Merge branch 'aws-integration' into 'master'

Adding support for EKS 1.23

See merge request !295

NOTICE

@@ -18,7 +18,7 @@ The following software have components provided under the terms of this license:
 - google-api-core (from https://github.com/googleapis/python-api-core)
 - google-auth (from https://github.com/GoogleCloudPlatform/google-auth-library-python, https://github.com/googleapis/google-auth-library-python)
 - google-cloud-core (from https://github.com/googleapis/python-cloud-core)
-- google-cloud-storage (from https://github.com/googleapis/python-storage)
+- google-cloud-storage (from https://github.com/GoogleCloudPlatform/google-cloud-python, https://github.com/googleapis/python-storage)
 - google-crc32c (from https://github.com/googleapis/python-crc32c)
 - google-resumable-media (from https://github.com/googleapis/google-resumable-media-python)
 - googleapis-common-protos (from https://github.com/googleapis/python-api-common-protos)
@@ -56,7 +56,7 @@ The following software have components provided under the terms of this license:
 - click (from https://palletsprojects.com/p/click/)
 - cryptography (from https://github.com/pyca/cryptography)
 - idna (from https://pypi.org/project/idna/3.4/)
-- isodate (from https://github.com/gweis/isodate/)
+- isodate (from http://cheeseshop.python.org/pypi/isodate, https://github.com/gweis/isodate/)
 - jinja2
 - oauthlib (from https://github.com/oauthlib/oauthlib)
 - packaging (from https://pypi.org/project/packaging/22.0/, https://pypi.org/project/packaging/23.0/)
@@ -65,7 +65,7 @@ The following software have components provided under the terms of this license:
 - pyrsistent (from https://github.com/tobgu/pyrsistent/)
 - python-dateutil (from https://github.com/dateutil/dateutil)
 - sniffio (from https://github.com/python-trio/sniffio)
-- starlette (from https://pypi.org/project/starlette/0.22.0/, https://pypi.org/project/starlette/0.23.1/)
+- starlette (from https://pypi.org/project/starlette/0.22.0/, https://pypi.org/project/starlette/0.24.0/)
 - uvicorn (from https://github.com/tomchristie/uvicorn, https://pypi.org/project/uvicorn/0.20.0/, https://www.uvicorn.org/)
 
 ========================================================================
@@ -119,10 +119,10 @@ The following software have components provided under the terms of this license:
 - coloredlogs (from https://coloredlogs.readthedocs.io)
 - coverage (from https://github.com/nedbat/coveragepy)
 - exceptiongroup (from https://pypi.org/project/exceptiongroup/1.0.1/, https://pypi.org/project/exceptiongroup/1.1.0/)
-- fastapi (from https://pypi.org/project/fastapi/0.86.0/, https://pypi.org/project/fastapi/0.89.1/)
+- fastapi (from https://pypi.org/project/fastapi/0.86.0/, https://pypi.org/project/fastapi/0.90.1/)
 - h11
 - humanfriendly (from https://humanfriendly.readthedocs.io)
-- iniconfig (from https://pypi.org/project/iniconfig/2.0.0/)
+- iniconfig (from http://github.com/RonnyPfannschmidt/iniconfig, https://pypi.org/project/iniconfig/2.0.0/)
 - jmespath (from https://github.com/jmespath/jmespath.py)
 - jsonschema
 - msal (from https://github.com/AzureAD/microsoft-authentication-library-for-python)
@@ -139,9 +139,9 @@ The following software have components provided under the terms of this license:
 - pytest-order (from https://github.com/pytest-dev/pytest-order)
 - pytz (from http://pythonhosted.org/pytz)
 - requests (from http://python-requests.org, https://requests.readthedocs.io)
-- six (from https://github.com/benjaminp/six)
+- six (from http://pypi.python.org/pypi/six/, https://github.com/benjaminp/six)
 - sniffio (from https://github.com/python-trio/sniffio)
-- starlette (from https://pypi.org/project/starlette/0.22.0/, https://pypi.org/project/starlette/0.23.1/)
+- starlette (from https://pypi.org/project/starlette/0.22.0/, https://pypi.org/project/starlette/0.24.0/)
 - starlette-context (from https://github.com/tomwojcik/starlette-context)
 - tomli (from https://pypi.org/project/tomli/1.2.2/, https://pypi.org/project/tomli/2.0.0/, https://pypi.org/project/tomli/2.0.1/)
 - urllib3 (from https://urllib3.readthedocs.io/)

devops/aws/chart/Chart.yaml

 apiVersion: v2
 name: "os-policy"
 version: __CHART_VERSION__
-kubeVersion: "v1.21.x-x-x"
+kubeVersion: ">= 1.21.x-x-x < 1.24.x-x-x"
 description: Policy Service Helm Chart for Kubernetes
 type: application
 appVersion: __VERSION__
 dependencies:
   - name: osdu-aws-lib
-    version: 0.1.0
+    version: 0.2.0
     repository: __HELM_REPO__/osdu-aws-lib/
 deprecated: false

devops/aws/chart/templates/tests/test-connection.yaml

-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "common.fullname" . }}-test-connection"
-  labels:
-    {{- include "common.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}']
-  restartPolicy: Never

devops/aws/chart/values.schema.json

@@ -6,10 +6,8 @@
         "image",
         "imagePullPolicy",
         "service",
-        "podAnnotations",
         "replicaCount",
-        "serviceAccountRole",
-        "securityContext"
+        "serviceAccountRole"
     ],
     "properties": {
         "image": {
@@ -262,10 +260,10 @@
                 "type": "string",
                 "title": "Allowed principal",
                 "examples": [
-                    "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
+                    "cluster.local/ns/istio-system/sa/istio-ingressgateway",
                     "cluster.local/ns/osdu-services/sa/compliance-queue"
                 ]
             }
         }
     }
-}
+}
\ No newline at end of file

devops/aws/chart/values.yaml

@@ -38,8 +38,6 @@ environmentVariables:
     value: http://os-legal:8080
   - name: OPA_URL
     value: http://opa-agent
-podAnnotations: 
-  seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
 
 # Resource Config
 replicaCount: 1
@@ -67,9 +65,13 @@ securityContext:
   capabilities:
     drop:
     - ALL
+podSecurityContext: 
+  fsGroup: 1337
+  seccompProfile:
+    type: RuntimeDefault
 
 allowedPrincipals:
-  - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+  - cluster.local/ns/istio-system/sa/istio-ingressgateway
   - cluster.local/ns/{{ .Release.Namespace }}/sa/os-search
   - cluster.local/ns/aws-binary-dms/sa/binary-dms
   - cluster.local/ns/osdu-airflow/sa/airflow-dag-upload

devops/aws/opa/Chart.yaml

 apiVersion: v2
 name: "opa-agent"
 version: __CHART_VERSION__
-kubeVersion: "v1.21.x-x-x"
+kubeVersion: ">= 1.21.x-x-x < 1.24.x-x-x"
 description: OPA Agent Helm Chart for Kubernetes
 type: application
 appVersion: __VERSION__
 dependencies:
   - name: osdu-aws-lib
-    version: 0.1.0
+    version: 0.2.0
     repository: __HELM_REPO__/osdu-aws-lib/
 deprecated: false

devops/aws/opa/values.schema.json

@@ -6,10 +6,8 @@
         "partitions",
         "image",
         "imagePullPolicy",
-        "podAnnotations",
         "replicaCount",
-        "serviceAccountRole",
-        "securityContext"
+        "serviceAccountRole"
     ],
     "properties": {
         "partitions": {
@@ -221,10 +219,10 @@
                 "type": "string",
                 "title": "Allowed principal",
                 "examples": [
-                    "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
+                    "cluster.local/ns/istio-system/sa/istio-ingressgateway",
                     "cluster.local/ns/osdu-services/sa/compliance-queue"
                 ]
             }
         }
     }
-}
+}
\ No newline at end of file

devops/aws/opa/values.yaml

@@ -18,8 +18,6 @@ environmentVariables:
     value: "http://os-entitlements:8080"
   - name: LEGAL_BASE_URL
     value: http://os-legal:8080
-podAnnotations: 
-  seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
 
 # Resource Config
 maxConnections: 200
@@ -48,3 +46,7 @@ securityContext:
   capabilities:
     drop:
     - ALL
+podSecurityContext: 
+  fsGroup: 1337
+  seccompProfile:
+    type: RuntimeDefault
\ No newline at end of file