diff --git a/.github/ct.yaml b/.github/ct.yaml index 9c2b57c..75295ae 100644 --- a/.github/ct.yaml +++ b/.github/ct.yaml @@ -5,3 +5,4 @@ check-version-increment: true debug: true helm-extra-args: --timeout 600s target-branch: main +upgrade: true diff --git a/charts/visual-regression-tracker/Chart.yaml b/charts/visual-regression-tracker/Chart.yaml index 14775a4..66d1ba4 100644 --- a/charts/visual-regression-tracker/Chart.yaml +++ b/charts/visual-regression-tracker/Chart.yaml @@ -6,7 +6,7 @@ sources: - https://github.com/Visual-Regression-Tracker/Visual-Regression-Tracker - https://github.com/kokuwaio/helm-charts/tree/main/charts/visual-regression-tracker type: application -version: 3.2.0 +version: 4.0.0 appVersion: "5.0.4" maintainers: - name: monotek diff --git a/charts/visual-regression-tracker/README.md b/charts/visual-regression-tracker/README.md index 5d45069..cbb7b98 100644 --- a/charts/visual-regression-tracker/README.md +++ b/charts/visual-regression-tracker/README.md @@ -49,6 +49,16 @@ helm upgrade vrt kokuwa/visual-regression-tracker _See [`helm upgrade`](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ +### From 3.0.x to 4.0.0 + +This version adds a proxy in fornt of the API server which protects it via basic auth. The configuration can be done via `authProxy.basicAuth.username`, `authProxy.basicAuth.password`. The password can also be populated by predefined secret via `secrets.authProxy`. + +The `secrets.apiUrl` secrets has been removed. + +The `reactAppApiUrl` variables has been split up into `reactAppApi.protocol` & `reactAppApi.url`. + +The `vrtComponents.api.ingress` config has been moved to `authProxy.ingress`. + ### From 2.0.x to 3.0.0 This updates Visual Regression Tracker to 5.0.3. Please follow the [official migration steps](https://github.com/Visual-Regression-Tracker/Visual-Regression-Tracker/releases/tag/5.0.0): 
diff --git a/charts/visual-regression-tracker/templates/_helpers.tpl b/charts/visual-regression-tracker/templates/_helpers.tpl index f64b5c2..6c31884 100644 --- a/charts/visual-regression-tracker/templates/_helpers.tpl +++ b/charts/visual-regression-tracker/templates/_helpers.tpl @@ -105,13 +105,14 @@ vrt secret name {{- end -}} {{- end -}} + {{/* -vrt api url secret name +vrt auth proxy secret name */}} -{{- define "visual-regression-tracker.vrtApiUrlSecretName" -}} -{{- if .Values.secrets.apiUrl.useExisting -}} -{{ .Values.secrets.apiUrl.secretName }} +{{- define "visual-regression-tracker.authProxySecretName" -}} +{{- if .Values.secrets.authProxy.useExisting -}} +{{ .Values.secrets.authProxy.secretName }} {{- else -}} -{{ template "visual-regression-tracker.fullname" . }}-{{ .Values.secrets.apiUrl.secretName }} +{{ template "visual-regression-tracker.fullname" . }}-{{ .Values.secrets.authProxy.secretName }} {{- end -}} {{- end -}} diff --git a/charts/visual-regression-tracker/templates/auth-proxy-configmap.yaml b/charts/visual-regression-tracker/templates/auth-proxy-configmap.yaml new file mode 100644 index 0000000..5151014 --- /dev/null +++ b/charts/visual-regression-tracker/templates/auth-proxy-configmap.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "visual-regression-tracker.fullname" . }}-auth + labels: + {{- include "visual-regression-tracker.labels" . | nindent 4 }} + component: auth-proxy +data: + default.conf: | + server { + listen 8080; + + server_name _; + + location /health { + return 200 'ok\n'; + } + + location / { + auth_basic "restricted"; + auth_basic_user_file /tmp/htpass; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; + proxy_pass "http://{{ include "visual-regression-tracker.fullname" . }}-api:4200"; + proxy_http_version 1.1; + } + } 
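Review bot: The nginx config in auth-proxy-configmap.yaml hardcodes `listen 8080;` and the upstream port in `proxy_pass "http://...-api:4200"`, while the deployment's `containerPort` and the service follow `.Values.authProxy.service.port` and the former ingress-api.yaml derived the API port from `.Values.vrtComponents.api.service.port`; an operator who changes either value gets a proxy that listens on the wrong port or cannot reach the API. Suggested lines: `listen {{ .Values.authProxy.service.port }};` and `proxy_pass "http://{{ include "visual-regression-tracker.fullname" . }}-api:{{ .Values.vrtComponents.api.service.port }}";`. Separately, `proxy_set_header X-Forwarded-For $remote_addr;` overwrites any forwarded-for chain set by the ingress controller with the controller's own address, so the API never sees the original client IP; `$proxy_add_x_forwarded_for` appends instead, if the API is expected to log client addresses. The `/health` location is deliberately outside `auth_basic`; a one-line comment such as `# unauthenticated on purpose: used by the kubelet probes only` would keep a later reviewer from "fixing" it.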
diff --git a/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml b/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml
new file mode 100644
index 0000000..cb5ed45
--- /dev/null
+++ b/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml
@@ -0,0 +1,104 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "visual-regression-tracker.fullname" . }}-auth + labels: + {{- include "visual-regression-tracker.labels" . | nindent 4 }} + component: auth-proxy +spec: + replicas: {{ .Values.authProxy.replicaCount }} + selector: + matchLabels: + {{- include "visual-regression-tracker.selectorLabels" . | nindent 6 }} + component: auth-proxy + template: + metadata: + {{- with .Values.authProxy.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "visual-regression-tracker.labels" . | nindent 8 }} + {{- with .Values.authProxy.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + component: auth-proxy + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "visual-regression-tracker.serviceAccountName" . }} + initContainers: + - name: create-basic-auth + command: + - htpasswd + - -b + - -c + - /tmp/htpass + - {{ .Values.authProxy.basicAuth.username }} + - $(AUTH_SECRET) + env: + - name: AUTH_SECRET + valueFrom: + secretKeyRef: + name: {{ template "visual-regression-tracker.authProxySecretName" . 
}} + key: {{ .Values.secrets.authProxy.secretKey }} + securityContext: + {{- toYaml .Values.authProxy.initContainer.securityContext | nindent 12 }} + image: "{{ .Values.authProxy.initContainer.image.repository }}:{{ .Values.authProxy.initContainer.image.tag }}" + imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }} + resources: + {{- toYaml .Values.authProxy.initContainer.resources | nindent 12 }} + volumeMounts: + - mountPath: /tmp + name: tmpdir + containers: + - name: auth-proxy + securityContext: + {{- toYaml .Values.authProxy.securityContext | nindent 12 }} + image: "{{ .Values.authProxy.image.repository }}:{{ .Values.authProxy.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.authProxy.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: /health + port: 8080 + failureThreshold: 10 + readinessProbe: + httpGet: + path: /health + port: 8080 + failureThreshold: 3 + resources: + {{- toYaml .Values.authProxy.resources | nindent 12 }} + volumeMounts: + - mountPath: /tmp + name: tmpdir + - name: auth + mountPath: /etc/nginx/conf.d/default.conf + subPath: default.conf + readOnly: true + volumes: + - name: tmpdir + emptyDir: + sizeLimit: {{ .Values.authProxy.tmpDirSizeLimit }} + - name: auth + configMap: + defaultMode: 420 + name: {{ include "visual-regression-tracker.fullname" . }}-auth + {{- with .Values.authProxy.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authProxy.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authProxy.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
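Review bot: The init container's `imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }}` reads the proxy image's policy, although the values.yaml hunk in this commit introduces `authProxy.initContainer.image.pullPolicy`, so that key is never consulted; the line should read `imagePullPolicy: {{ .Values.authProxy.initContainer.image.pullPolicy }}`. The liveness and readiness probes hardcode `port: 8080` while `containerPort` follows `.Values.authProxy.service.port`; `port: http` would bind the probes to the named port and remove the mismatch. The proxy image's `tag | default .Chart.AppVersion` falls back to the VRT application version, which is not a tag of the nginx-unprivileged image, so an empty tag yields an unpullable image instead of a clear error. Finally, `htpasswd -b` receives the expanded `$(AUTH_SECRET)` as a command-line argument, which leaves the password readable in the init container's process listing on the node for as long as it runs; feeding it over stdin (`htpasswd -i`) through a small `sh -c` wrapper avoids that exposure.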
diff --git a/charts/visual-regression-tracker/templates/ingress-api.yaml b/charts/visual-regression-tracker/templates/auth-proxy-ingress.yaml similarity index 60% rename from charts/visual-regression-tracker/templates/ingress-api.yaml rename to charts/visual-regression-tracker/templates/auth-proxy-ingress.yaml index dfd3b22..54518af 100644 --- a/charts/visual-regression-tracker/templates/ingress-api.yaml +++ b/charts/visual-regression-tracker/templates/auth-proxy-ingress.yaml @@ -1,9 +1,9 @@ -{{- if .Values.vrtComponents.api.ingress.enabled -}} +{{- if .Values.authProxy.ingress.enabled -}} {{- $fullName := include "visual-regression-tracker.fullname" . -}} -{{- $svcPort := .Values.vrtComponents.api.service.port -}} -{{- if and .Values.vrtComponents.api.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.vrtComponents.api.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.vrtComponents.api.ingress.annotations "kubernetes.io/ingress.class" .Values.vrtComponents.api.ingress.className}} +{{- $svcPort := .Values.authProxy.service.port -}} +{{- if and .Values.authProxy.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.authProxy.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.authProxy.ingress.annotations "kubernetes.io/ingress.class" .Values.authProxy.ingress.className}} {{- end }} {{- end }} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} 
@@ -15,20 +15,20 @@ apiVersion: extensions/v1beta1 {{- end }} kind: Ingress metadata: - name: {{ $fullName }} + name: "{{ $fullName }}-auth" labels: {{- include "visual-regression-tracker.labels" . | nindent 4 }} - {{- with .Values.vrtComponents.api.ingress.annotations }} + {{- with .Values.authProxy.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if and .Values.vrtComponents.api.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.vrtComponents.api.ingress.className }} + {{- if and .Values.authProxy.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.authProxy.ingress.className }} {{- end }} - {{- if .Values.vrtComponents.api.ingress.tls }} + {{- if .Values.authProxy.ingress.tls }} tls: - {{- range .Values.vrtComponents.api.ingress.tls }} + {{- range .Values.authProxy.ingress.tls }} - hosts: {{- range .hosts }} - {{ . | quote }} @@ -37,7 +37,7 @@ spec: {{- end }} {{- end }} rules: - {{- range .Values.vrtComponents.api.ingress.hosts }} + {{- range .Values.authProxy.ingress.hosts }} - host: {{ .host | quote }} http: paths: diff --git a/charts/visual-regression-tracker/templates/auth-proxy-secret.yaml b/charts/visual-regression-tracker/templates/auth-proxy-secret.yaml new file mode 100644 index 0000000..318ab5f --- /dev/null +++ b/charts/visual-regression-tracker/templates/auth-proxy-secret.yaml @@ -0,0 +1,13 @@ +{{ if and .Values.authProxy.basicAuth.password (not .Values.secrets.authProxy.useExisting) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "visual-regression-tracker.fullname" . }}-auth + labels: + {{- include "visual-regression-tracker.labels" . | nindent 4 }} + component: auth-proxy +type: Opaque +data: + {{ .Values.secrets.authProxy.secretKey }}: {{ .Values.authProxy.basicAuth.password | b64enc | quote }} +{{ end }} 
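Review bot: In auth-proxy-secret.yaml the `if and .Values.authProxy.basicAuth.password (not .Values.secrets.authProxy.useExisting)` guard silently renders no Secret when the password is empty, yet the auth-proxy deployment and the UI statefulset reference `authProxySecretName` unconditionally, so the problem only surfaces as pods stuck on a missing secret at runtime. Making the value mandatory turns that into an install-time error: reduce the outer condition to `{{ if not .Values.secrets.authProxy.useExisting }}` and write the data line as `{{ .Values.secrets.authProxy.secretKey }}: {{ required "authProxy.basicAuth.password must be set when secrets.authProxy.useExisting is false" .Values.authProxy.basicAuth.password | b64enc | quote }}`. The secret key itself is rendered unquoted; `{{ .Values.secrets.authProxy.secretKey | quote }}:` keeps a user-supplied key that looks like a boolean or number from being retyped by the YAML parser.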
diff --git a/charts/visual-regression-tracker/templates/auth-proxy-service.yaml b/charts/visual-regression-tracker/templates/auth-proxy-service.yaml new file mode 100644 index 0000000..4e0a1ed --- /dev/null +++ b/charts/visual-regression-tracker/templates/auth-proxy-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "visual-regression-tracker.fullname" . }}-auth + labels: + {{- include "visual-regression-tracker.labels" . | nindent 4 }} + component: auth-proxy +spec: + type: {{ .Values.authProxy.service.type }} + ports: + - port: {{ .Values.authProxy.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "visual-regression-tracker.selectorLabels" . | nindent 4 }} + component: auth-proxy diff --git a/charts/visual-regression-tracker/templates/configmap.yaml b/charts/visual-regression-tracker/templates/configmap.yaml index 7f0a859..fe26488 100644 --- a/charts/visual-regression-tracker/templates/configmap.yaml +++ b/charts/visual-regression-tracker/templates/configmap.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: env-config + name: {{ include "visual-regression-tracker.fullname" . }}-env-config labels: {{- include "visual-regression-tracker.labels" . | nindent 4 }} data: diff --git a/charts/visual-regression-tracker/templates/ingress-ui.yaml b/charts/visual-regression-tracker/templates/ingress-ui.yaml index 6370455..ea25a30 100644 --- a/charts/visual-regression-tracker/templates/ingress-ui.yaml +++ b/charts/visual-regression-tracker/templates/ingress-ui.yaml @@ -15,7 +15,7 @@ apiVersion: extensions/v1beta1 {{- end }} kind: Ingress metadata: - name: {{ $fullName }} + name: "{{ $fullName }}-ui" labels: {{- include "visual-regression-tracker.labels" . | nindent 4 }} {{- with .Values.vrtComponents.ui.ingress.annotations }} 
diff --git a/charts/visual-regression-tracker/templates/secrets.yaml b/charts/visual-regression-tracker/templates/secrets.yaml index a1fa2cb..d5c0c3d 100644 --- a/charts/visual-regression-tracker/templates/secrets.yaml +++ b/charts/visual-regression-tracker/templates/secrets.yaml @@ -46,15 +46,3 @@ type: Opaque data: {{ .Values.secrets.defaults.secretKey }}: {{ tpl (.Files.Get "files/seed.ts") $ | b64enc }} {{ end }} -{{ if and .Values.vrtConfig.reactAppApiUrl (not .Values.secrets.apiUrl.useExisting) }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "visual-regression-tracker.vrtApiUrlSecretName" . }} - labels: - {{- include "visual-regression-tracker.labels" . | nindent 4 }} -type: Opaque -data: - {{ .Values.secrets.apiUrl.secretKey }}: {{ .Values.vrtConfig.reactAppApiUrl | b64enc | quote }} -{{ end }} diff --git a/charts/visual-regression-tracker/templates/statefulset.yaml b/charts/visual-regression-tracker/templates/statefulset.yaml index 073116f..9b3aab1 100644 --- a/charts/visual-regression-tracker/templates/statefulset.yaml +++ b/charts/visual-regression-tracker/templates/statefulset.yaml @@ -121,11 +121,13 @@ spec: mountPath: /imageUploads - name: {{ .Chart.Name }}-ui env: - - name: REACT_APP_API_URL + - name: BASIC_AUTH_PASSWORD valueFrom: secretKeyRef: - name: {{ template "visual-regression-tracker.vrtApiUrlSecretName" . }} - key: {{ .Values.secrets.apiUrl.secretKey }} + name: {{ template "visual-regression-tracker.authProxySecretName" . }} + key: {{ .Values.secrets.authProxy.secretKey }} + - name: REACT_APP_API_URL + value: "{{ .Values.vrtConfig.reactAppApi.protocol }}://{{ .Values.authProxy.basicAuth.username }}:$(BASIC_AUTH_PASSWORD)@{{ .Values.vrtConfig.reactAppApi.url }}" - name: VRT_VERSION value: "{{ .Chart.AppVersion }}" image: "{{ .Values.vrtComponents.ui.image.repository }}:{{ .Values.vrtComponents.ui.image.tag }}" 
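Review bot: The new `REACT_APP_API_URL` value interpolates `$(BASIC_AUTH_PASSWORD)` into the URL without any encoding, so a password containing `@`, `/`, `:`, `?` or `#` produces a malformed URL and a UI that cannot reach the API; the constraint belongs next to `authProxy.basicAuth.password` in values.yaml, e.g. `# must not contain URL-reserved characters (@ : / ? #): it is embedded unencoded in REACT_APP_API_URL`. Because this is a `REACT_APP_` variable consumed by the UI (presumably through the env.sh mount on the lines that follow this hunk), the username and password end up in the configuration served to every browser, so the basic auth only shields the API from anonymous clients, not from UI users; the README's "protects it via basic auth" wording should say so explicitly. The `$(BASIC_AUTH_PASSWORD)` reference works only because `BASIC_AUTH_PASSWORD` is declared earlier in the same env list; a short comment, `# must stay above REACT_APP_API_URL: $(VAR) expansion only sees earlier entries`, would protect that ordering. The env block continues outside the hunk.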
@@ -148,7 +150,7 @@ spec: securityContext: {{- toYaml .Values.vrtComponents.ui.securityContext | nindent 12 }} volumeMounts: - - name: {{ template "visual-regression-tracker.fullname" . }} + - name: env-config mountPath: /usr/share/nginx/html/static/imageUploads - name: env-config mountPath: /usr/share/nginx/html/env.sh @@ -179,7 +181,7 @@ spec: volumes: - name: env-config configMap: - name: env-config + name: {{ include "visual-regression-tracker.fullname" . }}-env-config defaultMode: 0777 - name: tmp {{- toYaml .Values.vrtComponents.ui.tmpDirVolume | nindent 10 }} diff --git a/charts/visual-regression-tracker/values.yaml b/charts/visual-regression-tracker/values.yaml index 008b2da..5fcd9d0 100644 --- a/charts/visual-regression-tracker/values.yaml +++ b/charts/visual-regression-tracker/values.yaml 
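Review bot: The mount at `/usr/share/nginx/html/static/imageUploads` now references the volume `env-config`, which the `volumes:` hunk further down defines as the `-env-config` ConfigMap, and the very next line mounts that same `env-config` volume for `env.sh`; unless the persistent uploads volume was renamed outside this hunk, the UI will serve the ConfigMap's contents where the uploaded images are expected. If the volume previously named `{{ template "visual-regression-tracker.fullname" . }}` still exists (the API container's `/imageUploads` mount in the earlier hunk presumably uses the same claim), this mount should keep pointing at it rather than at the ConfigMap. The volumeMounts list and the enclosing container spec continue outside the hunk.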
@@ -3,6 +3,86 @@ fullnameOverride: "" imagePullSecrets: [] +authProxy: + replicaCount: 1 + + basicAuth: + username: api-user + password: "ChangeTheApiPassword!" + + initContainer: + image: + repository: httpd + pullPolicy: IfNotPresent + tag: "2.4.59" + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + + image: + repository: nginxinc/nginx-unprivileged + pullPolicy: IfNotPresent + tag: "1.27.0-alpine3.19" + + ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + podAnnotations: {} + + podLabels: {} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + + service: + type: ClusterIP + port: 8080 + + tmpDirSizeLimit: 100Mi + vrtConfig: appFrontendUrl: "http://localhost:8080" bodyParserJsonLimit: "5mb" @@ -32,7 +112,10 @@ vrtConfig: port: 5432 # needs to be the same as the postgresql.auth.username user: vrt - reactAppApiUrl: "http://localhost:4200" + reactAppApi: + # the basic auth username & password are included automaticaly + protocol: "http" + url: "localhost:4200" vrtComponents: api: @@ -41,22 +124,6 @@ vrtComponents: pullPolicy: IfNotPresent tag: "5.0.5" - ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -171,14 +238,14 @@ persistence: annotations: {} secrets: - apiUrl: + authProxy: useExisting: false - secretKey: api-url - secretName: vrt-api-url + secretKey: password + secretName: auth defaults: useExisting: false - secretName: vrt secretKey: seed.ts + secretName: vrt elasticsearch: useExisting: false secretKey: es-pass
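Review bot: `authProxy.basicAuth.password: "ChangeTheApiPassword!"` ships a working default credential, so every installation that does not override it exposes the API behind a publicly known password and the chart cannot distinguish a deliberate choice from an oversight; prefer `password: ""` and have auth-proxy-secret.yaml fail with `required` when it is empty and `secrets.authProxy.useExisting` is false. Neither `authProxy.securityContext` nor `authProxy.initContainer.securityContext` sets `runAsNonRoot: true` or `readOnlyRootFilesystem: true`, although the only writable path the deployment needs is the `/tmp` emptyDir; adding both would enforce the intended privilege level (whether the `httpd` init image and nginx's cache directories tolerate a read-only root needs a test run, and may require extra emptyDir mounts). `reactAppApi.protocol: "http"` as the default means the credential embedded in `REACT_APP_API_URL` travels in clear text unless the operator switches to `https`; a comment next to the key, e.g. `# use "https" outside local testing: the basic auth credential is embedded in this URL`, would make that visible.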