Merge pull request #24 from holaplex/mpw/hub-permisions-chart

add hub-permissions helm chart

Author: mpwsh

.github/workflows/linters/ct.yaml

@@ -6,6 +6,7 @@ chart-dirs:
 chart-repos:
   - holaplex=https://holaplex.github.io/helm-charts
   - apisix=https://charts.apiseven.com
+  - ory=https://k8s.ory.sh/helm/charts
 helm-extra-args: --timeout 600s
 validate-maintainers: false
 excluded-charts:

.github/workflows/release.yaml

@@ -34,6 +34,7 @@ jobs:
         run: |
           helm repo add holaplex https://holaplex.github.io/helm-charts
           helm repo add apisix https://charts.apiseven.com
+          helm repo add ory https://k8s.ory.sh/helm/charts
 
       - name: Run chart-releaser
         uses: helm/[email protected]

charts/hub-permissions/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/hub-permissions/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: keto
+  repository: https://k8s.ory.sh/helm/charts
+  version: 0.28.0
+digest: sha256:0e41623a2a26aa262e48f0323ef1eda5fbfa181d6047d70ac6b61c2f3b4c9402
+generated: "2023-02-27T17:08:48.89705-03:00"

charts/hub-permissions/Chart.yaml

@@ -0,0 +1,35 @@
+apiVersion: v2
+name: hub-permissions
+description: Helm chart for hub-permissions
+maintainers:
+  - name: Holaplex Engineering
+    email: [email protected]
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+
+version: "0.0.1"
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1"
+sources:
+  - https://github.com/holaplex/helm-charts
+
+dependencies:
+  - name: keto
+    version: 0.28.0
+    repository: https://k8s.ory.sh/helm/charts

charts/hub-permissions/policies/namespaces.keto.ts

@@ -0,0 +1,48 @@
+import { Namespace, Context } from "@ory/keto-namespace-types"
+class User implements Namespace {}
+
+class Project implements Namespace {
+  related: {
+    owners: User[]
+    editors: User[]
+    viewers: User[]
+    parents: Organization[]
+  }
+
+  permits = {
+    view: (ctx: Context): boolean =>
+      this.related.viewers.includes(ctx.subject) ||
+      this.related.parents.traverse((parent) => parent.permits.view(ctx)) ||
+      this.permits.edit(ctx),
+    edit: (ctx: Context): boolean =>
+      this.related.editors.includes(ctx.subject) ||
+      this.related.parents.traverse((parent) => parent.permits.edit(ctx)) ||
+      this.permits.delete(ctx),
+    delete: (ctx: Context): boolean =>
+      this.related.owners.includes(ctx.subject) ||
+      this.related.parents.traverse((parent) => parent.permits.delete(ctx)),
+  }
+}
+
+class Organization implements Namespace {
+  related: {
+    owners: User[]
+    editors: User[]
+    viewers: User[]
+    parents: Organization[]
+  }
+
+  permits = {
+    view: (ctx: Context): boolean =>
+      this.related.viewers.includes(ctx.subject) ||
+      this.permits.edit(ctx),
+    edit: (ctx: Context): boolean =>
+      this.related.editors.includes(ctx.subject) ||
+      this.permits.delete(ctx),
+    invite: (ctx: Context): boolean =>
+      this.permits.view(ctx),
+    delete: (ctx: Context): boolean =>
+      this.related.owners.includes(ctx.subject) || 
+      this.related.parents.traverse((parent) => parent.permits.delete(ctx)),
+  }
+}

charts/hub-permissions/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hub-permissions.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hub-permissions.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hub-permissions.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hub-permissions.labels" -}}
+helm.sh/chart: {{ include "hub-permissions.chart" . }}
+{{ include "hub-permissions.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hub-permissions.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hub-permissions.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hub-permissions.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "hub-permissions.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/hub-permissions/templates/configmap.yaml

@@ -0,0 +1,14 @@
+{{- $files := .Files }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keto-namespaces
+  labels:
+    {{- include "hub-permissions.labels" $ | nindent 4 }}
+data:
+    {{- with .Values.customNamespaces.files}}
+      {{- range . }}
+        {{ (splitList "/" .) | last | nindent 2}}: |-
+        {{ $.Files.Get . | nindent 8 }}
+      {{- end }}
+    {{- end }} 

charts/hub-permissions/values.yaml

@@ -0,0 +1,53 @@
+customNamespaces:
+  files:
+    - policies/namespaces.keto.ts
+
+keto:
+  replicaCount: 1
+  image:
+    repository: oryd/keto
+    pullPolicy: Always
+    tag: v0.11.0-alpha.0
+
+  service:
+    metrics:
+      enabled: true
+
+  secret:
+    enabled: true
+
+  deployment:
+    extraVolumes:
+      - configMap:
+          defaultMode: 420
+          name: keto-namespaces
+        name: keto-namespaces-volume
+    extraVolumeMounts:
+      - mountPath: /app/namespaces
+        name: keto-namespaces-volume
+        readOnly: true
+
+  keto:
+    automigration:
+      enabled: true
+      type: initContainer
+    config:
+      dsn: memory
+      log:
+        level: info
+        format: json
+        leak_sensitive_values: false
+      serve:
+        read:
+          port: 4466
+        write:
+          port: 4467
+        metrics:
+          port: 4468
+      namespaces:
+        location: file:///app/namespaces/
+
+  pdb:
+    enabled: false
+    spec:
+      minAvailable: 1