add config file watch + Helm chart enhancements (#1)

* add two ways of watching config file changes
  * one using the watchdog module based on filesystem events
  * and another one based on polling with Path.stat() to make it work with K8S mounted configmap's
* extend Helm chart functionality
  * add secret with public Certificate Authorities
  * add additionalTrustedCA values to extend list of trusted CA
  * add ability to specify list of environment variables
  * disable livenessProbe and readynessProbe
  * adjust pod resource limits
  * few additional minor fixes

Author: hanstrompert

chart/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.0.1"
+appVersion: "master"

chart/files/cacert.pem

@@ -2,12 +2,11 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Release.Name }}-config
-  namespace: {{ .Release.Namespace }}
 {{- if .Values.config.inlineData }}
 data:
-{{.Values.config.inlineData | indent 2}}
+{{ .Values.config.inlineData | indent 2 }}
 {{- end }}
 {{- if .Values.config.inlineBinaryData }}
 binaryData:
-{{.Values.config.inlineBinaryData | indent 2}}
+{{ .Values.config.inlineBinaryData | indent 2 }}
 {{- end }}

chart/templates/configmap.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "nsi-auth.fullname" . }}
+  name: {{ .Release.Name }}
   labels:
     {{- include "nsi-auth.labels" . | nindent 4 }}
 spec:
@@ -46,12 +46,12 @@ spec:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
           envFrom:
           {{- if .Values.env }}
             - configMapRef:
-                name: { { .Release.Name } }-environment
+                name: {{ .Release.Name }}-environment
           {{- end }}
+          {{- with .Values.volumeMounts }}
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}

chart/templates/deployment.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
     helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
   name: {{ .Release.Name }}-environment
-  namespace: {{ .Release.Namespace }}
 {{- with .Values.env }}
 data:
     {{- toYaml . | nindent 8 }}

chart/templates/environment-configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ .Release.Name }}-ca
+data:
+  ca.crt: {{ printf "%s%s" (.Files.Get "files/cacert.pem") .Values.config.additionalTrustedCA | b64enc }}

chart/templates/secret.yaml

@@ -1,8 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "nsi-auth.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ .Release.Name }}
   labels:
     {{- include "nsi-auth.labels" . | nindent 4 }}
 spec:

chart/templates/service.yaml

@@ -66,20 +66,20 @@ resources: {}
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
   # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
+  #   cpu: 10m
+  #   memory: 64Mi
   # requests:
-  #   cpu: 100m
+  #   cpu: 1000m
   #   memory: 128Mi
 
 livenessProbe:
-  httpGet:
-    path: /validate
-    port: http
+  #httpGet:
+  #  path: /validate
+  #  port: http
 readinessProbe:
-  httpGet:
-    path: /validate
-    port: http
+  #httpGet:
+  #  path: /validate
+  #  port: http
 
 autoscaling:
   enabled: false
@@ -89,17 +89,17 @@ autoscaling:
   # targetMemoryUtilizationPercentage: 80
 
 # Additional volumes on the output Deployment definition.
-volumes: []
-# - name: foo
-#   secret:
-#     secretName: mysecret
-#     optional: false
+volumes:
+  - name: config
+    configMap:
+      name: test-config
+      optional: false
 
 # Additional volumeMounts on the output Deployment definition.
-volumeMounts: []
-# - name: foo
-#   mountPath: "/etc/foo"
-#   readOnly: true
+volumeMounts:
+  - name: config
+    mountPath: "/config"
+    readOnly: true
 
 nodeSelector: {}
 
@@ -119,3 +119,29 @@ config:
       CN=CertB,OU=Dept Y,O=Company 2,C=NL
       CN=CertC,OU=Dept Z,O=Company 3,C=NL
   inlineBinaryData:
+#  additionalTrustedCA: |-
+#
+#    subject=C=AU, ST=Some-State, O=My Organisation, CN=My self signed root CA
+#    =========================================================================
+#    -----BEGIN CERTIFICATE-----
+#    MIIDmzCCAoOgAwIBAgIUYzV2fb5GNklmz1Wb/tcn3GprN0MwDQYJKoZIhvcNAQEL
+#    BQAwXTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxGDAWBgNVBAoM
+#    D015IE9yZ2FuaXNhdGlvbjEfMB0GA1UEAwwWTXkgc2VsZiBzaWduZWQgcm9vdCBD
+#    QTAeFw0yNTA4MDcxMTM0MTlaFw0zNTA4MDcxMTM0MTlaMF0xCzAJBgNVBAYTAkFV
+#    MRMwEQYDVQQIDApTb21lLVN0YXRlMRgwFgYDVQQKDA9NeSBPcmdhbmlzYXRpb24x
+#    HzAdBgNVBAMMFk15IHNlbGYgc2lnbmVkIHJvb3QgQ0EwggEiMA0GCSqGSIb3DQEB
+#    AQUAA4IBDwAwggEKAoIBAQCl6IIW7UwZbzzEqVy4ACpAAbcu20dBYZB/+ApLl6QP
+#    Sq+P2UkP4MqJ/JxAjeTzHpyBbQlMnmsA9OFIblR1Gj2EjMfwYp1+QapbppEjzYEJ
+#    KihVl8Mo+mQ7GBCdmVMKtvxM8yeafO07LwArVDDjA92EfdonO/8cYStQWtvcTPd8
+#    ZRm4udx7sYap2X0bGJALBqbPDpiPqc9BY8ZaGLtIyE97VR/S0786dLzWgKocwPOD
+#    U1ESjJq31WmsWASs2UNmHE1sdzn1vq08umoumGfkuchRSlDDsgz++WoKnZVtEop1
+#    YlmNU9bFlw1OfLCosCfyjLDRM8hSm5EaKWe0KRXMtJiFAgMBAAGjUzBRMB0GA1Ud
+#    DgQWBBTOqbjm/j/R+UeHKqSPl3TvUOjzhTAfBgNVHSMEGDAWgBTOqbjm/j/R+UeH
+#    KqSPl3TvUOjzhTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9
+#    PglxaqamA3nyyenhAQX0JMB7LkUVrWNWOlxVAG86U1dN5HZUhzd16A/5HMxIHQSJ
+#    3nQueVSF3nI6gR3NcMcFs/VLpXkeJGeQSQ46ZpqAv6MHkrmFuBmAyf20wixD3Osp
+#    KSBhR21ouU5GWhJhsl+FnGg9R+/HbrjjU3lJiIDkHZr8Bv3t0qhzat3CA8ea6wId
+#    smP/bZtO0PL7iRAec/TnIXaWOfP3t8PwM9sWPjEf+g2IAIlPSp0MHSMobh2IwNxV
+#    Qg2gs7DxSatssgBvTjyAG6zlpWidjfhvIvq3tsa9wDhe3xoWFrZPiN7Ela3Mc2nj
+#    VwXOCCu9/2/MxG79jRDJ
+#    -----END CERTIFICATE-----

chart/values.yaml

@@ -11,13 +11,14 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 """Verify DN from HTTP header against list of allowed DN's."""
-
+import threading
 from logging.config import dictConfig
+from typing import Callable
 
 from flask import Flask, request
 from pydantic import BaseModel, FilePath
 from pydantic_settings import BaseSettings
-from watchdog.events import DirModifiedEvent, FileModifiedEvent, FileSystemEventHandler
+from watchdog.events import FileModifiedEvent, FileSystemEvent, FileSystemEventHandler
 from watchdog.observers import Observer
 
 
@@ -29,6 +30,8 @@ class Settings(BaseSettings):
 
     allowed_client_subject_dn_path: FilePath = FilePath("/config/allowed_client_dn.txt")
     ssl_client_subject_dn_header: str = "ssl-client-subject-dn"
+    use_watchdog: bool = False
+    log_level: str = "INFO"
 
 
 class State(BaseModel):
@@ -59,7 +62,7 @@ def init_app() -> Flask:
         }
     )
     app = Flask(__name__)
-    app.logger.setLevel("DEBUG")
+    app.logger.setLevel(settings.log_level)
 
     return app
 
@@ -83,23 +86,66 @@ def validate() -> tuple[str, int]:
 
 
 #
-# Load DN from file plus watchdog for auto reload.
+# File watch based on watchdog.
 #
 class FileChangeHandler(FileSystemEventHandler):
     """On filesystem event, call load_allowed_client_dn() when `filepath` is modified."""
 
-    def __init__(self, filepath: FilePath) -> None:
+    def __init__(self, filepath: FilePath, callback: Callable[[FilePath], None]) -> None:
         """Set the filepath of the file to watch."""
-        self.filepath = filepath.resolve()
+        self.filepath = filepath
+        self.callback = callback
         load_allowed_client_dn(self.filepath)
         app.logger.info(f"watch {self.filepath} for changes")
 
-    def on_modified(self, event: DirModifiedEvent | FileModifiedEvent) -> None:
+    def on_modified(self, event: FileSystemEvent) -> None:
         """Call load_allowed_client_dn() when `filepath` is modified."""
-        if FilePath(str(event.src_path)).resolve() == self.filepath:
-            load_allowed_client_dn(self.filepath)
+        app.logger.debug(f"on_modified {event} {FilePath(str(event.src_path)).resolve()} {self.filepath.resolve()}")
+        if FilePath(str(event.src_path)).resolve() == self.filepath.resolve():
+            self.callback(self.filepath)
+
+
+def watchdog_file(filepath: FilePath, callback: Callable[[FilePath], None]) -> None:
+    """Setup watchdog to watch directory that the file resides in and call handler on change."""
+    observer = Observer()
+    observer.schedule(
+        FileChangeHandler(filepath, callback),
+        path=str(filepath.parent),
+        recursive=True,
+        event_filter=[FileModifiedEvent],
+    )
+    observer.start()
+
+
+#
+# File watch based on Path.stat().
+#
+def watch_file(filepath: FilePath, callback: Callable[[FilePath], None]) -> None:
+    """Watch modification time of `filepath` in a thread and call `callback` on change."""
+
+    def watch() -> None:
+        """If modification time of `filepath` changes call `callback`."""
+        last_modified = 0
+        app.logger.info(f"watch {filepath} for changes")
+        while True:
+            app.logger.debug(f"check modification time of {filepath}")
+            try:
+                modified = filepath.stat().st_mtime_ns
+            except FileNotFoundError as e:
+                app.logger.error(f"cannot get last modification time of {filepath}: {e!s}")
+            else:
+                if last_modified < modified:
+                    last_modified = modified
+                    callback(filepath)
+            event.wait(5)
+
+    event = threading.Event()
+    threading.Thread(target=watch, daemon=True).start()
 
 
+#
+# Load DN from file.
+#
 def load_allowed_client_dn(filepath: FilePath) -> None:
     """Load list of allowed client DN from file."""
     try:
@@ -113,11 +159,7 @@ def load_allowed_client_dn(filepath: FilePath) -> None:
             app.logger.info(f"load {len(new_allowed_client_subject_dn)} DN from {filepath}")
 
 
-def watch_file(file_to_watch: FilePath) -> None:
-    """Setup watchdog to watch directory that the file resides in and call handler on change."""
-    observer = Observer()
-    observer.schedule(FileChangeHandler(file_to_watch), path=str(file_to_watch.parent), recursive=False)
-    observer.start()
-
-
-watch_file(settings.allowed_client_subject_dn_path)
+if settings.use_watchdog:
+    watchdog_file(settings.allowed_client_subject_dn_path, load_allowed_client_dn)
+else:
+    watch_file(settings.allowed_client_subject_dn_path, load_allowed_client_dn)