diff --git a/.github/workflows/build-images-manifests.yml b/.github/workflows/build-images-manifests.yml new file mode 100644 index 0000000..4c23268 --- /dev/null +++ b/.github/workflows/build-images-manifests.yml 
@@ -0,0 +1,95 @@ +name: Presidio Docker Build + +on: + push: + branches: [ main ] + workflow_dispatch: + +env: + REGISTRY_NAME: ghcr.io # SDSC ADD-ON + USERNAME: ${{ github.repository_owner }} + TAG: gha${{ github.run_number }} + +jobs: + build-platform-images: + name: Build ${{ matrix.image }} (${{ matrix.platform }}) + runs-on: ${{ matrix.runner }} + strategy: + matrix: + include: + - image: presidio-anonymizer + platform: linux/amd64 + runner: ubuntu-latest + - image: presidio-analyzer + platform: linux/amd64 + runner: ubuntu-latest + # Note: do we want this part of presidio ? Maybe future feature ? + # - image: presidio-image-redactor + # platform: linux/amd64 + # runner: ubuntu-latest + steps: + # SDSC ADD-ON + - name: Get latest Presidio release tag + id: presidio_release + run: | + tag=$(curl -s https://api.github.com/repos/microsoft/presidio/releases/latest | jq -r .tag_name) + echo "tag=$tag" >> $GITHUB_OUTPUT + + # SDSC ADD-ON + - name: Checkout Presidio (latest release) + uses: actions/checkout@v5 + with: + repository: microsoft/presidio + ref: ${{ steps.presidio_release.outputs.tag }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + # SDSC ADD-ON + # https://github.com/docker/login-action + - name: Log in to the Container registry + uses: docker/login-action@v3.0.0 + with: + registry: ${{ env.REGISTRY_NAME }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and Push ${{ matrix.image }} for ${{ matrix.platform }} + run: | + # Create platform-specific tag + PLATFORM_TAG=$(echo "${{ matrix.platform }}" | sed 's/\//-/g') + docker buildx build \ + --platform ${{ matrix.platform }} \ + --push \ + --tag ${{ env.REGISTRY_NAME }}/${{ env.USERNAME }}/${{ matrix.image }}:${{ env.TAG }}-${PLATFORM_TAG} \ + --cache-from type=registry,ref=${{ env.REGISTRY_NAME }}/${{ env.USERNAME }}/${{ matrix.image }}:latest \ + --cache-to type=inline \ + ./${{ matrix.image }} + + create-manifests: + name: Create 
Multi-Platform Manifests + runs-on: ubuntu-latest + needs: build-platform-images + steps: + # SDSC ADD-ON + # https://github.com/docker/login-action + - name: Log in to the Container registry + uses: docker/login-action@v3.0.0 + with: + registry: ${{ env.REGISTRY_NAME }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Create all multi-platform manifests + run: | + IMAGES=("presidio-anonymizer" "presidio-analyzer" "presidio-image-redactor") + + for image in "${IMAGES[@]}"; do + echo "Creating manifest for $image" + docker buildx imagetools create \ + --tag ${{ env.REGISTRY_NAME }}/${{ env.USERNAME }}/${image}:${{ env.TAG }} \ + ${{ env.REGISTRY_NAME }}/${{ env.USERNAME }}/${image}:${{ env.TAG }}-linux-amd64 + done diff --git a/.gitignore b/.gitignore index 5add120..8f28196 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,10 @@ .direnv/ + +# third party manifests +external/helm/* +external/ytt/* +external/.vendir* + # Byte-compiled / optimized / DLL files __pycache__/ *.py[codz] diff --git a/docs/presidio-poc.md b/docs/presidio-poc.md index 51c8e86..8713cba 100644 --- a/docs/presidio-poc.md +++ b/docs/presidio-poc.md @@ -8,14 +8,17 @@ - can be deployed as an API server using a compose stack ## API usage + 2-steps: + - analyze: NER from raw text using models - anonymize: config (rule) based processing of pre-detected PII ### analyze + - Minimal requirements: text + language. By default, all recognizers for that language are enabled. ```sh - $ curl http://localhost:5002/analyze -s --header "Content-Type: application/json" --request POST --data '{"text": "John Smith drivers license is AC432223","language": "en"}' | jq + $ curl http://localhost:5002/analyze -s --header "Content-Type: application/json" --request POST --data '{"text": "John Smith drivers license is AC432223","language": "en"}' | jq [ { "analysis_explanation": null, 
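Review bot: The `Get latest Presidio release tag` step passes whatever `jq -r .tag_name` prints straight into `actions/checkout`'s `ref`, so a failed or rate-limited API call yields the literal string `null` and the job only dies later in checkout with an unrelated error; add `[ -n "$tag" ] && [ "$tag" != "null" ] || { echo 'could not resolve release tag' >&2; exit 1; }` after the curl line (and `set -euo pipefail` at the top of the script). The resolved release tag never reaches the published image, which is tagged only `gha${{ github.run_number }}`, so an image cannot be traced back to the Presidio version it was built from — expose it as a job output and include it in the tag or as `--label org.opencontainers.image.version=...`. The `create-manifests` loop still lists `presidio-image-redactor`, which the matrix comments out, so `docker buildx imagetools create` will fail on a source tag that was never pushed; for the same reason `--cache-from ...:latest` never hits, since nothing in this workflow pushes `:latest`. Neither job declares `permissions:` although both log in to ghcr.io with `secrets.GITHUB_TOKEN` to push; a top-level `permissions: { contents: read, packages: write }` keeps the token scoped and keeps the workflow working if the repository's default token permissions are tightened.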
@@ -33,11 +36,12 @@ } ] ``` -- analysis can be controlled by setting detection score, selecting entities, adding context words and adding a correlation id(?) +- analysis can be controlled by setting detection score, selecting entities, adding context words and adding a correlation id(?) - ad-hoc pattern (regex) recognizers can be provided as json objects - a correlation-id (hash) can be given to append to logs for easier grouping of analyses in logs / traces. ### anonymize + - By default, the anonymization replaces all detected identifies by their type (e.g. ) in the input text. - An anonymizer dictionary can be provided to associate specific anonymization procedure to specific entity types. - Two inputs must be given to the endpoint: @@ -45,7 +49,9 @@ - the response from the analyze step (detected entities and their positions) ### artificial sample + Input: + ``` Prof. Gérard Waeber, Chef de service Tél: +41 21 314 68 85 / Fax: +41 21 314 08 95 @@ -77,8 +83,10 @@ jfldéijf Dr Médecin 00 Formateur Chef de clinique ``` + - ## initial tests -Works with example artifical lettre de sortie. + Works with example artifical lettre de sortie. + ```python import json import requests @@ -129,7 +137,9 @@ print( ## limitations ### potential improvements + Model configuration + ```yaml # config.yaml nlp_engine_name: spacy 
@@ -157,30 +167,28 @@ ner_model_configuration: ``` Recognizer configuration + ```yaml # recognizers.yaml recognizers: - - - name: "Swiss Zip code Recognizer" + - name: "Swiss Zip code Recognizer" supported_languages: - language: fr context: [adresse, postal] - language: de - context: [ort,] + context: [ort] - language: it context: [...] patterns: - - - name: "zip code (weak)" - regex: "(\\b\\d{5}(?:\\-\\d{4})?\\b)" - score: 0.01 + - name: "zip code (weak)" + regex: "(\\b\\d{5}(?:\\-\\d{4})?\\b)" + score: 0.01 context: - - zip - - code + - zip + - code supported_entity: "ZIP" - - - name: "Titles recognizer" + - name: "Titles recognizer" supported_language: "en" supported_entity: "TITLE" deny_list: @@ -190,5 +198,4 @@ recognizers: - Miss - Dr. - Prof. - ``` diff --git a/docs/services.md b/docs/services.md new file mode 100644 index 0000000..1c349cc --- /dev/null +++ b/docs/services.md 
@@ -0,0 +1,88 @@ +# Services management + +The deployment defines multiple service (or application), each being a +collection of kubernetes manifests located in `src//`. + +## Structure + +- `external/`: third party resources +- `src/`: deployable manifests +- secrets are encrypted with sops+age and persisted in `src/secrets/` + +Each service is structured as follows (supported tools are `ytt` and `helm`): + +```text +├── external +│ └── +│ └── /... # <- third party templates +└── src + └── + ├── additional-manifest.yaml # <- custom manifests for this deployment + ├── kustomization.yaml # <- kustomization file to select resources + └── + ├── out/... # <- rendered manifests + └── values.yaml # <- values used for templating +``` + +## Templating + +[ytt](https://carvel.dev/ytt) is the preferred rendering engine, but helm is +also supported as many upstream templates are distributed with +[helm](https://helm.sh). + +When running `just render`, we attempt to render each service with helm and then +with ytt and save the rendered manifests in the repository. + +## Deployment + +When deploying with `just deploy`, deployment is done with kustomize +(`kubectl -k`). This means that the `src` and each of its subdirectories contain +a `kustomization.yaml` file which determine what manifests are included in the +deployment. + +For example, running `just deploy src/` will recursively parse +`src/kustomization.yaml` and the `kustomization.yaml` from each resources +declared in that file. This allows to simply exclude services or manifests by +commenting them out of `kustomization.yaml`. + +## Updating a service + +Here is the typical workflow to re-deploy a service that has been updated +upstream. + +1. Update the external manifest templates. This will update the `vendir` lock + file and fetch the latest templates into `external//`. + +```bash +just external::refresh +``` + +2. Render the manifests with the new templates. 
+ +```bash +just render +``` + +> [!NOTE] +> This may fail if the new templates broke compatibility with existing values, +> in which case you will need to update your values in +> `src///values.yaml`. Also watch out in case the upstream added +> new template files, as you may need to include them in the service +> `kustomization.yaml`. + +3. Deploy the updated manifests. + +```bash +just deploy src/ +``` + +> [!IMPORTANT] +> In some cases, you may want to manually delete resources related to the +> service. You can achieve that with `just delete src/` or use +> `kubectl delete` to delete specific resoruces. + +## Adding custom manifests + +Custom manifests (e.g. additional volumes) can be added inside `src//`, +but they need to be added as a resource in `kustomization.yaml` file in the same +directory. diff --git a/external/vendir.lock.yml b/external/vendir.lock.yml new file mode 100644 index 0000000..6db55bf --- /dev/null +++ b/external/vendir.lock.yml @@ -0,0 +1,11 @@ +apiVersion: vendir.k14s.io/v1alpha1 +directories: +- contents: + - git: + commitTitle: Add label to external PRs (#1707)... + sha: af1c524460ad62e17313520a3cbb618b062b75cb + tags: + - 2.2.360 + path: . + path: ytt/presidio +kind: LockConfig diff --git a/external/vendir.yaml b/external/vendir.yaml new file mode 100644 index 0000000..89c6020 --- /dev/null +++ b/external/vendir.yaml @@ -0,0 +1,20 @@ +apiVersion: vendir.k14s.io/v1alpha1 +kind: Config +directories: + - path: ytt/presidio + contents: + - path: . + git: + url: https://github.com/microsoft/presidio + ref: refs/tags/2.2.360 + newRootPath: docs/samples/deployments/k8s/charts/presidio + # - path: helm/presidio + # contents: + # - path: . + # helmChart: + # name: presidio + # version: 2.2.360 + # git: + # url: https://github.com/microsoft/presidio + # ref: refs/tags/2.2.360 + # subPath: docs/samples/deployments/k8s/charts/presidio diff --git a/justfile b/justfile index 6618ef1..5940e2c 100644 --- a/justfile +++ b/justfile 
@@ -33,11 +33,18 @@ render-ytt dir="src": fd '^ytt$' {{dir}} \ -x sh -c 'ytt -f {}/values.yaml -f external/ytt/$(basename {//}) --output-files {}/out' +# Render when the code was pulled in via ytt but is a helm template +[private] +render-ytt-extract-helm-template dir="src": + # render mixed ytt + helm templates with our values into src//mix/out + fd '^helm$' {{dir}} \ + -x sh -c 'helm template $(basename {//}) external/ytt/$(basename {//}) -f {}/values.yaml --output-dir {}/out' + # Render manifests render dir="src": just fetch && \ - just render-helm {{dir}} && \ just render-ytt {{dir}} && \ + just render-ytt-extract-helm-template {{dir}} && \ just format # Apply manifests in dir to the cluster. diff --git a/src/kustomization.yaml b/src/kustomization.yaml new file mode 100644 index 0000000..158097d --- /dev/null +++ b/src/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./presidio diff --git a/src/presidio/conf/presidio-analyzer/default-analyzer.yaml b/src/presidio/conf/presidio-analyzer/default-analyzer.yaml new file mode 100644 index 0000000..8cdc5e5 --- /dev/null +++ b/src/presidio/conf/presidio-analyzer/default-analyzer.yaml @@ -0,0 +1,3 @@ +supported_languages: + - en +default_score_threshold: 0 \ No newline at end of file diff --git a/src/presidio/conf/presidio-analyzer/default-recognizers.yaml b/src/presidio/conf/presidio-analyzer/default-recognizers.yaml new file mode 100644 index 0000000..0b3f02f --- /dev/null +++ b/src/presidio/conf/presidio-analyzer/default-recognizers.yaml 
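Review bot: The comment on the new `render-ytt-extract-helm-template` recipe says the output goes to `src//mix/out` (the service placeholder appears empty), but the command writes to `{}/out` next to the `helm` directory matched by `fd '^helm$'`; `# render helm templates vendored via ytt/vendir with our values into <service>/helm/out` would describe what the code does. The `render` recipe drops `just render-helm {{dir}}` while `render-helm` presumably remains defined earlier in the file (outside this hunk); either delete the recipe or note why it is no longer part of `render`, otherwise readers will not know which path produces `helm/out`. `fd -x sh -c '…{}…'` splices the matched path textually into a shell string without quoting; that is acceptable for the repository's own `src/` tree, but a one-line comment saying the recipe assumes metacharacter-free service directory names would make the constraint explicit.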
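Review bot: `default_score_threshold: 0` in `default-analyzer.yaml` returns every recognizer hit regardless of confidence, which maximises recall but also the false-positive surface fed to the anonymizer; if that is the intended PoC setting, state it inline, e.g. `default_score_threshold: 0  # 0 = keep all detections; raise before production use`. The file restricts `supported_languages` to `en`, while the PoC document in this same commit exercises a French discharge letter — confirm that French is meant to be excluded from the deployed analyzer. The file also lacks a trailing newline.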
@@ -0,0 +1,201 @@ +supported_languages: + - en +global_regex_flags: 26 + +recognizers: + # Recognizers listed here can either be loaded from the recognizers defined in code (type: predefined), + # or created based on the provided configuration (type: custom). + # For predefined: + # - If only a recognizer name is provided, a predefined recognizer with this name and default parameters will be loaded. + # - If a parameter isn't provided, the default one would be loaded. + # For custom: + # - See an example configuration here: https://github.com/microsoft/presidio/blob/main/presidio-analyzer/presidio_analyzer/conf/example_recognizers.yaml + # - Custom pattern recognizers with this configuration can be added to this file, with type: custom + # For recognizers supporting more than one language, an instance of the recognizer for each language will be created. + # For example, see the CreditCardRecognizer definition below: + - name: CreditCardRecognizer + supported_languages: + - language: en + context: [credit, card, visa, mastercard, cc, amex, discover, jcb, diners, maestro, instapayment] + - language: es + context: [tarjeta, credito, visa, mastercard, cc, amex, discover, jcb, diners, maestro, instapayment] + - language: it + - language: pl + type: predefined + + - name: UsBankRecognizer + supported_languages: + - en + type: predefined + + - name: UsLicenseRecognizer + supported_languages: + - en + type: predefined + + - name: UsItinRecognizer + supported_languages: + - en + type: predefined + + - name: UsPassportRecognizer + supported_languages: + - en + type: predefined + + - name: UsSsnRecognizer + supported_languages: + - en + type: predefined + + - name: NhsRecognizer + supported_languages: + - en + type: predefined + + - name: UkNinoRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: SgFinRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: AuAbnRecognizer + supported_languages: + - en + 
type: predefined + enabled: false + + - name: AuAcnRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: AuTfnRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: AuMedicareRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: InPanRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: InAadhaarRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: InVehicleRegistrationRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: InPassportRecognizer + supported_languages: + - en + type: predefined + enabled: false + + - name: EsNifRecognizer + supported_languages: + - es + type: predefined + + - name: EsNieRecognizer + supported_languages: + - es + type: predefined + + - name: ItDriverLicenseRecognizer + supported_languages: + - it + type: predefined + + - name: ItFiscalCodeRecognizer + supported_languages: + - it + type: predefined + + - name: ItVatCodeRecognizer + supported_languages: + - it + type: predefined + + - name: ItIdentityCardRecognizer + supported_languages: + - it + type: predefined + + - name: ItPassportRecognizer + supported_languages: + - it + type: predefined + + - name: PlPeselRecognizer + supported_languages: + - pl + type: predefined + + - name: KrRrnRecognizer + supported_languages: + - ko + - kr + type: predefined + enabled: false + + - name: ThTninRecognizer + supported_languages: + - th + type: predefined + enabled: false + + - name: CryptoRecognizer + type: predefined + + - name: DateRecognizer + type: predefined + + - name: EmailRecognizer + type: predefined + + - name: IbanRecognizer + type: predefined + + - name: IpRecognizer + type: predefined + + - name: MedicalLicenseRecognizer + type: predefined + + - name: PhoneRecognizer + type: predefined + + - name: UrlRecognizer + type: predefined + + - name: InVoterRecognizer + type: predefined 
+ enabled: false + + - name: InGstinRecognizer + supported_languages: + - en + type: predefined + enabled: false \ No newline at end of file diff --git a/src/presidio/configmap-analyzer.yaml b/src/presidio/configmap-analyzer.yaml new file mode 100644 index 0000000..dd6478b --- /dev/null +++ b/src/presidio/configmap-analyzer.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: presidio-analyzer-config +data: + default-analyzer.yaml: + |- + {{ .Files.Get "conf/presidio-analyzer/default-analyzer.yaml" | indent 2 }} diff --git a/src/presidio/helm/out/presidio/templates/analyzer-deployment.yaml b/src/presidio/helm/out/presidio/templates/analyzer-deployment.yaml new file mode 100644 index 0000000..a5d3185 --- /dev/null +++ b/src/presidio/helm/out/presidio/templates/analyzer-deployment.yaml @@ -0,0 +1,37 @@ +--- +# Source: presidio/templates/analyzer-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: presidio-presidio-analyzer + labels: + app: presidio-presidio-analyzer + chart: "presidio-2" + release: "presidio" + heritage: "Helm" +spec: + replicas: 1 + selector: + matchLabels: + app: presidio-presidio-analyzer + template: + metadata: + labels: + app: presidio-presidio-analyzer + spec: + containers: + - name: presidio + image: "ghcr.io/presidio-analyzer:latest" + imagePullPolicy: Always + ports: + - containerPort: 8080 + resources: + requests: + memory: 1500Mi + cpu: 1500m + limits: + memory: 3000Mi + cpu: 2000m + env: + - name: PORT + value: "8080" diff --git a/src/presidio/helm/out/presidio/templates/analyzer-service.yaml b/src/presidio/helm/out/presidio/templates/analyzer-service.yaml new file mode 100644 index 0000000..ca2003d --- /dev/null +++ b/src/presidio/helm/out/presidio/templates/analyzer-service.yaml 
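Review bot: `global_regex_flags: 26` is a bare magic number; it is the integer value of Python's `re.IGNORECASE | re.MULTILINE | re.DOTALL` (2 + 8 + 16) and should say so inline, e.g. `global_regex_flags: 26  # re.IGNORECASE | re.MULTILINE | re.DOTALL`. The top-level `supported_languages` lists only `en`, yet `CreditCardRecognizer` declares es/it/pl and the `Es*`, `It*` and `Pl*` recognizers declare non-English languages, so those instances are presumably never created — either trim them or widen the list to match `default-analyzer.yaml`, and document which is intended. `KrRrnRecognizer` lists `kr`, which is not a language code (Korean is `ko`); if this block is copied from upstream, a comment saying so would stop the next reader from "fixing" it. The file lacks a trailing newline.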
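Review bot: `configmap-analyzer.yaml` is consumed by kustomize (it is listed under `resources:` in `src/presidio/kustomization.yaml` in this commit), but its `data` value is a Helm expression, `{{ .Files.Get "conf/presidio-analyzer/default-analyzer.yaml" | indent 2 }}`, which kustomize does not render — the ConfigMap will ship the literal template text and the analyzer will fail to parse it. Replace the file with a `configMapGenerator` entry in `kustomization.yaml` (`name: presidio-analyzer-config`, `files: [conf/presidio-analyzer/default-analyzer.yaml]`, with `options: { disableNameSuffixHash: true }` so the patch's `configMap.name` keeps matching), or inline the YAML content under a `|-` block scalar.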
@@ -0,0 +1,21 @@ +--- +# Source: presidio/templates/analyzer-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: presidio-presidio-analyzer + labels: + app: presidio-presidio-analyzer + service: presidio-presidio-analyzer + chart: "presidio-2" + release: "presidio" + heritage: "Helm" +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: presidio-presidio-analyzer diff --git a/src/presidio/helm/out/presidio/templates/anonymizer-deployment.yaml b/src/presidio/helm/out/presidio/templates/anonymizer-deployment.yaml new file mode 100644 index 0000000..597e5fd --- /dev/null +++ b/src/presidio/helm/out/presidio/templates/anonymizer-deployment.yaml @@ -0,0 +1,37 @@ +--- +# Source: presidio/templates/anonymizer-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: presidio-presidio-anonymizer + labels: + app: presidio-presidio-anonymizer + chart: "presidio-2" + release: "presidio" + heritage: "Helm" +spec: + replicas: 1 + selector: + matchLabels: + app: presidio-presidio-anonymizer + template: + metadata: + labels: + app: presidio-presidio-anonymizer + spec: + containers: + - name: presidio + image: "ghcr.io/presidio-anonymizer:latest" + imagePullPolicy: Always + ports: + - containerPort: 8080 + resources: + requests: + memory: 128Mi + cpu: 125m + limits: + memory: 512Mi + cpu: 500m + env: + - name: PORT + value: "8080" diff --git a/src/presidio/helm/out/presidio/templates/anonymizer-image-deployment.yaml b/src/presidio/helm/out/presidio/templates/anonymizer-image-deployment.yaml new file mode 100644 index 0000000..753e099 --- /dev/null +++ b/src/presidio/helm/out/presidio/templates/anonymizer-image-deployment.yaml 
@@ -0,0 +1,37 @@ +--- +# Source: presidio/templates/anonymizer-image-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: presidio-presidio-image-redactor + labels: + app: presidio-presidio-image-redactor + chart: "presidio-2" + release: "presidio" + heritage: "Helm" +spec: + replicas: 1 + selector: + matchLabels: + app: presidio-presidio-image-redactor + template: + metadata: + labels: + app: presidio-presidio-image-redactor + spec: + containers: + - name: presidio + image: "ghcr.io/presidio-image-redactor:latest" + imagePullPolicy: Always + ports: + - containerPort: 8080 + resources: + requests: + memory: 1500Mi + cpu: 1500m + limits: + memory: 3000Mi + cpu: 2000m + env: + - name: PORT + value: "8080" diff --git a/src/presidio/helm/out/presidio/templates/anonymizer-image-service.yaml b/src/presidio/helm/out/presidio/templates/anonymizer-image-service.yaml new file mode 100644 index 0000000..d7ac2d4 --- /dev/null +++ b/src/presidio/helm/out/presidio/templates/anonymizer-image-service.yaml @@ -0,0 +1,21 @@ +--- +# Source: presidio/templates/anonymizer-image-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: presidio-presidio-image-redactor + labels: + app: presidio-presidio-image-redactor + service: presidio-presidio-image-redactor + chart: "presidio-2" + release: "presidio" + heritage: "Helm" +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: presidio-presidio-image-redactor diff --git a/src/presidio/helm/out/presidio/templates/anonymizer-service.yaml b/src/presidio/helm/out/presidio/templates/anonymizer-service.yaml new file mode 100644 index 0000000..d370b3d --- /dev/null +++ b/src/presidio/helm/out/presidio/templates/anonymizer-service.yaml 
@@ -0,0 +1,21 @@ +--- +# Source: presidio/templates/anonymizer-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: presidio-presidio-anonymizer + labels: + app: presidio-presidio-anonymizer + service: presidio-presidio-anonymizer + chart: "presidio-2" + release: "presidio" + heritage: "Helm" +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: presidio-presidio-anonymizer diff --git a/tools/deploy/presidio/values.yaml b/src/presidio/helm/values.yaml similarity index 94% rename from tools/deploy/presidio/values.yaml rename to src/presidio/helm/values.yaml index 8640458..22f976d 100644 --- a/tools/deploy/presidio/values.yaml +++ b/src/presidio/helm/values.yaml @@ -1,7 +1,6 @@ -registry: mcr.microsoft.com +registry: ghcr.io # Image pull secret -# privateRegistry: acr-auth tag: latest # supported types are nginx (wip: traefik and istio) diff --git a/src/presidio/kustomization.yaml b/src/presidio/kustomization.yaml new file mode 100644 index 0000000..08098c8 --- /dev/null +++ b/src/presidio/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespaces.yaml + - ./helm/out/presidio/templates/analyzer-deployment.yaml + - ./helm/out/presidio/templates/anonymizer-deployment.yaml + - ./helm/out/presidio/templates/analyzer-service.yaml + - ./helm/out/presidio/templates/anonymizer-service.yaml + - ./helm/out/presidio/templates/analyzer-ingress.yaml + - ./configmap-analyzer.yaml + - ./patch-config-analyzer.yaml +namespace: presidio diff --git a/src/presidio/namespaces.yaml b/src/presidio/namespaces.yaml new file mode 100644 index 0000000..9698b81 --- /dev/null +++ b/src/presidio/namespaces.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: presidio + labels: + name: presidio diff --git a/src/presidio/patch-config-analyzer.yaml b/src/presidio/patch-config-analyzer.yaml new file mode 100644 index 0000000..e35c7b0 
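Review bot: `registry: ghcr.io` with `tag: latest` renders `image: "ghcr.io/presidio-analyzer:latest"` in the committed `helm/out` manifests, while the workflow in this commit pushes to `ghcr.io/<repository_owner>/presidio-<image>:gha<run_number>` and never pushes `:latest`, so the deployed manifests reference an image path that does not exist. Set `registry: ghcr.io/<repository-owner>` (placeholder — use the real owner) and a `tag` that matches what the workflow publishes, preferably an immutable tag or digest rather than `latest` with `imagePullPolicy: Always`, so a cluster pull cannot silently pick up a different build. `src/presidio/kustomization.yaml` also lists `./helm/out/presidio/templates/analyzer-ingress.yaml`, which no file in this diff adds, and `./patch-config-analyzer.yaml` under `resources:` although it is a strategic-merge patch — it belongs under `patches:`, otherwise kustomize sees two `Deployment/presidio-presidio-analyzer` resources and aborts.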
--- /dev/null +++ b/src/presidio/patch-config-analyzer.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: presidio-presidio-analyzer +spec: + selector: + matchLabels: + app: presidio-presidio-analyzer + template: + spec: + volumes: + - name: presidio-analyzer-config + configMap: + name: presidio-analyzer-config + containers: + - name: presidio + volumeMounts: + - name: presidio-analyzer-config + #TO-DO ensure this is the right path in the container + mountPath: presidio_analyzer/conf/default_analyzer.yaml + subPath: default-analyzer.yaml diff --git a/tools/deploy/presidio/.helmignore b/tools/deploy/presidio/.helmignore deleted file mode 100644 index f0c1319..0000000 --- a/tools/deploy/presidio/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/tools/deploy/presidio/Chart.yaml b/tools/deploy/presidio/Chart.yaml deleted file mode 100644 index aa69be3..0000000 --- a/tools/deploy/presidio/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v2 -description: A context aware, born to the cloud, customizable data loss prevention service -name: presidio -version: 2.0 -appVersion: latest diff --git a/tools/deploy/presidio/templates/_helpers.tpl b/tools/deploy/presidio/templates/_helpers.tpl deleted file mode 100644 index 935b0ad..0000000 --- a/tools/deploy/presidio/templates/_helpers.tpl +++ /dev/null 
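Review bot: `mountPath: presidio_analyzer/conf/default_analyzer.yaml` is a relative path; mount destinations are expected to be absolute, so the pod is likely to fail at container creation before the TO-DO about the correct location even matters — use the absolute path of the analyzer's conf directory inside the image (constructed example: `/app/presidio_analyzer/conf/default_analyzer.yaml`; verify against the image) and turn the TO-DO into a comment naming the image layout it was checked against. Because this file is a strategic-merge patch, list it under `patches:` in `src/presidio/kustomization.yaml` instead of `resources:` (where this commit puts it), otherwise kustomize rejects the duplicate Deployment. This patch is also the natural place to set a `securityContext` on the `presidio` container (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, and `runAsNonRoot: true` once the image's user is confirmed), so the analyzer runs with reduced privileges regardless of what the upstream chart renders.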
@@ -1,40 +0,0 @@ -{{/* vim: set filetype=mustache */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "presidio.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "presidio.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- define "presidio.analyzer.fullname" -}} -{{ include "presidio.fullname" . | printf "%s-analyzer" }} -{{- end -}} -{{- define "presidio.anonymizer.fullname" -}} -{{ include "presidio.fullname" . | printf "%s-anonymizer" }} -{{- end -}} -{{- define "presidio.anonymizerimage.fullname" -}} -{{ include "presidio.fullname" . | printf "%s-image-redactor" }} -{{- end -}} - -{{- define "presidio.analyzer.address" -}} -{{template "presidio.analyzer.fullname" .}}:{{.Values.analyzer.service.externalPort}} -{{- end -}} - -{{- define "presidio.anonymizer.address" -}} -{{template "presidio.anonymizer.fullname" .}}:{{.Values.anonymizer.service.externalPort}} -{{- end -}} - -{{- define "presidio.anonymizerimage.address" -}} -{{template "presidio.anonymizerimage.fullname" .}}:{{.Values.anonymizerimage.service.externalPort}} -{{- end -}} - -{{- define "presidio.rbac.version" }}rbac.authorization.k8s.io/v1{{ end -}} \ No newline at end of file diff --git a/tools/deploy/presidio/templates/analyzer-deployment.yaml b/tools/deploy/presidio/templates/analyzer-deployment.yaml deleted file mode 100644 index 1e693d8..0000000 --- a/tools/deploy/presidio/templates/analyzer-deployment.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{ $fullname := include "presidio.analyzer.fullname" . }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $fullname }} - labels: - app: {{ $fullname }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -spec: - replicas: {{ .Values.analyzer.replicas }} - selector: - matchLabels: - app: {{ $fullname }} - template: - metadata: - labels: - app: {{ $fullname }} - spec: - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.registry }}/{{ .Values.analyzer.name }}:{{ default .Chart.AppVersion .Values.tag }}" - imagePullPolicy: {{ default "IfNotPresent" .Values.analyzer.imagePullPolicy }} - ports: - - containerPort: {{ .Values.analyzer.service.internalPort }} - resources: - requests: - memory: {{ .Values.analyzer.container.resources.requests.memory }} - cpu: {{ .Values.analyzer.container.resources.requests.cpu }} - limits: - memory: {{ .Values.analyzer.container.resources.limits.memory }} - cpu: {{ .Values.analyzer.container.resources.limits.cpu }} - env: - - name: PORT - value: {{ .Values.analyzer.service.internalPort | quote }} - {{ if .Values.privateRegistry }}imagePullSecrets: - - name: {{.Values.privateRegistry}}{{ end }} \ No newline at end of file diff --git a/tools/deploy/presidio/templates/analyzer-service.yaml b/tools/deploy/presidio/templates/analyzer-service.yaml deleted file mode 100644 index 5a2f693..0000000 --- a/tools/deploy/presidio/templates/analyzer-service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{ $fullname := include "presidio.analyzer.fullname" . }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $fullname }} - labels: - app: {{ $fullname }} - service: {{ $fullname }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -spec: - type: {{ .Values.analyzer.service.type }} - ports: - - port: {{ .Values.analyzer.service.externalPort }} - targetPort: {{ .Values.analyzer.service.internalPort }} - protocol: TCP - name: {{ .Values.analyzer.service.name }} - selector: - app: {{ $fullname }} \ No newline at end of file diff --git a/tools/deploy/presidio/templates/anonymizer-deployment.yaml b/tools/deploy/presidio/templates/anonymizer-deployment.yaml deleted file mode 100644 index f211ca0..0000000 --- a/tools/deploy/presidio/templates/anonymizer-deployment.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{ $fullname := include "presidio.anonymizer.fullname" . }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $fullname }} - labels: - app: {{ $fullname }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -spec: - replicas: {{ .Values.anonymizer.replicas }} - selector: - matchLabels: - app: {{ $fullname }} - template: - metadata: - labels: - app: {{ $fullname }} - spec: - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.registry }}/{{ .Values.anonymizer.name }}:{{ default .Chart.AppVersion .Values.tag }}" - imagePullPolicy: {{ default "IfNotPresent" .Values.anonymizer.imagePullPolicy }} - ports: - - containerPort: {{ .Values.anonymizer.service.internalPort }} - resources: - requests: - memory: {{ .Values.anonymizer.container.resources.requests.memory }} - cpu: {{ .Values.anonymizer.container.resources.requests.cpu }} - limits: - memory: {{ .Values.anonymizer.container.resources.limits.memory }} - cpu: {{ .Values.anonymizer.container.resources.limits.cpu }} - env: - - name: PORT - value: {{ .Values.anonymizer.service.internalPort | quote }} - {{ if .Values.privateRegistry }}imagePullSecrets: - - name: {{.Values.privateRegistry}}{{ end }} \ No newline at end of file diff --git a/tools/deploy/presidio/templates/anonymizer-service.yaml b/tools/deploy/presidio/templates/anonymizer-service.yaml deleted file mode 100644 index 1cd4668..0000000 --- a/tools/deploy/presidio/templates/anonymizer-service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{ $fullname := include "presidio.anonymizer.fullname" . }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $fullname }} - labels: - app: {{ $fullname }} - service: {{ $fullname }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -spec: - type: {{ .Values.anonymizer.service.type }} - ports: - - port: {{ .Values.anonymizer.service.externalPort }} - targetPort: {{ .Values.anonymizer.service.internalPort }} - protocol: TCP - name: {{ .Values.anonymizer.service.name }} - selector: - app: {{ $fullname }} \ No newline at end of file diff --git a/tools/deploy/presidio/templates/ingress.yaml b/tools/deploy/presidio/templates/ingress.yaml deleted file mode 100644 index 32976d7..0000000 --- a/tools/deploy/presidio/templates/ingress.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{- if and (.Values.ingress.enabled) (eq .Values.ingress.class "nginx") -}} -{{- $analyzerfullname := include "presidio.analyzer.fullname" . -}} -{{- $anonymizerfullname := include "presidio.anonymizer.fullname" . -}} -{{- $anonymizerimagefullname := include "presidio.anonymizerimage.fullname" . -}} -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: presidio-ingress - labels: - app: presidio-ingress - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - kubernetes.io/ingress.class: {{ .Values.ingress.class }} - nginx.ingress.kubernetes.io/rewrite-target: "/$2" -spec: - rules: - - http: - paths: - - backend: - serviceName: {{ $analyzerfullname }} - servicePort: {{ .Values.analyzer.service.externalPort }} - path: /{{ $analyzerfullname }}(/|$)(.*) - pathType: Prefix - - backend: - serviceName: {{ $anonymizerfullname }} - servicePort: {{ .Values.anonymizer.service.externalPort }} - path: /{{ $anonymizerfullname }}(/|$)(.*) - pathType: Prefix - - backend: - serviceName: {{ $anonymizerimagefullname }} - servicePort: {{ .Values.anonymizerimage.service.externalPort }} - path: /{{ $anonymizerimagefullname }}(/|$)(.*) - pathType: Prefix -{{- end -}}