ci(tilt): Replace quickstart with backend helm chart

.github/workflows/build.yaml

@@ -144,10 +144,7 @@ jobs:
         with:
           name: opentdf-client-lib
           path: lib/
-      - name: Git clone backend
-        run: |
-          git clone https://github.com/opentdf/opentdf.git
-      - uses: yokawasa/action-setup-kube-tools@v0.9.2
+      - uses: yokawasa/action-setup-kube-tools@v0.11.1
         with:
           setup-tools: |
             kubectl
@@ -170,13 +167,10 @@ jobs:
           kubernetes-version: 1.30.0
       - name: Run tilt ci
         env:
-          #path relative to the quickstart Tiltfile
-          TEST_SCRIPT: ../../wait-and-test.sh
+          TEST_SCRIPT: ./wait-and-test.sh
           OPENTDF_INGRESS_HOST_PORT: "5432"
-          OPENTDF_LOAD_FRONTEND: "false"
           PLAYWRIGHT_TESTS_TO_RUN: roundtrip
-        run: |-
-          tilt ci --file opentdf/quickstart/Tiltfile
+        run: tilt ci
 
   deliver-ghp:
     needs: [lib, web-app, scripts, backend-roundtrip]

.github/workflows/roundtrip/Tiltfile

@@ -0,0 +1,132 @@
+load("ext://helm_remote", "helm_remote")
+load("ext://helm_resource", "helm_resource", "helm_repo")
+
+BACKEND_CHART_TAG = "1.6.0"
+
+EXTERNAL_URL = os.getenv("OPENTDF_EXTERNAL_URL", "http://localhost:65432")
+INGRESS_HOST_PORT = os.getenv("OPENTDF_INGRESS_HOST_PORT", "65432")
+
+CONTAINER_REGISTRY = os.environ.get("CONTAINER_REGISTRY", "ghcr.io")
+POSTGRES_PASSWORD = "myPostgresPassword"
+OIDC_CLIENT_SECRET = "myclientsecret"
+opaPolicyPullSecret = os.environ.get("CR_PAT")
+
+
+TESTS_DIR = os.getcwd()
+
+
+def from_dotenv(path, key):
+    # Read a variable from a `.env` file
+    return str(local('. "{}" && echo "${}"'.format(path, key))).strip()
+
+
+all_secrets = read_yaml("./mocks/mock-secrets.yaml")
+
+
+def prefix_list(prefix, list):
+    return [x for y in zip([prefix] * len(list), list) for x in y]
+
+
+def dict_to_equals_list(dict):
+    return ["%s=%s" % (k, v) for k, v in dict.items()]
+
+
+def dict_to_helm_set_list(dict):
+    combined = dict_to_equals_list(dict)
+    return prefix_list("--set", combined)
+
+
+
+
+def ingress(external_port="65432"):
+    helm_repo(
+        "k8s-in",
+        "https://kubernetes.github.io/ingress-nginx",
+        labels="utility",
+    )
+    helm_resource(
+        "ingress-nginx",
+        "k8s-in/ingress-nginx",
+        flags=[
+            "--version",
+            "4.0.16",
+        ]
+        + dict_to_helm_set_list(
+            {
+                "controller.config.large-client-header-buffers": "20 32k",
+                "controller.admissionWebhooks.enabled": "false",
+            }
+        ),
+        labels="third-party",
+        port_forwards="{}:80".format(external_port),
+        resource_deps=["k8s-in"],
+    )
+
+# values: list of values files
+# set: dictionary of value_name: value pairs
+# extra_helm_parameters: only valid when devmode=False; passed to underlying `helm update` command
+def backend(values=[], set={}, resource_deps=[]):
+    set_values = {
+        "entity-resolution.secret.keycloak.clientSecret": "123-456",
+        "secrets.opaPolicyPullSecret": opaPolicyPullSecret,
+        "secrets.oidcClientSecret": OIDC_CLIENT_SECRET,
+        "secrets.postgres.dbPassword": POSTGRES_PASSWORD,
+        "kas.auth.http://localhost:65432/auth/realms/tdf.discoveryBaseUrl": "http://keycloak-http/auth/realms/tdf",
+        "kas.envConfig.ecCert": all_secrets["KAS_EC_SECP256R1_CERTIFICATE"],
+        "kas.envConfig.cert": all_secrets["KAS_CERTIFICATE"],
+        "kas.envConfig.ecPrivKey": all_secrets["KAS_EC_SECP256R1_PRIVATE_KEY"],
+        "kas.envConfig.privKey": all_secrets["KAS_PRIVATE_KEY"],
+        "kas.extraConfigMapData.KAS_URL": "http://localhost:65432/api/kas",
+    }
+    set_values.update(set)
+
+    helm_remote(
+        "backend",
+        repo_name="oci://ghcr.io/opentdf/charts",
+        values=values,
+        version=BACKEND_CHART_TAG,
+        set=dict_to_equals_list(set_values),
+    )
+    for x in ["attributes", "entitlement-store"]:
+        k8s_resource(x, labels="opentdf", resource_deps=["postgresql"])
+    k8s_resource(
+        "kas",
+        labels="opentdf",
+        resource_deps=["attributes", "keycloak"],
+        port_forwards="9000:5000"
+    )
+
+def opentdf_cluster_with_ingress(external_port=65432):
+    ingress(external_port=external_port)
+
+    backend(
+        set={
+            ("%s.ingress.enabled" % s): "true"
+            for s in [
+                "attributes",
+                "entitlements",
+                "kas",
+                "keycloak",
+                "entitlement-store",
+            ]
+        },
+        values=[TESTS_DIR + "/mocks/values.yaml"],
+        resource_deps=["ingress-nginx"],
+    )
+
+
+
+opentdf_cluster_with_ingress(
+    external_port=INGRESS_HOST_PORT,
+)
+
+
+# ability to pass in custom test script with path to script as env var
+# e.g.: CI=1 TEST_SCRIPT=tests/wait-and-test.sh tilt up
+if "TEST_SCRIPT" in os.environ and os.environ.get("CI"):
+    local_resource(
+        "passed-in-test-script",
+        os.environ.get("TEST_SCRIPT"),
+        labels="tests",
+        resource_deps=["ingress-nginx", "kas", "keycloak-bootstrap"],
+    )

.github/workflows/roundtrip/mocks/frontend-ingress-values.yaml

@@ -0,0 +1,13 @@
+ingress:
+  enabled: true
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+    kubernetes.io/ingress.class:
+  className: nginx
+  hosts:
+    - host: localhost
+      paths: &paths
+        - path: /(.*)
+          pathType: Prefix
+    - host: opentdf.local
+      paths: *paths

.github/workflows/roundtrip/mocks/mock-secrets.yaml

@@ -0,0 +1,62 @@
+KAS_CERTIFICATE: |
+    -----BEGIN CERTIFICATE-----
+    MIICmDCCAYACCQC3BCaSANRhYzANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANr
+    YXMwHhcNMjEwOTE1MTQxMTQ4WhcNMjIwOTE1MTQxMTQ4WjAOMQwwCgYDVQQDDANr
+    YXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOpiotrvV2i5h6clHM
+    zDGgh3h/kMa0LoGx2OkDPd8jogycUh7pgE5GNiN2lpSmFkjxwYMXnyrwr9ExyczB
+    WJ7sRGDCDaQg5fjVUIloZ8FJVbn+sEcfQ9iX6vmI9/S++oGK79QM3V8M8cp41r/T
+    1YVmuzUHE1say/TLHGhjtGkxHDF8qFy6Z2rYFTCVJQHNqGmwNVGd0qG7gim86Haw
+    u/CMYj4jG9oITlj8rJtQOaJ6ZqemQVoNmb3j1LkyeUKzRIt+86aoBiz+T3TfOEvX
+    F6xgBj3XoiOhPYK+abFPYcrArvb6oubT8NjjQoj3j0sXWUnIIMg+e4f+XNVU54Zz
+    DaLZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABewfZOJ4/KNRE8IQ5TsW/AVn7C1
+    l5ty6tUUBSVi8/df7WYts0bHEdQh9yl9agEU5i4rj43y8vMVZNzSeHcurtV/+C0j
+    fbkHQHeiQ1xn7cq3Sbh4UVRyuu4C5PklEH4AN6gxmgXC3kT15uWw8I4nm/plzYLs
+    I099IoRfC5djHUYYLMU/VkOIHuPC3sb7J65pSN26eR8bTMVNagk187V/xNwUuvkf
+    +NUxDO615/5BwQKnAu5xiIVagYnDZqKCOtYS5qhxF33Nlnwlm7hH8iVZ1RI+n52l
+    wVyElqp317Ksz+GtTIc+DE6oryxK3tZd4hrj9fXT4KiJvQ4pcRjpePgH7B8=
+    -----END CERTIFICATE-----
+KAS_EC_SECP256R1_CERTIFICATE: |
+    -----BEGIN CERTIFICATE-----
+    MIIBCzCBsgIJAL1qc/lWpG3HMAoGCCqGSM49BAMCMA4xDDAKBgNVBAMMA2thczAe
+    Fw0yMTA5MTUxNDExNDlaFw0yMjA5MTUxNDExNDlaMA4xDDAKBgNVBAMMA2thczBZ
+    MBMGByqGSM49AgEGCCqGSM49AwEHA0IABH2VM7Ws9SVr19rywr/o3fewDBj+170/
+    6y8zo4leVaJqCl76Nd9QfDNy4KjNCtmmjo6ftTS+iFAhnPCeugAJOWUwCgYIKoZI
+    zj0EAwIDSAAwRQIhAIFdrqhwvgL8ctPjUtmULXmg2ii0PFKg/Mox2GiCVXQdAiAW
+    UDdeafEoprE+qc4paMmbWoEpRXLlo+3S7rnc5T12Kw==
+    -----END CERTIFICATE-----
+KAS_EC_SECP256R1_PRIVATE_KEY: |
+    -----BEGIN PRIVATE KEY-----
+    MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgOK47RufwyqeWbDdC
+    ojHYxzkZ+VphXbNzZOt2seMavk2hRANCAAR9lTO1rPUla9fa8sK/6N33sAwY/te9
+    P+svM6OJXlWiagpe+jXfUHwzcuCozQrZpo6On7U0vohQIZzwnroACTll
+    -----END PRIVATE KEY-----
+KAS_PRIVATE_KEY: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOpiotrvV2i5h6
+    clHMzDGgh3h/kMa0LoGx2OkDPd8jogycUh7pgE5GNiN2lpSmFkjxwYMXnyrwr9Ex
+    yczBWJ7sRGDCDaQg5fjVUIloZ8FJVbn+sEcfQ9iX6vmI9/S++oGK79QM3V8M8cp4
+    1r/T1YVmuzUHE1say/TLHGhjtGkxHDF8qFy6Z2rYFTCVJQHNqGmwNVGd0qG7gim8
+    6Hawu/CMYj4jG9oITlj8rJtQOaJ6ZqemQVoNmb3j1LkyeUKzRIt+86aoBiz+T3Tf
+    OEvXF6xgBj3XoiOhPYK+abFPYcrArvb6oubT8NjjQoj3j0sXWUnIIMg+e4f+XNVU
+    54ZzDaLZAgMBAAECggEBALb0yK0PlMUyzHnEUwXV1y5AIoAWhsYp0qvJ1msHUVKz
+    +yQ/VJz4+tQQxI8OvGbbnhNkd5LnWdYkYzsIZl7b/kBCPcQw3Zo+4XLCzhUAn1E1
+    M+n42c8le1LtN6Z7mVWoZh7DPONy7t+ABvm7b7S1+1i78DPmgCeWYZGeAhIcPXG6
+    5AxWIV3jigxksE6kYY9Y7DmtsZgMRrdV7SU8VtgPtT7tua8z5/U3Av0WINyKBSoM
+    0yDHsAg57KnM8znx2JWLtHd0Mk5bBuu2DLbtyKNrVUAUuMPzrLGBh9S9QRd934KU
+    uFAi1TEfgEachnGgSHJpzVzr2ur1tifABnQ7GNXObe0CgYEA6KowK0subdDY+uGW
+    ciP2XDAMerbJJeL0/UIGPb/LUmskniio2493UBGgY2FsRyvbzJ+/UAOjIPyIxhj7
+    78ZyVG8BmIzKan1RRVh//O+5yvks/eTOYjWeQ1Lcgqs3q4YAO13CEBZgKWKTUomg
+    mskFJq04tndeSIyhDaW+BuWaXA8CgYEA42ABz3pql+DH7oL5C4KYBymK6wFBBOqk
+    dVk+ftyJQ6PzuZKpfsu4aPIjKm71lkTgK6O9o08s3SckAdu6vLukq2TZFF+a+9OI
+    lu5ww7GvfdMTgLAaFchD4bPlOInh1KVjBc1MwGXpl0ROde5pi8+WUrv9QJuoQfB/
+    4rhYdbJLSpcCgYA41mqSCPm8pgp7r2RbWeGzP6Gs0L5u3PTQcbKonxQCfF4jrPcj
+    O/b/vm6aGJClClfVsyi/WUQeqNKY4j2Zo7cGXV/cbnh8b0TNVgNePQn8Rcbx91Vb
+    tJGHDNUFruIYqtGfrxXbbDvtoEExJqHvbjAt9J8oJB0KSCCH/vdfI/QDjQKBgQCD
+    xLPH5Y24js/O7aAeh4RLQkv7fTKNAt5kE2AgbPYveOhZ9yC7Fpy8VPcENGGmwCuZ
+    nr7b0ZqSX4iCezBxB92aZktXf0B2CFT0AyLehi7JoHWA8o1rai/MsVB5v45ciawl
+    RKDiLy18OF2wAoawO5FGSSOvOYX9EL9MSMEbFESF6QKBgCVlZ9pPC+55rGT6AcEL
+    tUpDs+/wZvcmfsFd8xC5mMUN0DatAVzVAUI95+tQaWU3Uj+bqHq0lC6Wy2VceG0D
+    D+7EicjdGFN/2WVPXiYX1fblkxasZY+wChYBrPLjA9g0qOzzmXbRBph5QxDuQjJ6
+    qcddVKB624a93ZBssn7OivnR
+    -----END PRIVATE KEY-----
+

.github/workflows/roundtrip/mocks/values.yaml

@@ -0,0 +1,23 @@
+attributes:
+  postgres:
+    password: bXlQb3N0Z3Jlc1Bhc3N3b3Jk
+entitlementstore:
+  postgres:
+    password: bXlQb3N0Z3Jlc1Bhc3N3b3Jk
+entitlements:
+  postgres:
+    password: bXlQb3N0Z3Jlc1Bhc3N3b3Jk
+imageCredentials:
+  registry: ghcr.io
+  username: my-gh-username
+  password: my-pat
+  email: my@github.profile.email
+keycloak:
+  postgres:
+    password: bXlQb3N0Z3Jlc1Bhc3N3b3Jk
+kas:
+  auth:
+    "http://localhost:65432/auth/realms/tdf":
+      discoveryBaseUrl: "http://keycloak-http/auth/realms/tdf"
+entitlementpdp:
+  opaPolicyPullSecret: my-pat