aserto-dev · ronenh · Jan 24, 2025 · Jan 14, 2025 · Jan 17, 2025 · Jan 20, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -52,6 +52,15 @@ jobs:
         uses: azure/setup-helm@v4
         with:
           version: ${{ env.HELM_VERSION }}
+      -
+        name: Install tools
+        run: |
+          make install-grpcurl
+          echo "GRPCURL=$(realpath .ext/bin/grpcurl)" >> "$GITHUB_ENV"
+      -
+        name: Create Temp Directory
+        run: |
+          echo "TMPDIR=$(mktemp -d)" >> "$GITHUB_ENV"
       -
         name: Install topaz CLI
         run: |
@@ -123,6 +132,16 @@ jobs:
           EOF
 
           chmod 400 ~/.ssh/config
+      -
+        name: Test Controller
+        timeout-minutes: 10
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SSH_PUBLIC_KEY: ${{ steps.sshkey.outputs.public_key }}
+          SSH_PRIVATE_KEY: ${{ steps.sshkey.outputs.private_key }}
+          TOPAZ_CERTS_DIR: ${{ env.TOPAZ_CERTS_DIR }}
+        run: |
+          make test-controller
       -
         name: Test Directory
         timeout-minutes: 10

diff --git a/charts/aserto-lib/templates/_client.tpl b/charts/aserto-lib/templates/_client.tpl
@@ -11,15 +11,15 @@ ca_cert_path: /{{ .certVolume }}/ca.crt
 {{- end }}
 {{- end }}
 
-{{- define "aserto-lib.rootDirectoryClient" -}}
-address: {{ include "aserto-lib.rootDirectoryAddress" . }}
-tenant_id: {{ include "aserto-lib.rootDirectoryTenantID" . }}
-{{- $cfg := include "aserto-lib.rootClientCfg" . | fromYaml }}
-{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "root-ds-grpc-certs")) -}}
+{{- define "aserto-lib.controllerClient" -}}
+address: {{ include "aserto-lib.controllerAddress" . }}
+tenant_id: {{ include "aserto-lib.controllerTenantID" . }}
+{{- $cfg := include "aserto-lib.controllerClientCfg" . | fromYaml }}
+{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "controller-grpc-certs")) -}}
 {{- end }}
 
 {{- define "aserto-lib.directoryClient" -}}
 address: {{ include "aserto-lib.directoryAddress" . }}
 {{- $cfg := include "aserto-lib.mergeGlobal" (list . "directory") | fromYaml }}
-{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "ds-grpc-certs")) -}}
+{{- include "aserto-lib.clientTLS" (mergeOverwrite $cfg (dict "certVolume" "directory-grpc-certs")) -}}
 {{- end }}
diff --git a/charts/aserto-lib/templates/_clusteraddr.tpl b/charts/aserto-lib/templates/_clusteraddr.tpl
@@ -28,8 +28,8 @@ Args: [scope, config, service]
 {{/*
 Cluster address of the root directory service
 */}}
-{{- define "aserto-lib.rootDirectoryAddress" }}
-{{- include "aserto-lib.svcClusterAddress" (list . "grpc" "rootDS" "directory")}}
+{{- define "aserto-lib.controllerAddress" }}
+{{- include "aserto-lib.svcClusterAddress" (list . "grpc" "controller" "controller")}}
 {{- end }}
 
 {{/*

diff --git a/charts/aserto-lib/templates/_config.tpl b/charts/aserto-lib/templates/_config.tpl
@@ -1,32 +1,54 @@
-{{- define "aserto-lib.rootClientCfg" }}
-{{- include "aserto-lib.mergeGlobal" (list . "rootDS") }}
+{{- define "aserto-lib.controllerClientCfg" }}
+{{- include "aserto-lib.mergeGlobal" (list . "controller") | fromYaml |
+	merge (dict "apiKeysSecret" "controller-keys") | toYaml }}
 {{- end }}
 
-{{- define "aserto-lib.directoryCfg" }}
-{{- include "aserto-lib.mergeGlobal" (list . "directory") }}
+{{- define "aserto-lib.directoryClientCfg" }}
+{{- include "aserto-lib.mergeGlobal" (list . "directory") | fromYaml |
+	merge (dict "apiKeysSecret" "directory-keys") | toYaml }}
 {{- end }}
 
 {{- define "aserto-lib.discoveryCfg" }}
 {{- include "aserto-lib.mergeGlobal" (list . "discovery") }}
 {{- end }}
 
-{{- define "aserto-lib.rootApiKeyEnv" }}
-{{- with include "aserto-lib.rootClientCfg" . | fromYaml -}}
-{{- if .apiKey -}}
-value: {{ .apiKey }}
+
+{{- define "aserto-lib.dsApiKeyEnv" -}}
+{{- $keyType := index . 1 -}}
+{{- $defaultSecretName := index . 2 -}}
+
+{{- with first . -}}
+{{- $key := dig "apiKeys" $keyType "" . }}
+{{- if $key -}}
+value: {{ $key }}
 {{- else -}}
 valueFrom:
   secretKeyRef:
-    name: {{ (.apiKeySecret).name | default "root-ds-keys" }}
-    key: {{ (.apiKeySecret).key | default "api-key" }}
+    name: {{ .apiKeysSecret | default $defaultSecretName }}
+    key: {{ $keyType }}
+{{- end }}
+{{- end }}
+
 {{- end }}
+
+
+{{- define "aserto-lib.controllerKeyEnv" -}}
+{{- $scope := first . -}}
+{{- $keyType := last . -}}
+{{- with include "aserto-lib.controllerClientCfg" $scope | fromYaml -}}
+{{ include "aserto-lib.dsApiKeyEnv" (list . $keyType "controller-keys") }}
 {{- end }}
 {{- end }}
 
-{{- define "aserto-lib.directoryApiKeys" }}
-{{- (include "aserto-lib.directoryCfg" . | fromYaml).apiKey |
-  default (dict "secretName" "ds-keys" "writerSecretKey" "writeKey" "readerSecretKey" "readKey") | toYaml -}}
+
+{{- define "aserto-lib.directoryKeyEnv" -}}
+{{- $scope := first . -}}
+{{- $keyType := last . -}}
+{{- with include "aserto-lib.directoryClientCfg" $scope | fromYaml -}}
+{{ include "aserto-lib.dsApiKeyEnv" (list . $keyType "directory-keys") }}
 {{- end }}
+{{- end }}
+
 
 {{- define "aserto-lib.discoveryApiKey" }}
 {{- (include "aserto-lib.discoveryCfg" . | fromYaml).apiKey |
@@ -37,8 +59,8 @@ valueFrom:
 {{/*
 Root directory tenant ID
 */}}
-{{- define "aserto-lib.rootDirectoryTenantID" -}}
-{{- (include "aserto-lib.rootClientCfg" . | fromYaml).tenantID |
+{{- define "aserto-lib.controllerTenantID" -}}
+{{- (include "aserto-lib.controllerClientCfg" . | fromYaml).tenantID |
 	default "00000000-0000-11ef-0000-000000000000" -}}
 {{- end }}
 

diff --git a/charts/aserto/Chart.lock b/charts/aserto/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
-- name: aserto-lib
-  repository: file://../aserto-lib
-  version: 0.2.1
+- name: controller
+  repository: file://../controller
+  version: 0.0.1
 - name: directory
   repository: file://../directory
   version: 0.2.2
@@ -20,5 +20,8 @@ dependencies:
 - name: registry-proxy
   repository: file://../registry-proxy
   version: 0.1.6
-digest: sha256:a416841691e59b989714a06b49fdb540de61094d3ebbc5e935eb85b53f11387e
-generated: "2025-01-10T12:41:01.715504-05:00"
+- name: aserto-lib
+  repository: file://../aserto-lib
+  version: 0.2.1
+digest: sha256:3f436ac7dfb9062fb8fb780d8bee9d03c72cfb871e1b53de562f277ddfc6d493
+generated: "2025-01-20T10:06:46.030495-05:00"
diff --git a/charts/aserto/Chart.yaml b/charts/aserto/Chart.yaml
@@ -30,13 +30,12 @@ version: 0.1.12
 appVersion: "0.1.0"
 
 dependencies:
-  - name: aserto-lib
-    version: 0.2.1
-    repository: file://../aserto-lib
+  - name: controller
+    version: 0.0.1
+    repository: file://../controller
   - name: directory
     version: 0.2.2
     repository: file://../directory
-    condition: directory.enabled
   - name: authorizer
     version: 0.1.10
     repository: file://../authorizer
@@ -57,3 +56,6 @@ dependencies:
     version: 0.1.6
     repository: file://../registry-proxy
     condition: registry-proxy.enabled
+  - name: aserto-lib
+    version: 0.2.1
+    repository: file://../aserto-lib
diff --git a/charts/aserto/ci/test-values.yaml b/charts/aserto/ci/test-values.yaml
@@ -15,13 +15,13 @@ discovery:
       scheme: bearer
       tokenSecretName: ghcr-token-secret
 
-directory:
-  rootDirectory:
-    database:
-      host: root-db-host
-  tenantDirectory:
-    database:
-      host: tenant-db-host
+controller:
+  database:
+    host: root-db-host
   sshAdminKeys:
     keys: |
       ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6
+
+directory:
+  database:
+    host: tenant-db-host
diff --git a/charts/aserto/values.yaml b/charts/aserto/values.yaml
@@ -18,62 +18,92 @@ global:
       health: 8484
       mertics: 8585
 
-    # # gRPC configuration.
-    # grpc:
-    #   connectionTimeoutSec: 2
+    # gRPC configuration.
+    grpc:
+      connectionTimeoutSec: 2
 
-    # # HTTPS configuration.
+    # HTTPS configuration.
     https:
-      # read_timeout: 2s
-      # read_header_timeout: 2s
-      # write_timeout: 2s
-      # idle_timeout: 30s
+      read_timeout: 2s
+      read_header_timeout: 2s
+      write_timeout: 2s
+      idle_timeout: 30s
 
       # [REQUIRED] Specify the ingress address of the
       # conosle service.
       allowed_origins:
       # - https://console.aserto.example.com
 
-
-    # # Metrics configuration.
-    # metrics:
-    #   zpages: false
-    #   grpc:
-    #     counters: false
-    #     durations: false
-    #     gateway: false
-
-    rootDS:
-      # Address and port of the root directory's gRPC service.
-      # Default: directory.<namespace>.svc.cluster.local:8282
-      address: ""
-      # [Optiona] API key for the remote directory
-      apiKey: ""
-      # [Optional] Kubernetes secret containing the API key for the remote directory
-      apiKeySecret:
-        # Secret name
-        name: ""
-        # Secret key
-        key: "api-key"
-      # [Optional] Kubernetes secret containing the CA certificate of the root directory.
-      caCertSecret:
-        name: ""
-        key: ""
-      # Skip verification of remote TLS certificate
-      noVerify: false
-      # Connect over a plain-text connection.
-      # INSECURE: credentials are sent unencrypted within the cluster.
-      noTLS: false
-
-    rootDirectory:
-      # Disable TLS verification on
-      disableTLSVerification: true
+    # Metrics configuration.
+    metrics:
+      zpages: false
+
+    # Controller connection configuration.
+    # Services use these options when connecting to the controller.
+    controller:
+      # Use plain-text connection between pods.
+      noTLS: true
+      # # Address and port of the controller's gRPC service.
+      # # Default: controller.<namespace>.svc.cluster.local:8282
+      # address: ""
+      # # [Optiona] Controller API keys. All fields are required.
+      # apiKeys:
+      #   read: ""
+      #   write: ""
+      #   readStore: ""
+      #   writeStore: ""
+      # # [Optional] Kubernetes secret containing the controller's API keys.
+      # apiKeysSecret: controller-keys
+      # # [Optional] Kubernetes secret containing the CA certificate of the root directory.
+      # caCertSecret:
+      #   name: ""
+      #   key: ""
+      # # Skip verification of remote TLS certificate
+      # noVerify: false
 
     directory:
-      disableTLSVerification: true
+      # Use plain-text connection between pods.
+      noTLS: true
+      # # Address and port of the directory's gRPC service.
+      # # Default: directory.<namespace>.svc.cluster.local:8282
+      # address: ""
+      # # [Optiona] Directory API keys.
+      # apiKeys:
+      #   read: ""
+      #   write: ""
+      #   readStore: ""
+      #   writeStore: ""
+      # # [Optional] Kubernetes secret containing the directory's API keys.
+      # apiKeysSecret: directory-keys
+      # # [Optional] Kubernetes secret containing the directory's CA certificate.
+      # caCertSecret:
+      #   name: ""
+      #   key: ""
+      # # Skip verification of remote TLS certificate
+      # noVerify: false
+
+controller:
+  # Database configuration.
+  database:
+    # [REQUIRED] Host name of the root directory PostgreSQL instance.
+    host: ""
+    port: 5432
+    # Set to 'disable` if the PostgreSQL instance does not use SSL.
+    sslMode: require
+    admin:
+      # Kubernetes secret containing credentials for the root database's owner.
+      credentialsSecret: pg-controller-credentials
+
+  # Required: Provide one or more SSH public keys to be granted admin access.
+  # sshAdminKeys: |
+  #   # Add your authorized SSH public keys here
+  #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6
+  #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDa7
+
 
 directory:
-  enabled: true
+  controller:
+    enabled: true
   # Kubernetes pull secret for private Aserto images.
   # imagePullSecrets:
   #   - name: ghcr-creds
@@ -84,37 +114,16 @@ directory:
   #   tag: x.y.z
   #   pullPolicy: IfNotPresent
 
-  # Required: Provide one or more SSH public keys to be granted admin access.
-  # sshAdminKeys: |
-  #   # Add your authorized SSH public keys here
-  #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6
-  #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDa7
-
-  # Configuration for the root directory.
-  rootDirectory:
-    # Database configuration.
-    database:
-      # [REQUIRED] Host name of the root directory PostgreSQL instance.
-      host: ""
-      port: 5432
-      # Set to 'disable` if the PostgreSQL instance does not use SSL.
-      sslMode: require
-      admin:
-        # Kubernetes secret containing credentials for the root database's owner.
-        credentialsSecret: pg-ds-credentials
-
-  # Configuration for the tenant directory.
-  tenantDirectory:
-    # Database configuration.
-    database:
-      # [REQUIRED] Host name of the tenant directory PostgreSQL instance.
-      host: ""
-      port: 5432
-      # Set to 'disable` if the PostgreSQL instance does not use SSL.
-      sslMode: require
-      admin:
-        # Kubernetes secret containing credentials for the tenant database's owner.
-        credentialsSecret: pg-ds-credentials
+  # Database configuration.
+  database:
+    # [REQUIRED] Host name of the tenant directory PostgreSQL instance.
+    host: ""
+    port: 5432
+    # Set to 'disable` if the PostgreSQL instance does not use SSL.
+    sslMode: require
+    admin:
+      # Kubernetes secret containing credentials for the tenant database's owner.
+      credentialsSecret: pg-directory-credentials
 
 discovery:
   enabled: true