Mobu: Split GitHub refresh and CI app config

* Separate config dicts in Values * Separate anonymous ingresses for each app * Separate ConfigMaps for each app
lsst-sqre · Jul 12, 2024 · 681d382 · 681d382
1 parent ecf3d8e
commit 681d382
Show file tree

Hide file tree

Showing 17 changed files with 252 additions and 155 deletions.
diff --git a/applications/mobu/README.md b/applications/mobu/README.md
@@ -15,9 +15,8 @@ Continuous integration testing
 | affinity | object | `{}` | Affinity rules for the mobu frontend pod |
 | config.autostart | list | `[]` | Autostart specification. Must be a list of mobu flock specifications. Each flock listed will be automatically started when mobu is started. |
 | config.debug | bool | `false` | If set to true, include the output from all flocks in the main mobu log and disable structured JSON logging. |
-| config.github | object | See `values.yaml` | GitHub app integration options. |
-| config.githubCiAppEnabled | bool | `false` | Whether to enable the GitHub CI app integration. This should be `false` in production environments, because we don't want to run unapproved/ unreviewed code there. This should also be `false` in envs that are behind a VPN because the integration depends on being able to receive webhook requests from github.com. |
-| config.githubRefreshAppEnabled | bool | `false` | Whether to enable the GitHub refresh app integration. This should be `false` in envs that are behind a VPN because the integration depends on being able to receive webhook requests from github.com. |
+| config.githubCiApp | object | disabled. | Configuration for the GitHub refresh app integration. See https://mobu.lsst.io/operations/github_ci_app.html#add-phalanx-configuration |
+| config.githubRefreshApp | object | disabled. | Configuration for the GitHub refresh app integration. See https://mobu.lsst.io/operations/github_refresh_app.html#add-phalanx-configuration |
 | config.pathPrefix | string | `"/mobu"` | Prefix for mobu's API routes. |
 | config.slackAlerts | bool | `true` | Whether to send alerts and status to Slack. |
 | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) |

diff --git a/applications/mobu/templates/configmap-github-ci-app.yaml b/applications/mobu/templates/configmap-github-ci-app.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.config.githubCiApp -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "mobu.fullname" . }}-github-ci-app
+  labels:
+    {{- include "mobu.labels" . | nindent 4 }}
+data:
+  github-ci-app.yaml: |
+    {{- toYaml .Values.config.githubCiApp | nindent 4 }}
+{{- end }}
diff --git a/applications/mobu/templates/configmap-github-config.yaml b/applications/mobu/templates/configmap-github-config.yaml
diff --git a/applications/mobu/templates/configmap-github-refresh-app.yaml b/applications/mobu/templates/configmap-github-refresh-app.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.config.githubRefreshApp -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "mobu.fullname" . }}-github-refresh-app
+  labels:
+    {{- include "mobu.labels" . | nindent 4 }}
+data:
+  github-refresh-app.yaml: |
+    {{- toYaml .Values.config.githubRefreshApp | nindent 4 }}
+{{- end }}
diff --git a/applications/mobu/templates/deployment.yaml b/applications/mobu/templates/deployment.yaml
@@ -35,29 +35,25 @@ spec:
             - name: "MOBU_AUTOSTART_PATH"
               value: "/etc/mobu/autostart.yaml"
             {{- end }}
-            {{- if .Values.config.github }}
-            - name: "MOBU_GITHUB_CONFIG_PATH"
-              value: "/etc/mobu/github-config.yaml"
-            {{- end }}
             - name: "MOBU_ENVIRONMENT_URL"
               value: {{ .Values.global.baseUrl }}
             - name: "MOBU_GAFAELFAWR_TOKEN"
               valueFrom:
                 secretKeyRef:
                   name: {{ template "mobu.fullname" . }}-gafaelfawr-token
                   key: "token"
-            {{- if .Values.config.githubRefreshAppEnabled }}
-            - name: "MOBU_GITHUB_REFRESH_APP_ENABLED"
-              value: "true"
+            {{- if .Values.config.githubRefreshApp }}
+            - name: "MOBU_GITHUB_REFRESH_APP_CONFIG_PATH"
+              value: "/etc/mobu/github-refresh-app.yaml"
             - name: "MOBU_GITHUB_REFRESH_APP_WEBHOOK_SECRET"
               valueFrom:
                 secretKeyRef:
                   name: {{ template "mobu.fullname" . }}-secret
                   key: "github-refresh-app-webhook-secret"
             {{- end}}
-            {{- if .Values.config.githubCiAppEnabled }}
-            - name: "MOBU_GITHUB_CI_APP_ENABLED"
-              value: "true"
+            {{- if .Values.config.githubCiApp }}
+            - name: "MOBU_GITHUB_CI_APP_CONFIG_PATH"
+              value: "/etc/mobu/github-ci-app.yaml"
             - name: "MOBU_GITHUB_CI_APP_ID"
               valueFrom:
                 secretKeyRef:
@@ -74,10 +70,6 @@ spec:
                   name: {{ template "mobu.fullname" . }}-secret
                   key: "github-ci-app-webhook-secret"
             {{- end}}
-            {{- if .Values.config.github_config }}
-            - name: "MOBU_GITHUB_CONFIG_PATH"
-              value: "/etc/mobu/github-config.yaml"
-            {{- end}}
             - name: "MOBU_PATH_PREFIX"
               value: {{ .Values.config.pathPrefix | quote }}
             {{- if .Values.config.debug }}
@@ -131,12 +123,19 @@ spec:
                   - key: autostart.yaml
                     path: autostart.yaml
             {{- end }}
-            {{- if .Values.config.github }}
+            {{- if .Values.config.githubCiApp }}
+            - configMap:
+                name: {{ include "mobu.fullname" . }}-github-ci-app
+                items:
+                  - key: github-ci-app.yaml
+                    path: github-ci-app.yaml
+            {{- end }}
+            {{- if .Values.config.githubRefreshApp }}
             - configMap:
-                name: {{ include "mobu.fullname" . }}-github-config
+                name: {{ include "mobu.fullname" . }}-github-refresh-app
                 items:
-                  - key: github-config.yaml
-                    path: github-config.yaml
+                  - key: github-refresh-app.yaml
+                    path: github-refresh-app.yaml
             {{- end }}
         - name: "tmp"
           emptyDir: {}

diff --git a/...ions/mobu/templates/ingress-webhooks.yaml → ...mobu/templates/ingress-github-ci-app.yaml b/...ions/mobu/templates/ingress-webhooks.yaml → ...mobu/templates/ingress-github-ci-app.yaml
@@ -1,8 +1,8 @@
-{{- if or .Values.config.githubRefreshAppEnabled .Values.config.githubCiAppEnabled }}
+{{- if .Values.config.githubCiApp }}
 apiVersion: gafaelfawr.lsst.io/v1alpha1
 kind: GafaelfawrIngress
 metadata:
-  name: {{ template "mobu.fullname" . }}-github-webhook
+  name: {{ template "mobu.fullname" . }}-github-ci
   labels:
     {{- include "mobu.labels" . | nindent 4 }}
 config:
@@ -11,7 +11,7 @@ config:
     anonymous: true
 template:
   metadata:
-    name: {{ template "mobu.fullname" . }}-github-webhook
+    name: {{ template "mobu.fullname" . }}-github-ci
     {{- with .Values.ingress.annotations }}
     annotations:
       {{- toYaml . | nindent 6 }}
@@ -21,7 +21,7 @@ template:
       - host: {{ required "global.host must be set" .Values.global.host | quote }}
         http:
           paths:
-            - path: "{{ .Values.config.pathPrefix }}/github"
+            - path: "{{ .Values.config.pathPrefix }}/github/ci"
               pathType: "Prefix"
               backend:
                 service:

diff --git a/applications/mobu/templates/ingress-github-refresh-app.yaml b/applications/mobu/templates/ingress-github-refresh-app.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.config.githubRefreshApp }}
+apiVersion: gafaelfawr.lsst.io/v1alpha1
+kind: GafaelfawrIngress
+metadata:
+  name: {{ template "mobu.fullname" . }}-github-refresh
+  labels:
+    {{- include "mobu.labels" . | nindent 4 }}
+config:
+  baseUrl: {{ .Values.global.baseUrl | quote }}
+  scopes:
+    anonymous: true
+template:
+  metadata:
+    name: {{ template "mobu.fullname" . }}-github-refresh
+    {{- with .Values.ingress.annotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  spec:
+    rules:
+      - host: {{ required "global.host must be set" .Values.global.host | quote }}
+        http:
+          paths:
+            - path: "{{ .Values.config.pathPrefix }}/github/refresh"
+              pathType: "Prefix"
+              backend:
+                service:
+                  name: {{ template "mobu.fullname" . }}
+                  port:
+                    number: 8080
+{{- end }}
diff --git a/applications/mobu/tests/github_ci_app_enabled_test.yaml b/applications/mobu/tests/github_ci_app_enabled_test.yaml
@@ -0,0 +1,67 @@
+suite: Github CI App Integration Enabled
+set:
+  config:
+    githubCiApp:
+      accepted_github_orgs:
+        - "org1"
+        - "org2"
+      users:
+        - "bot-mobu-ci-user-1"
+        - "bot-mobu-ci-user-2"
+      scopes:
+        - "exec:notebook"
+        - "read:tap"
+  global:
+    host: "example.com"
+tests:
+  - it: "Should create an anonymous ingress"
+    template: "ingress-github-ci-app.yaml"
+    asserts:
+      - containsDocument:
+          kind: "GafaelfawrIngress"
+          apiVersion: gafaelfawr.lsst.io/v1alpha1
+      - equal:
+          path: "config.scopes.anonymous"
+          value: true
+
+  - it: "Should inject secrets into the Deployment env"
+    template: "deployment.yaml"
+    asserts:
+      - contains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_CONFIG_PATH"
+      - contains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_ID"
+      - contains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_PRIVATE_KEY"
+      - contains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_WEBHOOK_SECRET"
+  - it: "Should create a ConfigMap"
+    template: "configmap-github-ci-app.yaml"
+    asserts:
+      - containsDocument:
+          kind: "ConfigMap"
+          apiVersion: v1
+      - equal:
+          path: "data['github-ci-app.yaml']"
+          value: |
+            accepted_github_orgs:
+            - org1
+            - org2
+            scopes:
+            - exec:notebook
+            - read:tap
+            users:
+            - bot-mobu-ci-user-1
+            - bot-mobu-ci-user-2
diff --git a/applications/mobu/tests/github_ci_enabled_test.yaml b/applications/mobu/tests/github_ci_enabled_test.yaml
diff --git a/applications/mobu/tests/github_config_test.yaml b/applications/mobu/tests/github_config_test.yaml
diff --git a/applications/mobu/tests/github_disabled_test.yaml b/applications/mobu/tests/github_disabled_test.yaml
@@ -4,21 +4,59 @@ set:
   global:
     host: "example.com"
 tests:
-  - it: "Should not create an anonymous ingress"
-    template: "ingress-webhooks.yaml"
+  - it: "Should not create a GitHub CI app ingress"
+    template: "ingress-github-ci-app.yaml"
     asserts:
       - hasDocuments:
           count: 0
-  - it: "Should not create an github-config ConfigMap"
-    template: "configmap-github-config.yaml"
+  - it: "Should not create a GitHub refresh app ingress"
+    template: "ingress-github-refresh-app.yaml"
     asserts:
       - hasDocuments:
           count: 0
-  - it: "Should not inject GitHub secrets into the Deployment env"
+  - it: "Should not create a GitHub CI app ConfigMap"
+    template: "configmap-github-ci-app.yaml"
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: "Should not create a GitHub refresh app ConfigMap"
+    template: "configmap-github-refresh-app.yaml"
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: "Should not inject GitHub CI app secrets into the Deployment env"
+    template: "deployment.yaml"
+    asserts:
+      - notContains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_CONFIG_PATH"
+      - notContains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_ID"
+      - notContains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_PRIVATE_KEY"
+      - notContains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_CI_APP_WEBHOOK_SECRET"
+  - it: "Should not inject GitHub refresh app secrets into the Deployment env"
     template: "deployment.yaml"
     asserts:
       - notContains:
           path: "spec.template.spec.containers[0].env"
           any: true
           content:
-            name: "MOBU_GITHUB_WEBHOOK_SECRET"
+            name: "MOBU_GITHUB_REFRESH_APP_CONFIG_PATH"
+      - notContains:
+          path: "spec.template.spec.containers[0].env"
+          any: true
+          content:
+            name: "MOBU_GITHUB_REFRESH_APP_WEBHOOK_SECRET"