Merge pull request #4 from eurostat/sync/helm-chart

Synchronize Helm Chart version 0.2.0

charts/datalab/Chart.lock

@@ -8,5 +8,20 @@ dependencies:
 - name: onyxia
   repository: https://inseefrlab.github.io/helm-charts
   version: 2.0.0
-digest: sha256:2a05b60e73f62549bc4a7d55e6443919fba365b50577cc7defe457773c92577f
-generated: "2021-12-02T09:12:43.7993088Z"
+- name: vault
+  repository: https://helm.releases.hashicorp.com
+  version: 0.18.0
+- name: prometheus
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 15.0.1
+- name: grafana
+  repository: https://grafana.github.io/helm-charts
+  version: 6.17.10
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 10.13.8
+- name: ckan
+  repository: https://keitaro-charts.storage.googleapis.com
+  version: 1.0.1
+digest: sha256:dc07a4a79604cda9f6f34272c3678e1ced25e99fe7e911241dfa924959f1f986
+generated: "2021-12-06T16:36:10.8375608Z"

charts/datalab/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -34,4 +34,20 @@ dependencies:
   - name: onyxia
     version: 2.0.0
     repository: https://inseefrlab.github.io/helm-charts
+  - name: vault
+    version: 0.18.0
+    repository: https://helm.releases.hashicorp.com
+  - name: prometheus
+    version: 15.0.1
+    repository: https://prometheus-community.github.io/helm-charts
+  - name: grafana
+    version: 6.17.10
+    repository: https://grafana.github.io/helm-charts
+  - name: postgresql
+    version: 10.13.8
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled
+  - name: ckan
+    version: 1.0.1
+    repository: https://keitaro-charts.storage.googleapis.com
 

charts/datalab/helpers/vault-groups-config.sh

@@ -0,0 +1,69 @@
+# To associate groups with the jwt provider use the API to:
+# 1. Create a policy for the group
+# 2. Create a group
+# 3. Associate alias that matches group in token
+# (pre-defined in the role cration) Use the groups_claim from the token in the role
+
+# With VAULT_TOKEN and VAULT_ADDR in environment variables given when calling this script
+
+# (pre-step, jwt acessor) 2.
+JWT_ACESSOR=$(curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/sys/auth | jq -r '.["jwt/"].accessor')
+
+# Given a list of existing group ids (written the same way as in Keycloak)
+declare -a GROUP_LIST=("g1" "g2" "demo")
+
+for GROUP in "${GROUP_LIST[@]}"
+do
+
+# 1. 
+tee payload-pol.json <<EOF 
+{
+    "policy": "path \"onyxia-kv/projet-$GROUP/*\" {\n capabilities = [\"create\",\"update\",\"read\",\"delete\",\"list\"]\n}\n\n path \"onyxia-kv/data/projet-$GROUP/*\" {\n capabilities = [\"create\",\"update\",\"read\"]\n}\n\n path \"onyxia-kv/metadata/projet-$GROUP/*\" {\n capabilities = [\"delete\", \"list\", \"read\"]\n }"
+}
+EOF
+
+curl --header "X-Vault-Token: $VAULT_TOKEN" \
+   --request PUT \
+   --data @payload-pol.json \
+   $VAULT_ADDR/v1/sys/policies/acl/$GROUP
+
+rm payload-pol.json
+
+
+# 2.
+tee payload-grp.json <<EOF
+{
+  "name": "$GROUP",
+  "policies": ["$GROUP"],
+  "type": "external",
+  "metadata": {
+    "origin": "onyxia"
+  }
+}
+EOF
+
+GROUP_ID=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
+    --request POST \
+    --data @payload-grp.json \
+    $VAULT_ADDR/v1/identity/group | jq -r ".data.id")
+
+rm payload-grp.json
+
+
+# 3.
+tee payload-grp-alias.json <<EOF
+{
+  "canonical_id": "$GROUP_ID",
+  "mount_accessor": "$JWT_ACESSOR",
+  "name": "$GROUP"
+}
+EOF
+
+curl --header "X-Vault-Token: $VAULT_TOKEN" \
+    --request POST \
+    --data @payload-grp-alias.json \
+    $VAULT_ADDR/v1/identity/group-alias 
+
+rm payload-grp-alias.json
+
+done

charts/datalab/templates/_realm-config.tpl

@@ -31,6 +31,7 @@
     ,{
       "username" : "{{ .name }}",
       "enabled": true,
+      "email": "{{ .name }}@example-demo.test",
       "credentials" : [
         { 
           "type" : "password",
@@ -129,9 +130,49 @@
             "id.token.claim": "false",
             "access.token.claim": "true"
           }
+        },
+        {
+          "name": "audience-vault-onyxia-client",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "consentRequired": false,
+          "config": {
+            "included.client.audience": "{{ .Values.onyxia.ui.env.OIDC_CLIENT_ID }}",
+            "id.token.claim": "false",
+            "access.token.claim": "true"
+          }
         }
       ]
-    } 
+    },
+    {
+      "clientId": "ckan",
+      "rootUrl": "https://ckan.clouddatalab.eu/",
+      "adminUrl": "https://ckan.clouddatalab.eu/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "{{ .Values.ckan.clientsecret }}",
+      "redirectUris": [
+        "https://ckan.clouddatalab.eu/*"
+      ],
+      "webOrigins": [
+        "https://ckan.clouddatalab.eu"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "oauth2.device.authorization.grant.enabled": "true"
+      }
+    }
 	  {{- if .Values.minio.enabled -}}
 	  ,
     {
@@ -182,6 +223,26 @@
         }
       ]
     }
+    {{- end -}}
+	  {{- if .Values.grafana.enabled -}}
+	  ,
+    {
+      "clientId": "grafana",
+      "rootUrl": "https://grafana.{{ .Values.domainName }}",
+      "baseUrl": "",
+      "enabled": true,
+      "publicClient": true,
+      "redirectUris": [
+        "https://grafana.{{ .Values.domainName }}/*"
+      ],
+      "webOrigins": [
+        "*"
+      ],
+      "attributes": {
+        "oauth2.device.authorization.grant.enabled": "true",
+        "use.refresh.tokens": "true"
+      }
+    }
     {{- end -}}
   ]
 }

charts/datalab/templates/post-install-job.yaml

@@ -23,7 +23,7 @@ spec:
       - name: minio-mc
         image: "minio/mc"
         command: ["/bin/sh","-c"]
-        args: ["mc alias set minio https://{{ .Values.minio.apiIngress.hostname }} {{ .Values.minio.accessKey.password }} {{ .Values.minio.secretKey.password }} --api S3v4 && mc admin policy add minio stsonly /tmp/configs/stsonly.json && mc admin service restart minio"]
+        args: ["mc alias set minio http://{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.minio.service.ports.api }} {{ .Values.minio.accessKey.password }} {{ .Values.minio.secretKey.password }} --api S3v4 && mc admin policy add minio stsonly /tmp/configs/stsonly.json && mc admin service restart minio"]
         volumeMounts:
           - name: configs
             mountPath: /tmp/configs

charts/datalab/templates/postgres-secret.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-basic-auth
+  annotations:
+    "helm.sh/hook": pre-install
+type: Opaque   
+stringData:
+  my_init_script.sh: |
+    #!/bin/sh
+    psql postgresql://postgres:{{.Values.postgresql.postgresqlPostgresPassword}}@localhost:5432/user << EOF
+        CREATE DATABASE keycloak WITH ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8';
+        CREATE USER keycloak WITH ENCRYPTED PASSWORD 'keycloak';
+        GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
+
+        CREATE DATABASE ckan WITH ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8';
+        GRANT ALL PRIVILEGES ON DATABASE ckan TO postgres;
+        
+        CREATE DATABASE ckan_default WITH ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8';
+        CREATE USER ckan_default WITH ENCRYPTED PASSWORD 'ckan_default';
+        GRANT ALL PRIVILEGES ON DATABASE ckan_default TO ckan_default;
+
+        CREATE DATABASE datastore_default WITH ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8';
+        CREATE USER datastorerw WITH ENCRYPTED PASSWORD 'datastorerw';
+        GRANT ALL PRIVILEGES ON DATABASE datastore_default TO datastorerw;
+
+        CREATE DATABASE datastore_default WITH ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8';
+        CREATE USER datastorerw WITH ENCRYPTED PASSWORD 'datastorerw';
+        GRANT ALL PRIVILEGES ON DATABASE datastore_default TO datastorerw;
+      EOF
+