diff --git a/charts/tidepool/Chart.lock b/charts/tidepool/Chart.lock
index cd01d065..89a1d37a 100644
--- a/charts/tidepool/Chart.lock
+++ b/charts/tidepool/Chart.lock
@@ -3,4 +3,4 @@ dependencies:
 repository: file://../keycloak
 version: 0.4.3
 digest: sha256:9e8e11d23104da89789675b1676fe7299309fb7eeae7a22c0a2ba6ab169c3fa2
-generated: "2024-11-22T13:46:17.203655+02:00"
+generated: "2024-11-13T11:22:02.195889+02:00"
diff --git a/charts/tidepool/charts/auth/templates/1-deployment-private.yaml b/charts/tidepool/charts/auth/templates/1-deployment-private.yaml
new file mode 100644
index 00000000..488a3367
--- /dev/null
+++ b/charts/tidepool/charts/auth/templates/1-deployment-private.yaml
@@ -0,0 +1,236 @@
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: auth-private
+{{ include "charts.labels.standard" .}}
+ name: auth-private
+ namespace: {{.Release.Namespace}}
+ annotations:
+ secret.reloader.stakater.com/reload: "server,{{ .Values.mongo.secretName }},dexcom,auth"
+ configmap.reloader.stakater.com/reload: "dexcom"
+{{ if .Values.deployment.annotations }}
+ {{- .Values.deployment.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+ selector:
+ matchLabels:
+ app: auth
+ app.kubernetes.io/name: {{ include "charts.name" . }}-private
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ replicas: {{ .Values.deployment.replicas | default 1 }}
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: auth
+ app.kubernetes.io/name: {{ include "charts.name" . }}-private
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{ if .Values.podAnnotations }}
+ annotations:
+ {{- .Values.podAnnotations | toYaml | nindent 8 }}
+{{- end }}
+ spec:
+ initContainers:
+ {{ include "charts.init.shoreline" .}}
+ {{ if .Values.initContainers }}
+{{- with .Values.initContainers }}
+{{toYaml . | indent 6}}{{- end }}
+ {{- end }}
+ containers:
+ - env:
+ {{ include "charts.platform.env.mongo" .}}
+ {{ include "charts.platform.env.misc" .}}
+ {{ include "charts.platform.env.clients" .}}
+ {{ include "charts.kafka.common" .}}
+ {{ include "charts.kafka.cloudevents.client" (dict "Values" .Values "Release" .Release "client" "auth") }}
+ - name: TIDEPOOL_SERVICE_PROVIDER_DEXCOM_AUTHORIZE_URL
+ valueFrom:
+ configMapKeyRef:
+ name: dexcom
+ key: AuthorizeURL
+ optional: true
+ - name: TIDEPOOL_SERVICE_PROVIDER_DEXCOM_REDIRECT_URL
+ valueFrom:
+ configMapKeyRef:
+ name: dexcom
+ key: RedirectURL
+ optional: true
+ - name: TIDEPOOL_SERVICE_PROVIDER_DEXCOM_SCOPES
+ valueFrom:
+ configMapKeyRef:
+ name: dexcom
+ key: Scopes
+ optional: true
+ - name: TIDEPOOL_SERVICE_PROVIDER_DEXCOM_TOKEN_URL
+ valueFrom:
+ configMapKeyRef:
+ name: dexcom
+ key: TokenURL
+ optional: true
+ - name: TIDEPOOL_SERVICE_PROVIDER_DEXCOM_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: dexcom
+ key: ClientId
+ optional: true
+ - name: TIDEPOOL_SERVICE_PROVIDER_DEXCOM_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dexcom
+ key: ClientSecret
+ optional: true
+ - name: TIDEPOOL_SERVICE_PROVIDER_DEXCOM_STATE_SALT
+ valueFrom:
+ secretKeyRef:
+ name: dexcom
+ key: StateSalt
+ optional: true
+ - name: TIDEPOOL_AUTH_SERVICE_DOMAIN
+ value: {{ .Values.global.gateway.default.domain }}
+ - name: TIDEPOOL_AUTH_SERVICE_SERVER_ADDRESS
+ value: :{{.Values.global.ports.auth_private}}
+ - name: TIDEPOOL_AUTH_SERVICE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: auth
+ key: ServiceAuth
+ - name: TIDEPOOL_APPLE_DEVICE_CHECKER_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: auth
+ key: AppleDeviceCheckKey
+ optional: true
+ - name: TIDEPOOL_APPLE_DEVICE_CHECKER_KEY_ID
+ valueFrom:
+ configMapKeyRef:
+ name: auth
+ key: AppleDeviceCheckKeyId
+ optional: true
+ - name: TIDEPOOL_APPLE_DEVICE_CHECKER_KEY_ISSUER
+ valueFrom:
+ configMapKeyRef:
+ name: auth
+ key: AppleDeviceCheckKeyIssuer
+ optional: true
+ - name: TIDEPOOL_APPLE_DEVICE_CHECKER_USE_DEVELOPMENT
+ valueFrom:
+ configMapKeyRef:
+ name: auth
+ key: AppleDeviceCheckUseDevelopment
+ optional: true
+ - name: TIDEPOOL_APPVALIDATION_USE_DEVELOPMENT
+ valueFrom:
+ configMapKeyRef:
+ name: auth
+ key: AppValidationUseDevelopment
+ optional: true
+ - name: TIDEPOOL_APPVALIDATION_APPLE_APP_IDS
+ valueFrom:
+ configMapKeyRef:
+ name: auth
+ key: AppValidationAppleAppIds
+ optional: true
+ - name: TIDEPOOL_APPVALIDATION_CHALLENGE_SIZE
+ valueFrom:
+ configMapKeyRef:
+ name: auth
+ key: AppValidationChallengeSize
+ optional: true
+ - name: COASTAL_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: coastal
+ key: apiKey
+ optional: true
+ - name: COASTAL_BASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: coastal
+ key: baseUrl
+ optional: true
+ - name: COASTAL_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: coastal
+ key: clientId
+ optional: true
+ - name: COASTAL_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: coastal
+ key: clientSecret
+ optional: true
+ - name: COASTAL_RC_TYPE_ID
+ valueFrom:
+ secretKeyRef:
+ name: coastal
+ key: rcTypeId
+ optional: true
+ - name: COASTAL_PRIVATE_KEY_DATA
+ valueFrom:
+ secretKeyRef:
+ name: coastal
+ key: privateKeyData
+ optional: true
+ - name: PALMTREE_BASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: palmtree
+ key: baseUrl
+ optional: true
+ - name: PALMTREE_CAL_ID
+ valueFrom:
+ secretKeyRef:
+ name: palmtree
+ key: calId
+ optional: true
+ - name: PALMTREE_PROFILE_ID
+ valueFrom:
+ secretKeyRef:
+ name: palmtree
+ key: profileId
+ optional: true
+ - name: PALMTREE_TLS_CERT_DATA
+ valueFrom:
+ secretKeyRef:
+ name: palmtree
+ key: tlsCertData
+ optional: true
+ - name: PALMTREE_TLS_KEY_DATA
+ valueFrom:
+ secretKeyRef:
+ name: palmtree
+ key: tlsKeyData
+ optional: true
+ image: "{{ .Values.deployment.imagePrivate }}"
+ securityContext:
+ {{- .Values.podSecurityContext | toYaml | nindent 10 }}
+ {{ template "charts.platform.probes" .Values.global.ports.auth_private}}
+ name: auth
+ ports:
+ - containerPort: {{.Values.global.ports.auth_private}}
+ name: "http"
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ {{ if .Values.deployment.imagePullSecretName }}
+ imagePullSecrets:
+ - name: {{ .Values.deployment.imagePullSecretName | quote }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ restartPolicy: Always
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
diff --git a/charts/tidepool/charts/auth/templates/2-service-private.yaml b/charts/tidepool/charts/auth/templates/2-service-private.yaml
new file mode 100644
index 00000000..896e7365
--- /dev/null
+++ b/charts/tidepool/charts/auth/templates/2-service-private.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: auth-private
+{{ include "charts.labels.standard" .}}
+ name: auth-private
+ namespace: {{.Release.Namespace}}
+spec:
+ ports:
+ - name: "http"
+ port: {{.Values.global.ports.auth_private}}
+ targetPort: "http"
+ selector:
+ app: auth
+ app.kubernetes.io/name: {{ include "charts.name" . }}-private
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/tidepool/charts/auth/templates/4-routetable.yaml b/charts/tidepool/charts/auth/templates/4-routetable.yaml
index 81a9f6e1..5e8e96d5 100644
--- a/charts/tidepool/charts/auth/templates/4-routetable.yaml
+++ b/charts/tidepool/charts/auth/templates/4-routetable.yaml
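Review bot: The pod template and `selector.matchLabels` in auth's 1-deployment-private.yaml label the private pods `app: auth`, while the Deployment's own metadata says `app: auth-private` and the data chart's private deployment on this page uses `app: data-private` throughout; any Service, NetworkPolicy or PodDisruptionBudget that selects on `app: auth` alone (the public auth Service, presumably — not visible here) will also match the private pods, so public traffic could land on a pod that only serves the private API. Use `app: auth-private` in `matchLabels`, in `template.metadata.labels` and in the selector of 2-service-private.yaml, matching the data chart. Separately, `secret.reloader.stakater.com/reload: "server,{{ .Values.mongo.secretName }},dexcom,auth"` omits the `coastal` and `palmtree` Secrets this pod reads (API key, client secret, private key and TLS key material), so rotating those credentials will not restart the pod and the old values stay in use; extend it to `"server,{{ .Values.mongo.secretName }},dexcom,auth,coastal,palmtree"`. The container is also named `auth` where the data chart names its private container `data-private`, which makes log and metric filtering by container name ambiguous.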
@@ -80,6 +80,35 @@ spec:
 options:
 extauth:
 disable: true
+ - matchers:
+ - methods:
+ - GET
+ - DELETE
+ exact: /v1/oauth/abbott/authorize
+ routeAction:
+ single:
+ kube:
+ ref:
+ name: auth-private
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.global.ports.auth_private }}
+ options:
+ extauth:
+ disable: true
+ - matchers:
+ - methods:
+ - GET
+ exact: /v1/oauth/abbott/redirect
+ routeAction:
+ single:
+ kube:
+ ref:
+ name: auth-private
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.global.ports.auth_private }}
+ options:
+ extauth:
+ disable: true
 - matchers:
 - methods:
 - GET
diff --git a/charts/tidepool/charts/auth/values.yaml b/charts/tidepool/charts/auth/values.yaml
index 1ee1d0f8..a6aa6ea7 100644
--- a/charts/tidepool/charts/auth/values.yaml
+++ b/charts/tidepool/charts/auth/values.yaml
@@ -15,6 +15,10 @@ configmap:
 deployment:
 # -- auth Docker image
 image: tidepool/platform-auth:master-latest
+ # -- auth Docker image
+ imagePrivate: tidepool/platform-private-auth:master-latest
+ # -- The name of the docker secret used for pulling the private images
+ imagePullSecretName:
 # -- number of replicas to deploy
 replicas: 1
 initContainers: []
diff --git a/charts/tidepool/charts/data/templates/1-deployment-private.yaml b/charts/tidepool/charts/data/templates/1-deployment-private.yaml
new file mode 100644
index 00000000..dc9cc1de
--- /dev/null
+++ b/charts/tidepool/charts/data/templates/1-deployment-private.yaml
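Review bot: The new `/v1/oauth/abbott/authorize` route matches `DELETE` as well as `GET` under `extauth: disable: true`, so the gateway forwards a request that presumably revokes an Abbott authorization to auth-private without authenticating the caller; that is only sound if auth-private validates the session or restricted token itself on DELETE, which nothing in this chart shows. Confirm that in the service, or split `DELETE` into its own route without `extauth.disable` so the gateway authenticates it while the browser-redirect `GET` authorize and redirect legs stay open as the existing provider routes above do. A comment above the two new matchers would spare the next reader the same question, e.g. `# Abbott OAuth legs are browser redirects: gateway extauth is off, auth-private validates state/token itself`. The enclosing `routes:` list and its preceding matcher start before this hunk.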
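Review bot: The comment added for `imagePrivate` in auth/values.yaml is a verbatim copy of the one above it, `# -- auth Docker image`, so generated values documentation cannot tell the two images apart; change it to `# -- auth private Docker image`. data/values.yaml on this page has the same duplicated `# -- Docker image` comment for its `imagePrivate` and should get `# -- data private Docker image`. `imagePullSecretName:` is left as an empty key, which renders as null and is skipped by the `{{ if .Values.deployment.imagePullSecretName }}` guards in both private deployments; a comment such as `# -- leave empty to pull without imagePullSecrets` would make that intent explicit to operators filling in the value.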
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: data-private
+{{ include "charts.labels.standard" .}}
+ name: data-private
+ namespace: {{.Release.Namespace}}
+ annotations:
+ secret.reloader.stakater.com/reload: "server,{{ .Values.mongo.secretName }},data"
+{{ if .Values.deployment.annotations }}
+ {{- .Values.deployment.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+ selector:
+ matchLabels:
+ app: data-private
+ app.kubernetes.io/name: {{ include "charts.name" . }}-private
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ replicas: {{ .Values.deployment.replicas }}
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: data-private
+ app.kubernetes.io/name: {{ include "charts.name" . }}-private
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{ if .Values.podAnnotations }}
+ annotations:
+ {{- .Values.podAnnotations | toYaml | nindent 8 }}
+{{- end }}
+ spec:
+ initContainers:
+ {{ include "charts.init.shoreline" .}}
+ {{ if .Values.initContainers }}
+{{- with .Values.initContainers }}
+{{toYaml . | indent 6}}{{- end }}
+ {{- end }}
+ containers:
+ - env:
+ {{ include "charts.platform.env.mongo" .}}
+ {{ include "charts.platform.env.misc" .}}
+ {{ include "charts.platform.env.clients" .}}
+ {{ include "charts.kafka.common" .}}
+ {{ include "charts.kafka.cloudevents.client" (dict "Values" .Values "Release" .Release "client" "data") }}
+ - name: TIDEPOOL_DATA_SERVICE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: data
+ key: ServiceAuth
+ - name: TIDEPOOL_DATA_SERVICE_SERVER_ADDRESS
+ value: :{{ .Values.global.ports.data_private }}
+ - name: TIDEPOOL_DEPRECATED_DATA_STORE_DATABASE
+ value: data
+ - name: TIDEPOOL_SYNC_TASK_STORE_DATABASE
+ value: data
+ image: "{{ .Values.deployment.imagePrivate }}"
+ securityContext:
+ {{- .Values.podSecurityContext | toYaml | nindent 10 }}
+ {{ template "charts.platform.probes" .Values.global.ports.data_private }}
+ name: data-private
+ ports:
+ - containerPort: {{.Values.global.ports.data_private}}
+ name: "http"
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ {{ if .Values.deployment.imagePullSecretName }}
+ imagePullSecrets:
+ - name: {{ .Values.deployment.imagePullSecretName | quote }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ restartPolicy: Always
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
diff --git a/charts/tidepool/charts/data/templates/2-service-private.yaml b/charts/tidepool/charts/data/templates/2-service-private.yaml
new file mode 100644
index 00000000..b736ca01
--- /dev/null
+++ b/charts/tidepool/charts/data/templates/2-service-private.yaml
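Review bot: `replicas: {{ .Values.deployment.replicas }}` in data's 1-deployment-private.yaml has no fallback, unlike the auth private deployment on this page which renders `replicas: {{ .Values.deployment.replicas | default 1 }}`; a values override that nulls `deployment.replicas` yields an empty `replicas:` and a rejected apply. Use the same `| default 1` form so the two private deployments behave alike. The env, probe, resources and scheduling stanzas here appear to duplicate the public data deployment (not visible in this diff, so presumably); if that is the case, moving the shared stanzas into a named template would keep the private and public manifests from drifting as env vars are added to one and not the other.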
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: data-private
+{{ include "charts.labels.standard" .}}
+ name: data-private
+ namespace: {{.Release.Namespace}}
+spec:
+ ports:
+ - name: "http"
+ port: {{.Values.global.ports.data_private}}
+ targetPort: "http"
+ selector:
+ app: data-private
+ app.kubernetes.io/name: {{ include "charts.name" . }}-private
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/tidepool/charts/data/templates/3-upstream-private.yaml b/charts/tidepool/charts/data/templates/3-upstream-private.yaml
new file mode 100644
index 00000000..82ed3b05
--- /dev/null
+++ b/charts/tidepool/charts/data/templates/3-upstream-private.yaml
@@ -0,0 +1,12 @@
+{{ if .Values.global.glooingress.enabled }}
+apiVersion: gloo.solo.io/v1
+kind: Upstream
+metadata:
+ name: data-private
+ namespace: {{ .Release.Namespace }}
+spec:
+ kube:
+ serviceName: data-private
+ serviceNamespace: {{ .Release.Namespace }}
+ servicePort: {{ .Values.global.ports.data_private }}
+{{- end }}
diff --git a/charts/tidepool/charts/data/templates/4-routetable.yaml b/charts/tidepool/charts/data/templates/4-routetable.yaml
index 3886e15e..158a3c91 100644
--- a/charts/tidepool/charts/data/templates/4-routetable.yaml
+++ b/charts/tidepool/charts/data/templates/4-routetable.yaml
@@ -427,6 +427,9 @@ spec:
 prefix: /v1/partners/
 routeAction:
 single:
- upstream:
- name: data
+ kube:
+ ref:
+ name: data-private
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.global.ports.data_private }}
 {{- end }}
diff --git a/charts/tidepool/charts/data/values.yaml b/charts/tidepool/charts/data/values.yaml
index 8089d4ca..4bed01d8 100644
--- a/charts/tidepool/charts/data/values.yaml
+++ b/charts/tidepool/charts/data/values.yaml
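Review bot: The `data-private` Upstream added in 3-upstream-private.yaml is not referenced anywhere on this page: the `/v1/partners/` route in data's 4-routetable.yaml replaces `upstream: name: data` with a direct `kube.ref` to the `data-private` Service rather than `upstream: name: data-private`. Either the Upstream is dead configuration or the route should point at it, which would also keep the route consistent with the line it removes; if the kube ref is deliberate (it renders regardless of `glooingress.enabled`, which gates the Upstream), a one-line comment on the route saying so would settle it. The route's matcher and any `options` block start before this hunk, so whether extauth still applies to `/v1/partners/` after moving it to the private service cannot be checked here.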
@@ -6,6 +6,10 @@ secret:
 deployment:
 # -- Docker image
 image: tidepool/platform-data:master-latest
+ # -- Docker image
+ imagePrivate: tidepool/platform-private-data:master-latest
+ # -- The name of the docker secret used for pulling the private images
+ imagePullSecretName:
 replicas: 1
 # -- memory and cpu resources for pods
diff --git a/charts/tidepool/values.yaml b/charts/tidepool/values.yaml
index 43f9c7c4..8e8b00fa 100644
--- a/charts/tidepool/values.yaml
+++ b/charts/tidepool/values.yaml
@@ -81,10 +81,14 @@ global:
 messageapi: 9119
 # -- auth service internal port
 auth: 9222
+ # -- auth private service internal port
+ auth_private: 9223
 # -- blob service internal port
 blob: 9225
 # -- data service internal port
 data: 9220
+ # -- data private service internal port
+ data_private: 9221
 # -- image service internal port
 image: 9226
 # -- mailer service internal port