From 4399bc39c2f6fa45b95ff89dcc712628b874dc87 Mon Sep 17 00:00:00 2001 From: Dejan Zele Pejchev Date: Wed, 8 Jan 2025 23:07:39 +0100 Subject: [PATCH] testkube-enterprise: add scim integration Signed-off-by: Dejan Zele Pejchev --- .../templates/deployment.yaml | 13 ++++ .../templates/ingress-scim.yaml | 69 +++++++++++++++++++ .../testkube-cloud-api/templates/service.yaml | 6 ++ charts/testkube-cloud-api/values.yaml | 17 +++++ charts/testkube-enterprise/values.yaml | 7 ++ 5 files changed, 112 insertions(+) create mode 100644 charts/testkube-cloud-api/templates/ingress-scim.yaml diff --git a/charts/testkube-cloud-api/templates/deployment.yaml b/charts/testkube-cloud-api/templates/deployment.yaml index 48291dd48..09dabb8d0 100644 --- a/charts/testkube-cloud-api/templates/deployment.yaml +++ b/charts/testkube-cloud-api/templates/deployment.yaml @@ -435,6 +435,14 @@ spec: value: "{{ .Values.api.storage.cleanup.maxStorageSizeGb }}" - name: MIGRATION_MIGRATE_DATABASE value: "{{ .Values.api.migrations.enabled }}" + {{- if .Values.scim.enabled }} + - name: SCIM_SERVER_ENABLED + value: "true" + - name: SCIM_SERVER_PORT + value: "{{ .Values.scim.port }}" + - name: SCIM_SERVER_DEFAULT_ORGANIZATION + value: "{{ .Values.scim.defaultOrganization }}" + {{- end }} ports: - name: {{ if .Values.api.tls.serveHTTPS }}https{{ else }}http{{ end }} containerPort: {{ if .Values.api.tls.serveHTTPS }}{{ .Values.api.tls.apiPort }}{{ else }}8090{{ end }} @@ -447,6 +455,11 @@ spec: containerPort: 9100 protocol: TCP {{- end }} + {{- if .Values.scim.enabled }} + - name: scim + containerPort: {{ .Values.scim.port }} + protocol: TCP + {{- end }} livenessProbe: httpGet: path: /health diff --git a/charts/testkube-cloud-api/templates/ingress-scim.yaml b/charts/testkube-cloud-api/templates/ingress-scim.yaml new file mode 100644 index 000000000..fd2b9e436 --- /dev/null +++ b/charts/testkube-cloud-api/templates/ingress-scim.yaml 
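Review bot: `SCIM_SERVER_DEFAULT_ORGANIZATION` is rendered straight from `.Values.scim.defaultOrganization` with no guard, so the requirement stated in the values file ("must be configured if SCIM server is enabled") is never enforced and a default install (empty string, with `enabled: true` in the enterprise chart) ships an empty organization into the pod. Failing at template time is cheaper than discovering it when the first provisioning request lands: `value: {{ required "scim.defaultOrganization must be set when scim.enabled is true" .Values.scim.defaultOrganization | quote }}`. The enclosing container spec starts and ends outside the hunk.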
@@ -0,0 +1,69 @@ +{{- if and .Values.global.ingress.enabled .Values.scimIngress.enabled -}} +{{- $fullName := include "testkube-cloud-api.fullname" . -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.scimIngress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.scimIngress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + {{- include "testkube-cloud-api.labels" . | nindent 4 }} + {{- with .Values.scimIngress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if eq .Values.ingress.className "nginx"}} + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/preserve-trailing-slash: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTP + # Enable use of a regular expression in the path definition + nginx.ingress.kubernetes.io/use-regex: "true" + # Rewrite /scim/v2/ to / + nginx.ingress.kubernetes.io/rewrite-target: "/$1" + {{- if and (not .Values.api.tls.serveHTTPS) (eq .Values.global.certificateProvider "cert-manager") }} + cert-manager.io/cluster-issuer: {{ required ".Values.global.certManager.issuerRef must be provided if provider is cert-manager" .Values.global.certManager.issuerRef }} + {{- end }} + {{- end }} + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.scimIngress.annotations }} + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + tls: + - hosts: + - {{ include "testkube-cloud-api.ingress.restHost" . | quote }} + secretName: {{ .Values.api.tls.tlsSecret }} + rules: + {{- $tlsConfig := .Values.api.tls }} + - host: {{ include "testkube-cloud-api.ingress.restHost" . | quote }} + http: + paths: + - path: /scim/v2/(.*) + {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }} + pathType: Prefix + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + name: scim + {{- else }} + serviceName: {{ $fullName }} + servicePort: scim + {{- end }} +{{- end }} diff --git a/charts/testkube-cloud-api/templates/service.yaml b/charts/testkube-cloud-api/templates/service.yaml index 80517593b..a1be466d6 100644 --- a/charts/testkube-cloud-api/templates/service.yaml +++ b/charts/testkube-cloud-api/templates/service.yaml @@ -28,5 +28,11 @@ spec: protocol: TCP name: metrics {{- end }} + {{- if .Values.scim.enabled }} + - port: {{ .Values.scim.port }} + targetPort: scim + protocol: TCP + name: scim + {{- end }} selector: {{- include "testkube-cloud-api.selectorLabels" . | nindent 4 }} diff --git a/charts/testkube-cloud-api/values.yaml b/charts/testkube-cloud-api/values.yaml index 97cbf9474..c675246e4 100644 --- a/charts/testkube-cloud-api/values.yaml +++ b/charts/testkube-cloud-api/values.yaml @@ -19,6 +19,8 @@ global: uiSubdomain: "cloud" # -- REST API subdomain which get prepended to the domain restApiSubdomain: "api" + # -- SCIM API subdomain which get prepended to the domain + scimApiSubdomain: "scim" # -- gRPC API subdomain which get prepended to the domain grpcApiSubdomain: "agent" # -- gRPC Logs subdomain which get prepended to the domain 
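Review bot: The Ingress is gated on `global.ingress.enabled` and `scimIngress.enabled` (both default `true`) but not on `scim.enabled`, while the `scim` Service port and container port are only emitted when `scim.enabled` is true; with the cloud-api chart's default `scim.enabled: false` this renders an Ingress whose backend names a port that no Service has. Gate it with the same flag: `{{- if and .Values.global.ingress.enabled .Values.scimIngress.enabled .Values.scim.enabled -}}`. Two smaller points: the rule host and the TLS entry both reuse `testkube-cloud-api.ingress.restHost`, so the `global.scimApiSubdomain` value added in this patch is never consumed and SCIM is reachable on the REST API hostname under `/scim/v2/`; and `$tlsConfig := .Values.api.tls` is assigned but never read. The regex path `/scim/v2/(.*)` is declared `pathType: Prefix`; the ingress-nginx documentation asks for `ImplementationSpecific` when `use-regex` is set, which is worth confirming against the controller version in use.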
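Review bot: `global.scimApiSubdomain` is added here but nothing in this patch reads it — the new `ingress-scim.yaml` uses the REST API host helper for both the rule host and the TLS entry. Either wire it into a `testkube-cloud-api.ingress.scimHost` helper next to `restHost`, or drop the value so operators do not set a subdomain that has no effect. If it stays as-is, the doc comment should say so: `# -- SCIM API subdomain which gets prepended to the domain (currently unused; SCIM is served on the REST API host under /scim/v2)`.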
@@ -182,6 +184,13 @@ audit: cronInterval: "0 3 * * *" # -- Audit log retention period in days retentionPeriod: 30 +scim: + # -- Toggle whether to enable the SCIM server + enabled: false + # -- Default organization in which users will be provisioned (must be configured if SCIM server is enabled) + defaultOrganization: "" + # -- Port on which the SCIM server will listen + port: 8091 api: debug: # -- Toggle whether to enable debug logs by setting the GODEBUG=http2debug=2 @@ -409,6 +418,14 @@ restIngress: # kubernetes.io/ingress.class: nginx # -- Hostname for which to create rules and TLS certificates (if omitted, the host will be generated using the global subdomain and `domain` values) host: "" +scimIngress: + # -- Toggle whether to enable the SCIM Ingress + enabled: true + # -- Additional labels to add to the SCIM Ingress resource + labels: { } + # -- Additional annotations to add to the SCIM Ingress resource + annotations: { } + # kubernetes.io/ingress.class: nginx grpcIngress: # -- Toggle whether to enable the gRPC API Ingress enabled: true diff --git a/charts/testkube-enterprise/values.yaml b/charts/testkube-enterprise/values.yaml index 7d6358eeb..e7ca93bea 100644 --- a/charts/testkube-enterprise/values.yaml +++ b/charts/testkube-enterprise/values.yaml @@ -287,6 +287,13 @@ testkube-cloud-api: cronInterval: "0 3 * * *" # -- Audit log retention period in days retentionPeriod: 30 + scim: + # -- Toggle whether to enable the SCIM server + enabled: true + # -- Default organization in which users will be provisioned (must be configured if SCIM server is enabled) + defaultOrganization: "" + # -- Port on which the SCIM server will listen + port: 8091 api: storage: cleanup:
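Review bot: `defaultOrganization: ""` carries the comment "must be configured if SCIM server is enabled", but that is a documented requirement the chart does not check — the deployment template passes the empty value through to the pod. If the template is left as-is, the comment should at least state the consequence and the expected form of the value, e.g. `# -- Organization in which SCIM-provisioned users are placed (required when scim.enabled is true; an empty value is passed to the pod unchecked)`; nothing here says whether the server expects an organization ID or a name, so that should be spelled out too.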
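Review bot: `scimIngress.enabled: true` publishes the SCIM endpoint on the REST API host as soon as `scim.enabled` is switched on (and, with the template as written, the Ingress object is created even when it is not). The chart shows nothing about how SCIM requests are authenticated, so an operator reading this values file cannot tell whether they are exposing a user-provisioning API to the internet without a credential; the comment should point to where the SCIM bearer token or equivalent is configured, or the default should be `false` so exposure is a deliberate step. Suggested: `# -- Toggle whether to create the SCIM Ingress (exposes /scim/v2 on the REST API host; make sure SCIM authentication is configured before enabling)`.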
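Review bot: The enterprise chart turns the SCIM server on by default (`enabled: true`) while leaving `defaultOrganization: ""`, which contradicts the comment on the following line that it must be configured; every default enterprise install therefore starts the SCIM server with an empty default organization. Unless the server refuses to start on an empty value (not visible here), the safer default is `enabled: false` so that enabling SCIM is a deliberate step that includes setting the organization. Combined with the sub-chart's `scimIngress.enabled: true`, the current defaults also expose the provisioning endpoint at `/scim/v2/` on the API host out of the box.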