Split Tornjak Frontend into separate subchart (#179)

Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
Co-authored-by: Marco Franssen <marco.franssen@gmail.com>

charts/spire/Chart.yaml

@@ -36,6 +36,10 @@ dependencies:
     condition: spiffe-oidc-discovery-provider.enabled
     repository: file://./charts/spiffe-oidc-discovery-provider
     version: 0.1.0
+  - name: tornjak-frontend
+    condition: tornjak-frontend.enabled
+    repository: file://./charts/tornjak-frontend
+    version: 0.1.0
 annotations:
   artifacthub.io/category: security
   artifacthub.io/license: Apache-2.0

charts/spire/README.md

@@ -103,6 +103,7 @@ Kubernetes: `>=1.21.0-0`
 | file://./charts/spiffe-oidc-discovery-provider | spiffe-oidc-discovery-provider | 0.1.0 |
 | file://./charts/spire-agent | spire-agent | 0.1.0 |
 | file://./charts/spire-server | spire-server | 0.1.0 |
+| file://./charts/tornjak-frontend | tornjak-frontend | 0.1.0 |
 
 ## Values
 
@@ -121,5 +122,6 @@ Kubernetes: `>=1.21.0-0`
 | spire-server.controllerManager.enabled | bool | `true` |  |
 | spire-server.enabled | bool | `true` |  |
 | spire-server.nameOverride | string | `"server"` |  |
+| tornjak-frontend.enabled | bool | `false` |  |
 
 ----------------------------------------------

charts/spire/charts/spire-server/README.md

@@ -69,7 +69,7 @@ A Helm chart to install the SPIRE server.
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.registry | string | `"ghcr.io"` |  |
 | image.repository | string | `"spiffe/spire-server"` |  |
-| image.version | string | `""` |  |
+| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | initContainers | list | `[]` |  |
 | jwtIssuer | string | `"oidc-discovery.example.org"` |  |
@@ -97,14 +97,13 @@ A Helm chart to install the SPIRE server.
 | telemetry.prometheus.podMonitor.namespace | string | `""` | Override where to install the podMonitor, if not set will use the same namespace as the spire-server |
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` |  |
-| tornjak.config.backend.dataStore.driver | string | `"sqlite3"` |  |
-| tornjak.config.backend.dataStore.file | string | `"/run/spire/data/tornjak.sqlite3"` |  |
-| tornjak.config.frontend.apiServerURL | string | `"http://localhost:10000"` |  |
-| tornjak.enabled | bool | `false` |  |
-| tornjak.image.pullPolicy | string | `"IfNotPresent"` |  |
-| tornjak.image.registry | string | `"ghcr.io"` |  |
-| tornjak.image.repository | string | `"spiffe/tornjak"` |  |
-| tornjak.image.version | string | `"latest"` |  |
+| tornjak.config.dataStore | object | `{"driver":"sqlite3","file":"/run/spire/data/tornjak.sqlite3"}` | persistent DB for storing Tornjak specific information |
+| tornjak.enabled | bool | `false` | Deploys Tornjak API (backend) |
+| tornjak.image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"spiffe/tornjak-be","version":"v1.0.2"}` | Tornjak API image |
+| tornjak.image.version | string | `"v1.0.2"` | Overrides the image tag whose default is the chart appVersion. |
+| tornjak.service.annotations | object | `{}` |  |
+| tornjak.service.port | int | `10000` |  |
+| tornjak.service.type | string | `"ClusterIP"` |  |
 | trustDomain | string | `"example.org"` |  |
 | upstreamAuthority.certManager.enabled | bool | `false` |  |
 | upstreamAuthority.certManager.issuer_group | string | `"cert-manager.io"` |  |

charts/spire/charts/spire-server/templates/NOTES.txt

@@ -8,17 +8,14 @@ Installed {{ .Chart.Name }}…
 {{- if eq (.Values.tornjak.enabled | toString) "true" }}
 
 ### WARNING ###
+
 This Tornjak is configured without authentication and it is intended for
 testing only. Please do not use this version in production.
 
 Tornjak APIs (Backend):
-      kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 10000:10000
-
-Tornjak UI (Frontend):
-      kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 3000:3000
+      kubectl -n {{ include "spire-server.namespace" . }} port-forward {{ include "spire-server.fullname" . }}-0 {{ .Values.tornjak.service.port }}:10000
 
-Tornjak API access:  {{ include "tornjak.apiURL" . }}
-Tornjak UI access:   {{ include "tornjak.FrontendURL" . }}
+Open browser to: http://localhost:{{ .Values.tornjak.service.port }}
 
 Installed {{ include "spire-tornjak.fullname" . }}…
 {{- end }}

charts/spire/charts/spire-server/templates/_helpers.tpl

@@ -159,24 +159,6 @@ Tornjak specific section
 {{- define "spire-tornjak.config" -}}
 {{ include "spire-tornjak.fullname" . }}-config
 {{- end }}
-{{- define "spire-tornjak.frontend" -}}
-{{ include "spire-tornjak.fullname" . }}-fe
-{{- end }}
 {{- define "spire-tornjak.backend" -}}
 {{ include "spire-tornjak.fullname" . }}-be
 {{- end }}
-
-{{/*
-Create URL for accessing Tornjak Backend
-*/}}
-{{- define "tornjak.apiURL" -}}
-{{- default .Values.tornjak.config.frontend.apiServerURL }}
-{{- end }}
-
-{{/*
-Create URL for accessing Tornjak Frontend
-*/}}
-{{- define "tornjak.FrontendURL" -}}
-{{- $feurl := print "http://localhost:3000" }}
-{{- $feurl }}
-{{- end }}

charts/spire/charts/spire-server/templates/service.yaml

@@ -31,31 +31,22 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata:
-  namespace: {{ include "spire-server.namespace" . }}
-  name: {{ include "spire-tornjak.frontend" . }}
-spec:
-  type: {{ .Values.service.type }} # ClusterIP
-  selector:
-    {{- include "spire-server.selectorLabels" . | nindent 4 }}
-  ports:
-    - name: {{ include "spire-tornjak.frontend" . }}
-      port: 3000
-      targetPort: 3000
-      protocol: TCP
----
-apiVersion: v1
-kind: Service
 metadata:
   namespace: {{ include "spire-server.namespace" . }}
   name: {{ include "spire-tornjak.backend" . }}
+  {{- with .Values.tornjak.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 8 }}
+  {{- end }}
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
 spec:
-  type: {{ .Values.service.type }} # ClusterIP
+  type: {{ .Values.tornjak.service.type }}
   selector:
    {{- include "spire-server.selectorLabels" . | nindent 4 }}
   ports:
     - name: {{ include "spire-tornjak.backend" . }}
-      port: 10000
-      targetPort: 10000
+      port: {{ .Values.tornjak.service.port }}
+      targetPort: tornjak
       protocol: TCP
 {{- end }}

charts/spire/charts/spire-server/templates/statefulset.yaml

@@ -156,39 +156,35 @@ spec:
           startupProbe:
             httpGet:
               scheme: HTTP
-              port: 3000
-            failureThreshold: 6
-            initialDelaySeconds: 60
-            periodSeconds: 30
+              port: 10000
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
             successThreshold: 1
-            timeoutSeconds: 10
-          env:
-          {{- if .Values.tornjak.config.frontend }}
-          - name: REACT_APP_API_SERVER_URI
-            value: {{ include "tornjak.apiURL" . | required "Either .Values.tornjak.config.backend.ingress or .Values.tornjak.config.frontend.apiServerURL is required." }}
-          {{- end }}
+            timeoutSeconds: 5
           args:
-          - -c
-          - /run/spire/config/server.conf
-          - -t
-          - /run/spire/tornjak-config/server.conf
+            - -c
+            - /run/spire/config/server.conf
+            - -t
+            - /run/spire/tornjak-config/server.conf
           ports:
-          - containerPort: 3000
-            protocol: TCP
+            - name: tornjak
+              containerPort: 10000
+              protocol: TCP
           volumeMounts:
-          - name: {{ include "spire-tornjak.config" . }}
-            mountPath: /run/spire/tornjak-config
-          - name: spire-server-socket
-            mountPath: /tmp/spire-server/private
-            readOnly: true
-          - name: spire-config
-            mountPath: /run/spire/config
-            readOnly: true
-          {{- if eq (.Values.dataStorage.enabled | toString) "true" }}
-          - name: spire-data
-            mountPath: /run/spire/data
-            readOnly: false
-          {{- end }}
+            - name: {{ include "spire-tornjak.config" . }}
+              mountPath: /run/spire/tornjak-config
+            - name: spire-server-socket
+              mountPath: /tmp/spire-server/private
+              readOnly: true
+            - name: spire-config
+              mountPath: /run/spire/config
+              readOnly: true
+            {{- if eq (.Values.dataStorage.enabled | toString) "true" }}
+            - name: spire-data
+              mountPath: /run/spire/data
+              readOnly: false
+            {{- end }}
         {{- end }}
 
         {{- if gt (len .Values.extraContainers) 0 }}

charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml

@@ -4,24 +4,19 @@ kind: Pod
 metadata:
   name: "{{ include "spire-tornjak.fullname" . }}-test-connection"
   namespace: {{ include "spire-server.namespace" . }}
-  labels:  
+  labels:
+    {{- include "spire-server.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test
 spec:
   securityContext:
     {{- toYaml .Values.podSecurityContext | nindent 4 }}
   containers:
     - name: wget-tornjak-backend
-      image: busybox
-      command: ['wget']
-      args: ['--no-check-certificate', '-O', '/dev/null', 'http://{{ include "spire-tornjak.backend" . }}:10000/api/tornjak/serverinfo']
-      securityContext:
-        {{- toYaml .Values.securityContext | nindent 8 }}
-    - name: wget-tornjak-frontend
-      image: busybox
-      command: ['wget']
-      args: ['--no-check-certificate', '-O', '/dev/null', 'http://{{ include "spire-tornjak.frontend" . }}:3000']
+      image: cgr.dev/chainguard/bash:latest
+      command: ['curl']
+      args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-server.cluster-domain" . }}:{{ .Values.tornjak.service.port }}']
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
   restartPolicy: Never
-{{- end }}
+{{- end }}

charts/spire/charts/spire-server/templates/tornjak-config.yaml

@@ -11,11 +11,11 @@ data:
     }
 
     plugins {
-    {{- if .Values.tornjak.config.backend.dataStore }}
+    {{- if .Values.tornjak.config.dataStore }}
       DataStore "sql" {
         plugin_data {
-          drivername = "{{ .Values.tornjak.config.backend.dataStore.driver }}"
-          filename = "{{ .Values.tornjak.config.backend.dataStore.file }}"
+          drivername = "{{ .Values.tornjak.config.dataStore.driver }}"
+          filename = "{{ .Values.tornjak.config.dataStore.file }}"
         }
       }
     {{- end }}

charts/spire/charts/spire-server/values.yaml

@@ -6,12 +6,10 @@
 replicaCount: 1
 
 image:
-  # registry: gcr.io
-  # repository: spiffe-io/spire-server
   registry: ghcr.io
   repository: spiffe/spire-server
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- Overrides the image tag whose default is the chart appVersion.
   version: ""
 
 imagePullSecrets: []
@@ -220,23 +218,21 @@ nodeAttestor:
 
 # tornjak - Tornjak specific configuration
 tornjak:
+  # -- Deploys Tornjak API (backend)
   enabled: false
-  # image - Tornjak image (frontend + backend) if not separated above
-  image: # ghcr.io/spiffe/tornjak
+  # -- Tornjak API image
+  image:
     registry: ghcr.io
-    repository: spiffe/tornjak
+    repository: spiffe/tornjak-be
     pullPolicy: IfNotPresent
-    # Overrides the image tag whose default is the chart appVersion.
-    # TODO we should use a specific Tornjak version instead of 'latest'
-    version: "latest"
+    # -- Overrides the image tag whose default is the chart appVersion.
+    version: "v1.0.2"
+  service:
+    type: ClusterIP
+    port: 10000
+    annotations: {}
   config:
-    # Front-end specific configuration:
-    frontend:
-      # apiServerURL - URL of the Tornjak back-end
-      apiServerURL: "http://localhost:10000"  # 👈 Use it for minikube or kind
-     # Back-end specific configuration
-    backend:
-      # dataStore - persistent DB for storing Tornjak specific information
-      dataStore:
-        driver: "sqlite3"
-        file: "/run/spire/data/tornjak.sqlite3"
+    # -- persistent DB for storing Tornjak specific information
+    dataStore:
+      driver: "sqlite3"
+      file: "/run/spire/data/tornjak.sqlite3"

charts/spire/charts/tornjak-frontend/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: tornjak-frontend
+description: A Helm chart to deploy Tornjak frontend
+type: application
+version: 0.1.0
+appVersion: "v1.0.2"
+maintainers:
+  - name: mrsabath
+    email: mrsabath@gmail.com
+    url: https://mrsabath.github.io

charts/spire/charts/tornjak-frontend/README.md

@@ -0,0 +1,64 @@
+# tornjak-frontend
+
+<!-- This README.md is generated. Please edit README.md.gotmpl -->
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.2](https://img.shields.io/badge/AppVersion-v1.0.2-informational?style=flat-square)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+A Helm chart to deploy Tornjak frontend
+
+## Version support
+
+> **Note**: This Chart is still in development and still subject to change the API (`values.yaml`).
+> Until we reach a `1.0.0` version of the chart we can't guarantee backwards compatibility although
+> we do aim for as much stability as possible.
+
+| Dependency | Supported Versions |
+|:-----------|:-------------------|
+| SPIRE      | `1.5.3+`, `1.6.x`  |
+| Tornjak    | `1.0.x`            |
+| Helm       | `3.x`              |
+
+## Prerequisites
+
+This chart requires access to Tornjak Backend (`tornjakFrontend.apiServerURL`).
+This URL needs to be reachable from your webbrowser and can therefore not be a cluster internal URL.
+
+Obtain the URL for Tornjak APIs. If deployed in the same cluster, locally,
+Tornjak APIs are typically available at `http://localhost:10000`.
+Review Tornjak documentation for more details.
+
+## Usage
+
+Since this is just a demo version, to access Tornjak APIs you can use
+port forwarding. See the chart NOTES output for more details.
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| mrsabath | <mrsabath@gmail.com> | <https://mrsabath.github.io> |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| apiServerURL | string | `"http://localhost:10000/"` | URL of the Tornjak APIs (backend) Since Tornjak Frontend runs in the browser, this URL must be accessible from the machine running a browser. |
+| fullnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.registry | string | `"ghcr.io"` |  |
+| image.repository | string | `"spiffe/tornjak-fe"` |  |
+| image.version | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| imagePullSecrets | list | `[]` |  |
+| labels | object | `{}` |  |
+| nameOverride | string | `""` |  |
+| namespaceOverride | string | `""` |  |
+| podSecurityContext | object | `{}` |  |
+| securityContext | object | `{}` |  |
+| service.annotations | object | `{}` |  |
+| service.port | int | `3000` |  |
+| service.type | string | `"ClusterIP"` |  |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+----------------------------------------------