Add helm chart for token-validator deployment

meffmadd · meffmadd · commit 395ee0c46aaf · 2025-01-22T11:22:44.000+01:00
diff --git a/charts/token-validator/.helmignore b/charts/token-validator/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/token-validator/Chart.yaml b/charts/token-validator/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: token-validator
+description: A Helm chart for a token-validator Deployment.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
diff --git a/charts/token-validator/templates/deployment.yaml b/charts/token-validator/templates/deployment.yaml
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: token-validator
+  namespace: {{ $.Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: token-validator
+  template:
+    metadata:
+      labels:
+        app: token-validator
+    spec:
+      volumes:
+        - name: db-storage
+          persistentVolumeClaim:
+            claimName: token-validator-db-pvc
+      initContainers:
+        - name: db-migrate
+          image: {{.Values.image.repository }}:{{.Values.image.tag }}
+          imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+          command: [ "flask", "db", "upgrade" ]
+          env:
+            - name: DATABASE_URI
+              value: "sqlite:////db/token_validator.db"
+          volumeMounts:
+            - name: db-storage
+              mountPath: /db
+      containers:
+        - name: token-validator
+          image: {{.Values.image.repository }}:{{.Values.image.tag }}
+          imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+          ports:
+            - containerPort: 5000
+          volumeMounts:
+            - name: db-storage
+              mountPath: /db
+          env:
+            - name: DATABASE_URI
+              value: "sqlite:////db/token_validator.db"
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.oidc.secrets.existingSecret.name }}
+                  key: {{ .Values.oidc.secrets.existingSecret.clientIdKey }}
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.oidc.secrets.existingSecret.name }}
+                  key: {{ .Values.oidc.secrets.existingSecret.clientSecretKey }}
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretKey.existingSecret.name }}
+                  key: {{ .Values.secretKey.existingSecret.key }}
+            - name: ADMIN_GROUP
+              value: {{ .Values.oidc.adminGroup }}
+            - name: OIDC_AUTHORIZE_URL
+              value: {{ .Values.oidc.authorizeURL }}
+            - name: OIDC_CONFIGURATION_URL
+              value: {{ .Values.oidc.configurationURL }}
+            - name: OIDC_TOKEN_URL
+              value: {{ .Values.oidc.tokenURL }}
+            - name: OIDC_USERINFO_URL
+              value: {{ .Values.oidc.userinfoURL }}
+            - name: PREFERRED_URL_SCHEME
+              value: 'https'
+  strategy:
+    type: Recreate
diff --git a/charts/token-validator/templates/ingress.yaml b/charts/token-validator/templates/ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: token-validator-ingress
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: token-validator
+                port:
+                  number: 5000
+          {{- end }}
+    {{- end }}
+  tls:
+    {{- toYaml .Values.ingress.tls | nindent 4 }}
diff --git a/charts/token-validator/templates/pvc.yaml b/charts/token-validator/templates/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: token-validator-db-pvc
+  namespace: {{ $.Release.Namespace }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/charts/token-validator/templates/service.yaml b/charts/token-validator/templates/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: token-validator
+  namespace: {{ $.Release.Namespace }}
+spec:
+  selector:
+    app: token-validator
+  ports:
+  - name: http
+    port: 80
+    targetPort: 5000
+  type: ClusterIP
diff --git a/charts/token-validator/templates/token-validator-secret.yaml b/charts/token-validator/templates/token-validator-secret.yaml
@@ -0,0 +1,28 @@
+{{ if .Values.externalSecret.enabled }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.externalSecret.key }}
+spec:
+  refreshInterval: "0"
+  secretStoreRef:
+    name: datalab-vault
+    kind: ClusterSecretStore
+  target:
+    name: {{ .Values.oidc.secrets.existingSecret.name }}
+  data:
+    - secretKey: {{ .Values.oidc.secrets.existingSecret.clientIdKey }}
+      remoteRef:
+        key: {{ .Values.externalSecret.key }}
+        property: OIDC_CLIENT_ID
+
+    - secretKey: {{ .Values.oidc.secrets.existingSecret.clientSecretKey }}
+      remoteRef:
+        key: {{ .Values.externalSecret.key }}
+        property: OIDC_CLIENT_SECRET
+
+    - secretKey: {{ .Values.secretKey.existingSecret.key }}
+      remoteRef:
+        key: {{ .Values.externalSecret.key }}
+        property: SECRET_KEY
+  {{ end }}
diff --git a/charts/token-validator/values.yaml b/charts/token-validator/values.yaml
@@ -0,0 +1,44 @@
+image:
+  repository: ghcr.io/tu-wien-datalab/token-validator
+  tag: main
+  imagePullPolicy: Always
+
+externalSecret:
+  enabled: true
+  key: token-validator-secrets
+
+oidc:
+  adminGroup: "ds-ray-cluster"
+  authorizeURL: https://login.datalab.tuwien.ac.at/application/o/authorize/
+  configurationURL: https://login.datalab.tuwien.ac.at/application/o/tgi/.well-known/openid-configuration
+  tokenURL: https://login.datalab.tuwien.ac.at/application/o/token/
+  userinfoURL: https://login.datalab.tuwien.ac.at/application/o/userinfo/
+  secrets:
+    existingSecret:
+      name: token-validator-secrets
+      clientIdKey: OIDC_CLIENT_ID
+      clientSecretKey: OIDC_CLIENT_SECRET
+
+
+secretKey:
+  existingSecret:
+    name: token-validator-secrets
+    key: SECRET_KEY
+
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    # tls
+    kubernetes.io/tls-acme: "true"
+    cert-manager.io/cluster-issuer: datalab-issuer
+  hosts:
+    - host: tgi.mlops-staging.datalab.tuwien.ac.at
+      paths:
+        - path: "/"
+          pathType: "Prefix"
+  tls:
+    - secretName: token-validator-tls
+      hosts:
+        - tgi.mlops-staging.datalab.tuwien.ac.at
