Merge branch 'master' into fix/fence_yaml_merge

.secrets.baseline

@@ -179,7 +179,7 @@
         "hashed_secret": "d84ce25b0f9bc2cc263006ae39453efb22cc2900",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 23,
+        "line_number": 25,
         "type": "Secret Keyword"
       }
     ],
@@ -346,14 +346,14 @@
         "hashed_secret": "7422c958ec5a8e5f87c9e81cdf426ef0e193332c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 81,
+        "line_number": 83,
         "type": "Secret Keyword"
       },
       {
         "hashed_secret": "1740c48fa3141d4851b14f97e3bc0f46f7670672",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 115,
+        "line_number": 122,
         "type": "Secret Keyword"
       }
     ],
@@ -362,7 +362,7 @@
         "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 190,
+        "line_number": 200,
         "type": "Secret Keyword"
       }
     ],

helm/common/Chart.yaml

@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/common/README.md

@@ -1,13 +1,15 @@
 # common
 
-![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 A Helm chart for provisioning databases in gen3
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| global.aws | map | `{"region":"us-east-1"}` | AWS configuration |
+| global.aws.region | string | `"us-east-1"` | AWS region for this deployment |
 | global.ddEnabled | bool | `false` | Whether Datadog is enabled. |
 | global.dev | bool | `true` | Whether the deployment is for development purposes. |
 | global.dictionaryUrl | string | `"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json"` | URL of the data dictionary. |

helm/common/templates/_external_secrets.tpl

@@ -50,15 +50,21 @@ spec:
   provider:
     aws:
       service: SecretsManager
-      region: us-east-1
+      region: {{ .Values.global.aws.region }}
       auth:
+        {{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+        jwt:
+          serviceAccountRef:
+            name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+        {{- else }}
         secretRef:
           accessKeyIDSecretRef:
             name: {{.Chart.Name}}-aws-config
             key: access-key
           secretAccessKeySecretRef:
             name: {{.Chart.Name}}-aws-config
             key: secret-access-key
+        {{- end}}
 {{- end }}
 
 

helm/common/values.yaml

@@ -5,6 +5,10 @@
 
 # Global configuration
 global:
+  # -- (map) AWS configuration
+  aws:
+    # -- (string) AWS region for this deployment
+    region: us-east-1
   # -- (bool) Whether the deployment is for development purposes.
   dev: true
 

helm/gen3/Chart.yaml

@@ -25,7 +25,7 @@ dependencies:
   repository: "file://../aws-es-proxy"
   condition: aws-es-proxy.enabled
 - name: common
-  version: 0.1.10
+  version: 0.1.11
   repository: file://../common
 - name: etl
   version: 0.1.1
@@ -68,7 +68,7 @@ dependencies:
   repository: "file://../pidgin"
   condition: pidgin.enabled
 - name: portal
-  version: 0.1.12
+  version: 0.1.15
   repository: "file://../portal"
   condition: portal.enabled
 - name: requestor
@@ -95,6 +95,7 @@ dependencies:
   version: 0.1.13
   repository: "file://../wts"
   condition: wts.enabled
+
 - name: elasticsearch
   version: 7.10.2
   repository: "https://helm.elastic.co"
@@ -104,6 +105,16 @@ dependencies:
   repository: "https://charts.bitnami.com/bitnami"
   condition: global.dev
 
+# (optional) NeuVector Kubernetes Security Policy templates to protect Gen3
+#   NeuVector must be installed separately.
+#   Reference: https://open-docs.neuvector.com/basics/overview
+#   Reference: https://github.com/neuvector/neuvector-helm
+# For more information, please use the Gen3 community Slack.
+- name: neuvector
+  version: "0.1.0"
+  repository: "file://../neuvector"
+  condition: neuvector.enabled
+
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
@@ -117,7 +128,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.33
+version: 0.1.36
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/gen3/README.md

@@ -1,6 +1,6 @@
 # gen3
 
-![Version: 0.1.33](https://img.shields.io/badge/Version-0.1.33-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.36](https://img.shields.io/badge/Version-0.1.36-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 Helm chart to deploy Gen3 Data Commons
 
@@ -23,7 +23,7 @@ Helm chart to deploy Gen3 Data Commons
 | file://../argo-wrapper | argo-wrapper | 0.1.7 |
 | file://../audit | audit | 0.1.12 |
 | file://../aws-es-proxy | aws-es-proxy | 0.1.9 |
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.11 |
 | file://../etl | etl | 0.1.1 |
 | file://../fence | fence | 0.1.19 |
 | file://../frontend-framework | frontend-framework | 0.1.1 |
@@ -32,9 +32,10 @@ Helm chart to deploy Gen3 Data Commons
 | file://../indexd | indexd | 0.1.14 |
 | file://../manifestservice | manifestservice | 0.1.14 |
 | file://../metadata | metadata | 0.1.12 |
+| file://../neuvector | neuvector | 0.1.0 |
 | file://../peregrine | peregrine | 0.1.13 |
 | file://../pidgin | pidgin | 0.1.10 |
-| file://../portal | portal | 0.1.12 |
+| file://../portal | portal | 0.1.15 |
 | file://../requestor | requestor | 0.1.11 |
 | file://../revproxy | revproxy | 0.1.14 |
 | file://../sheepdog | sheepdog | 0.1.14 |
@@ -59,6 +60,7 @@ Helm chart to deploy Gen3 Data Commons
 | aws-es-proxy.secrets.awsSecretAccessKey | str | `""` | AWS secret access key for aws-es-proxy |
 | elasticsearch.clusterHealthCheckParams | string | `"wait_for_status=yellow&timeout=1s"` |  |
 | elasticsearch.clusterName | string | `"gen3-elasticsearch"` |  |
+| elasticsearch.esConfig."elasticsearch.yml" | string | `"# Here we can add elasticsearch config\n"` |  |
 | elasticsearch.maxUnavailable | int | `0` |  |
 | elasticsearch.replicas | int | `1` |  |
 | elasticsearch.singleNode | bool | `true` |  |
@@ -78,10 +80,15 @@ Helm chart to deploy Gen3 Data Commons
 | frontend-framework.image | map | `{"repository":"quay.io/cdis/frontend-framework","tag":"develop"}` | Docker image information. |
 | frontend-framework.image.repository | string | `"quay.io/cdis/frontend-framework"` | The Docker image repository for the frontend-framework. |
 | frontend-framework.image.tag | string | `"develop"` | Overrides the image tag whose default is the chart appVersion. |
-| global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"useLocalSecret":{"enabled":false,"localSecretName":null}}` | AWS configuration |
+| global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"region":"us-east-1","secretStoreServiceAccount":{"enabled":false,"name":"secret-store-sa","roleArn":null},"useLocalSecret":{"enabled":false,"localSecretName":null}}` | AWS configuration |
 | global.aws.awsAccessKeyId | string | `nil` | Credentials for AWS stuff. |
 | global.aws.awsSecretAccessKey | string | `nil` | Credentials for AWS stuff. |
 | global.aws.enabled | bool | `false` | Set to true if deploying to AWS. Controls ingress annotations. |
+| global.aws.region | string | `"us-east-1"` | AWS region for this deployment |
+| global.aws.secretStoreServiceAccount | map | `{"enabled":false,"name":"secret-store-sa","roleArn":null}` | Service account and AWS role for authentication to AWS Secrets Manager |
+| global.aws.secretStoreServiceAccount.enabled | bool | `false` | Set true if deploying to AWS and want to use service account and IAM role instead of aws keys. Must provide role-arn. |
+| global.aws.secretStoreServiceAccount.name | string | `"secret-store-sa"` | Name of the service account to create |
+| global.aws.secretStoreServiceAccount.roleArn | string | `nil` | AWS Role ARN for Secret Store to use |
 | global.aws.useLocalSecret | map | `{"enabled":false,"localSecretName":null}` | Local secret setting if using a pre-exising secret. |
 | global.aws.useLocalSecret.enabled | bool | `false` | Set to true if you would like to use a secret that is already running on your cluster. |
 | global.aws.useLocalSecret.localSecretName | string | `nil` | Name of the local secret. |
@@ -149,6 +156,14 @@ Helm chart to deploy Gen3 Data Commons
 | indexd.enabled | bool | `true` | Whether to deploy the indexd subchart. |
 | manifestservice.enabled | bool | `true` | Whether to deploy the manifest service subchart. |
 | metadata.enabled | bool | `true` | Whether to deploy the metadata subchart. |
+| neuvector.DB_HOST | string | `"development-gen3-postgresql"` |  |
+| neuvector.ES_HOST | string | `"gen3-elasticsearch-master"` |  |
+| neuvector.enabled | bool | `false` |  |
+| neuvector.ingress.class | string | `"nginx"` |  |
+| neuvector.ingress.controller | string | `"nginx-ingress-controller"` |  |
+| neuvector.ingress.namespace | string | `"nginx"` |  |
+| neuvector.policies.include | bool | `false` |  |
+| neuvector.policies.policyMode | string | `"Monitor"` |  |
 | peregrine.enabled | bool | `true` | Whether to deploy the peregrine subchart. |
 | pidgin.enabled | bool | `true` | Whether to deploy the pidgin subchart. |
 | portal.enabled | bool | `true` | Whether to deploy the portal subchart. |

helm/gen3/templates/cluster-secret-store.yaml

@@ -9,7 +9,7 @@ spec:
   provider:
     aws:
       service: SecretsManager
-      region: us-east-1
+      region: {{ .Values.global.aws.region }}
       auth:
         secretRef:
           accessKeyIDSecretRef:

helm/gen3/templates/secret-store-service-account.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.global.aws.secretStoreServiceAccount.roleArn }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: external-secrets-role
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: external-secrets-rolebinding
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+roleRef:
+  kind: Role
+  name: external-secrets-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

helm/gen3/values.yaml

@@ -6,12 +6,22 @@
 global:
   # -- (map) AWS configuration
   aws:
+    # -- (string) AWS region for this deployment
+    region: us-east-1
     # -- (bool) Set to true if deploying to AWS. Controls ingress annotations.
     enabled: false
     # -- (string) Credentials for AWS stuff.
     awsAccessKeyId:
     # -- (string) Credentials for AWS stuff.
     awsSecretAccessKey:
+    # -- (map) Service account and AWS role for authentication to AWS Secrets Manager
+    secretStoreServiceAccount:
+      # -- (bool) Set true if deploying to AWS and want to use service account and IAM role instead of aws keys. Must provide role-arn.
+      enabled: false
+      # -- (string) Name of the service account to create
+      name: secret-store-sa
+      # -- (string) AWS Role ARN for Secret Store to use
+      roleArn:
     # -- (map) Local secret setting if using a pre-exising secret.
     useLocalSecret:
       # -- (bool) Set to true if you would like to use a secret that is already running on your cluster.
@@ -282,3 +292,32 @@ elasticsearch:
   singleNode: true
   replicas: 1
   clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s"
+  esConfig:
+    elasticsearch.yml: |
+      # Here we can add elasticsearch config
+
+# (optional) NeuVector Kubernetes Security Policy templates to protect Gen3
+#   NeuVector must be installed separately.
+#   Reference: https://open-docs.neuvector.com/basics/overview
+#   Reference: https://github.com/neuvector/neuvector-helm
+# For more information, please use the Gen3 community Slack.
+neuvector:
+  # install Neuvector
+  enabled: false
+  policies:
+    # deploy predefined Neuvector policies for Gen3
+    include: false
+    # Discover, Monitor, or Protect
+    policyMode: Monitor
+  # Configure your ingress controller information for enabling ingress to containers
+  ingress:
+    # service name of your ingress controller
+    controller: nginx-ingress-controller
+    # installation namespace of your ingress controller
+    namespace: nginx
+    # classname of your ingress
+    class: nginx
+  # Required to allow egress to in-cluster database or external, managed database
+  DB_HOST: development-gen3-postgresql
+  # hostname/service name for our ElasitcSearch instance, used to allow egress from containers
+  ES_HOST: gen3-elasticsearch-master

helm/neuvector/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/neuvector/Chart.yaml

@@ -0,0 +1,34 @@
+apiVersion: v2
+name: neuvector
+description: NeuVector Kubernetes Security Policy templates to protect Gen3
+
+# NeuVector must be installed separately.
+#   Reference: https://open-docs.neuvector.com/basics/overview
+#   Reference: https://github.com/neuvector/neuvector-helm
+# For more information, please use the Gen3 community Slack.
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+# Todo: Evaluate inclusion of NeuVector installation
+# dependencies:
+# - name: neuvector
+#   version: "5.2.2-s1"
+#   repository: "https://neuvector.github.io/neuvector-helm/core"

helm/neuvector/README.md

@@ -0,0 +1,21 @@
+# neuvector
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+NeuVector Kubernetes Security Policy templates to protect Gen3
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| ARGOCD_PREFIX | string | `"development-gen3"` |  |
+| DB_HOST | string | `"development-gen3-postgresql"` |  |
+| ES_HOST | string | `"gen3-elasticsearch-master"` |  |
+| fullnameOverride | string | `""` |  |
+| ingress.class | string | `"nginx"` |  |
+| ingress.controller | string | `"nginx-ingress-controller"` |  |
+| ingress.namespace | string | `"nginx"` |  |
+| nameOverride | string | `""` |  |
+| policies.include | bool | `true` |  |
+| policies.policyMode | string | `"Monitor"` |  |
+