feat: Add OPA backed by identity.diamond.ac.uk

charts/apps/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: authz
 description: ArgoCD Apps used to deploy Authorization infrastructure
 type: application
-version: 0.3.0
+version: 0.4.0

charts/apps/templates/opa-authn-app.yaml

@@ -0,0 +1,28 @@
+{{ if .Values.opa-authn.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opa-authn
+  namespace: {{ .Release.Namespace }}
+  finalizers:
+    - resources-finalizer.argocd.arogproj.io
+spec:
+  project: {{ default .Release.Namespace .Values.project }}
+  source:
+    repoURL: {{ .Values.opa-authn.repoUrl }}
+    targetRevision: {{ .Values.opa-authn.targetRevision }}
+    path: {{ .Values.opa-authn.path }}
+    {{- if .Values.opa-authn.valuesObject }}
+    helm:
+      valuesObject:
+          {{ .Values.opa-authn.valuesObject | toYaml | nindent 10 }}
+    {{- end }}
+  destination:
+    name: {{ .Values.destination.name }}
+    server: {{ .Values.destination.server }}
+    namespace: {{ default .Release.Namespace .Values.destination.namespace }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+{{- end }}

charts/apps/templates/opa-app.yaml → charts/apps/templates/opa-id-app.yaml

@@ -1,21 +1,21 @@
-{{ if .Values.opa.enabled }}
+{{ if .Values.opa-id.enabled }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: opa
+  name: opa-id
   namespace: {{ .Release.Namespace }}
   finalizers:
     - resources-finalizer.argocd.arogproj.io
 spec:
   project: {{ default .Release.Namespace .Values.project }}
   source:
-    repoURL: {{ .Values.opa.repoUrl }}
-    targetRevision: {{ .Values.opa.targetRevision }}
-    path: {{ .Values.opa.path }}
-    {{- if .Values.opa.valuesObject }}
+    repoURL: {{ .Values.opa-id.repoUrl }}
+    targetRevision: {{ .Values.opa-id.targetRevision }}
+    path: {{ .Values.opa-id.path }}
+    {{- if .Values.opa-id.valuesObject }}
     helm:
       valuesObject:
-          {{ .Values.opa.valuesObject | toYaml | nindent 10 }}
+          {{ .Values.opa-id.valuesObject | toYaml | nindent 10 }}
     {{- end }}
   destination:
     name: {{ .Values.destination.name }}

charts/apps/values.yaml

@@ -50,7 +50,7 @@ bundler:
             - path: /bundle.tar.gz
               pathType: Prefix
 
-opa:
+opa-authn:
   enabled: true
   repoUrl: https://github.com/DiamondLightSource/authz.git
   targetRevision: HEAD
@@ -111,3 +111,65 @@ opa:
       limits:
         cpu: 1000m
         memory: 2Gi
+
+opa-id:
+  enabled: true
+  repoUrl: https://github.com/DiamondLightSource/authz.git
+  targetRevision: HEAD
+  path: charts/opa
+  valuesObject:
+
+    env:
+    - name: BUNDLER_BEARER_TOKEN
+      valueFrom:
+        secretKeyRef:
+          name: token-authorization
+          key: bearer
+    - name: ISSUER
+      value: https://identity.diamond.ac.uk/realms/dls
+
+    autoscaling:
+      enabled: true
+      minReplicas: 2
+      maxReplicas: 10
+      targetMemoryUtilizationPercentage: 80
+
+    ingress:
+      enabled: true
+      hosts:
+        - host: authz.diamond.ac.uk
+          paths:
+            - path: /id
+              pathType: Prefix
+
+    config:
+      services:
+        diamond-bundler:
+          url: https://authz.diamond.ac.uk
+          credentials:
+            bearer:
+              token: ${BUNDLER_BEARER_TOKEN}
+        ghcr:
+          url: https://ghcr.io
+          type: oci
+      bundles:
+        diamond-permissionables:
+          service: diamond-bundler
+          resource: bundle.tar.gz
+          polling:
+            min_delay_seconds: 10
+            max_delay_seconds: 60
+        diamond-policies:
+          service: ghcr
+          resource: ghcr.io/diamondlightsource/authz-policy:0.0.16
+          polling:
+            min_delay_seconds: 30
+            max_delay_seconds: 120
+
+    resources:
+      requests:
+        cpu: 1000m
+        memory: 2Gi
+      limits:
+        cpu: 1000m
+        memory: 2Gi