Fixing ldap conf, initializing keto, oc-auth and co

This commit is contained in:
plm
2024-12-09 15:05:29 +01:00
parent ba9a971964
commit f7ae1165b9
39 changed files with 2132 additions and 33 deletions


@@ -0,0 +1,33 @@
1. Get the application URL by running these commands:
{{- if or .Values.ingress.read.enabled .Values.ingress.write.enabled -}}
Read endpoint available at:
{{- range $host := .Values.ingress.read.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
Write endpoint available at:
{{- range $host := .Values.ingress.write.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }}
export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-read)
export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
Read endpoint available at: http://$NODE_IP:$NODE_PORT_READ
Write endpoint available at: http://$NODE_IP:$NODE_PORT_WRITE
{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.read.type ) }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}-read'
export SERVICE_IP_READ=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-read --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
export SERVICE_IP_WRITE=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-write --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
Read endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.read.port }}
Write endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.write.port }}
{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.read.type ) }}
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-read {{ .Values.keto.config.serve.read.port }}:80
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-write {{ .Values.keto.config.serve.write.port }}:80
Read endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.read.port }}
Write endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.write.port }}
{{- end }}
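Review bot: The NodePort and LoadBalancer branches print the wrong endpoint because of copy-paste slips: L29 assigns the write service's port to `NODE_PORT_READ` instead of `NODE_PORT_WRITE`, L39 prints `$SERVICE_IP_READ` for the write endpoint, and the conditions on L33 and L40 test `.Values.service.read.type` twice, so a write-only LoadBalancer or ClusterIP service never reaches its branch. The fixes are `export NODE_PORT_WRITE=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)`, `Write endpoint available at: http://$SERVICE_IP_WRITE:{{ .Values.service.write.port }}`, and `( contains "LoadBalancer" .Values.service.write.type )` (likewise for the ClusterIP test). Since the write endpoint is Keto's mutating API, it is worth one extra line in these notes reminding operators not to expose it outside the cluster without something authenticating in front of it.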


@@ -0,0 +1,130 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "keto.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "keto.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create a secret name which can be overridden.
*/}}
{{- define "keto.secretname" -}}
{{- if .Values.secret.nameOverride -}}
{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ include "keto.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "keto.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Generate the dsn value
*/}}
{{- define "keto.dsn" -}}
{{- if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
dsn-loaded-from-env
{{- else if not (empty (.Values.keto.config.dsn)) -}}
{{- .Values.keto.config.dsn }}
{{- end -}}
{{- end -}}
{{/*
Generate the configmap data, redacting secrets
*/}}
{{- define "keto.configmap" -}}
{{- $config := omit .Values.keto.config "dsn" -}}
{{- tpl (toYaml $config) . -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "keto.labels" -}}
helm.sh/chart: {{ include "keto.chart" . }}
{{ include "keto.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if $.Values.watcher.enabled }}
{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "keto.name" .) }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "keto.selectorLabels" -}}
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "keto.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "keto.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "keto.job.serviceAccountName" -}}
{{- if .Values.job.serviceAccount.create }}
{{- printf "%s-job" (default (include "keto.fullname" .) .Values.job.serviceAccount.name) }}
{{- else }}
{{- include "keto.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Checksum annotations generated from configmaps and secrets
*/}}
{{- define "keto.annotations.checksum" -}}
{{- if .Values.configmap.hashSumEnabled }}
checksum/keto-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
checksum/keto-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{/*
Check the migration type value and fail if unexpected
*/}}
{{- define "keto.automigration.typeVerification" -}}
{{- if and .Values.keto.automigration.enabled .Values.keto.automigration.type }}
{{- if and (ne .Values.keto.automigration.type "initContainer") (ne .Values.keto.automigration.type "job") }}
{{- fail "keto.automigration.type must be either 'initContainer' or 'job'" -}}
{{- end }}
{{- end }}
{{- end }}
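Review bot: `keto.annotations.checksum` (L154-L155) writes a SHA-256 of the fully rendered `secrets.yaml`, which embeds the base64-encoded DSN (typically including the database password), into a pod annotation, and pod annotations are readable by anyone with `get pods`, a far weaker right than `get secrets`. The chart is public and the rest of that manifest is predictable, so a weak password could be recovered offline from the digest; either hash a keyed/salted value instead, or add a comment that `secret.hashSumEnabled` should stay off when the Secret carries real credentials. Separately, `keto.serviceAccountName` (L134) falls back to the namespace `default` account when `serviceAccount.create` is false, and the watcher templates append `-watcher` to whatever this helper returns; a comment noting that dependency would make the naming contract visible to anyone editing the RBAC template.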


@@ -0,0 +1,18 @@
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keto.fullname" . }}-migrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
data:
"keto.yaml": |
{{- include "keto.configmap" . | nindent 4 }}
{{- end }}


@@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keto.fullname" . }}-config
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
data:
"keto.yaml": |
{{- include "keto.configmap" . | nindent 4 }}


@@ -0,0 +1,75 @@
{{- if .Values.watcher.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.watcher.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.watcher.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: watcher
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
image: {{ .Values.watcher.image }}
command:
- /bin/bash
- -c
- |
{{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
env:
- name: NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: WATCH_FILE
value: {{ .Values.watcher.mountFile | quote }}
- name: LABEL_SELECTOR
value: '{{ $.Values.watcher.watchLabelKey }}={{ include "keto.name" . }}'
resources:
{{- toYaml .Values.watcher.resources | nindent 12 }}
volumeMounts:
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
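Review bot: The watcher executes `files/watch.sh` under `/bin/bash -c` (L262-L266) using a service account that, per the RBAC template, may patch the Keto Deployment, so `watcher.image` on L261 is effectively a trusted, cluster-mutating component; it is rendered unquoted and without an `imagePullPolicy`, unlike the main container which gets both. Quote it (`image: {{ .Values.watcher.image | quote }}`) and add an explicit pull policy, and consider documenting in values that this image should be pinned by digest. The script itself is outside this view, so I cannot check what it does with `LABEL_SELECTOR` and `WATCH_FILE`.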


@@ -0,0 +1,232 @@
{{- $podAnnotations := ternary .Values.deployment.podAnnotations .Values.podAnnotations (not (empty .Values.deployment.podAnnotations )) -}}
{{- $automountServiceAccountToken := ternary .Values.deployment.automountServiceAccountToken .Values.automountServiceAccountToken (not (empty .Values.deployment.automountServiceAccountToken )) -}}
{{- $livenessProbe := ternary .Values.deployment.livenessProbe .Values.livenessProbe (not (empty .Values.deployment.livenessProbe )) -}}
{{- $readinessProbe := ternary .Values.deployment.readinessProbe .Values.readinessProbe (not (empty .Values.deployment.readinessProbe )) -}}
{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
{{- $resources := ternary .Values.deployment.resources .Values.resources (not (empty .Values.deployment.resources )) -}}
{{- $extraInitContainers := ternary .Values.deployment.extraInitContainers .Values.extraInitContainers (not (empty .Values.deployment.extraInitContainers )) -}}
{{- $extraContainers := ternary .Values.deployment.extraContainers .Values.extraContainers (not (empty .Values.deployment.extraContainers )) -}}
{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
{{- $nodeSelector := ternary .Values.deployment.nodeSelector .Values.nodeSelector (not (empty .Values.deployment.nodeSelector )) -}}
{{- $affinity := ternary .Values.deployment.affinity .Values.affinity (not (empty .Values.deployment.affinity )) -}}
{{- $tolerations := ternary .Values.deployment.tolerations .Values.tolerations (not (empty .Values.deployment.tolerations )) -}}
{{- $topologySpreadConstraints := ternary .Values.deployment.topologySpreadConstraints .Values.topologySpreadConstraints (not (empty .Values.deployment.topologySpreadConstraints )) -}}
{{- include "keto.automigration.typeVerification" . -}}
{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- if not $autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
strategy:
{{- toYaml .Values.deployment.strategy | nindent 4 }}
selector:
matchLabels:
{{- include "keto.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
{{- include "keto.annotations.checksum" . | indent 8 -}}
{{- with $podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "keto.selectorLabels" . | nindent 8 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
initContainers:
{{- if $extraInitContainers}}
{{- tpl $extraInitContainers . | nindent 8 }}
{{- end }}
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "initContainer" ) }}
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.keto.automigration.customCommand }}
command: {{- toYaml .Values.keto.automigration.customCommand | nindent 12 }}
{{- else }}
command: ["keto"]
{{- end }}
{{- if .Values.keto.automigration.customArgs }}
args: {{- toYaml .Values.keto.automigration.customArgs | nindent 12 }}
{{- else }}
args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if $migrationExtraEnv }}
{{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
{{- end }}
{{- with .Values.keto.automigration.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "keto.serviceAccountName" . }}
automountServiceAccountToken: {{ $automountServiceAccountToken }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: {{- toYaml .Values.keto.command | nindent 12 }}
{{- if .Values.keto.customArgs }}
args: {{- toYaml .Values.keto.customArgs | nindent 12 }}
{{- else }}
args:
- serve
- --config
- /etc/config/keto.yaml
{{- end }}
ports:
- name: {{ .Values.service.read.name }}
containerPort: {{ .Values.keto.config.serve.read.port }}
protocol: TCP
- name: {{ .Values.service.write.name }}
containerPort: {{ .Values.keto.config.serve.write.port }}
protocol: TCP
- name: {{ .Values.service.metrics.name }}
containerPort: {{ .Values.keto.config.serve.metrics.port }}
protocol: TCP
{{- with .Values.deployment.extraPorts }}
{{- toYaml . | nindent 12 }}
{{- end }}
lifecycle:
{{- toYaml .Values.deployment.lifecycle | nindent 12 }}
{{- if .Values.deployment.customLivenessProbe }}
livenessProbe:
{{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
{{- end }}
readinessProbe:
{{- if .Values.deployment.customReadinessProbe }}
{{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/alive
port: {{ .Values.keto.config.serve.write.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml $readinessProbe | nindent 12 }}
{{- end }}
startupProbe:
{{- if .Values.deployment.customStartupProbe }}
{{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/ready
port: {{ .Values.keto.config.serve.write.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.startupProbe | nindent 12 }}
{{- end }}
resources:
{{- toYaml $resources | nindent 12 }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if .Values.deployment.extraEnv }}
{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if $extraContainers }}
{{- tpl $extraContainers . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "keto.name" . }}-config-volume
configMap:
name: {{ include "keto.fullname" . }}-config
{{- with $extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
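Review bot: The main container gets no `livenessProbe` unless `deployment.customLivenessProbe` is set (L437-L440), whereas readiness and startup have built-in defaults, so a wedged Keto process that passes startup but later fails readiness is pulled from the Service endpoints but never restarted; if that is intentional, say so in a comment, otherwise add a default `httpGet` on `/health/alive` mirroring the readiness block. Relatedly, the default readiness probe hits `/health/alive` (L446) while the startup probe hits `/health/ready` (L458), which reads as inverted — if, as in other Ory services, `/health/ready` is the endpoint that reflects database connectivity, it is the better readiness signal — and deserves at least a comment explaining the choice. Both probes address the write port, so any NetworkPolicy later added to fence the admin API must still admit kubelet traffic.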


@@ -0,0 +1,38 @@
{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
{{- if $autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
spec:
{{- with $autoscaling.behavior }}
behavior: {{- toYaml . | nindent 4 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "keto.fullname" . }}
minReplicas: {{ $autoscaling.minReplicas }}
maxReplicas: {{ $autoscaling.maxReplicas }}
metrics:
{{- with $autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $autoscaling.targetCPU}}
- type: Resource
resource:
name: cpu
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@@ -0,0 +1,54 @@
{{- if .Values.ingress.read.enabled -}}
{{- $fullName := include "keto.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-read
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.ingress.read.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.read.className }}
{{- if .Values.ingress.read.tls }}
tls:
{{- range .Values.ingress.read.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.read.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-read
port:
name: {{ $.Values.service.read.name }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.read.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
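Review bot: The `networking.k8s.io/v1beta1` fallback on L613 points the backend at `serviceName: {{ $fullName }}` while the v1 branch (L609) and the Service template use `{{ $fullName }}-read`, so on a pre-1.19 cluster the Ingress would reference a Service that does not exist; change it to `serviceName: {{ $fullName }}-read`. `ingressClassName` on L585 is emitted unconditionally, so an unset `ingress.read.className` renders an empty value — wrap it in `{{- with .Values.ingress.read.className }}`. TLS is optional here; since the read API returns authorization decisions, a comment recommending `tls` for any non-local deployment would be a cheap reminder.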


@@ -0,0 +1,54 @@
{{- if .Values.ingress.write.enabled -}}
{{- $fullName := include "keto.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-write
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.ingress.write.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.write.className }}
{{- if .Values.ingress.write.tls }}
tls:
{{- range .Values.ingress.write.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.write.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-write
port:
name: {{ $.Values.service.write.name }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.write.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
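Review bot: Same fallback defect as the read Ingress: L671 uses `serviceName: {{ $fullName }}` where it should be `serviceName: {{ $fullName }}-write`. More importantly, this Ingress publishes Keto's write API, which (as far as this chart shows) has nothing authenticating in front of it — anyone who can reach the host can create or delete relation tuples, i.e. grant themselves permissions in every application that relies on Keto. The template should carry a comment warning that `ingress.write.enabled` is only safe behind an authenticating proxy or on an internal-only ingress class, and `tls` should be treated as required rather than optional for it.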


@@ -0,0 +1,123 @@
{{- include "keto.automigration.typeVerification" . -}}
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "keto.fullname" . }}-automigrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.fullname" . }}-automigrate
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with $extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "keto.job.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.keto.automigration.customCommand }}
command: {{- toYaml .Values.keto.automigration.customCommand | nindent 10 }}
{{- else }}
command: ["keto"]
{{- end }}
{{- if .Values.keto.automigration.customArgs }}
args: {{- toYaml .Values.keto.automigration.customArgs | nindent 10 }}
{{- else }}
args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
{{- end }}
{{- if .Values.job.lifecycle }}
{{- tpl .Values.job.lifecycle . | nindent 8 }}
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $migrationExtraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.job.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
{{- end }}
{{- if .Values.job.extraContainers }}
{{- tpl .Values.job.extraContainers . | nindent 6 }}
{{- end }}
{{- if .Values.job.extraInitContainers }}
initContainers:
{{- tpl .Values.job.extraInitContainers . | nindent 8 }}
{{- end }}
restartPolicy: Never
volumes:
- name: {{ include "keto.name" . }}-config-volume
configMap:
name: {{ include "keto.fullname" . }}-migrate
{{- with $extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
backoffLimit: {{ .Values.job.spec.backoffLimit }}
{{- end }}
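Review bot: The migration Job renders `$migrationExtraEnv` with plain `toYaml` (L767-L768), whereas the initContainer path in the Deployment runs the same values through `tpl (toYaml $migrationExtraEnv) .`, so a template expression in `job.extraEnv` is expanded in one mode and emitted literally in the other; use `{{- tpl (toYaml .) $ | nindent 10 }}` here for consistency. The Job also mounts the `-migrate` ConfigMap (L789), which is a `pre-install, pre-upgrade` hook deleted `before-hook-creation`; this only works if `job.annotations` turns the Job into a hook of the same phase, and nothing in the template enforces or documents that coupling. Finally, `automountServiceAccountToken` on L730 is left to values even though a DB migration needs no Kubernetes API access; defaulting it to `false` follows the least-privilege stance already taken in the job ServiceAccount template.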


@@ -0,0 +1,17 @@
{{- if .Values.job.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.job.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.job.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}


@@ -0,0 +1,20 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "keto.selectorLabels" . | nindent 6 }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}


@@ -0,0 +1,55 @@
{{- if .Values.watcher.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.serviceAccountName" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- list
- watch
- get
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- get
- list
- patch
- update
- watch
resourceNames:
- {{ include "keto.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "keto.fullname" . }}-watcher
subjects:
- kind: ServiceAccount
name: {{ include "keto.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
{{- end }}
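Review bot: The RoleBinding subject on L905 is `{{ include "keto.fullname" . }}-watcher`, but the ServiceAccount created on L858 and used by the watcher Deployment is `{{ include "keto.serviceAccountName" . }}-watcher`; these only coincide when `serviceAccount.create` is true and `serviceAccount.name` is unset. With a custom name (or `create: false`, where the helper yields `default`) the binding targets a non-existent account and the watcher runs without the patch permission it needs — failing closed, but silently. Change L905 to `name: {{ include "keto.serviceAccountName" . }}-watcher`. The Role itself is sensibly scoped — write verbs are limited via `resourceNames` to the Keto Deployment, while `list`/`watch` stay unrestricted because Kubernetes cannot filter those by name — and a comment saying so would stop a future reviewer from "tightening" it into a broken rule.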


@@ -0,0 +1,17 @@
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end }}


@@ -0,0 +1,18 @@
{{- if .Values.secret.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "keto.secretname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
annotations:
{{- with .Values.secret.secretAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
data:
dsn: {{ include "keto.dsn" . | b64enc | quote }}
{{- end }}
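Review bot: With `secret.enabled` true the DSN comes from `keto.config.dsn`, which means the database credentials live in the values file and in every Helm release Secret (`helm get values`, release history) in addition to this object; a comment pointing operators at the `secret.enabled: false` plus `secret.nameOverride` path for externally managed credentials would help. The template also renders `dsn: ""` without complaint when `keto.config.dsn` is empty, so a misconfigured release starts Keto with an empty DSN instead of failing at install time; consider `{{ required "keto.config.dsn is required when secret.enabled is true" .Values.keto.config.dsn }}` ahead of L949.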


@@ -0,0 +1,32 @@
{{- range $ServiceName, $ServiceData := .Values.extraServices }}
{{- if $ServiceData.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" $ }}-{{ $ServiceName }}
{{- if $.Release.Namespace }}
namespace: {{ $.Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: {{ $ServiceName }}
{{- include "keto.labels" $ | nindent 4 }}
spec:
type: {{ $ServiceData.type }}
{{- if eq $ServiceData.type "LoadBalancer" }}
{{- with $ServiceData.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ $ServiceData.port }}
targetPort: {{ $ServiceData.name }}
protocol: TCP
name: {{ $ServiceData.name }}
selector:
app.kubernetes.io/name: {{ include "keto.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- end }}
{{- end }}


@@ -0,0 +1,27 @@
{{- if .Values.service.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-metrics
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: metrics
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.metrics.type }}
{{- if eq .Values.service.metrics.type "LoadBalancer" }}
{{- with .Values.service.metrics.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.metrics.port }}
targetPort: {{ .Values.service.metrics.name }}
protocol: TCP
name: {{ .Values.service.metrics.name }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{ end }}


@@ -0,0 +1,60 @@
{{- if .Values.service.read.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-read
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: read
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.read.type }}
{{- if eq .Values.service.read.type "LoadBalancer" }}
{{- with .Values.service.read.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
{{- if eq .Values.service.read.type "ClusterIP" }}
{{- with .Values.service.read.clusterIP }}
clusterIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.read.port }}
targetPort: {{ .Values.service.read.name }}
protocol: TCP
name: {{ .Values.service.read.name }}
appProtocol: {{ .Values.service.read.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.service.read.headless.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-read-headless
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
service.ory.sh/type: headless
app.kubernetes.io/component: read
{{- include "keto.labels" . | nindent 4 }}
spec:
type: "ClusterIP"
clusterIP: "None"
ports:
- port: {{ .Values.keto.config.serve.read.port }}
targetPort: {{ .Values.service.read.name }}
protocol: TCP
name: {{ .Values.service.read.name }}
appProtocol: {{ .Values.service.read.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}


@@ -0,0 +1,59 @@
{{- if .Values.service.write.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-write
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: write
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.write.type }}
{{- if eq .Values.service.write.type "LoadBalancer" }}
{{- with .Values.service.write.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
{{- if eq .Values.service.write.type "ClusterIP" }}
{{- with .Values.service.write.clusterIP }}
clusterIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.write.port }}
targetPort: {{ .Values.service.write.name }}
protocol: TCP
name: {{ .Values.service.write.name }}
appProtocol: {{ .Values.service.write.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.service.write.headless.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-write-headless
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
service.ory.sh/type: headless
app.kubernetes.io/component: write
{{- include "keto.labels" . | nindent 4 }}
spec:
type: "ClusterIP"
clusterIP: "None"
ports:
- port: {{ .Values.keto.config.serve.write.port }}
targetPort: {{ .Values.service.write.name }}
protocol: TCP
name: {{ .Values.service.write.name }}
appProtocol: {{ .Values.service.write.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}


@@ -0,0 +1,36 @@
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") (.Values.service.metrics.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "keto.fullname" . }}-metrics
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: metrics
{{ include "keto.labels" . | indent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.metrics.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- path: /metrics/prometheus
port: {{ .Values.service.metrics.name }}
scheme: {{ .Values.serviceMonitor.scheme }}
interval: {{ .Values.serviceMonitor.scrapeInterval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: metrics
{{- end -}}
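Review bot: The guard on L1147 relies on `.Capabilities.APIVersions.Has`, which is only populated when Helm talks to a live cluster; under `helm template`, GitOps-style rendering or CI diffs the ServiceMonitor silently disappears, so enabling metrics can look fine in review and still scrape nothing. A short comment above the guard noting this, or an explicit `serviceMonitor.enabled` value that bypasses the capability check, would avoid the surprise. Also L1158 uses `indent 4` where the adjacent lines use `nindent 4`; pick one so the label block renders at a predictable column.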


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "keto.fullname" . }}-test-connection"
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "keto.labels" . | nindent 4 }}
{{- with .Values.test.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
helm.sh/hook: test-success
spec:
containers:
- name: wget
image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
command: ['wget']
args: ['{{ include "keto.fullname" . }}-write:{{ .Values.service.write.port }}/health/ready']
restartPolicy: Never
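Review bot: `helm.sh/hook: test-success` (L1199) is the legacy spelling; Helm 3 still accepts it, but the documented value is `helm.sh/hook: test`, and there is no `helm.sh/hook-delete-policy`, so every `helm test` run leaves a completed pod behind. The `wget` call on L1204-L1205 has no timeout, so an unreachable write service makes the test hang until Helm's own timeout instead of failing promptly — `args: ['-T', '10', '-O', '-', '{{ include "keto.fullname" . }}-write:{{ .Values.service.write.port }}/health/ready']` (busybox wget supports `-T`) is enough. The pod also sets no `securityContext` or `resources`, which will be rejected outright in namespaces enforcing the `restricted` Pod Security Standard.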