[vrt ]add basic auth proxy to api (#186)

* add auth proxy Signed-off-by: André Bauer <[email protected]> * readme Signed-off-by: André Bauer <[email protected]> * wording Signed-off-by: André Bauer <[email protected]> * cm Signed-off-by: André Bauer <[email protected]> * format Signed-off-by: André Bauer <[email protected]> * fix Signed-off-by: André Bauer <[email protected]> * info Signed-off-by: André Bauer <[email protected]> * try upgrad again Signed-off-by: André Bauer <[email protected]> --------- Signed-off-by: André Bauer <[email protected]>
kokuwaio · Jun 27, 2024 · 8e7b2c6 · 8e7b2c6
1 parent 4ffa84a
commit 8e7b2c6
Show file tree

Hide file tree

Showing 14 changed files with 289 additions and 58 deletions.
diff --git a/.github/ct.yaml b/.github/ct.yaml
@@ -5,3 +5,4 @@ check-version-increment: true
 debug: true
 helm-extra-args: --timeout 600s
 target-branch: main
+upgrade: true
diff --git a/charts/visual-regression-tracker/Chart.yaml b/charts/visual-regression-tracker/Chart.yaml
@@ -6,7 +6,7 @@ sources:
  - https://github.com/Visual-Regression-Tracker/Visual-Regression-Tracker
  - https://github.com/kokuwaio/helm-charts/tree/main/charts/visual-regression-tracker
 type: application
-version: 3.2.0
+version: 4.0.0
 appVersion: "5.0.4"
 maintainers:
  - name: monotek

diff --git a/charts/visual-regression-tracker/README.md b/charts/visual-regression-tracker/README.md
@@ -49,6 +49,16 @@ helm upgrade vrt kokuwa/visual-regression-tracker
 
 _See [`helm upgrade`](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
 
+### From 3.0.x to 4.0.0
+
+This version adds a proxy in fornt of the API server which protects it via basic auth. The configuration can be done via `authProxy.basicAuth.username`, `authProxy.basicAuth.password`. The password can also be populated by predefined secret via `secrets.authProxy`.
+
+The `secrets.apiUrl` secrets has been removed.
+
+The `reactAppApiUrl` variables has been split up into `reactAppApi.protocol` & `reactAppApi.url`.
+
+The `vrtComponents.api.ingress` config has been moved to `authProxy.ingress`.
+
 ### From 2.0.x to 3.0.0
 
 This updates Visual Regression Tracker to 5.0.3. Please follow the [official migration steps](https://github.com/Visual-Regression-Tracker/Visual-Regression-Tracker/releases/tag/5.0.0):

diff --git a/charts/visual-regression-tracker/templates/_helpers.tpl b/charts/visual-regression-tracker/templates/_helpers.tpl
@@ -105,13 +105,14 @@ vrt secret name
 {{- end -}}
 {{- end -}}
 
+
 {{/*
-vrt api url secret name
+vrt auth proxy secret name
 */}}
-{{- define "visual-regression-tracker.vrtApiUrlSecretName" -}}
-{{- if .Values.secrets.apiUrl.useExisting -}}
-{{ .Values.secrets.apiUrl.secretName }}
+{{- define "visual-regression-tracker.authProxySecretName" -}}
+{{- if .Values.secrets.authProxy.useExisting -}}
+{{ .Values.secrets.authProxy.secretName }}
 {{- else -}}
-{{ template "visual-regression-tracker.fullname" . }}-{{ .Values.secrets.apiUrl.secretName }}
+{{ template "visual-regression-tracker.fullname" . }}-{{ .Values.secrets.authProxy.secretName }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/visual-regression-tracker/templates/auth-proxy-configmap.yaml b/charts/visual-regression-tracker/templates/auth-proxy-configmap.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "visual-regression-tracker.fullname" . }}-auth
+ labels:
+ {{- include "visual-regression-tracker.labels" . | nindent 4 }}
+ component: auth-proxy
+data:
+ default.conf: |
+ server {
+ listen 8080;
+
+ server_name _;
+
+ location /health {
+ return 200 'ok\n';
+ }
+
+ location / {
+ auth_basic "restricted";
+ auth_basic_user_file /tmp/htpass;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass "http://{{ include "visual-regression-tracker.fullname" . }}-api:4200";
+ proxy_http_version 1.1;
+ }
+ }
diff --git a/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml b/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml
@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "visual-regression-tracker.fullname" . }}-auth
+ labels:
+ {{- include "visual-regression-tracker.labels" . | nindent 4 }}
+ component: auth-proxy
+spec:
+ replicas: {{ .Values.authProxy.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "visual-regression-tracker.selectorLabels" . | nindent 6 }}
+ component: auth-proxy
+ template:
+ metadata:
+ {{- with .Values.authProxy.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "visual-regression-tracker.labels" . | nindent 8 }}
+ {{- with .Values.authProxy.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ component: auth-proxy
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "visual-regression-tracker.serviceAccountName" . }}
+ initContainers:
+ - name: create-basic-auth
+ command: 
+ - htpasswd
+ - -b
+ - -c
+ - /tmp/htpass
+ - {{ .Values.authProxy.basicAuth.username }}
+ - $(AUTH_SECRET)
+ env:
+ - name: AUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "visual-regression-tracker.authProxySecretName" . }}
+ key: {{ .Values.secrets.authProxy.secretKey }}
+ securityContext:
+ {{- toYaml .Values.authProxy.initContainer.securityContext | nindent 12 }}
+ image: "{{ .Values.authProxy.initContainer.image.repository }}:{{ .Values.authProxy.initContainer.image.tag }}"
+ imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }}
+ resources:
+ {{- toYaml .Values.authProxy.initContainer.resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmpdir
+ containers:
+ - name: auth-proxy
+ securityContext:
+ {{- toYaml .Values.authProxy.securityContext | nindent 12 }}
+ image: "{{ .Values.authProxy.image.repository }}:{{ .Values.authProxy.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.authProxy.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.authProxy.service.port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8080
+ failureThreshold: 10
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 8080
+ failureThreshold: 3
+ resources:
+ {{- toYaml .Values.authProxy.resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmpdir
+ - name: auth
+ mountPath: /etc/nginx/conf.d/default.conf
+ subPath: default.conf
+ readOnly: true
+ volumes:
+ - name: tmpdir
+ emptyDir:
+ sizeLimit: {{ .Values.authProxy.tmpDirSizeLimit }}
+ - name: auth
+ configMap:
+ defaultMode: 420
+ name: {{ include "visual-regression-tracker.fullname" . }}-auth
+ {{- with .Values.authProxy.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.authProxy.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.authProxy.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/...ession-tracker/templates/ingress-api.yaml → ...tracker/templates/auth-proxy-ingress.yaml b/...ession-tracker/templates/ingress-api.yaml → ...tracker/templates/auth-proxy-ingress.yaml
@@ -1,9 +1,9 @@
-{{- if .Values.vrtComponents.api.ingress.enabled -}}
+{{- if .Values.authProxy.ingress.enabled -}}
 {{- $fullName := include "visual-regression-tracker.fullname" . -}}
-{{- $svcPort := .Values.vrtComponents.api.service.port -}}
-{{- if and .Values.vrtComponents.api.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
- {{- if not (hasKey .Values.vrtComponents.api.ingress.annotations "kubernetes.io/ingress.class") }}
- {{- $_ := set .Values.vrtComponents.api.ingress.annotations "kubernetes.io/ingress.class" .Values.vrtComponents.api.ingress.className}}
+{{- $svcPort := .Values.authProxy.service.port -}}
+{{- if and .Values.authProxy.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.authProxy.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.authProxy.ingress.annotations "kubernetes.io/ingress.class" .Values.authProxy.ingress.className}}
  {{- end }}
 {{- end }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
@@ -15,20 +15,20 @@ apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
- name: {{ $fullName }}
+ name: "{{ $fullName }}-auth"
  labels:
  {{- include "visual-regression-tracker.labels" . | nindent 4 }}
- {{- with .Values.vrtComponents.api.ingress.annotations }}
+ {{- with .Values.authProxy.ingress.annotations }}
  annotations:
  {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
- {{- if and .Values.vrtComponents.api.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
- ingressClassName: {{ .Values.vrtComponents.api.ingress.className }}
+ {{- if and .Values.authProxy.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.authProxy.ingress.className }}
  {{- end }}
- {{- if .Values.vrtComponents.api.ingress.tls }}
+ {{- if .Values.authProxy.ingress.tls }}
  tls:
- {{- range .Values.vrtComponents.api.ingress.tls }}
+ {{- range .Values.authProxy.ingress.tls }}
  - hosts:
  {{- range .hosts }}
  - {{ . | quote }}
@@ -37,7 +37,7 @@ spec:
  {{- end }}
  {{- end }}
  rules:
- {{- range .Values.vrtComponents.api.ingress.hosts }}
+ {{- range .Values.authProxy.ingress.hosts }}
  - host: {{ .host | quote }}
  http:
  paths:

diff --git a/charts/visual-regression-tracker/templates/auth-proxy-secret.yaml b/charts/visual-regression-tracker/templates/auth-proxy-secret.yaml
@@ -0,0 +1,13 @@
+{{ if and .Values.authProxy.basicAuth.password (not .Values.secrets.authProxy.useExisting) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "visual-regression-tracker.fullname" . }}-auth
+ labels:
+ {{- include "visual-regression-tracker.labels" . | nindent 4 }}
+ component: auth-proxy
+type: Opaque
+data:
+ {{ .Values.secrets.authProxy.secretKey }}: {{ .Values.authProxy.basicAuth.password | b64enc | quote }}
+{{ end }}
diff --git a/charts/visual-regression-tracker/templates/auth-proxy-service.yaml b/charts/visual-regression-tracker/templates/auth-proxy-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "visual-regression-tracker.fullname" . }}-auth
+ labels:
+ {{- include "visual-regression-tracker.labels" . | nindent 4 }}
+ component: auth-proxy
+spec:
+ type: {{ .Values.authProxy.service.type }}
+ ports:
+ - port: {{ .Values.authProxy.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "visual-regression-tracker.selectorLabels" . | nindent 4 }}
+ component: auth-proxy
diff --git a/charts/visual-regression-tracker/templates/configmap.yaml b/charts/visual-regression-tracker/templates/configmap.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: env-config
+ name: {{ include "visual-regression-tracker.fullname" . }}-env-config
  labels:
  {{- include "visual-regression-tracker.labels" . | nindent 4 }}
 data:

diff --git a/charts/visual-regression-tracker/templates/ingress-ui.yaml b/charts/visual-regression-tracker/templates/ingress-ui.yaml
@@ -15,7 +15,7 @@ apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
- name: {{ $fullName }}
+ name: "{{ $fullName }}-ui"
  labels:
  {{- include "visual-regression-tracker.labels" . | nindent 4 }}
  {{- with .Values.vrtComponents.ui.ingress.annotations }}

diff --git a/charts/visual-regression-tracker/templates/secrets.yaml b/charts/visual-regression-tracker/templates/secrets.yaml
@@ -46,15 +46,3 @@ type: Opaque
 data:
  {{ .Values.secrets.defaults.secretKey }}: {{ tpl (.Files.Get "files/seed.ts") $ | b64enc }}
 {{ end }}
-{{ if and .Values.vrtConfig.reactAppApiUrl (not .Values.secrets.apiUrl.useExisting) }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "visual-regression-tracker.vrtApiUrlSecretName" . }}
- labels:
- {{- include "visual-regression-tracker.labels" . | nindent 4 }}
-type: Opaque
-data:
- {{ .Values.secrets.apiUrl.secretKey }}: {{ .Values.vrtConfig.reactAppApiUrl | b64enc | quote }}
-{{ end }}
diff --git a/charts/visual-regression-tracker/templates/statefulset.yaml b/charts/visual-regression-tracker/templates/statefulset.yaml
@@ -121,11 +121,13 @@ spec:
  mountPath: /imageUploads
  - name: {{ .Chart.Name }}-ui
  env:
- - name: REACT_APP_API_URL
+ - name: BASIC_AUTH_PASSWORD
  valueFrom:
  secretKeyRef:
- name: {{ template "visual-regression-tracker.vrtApiUrlSecretName" . }}
- key: {{ .Values.secrets.apiUrl.secretKey }}
+ name: {{ template "visual-regression-tracker.authProxySecretName" . }}
+ key: {{ .Values.secrets.authProxy.secretKey }}
+ - name: REACT_APP_API_URL
+ value: "{{ .Values.vrtConfig.reactAppApi.protocol }}://{{ .Values.authProxy.basicAuth.username }}:$(BASIC_AUTH_PASSWORD)@{{ .Values.vrtConfig.reactAppApi.url }}"
  - name: VRT_VERSION
  value: "{{ .Chart.AppVersion }}"
  image: "{{ .Values.vrtComponents.ui.image.repository }}:{{ .Values.vrtComponents.ui.image.tag }}"
@@ -148,7 +150,7 @@ spec:
  securityContext:
  {{- toYaml .Values.vrtComponents.ui.securityContext | nindent 12 }}
  volumeMounts:
- - name: {{ template "visual-regression-tracker.fullname" . }}
+ - name: env-config
  mountPath: /usr/share/nginx/html/static/imageUploads
  - name: env-config
  mountPath: /usr/share/nginx/html/env.sh
@@ -179,7 +181,7 @@ spec:
  volumes:
  - name: env-config
  configMap:
- name: env-config
+ name: {{ include "visual-regression-tracker.fullname" . }}-env-config
  defaultMode: 0777
  - name: tmp
  {{- toYaml .Values.vrtComponents.ui.tmpDirVolume | nindent 10 }}