[charts/csm-authorization-v2.0] Move Authorization V2 to a new chart (#464)

* move authorization v2 to separate helm chart

* update v2 version in chart.yaml

* add new line

* remove storage secret

Author: shaynafinocchiaro

charts/csm-authorization-v2.0/.gitignore

@@ -0,0 +1,2 @@
+Chart.lock
+charts/*tgz

charts/csm-authorization-v2.0/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+installer/

charts/csm-authorization-v2.0/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: csm-authorization
+version: v2.0.0-alpha
+appVersion: v2.0.0-alpha
+type: application
+description: |
+  CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes
+  storage enablers for Dell EMC storage products.  CSM for Authorization provides storage and Kubernetes administrators the ability
+  to apply RBAC for Dell CSI Drivers.
+dependencies:
+  - name: cert-manager
+    version: 1.10.0
+    repository: https://charts.jetstack.io
+    condition: cert-manager.enabled
+  - name: ingress-nginx
+    version: 4.0.19
+    repository: https://kubernetes.github.io/ingress-nginx
+    condition: nginx.enabled

charts/csm-authorization-v2.0/README.md

@@ -0,0 +1,19 @@
+<!--
+Copyright (c) 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+-->
+
+# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart
+
+CSM for Authorization V2 can be deployed using Helm.
+
+For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm).
+
+## Helm Chart Versioning
+
+For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy).

charts/csm-authorization-v2.0/charts/redis/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/csm-authorization-v2.0/charts/redis/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: redis-csm
+description: Helm Chart for Redis with Sentinels
+type: application
+version: 0.1.0
+appVersion: 0.1.0

charts/csm-authorization/charts/redis/templates/_helpers.tpl renamed to charts/csm-authorization-v2.0/charts/redis/templates/_helpers.tpl

@@ -0,0 +1,188 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.redis.name }}
+  namespace: {{ include "custom.namespace" . }}
+spec:
+  type:
+  clusterIP: None
+  selector:
+    app: {{ .Values.redis.name }}
+  ports:
+  - protocol: TCP
+    port: 6379
+    targetPort: 6379
+    name: {{ .Values.redis.name }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ .Values.redis.name }}
+  namespace: {{ include "custom.namespace" . }}
+spec:
+  serviceName: {{ .Values.redis.name }}
+  replicas: {{ .Values.redis.replicas }}
+  selector:
+    matchLabels:
+      app: {{ .Values.redis.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.redis.name }}
+      annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
+    spec:
+      initContainers:
+      - name: config
+        image: {{ .Values.redis.images.redis }}
+        env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: redis-csm-secret
+                key: password
+
+        command: [ "sh", "-c" ]
+        args:
+          - |
+            cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf
+            echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf
+            echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf
+            
+            echo "Finding master..."
+            MASTER_FDQN=`hostname  -f | sed -e 's/{{ .Values.redis.name }}-[0-9]\./{{ .Values.redis.name }}-0./'`
+            echo "Master at " $MASTER_FQDN
+            if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then
+              echo "No sentinel found..."
+              if [ "$(hostname)" = "{{ .Values.redis.name }}-0" ]; then
+                echo "This is Redis master, not updating redis.conf..."
+              else
+                echo "This is Redis replica, updating redis.conf..."               
+                echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf                
+              fi
+            else
+              echo "Sentinel found, finding master..."
+              MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')"              
+              echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf 
+            fi
+        volumeMounts: 
+        - name: redis-primary-volume
+          mountPath: /data
+        - name: configmap
+          mountPath: /csm-auth-redis-cm/
+        - name: config
+          mountPath: /etc/redis/
+      containers:
+      - name: {{ .Values.redis.name }}
+        image: {{ .Values.redis.images.redis }}
+        command: ["redis-server"]
+        args: ["/etc/redis/redis.conf"]
+        ports:
+        - containerPort: 6379
+          name: {{ .Values.redis.name }}
+        volumeMounts:
+        - name: redis-primary-volume
+          mountPath: /data
+        - name: configmap
+          mountPath: /csm-auth-redis-cm/
+        - name: config
+          mountPath: /etc/redis/
+      volumes:
+      - name: redis-primary-volume        
+        emptyDir: {}
+      - name: config 
+        emptyDir: {}
+      - name: configmap
+        configMap:
+          name: redis-csm-cm          
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.redis.rediscommander }}
+  namespace: {{ include "custom.namespace" . }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.redis.rediscommander }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.redis.rediscommander }}
+        tier: backend
+      annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
+    spec:
+      containers:
+      - name: {{ .Values.redis.rediscommander }}
+        image: {{ .Values.redis.images.commander }}
+        imagePullPolicy: IfNotPresent
+        env:
+          {{- $str := "" -}}
+          {{- $ns := include "custom.namespace" . -}} 
+          {{- $replicas := .Values.redis.replicas | int }}
+          {{- $sentinel := .Values.redis.sentinel }}
+          {{- range $i, $e := until $replicas }} 
+          {{- if $i }}         
+          {{- $str = print $str "," -}}
+          {{- end }}           
+          {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}}
+          {{- end }}
+        - name: SENTINELS        
+          value: {{ $str | quote }}                                     
+        - name: K8S_SIGTERM
+          value: "1"
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: password  
+        - name: SENTINEL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: password          
+        - name: HTTP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: password          
+        - name: HTTP_USER
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: commander_user         
+        ports:
+        - name: {{ .Values.redis.rediscommander }}
+          containerPort: 8081
+        livenessProbe:
+          httpGet:
+            path: /favicon.png
+            port: 8081
+          initialDelaySeconds: 10
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: "500m"
+            memory: "512M"
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.redis.rediscommander }}
+  namespace: {{ include "custom.namespace" . }}
+spec:
+  selector:
+    app: {{ .Values.redis.rediscommander }}
+  ports:
+  - protocol: TCP
+    port: 8081
+    targetPort: 8081

charts/csm-authorization/charts/redis/templates/redis-cm.yaml renamed to charts/csm-authorization-v2.0/charts/redis/templates/redis-cm.yaml

@@ -0,0 +1,8 @@
+redis:
+  name: redis-csm
+  sentinel: sentinel
+  rediscommander: rediscommander
+  replicas: 5
+  images:
+    redis: amaas-eos-mw1.cec.lab.emc.com:5046/redis:7.2.4-alpine
+    commander: rediscommander/redis-commander:latest

charts/csm-authorization/charts/redis/templates/redis-secret.yaml renamed to charts/csm-authorization-v2.0/charts/redis/templates/redis-secret.yaml

@@ -0,0 +1,4 @@
+package karavi.common
+default roles = {}
+roles = {}
+

charts/csm-authorization-v2.0/charts/redis/templates/redis.yaml

@@ -0,0 +1,40 @@
+# Copyright © 2023 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.sdc.approve
+
+import data.karavi.common
+
+# Allow requests by default.
+default allow = true
+
+default response = {
+	"allowed": true
+}
+response = {
+    "allowed": false,
+    "status": {
+        "reason": reason,
+    },
+} {
+    reason = concat(", ", deny)
+    reason != ""
+}
+
+default claims = {}
+claims = input.claims
+deny[msg] {
+  claims == {}
+  msg := sprintf("missing claims", [])
+}