType: ssmparameter + objectAlias: pubnub-secret-key + - objectName: {{ .Values.auth0ClientSecret }} + objectType: ssmparameter + objectAlias: auth0-client-secret \ No newline at end of file 
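Review bot: `apiVersion: secrets-store.csi.x-k8s.io/v1alpha1` is the pre-GA SecretProviderClass API; the driver has served `secrets-store.csi.x-k8s.io/v1` since its 1.0 release and v1alpha1 is deprecated, so prefer `apiVersion: secrets-store.csi.x-k8s.io/v1` unless the target cluster pins an old driver. The `secretObjects` block also mirrors every parameter, including `db_password`, `jwt_secret` and `auth0-client-secret`, into a single Kubernetes Secret `api-token` that every Deployment in this chart mounts through the one shared ServiceAccount, so any principal with `get secrets` in the namespace, or any compromised pod, gets the complete credential set at once; consider per-service Secrets, or at least note the intended RBAC boundary in a comment. The leading comment `#namespace specific service account for` is cut off mid-sentence.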
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml new file mode 100644 index 00000000..aa8a3a07 --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml 
@@ -0,0 +1,214 @@ +{{- if .Values.userTenantService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.userTenantService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-user-tenant-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/user-tenant-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: user-tenant-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.userTenantService.pullPolicy }} + resources: + {{- toYaml .Values.userTenantService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/user-tenant-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/user-tenant-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + 
name: {{ include "helm.fullname" . }}-user-tenant-service + image: {{ .Values.userTenantService.repository }}:{{ .Values.userTenantService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-user-tenant-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: AUTHENTICATION_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + pooled-node: {{ .Values.tier }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.userTenantService.affinity }} + affinity: +{{ toYaml . 
| indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.userTenantService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + component: user-tenant-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-user-tenant-service + minReplicas: {{ .Values.userTenantService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.userTenantService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.userTenantService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.userTenantService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.userTenantService.service.type }} + ports: + - port: {{ .Values.userTenantService.service.port }} + targetPort: {{ .Values.userTenantService.service.targetPort }} + protocol: {{ .Values.userTenantService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: user-tenant-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/video-conferencing-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/video-conferencing-service-deployment.yaml new file mode 100644 index 00000000..4707073a --- /dev/null 
+++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/video-conferencing-service-deployment.yaml 
@@ -0,0 +1,219 @@ +{{- if .Values.videoConfrencingService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-video-confrencing-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.videoConfrencingService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-video-confrencing-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/video-confrencing-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . 
}} + component: video-confrencing-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.videoConfrencingService.pullPolicy }} + resources: + {{- toYaml .Values.videoConfrencingService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/video-confrencing-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/video-confrencing-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . }}-video-confrencing-service + image: {{ .Values.videoConfrencingService.repository }}:{{ .Values.videoConfrencingService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . 
}}-cm-video-confrencing-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER + - name: VONAGE_API_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: VONAGE_API_KEY_SECRET +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + pooled-node: {{ .Values.tier }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.videoConfrencingService.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.videoConfrencingService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . 
}}-video-confrencing-service + labels: + app: {{ include "helm.fullname" . }} + component: video-confrencing-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-video-confrencing-service + minReplicas: {{ .Values.videoConfrencingService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.videoConfrencingService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.videoConfrencingService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.videoConfrencingService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-video-confrencing-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.videoConfrencingService.service.type }} + ports: + - port: {{ .Values.videoConfrencingService.service.port }} + targetPort: {{ .Values.videoConfrencingService.service.targetPort }} + protocol: {{ .Values.videoConfrencingService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: video-confrencing-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/virtual-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/virtual-service.yaml new file mode 100644 index 00000000..f46c6b4a --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/templates/virtual-service.yaml 
@@ -0,0 +1,63 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + labels: + app: {{ include "helm.name" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + hosts: + - {{ .Values.hostname }} + gateways: + - {{ .Values.tier }}-{{ .Values.tenant }} #create gateway with name as tenant name + http: + - match: + - uri: + prefix: {{ .Values.app.basePath }}/authentication-service + route: + - destination: + host: "{{ include "helm.fullname" . }}-authentication-service" + port: + number: 3000 + - match: + - uri: + prefix: {{ .Values.app.basePath }}/feature-service + route: + - destination: + host: "{{ include "helm.fullname" . }}-feature-service" + port: + number: 3000 + - match: + - uri: + prefix: {{ .Values.app.basePath }}/notification-service + route: + - destination: + host: "{{ include "helm.fullname" . }}-notification-service" + port: + number: 3000 + - match: + - uri: + prefix: {{ .Values.app.basePath }}/user-tenant-service + route: + - destination: + host: "{{ include "helm.fullname" . }}-user-tenant-service" + port: + number: 3000 + - match: + - uri: + prefix: {{ .Values.app.basePath }}/video-confrencing-service + route: + - destination: + host: "{{ include "helm.fullname" . }}-video-confrencing-service" + port: + number: 3000 + - match: + - uri: + prefix: / + route: + - destination: + host: "{{ include "helm.fullname" . }}-frontend" + port: + number: 80 \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/auth0/values.yaml.template b/files/tenant-samples/pooled/tenant-helm-chart/auth0/values.yaml.template new file mode 100644 index 00000000..29a3532d --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/auth0/values.yaml.template 
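Review bot: `hosts` and `gateways` render unquoted templated scalars (`- {{ .Values.hostname }}`, `- {{ .Values.tier }}-{{ .Values.tenant }}`), so an empty `hostname` becomes `null` and a value beginning with a YAML indicator mis-parses at apply time instead of failing in `helm template`; quote them: `- "{{ .Values.hostname }}"` and `- "{{ .Values.tier }}-{{ .Values.tenant }}"`. The service routes use `prefix` matches, so `{{ .Values.app.basePath }}/authentication-service` also captures `/authentication-servicefoo`; if the services only serve under their exact base path, add a trailing slash or an `exact` match for the bare path. This VirtualService carries no TLS settings itself, which is correct, but the Gateway it binds to is not part of this diff, so confirm that it terminates or redirects to HTTPS, since the login and token traffic for the tenant flows through these routes.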
@@ -0,0 +1,373 @@ +# Default values for helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +strategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 +app: + url: "" + basePath: "" +livenessProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 7 +readinessProbe: + enabled: false + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + +frontend: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-ui + pullPolicy: Always + tag: "0.0.5" + log_level: "info" + home_path: "/home" + replicaCount: 1 + affinity: {} + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "2" + Service: + type: NodePort + port: 80 + targetPort: 80 + protocol: TCP + extraAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "3000" + sidecar.istio.io/inject: "false" + enabled: "1" + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 20 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + + +#Services +#featureService +featureService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-feature-toggle-service + pullPolicy: Always + tag: "0.0.2" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + timestamp_tolerance: 300 + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /feature-service + +#authenticationService +authenticationService: + enabled: true 
+ repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-authentication-service + pullPolicy: Always + tag: "0.0.3" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /authentication-service + +#notificationService +notificationService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-notification-service + pullPolicy: Always + tag: "0.0.3" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /notification-service + +#userTenantService +userTenantService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-user-tenant-service + pullPolicy: Always + tag: "0.0.4" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + 
maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /user-tenant-service + +videoConfrencingService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-video-conferencing-service + pullPolicy: Always + tag: "0.0.2" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /video-confrencing-service + +#migrationJob +migrationJob: +#enable it when correct image has been provided + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-migration + pullPolicy: Always + tag: "0.0.1" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + +##Common env's + +#Common URL'S + +imagePullSecret: +#enable it and pass the correct parameters below + enabled: false + name: regcred + registry: https://index.docker.io/v1/ + username: '' + password: '' + email: sfdevops@sourcefuse.com + +nameOverride: "" + +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +extraAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "3000" + sidecar.istio.io/inject: "true" + enabled: "1" + +nodeSelector: {} + +tolerations: + - effect: NoSchedule + key: pooled-node + operator: Equal + value: "pooled" + +affinity: {} + +#Migration Job Variable +tenantKey: ${TENANT_KEY} +tenantName: ${TENANT_NAME} +tenantSecret: ${TENANT_SECRET} +tenantID: ${TENANT_ID} +tenantEmail: ${TENANT_EMAIL} +adminUserTenantId: "b439829b-57e7-49d8-bb23-8ccb2ca56435" +#userCallbackSecret: "yugeyifgweyfgy" +userCallbackSecret: ${USER_CALLBACK_SECRET} + +# Frontend variable +clientId: ${TENANT_CLIENT_ID} +publicKey: ${TENANT_CLIENT_SECRET} + +tier: ${TIER} +namespace: ${NAMESPACE} +project: ${PROJECT} +region: ${REGION} +karpenterRoleName: ${KARPENTER_ROLE} +eksClusterName: ${EKS_CLUSTER_NAME} +hostname: ${TENANT_HOST_NAME} +tenant: ${TENANT_KEY} +arn: ${WEB_IDENTITY_ROLE_ARN} +dbhost: ${DB_HOST} +dbport: ${DB_PORT} +dbuser: ${DB_USER} +dbpassword: ${DB_PASSWORD} +dbschema: ${DB_SCHEMA} +redishost: ${REDIS_HOST} +redisport: ${REDIS_PORT} +redisdatabase: ${REDIS_DATABASE} +jwtsecret: ${JWT_SECRET} +jwtissuer: ${JWT_ISSUER} +authenticationdbdatabase: ${AUTH_DATABASE} +featuredbdatabase: ${FEATURE_DATABASE} 
+notificationdbdatabase: ${NOTIFICATION_DATABASE} +videoconfrencingdbdatabase: ${VIDEO_CONFRENCING_DATABASE} + +# pubnub config +vonageSecret: /pubnub/vonage-api-key-secret +pubnubPubKey: /pubnub/public-key +pubnubSubKey: /pubnub/subscribe-key +pubnubSecretKey: /pubnub/secret-key +auth0ClientSecret: /sf-arc-saas/dev/auth0-client-secret \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/.helmignore b/files/tenant-samples/pooled/tenant-helm-chart/cognito/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/Chart.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/Chart.yaml new file mode 100644 index 00000000..fc389922 --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/Chart.yaml 
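Review bot: `publicKey: ${TENANT_CLIENT_SECRET}` binds a value named `publicKey` to a client secret, which invites templates to treat it as non-sensitive; rename it to something like `clientSecret` and source it through the secrets provider (as `auth0ClientSecret` already is) rather than a plain values placeholder. Every service block pairs `node_env: "production"` with `db_ssl: false` and `allowed_origins: "*"`; for a production default, `db_ssl: true` and an explicit origin list (the tenant hostname) are the safer starting point, with `"*"` left to a documented override. The commented-out `#userCallbackSecret: "yugeyifgweyfgy"` looks like a real value left behind and should be deleted, and `auth0ClientSecret: /sf-arc-saas/dev/auth0-client-secret` hard-codes a `dev` SSM path while every sibling value is a `${...}` placeholder, so it should become `${AUTH0_CLIENT_SECRET_PATH}` or be derived from `${PROJECT}`. `securityContext: {}` ships with `runAsNonRoot`, `readOnlyRootFilesystem` and `capabilities.drop: [ALL]` commented out; enabling them only helps if the deployment templates actually render `.Values.securityContext`, which I could not confirm from the templates in this diff.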
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: helm +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/README.md b/files/tenant-samples/pooled/tenant-helm-chart/cognito/README.md new file mode 100644 index 00000000..524ebf64 --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/README.md @@ -0,0 +1 @@ +# ARC-SAAS Application Plane Helm \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/_helpers.tpl b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/_helpers.tpl new file mode 100644 index 00000000..69baf8f2 --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "helm.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "helm.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "helm.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "helm.labels" -}} +helm.sh/chart: {{ include "helm.chart" . }} +{{ include "helm.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "helm.selectorLabels" -}} +app: {{ include "helm.name" . }} + +{{- end }} + + +{{/* +Configuring .dockerconfigjson +*/}} +{{- define "imagePullSecret" }} +{{- with .Values.imagePullSecret }} +{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }} +{{- end }} +{{- end }} + 
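Review bot: The `imagePullSecret` helper assembles `.dockerconfigjson` with a `printf` format string, so a registry password (or username/email) containing `"` or `\` produces invalid JSON and an unusable pull secret; build the document from a `dict` and serialize it with `toJson` so every value is escaped. The helper also reads `.Values.imagePullSecret.password` directly, which means the registry credential lives in plaintext values files whenever `imagePullSecret.enabled` is set; the chart README should say so, or the secret should be pre-created and only referenced by name.
```yaml
{{- define "imagePullSecret" }}
{{- with .Values.imagePullSecret }}
{{- $auth := printf "%s:%s" .username .password | b64enc }}
{{- dict "auths" (dict .registry (dict "username" .username "password" .password "email" .email "auth" $auth)) | toJson | b64enc }}
{{- end }}
{{- end }}
```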
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/authentication-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/authentication-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/authentication-service-deployment.yaml
rename to files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/authentication-service-deployment.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/authorization-policy.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/authorization-policy.yaml
new file mode 100644
index 00000000..ebb14452
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/authorization-policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: deny-traffic-from-cross-namespace
+ namespace: {{ .Values.namespace }}
+ labels:
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: ["{{ .Values.namespace }}","kube-system","prometheus-node-exporter", "adot-collector-kubeprometheus","istio-system","karpenter","kubecost", "kuberhealthy", "argocd", "argo-workflows"]
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/cm-authentication-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-authentication-service.yaml
similarity index 100%
rename from files/tenant-samples/pooled/tenant-helm-chart/templates/cm-authentication-service.yaml
rename to files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-authentication-service.yaml
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-feature-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-feature-service.yaml
new file mode 100644
index 00000000..f6f18490
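Review bot: The policy is named `deny-traffic-from-cross-namespace` but is an `action: ALLOW` rule with no `selector`, so it is enforced only on sidecar-injected workloads in the namespace; the chart's own values set `sidecar.istio.io/inject: "false"` on the frontend and the migration job disables injection too, so those pods are outside this rule and the name overstates what it does. The `source.namespaces` match is derived from the caller's mTLS peer identity, so in-namespace callers without a sidecar send plaintext with no principal and are denied by this ALLOW policy; whether that is intended should be stated, and shipping a `PeerAuthentication` with `mtls.mode: STRICT` alongside it makes the assumption explicit rather than dependent on the mesh default. The allow list also admits `argocd`, `argo-workflows`, `kubecost` and `karpenter`, which rarely originate requests to tenant services; prune it to namespaces that actually call in, and quote the templated value in `namespace: "{{ .Values.namespace }}"`.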
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-feature-service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.featureService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-feature-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.featureService.port }}'
+ NODE_ENV: '{{ .Values.featureService.node_env }}'
+ LOG_LEVEL: '{{ .Values.featureService.log_level }}'
+ BASE_PATH: '{{ .Values.featureService.base_path }}'
+ DB_SSL: '{{ .Values.featureService.db_ssl }}'
+ USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'
+ TIMESTAMP_TOLERANCE: '{{ .Values.featureService.timestamp_tolerance}}'
+ ADMIN_USER_TENANT_ID: '{{ .Values.adminUserTenantId }}'
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml
new file mode 100644
index 00000000..13352de3
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml
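Review bot: `USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'` puts a shared secret into a ConfigMap, which is readable by anyone with `get configmaps` in the namespace and is echoed by `helm get manifest`, whereas the same chart already reads `DB_PASSWORD` and `JWT_SECRET` from the `api-token` Secret via `secretKeyRef`. Add the value to the SecretProviderClass/`api-token` Secret, inject it in the feature-service deployment with `- name: USER_CALLBACK_SECRET` / `valueFrom: secretKeyRef: {name: api-token, key: USER_CALLBACK_SECRET}`, and drop it from this ConfigMap. `'{{ .Values.featureService.timestamp_tolerance}}'` is missing the space before `}}`; it renders, but it is the only action in the file written that way.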
@@ -0,0 +1,26 @@
+{{- if .Values.frontend.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-frontend
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ env: |-
+ {
+ "baseApiUrl": "https://{{ .Values.hostname }}",
+ "authApiBaseUrl": "https://{{ .Values.hostname }}/authentication-service",
+ "notificationApiBaseUrl" :"https://{{ .Values.hostname }}/notification-service",
+ "homePath": "{{ .Values.frontend.home_path }}",
+ "videoApiBaseUrl": "https://{{ .Values.hostname }}/video-confrencing-service",
+ "notificationChannelUuid": "9f7360f6-5c1a-4354-ad68-0e62b2a1200b",
+ "chatChannelUuid": "ad0cac27-972e-4b69-9188-3685f7eeb8bb",
+ "vonageApiKey": "47793071",
+ "logLevel": "{{ .Values.frontend.log_level }}",
+ "clientId": "{{ .Values.clientId }}",
+ "clientSecret": "{{ .Values.publicKey }}",
+ "loginTitle": "Welcome to the Telemed App"
+ }
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-notification-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-notification-service.yaml
new file mode 100644
index 00000000..87d683da
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-notification-service.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.notificationService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-notification-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.notificationService.port }}'
+ NODE_ENV: '{{ .Values.notificationService.node_env }}'
+ LOG_LEVEL: '{{ .Values.notificationService.log_level }}'
+ BASE_PATH: '{{ .Values.notificationService.base_path }}'
+ DB_SSL: '{{ .Values.notificationService.db_ssl }}'
+{{- end}}
\ No newline at end of file
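Review bot: `"clientSecret": "{{ .Values.publicKey }}"` writes the tenant client secret into a ConfigMap that the frontend deployment serves as `config.json` from the nginx web root, so every visitor can fetch it with one GET; a browser-side OAuth client is a public client and must not carry a client secret, so remove `clientSecret` from this document and use a public client with PKCE (or keep the secret in a server-side component). `vonageApiKey`, `notificationChannelUuid` and `chatChannelUuid` are literal IDs baked into a template every pooled tenant renders, so all tenants share one account and channel set and none of it can change without a chart release; move them to values (e.g. `"vonageApiKey": "{{ .Values.vonageApiKey }}"`). The `env` document is JSON built by string interpolation, so a `hostname` or `home_path` containing `"` breaks the file silently; rendering a `dict` through `toJson` would escape values and keep the document well-formed.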
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml
new file mode 100644
index 00000000..e429bc25
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.userTenantService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-user-tenant-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.userTenantService.port }}'
+ NODE_ENV: '{{ .Values.userTenantService.node_env }}'
+ LOG_LEVEL: '{{ .Values.userTenantService.log_level }}'
+ BASE_PATH: '{{ .Values.userTenantService.base_path }}'
+ ADMIN_USER_TENANT_ID: '{{ .Values.adminUserTenantId }}'
+ USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'
+ DB_SSL: '{{ .Values.userTenantService.db_ssl }}'
+ AWS_REGION: '{{ .Values.region }}'
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml
new file mode 100644
index 00000000..df67fa42
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml
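Review bot: `USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'` stores a shared secret in a ConfigMap, so it is exposed to any principal with read access to ConfigMaps in the tenant namespace and to anyone who can run `helm get manifest`, while the chart's deployments already source credentials such as `DB_PASSWORD` and `JWT_SECRET` from the `api-token` Secret with `secretKeyRef`. Add a `USER_CALLBACK_SECRET` key to that Secret and inject it from the user-tenant-service deployment with `valueFrom: secretKeyRef: {name: api-token, key: USER_CALLBACK_SECRET}`, removing the line here. The remaining keys (`PORT`, `NODE_ENV`, `BASE_PATH`, `DB_SSL`, `AWS_REGION`) are non-sensitive and fine in a ConfigMap.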
@@ -0,0 +1,17 @@
+{{- if .Values.videoConfrencingService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-video-confrencing-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.videoConfrencingService.port }}'
+ NODE_ENV: '{{ .Values.videoConfrencingService.node_env }}'
+ LOG_LEVEL: '{{ .Values.videoConfrencingService.log_level }}'
+ BASE_PATH: '{{ .Values.videoConfrencingService.base_path }}'
+ DB_SSL: '{{ .Values.videoConfrencingService.db_ssl }}'
+ VONAGE_API_KEY: '47793071'
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml
new file mode 100644
index 00000000..abaaa2d9
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml
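Review bot: `VONAGE_API_KEY: '47793071'` hard-codes a vendor account identifier into a template that every pooled tenant renders, so all tenants share one Vonage account and the key cannot be rotated or varied without a chart change; make it a value, `VONAGE_API_KEY: '{{ .Values.vonageApiKey }}'`, next to the existing `vonageSecret` SSM path in values. The same literal is also embedded in the frontend config in this change, so a single value would keep the two in sync. Confidentiality is not the issue here (the deployment reads the paired secret from the `api-token` Secret, and the chart already ships this key to the browser), so a ConfigMap remains an acceptable home for it once templated.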
@@ -0,0 +1,244 @@ +{{- if .Values.featureService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-feature-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.featureService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-feature-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/feature-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: feature-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.featureService.pullPolicy }} + resources: + {{- toYaml .Values.featureService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/feature-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/feature-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . 
}}-feature-service + image: {{ .Values.featureService.repository }}:{{ .Values.featureService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-feature-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: FEATURE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: FEATURE_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: FEATURE_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: FEATURE_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: FEATURE_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: FEATURE_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: FEATURE_DB_DATABASE + - name: FEATURE_DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ 
.Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + pooled-node: {{ .Values.tier }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.featureService.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.featureService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-feature-service + labels: + app: {{ include "helm.fullname" . }} + component: feature-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-feature-service + minReplicas: {{ .Values.featureService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.featureService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.featureService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.featureService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-feature-service + labels: + app: {{ include "helm.fullname" . 
}} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.featureService.service.type }} + ports: + - port: {{ .Values.featureService.service.port }} + targetPort: {{ .Values.featureService.service.targetPort }} + protocol: {{ .Values.featureService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: feature-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml new file mode 100644 index 00000000..b4fd696f --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml 
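Review bot: The Deployment's `selector.matchLabels` is only `app: {{ include "helm.fullname" . }}`, which is the same label every other Deployment in this chart stamps on its pods (the frontend pod template in this change carries it too), so the selectors overlap across components and the HPA's `scaleTargetRef` will count foreign pods; add `component: feature-service` to `matchLabels`, which the pod template and the Service selector already use. `REDIS_PASSWORD` is hard-coded to `""` while every other credential comes from the `api-token` Secret, and `REDIS_URL` is filled from the `REDIS_HOST` key (a host, not a URL); both read as placeholders that should be Secret keys of their own. The pod renders no `securityContext` at all although values define `podSecurityContext` and `securityContext`; add `securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}` on the pod spec and `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` on the container so the hardening knobs can take effect. Finally, the container mounts the whole `my-api-token` CSI volume at `/mnt/api-token` in addition to the `secretKeyRef` env entries, so every SSM parameter in the SecretProviderClass is also readable as a file by the process; if the mount exists only to trigger the Secret sync, say so in a comment.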
@@ -0,0 +1,129 @@ +--- +#Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-frontend + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.frontend.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-frontend-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/frontend/obf/metrics +{{- if .Values.frontend.extraAnnotations }} +{{ toYaml .Values.frontend.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: frontend + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.frontend.pullPolicy }} + resources: + {{- toYaml .Values.frontend.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/frontend + port: 80 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/frontend + port: 80 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . 
}}-frontend + image: {{ .Values.frontend.repository }}:{{ .Values.frontend.tag }} + ports: + - containerPort: 80 + volumeMounts: + - name: env-var + mountPath: /usr/share/nginx/html/config.json + subPath: config.json + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + env: + - name: pubnubPublishKey + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_PUB_KEY + - name: pubnubSubscribeKey + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_SUB_KEY +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + pooled-node: {{ .Values.tier }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: env-var + configMap: + name: {{ include "helm.fullname" . }}-cm-frontend + items: + - key: env + path: config.json + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.frontend.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-frontend + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.frontend.Service.type }} + ports: + - port: {{ .Values.frontend.Service.port }} + targetPort: {{ .Values.frontend.Service.targetPort }} + protocol: {{ .Values.frontend.Service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: frontend +--- \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/gateway.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/gateway.yaml new file mode 100644 index 00000000..b534262f --- /dev/null 
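Review bot: The nginx frontend pod mounts the tenant's entire secrets CSI volume (`my-api-token` at `/mnt/api-token`) and runs under the same `{{ .Values.tier }}-{{ .Values.tenant }}` service account as the API services, although it only consumes the two PubNub keys through `secretKeyRef`; the most exposed component should not have DB, JWT and Vonage material on its filesystem, so drop the `my-api-token` `volumeMounts` and `volumes` entries here (the `api-token` Secret should still be synced by the other pods' mounts — verify that against the SecretProviderClass `secretObjects`, which are not in this diff). `config.json` is projected from the `cm-frontend` ConfigMap straight into the web root, so whatever that ConfigMap contains is served to every visitor; restrict it to settings that are genuinely public. The pod also renders no `securityContext`; `runAsNonRoot` with a non-root nginx image and `readOnlyRootFilesystem: true` are cheap wins for a static-file server, via `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` on the container.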
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/gateway.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}
+ labels:
+ app: {{ include "helm.name" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - {{ .Values.hostname }}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/hooks/migration-job.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/hooks/migration-job.yaml
new file mode 100644
index 00000000..81f2dbcc
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/hooks/migration-job.yaml
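Review bot: The Gateway exposes only an HTTP server on port 80 with no `tls` block and no `httpsRedirect`, so unless TLS is terminated in front of the Istio ingress (nothing in this diff shows that) the login flow, bearer tokens and the frontend config travel in clear text; the frontend ConfigMap in this same change builds `https://{{ .Values.hostname }}` URLs, which suggests HTTPS is expected. Add an HTTPS server backed by a TLS Secret in the ingress gateway's namespace and redirect port 80, as sketched below, and quote `{{ .Values.hostname }}` in both `hosts` lists so an empty value fails at template time rather than rendering `null`. The `credentialName` value is new and would need a matching entry in values.
```yaml
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "{{ .Values.hostname }}"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "{{ .Values.hostname }}"
      tls:
        mode: SIMPLE
        credentialName: "{{ .Values.tlsSecretName }}"  # new value: TLS Secret in the ingress gateway namespace
```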
@@ -0,0 +1,164 @@
+{{- if .Values.migrationJob.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ template "helm.fullname" . }}-migration-job"
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+spec:
+ backoffLimit: 20
+ activeDeadlineSeconds: 600
+ ttlSecondsAfterFinished: 3600
+ parallelism: 1
+ completions: 1
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }}
+ volumes:
+ - name: my-api-token
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets
+ restartPolicy: 'OnFailure'
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecret.name }}
+ containers:
+ - name: init
+ image: {{ .Values.migrationJob.repository }}:{{ .Values.migrationJob.tag }}
+ imagePullPolicy: {{ .Values.migrationJob.pullPolicy }}
+ resources:
+{{ toYaml .Values.migrationJob.resources | indent 10 }}
+ command: ["/bin/sh", "-c"]
+ args: ["cd packages/migrations; npm run db:migrate"]
+ volumeMounts:
+ - name: my-api-token
+ mountPath: /mnt/api-token
+ readOnly: true
+ env:
+ - name: AUTH_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: AUTH_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: AUTH_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: AUTH_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: AUTH_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: AUTHENTICATION_SERVICE_DB_DATABASE
+ - name: FEATURE_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: FEATURE_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: FEATURE_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: FEATURE_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name:
FEATURE_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: FEATURE_DB_DATABASE
+ - name: NOTIF_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: NOTIF_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: NOTIF_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: NOTIF_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: NOTIF_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: NOTIFICATION_SERVICE_DB_DATABASE
+ - name: VIDEO_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: VIDEO_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: VIDEO_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: VIDEO_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: VIDEO_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE
+
+ - name: TENANT_NAME
+ value: {{ .Values.tenantName }}
+ - name: TENANT_KEY
+ value: {{ .Values.tenantKey }}
+ - name: SECRET
+ value: {{ .Values.tenantSecret }}
+ - name: TENANT_EMAIL
+ value: {{ .Values.tenantEmail }}
+ - name: CLIENT_ID
+ value: {{ .Values.clientId }}
+ - name: CLIENT_SECRET
+ value: {{ .Values.publicKey }}
+ - name: ADMIN_USER_TENANT_ID
+ value: {{ .Values.adminUserTenantId }}
+ - name: REDIRECT_URL
+ value: "https://{{ .Values.hostname }}{{ .Values.frontend.home_path }}"
+ # - name: USERNAME
+ # value: {{ .Values.cognitoUser }}
+ # - name: USER_SUB
+ # value: {{ .Values.cognitoSub }}
+{{- end }}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/imagePullSecret.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/imagePullSecret.yaml
new file mode 100644
index 00000000..d40fa6ab
--- /dev/null
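Review bot: `SECRET` (`.Values.tenantSecret`) and `CLIENT_SECRET` (`.Values.publicKey`) are injected as literal `value:` strings from chart values, whereas `DB_PASSWORD` and the other credentials come through `secretKeyRef` from the CSI-backed `api-token` Secret; the rendered values file is presumably the one handed to ArgoCD, so these secrets end up in the git repo and in plain text in the Job's pod spec, and the fix is to add them as objects to the SecretProviderClass and read them with `secretKeyRef` like the database credentials. The templated `value:` lines are also unquoted, and Kubernetes requires env values to be strings, so a numeric-looking `tenantKey` or `adminUserTenantId` fails admission — write `value: "{{ .Values.tenantKey }}"` and so on. `CLIENT_SECRET` reading `.Values.publicKey` looks like a copy-paste slip; the values-template hunk shows `publicKey: ${TENANT_CLIENT_SECRET}`, so it is apparently intended but deserves `# publicKey carries the tenant OAuth client secret` above it. `imagePullSecrets` is unconditional here while every Deployment in this commit gates it on `.Values.imagePullSecret.enabled`, and the Secret itself is only rendered when that flag is set.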
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/imagePullSecret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.imagePullSecret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.imagePullSecret.name }}
+ labels:
+ {{- include "helm.labels" . | nindent 4 }}
+ component: {{ include "helm.name" . }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/kuberhealthy-http-checker.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/kuberhealthy-http-checker.yaml
new file mode 100644
index 00000000..b793f40d
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/kuberhealthy-http-checker.yaml
@@ -0,0 +1,27 @@
+apiVersion: comcast.github.io/v1
+kind: KuberhealthyCheck
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}-http-check
+ namespace: kuberhealthy
+ labels:
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ runInterval: 5m
+ timeout: 10m
+ podSpec:
+ containers:
+ - name: main
+ image: kuberhealthy/http-check:latest
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: CHECK_URL
+ value: "https://{{ .Values.hostname }}/"
+ - name: COUNT
+ value: "5"
+ - name: SECONDS
+ value: "1"
+ - name: REQUEST_TYPE
+ value: "GET"
+ - name: PASSING
+ value: "80"
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml
new file mode 100644
index 00000000..6de67db6
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml
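Review bot: `image: kuberhealthy/http-check:latest` together with `imagePullPolicy: IfNotPresent` means each node runs whatever version it cached first, and a broken or tampered upstream tag is picked up silently on the next fresh node; pin a release tag or digest, `image: kuberhealthy/http-check:<pinned-version>`. `PASSING: "80"` lets one of the five probes fail and still report healthy, and `timeout: 10m` is longer than `runInterval: 5m`; a one-line comment on why those thresholds were chosen would help the next reader.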
@@ -0,0 +1,229 @@
+{{- if .Values.notificationService.enabled }}
+---
+#Deployment
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "helm.fullname" . }}-notification-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ replicas: {{ .Values.notificationService.replicaCount }}
+ strategy:
+ type: {{ .Values.strategy.type }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.strategy.maxUnavailable }}
+ maxSurge: {{ .Values.strategy.maxSurge }}
+ selector:
+ matchLabels:
+ app: {{ include "helm.fullname" . }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/cm-notification-service.yaml") . | sha256sum }}
+ prometheus.io/path: {{ .Values.app.basePath }}/notification-service/obf/metrics
+{{- if .Values.extraAnnotations }}
+{{ toYaml .Values.extraAnnotations | indent 8 }}
+{{- end }}
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: notification-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+ spec:
+ serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }}
+ containers:
+ - imagePullPolicy: {{ .Values.notificationService.pullPolicy }}
+ resources:
+ {{- toYaml .Values.notificationService.resources | nindent 12 }}
+{{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/notification-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/notification-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+{{- end }}
+ name: {{ include "helm.fullname" . }}-notification-service
+ image: {{ .Values.notificationService.repository }}:{{ .Values.notificationService.tag }}
+ volumeMounts:
+ - name: my-api-token
+ mountPath: /mnt/api-token
+ readOnly: true
+ envFrom:
+ - configMapRef:
+ name: {{ include "helm.fullname" . }}-cm-notification-service
+ env:
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: NOTIFICATION_SERVICE_DB_DATABASE
+ - name: DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: REDIS_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_PORT
+ - name: REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PASSWORD
+ value: ""
+ - name: REDIS_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_DATABASE
+ - name: JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_SECRET
+ - name: JWT_ISSUER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_ISSUER
+ - name: PUBNUB_PUBLISH_KEY
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: PUBNUB_PUB_KEY
+ - name: PUBNUB_SUBSCRIBE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: PUBNUB_SUB_KEY
+ - name: PUBNUB_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: PUBNUB_SECRET_KEY
+{{- if .Values.imagePullSecret.enabled }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecret.name }}
+{{- end }}
+
+ nodeSelector:
+ pooled-node: {{ .Values.tier }}
+{{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml .
| indent 8 }}
+{{- end }}
+ volumes:
+ - name: my-api-token
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets
+{{- with .Values.notificationService.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+
+---
+#HPA
+
+{{- if .Values.notificationService.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "helm.fullname" . }}-notification-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: notification-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "helm.fullname" . }}-notification-service
+ minReplicas: {{ .Values.notificationService.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.notificationService.autoscaling.maxReplicas }}
+ metrics:
+ {{- with .Values.notificationService.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
+ {{- with .Values.notificationService.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: AverageValue
+ averageValue: {{ . }}
+ {{- end }}
+{{- end }}
+---
+#Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "helm.fullname" . }}-notification-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ type: {{ .Values.notificationService.service.type }}
+ ports:
+ - port: {{ .Values.notificationService.service.port }}
+ targetPort: {{ .Values.notificationService.service.targetPort }}
+ protocol: {{ .Values.notificationService.service.protocol }}
+ name: web
+ selector:
+ app: {{ include "helm.fullname" .
}} + component: notification-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/provisioner.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/provisioner.yaml new file mode 100644 index 00000000..69004de9 --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/provisioner.yaml @@ -0,0 +1,61 @@ +apiVersion: karpenter.sh/v1beta1 +kind: NodePool +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + annotations: + kubernetes.io/description: "NodePool to restrict the number of cpus provisioned to 100" +spec: + template: + metadata: + labels: + pooled-node: {{ .Values.tier }} + spec: + requirements: + - key: kubernetes.io/arch + operator: In + values: ["amd64"] + - key: kubernetes.io/os + operator: In + values: ["linux"] + - key: karpenter.sh/capacity-type + operator: In + values: ["on-demand"] + - key: karpenter.k8s.aws/instance-category + operator: In + values: ["t"] + - key: karpenter.k8s.aws/instance-generation + operator: Gt + values: ["2"] + nodeClassRef: + name: {{ .Values.tier }}-{{ .Values.tenant }} + taints: + - key: pooled-node + value: "pooled" + effect: NoSchedule + + limits: + cpu: 100 + memory: 1000Gi +--- +apiVersion: karpenter.k8s.aws/v1beta1 +kind: EC2NodeClass +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + annotations: + kubernetes.io/description: "General purpose EC2NodeClass for running Amazon Linux 2 nodes" +spec: + amiFamily: AL2 # Amazon Linux 2 + role: {{ .Values.karpenterRoleName }} + subnetSelectorTerms: + - tags: + Type: "private" + securityGroupSelectorTerms: + - tags: + "aws:eks:cluster-name": {{ .Values.eksClusterName }} + tags: + Tenant: "pooled" + Project: {{ .Values.project }} + + + + 
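Review bot: `REDIS_URL` is filled from the `REDIS_HOST` key of the `api-token` Secret and `REDIS_PASSWORD` is a literal `""`, so the service presumably connects to Redis with no credential regardless of what the SSM-backed Secret holds; the same pair appears in video-conferencing-service-deployment.yaml in this commit. If the pooled Redis genuinely runs without AUTH, a comment stating that (and that tenant separation rests on `REDIS_DATABASE`) is needed; otherwise add a `REDIS_PASSWORD` object to the SecretProviderClass and read it with `secretKeyRef` as `JWT_SECRET` is. `REDIS_URL` should either be dropped or be a real URL built from host and port rather than a second copy of `REDIS_HOST`.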
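Review bot: The `EC2NodeClass` sets no `metadataOptions`, so how reachable the node IMDS is from pods is left to the Karpenter default; the tenant workloads already get AWS credentials through their service account (`serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }}`), so nothing scheduled here should need the node role from IMDS. Add an explicit `metadataOptions:` block with `httpTokens: required` and `httpPutResponseHopLimit: 1` so tenant pods cannot read the node's instance credentials. `amiFamily: AL2` with no `amiSelectorTerms` tracks the latest Amazon Linux 2 AMI, which is near the end of its support window — worth a comment on the planned move to a newer family.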
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/templates/secret-provider-class-and-sa.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/secret-provider-class-and-sa.yaml similarity index 99% rename from files/tenant-samples/bridge/tenant-helm-chart/templates/secret-provider-class-and-sa.yaml rename to files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/secret-provider-class-and-sa.yaml index 2c12fced..9e578df4 100644 --- a/files/tenant-samples/bridge/tenant-helm-chart/templates/secret-provider-class-and-sa.yaml +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/secret-provider-class-and-sa.yaml @@ -57,7 +57,6 @@ spec: key: COGNITO_AUTH_CLIENT_ID - objectName: cognito_client_secret key: COGNITO_AUTH_CLIENT_SECRET - - objectName: cognito_user_pool_id key: COGNITO_USER_POOL_ID - objectName: vonage-api-key-secret @@ -122,7 +121,6 @@ spec: - objectName: {{ .Values.cognitosecret }} objectType: ssmparameter objectAlias: cognito_client_secret - - objectName: {{ .Values.cognitoUserPoolID }} objectType: ssmparameter objectAlias: cognito_user_pool_id diff --git a/files/tenant-samples/pooled/tenant-helm-chart/templates/user-tenant-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/user-tenant-service-deployment.yaml similarity index 100% rename from files/tenant-samples/pooled/tenant-helm-chart/templates/user-tenant-service-deployment.yaml rename to files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/user-tenant-service-deployment.yaml diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/video-conferencing-service-deployment.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/video-conferencing-service-deployment.yaml new file mode 100644 index 00000000..4707073a --- /dev/null +++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/video-conferencing-service-deployment.yaml 
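Review bot: Both hunks delete only the first line of the `cognito_user_pool_id` item — `- objectName: cognito_user_pool_id` in the first and `- objectName: {{ .Values.cognitoUserPoolID }}` in the second — and leave the item's remaining lines (`key: COGNITO_USER_POOL_ID`; `objectType: ssmparameter` and `objectAlias: cognito_user_pool_id`) in place as context. As far as the hunks show, those orphaned lines now sit inside the preceding `cognito_client_secret` item, giving it a duplicate `key` / `objectAlias` mapping key; YAML loaders either reject the document or keep the last value, in which case the client-secret parameter is exposed under alias `cognito_user_pool_id` and the `cognito_client_secret` alias that the secretObjects section refers to no longer exists. Remove the whole item (two lines in the first hunk, three in the second) rather than just its first line.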
@@ -0,0 +1,219 @@
+{{- if .Values.videoConfrencingService.enabled }}
+---
+#Deployment
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "helm.fullname" . }}-video-confrencing-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ replicas: {{ .Values.videoConfrencingService.replicaCount }}
+ strategy:
+ type: {{ .Values.strategy.type }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.strategy.maxUnavailable }}
+ maxSurge: {{ .Values.strategy.maxSurge }}
+ selector:
+ matchLabels:
+ app: {{ include "helm.fullname" . }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/cm-video-confrencing-service.yaml") . | sha256sum }}
+ prometheus.io/path: {{ .Values.app.basePath }}/video-confrencing-service/obf/metrics
+{{- if .Values.extraAnnotations }}
+{{ toYaml .Values.extraAnnotations | indent 8 }}
+{{- end }}
+ labels:
+ app: {{ include "helm.fullname" .
}}
+ component: video-confrencing-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+ spec:
+ serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }}
+ containers:
+ - imagePullPolicy: {{ .Values.videoConfrencingService.pullPolicy }}
+ resources:
+ {{- toYaml .Values.videoConfrencingService.resources | nindent 12 }}
+{{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/video-confrencing-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.app.basePath }}/video-confrencing-service
+ port: 3000
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+{{- end }}
+ name: {{ include "helm.fullname" . }}-video-confrencing-service
+ image: {{ .Values.videoConfrencingService.repository }}:{{ .Values.videoConfrencingService.tag }}
+ volumeMounts:
+ - name: my-api-token
+ mountPath: /mnt/api-token
+ readOnly: true
+ envFrom:
+ - configMapRef:
+ name: {{ include "helm.fullname" .
}}-cm-video-confrencing-service
+ env:
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_HOST
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PORT
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_USER
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_PASSWORD
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE
+ - name: DB_SCHEMA
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: DB_SCHEMA
+ - name: REDIS_HOST
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PORT
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_PORT
+ - name: REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_HOST
+ - name: REDIS_PASSWORD
+ value: ""
+ - name: REDIS_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: REDIS_DATABASE
+ - name: JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_SECRET
+ - name: JWT_ISSUER
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: JWT_ISSUER
+ - name: VONAGE_API_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: api-token
+ key: VONAGE_API_KEY_SECRET
+{{- if .Values.imagePullSecret.enabled }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecret.name }}
+{{- end }}
+
+ nodeSelector:
+ pooled-node: {{ .Values.tier }}
+{{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ volumes:
+ - name: my-api-token
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets
+{{- with .Values.videoConfrencingService.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+
+---
+#HPA
+
+{{- if .Values.videoConfrencingService.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "helm.fullname" .
}}-video-confrencing-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ component: video-confrencing-service
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "helm.fullname" . }}-video-confrencing-service
+ minReplicas: {{ .Values.videoConfrencingService.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.videoConfrencingService.autoscaling.maxReplicas }}
+ metrics:
+ {{- with .Values.videoConfrencingService.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
+ {{- with .Values.videoConfrencingService.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: AverageValue
+ averageValue: {{ . }}
+ {{- end }}
+{{- end }}
+---
+#Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "helm.fullname" . }}-video-confrencing-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ type: {{ .Values.videoConfrencingService.service.type }}
+ ports:
+ - port: {{ .Values.videoConfrencingService.service.port }}
+ targetPort: {{ .Values.videoConfrencingService.service.targetPort }}
+ protocol: {{ .Values.videoConfrencingService.service.protocol }}
+ name: web
+ selector:
+ app: {{ include "helm.fullname" . }}
+ component: video-confrencing-service
+---
+{{- end }}
\ No newline at end of file
diff --git a/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/virtual-service.yaml b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/virtual-service.yaml
new file mode 100644
index 00000000..f46c6b4a
--- /dev/null
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/templates/virtual-service.yaml
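Review bot: Neither the pod nor the container declares a `securityContext`, so the service runs as whatever user the image defaults to and with privilege escalation permitted; the same is true of notification-service-deployment.yaml and the migration Job in this commit. These pods carry a service account that the SecretProviderClass uses to read SSM, so a hardened baseline is cheap insurance. Add at least `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and dropped capabilities at the container level, plus `readOnlyRootFilesystem: true` where the image tolerates it.
```yaml
      containers:
        - imagePullPolicy: {{ .Values.videoConfrencingService.pullPolicy }}
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: resources, probes, name, image, volumeMounts, envFrom, env …
```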
@@ -0,0 +1,63 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}
+ labels:
+ app: {{ include "helm.name" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ hosts:
+ - {{ .Values.hostname }}
+ gateways:
+ - {{ .Values.tier }}-{{ .Values.tenant }} #create gateway with name as tenant name
+ http:
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/authentication-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-authentication-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/feature-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-feature-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/notification-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-notification-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/user-tenant-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-user-tenant-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/video-confrencing-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-video-confrencing-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-frontend"
+ port:
+ number: 80
\ No newline at end of file
diff --git a/files/tenant-samples/bridge/tenant-helm-chart/values.yaml.template b/files/tenant-samples/pooled/tenant-helm-chart/cognito/values.yaml.template
similarity index 99%
rename from files/tenant-samples/bridge/tenant-helm-chart/values.yaml.template
rename to files/tenant-samples/pooled/tenant-helm-chart/cognito/values.yaml.template
index 25239673..a70c3076 100644
--- a/files/tenant-samples/bridge/tenant-helm-chart/values.yaml.template
+++ b/files/tenant-samples/pooled/tenant-helm-chart/cognito/values.yaml.template @@ -63,7 +63,7 @@ featureService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-feature-toggle-service pullPolicy: Always - tag: "0.0.1" + tag: "0.0.2" replicaCount: 1 port: 3000 node_env: "production" @@ -100,7 +100,7 @@ authenticationService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-authentication-service pullPolicy: Always - tag: "0.0.2" + tag: "0.0.3" replicaCount: 1 port: 3000 node_env: "production" @@ -136,7 +136,7 @@ notificationService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-notification-service pullPolicy: Always - tag: "0.0.2" + tag: "0.0.3" replicaCount: 1 port: 3000 node_env: "production" @@ -172,7 +172,7 @@ userTenantService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-user-tenant-service pullPolicy: Always - tag: "0.0.3" + tag: "0.0.4" replicaCount: 1 port: 3000 node_env: "production" @@ -207,7 +207,7 @@ videoConfrencingService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-video-conferencing-service pullPolicy: Always - tag: "0.0.1" + tag: "0.0.2" replicaCount: 1 port: 3000 node_env: "production" @@ -343,6 +343,7 @@ publicKey: ${TENANT_CLIENT_SECRET} tier: ${TIER} namespace: ${NAMESPACE} +project: ${PROJECT} region: ${REGION} cognitodomain: ${COGNITO_DOMAIN} cognitoid: ${COGNITO_ID} diff --git a/files/tenant-samples/pooled/terraform/canary.tf b/files/tenant-samples/pooled/terraform/canary.tf index 58e5439f..2c0d5739 100644 --- a/files/tenant-samples/pooled/terraform/canary.tf +++ b/files/tenant-samples/pooled/terraform/canary.tf @@ -22,6 +22,7 @@ resource "aws_synthetics_canary" "main" { schedule { expression = "rate(6 minutes)" } + tags = module.tags.tags } 
diff --git a/files/tenant-samples/pooled/terraform/cognito-client.tf b/files/tenant-samples/pooled/terraform/cognito-client.tf index aa2b4a95..e66d3417 100644 --- a/files/tenant-samples/pooled/terraform/cognito-client.tf +++ b/files/tenant-samples/pooled/terraform/cognito-client.tf @@ -1,22 +1,10 @@ -###################################################################### -## Create Cognito User -###################################################################### -# module "cognito_password" { -# source = "../modules/random-password" -# length = 12 -# is_special = true -# min_upper = 1 -# min_numeric = 1 -# min_special = 1 -# min_lower = 1 -# } - ##################################################################################### ## Cognito App Client ##################################################################################### resource "aws_cognito_user_pool_client" "app_client" { + count = var.IdP == "cognito" ? 1 : 0 name = var.tenant - user_pool_id = data.aws_ssm_parameter.cognito_user_pool_id.value + user_pool_id = data.aws_ssm_parameter.cognito_user_pool_id[0].value allowed_oauth_flows = ["code"] allowed_oauth_flows_user_pool_client = true allowed_oauth_scopes = ["phone", "email", "openid", "aws.cognito.signin.user.admin"] 
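Review bot: Every `count = var.IdP == "cognito" ? 1 : 0` / `== "auth0"` gate introduced by this commit (here, `module.cognito_ssm_parameters`, the four data sources in data.tf, and the template, `local_file` and Application resources in eks.tf) compares a free-form string, so a misspelt `TF_VAR_IdP` creates neither IdP's resources and the apply still succeeds with a half-provisioned tenant; add `validation { condition = contains(["cognito", "auth0"], var.IdP) error_message = "IdP must be cognito or auth0." }` to the variable, whose definition is not in this diff. Within this resource `user_pool_id` indexes the data source with `[0]` while the module further down uses `[count.index]` for the same purpose; pick one form. The `app_client` resource body continues past the end of this hunk.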
@@ -38,45 +26,28 @@ resource "aws_cognito_user_pool_client" "app_client" { } } -# resource "aws_cognito_user" "cognito_user" { -# user_pool_id = data.aws_ssm_parameter.cognito_user_pool_id.value -# username = var.user_name - -# attributes = { -# email = var.tenant_email -# email_verified = true -# } -# temporary_password = module.cognito_password.result - -# } - ###################################################################### ## Store Congito output to SSM parameneter store ###################################################################### module "cognito_ssm_parameters" { + count = var.IdP == "cognito" ? 1 : 0 source = "../modules/ssm-parameter" ssm_parameters = [ { name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_id" - value = resource.aws_cognito_user_pool_client.app_client.id + value = resource.aws_cognito_user_pool_client.app_client[count.index].id type = "SecureString" overwrite = "true" description = "Tenant Cognito Domain ID" }, { name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_secret" - value = resource.aws_cognito_user_pool_client.app_client.client_secret + value = resource.aws_cognito_user_pool_client.app_client[count.index].client_secret type = "SecureString" overwrite = "true" description = "Tenant Cognito Domain Secret" } - # { - # name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/${var.user_name}/user_sub" - # value = aws_cognito_user.cognito_user.sub - # type = "SecureString" - # overwrite = "true" - # description = "${var.tenant} User Cognito Sub" - # } + ] tags = module.tags.tags } \ No newline at end of file diff --git a/files/tenant-samples/pooled/terraform/data.tf b/files/tenant-samples/pooled/terraform/data.tf index e5dfa447..1c33564e 100644 --- a/files/tenant-samples/pooled/terraform/data.tf +++ b/files/tenant-samples/pooled/terraform/data.tf 
@@ -81,6 +81,7 @@ data "aws_iam_policy_document" "ssm_policy" { ] resources = ["arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/${var.tenant_tier}/*", "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/pubnub/*", + "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/auth0-client-secret", "arn:aws:cognito-idp:${var.region}:${local.sts_caller_arn}:*"] } } @@ -94,19 +95,23 @@ data "aws_route53_zone" "selected" { } data "aws_ssm_parameter" "cognito_user_pool_id" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_user_pool_id" } data "aws_ssm_parameter" "cognito_domain" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_domain" } data "aws_ssm_parameter" "cognito_id" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_id" depends_on = [module.cognito_ssm_parameters] } data "aws_ssm_parameter" "cognito_secret" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/cognito_secret" depends_on = [module.cognito_ssm_parameters] } diff --git a/files/tenant-samples/pooled/terraform/eks.tf b/files/tenant-samples/pooled/terraform/eks.tf index 7d3c67bb..ef4b34ed 100644 --- a/files/tenant-samples/pooled/terraform/eks.tf +++ b/files/tenant-samples/pooled/terraform/eks.tf 
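Review bot: The new `parameter/${var.namespace}/${var.environment}/auth0-client-secret` ARN is granted to every tenant role, including tenants provisioned with `IdP == "cognito"` that never mount it, while the rest of this commit gates Auth0 resources on `var.IdP`; gate the grant the same way so a Cognito tenant's service account cannot read the shared Auth0 client secret. The existing `cognito-idp:*` grant could be gated on `"cognito"` by the same `concat`. The `ssm_policy` data block starts before this hunk.
```hcl
    resources = concat([
      "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/${var.tenant_tier}/*",
      "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/pubnub/*",
      "arn:aws:cognito-idp:${var.region}:${local.sts_caller_arn}:*",
    ], var.IdP == "auth0" ? ["arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/auth0-client-secret"] : [])
```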
@@ -102,25 +102,62 @@ resource "kubernetes_namespace" "my_namespace" { # generate tenant specific helm values.yaml -data "template_file" "helm_values_template" { - template = file("${path.module}/../tenant-helm-chart/values.yaml.template") +data "template_file" "cognito_helm_values_template" { + count = var.IdP == "cognito" ? 1 : 0 + template = file("${path.module}/../tenant-helm-chart/cognito/values.yaml.template") vars = { NAMESPACE = local.kubernetes_ns + PROJECT = var.namespace TENANT_NAME = var.tenant_name TENANT_KEY = var.tenant TENANT_EMAIL = var.tenant_email TENANT_SECRET = var.tenant_secret TENANT_ID = var.tenant_id - # COGNITO_USER = var.user_name - # COGNITO_USER_SUB = aws_cognito_user.cognito_user.sub + TIER = var.tenant_tier + TENANT_CLIENT_ID = var.tenant_client_id + TENANT_CLIENT_SECRET = var.tenant_client_secret + REGION = var.region + COGNITO_DOMAIN = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_domain) > 0 ? data.aws_ssm_parameter.cognito_domain[count.index].name : null + COGNITO_ID = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_id) > 0 ? data.aws_ssm_parameter.cognito_id[count.index].name : null + COGNITO_SECRET = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_secret) > 0 ? data.aws_ssm_parameter.cognito_secret[count.index].name : null + COGNITO_USER_POOL_ID = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_user_pool_id) > 0 ? 
data.aws_ssm_parameter.cognito_user_pool_id[count.index].name : null + KARPENTER_ROLE = var.karpenter_role + EKS_CLUSTER_NAME = var.cluster_name + TENANT_HOST_NAME = var.tenant_host_domain + USER_CALLBACK_SECRET = var.user_callback_secret + WEB_IDENTITY_ROLE_ARN = module.tenant_iam_role.arn + DB_HOST = data.aws_ssm_parameter.db_host.name + DB_PORT = data.aws_ssm_parameter.db_port.name + DB_USER = data.aws_ssm_parameter.db_user.name + DB_PASSWORD = data.aws_ssm_parameter.db_password.name + DB_SCHEMA = data.aws_ssm_parameter.db_schema.name + REDIS_HOST = data.aws_ssm_parameter.redis_host.name + REDIS_PORT = data.aws_ssm_parameter.redis_port.name + REDIS_DATABASE = data.aws_ssm_parameter.redis_database.name + JWT_SECRET = data.aws_ssm_parameter.jwt_secret.name + JWT_ISSUER = data.aws_ssm_parameter.jwt_issuer.name + AUTH_DATABASE = data.aws_ssm_parameter.authenticationdbdatabase.name + FEATURE_DATABASE = data.aws_ssm_parameter.featuredbdatabase.name + NOTIFICATION_DATABASE = data.aws_ssm_parameter.notificationdbdatabase.name + VIDEO_CONFRENCING_DATABASE = data.aws_ssm_parameter.videoconfrencingdbdatabase.name + } +} +data "template_file" "auth0_helm_values_template" { + count = var.IdP == "auth0" ? 1 : 0 + template = file("${path.module}/../tenant-helm-chart/auth0/values.yaml.template") + vars = { + NAMESPACE = local.kubernetes_ns + PROJECT = var.namespace + TENANT_NAME = var.tenant_name + TENANT_KEY = var.tenant + TENANT_EMAIL = var.tenant_email + TENANT_SECRET = var.tenant_secret + TENANT_ID = var.tenant_id TIER = var.tenant_tier TENANT_CLIENT_ID = var.tenant_client_id TENANT_CLIENT_SECRET = var.tenant_client_secret REGION = var.region - COGNITO_DOMAIN = data.aws_ssm_parameter.cognito_domain.name - COGNITO_ID = data.aws_ssm_parameter.cognito_id.name - COGNITO_SECRET = data.aws_ssm_parameter.cognito_secret.name KARPENTER_ROLE = var.karpenter_role EKS_CLUSTER_NAME = var.cluster_name TENANT_HOST_NAME = var.tenant_host_domain 
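Review bot: The two `vars` maps repeat about twenty-five identical entries (`NAMESPACE` through `VIDEO_CONFRENCING_DATABASE`), so the next key added to one template will silently be missing from the other; factor the shared entries into a `locals` map and `merge()` the IdP-specific keys onto it. Inside `cognito_helm_values_template` the `var.IdP == "cognito" && length(...) > 0 ? … : null` guards are redundant — the block is only evaluated when its own `count` is 1, which is exactly when those data sources have one instance — so `data.aws_ssm_parameter.cognito_domain[count.index].name` suffices. While the block is being rewritten anyway, `data "template_file"` comes from the archived hashicorp/template provider; the built-in `templatefile()` function takes the same path and map.
```hcl
locals {
  common_helm_vars = {
    NAMESPACE   = local.kubernetes_ns
    PROJECT     = var.namespace
    TENANT_NAME = var.tenant_name
    # … unchanged: the remaining entries shared by both templates …
  }
}

data "template_file" "cognito_helm_values_template" {
  count    = var.IdP == "cognito" ? 1 : 0
  template = file("${path.module}/../tenant-helm-chart/cognito/values.yaml.template")
  vars = merge(local.common_helm_vars, {
    COGNITO_DOMAIN       = data.aws_ssm_parameter.cognito_domain[count.index].name
    COGNITO_ID           = data.aws_ssm_parameter.cognito_id[count.index].name
    COGNITO_SECRET       = data.aws_ssm_parameter.cognito_secret[count.index].name
    COGNITO_USER_POOL_ID = data.aws_ssm_parameter.cognito_user_pool_id[count.index].name
  })
}

data "template_file" "auth0_helm_values_template" {
  count    = var.IdP == "auth0" ? 1 : 0
  template = file("${path.module}/../tenant-helm-chart/auth0/values.yaml.template")
  vars     = local.common_helm_vars
}
```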
@@ -140,19 +177,27 @@ data "template_file" "helm_values_template" { FEATURE_DATABASE = data.aws_ssm_parameter.featuredbdatabase.name NOTIFICATION_DATABASE = data.aws_ssm_parameter.notificationdbdatabase.name VIDEO_CONFRENCING_DATABASE = data.aws_ssm_parameter.videoconfrencingdbdatabase.name - COGNITO_USER_POOL_ID = data.aws_ssm_parameter.cognito_user_pool_id.name + } } -resource "local_file" "helm_values" { - filename = "${path.module}/output/${var.tenant}-values.yaml" - content = data.template_file.helm_values_template.rendered +resource "local_file" "cognito_helm_values" { + count = var.IdP == "cognito" ? 1 : 0 + filename = "${path.module}/output/cognito/${var.tenant}-values.yaml" + content = data.template_file.cognito_helm_values_template[count.index].rendered +} + +resource "local_file" "auth0_helm_values" { + count = var.IdP == "auth0" ? 1 : 0 + filename = "${path.module}/output/auth0/${var.tenant}-values.yaml" + content = data.template_file.auth0_helm_values_template[count.index].rendered } ############################################################################################### ## Register Tenant Helm App on ArgoCD ############################################################################################### -resource "local_file" "argocd_application" { +resource "local_file" "cognito_argocd_application" { + count = var.IdP == "cognito" ? 1 : 0 content = <<-EOT apiVersion: argoproj.io/v1alpha1 kind: Application @@ -167,7 +212,7 @@ spec: namespace: ${var.tenant_tier}-${var.tenant} server: 'https://kubernetes.default.svc' source: - path: onboarded-tenants/pooled/application + path: onboarded-tenants/pooled/application/cognito repoURL: 'https://${data.aws_ssm_parameter.github_user.value}@github.com/${data.aws_ssm_parameter.github_repo.value}.git' targetRevision: main helm: 
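Review bot: Inside `cognito_helm_values_template` the `var.IdP == "cognito" && length(...) > 0 ? ... : null` guards on COGNITO_DOMAIN, COGNITO_ID, COGNITO_SECRET and COGNITO_USER_POOL_ID are redundant with the resource's own `count = var.IdP == "cognito" ? 1 : 0`, and `[count.index]` presumes each of those SSM data sources is declared with the same count expression, which is not visible here; if one of them is unconditional the index fails at plan time. The two new vars maps differ only in those four COGNITO_* entries, so a shared `locals` map with the cognito keys merged in would avoid maintaining two copies of roughly thirty entries. `data "template_file"` also comes from the archived hashicorp/template provider, which has no builds for newer platforms; `templatefile("${path.module}/../tenant-helm-chart/${var.IdP}/values.yaml.template", local.helm_vars)` would collapse both data sources into one expression. The `auth0_helm_values_template` block continues past this hunk.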
@@ -190,6 +235,44 @@ spec: filename = "${path.module}/argocd-application.yaml" } +resource "local_file" "auth0_argocd_application" { + count = var.IdP == "auth0" ? 1 : 0 + content = <<-EOT +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: ${var.tenant_tier}-${var.tenant} + namespace: argocd + labels: + Tenant: ${var.tenant} + Tenant_ID: ${var.tenant_id} +spec: + destination: + namespace: ${var.tenant_tier}-${var.tenant} + server: 'https://kubernetes.default.svc' + source: + path: onboarded-tenants/pooled/application/auth0 + repoURL: 'https://${data.aws_ssm_parameter.github_user.value}@github.com/${data.aws_ssm_parameter.github_repo.value}.git' + targetRevision: main + helm: + valueFiles: + - ${var.tenant}-values.yaml + project: default + syncPolicy: + syncOptions: + - ApplyOutOfSyncOnly=true + retry: + limit: 2 + backoff: + duration: 5s + maxDuration: 3m0s + factor: 2 + automated: + prune: false + selfHeal: true + EOT + filename = "${path.module}/argocd-application.yaml" +} ####################################################################################### ## Register Pooled Terraform Workflow on Argo ####################################################################################### diff --git a/files/tenant-samples/pooled/terraform/pool-infra/tfvariables.txt b/files/tenant-samples/pooled/terraform/pool-infra/tfvariables.txt index 0e4121f5..1df2525a 100644 --- a/files/tenant-samples/pooled/terraform/pool-infra/tfvariables.txt +++ b/files/tenant-samples/pooled/terraform/pool-infra/tfvariables.txt @@ -15,4 +15,5 @@ jwt_issuer = "${TF_VAR_jwt_issuer}" tenant_client_id = "${TF_VAR_tenant_client_id}" tenant_client_secret = "${TF_VAR_tenant_client_secret}" alb_url = "${TF_VAR_alb_url}" -tenant_tier = "${TF_VAR_tenant_tier}" \ No newline at end of file +tenant_tier = "${TF_VAR_tenant_tier}" +IdP = "${TF_VAR_IdP}" \ No newline at end of file 
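Review bot: `auth0_argocd_application` is a verbatim copy of `cognito_argocd_application` except for `path: onboarded-tenants/pooled/application/auth0`, and both write the same `${path.module}/argocd-application.yaml`; one resource with `path: onboarded-tenants/pooled/application/${var.IdP}` would remove the duplicate and the risk of the two manifests drifting. With `IdP = "keycloak"`, which the new variable validation accepts, both counts are 0, so no Application manifest is written and any downstream step that applies that file finds nothing. The `repoURL` embeds `${data.aws_ssm_parameter.github_user.value}` in the manifest; that pattern predates this change, but if the parameter holds a token rather than a bare username it ends up in the Application object, so it is worth confirming, or moving the credential to an ArgoCD repository Secret.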
diff --git a/files/tenant-samples/pooled/terraform/pool-infra/variables.tf b/files/tenant-samples/pooled/terraform/pool-infra/variables.tf index 3c38f9d7..9c47fcb3 100644 --- a/files/tenant-samples/pooled/terraform/pool-infra/variables.tf +++ b/files/tenant-samples/pooled/terraform/pool-infra/variables.tf @@ -21,6 +21,16 @@ variable "tenant_tier" { description = "Tenant Tier" } +variable "IdP" { + type = string + description = "Tenant Identity Provider" + default = "cognito" + validation { + condition = contains(["cognito", "auth0", "keycloak"], var.IdP) + error_message = "The idp must be either 'cognito', 'auth0', or 'keycloak'." + } +} + ################################################################################## ## database ################################################################################## diff --git a/files/tenant-samples/pooled/terraform/push-values.sh b/files/tenant-samples/pooled/terraform/push-values.sh index 8c39281a..bea8c43e 100644 --- a/files/tenant-samples/pooled/terraform/push-values.sh +++ b/files/tenant-samples/pooled/terraform/push-values.sh 
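Review bot: The validation on `IdP` accepts `"keycloak"`, but nothing in this change creates keycloak values templates, local files or ArgoCD applications — every new resource is gated on `"cognito"` or `"auth0"` — so a keycloak tenant passes validation and silently produces nothing. Either narrow the list until it is implemented, `condition = contains(["cognito", "auth0"], var.IdP)`, or keep it and state in `description` that keycloak is reserved and not yet provisioned. The identical block is added to `files/tenant-samples/pooled/terraform/variables.tf` in the next hunk; the two lists will need to be kept in step by hand.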
@@ -43,12 +43,23 @@ git clone "${GITHUB_REPO_URL}" || { echo "Failed to clone GitHub repository"; ex cd "${NAMESPACE}-saas-management-repository" || { echo "Failed to change directory to cloned repository"; exit 1; } # Copy tenant values.yaml to silo directory -if [ -d "../output" ]; then - cp -r ../output/* onboarded-tenants/pooled/application/ || { echo "Failed to copy files"; exit 1; } +# if [ -d "../output" ]; then +# cp -r ../output/* onboarded-tenants/pooled/application/ || { echo "Failed to copy files"; exit 1; } +# else +# echo "'output' folder does not exist. Skipping file copy." +# fi + +if [ -d "../output/cognito" ]; then + cp -r ../output/cognito/* onboarded-tenants/pooled/application/cognito/ || { echo "Failed to copy cognito files"; exit 1; } else - echo "'output' folder does not exist. Skipping file copy." + echo "'cognito' folder does not exist. Skipping cognito file copy." fi +if [ -d "../output/auth0" ]; then + cp -r ../output/auth0/* onboarded-tenants/pooled/application/auth0/ || { echo "Failed to copy auth0 files"; exit 1; } +else + echo "'auth0' folder does not exist. Skipping auth0 file copy." +fi # Copy tenant specific tfvars and config file to repository cp -r ../*.tfvars onboarded-tenants/pooled/infra/terraform/ || { echo "Failed to copy files"; exit 1; } diff --git a/files/tenant-samples/pooled/terraform/tfvariables.txt b/files/tenant-samples/pooled/terraform/tfvariables.txt index eab15fce..dcbab025 100644 --- a/files/tenant-samples/pooled/terraform/tfvariables.txt +++ b/files/tenant-samples/pooled/terraform/tfvariables.txt @@ -16,6 +16,7 @@ tenant_client_secret = "${TF_VAR_tenant_client_secret}" alb_url = "${TF_VAR_alb_url}" user_callback_secret = "${TF_VAR_user_callback_secret}" tenant_tier = "${TF_VAR_tenant_tier}" +IdP = "${TF_VAR_IdP}" diff --git a/files/tenant-samples/pooled/terraform/variables.tf b/files/tenant-samples/pooled/terraform/variables.tf index 64e4b7f1..111d6504 100644 
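Review bot: The old copy block is kept as five commented-out lines rather than deleted; git history already preserves it, and a dead block next to its replacement will confuse the next reader. `cp -r ../output/cognito/* onboarded-tenants/pooled/application/cognito/` also assumes the destination directory already exists in the freshly cloned repository, and the unquoted glob passes a literal `*` to `cp` when `../output/cognito` is empty, which trips the failure branch; `mkdir -p onboarded-tenants/pooled/application/cognito` before the copy plus `shopt -s nullglob` (or an explicit emptiness check) makes the step deterministic. The same applies to the auth0 branch below it.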
--- a/files/tenant-samples/pooled/terraform/variables.tf +++ b/files/tenant-samples/pooled/terraform/variables.tf @@ -26,6 +26,16 @@ variable "tenant_id" { description = "Tenat unique ID" } +variable "IdP" { + type = string + description = "Tenant Identity Provider" + default = "cognito" + validation { + condition = contains(["cognito", "auth0", "keycloak"], var.IdP) + error_message = "The idp must be either 'cognito', 'auth0', or 'keycloak'." + } +} + variable "domain_name" { description = "Enter Defeault Redirect URL" type = string diff --git a/files/tenant-samples/silo/buildspec.yaml b/files/tenant-samples/silo/buildspec.yaml index 2d99ca1f..7d2d3ecd 100644 --- a/files/tenant-samples/silo/buildspec.yaml +++ b/files/tenant-samples/silo/buildspec.yaml @@ -48,11 +48,13 @@ phases: - export TENANT_ADMIN_EMAIL=$(echo $tenant | jq -r '.contacts[] | select(.isPrimary == true) | .email') - export USERNAME=$(echo $tenant | jq -r '.key') - export KEY=$(echo $tenant | jq -r '.key') + - export IdP=$(echo $tenant | jq -r '.identityProvider') - export TIER=$(echo "${tier}" | tr '[:upper:]' '[:lower:]') # Exporting Webhook Envs - export API_ENDPOINT="${CONTROL_PLANE_HOST}/tenant-mgmt-facade/webhook" - export REDIRECT_URL="${CONTROL_PLANE_HOST}/main/home" + - export TENANT_MGMT_ENDPOINT="${CONTROL_PLANE_HOST}/tenant-mgmt-service" - export APP_PLANE_REDIRECT_URL="https://${KEY}.${DOMAIN_NAME}/home" - export USER_CALLBACK_ENDPOINT="https://${KEY}.${DOMAIN_NAME}/user-tenant-service/user-callback" - export APP_PLANE_ENDPOINT_FEATURE_SERVICE="https://${KEY}.${DOMAIN_NAME}/feature-service" 
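Review bot: `export IdP=$(echo $tenant | jq -r '.identityProvider')` yields the literal string `null` when the tenant payload has no `identityProvider` field, which is then exported as `TF_VAR_IdP="null"` in the next hunk and rejected by the new variable validation instead of falling back to the declared default `cognito`. `jq -r '.identityProvider // "cognito"'` keeps the default meaningful, and `"$tenant"` should be quoted in the `echo` as the other lines do not. Only TIER is lower-cased in this hunk, so a mixed-case value such as `Auth0` would also fail validation unless normalised the same way.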
@@ -80,6 +82,7 @@ phases: - export TF_VAR_jwt_issuer="${KEY}" - export TF_VAR_rds_instance_allocated_storage="${POSTGRES_SIZE}" - export TF_VAR_karpenter_instance_category="${INSTANCE_CATEGORY}" + - export TF_VAR_IdP="${IdP}" - export TF_VAR_tenant_client_id="${KEY}"-$(echo "$TENANT_ID" | cut -c 10-)-"${TENANT_CLIENT_ID}" - export TF_VAR_tenant_client_secret=$(echo "$TENANT_ID" | cut -c 10-)-"${TENANT_CLIENT_SECRET}" - export ALB_DNS=$(aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application`] | [0].DNSName' --output text) @@ -105,15 +108,14 @@ phases: - export TF_KEY=${KEY}/${KEY}.tfstate - envsubst < config.txt > config.${KEY}.hcl - envsubst ${KEY}.tfvars - # Run Terraform to create infra and apply helm - terraform init --backend-config=config.${KEY}.hcl - terraform apply --var=canary_enabled=false -auto-approve # as tenant application is not up so canary will be run afterwards - chmod +x push-values.sh - ./push-values.sh # push values to tenant management gitops repository - kubectl apply -f argocd-application.yaml --namespace argocd || true - - sleep 240 # waiting time to spin up tenant pods - - terraform apply -auto-approve --refresh=false # refresh is false to avoid API hitting + - sleep 300 # waiting time to spin up tenant pods + #- terraform apply -auto-approve --refresh=false # refresh is false to avoid API hitting - kubectl apply -f argo-workflow.yaml --namespace argo-workflows || true finally: - node $WEBHOOK_PATH diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/.helmignore b/files/tenant-samples/silo/tenant-helm-chart/auth0/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/.helmignore 
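Review bot: The second `terraform apply -auto-approve --refresh=false` is commented out rather than removed, leaving no step that reconciles state after the tenant pods come up; the first apply runs with `--var=canary_enabled=false`, so if the intent is that this is now final, say so in a comment, otherwise the canary is never enabled. Dropping the dead line keeps the buildspec readable. The `sleep 300` followed by `kubectl apply -f argo-workflow.yaml ... || true` still masks failures; a bounded `kubectl wait`/`rollout status` loop would fail the build on a real error instead of passing with nothing deployed.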
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/Chart.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/Chart.yaml new file mode 100644 index 00000000..fc389922 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: helm +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" 
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/README.md b/files/tenant-samples/silo/tenant-helm-chart/auth0/README.md new file mode 100644 index 00000000..524ebf64 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/README.md @@ -0,0 +1 @@ +# ARC-SAAS Application Plane Helm \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/_helpers.tpl b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/_helpers.tpl new file mode 100644 index 00000000..69baf8f2 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "helm.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "helm.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "helm.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "helm.labels" -}} +helm.sh/chart: {{ include "helm.chart" . }} +{{ include "helm.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "helm.selectorLabels" -}} +app: {{ include "helm.name" . }} + +{{- end }} + + +{{/* +Configuring .dockerconfigjson +*/}} +{{- define "imagePullSecret" }} +{{- with .Values.imagePullSecret }} +{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }} +{{- end }} +{{- end }} + 
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml new file mode 100644 index 00000000..a450cce3 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/authentication-service-deployment.yaml 
@@ -0,0 +1,249 @@ +{{- if .Values.authenticationService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-authentication-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.authenticationService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-authentication-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/authentication-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: authentication-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.authenticationService.pullPolicy }} + resources: + {{- toYaml .Values.authenticationService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/authentication-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/authentication-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ 
.Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . }}-authentication-service + image: {{ .Values.authenticationService.repository }}:{{ .Values.authenticationService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-authentication-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: AUTHENTICATION_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: FEATURE_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: FEATURE_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: FEATURE_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: FEATURE_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: FEATURE_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: FEATURE_DB_DATABASE + - name: FEATURE_DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + 
secretKeyRef: + name: api-token + key: JWT_ISSUER + - name: AUTH0_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: AUTH0_CLIENT_SECRET +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + silo-node: {{ .Values.tier }}-{{ .Values.tenant }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.authenticationService.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.authenticationService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-authentication-service + labels: + app: {{ include "helm.fullname" . }} + component: authentication-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-authentication-service + minReplicas: {{ .Values.authenticationService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.authenticationService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.authenticationService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.authenticationService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-authentication-service + labels: + app: {{ include "helm.fullname" . 
}} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.authenticationService.service.type }} + ports: + - port: {{ .Values.authenticationService.service.port }} + targetPort: {{ .Values.authenticationService.service.targetPort }} + protocol: {{ .Values.authenticationService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: authentication-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/authorization-policy.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/authorization-policy.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/authorization-policy.yaml rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/authorization-policy.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml new file mode 100644 index 00000000..a1cfd761 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-authentication-service.yaml 
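Review bot: `REDIS_PASSWORD` is hard-coded to `value: ""` while every other datastore credential in this container comes from the `api-token` secret; if the tenant Redis is intentionally unauthenticated that should be an explicit value (`.Values.authenticationService.redis_password`, or a `REDIS_PASSWORD` key on the secret), not a literal in the template, and `REDIS_URL` is populated from the `REDIS_HOST` key, which looks like a copy slip. The Deployment's `selector.matchLabels` is only `app: {{ include "helm.fullname" . }}` although the pod template and the Service add `component: authentication-service`; if the sibling service deployments in this chart use the same selector, their ReplicaSets overlap and Kubernetes' behaviour is undefined — adding `component: authentication-service` to `matchLabels` isolates it. This hunk is the whole new file.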
@@ -0,0 +1,19 @@
+{{- if .Values.authenticationService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-authentication-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.authenticationService.port }}'
+ NODE_ENV: '{{ .Values.authenticationService.node_env }}'
+ LOG_LEVEL: '{{ .Values.authenticationService.log_level }}'
+ BASE_PATH: '{{ .Values.authenticationService.base_path }}'
+ DB_SSL: '{{ .Values.authenticationService.db_ssl }}'
+ AUTH0_DOMAIN: "dev-db7dz4wg6ccbguer.us.auth0.com"
+ AUTH0_CLIENT_ID: "pluqd6RqaLilAn7p1kUFkNo20bxuwUK5"
+ AUTH0_CALLBACK_URL: "https://{{ .Values.hostname }}/authentication-service/auth/auth0-auth-redirect"
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/cm-feature-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-feature-service.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/cm-feature-service.yaml
rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-feature-service.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-frontend-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-frontend-service.yaml
new file mode 100644
index 00000000..13352de3
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-frontend-service.yaml
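Review bot: `AUTH0_DOMAIN: "dev-db7dz4wg6ccbguer.us.auth0.com"` and `AUTH0_CLIENT_ID: "pluqd6RqaLilAn7p1kUFkNo20bxuwUK5"` hard-wire one specific Auth0 tenant into a template that is rendered for every silo tenant, so all tenants share a single IdP application and changing environments means editing the chart; the control-plane ConfigMaps in this same change read these from values (`.Values.tenantMgmtService.auth0_domain` / `auth0_client_id`). Use `AUTH0_DOMAIN: '{{ .Values.authenticationService.auth0_domain }}'` and `AUTH0_CLIENT_ID: '{{ .Values.authenticationService.auth0_client_id }}'` and populate them from the Terraform values template. A client ID is not a secret, but a live `dev-` tenant identifier committed to a sample repository is still worth retiring once the value is parameterised.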
@@ -0,0 +1,26 @@
+{{- if .Values.frontend.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-frontend
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ env: |-
+ {
+ "baseApiUrl": "https://{{ .Values.hostname }}",
+ "authApiBaseUrl": "https://{{ .Values.hostname }}/authentication-service",
+ "notificationApiBaseUrl" :"https://{{ .Values.hostname }}/notification-service",
+ "homePath": "{{ .Values.frontend.home_path }}",
+ "videoApiBaseUrl": "https://{{ .Values.hostname }}/video-confrencing-service",
+ "notificationChannelUuid": "9f7360f6-5c1a-4354-ad68-0e62b2a1200b",
+ "chatChannelUuid": "ad0cac27-972e-4b69-9188-3685f7eeb8bb",
+ "vonageApiKey": "47793071",
+ "logLevel": "{{ .Values.frontend.log_level }}",
+ "clientId": "{{ .Values.clientId }}",
+ "clientSecret": "{{ .Values.publicKey }}",
+ "loginTitle": "Welcome to the Telemed App"
+ }
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-notification-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-notification-service.yaml
new file mode 100644
index 00000000..87d683da
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-notification-service.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.notificationService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-notification-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.notificationService.port }}'
+ NODE_ENV: '{{ .Values.notificationService.node_env }}'
+ LOG_LEVEL: '{{ .Values.notificationService.log_level }}'
+ BASE_PATH: '{{ .Values.notificationService.base_path }}'
+ DB_SSL: '{{ .Values.notificationService.db_ssl }}'
+{{- end}}
\ No newline at end of file
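Review bot: The `env` JSON handed to the frontend carries `"clientSecret": "{{ .Values.publicKey }}"`; a frontend ConfigMap is normally served to the browser, so whatever `publicKey` holds becomes visible to every user, and the migration job in this change passes the same value as `TENANT_CLIENT_SECRET`, so it is treated as a secret in at least one place — confirm which it is and, if it is a secret, drop it from this ConfigMap. `vonageApiKey`, the two channel UUIDs and `loginTitle` are constants of one deployment baked into a template that every auth0 silo tenant renders, and the same `VONAGE_API_KEY: '47793071'` is hard-coded in `cm-video-confrencing-service.yaml` further down; moving them to values (`.Values.frontend.vonage_api_key`, …) keeps tenants from all sharing one Vonage account.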
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-user-tenant-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-user-tenant-service.yaml
new file mode 100644
index 00000000..e429bc25
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-user-tenant-service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.userTenantService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-user-tenant-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.userTenantService.port }}'
+ NODE_ENV: '{{ .Values.userTenantService.node_env }}'
+ LOG_LEVEL: '{{ .Values.userTenantService.log_level }}'
+ BASE_PATH: '{{ .Values.userTenantService.base_path }}'
+ ADMIN_USER_TENANT_ID: '{{ .Values.adminUserTenantId }}'
+ USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'
+ DB_SSL: '{{ .Values.userTenantService.db_ssl }}'
+ AWS_REGION: '{{ .Values.region }}'
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-video-confrencing-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-video-confrencing-service.yaml
new file mode 100644
index 00000000..df67fa42
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/cm-video-confrencing-service.yaml
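Review bot: `USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'` puts a shared secret into a ConfigMap, which is readable by anyone with `get configmaps` in the tenant namespace and shows up in `helm get values` and ArgoCD diffs; the other secrets in this chart are mounted from the `api-token` Secret via the secrets-store CSI volume. Move it to a `secretKeyRef` on the user-tenant-service Deployment, or at least into a Kubernetes Secret, and keep this ConfigMap for non-sensitive settings. The Deployment for this service is not in the visible hunks, so the wiring cannot be checked here.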
@@ -0,0 +1,17 @@
+{{- if .Values.videoConfrencingService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-video-confrencing-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.videoConfrencingService.port }}'
+ NODE_ENV: '{{ .Values.videoConfrencingService.node_env }}'
+ LOG_LEVEL: '{{ .Values.videoConfrencingService.log_level }}'
+ BASE_PATH: '{{ .Values.videoConfrencingService.base_path }}'
+ DB_SSL: '{{ .Values.videoConfrencingService.db_ssl }}'
+ VONAGE_API_KEY: '47793071'
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/feature-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/feature-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/feature-service-deployment.yaml
rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/feature-service-deployment.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/frontend-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/frontend-service-deployment.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/frontend-service-deployment.yaml
rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/frontend-service-deployment.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/gateway.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/gateway.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/gateway.yaml
rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/gateway.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml new file mode 100644 index 00000000..41410f15 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/hooks/migration-job.yaml 
@@ -0,0 +1,160 @@ +{{- if .Values.migrationJob.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ template "helm.fullname" . }}-migration-job" + annotations: + argocd.argoproj.io/hook: PostSync +spec: + backoffLimit: 20 + activeDeadlineSeconds: 600 + ttlSecondsAfterFinished: 3600 + parallelism: 1 + completions: 1 + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets + restartPolicy: 'OnFailure' + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} + containers: + - name: init + image: {{ .Values.migrationJob.repository }}:{{ .Values.migrationJob.tag }} + imagePullPolicy: {{ .Values.migrationJob.pullPolicy }} + resources: +{{ toYaml .Values.migrationJob.resources | indent 10 }} + command: ["/bin/sh", "-c"] + args: ["cd packages/migrations; npm run db:migrate"] + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + env: + - name: AUTH_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: AUTH_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: AUTH_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: AUTH_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: AUTH_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: AUTHENTICATION_SERVICE_DB_DATABASE + - name: FEATURE_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: FEATURE_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: FEATURE_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: FEATURE_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: 
FEATURE_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: FEATURE_DB_DATABASE + - name: NOTIF_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: NOTIF_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: NOTIF_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: NOTIF_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: NOTIF_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: NOTIFICATION_SERVICE_DB_DATABASE + - name: VIDEO_DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: VIDEO_DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: VIDEO_DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: VIDEO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: VIDEO_DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE + + - name: TENANT_NAME + value: {{ .Values.tenantName }} + - name: TENANT_KEY + value: {{ .Values.tenantKey }} + - name: TENANT_SECRET + value: {{ .Values.tenantSecret }} + - name: TENANT_EMAIL + value: {{ .Values.tenantEmail }} + - name: TENANT_CLIENT_ID + value: {{ .Values.clientId }} + - name: TENANT_CLIENT_SECRET + value: {{ .Values.publicKey }} + - name: ADMIN_USER_TENANT_ID + value: {{ .Values.adminUserTenantId }} + - name: REDIRECT_URL + value: "https://{{ .Values.hostname }}/{{ .Values.frontend.home_path }}" +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/imagePullSecret.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/imagePullSecret.yaml new file mode 100644 index 00000000..d40fa6ab --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/imagePullSecret.yaml 
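Review bot: `TENANT_SECRET`, `TENANT_CLIENT_SECRET` and `ADMIN_USER_TENANT_ID` are injected as plain `value:` entries from values, while the database credentials in the same container go through `secretKeyRef` against `api-token`; plain env values are visible in the Job spec to anyone who can read Jobs or Pods and in ArgoCD's resource view. Route them through the same Secret, `valueFrom: secretKeyRef: {name: api-token, key: TENANT_SECRET}`, or a dedicated one. Unlike the deployment template in this change, `imagePullSecrets` here is not gated on `.Values.imagePullSecret.enabled`, so a tenant with it disabled references a Secret that is never created; wrap it in the same `{{- if }}`. The tenant values are also unquoted (`value: {{ .Values.tenantName }}`), so a value such as `1234` or `yes` is typed as int/bool and rejected by the API server, which expects strings — `value: {{ .Values.tenantName | quote }}`. The hunk starts in the previous line.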
@@ -0,0 +1,12 @@ +{{- if .Values.imagePullSecret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.imagePullSecret.name }} + labels: + {{- include "helm.labels" . | nindent 4 }} + component: {{ include "helm.name" . }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "imagePullSecret" . }} +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/kuberhealhty-http-checker.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/kuberhealhty-http-checker.yaml new file mode 100644 index 00000000..b793f40d --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/kuberhealhty-http-checker.yaml @@ -0,0 +1,27 @@ +apiVersion: comcast.github.io/v1 +kind: KuberhealthyCheck +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }}-http-check + namespace: kuberhealthy + labels: + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + runInterval: 5m + timeout: 10m + podSpec: + containers: + - name: main + image: kuberhealthy/http-check:latest + imagePullPolicy: IfNotPresent + env: + - name: CHECK_URL + value: "https://{{ .Values.hostname }}/" + - name: COUNT + value: "5" + - name: SECONDS + value: "1" + - name: REQUEST_TYPE + value: "GET" + - name: PASSING + value: "80" \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/notification-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/notification-service-deployment.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/notification-service-deployment.yaml rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/notification-service-deployment.yaml 
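Review bot: `image: kuberhealthy/http-check:latest` with `imagePullPolicy: IfNotPresent` pins nothing: each node runs whatever it last cached, so the check can differ between nodes and a registry-side retag becomes a supply-chain change nobody reviewed. Pin a version tag or, better, a digest, and drive it from values the way every other image in this chart is (`repository`/`tag`). The check is created in the shared `kuberhealthy` namespace under the fixed name `{{ .Values.tier }}-{{ .Values.tenant }}-http-check`, which only works if tier+tenant is unique cluster-wide; a one-line comment stating that assumption would help.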
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/provisioner.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/provisioner.yaml similarity index 97% rename from files/tenant-samples/silo/tenant-helm-chart/templates/provisioner.yaml rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/provisioner.yaml index 365db940..9c93e3ef 100644 --- a/files/tenant-samples/silo/tenant-helm-chart/templates/provisioner.yaml +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/provisioner.yaml @@ -59,6 +59,7 @@ spec: tags: Tenant: {{ .Values.tenant }} Tenant_ID: {{ .Values.tenantID }} + Project: {{ .Values.project }} diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml new file mode 100644 index 00000000..1838961c --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/secret-provider-class-and-sa.yaml 
@@ -0,0 +1,123 @@ +--- +#namespace specific service account for +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + labels: + {{- include "helm.labels" . | nindent 4 }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.arn }} + +--- +#custom resource to fetch the secrets from paramter store +apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +kind: SecretProviderClass +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets + labels: + {{- include "helm.labels" . | nindent 4 }} +spec: + provider: aws + secretObjects: + - secretName: api-token + type: Opaque + data: + - objectName: db_host + key: DB_HOST + - objectName: db_port + key: DB_PORT + - objectName: db_user + key: DB_USER + - objectName: db_password + key: DB_PASSWORD + - objectName: db_schema + key: DB_SCHEMA + - objectName: redis_host + key: REDIS_HOST + - objectName: redis_port + key: REDIS_PORT + - objectName: redis_database + key: REDIS_DATABASE + - objectName: jwt_secret + key: JWT_SECRET + - objectName: jwt_issuer + key: JWT_ISSUER + - objectName: authentication_service_db_database + key: AUTHENTICATION_SERVICE_DB_DATABASE + - objectName: feature_db_database + key: FEATURE_DB_DATABASE + - objectName: notification_service_db_database + key: NOTIFICATION_SERVICE_DB_DATABASE + - objectName: video_confrencing_service_db_database + key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE + - objectName: vonage-api-key-secret + key: VONAGE_API_KEY_SECRET + - objectName: pubnub-pub-key + key: PUBNUB_PUB_KEY + - objectName: pubnub-sub-key + key: PUBNUB_SUB_KEY + - objectName: pubnub-secret-key + key: PUBNUB_SECRET_KEY + - objectName: auth0-client-secret + key: AUTH0_CLIENT_SECRET + parameters: +# region: us-west-2 + objects: | + - objectName: {{ .Values.dbhost }} + objectType: ssmparameter + objectAlias: db_host + - objectName: {{ .Values.dbport }} + objectType: ssmparameter + objectAlias: db_port + - objectName: {{ .Values.dbuser }} + objectType: 
ssmparameter + objectAlias: db_user + - objectName: {{ .Values.dbpassword }} + objectType: ssmparameter + objectAlias: db_password + - objectName: {{ .Values.dbschema }} + objectType: ssmparameter + objectAlias: db_schema + - objectName: {{ .Values.redishost }} + objectType: ssmparameter + objectAlias: redis_host + - objectName: {{ .Values.redisport }} + objectType: ssmparameter + objectAlias: redis_port + - objectName: {{ .Values.redisdatabase }} + objectType: ssmparameter + objectAlias: redis_database + - objectName: {{ .Values.jwtsecret }} + objectType: ssmparameter + objectAlias: jwt_secret + - objectName: {{ .Values.jwtissuer }} + objectType: ssmparameter + objectAlias: jwt_issuer + - objectName: {{ .Values.authenticationdbdatabase }} + objectType: ssmparameter + objectAlias: authentication_service_db_database + - objectName: {{ .Values.featuredbdatabase }} + objectType: ssmparameter + objectAlias: feature_db_database + - objectName: {{ .Values.notificationdbdatabase }} + objectType: ssmparameter + objectAlias: notification_service_db_database + - objectName: {{ .Values.videoconfrencingdbdatabase }} + objectType: ssmparameter + objectAlias: video_confrencing_service_db_database + - objectName: {{ .Values.vonageSecret }} + objectType: ssmparameter + objectAlias: vonage-api-key-secret + - objectName: {{ .Values.pubnubPubKey }} + objectType: ssmparameter + objectAlias: pubnub-pub-key + - objectName: {{ .Values.pubnubSubKey }} + objectType: ssmparameter + objectAlias: pubnub-sub-key + - objectName: {{ .Values.pubnubSecretKey }} + objectType: ssmparameter + objectAlias: pubnub-secret-key + - objectName: {{ .Values.auth0ClientSecret }} + objectType: ssmparameter + objectAlias: auth0-client-secret \ No newline at end of file 
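Review bot: `secretObjects` mirrors every mounted parameter — DB password, `jwt_secret`, the PubNub secret key, `auth0-client-secret` — into a plain Kubernetes Secret named `api-token`, so the values also live in etcd and are readable by any principal with `get secrets` in the tenant namespace, which undercuts the point of fetching them through the CSI driver. If the workloads genuinely need them as env vars, keep the sync but scope namespace RBAC accordingly and say so in the comment above `secretObjects`; otherwise drop the sync and read them from the `/mnt/api-token` mount. The single ServiceAccount `{{ .Values.tier }}-{{ .Values.tenant }}` with `eks.amazonaws.com/role-arn` is shared by the migration job and every service in this chart, so all of them get the same AWS role — worth a comment if that is deliberate, or a per-service SA if the role is broad. `secrets-store.csi.x-k8s.io/v1alpha1` is the oldest API version; if the cluster's driver supports `v1`, prefer it (the control-plane SPC in this same change can be checked for consistency). The object aliases mix `snake_case` (`db_host`) and `kebab-case` (`auth0-client-secret`); pick one, since these names are also the keys consumers look up.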
diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml new file mode 100644 index 00000000..1a0c5174 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/user-tenant-service-deployment.yaml 
@@ -0,0 +1,214 @@ +{{- if .Values.userTenantService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.userTenantService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-user-tenant-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/user-tenant-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: user-tenant-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.userTenantService.pullPolicy }} + resources: + {{- toYaml .Values.userTenantService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/user-tenant-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/user-tenant-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + 
name: {{ include "helm.fullname" . }}-user-tenant-service + image: {{ .Values.userTenantService.repository }}:{{ .Values.userTenantService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-user-tenant-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: AUTHENTICATION_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + silo-node: {{ .Values.tier }}-{{ .Values.tenant }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.userTenantService.affinity }} + affinity: +{{ toYaml . 
| indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.userTenantService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + component: user-tenant-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-user-tenant-service + minReplicas: {{ .Values.userTenantService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.userTenantService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.userTenantService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.userTenantService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.userTenantService.service.type }} + ports: + - port: {{ .Values.userTenantService.service.port }} + targetPort: {{ .Values.userTenantService.service.targetPort }} + protocol: {{ .Values.userTenantService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: user-tenant-service +--- +{{- end }} \ No newline at end of file 
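Review bot: The Deployment's `selector.matchLabels` is only `app: {{ include "helm.fullname" . }}`, while the pod template and the Service selector further down also carry `component: user-tenant-service`; every other service Deployment in this chart stamps the same `app` label on its pods, so Deployment selectors overlap and controllers can fight over ReplicaSets. Add `component: user-tenant-service` to `matchLabels` (the selector is immutable on an existing Deployment, so this needs a recreate). `podSecurityContext` and `securityContext` are declared in values.yaml but never referenced in this template, so the commented hardening there has no effect — wire them in with `securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}` at pod level and `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` on the container. `REDIS_PASSWORD` is hard-coded to `""`, so the service talks to Redis unauthenticated; if that is intended because Redis is network-isolated, say so in a comment, otherwise source it from `api-token` like the other credentials. `REDIS_URL` is filled from the `REDIS_HOST` key, which looks like a copy-paste; confirm the service expects a bare host there.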
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/video-confrencing-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/video-confrencing-service-deployment.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/video-confrencing-service-deployment.yaml rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/video-confrencing-service-deployment.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/virtual-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/auth0/templates/virtual-service.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/virtual-service.yaml rename to files/tenant-samples/silo/tenant-helm-chart/auth0/templates/virtual-service.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/auth0/values.yaml.template b/files/tenant-samples/silo/tenant-helm-chart/auth0/values.yaml.template new file mode 100644 index 00000000..8eb5a59a --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/auth0/values.yaml.template 
@@ -0,0 +1,373 @@ +# Default values for helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +strategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 +app: + url: "" + basePath: "" +livenessProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 7 +readinessProbe: + enabled: false + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + +frontend: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-ui + pullPolicy: Always + tag: "0.0.5" + log_level: "info" + home_path: "/home" + replicaCount: 1 + affinity: {} + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "2" + Service: + type: NodePort + port: 80 + targetPort: 80 + protocol: TCP + extraAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "3000" + sidecar.istio.io/inject: "false" + enabled: "1" + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 20 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + + +#Services +#featureService +featureService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-feature-toggle-service + pullPolicy: Always + tag: "0.0.2" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + timestamp_tolerance: 300 + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /feature-service + +#authenticationService +authenticationService: + enabled: true 
+ repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-authentication-service + pullPolicy: Always + tag: "0.0.3" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /authentication-service + +#notificationService +notificationService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-notification-service + pullPolicy: Always + tag: "0.0.3" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /notification-service + +#userTenantService +userTenantService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-user-tenant-service + pullPolicy: Always + tag: "0.0.4" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + 
maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /user-tenant-service + +videoConfrencingService: + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-video-conferencing-service + pullPolicy: Always + tag: "0.0.2" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + db_ssl: false + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "2048Mi" + cpu: "1" + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 75 + targetMemoryUtilizationPercentage: 80 + base_path: /video-confrencing-service + +#migrationJob +migrationJob: +#enable it when correct image has been provided + enabled: true + repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-migration + pullPolicy: Always + tag: "0.0.1" + replicaCount: 1 + port: 3000 + node_env: "production" + log_level: "info" + affinity: {} + allowed_origins: "*" + imagePullPolicy: + enabled: "yes" + name: regcred + service: + type: NodePort + port: 3000 + targetPort: 3000 + protocol: TCP + +##Common env's + +#Common URL'S + +imagePullSecret: +#enable it and pass the correct parameters below + enabled: false + name: regcred + registry: https://index.docker.io/v1/ + username: '' + password: '' + email: sfdevops@sourcefuse.com + +nameOverride: "" + +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +extraAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "3000" + sidecar.istio.io/inject: "true" + enabled: "1" + +nodeSelector: {} + +tolerations: + - effect: NoSchedule + key: silo-node + operator: Equal + value: ${TENANT_KEY} + +affinity: {} + +#Migration Job Variable +tenantKey: ${TENANT_KEY} +tenantName: ${TENANT_NAME} +tenantSecret: ${TENANT_SECRET} +tenantID: ${TENANT_ID} +tenantEmail: ${TENANT_EMAIL} +adminUserTenantId: "b439829b-57e7-49d8-bb23-8ccb2ca56435" +userCallbackSecret: ${USER_CALLBACK_SECRET} + +# Frontend variable +clientId: ${TENANT_CLIENT_ID} +publicKey: ${TENANT_CLIENT_SECRET} + +tier: ${TIER} +namespace: ${NAMESPACE} +project: ${PROJECT} +region: ${REGION} +karpenterRoleName: ${KARPENTER_ROLE} +eksClusterName: ${EKS_CLUSTER_NAME} +hostname: ${TENANT_HOST_NAME} +tenant: ${TENANT_KEY} +arn: ${WEB_IDENTITY_ROLE_ARN} +dbhost: ${DB_HOST} +dbport: ${DB_PORT} +dbuser: ${DB_USER} +dbpassword: ${DB_PASSWORD} +dbschema: ${DB_SCHEMA} +redishost: ${REDIS_HOST} +redisport: ${REDIS_PORT} +redisdatabase: ${REDIS_DATABASE} +jwtsecret: ${JWT_SECRET} +jwtissuer: ${JWT_ISSUER} +authenticationdbdatabase: ${AUTH_DATABASE} +featuredbdatabase: ${FEATURE_DATABASE} +notificationdbdatabase: ${NOTIFICATION_DATABASE} 
+videoconfrencingdbdatabase: ${VIDEO_CONFRENCING_DATABASE} +instance_category: ${INSTANCE_CATEGORY} + +# pubnub config +vonageSecret: /pubnub/vonage-api-key-secret +pubnubPubKey: /pubnub/public-key +pubnubSubKey: /pubnub/subscribe-key +pubnubSecretKey: /pubnub/secret-key +auth0ClientSecret: /sf-arc-saas/dev/auth0-client-secret \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/.helmignore b/files/tenant-samples/silo/tenant-helm-chart/cognito/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/Chart.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/Chart.yaml new file mode 100644 index 00000000..fc389922 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/Chart.yaml 
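Review bot: `auth0ClientSecret: /sf-arc-saas/dev/auth0-client-secret` at the bottom is a hard-coded, environment-specific SSM path while every other parameter path is a `${…}` substitution, so a tenant rendered for any other environment or project will mount the dev Auth0 client secret — or fail if its role cannot read it. Parameterise it like the others, e.g. `auth0ClientSecret: ${AUTH0_CLIENT_SECRET}`, and consider the same for the `/pubnub/*` paths if they are meant to differ per environment. Every service sets `allowed_origins: "*"` alongside `node_env: "production"` and `db_ssl: false`; a wildcard CORS origin and plaintext DB connections are only reasonable for a local sample, so either default them to the tenant hostname / `true` or add a comment marking them as sample-only defaults. `publicKey: ${TENANT_CLIENT_SECRET}` stores a client secret under a key named `publicKey`, and `tenantSecret`/`userCallbackSecret` likewise end up in the rendered values file; keep secrets out of values entirely (SSM via the SecretProviderClass, as `auth0ClientSecret` already does) rather than templating them in. `imagePullPolicy: enabled: "yes"` under each service is a string that nothing visible reads and shadows the real `imagePullSecret.enabled` flag; drop it or rename it.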
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: helm +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/README.md b/files/tenant-samples/silo/tenant-helm-chart/cognito/README.md new file mode 100644 index 00000000..524ebf64 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/README.md @@ -0,0 +1 @@ +# ARC-SAAS Application Plane Helm \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/_helpers.tpl b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/_helpers.tpl new file mode 100644 index 00000000..69baf8f2 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "helm.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "helm.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "helm.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "helm.labels" -}} +helm.sh/chart: {{ include "helm.chart" . }} +{{ include "helm.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "helm.selectorLabels" -}} +app: {{ include "helm.name" . }} + +{{- end }} + + +{{/* +Configuring .dockerconfigjson +*/}} +{{- define "imagePullSecret" }} +{{- with .Values.imagePullSecret }} +{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }} +{{- end }} +{{- end }} + 
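Review bot: The `imagePullSecret` helper builds `.dockerconfigjson` with `printf` and never JSON-escapes `.username`, `.password`, `.email` or `.registry`, so a registry password containing `"` or `\` (common in generated tokens) yields an invalid document and every pull fails with an opaque kubelet error. Build the structure and let `toJson` do the escaping: `{{- $auth := printf "%s:%s" .username .password | b64enc }}`, `{{- $entry := dict "username" .username "password" .password "email" .email "auth" $auth }}`, `{{- dict "auths" (dict .registry $entry) | toJson | b64enc }}`. `helm.selectorLabels` emits `app:` followed by a stray blank line that is included into `helm.labels`; harmless, but removing it keeps the rendered label block tidy.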
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/authentication-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/authentication-service-deployment.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/authentication-service-deployment.yaml rename to files/tenant-samples/silo/tenant-helm-chart/cognito/templates/authentication-service-deployment.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/authorization-policy.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/authorization-policy.yaml new file mode 100644 index 00000000..18c94518 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/authorization-policy.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-traffic-from-cross-namespace + namespace: {{ .Values.namespace }} + labels: + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["{{ .Values.namespace }}","kube-system","prometheus-node-exporter", "adot-collector-kubeprometheus", "istio-system", "karpenter", "kubecost", "kuberhealthy", "argocd", "argo-workflows"] \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/cm-authentication-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-authentication-service.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/cm-authentication-service.yaml rename to files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-authentication-service.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-feature-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-feature-service.yaml new file mode 100644 index 00000000..8d2d0191 --- /dev/null 
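Review bot: The policy is named `deny-traffic-from-cross-namespace` but is an `ALLOW` rule with no `selector`, and its list grants every workload in `argocd`, `argo-workflows`, `kubecost`, `karpenter` and the other tooling namespaces access to all tenant services — any pod in those namespaces, not just the operator, becomes a path to tenant data. For the tooling namespaces prefer `principals:` naming the specific service accounts over whole namespaces, and add a comment noting that Istio treats an ALLOW policy with rules as deny-by-default, which is why the name still holds. The namespace check only applies to mTLS traffic reaching a sidecar; the auth0 variant's values set `sidecar.istio.io/inject: "false"` on the frontend's extraAnnotations, so if the cognito values mirror that, the frontend sits outside this policy entirely — worth stating in a comment, and pairing the policy with a STRICT `PeerAuthentication` so plaintext cannot bypass the source check.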
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-feature-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.featureService.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "helm.fullname" . }}-cm-feature-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +data: + PORT: '{{ .Values.featureService.port }}' + NODE_ENV: '{{ .Values.featureService.node_env }}' + LOG_LEVEL: '{{ .Values.featureService.log_level }}' + BASE_PATH: '{{ .Values.featureService.base_path }}' + DB_SSL: '{{ .Values.featureService.db_ssl}}' + USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}' + TIMESTAMP_TOLERANCE: '{{ .Values.featureService.timestamp_tolerance}}' + ADMIN_USER_TENANT_ID: '{{ .Values.adminUserTenantId }}' +{{- end}} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml new file mode 100644 index 00000000..13352de3 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-frontend-service.yaml 
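Review bot: `USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'` puts a shared secret into a ConfigMap, which is readable by anyone with `get configmaps` in the namespace, appears in clear text in `kubectl describe` and Argo CD, and is not covered by the etcd encryption or RBAC that gates Secrets. Keep it out of the ConfigMap: add it to the SecretProviderClass-synced `api-token` Secret (or a dedicated Secret) and expose it with `valueFrom.secretKeyRef` in the feature-service deployment, as the DB credentials already are. `ADMIN_USER_TENANT_ID` is templated from a value that defaults to a fixed UUID; if that identity is the same across every silo, a comment explaining why a control-plane ID is baked into each tenant would help the next reviewer.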
@@ -0,0 +1,26 @@ +{{- if .Values.frontend.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "helm.fullname" . }}-cm-frontend + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +data: + env: |- + { + "baseApiUrl": "https://{{ .Values.hostname }}", + "authApiBaseUrl": "https://{{ .Values.hostname }}/authentication-service", + "notificationApiBaseUrl" :"https://{{ .Values.hostname }}/notification-service", + "homePath": "{{ .Values.frontend.home_path }}", + "videoApiBaseUrl": "https://{{ .Values.hostname }}/video-confrencing-service", + "notificationChannelUuid": "9f7360f6-5c1a-4354-ad68-0e62b2a1200b", + "chatChannelUuid": "ad0cac27-972e-4b69-9188-3685f7eeb8bb", + "vonageApiKey": "47793071", + "logLevel": "{{ .Values.frontend.log_level }}", + "clientId": "{{ .Values.clientId }}", + "clientSecret": "{{ .Values.publicKey }}", + "loginTitle": "Welcome to the Telemed App" + } +{{- end}} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-notification-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-notification-service.yaml new file mode 100644 index 00000000..87d683da --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-notification-service.yaml @@ -0,0 +1,16 @@ +{{- if .Values.notificationService.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "helm.fullname" . }}-cm-notification-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +data: + PORT: '{{ .Values.notificationService.port }}' + NODE_ENV: '{{ .Values.notificationService.node_env }}' + LOG_LEVEL: '{{ .Values.notificationService.log_level }}' + BASE_PATH: '{{ .Values.notificationService.base_path }}' + DB_SSL: '{{ .Values.notificationService.db_ssl }}' +{{- end}} \ No newline at end of file 
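Review bot: `"clientSecret": "{{ .Values.publicKey }}"` ships the tenant's client secret (the values template fills `publicKey` from `${TENANT_CLIENT_SECRET}`) in the browser-facing `env` JSON, so every visitor to the app receives it; anything a SPA can read is public, and no flow that relies on it as a secret is protected. Drop the key from the frontend config and use a public client with PKCE, or, if a backend truly needs it, keep it server-side via the `api-token` Secret. `vonageApiKey`, `notificationChannelUuid` and `chatChannelUuid` are hard-coded literals in a per-tenant template, so every silo shares one Vonage account and the same PubNub channels; promote them to values so they can differ per tenant without editing the template. The JSON is assembled by string substitution, so a `hostname` or `home_path` containing `"` breaks it — emitting scalars with `toJson` (`"homePath": {{ .Values.frontend.home_path | toJson }}`) is safer.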
diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml new file mode 100644 index 00000000..e429bc25 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-user-tenant-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.userTenantService.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "helm.fullname" . }}-cm-user-tenant-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +data: + PORT: '{{ .Values.userTenantService.port }}' + NODE_ENV: '{{ .Values.userTenantService.node_env }}' + LOG_LEVEL: '{{ .Values.userTenantService.log_level }}' + BASE_PATH: '{{ .Values.userTenantService.base_path }}' + ADMIN_USER_TENANT_ID: '{{ .Values.adminUserTenantId }}' + USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}' + DB_SSL: '{{ .Values.userTenantService.db_ssl }}' + AWS_REGION: '{{ .Values.region }}' +{{- end}} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml new file mode 100644 index 00000000..df67fa42 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/cm-video-confrencing-service.yaml 
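Review bot: `USER_CALLBACK_SECRET: '{{ .Values.userCallbackSecret }}'` stores a shared secret in a ConfigMap, the same pattern as the feature-service ConfigMap, so it is readable with `get configmaps` and rendered in clear in Helm and Argo CD output. Source it from the `api-token` Secret via `secretKeyRef` in the user-tenant-service deployment and drop it from here. `AWS_REGION: '{{ .Values.region }}'` is the only AWS hint in this ConfigMap; a one-line comment naming which client in the service consumes it would save the next reader from guessing.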
@@ -0,0 +1,17 @@
+{{- if .Values.videoConfrencingService.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "helm.fullname" . }}-cm-video-confrencing-service
+ labels:
+ app: {{ include "helm.fullname" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+data:
+ PORT: '{{ .Values.videoConfrencingService.port }}'
+ NODE_ENV: '{{ .Values.videoConfrencingService.node_env }}'
+ LOG_LEVEL: '{{ .Values.videoConfrencingService.log_level }}'
+ BASE_PATH: '{{ .Values.videoConfrencingService.base_path }}'
+ DB_SSL: '{{ .Values.videoConfrencingService.db_ssl }}'
+ VONAGE_API_KEY: '47793071'
+{{- end}}
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml
new file mode 100644
index 00000000..139aabe7
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/feature-service-deployment.yaml
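Review bot: `VONAGE_API_KEY: '47793071'` is the one hard-coded entry in a ConfigMap whose every other value is templated, and the same literal is baked into the frontend config elsewhere in this diff; any second installation of the sample would silently ship this account's key. Template it, e.g. `VONAGE_API_KEY: '{{ .Values.videoConfrencingService.vonage_api_key }}'` (constructed value name — use whatever the values file defines), and keep the secret half where it already is, the `VONAGE_API_KEY_SECRET` key of the `api-token` Secret.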
@@ -0,0 +1,214 @@ +{{- if .Values.featureService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-feature-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.featureService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-feature-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/feature-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: feature-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.featureService.pullPolicy }} + resources: + {{- toYaml .Values.featureService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/feature-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/feature-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . 
}}-feature-service + image: {{ .Values.featureService.repository }}:{{ .Values.featureService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-feature-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: FEATURE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + silo-node: {{ .Values.tier }}-{{ .Values.tenant }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.featureService.affinity }} + affinity: +{{ toYaml . 
| indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.featureService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-feature-service + labels: + app: {{ include "helm.fullname" . }} + component: feature-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-feature-service + minReplicas: {{ .Values.featureService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.featureService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.featureService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.featureService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-feature-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.featureService.service.type }} + ports: + - port: {{ .Values.featureService.service.port }} + targetPort: {{ .Values.featureService.service.targetPort }} + protocol: {{ .Values.featureService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: feature-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml new file mode 100644 index 00000000..e615d8ca --- /dev/null 
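Review bot: The `REDIS_URL` env var is wired to `key: REDIS_HOST` of the `api-token` Secret, so it receives a bare host rather than a URL — presumably a copy-paste slip; either point it at a dedicated key or drop the variable. `REDIS_PASSWORD: ""` hard-codes an unauthenticated Redis, which is acceptable only if the instance is network-isolated from other tenants; sourcing it from the same Secret keeps the option of enabling auth without a chart change. The container also runs with no `securityContext`; the snippet below is the usual baseline and needs confirming against the image (the probes target port 3000, so a non-root user should be workable, and `readOnlyRootFilesystem` may need an `emptyDir` for temp files). The same three points apply verbatim to the notification-service and video-confrencing-service deployments further down in this diff.
```yaml
      containers:
        - imagePullPolicy: {{ .Values.featureService.pullPolicy }}
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: resources, probes, name, image, volumeMounts, envFrom …
          env:
            # … unchanged: DB_* and REDIS_HOST/REDIS_PORT entries …
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: api-token
                  key: REDIS_URL  # placeholder key — must also be published by the SecretProviderClass
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: api-token
                  key: REDIS_PASSWORD  # placeholder key — same caveat
            # … unchanged: REDIS_DATABASE, JWT_* entries …
```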
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/frontend-service-deployment.yaml 
@@ -0,0 +1,129 @@ +--- +#Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-frontend + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.frontend.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-frontend-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/frontend/obf/metrics +{{- if .Values.frontend.extraAnnotations }} +{{ toYaml .Values.frontend.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: frontend + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.frontend.pullPolicy }} + resources: + {{- toYaml .Values.frontend.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/frontend + port: 80 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/frontend + port: 80 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . 
}}-frontend + image: {{ .Values.frontend.repository }}:{{ .Values.frontend.tag }} + ports: + - containerPort: 80 + volumeMounts: + - name: env-var + mountPath: /usr/share/nginx/html/config.json + subPath: config.json + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + env: + - name: pubnubPublishKey + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_PUB_KEY + - name: pubnubSubscribeKey + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_SUB_KEY +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + silo-node: {{ .Values.tier }}-{{ .Values.tenant }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: env-var + configMap: + name: {{ include "helm.fullname" . }}-cm-frontend + items: + - key: env + path: config.json + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.frontend.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-frontend + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.frontend.Service.type }} + ports: + - port: {{ .Values.frontend.Service.port }} + targetPort: {{ .Values.frontend.Service.targetPort }} + protocol: {{ .Values.frontend.Service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: frontend +--- \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/gateway.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/gateway.yaml new file mode 100644 index 00000000..47f7909e --- /dev/null 
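Review bot: The frontend pod mounts the whole `{{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets` SecretProviderClass at `/mnt/api-token` and injects `pubnubPublishKey`/`pubnubSubscribeKey` from the `api-token` Secret, yet the container is an nginx static server whose configuration comes from the `config.json` ConfigMap mount; unless the image's entrypoint templates env vars into that file (not visible here), nothing consumes them, and everything the other deployments read from that Secret (`DB_PASSWORD`, `JWT_SECRET`, `PUBNUB_SECRET_KEY`) sits on the filesystem of the one internet-facing pod. Drop the `my-api-token` volume/mount and the `env:` block, or add a comment naming what reads them. `.Values.frontend.Service.type` (capital `S`) also differs from the `.service` key every other deployment uses; worth checking against values.yaml, since a missing key renders as an empty `type:`.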
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/gateway.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}
+ labels:
+ app: {{ include "helm.name" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - {{ .Values.hostname }}
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/hooks/migration-job.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/hooks/migration-job.yaml
similarity index 100%
rename from files/tenant-samples/silo/tenant-helm-chart/templates/hooks/migration-job.yaml
rename to files/tenant-samples/silo/tenant-helm-chart/cognito/templates/hooks/migration-job.yaml
diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/imagePullSecret.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/imagePullSecret.yaml
new file mode 100644
index 00000000..d40fa6ab
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/imagePullSecret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.imagePullSecret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.imagePullSecret.name }}
+ labels:
+ {{- include "helm.labels" . | nindent 4 }}
+ component: {{ include "helm.name" . }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/kuberhealhty-http-checker.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/kuberhealhty-http-checker.yaml
new file mode 100644
index 00000000..b793f40d
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/kuberhealhty-http-checker.yaml
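Review bot: The Gateway declares only an HTTP server on port 80 with no `tls` block, while everything else in this diff assumes `https://{{ .Values.hostname }}` (the frontend config, the Kuberhealthy check). If TLS terminates on a load balancer in front of the ingress gateway, a comment saying so belongs on the `servers:` entry; otherwise add an HTTPS server with `tls.mode: SIMPLE` and set `httpsRedirect: true` on the port-80 server so credentials never travel in clear text. The hostname is also a bare scalar here and in the VirtualService, `- {{ .Values.hostname }}`; quoting it, `- "{{ .Values.hostname }}"`, keeps an empty or indicator-led value from rendering as `null` or a parse error.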
@@ -0,0 +1,27 @@
+apiVersion: comcast.github.io/v1
+kind: KuberhealthyCheck
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}-http-check
+ namespace: kuberhealthy
+ labels:
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ runInterval: 5m
+ timeout: 10m
+ podSpec:
+ containers:
+ - name: main
+ image: kuberhealthy/http-check:latest
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: CHECK_URL
+ value: "https://{{ .Values.hostname }}/"
+ - name: COUNT
+ value: "5"
+ - name: SECONDS
+ value: "1"
+ - name: REQUEST_TYPE
+ value: "GET"
+ - name: PASSING
+ value: "80"
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml
new file mode 100644
index 00000000..bc90435a
--- /dev/null
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/notification-service-deployment.yaml
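Review bot: `image: kuberhealthy/http-check:latest` is an unpinned tag for a pod that runs every 5 minutes in the shared `kuberhealthy` namespace; whatever that tag points to tomorrow executes against `https://{{ .Values.hostname }}/` without any change to the chart, and `imagePullPolicy: IfNotPresent` makes the version differ per node on top of that. Pin a version, ideally an `@sha256:` digest, and consider templating it, e.g. `image: kuberhealthy/http-check:{{ .Values.kuberhealthy.http_check_tag }}` (constructed value name). `PASSING: "80"` tolerates one failure in five, which is fine if intentional but deserves a one-line comment.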
@@ -0,0 +1,229 @@ +{{- if .Values.notificationService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-notification-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.notificationService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-notification-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/notification-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . }} + component: notification-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.notificationService.pullPolicy }} + resources: + {{- toYaml .Values.notificationService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/notification-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/notification-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 
+{{- end }} + name: {{ include "helm.fullname" . }}-notification-service + image: {{ .Values.notificationService.repository }}:{{ .Values.notificationService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . }}-cm-notification-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: NOTIFICATION_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER + - name: PUBNUB_PUBLISH_KEY + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_PUB_KEY + - name: PUBNUB_SUBSCRIBE_KEY + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_SUB_KEY + - name: PUBNUB_SECRET_KEY + valueFrom: + secretKeyRef: + name: api-token + key: PUBNUB_SECRET_KEY +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + silo-node: {{ .Values.tier }}-{{ .Values.tenant }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . 
| indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.notificationService.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.notificationService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . }}-notification-service + labels: + app: {{ include "helm.fullname" . }} + component: notification-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-notification-service + minReplicas: {{ .Values.notificationService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.notificationService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.notificationService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.notificationService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-notification-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.notificationService.service.type }} + ports: + - port: {{ .Values.notificationService.service.port }} + targetPort: {{ .Values.notificationService.service.targetPort }} + protocol: {{ .Values.notificationService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . 
}} + component: notification-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/provisioner.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/provisioner.yaml new file mode 100644 index 00000000..9c93e3ef --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/provisioner.yaml @@ -0,0 +1,65 @@ +apiVersion: karpenter.sh/v1beta1 +kind: NodePool +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + annotations: + kubernetes.io/description: "NodePool to restrict the number of cpus provisioned to 100" + labels: + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + template: + metadata: + labels: + silo-node: {{ .Values.tier }}-{{ .Values.tenant }} + spec: + requirements: + - key: kubernetes.io/arch + operator: In + values: ["amd64"] + - key: kubernetes.io/os + operator: In + values: ["linux"] + - key: karpenter.sh/capacity-type + operator: In + values: ["on-demand"] + - key: karpenter.k8s.aws/instance-category + operator: In + values: + - "{{ .Values.instance_category }}" + - key: karpenter.k8s.aws/instance-generation + operator: Gt + values: ["2"] + nodeClassRef: + name: {{ .Values.tier }}-{{ .Values.tenant }} + taints: + - key: silo-node + value: {{ .Values.tenant }} + effect: NoSchedule + + limits: + cpu: 100 + memory: 1000Gi +--- +apiVersion: karpenter.k8s.aws/v1beta1 +kind: EC2NodeClass +metadata: + name: {{ .Values.tier }}-{{ .Values.tenant }} + annotations: + kubernetes.io/description: "General purpose EC2NodeClass for running Amazon Linux 2 nodes" +spec: + amiFamily: AL2 # Amazon Linux 2 + role: {{ .Values.karpenterRoleName }} + subnetSelectorTerms: + - tags: + Type: "private" + securityGroupSelectorTerms: + - tags: + "aws:eks:cluster-name": {{ .Values.eksClusterName }} + tags: + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + Project: {{ .Values.project }} + + + 
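Review bot: The EC2NodeClass sets `amiFamily: AL2` with no `amiSelectorTerms`, so Karpenter resolves the latest AL2 AMI at provisioning time and node images drift between tenants and over time; pin with `amiSelectorTerms` or add a comment stating that floating AMIs are intended. No `metadataOptions` are set either; my recollection is that the v1beta1 default hop limit is 2, which lets pods reach the node's instance-profile credentials through IMDS, so `metadataOptions: {httpTokens: required, httpPutResponseHopLimit: 1}` (constructed snippet, confirm against the Karpenter version in use) is the usual hardening. The NodePool also taints nodes with `silo-node=<tenant>:NoSchedule`, but the deployments in this diff only gain tolerations through `.Values.tolerations`; if that value is unset, the tenant's pods never schedule on their own pool, so either default it in values or render the toleration unconditionally alongside the `nodeSelector`.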
diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/secret-provider-class-and-sa.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/secret-provider-class-and-sa.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/secret-provider-class-and-sa.yaml rename to files/tenant-samples/silo/tenant-helm-chart/cognito/templates/secret-provider-class-and-sa.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/templates/user-tenant-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/user-tenant-service-deployment.yaml similarity index 100% rename from files/tenant-samples/silo/tenant-helm-chart/templates/user-tenant-service-deployment.yaml rename to files/tenant-samples/silo/tenant-helm-chart/cognito/templates/user-tenant-service-deployment.yaml diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/video-confrencing-service-deployment.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/video-confrencing-service-deployment.yaml new file mode 100644 index 00000000..db826e04 --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/video-confrencing-service-deployment.yaml 
@@ -0,0 +1,219 @@ +{{- if .Values.videoConfrencingService.enabled }} +--- +#Deployment + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "helm.fullname" . }}-video-confrencing-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + replicas: {{ .Values.videoConfrencingService.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.maxUnavailable }} + maxSurge: {{ .Values.strategy.maxSurge }} + selector: + matchLabels: + app: {{ include "helm.fullname" . }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cm-video-confrencing-service.yaml") . | sha256sum }} + prometheus.io/path: {{ .Values.app.basePath }}/video-confrencing-service/obf/metrics +{{- if .Values.extraAnnotations }} +{{ toYaml .Values.extraAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ include "helm.fullname" . 
}} + component: video-confrencing-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} + spec: + serviceAccountName: {{ .Values.tier }}-{{ .Values.tenant }} + containers: + - imagePullPolicy: {{ .Values.videoConfrencingService.pullPolicy }} + resources: + {{- toYaml .Values.videoConfrencingService.resources | nindent 12 }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.app.basePath }}/video-confrencing-service + port: 3000 + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.app.basePath }}/video-confrencing-service + port: 3000 + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} + name: {{ include "helm.fullname" . }}-video-confrencing-service + image: {{ .Values.videoConfrencingService.repository }}:{{ .Values.videoConfrencingService.tag }} + volumeMounts: + - name: my-api-token + mountPath: /mnt/api-token + readOnly: true + envFrom: + - configMapRef: + name: {{ include "helm.fullname" . 
}}-cm-video-confrencing-service + env: + - name: DB_HOST + valueFrom: + secretKeyRef: + name: api-token + key: DB_HOST + - name: DB_PORT + valueFrom: + secretKeyRef: + name: api-token + key: DB_PORT + - name: DB_USER + valueFrom: + secretKeyRef: + name: api-token + key: DB_USER + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: api-token + key: DB_PASSWORD + - name: DB_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: VIDEO_CONFRENCING_SERVICE_DB_DATABASE + - name: DB_SCHEMA + valueFrom: + secretKeyRef: + name: api-token + key: DB_SCHEMA + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PORT + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_PORT + - name: REDIS_URL + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_HOST + - name: REDIS_PASSWORD + value: "" + - name: REDIS_DATABASE + valueFrom: + secretKeyRef: + name: api-token + key: REDIS_DATABASE + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: JWT_SECRET + - name: JWT_ISSUER + valueFrom: + secretKeyRef: + name: api-token + key: JWT_ISSUER + - name: VONAGE_API_SECRET + valueFrom: + secretKeyRef: + name: api-token + key: VONAGE_API_KEY_SECRET +{{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ .Values.imagePullSecret.name }} +{{- end }} + + nodeSelector: + silo-node: {{ .Values.tier }}-{{ .Values.tenant }} +{{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} +{{- end }} + volumes: + - name: my-api-token + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: {{ .Values.tier }}-{{ .Values.tenant }}-aws-secrets +{{- with .Values.videoConfrencingService.affinity }} + affinity: +{{ toYaml . | indent 8 }} +{{- end }} + +--- +#HPA + +{{- if .Values.videoConfrencingService.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "helm.fullname" . 
}}-video-confrencing-service + labels: + app: {{ include "helm.fullname" . }} + component: video-confrencing-service + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "helm.fullname" . }}-video-confrencing-service + minReplicas: {{ .Values.videoConfrencingService.autoscaling.minReplicas }} + maxReplicas: {{ .Values.videoConfrencingService.autoscaling.maxReplicas }} + metrics: + {{- with .Values.videoConfrencingService.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.videoConfrencingService.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: AverageValue + averageValue: {{ . }} + {{- end }} +{{- end }} +--- +#Service +apiVersion: v1 +kind: Service +metadata: + name: {{ include "helm.fullname" . }}-video-confrencing-service + labels: + app: {{ include "helm.fullname" . }} + Tenant: {{ .Values.tenant }} + Tenant_ID: {{ .Values.tenantID }} +spec: + type: {{ .Values.videoConfrencingService.service.type }} + ports: + - port: {{ .Values.videoConfrencingService.service.port }} + targetPort: {{ .Values.videoConfrencingService.service.targetPort }} + protocol: {{ .Values.videoConfrencingService.service.protocol }} + name: web + selector: + app: {{ include "helm.fullname" . }} + component: video-confrencing-service +--- +{{- end }} \ No newline at end of file diff --git a/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/virtual-service.yaml b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/virtual-service.yaml new file mode 100644 index 00000000..ce50fcbe --- /dev/null +++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/templates/virtual-service.yaml 
@@ -0,0 +1,63 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Values.tier }}-{{ .Values.tenant }}
+ labels:
+ app: {{ include "helm.name" . }}
+ Tenant: {{ .Values.tenant }}
+ Tenant_ID: {{ .Values.tenantID }}
+spec:
+ hosts:
+ - {{ .Values.hostname }}
+ gateways:
+ - {{ .Values.tier }}-{{ .Values.tenant }} #create gateway with name as tenant name
+ http:
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/authentication-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-authentication-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/feature-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-feature-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/notification-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-notification-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/user-tenant-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-user-tenant-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: {{ .Values.app.basePath }}/video-confrencing-service
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-video-confrencing-service"
+ port:
+ number: 3000
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: "{{ include "helm.fullname" . }}-frontend"
+ port:
+ number: 80
\ No newline at end of file
diff --git a/files/tenant-samples/silo/tenant-helm-chart/values.yaml.template b/files/tenant-samples/silo/tenant-helm-chart/cognito/values.yaml.template
similarity index 99%
rename from files/tenant-samples/silo/tenant-helm-chart/values.yaml.template
rename to files/tenant-samples/silo/tenant-helm-chart/cognito/values.yaml.template
index e186aa95..f94b3e05 100644
--- a/files/tenant-samples/silo/tenant-helm-chart/values.yaml.template
+++ b/files/tenant-samples/silo/tenant-helm-chart/cognito/values.yaml.template @@ -63,7 +63,7 @@ featureService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-feature-toggle-service pullPolicy: Always - tag: "0.0.1" + tag: "0.0.2" replicaCount: 1 port: 3000 node_env: "production" @@ -100,7 +100,7 @@ authenticationService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-authentication-service pullPolicy: Always - tag: "0.0.2" + tag: "0.0.3" replicaCount: 1 port: 3000 node_env: "production" @@ -136,7 +136,7 @@ notificationService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-notification-service pullPolicy: Always - tag: "0.0.2" + tag: "0.0.3" replicaCount: 1 port: 3000 node_env: "production" @@ -172,7 +172,7 @@ userTenantService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-user-tenant-service pullPolicy: Always - tag: "0.0.3" + tag: "0.0.4" replicaCount: 1 port: 3000 node_env: "production" @@ -207,7 +207,7 @@ videoConfrencingService: enabled: true repository: public.ecr.aws/p1a1c8p2/sourcefuse-arc-saas-application-plane-video-conferencing-service pullPolicy: Always - tag: "0.0.1" + tag: "0.0.2" replicaCount: 1 port: 3000 node_env: "production" @@ -342,6 +342,7 @@ publicKey: ${TENANT_CLIENT_SECRET} tier: ${TIER} namespace: ${NAMESPACE} +project: ${PROJECT} region: ${REGION} cognitodomain: ${COGNITO_DOMAIN} cognitoid: ${COGNITO_ID} diff --git a/files/tenant-samples/silo/terraform/canary.tf b/files/tenant-samples/silo/terraform/canary.tf index 58e5439f..aa064d3b 100644 --- a/files/tenant-samples/silo/terraform/canary.tf +++ b/files/tenant-samples/silo/terraform/canary.tf @@ -22,7 +22,7 @@ resource "aws_synthetics_canary" "main" { schedule { expression = "rate(6 minutes)" } - + tags = module.tags.tags } data "archive_file" "canary_zip_inline" { 
diff --git a/files/tenant-samples/silo/terraform/cognito.tf b/files/tenant-samples/silo/terraform/cognito.tf index bab3cd55..cafabef3 100644 --- a/files/tenant-samples/silo/terraform/cognito.tf +++ b/files/tenant-samples/silo/terraform/cognito.tf @@ -12,10 +12,9 @@ module "cognito_domain_string" { ## Cognito User Pool ###################################################################### module "aws_cognito_user_pool" { - + enabled = var.IdP == "cognito" ? true : false source = "lgallard/cognito-user-pool/aws" version = "0.24.0" - user_pool_name = "${var.namespace}-${var.environment}-${var.tenant_tier}-${var.tenant}-cognito-user-pool" alias_attributes = var.alias_attributes auto_verified_attributes = var.auto_verified_attributes @@ -115,6 +114,7 @@ module "aws_cognito_user_pool" { ## Store Congito output to SSM parameneter store ###################################################################### module "cognito_ssm_parameters" { + count = var.IdP == "cognito" ? 1 : 0 source = "../modules/ssm-parameter" ssm_parameters = [ { @@ -145,6 +145,8 @@ module "cognito_ssm_parameters" { overwrite = "true" description = "Cognito User Pool ID" } + + # { # name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/${var.user_name}/user_sub" # value = aws_cognito_user.cognito_user.sub diff --git a/files/tenant-samples/silo/terraform/data.tf b/files/tenant-samples/silo/terraform/data.tf index a88aea3a..291029ce 100644 --- a/files/tenant-samples/silo/terraform/data.tf +++ b/files/tenant-samples/silo/terraform/data.tf 
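Review bot: `enabled = var.IdP == "cognito" ? true : false` reduces to `enabled = var.IdP == "cognito"`; the comparison is already a bool. The more consequential point is that the two modules are gated differently: `aws_cognito_user_pool` through the module's own `enabled` input, `cognito_ssm_parameters` through `count`, which turns the latter into a list and changes every attribute reference (`module.cognito_ssm_parameters.x` must become `module.cognito_ssm_parameters[0].x`); the `depends_on = [module.cognito_ssm_parameters]` lines in data.tf still work, but any output reference outside this diff will not. Gate both the same way, and if `count` is kept, add a comment on the module block noting the list semantics. The enclosing module blocks start before and end after the hunks.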
@@ -94,6 +94,7 @@ data "aws_iam_policy_document" "ssm_policy" { ] resources = ["arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/*", "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/pubnub/*", + "arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/auth0-client-secret", "arn:aws:cognito-idp:${var.region}:${local.sts_caller_arn}:*"] } } @@ -107,21 +108,25 @@ data "aws_route53_zone" "selected" { } data "aws_ssm_parameter" "cognito_domain" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/cognito_domain" depends_on = [module.cognito_ssm_parameters] } data "aws_ssm_parameter" "cognito_id" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/cognito_id" depends_on = [module.cognito_ssm_parameters] } data "aws_ssm_parameter" "cognito_secret" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/cognito_secret" depends_on = [module.cognito_ssm_parameters] } data "aws_ssm_parameter" "cognito_user_pool_id" { + count = var.IdP == "cognito" ? 1 : 0 name = "/${var.namespace}/${var.environment}/${var.tenant_tier}/${var.tenant}/cognito_user_pool_id" depends_on = [module.cognito_ssm_parameters] } diff --git a/files/tenant-samples/silo/terraform/eks.tf b/files/tenant-samples/silo/terraform/eks.tf index db5dc962..4e36909c 100644 --- a/files/tenant-samples/silo/terraform/eks.tf +++ b/files/tenant-samples/silo/terraform/eks.tf 
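Review bot: The new `parameter/${var.namespace}/${var.environment}/auth0-client-secret` ARN in `ssm_policy` is granted to every silo tenant role regardless of `var.IdP`, so Cognito tenants that never talk to Auth0 can read the one environment-wide client secret, and the policy's tenant-prefix boundary (`${var.tenant_tier}/${var.tenant}/*`) is crossed for a credential rather than for read-only data like `pubnub/*`. Gate it on the provider while keeping the list shape: `resources = concat([ ...existing ARNs... ], var.IdP == "auth0" ? ["arn:aws:ssm:${var.region}:${local.sts_caller_arn}:parameter/${var.namespace}/${var.environment}/auth0-client-secret"] : [])`. Even gated, one shared client secret readable by each tenant's role means a single compromised tenant workload holds the credential for all tenants; a per-tenant parameter under the existing tenant prefix would stay inside the boundary this policy already enforces. The `count` additions in the second hunk look correct and match the `[count.index]` dereferences in eks.tf.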
@@ -103,27 +103,26 @@ resource "kubernetes_namespace" "my_namespace" { } } -# generate tenant specific helm values.yaml file +# generate tenant specific helm values.yaml file based on IdP configuration -data "template_file" "helm_values_template" { - template = file("${path.module}/../tenant-helm-chart/values.yaml.template") +data "template_file" "cognito_helm_values_template" { + count = var.IdP == "cognito" ? 1 : 0 + template = file("${path.module}/../tenant-helm-chart/cognito/values.yaml.template") vars = { - NAMESPACE = local.kubernetes_ns - TENANT_NAME = var.tenant_name - TENANT_KEY = var.tenant - TENANT_EMAIL = var.tenant_email - TENANT_SECRET = var.tenant_secret - TENANT_ID = var.tenant_id - # COGNITO_USER = var.user_name - # COGNITO_USER_SUB = aws_cognito_user.cognito_user.sub - - TIER = var.tenant_tier + NAMESPACE = local.kubernetes_ns + PROJECT = var.namespace + TENANT_NAME = var.tenant_name + TENANT_KEY = var.tenant + TENANT_EMAIL = var.tenant_email + TENANT_SECRET = var.tenant_secret + TENANT_ID = var.tenant_id + TIER = var.tenant_tier TENANT_CLIENT_ID = var.tenant_client_id TENANT_CLIENT_SECRET = var.tenant_client_secret REGION = var.region - COGNITO_DOMAIN = data.aws_ssm_parameter.cognito_domain.name - COGNITO_ID = data.aws_ssm_parameter.cognito_id.name - COGNITO_SECRET = data.aws_ssm_parameter.cognito_secret.name + COGNITO_DOMAIN = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_domain) > 0 ? data.aws_ssm_parameter.cognito_domain[count.index].name : null + COGNITO_ID = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_id) > 0 ? data.aws_ssm_parameter.cognito_id[count.index].name : null + COGNITO_SECRET = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_secret) > 0 ? data.aws_ssm_parameter.cognito_secret[count.index].name : null KARPENTER_ROLE = var.karpenter_role EKS_CLUSTER_NAME = var.cluster_name TENANT_HOST_NAME = var.tenant_host_domain 
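Review bot: The guards `var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_domain) > 0 ? data.aws_ssm_parameter.cognito_domain[count.index].name : null` on `COGNITO_DOMAIN`, `COGNITO_ID` and `COGNITO_SECRET` are redundant: this data block only exists when `var.IdP == "cognito"` (its own `count`), the referenced data sources carry the identical `count`, and inside a `count = 1` block `count.index` is always `0`, so the `null` branch is unreachable. `COGNITO_DOMAIN = data.aws_ssm_parameter.cognito_domain[0].name` expresses the same thing; as far as I know `template_file.vars` accepts only string values, so a reachable `null` would likely have been rejected anyway — worth confirming. The same pattern appears on `COGNITO_USER_POOL_ID` in the next hunk. The `vars` map continues past the end of this hunk.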
@@ -140,24 +139,70 @@ data "template_file" "helm_values_template" { JWT_SECRET = data.aws_ssm_parameter.jwt_secret.name JWT_ISSUER = data.aws_ssm_parameter.jwt_issuer.name AUTH_DATABASE = data.aws_ssm_parameter.authenticationdbdatabase.name - FEATURE_DATABASE = data.aws_ssm_parameter.featuredbdatabase.name + FEATURE_DATABASE = data.aws_ssm_parameter.featuredbdatabase.name NOTIFICATION_DATABASE = data.aws_ssm_parameter.notificationdbdatabase.name VIDEO_CONFRENCING_DATABASE = data.aws_ssm_parameter.videoconfrencingdbdatabase.name - INSTANCE_CATEGORY = var.karpenter_instance_category - COGNITO_USER_POOL_ID = data.aws_ssm_parameter.cognito_user_pool_id.name + INSTANCE_CATEGORY = var.karpenter_instance_category + COGNITO_USER_POOL_ID = var.IdP == "cognito" && length(data.aws_ssm_parameter.cognito_user_pool_id) > 0 ? data.aws_ssm_parameter.cognito_user_pool_id[count.index].name : null } } +data "template_file" "auth0_helm_values_template" { + count = var.IdP == "auth0" ? 1 : 0 + template = file("${path.module}/../tenant-helm-chart/auth0/values.yaml.template") + vars = { + NAMESPACE = local.kubernetes_ns + PROJECT = var.namespace + TENANT_NAME = var.tenant_name + TENANT_KEY = var.tenant + TENANT_EMAIL = var.tenant_email + TENANT_SECRET = var.tenant_secret + TENANT_ID = var.tenant_id + TIER = var.tenant_tier + TENANT_CLIENT_ID = var.tenant_client_id + TENANT_CLIENT_SECRET = var.tenant_client_secret + REGION = var.region + KARPENTER_ROLE = var.karpenter_role + EKS_CLUSTER_NAME = var.cluster_name + TENANT_HOST_NAME = var.tenant_host_domain + USER_CALLBACK_SECRET = var.user_callback_secret + WEB_IDENTITY_ROLE_ARN = module.tenant_iam_role.arn + DB_HOST = data.aws_ssm_parameter.db_host.name + DB_PORT = data.aws_ssm_parameter.db_port.name + DB_USER = data.aws_ssm_parameter.db_user.name + DB_PASSWORD = data.aws_ssm_parameter.db_password.name + DB_SCHEMA = data.aws_ssm_parameter.db_schema.name + REDIS_HOST = data.aws_ssm_parameter.redis_host.name + REDIS_PORT = 
data.aws_ssm_parameter.redis_port.name + REDIS_DATABASE = data.aws_ssm_parameter.redis_database.name + JWT_SECRET = data.aws_ssm_parameter.jwt_secret.name + JWT_ISSUER = data.aws_ssm_parameter.jwt_issuer.name + AUTH_DATABASE = data.aws_ssm_parameter.authenticationdbdatabase.name + FEATURE_DATABASE = data.aws_ssm_parameter.featuredbdatabase.name + NOTIFICATION_DATABASE = data.aws_ssm_parameter.notificationdbdatabase.name + VIDEO_CONFRENCING_DATABASE = data.aws_ssm_parameter.videoconfrencingdbdatabase.name + INSTANCE_CATEGORY = var.karpenter_instance_category + } +} + +resource "local_file" "cognito_helm_values" { + count = var.IdP == "cognito" ? 1 : 0 + filename = "${path.module}/output/cognito/${var.tenant}-values.yaml" + content = data.template_file.cognito_helm_values_template[count.index].rendered +} -resource "local_file" "helm_values" { - filename = "${path.module}/output/${var.tenant}-values.yaml" - content = data.template_file.helm_values_template.rendered +resource "local_file" "auth0_helm_values" { + count = var.IdP == "auth0" ? 1 : 0 + filename = "${path.module}/output/auth0/${var.tenant}-values.yaml" + content = data.template_file.auth0_helm_values_template[count.index].rendered } + ############################################################################################### ## Register Tenant Helm App on ArgoCD ############################################################################################### -resource "local_file" "argocd_application" { +resource "local_file" "cognito_argocd_application" { + count = var.IdP == "cognito" ? 1 : 0 content = <<-EOT apiVersion: argoproj.io/v1alpha1 kind: Application 
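Review bot: `auth0_helm_values_template` repeats roughly thirty `vars` entries verbatim from `cognito_helm_values_template`, and the two blocks will drift the first time one is edited (the cognito block already had to be re-aligned in this hunk); the shared entries belong in a `locals` map that each template consumes, with the cognito block using `merge(local.common_helm_vars, { COGNITO_DOMAIN = ..., COGNITO_ID = ..., COGNITO_SECRET = ..., COGNITO_USER_POOL_ID = ... })`, as sketched below. `variable "IdP"` in this commit accepts `keycloak`, but only cognito and auth0 have a `count = 1` branch here, so a keycloak tenant gets no values file and, further down, no ArgoCD Application without any error. If `var.tenant_secret` and `var.tenant_client_secret` hold secret values rather than SSM parameter names like the `DB_*`/`REDIS_*` entries, they end up in the rendered values file that push-values.sh commits to the GitOps repository — I cannot tell from this hunk which they are. `cognito_argocd_application` starts at the end of this hunk and continues outside it.
```hcl
locals {
  # Entries shared by every IdP-specific values template; IdP-specific keys are merged in where needed.
  common_helm_vars = {
    NAMESPACE = local.kubernetes_ns
    PROJECT   = var.namespace
    # … unchanged: the remaining entries common to both templates (TENANT_*, TIER, REGION, DB_*, REDIS_*, JWT_*, *_DATABASE, INSTANCE_CATEGORY, …) …
  }
}

data "template_file" "auth0_helm_values_template" {
  count    = var.IdP == "auth0" ? 1 : 0
  template = file("${path.module}/../tenant-helm-chart/auth0/values.yaml.template")
  vars     = local.common_helm_vars
}
```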
@@ -172,7 +217,7 @@ spec: namespace: ${var.tenant_tier}-${var.tenant} server: 'https://kubernetes.default.svc' source: - path: onboarded-tenants/silo/application + path: onboarded-tenants/silo/application/cognito repoURL: 'https://${data.aws_ssm_parameter.github_user.value}@github.com/${data.aws_ssm_parameter.github_repo.value}.git' targetRevision: main helm: @@ -195,6 +240,44 @@ spec: filename = "${path.module}/argocd-application.yaml" } +resource "local_file" "auth0_argocd_application" { + count = var.IdP == "auth0" ? 1 : 0 + content = <<-EOT +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: ${var.tenant_tier}-${var.tenant} + namespace: argocd + labels: + Tenant: ${var.tenant} + Tenant_ID: ${var.tenant_id} +spec: + destination: + namespace: ${var.tenant_tier}-${var.tenant} + server: 'https://kubernetes.default.svc' + source: + path: onboarded-tenants/silo/application/auth0 + repoURL: 'https://${data.aws_ssm_parameter.github_user.value}@github.com/${data.aws_ssm_parameter.github_repo.value}.git' + targetRevision: main + helm: + valueFiles: + - ${var.tenant}-values.yaml + project: default + syncPolicy: + syncOptions: + - ApplyOutOfSyncOnly=true + retry: + limit: 2 + backoff: + duration: 5s + maxDuration: 3m0s + factor: 2 + automated: + prune: false + selfHeal: true + EOT + filename = "${path.module}/argocd-application.yaml" +} ####################################################################################### ## Register Tenant Terraform Workflow on Argo ####################################################################################### diff --git a/files/tenant-samples/silo/terraform/push-values.sh b/files/tenant-samples/silo/terraform/push-values.sh index 1072bd3e..37e5d53a 100644 --- a/files/tenant-samples/silo/terraform/push-values.sh +++ b/files/tenant-samples/silo/terraform/push-values.sh 
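Review bot: `auth0_argocd_application` is a copy of `cognito_argocd_application` that differs only in `path: onboarded-tenants/silo/application/auth0`, and both write to the same `filename = "${path.module}/argocd-application.yaml"`; one resource without `count` and with `path: onboarded-tenants/silo/application/${var.IdP}` would remove the duplication and also emit a manifest for any IdP the variable validation admits. Two copies of the sync policy and repo settings will drift the first time one is tuned. `repoURL` interpolates `data.aws_ssm_parameter.github_user.value` into the rendered manifest — if that parameter is a token rather than a plain user name, the file on disk and the GitOps repository it is pushed to carry it; this is pre-existing, but the commit now duplicates it.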
@@ -43,10 +43,21 @@ git clone "${GITHUB_REPO_URL}" || { echo "Failed to clone GitHub repository"; ex
 cd "${NAMESPACE}-saas-management-repository" || { echo "Failed to change directory to cloned repository"; exit 1; }
 
 # Copy tenant values.yaml to silo directory
-if [ -d "../output" ]; then
- cp -r ../output/* onboarded-tenants/silo/application/ || { echo "Failed to copy files"; exit 1; }
+# if [ -d "../output" ]; then
+# cp -r ../output/* onboarded-tenants/silo/application/ || { echo "Failed to copy files"; exit 1; }
+# else
+# echo "'output' folder does not exist. Skipping file copy."
+# fi
+if [ -d "../output/cognito" ]; then
+ cp -r ../output/cognito/* onboarded-tenants/silo/application/cognito/ || { echo "Failed to copy cognito files"; exit 1; }
 else
- echo "'output' folder does not exist. Skipping file copy."
+ echo "'cognito' folder does not exist. Skipping cognito file copy."
+fi
+
+if [ -d "../output/auth0" ]; then
+ cp -r ../output/auth0/* onboarded-tenants/silo/application/auth0/ || { echo "Failed to copy auth0 files"; exit 1; }
+else
+ echo "'auth0' folder does not exist. Skipping auth0 file copy."
 fi
 
 # Copy tenant specific terraform tfvars and config file to repository
diff --git a/files/tenant-samples/silo/terraform/tfvariables.txt b/files/tenant-samples/silo/terraform/tfvariables.txt
index 0de6465d..33ac917c 100644
--- a/files/tenant-samples/silo/terraform/tfvariables.txt
+++ b/files/tenant-samples/silo/terraform/tfvariables.txt
@@ -18,6 +18,7 @@ user_callback_secret = "${TF_VAR_user_callback_secret}"
 rds_instance_allocated_storage = "${TF_VAR_rds_instance_allocated_storage}"
 karpenter_instance_category = "${TF_VAR_karpenter_instance_category}"
 tenant_tier = "${TF_VAR_tenant_tier}"
+IdP = "${TF_VAR_IdP}"
diff --git a/files/tenant-samples/silo/terraform/variables.tf b/files/tenant-samples/silo/terraform/variables.tf
index 848b8db5..f7349dbf 100644
--- a/files/tenant-samples/silo/terraform/variables.tf
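Review bot: `cp -r ../output/cognito/* onboarded-tenants/silo/application/cognito/` assumes the `cognito/` (and `auth0/`) subdirectory already exists in the freshly cloned repository; if it does not, `cp` fails and the `|| { ...; exit 1; }` aborts the whole push. Create the target first, `mkdir -p onboarded-tenants/silo/application/cognito || { echo "Failed to create cognito directory"; exit 1; }`, and likewise for auth0. With `nullglob` unset, an empty `../output/cognito/` also leaves the `*` literal and `cp` fails the same way, so the `-d` test alone does not protect the copy. The superseded block is kept as five `#` lines; it is in git history and can simply be deleted.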
+++ b/files/tenant-samples/silo/terraform/variables.tf @@ -26,6 +26,15 @@ variable "tenant_id" { description = "Tenat unique ID" } +variable "IdP" { + type = string + description = "Tenant Identity Provider" + default = "cognito" + validation { + condition = contains(["cognito", "auth0", "keycloak"], var.IdP) + error_message = "The idp must be either 'cognito', 'auth0', or 'keycloak'." + } +} ################################################################################## ## database ################################################################################## diff --git a/terraform/control-plane-application/buildspec.yaml b/terraform/control-plane-application/buildspec.yaml index 28da9398..9b55882f 100644 --- a/terraform/control-plane-application/buildspec.yaml +++ b/terraform/control-plane-application/buildspec.yaml @@ -45,6 +45,15 @@ phases: - chmod +x push-helm-values.sh - ./push-helm-values.sh # push control-plane values yaml to tenant management gitops repository - kubectl apply -f control-plane-argocd-application.yaml --namespace argocd || true + - cd .. + # To run keycloak + - cd keycloak + - rm config.hcl + - sed -i 's/aws_region/${var.region}/g' config.txt + - envsubst < config.txt > config.${var.environment}.hcl + - terraform init --backend-config=config.${var.environment}.hcl + - terraform plan + - terraform apply --auto-approve post_build: commands: diff --git a/terraform/control-plane-application/data.tf b/terraform/control-plane-application/data.tf index 7cafd826..8113d7a4 100644 --- a/terraform/control-plane-application/data.tf +++ b/terraform/control-plane-application/data.tf 
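Review bot: The `validation` on `variable "IdP"` admits `keycloak`, but the tenant Terraform in this commit only branches on `cognito` and `auth0` (the `count` expressions in eks.tf), so a keycloak tenant passes validation and then silently gets neither a values file nor an ArgoCD Application. Either drop `"keycloak"` from `contains([...])` until a branch exists, or state it in the description: `description = "Tenant Identity Provider: cognito or auth0 (keycloak accepted but not yet wired up)"`. The `error_message` says `idp` while the variable is `IdP`, and the other variables in this file are snake_case; if the `TF_VAR_IdP` spelling in tfvariables.txt is not yet depended on, `idp` would be the consistent name. A blank line before the `## database` banner would match the surrounding sections.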
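Review bot: `terraform plan` followed by `terraform apply --auto-approve` applies a fresh plan, not the one just printed, so the plan step only costs build time and cannot gate anything. Use `terraform plan -out=tfplan` and `terraform apply tfplan` so the log shows exactly what was applied. `rm config.hcl` without `-f` fails the build the day that file is no longer committed, and since the next step regenerates `config.${var.environment}.hcl` from config.txt the committed copy is not needed at all. `${var.region}` and `${var.environment}` in the `sed`/`envsubst` lines only work if this buildspec is itself rendered by Terraform before CodeBuild reads it — the existing steps suggest it is, but CodeBuild would otherwise pass them through literally, so worth confirming.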
@@ -25,6 +25,10 @@ data "aws_ssm_parameter" "private_key" { data "aws_ssm_parameter" "public_key" { name = "/sf-arc-saas/dev/public-key" } + +data "aws_ssm_parameter" "auth0_client_secret" { + name = "/sf-arc-saas/dev/auth0-client-secret" +} ############################################################################ ## EKS data ############################################################################ diff --git a/terraform/control-plane-application/main.tf b/terraform/control-plane-application/main.tf index 80674a33..f3f2ea71 100644 --- a/terraform/control-plane-application/main.tf +++ b/terraform/control-plane-application/main.tf @@ -205,6 +205,7 @@ data "template_file" "helm_values_template" { FROM_EMAIL = var.from_email PRIVATE_KEY = data.aws_ssm_parameter.private_key.name PUBLIC_KEY = data.aws_ssm_parameter.public_key.name + AUTH0_CLIENT_SECRET = data.aws_ssm_parameter.auth0_client_secret.name } } diff --git a/terraform/db-ops/main.tf b/terraform/db-ops/main.tf index 45ec87c8..249b9e7e 100644 --- a/terraform/db-ops/main.tf +++ b/terraform/db-ops/main.tf @@ -77,6 +77,10 @@ module "postgresql_provider" { "feature_db" = { db_name = var.featuretoggledbdatabase allow_connections = true + }, + "keycloak_db" = { + db_name = var.keycloakdbdatabase + allow_connections = true } } @@ -147,6 +151,13 @@ module "db_ops_ssm_parameters" { type = "SecureString" overwrite = "true" description = "Feature Toggle Database Name" + }, + { + name = "/${var.namespace}/${var.environment}/keycloakdbdatabase" + value = var.keycloakdbdatabase + type = "SecureString" + overwrite = "true" + description = "Keycloak Database Name" } ] tags = module.tags.tags diff --git a/terraform/db-ops/variables.tf b/terraform/db-ops/variables.tf index 193139b7..ecfb0107 100644 --- a/terraform/db-ops/variables.tf +++ b/terraform/db-ops/variables.tf 
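Review bot: `name = "/sf-arc-saas/dev/auth0-client-secret"` hardcodes both namespace and environment, while the tenant side in this same commit (files/tenant-samples/silo/terraform/data.tf) reads `/${var.namespace}/${var.environment}/auth0-client-secret`; in any non-dev environment this lookup either fails or reads the dev secret. The neighbouring `public_key` lookup has the same hardcoding, but a new credential lookup is the place to stop the pattern: `name = "/${var.namespace}/${var.environment}/auth0-client-secret"`, assuming those variables exist in this root module as the buildspec's `${var.environment}` suggests. The `AUTH0_CLIENT_SECRET` entry in main.tf passes `.name` rather than `.value`, matching `PRIVATE_KEY`/`PUBLIC_KEY` and keeping the secret itself out of the rendered values file, which is the right choice.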
@@ -69,4 +69,9 @@ variable "tenantmgmtdbdatabase" { variable "featuretoggledbdatabase" { type = string default = "feature" +} + +variable "keycloakdbdatabase" { + type = string + default = "keycloak" } \ No newline at end of file diff --git a/terraform/eks/main.tf b/terraform/eks/main.tf index 20ba92fd..b54bab55 100644 --- a/terraform/eks/main.tf +++ b/terraform/eks/main.tf @@ -107,6 +107,7 @@ module "eks_cluster" { ] map_additional_iam_users = var.map_additional_iam_users allowed_cidr_blocks = [data.aws_vpc.vpc.cidr_block] + tags = module.tags.tags } ################################################################################# diff --git a/terraform/keycloak/.terraform-version b/terraform/keycloak/.terraform-version new file mode 100644 index 00000000..c180eb67 --- /dev/null +++ b/terraform/keycloak/.terraform-version @@ -0,0 +1 @@ +latest:^1.4 \ No newline at end of file diff --git a/terraform/keycloak/.terraform.lock.hcl b/terraform/keycloak/.terraform.lock.hcl new file mode 100644 index 00000000..623d298a --- /dev/null +++ b/terraform/keycloak/.terraform.lock.hcl 
@@ -0,0 +1,158 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.14.0" + constraints = "~> 1.14" + hashes = [ + "h1:gLFn+RvP37sVzp9qnFCwngRjjFV649r6apjxvJ1E/SE=", + "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", + "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", + "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", + "zh:39f1a0aa1d589a7e815b62b5aa11041040903b061672c4cfc7de38622866cbc4", + "zh:428d3a321043b78e23c91a8d641f2d08d6b97f74c195c654f04d2c455e017de5", + "zh:4baf5b1de2dfe9968cc0f57fd4be5a741deb5b34ee0989519267697af5f3eee5", + "zh:6131a927f9dffa014ab5ca5364ac965fe9b19830d2bbf916a5b2865b956fdfcf", + "zh:c62e0c9fd052cbf68c5c2612af4f6408c61c7e37b615dc347918d2442dd05e93", + "zh:f0beffd7ce78f49ead612e4b1aefb7cb6a461d040428f514f4f9cc4e5698ac65", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.4.0" + constraints = "5.4.0" + hashes = [ + "h1:Jol4lNIzMrREQzUBSveCLX0iQLy7dm0OF+IYY2GKrhY=", + "zh:1db5f81089216831bb0fdff9ddc3772efa133397c66ec276bc75b96eec06e23f", + "zh:26fe5fdf399192b5724d21854fbec650c158f8ee9eb1dc52a50f7da0f2bc07ac", + "zh:2946d9e333b1efe01588ee9f9771169fd3c3a4a7cb78ed8f91e8b3efd1a73850", + "zh:36ed69e8d3029332c8a52a70940f714fd579b9fd95f5569cc010ef11162f5bf7", + "zh:46ba5ad1c3a3ef98c346356cfa4bdd9c2501c661c2513bb92f4413f2482fb24b", + "zh:46c10aaa9672b54a14b0e0effdd6ecd9b8a539b3bfe273ac54111e7352a7bb4b", + "zh:47d7f57bcbe4fba2f960ab6c4228c5e9e586be2f233a8baa8962b51a63337179", + "zh:47e41c198439ba1c4d933f808b6f47e518f8f0aae25ca42abcac97f149121e90", + "zh:526c5834de71654ee14039cb973322bf5032cb684a2a113b48fb48a0584f46f3", + "zh:6169316517b95677819ba2904dcea204fb9b55e868348e906af9164104fe7198", + "zh:7c063ef2b8d69a8db7e8bf0dcd45793ede22b259b30464ed114d330df304cdbb", + "zh:87c4f2faca636715a08be3121d26b3354415401eab89349077ca9436a0822c23", 
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b184b8a268f45258edd27d389ca793708f1bc3ee4d6706d154a45e93deaddde1", + "zh:ba1a998cbf4b639fa3e04b9069f0f5a289662457940726a8a51c81df400aa852", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.16.1" + constraints = "~> 2.0" + hashes = [ + "h1:TerRBdq69SxIWg3ET2VE0bcP0BYRIWZOp1QxXj/14Fk=", + "zh:0003f6719a32aee9afaeeb001687fc0cfc8c2d5f54861298cf1dc5711f3b4e65", + "zh:16cd5bfee09e7bb081b8b4470f31a9af508e52220fd97fd81c6dda725d9422fe", + "zh:51817de8fdc2c2e36785f23fbf4ec022111bd1cf7679498c16ad0ad7471c16db", + "zh:51b95829b2873be40a65809294bffe349e40cfccc3ff6fee0f471d01770e0ebd", + "zh:56b158dde897c47e1460181fc472c3e920aa23db40579fdc2aad333c1456d2dd", + "zh:916641d26c386959eb982e680028aa677b787687ef7c1283241e45620bc8df50", + "zh:aec15ca8605babba77b283f2ca35daca53e006d567e1c3a3daf50497035b820b", + "zh:c2cecf710b87c8f3a4d186da2ea12cf08041f97ae0c6db82649720d6ed929d65", + "zh:dbdd96f17aea25c7db2d516ab8172a5e683c6686c72a1a44173d2fe96319be39", + "zh:de11e180368434a796b1ab6f20fde7554dc74f7800e063b8e4c8ec3a86d0be63", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f827a9c1540d210c56053a2d5d5a6abda924896ffa8eeedc94054cf6d44c5f60", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.33.0" + constraints = "~> 2.0" + hashes = [ + "h1:Z2R1cnALV1BgzldRWir/TUvg10gkWSdEGsYJHFqD3bc=", + "zh:255b35790b706d405e987750190658dcaefb663741b96803a9529ba5d7435329", + "zh:362feba1aa820a8e02869ec71d1a08e87243dbce43671dc0995fa6c5a2fafa1d", + "zh:39332abcf75b5dd9c78c79c7c0c094f7d4ca908d1b76bbd2aae67e8e3516710c", + "zh:3e8e7f758bb09a9b5b613c8866e77541f8f00b521070cc86bc095ce61f010baf", + "zh:427883b889b9c36630c3eec4d5c07bc4ae12cc0d358fc17ea42a8049bf8d5275", + "zh:69bfc4ed067a5e4844db1a1809343652ff239aa0a8da089b1671524c44e8740a", + "zh:6b9f731062b945c5020e0930ed9a1b1b50afd2caf751f0e70a282d165c970979", + 
"zh:6faf9ec006af7ee7014a9c3251d65b701792abb823f149b0b7e4ac4433848201", + "zh:b706f76d695104a47682ee6ab842870f9c70a680f979fa9e7efe34278c0831bc", + "zh:b9bca48de2c92f57389ed58dd2fac564deaccd79a92cafd08edeed3ba6b91d4d", + "zh:bbd3336dbee5aed9880f98e36fb8340e0c6d8f0399a05787521af599ccb3dac4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.2" + hashes = [ + "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=", + "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", + "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", + "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", + "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", + "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", + "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", + "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", + "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", + "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", + "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + hashes = [ + "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + 
"zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + hashes = [ + "h1:Fnaec9vA8sZ8BXVlN3Xn9Jz3zghSETIKg7ch8oXhxno=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "3.1.0" + constraints = "~> 3.1.0" + hashes = [ + "h1:fUJX8Zxx38e2kBln+zWr1Tl41X+OuiE++REjrEyiOM4=", + "zh:3d46616b41fea215566f4a957b6d3a1aa43f1f75c26776d72a98bdba79439db6", + "zh:623a203817a6dafa86f1b4141b645159e07ec418c82fe40acd4d2a27543cbaa2", + "zh:668217e78b210a6572e7b0ecb4134a6781cc4d738f4f5d09eb756085b082592e", + "zh:95354df03710691773c8f50a32e31fca25f124b7f3d6078265fdf3c4e1384dca", + "zh:9f97ab190380430d57392303e3f36f4f7835c74ea83276baa98d6b9a997c3698", + 
"zh:a16f0bab665f8d933e95ca055b9c8d5707f1a0dd8c8ecca6c13091f40dc1e99d", + "zh:be274d5008c24dc0d6540c19e22dbb31ee6bfdd0b2cddd4d97f3cd8a8d657841", + "zh:d5faa9dce0a5fc9d26b2463cea5be35f8586ab75030e7fa4d4920cd73ee26989", + "zh:e9b672210b7fb410780e7b429975adcc76dd557738ecc7c890ea18942eb321a5", + "zh:eb1f8368573d2370605d6dbf60f9aaa5b64e55741d96b5fb026dbfe91de67c0d", + "zh:fc1e12b713837b85daf6c3bb703d7795eaf1c5177aebae1afcf811dd7009f4b0", + ] +} diff --git a/terraform/keycloak/config.hcl b/terraform/keycloak/config.hcl new file mode 100644 index 00000000..da79a041 --- /dev/null +++ b/terraform/keycloak/config.hcl @@ -0,0 +1,5 @@ +region = "us-west-2" +key = "keycloak/terraform.tfstate" +bucket = "sf-arc-saas-dev-terraform-state-ot6cv1" +dynamodb_table = "sf-arc-saas-dev-terraform-state-lock" +encrypt = true \ No newline at end of file diff --git a/terraform/keycloak/config.txt b/terraform/keycloak/config.txt new file mode 100644 index 00000000..2a07788d --- /dev/null +++ b/terraform/keycloak/config.txt @@ -0,0 +1,5 @@ +region = "aws_region" +key = "keycloak/terraform.tfstate" +bucket = "${tf_state_bucket}" +dynamodb_table = "${tf_state_table}" +encrypt = true \ No newline at end of file diff --git a/terraform/keycloak/data.tf b/terraform/keycloak/data.tf new file mode 100644 index 00000000..904ff535 --- /dev/null +++ b/terraform/keycloak/data.tf 
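Review bot: `terraform/keycloak/config.hcl` commits a rendered backend configuration with a concrete dev bucket (`sf-arc-saas-dev-terraform-state-ot6cv1`) and lock table, yet the buildspec added in this commit runs `rm config.hcl` and regenerates `config.${var.environment}.hcl` from config.txt, so the committed file is never used and goes stale as soon as the bucket suffix or environment changes. Keep only config.txt as the template and add `config*.hcl` to .gitignore so rendered backend settings are not committed. `encrypt = true` being carried in the template is right, given that this state will hold the `db_password` and generated admin password read in data.tf/main.tf.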
@@ -0,0 +1,28 @@
+data "aws_ssm_parameter" "db_host" {
+ name = "/${var.namespace}/${var.environment}/db_host"
+}
+
+data "aws_ssm_parameter" "db_user" {
+ name = "/${var.namespace}/${var.environment}/db_user"
+}
+
+data "aws_ssm_parameter" "db_password" {
+ name = "/${var.namespace}/${var.environment}/db_password"
+}
+
+data "aws_ssm_parameter" "db_port" {
+ name = "/${var.namespace}/${var.environment}/db_port"
+}
+
+data "aws_ssm_parameter" "keycloak_db_name" {
+ name = "/${var.namespace}/${var.environment}/keycloakdbdatabase"
+}
+
+
+data "aws_eks_cluster" "cluster" {
+ name = "${var.namespace}-${var.environment}-eks-cluster"
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = "${var.namespace}-${var.environment}-eks-cluster"
+}
diff --git a/terraform/keycloak/keycloak-manifest-files/README.md b/terraform/keycloak/keycloak-manifest-files/README.md
new file mode 100644
index 00000000..8bd0f0b3
--- /dev/null
+++ b/terraform/keycloak/keycloak-manifest-files/README.md
@@ -0,0 +1 @@
+## Keycloak Manifest files are placed here
diff --git a/terraform/keycloak/keycloak-manifest-files/keycloak_gateway.yaml b/terraform/keycloak/keycloak-manifest-files/keycloak_gateway.yaml
new file mode 100755
index 00000000..7f1914bc
--- /dev/null
+++ b/terraform/keycloak/keycloak-manifest-files/keycloak_gateway.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: keycloak
+ namespace: keycloak
+spec:
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "keycloak.arc-saas.net"
diff --git a/terraform/keycloak/keycloak-manifest-files/keycloak_virtual_service.yaml b/terraform/keycloak/keycloak-manifest-files/keycloak_virtual_service.yaml
new file mode 100755
index 00000000..cd9654a9
--- /dev/null
+++ b/terraform/keycloak/keycloak-manifest-files/keycloak_virtual_service.yaml
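Review bot: `data "aws_eks_cluster_auth" "cluster"` spells out `"${var.namespace}-${var.environment}-eks-cluster"` a second time; `name = data.aws_eks_cluster.cluster.name` ties it to the cluster lookup so the two cannot diverge. `data "aws_ssm_parameter" "db_password"` decrypts the parameter and its `.value` is persisted in this new root module's state (main.tf below feeds it to the Helm release), so the `keycloak/terraform.tfstate` object named in config.txt holds the database credential and the generated admin password and needs the same access restrictions as the SSM parameters themselves. The double blank line before `aws_eks_cluster` can be one.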
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: keycloak
+ namespace: keycloak
+spec:
+ hosts:
+ - "keycloak.arc-saas.net"
+ gateways:
+ - keycloak
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: keycloak
+ port:
+ number: 80
diff --git a/terraform/keycloak/keycloak-manifest.tf b/terraform/keycloak/keycloak-manifest.tf
new file mode 100644
index 00000000..3acc8d14
--- /dev/null
+++ b/terraform/keycloak/keycloak-manifest.tf
@@ -0,0 +1,50 @@
+
+resource "local_file" "keycloak_gateway" {
+ content = <<-EOT
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: keycloak
+ namespace: ${local.kubernetes_ns}
+spec:
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "keycloak.${var.domain_name}"
+ EOT
+ filename = "${path.module}/keycloak-manifest-files/keycloak_gateway.yaml"
+}
+
+
+
+
+
+resource "local_file" "keycloak_virtual_service" {
+ content = <<-EOT
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: keycloak
+ namespace: ${local.kubernetes_ns}
+spec:
+ hosts:
+ - "keycloak.${var.domain_name}"
+ gateways:
+ - keycloak
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: keycloak
+ port:
+ number: 80
+ EOT
+ filename = "${path.module}/keycloak-manifest-files/keycloak_virtual_service.yaml"
+}
diff --git a/terraform/keycloak/locals.tf b/terraform/keycloak/locals.tf
new file mode 100644
index 00000000..a8fd4639
--- /dev/null
+++ b/terraform/keycloak/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ kubernetes_ns = "keycloak"
+}
\ No newline at end of file
diff --git a/terraform/keycloak/main.tf b/terraform/keycloak/main.tf
new file mode 100644
index 00000000..9d2448bb
--- /dev/null
+++ b/terraform/keycloak/main.tf
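Review bot: The generated `Gateway` serves `keycloak.${var.domain_name}` on `number: 80` / `protocol: HTTP` with no `tls` block, and the `VirtualService` routes to `host: keycloak` on port 80, while main.tf in this commit sets `proxy = "edge"`, i.e. Keycloak assumes TLS was terminated before the request reached it. Confirm that the load balancer in front of the istio ingress gateway terminates TLS and redirects plain HTTP; otherwise the admin console login and token endpoints are reachable over cleartext, and a `tls: { httpsRedirect: true }` on this port-80 server (or a 443 server with `tls.mode: SIMPLE` and a credential) would make the intent explicit in the manifest itself. The rendered copies under `keycloak-manifest-files/` are committed with a concrete hostname and will go stale on every `terraform apply`; nothing in this hunk applies either manifest to the cluster, so the apply path presumably lives in main.tf beyond this chunk (the `kubectl` provider in the lockfile hints at that). The five blank lines between the two resources can be one.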
@@ -0,0 +1,156 @@ +############################################################################### +## tags +############################################################################### +module "tags" { + source = "sourcefuse/arc-tags/aws" + version = "1.2.5" + + environment = var.environment + project = var.namespace + +} + +############################################################################### +## keycloak password +############################################################################### +module "keycloak_password" { + source = "../../modules/random-password" + length = 10 + is_special = true + override_special = "!#$%&*=+" +} + +############################################################################### +## keycloak helm +############################################################################### +resource "kubernetes_namespace" "keycloak_namespace" { + metadata { + name = local.kubernetes_ns + + labels = { + istio-injection = "enabled" + } + } + + lifecycle { + prevent_destroy = false # Allows Terraform to delete the namespace + } +} + +resource "helm_release" "keycloak" { + name = "keycloak" + namespace = "${local.kubernetes_ns}" + chart = "keycloak" + version = "21.7.4" + repository = "https://charts.bitnami.com/bitnami" + + set { + name = "auth.adminUser" + value = "admin" + } + + set { + name = "auth.adminPassword" + value = "${module.keycloak_password.result}" + } + + set { + name = "postgresql.enabled" + value = false + } + + set { + name = "externalDatabase.host" + value = "${data.aws_ssm_parameter.db_host.value}" + } + + set { + name = "externalDatabase.user" + value = "${data.aws_ssm_parameter.db_user.value}" + } + + set { + name = "externalDatabase.password" + value = "${data.aws_ssm_parameter.db_password.value}" + } + + set { + name = "externalDatabase.database" + value = "${data.aws_ssm_parameter.keycloak_db_name.value}" + } + + + set { + name = "proxy" + value = "edge" + } + + set { + name = "proxyHeaders" + value = 
"forwarded" + } + + set { + name = "httpRelativePath" + value = "/" + } + +values = [ + <