AMRC-FactoryPlus · djnewbould · Feb 20, 2025 · Feb 20, 2025 · Feb 27, 2025 · Mar 3, 2025
diff --git a/acs-mqtt/Makefile b/acs-mqtt/Makefile
@@ -23,5 +23,5 @@ include ${mk}/acs.docker.mk
 build: build-plugin
 
 build-plugin: git.prepare
-	cd ${src} && ${env} ${mvn} -B package
+	cd ${src} && ${env} ${mvn} -B clean package
 	cp ${src}/target/${zip} .
diff --git a/deploy/templates/identity/rbac.yaml b/deploy/templates/identity/rbac.yaml
@@ -18,6 +18,9 @@ rules:
   -   apiGroups: [factoryplus.app.amrc.co.uk]
       resources: [kerberos-keys/status]
       verbs: [list, get, create, update, delete, watch, patch]
+  -   apiGroups: [factoryplus.app.amrc.co.uk]
+      resources: [localsecrets]
+      verbs: [list,watch]
   -   apiGroups: [""]
       resources: [secrets]
       verbs: [get, create, update, delete, patch]
@@ -29,10 +32,13 @@ rules:
       verbs: [get]
   -   apiGroups: [""]
       resources: [namespaces]
-      verbs: [get,list]
+      verbs: [get,list,watch]
   -   apiGroups: [""]
       resources: [events]
       verbs: [create]
+  -   apiGroups: [apiextensions.k8s.io]
+      resources: [customresourcedefinitions]
+      verbs: [list,watch]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/deploy/templates/service-setup.yaml b/deploy/templates/service-setup.yaml
@@ -2,150 +2,137 @@
 # upgraded. This Job pulls in an image with configuration to load into
 # the F+ services which is specific to deployment decisions made by ACS.
 apiVersion: batch/v1
-kind: Job
+kind: CronJob
 metadata:
   namespace: {{ .Release.Namespace }}
   # Give the job a random id so helm reruns it on helm upgrade.
-  name: service-setup-{{ randAlphaNum 8 | lower }}
+  name: service-setup
 spec:
-  backoffLimit: 9999
-  template:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  schedule: "*/5 * * * *"  # Runs every 5 minutes
+  jobTemplate:
     spec:
-      serviceAccountName: service-setup
-      restartPolicy: OnFailure
-      volumes:
-        - name: git-checkouts
-          emptyDir: { }
-        - name: manager-keytab
-          secret:
-            secretName: manager-keytab
-        - name: krb5-conf
-          configMap:
-            name: krb5-conf
-        - name: manager-ccache-storage
-          emptyDir: { }
-      initContainers:
-        - name: service-setup
-{{ include "amrc-connectivity-stack.image" (list . .Values.serviceSetup) | indent 10 }}
-          env:
-            - name: DIRECTORY_URL
-              value: http://directory.{{ .Release.Namespace }}.svc.cluster.local
-            - name: SERVICE_USERNAME
-              value: admin
-            - name: SERVICE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: admin-password
-                  key: password
-            - name: VERBOSE
-              value: ALL,!token,!service
-            - name: GIT_CHECKOUTS
-              value: /data
-            - name: SS_CONFIG
-              value: {{ .Values.serviceSetup.config | toRawJson | quote }}
-            - name: ACS_CONFIG
-              value: {{
-                dict
-                  "organisation"    .Values.acs.organisation
-                  "namespace"       .Release.Namespace
-                  "domain"          .Values.acs.baseUrl
-                  "k8sdomain"       "cluster.local"
-                  "secure"          (.Values.acs.secure | ternary "s" "")
-                  "realm"           .Values.identity.realm
-                  "directory"
-                    (include "amrc-connectivity-stack.external-url" 
-                      (list . "directory"))
-                | toRawJson | quote }}
-          volumeMounts:
-            - mountPath: /data
-              name: git-checkouts
-        - name: edge-helm-charts
-{{ include "amrc-connectivity-stack.image" (list . .Values.edgeHelm) | indent 10 }}
-          env:
-            - name: DIRECTORY_URL
-              value: http://directory.{{ .Release.Namespace }}.svc.cluster.local
-            - name: SERVICE_USERNAME
-              value: admin
-            - name: SERVICE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: admin-password
-                  key: password
-            - name: VERBOSE
-              value: ALL,!token,!service
-            - name: GIT_REPO_PATH
-              value: {{ .Values.edgeHelm.repoPath }}
-        - name: manager
-          image: "{{ include "amrc-connectivity-stack.image-name" (list . .Values.manager ) }}-backend"
-          imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
-          command: 
-              - /bin/sh
-              - "-c"
-              - |
-                php artisan migrate --force
-                php artisan connections:register
-          env:
-            - name: KRB5_CONFIG
-              value: /config/krb5-conf/krb5.conf
-            - name: MINIO_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: manager-minio-secret
-                  key: CONSOLE_ACCESS_KEY
-            - name: MINIO_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: manager-minio-secret
-                  key: CONSOLE_SECRET_KEY
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: manager-database-secret
-                  key: postgres-password
-            - name: SERVICE_USERNAME
-              value: admin
-            - name: SERVICE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: admin-password
-                  key: password
-            - name: LOG_LEVEL
-              value: debug
-          envFrom:
-            - configMapRef:
-                name: manager-config
-            - secretRef:
-                name: manager-secrets
-          volumeMounts:
-            - mountPath: /config/keytab
-              name: manager-keytab
-            - mountPath: /config/krb5-conf
-              name: krb5-conf
-            - mountPath: /app/storage/ccache
-              name: manager-ccache-storage
-      containers:
-        - name: restart-mqtt
-          image: bitnami/kubectl:latest
-          command:
-            - /bin/sh
-            - -c
-            - |
-              DEPLOYMENT_NAME=mqtt
-              NAMESPACE={{.Release.Namespace}}
-
-              echo "Attempting to restart deployment: $DEPLOYMENT_NAME"
-
-              # Try to rollout restart the deployment
-              kubectl rollout restart deployment/$DEPLOYMENT_NAME -n $NAMESPACE
-
-              # Wait and check rollout status
-              if kubectl rollout status deployment/$DEPLOYMENT_NAME -n $NAMESPACE --timeout=60s; then
-                echo "Deployment restarted successfully!"
-                exit 0  # Exit successfully, no pod restart needed
-              else
-                echo "Deployment restart failed, retrying..."
-                exit 1  # Exit with error, pod will restart
-              fi
+      template:
+        spec:
+          serviceAccountName: service-setup
+          restartPolicy: OnFailure
+          volumes:
+            - name: git-checkouts
+              emptyDir: { }
+            - name: manager-keytab
+              secret:
+                secretName: manager-keytab
+            - name: krb5-conf
+              configMap:
+                name: krb5-conf
+            - name: manager-ccache-storage
+              emptyDir: { }
+          initContainers:
+            - name: service-setup
+{{ include "amrc-connectivity-stack.image" (list . .Values.serviceSetup) | indent 14 }}
+              env:
+                - name: DIRECTORY_URL
+                  value: http://directory.{{ .Release.Namespace }}.svc.cluster.local
+                - name: SERVICE_USERNAME
+                  value: admin
+                - name: SERVICE_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: admin-password
+                      key: password
+                - name: VERBOSE
+                  value: ALL,!token,!service
+                - name: GIT_CHECKOUTS
+                  value: /data
+                - name: SS_CONFIG
+                  value: {{ .Values.serviceSetup.config | toRawJson | quote }}
+                - name: ACS_CONFIG
+                  value: {{
+                        dict
+                           "organisation"    .Values.acs.organisation
+                           "namespace"       .Release.Namespace
+                           "domain"          .Values.acs.baseUrl
+                           "k8sdomain"       "cluster.local"
+                           "secure"          (.Values.acs.secure | ternary "s" "")
+                           "realm"           .Values.identity.realm
+                           "directory"
+                             (include "amrc-connectivity-stack.external-url"
+                               (list . "directory"))
+                         | toRawJson | quote }}
+              volumeMounts:
+                - mountPath: /data
+                  name: git-checkouts
+            - name: edge-helm-charts
+{{ include "amrc-connectivity-stack.image" (list . .Values.edgeHelm) | indent 14 }}
+              env:
+                - name: DIRECTORY_URL
+                  value: http://directory.{{ .Release.Namespace }}.svc.cluster.local
+                - name: SERVICE_USERNAME
+                  value: admin
+                - name: SERVICE_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: admin-password
+                      key: password
+                - name: VERBOSE
+                  value: ALL,!token,!service
+                - name: GIT_REPO_PATH
+                  value: {{ .Values.edgeHelm.repoPath }}
+            - name: manager
+              image: "{{ include "amrc-connectivity-stack.image-name" (list . .Values.manager ) }}-backend"
+              imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
+              command:
+                - /bin/sh
+                - "-c"
+                - |
+                  php artisan migrate --force
+                  php artisan connections:register
+              env:
+                - name: KRB5_CONFIG
+                  value: /config/krb5-conf/krb5.conf
+                - name: MINIO_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: manager-minio-secret
+                      key: CONSOLE_ACCESS_KEY
+                - name: MINIO_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: manager-minio-secret
+                      key: CONSOLE_SECRET_KEY
+                - name: DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: manager-database-secret
+                      key: postgres-password
+                - name: SERVICE_USERNAME
+                  value: admin
+                - name: SERVICE_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: admin-password
+                      key: password
+                - name: LOG_LEVEL
+                  value: debug
+              envFrom:
+                - configMapRef:
+                    name: manager-config
+                - secretRef:
+                    name: manager-secrets
+              volumeMounts:
+                - mountPath: /config/keytab
+                  name: manager-keytab
+                - mountPath: /config/krb5-conf
+                  name: krb5-conf
+                - mountPath: /app/storage/ccache
+                  name: manager-ccache-storage
+          containers:
+          # We need a do-nothing container to keep k8s happy
+          - name: done
+{{ include "amrc-connectivity-stack.image" (list . .Values.shell) | indent 12 }}
+            command: [ "/bin/true" ]
 ---
 
 apiVersion: v1

diff --git a/hivemq-krb/src/main/java/uk/co/amrc/factoryplus/FPAuth.java b/hivemq-krb/src/main/java/uk/co/amrc/factoryplus/FPAuth.java
@@ -6,24 +6,16 @@
 
 package uk.co.amrc.factoryplus;
 
-import java.net.*;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
-import java.util.UUID;
+import java.util.*;
 import java.util.stream.Stream;
-import java.util.stream.Collectors;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.json.*;
 
-import io.reactivex.rxjava3.schedulers.Schedulers;
 import io.reactivex.rxjava3.core.*;
 
-import uk.co.amrc.factoryplus.http.*;
-
 /**
  * Authentication service.
  *
@@ -34,12 +26,19 @@
 public class FPAuth {
     private static final Logger log = LoggerFactory.getLogger(FPAuth.class);
     private static final UUID SERVICE = FPUuid.Service.Authentication;
-
-    private FPServiceClient fplus;
-
+    private final FPServiceClient fplus;
+    private final RequestCache<String, JSONArray> cache;
     public FPAuth (FPServiceClient fplus)
     {
         this.fplus = fplus;
+        this.cache = new RequestCache<>(5, this::getACL);
+    }
+
+    public Single<Stream<Map>> getOrFetchAcl(String principal){
+        return this.cache.getOrFetch(principal)
+                .map(acl -> acl.toList().stream()
+                .filter(o -> o instanceof Map)
+                .map(o -> (Map)o));
     }
 
     /**
@@ -53,25 +52,19 @@ public FPAuth (FPServiceClient fplus)
      * permission group.
      *
      * @param princ The principal to fetch permissions for.
-     * @param perms The permission group to fetch.
-     * @return A stream of maps represnting the granted permissions.
+     * @return A stream of maps representing the granted permissions.
      */
-    public Single<Stream<Map>> getACL (String princ, UUID perms)
+    public Single<JSONArray> getACL (String princ)
     {
         //FPThreadUtil.logId("fetching acl");
         return fplus.http().request(SERVICE, "GET")
             .withURIBuilder(b -> b
-                .appendPath("authz/acl")
-                .setParameter("principal", princ)
-                .setParameter("permission", perms.toString()))
+                .appendPath("v2/acl/kerberos/" + princ))
             .fetch()
             .map(res -> res.ifOk()
                 .flatMap(r -> r.getBodyArray())
                 .orElseThrow(() -> new FPServiceException(SERVICE, 
                     res.getCode(), "Can't fetch ACL")))
-            .doOnSuccess(acl -> log.info("F+ ACL [{}]: {}", princ, acl))
-            .map(acl -> acl.toList().stream()
-                .filter(o -> o instanceof Map)
-                .map(o -> (Map)o));
+            .doOnSuccess(acl -> log.info("F+ ACL [{}]: {}", princ, acl));
     }
 }