core/oc-k8s
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: core:oryhydra
Branches Tags
core:main core:oc-front core:oc-auth core:openldap core:oryhydra core:mongo core:nats core:bootstraping
...
pull from: core:openldap
Branches Tags
core:main core:oc-front core:oc-auth core:openldap core:oryhydra core:mongo core:nats core:bootstraping

7 Commits
oryhydra ... openldap

Author SHA1 Message Date
plm
11bdecd80d Adding helm chart upgrade script 2024-12-09 15:05:47 +01:00
plm
f7ae1165b9 Fixing ldap conf, initializing keto, oc-auth and co 2024-12-09 15:05:29 +01:00
plm
ba9a971964 Adding openldap + ldap user manager 2024-12-02 13:57:37 +01:00
plm
519fb80ee7 Merge branch 'oryhydra' into main 2024-12-02 13:30:28 +01:00
plm
cde967a404 remove useless file 2024-12-02 13:28:46 +01:00
plm
d0118ed095 Merge branch 'main' of https://cloud.o-forge.io/plm/oc-k8s into main 2024-12-02 13:28:10 +01:00
plm
b4edaba6d8 Test 2024-12-02 13:27:30 +01:00
76 changed files with 4097 additions and 38 deletions
Expand all files Collapse all files

2
install_development.sh
View File

@@ -2,4 +2,4 @@
RELEASE_NAME=dev RELEASE_NAME=dev
RELEASE_NAMESPACE=dev RELEASE_NAMESPACE=dev
helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace --install -f opencloud/dev-values.yaml helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml

14
opencloud/Chart.yaml
View File

@@ -5,12 +5,12 @@ type: application
version: 0.0.1 version: 0.0.1
appVersion: "0.0.1" appVersion: "0.0.1"
# TODO: ldap, ory hydra, keto # TODO: ory hydra, keto
dependencies: dependencies:
- name: openldap-stack-ha - name: openldap
version: "4.3.1" repository: https://jp-gouin.github.io/helm-openldap/
repository: "https://jp-gouin.github.io/helm-openldap/" version: "2.0.4"
condition: openldap-stack-ha.enabled condition: openldap.enabled
- name: traefik - name: traefik
version: "33.0.0" version: "33.0.0"
repository: "https://helm.traefik.io/traefik" repository: "https://helm.traefik.io/traefik"
@@ -31,3 +31,7 @@ dependencies:
version: "0.50.2" version: "0.50.2"
repository: "https://k8s.ory.sh/helm/charts" repository: "https://k8s.ory.sh/helm/charts"
condition: hydra.enabled condition: hydra.enabled
- name: keto
version: "0.50.2"
repository: "https://k8s.ory.sh/helm/charts"
condition: keto.enabled

23
opencloud/charts/keto/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
opencloud/charts/keto/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: ory-commons
repository: file://../ory-commons
version: 0.1.0
digest: sha256:eec8978215334aad38275f0171681f1200220dccef4762ddeb197679fd287abb
generated: "2024-06-11T14:47:42.552973+02:00"

27
opencloud/charts/keto/Chart.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: v2
appVersion: v0.12.0
dependencies:
- alias: ory
name: ory-commons
repository: file://../ory-commons
version: 0.1.0
description: Access Control Policies as a Server
home: https://www.ory.sh/keto/
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-keto.svg
keywords:
- rbac
- hrbac
- acl
- iam
- api-security
- security
maintainers:
- email: hi@ory.sh
name: ORY Team
url: https://www.ory.sh/
name: keto
sources:
- https://github.com/ory/keto
- https://github.com/ory/k8s
type: application
version: 0.50.2

187
opencloud/charts/keto/README.md Normal file
View File

@@ -0,0 +1,187 @@
# keto
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
Access Control Policies as a Server
**Homepage:** <https://www.ory.sh/keto/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| ORY Team | <hi@ory.sh> | <https://www.ory.sh/> |
## Source Code
* <https://github.com/ory/keto>
* <https://github.com/ory/k8s>
## Requirements
| Repository | Name | Version |
|------------|------|---------|
| file://../ory-commons | ory(ory-commons) | 0.1.0 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| deployment.affinity | object | `{}` | |
| deployment.annotations | object | `{}` | |
| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.automountServiceAccountToken | bool | `true` | |
| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Autoscaling for keto deployment |
| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
| deployment.customLivenessProbe | object | `{}` | |
| deployment.customReadinessProbe | object | `{}` | |
| deployment.customStartupProbe | object | `{}` | |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| deployment.extraEnv | list | `[]` | Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.extraInitContainers | object | `{}` | If you want to add extra init containers. These are processed before the migration init container. |
| deployment.extraLabels | object | `{}` | Extra labels to be added to the deployment, and pods. K8s object format expected foo: bar my.special.label/type: value |
| deployment.extraPorts | list | `[]` | Extra ports to be exposed by the main deployment |
| deployment.extraVolumeMounts | list | `[]` | Array of extra VolumeMounts to be added to the deployment. K8s format expected - name: my-volume mountPath: /etc/secrets/my-secret readOnly: true |
| deployment.extraVolumes | list | `[]` | Array of extra Volumes to be added to the deployment. K8s format expected - name: my-volume secret: secretName: my-secret |
| deployment.lifecycle | object | `{}` | |
| deployment.minReadySeconds | int | `0` | |
| deployment.nodeSelector | object | `{}` | |
| deployment.podAnnotations | object | `{}` | |
| deployment.podMetadata.annotations | object | `{}` | |
| deployment.podMetadata.labels | object | `{}` | |
| deployment.podSecurityContext | object | `{}` | |
| deployment.readinessProbe.failureThreshold | int | `5` | |
| deployment.readinessProbe.initialDelaySeconds | int | `5` | |
| deployment.readinessProbe.periodSeconds | int | `10` | |
| deployment.resources | object | `{}` | |
| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| deployment.startupProbe.failureThreshold | int | `5` | |
| deployment.startupProbe.initialDelaySeconds | int | `0` | |
| deployment.startupProbe.periodSeconds | int | `1` | |
| deployment.startupProbe.successThreshold | int | `1` | |
| deployment.startupProbe.timeoutSeconds | int | `1` | |
| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | |
| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
| deployment.strategy.type | string | `"RollingUpdate"` | |
| deployment.terminationGracePeriodSeconds | int | `60` | |
| deployment.tolerations | list | `[]` | |
| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
| extraServices | object | `{}` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy |
| image.repository | string | `"oryd/keto"` | Ory KETO image |
| image.tag | string | `"v0.12.0"` | Ory KETO version |
| imagePullSecrets | list | `[]` | |
| ingress.read.annotations | object | `{}` | |
| ingress.read.className | string | `""` | |
| ingress.read.enabled | bool | `false` | |
| ingress.read.hosts[0].host | string | `"chart-example.local"` | |
| ingress.read.hosts[0].paths[0].path | string | `"/read"` | |
| ingress.read.hosts[0].paths[0].pathType | string | `"Prefix"` | |
| ingress.read.tls | list | `[]` | |
| ingress.write.annotations | object | `{}` | |
| ingress.write.className | string | `""` | |
| ingress.write.enabled | bool | `false` | |
| ingress.write.hosts[0].host | string | `"chart-example.local"` | |
| ingress.write.hosts[0].paths[0].path | string | `"/write"` | |
| ingress.write.hosts[0].paths[0].pathType | string | `"Prefix"` | |
| ingress.write.tls | list | `[]` | |
| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
| job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| job.extraInitContainers | string | `""` | If you want to add extra init containers. |
| job.lifecycle | string | `""` | If you want to add lifecycle hooks. |
| job.nodeSelector | object | `{}` | Node labels for pod assignment. |
| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| job.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| job.podMetadata.labels | object | `{}` | Extra pod level labels |
| job.resources | object | `{}` | Job resources |
| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
| job.spec.backoffLimit | int | `10` | Set job back off limit |
| job.tolerations | list | `[]` | Configure node tolerations. |
| keto.automigration | object | `{"customArgs":[],"customCommand":[],"enabled":false,"resources":{},"type":"job"}` | Enables database migration |
| keto.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - keto |
| keto.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) |
| keto.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer |
| keto.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job |
| keto.command | list | `["keto"]` | Ability to override the entrypoint of keto container (e.g. to source dynamic secrets or export environment dynamic variables) |
| keto.config | object | `{"dsn":"memory","namespaces":[{"id":0,"name":"sample"}],"serve":{"metrics":{"port":4468},"read":{"port":4466},"write":{"port":4467}}}` | Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration |
| keto.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
| nameOverride | string | `""` | |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |
| pdb.spec.minAvailable | string | `""` | |
| podSecurityContext.fsGroup | int | `65534` | |
| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| podSecurityContext.runAsGroup | int | `65534` | |
| podSecurityContext.runAsNonRoot | bool | `true` | |
| podSecurityContext.runAsUser | int | `65534` | |
| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of replicas in deployment |
| secret.enabled | bool | `true` | Switch to false to prevent creating the secret |
| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.privileged | bool | `false` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.runAsGroup | int | `65534` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.runAsUser | int | `65534` | |
| securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| service.metrics.annotations | object | `{}` | |
| service.metrics.enabled | bool | `false` | |
| service.metrics.loadBalancerIP | string | `""` | |
| service.metrics.name | string | `"http-metrics"` | |
| service.metrics.port | int | `80` | |
| service.metrics.type | string | `"ClusterIP"` | |
| service.read.appProtocol | string | `"grpc"` | |
| service.read.clusterIP | string | `""` | |
| service.read.enabled | bool | `true` | |
| service.read.headless.enabled | bool | `true` | |
| service.read.loadBalancerIP | string | `""` | |
| service.read.name | string | `"grpc-read"` | |
| service.read.port | int | `80` | |
| service.read.type | string | `"ClusterIP"` | |
| service.write.appProtocol | string | `"grpc"` | |
| service.write.clusterIP | string | `""` | |
| service.write.enabled | bool | `true` | |
| service.write.headless.enabled | bool | `true` | |
| service.write.loadBalancerIP | string | `""` | |
| service.write.name | string | `"grpc-write"` | |
| service.write.port | int | `80` | |
| service.write.type | string | `"ClusterIP"` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended |
| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
| test.labels | object | `{}` | Provide additional labels to the test pod |
| watcher.automountServiceAccountToken | bool | `true` | |
| watcher.enabled | bool | `false` | |
| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` | |
| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
| watcher.resources | object | `{}` | |
| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

23
opencloud/charts/keto/charts/ory-commons/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
opencloud/charts/keto/charts/ory-commons/Chart.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 0.0.0
description: 'Collection of helper function for the Ory Helm environment '
name: ory-commons
type: library
version: 0.1.0

12
opencloud/charts/keto/charts/ory-commons/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,12 @@
{{/*
Check if list contains object
*/}}
{{- define "ory.extraEnvContainsEnvName" -}}
{{- $extraEnvs := index . 0 -}}
{{- $envName := index . 1 -}}
{{- range $k, $v := $extraEnvs -}}
{{- if eq $v.name $envName -}}
found
{{- end -}}
{{- end -}}
{{- end -}}

17
opencloud/charts/keto/files/watch.sh Normal file
View File

@@ -0,0 +1,17 @@
set -Eeuo pipefail
set -x
function rollOut() {
DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
kubectl rollout status -n $NAMESPACE ${DEPLOY}
}
while true; do
# After change in the CM the symlink is recreated, so we need to restart the monitor
inotifywait --event DELETE_SELF "${WATCH_FILE}" |
while read path _ file; do
echo "---> $path$file modified"
rollOut "${LABEL_SELECTOR}"
done
done

33
opencloud/charts/keto/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,33 @@
1. Get the application URL by running these commands:
{{- if or .Values.ingress.read.enabled .Values.ingress.write.enabled -}}
Read endpoint available at:
{{- range $host := .Values.ingress.read.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
Write endpoint available at:
{{- range $host := .Values.ingress.write.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }}
export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-read)
export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
Read endpoint available at: http://$NODE_IP:$NODE_PORT_READ
Write endpoint available at: http://$NODE_IP:$NODE_PORT_WRITE
{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.read.type ) }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}-read'
export SERVICE_IP_READ=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-read --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
export SERVICE_IP_WRITE=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-write --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
Read endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.read.port }}
Write endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.write.port }}
{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.read.type ) }}
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-read {{ .Values.keto.config.serve.read.port }}:80
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-write {{ .Values.keto.config.serve.write.port }}:80
Read endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.read.port }}
Write endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.write.port }}
{{- end }}

130
opencloud/charts/keto/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,130 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "keto.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "keto.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create a secret name which can be overridden.
*/}}
{{- define "keto.secretname" -}}
{{- if .Values.secret.nameOverride -}}
{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ include "keto.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "keto.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Generate the dsn value
*/}}
{{- define "keto.dsn" -}}
{{- if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
dsn-loaded-from-env
{{- else if not (empty (.Values.keto.config.dsn)) -}}
{{- .Values.keto.config.dsn }}
{{- end -}}
{{- end -}}
{{/*
Generate the configmap data, redacting secrets
*/}}
{{- define "keto.configmap" -}}
{{- $config := omit .Values.keto.config "dsn" -}}
{{- tpl (toYaml $config) . -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "keto.labels" -}}
helm.sh/chart: {{ include "keto.chart" . }}
{{ include "keto.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if $.Values.watcher.enabled }}
{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "keto.name" .) }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "keto.selectorLabels" -}}
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "keto.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "keto.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "keto.job.serviceAccountName" -}}
{{- if .Values.job.serviceAccount.create }}
{{- printf "%s-job" (default (include "keto.fullname" .) .Values.job.serviceAccount.name) }}
{{- else }}
{{- include "keto.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Checksum annotations generated from configmaps and secrets
*/}}
{{- define "keto.annotations.checksum" -}}
{{- if .Values.configmap.hashSumEnabled }}
checksum/keto-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
checksum/keto-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{/*
Check the migration type value and fail if unexpected
*/}}
{{- define "keto.automigration.typeVerification" -}}
{{- if and .Values.keto.automigration.enabled .Values.keto.automigration.type }}
{{- if and (ne .Values.keto.automigration.type "initContainer") (ne .Values.keto.automigration.type "job") }}
{{- fail "keto.automigration.type must be either 'initContainer' or 'job'" -}}
{{- end }}
{{- end }}
{{- end }}

18
opencloud/charts/keto/templates/configmap-migrate.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keto.fullname" . }}-migrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
data:
"keto.yaml": |
{{- include "keto.configmap" . | nindent 4 }}
{{- end }}

12
opencloud/charts/keto/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keto.fullname" . }}-config
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
data:
"keto.yaml": |
{{- include "keto.configmap" . | nindent 4 }}

75
opencloud/charts/keto/templates/deployment-watcher.yaml Normal file
View File

@@ -0,0 +1,75 @@
{{- if .Values.watcher.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.watcher.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.watcher.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: watcher
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
image: {{ .Values.watcher.image }}
command:
- /bin/bash
- -c
- |
{{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
env:
- name: NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: WATCH_FILE
value: {{ .Values.watcher.mountFile | quote }}
- name: LABEL_SELECTOR
value: '{{ $.Values.watcher.watchLabelKey }}={{ include "keto.name" . }}'
resources:
{{- toYaml .Values.watcher.resources | nindent 12 }}
volumeMounts:
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}

232
opencloud/charts/keto/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,232 @@
{{- $podAnnotations := ternary .Values.deployment.podAnnotations .Values.podAnnotations (not (empty .Values.deployment.podAnnotations )) -}}
{{- $automountServiceAccountToken := ternary .Values.deployment.automountServiceAccountToken .Values.automountServiceAccountToken (not (empty .Values.deployment.automountServiceAccountToken )) -}}
{{- $livenessProbe := ternary .Values.deployment.livenessProbe .Values.livenessProbe (not (empty .Values.deployment.livenessProbe )) -}}
{{- $readinessProbe := ternary .Values.deployment.readinessProbe .Values.readinessProbe (not (empty .Values.deployment.readinessProbe )) -}}
{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
{{- $resources := ternary .Values.deployment.resources .Values.resources (not (empty .Values.deployment.resources )) -}}
{{- $extraInitContainers := ternary .Values.deployment.extraInitContainers .Values.extraInitContainers (not (empty .Values.deployment.extraInitContainers )) -}}
{{- $extraContainers := ternary .Values.deployment.extraContainers .Values.extraContainers (not (empty .Values.deployment.extraContainers )) -}}
{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
{{- $nodeSelector := ternary .Values.deployment.nodeSelector .Values.nodeSelector (not (empty .Values.deployment.nodeSelector )) -}}
{{- $affinity := ternary .Values.deployment.affinity .Values.affinity (not (empty .Values.deployment.affinity )) -}}
{{- $tolerations := ternary .Values.deployment.tolerations .Values.tolerations (not (empty .Values.deployment.tolerations )) -}}
{{- $topologySpreadConstraints := ternary .Values.deployment.topologySpreadConstraints .Values.topologySpreadConstraints (not (empty .Values.deployment.topologySpreadConstraints )) -}}
{{- include "keto.automigration.typeVerification" . -}}
{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- if not $autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
strategy:
{{- toYaml .Values.deployment.strategy | nindent 4 }}
selector:
matchLabels:
{{- include "keto.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
{{- include "keto.annotations.checksum" . | indent 8 -}}
{{- with $podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "keto.selectorLabels" . | nindent 8 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
initContainers:
{{- if $extraInitContainers}}
{{- tpl $extraInitContainers . | nindent 8 }}
{{- end }}
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "initContainer" ) }}
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.keto.automigration.customCommand }}
command: {{- toYaml .Values.keto.automigration.customCommand | nindent 12 }}
{{- else }}
command: ["keto"]
{{- end }}
{{- if .Values.keto.automigration.customArgs }}
args: {{- toYaml .Values.keto.automigration.customArgs | nindent 12 }}
{{- else }}
args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if $migrationExtraEnv }}
{{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
{{- end }}
{{- with .Values.keto.automigration.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "keto.serviceAccountName" . }}
automountServiceAccountToken: {{ $automountServiceAccountToken }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: {{- toYaml .Values.keto.command | nindent 12 }}
{{- if .Values.keto.customArgs }}
args: {{- toYaml .Values.keto.customArgs | nindent 12 }}
{{- else }}
args:
- serve
- --config
- /etc/config/keto.yaml
{{- end }}
ports:
- name: {{ .Values.service.read.name }}
containerPort: {{ .Values.keto.config.serve.read.port }}
protocol: TCP
- name: {{ .Values.service.write.name }}
containerPort: {{ .Values.keto.config.serve.write.port }}
protocol: TCP
- name: {{ .Values.service.metrics.name }}
containerPort: {{ .Values.keto.config.serve.metrics.port }}
protocol: TCP
{{- with .Values.deployment.extraPorts }}
{{- toYaml . | nindent 12 }}
{{- end }}
lifecycle:
{{- toYaml .Values.deployment.lifecycle | nindent 12 }}
{{- if .Values.deployment.customLivenessProbe }}
livenessProbe:
{{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
{{- end }}
readinessProbe:
{{- if .Values.deployment.customReadinessProbe }}
{{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/alive
port: {{ .Values.keto.config.serve.write.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml $readinessProbe | nindent 12 }}
{{- end }}
startupProbe:
{{- if .Values.deployment.customStartupProbe }}
{{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/ready
port: {{ .Values.keto.config.serve.write.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.startupProbe | nindent 12 }}
{{- end }}
resources:
{{- toYaml $resources | nindent 12 }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if .Values.deployment.extraEnv }}
{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if $extraContainers }}
{{- tpl $extraContainers . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "keto.name" . }}-config-volume
configMap:
name: {{ include "keto.fullname" . }}-config
{{- with $extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}

38
opencloud/charts/keto/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
{{- if $autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
spec:
{{- with $autoscaling.behavior }}
behavior: {{- toYaml . | nindent 4 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "keto.fullname" . }}
minReplicas: {{ $autoscaling.minReplicas }}
maxReplicas: {{ $autoscaling.maxReplicas }}
metrics:
{{- with $autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $autoscaling.targetCPU}}
- type: Resource
resource:
name: cpu
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

54
opencloud/charts/keto/templates/ingress-read.yaml Normal file
View File

@@ -0,0 +1,54 @@
{{- if .Values.ingress.read.enabled -}}
{{- $fullName := include "keto.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-read
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.ingress.read.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.read.className }}
{{- if .Values.ingress.read.tls }}
tls:
{{- range .Values.ingress.read.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.read.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-read
port:
name: {{ $.Values.service.read.name }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.read.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

54
opencloud/charts/keto/templates/ingress-write.yaml Normal file
View File

@@ -0,0 +1,54 @@
{{- if .Values.ingress.write.enabled -}}
{{- $fullName := include "keto.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-write
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.ingress.write.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.write.className }}
{{- if .Values.ingress.write.tls }}
tls:
{{- range .Values.ingress.write.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.write.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-write
port:
name: {{ $.Values.service.write.name }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.write.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

123
opencloud/charts/keto/templates/job-migration.yaml Normal file
View File

@@ -0,0 +1,123 @@
{{- include "keto.automigration.typeVerification" . -}}
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "keto.fullname" . }}-automigrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.fullname" . }}-automigrate
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with $extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "keto.job.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.keto.automigration.customCommand }}
command: {{- toYaml .Values.keto.automigration.customCommand | nindent 10 }}
{{- else }}
command: ["keto"]
{{- end }}
{{- if .Values.keto.automigration.customArgs }}
args: {{- toYaml .Values.keto.automigration.customArgs | nindent 10 }}
{{- else }}
args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
{{- end }}
{{- if .Values.job.lifecycle }}
{{- tpl .Values.job.lifecycle . | nindent 8 }}
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $migrationExtraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.job.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
{{- end }}
{{- if .Values.job.extraContainers }}
{{- tpl .Values.job.extraContainers . | nindent 6 }}
{{- end }}
{{- if .Values.job.extraInitContainers }}
initContainers:
{{- tpl .Values.job.extraInitContainers . | nindent 8 }}
{{- end }}
restartPolicy: Never
volumes:
- name: {{ include "keto.name" . }}-config-volume
configMap:
name: {{ include "keto.fullname" . }}-migrate
{{- with $extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
backoffLimit: {{ .Values.job.spec.backoffLimit }}
{{- end }}

17
opencloud/charts/keto/templates/job-rbac.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if .Values.job.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.job.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.job.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}

20
opencloud/charts/keto/templates/pdb.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "keto.selectorLabels" . | nindent 6 }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}

55
opencloud/charts/keto/templates/rbac-watcher.yaml Normal file
View File

@@ -0,0 +1,55 @@
{{- if .Values.watcher.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.serviceAccountName" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- list
- watch
- get
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- get
- list
- patch
- update
- watch
resourceNames:
- {{ include "keto.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "keto.fullname" . }}-watcher
subjects:
- kind: ServiceAccount
name: {{ include "keto.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
{{- end }}

17
opencloud/charts/keto/templates/rbac.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end }}

18
opencloud/charts/keto/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if .Values.secret.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "keto.secretname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
annotations:
{{- with .Values.secret.secretAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
data:
dsn: {{ include "keto.dsn" . | b64enc | quote }}
{{- end }}

32
opencloud/charts/keto/templates/service-extraServices.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- range $ServiceName, $ServiceData := .Values.extraServices }}
{{- if $ServiceData.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" $ }}-{{ $ServiceName }}
{{- if $.Release.Namespace }}
namespace: {{ $.Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: {{ $ServiceName }}
{{- include "keto.labels" $ | nindent 4 }}
spec:
type: {{ $ServiceData.type }}
{{- if eq $ServiceData.type "LoadBalancer" }}
{{- with $ServiceData.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ $ServiceData.port }}
targetPort: {{ $ServiceData.name }}
protocol: TCP
name: {{ $ServiceData.name }}
selector:
app.kubernetes.io/name: {{ include "keto.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- end }}
{{- end }}

27
opencloud/charts/keto/templates/service-metrics.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{- if .Values.service.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-metrics
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: metrics
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.metrics.type }}
{{- if eq .Values.service.metrics.type "LoadBalancer" }}
{{- with .Values.service.metrics.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.metrics.port }}
targetPort: {{ .Values.service.metrics.name }}
protocol: TCP
name: {{ .Values.service.metrics.name }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{ end }}

60
opencloud/charts/keto/templates/service-read.yaml Normal file
View File

@@ -0,0 +1,60 @@
{{- if .Values.service.read.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-read
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: read
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.read.type }}
{{- if eq .Values.service.read.type "LoadBalancer" }}
{{- with .Values.service.read.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
{{- if eq .Values.service.read.type "ClusterIP" }}
{{- with .Values.service.read.clusterIP }}
clusterIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.read.port }}
targetPort: {{ .Values.service.read.name }}
protocol: TCP
name: {{ .Values.service.read.name }}
appProtocol: {{ .Values.service.read.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.service.read.headless.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-read-headless
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
service.ory.sh/type: headless
app.kubernetes.io/component: read
{{- include "keto.labels" . | nindent 4 }}
spec:
type: "ClusterIP"
clusterIP: "None"
ports:
- port: {{ .Values.keto.config.serve.read.port }}
targetPort: {{ .Values.service.read.name }}
protocol: TCP
name: {{ .Values.service.read.name }}
appProtocol: {{ .Values.service.read.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}

59
opencloud/charts/keto/templates/service-write.yaml Normal file
View File

@@ -0,0 +1,59 @@
{{- if .Values.service.write.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-write
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: write
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.write.type }}
{{- if eq .Values.service.write.type "LoadBalancer" }}
{{- with .Values.service.write.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
{{- if eq .Values.service.write.type "ClusterIP" }}
{{- with .Values.service.write.clusterIP }}
clusterIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.write.port }}
targetPort: {{ .Values.service.write.name }}
protocol: TCP
name: {{ .Values.service.write.name }}
appProtocol: {{ .Values.service.write.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.service.write.headless.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-write-headless
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
service.ory.sh/type: headless
app.kubernetes.io/component: write
{{- include "keto.labels" . | nindent 4 }}
spec:
type: "ClusterIP"
clusterIP: "None"
ports:
- port: {{ .Values.keto.config.serve.write.port }}
targetPort: {{ .Values.service.write.name }}
protocol: TCP
name: {{ .Values.service.write.name }}
appProtocol: {{ .Values.service.write.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}

36
opencloud/charts/keto/templates/servicemonitor-metrics.yaml Normal file
View File

@@ -0,0 +1,36 @@
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") (.Values.service.metrics.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "keto.fullname" . }}-metrics
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: metrics
{{ include "keto.labels" . | indent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.metrics.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- path: /metrics/prometheus
port: {{ .Values.service.metrics.name }}
scheme: {{ .Values.serviceMonitor.scheme }}
interval: {{ .Values.serviceMonitor.scrapeInterval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: metrics
{{- end -}}

20
opencloud/charts/keto/templates/tests/test-connection.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "keto.fullname" . }}-test-connection"
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "keto.labels" . | nindent 4 }}
{{- with .Values.test.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
helm.sh/hook: test-success
spec:
containers:
- name: wget
image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
command: ['wget']
args: ['{{ include "keto.fullname" . }}-write:{{ .Values.service.write.port }}/health/ready']
restartPolicy: Never

471
opencloud/charts/keto/values.yaml Normal file
View File

@@ -0,0 +1,471 @@
# Default values for keto.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Number of replicas in deployment
replicaCount: 1
## -- Image configuration
image:
# -- Ory KETO image
repository: oryd/keto
# -- Default image pull policy
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
# -- Ory KETO version
tag: "v0.12.0"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- Pod priority
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## -- ServiceAccount
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
## -- pod securityContext for hydra & migration init
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
runAsUser: 65534
fsGroup: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
## -- container securityContext for hydra & migration init
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
allowPrivilegeEscalation: false
privileged: false
seLinuxOptions:
level: "s0:c123,c456"
## -- Values for initialization job
job:
# -- If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations:
helm.sh/hook-weight: "1"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- If you want to add extra init containers.
extraInitContainers: ""
# extraInitContainers: |
# - name: ...
# image: ...
# -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
# is expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
# foo: bar
# -- Configure node tolerations.
tolerations: []
# -- Job resources
resources: {}
# -- If you want to add lifecycle hooks.
lifecycle: ""
# lifecycle: |
# preStop:
# exec:
# command: [...]
# -- Set automounting of the SA token
automountServiceAccountToken: false
# -- Set sharing process namespace
shareProcessNamespace: false
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
spec:
# -- Set job back off limit
backoffLimit: 10
## -- Ingress definitions
ingress:
read:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /read
pathType: Prefix
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
write:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /write
pathType: Prefix
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## -- Service configurations
service:
## -- Read service
read:
enabled: true
type: ClusterIP
clusterIP: ""
## -- The load balancer IP
loadBalancerIP: ""
name: grpc-read
port: 80
appProtocol: grpc
## -- Enable extra headless service
headless:
enabled: true
## -- Write service
write:
enabled: true
type: ClusterIP
clusterIP: ""
## -- The load balancer IP
loadBalancerIP: ""
name: grpc-write
port: 80
appProtocol: grpc
## -- Enable extra headless service
headless:
enabled: true
## -- Metrics service
metrics:
enabled: false
type: ClusterIP
## -- The load balancer IP
loadBalancerIP: ""
name: http-metrics
port: 80
annotations: {}
## -- Extra services to be deployed
extraServices: {}
## -- Secret management
secret:
# -- Switch to false to prevent creating the secret
enabled: true
# -- Provide custom name of existing secret, or custom name of secret to be created
nameOverride: ""
# nameOverride: "myCustomSecret"
# -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
secretAnnotations:
# Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
# pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
helm.sh/resource-policy: "keep"
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
## -- Main application config.
keto:
# -- Ability to override the entrypoint of keto container
# (e.g. to source dynamic secrets or export environment dynamic variables)
command: ["keto"]
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
customArgs: []
# -- Enables database migration
automigration:
enabled: false
# -- Configure the way to execute database migration. Possible values: job, initContainer
# When set to job, the migration will be executed as a job on release or upgrade.
# When set to initContainer, the migration will be executed when kratos pod is created
# Defaults to job
type: job
# -- Ability to override the entrypoint of the automigration container
# (e.g. to source dynamic secrets or export environment dynamic variables)
customCommand: []
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
# eg:
# - sleep 5;
# - keto
customArgs: []
# -- resource requests and limits for the automigration initcontainer
resources: {}
# -- Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration
config:
serve:
read:
port: 4466
write:
port: 4467
metrics:
port: 4468
namespaces:
- id: 0
name: sample
dsn: memory
## -- Configure the probes for when the deployment is considered ready and ongoing health check
deployment:
## -- Specify pod deployment strategy
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: "25%"
maxUnavailable: "25%"
## -- Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)
minReadySeconds: 0
## -- DEPRECATED Set custom pod annotations
podAnnotations: {}
## -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
## -- Extra pod level labels
labels: {}
## -- Extra pod level annotations
annotations: {}
## -- Set custom security context for pods
podSecurityContext: {}
# fsGroup: 2000
# https://github.com/kubernetes/kubernetes/issues/57601
automountServiceAccountToken: true
lifecycle: {}
## -- Default probe timers
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 5
## -- Default probe timers
startupProbe:
failureThreshold: 5
successThreshold: 1
periodSeconds: 1
timeoutSeconds: 1
initialDelaySeconds: 0
## -- Configure a custom livenessProbe. This overwrites the default object
customLivenessProbe: {}
## -- Configure a custom readinessProbe. This overwrites the default object
customReadinessProbe: {}
## -- Configure a custom startupProbe. This overwrites the default object
customStartupProbe: {}
## -- Add custom annotations to the deployment
annotations: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- Autoscaling for keto deployment
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPU: {}
# type: Utilization
# averageUtilization: 80
targetMemory: {}
# type: Utilization
# averageUtilization: 80
# -- Set custom behavior
# https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
behavior: {}
nodeSelector: {}
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Array of extra Volumes to be added to the deployment. K8s format expected
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumes: []
# -- Array of extra VolumeMounts to be added to the deployment. K8s format expected
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
extraVolumeMounts: []
# -- If you want to add extra init containers. These are processed before the migration init container.
extraInitContainers: {}
# extraInitContainers: |
# - name: ...
# image: ...
# -- Extra labels to be added to the deployment, and pods. K8s object format expected
# foo: bar
# my.special.label/type: value
extraLabels: {}
# -- Extra ports to be exposed by the main deployment
extraPorts: []
tolerations: []
affinity: {}
# -- Configure pod topologySpreadConstraints.
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: keto
# app.kubernetes.io/instance: keto
# -- Configure pod dnsConfig.
dnsConfig: {}
# options:
# - name: "ndots"
# value: "1"
# -- Parameters for the automigration initContainer
automigration:
# -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
# Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Number of revisions kept in history
revisionHistoryLimit: 5
terminationGracePeriodSeconds: 60
## -- Watcher sidecar configuration
watcher:
enabled: false
image: oryd/k8s-toolbox:v0.0.7
# -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo
mountFile: ""
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Label key used for managing applications
watchLabelKey: "ory.sh/watcher"
# -- Number of revisions kept in history
revisionHistoryLimit: 5
automountServiceAccountToken: true
resources: {}
## -- PodDistributionBudget configuration
pdb:
enabled: false
spec:
minAvailable: ""
maxUnavailable: ""
## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
# -- HTTP scheme to use for scraping.
scheme: http
# -- Interval at which metrics should be scraped
scrapeInterval: 60s
# -- Timeout after which the scrape is ended
scrapeTimeout: 30s
# -- Provide additionnal labels to the ServiceMonitor ressource metadata
labels: {}
# -- TLS configuration to use when scraping the endpoint
tlsConfig: {}
configmap:
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
test:
# -- Provide additional labels to the test pod
labels: {}
# -- use a busybox image from another repository
busybox:
repository: busybox
tag: 1

133
opencloud/charts/openldap/.argo-workflow.yaml Normal file
View File

@@ -0,0 +1,133 @@
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: openldap-qualif-
spec:
entrypoint: test-deployment
arguments:
parameters:
- name: namespace
value: openldap-qualif
- name: app
value: openldap-qualif
# This spec contains two templates: hello-hello-hello and whalesay
templates:
- name: test-deployment
parallelism: 1
# Instead of just running a container
# This template has a sequence of steps
steps:
- - name: wait-upgrade # hello1 is run before the following steps
template: wait-upgrade
arguments:
parameters:
- name: time
value: 10
- name: type
value: sts
- - name: test-openldap-upgrade # double dash => run after previous step
template: test-openldap-upgrade
arguments:
parameters:
- name: url
value: "{{workflow.parameters.app}}.{{workflow.parameters.namespace}}"
- name: password
value: "Not@SecurePassw0rd"
- name: user
value: "cn=admin,dc=example,dc=org"
- name: occurence
value: "{{item}}"
withSequence:
count: "1"
- - name: apply-chaos-test # double dash => run after previous step
template: apply-chaos-test
- - name: test-openldap # double dash => run after previous step
template: test-openldap-upgrade
arguments:
parameters:
- name: url
value: "{{workflow.parameters.app}}.{{workflow.parameters.namespace}}"
- name: password
value: "Not@SecurePassw0rd"
- name: user
value: "cn=admin,dc=example,dc=org"
- name: occurence
value: "{{item}}"
withSequence:
count: "60"
- - name: cleanup # double dash => run after previous step
template: pause-chaos-test
# This is the same template as from the previous example
- name: wait-upgrade
serviceAccountName: argo-workflow-invocator
inputs:
parameters:
- name: time
- name: type # type of resources to wait (deployement or sts)
script:
image: bitnami/kubectl:1.18.13
command: [/bin/bash]
source: |
sleep {{inputs.parameters.time}}
kubectl rollout status -n {{workflow.parameters.namespace}} {{inputs.parameters.type}} {{workflow.parameters.app}}
- name: test-openldap-upgrade
serviceAccountName: argo-workflow-invocator
inputs:
parameters:
- name: url
- name: password
- name: user
- name: occurence
script:
image: alpine
command: [sh]
source: | # Contents of the here-script
apk add openldap-clients
echo "run ldap commands (add, search, modify...)"
LDAPTLS_REQCERT=never ldapsearch -x -D '{{inputs.parameters.user}}' -w {{inputs.parameters.password}} -H ldaps://{{inputs.parameters.url}} -b 'dc=example,dc=org'
sleep 60
- name: apply-chaos-test
serviceAccountName: argo-workflow-invocator
resource: # indicates that this is a resource template
action: apply # can be any kubectl action (e.g. create, delete, apply, patch)
manifest: | #put your kubernetes spec here
apiVersion: chaos-mesh.org/v1alpha1
kind: PodChaos
metadata:
name: pod-failure-openldap
namespace: openldap-qualif
annotations:
experiment.chaos-mesh.org/pause: "false"
spec:
action: pod-failure
mode: random-max-percent
value: "100"
duration: "15s"
selector:
labelSelectors:
"app": "openldap-qualif"
scheduler:
cron: "@every 2m"
- name: pause-chaos-test
serviceAccountName: argo-workflow-invocator
resource: # indicates that this is a resource template
action: apply # can be any kubectl action (e.g. create, delete, apply, patch)
manifest: | #put your kubernetes spec here
apiVersion: chaos-mesh.org/v1alpha1
kind: PodChaos
metadata:
name: pod-failure-openldap
namespace: openldap-qualif
annotations:
experiment.chaos-mesh.org/pause: "true"
spec:
action: pod-failure
mode: random-max-percent
value: "100"
duration: "15s"
selector:
labelSelectors:
"app": "openldap-qualif"
scheduler:
cron: "@every 2m"

5
opencloud/charts/openldap/.helmignore Normal file
View File

@@ -0,0 +1,5 @@
.git
.github
.chaos
.argo-workflow

24
opencloud/charts/openldap/Chart.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: v2
appVersion: 2.4.47
dependencies:
- condition: ltb-passwd.enabled
name: ltb-passwd
repository: ""
version: 0.1.x
- condition: phpldapadmin.enabled
name: phpldapadmin
repository: ""
version: 0.1.x
description: Community developed LDAP software
home: https://www.openldap.org
icon: http://www.openldap.org/images/headers/LDAPworm.gif
keywords:
- ldap
- openldap
maintainers:
- email: jp-gouin@hotmail.fr
name: Jean-Philippe Gouin
name: openldap
sources:
- https://github.com/kubernetes/charts
version: 2.0.4

167
opencloud/charts/openldap/README.md Normal file
View File

@@ -0,0 +1,167 @@
# OpenLDAP Helm Chart
## Prerequisites Details
* Kubernetes 1.8+
* PV support on the underlying infrastructure
## Chart Details
This chart will do the following:
* Instantiate 3 instances of OpenLDAP server with multi-master replication
* A phpldapadmin to administrate the OpenLDAP server
* ltb-passwd for self service password
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ git clone https://github.com/jp-gouin/helm-openldap.git
$ cd helm-openldap
$ helm install openldap .
```
## Configuration
We use the docker images provided by https://github.com/osixia/docker-openldap. The docker image is highly configurable and well documented. Please consult to documentation for the docker image for more information.
The following table lists the configurable parameters of the openldap chart and their default values.
| Parameter | Description | Default |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `replicaCount` | Number of replicas | `3` |
| `strategy` | Deployment strategy | `{}` |
| `image.repository` | Container image repository | `osixia/openldap` |
| `image.tag` | Container image tag | `1.1.10` |
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `extraLabels` | Labels to add to the Resources | `{}` |
| `podAnnotations` | Annotations to add to the pod | `{}` |
| `existingSecret` | Use an existing secret for admin and config user passwords | `""` |
| `service.annotations` | Annotations to add to the service | `{}` |
| `service.externalIPs` | Service external IP addresses | `[]` |
| `service.ldapPort` | External service port for LDAP | `389` |
| `service.ldapPortNodePort` | Nodeport of External service port for LDAP if service.type is NodePort | `nil` |
| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` |
| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` |
| `service.sslLdapPort` | External service port for SSL+LDAP | `636` |
| `service.sslLdapPortNodePort` | Nodeport of External service port for SSL if service.type is NodePort | `nil` |
| `service.type` | Service type can be ClusterIP, NodePort, LoadBalancer | `ClusterIP` |
| `env` | List of key value pairs as env variables to be sent to the docker image. See https://github.com/osixia/docker-openldap for available ones | `[see values.yaml]` |
| `logLevel` | Set the container log level. Valid values: `none`, `error`, `warning`, `info`, `debug`, `trace` | `info` |
| `tls.enabled` | Set to enable TLS/LDAPS with custom certificate - should also set `tls.secret` | `false` |
| `tls.secret` | Secret containing TLS cert and key (eg, generated via cert-manager) | `""` |
| `tls.CA.enabled` | Set to enable custom CA crt file - should also set `tls.CA.secret` | `false` |
| `tls.CA.secret` | Secret containing CA certificate (ca.crt) | `""` |
| `adminPassword` | Password for admin user. Unset to auto-generate the password | None |
| `configPassword` | Password for config user. Unset to auto-generate the password | None |
| `customLdifFiles` | Custom ldif files to seed the LDAP server. List of filename -> data pairs | None |
| `persistence.enabled` | Whether to use PersistentVolumes or not | `false` |
| `persistence.storageClass` | Storage class for PersistentVolumes. | `<unset>` |
| `persistence.accessMode` | Access mode for PersistentVolumes | `ReadWriteOnce` |
| `persistence.size` | PersistentVolumeClaim storage size | `8Gi` |
| `resources` | Container resource requests and limits in yaml | `{}` |
| `test.enabled` | Conditionally provision test resources | `false` |
| `test.image.repository` | Test container image requires bats framework | `dduportal/bats` |
| `test.image.tag` | Test container tag | `0.4.0` |
| `replication.enabled` | Enable the multi-master replication | `true` |
| `replication.retry` | retry period for replication in sec | `60` |
| `replication.timeout` | timeout for replication in sec| `1` |
| `replication.starttls` | starttls replication | `critical` |
| `replication.tls_reqcert` | tls certificate validation for replication | `never` |
| `replication.interval` | interval for replication | `00:00:00:10` |
| `replication.clusterName` | Set the clustername for replication | "cluster.local" |
| `phpldapadmin.enabled` | Enable the deployment of PhpLdapAdmin | `true`|
| `phpldapadmin.ingress` | Ingress of Phpldapadmin | `{}` |
| `phpldapadmin.env` | Environment variables for PhpldapAdmin| `{}` |
|`ltb-passwd.enabled`| Enable the deployment of Ltb-Passwd| `true` |
|`ltb-passwd.ingress`| Ingress of the Ltb-Passwd service | `{}` |
|`ltb-passwd.ldap`| Ldap configuration for the Ltb-Passwd service | `{}` |
|`ltb-passwd.env`| Environment variables for ltp-passwd | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install --name my-release -f values.yaml stable/openldap
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## PhpLdapAdmin
To enable PhpLdapAdmin set `phpldapadmin.enabled` to `true`
Ingress can be configure if you want to expose the service.
Setup the env part of the configuration to access the OpenLdap server
**Note** : The ldap host should match the following `namespace.Appfullname`
Example :
```
phpldapadmin:
enabled: true
ingress:
enabled: true
annotations: {}
path: /
## Ingress Host
hosts:
- phpldapadmin.local
env:
PHPLDAPADMIN_LDAP_HOSTS: openldap.openldap
```
## Self-service-password
To enable Self-service-password set `ltb-passwd.enabled` to `true`
Ingress can be configure if you want to expose the service.
Setup the `ldap` part with the information of the OpenLdap server.
Set `bindDN` accordingly to your ldap domain
**Note** : The ldap server host should match the following `ldap://namespace.Appfullname`
Example :
```
ltb-passwd:
enabled : true
ingress:
enabled: true
annotations: {}
host: "ssl-ldap2.local"
ldap:
server: ldap://openldap.openldap
searchBase: dc=example,dc=org
bindDN: cn=admin,dc=example,dc=org
bindPWKey: LDAP_ADMIN_PASSWORD
```
## Cleanup orphaned Persistent Volumes
Deleting the Deployment will not delete associated Persistent Volumes if persistence is enabled.
Do the following after deleting the chart release to clean up orphaned Persistent Volumes.
```bash
$ kubectl delete pvc -l release=${RELEASE-NAME}
```
## Custom Secret
`existingSecret` can be used to override the default secret.yaml provided
## Testing
Helm tests are included and they confirm connection to slapd.
```bash
helm install . --set test.enabled=true
helm test <RELEASE_NAME>
RUNNING: foolish-mouse-openldap-service-test-akmms
PASSED: foolish-mouse-openldap-service-test-akmms
```
It will confirm that we can do an ldapsearch with the default credentials

22
opencloud/charts/openldap/charts/ltb-passwd/.helmignore Normal file
View File

@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

5
opencloud/charts/openldap/charts/ltb-passwd/Chart.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: v2
appVersion: "1.3"
description: LTB Project Password self service
name: ltb-passwd
version: 0.1.0

63
opencloud/charts/openldap/charts/ltb-passwd/README.md Normal file
View File

@@ -0,0 +1,63 @@
# LTB Password Self Service Helm Chart
This repository contains the helm chart for the LTB password change webapp.
It is based on several other projects, namely:
- [LTB Self-Service Password](https://ltb-project.org/documentation/self-service-password)
- [LTB Self-Service Password Github Repo](https://github.com/ltb-project/self-service-password)
- [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password)
## Prerequisites
- Kubernetes 1.8+
## Chart Details
This chart will do the following:
- Instantiate an instance of the LTB LDAP Self-Service Password webapp.
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm install --name my-release $PATH_TO_THIS_REPO
```
## Configuration
We use this image as base image, please refer to the documentation for specific options.
- [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password)
Configuration is done within `values.yaml`:
| Parameter | Description | Default |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
| `ldap.server` | LDAP Server URL, should be of the form: `ldap://ldap.svc:389` | ` ` |
| `ldap.searchBase` | LDAP Search Base for the users | ` ` |
| `ldap.binduserSecret` | Name of an **existing** secret to fetch the credentials for the bind user from. Needs keys `BINDDN` and `BINDPW` | ` ` |
| `env` | List of key value pairs as env variables to be sent to the docker image. See https://github.com/tiredofit/docker-self-service-password for available ones | `[see values.yaml]`|
| `replicaCount` | Number of replicas | `1` |
| `image.repository` | Container image repository | ` tiredofit/self-service-password` |
| `image.tag` | Container image tag | `latest` |
| `image.pullPolicy` | Container pull policy | `Default` |
| `service.port` | External port for the WebApp | `80` |
| `service.type` | Service type | `ClusterIP` |
| `ingress.enabled` | Whether to generate ingress resources | `false` |
| `ingress.annotations` | Annotations to add to the ingress | `{}` |
| `ingress.hosts` | Hostnames to redirect to the webapp | `[]` |
| `ingress.tls` | TLS Configuration | `[]` |
| `resources` | Container resource requests and limits in yaml | `{}` |
| `nodeSelector` | NodeSelector to run the image on | `{}` |
| `tolerations` | Tolerations for the service pod | `[]` |
| `affinity` | Attractions for the service pod | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install --name my-release -f values.yaml $PATH_TO_THIS_REPO
```

1
opencloud/charts/openldap/charts/ltb-passwd/templates/NOTES.txt Normal file
View File

@@ -0,0 +1 @@
Happy password changing :)

51
opencloud/charts/openldap/charts/ltb-passwd/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,51 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "ltb-passwd.name" -}}
{{ default .Release.Name .Values.existingSecret }}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "ltb-passwd.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ltb-passwd.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "ltb-passwd.labels" -}}
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
helm.sh/chart: {{ include "ltb-passwd.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Generate chart secret name
*/}}
{{- define "ltb-passwd.secretName" -}}
{{ default (include "ltb-passwd.fullname" .) .Values.existingSecret }}
{{- end -}}

69
opencloud/charts/openldap/charts/ltb-passwd/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ltb-passwd.fullname" . }}
labels:
{{ include "ltb-passwd.labels" . | indent 4 }}
spec:
replicas: {{ default 1 .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: LDAP_SERVER
value: {{ .Values.ldap.server | quote }}
- name: LDAP_BINDDN
value: {{ .Values.ldap.bindDN | quote }}
- name: LDAP_BINDPASS
valueFrom:
secretKeyRef:
name: {{ template "ltb-passwd.secretName" . }}
key: {{ .Values.ldap.bindPWKey }}
- name: LDAP_STARTTLS
value: "false"
- name: LDAP_BASE_SEARCH
value: {{ .Values.ldap.searchBase | quote }}
{{- with .Values.env }}
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

38
opencloud/charts/openldap/charts/ltb-passwd/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "ltb-passwd.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "ltb-passwd.name" . }}
chart: {{ template "ltb-passwd.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

19
opencloud/charts/openldap/charts/ltb-passwd/templates/service.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "ltb-passwd.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
helm.sh/chart: {{ include "ltb-passwd.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}

51
opencloud/charts/openldap/charts/ltb-passwd/values.yaml Normal file
View File

@@ -0,0 +1,51 @@
# Default values for ltb-passwd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: tiredofit/self-service-password
tag: latest
pullPolicy: Always
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
service:
type: ClusterIP
port: 80
ingress:
enabled: true
annotations: {}
host: "ssl-ldap.local"
## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
annotations: {}
path: /
## Ingress Host
# hosts:
# - ssl-ldap.local
#
tls: []
# tls:
# - secretName: ssl-ldap-dedicated-tls
# hosts:
# - ssl-ldap.local
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
ldap:
server: ldap://openldap.openldap
searchBase: dc=example,dc=org
# existingSecret: ssp-ldap
bindDN: cn=admin,dc=example,dc=org
bindPWKey: BINDPW
env:
- name: SECRETEKEY
value: "password"
- name: LDAP_LOGIN_ATTRIBUTE
value: "cn"

13
opencloud/charts/openldap/charts/phpldapadmin/Chart.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
appVersion: 0.7.1
description: Web-based LDAP browser to manage your LDAP server
home: http://phpldapadmin.sourceforge.net
icon: http://phpldapadmin.sourceforge.net/wiki/images/d/d4/Logo.jpg
keywords:
- phpldapadmin
- openldap
- userrights
maintainers:
- name: Jean-Philippe Gouin
name: phpldapadmin
version: 0.1.2

107
opencloud/charts/openldap/charts/phpldapadmin/README.md Normal file
View File

@@ -0,0 +1,107 @@
# Helm Chart for phpLDAPadmin
[![CircleCI](https://circleci.com/gh/cetic/helm-phpLDAPadmin.svg?style=svg)](https://circleci.com/gh/cetic/helm-phpLDAPadmin/tree/master) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![version](https://img.shields.io/github/tag/cetic/helm-phpLDAPadmin.svg?label=release)
## Introduction
This [Helm](https://github.com/kubernetes/helm) chart installs [phpLDAPadmin](http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page) in a Kubernetes cluster.
## Prerequisites
- Kubernetes cluster 1.10+
- Helm 2.8.0+
- PV provisioner support in the underlying infrastructure.
## Installation
### Add Helm repository
```bash
helm repo add cetic https://cetic.github.io/helm-charts
helm repo update
```
### Configure the chart
The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (you need to download the chart first).
#### Configure the way how to expose phpLDAPadmin service:
- **Ingress**: The ingress controller must be installed in the Kubernetes cluster.
- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
- **NodePort**: Exposes the service on each Nodes IP at a static port (the NodePort). Youll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
- **LoadBalancer**: Exposes the service externally using a cloud providers load balancer.
#### Configure how to persist data (TODO):
- **Disable**: The data does not survive the termination of a pod.
- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use.
### Install the chart
Install the phpLDAPadmin helm chart with a release name `my-release`:
```bash
helm install --name my-release cetic/phpldapadmin
```
## Uninstallation
To uninstall/delete the `my-release` deployment:
```bash
helm delete --purge my-release
```
## Configuration
The following table lists the configurable parameters of the phpLDAPadmin chart and the default values.
| Parameter | Description | Default |
| --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------| ------------------------------- |
| **ReplicaCount** |
| `replicaCount` | number of phpLDAPadmin images | `1` |
| **Env** |
| `env` | See values.yaml | `nil` |
| **Image** |
| `image.repository` | phpldapadmin Image name | `osixia/phpldapadmin` |
| `image.tag` | phpldapadmin Image tag | `0.7.1` |
| `image.pullPolicy` | phpldapadmin Image pull policy | `IfNotPresent` |
| **Service** |
| `service.type` | Type of service for phpldapadmin frontend | `LoadBalancer` |
| `service.port` | Port to expose service | `80` |
| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `nil` |
| `service.loadBalancerSourceRanges` | LoadBalancerSourceRanges | `nil` |
| `service.annotations` | Service annotations | `{}` |
| **Ingress** |
| `ingress.enabled` | Enables Ingress | `false` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.path` | Path to access frontend | `/` |
| `ingress.hosts` | Ingress hosts | `nil` |
| `ingress.tls` | Ingress TLS configuration | `[]` |
| **ReadinessProbe** |
| `readinessProbe` | Rediness Probe settings | `{ "httpGet": { "path": "/", "port": http }}`|
| **LivenessProbe** |
| `livenessProbe` | Liveness Probe settings | `{ "httpGet": { "path": "/", "port": http }}`|
| **Resources** |
| `resources` | CPU/Memory resource requests/limits | `{}` |
| **nodeSelector** |
| `nodeSelector` | nodeSelector | `{}` |
| **tolerations** |
| `tolerations` | tolerations | `{}` |
| **affinity** |
| `affinity` | affinity | `{}` |
## Credits
Initially inspired from https://github.com/gengen1988/helm-phpldapadmin.
## Contributing
Feel free to contribute by making a [pull request](https://github.com/cetic/helm-phpLDAPadmin/pull/new/master).
Please read the official [Contribution Guide](https://github.com/helm/charts/blob/master/CONTRIBUTING.md) from Helm for more information on how you can contribute to this Chart.
## License
[Apache License 2.0](/LICENSE)

84
opencloud/charts/openldap/charts/phpldapadmin/publish.sh Normal file
View File

@@ -0,0 +1,84 @@
#!/bin/sh
set -e
set -o pipefail
WORKING_DIRECTORY="$PWD"
[ "$GITHUB_PAGES_REPO" ] || {
echo "ERROR: Environment variable GITHUB_PAGES_REPO is required"
exit 1
}
[ "$HELM_CHART" ] || {
echo "ERROR: Environment variable HELM_CHART is required"
exit 1
}
[ -z "$GITHUB_PAGES_BRANCH" ] && GITHUB_PAGES_BRANCH=gh-pages
[ -z "$HELM_CHARTS_SOURCE" ] && HELM_CHARTS_SOURCE="$WORKING_DIRECTORY/$HELM_CHART"
[ -d "$WORKING_DIRECTORY" ] || {
echo "ERROR: Could not find Helm charts in $WORKING_DIRECTORY"
exit 1
}
[ -z "$HELM_VERSION" ] && HELM_VERSION=2.8.1
[ "$CIRCLE_BRANCH" ] || {
echo "ERROR: Environment variable CIRCLE_BRANCH is required"
exit 1
}
echo "GITHUB_PAGES_REPO=$GITHUB_PAGES_REPO"
echo "GITHUB_PAGES_BRANCH=$GITHUB_PAGES_BRANCH"
echo "HELM_CHARTS_SOURCE=$HELM_CHARTS_SOURCE"
echo "HELM_VERSION=$HELM_VERSION"
echo "CIRCLE_BRANCH=$CIRCLE_BRANCH"
echo ">>> Create Chart Directory"
mkdir -p $HELM_CHARTS_SOURCE/
mkdir -p /tmp/helm-tmp/
mv $WORKING_DIRECTORY/* /tmp/helm-tmp/
mv /tmp/helm-tmp/ $HELM_CHARTS_SOURCE/
echo '>> Prepare...'
mkdir -p /tmp/helm/bin
mkdir -p /tmp/helm/publish
apk update
apk add ca-certificates git openssh
echo '>> Installing Helm...'
cd /tmp/helm/bin
wget "https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz"
tar -zxf "helm-v${HELM_VERSION}-linux-amd64.tar.gz"
chmod +x linux-amd64/helm
alias helm=/tmp/helm/bin/linux-amd64/helm
helm version -c
helm init -c
echo ">> Checking out $GITHUB_PAGES_BRANCH branch from $GITHUB_PAGES_REPO"
cd /tmp/helm/publish
mkdir -p "$HOME/.ssh"
ssh-keyscan -H github.com >> "$HOME/.ssh/known_hosts"
git clone -b "$GITHUB_PAGES_BRANCH" "git@github.com:$GITHUB_PAGES_REPO.git" .
echo '>> Building chart...'
echo ">>> helm lint $HELM_CHARTS_SOURCE"
helm lint "$HELM_CHARTS_SOURCE"
echo ">>> helm package -d $HELM_CHART $HELM_CHARTS_SOURCE"
mkdir -p "$HELM_CHART"
helm package -d "$HELM_CHART" "$HELM_CHARTS_SOURCE"
echo '>>> helm repo index'
helm repo index .
if [ "$CIRCLE_BRANCH" != "master" ]; then
echo "Current branch is not master and do not publish"
exit 0
fi
echo ">> Publishing to $GITHUB_PAGES_BRANCH branch of $GITHUB_PAGES_REPO"
git config user.email "$CIRCLE_USERNAME@users.noreply.github.com"
git config user.name CircleCI
git add .
git status
git commit -m "Published by CircleCI $CIRCLE_BUILD_URL"
git push origin "$GITHUB_PAGES_BRANCH"

26
opencloud/charts/openldap/charts/phpldapadmin/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,26 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
You should be able to access your new phpLDAPadmin installation through
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
Find out your cluster ip address by running:
$ kubectl cluster-info
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "phpldapadmin.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "phpldapadmin.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "phpldapadmin.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "phpldapadmin.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}
** Please be patient while the chart is being deployed **

32
opencloud/charts/openldap/charts/phpldapadmin/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "phpldapadmin.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "phpldapadmin.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "phpldapadmin.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

14
opencloud/charts/openldap/charts/phpldapadmin/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "phpldapadmin.fullname" . }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{ toYaml .Values.env | indent 2 }}

52
opencloud/charts/openldap/charts/phpldapadmin/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,52 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "phpldapadmin.fullname" . }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "phpldapadmin.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "phpldapadmin.name" . }}
release: {{ .Release.Name }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80
protocol: TCP
envFrom:
- configMapRef:
name: {{ template "phpldapadmin.fullname" . }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 12 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 12 }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

38
opencloud/charts/openldap/charts/phpldapadmin/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "phpldapadmin.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

32
opencloud/charts/openldap/charts/phpldapadmin/templates/service.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "phpldapadmin.fullname" . }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ with .Values.service.loadBalancerSourceRanges }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app: {{ template "phpldapadmin.name" . }}
release: {{ .Release.Name }}

94
opencloud/charts/openldap/charts/phpldapadmin/values.yaml Normal file
View File

@@ -0,0 +1,94 @@
---
# Default values for phpldapadmin.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
## TODO: add this in the deployment.yaml
env:
# PHPLDAPADMIN_LDAP_HOSTS: ...
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
## Number of phpLDAPadmin images
replicaCount: 1
## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
##
image:
repository: osixia/phpldapadmin
tag: 0.9.0
pullPolicy: IfNotPresent
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
## TODO persistence
## Expose the pgAdmin service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
type: ClusterIP
## name: phpldapadmin
port: 80
annotations: {}
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
# loadBalancerSourceRanges:
# - 10.10.10.0/24
## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
enabled: false
annotations: {}
path: /
## Ingress Host
# hosts:
# - phpldapadmin.example.org
#
tls: []
# tls:
# - secretName: phpldapadmin-dedicated-tls
# hosts:
# - phpldapadmin.example.org
## Configure liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
readinessProbe:
httpGet:
path: /
port: http
livenessProbe:
httpGet:
path: /
port: http
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

20
opencloud/charts/openldap/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,20 @@
OpenLDAP has been installed. You can access the server from within the k8s cluster using:
{{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }}
You can access the LDAP adminPassword and configPassword using:
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_ADMIN_PASSWORD}" | base64 --decode; echo
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_CONFIG_PASSWORD}" | base64 --decode; echo
You can access the LDAP service, from within the cluster (or with kubectl port-forward) with a command like (replace password and domain):
ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}-service.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
Test server health using Helm test:
helm test {{ .Release.Name }}
You can also consider installing the helm chart for phpldapadmin to manage this instance of OpenLDAP, or install Apache Directory Studio, and connect using kubectl port-forward.

74
opencloud/charts/openldap/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,74 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "openldap.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openldap.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openldap.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Generate chart secret name
*/}}
{{- define "openldap.secretName" -}}
{{ default (include "openldap.fullname" .) .Values.existingSecret }}
{{- end -}}
{{/*
Generate replication services list
*/}}
{{- define "replicalist" -}}
{{- $name := (include "openldap.fullname" .) }}
{{- $namespace := .Release.Namespace }}
{{- $cluster := .Values.replication.clusterName }}
{{- $nodeCount := .Values.replicaCount | int }}
{{- range $index0 := until $nodeCount -}}
{{- $index1 := $index0 | add1 -}}
'ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}'{{ if ne $index1 $nodeCount }},{{ end }}
{{- end -}}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
{{ include "openldap.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "openldap.tplValue" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

23
opencloud/charts/openldap/templates/configmap-customldif.yaml Normal file
View File

@@ -0,0 +1,23 @@
#
# A ConfigMap spec for openldap slapd that map directly to files under
# /container/service/slapd/assets/config/bootstrap/ldif/custom
#
{{- if .Values.customLdifFiles }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openldap.fullname" . }}-customldif
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{- range $key, $val := .Values.customLdifFiles }}
{{ $key }}: |-
{{ $val | indent 4}}
{{- end }}
{{- end }}

26
opencloud/charts/openldap/templates/configmap-env.yaml Normal file
View File

@@ -0,0 +1,26 @@
#
# A ConfigMap spec for openldap slapd that map directly to env variables in the Pod.
# List of environment variables supported is from the docker image:
# https://github.com/osixia/docker-openldap#beginner-guide
# Note that passwords are defined as secrets
#
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openldap.fullname" . }}-env
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{ toYaml .Values.env | indent 2 }}
{{- if .Values.replication.enabled }}
LDAP_REPLICATION: "true"
LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
LDAP_REPLICATION_DB_SYNCPROV: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval={{.Values.replication.interval }} retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:[{{ template "replicalist" . }}]"
{{- end }}

17
opencloud/charts/openldap/templates/secret-ltb.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{ if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "openldap.fullname" . }}-ltb-passwd
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
type: Opaque
data:
LDAP_ADMIN_PASSWORD: {{ .Values.adminPassword | b64enc | quote }}
{{ end }}

18
opencloud/charts/openldap/templates/secret.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{ if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "openldap.fullname" . }}
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
type: Opaque
data:
LDAP_ADMIN_PASSWORD: {{ .Values.adminPassword | b64enc | quote }}
LDAP_CONFIG_PASSWORD: {{ .Values.configPassword | b64enc | quote }}
{{ end }}

47
opencloud/charts/openldap/templates/service.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
name: {{ template "openldap.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "openldap.fullname" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
ports:
- name: ldap-port
protocol: TCP
port: {{ .Values.service.ldapPort }}
targetPort: ldap-port
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.ldapPortNodePort }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
- name: ssl-ldap-port
protocol: TCP
port: {{ .Values.service.sslLdapPort }}
targetPort: ssl-ldap-port
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.sslLdapPortNodePort }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
selector:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}

153
opencloud/charts/openldap/templates/statefullset.yaml Normal file
View File

@@ -0,0 +1,153 @@
apiVersion: {{ template "statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "openldap.fullname" . }}
labels:
app: {{ template "openldap.fullname" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
{{- if .Values.strategy }}
strategy:
{{ toYaml .Values.strategy | indent 4 }}
{{- end }}
selector:
matchLabels:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}
serviceName: {{ template "openldap.fullname" . }}-headless
template:
metadata:
annotations:
checksum/configmap-env: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }}
{{- if .Values.customLdifFiles}}
checksum/configmap-customldif: {{ include (print $.Template.BasePath "/configmap-customldif.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations}}
{{ toYaml .Values.podAnnotations | indent 8}}
{{- end }}
labels:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- -l
- {{ .Values.logLevel }}
{{- if .Values.customLdifFiles }}
- --copy-service
{{- end }}
ports:
- name: ldap-port
containerPort: 389
- name: ssl-ldap-port
containerPort: 636
envFrom:
- configMapRef:
name: {{ template "openldap.fullname" . }}-env
- secretRef:
name: {{ template "openldap.secretName" . }}
volumeMounts:
- name: data
mountPath: /var/lib/ldap
subPath: data
- name: data
mountPath: /etc/ldap/slapd.d
subPath: config-data
- name: data
mountPath: /container/service/slapd/assets/certs
{{- if .Values.customLdifFiles }}
- name: custom-ldif-files
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
#- name: HOSTNAME
# value: $(POD_NAME).{{ template "openldap.fullname" . }}-headless
{{- if .Values.tls.enabled }}
- name: LDAP_TLS_CRT_FILENAME
value: tls.crt
- name: LDAP_TLS_KEY_FILENAME
value: tls.key
{{- if .Values.tls.CA.enabled }}
- name: LDAP_TLS_CA_CRT_FILENAME
value: ca.crt
{{- end }}
{{- end }}
livenessProbe:
tcpSocket:
port: ldap-port
initialDelaySeconds: 20
periodSeconds: 10
failureThreshold: 10
readinessProbe:
tcpSocket:
port: ldap-port
initialDelaySeconds: 20
periodSeconds: 10
failureThreshold: 10
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app.kubernetes.io/component: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
imagePullSecrets:
- name: {{ .Values.image.pullSecret }}
{{- if .Values.customLdifFiles }}
volumes:
- name: custom-ldif-files
configMap:
name: {{ template "openldap.fullname" . }}-customldif
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: data
annotations:
{{- range $key, $value := .Values.persistence.annotations }}
{{ $key }}: {{ $value }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- else }}
- name: data
emptyDir: {}
{{- end }}

20
opencloud/charts/openldap/templates/svc-headless.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "openldap.fullname" . }}-headless
labels:
app: {{ template "openldap.fullname" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- port: {{ .Values.service.ldapPort }}
name: ldap-port
targetPort: ldap-port
clusterIP: None
selector:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}
type: ClusterIP
sessionAffinity: None

50
opencloud/charts/openldap/templates/tests/openldap-test-runner.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- if .Values.test.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ template "openldap.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test-success
spec:
initContainers:
- name: test-framework
image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}
command:
- "bash"
- "-c"
- |
set -ex
# copy bats to tools dir
cp -R /usr/local/libexec/ /tools/bats/
volumeMounts:
- mountPath: /tools
name: tools
containers:
- name: {{ .Release.Name }}-test
image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}
envFrom:
- secretRef:
name: {{ template "openldap.secretName" . }}
command: ["/tools/bats/bats", "-t", "/tests/run.sh"]
volumeMounts:
- mountPath: /tests
name: tests
readOnly: true
- mountPath: /tools
name: tools
volumes:
- name: tests
configMap:
name: {{ template "openldap.fullname" . }}-tests
- name: tools
emptyDir: {}
restartPolicy: Never
{{- end -}}

22
opencloud/charts/openldap/templates/tests/openldap-tests.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if .Values.test.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openldap.fullname" . }}-tests
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
run.sh: |-
@test "Testing connecting to slapd server" {
# Ideally, this should be in the docker image, but there is not a generic image we can use
# with bats and ldap-utils installed. It is not worth for now to push an image for this.
apt-get update && apt-get install -y ldap-utils
ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
}
{{- end -}}

179
opencloud/charts/openldap/values.yaml Normal file
View File

@@ -0,0 +1,179 @@
# Default values for openldap.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 3
# Define deployment strategy - IMPORTANT: use rollingUpdate: null when use Recreate strategy.
# It prevents from merging with existing map keys which are forbidden.
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
#
# or
#
# type: Recreate
# rollingUpdate: null
image:
# From repository https://github.com/osixia/docker-openldap
repository: osixia/openldap
tag: 1.4.0
pullPolicy: Always
pullSecret: harbor
# Set the container log level
# Valid log levels: none, error, warning, info (default), debug, trace
logLevel: info
# Spcifies an existing secret to be used for admin and config user passwords
existingSecret: ""
# settings for enabling TLS with custom certificate
tls:
enabled: true
secret: "" # The name of a kubernetes.io/tls type secret to use for TLS
CA:
enabled: false
secret: "" # The name of a generic secret to use for custom CA certificate (ca.crt)
## Add additional labels to all resources
extraLabels: {}
## Add additional annotations to pods
podAnnotations: {}
service:
annotations: {}
ldapPort: 389
sslLdapPort: 636
## If service type NodePort, define the value here
#ldapPortNodePort:
#sslLdapPortNodePort:
## List of IP addresses at which the service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
##
externalIPs: []
#loadBalancerIP:
#loadBalancerSourceRanges: []
type: ClusterIP
# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "Example Inc."
LDAP_DOMAIN: "example.org"
LDAP_READONLY_USER: "false"
LDAP_READONLY_USER_USERNAME: "readonly"
LDAP_READONLY_USER_PASSWORD: "readonly"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap.crt"
LDAP_TLS_KEY_FILENAME: "ldap.key"
LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
CONTAINER_LOG_LEVEL: "4"
LDAP_TLS_REQCERT: "never"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
LDAP_TLS_VERIFY_CLIENT: "never"
LDAP_TLS_PROTOCOL_MIN: "3.0"
LDAP_TLS_CIPHER_SUITE: "NORMAL"
# Default Passwords to use, stored as a secret.
# You can override these at install time with
# helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
adminPassword: Not@SecurePassw0rd
configPassword: Not@SecurePassw0rd
# Custom openldap configuration files used to override default settings
# customLdifFiles:
# 01-default-users.ldif: |-
# Predefine users here
replication:
enabled: true
# Enter the name of your cluster, defaults to "cluster.local"
clusterName: "cluster.local"
retry: 60
timeout: 1
interval: 00:00:00:10
starttls: "critical"
tls_reqcert: "never"
## Persist data to a persistent volume
persistence:
enabled: true
## database data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "standard-singlewriter"
accessModes:
- ReadWriteOnce
size: 8Gi
resources: {}
# requests:
# cpu: "100m"
# memory: "256Mi"
# limits:
# cpu: "500m"
# memory: "512Mi"
nodeSelector: {}
tolerations: []
## test container details
test:
enabled: false
image:
repository: dduportal/bats
tag: 0.4.0
ltb-passwd:
enabled : true
ingress:
enabled: true
annotations: {}
path: /
## Ingress Host
hosts:
- "ssl-ldap2.example"
ldap:
server: ldap://openldap
searchBase: dc=example,dc=org
# existingSecret: openldaptest
bindDN: cn=admin,dc=example,dc=org
bindPWKey: LDAP_ADMIN_PASSWORD
phpldapadmin:
enabled: true
ingress:
enabled: true
annotations: {}
path: /
## Ingress Host
hosts:
- phpldapadmin.example
env:
PHPLDAPADMIN_LDAP_HOSTS: openldap
# TODO make it works
# "#PYTHON2BASH:
# [{'openldap.openldap':
# [{'server': [
# {'tls': False},
# {'port':636}
# ]},
# {'login':
# [{'bind_id': 'cn=admin,dc=example,dc=org'}]
# }]
# }]"

132
opencloud/dev-values.yaml
View File

@@ -55,47 +55,99 @@ nats:
storageClassName: kind-sc storageClassName: kind-sc
openldap-stack-ha: openldap:
enabled: true
test:
enabled: false
ltb-passwd:
enabled: false
replicaCount: 1
image:
repository: osixia/openldap
tag: 1.5.0
tls:
enabled: false
env:
LDAP_ORGANISATION: "Example opencloud"
LDAP_DOMAIN: "example.com"
LDAP_BACKEND: "mdb"
LDAP_TLS: "false"
LDAP_TLS_ENFORCE: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
adminPassword: "admin@password"
configPassword: "config@password"
phpldapadmin:
enabled: false enabled: false
global:
ldapDomain: "opencloud.acme.com"
adminUser: "admin"
adminPassword: "acmeOpenCloudAdmin"
configUser: "admin"
configPassword: "acmeOpenCloudConfig"
persistence: persistence:
enabled: true enabled: true
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 20Mi size: 10Mi
storageClass: kind-sc storageClass: kind-sc
ltb-passwd:
enabled : false
env:
LDAP_REQUIRE_TLS: "false"
LDAP_ENABLE_TLS: "yes"
LDAP_TLS_ENFORCE: "false"
phpldapadmin:
enabled: false
replication: replication:
enabled: false enabled: false
replicaCount: 1 customLdifFiles:
01-schema.ldif: |-
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=lastGID,dc=example,dc=com
objectClass: device
objectClass: top
description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group.
cn: lastGID
serialNumber: 2001
dn: cn=lastUID,dc=example,dc=com
objectClass: device
objectClass: top
serialNumber: 2001
description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
cn: lastUID
02-ldapadmin.ldif : |-
dn: cn=ldapadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ldapadmin
memberUid: ldapadmin
gidNumber: 2001
dn: uid=ldapadmin,ou=users,dc=example,dc=com
givenName: ldap
sn: admin
uid: ldapadmin
cn: ldapadmin
mail: ldapadmin@example.com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: ldapadmin
uidNumber: 2001
gidNumber: 2001
loginShell: /bin/bash
homeDirectory: /home/ldapadmin
# ldap user manager configuration
ldapUserManager: ldapUserManager:
enabled: false enabled: true
version: v1.11
env: env:
SERVER_HOSTNAME: "opencloud.acme.com" SERVER_HOSTNAME: "users.example.com"
LDAP_BASE_DN: "dc=opencloud,dc=acme,dc=com" LDAP_BASE_DN: "dc=example,dc=com"
LDAP_REQUIRE_STARTTLS: "false" LDAP_REQUIRE_STARTTLS: "false"
LDAP_ADMINS_GROUP: "ldapadmin" LDAP_ADMINS_GROUP: "ldapadmin"
LDAP_ADMIN_BIND_DN: "cn=admin,dc=opencloud,dc=acme,dc=com" LDAP_ADMIN_BIND_DN: "cn=admin,dc=example,dc=com"
LDAP_ADMIN_BIND_PWD: "acmeOpenCloudAdmin" LDAP_ADMIN_BIND_PWD: "admin@password"
LDAP_IGNORE_CERT_ERRORS: "true" LDAP_IGNORE_CERT_ERRORS: "true"
EMAIL_DOMAIN: "" EMAIL_DOMAIN: ""
NO_HTTPS: "true" NO_HTTPS: "true"
SERVER_PATH: "/users" SERVER_PATH: "/users"
ORGANISATION_NAME: "Opencloud Acme" ORGANISATION_NAME: "Example"
LDAP_USER_OU: "users" LDAP_USER_OU: "users"
LDAP_GROUP_OU: "groups" LDAP_GROUP_OU: "groups"
ACCEPT_WEAK_PASSWORDS: "true" ACCEPT_WEAK_PASSWORDS: "true"
@@ -123,15 +175,37 @@ traefik:
hydra: hydra:
enabled: true enabled: true
maester: maester:
enabled: false enabled: true
hydra: hydra:
dev: true dev: true
config: config:
dsn: memory dsn: memory
urls: urls:
login: http://localhost/auth/login login: http://localhost/authentication/login
consent: http://localhost/auth/consent consent: http://localhost/consent/consent
logout: http://localhost/auth/logout logout: http://localhost/authentication/logout
self: self:
issuer: http://localhost/auth issuer: http://localhost/idp
keto:
enabled: true
ocAuth:
enabled: false
image: oc-auth:latest
authType: hydra
hydra:
adminRole: admin
openCloudOauth2ClientSecretName: oc-auth-got-secret
ldap:
bindDn: "cn=admin,dc=example,dc=com"
binPwd: "password"
baseDn: "dc=example,dc=com"
roleBaseDn: "ou=AppRoles,dc=example,dc=com"
resources:
limits:
cpu: "128m"
memory: "128Mi"
requests:
cpu: "128m"
memory: "256Mi"

113
opencloud/templates/ldapUserManager.yaml Normal file
View File

@@ -0,0 +1,113 @@
{{- if .Values.ldapUserManager.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ldap-user-manager
name: {{ .Release.Name }}-ldap-user-manager
spec:
replicas: 1
selector:
matchLabels:
app: ldap-user-manager
strategy: {}
template:
metadata:
labels:
app: ldap-user-manager
spec:
containers:
- image: wheelybird/ldap-user-manager:v1.8
name: ldap-user-manager
env:
- name: SERVER_HOSTNAME
value: "{{ .Values.ldapUserManager.env.SERVER_HOSTNAME }}"
- name: LDAP_URI
value: "ldap://{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local"
- name: LDAP_BASE_DN
value: "{{ .Values.ldapUserManager.env.LDAP_BASE_DN }}"
- name: LDAP_REQUIRE_STARTTLS
value: "{{ .Values.ldapUserManager.env.LDAP_REQUIRE_STARTTLS }}"
- name: LDAP_ADMINS_GROUP
value: "{{ .Values.ldapUserManager.env.LDAP_ADMINS_GROUP }}"
- name: LDAP_ADMIN_BIND_DN
value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_DN }}"
- name: LDAP_ADMIN_BIND_PWD
value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_PWD }}"
- name: LDAP_IGNORE_CERT_ERRORS
value: "{{ .Values.ldapUserManager.env.LDAP_IGNORE_CERT_ERRORS }}"
- name: NO_HTTPS
value: "{{ .Values.ldapUserManager.env.NO_HTTPS }}"
- name: EMAIL_DOMAIN
value: "{{ .Values.ldapUserManager.env.EMAIL_DOMAIN }}"
- name: ORGANISATION_NAME
value: "{{ .Values.ldapUserManager.env.ORGANISATION_NAME }}"
- name: LDAP_USER_OU
value: "{{ .Values.ldapUserManager.env.LDAP_USER_OU }}"
- name: LDAP_GROUP_OU
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_OU }}"
- name: SERVER_PATH
value: "{{ .Values.ldapUserManager.env.SERVER_PATH }}"
- name: LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES
value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES }}"
- name: LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES
value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES }}"
- name: LDAP_GROUP_ADDITIONAL_OBJECTCLASSES
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_OBJECTCLASSES }}"
- name: LDAP_GROUP_ADDITIONAL_ATTRIBUTES
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_ATTRIBUTES }}"
- name: ACCEPT_WEAK_PASSWORDS
value: "{{ .Values.ldapUserManager.env.ACCEPT_WEAK_PASSWORDS }}"
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-ldap-user-manager-svc
labels:
app: ldap-user-manager-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 80
- name: https
port: 8443
protocol: TCP
targetPort: 443
selector:
app: ldap-user-manager
type: ClusterIP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ldap-user-manager-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/users`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-ldap-user-manager-svc
passHostHeader: true
port: 8080
{{- end }}

80
opencloud/templates/oc-auth/deployment.yaml Normal file
View File

@@ -0,0 +1,80 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-auth
name: {{ .Release.Name }}-oc-auth
spec:
replicas: 1
selector:
matchLabels:
app: oc-auth
strategy: {}
template:
metadata:
labels:
app: oc-auth
spec:
volumes:
- name: public-key-volume
secret:
secretName: public-key-secret
- name: private-key-volume
secret:
secretName: private-key-secret
containers:
- image: "{{ .Values.ocAuth.image }}"
name: oc-auth
volumeMounts:
- name: public-key-volume
mountPath: /keys/public
subPath: public.pem
- name: private-key-volume
mountPath: /keys/private
subPath: private.pem
env:
- name: OCAUTH_ADMIN_ROLE
value: "{{ .Values.ocAuth.hydra }}"
- name: OCAUTH_PUBLIC_KEY_PATH
value: /keys/public/public.pem
- name: OCAUTH_PRIVATE_KEY_PATH
value: /keys/private/private.pem
- name: OCAUTH_CLIENT_SECRET
value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
- name: OCAUTH_AUTH
value: "{{ .Values.ocAuth.authType }}"
- name: OCAUTH_AUTH_CONNECTOR_HOST
value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
- name: OCAUTH_AUTH_CONNECTOR_PORT
value: 4444
- name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
value: 4445
- name: OCAUTH_PERMISSION_CONNECTOR_HOST
value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
- name: OCAUTH_PERMISSION_CONNECTOR_PORT
value: 80
- name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
value: 80
- name: OCAUTH_LDAP_ENDPOINTS
value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
- name: OCAUTH_LDAP_BINDDN
value: "{{ index .Values.ocAuth.ldap.bindDn }}"
- name: OCAUTH_LDAP_BINDPW
value: "{{ index .Values.ocAuth.ldap.binPwd }}"
- name: OCAUTH_LDAP_BASEDN
value: "{{ index .Values.ocAuth.ldap.baseDn }}"
- name: OCAUTH_LDAP_ROLE_BASEDN
value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
{{- end }}

20
opencloud/templates/oc-auth/ingress.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-auth-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`)
priority: 10
services:
- kind: Service
name: oc-auth-svc
passHostHeader: true
port: 8094
middlewares:
- name: forwardauth
{{- end }}

26
opencloud/templates/oc-auth/openCloudOauth2.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: openCloudClient
spec:
clientId: test-client
clientSecret: oc-auth-got-secret
grantTypes:
- implicit
- refresh_token
- authorization_code
- client_credentials
responseTypes:
- id_token
- token
- code
redirectUris:
- https://myapp.example.com/callback
scope: openid profile email roles
tokenEndpointAuthMethod: client_secret_post
postLogoutRedirectUris:
-http://localhost:3000
allowedCorsOrigins:
- http://localhost
{{- end }}

21
opencloud/templates/oc-auth/pem.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if index .Values.ocAuth.enabled }}
# public-key-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: public-key-secret
type: Opaque
data:
public.pem: |
LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
---
# private-key-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: private-key-secret
type: Opaque
data:
private.pem: |
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdzJwZEc2d010dUxjUDArazFMRnZJYjBEUW8vb0hXMnVOSmFFSks3NHBsWHFwNHp0CnoyZFJiK1JRSEZMZUx1cWs0aS96YzNiNEszZktQWFNsd25WUEpDd3pQcm55VDhqWUdPWlZsV2xFVGlWOXhlSmgKdTZzL0JoNmcxUFd6NzVYamp3VjUwaXYvQ0VpTE5CVDIzZi8zSjQ0d3JRenlncU5RQ2lRU0FMZHhXTEFFbDRsNQprSFNhOW9NeVY3MC9VcWw5NC9heU1BUlpzSGdwOVp2cVFLYmtaUHc2eXpWTWZDQnhRb3psTmxvMzE1T0hldnVkCmhuaHBEUmpONUk3eldtcVl0NnJiWEpKQzdZM0l6ZHZ6bjdRSTg4UnFqU1JTVDVJLzdLejNuZENxck9uSStPUVUKRTVOVFJFeVFlYnBodlFmVERUS2xSUFhrZHlrdGRLMkRIMjhaajZaRjN5alF2TjM1UTR6aE96bHE3N2RPNUloaApvcEk3Y3Q4ZFpIMVQxbllrdmR5Q0EvRVZNdFFzQVNtQk9pdEgwWTBBQ29YUUs1S2I2bm0vVGNNLzlaU0pVTmlFCk11eTVnQlozWUtFOW9hNGNwVHBQWHdjQStTL2NVN0hQTm5RQXN2RDNpSmk4R1RXOXVKczg0cG40L1docFFxbVgKZDRydmhLV0VDQ04zZkh5MDFmVXMvVTBQYVNqMmpEWS9rUVZlWG9pa05NelBVamRaZDltODE2VElCaDN2M2FWWApDSC8waVRISEF4Y3R2RGdNUmIyZnB2Ukovd3duWWpGRzlScGFtVkZETXZDOU5mZnVZeldBQTlJUklZNGNxZ2VyCmZIclZaMkhIaVBURER2REFJc3ZJbVhaYy9oN21YTjZtM1JDUTRReXd5OTkzd2Q5Z1VkZ2cvcW55bkhjQ0F3RUEKQVFLQ0FnQlNSYzI5Z01vNWxYbTFEZ3NQb1VSd3ArdGZjc2IrM05halBWdVZOalZwa25LZzZDeVhUYUJ6dzJRWApDS3lTaENlM013a0VhK3BBSXNiNjZNbUEvWEs4Zi85elFVWkxZUHZhUDk5NGNFRlp4VjhXbVNFY3FoUjJ0eDV2CmlxS2ZGRFFpV3VQWElMN1c5ZlBsa1kzK0dXNHRNU2c5TTE1R3NndFl1YWI2dGtENlhlRVJDOGdxa1cxTXJCL2QKNE1kd1BmdktwbXFPM01ZR0RoRmNYckJaVitxQXVkRG5EU0dPZ1BvdVVyT09GcDI4SFZqRTVucUR5dDR2clduQgorSTFzVzhUQVR5YmI2cGhTKzRhM1pRdEZDYjliSWk3YURaaTU5NUVDVERCVU9TNGlicXMyWHBBMVRhbVk3OE5ECi9MeDVvWG14N01pNEorNXdYTjNPYWQ3eXRRdkZPZE90dElMTnBBTUZiTFU1eUtzeGYrRURqQ0JjUjVmYU5BdHUKd0FNSDlUa3pGcG1ocDVOQndRZEFrQ0ZuaHlsYTM2M2xqbWxHQVdQdUcvRDliVlowcXRCZjNOQUY0aEVKL0w0bgp2WVFGRXJkNjR0UGFzQWdXUG93MkxMdnFpM2pUMjMyYURnYWhqMWxYMWVuSG9SNlRiUUU0cjN6eThEZUE3aTBDCmhBOEdGQXZNc3FJY2VlOVhpNHlEOFFGRUgwUHJKaDZ6UDFQV0tYUjRBUVZFeG5GR2FuejBzNk8xR1JxTFBySUsKMzFOaVJUd0lWcDB4YmV0OS9Hc0p4V3hxclRLUHFkNXlKdlVHRzNBNEVMOGUzUmRXUk01dlRIYk5DVkdpOUxoUwozT0lYVjkvWU9RSnRXeHpXVWpGTjNIcGFOdVdIVlNSMTQ5R0FZcFR4ZWgrL1pHb0FRUUtDQVFFQTlSekcwTHJCCi9vblNuemZBWEQ1SXdHVy9qU2I0ZThWTENaLzdXMENpRDFodDIzUTFwQVI0Ym9mU1lYZHgvcmhWaFJ0eSszOHEKR3p1Z0JQY2VqR2VHWXlLSVZpTzFlOFBzcmQ2ZHlkWW9hQTlmWDNZemNaMG9uazl0K3RZTnhWaHN0b2xmSUdnYwpLVzFxd0ROclYxUFAwTi9vUVU0UVB4TG13Y2YvQlNTbDNzZjUzbVZNemNuSGtqQ0Y1U2dFTjFydElBT1VaYU04CkI0dXJTU01aTUxwd21oWEY5ckFVUFhXZ0xTKzBma3JRem9hQlMyWmZxRWNGTnMxbG44c1RCZW9YQXo2a3laZW0KMFRvMW9ZaFRlTitUZzExcXVXaEpLaVRNWW1TR1QzQjduVnQyNW4wQnlwRGt0ZmFVVStMTVk5L0Jld1d3RTZ4eAppWDk3YmxkZ3Y2eTR1d0tDQVFFQXpCaDVJWWEwOXVKVHdyeFkwSUtWZmtYUnAyUys4ZnFoSjVxaEVQeWtDRis0CkpKQktQcDdJQTdyaGNmNXR3M05WcGEvWUUxaDJIMVA1WjRFUWt6Z0VURXhWb3RCbE9ZWU5ta0JrZDlldFVSR3MKb21BUEhwcm52VDdxK2RSL3JjOC9sUXQzWHp2ZWo0UDR6U1JibnpnL3EySzBJMXFzM3ZPd25aeU8zR1hrNmVuaQpRNTlrMHk4em9zS2RkZTdtMVlKK0tBajVNWmMzUGVIVGZiTGFMY2ZYblRTVVg2eHduWCtKczhrcjJQVlArd1NqCnNFeGFrUDZpZU51L1p6RmNZdjZhaVBneVhJV08vNXBqd0x0L0dUcVVQUWNPOVc3Nm0wdzI0bFduWUN4MWl5U3cKYWxybDJpckwycm5sWEppbjdxNEZ0dEhUV2JlSDkwUlZ0MzA1MG04ZGRRS0NBUUVBa2d5bGduWGxaYytsaW0xagoxeExkc3BadC9xTTc2RFAwdERWNVJqUkszQzNxdDVxVTQ3Z3VNbDRId3oreTB2M3ZKekxsM21rMUk2anhma1BwCkZld1JyVHhFVkY5T29nSnFJbWZGU1NDc1R1VHFCUzJmRlpGNVJHczdzdnljay94T09xMjcyc2x1RGxrK0JHd2YKQjVmTytqeVFYV2t3VVFUb0xvc0dyMy9ZdmRnV1VLZTNqZDh2WlRJNGRnVFVEay9GZncvaStuUzdMaHZRNGZGaAo3eUVJT3lmQ0gyMW5nZjkyZzdZckxCMVVNZHIvYTNnQ2czaGQ2UHVXRkJLaXNTRjh1Tmc0eEUzeWZqVGJBL2NCCkZjTFNXTEh2QjY3VithQ1hrQUVwN21ldG9HT0JnM0QxQWtnM254emY0T1FBdVhuNEJWK3NQT3pCY2haZDY2OXcKM0lVRVJRS0NBUUJ4UEU3UWpCV1JPS2N5VHgrVHFDL2JIRStpNlNHTHpmdGxwc1FnVVp1TXpkYXo2cDVXdWUvTgpLZjExS3EycG1DNzN1MlZON25HekZmczFNd1dJT0xjaHdlUnRiZVFMazFXdXRIVkpqSThyZ0h2Z3B4MGNaT09ZCk92VlI0VlZwa0tmOVFKeGRhVEVsUFJwb2J2aXFrU0c2TEF3MzVWSXViTlFiemtYeEFGT09lR1pDRUloM0p5UWwKOUlZNmJXOERIT0J6dys3R1ZkaWZhOURVVjh2M1JINWJTVlhjOHlhVUs3T3gzVGFIckN0UTRSVVVkbmgxSStIdQozalVHd3ZzNExYeDk2LzY5R0pqck5iU010VHBpTy84TkVRSjZwN1ZCUG5yZy9wYmJwQzhmSVI4RUV5U2Q4OHFnCnN5MFBQOTlFYktiYzlQT25QazJnb2ZoUTBwaW5LV0VWQW9JQkFRQzBoOEozbEdTRzlLaTlRSnZBT2RNcW5zU2cKdW9xakkweTZSbWVSN0xwWVgxQVNLTk5JbWpHMWh3THlaOFFnNWhDTmp5U0VxQkFHR2QzTUJOZklDNnd6QkRyVgp6U0pJcnhqdnUrMnNmejFuVUdkWVdqUWZoeDNjVCt5R3FUNk5FUXVwbXN0TnVreGl1MkhEdTc2cGk5NkFYMm1rClRYWVhsdWJJcGZMNTBkV1owd2lqMExpdkg2VFBhdnZqYlJablhOVnRoMXFsWk9VdHVCR3lFd2NYYjRDT3RxUnEKK25QOEFFZ3pLeGJNSkZWeTNQWTVFNUp5akI1ZDFaUFEyT2VZVVZiZkRFRVlxemtvcmpCeUNjTGR2N08xQ0hOcQpWalV5SnNkOEYxdHVDR1B4YmNiZ3lDZUlxZ0RNMUp4TzR6VE1TUCtDODJBcjdWWGtyNlE4aEFzQ2dIUS8KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
{{- end }}

17
opencloud/templates/oc-auth/service.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-auth-svc
labels:
app: oc-auth-svc
spec:
ports:
- name: http
port: 8094
protocol: TCP
targetPort: 8080
selector:
app: oc-auth
type: ClusterIP
{{- end }}

8
opencloud/templates/traefik.yaml
View File

@@ -0,0 +1,8 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: forward-auth
spec:
forwardAuth:
address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward"
trustForwardHeader: true

5
upgrade_development.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/bash
RELEASE_NAME=dev
RELEASE_NAMESPACE=dev
helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml