hydra bootstraping

This commit is contained in:
plm
2024-12-02 13:20:11 +01:00
parent fd81d1b020
commit 324f0f6828
40 changed files with 3184 additions and 4 deletions


@@ -0,0 +1,229 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "hydra.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "hydra.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "hydra.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Ensure there is always a way to track down source of the deployment.
It is unlikely AppVersion will be missing, but we will fallback on the
chart's version in that case.
*/}}
{{- define "hydra.version" -}}
{{- if .Chart.AppVersion }}
{{- .Chart.AppVersion -}}
{{- else -}}
{{- printf "v%s" .Chart.Version -}}
{{- end -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "hydra.labels" -}}
"app.kubernetes.io/name": {{ include "hydra.name" . | quote }}
"app.kubernetes.io/instance": {{ .Release.Name | quote }}
"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
"helm.sh/chart": {{ include "hydra.chart" . | quote }}
{{- if $.Values.watcher.enabled }}
{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "hydra.name" .) }}
{{- end }}
{{- end -}}
{{/*
Generate the dsn value
*/}}
{{- define "hydra.dsn" -}}
{{- if .Values.demo -}}
memory
{{- else if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
dsn-loaded-from-env
{{- else if not (empty (.Values.hydra.config.dsn)) -}}
{{- .Values.hydra.config.dsn }}
{{- end -}}
{{- end -}}
{{/*
Generate the name of the secret resource containing secrets
*/}}
{{- define "hydra.secretname" -}}
{{- if .Values.secret.nameOverride -}}
{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ include "hydra.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Generate the secrets.system value
*/}}
{{- define "hydra.secrets.system" -}}
{{- if (.Values.hydra.config.secrets).system -}}
{{- if kindIs "slice" .Values.hydra.config.secrets.system -}}
{{- if gt (len .Values.hydra.config.secrets.system) 1 -}}
"{{- join "\",\"" .Values.hydra.config.secrets.system -}}"
{{- else -}}
{{- join "" .Values.hydra.config.secrets.system -}}
{{- end -}}
{{- else -}}
{{- fail "Expected hydra.config.secrets.system to be a list of strings" -}}
{{- end -}}
{{- else if .Values.demo -}}
a-very-insecure-secret-for-checking-out-the-demo
{{- end -}}
{{- end -}}
{{/*
Generate the secrets.cookie value
*/}}
{{- define "hydra.secrets.cookie" -}}
{{- if (.Values.hydra.config.secrets).cookie -}}
{{- if kindIs "slice" .Values.hydra.config.secrets.cookie -}}
{{- if gt (len .Values.hydra.config.secrets.cookie) 1 -}}
"{{- join "\",\"" .Values.hydra.config.secrets.cookie -}}"
{{- else -}}
{{- join "" .Values.hydra.config.secrets.cookie -}}
{{- end -}}
{{- else -}}
{{- fail "Expected hydra.config.secrets.cookie to be a list of strings" -}}
{{- end -}}
{{- else -}}
{{- include "hydra.secrets.system" . }}
{{- end -}}
{{- end -}}
{{/*
Generate the configmap data, redacting secrets
*/}}
{{- define "hydra.configmap" -}}
{{- $config := omit .Values.hydra.config "dsn" "secrets" -}}
{{- tpl (toYaml $config) . -}}
{{- end -}}
{{/*
Generate the urls.issuer value
*/}}
{{- define "hydra.config.urls.issuer" -}}
{{- if .Values.hydra.config.urls.self.issuer -}}
{{- .Values.hydra.config.urls.self.issuer }}
{{- else if .Values.ingress.public.enabled -}}
{{- $host := index .Values.ingress.public.hosts 0 -}}
http{{ if $.Values.ingress.public.tls }}s{{ end }}://{{ $host.host }}
{{- else if contains "ClusterIP" .Values.service.public.type -}}
http://127.0.0.1:{{ .Values.service.public.port }}/
{{- end -}}
{{- end -}}
{{/*
Check overrides consistency
*/}}
{{- define "hydra.check.override.consistency" -}}
{{- if and .Values.maester.enabled .Values.fullnameOverride -}}
{{- if not .Values.maester.hydraFullnameOverride -}}
{{ fail "hydra fullname has been overridden, but the new value has not been provided to maester. Set maester.hydraFullnameOverride" }}
{{- else if not (eq .Values.maester.hydraFullnameOverride .Values.fullnameOverride) -}}
{{ fail (tpl "hydra fullname has been overridden, but a different value was provided to maester. {{ .Values.maester.hydraFullnameOverride }} different of {{ .Values.fullnameOverride }}" . ) }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "hydra.utils.joinListWithComma" -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "hydra.serviceAccountName" -}}
{{- if .Values.deployment.serviceAccount.create }}
{{- default (include "hydra.fullname" .) .Values.deployment.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.deployment.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "hydra.job.serviceAccountName" -}}
{{- if .Values.job.serviceAccount.create }}
{{- printf "%s-job" (default (include "hydra.fullname" .) .Values.job.serviceAccount.name) }}
{{- else }}
{{- include "hydra.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "hydra.cronjob.janitor.serviceAccountName" -}}
{{- if .Values.cronjob.janitor.serviceAccount.create }}
{{- printf "%s-cronjob-janitor" (default (include "hydra.fullname" .) .Values.cronjob.janitor.serviceAccount.name) }}
{{- else }}
{{- include "hydra.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Checksum annotations generated from configmaps and secrets
*/}}
{{- define "hydra.annotations.checksum" -}}
{{- if .Values.configmap.hashSumEnabled }}
checksum/hydra-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
checksum/hydra-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{/*
Check the migration type value and fail if unexpected
*/}}
{{- define "hydra.automigration.typeVerification" -}}
{{- if and .Values.hydra.automigration.enabled .Values.hydra.automigration.type }}
{{- if and (ne .Values.hydra.automigration.type "initContainer") (ne .Values.hydra.automigration.type "job") }}
{{- fail "hydra.automigration.type must be either 'initContainer' or 'job'" -}}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels for the janitor cron job
*/}}
{{- define "hydra.janitor.labels" -}}
"app.kubernetes.io/name": {{ printf "%s-janitor" (include "hydra.name" .) | quote }}
"app.kubernetes.io/instance": {{ .Release.Name | quote }}
"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
"app.kubernetes.io/component": janitor
"helm.sh/chart": {{ include "hydra.chart" . | quote }}
{{- end -}}
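Review bot: `hydra.config.urls.issuer` derives the OAuth2 issuer from the first public ingress host and emits a plain `http://` scheme whenever `ingress.public.tls` is empty, so an ingress without a TLS block silently advertises a non-TLS issuer to every client and is then hard to change later (the issuer is baked into tokens and discovery). I would either fail the render in that branch, e.g. `{{- if not .Values.ingress.public.tls }}{{ fail "set ingress.public.tls, or set hydra.config.urls.self.issuer explicitly" }}{{ end }}`, or at minimum add a comment above the define that the fallback is insecure and meant for `demo`. The same branch does `index .Values.ingress.public.hosts 0`, which aborts the render with an index-out-of-range error when `hosts` is an empty list, so that case deserves its own clear `fail` message as well.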


@@ -0,0 +1,18 @@
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "hydra.fullname" . }}-migrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
data:
"hydra.yaml": |
{{- include "hydra.configmap" . | nindent 4 }}
{{- end }}


@@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "hydra.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
data:
"hydra.yaml": |
{{- include "hydra.configmap" . | nindent 4 }}
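Review bot: The ConfigMap body comes from `hydra.configmap`, which only strips the `dsn` and `secrets` keys from `hydra.config`; any other sensitive setting an operator places under `hydra.config` (a pairwise subject salt, TLS or SMTP material, client credentials) is rendered into this plaintext, world-readable-to-the-namespace ConfigMap. That contract is not stated anywhere in the template, so I would add a comment above `data:` such as `# only dsn and secrets are redacted; put every other credential in the Secret or in extraEnv, never under hydra.config`, and consider extending the `omit` list in the helper as further sensitive keys are identified.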


@@ -0,0 +1,77 @@
{{- if .Values.watcher.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.watcher.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.watcher.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
serviceAccountName: {{ include "hydra.serviceAccountName" . }}-watcher
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: watcher
{{- with .Values.watcher.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: {{ .Values.watcher.image }}
command:
- /bin/bash
- -c
- |
{{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
env:
- name: NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: WATCH_FILE
value: {{ .Values.watcher.mountFile | quote }}
- name: LABEL_SELECTOR
value: '{{ $.Values.watcher.watchLabelKey }}={{ include "hydra.name" . }}'
resources:
{{- toYaml .Values.watcher.resources | nindent 12 }}
volumeMounts:
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.watcher.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
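Review bot: The watcher container mounts `.Values.deployment.extraVolumeMounts` and `.Values.deployment.extraVolumes`, i.e. exactly the extra volumes given to the main hydra Deployment, so any Secret or credential volume an operator attaches to hydra is also exposed to this sidecar, which only needs the file named by `watcher.mountFile`; a dedicated `watcher.extraVolumes`/`watcher.extraVolumeMounts` pair would keep it to least privilege. This matters because, per the RBAC added in the same commit, the watcher's service account can patch and update the hydra Deployment, so a compromised watcher can rewrite the OAuth2 server's pod spec. `image: {{ .Values.watcher.image }}` is also unquoted and the container runs `/bin/bash -c` over `files/watch.sh`, which is not shown here; I would render it as `image: {{ .Values.watcher.image | quote }}` and note in values that the image should be pinned by digest.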


@@ -0,0 +1,236 @@
{{- include "hydra.automigration.typeVerification" . -}}
{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.deployment.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
strategy:
{{- toYaml .Values.deployment.strategy | nindent 4 }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
{{- include "hydra.labels" . | nindent 8 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- include "hydra.annotations.checksum" . | nindent 8 -}}
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "hydra.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: {{- toYaml .Values.hydra.command | nindent 12 }}
{{- if .Values.hydra.customArgs }}
args: {{- toYaml .Values.hydra.customArgs | nindent 12 }}
{{- else }}
args:
- serve
- all
{{- if .Values.hydra.dev }}
- "--dev"
{{- end }}
- --config
- /etc/config/hydra.yaml
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: http-public
containerPort: {{ .Values.hydra.config.serve.public.port }}
protocol: TCP
- name: http-admin
containerPort: {{ .Values.hydra.config.serve.admin.port }}
protocol: TCP
{{- if .Values.deployment.customLivenessProbe }}
livenessProbe:
{{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
{{- end }}
readinessProbe:
{{- if .Values.deployment.customReadinessProbe }}
{{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/alive
port: {{ .Values.hydra.config.serve.admin.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.readinessProbe | nindent 12 }}
{{- end }}
startupProbe:
{{- if .Values.deployment.customStartupProbe }}
{{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/ready
port: {{ .Values.hydra.config.serve.admin.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.startupProbe | nindent 12 }}
{{- end }}
env:
{{- $issuer := include "hydra.config.urls.issuer" . -}}
{{- if $issuer }}
- name: URLS_SELF_ISSUER
value: {{ $issuer | quote }}
{{- end }}
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
- name: SECRETS_SYSTEM
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: secretsSystem
- name: SECRETS_COOKIE
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: secretsCookie
{{- if .Values.deployment.extraEnv }}
{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.deployment.resources | nindent 12 }}
{{- if .Values.deployment.securityContext }}
securityContext:
{{- toYaml .Values.deployment.securityContext | nindent 12 }}
{{- end }}
lifecycle:
{{- toYaml .Values.deployment.lifecycle | nindent 12 }}
{{- if .Values.deployment.extraContainers }}
{{- tpl .Values.deployment.extraContainers . | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.deployment.extraInitContainers }}
{{- tpl .Values.deployment.extraInitContainers . | nindent 8 }}
{{- end }}
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }}
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.hydra.automigration.customCommand }}
command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.hydra.automigration.customArgs }}
args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }}
{{- else }}
args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if $migrationExtraEnv }}
{{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
{{- end }}
{{- if .Values.hydra.automigration.resources }}
resources:
{{- toYaml .Values.hydra.automigration.resources | nindent 12 }}
{{- end }}
{{- with .Values.deployment.initContainerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- with .Values.deployment.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
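Review bot: `{{- if .Values.hydra.dev }}` appends `--dev` to the serve arguments with nothing in the template warning about it; Hydra's `--dev` flag is meant for local development and, as far as I recall its documentation, relaxes security checks such as HTTPS enforcement, so it should at least carry a comment at that line and ideally a render-time guard like `{{- if and .Values.hydra.dev (not .Values.demo) }}{{ fail "hydra.dev is only supported together with demo=true" }}{{ end }}`. Separately, when `secret.enabled` is false and `secret.nameOverride` is set, `hydra.dsn` renders the placeholder `dsn-loaded-from-env`, so the `DSN`, `SECRETS_SYSTEM` and `SECRETS_COOKIE` env vars are all read from the operator-supplied Secret under the keys `dsn`, `secretsSystem` and `secretsCookie`; that key contract is implicit and deserves a comment above `env:` so an externally managed secret is created with the right keys.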


@@ -0,0 +1,36 @@
{{- if .Values.deployment.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ include "hydra.fullname" . }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
spec:
{{- with .Values.deployment.autoscaling.behavior }}
behavior: {{- toYaml . | nindent 4 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "hydra.fullname" . }}
minReplicas: {{ .Values.deployment.autoscaling.minReplicas }}
maxReplicas: {{ .Values.deployment.autoscaling.maxReplicas }}
metrics:
{{- with .Values.deployment.autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.autoscaling.targetCPU}}
- type: Resource
resource:
name: cpu
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -0,0 +1,54 @@
{{- if .Values.ingress.admin.enabled -}}
{{- $fullName := include "hydra.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.ingress.admin.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.admin.className }}
{{- if .Values.ingress.admin.tls }}
tls:
{{- range .Values.ingress.admin.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.admin.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-admin
port:
name: {{ $.Values.service.admin.name }}
{{- else }}
serviceName: {{ $fullName }}-admin
servicePort: {{ $.Values.service.admin.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
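Review bot: This Ingress publishes the Hydra admin service (`-admin`) with no authentication expressed anywhere in the template, and Hydra's admin API is unauthenticated by design, so anyone who can reach the ingress host can create OAuth2 clients, accept consent and read keys. Unless `ingress.admin.enabled` defaults to false in values, I would add a comment at the top of the file stating that enabling it requires an authenticating proxy or network restriction in front of it, e.g. `# WARNING: the admin API has no auth of its own; only enable behind an auth proxy / NetworkPolicy`. The `tls` block is optional as well, so an enabled admin ingress can also be plain HTTP; consider failing when `ingress.admin.enabled` is true and `ingress.admin.tls` is empty.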


@@ -0,0 +1,54 @@
{{- if or .Values.ingress.public.enabled .Values.demo -}}
{{- $fullName := include "hydra.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-public
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.ingress.public.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.public.className }}
{{- if .Values.ingress.public.tls }}
tls:
{{- range .Values.ingress.public.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.public.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-public
port:
name: {{ $.Values.service.public.name }}
{{- else }}
serviceName: {{ $fullName }}-public
servicePort: {{ $.Values.service.public.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,17 @@
{{- if .Values.cronjob.janitor.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.cronjob.janitor.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}


@@ -0,0 +1,137 @@
{{- if .Values.janitor.enabled -}}
{{- $janitorExtraEnv := ternary .Values.cronjob.janitor.extraEnv .Values.deployment.extraEnv (not (empty .Values.cronjob.janitor.extraEnv )) -}}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ include "hydra.fullname" . }}-janitor
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.janitor.labels" . | nindent 4 }}
{{- with .Values.cronjob.janitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.cronjob.janitor.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.cronjob.janitor.schedule | quote }}
jobTemplate:
spec:
template:
metadata:
labels:
{{- include "hydra.janitor.labels" . | nindent 12 }}
{{- with .Values.cronjob.janitor.labels }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.podMetadata.labels }}
{{- toYaml . | nindent 12 }}
{{- end }}
annotations:
{{- include "hydra.annotations.checksum" . | nindent 12 -}}
{{- with .Values.cronjob.janitor.annotations }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with $.Values.cronjob.janitor.podMetadata.annotations }}
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
restartPolicy: OnFailure
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 12 }}
{{- end }}
serviceAccountName: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.cronjob.janitor.automountServiceAccountToken }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}
{{- if .Values.cronjob.janitor.extraVolumes }}
{{- toYaml .Values.cronjob.janitor.extraVolumes | nindent 12 }}
{{- end }}
containers:
- name: janitor
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.cronjob.janitor.securityContext }}
securityContext:
{{- toYaml . | nindent 16 }}
{{- end }}
{{- if .Values.cronjob.janitor.customCommand }}
command: {{- toYaml .Values.cronjob.janitor.customCommand | nindent 14 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.cronjob.janitor.customArgs }}
args: {{- toYaml .Values.cronjob.janitor.customArgs | nindent 14 }}
{{- else }}
args:
- janitor
{{- if .Values.janitor.cleanupGrants }}
- --grants
{{- end }}
{{- if .Values.janitor.cleanupRequests }}
- --requests
{{- end }}
{{- if .Values.janitor.cleanupTokens }}
- --tokens
{{- end }}
- --batch-size
- {{ .Values.janitor.batchSize | quote }}
- --limit
- {{ .Values.janitor.limit | quote }}
- --config
- /etc/config/hydra.yaml
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $janitorExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $janitorExtraEnv }}
{{- toYaml . | nindent 16 }}
{{- end }}
resources:
{{- toYaml .Values.cronjob.janitor.resources | nindent 16 }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.cronjob.janitor.extraVolumeMounts }}
{{- toYaml .Values.cronjob.janitor.extraVolumeMounts | nindent 16 }}
{{- end }}
{{- if .Values.cronjob.janitor.extraContainers }}
{{- tpl .Values.cronjob.janitor.extraContainers . | nindent 12 }}
{{- end }}
{{- if .Values.cronjob.janitor.extraInitContainers }}
initContainers:
{{- tpl .Values.cronjob.janitor.extraInitContainers . | nindent 10 }}
{{- end }}
{{- with .Values.cronjob.janitor.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.tolerations }}
tolerations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.affinity }}
affinity:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
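Review bot: `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` in the janitor container drops the `| default .Chart.AppVersion` fallback the main Deployment uses, so a values file that leaves `image.tag` empty renders `repo:` here and the CronJob fails to pull; use `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"`. The extra env is also emitted with `toYaml` where the Deployment runs it through `tpl`, so templated env values render differently in the two workloads. Finally, `$janitorExtraEnv` falls back to the whole of `deployment.extraEnv` when `cronjob.janitor.extraEnv` is unset, which hands every secret-backed env var of the main app to a job that only needs `DSN`; a comment on that line, or an empty default instead of inheritance, would make the exposure deliberate.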


@@ -0,0 +1,125 @@
{{- include "hydra.automigration.typeVerification" . -}}
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
{{- $resources := ternary .Values.job.resources .Values.hydra.automigration.resources (not (empty .Values.job.resources)) -}}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "hydra.fullname" . }}-automigrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.job.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.fullname" . }}-automigrate
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.job.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "hydra.job.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
containers:
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.hydra.automigration.customCommand }}
command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 10 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.hydra.automigration.customArgs }}
args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 10 }}
{{- else }}
args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $migrationExtraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
lifecycle:
{{- if .Values.job.lifecycle }}
{{- tpl .Values.job.lifecycle . | nindent 10 }}
{{- end }}
{{- with .Values.deployment.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with $resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 10 }}
{{- end }}
{{- if .Values.job.extraContainers }}
{{- tpl .Values.job.extraContainers . | nindent 6 }}
{{- end }}
{{- if .Values.job.extraInitContainers }}
initContainers:
{{- tpl .Values.job.extraInitContainers . | nindent 8 }}
{{- end }}
restartPolicy: Never
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}-migrate
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
backoffLimit: {{ .Values.job.spec.backoffLimit }}
{{- end }}
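Review bot: The migration Job carries no `helm.sh/hook` annotations of its own (only `job.annotations` is copied in), while its ConfigMap is a `pre-install, pre-upgrade` hook with `before-hook-creation` delete policy; unless the values file supplies the same hook annotations, the second `helm upgrade` tries to update a completed Job whose pod template is immutable and the upgrade fails. I would render the hook annotations directly in this template so the Job and its ConfigMap agree by construction: `helm.sh/hook: "pre-install, pre-upgrade"`, `helm.sh/hook-weight: "1"`, `helm.sh/hook-delete-policy: "before-hook-creation"`. Two smaller points: `image.tag` is again used without the `| default .Chart.AppVersion` fallback the Deployment has, and `shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}` is passed through unconditionally, which lets any `job.extraContainers` inspect and signal the migration process holding the DSN; it should default to false with a comment explaining when it is needed.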


@@ -0,0 +1,17 @@
{{- if .Values.job.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.job.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.job.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}


@@ -0,0 +1,18 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "hydra.fullname" . }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}
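Review bot: The PodDisruptionBudget is the only resource in this commit whose `metadata` has neither the `namespace:` stanza nor the common `labels:` every other template renders, which breaks consistency for anyone applying `helm template` output outside `helm install` and leaves the PDB without the `helm.sh/chart`/`app.kubernetes.io/*` labels used for selection elsewhere. Add `{{- if .Release.Namespace }}` / `namespace: {{ .Release.Namespace }}` / `{{- end }}` and `labels:` followed by `{{- include "hydra.labels" . | nindent 4 }}` under `metadata:` as the other files do.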


@@ -0,0 +1,53 @@
{{- if .Values.watcher.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.serviceAccountName" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "hydra.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- list
- watch
- get
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- get
- list
- patch
- update
- watch
resourceNames:
- {{ include "hydra.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "hydra.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "hydra.fullname" . }}-watcher
subjects:
- kind: ServiceAccount
name: {{ include "hydra.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
{{- end }}
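Review bot: The RoleBinding subject names the ServiceAccount `{{ include "hydra.fullname" . }}-watcher`, but the ServiceAccount created just above and the watcher pod both use `{{ include "hydra.serviceAccountName" . }}-watcher`; the two only coincide when `deployment.serviceAccount.create` is true and `deployment.serviceAccount.name` is unset, otherwise the binding points at an account that does not exist and the watcher silently has no permissions (and with `create: false` the pod references `default-watcher`). Use one name throughout, e.g. `name: {{ include "hydra.serviceAccountName" . }}-watcher` in the subject, or better introduce a `hydra.watcher.serviceAccountName` helper mirroring the job/cronjob ones. The first rule grants get/list/watch on every Deployment in the namespace, which is what a label-selector watch requires since `resourceNames` cannot scope list/watch, but a comment saying so would stop the next reviewer from "tightening" it; the Role's `namespace:` line also lacks the `{{- if .Release.Namespace }}` guard used everywhere else.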


@@ -0,0 +1,17 @@
{{- if .Values.deployment.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.deployment.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end }}


@@ -0,0 +1,21 @@
{{- if .Values.secret.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "hydra.secretname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
annotations:
{{- with .Values.secret.secretAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
data:
# Generate a random secret if the user doesn't give one. User given password has priority
secretsSystem: {{ ( include "hydra.secrets.system" . | default ( randAlphaNum 32 )) | required "Value secrets.system can not be empty!" | b64enc | quote }}
secretsCookie: {{ ( include "hydra.secrets.cookie" . | default ( randAlphaNum 32 )) | required "Value secrets.cookie can not be empty!" | b64enc | quote }}
dsn: {{ include "hydra.dsn" . | b64enc | quote }}
{{- end -}}
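Review bot: The `required` checks on `secretsSystem` and `secretsCookie` can never fire, because `default (randAlphaNum 32)` runs first and always yields a non-empty value; either drop `required` or apply it before `default` if an explicitly empty value should be an error. Unless `hydra.secrets.system` and `hydra.secrets.cookie` (defined outside this hunk) already look up the existing Secret, every `helm upgrade` without user-supplied values re-renders `randAlphaNum 32` and rotates both secrets, which will likely invalidate existing sessions and anything encrypted under the previous system secret; a `lookup "v1" "Secret" .Release.Namespace (include "hydra.secretname" .)` fallback or a `helm.sh/resource-policy: keep` annotation would make the generated values stable across upgrades. The bare `annotations:` key is also emitted even when `secretAnnotations` is empty, rendering `annotations: null`; moving it inside the `with` block, as the ServiceAccount templates in this commit do, avoids that.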


@@ -0,0 +1,71 @@
{{- if .Values.service.admin.enabled -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "hydra.fullname" . }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.service.admin.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: admin
annotations:
{{- with .Values.service.admin.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.admin.type }}
{{- if eq .Values.service.admin.type "LoadBalancer" }}
{{- with .Values.service.admin.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.admin.port }}
targetPort: http-admin
protocol: TCP
name: {{ .Values.service.admin.name }}
selector:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "hydra.fullname" . }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: admin
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.admin.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- path: {{ .Values.service.admin.metricsPath }}
port: {{ .Values.service.admin.name }}
scheme: {{ .Values.serviceMonitor.scheme }}
interval: {{ .Values.serviceMonitor.scrapeInterval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: admin
{{- end -}}
{{- end }}
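Review bot: The ServiceMonitor copies `.Values.service.admin.annotations` onto its own metadata, which looks like a copy-paste from the Service above; Service annotations (load-balancer or ingress hints) are unlikely to be meaningful on a ServiceMonitor, so this should probably read a `serviceMonitor.annotations` value or be dropped. The `LoadBalancer` branch renders only `loadBalancerIP`; since this Service fronts the Hydra admin API, consider also rendering `loadBalancerSourceRanges` from values inside that branch so operators can restrict where the admin endpoint is reachable from, and the public Service in the next hunk has the same branch shape. The trailing `{{- end -}}` / `{{- end }}` pair trims whitespace inconsistently and the inner `-}}` may swallow the final newline before the outer `end`; the other templates in this commit use a single form.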


@@ -0,0 +1,33 @@
{{- if .Values.service.public.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "hydra.fullname" . }}-public
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.service.public.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.service.public.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.public.type }}
{{- if eq .Values.service.public.type "LoadBalancer" }}
{{- with .Values.service.public.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.public.port }}
targetPort: http-public
protocol: TCP
name: {{ .Values.service.public.name }}
selector:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "hydra.fullname" . }}-test-connection"
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.test.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: healthcheck-ready
image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
command: ['wget']
args: ['{{ include "hydra.fullname" . }}-admin:{{ .Values.service.admin.port }}/health/ready']
restartPolicy: Never
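Review bot: The test Pod does not set `automountServiceAccountToken: false` in its spec, so it runs under the namespace's default ServiceAccount with an API token mounted even though it only executes `wget`; every ServiceAccount in this commit disables automount, so adding `automountServiceAccountToken: false` next to `restartPolicy: Never` keeps the test consistent with that posture. The `helm.sh/hook: test-success` value is the older spelling that Helm 3 documents as a deprecated alias of `test`. The probe is a plain-http `wget` against `<fullname>-admin:<admin port>/health/ready`, so it will fail if the admin listener is configured for TLS; that assumption deserves a comment such as `# assumes the admin listener serves plain HTTP` or a values-driven scheme.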