Add helm chart (#13)

.dockerignore

@@ -0,0 +1,6 @@
+*
+!Cargo.lock
+!Cargo.toml
+!src
+!sqlx-data.json
+!migrations

.editorconfig

@@ -11,7 +11,7 @@ trim_trailing_whitespace = true
 [*.md]
 trim_trailing_whitespace = false
 
-[*.yml]
+[{*.yml,*.yaml}]
 indent_size = 2
 
 [*.json]

.env.example

@@ -0,0 +1,3 @@
+APP_AGENT_LABEL=presence-1
+DATABASE_URL=postgres://postgres:postgres@localhost/presence_dev
+RUST_LOG=info

.github/workflows/ci.yml

@@ -25,3 +25,12 @@ jobs:
       - run: cargo test --all-features --verbose
         env:
           RUST_BACKTRACE: 1
+
+  dotenv-linter:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: dotenv-linter/action-dotenv-linter@v2
+        with:
+          reporter: github-pr-review
+          fail_on_error: true

.gitignore

@@ -1,4 +1,4 @@
 /target
 .idea
-presence.toml
+App.toml
 /.env

presence.sample.toml → App.sample.toml

@@ -1,5 +1,6 @@
 id = "presence.dev.svc.example.org"
 listener_address = "0.0.0.0:3000"
+metrics_listener_address = "0.0.0.0:3001"
 svc_audience = "svc.example.org"
 
 [websocket]

chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: presence
+description: User presence service
+home: https://github.com/foxford/presence
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v0.1.0"

chart/README.md

@@ -0,0 +1,29 @@
+# Presence helm chart
+
+Helm chart for [presence](https://github.com/foxford/presence)
+
+## Prerequisites
+
+`.der` keys for each audience should exist to authenticate tokens
+(see `.audiences.*.authn.key` and `.container.{volumes,volumeMounts}` in `values.yaml`)
+
+## Installation
+
+To install presence cd into this dir and run
+```
+helm install presence . --atomic -n testing01
+```
+
+## Tests
+
+You can check that installation completed (somewhat) successfully with
+```
+helm test presence -n testing01
+```
+
+## Removal
+
+To get rid of this chart run
+```
+helm uninstall presence -n helm-test-shkh
+```

chart/templates/NOTES.txt

@@ -0,0 +1,8 @@
+The app is deployed at
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}{{ include "presence.ingressPath" . }}
+
+You can confirm that its running by visiting
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}{{ include "presence.ingressPath" . }}/healthz
+or by running helm tests:
+  helm test -n {{ .Release.Namespace }} {{ .Release.Name }} %chart_dir%
+

chart/templates/_helpers.tpl

@@ -0,0 +1,119 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "presence.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Service name.
+*/}}
+{{- define "presence.serviceName" -}}
+{{- list (default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-") "service" | join "-" }}
+{{- end }}
+
+
+{{/*
+Short namespace.
+*/}}
+{{- define "presence.shortNamespace" -}}
+{{- $shortns := regexSplit "-" .Release.Namespace -1 | first }}
+{{- if has $shortns (list "production" "p") }}
+{{- else }}
+{{- $shortns }}
+{{- end }}
+{{- end }}
+
+{{/*
+Namespace in ingress path.
+converts as follows:
+- testing01 -> t01
+- staging01-classroom-ng -> s01/classroom-ng
+- producion-webinar-ng -> webinar-foxford
+*/}}
+{{- define "presence.ingressPathNamespace" -}}
+{{- $ns_head := regexSplit "-" .Release.Namespace -1 | first }}
+{{- $ns_tail := regexSplit "-" .Release.Namespace -1 | rest | join "-" }}
+{{- if eq $ns_head "production" }}
+{{- regexReplaceAll "(.*)-ng(.*)" $ns_tail "${1}-foxford${2}" }}
+{{- else }}
+{{- $v := list (regexReplaceAll "(.)[^\\d]*(.+)" $ns_head "${1}${2}") $ns_tail | compact | join "/" }}
+{{- regexReplaceAll "(.*)-ng(.*)" $v "${1}-foxford${2}" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ingress path.
+*/}}
+{{- define "presence.ingressPath" -}}
+{{- $shortns := regexSplit "-" .Release.Namespace -1 | first }}
+{{- list "" (include "presence.ingressPathNamespace" .) (include "presence.name" .) | join "/" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "presence.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "presence.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "presence.labels" -}}
+helm.sh/chart: {{ include "presence.chart" . }}
+app.kubernetes.io/name: {{ include "presence.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+k8s-app: {{ include "presence.name" . }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "presence.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "presence.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app: {{ include "presence.name" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "presence.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "presence.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create volumeMount name from audience and secret name
+*/}}
+{{- define "presence.volumeMountName" -}}
+{{- $audience := index . 0 -}}
+{{- $secret := index . 1 -}}
+{{- printf "%s-%s-secret" $audience $secret | replace "." "-" | trunc 63 }}
+{{- end }}

chart/templates/configmap.yaml

@@ -0,0 +1,116 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "presence.labels" . | nindent 4 }}
+  name: {{ include "presence.name" . }}-config
+data:
+  App.toml: |
+    {{- $id := list (include "presence.name" . ) (include "presence.shortNamespace" .) .Values.svc.audience | compact | join "." }}
+    id = {{ $id | quote }}
+    listener_address = "0.0.0.0:{{ get .Values.service.ports "http" }}"
+    metrics_listener_address = "0.0.0.0:{{ get .Values.service.ports "metrics" }}"
+    {{- $svc_audience := list (include "presence.shortNamespace" $) .Values.svc.audience | compact | join "." }}
+    svc_audience = {{ $svc_audience | quote }}
+
+    [websocket]
+    ping_interval = {{ .Values.config.websocket.ping_interval | quote }}
+    pong_expiration_interval = {{ .Values.config.websocket.pong_expiration_interval | quote }}
+    authentication_timeout = {{ .Values.config.websocket.authentication_timeout | quote }}
+    check_old_connection_interval = {{ .Values.config.websocket.check_old_connection_interval | quote }}
+
+    [sentry]
+    dsn = {{ .Values.sentry.dsn | quote }}
+    environment = {{ .Release.Namespace | quote }}
+
+    {{- println "" }}
+
+    {{- with .Values.svc }}
+    ##
+    ## SVC
+    ##
+    {{- $svc_audience := list (include "presence.shortNamespace" $) .audience | compact | join "." }}
+    {{- with .authn }}
+    [authn.{{ $svc_audience | quote }}]
+    audience = [{{ $svc_audience | quote }}]
+    algorithm = "ES256"
+    key = {{ "key" | get . | quote }}
+    {{- end }}
+
+    {{- println "" }}
+
+    {{- with .authz }}
+    [authz.{{ $svc_audience | quote }}]
+    type = {{ .type | quote }}
+    {{- if eq "local" .type }}
+    trusted = [
+      {{- range $account_label := .trusted }}
+        {{ list $account_label | join "." | quote }},
+      {{- end }}
+    ]
+    {{- end }}
+    {{- if eq "localwhitelist" .type }}
+    [[authz.{{ $svc_audience | quote }}.records]]
+    {{- range $record := .records }}
+    subject_account_id = {{ get $record "subject_account_id" | quote }}
+    object = [
+      {{- range $o := get $record "object" }}
+      {{ $o | quote }},
+      {{- end}}
+    ]
+    action = {{ get $record "action" | quote }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+
+    {{- println "" }}
+
+    {{- range .Values.audiences }}
+    ##
+    ## {{ .audience }}
+    ##
+    {{- $svc_audience := list (include "presence.shortNamespace" $) "svc" .audience | compact | join "." }}
+    {{- $usr_audience := list (include "presence.shortNamespace" $) "usr" .audience | compact | join "." }}
+    {{- with "authn" | get . }}
+    [authn.{{ list "iam" $svc_audience | join "." | quote }}]
+    audience = [{{ $svc_audience | quote }}, {{ $usr_audience | quote }}]
+    algorithm = "ES256"
+    key = {{ "key" | get . | quote }}
+    {{- end }}
+
+    {{- $ns_audience := list (include "presence.shortNamespace" $) .audience | compact | join "."  }}
+    {{- println "" }}
+
+    {{- with "authz" | get . }}
+    [authz.{{ $ns_audience | quote }}]
+    type = {{ .type | quote }}
+    {{- if eq "http" .type }}
+    uri = {{ $ns_audience | list "http://dispatcher-service:8080/api/v1/authz/" | join "" | default .uri | quote }}
+    algorithm = {{ default "ES256" .algorithm | quote }}
+    key = {{ default "data/keys/svc.private_key.p8.der" .key | quote }}
+    user_agent = {{ default $id .user_agent | quote }}
+    max_retries = {{ default 3 .max_retries }}
+    {{- end }}
+    {{- if eq "local" .type }}
+    trusted = [
+      {{- range $account_label := .trusted }}
+        {{ $ns_audience | list $account_label | join "." | quote }},
+      {{- end }}
+    ]
+    {{- end }}
+    {{- if eq "localwhitelist" .type }}
+    [[authz.{{ $ns_audience | quote }}.records]]
+    {{- range $record := .records }}
+    subject_account_id = {{ get $record "subject_account_id" | quote }}
+    object = [
+      {{- range $o := get $record "object" }}
+      {{ $o | quote }},
+      {{- end}}
+    ]
+    action = {{ get $record "action" | quote }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+    {{- println "" }}
+    {{- end }}

chart/templates/env.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations: {}
+  labels:
+    {{- include "presence.labels" . | nindent 4 }}
+  name: {{ include "presence.name" . }}-environment
+data:
+  {{- range $key, $value := .Values.env }}
+  {{ $key }}: {{ $value | quote }}
+  {{- end }}