diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..e69de29
diff --git a/.gitignore b/.gitignore
index 68bc17f..a458a08 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,3 +158,5 @@ cython_debug/
 # and can be added to the global gitignore or merged into this file. For a more nuclear
 # option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+nginx/certs/
\ No newline at end of file
diff --git a/charts/eric-oss-hello-world-python-app/Chart.yaml b/charts/eric-oss-hello-world-python-app/Chart.yaml
index 2f6aa4f..609660e 100644
--- a/charts/eric-oss-hello-world-python-app/Chart.yaml
+++ b/charts/eric-oss-hello-world-python-app/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: "2.0.0"
 description: IDUN SDK Hello World App
 name: eric-oss-hello-world-python-app
 type: application
-version: VERSION
+version: "0.0.1-0"
diff --git a/charts/eric-oss-hello-world-python-app/templates/authorization-policy/authorization_policy.yaml b/charts/eric-oss-hello-world-python-app/templates/authorization-policy/authorization_policy.yaml
new file mode 100644
index 0000000..4b2013c
--- /dev/null
+++ b/charts/eric-oss-hello-world-python-app/templates/authorization-policy/authorization_policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ include "eric-oss-hello-world-python-app.name" . }}-ap
+  labels:
+    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
+    {{- if .Values.labels }}
+    {{ .Values.labels | toYaml | indent 4 }}
+    {{- end }}
+  annotations:
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: eric-oss-hello-world-python-app
+  rules:
+    - to:
+        - operation:
+            ports: ["80"]
+            paths: ["/sample-app/python/metrics", "/sample-app/python/health"]
+    - to:
+        - operation:
+            ports: ["443"]
+            paths: ["/sample-app/python/hello"]
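Review bot: Both entries under `spec.rules` carry only a `to` clause and no `from`, so this ALLOW policy authorises `/sample-app/python/hello` on port 443 to any client that can reach the sidecar — it restricts by path and port, not by caller identity. Because the PeerAuthentication and DestinationRule templates in this same change are entirely commented out, nothing else in the chart establishes a peer identity either; the 443 rule should gain something like `from: - source: principals: ["cluster.local/ns/<ns>/sa/<caller>"]` (or at least `namespaces:`), leaving only the 80 rule open for scrapers. The selector matches a plain `app: eric-oss-hello-world-python-app` label while the Service selects on `app.kubernetes.io/name`; if the pod template does not carry an `app` label (not visible in this hunk) the policy matches no workload at all, which is worth confirming against the rendered pod labels.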
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index 4aaea3c..2da1e63 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
@@ -9,6 +9,7 @@ metadata:
     {{- end }}
   annotations:
     {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+    sidecar.istio.io/inject: "true"
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -37,7 +38,7 @@ spec:
         service.cleartext/scraping: "true"
       annotations:
         {{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }}
-        container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}
+{{/* container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}*/}}
         {{- end }}
         prometheus.io/port: "{{ .Values.service.port }}"
         prometheus.io/scrape: "{{ .Values.prometheus.scrape }}"
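Review bot: `sidecar.istio.io/inject: "true"` is added under the Deployment's own `metadata.annotations` (the hunk runs straight into `spec: replicas:`), but the Istio injector reads annotations and labels on the Pod template, so this line has no effect on whether a proxy is injected. Move it to `spec.template.metadata.annotations`, or prefer the `sidecar.istio.io/inject: "true"` label on the pod template; otherwise the AuthorizationPolicy, Sidecar and VirtualService added in this change only apply if the namespace has injection enabled by other means.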
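Review bot: Commenting out the `container.apparmor.security.beta.kubernetes.io/...` annotation leaves the `{{- if not (semverCompare ...) }}` branch empty and drops AppArmor confinement for pre-1.30 clusters, and the matching `appArmorProfile` securityContext block and value are removed elsewhere in this change, so the container ends up with no AppArmor profile on any Kubernetes version. If this was disabled to work around an injection or runtime problem, record it in place, e.g. `{{/* AppArmor annotation disabled: <reason/ticket>; restore before release */}}`, rather than leaving a bare Go-template comment that reads as dead code; otherwise restore the annotation and gate it on `.Values.appArmorProfile.type` so operators can opt out deliberately.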
@@ -55,27 +56,27 @@ spec:
             items:
               - key: LOG_CTRL_FILE
                 path: logcontrol.json
-        - name: platform-cacerts
-          secret:
-            secretName: {{ index .Values "platformCaCertSecretName" | quote }}
-            defaultMode: 420
-        - name: app-certs
-          secret:
-            secretName: {{ index .Values "appSecretName" | quote }}
-            defaultMode: 420
-        - name: client-creds
-          secret:
-            secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
-            defaultMode: 420
+{{/* - name: platform-cacerts*/}}
+{{/* secret:*/}}
+{{/* secretName: {{ index .Values "platformCaCertSecretName" | quote }}*/}}
+{{/* defaultMode: 420*/}}
+{{/* - name: app-certs*/}}
+{{/* secret:*/}}
+{{/* secretName: {{ index .Values "appSecretName" | quote }}*/}}
+{{/* defaultMode: 420*/}}
+{{/* - name: client-creds*/}}
+{{/* secret:*/}}
+{{/* secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}*/}}
+{{/* defaultMode: 420*/}}
       containers:
         - name: eric-oss-hello-world-python-app
-          image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }}
+          image: python-sample-app-eric-oss-hello-world-python-app
           imagePullPolicy: {{ include "eric-oss-hello-world-python-app.registryImagePullPolicy" . | quote }}
           securityContext:
-          {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }}
-            appArmorProfile:
-              type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}
-          {{- end }}
+{{/* {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} */}}
+{{/* appArmorProfile:*/}}
+{{/* type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}*/}}
+{{/* {{- end }}*/}}
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
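Review bot: `image: python-sample-app-eric-oss-hello-world-python-app` replaces the `imagePath` helper with a bare image name — no registry, no tag, no digest — so the pull resolves to `:latest` from whatever default registry the node uses and silently bypasses whatever registry/credential handling the helper provided, while `imagePullPolicy` on the next line still goes through the chart's helper. That may be fine for a local docker-compose or kind run, but for a published chart it should go back to the helper or at least a pinned, values-driven `repository:tag@sha256:...` reference. The same hunk also removes the `platform-cacerts`, `app-certs` and `client-creds` Secret volumes as Go-template comments; if the application still reads those paths (not visible here) this is a start-up failure, and if it does not, the `platformCaCertSecretName`/`appSecretName` values become dead and should be removed rather than left commented. The container spec continues outside this hunk.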
@@ -87,15 +88,15 @@ spec:
           volumeMounts:
             - name: config-volume
               mountPath: /etc/adp
-            - name: platform-cacerts
-              mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}
-              readOnly: true
-            - name: app-certs
-              mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}
-              readOnly: true
-            - name: client-creds
-              mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}
-              readOnly: true
+{{/* - name: platform-cacerts*/}}
+{{/* mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}*/}}
+{{/* readOnly: true*/}}
+{{/* - name: app-certs*/}}
+{{/* mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}*/}}
+{{/* readOnly: true*/}}
+{{/* - name: client-creds*/}}
+{{/* mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}*/}}
+{{/* readOnly: true*/}}
           env:
             - name: IAM_CLIENT_ID
               value: {{ index .Values "clientId" | quote }}
diff --git a/charts/eric-oss-hello-world-python-app/templates/destination-rule/destination_rule.yaml b/charts/eric-oss-hello-world-python-app/templates/destination-rule/destination_rule.yaml
new file mode 100644
index 0000000..dc72e1a
--- /dev/null
+++ b/charts/eric-oss-hello-world-python-app/templates/destination-rule/destination_rule.yaml
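Review bot: The three credential `volumeMounts` are turned into Go-template comments while `env` in the same hunk still sets `IAM_CLIENT_ID` from `.Values.clientId`, so the container now has a client identifier but no mounted client credential or platform CA bundle. If the application still opens `clientCredsMountPath` or `platformCaCertMountPath` (not visible here) this breaks at runtime; if it no longer does, the env var and the `clientId` value are dead and should go too. Either way, nine commented-out template lines are hard to review and easy to forget — gate the mounts on a value such as `{{- if .Values.mtls.enabled }}` ... `{{- end }}` instead, so the rendered manifest is the same but the intent is explicit. The container spec continues outside this hunk.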
@@ -0,0 +1,23 @@
+{{/*apiVersion: networking.istio.io/v1*/}}
+{{/*kind: DestinationRule*/}}
+{{/*metadata:*/}}
+{{/* name: {{ include "eric-oss-hello-world-python-app.name" . }}-pa*/}}
+{{/* labels:*/}}
+{{/* {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}*/}}
+{{/* {{- if .Values.labels }}*/}}
+{{/* {{ .Values.labels | toYaml | indent 4 }}*/}}
+{{/* {{- end }}*/}}
+{{/* annotations:*/}}
+{{/* {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}*/}}
+{{/*spec:*/}}
+{{/* host: eric-oss-hello-world-python-app*/}}
+{{/* trafficPolicy:*/}}
+{{/* portLevelSettings:*/}}
+{{/* - port:*/}}
+{{/* number: 80*/}}
+{{/* tls:*/}}
+{{/* mode: DISABLE*/}}
+{{/* - port:*/}}
+{{/* number: 443*/}}
+{{/* tls:*/}}
+{{/* mode: ISTIO_MUTUAL*/}}
\ No newline at end of file
diff --git a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml b/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml
deleted file mode 100644
index ca297c9..0000000
--- a/charts/eric-oss-hello-world-python-app/templates/ingress/ingress.yaml
+++ /dev/null
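Review bot: Every line of the new DestinationRule is wrapped in `{{/* */}}`, so the template renders to an empty document and the `ISTIO_MUTUAL` setting for port 443 is never applied — the file records an intention, not a policy, and anyone reading the chart's rendered output will not see it. If the rule is meant to be optional, gate it with `{{- if .Values.istio.destinationRule.enabled }}` ... `{{- end }}`; if it is not ready, leave the file out of the commit. The object is also named with the `-pa` suffix that belongs to the PeerAuthentication; `-dr` keeps the resources distinguishable in `kubectl get`.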
@@ -1,43 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "eric-oss-hello-world-python-app.name" . -}}
-{{- $servicePort := .Values.service.port -}}
----
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
-    {{- if .Values.labels }}
-    {{ .Values.labels | toYaml | indent 4 }}
-    {{- end }}
-  {{- with .Values.ingress }}
-  annotations:
-    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
-    {{- if .annotations }}
-    {{ .annotations | toYaml | indent 4 }}
-    {{- end }}
-    {{- if .ingressClass }}
-    kubernetes.io/ingress.class: {{.ingressClass }}
-    {{- end -}}
-  {{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . | quote }}
-      {{- end }}
-      secretName: {{ .secretName }}
-  {{- end }}
-{{- end }}
-  rules:
-    - host: {{ .Values.ingress.host }}
-      http:
-        paths:
-          - path: /
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: {{ $servicePort }}
-{{- end }}
diff --git a/charts/eric-oss-hello-world-python-app/templates/peer-authentication/peer_authentication.yaml b/charts/eric-oss-hello-world-python-app/templates/peer-authentication/peer_authentication.yaml
new file mode 100644
index 0000000..e9d1e0f
--- /dev/null
+++ b/charts/eric-oss-hello-world-python-app/templates/peer-authentication/peer_authentication.yaml
@@ -0,0 +1,20 @@
+{{/*apiVersion: security.istio.io/v1*/}}
+{{/*kind: PeerAuthentication*/}}
+{{/*metadata:*/}}
+{{/* name: {{ include "eric-oss-hello-world-python-app.name" . }}-pa*/}}
+{{/* labels:*/}}
+{{/* {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}*/}}
+{{/* {{- if .Values.labels }}*/}}
+{{/* {{ .Values.labels | toYaml | indent 4 }}*/}}
+{{/* {{- end }}*/}}
+{{/* annotations:*/}}
+{{/* {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}*/}}
+{{/*spec:*/}}
+{{/* selector:*/}}
+{{/* matchLabels:*/}}
+{{/* app: eric-oss-hello-world-python-app*/}}
+{{/* mtls:*/}}
+{{/* mode: STRICT*/}}
+{{/* portLevelMtls:*/}}
+{{/* 80:*/}}
+{{/* mode: DISABLE*/}}
diff --git a/charts/eric-oss-hello-world-python-app/templates/service-account/service_account.yaml b/charts/eric-oss-hello-world-python-app/templates/service-account/service_account.yaml
index f8950c7..8d6ef8d 100644
--- a/charts/eric-oss-hello-world-python-app/templates/service-account/service_account.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/service-account/service_account.yaml
@@ -8,5 +8,5 @@ metadata:
     {{ .Values.labels | toYaml | indent 4 }}
     {{- end }}
   annotations:
-    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
 automountServiceAccountToken: false
diff --git a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml
index d90cef5..d4ffd97 100644
--- a/charts/eric-oss-hello-world-python-app/templates/service/service.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/service/service.yaml
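Review bot: With the whole PeerAuthentication commented out, nothing in this chart enforces mTLS on the workload: the Sidecar resource added in the same change declares port 443 as plain `protocol: HTTP`, so the `/sample-app/python/hello` route on 443 is served in cleartext to any pod that can reach the Service, and the 80/443 split in the AuthorizationPolicy and VirtualService amounts to two plaintext listeners. Whether a mesh-wide STRICT default exists is not visible here; if it does not, this `mtls.mode: STRICT` with `portLevelMtls: 80: DISABLE` is the only thing that gives port 443 any confidentiality or peer identity and should be rendered, gated on a value (`{{- if .Values.istio.peerAuthentication.enabled }}`) rather than disabled with a template comment.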
@@ -8,17 +8,21 @@ metadata:
     {{ .Values.labels | toYaml | indent 4 }}
     {{- end }}
   annotations:
-{{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
 spec:
   type: {{ .Values.service.type }}
   {{- if .Values.global.internalIPFamily }}
   ipFamilies: [{{ .Values.global.internalIPFamily }}]
   {{- end }}
   ports:
-    - port: {{ .Values.service.port }}
-      targetPort: 8050
+    - port: 80
+      targetPort: 80
       protocol: TCP
       name: http
+    - port: 443
+      targetPort: 443
+      protocol: TCP
+      name: https
   selector:
     app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/eric-oss-hello-world-python-app/templates/sidecar/sidecar.yaml b/charts/eric-oss-hello-world-python-app/templates/sidecar/sidecar.yaml
new file mode 100644
index 0000000..902e336
--- /dev/null
+++ b/charts/eric-oss-hello-world-python-app/templates/sidecar/sidecar.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1
+kind: Sidecar
+metadata:
+  name: {{ include "eric-oss-hello-world-python-app.name" . }}-sc
+  labels:
+    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
+    {{- if .Values.labels }}
+    {{ .Values.labels | toYaml | indent 4 }}
+    {{- end }}
+  annotations:
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+spec:
+  workloadSelector:
+    labels:
+      app: eric-oss-hello-world-python-app
+  ingress:
+    - port:
+        number: 80
+        protocol: HTTP
+      defaultEndpoint: 127.0.0.1:8050
+    - port:
+        number: 443
+        protocol: HTTP
+      defaultEndpoint: 127.0.0.1:8050
diff --git a/charts/eric-oss-hello-world-python-app/templates/virtual-service/virtual_service.yaml b/charts/eric-oss-hello-world-python-app/templates/virtual-service/virtual_service.yaml
new file mode 100644
index 0000000..08f6b74
--- /dev/null
+++ b/charts/eric-oss-hello-world-python-app/templates/virtual-service/virtual_service.yaml
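Review bot: The new 443 port is `name: https`, and Istio selects the protocol from the port name: an `https` port is treated as TLS and routed as opaque TCP, whereas the Sidecar ingress for 443 in this same change is declared `protocol: HTTP` and the VirtualService applies an `http` match on port 443, so the three resources disagree about what port 443 carries. If the intent is HTTP inside the mesh with transport security coming from mTLS, name it `http-hello` (or add `appProtocol: http`); if the intent is real TLS terminated by the app, the Sidecar ingress and VirtualService need to say so instead. Separately, the deployment's `prometheus.io/port: "{{ .Values.service.port }}"` still points scrapers at 8050 while the Service no longer exposes it; confirm the app still binds 8050 on the pod IP and not only on loopback as the Sidecar's `defaultEndpoint: 127.0.0.1:8050` suggests.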
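Review bot: Both ingress listeners forward to the same `127.0.0.1:8050` with `protocol: HTTP`, so the 443 listener differs from 80 only by number — any confidentiality for `/hello` rests on a STRICT PeerAuthentication, which this change commits commented out, and that dependency deserves a comment above the 443 entry (`# relies on PeerAuthentication STRICT for transport security; listener itself is plaintext HTTP`). The Sidecar also declares no `egress` section; unless a namespace or mesh default Sidecar narrows it, Istio's default lets the workload reach every service in the mesh, so if part of the motivation for a Sidecar resource was to limit outbound reach, add an explicit `egress: - hosts: ["./*", "istio-system/*"]`.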
@@ -0,0 +1,36 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ include "eric-oss-hello-world-python-app.name" . }}-pa
+  labels:
+    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
+    {{- if .Values.labels }}
+    {{ .Values.labels | toYaml | indent 4 }}
+    {{- end }}
+  annotations:
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+spec:
+  hosts:
+    - eric-oss-hello-world-python-app
+  http:
+    - match:
+        - port: 80
+          uri:
+            prefix: /sample-app/python/metrics
+        - port: 80
+          uri:
+            prefix: /sample-app/python/health
+      route:
+        - destination:
+            host: eric-oss-hello-world-python-app
+            port:
+              number: 80
+    - match:
+        - port: 443
+          uri:
+            prefix: /sample-app/python/hello
+      route:
+        - destination:
+            host: eric-oss-hello-world-python-app
+            port:
+              number: 443
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml
index 2c4b392..c921228 100644
--- a/charts/eric-oss-hello-world-python-app/values.yaml
+++ b/charts/eric-oss-hello-world-python-app/values.yaml
@@ -34,8 +34,8 @@ fullnameOverride: ""
 # unconfined - Indicates that there is no profile loaded.
 # runtime/default - Applies the default profile of the container engine.
 # localhost - Applies a specific profile loaded on the host
-appArmorProfile:
-  type: "RuntimeDefault"
+#appArmorProfile:
+#  type: "RuntimeDefault"
 seccompProfile:
   type: "RuntimeDefault"
 
@@ -45,18 +45,6 @@ service:
   type: ClusterIP
   port: 8050
 
-ingress:
-  enabled: false
-  ingressClass: OAM-IngressClass
-  annotations: {}
-  # kubernetes.io/ingress.class: nginx
-  # kubernetes.io/tls-acme: "true"
-  host: ""
-  tls: []
-  # - secretName: chart-example-tls
-  # hosts:
-  # - chart-example.local
-
 resources:
   helloWorld:
     limits:
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..0f5389b
--- /dev/null
+++ b/docker-compose.yaml
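Review bot: The VirtualService is declared as `networking.istio.io/v1beta1` while the Sidecar, AuthorizationPolicy and (commented) DestinationRule in this change use `v1`; use `apiVersion: networking.istio.io/v1` throughout so the chart does not lean on an older API version for one resource only. The object name carries the `-pa` suffix that belongs to the PeerAuthentication; `-vs` would be the obvious choice. The `prefix` matches route `/sample-app/python/hello/anything` as well, while the AuthorizationPolicy lists only the exact path, so sub-paths are routed and then denied — acceptable as deny-by-default, but worth a comment such as `# prefix match; AuthorizationPolicy allows the exact path only, sub-paths are denied by design` so the mismatch is not later "fixed" by loosening the policy.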
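Review bot: `service.port: 8050` survives in values but the Service template no longer reads it, while the deployment's `prometheus.io/port` annotation still does, so the key now only drives the scrape annotation; either document that (`# container port used for prometheus scraping; the Service exposes 80/443 via the Istio sidecar`) or rename it to something like `containerPort`. Commenting out `appArmorProfile` rather than setting an explicit value also leaves the comment block above it describing `unconfined`/`runtime/default`/`localhost` options that the templates no longer honour; if AppArmor is intentionally off, say so in that comment and keep the key present so operators can re-enable it without editing templates.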
@@ -0,0 +1,17 @@
+services:
+  nginx:
+    image: nginx:stable
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/certs:/etc/nginx/certs:ro
+    depends_on:
+      - eric-oss-hello-world-python-app
+
+  eric-oss-hello-world-python-app:
+    build:
+      context: .
+    ports:
+      - "8050:8050"
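Review bot: The app service publishes `8050:8050` on the host in addition to nginx's 80/443, so whatever TLS nginx terminates with the mounted `./nginx/certs` can be bypassed by connecting to port 8050 directly; nginx only needs the app on the compose network, so replace the mapping with `expose: - "8050"`, or at least bind it to loopback with `- "127.0.0.1:8050:8050"`. `image: nginx:stable` is a floating tag, so the proxy in front of the certificates changes under you between pulls — pin a specific version or digest. The certs directory is correctly git-ignored in this same change, but nothing here creates it; a short note (or a `make certs` target) would spare the next user an nginx start failure on a missing volume.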