From 51a8c9b2fe18112de44d50dd5b67ab772403321a Mon Sep 17 00:00:00 2001 From: Elena Viter Date: Thu, 6 Jul 2023 15:18:50 +0200 Subject: [PATCH 1/8] FlowForge helm: 1. Editors: optional service account provisioning. 2. broker: propagate ingress definitions to broker helm. 3. remove secrets from referent values.yml, adding ref for service account definition. 4. Update README.md with IAM section --- helm/flowforge/README.md | 17 ++++++++++ helm/flowforge/templates/broker.yaml | 6 ++++ helm/flowforge/templates/deployment.yaml | 4 +++ helm/flowforge/templates/service-account.yaml | 20 +++++++++-- helm/flowforge/values.yaml | 34 +++++++++++++------ 5 files changed, 69 insertions(+), 12 deletions(-) diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md index c9a561a9..f4cf472d 100644 --- a/helm/flowforge/README.md +++ b/helm/flowforge/README.md @@ -121,3 +121,20 @@ Enables FlowForge Telemetry ### Ingress - `ingress.annotations` ingress annotations (default is `{}`). This value is also applied to Editor instances created by FlowForge. - `ingress.className` ingress class name (default is `"""`). This value is also applied to Editor instances created by FlowForge. + +### Editors IAM + Provision default service account for Editors if `editors.serviceAccount.create` is `true`. + +- `editors.serviceAccount.create` flag, indicates whether default Editors service account is going to be provisioned. +- `editors.serviceAccount.annotations` k8s service account annotations. +- `editors.serviceAccount.name` name of the service account for Editors. + +Example for AWS: +```yaml +editors: + serviceAccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME} + create: true + name: editors +``` diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml index a4b1a606..28f02a2d 100644 --- a/helm/flowforge/templates/broker.yaml +++ b/helm/flowforge/templates/broker.yaml 
@@ -131,7 +131,13 @@ metadata: labels: app: flowforge-broker annotations: + {{- if .Values.ingress.annotations }} + {{- toYaml .Values.ingress.annotations | nindent 4 }} + {{- end }} spec: + {{- if $.Values.ingress.className }} + ingressClassName: {{ $.Values.ingress.className }} + {{- end }} rules: - host: mqtt.{{ .Values.forge.domain }} http: diff --git a/helm/flowforge/templates/deployment.yaml b/helm/flowforge/templates/deployment.yaml index 870c2e89..f10a14a3 100644 --- a/helm/flowforge/templates/deployment.yaml +++ b/helm/flowforge/templates/deployment.yaml @@ -36,6 +36,10 @@ spec: - name: INGRESS_CLASS_NAME value: {{ .Values.ingress.className }} {{- end }} + {{- if .Values.editors.serviceAccount }} + - name: EDITOR_SERVICE_ACCOUNT + value: {{ .Values.editors.serviceAccount.name }} + {{- end }} {{- if .Values.forge.projectDeploymentTolerations }} - name: DEPLOYMENT_TOLERATIONS value: {{ .Values.forge.projectDeploymentTolerations | toJson | quote }} diff --git a/helm/flowforge/templates/service-account.yaml b/helm/flowforge/templates/service-account.yaml index 2b244db4..a9ec261f 100644 --- a/helm/flowforge/templates/service-account.yaml +++ b/helm/flowforge/templates/service-account.yaml @@ -9,11 +9,27 @@ metadata: eks.amazonaws.com/sts-regional-endpoints: "true" {{- end }} {{- end }} + + +{{- if .Values.editors.serviceAccount.create }} --- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.editors.serviceAccount.name }} + namespace: {{ .Values.forge.projectNamespace }} + {{- with .Values.editors.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: create-pod + name: {{ .Release.Name }}-create-pod rules: - apiGroups: [""] resources: ["pods", "pods/log", "pods/exec", "pods/status"] 
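Review bot: The new `ingressClassName` line renders `$.Values.ingress.className` as a plain scalar, so a class name that happens to look like a number or boolean would be retyped by the YAML parser; `ingressClassName: {{ $.Values.ingress.className | quote }}` keeps it a string. As a point of style, the `$.` root reference is only needed inside `range`/`with` scopes, and the annotations block three lines above uses `.Values` for the same purpose in the same template; pick one form.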
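Review bot: The guard `{{- if .Values.editors.serviceAccount }}` tests that the map exists, not that a name was configured, and with the defaults in values.yaml that map is never empty, so `EDITOR_SERVICE_ACCOUNT` is emitted on every install, including when `editors.serviceAccount.create` is `false` and nothing provisions the account. Guarding on the value itself, `{{- if .Values.editors.serviceAccount.name }}` with `value: {{ .Values.editors.serviceAccount.name | quote }}`, makes the env var track what was actually configured, and the README could state that with `create: false` the named account is expected to already exist in `forge.projectNamespace`. The enclosing container spec starts and ends outside the hunk.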
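Review bot: The new Editors ServiceAccount leaves `automountServiceAccountToken` at its default, so every editor pod running under it gets a Kubernetes API token mounted next to the flows users author there, even though nothing in this chart grants that account any RBAC. Unless editors need the API, add `automountServiceAccountToken: false` to the ServiceAccount; the `eks.amazonaws.com/role-arn` path relies on a separately projected web-identity token, so IRSA should be unaffected, but confirm that against the pod identity webhook in use. The ServiceAccount is created in `forge.projectNamespace` rather than `.Release.Namespace`, which is presumably deliberate since editors run there, but a one-line comment saying so would save the next reader a question.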
@@ -45,5 +61,5 @@ subjects: namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: create-pod + name: {{ .Release.Name }}-create-pod apiGroup: rbac.authorization.k8s.io diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml index a464fa61..025adeeb 100644 --- a/helm/flowforge/values.yaml +++ b/helm/flowforge/values.yaml @@ -1,18 +1,17 @@ forge: dbUsername: forge - dbPassword: Zai1Wied + dbPassword: "" dbName: flowforge localPostgresql: true https: true projectNamespace: flowforge projectSelector: role: projects - projectDeploymentTolerations: [] -# - key: purpose -# operator: Equal -# value: flowforge-projects -# effect: NoSchedule + # - key: purpose + # operator: Equal + # value: flowforge-projects + # effect: NoSchedule managementSelector: role: management telemetry: @@ -32,17 +31,32 @@ forge: type: postgres host: flowforge-postgresql username: forge - password: Zai1Wied + password: "" database: ff-context support: enabled: false + domain: "" + entryPoint: "" + environment: {} + image: 355908013639.dkr.ecr.eu-west-1.amazonaws.com/flowforge/forge-k8s:1.5.0 + registry: 355908013639.dkr.ecr.eu-west-1.amazonaws.com + postgresql: - postgresqlPostgresPassword: Moomiet0 - postgresqlUsername: forge - postgresqlPassword: Zai1Wied postgresqlDatabase: flowforge + postgresqlPassword: "" + postgresqlPostgresPassword: "" + postgresqlUsername: forge + global: + storageClass: default ingress: annotations: {} className: "" + +editors: + serviceAccount: + create: true + annotations: {} + name: editors + namespace: \ No newline at end of file From 3c60935e371db6475d89a28e6d80eaa3e06db4be Mon Sep 17 00:00:00 2001 From: Elena Viter Date: Thu, 6 Jul 2023 15:45:51 +0200 Subject: [PATCH 2/8] values.yaml: remove non-needed attribite editors.serviceAccount.namespace --- helm/flowforge/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml index 025adeeb..40b88cad 100644 
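Review bot: Removing `projectDeploymentTolerations: []` leaves the four commented example lines without the key they illustrate, and `deployment.yaml` (the hunk above) still reads `.Values.forge.projectDeploymentTolerations`, so the default becomes an implicit nil rather than a visible empty list. The schema added in the last patch of this series declares `"default": []` for the same key, so values.yaml should keep `projectDeploymentTolerations: []` directly above the commented example to match.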
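Review bot: `editors.serviceAccount.create` defaults to `true` here, so every install now creates a ServiceAccount in `forge.projectNamespace`, while the README section added in this patch presents provisioning as optional without stating the default. Either document the flag as `editors.serviceAccount.create` (default `true`) in that section, or default it to `false` so operators opt in explicitly.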
--- a/helm/flowforge/values.yaml +++ b/helm/flowforge/values.yaml @@ -58,5 +58,4 @@ editors: serviceAccount: create: true annotations: {} - name: editors - namespace: \ No newline at end of file + name: editors \ No newline at end of file From 1506a49c35a7fda9e4f775dcdce7f58494395dfb Mon Sep 17 00:00:00 2001 From: Elena Viter Date: Thu, 6 Jul 2023 18:30:12 +0200 Subject: [PATCH 3/8] revert the default secrets in values.yaml --- helm/flowforge/values.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml index 40b88cad..dca54c37 100644 --- a/helm/flowforge/values.yaml +++ b/helm/flowforge/values.yaml @@ -1,6 +1,6 @@ forge: dbUsername: forge - dbPassword: "" + dbPassword: Zai1Wied dbName: flowforge localPostgresql: true https: true @@ -39,14 +39,14 @@ forge: domain: "" entryPoint: "" environment: {} - image: 355908013639.dkr.ecr.eu-west-1.amazonaws.com/flowforge/forge-k8s:1.5.0 - registry: 355908013639.dkr.ecr.eu-west-1.amazonaws.com + image: "" + registry: "" postgresql: - postgresqlDatabase: flowforge - postgresqlPassword: "" - postgresqlPostgresPassword: "" + postgresqlPostgresPassword: Moomiet0 postgresqlUsername: forge + postgresqlPassword: Zai1Wied + postgresqlDatabase: flowforge global: storageClass: default From 7687f2b167a36274cd058e2fdeb949453227aeac Mon Sep 17 00:00:00 2001 From: Ben Hardill Date: Mon, 24 Jul 2023 13:26:24 +0100 Subject: [PATCH 4/8] Allow DB connection to use SSL part of #151 --- helm/flowforge/templates/configmap.yaml | 3 +++ helm/flowforge/values.schema.json | 3 +++ 2 files changed, 6 insertions(+) diff --git a/helm/flowforge/templates/configmap.yaml b/helm/flowforge/templates/configmap.yaml index 1f840c7d..16ce5077 100644 --- a/helm/flowforge/templates/configmap.yaml +++ b/helm/flowforge/templates/configmap.yaml 
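Review bot: Restoring `dbPassword: Zai1Wied` here, and `Moomiet0`/`Zai1Wied` for the PostgreSQL keys in the second hunk of this patch, ships well-known default credentials in the chart, so any install that does not override them runs with passwords readable from the repository. If the empty-string defaults were reverted because `configmap.yaml` renders `password: ` as a YAML null, the fail-fast alternative is to keep the value blank and guard the template, e.g. `password: {{ required "forge.dbPassword must be set" .Values.forge.dbPassword | quote }}`. The `postgresql.*` passwords are consumed by the subchart rather than this chart's templates, so they should at least be documented as mandatory overrides in the README.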
@@ -25,6 +25,9 @@ data: user: {{ .Values.forge.dbUsername }} password: {{ .Values.forge.dbPassword }} db: {{ .Values.forge.dbName }} + {{- if and (hasKey .Values.forge "postgres") (hasKey .Values.forge.postgres "ssl") }} + ssl: {{ .Values.forge.postgres.ssl }} + {{- end }} driver: type: kubernetes options: diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json index ae749c8f..d0f5d070 100644 --- a/helm/flowforge/values.schema.json +++ b/helm/flowforge/values.schema.json @@ -101,6 +101,9 @@ }, "port": { "type": "integer" + }, + "ssl": { + "type": "boolean" } }, "required": [ From 8272559c2a8c1db740d8c0a74d0e354b1a3b8383 Mon Sep 17 00:00:00 2001 From: Ben Hardill Date: Wed, 26 Jul 2023 10:26:45 +0100 Subject: [PATCH 5/8] Add Docs --- helm/flowforge/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md index f4cf472d..67acc634 100644 --- a/helm/flowforge/README.md +++ b/helm/flowforge/README.md @@ -32,6 +32,7 @@ If using an external PostgreSQL Database you will need to create the database an - `forge.localPostrgresql` Deploy a PostgreSQL v14 Database into Kubernetes cluster (default `true`) - `forge.postgres.host` the hostname of an external PostgreSQL database (default not set) - `forge.postgres.port` the port of an external PostgreSQL database (default `5432`) + - `forge.postgres.ssl` sets the connection to the database to use SSL/TLS (default `false`) - `forge.cloudProvider` currently only accepts `aws` but will include more as needed (default not set) - `forge.projectSelector` a collection of labels and values to filter nodes that Project Pods will run on (default `role: projects`) - `forge.managementSelector` a collection of labels and values to filter nodes the Forge App will run on (default `role: management`) From a8236e3533a94852c4da836efad07d3b13409a56 Mon Sep 17 00:00:00 2001 
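Review bot: `ssl: {{ .Values.forge.postgres.ssl }}` passes a bare boolean to the database driver, and whether `true` also verifies the server certificate or merely encrypts the connection depends on the driver consuming this config, so the README entry added later in the series should say which, or the option should accept an object for CA/verification settings. Separately, `and (hasKey .Values.forge "postgres") (hasKey .Values.forge.postgres "ssl")` relies on `and` short-circuiting, which Go templates only do from Go 1.18 on; on older Helm builds the second `hasKey` is evaluated against a nil map when `forge.postgres` is unset. `{{- with .Values.forge.postgres }}{{- if hasKey . "ssl" }}` is the portable form. The `db:` mapping this lands in starts outside the hunk.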
From: Elena Viter Date: Mon, 31 Jul 2023 12:44:08 +0200 Subject: [PATCH 6/8] PR #148: add Editors.service account definition to values schema --- helm/flowforge/values.schema.json | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json index d0f5d070..94f1d95d 100644 --- a/helm/flowforge/values.schema.json +++ b/helm/flowforge/values.schema.json @@ -309,6 +309,32 @@ "type": "string" } } + }, + "editors": { + "type": "object", + "properties": { + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object", + "minProperties": 1, + "additionalProperties": { + "type": "string" + } + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string", + "description": "Name of service account (scope of uniqueness is a 'Projects' namespace)" + } + }, + "required": ["annotations", "name"] + } + }, + "required": ["serviceAccount"] } }, "required": [ From 2c85d8a0fd60a43955d5642279d2396aebdd9fd5 Mon Sep 17 00:00:00 2001 From: Elena Viter Date: Mon, 31 Jul 2023 12:50:36 +0200 Subject: [PATCH 7/8] PR #148: allow zero properties in annotations in Editors.service account definition schema to align with default values.yaml --- helm/flowforge/values.schema.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json index 94f1d95d..36c276a9 100644 --- a/helm/flowforge/values.schema.json +++ b/helm/flowforge/values.schema.json @@ -318,10 +318,7 @@ "properties": { "annotations": { "type": "object", - "minProperties": 1, - "additionalProperties": { - "type": "string" - } + "minProperties": 0 }, "create": { "type": "boolean" From 046d6c29f69eb7379f951f0aa71236e42261054e Mon Sep 17 00:00:00 2001 
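Review bot: `editors.serviceAccount.name` is typed only as `"type": "string"`, so an empty name passes validation and then lands in the ServiceAccount's `metadata.name` and in `EDITOR_SERVICE_ACCOUNT`, failing only at the API server; add `"minLength": 1` (optionally a DNS-label `pattern`) so `helm install` rejects it up front. `create` is the documented gating flag but is left out of `required` and has no `"default"`; `"default": true` would keep the schema aligned with values.yaml. Consider `"additionalProperties": false` on the `serviceAccount` object so a misspelled key is caught rather than silently ignored.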
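Review bot: Dropping `"additionalProperties": {"type": "string"}` together with `minProperties: 1` removes the only check that annotation values are strings; an unquoted value such as `true` or a number now passes schema validation, `toYaml` renders it untyped, and the API server rejects the ServiceAccount because annotation values must be strings. Only `minProperties` needed to go (and `"minProperties": 0` is a no-op); keep `"additionalProperties": {"type": "string"}` on the `annotations` object.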
From: Elena Viter Date: Mon, 31 Jul 2023 12:56:25 +0200 Subject: [PATCH 8/8] PR #148: documenting forge.projectDeploymentTolerations in values schema --- helm/flowforge/values.schema.json | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json index 36c276a9..34d2b7c6 100644 --- a/helm/flowforge/values.schema.json +++ b/helm/flowforge/values.schema.json @@ -116,6 +116,28 @@ "projectSelector": { "type": "object" }, + "projectDeploymentTolerations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": ["effect", "key", "operator", "value"] + }, + "default": [] + }, "managementSelector": { "type": "object" },
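Review bot: `"required": ["effect", "key", "operator", "value"]` is stricter than the Kubernetes Toleration type, where all four fields are optional: a toleration with `operator: Exists` carries no `value` (and may omit `key` to match every taint), and an omitted `effect` matches all effects, so such valid entries are now rejected at `helm install`. Drop the `required` array, or limit it to what the commented example in values.yaml actually sets, and use enums for the closed fields, `"enum": ["Equal", "Exists"]` for `operator` and `"enum": ["NoSchedule", "PreferNoSchedule", "NoExecute"]` for `effect`.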