Update charts to latest service versions with no TLS

.github/workflows/ci.yaml

@@ -89,14 +89,14 @@ jobs:
         env:
           TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}
         run: |
-          uv run --project tools/ktest tools/ktest/ktest.py charts/topaz/test/tests.yaml
+          make test-topaz
       -
         name: Test Discovery
         timeout-minutes: 10
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          uv run --project tools/ktest tools/ktest/ktest.py charts/discovery/test/tests.yaml
+          make test-discovery
       -
         name: Deploy Postgres
         run: |
@@ -132,4 +132,4 @@ jobs:
           SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }}
           TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}
         run: |
-          uv run --project tools/ktest tools/ktest/ktest.py charts/directory/test/tests.yaml
+          make test-directory

charts/aserto-lib/templates/_config.tpl

@@ -41,3 +41,18 @@ Root directory tenant ID
 {{- (include "aserto-lib.rootClientCfg" . | fromYaml).tenantID |
 	default "00000000-0000-11ef-0000-000000000000" -}}
 {{- end }}
+
+{{/*
+Takes a k8s resource retrieved using the `lookup` function and returns true
+if the resource is managed by the current helm release. False otherwise.
+*/}}
+{{- define "aserto-lib.isManagedResource" -}}
+{{- $resource := first . | default dict }}
+{{- $releaseName := last . }}
+{{- if $resource | dig "metadata" "labels" "app.kubernetes.io/managed-by" "" | eq "Helm" | and
+       ($resource | dig "metadata" "annotations" "meta.helm.sh/release-name" "" | eq $releaseName) -}}
+true
+{{- else -}}
+false
+{{- end }}
+{{- end }}

charts/aserto/Chart.lock

@@ -7,7 +7,7 @@ dependencies:
   version: 0.2.2
 - name: authorizer
   repository: file://../authorizer
-  version: 0.1.9
+  version: 0.1.10
 - name: discovery
   repository: file://../discovery
   version: 0.1.9
@@ -20,5 +20,5 @@ dependencies:
 - name: registry-proxy
   repository: file://../registry-proxy
   version: 0.1.6
-digest: sha256:aa36828e3a9be09c32aca35e76785be6fea7a9cce866cf929effed6c38216635
-generated: "2025-01-08T18:26:30.831721-05:00"
+digest: sha256:a416841691e59b989714a06b49fdb540de61094d3ebbc5e935eb85b53f11387e
+generated: "2025-01-10T12:41:01.715504-05:00"

charts/aserto/Chart.yaml

@@ -38,7 +38,7 @@ dependencies:
     repository: file://../directory
     condition: directory.enabled
   - name: authorizer
-    version: 0.1.9
+    version: 0.1.10
     repository: file://../authorizer
     condition: authorizer.enabled
   - name: discovery

charts/aserto/values.yaml

@@ -135,7 +135,7 @@ discovery:
     #   tokenSecretKey: token
 
 console:
-  enabled: false
+  enabled: true
   # Kubernetes pull secret for private Aserto images.
   # imagePullSecrets:
   #   - name: ghcr-creds

charts/authorizer/Chart.yaml

@@ -21,13 +21,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.9
+version: 0.1.10
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.14.8"
+appVersion: 0.15.8
 
 dependencies:
   - name: aserto-lib

charts/authorizer/templates/api_keys.yaml

@@ -1,13 +1,18 @@
+{{- with .Values.apiKey -}}
+{{- $secret :=  lookup "v1" "Secret" $.Release.Namespace .secretName }}
+{{- if empty $secret | or (include "aserto-lib.isManagedResource" (list $secret $.Release.Name) | eq "true" ) -}}
+
 ---
-{{- $cfg := .Values.apiKey -}}
-{{- $data :=  (lookup "v1" "Secret" .Release.Namespace $cfg.secretName).data }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $cfg.secretName }}
+  name: {{ .secretName }}
 data:
-  {{- if $data }}
-  {{ $cfg.secretKey }}: {{ get $data $cfg.secretKey }}
-  {{- else }}
-  {{ $cfg.secretKey }}: {{ randAlphaNum 20 | b64enc }}
-  {{- end }}
+{{- if ($secret).data }}
+  {{ .secretKey }}: {{ get $secret.data .secretKey }}
+{{- else }}
+  {{ .secretKey }}: {{ randAlphaNum 20 | b64enc }}
+{{- end }}
+
+{{- end }}
+{{- end }}

charts/authorizer/templates/deployment.yaml

@@ -31,44 +31,36 @@ spec:
             items:
               - key: config.yaml
                 path: config.yaml
+
+        {{- with (include "aserto-lib.grpcConfig" . | fromYaml).certSecret }}
         - name: grpc-certs
-          {{- with include "aserto-lib.grpcConfig" . | fromYaml }}
-          {{- if .certSecret  }}
           secret:
-            secretName: {{ .certSecret }}
-          {{- else }}
-          emptyDir: {}
-          {{- end }}
-          {{- end }}
+            secretName: {{ . }}
+        {{- end }}
+
+        {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }}
         - name: https-certs
-          {{- with (include "aserto-lib.httpsConfig" . | fromYaml) }}
-          {{- if .certSecret }}
           secret:
-            secretName: {{ .certSecret }}
-          {{- else }}
-          emptyDir: {}
-          {{- end }}
-          {{- end }}
+            secretName: {{ . }}
+        {{- end }}
 
-        {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }}        
+        {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }}
         - name: root-ds-grpc-certs
           secret:
             secretName: {{ . }}
             items:
               - key: ca.crt
-                path: ca.crt        
+                path: ca.crt
         {{- end }}
 
-        {{- with (include "aserto-lib.discoveryCfg" . | fromYaml) }}
-        {{- if .httpsCertSecret }}
+        {{- with (include "aserto-lib.discoveryCfg" . | fromYaml).httpsCertSecret }}
         - name: discovery-https-certs
           secret:
-            secretName: {{ .httpsCertSecret }}
+            secretName: {{ . }}
             items:
               - key: ca.crt
                 path: ca.crt
         {{- end }}
-        {{- end }}
 
       containers:
         - name: {{ .Chart.Name }}
@@ -90,18 +82,20 @@ spec:
             - name: config
               mountPath: /config
               readOnly: true
+
+          {{- with (include "aserto-lib.grpcConfig" . | fromYaml).certSecret }}
             - name: grpc-certs
               mountPath: /grpc-certs
-            {{- if (include "aserto-lib.grpcConfig" . | fromYaml).certSecret  }}
               readOnly: true
-            {{- end }}
+          {{- end }}
+
+          {{- with (include "aserto-lib.httpsConfig" . | fromYaml).certSecret }}
             - name: https-certs
               mountPath: /https-certs
-            {{- if (include "aserto-lib.httpsConfig" . | fromYaml).certSecret  }}
               readOnly: true
-            {{- end }}
+          {{- end }}
 
-          {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }}        
+          {{- with ((include "aserto-lib.rootClientCfg" . | fromYaml).caCertSecret).name }}
             - name: root-ds-grpc-certs
               mountPath: /root-ds-grpc-certs
               readOnly: true
@@ -115,6 +109,7 @@ spec:
           env:
             - name: AUTHORIZER_DS0_API_KEY
               {{ include "aserto-lib.rootApiKeyEnv" . | nindent 14 }}
+
           {{- with .Values.apiKey }}
             - name: AUTHORIZER_ROOT_KEY
               valueFrom:

charts/console/Chart.yaml

@@ -27,7 +27,7 @@ version: 0.1.8
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.14"
+appVersion: "0.1.17"
 
 dependencies:
   - name: aserto-lib

charts/directory/Chart.yaml

@@ -27,7 +27,7 @@ version: 0.2.2
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.33.5"
+appVersion: 0.33.6
 
 dependencies:
   - name: aserto-lib

charts/directory/templates/api_keys.yaml

@@ -1,18 +1,23 @@
 {{- if .Values.rootDirectory.runService }}
 {{- $cfg := include "aserto-lib.directoryApiKeys" . | fromYaml -}}
-{{- $data :=  (lookup "v1" "Secret" .Release.Namespace $cfg.secretName).data }}
+{{- $secret :=  lookup "v1" "Secret" .Release.Namespace $cfg.secretName }}
+{{- if empty $secret | or
+    (include "aserto-lib.isManagedResource" (list $secret .Release.Name) | eq "true")
+-}}
+
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $cfg.secretName }}
 data:
-  {{- if $data }}
-  {{ $cfg.writerSecretKey }}: {{ get $data $cfg.writerSecretKey }}
-  {{ $cfg.readerSecretKey }}: {{ get $data $cfg.readerSecretKey }}
-  {{- else }}
+{{- if ($secret).data }}
+  {{ $cfg.writerSecretKey }}: {{ get $secret.data $cfg.writerSecretKey }}
+  {{ $cfg.readerSecretKey }}: {{ get $secret.data $cfg.readerSecretKey }}
+{{- else }}
   {{ $cfg.writerSecretKey }}: {{ randAlphaNum 20 | b64enc }}
   {{ $cfg.readerSecretKey }}: {{ randAlphaNum 20 | b64enc }}
-  {{- end }}
 {{- end }}
 
+{{- end }}
+{{- end }}

charts/directory/templates/config.yaml

@@ -109,12 +109,14 @@ stringData:
     authentication:
       authenticators_enabled:
         root_key: true
-        {{- with .Values.oidc }}
+
+      {{- with include "aserto-lib.oidcConfig" . }}
         oidc: true
-        {{- end }}
-        {{- if (.Values.authentication).machineAccounts }}
+      {{- end }}
+
+      {{- if (.Values.authentication).machineAccounts }}
         machine_account: true
-        {{- end }}
+      {{- end }}
 
       root_keys:
       {{- if .Values.tenantDirectory.runService }}
@@ -143,10 +145,10 @@ stringData:
             account: "root-ds"
       {{- end }}
 
-      {{- with .Values.oidc -}}
+    {{- with include "aserto-lib.oidcConfig" . }}
       oidc:
-        {{- include "aserto-lib.oidcConfig" . | nindent 8 }}
-      {{- end }}
+        {{- . | nindent 8 }}
+    {{- end }}
 
       override:
         - methods:

charts/directory/templates/db_credentials.yaml

@@ -1,23 +1,34 @@
-{{- $rootData := (lookup "v1" "Secret" .Release.Namespace .Values.rootDirectory.database.reader.credentialsSecret).data -}}
-{{- if empty $rootData }}
 ---
+{{- $rootSecret := lookup "v1" "Secret" .Release.Namespace .Values.rootDirectory.database.reader.credentialsSecret | default dict -}}
+{{- if empty $rootSecret | or (include "aserto-lib.isManagedResource" (list $rootSecret .Release.Name) | eq "true") }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Values.rootDirectory.database.reader.credentialsSecret }}
 data:
+{{- if ($rootSecret).data }}
+  username: {{ $rootSecret.data.username }}
+  password: {{ $rootSecret.data.password }}
+{{- else }}
   username: {{ "root_reader" | b64enc }}
   password: {{ randAlphaNum 20 | b64enc}}
 {{- end }}
 
-{{- $tenantData := (lookup "v1" "Secret" .Release.Namespace .Values.tenantDirectory.database.reader.credentialsSecret).data -}}
-{{- if empty $tenantData }}
+{{- end }}
 ---
+{{- $tenantSecret := lookup "v1" "Secret" .Release.Namespace .Values.tenantDirectory.database.reader.credentialsSecret }}
+{{- if empty $tenantSecret | or (include "aserto-lib.isManagedResource" (list $tenantSecret .Release.Name) | eq "true") }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Values.tenantDirectory.database.reader.credentialsSecret }}
 data:
+{{- if ($tenantSecret).data }}
+  username: {{ $tenantSecret.data.username }}
+  password: {{ $tenantSecret.data.password }}
+{{- else }}
   username: {{ "tenant_reader" | b64enc }}
   password: {{ randAlphaNum 20 | b64enc }}
 {{- end }}
+
+{{- end }}

charts/directory/templates/root_key.yaml

@@ -5,18 +5,22 @@
 
 {{- $apiKey := $cfg.apiKey -}}
 {{- if empty $apiKey -}}
-  {{- $current :=  (lookup "v1" "Secret" $.Release.Namespace $secretName).data }}
-  {{- if $current }}
-    {{- $apiKey = get $current $secretKey }}
-  {{- else -}}
+  {{- $secret :=  lookup "v1" "Secret" $.Release.Namespace $secretName }}
+  {{- if empty $secret }}
     {{- $apiKey = randAlphaNum 32 | b64enc }}
+  {{- else if (include "aserto-lib.isManagedResource" (list $secret .Release.Name) | eq "true") -}}
+    {{- $apiKey = get ($secret).data $secretKey }}
   {{- end }}
 {{- end -}}
+
+{{- with $apiKey }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $secretName }}
 data:
-  {{ $secretKey }}: {{ $apiKey }}
+  {{ $secretKey }}: {{ . }}
+{{- end }}
+
 {{- end }}

charts/discovery/Chart.yaml

@@ -27,7 +27,7 @@ version: 0.1.9
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.4"
+appVersion: 0.1.4
 
 dependencies:
   - name: aserto-lib

charts/discovery/templates/api_keys.yaml

@@ -1,10 +1,17 @@
----
 {{- $cfg := .Values.apiKey -}}
-{{- if empty (lookup "v1" "Secret" .Release.Namespace $cfg.secretName).data }}
+{{- $secret :=  lookup "v1" "Secret" .Release.Namespace $cfg.secretName }}
+{{- if empty $secret | or (include "aserto-lib.isManagedResource" (list $secret .Release.Name) | eq "true") -}}
+
+---
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $cfg.secretName }}
-data:  
-  {{ $cfg.secretKey }}: {{ randAlphaNum 20 | b64enc }}  
-{{- end }}
+data:
+{{- if ($secret).data }}
+  {{ $cfg.secretKey }}: {{ get $secret.data $cfg.secretKey }}
+{{- else }}
+  {{ $cfg.secretKey }}: {{ randAlphaNum 20 | b64enc }}
+{{- end }}
+
+{{- end }}