Add helm chart

charts/.gitignore

@@ -0,0 +1,2 @@
+# Chart Bundles
+*.tgz

charts/sessions/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+  - name: sessions
+    repository: ""
+    version: 0.1.0
+  - name: opa
+    repository: oci://ghcr.io/diamondlightsource/authz-opa
+    version: 0.1.1
+digest: sha256:95017c41b0ce1a885a24cbf1cb84ec8c933fe7cc0da54ec8ab8feb83067ee3a4
+generated: "2024-03-15T14:42:56.472367672Z"

charts/sessions/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: sessions
+description: A deployment providing beamline session information as part of the graph federation
+type: application
+
+version: 0.1.0
+
+dependencies:
+  - name: sessions
+    version: 0.1.0
+    condition: sessions.enabled
+  - name: opa
+    version: 0.1.1
+    repository: oci://ghcr.io/diamondlightsource/authz-opa
+    condition: opa.enabled

charts/sessions/charts/sessions/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: sessions
+description: A service providing beamline session information as part of the graph federation
+type: application
+
+version: 0.1.0
+
+appVersion: 0.1.0-rc3

charts/sessions/charts/sessions/templates/_helpers.tpl

@@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sessions.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sessions.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sessions.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "sessions.labels" -}}
+helm.sh/chart: {{ include "sessions.chart" . }}
+{{ include "sessions.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sessions.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sessions.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sessions.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "sessions.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the database URL string
+*/}}
+{{- define "sessions.databaseURL" -}}
+{{- $host_parts := urlParse .Values.database.host }}
+{{- $raw_user_info := printf "%s:$DATABASE_PASSWORD" .Values.database.user }}
+{{- $url_parts := set $host_parts "userinfo" $raw_user_info }}
+{{- $raw_database_url := urlJoin $url_parts }}
+{{- replace "$DATABASE_PASSWORD" "$(DATABASE_PASSWORD)" $raw_database_url }}
+{{- end }}

charts/sessions/charts/sessions/templates/deployment.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "sessions.fullname" . }}
+  labels:
+    {{- include "sessions.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "sessions.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "sessions.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "sessions.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args: 
+            - serve
+          env:
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.database.password.secretName }}
+                  key: {{ .Values.database.password.secretKey }}
+            - name: DATABASE_URL
+              value: {{ include "sessions.databaseURL" . }}
+            - name: OPA_URL
+              value: {{ tpl .Values.opa.url . }}
+            - name: LOG_LEVEL
+              value: {{ .Values.logLevel }}
+            - name: OTEL_COLLECTOR_URL
+              value: {{ tpl .Values.otelCollectorUrl . }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/sessions/charts/sessions/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "sessions.fullname" . }}
+  labels:
+    {{- include "sessions.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "sessions.selectorLabels" . | nindent 4 }}

charts/sessions/charts/sessions/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "sessions.serviceAccountName" . }}
+  labels:
+    {{- include "sessions.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/sessions/charts/sessions/values.yaml

@@ -0,0 +1,47 @@
+nameOverride: ""
+fullnameOverride: ""
+
+image:
+  repository: ghcr.io/diamondlightsource/graph-sessions
+  pullPolicy: Always
+  tag: ""
+
+imagePullSecrets: []
+
+logLevel: Warn
+otelCollectorUrl: ""
+
+database:
+  host: ""
+  user: ""
+  password:
+    secretName: ""
+    secretKey: ""
+
+opa:
+  url: ""
+
+replicaCount: 1
+
+service:
+  type: ClusterIP
+  port: 80
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

charts/sessions/templates/bundler-secret.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: bundler
+  namespace: graph
+spec:
+  encryptedData:
+    bearer-token: AgC5sw7J7xp39lnBhhJZ+hmWiPrAmCqoLt8SNxmWlM+CzxJSi4p1mdnNmbedpI13u9YztPpohW7g3JrnVzB4VXVndtsAX0Qg/rLh5ZmQz0uXUaGxyyTVSdLPXXONjJEKooRkXXkVRmo7mDKiXIsR6m28j5i6Xj57hR7cCKfdT25nbWBGkdPDTJBCbaUeHewTcNDLtCZu+T/ShXvExC9MVNTci6NfKzPs83AENtTJIkL836N+ATzlZIRN7a2lXfCjgJqENI0kn55W2Xq2+YuCJwJq2tFy7H4H57to4jRv4k+iqm4B5XJk6LnxAZAABud5nYU9jrVBCJ25V3jHx9z9g4DN0/1znQaTeYIHIPPkZPFSAUSQ9j9QoJ3Y1epy6n7ixyY1LTxe2AbsMj31ZEivafPcNRx8kyOyyuFInzPAS7tPPX8PRz9EZifs6K49szU1Cn/5uGWbEXZFaGxr7v6soxYBcZuTH9FAk4jPwr3c76QnPGJouO3tHLS1iZrsPqdzLWmeAT3m4trPysPveN8vou567t7lVtvnty/dIntCKsLxDo1nywigFAI9mnpCrbLzJBs0reNafEX/WKybFiuFvdmDDykwlLhB6i63virqpc0BxaVtX2EMoeq4JNDupuqGj9QKL4tgGUjdKP4zMS5EpZZm1Ft681q6y71qHI3ectzeXiK44WH9Lxhw+8T84x42bNsNfsAMfBLzbVaKyvcwCcriNV5OpFFGb8mWkjX0p7l0H75Squ4=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: bundler
+      namespace: graph
+

charts/sessions/templates/ispyb-secret.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: ispyb
+  namespace: graph
+spec:
+  encryptedData:
+    password: AgBDmQTx19FQjg6HcynJbDV6Tz3kqFasD2og3OyX8MXqVmexGKGvj7bcv1EXmEjugjeBx6sQeuTLHLnZ7Y4ckG4bTx18tq++V8tG+D3qpkjoEilNDR6NeoRT3bw+l7s9G83TBZ5ZRwAZZ4WghTcQZXinOByVqYLe+xblB2JHfdD/dZE4HUmrFljIcDIOetc4AN3L2zpfYsYsO3XotQfu2JtTw4duM+Kxxstw+GsJjSILZoBhAiZfQTQ5NubeYHeKgOwyqF/T8QlyEYGY2to4p9W9QuPCtSNECG8bhOqQB9xQjCWVP/rmf5ZuHaUVH04UeRwxhw8z5z7e7uX0TddTLtQFzZmmbjUkHvrYoHJTWA0kM/4b6YiE0PoT6P5mLSR+Yova78zEu9hNmAT5X7QUxP9STDuxPyea0RguwNzX3Mja9ROZEKBTz9/WORRyBGK3v0MQKIK3pfYuur+rR4XFYQ7N1ekQyVso0uxXt6Rk6GTNpMhskfHYcYiOhWKPHipNITSBlXPEr3HEHQTAneSliUNFY+AeRgSaacCRXbCrkPrYCZhSrOZ6QXu3miLAxU4eE5ayVe08dpRkzjo4rfivHThMe385xHCr5ifOefw6E/nYPE4dintuYwFJBdgZQSSbDjOE5wogeIEs/UKioD2tVZmzrnRmF5fyFOyKRCCTi0JreG2+bMWvbv/+gRABwCmYuxPMo4wZsZfaEMr3aIM=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: ispyb
+      namespace: graph
+

charts/sessions/values.yaml

@@ -0,0 +1,48 @@
+sessions:
+  enabled: true
+  logLevel: Debug
+  database:
+    host: mysql://ispybdbproxy.diamond.ac.uk:4306/ispyb
+    user: ispyb_ro
+    password:
+      secretName: ispyb
+      secretKey: password
+  otelCollectorUrl: http://federation-opentelemetry-collector:4317
+  opa:
+    url: http://{{ .Release.Name }}-opa-opa
+
+opa:
+  opa:
+    enabled: true
+    configOverride:
+      decision_logs:
+        console: true
+      services:
+        diamond-bundler:
+          url: https://authz.diamond.ac.uk
+          credentials:
+            bearer:
+              token: ${BUNDLER_BEARER_TOKEN}
+        ghcr:
+          url: https://ghcr.io
+          type: oci
+      bundles:
+        diamond-permissionables:
+          service: diamond-bundler
+          resource: bundle.tar.gz
+          polling:
+            min_delay_seconds: 10
+            max_delay_seconds: 60
+        sessions-policy:
+          service: ghcr
+          resource: ghcr.io/diamondlightsource/graph-sessions-policy:0.1.0-rc3
+          polling:
+            min_delay_seconds: 30
+            max_delay_seconds: 120
+      distributed_tracing:
+        type: grpc
+        address: federation-opentelemetry-collector:4317
+        service_name: sessions-opa
+    extraEnv:
+      - name: JWKS_ENDPOINT
+        value: https://authn.diamond.ac.uk/realms/master/protocol/openid-connect/certs