command
This commit is contained in:
60
utils/assets/templates/oc-auth/deployment.yaml
Normal file
60
utils/assets/templates/oc-auth/deployment.yaml
Normal file
@@ -0,0 +1,60 @@
|
||||
{{- if .Values.ocAuth.enabled }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: oc-auth
|
||||
name: {{ .Release.Name }}-oc-auth
|
||||
spec:
|
||||
replicas: {{ .Values.ocAuth.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: oc-auth
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: oc-auth
|
||||
spec:
|
||||
volumes:
|
||||
- name: public-key-volume
|
||||
secret:
|
||||
secretName: public-key-secret
|
||||
- name: private-key-volume
|
||||
secret:
|
||||
secretName: private-key-secret
|
||||
{{- if or (eq .Values.env "prod") (eq .Values.env "staging") }}
|
||||
imagePullSecrets:
|
||||
- name: regcred
|
||||
{{- end }}
|
||||
containers:
|
||||
- image: "{{ .Values.ocAuth.image }}"
|
||||
name: oc-auth
|
||||
#command: ["tail", "-f", "/dev/null"]
|
||||
volumeMounts:
|
||||
- name: public-key-volume
|
||||
mountPath: /keys/public/public.pem
|
||||
subPath: public.pem
|
||||
- name: private-key-volume
|
||||
mountPath: /keys/private/private.pem
|
||||
subPath: private.pem
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: opencloud-config
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
|
||||
protocol: TCP
|
||||
resources:
|
||||
limits:
|
||||
cpu: "{{ .Values.ocAuth.resources.limits.cpu }}"
|
||||
memory: "{{ .Values.ocAuth.resources.limits.memory }}"
|
||||
requests:
|
||||
cpu: "{{ .Values.ocAuth.resources.requests.cpu }}"
|
||||
memory: "{{ .Values.ocAuth.resources.requests.memory }}"
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /oc/version
|
||||
port: 8080
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 30
|
||||
{{- end }}
|
||||
31
utils/assets/templates/oc-auth/ingress.yaml
Normal file
31
utils/assets/templates/oc-auth/ingress.yaml
Normal file
@@ -0,0 +1,31 @@
|
||||
{{- if index .Values.ocAuth.enabled }}
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: oc-auth-ingress
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- kind: Rule
|
||||
match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`)
|
||||
priority: 10
|
||||
services:
|
||||
- kind: Service
|
||||
name: oc-auth-svc
|
||||
port: 8080
|
||||
middlewares:
|
||||
#{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
|
||||
#- name: forward-auth
|
||||
#{{- end }}
|
||||
- name: strip-auth-prefix
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: strip-auth-prefix
|
||||
spec:
|
||||
replacePathRegex:
|
||||
regex: ^/auth(.*)
|
||||
replacement: /oc$1
|
||||
{{- end }}
|
||||
36
utils/assets/templates/oc-auth/openCloudOauth2.yaml
Normal file
36
utils/assets/templates/oc-auth/openCloudOauth2.yaml
Normal file
@@ -0,0 +1,36 @@
|
||||
{{- if index .Values.ocAuth.enabled }}
|
||||
apiVersion: hydra.ory.sh/v1alpha1
|
||||
kind: OAuth2Client
|
||||
metadata:
|
||||
name: open-cloud-client
|
||||
spec:
|
||||
grantTypes:
|
||||
- refresh_token
|
||||
- authorization_code
|
||||
- client_credentials
|
||||
- implicit
|
||||
responseTypes:
|
||||
- id_token
|
||||
- token
|
||||
- code
|
||||
scope: openid profile email roles
|
||||
secretName: oc-oauth2-client-secret
|
||||
redirectUris:
|
||||
- https://{{ .Values.host }}/auth/callback
|
||||
postLogoutRedirectUris:
|
||||
- https://{{ .Values.host }}/auth/logout/
|
||||
tokenEndpointAuthMethod: client_secret_post
|
||||
allowedCorsOrigins:
|
||||
- "http://0.0.0.0"
|
||||
#---
|
||||
#apiVersion: v1
|
||||
#kind: Secret
|
||||
#metadata:
|
||||
# name: oc-auth-got-secret
|
||||
# namespace: dev
|
||||
#stringData:
|
||||
# CLIENT_ID: {{ .Values.ocAuth.hydra.clientId }}
|
||||
# CLIENT_SECRET: {{ .Values.ocAuth.hydra.clientSecret }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
21
utils/assets/templates/oc-auth/pem.yaml
Normal file
21
utils/assets/templates/oc-auth/pem.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
{{- if index .Values.ocAuth.enabled }}
|
||||
# peer public key: public-key-secret.yaml
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: public-key-secret
|
||||
type: Opaque
|
||||
data:
|
||||
public.pem: |
|
||||
LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
|
||||
---
|
||||
# peer private key: private-key-secret.yaml
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: private-key-secret
|
||||
type: Opaque
|
||||
data:
|
||||
private.pem: |
|
||||
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdzJwZEc2d010dUxjUDArazFMRnZJYjBEUW8vb0hXMnVOSmFFSks3NHBsWHFwNHp0CnoyZFJiK1JRSEZMZUx1cWs0aS96YzNiNEszZktQWFNsd25WUEpDd3pQcm55VDhqWUdPWlZsV2xFVGlWOXhlSmgKdTZzL0JoNmcxUFd6NzVYamp3VjUwaXYvQ0VpTE5CVDIzZi8zSjQ0d3JRenlncU5RQ2lRU0FMZHhXTEFFbDRsNQprSFNhOW9NeVY3MC9VcWw5NC9heU1BUlpzSGdwOVp2cVFLYmtaUHc2eXpWTWZDQnhRb3psTmxvMzE1T0hldnVkCmhuaHBEUmpONUk3eldtcVl0NnJiWEpKQzdZM0l6ZHZ6bjdRSTg4UnFqU1JTVDVJLzdLejNuZENxck9uSStPUVUKRTVOVFJFeVFlYnBodlFmVERUS2xSUFhrZHlrdGRLMkRIMjhaajZaRjN5alF2TjM1UTR6aE96bHE3N2RPNUloaApvcEk3Y3Q4ZFpIMVQxbllrdmR5Q0EvRVZNdFFzQVNtQk9pdEgwWTBBQ29YUUs1S2I2bm0vVGNNLzlaU0pVTmlFCk11eTVnQlozWUtFOW9hNGNwVHBQWHdjQStTL2NVN0hQTm5RQXN2RDNpSmk4R1RXOXVKczg0cG40L1docFFxbVgKZDRydmhLV0VDQ04zZkh5MDFmVXMvVTBQYVNqMmpEWS9rUVZlWG9pa05NelBVamRaZDltODE2VElCaDN2M2FWWApDSC8waVRISEF4Y3R2RGdNUmIyZnB2Ukovd3duWWpGRzlScGFtVkZETXZDOU5mZnVZeldBQTlJUklZNGNxZ2VyCmZIclZaMkhIaVBURER2REFJc3ZJbVhaYy9oN21YTjZtM1JDUTRReXd5OTkzd2Q5Z1VkZ2cvcW55bkhjQ0F3RUEKQVFLQ0FnQlNSYzI5Z01vNWxYbTFEZ3NQb1VSd3ArdGZjc2IrM05halBWdVZOalZwa25LZzZDeVhUYUJ6dzJRWApDS3lTaENlM013a0VhK3BBSXNiNjZNbUEvWEs4Zi85elFVWkxZUHZhUDk5NGNFRlp4VjhXbVNFY3FoUjJ0eDV2CmlxS2ZGRFFpV3VQWElMN1c5ZlBsa1kzK0dXNHRNU2c5TTE1R3NndFl1YWI2dGtENlhlRVJDOGdxa1cxTXJCL2QKNE1kd1BmdktwbXFPM01ZR0RoRmNYckJaVitxQXVkRG5EU0dPZ1BvdVVyT09GcDI4SFZqRTVucUR5dDR2clduQgorSTFzVzhUQVR5YmI2cGhTKzRhM1pRdEZDYjliSWk3YURaaTU5NUVDVERCVU9TNGlicXMyWHBBMVRhbVk3OE5ECi9MeDVvWG14N01pNEorNXdYTjNPYWQ3eXRRdkZPZE90dElMTnBBTUZiTFU1eUtzeGYrRURqQ0JjUjVmYU5BdHUKd0FNSDlUa3pGcG1ocDVOQndRZEFrQ0ZuaHlsYTM2M2xqbWxHQVdQdUcvRDliVlowcXRCZjNOQUY0aEVKL0w0bgp2WVFGRXJkNjR0UGFzQWdXUG93MkxMdnFpM2pUMjMyYURnYWhqMWxYMWVuSG9SNlRiUUU0cjN6eThEZUE3aTBDCmhBOEdGQXZNc3FJY2VlOVhpNHlEOFFGRUgwUHJKaDZ6UDFQV0tYUjRBUVZFeG5GR2FuejBzNk8xR1JxTFBySUsKMzFOaVJUd0lWcDB4YmV0OS9Hc0p4V3hxclRLUHFkNXlKdlVHRzNBNEVMOGUzUmRXUk01dlRIYk5DVkdpOUxoUwozT0lYVjkvWU9RSnRXeHpXVWpGTjNIcGFOdVdIVlNSMTQ5R0FZcFR4ZWgrL1pHb0FRUUtDQVFFQTlSekcwTHJCCi9vblNuemZBWEQ1SXdHVy9qU2I0ZThWTENaLzdXMENpRDFodDIzUTFwQVI0Ym9mU1lYZHgvcmhWaFJ0eSszOHEKR3p1Z0JQY2VqR2VHWXlLSVZpTzFlOFBzcmQ2ZHlkWW9hQTlmWDNZemNaMG9uazl0K3RZTnhWaHN0b2xmSUdnYwpLVzFxd0ROclYxUFAwTi9vUVU0UVB4TG13Y2YvQlNTbDNzZjUzbVZNemNuSGtqQ0Y1U2dFTjFydElBT1VaYU04CkI0dXJTU01aTUxwd21oWEY5ckFVUFhXZ0xTKzBma3JRem9hQlMyWmZxRWNGTnMxbG44c1RCZW9YQXo2a3laZW0KMFRvMW9ZaFRlTitUZzExcXVXaEpLaVRNWW1TR1QzQjduVnQyNW4wQnlwRGt0ZmFVVStMTVk5L0Jld1d3RTZ4eAppWDk3YmxkZ3Y2eTR1d0tDQVFFQXpCaDVJWWEwOXVKVHdyeFkwSUtWZmtYUnAyUys4ZnFoSjVxaEVQeWtDRis0CkpKQktQcDdJQTdyaGNmNXR3M05WcGEvWUUxaDJIMVA1WjRFUWt6Z0VURXhWb3RCbE9ZWU5ta0JrZDlldFVSR3MKb21BUEhwcm52VDdxK2RSL3JjOC9sUXQzWHp2ZWo0UDR6U1JibnpnL3EySzBJMXFzM3ZPd25aeU8zR1hrNmVuaQpRNTlrMHk4em9zS2RkZTdtMVlKK0tBajVNWmMzUGVIVGZiTGFMY2ZYblRTVVg2eHduWCtKczhrcjJQVlArd1NqCnNFeGFrUDZpZU51L1p6RmNZdjZhaVBneVhJV08vNXBqd0x0L0dUcVVQUWNPOVc3Nm0wdzI0bFduWUN4MWl5U3cKYWxybDJpckwycm5sWEppbjdxNEZ0dEhUV2JlSDkwUlZ0MzA1MG04ZGRRS0NBUUVBa2d5bGduWGxaYytsaW0xagoxeExkc3BadC9xTTc2RFAwdERWNVJqUkszQzNxdDVxVTQ3Z3VNbDRId3oreTB2M3ZKekxsM21rMUk2anhma1BwCkZld1JyVHhFVkY5T29nSnFJbWZGU1NDc1R1VHFCUzJmRlpGNVJHczdzdnljay94T09xMjcyc2x1RGxrK0JHd2YKQjVmTytqeVFYV2t3VVFUb0xvc0dyMy9ZdmRnV1VLZTNqZDh2WlRJNGRnVFVEay9GZncvaStuUzdMaHZRNGZGaAo3eUVJT3lmQ0gyMW5nZjkyZzdZckxCMVVNZHIvYTNnQ2czaGQ2UHVXRkJLaXNTRjh1Tmc0eEUzeWZqVGJBL2NCCkZjTFNXTEh2QjY3VithQ1hrQUVwN21ldG9HT0JnM0QxQWtnM254emY0T1FBdVhuNEJWK3NQT3pCY2haZDY2OXcKM0lVRVJRS0NBUUJ4UEU3UWpCV1JPS2N5VHgrVHFDL2JIRStpNlNHTHpmdGxwc1FnVVp1TXpkYXo2cDVXdWUvTgpLZjExS3EycG1DNzN1MlZON25HekZmczFNd1dJT0xjaHdlUnRiZVFMazFXdXRIVkpqSThyZ0h2Z3B4MGNaT09ZCk92VlI0VlZwa0tmOVFKeGRhVEVsUFJwb2J2aXFrU0c2TEF3MzVWSXViTlFiemtYeEFGT09lR1pDRUloM0p5UWwKOUlZNmJXOERIT0J6dys3R1ZkaWZhOURVVjh2M1JINWJTVlhjOHlhVUs3T3gzVGFIckN0UTRSVVVkbmgxSStIdQozalVHd3ZzNExYeDk2LzY5R0pqck5iU010VHBpTy84TkVRSjZwN1ZCUG5yZy9wYmJwQzhmSVI4RUV5U2Q4OHFnCnN5MFBQOTlFYktiYzlQT25QazJnb2ZoUTBwaW5LV0VWQW9JQkFRQzBoOEozbEdTRzlLaTlRSnZBT2RNcW5zU2cKdW9xakkweTZSbWVSN0xwWVgxQVNLTk5JbWpHMWh3THlaOFFnNWhDTmp5U0VxQkFHR2QzTUJOZklDNnd6QkRyVgp6U0pJcnhqdnUrMnNmejFuVUdkWVdqUWZoeDNjVCt5R3FUNk5FUXVwbXN0TnVreGl1MkhEdTc2cGk5NkFYMm1rClRYWVhsdWJJcGZMNTBkV1owd2lqMExpdkg2VFBhdnZqYlJablhOVnRoMXFsWk9VdHVCR3lFd2NYYjRDT3RxUnEKK25QOEFFZ3pLeGJNSkZWeTNQWTVFNUp5akI1ZDFaUFEyT2VZVVZiZkRFRVlxemtvcmpCeUNjTGR2N08xQ0hOcQpWalV5SnNkOEYxdHVDR1B4YmNiZ3lDZUlxZ0RNMUp4TzR6VE1TUCtDODJBcjdWWGtyNlE4aEFzQ2dIUS8KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
|
||||
{{- end }}
|
||||
31
utils/assets/templates/oc-auth/rbac.yaml
Normal file
31
utils/assets/templates/oc-auth/rbac.yaml
Normal file
@@ -0,0 +1,31 @@
|
||||
{{- if .Values.ocAuth.enabled }}
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: secret-reader-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: secret-reader-binding
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ocauth-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: secret-reader-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
kind: ServiceAccount
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: ocauth-sa
|
||||
{{- end }}
|
||||
|
||||
40
utils/assets/templates/oc-auth/service.yaml
Normal file
40
utils/assets/templates/oc-auth/service.yaml
Normal file
@@ -0,0 +1,40 @@
|
||||
{{- if .Values.ocAuth.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: oc-auth-svc
|
||||
labels:
|
||||
app: oc-auth-svc
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 8080
|
||||
protocol: TCP
|
||||
targetPort: 8080
|
||||
selector:
|
||||
app: oc-auth
|
||||
type: ClusterIP
|
||||
{{- end }}
|
||||
|
||||
{{- if and .Values.ocAuth.enabled .Values.ocAuth.hpa.enabled }}
|
||||
---
|
||||
# Horizontal Pod Autoscaler
|
||||
apiVersion: autoscaling/v2
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ .Release.Name }}-oc-auth
|
||||
spec:
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ .Release.Name }}-oc-auth
|
||||
minReplicas: {{ .Values.ocAuth.hpa.minReplicas }}
|
||||
maxReplicas: {{ .Values.ocAuth.hpa.maxReplicas }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
target:
|
||||
type: Utilization
|
||||
averageUtilization: {{ .Values.ocAuth.hpa.targetCPUUtilizationPercentage }}
|
||||
{{- end }}
|
||||
Reference in New Issue
Block a user