			7 Commits
	| Author | SHA1 | Date | |
|---|---|---|---|
| 11bdecd80d | |||
| f7ae1165b9 | |||
| ba9a971964 | |||
| 519fb80ee7 | |||
| cde967a404 | |||
| d0118ed095 | |||
| b4edaba6d8 | 
| @@ -2,4 +2,4 @@ | ||||
| RELEASE_NAME=dev | ||||
| RELEASE_NAMESPACE=dev | ||||
|  | ||||
| helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace --install -f opencloud/dev-values.yaml | ||||
| helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml | ||||
|   | ||||
| @@ -5,12 +5,12 @@ type: application | ||||
| version: 0.0.1 | ||||
| appVersion: "0.0.1" | ||||
|  | ||||
| # TODO: ldap, ory hydra, keto | ||||
| # TODO: ory hydra, keto | ||||
| dependencies: | ||||
| - name: openldap-stack-ha | ||||
|   version: "4.3.1" | ||||
|   repository: "https://jp-gouin.github.io/helm-openldap/" | ||||
|   condition: openldap-stack-ha.enabled | ||||
| - name: openldap | ||||
|   repository: https://jp-gouin.github.io/helm-openldap/ | ||||
|   version: "2.0.4" | ||||
|   condition: openldap.enabled   | ||||
| - name: traefik | ||||
|   version: "33.0.0" | ||||
|   repository: "https://helm.traefik.io/traefik" | ||||
| @@ -31,3 +31,7 @@ dependencies: | ||||
|   version: "0.50.2" | ||||
|   repository: "https://k8s.ory.sh/helm/charts" | ||||
|   condition: hydra.enabled | ||||
| - name: keto | ||||
|   version: "0.50.2" | ||||
|   repository: "https://k8s.ory.sh/helm/charts" | ||||
|   condition: keto.enabled | ||||
							
								
								
									
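--- /dev/null
+++ b/opencloud/charts/keto/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/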
							
								
								
									
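--- /dev/null
+++ b/opencloud/charts/keto/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: ory-commons
+  repository: file://../ory-commons
+  version: 0.1.0
+digest: sha256:eec8978215334aad38275f0171681f1200220dccef4762ddeb197679fd287abb
+generated: "2024-06-11T14:47:42.552973+02:00"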
							
								
								
									
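--- /dev/null
+++ b/opencloud/charts/keto/Chart.yaml
@@ -0,0 +1,27 @@
+apiVersion: v2
+appVersion: v0.12.0
+dependencies:
+- alias: ory
+  name: ory-commons
+  repository: file://../ory-commons
+  version: 0.1.0
+description: Access Control Policies as a Server
+home: https://www.ory.sh/keto/
+icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-keto.svg
+keywords:
+- rbac
+- hrbac
+- acl
+- iam
+- api-security
+- security
+maintainers:
+- email: hi@ory.sh
+  name: ORY Team
+  url: https://www.ory.sh/
+name: keto
+sources:
+- https://github.com/ory/keto
+- https://github.com/ory/k8s
+type: application
+version: 0.50.2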
							
								
								
									
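--- /dev/null
+++ b/opencloud/charts/keto/README.md
@@ -0,0 +1,187 @@
+# keto
+
+
+
+Access Control Policies as a Server
+
+**Homepage:** <https://www.ory.sh/keto/>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| ORY Team | <hi@ory.sh> | <https://www.ory.sh/> |
+
+## Source Code
+
+* <https://github.com/ory/keto>
+* <https://github.com/ory/k8s>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../ory-commons | ory(ory-commons) | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
+| deployment.affinity | object | `{}` |  |
+| deployment.annotations | object | `{}` |  |
+| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
+| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO   value: BAR |
+| deployment.automountServiceAccountToken | bool | `true` |  |
+| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Autoscaling for keto deployment |
+| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
+| deployment.customLivenessProbe | object | `{}` |  |
+| deployment.customReadinessProbe | object | `{}` |  |
+| deployment.customStartupProbe | object | `{}` |  |
+| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
+| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. |
+| deployment.extraEnv | list | `[]` | Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl` - name: FOO   value: BAR |
+| deployment.extraInitContainers | object | `{}` | If you want to add extra init containers. These are processed before the migration init container. |
+| deployment.extraLabels | object | `{}` | Extra labels to be added to the deployment, and pods. K8s object format expected foo: bar my.special.label/type: value |
+| deployment.extraPorts | list | `[]` | Extra ports to be exposed by the main deployment |
+| deployment.extraVolumeMounts | list | `[]` | Array of extra VolumeMounts to be added to the deployment. K8s format expected - name: my-volume   mountPath: /etc/secrets/my-secret   readOnly: true |
+| deployment.extraVolumes | list | `[]` | Array of extra Volumes to be added to the deployment. K8s format expected - name: my-volume   secret:     secretName: my-secret |
+| deployment.lifecycle | object | `{}` |  |
+| deployment.minReadySeconds | int | `0` |  |
+| deployment.nodeSelector | object | `{}` |  |
+| deployment.podAnnotations | object | `{}` |  |
+| deployment.podMetadata.annotations | object | `{}` |  |
+| deployment.podMetadata.labels | object | `{}` |  |
+| deployment.podSecurityContext | object | `{}` |  |
+| deployment.readinessProbe.failureThreshold | int | `5` |  |
+| deployment.readinessProbe.initialDelaySeconds | int | `5` |  |
+| deployment.readinessProbe.periodSeconds | int | `10` |  |
+| deployment.resources | object | `{}` |  |
+| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
+| deployment.startupProbe.failureThreshold | int | `5` |  |
+| deployment.startupProbe.initialDelaySeconds | int | `0` |  |
+| deployment.startupProbe.periodSeconds | int | `1` |  |
+| deployment.startupProbe.successThreshold | int | `1` |  |
+| deployment.startupProbe.timeoutSeconds | int | `1` |  |
+| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` |  |
+| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` |  |
+| deployment.strategy.type | string | `"RollingUpdate"` |  |
+| deployment.terminationGracePeriodSeconds | int | `60` |  |
+| deployment.tolerations | list | `[]` |  |
+| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
+| extraServices | object | `{}` |  |
+| fullnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy |
+| image.repository | string | `"oryd/keto"` | Ory KETO image |
+| image.tag | string | `"v0.12.0"` | Ory KETO version |
+| imagePullSecrets | list | `[]` |  |
+| ingress.read.annotations | object | `{}` |  |
+| ingress.read.className | string | `""` |  |
+| ingress.read.enabled | bool | `false` |  |
+| ingress.read.hosts[0].host | string | `"chart-example.local"` |  |
+| ingress.read.hosts[0].paths[0].path | string | `"/read"` |  |
+| ingress.read.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
+| ingress.read.tls | list | `[]` |  |
+| ingress.write.annotations | object | `{}` |  |
+| ingress.write.className | string | `""` |  |
+| ingress.write.enabled | bool | `false` |  |
+| ingress.write.hosts[0].host | string | `"chart-example.local"` |  |
+| ingress.write.hosts[0].paths[0].path | string | `"/write"` |  |
+| ingress.write.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
+| ingress.write.tls | list | `[]` |  |
+| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
+| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
+| job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
+| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO   value: BAR |
+| job.extraInitContainers | string | `""` | If you want to add extra init containers. |
+| job.lifecycle | string | `""` | If you want to add lifecycle hooks. |
+| job.nodeSelector | object | `{}` | Node labels for pod assignment. |
+| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| job.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| job.podMetadata.labels | object | `{}` | Extra pod level labels |
+| job.resources | object | `{}` | Job resources |
+| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
+| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
+| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
+| job.spec.backoffLimit | int | `10` | Set job back off limit |
+| job.tolerations | list | `[]` | Configure node tolerations. |
+| keto.automigration | object | `{"customArgs":[],"customCommand":[],"enabled":false,"resources":{},"type":"job"}` | Enables database migration |
+| keto.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5;   - keto |
+| keto.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) |
+| keto.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer |
+| keto.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job |
+| keto.command | list | `["keto"]` | Ability to override the entrypoint of keto container (e.g. to source dynamic secrets or export environment dynamic variables) |
+| keto.config | object | `{"dsn":"memory","namespaces":[{"id":0,"name":"sample"}],"serve":{"metrics":{"port":4468},"read":{"port":4466},"write":{"port":4467}}}` | Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration |
+| keto.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
+| nameOverride | string | `""` |  |
+| pdb.enabled | bool | `false` |  |
+| pdb.spec.maxUnavailable | string | `""` |  |
+| pdb.spec.minAvailable | string | `""` |  |
+| podSecurityContext.fsGroup | int | `65534` |  |
+| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
+| podSecurityContext.runAsGroup | int | `65534` |  |
+| podSecurityContext.runAsNonRoot | bool | `true` |  |
+| podSecurityContext.runAsUser | int | `65534` |  |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
+| replicaCount | int | `1` | Number of replicas in deployment |
+| secret.enabled | bool | `true` | Switch to false to prevent creating the secret |
+| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
+| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
+| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.privileged | bool | `false` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| securityContext.runAsGroup | int | `65534` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `65534` |  |
+| securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` |  |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| service.metrics.annotations | object | `{}` |  |
+| service.metrics.enabled | bool | `false` |  |
+| service.metrics.loadBalancerIP | string | `""` |  |
+| service.metrics.name | string | `"http-metrics"` |  |
+| service.metrics.port | int | `80` |  |
+| service.metrics.type | string | `"ClusterIP"` |  |
+| service.read.appProtocol | string | `"grpc"` |  |
+| service.read.clusterIP | string | `""` |  |
+| service.read.enabled | bool | `true` |  |
+| service.read.headless.enabled | bool | `true` |  |
+| service.read.loadBalancerIP | string | `""` |  |
+| service.read.name | string | `"grpc-read"` |  |
+| service.read.port | int | `80` |  |
+| service.read.type | string | `"ClusterIP"` |  |
+| service.write.appProtocol | string | `"grpc"` |  |
+| service.write.clusterIP | string | `""` |  |
+| service.write.enabled | bool | `true` |  |
+| service.write.headless.enabled | bool | `true` |  |
+| service.write.loadBalancerIP | string | `""` |  |
+| service.write.name | string | `"grpc-write"` |  |
+| service.write.port | int | `80` |  |
+| service.write.type | string | `"ClusterIP"` |  |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
+| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
+| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
+| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended |
+| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
+| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
+| test.labels | object | `{}` | Provide additional labels to the test pod |
+| watcher.automountServiceAccountToken | bool | `true` |  |
+| watcher.enabled | bool | `false` |  |
+| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` |  |
+| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
+| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
+| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
+| watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
+| watcher.resources | object | `{}` |  |
+| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
+| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)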
							
								
								
									
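--- /dev/null
+++ b/opencloud/charts/keto/charts/ory-commons/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/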
							
								
								
									
									
										6
									
								
								opencloud/charts/keto/charts/ory-commons/Chart.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | ||||
| apiVersion: v2 | ||||
| appVersion: 0.0.0 | ||||
| description: 'Collection of helper function for the Ory Helm environment ' | ||||
| name: ory-commons | ||||
| type: library | ||||
| version: 0.1.0 | ||||
| @@ -0,0 +1,12 @@ | ||||
| {{/* | ||||
| Check if list contains object | ||||
| */}} | ||||
| {{- define "ory.extraEnvContainsEnvName" -}} | ||||
|   {{- $extraEnvs := index . 0 -}} | ||||
|   {{- $envName := index . 1 -}} | ||||
|   {{- range $k, $v := $extraEnvs -}} | ||||
|     {{- if eq $v.name $envName -}} | ||||
|       found | ||||
|     {{- end -}} | ||||
|   {{- end -}} | ||||
| {{- end -}} | ||||
							
								
								
									
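--- /dev/null
+++ b/opencloud/charts/keto/files/watch.sh
@@ -0,0 +1,17 @@
+set -Eeuo pipefail
+set -x
+
+function rollOut() {
+  DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
+  kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
+  kubectl rollout status -n $NAMESPACE ${DEPLOY}
+}
+
+while true; do
+    # After change in the CM the symlink is recreated, so we need to restart the monitor
+    inotifywait --event DELETE_SELF "${WATCH_FILE}" |
+        while read path _ file; do
+           echo "---> $path$file modified"
+           rollOut "${LABEL_SELECTOR}"
+        done
+done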
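Review bot: `rollOut` expands `$NAMESPACE` unquoted on the `kubectl set env` and `kubectl rollout status` lines while the `kubectl get` line above it quotes `"${NAMESPACE}"`; with an empty value the unquoted form lets `-n` consume the deployment name as the namespace, so use `kubectl set env -n "${NAMESPACE}" ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")` and `kubectl rollout status -n "${NAMESPACE}" ${DEPLOY}`. `${DEPLOY}` is presumably left unquoted on purpose so that several deployments matched by the label selector become separate arguments, but when the selector matches nothing `DEPLOY` is empty, `kubectl set env` fails and `set -e` ends the watcher; a guard such as `[ -n "${DEPLOY}" ] || return 0` would make that case explicit. This file looks like the upstream ory keto chart's watcher script, so the fix may belong upstream as well.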
							
								
								
									
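--- /dev/null
+++ b/opencloud/charts/keto/templates/NOTES.txt
@@ -0,0 +1,33 @@
+1. Get the application URL by running these commands:
+{{- if or .Values.ingress.read.enabled .Values.ingress.write.enabled -}}
+  Read endpoint available at: 
+  {{- range $host := .Values.ingress.read.hosts }}
+    {{- range .paths }}
+      http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+    {{- end }}
+  {{- end }}
+  Write endpoint available at: 
+  {{- range $host := .Values.ingress.write.hosts }}
+    {{- range .paths }}
+      http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+    {{- end }}
+ {{- end }}
+{{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }}
+  export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-read)
+  export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+Read endpoint available at: http://$NODE_IP:$NODE_PORT_READ
+Write endpoint available at: http://$NODE_IP:$NODE_PORT_WRITE
+{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.read.type ) }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}-read'
+  export SERVICE_IP_READ=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-read --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  export SERVICE_IP_WRITE=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-write --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  Read endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.read.port }}
+  Write endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.write.port }}
+{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.read.type ) }}
+  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-read {{ .Values.keto.config.serve.read.port }}:80
+  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-write {{ .Values.keto.config.serve.write.port }}:80
+  Read endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.read.port }}
+  Write endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.write.port }}
+{{- end }}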
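Review bot: The NodePort branch assigns `NODE_PORT_READ` twice; the second `export` queries the `-write` service and should set `NODE_PORT_WRITE`, which the "Write endpoint" line below it prints but which is otherwise never defined. The LoadBalancer branch has the same slip, building the write URL from `$SERVICE_IP_READ` instead of `$SERVICE_IP_WRITE`. The `or` conditions that select the LoadBalancer and ClusterIP branches also test `.Values.service.read.type` in both operands, so a release that sets only `service.write.type` never reaches them; the second operand should be `.Values.service.write.type`, as the NodePort branch already does. This file appears to be the upstream ory keto chart's NOTES.txt, so the fix may belong upstream as well.
```gotemplate
{{/* … unchanged: ingress branch … */}}
  export NODE_PORT_WRITE=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)
{{/* … unchanged: NODE_IP export and NodePort endpoint lines … */}}
{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.write.type ) }}
{{/* … unchanged: LoadBalancer note, SERVICE_IP exports and read endpoint line … */}}
  Write endpoint available at: http://$SERVICE_IP_WRITE:{{ .Values.service.write.port }}
{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.write.type ) }}
{{/* … unchanged: port-forward instructions … */}}
```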
							
								
								
									
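--- /dev/null
+++ b/opencloud/charts/keto/templates/_helpers.tpl
@@ -0,0 +1,130 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "keto.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "keto.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create a secret name which can be overridden.
+*/}}
+{{- define "keto.secretname" -}}
+{{- if .Values.secret.nameOverride -}}
+{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{ include "keto.fullname" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "keto.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Generate the dsn value
+*/}}
+{{- define "keto.dsn" -}}
+{{- if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
+dsn-loaded-from-env
+{{- else if not (empty (.Values.keto.config.dsn)) -}}
+{{- .Values.keto.config.dsn }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate the configmap data, redacting secrets
+*/}}
+{{- define "keto.configmap" -}}
+{{- $config := omit .Values.keto.config "dsn" -}}
+{{- tpl (toYaml $config) . -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "keto.labels" -}}
+helm.sh/chart: {{ include "keto.chart" . }}
+{{ include "keto.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if $.Values.watcher.enabled }}
+{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "keto.name" .) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "keto.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "keto.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "keto.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "keto.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account for the Job to use
+*/}}
+{{- define "keto.job.serviceAccountName" -}}
+{{- if .Values.job.serviceAccount.create }}
+{{- printf "%s-job" (default (include "keto.fullname" .) .Values.job.serviceAccount.name) }}
+{{- else }}
+{{- include "keto.serviceAccountName" . }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Checksum annotations generated from configmaps and secrets
+*/}}
+{{- define "keto.annotations.checksum" -}}
+{{- if .Values.configmap.hashSumEnabled }}
+checksum/keto-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+{{- end }}
+{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
+checksum/keto-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+{{- end }}
+{{- end }}
+
+{{/*
+Check the migration type value and fail if unexpected
+*/}}
+{{- define "keto.automigration.typeVerification" -}}
+{{- if and .Values.keto.automigration.enabled  .Values.keto.automigration.type }}
+  {{- if and (ne .Values.keto.automigration.type "initContainer") (ne .Values.keto.automigration.type "job") }}
+    {{- fail "keto.automigration.type must be either 'initContainer' or 'job'" -}}
+  {{- end }}
+{{- end }}
+{{- end }}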
							
								
								
									
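--- a/opencloud/charts/keto/templates/configmap-migrate.yaml
+++ b/opencloud/charts/keto/templates/configmap-migrate.yaml
@@ -0,0 +1,18 @@
+{{- if and  ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "keto.fullname" . }}-migrate
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "keto.labels" . | indent 4 }}
+  annotations:
+    helm.sh/hook-weight: "0"
+    helm.sh/hook: "pre-install, pre-upgrade"
+    helm.sh/hook-delete-policy: "before-hook-creation"
+data:
+  "keto.yaml": |
+    {{- include "keto.configmap" . | nindent 4 }}
+{{- end }}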
							
								
								
									
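--- a/opencloud/charts/keto/templates/configmap.yaml
+++ b/opencloud/charts/keto/templates/configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "keto.fullname" . }}-config
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "keto.labels" . | indent 4 }}
+data:
+  "keto.yaml": |
+    {{- include "keto.configmap" . | nindent 4 }}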
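Review bot: The `keto.configmap` helper this ConfigMap renders strips only the `dsn` key from `.Values.keto.config` (see `omit .Values.keto.config "dsn"` in `_helpers.tpl`), so any other credential a user places under `keto.config` ends up in clear text in a ConfigMap rather than a Secret. A comment above `data:` such as `# only "dsn" is redacted here; put any other credential-bearing setting in a Secret and reference it via extraEnv, not keto.config` would warn operators before they do that. The same caveat applies to the `-migrate` ConfigMap, which reuses the helper.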
							
								
								
									
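--- a/opencloud/charts/keto/templates/deployment-watcher.yaml
+++ b/opencloud/charts/keto/templates/deployment-watcher.yaml
@@ -0,0 +1,75 @@
+{{- if .Values.watcher.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "keto.fullname" . }}-watcher
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- with .Values.deployment.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.deployment.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- with .Values.deployment.labels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.watcher.podMetadata.labels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        {{- with .Values.watcher.podMetadata.annotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
+      serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+      containers:
+        - name: watcher
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
+          image: {{ .Values.watcher.image }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              {{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
+          env:
+            - name: NAMESPACE
+              value: {{ .Release.Namespace | quote }}
+            - name: WATCH_FILE
+              value: {{ .Values.watcher.mountFile | quote }}
+            - name: LABEL_SELECTOR
+              value: '{{ $.Values.watcher.watchLabelKey }}={{ include "keto.name" . }}'
+          resources:
+            {{- toYaml .Values.watcher.resources | nindent 12 }}
+          volumeMounts:
+          {{- with .Values.deployment.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      volumes:
+        {{- if .Values.deployment.extraVolumes }}
+          {{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
+        {{- end }}
+{{- end }}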
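Review bot: The watcher pod has no `imagePullSecrets`, unlike `deployment.yaml` in the same change, so a private `.Values.watcher.image` cannot be pulled; add `{{- with .Values.imagePullSecrets }}` / `imagePullSecrets:` / `{{- toYaml . | nindent 8 }}` under `spec:` as the main deployment does. The service account is named `{{ include "keto.serviceAccountName" . }}-watcher`, and the helper in `_helpers.tpl` returns `default` when `serviceAccount.create` is false and no name is set, so the pod would reference `default-watcher`, which presumably does not exist; creation of the `-watcher` account is not visible in this page, so confirm it is templated elsewhere. Because the container runs `files/watch.sh` through `/bin/bash -c` with `NAMESPACE` and `LABEL_SELECTOR` in its environment, it very likely needs API access; a comment above `command:` naming what the script does with the mounted token would let a reviewer judge the RBAC it requires.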
							
								
								
									
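--- a/opencloud/charts/keto/templates/deployment.yaml
+++ b/opencloud/charts/keto/templates/deployment.yaml
@@ -0,0 +1,232 @@
+{{- $podAnnotations := ternary .Values.deployment.podAnnotations .Values.podAnnotations (not (empty .Values.deployment.podAnnotations )) -}}
+{{- $automountServiceAccountToken := ternary .Values.deployment.automountServiceAccountToken .Values.automountServiceAccountToken (not (empty .Values.deployment.automountServiceAccountToken )) -}}
+{{- $livenessProbe := ternary .Values.deployment.livenessProbe .Values.livenessProbe (not (empty .Values.deployment.livenessProbe )) -}}
+{{- $readinessProbe := ternary .Values.deployment.readinessProbe .Values.readinessProbe (not (empty .Values.deployment.readinessProbe )) -}}
+{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
+{{- $resources := ternary .Values.deployment.resources .Values.resources (not (empty .Values.deployment.resources )) -}}
+{{- $extraInitContainers := ternary .Values.deployment.extraInitContainers .Values.extraInitContainers (not (empty .Values.deployment.extraInitContainers )) -}}
+{{- $extraContainers := ternary .Values.deployment.extraContainers .Values.extraContainers (not (empty .Values.deployment.extraContainers )) -}}
+{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
+{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
+{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
+{{- $nodeSelector := ternary .Values.deployment.nodeSelector .Values.nodeSelector (not (empty .Values.deployment.nodeSelector )) -}}
+{{- $affinity := ternary .Values.deployment.affinity .Values.affinity (not (empty .Values.deployment.affinity )) -}}
+{{- $tolerations := ternary .Values.deployment.tolerations .Values.tolerations (not (empty .Values.deployment.tolerations )) -}}
+{{- $topologySpreadConstraints := ternary .Values.deployment.topologySpreadConstraints .Values.topologySpreadConstraints (not (empty .Values.deployment.topologySpreadConstraints )) -}}
+{{- include "keto.automigration.typeVerification" . -}}
+{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "keto.fullname" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "keto.labels" . | nindent 4 }}
+    {{- with $extraLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.deployment.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  minReadySeconds: {{ .Values.deployment.minReadySeconds }}
+{{- if not $autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+  revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
+  strategy:
+    {{- toYaml .Values.deployment.strategy | nindent 4 }}
+  selector:
+    matchLabels:
+      {{- include "keto.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- include "keto.annotations.checksum" . | indent 8 -}}
+        {{- with $podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with $.Values.deployment.podMetadata.annotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "keto.selectorLabels" . | nindent 8 }}
+        {{- with $extraLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with $.Values.deployment.podMetadata.labels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      initContainers:
+      {{- if $extraInitContainers}}
+        {{- tpl $extraInitContainers . | nindent 8 }}
+      {{- end }}
+      {{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "initContainer" ) }}
+        - name: {{ .Chart.Name }}-automigrate
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.keto.automigration.customCommand }}
+          command: {{- toYaml .Values.keto.automigration.customCommand | nindent 12 }}
+          {{- else }}
+          command: ["keto"]
+          {{- end }}
+          {{- if .Values.keto.automigration.customArgs }}
+          args: {{- toYaml .Values.keto.automigration.customArgs | nindent 12 }}
+          {{- else }}
+          args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
+          {{- end }}
+          volumeMounts:
+            - name: {{ include "keto.name" . }}-config-volume
+              mountPath: /etc/config
+              readOnly: true
+          {{- with $extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          env:
+            {{- if not (empty ( include "keto.dsn" . )) }}
+              {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
+            - name: DSN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "keto.secretname" . }}
+                  key: dsn
+              {{- end }}
+            {{- end }}
+            {{- if $migrationExtraEnv }}
+              {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
+            {{- end }}
+          {{- with .Values.keto.automigration.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- end }}
+      serviceAccountName: {{ include "keto.serviceAccountName" . }}
+      automountServiceAccountToken: {{ $automountServiceAccountToken }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: {{- toYaml .Values.keto.command | nindent 12 }}
+          {{- if .Values.keto.customArgs }}
+          args: {{- toYaml .Values.keto.customArgs | nindent 12 }}
+          {{- else }}
+          args:
+            - serve
+            - --config
+            - /etc/config/keto.yaml
+          {{- end }}
+          ports:
+            - name: {{ .Values.service.read.name }}
+              containerPort: {{ .Values.keto.config.serve.read.port }}
+              protocol: TCP
+            - name: {{ .Values.service.write.name }}
+              containerPort: {{ .Values.keto.config.serve.write.port }}
+              protocol: TCP
+            - name: {{ .Values.service.metrics.name }}
+              containerPort: {{ .Values.keto.config.serve.metrics.port }}
+              protocol: TCP
+            {{- with .Values.deployment.extraPorts }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          lifecycle:
+            {{- toYaml .Values.deployment.lifecycle | nindent 12 }}
+          {{- if .Values.deployment.customLivenessProbe }}
+          livenessProbe:
+            {{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
+          {{- end }}
+          readinessProbe:
+            {{- if .Values.deployment.customReadinessProbe }}
+              {{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
+            {{- else }}
+            httpGet:
+              path: /health/alive
+              port: {{ .Values.keto.config.serve.write.port }}
+              httpHeaders:
+                - name: Host
+                  value: '127.0.0.1'
+          {{- toYaml $readinessProbe | nindent 12 }}
+          {{- end }}
+          startupProbe:
+            {{- if .Values.deployment.customStartupProbe }}
+              {{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
+            {{- else }}
+            httpGet:
+              path: /health/ready
+              port: {{ .Values.keto.config.serve.write.port }}
+              httpHeaders:
+                - name: Host
+                  value: '127.0.0.1'
+            {{- toYaml .Values.deployment.startupProbe | nindent 12 }}
+            {{- end }}
+          resources:
+            {{- toYaml $resources | nindent 12 }}
+          env:
+            {{- if not (empty ( include "keto.dsn" . )) }}
+              {{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
+            - name: DSN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "keto.secretname" . }}
+                  key: dsn
+              {{- end }}
+            {{- end }}
+            {{- if .Values.deployment.extraEnv }}
+              {{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: {{ include "keto.name" . }}-config-volume
+              mountPath: /etc/config
+              readOnly: true
+          {{- with $extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- if $extraContainers }}
+          {{- tpl $extraContainers . | nindent 8 }}
+        {{- end }}
+      volumes:
+        - name: {{ include "keto.name" . }}-config-volume
+          configMap:
+            name: {{ include "keto.fullname" . }}-config
+      {{- with $extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with $nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}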
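Review bot: The default `readinessProbe:` hits `/health/alive` while the default `startupProbe:` hits `/health/ready`; if that is deliberate (readiness gating only on process liveness once startup has verified the backing store), a comment above `readinessProbe:` should say so, because a reader would otherwise expect the readiness check to be the one that confirms the database is reachable and may "fix" it. Independently, `$livenessProbe` is assigned at the top of the file but never referenced — the container only gets a `livenessProbe` when `customLivenessProbe` is set — so either drop the variable or render a default `livenessProbe:` from it the way `$readinessProbe` is used. The image reference is `repository:tag` only, with the tag defaulting to `.Chart.AppVersion`; for the component that answers authorization checks, an optional `.Values.image.digest` (`@sha256:…`) would allow pinning an immutable image, which a mutable tag cannot guarantee.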
							
								
								
									
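--- a/opencloud/charts/keto/templates/hpa.yaml
+++ b/opencloud/charts/keto/templates/hpa.yaml
@@ -0,0 +1,38 @@
+{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
+
+{{- if $autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "keto.fullname" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "keto.labels" . | nindent 4 }}
+spec:
+  {{- with $autoscaling.behavior }}
+  behavior: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "keto.fullname" . }}
+  minReplicas: {{ $autoscaling.minReplicas }}
+  maxReplicas: {{ $autoscaling.maxReplicas }}
+  metrics:
+  {{- with $autoscaling.targetMemory }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        {{- toYaml . | nindent 8 }}
+  {{- end }}
+  {{- with $autoscaling.targetCPU}}
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        {{- toYaml . | nindent 8 }}
+  {{- end }}
+{{- end }}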
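Review bot: When neither `targetCPU` nor `targetMemory` is set, `metrics:` renders as an empty field and the API server applies its own default of 80% average CPU utilization rather than leaving the deployment unscaled, which is easy to miss from this template. A comment above `metrics:` such as `# with no target configured the API server defaults to 80% CPU utilization` would make that explicit; alternatively `fail` when `$autoscaling.enabled` is true and both targets are empty, so the scaling policy is always stated in values.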
							
								
								
									
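--- a/opencloud/charts/keto/templates/ingress-read.yaml
+++ b/opencloud/charts/keto/templates/ingress-read.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.ingress.read.enabled -}}
+{{- $fullName := include "keto.fullname" . -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-read
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "keto.labels" . | nindent 4 }}
+  {{- with .Values.ingress.read.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.read.className }}
+  {{- if .Values.ingress.read.tls }}
+  tls:
+    {{- range .Values.ingress.read.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.read.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if .pathType }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-read
+                port:
+                  name: {{ $.Values.service.read.name }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $.Values.service.read.name }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}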
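Review bot: In the `networking.k8s.io/v1beta1` fallback the backend is `serviceName: {{ $fullName }}`, whereas the v1 branch targets `{{ $fullName }}-read`, so on a pre-1.19 cluster the Ingress would point at a Service that, judging by the v1 branch, is not the read service; change it to `serviceName: {{ $fullName }}-read`. `pathType` is emitted only `{{- if .pathType }}`, but the v1 Ingress API requires it, so a host entry that omits it is rejected at apply time rather than at template time — either default it (`pathType: {{ .pathType | default "Prefix" }}`) or document it as mandatory in the values file. `ingressClassName:` is written unconditionally and becomes a null field when `className` is empty; harmless, but a `{{- with }}` guard would match how `annotations:` is handled above.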
							
								
								
									
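--- a/opencloud/charts/keto/templates/ingress-write.yaml
+++ b/opencloud/charts/keto/templates/ingress-write.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.ingress.write.enabled -}}
+{{- $fullName := include "keto.fullname" . -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-write
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "keto.labels" . | nindent 4 }}
+  {{- with .Values.ingress.write.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.write.className }}
+  {{- if .Values.ingress.write.tls }}
+  tls:
+    {{- range .Values.ingress.write.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.write.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if .pathType }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-write
+                port:
+                  name: {{ $.Values.service.write.name }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $.Values.service.write.name }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}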
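Review bot: Nothing in this template, and nothing else visible in this change, places authentication in front of the keto write API, so once `ingress.write.enabled` is true this Ingress exposes relation-tuple mutation to anyone who can reach the hostname; the values documentation should state that the write Ingress is meant to stay disabled or sit behind an authenticating proxy (e.g. via `ingress.write.annotations`), and the chart default should be `enabled: false`. A comment at the top, `# exposes the unauthenticated write API — keep disabled unless fronted by an auth proxy`, would carry the same warning into the rendered manifest. As in `ingress-read.yaml`, the `v1beta1` fallback points at `serviceName: {{ $fullName }}` while the v1 branch uses `{{ $fullName }}-write`, so the fallback should read `serviceName: {{ $fullName }}-write`, and `pathType` is optional here although the v1 API requires it.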
							
								
								
									
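--- a/opencloud/charts/keto/templates/job-migration.yaml
+++ b/opencloud/charts/keto/templates/job-migration.yaml
@@ -0,0 +1,123 @@
+{{- include "keto.automigration.typeVerification" . -}}
+{{- if and  ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
+{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
+{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
+{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
+{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
+{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "keto.fullname" . }}-automigrate
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "keto.labels" . | nindent 4 }}
+    {{- with $extraLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.job.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  template:
+    metadata:
+      annotations:
+        {{- with .Values.job.annotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.job.podMetadata.annotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        app.kubernetes.io/name: {{ include "keto.fullname" . }}-automigrate
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- with $extraLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.job.podMetadata.labels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "keto.job.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: {{ .Chart.Name }}-automigrate
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.keto.automigration.customCommand }}
+        command: {{- toYaml .Values.keto.automigration.customCommand | nindent 10 }}
+        {{- else }}
+        command: ["keto"]
+        {{- end }}
+        {{- if .Values.keto.automigration.customArgs }}
+        args: {{- toYaml .Values.keto.automigration.customArgs | nindent 10 }}
+        {{- else }}
+        args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
+        {{- end }}
+        {{- if .Values.job.lifecycle }}
+          {{- tpl .Values.job.lifecycle . | nindent 8 }}
+        {{- end }}
+        volumeMounts:
+          - name: {{ include "keto.name" . }}-config-volume
+            mountPath: /etc/config
+            readOnly: true
+        {{- with $extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        env:
+          {{- if not (empty ( include "keto.dsn" . )) }}
+            {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
+          - name: DSN
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "keto.secretname" . }}
+                key: dsn
+            {{- end }}
+          {{- end }}
+          {{- with $migrationExtraEnv }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- with .Values.job.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.securityContext }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        {{- end }}
+      {{- if .Values.job.extraContainers }}
+        {{- tpl .Values.job.extraContainers . | nindent 6 }}
+      {{- end }}
+      {{- if .Values.job.extraInitContainers }}
+      initContainers:
+        {{- tpl .Values.job.extraInitContainers . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      volumes:
+        - name: {{ include "keto.name" . }}-config-volume
+          configMap:
+            name: {{ include "keto.fullname" . }}-migrate
+      {{- with $extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.job.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
+  backoffLimit: {{ .Values.job.spec.backoffLimit }}
+{{- end }}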
							
								
								
									
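--- a/opencloud/charts/keto/templates/job-rbac.yaml
+++ b/opencloud/charts/keto/templates/job-rbac.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.job.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "keto.job.serviceAccountName" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "keto.labels" . | nindent 4 }}
+  {{- with .Values.job.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: false
+{{- end -}}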
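Review bot: `automountServiceAccountToken: false` on the last line is hard-coded, while values.yaml in this same commit declares `job.automountServiceAccountToken` (also false by default); the template never reads that key, so flipping it has no effect at the ServiceAccount level. Hard-coded false is the safe default, so either drop the unused value or render it here with `automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}`; whether the job's pod spec consumes the value instead is outside this view. The `{{- if .Release.Namespace }}` guard is always true under Helm, which sets a release namespace unconditionally, so it is dead but harmless.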
							
								
								
									
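--- a/opencloud/charts/keto/templates/pdb.yaml
+++ b/opencloud/charts/keto/templates/pdb.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.pdb.enabled -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "keto.fullname" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "keto.selectorLabels" . | nindent 6 }}
+  {{- with .Values.pdb.spec.maxUnavailable }}
+  maxUnavailable: {{ . }}
+  {{- end }}
+  {{- with .Values.pdb.spec.minAvailable }}
+  minAvailable: {{ . }}
+  {{- end }}
+{{- end -}}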
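Review bot: The two `with` blocks at the end of the hunk can both render, and a PodDisruptionBudget that sets both `maxUnavailable` and `minAvailable` is rejected by the API server at install time rather than at render time. A guard before `spec:`, `{{- if and .Values.pdb.spec.maxUnavailable .Values.pdb.spec.minAvailable }}{{ fail "pdb.spec: set only one of maxUnavailable or minAvailable" }}{{- end }}`, surfaces the mistake in `helm template`/`helm lint`. Note also that `with` treats `0` as empty, so `maxUnavailable: 0` (a valid setting that forbids voluntary evictions) is silently dropped; if that value should be supported, test presence with `hasKey .Values.pdb.spec "maxUnavailable"` instead of truthiness.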
							
								
								
									
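--- a/opencloud/charts/keto/templates/rbac-watcher.yaml
+++ b/opencloud/charts/keto/templates/rbac-watcher.yaml
@@ -0,0 +1,55 @@
+{{- if .Values.watcher.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "keto.serviceAccountName" . }}-watcher
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
+    app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "keto.fullname" . }}-watcher
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: 
+      - list
+      - watch
+      - get
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    resourceNames:
+      - {{ include "keto.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "keto.fullname" . }}-watcher
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "keto.fullname" . }}-watcher
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "keto.fullname" . }}-watcher
+    namespace: {{ .Release.Namespace }}
+{{- end }}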
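Review bot: The RoleBinding subject at the end of the hunk is named `{{ include "keto.fullname" . }}-watcher`, but the ServiceAccount created at the top of the file is `{{ include "keto.serviceAccountName" . }}-watcher`; whenever those two helpers resolve differently (for example when `serviceAccount.name` is set in values) the binding points at an account that does not exist and the watcher silently runs without the Role's permissions. Use the same helper on both sides, e.g. `name: {{ include "keto.serviceAccountName" . }}-watcher` in `subjects`. The ServiceAccount also sets `automountServiceAccountToken: false`, yet the watcher needs a token to list, watch and patch Deployments, so its pod spec (outside this view) must opt back in with `automountServiceAccountToken: true` or a projected token; a comment on that line saying so would keep a later maintainer from treating the pod-level setting as a mistake. The first rule grants get/list/watch on every Deployment in the namespace while only the second is scoped by `resourceNames`; if the watcher only needs to observe its own Deployment, a comment explaining why the unscoped rule is required (list/watch cannot be narrowed by name) belongs here. Trailing whitespace after `verbs:` in the first rule is cosmetic.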
							
								
								
									
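--- a/opencloud/charts/keto/templates/rbac.yaml
+++ b/opencloud/charts/keto/templates/rbac.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "keto.serviceAccountName" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "keto.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: false
+{{- end }}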
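Review bot: `automountServiceAccountToken: false` on the ServiceAccount is hard-coded, while values.yaml in this commit sets `deployment.automountServiceAccountToken: true`; since the pod-level field overrides the ServiceAccount-level one, the keto pod presumably still gets a token (the deployment template is outside this view) and the `false` here only protects pods that leave the field unset. A comment above the line, `# Pod specs override this; deployment.automountServiceAccountToken governs the keto pod`, would make the layering explicit. Style: this file closes with `{{- end }}` whereas job-rbac.yaml, added in the same commit with an otherwise identical body, closes with `{{- end -}}`; pick one form for both.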
							
								
								
									
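--- a/opencloud/charts/keto/templates/secrets.yaml
+++ b/opencloud/charts/keto/templates/secrets.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.secret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "keto.secretname" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "keto.labels" . | indent 4 }}
+  annotations:
+{{- with .Values.secret.secretAnnotations }}
+  {{- toYaml . | nindent 4 }}
+{{- end }}
+type: Opaque
+data:
+  dsn: {{ include "keto.dsn" . | b64enc | quote }}
+{{- end }}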
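Review bot: `annotations:` is emitted unconditionally while its content sits inside `with .Values.secret.secretAnnotations`, so an empty map renders a bare `annotations:` key with a null value; the other templates in this commit put the key inside the `with`, and this file should match: `{{- with .Values.secret.secretAnnotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}` under `metadata:`. The mix of `indent 4` for labels and `nindent 4` for annotations, plus column-0 template actions under a two-space parent, also reads inconsistently with rbac.yaml. Since this Secret holds the database DSN and values.yaml attaches `helm.sh/resource-policy: "keep"` to it, a header comment noting that the Secret survives `helm uninstall` and must be removed by hand would help operators who rotate credentials.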
							
								
								
									
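--- a/opencloud/charts/keto/templates/service-extraServices.yaml
+++ b/opencloud/charts/keto/templates/service-extraServices.yaml
@@ -0,0 +1,32 @@
+{{- range $ServiceName, $ServiceData := .Values.extraServices }}
+
+{{- if $ServiceData.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" $ }}-{{ $ServiceName }}
+  {{- if $.Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/component: {{ $ServiceName }}
+    {{- include "keto.labels" $ | nindent 4 }}
+spec:
+  type: {{ $ServiceData.type }}
+  {{- if eq $ServiceData.type "LoadBalancer" }}
+  {{- with $ServiceData.loadBalancerIP }}
+  loadBalancerIP: {{ . }}
+  {{- end }}
+  {{- end }}
+  ports:
+    - port: {{ $ServiceData.port }}
+      targetPort: {{ $ServiceData.name }}
+      protocol: TCP
+      name: {{ $ServiceData.name }}
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" $ }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+{{- end }}
+
+{{- end }}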
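Review bot: The `selector:` at the end of the hunk spells out `app.kubernetes.io/name` and `app.kubernetes.io/instance` by hand, while pdb.yaml in this commit uses the `keto.selectorLabels` helper for the same purpose; if that helper ever changes, these Services (and service-metrics.yaml, service-read.yaml and service-write.yaml, which do the same) will select no pods. Replace the two lines with `{{- include "keto.selectorLabels" $ | nindent 4 }}`. `targetPort: {{ $ServiceData.name }}` presumably has to match a named container port in the deployment, which an arbitrary `extraServices` entry will not have; documenting that contract next to `extraServices: {}` in values.yaml would save users a debugging round.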
							
								
								
									
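--- a/opencloud/charts/keto/templates/service-metrics.yaml
+++ b/opencloud/charts/keto/templates/service-metrics.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.service.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" . }}-metrics
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/component: metrics
+    {{- include "keto.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.metrics.type }}
+  {{- if eq .Values.service.metrics.type "LoadBalancer" }}
+  {{- with .Values.service.metrics.loadBalancerIP }}
+  loadBalancerIP: {{ . }}
+  {{- end }}
+  {{- end }}
+  ports:
+    - port: {{ .Values.service.metrics.port }}
+      targetPort: {{ .Values.service.metrics.name }}
+      protocol: TCP
+      name: {{ .Values.service.metrics.name }}
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{ end }}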
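Review bot: `service.metrics.annotations` is declared in values.yaml but never rendered on this Service; in this commit only servicemonitor-metrics.yaml consumes it, so a user who sets annotations for the metrics Service will find them on the ServiceMonitor instead. Either add `{{- with .Values.service.metrics.annotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}` under `metadata:` here, or rename the value to say what it actually decorates. The closing `{{ end }}` lacks the whitespace-trimming dash used in every other template of this commit (`{{- end }}`), which leaves a stray blank line in the rendered manifest.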
							
								
								
									
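--- a/opencloud/charts/keto/templates/service-read.yaml
+++ b/opencloud/charts/keto/templates/service-read.yaml
@@ -0,0 +1,60 @@
+{{- if .Values.service.read.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" . }}-read
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/component: read
+    {{- include "keto.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.read.type }}
+  {{- if eq .Values.service.read.type "LoadBalancer" }}
+  {{- with .Values.service.read.loadBalancerIP }}
+  loadBalancerIP: {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if eq .Values.service.read.type "ClusterIP" }}
+  {{- with .Values.service.read.clusterIP }}
+  clusterIP: {{ . }}
+  {{- end }}
+  {{- end }}
+  ports:
+    - port: {{ .Values.service.read.port }}
+      targetPort: {{ .Values.service.read.name }}
+      protocol: TCP
+      name: {{ .Values.service.read.name }}
+      appProtocol: {{ .Values.service.read.appProtocol }}
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Values.service.read.headless.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" . }}-read-headless
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    service.ory.sh/type: headless
+    app.kubernetes.io/component: read
+    {{- include "keto.labels" . | nindent 4 }}
+spec:
+  type: "ClusterIP"
+  clusterIP: "None"
+  ports:
+    - port: {{ .Values.keto.config.serve.read.port }}
+      targetPort: {{ .Values.service.read.name }}
+      protocol: TCP
+      name: {{ .Values.service.read.name }}
+      appProtocol: {{ .Values.service.read.appProtocol }}
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- end }}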
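Review bot: The headless Service in the second half of the hunk is duplicated almost line for line in service-write.yaml from the same commit; only the component name and the `keto.config.serve.<side>.port` lookup differ, so a named template taking `read`/`write` as its argument would keep the two from drifting. Port handling is also uneven and undocumented: the main Service listens on `service.read.port` (80 by default) while the headless one exposes the container port `keto.config.serve.read.port` (4466); a comment such as `# headless entry intentionally publishes the raw container port for direct pod addressing` would stop someone from "aligning" them. `appProtocol:` is rendered unconditionally and yields a null value when `service.read.appProtocol` is unset; wrapping it as `{{- with .Values.service.read.appProtocol }}` / `appProtocol: {{ . }}` / `{{- end }}` matches how `clusterIP` is handled above.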
							
								
								
									
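--- a/opencloud/charts/keto/templates/service-write.yaml
+++ b/opencloud/charts/keto/templates/service-write.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.service.write.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" . }}-write
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/component: write
+    {{- include "keto.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.write.type }}
+  {{- if eq .Values.service.write.type "LoadBalancer" }}
+  {{- with .Values.service.write.loadBalancerIP }}
+  loadBalancerIP: {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if eq .Values.service.write.type "ClusterIP" }}
+  {{- with .Values.service.write.clusterIP }}
+  clusterIP: {{ . }}
+  {{- end }}
+  {{- end }}
+  ports:
+    - port: {{ .Values.service.write.port }}
+      targetPort: {{ .Values.service.write.name }}
+      protocol: TCP
+      name: {{ .Values.service.write.name }}
+      appProtocol: {{ .Values.service.write.appProtocol }}
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Values.service.write.headless.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" . }}-write-headless
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    service.ory.sh/type: headless
+    app.kubernetes.io/component: write
+    {{- include "keto.labels" . | nindent 4 }}
+spec:
+  type: "ClusterIP"
+  clusterIP: "None"
+  ports:
+    - port: {{ .Values.keto.config.serve.write.port }}
+      targetPort: {{ .Values.service.write.name }}
+      protocol: TCP
+      name: {{ .Values.service.write.name }}
+      appProtocol: {{ .Values.service.write.appProtocol }}
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- end }}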
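Review bot: This Service fronts Keto's write API, which performs no authentication of its own, and the template accepts any `service.write.type` (including `LoadBalancer`, with `loadBalancerIP` support) without a word of caution. A header comment here and one on `service.write.type` in values.yaml, along the lines of `# The write API is unauthenticated; keep this ClusterIP unless an authenticating proxy sits in front of it`, is the guard rail an operator needs before changing the default. The file also omits the leading `---` that service-read.yaml emits after its `if`, and duplicates that file's headless block almost verbatim, as noted there.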
							
								
								
									
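--- a/opencloud/charts/keto/templates/servicemonitor-metrics.yaml
+++ b/opencloud/charts/keto/templates/servicemonitor-metrics.yaml
@@ -0,0 +1,36 @@
+{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") (.Values.service.metrics.enabled) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "keto.fullname" . }}-metrics
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/component: metrics
+{{ include "keto.labels" . | indent 4 }}
+  {{- with .Values.serviceMonitor.labels }}
+      {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.service.metrics.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  endpoints:
+  - path: /metrics/prometheus
+    port: {{ .Values.service.metrics.name }}
+    scheme: {{ .Values.serviceMonitor.scheme }}
+    interval: {{ .Values.serviceMonitor.scrapeInterval }}
+    scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+    {{- with .Values.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "keto.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: metrics
+{{- end -}}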
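Review bot: Every `.Values.serviceMonitor.*` reference in the hunk (`labels`, `scheme`, `scrapeInterval`, `scrapeTimeout`, `tlsConfig`) assumes a `serviceMonitor` map exists in values.yaml; the part of values.yaml visible in this commit (through the `deployment` section) does not declare one, and if it is absent Helm aborts with a nil-pointer error as soon as `service.metrics.enabled` is true on a cluster that has the Prometheus Operator CRDs. Confirm the key is defined further down in values.yaml, or give the scalar fields defaults, e.g. `scheme: {{ .Values.serviceMonitor.scheme | default "http" }}`. Separately, `.Capabilities.APIVersions.Has` is false under `helm template` unless `--api-versions` is supplied, so this resource is silently skipped in CI-style rendering; a one-line comment above the `if` saying so will save the next person a confused afternoon.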
							
								
								
									
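--- a/opencloud/charts/keto/templates/tests/test-connection.yaml
+++ b/opencloud/charts/keto/templates/tests/test-connection.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "keto.fullname" . }}-test-connection"
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels: {{- include "keto.labels" . | nindent 4 }}
+    {{- with .Values.test.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    helm.sh/hook: test-success
+spec:
+  containers:
+    - name: wget
+      image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
+      command: ['wget']
+      args: ['{{ include "keto.fullname" . }}-write:{{ .Values.service.write.port }}/health/ready']
+  restartPolicy: Never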
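Review bot: The test Pod declares no `securityContext`, although the chart ships a restrictive container context in values.yaml (drop ALL, non-root, read-only root filesystem, no privilege escalation); in a namespace enforcing the `restricted` Pod Security Standard this Pod is rejected outright and `helm test` fails. Reuse the chart's context on the container, `securityContext: {{- toYaml .Values.securityContext | nindent 8 }}`, and because that context sets `readOnlyRootFilesystem: true`, have wget write to stdout instead of the working directory: `args: ['-O', '-', '{{ include "keto.fullname" . }}-write:{{ .Values.service.write.port }}/health/ready']`. The `helm.sh/hook: test-success` value is the deprecated Helm 2 spelling; Helm 3 documents `test`.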
							
								
								
									
										471
									
								
								opencloud/charts/keto/values.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @@ -0,0 +1,471 @@ | ||||
| # Default values for keto. | ||||
| # This is a YAML-formatted file. | ||||
| # Declare variables to be passed into your templates. | ||||
| # -- Number of replicas in deployment | ||||
| replicaCount: 1 | ||||
|  | ||||
| ## -- Image configuration | ||||
| image: | ||||
|   # -- Ory KETO image | ||||
|   repository: oryd/keto | ||||
|   # -- Default image pull policy | ||||
|   pullPolicy: IfNotPresent | ||||
|   # Overrides the image tag whose default is the chart appVersion. | ||||
|   # -- Ory KETO version | ||||
|   tag: "v0.12.0" | ||||
|  | ||||
| imagePullSecrets: [] | ||||
| nameOverride: "" | ||||
| fullnameOverride: "" | ||||
|  | ||||
| # -- Pod priority | ||||
| # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ | ||||
| priorityClassName: "" | ||||
|  | ||||
| ## -- ServiceAccount | ||||
| serviceAccount: | ||||
|   # -- Specifies whether a service account should be created | ||||
|   create: true | ||||
|   # -- Annotations to add to the service account | ||||
|   annotations: {} | ||||
|   # -- The name of the service account to use. | ||||
|   # If not set and create is true, a name is generated using the fullname template | ||||
|   name: "" | ||||
|  | ||||
| ## -- pod securityContext for hydra & migration init | ||||
| podSecurityContext: | ||||
|   fsGroupChangePolicy: "OnRootMismatch" | ||||
|   runAsNonRoot: true | ||||
|   runAsUser: 65534 | ||||
|   fsGroup: 65534 | ||||
|   runAsGroup: 65534 | ||||
|   seccompProfile: | ||||
|     type: RuntimeDefault | ||||
|  | ||||
| ## -- container securityContext for hydra & migration init | ||||
| securityContext: | ||||
|   capabilities: | ||||
|     drop: | ||||
|       - ALL | ||||
|   seccompProfile: | ||||
|     type: RuntimeDefault | ||||
|   readOnlyRootFilesystem: true | ||||
|   runAsNonRoot: true | ||||
|   runAsUser: 65534 | ||||
|   runAsGroup: 65534 | ||||
|   allowPrivilegeEscalation: false | ||||
|   privileged: false | ||||
|   seLinuxOptions: | ||||
|     level: "s0:c123,c456" | ||||
|  | ||||
| ## -- Values for initialization job | ||||
| job: | ||||
|   # -- If you do want to specify annotations, uncomment the following | ||||
|   # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. | ||||
|   annotations: | ||||
|     helm.sh/hook-weight: "1" | ||||
|     helm.sh/hook: "pre-install, pre-upgrade" | ||||
|     helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded" | ||||
|   # kubernetes.io/ingress.class: nginx | ||||
|   # kubernetes.io/tls-acme: "true" | ||||
|  | ||||
|   # -- If you want to add extra sidecar containers. | ||||
|   extraContainers: "" | ||||
|   # extraContainers: | | ||||
|   #  - name: ... | ||||
|   #    image: ... | ||||
|  | ||||
|   # -- If you want to add extra init containers. | ||||
|   extraInitContainers: "" | ||||
|   # extraInitContainers: | | ||||
|   #  - name: ... | ||||
|   #    image: ... | ||||
|  | ||||
|   # -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format | ||||
|   # is expected. Value is processed with Helm `tpl` | ||||
|   # - name: FOO | ||||
|   #   value: BAR | ||||
|   extraEnv: [] | ||||
|  | ||||
|   # -- Node labels for pod assignment. | ||||
|   nodeSelector: {} | ||||
|   # If you do want to specify node labels, uncomment the following | ||||
|   # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'. | ||||
|   #   foo: bar | ||||
|  | ||||
|   # -- Configure node tolerations. | ||||
|   tolerations: [] | ||||
|  | ||||
|   # -- Job resources | ||||
|   resources: {} | ||||
|  | ||||
|   # -- If you want to add lifecycle hooks. | ||||
|   lifecycle: "" | ||||
|   # lifecycle: | | ||||
|   #   preStop: | ||||
|   #     exec: | ||||
|   #       command: [...] | ||||
|  | ||||
|   # -- Set automounting of the SA token | ||||
|   automountServiceAccountToken: false | ||||
|  | ||||
|   # -- Set sharing process namespace | ||||
|   shareProcessNamespace: false | ||||
|  | ||||
|   # -- Specify the serviceAccountName value. | ||||
|   # In some situations it is needed to provides specific permissions to Hydra deployments | ||||
|   # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. | ||||
|   # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. | ||||
|   serviceAccount: | ||||
|     # -- Specifies whether a service account should be created | ||||
|     create: true | ||||
|     # -- Annotations to add to the service account | ||||
|     annotations: | ||||
|       helm.sh/hook-weight: "0" | ||||
|       helm.sh/hook: "pre-install, pre-upgrade" | ||||
|       helm.sh/hook-delete-policy: "before-hook-creation" | ||||
|     # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ||||
|     name: "" | ||||
|  | ||||
|   # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects | ||||
|   podMetadata: | ||||
|     # -- Extra pod level labels | ||||
|     labels: {} | ||||
|     # -- Extra pod level annotations | ||||
|     annotations: {} | ||||
|  | ||||
|   spec: | ||||
|     # -- Set job back off limit | ||||
|     backoffLimit: 10 | ||||
|  | ||||
| ## -- Ingress definitions | ||||
| ingress: | ||||
|   read: | ||||
|     enabled: false | ||||
|     className: "" | ||||
|     annotations: {} | ||||
|     # kubernetes.io/ingress.class: nginx | ||||
|     # kubernetes.io/tls-acme: "true" | ||||
|     hosts: | ||||
|       - host: chart-example.local | ||||
|         paths: | ||||
|           - path: /read | ||||
|             pathType: Prefix | ||||
|     tls: [] | ||||
|     #  - secretName: chart-example-tls | ||||
|     #    hosts: | ||||
|     #      - chart-example.local | ||||
|   write: | ||||
|     enabled: false | ||||
|     className: "" | ||||
|     annotations: {} | ||||
|     # kubernetes.io/ingress.class: nginx | ||||
|     # kubernetes.io/tls-acme: "true" | ||||
|     hosts: | ||||
|       - host: chart-example.local | ||||
|         paths: | ||||
|           - path: /write | ||||
|             pathType: Prefix | ||||
|     tls: [] | ||||
|     #  - secretName: chart-example-tls | ||||
|     #    hosts: | ||||
|     #      - chart-example.local | ||||
|  | ||||
| ## -- Service configurations | ||||
| service: | ||||
|   ## -- Read service | ||||
|   read: | ||||
|     enabled: true | ||||
|     type: ClusterIP | ||||
|     clusterIP: "" | ||||
|     ## -- The load balancer IP | ||||
|     loadBalancerIP: "" | ||||
|     name: grpc-read | ||||
|     port: 80 | ||||
|     appProtocol: grpc | ||||
|     ## -- Enable extra headless service | ||||
|     headless: | ||||
|       enabled: true | ||||
|   ## -- Write service | ||||
|   write: | ||||
|     enabled: true | ||||
|     type: ClusterIP | ||||
|     clusterIP: "" | ||||
|     ## -- The load balancer IP | ||||
|     loadBalancerIP: "" | ||||
|     name: grpc-write | ||||
|     port: 80 | ||||
|     appProtocol: grpc | ||||
|     ## -- Enable extra headless service | ||||
|     headless: | ||||
|       enabled: true | ||||
|   ## -- Metrics service | ||||
|   metrics: | ||||
|     enabled: false | ||||
|     type: ClusterIP | ||||
|     ## -- The load balancer IP | ||||
|     loadBalancerIP: "" | ||||
|     name: http-metrics | ||||
|     port: 80 | ||||
|     annotations: {} | ||||
|  | ||||
| ## -- Extra services to be deployed | ||||
| extraServices: {} | ||||
|  | ||||
| ## -- Secret management | ||||
| secret: | ||||
|   # -- Switch to false to prevent creating the secret | ||||
|   enabled: true | ||||
|   # -- Provide custom name of existing secret, or custom name of secret to be created | ||||
|   nameOverride: "" | ||||
|   # nameOverride: "myCustomSecret" | ||||
|   # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. | ||||
|   secretAnnotations: | ||||
|     # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade | ||||
|     # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards. | ||||
|     helm.sh/hook-weight: "0" | ||||
|     helm.sh/hook: "pre-install, pre-upgrade" | ||||
|     helm.sh/hook-delete-policy: "before-hook-creation" | ||||
|     helm.sh/resource-policy: "keep" | ||||
|   # -- switch to false to prevent checksum annotations being maintained and propogated to the pods | ||||
|   hashSumEnabled: true | ||||
|  | ||||
| ## -- Main application config. | ||||
| keto: | ||||
|   # -- Ability to override the entrypoint of keto container | ||||
|   # (e.g. to source dynamic secrets or export environment dynamic variables) | ||||
|   command: ["keto"] | ||||
|   # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand | ||||
|   customArgs: [] | ||||
|   # -- Enables database migration | ||||
|   automigration: | ||||
|     enabled: false | ||||
|     # -- Configure the way to execute database migration. Possible values: job, initContainer | ||||
|     # When set to job, the migration will be executed as a job on release or upgrade. | ||||
|     # When set to initContainer, the migration will be executed when kratos pod is created | ||||
|     # Defaults to job | ||||
|     type: job | ||||
|     # -- Ability to override the entrypoint of the automigration container | ||||
|     # (e.g. to source dynamic secrets or export environment dynamic variables) | ||||
|     customCommand: [] | ||||
|     # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand | ||||
|     # eg: | ||||
|     # - sleep 5; | ||||
|     #   - keto | ||||
|     customArgs: [] | ||||
|     # -- resource requests and limits for the automigration initcontainer | ||||
|     resources: {} | ||||
|   # -- Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration | ||||
|   config: | ||||
|     serve: | ||||
|       read: | ||||
|         port: 4466 | ||||
|       write: | ||||
|         port: 4467 | ||||
|       metrics: | ||||
|         port: 4468 | ||||
|     namespaces: | ||||
|       - id: 0 | ||||
|         name: sample | ||||
|     dsn: memory | ||||
|  | ||||
| ## -- Configure the probes for when the deployment is considered ready and ongoing health check | ||||
| deployment: | ||||
|   ## -- Specify pod deployment strategy | ||||
|   strategy: | ||||
|     type: RollingUpdate | ||||
|     rollingUpdate: | ||||
|       maxSurge: "25%" | ||||
|       maxUnavailable: "25%" | ||||
|  | ||||
|   ## -- Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready) | ||||
|   minReadySeconds: 0 | ||||
|  | ||||
|   ## -- DEPRECATED Set custom pod annotations | ||||
|   podAnnotations: {} | ||||
|  | ||||
|   ## -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects | ||||
|   podMetadata: | ||||
|     ## -- Extra pod level labels | ||||
|     labels: {} | ||||
|     ## -- Extra pod level annotations | ||||
|     annotations: {} | ||||
|  | ||||
|   ## -- Set custom security context for pods | ||||
|   podSecurityContext: {} | ||||
|   # fsGroup: 2000 | ||||
|  | ||||
|   # https://github.com/kubernetes/kubernetes/issues/57601 | ||||
|   automountServiceAccountToken: true | ||||
|  | ||||
|   lifecycle: {} | ||||
|   ## -- Default probe timers | ||||
|   readinessProbe: | ||||
|     initialDelaySeconds: 5 | ||||
|     periodSeconds: 10 | ||||
|     failureThreshold: 5 | ||||
|   ## -- Default probe timers | ||||
|   startupProbe: | ||||
|     failureThreshold: 5 | ||||
|     successThreshold: 1 | ||||
|     periodSeconds: 1 | ||||
|     timeoutSeconds: 1 | ||||
|     initialDelaySeconds: 0 | ||||
|   ## -- Configure a custom livenessProbe. This overwrites the default object | ||||
|   customLivenessProbe: {} | ||||
|   ## -- Configure a custom readinessProbe. This overwrites the default object | ||||
|   customReadinessProbe: {} | ||||
|   ## -- Configure a custom startupProbe. This overwrites the default object | ||||
|   customStartupProbe: {} | ||||
|  | ||||
|   ## -- Add custom annotations to the deployment | ||||
|   annotations: {} | ||||
|  | ||||
|   resources: {} | ||||
|   # We usually recommend not to specify default resources and to leave this as a conscious | ||||
|   # choice for the user. This also increases chances charts run on environments with little | ||||
|   # resources, such as Minikube. If you do want to specify resources, uncomment the following | ||||
|   # lines, adjust them as necessary, and remove the curly braces after 'resources:'. | ||||
|   # limits: | ||||
|   #   cpu: 100m | ||||
|   #   memory: 128Mi | ||||
|   # requests: | ||||
|   #   cpu: 100m | ||||
|   #   memory: 128Mi | ||||
|  | ||||
|   # -- Autoscaling for keto deployment | ||||
|   autoscaling: | ||||
|     enabled: false | ||||
|     minReplicas: 1 | ||||
|     maxReplicas: 100 | ||||
|     targetCPU: {} | ||||
|     #   type: Utilization | ||||
|     #   averageUtilization: 80 | ||||
|     targetMemory: {} | ||||
|     #   type: Utilization | ||||
|     #   averageUtilization: 80 | ||||
|     # -- Set custom behavior | ||||
|     # https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior | ||||
|     behavior: {} | ||||
|  | ||||
|   nodeSelector: {} | ||||
|  | ||||
|   # -- If you want to add extra sidecar containers. | ||||
|   extraContainers: "" | ||||
|   # extraContainers: | | ||||
|   #  - name: ... | ||||
|   #    image: ... | ||||
|  | ||||
|   # -- Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl` | ||||
|   # - name: FOO | ||||
|   #   value: BAR | ||||
|   extraEnv: [] | ||||
|  | ||||
|   # -- Array of extra Volumes to be added to the deployment. K8s format expected | ||||
|   # - name: my-volume | ||||
|   #   secret: | ||||
|   #     secretName: my-secret | ||||
|   extraVolumes: [] | ||||
|  | ||||
|   # -- Array of extra VolumeMounts to be added to the deployment. K8s format expected | ||||
|   # - name: my-volume | ||||
|   #   mountPath: /etc/secrets/my-secret | ||||
|   #   readOnly: true | ||||
|   extraVolumeMounts: [] | ||||
|  | ||||
|   # -- If you want to add extra init containers. These are processed before the migration init container. | ||||
|   extraInitContainers: {} | ||||
|   # extraInitContainers: | | ||||
|   #  - name: ... | ||||
|   #    image: ... | ||||
|  | ||||
|   # -- Extra labels to be added to the deployment, and pods. K8s object format expected | ||||
|   # foo: bar | ||||
|   # my.special.label/type: value | ||||
|   extraLabels: {} | ||||
|  | ||||
|   # -- Extra ports to be exposed by the main deployment | ||||
|   extraPorts: [] | ||||
|  | ||||
|   tolerations: [] | ||||
|  | ||||
|   affinity: {} | ||||
|  | ||||
|   # -- Configure pod topologySpreadConstraints. | ||||
|   topologySpreadConstraints: [] | ||||
|   # - maxSkew: 1 | ||||
|   #   topologyKey: topology.kubernetes.io/zone | ||||
|   #   whenUnsatisfiable: DoNotSchedule | ||||
|   #   labelSelector: | ||||
|   #     matchLabels: | ||||
|   #       app.kubernetes.io/name: keto | ||||
|   #       app.kubernetes.io/instance: keto | ||||
|  | ||||
|   # -- Configure pod dnsConfig. | ||||
|   dnsConfig: {} | ||||
|   #   options: | ||||
|   #     - name: "ndots" | ||||
|   #       value: "1" | ||||
|  | ||||
|   # -- Parameters for the automigration initContainer | ||||
|   automigration: | ||||
|     # -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with | ||||
|     # Helm `tpl` | ||||
|     # - name: FOO | ||||
|     #   value: BAR | ||||
|     extraEnv: [] | ||||
|   # -- Number of revisions kept in history | ||||
|   revisionHistoryLimit: 5 | ||||
|   terminationGracePeriodSeconds: 60 | ||||
|  | ||||
| ## -- Watcher sidecar configuration | ||||
| watcher: | ||||
|   enabled: false | ||||
|   image: oryd/k8s-toolbox:v0.0.7 | ||||
|   # -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo | ||||
|   mountFile: "" | ||||
|   # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects | ||||
|   podMetadata: | ||||
|     # -- Extra pod level labels | ||||
|     labels: {} | ||||
|     # -- Extra pod level annotations | ||||
|     annotations: {} | ||||
|   # -- Label key used for managing applications | ||||
|   watchLabelKey: "ory.sh/watcher" | ||||
|   # -- Number of revisions kept in history | ||||
|   revisionHistoryLimit: 5 | ||||
|   automountServiceAccountToken: true | ||||
|   resources: {} | ||||
|  | ||||
| ## -- PodDistributionBudget configuration | ||||
| pdb: | ||||
|   enabled: false | ||||
|   spec: | ||||
|     minAvailable: "" | ||||
|     maxUnavailable: "" | ||||
|  | ||||
| ## -- Parameters for the Prometheus ServiceMonitor objects. | ||||
| # Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html | ||||
| serviceMonitor: | ||||
|   # -- HTTP scheme to use for scraping. | ||||
|   scheme: http | ||||
|   # -- Interval at which metrics should be scraped | ||||
|   scrapeInterval: 60s | ||||
|   # -- Timeout after which the scrape is ended | ||||
|   scrapeTimeout: 30s | ||||
|   # -- Provide additionnal labels to the ServiceMonitor ressource metadata | ||||
|   labels: {} | ||||
|   # -- TLS configuration to use when scraping the endpoint | ||||
|   tlsConfig: {} | ||||
|  | ||||
| configmap: | ||||
|   # -- switch to false to prevent checksum annotations being maintained and propogated to the pods | ||||
|   hashSumEnabled: true | ||||
|  | ||||
| test: | ||||
|   # -- Provide additional labels to the test pod | ||||
|   labels: {} | ||||
|   # -- use a busybox image from another repository | ||||
|   busybox: | ||||
|     repository: busybox | ||||
|     tag: 1 | ||||
										133
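--- a/opencloud/charts/openldap/.argo-workflow.yaml
+++ b/opencloud/charts/openldap/.argo-workflow.yaml
@@ -0,0 +1,133 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+  generateName: openldap-qualif-
+spec:
+  entrypoint: test-deployment
+  arguments:
+    parameters:
+      - name: namespace
+        value: openldap-qualif
+      - name: app
+        value: openldap-qualif
+  # This spec contains two templates: hello-hello-hello and whalesay
+  templates:
+  - name: test-deployment
+    parallelism: 1
+    # Instead of just running a container
+    # This template has a sequence of steps
+    steps:
+    - - name: wait-upgrade            # hello1 is run before the following steps
+        template: wait-upgrade
+        arguments:
+          parameters:
+          - name: time
+            value: 10
+          - name: type
+            value: sts
+    - - name: test-openldap-upgrade           # double dash => run after previous step
+        template: test-openldap-upgrade
+        arguments:
+          parameters:
+          - name: url
+            value: "{{workflow.parameters.app}}.{{workflow.parameters.namespace}}"
+          - name: password
+            value: "Not@SecurePassw0rd"
+          - name: user
+            value: "cn=admin,dc=example,dc=org"
+          - name: occurence
+            value: "{{item}}"
+        withSequence:
+          count: "1"
+    - - name: apply-chaos-test           # double dash => run after previous step
+        template: apply-chaos-test
+    - - name: test-openldap          # double dash => run after previous step
+        template: test-openldap-upgrade
+        arguments:
+          parameters:
+          - name: url
+            value: "{{workflow.parameters.app}}.{{workflow.parameters.namespace}}"
+          - name: password
+            value: "Not@SecurePassw0rd"
+          - name: user
+            value: "cn=admin,dc=example,dc=org"
+          - name: occurence
+            value: "{{item}}"
+        withSequence:
+          count: "60"
+    - - name: cleanup           # double dash => run after previous step
+        template: pause-chaos-test
+
+  # This is the same template as from the previous example
+  - name: wait-upgrade
+    serviceAccountName: argo-workflow-invocator
+    inputs:
+      parameters:
+      - name: time
+      - name: type # type of resources to wait (deployement or sts)
+    script:
+      image: bitnami/kubectl:1.18.13
+      command: [/bin/bash]
+      source: |     
+        sleep {{inputs.parameters.time}}
+        kubectl rollout status -n {{workflow.parameters.namespace}} {{inputs.parameters.type}} {{workflow.parameters.app}}
+  - name: test-openldap-upgrade     
+    serviceAccountName: argo-workflow-invocator  
+    inputs:
+      parameters:
+      - name: url
+      - name: password
+      - name: user
+      - name: occurence
+    script:
+      image: alpine
+      command: [sh]
+      source: |                                         # Contents of the here-script
+         apk add openldap-clients
+         echo "run ldap commands (add, search, modify...)"
+         LDAPTLS_REQCERT=never ldapsearch -x -D '{{inputs.parameters.user}}' -w {{inputs.parameters.password}} -H ldaps://{{inputs.parameters.url}} -b 'dc=example,dc=org'
+         sleep 60
+  - name: apply-chaos-test
+    serviceAccountName: argo-workflow-invocator
+    resource:                   # indicates that this is a resource template
+      action: apply            # can be any kubectl action (e.g. create, delete, apply, patch)
+      manifest: |               #put your kubernetes spec here
+        apiVersion: chaos-mesh.org/v1alpha1
+        kind: PodChaos
+        metadata:
+          name: pod-failure-openldap
+          namespace: openldap-qualif
+          annotations:
+            experiment.chaos-mesh.org/pause: "false"
+        spec:
+          action: pod-failure
+          mode: random-max-percent
+          value: "100"
+          duration: "15s"
+          selector:
+            labelSelectors:
+              "app": "openldap-qualif"
+          scheduler:
+            cron: "@every 2m"
+  - name: pause-chaos-test
+    serviceAccountName: argo-workflow-invocator
+    resource:                   # indicates that this is a resource template
+      action: apply            # can be any kubectl action (e.g. create, delete, apply, patch)
+      manifest: |               #put your kubernetes spec here
+        apiVersion: chaos-mesh.org/v1alpha1
+        kind: PodChaos
+        metadata:
+          name: pod-failure-openldap
+          namespace: openldap-qualif
+          annotations:
+            experiment.chaos-mesh.org/pause: "true"
+        spec:
+          action: pod-failure
+          mode: random-max-percent
+          value: "100"
+          duration: "15s"
+          selector:
+            labelSelectors:
+              "app": "openldap-qualif"
+          scheduler:
+            cron: "@every 2m"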
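Review bot: The LDAP admin password is committed in clear text as a workflow parameter (`value: "Not@SecurePassw0rd"`, in both test steps) and then handed to ldapsearch with `-w`, which puts it on the process command line where it is visible in `ps` and in the logged step arguments; sourcing it from a Kubernetes Secret (an `env` entry with `valueFrom.secretKeyRef` or a mounted file read with `-y <file>`) keeps it out of the repository and the argv. The same script sets `LDAPTLS_REQCERT=never`, so the LDAPS check passes against any certificate and the test says nothing about the TLS setup; mounting the chart's CA and pointing `LDAPTLS_CACERT` at it would make the check meaningful. The `cleanup` step only flips `experiment.chaos-mesh.org/pause` to `"true"` and leaves the `PodChaos` object with its `@every 2m` schedule in the namespace, whereas a `delete` action would actually remove it. Since this file sits under the vendored openldap subchart and `.helmignore` drops `.argo-workflow` from the package, these presumably belong upstream or should be pruned at vendoring time rather than patched here.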
										5
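--- a/opencloud/charts/openldap/.helmignore
+++ b/opencloud/charts/openldap/.helmignore
@@ -0,0 +1,5 @@
+.git
+.github
+.chaos
+.argo-workflow
+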
										24
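--- a/opencloud/charts/openldap/Chart.yaml
+++ b/opencloud/charts/openldap/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+appVersion: 2.4.47
+dependencies:
+- condition: ltb-passwd.enabled
+  name: ltb-passwd
+  repository: ""
+  version: 0.1.x
+- condition: phpldapadmin.enabled
+  name: phpldapadmin
+  repository: ""
+  version: 0.1.x
+description: Community developed LDAP software
+home: https://www.openldap.org
+icon: http://www.openldap.org/images/headers/LDAPworm.gif
+keywords:
+- ldap
+- openldap
+maintainers:
+- email: jp-gouin@hotmail.fr
+  name: Jean-Philippe Gouin
+name: openldap
+sources:
+- https://github.com/kubernetes/charts
+version: 2.0.4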
										167
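--- a/opencloud/charts/openldap/README.md
+++ b/opencloud/charts/openldap/README.md
@@ -0,0 +1,167 @@
+# OpenLDAP Helm Chart
+
+## Prerequisites Details
+* Kubernetes 1.8+
+* PV support on the underlying infrastructure
+
+## Chart Details
+This chart will do the following:
+
+* Instantiate 3 instances of OpenLDAP server with multi-master replication
+* A phpldapadmin to administrate the OpenLDAP server
+* ltb-passwd for self service password
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+$ git clone https://github.com/jp-gouin/helm-openldap.git
+$ cd helm-openldap
+$ helm install openldap .
+```
+
+## Configuration
+
+We use the docker images provided by https://github.com/osixia/docker-openldap. The docker image is highly configurable and well documented. Please consult to documentation for the docker image for more information.
+
+The following table lists the configurable parameters of the openldap chart and their default values.
+
+| Parameter                          | Description                                                                                                                               | Default             |
+| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
+| `replicaCount`                     | Number of replicas                                                                                                                        | `3`                 |
+| `strategy`                         | Deployment strategy                                                                                                                       | `{}`                |
+| `image.repository`                 | Container image repository                                                                                                                | `osixia/openldap`   |
+| `image.tag`                        | Container image tag                                                                                                                       | `1.1.10`            |
+| `image.pullPolicy`                 | Container pull policy                                                                                                                     | `IfNotPresent`      |
+| `extraLabels`                      | Labels to add to the Resources                                                                                                            | `{}`                |
+| `podAnnotations`                   | Annotations to add to the pod                                                                                                             | `{}`                |
+| `existingSecret`                   | Use an existing secret for admin and config user passwords                                                                                | `""`                |
+| `service.annotations`              | Annotations to add to the service                                                                                                         | `{}`                |
+| `service.externalIPs`              | Service external IP addresses                                                                                                             | `[]`                |
+| `service.ldapPort`                 | External service port for LDAP                                                                                                            | `389`               |
+| `service.ldapPortNodePort`                 | Nodeport of External service port for LDAP if service.type is NodePort                                                                                                            | `nil`               |
+| `service.loadBalancerIP`           | IP address to assign to load balancer (if supported)                                                                                      | `""`                |
+| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported)                                                                           | `[]`                |
+| `service.sslLdapPort`              | External service port for SSL+LDAP                                                                                                        | `636`               |
+| `service.sslLdapPortNodePort`                 | Nodeport of External service port for SSL if service.type is NodePort                                                                                                            | `nil`               |
+| `service.type`                     | Service type can be ClusterIP, NodePort, LoadBalancer                                                                                                                              | `ClusterIP`         |
+| `env`                              | List of key value pairs as env variables to be sent to the docker image. See https://github.com/osixia/docker-openldap for available ones | `[see values.yaml]` |
+| `logLevel`                         | Set the container log level. Valid values: `none`, `error`, `warning`, `info`, `debug`, `trace`                                           | `info`              |
+| `tls.enabled`                      | Set to enable TLS/LDAPS with custom certificate - should also set `tls.secret`                                                                                    | `false`             |
+| `tls.secret`                       | Secret containing TLS cert and key (eg, generated via cert-manager)                                                                       | `""`                |
+| `tls.CA.enabled`                   | Set to enable custom CA crt file - should also set `tls.CA.secret`                                                                        | `false`             |
+| `tls.CA.secret`                    | Secret containing CA certificate (ca.crt)                                                                                                 | `""`                |
+| `adminPassword`                    | Password for admin user. Unset to auto-generate the password                                                                              | None                |
+| `configPassword`                   | Password for config user. Unset to auto-generate the password                                                                             | None                |
+| `customLdifFiles`                  | Custom ldif files to seed the LDAP server. List of filename -> data pairs                                                                 | None                |
+| `persistence.enabled`              | Whether to use PersistentVolumes or not                                                                                                   | `false`             |
+| `persistence.storageClass`         | Storage class for PersistentVolumes.                                                                                                      | `<unset>`           |
+| `persistence.accessMode`           | Access mode for PersistentVolumes                                                                                                         | `ReadWriteOnce`     |
+| `persistence.size`                 | PersistentVolumeClaim storage size                                                                                                        | `8Gi`               |
+| `resources`                        | Container resource requests and limits in yaml                                                                                            | `{}`                |
+| `test.enabled`                     | Conditionally provision test resources                                                                                                    | `false`             |
+| `test.image.repository`            | Test container image requires bats framework                                                                                              | `dduportal/bats`    |
+| `test.image.tag`                   | Test container tag                                                                                                                        | `0.4.0`             |
+| `replication.enabled`              | Enable the multi-master replication | `true` |
+| `replication.retry`              | retry period for replication in sec | `60` |
+| `replication.timeout`              | timeout for replication  in sec| `1` |
+| `replication.starttls`              | starttls replication | `critical` |
+| `replication.tls_reqcert`              | tls certificate validation for replication | `never` |
+| `replication.interval`              | interval for replication | `00:00:00:10` |
+| `replication.clusterName`          | Set the clustername for replication | "cluster.local" |
+| `phpldapadmin.enabled`             | Enable the deployment of PhpLdapAdmin | `true`|
+| `phpldapadmin.ingress`             | Ingress of Phpldapadmin | `{}` |
+| `phpldapadmin.env`  | Environment variables for PhpldapAdmin| `{}` |
+|`ltb-passwd.enabled`| Enable the deployment of Ltb-Passwd| `true` |
+|`ltb-passwd.ingress`| Ingress of the Ltb-Passwd service | `{}` |
+|`ltb-passwd.ldap`| Ldap configuration for the Ltb-Passwd service | `{}` |
+|`ltb-passwd.env`| Environment variables for ltp-passwd | `{}` |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```bash
+$ helm install --name my-release -f values.yaml stable/openldap
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+
+## PhpLdapAdmin
+To enable PhpLdapAdmin set `phpldapadmin.enabled`  to `true`
+
+Ingress can be configure if you want to expose the service.
+Setup the env part of the configuration to access the OpenLdap server
+
+**Note** : The ldap host should match the following `namespace.Appfullname`
+
+Example : 
+```
+phpldapadmin:
+  enabled: true
+  ingress:
+    enabled: true
+    annotations: {}
+    path: /
+    ## Ingress Host
+    hosts:
+    - phpldapadmin.local
+  env:
+    PHPLDAPADMIN_LDAP_HOSTS: openldap.openldap
+      
+```
+## Self-service-password
+To enable Self-service-password set `ltb-passwd.enabled`  to `true`
+
+Ingress can be configure if you want to expose the service.
+
+Setup the `ldap` part with the information of the OpenLdap server.
+
+Set `bindDN` accordingly to your ldap domain
+
+**Note** : The ldap server host should match the following `ldap://namespace.Appfullname`
+
+Example : 
+```
+ltb-passwd:
+  enabled : true
+  ingress:
+    enabled: true
+    annotations: {}
+    host: "ssl-ldap2.local"
+  ldap:
+    server: ldap://openldap.openldap
+    searchBase: dc=example,dc=org
+    bindDN: cn=admin,dc=example,dc=org
+    bindPWKey: LDAP_ADMIN_PASSWORD
+   
+```
+
+## Cleanup orphaned Persistent Volumes
+
+Deleting the Deployment will not delete associated Persistent Volumes if persistence is enabled.
+
+Do the following after deleting the chart release to clean up orphaned Persistent Volumes.
+
+```bash
+$ kubectl delete pvc -l release=${RELEASE-NAME}
+```
+
+## Custom Secret
+
+`existingSecret` can be used to override the default secret.yaml provided
+
+## Testing
+
+Helm tests are included and they confirm connection to slapd.
+
+```bash
+helm install . --set test.enabled=true
+helm test <RELEASE_NAME>
+RUNNING: foolish-mouse-openldap-service-test-akmms
+PASSED: foolish-mouse-openldap-service-test-akmms
+```
+
+It will confirm that we can do an ldapsearch with the default credentials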
										22
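--- a/opencloud/charts/openldap/charts/ltb-passwd/.helmignore
+++ b/opencloud/charts/openldap/charts/ltb-passwd/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/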
										5
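--- a/opencloud/charts/openldap/charts/ltb-passwd/Chart.yaml
+++ b/opencloud/charts/openldap/charts/ltb-passwd/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+appVersion: "1.3"
+description: LTB Project Password self service
+name: ltb-passwd
+version: 0.1.0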
										63
								opencloud/charts/openldap/charts/ltb-passwd/README.md
										Normal file
							| @@ -0,0 +1,63 @@ | ||||
| # LTB Password Self Service Helm Chart | ||||
|  | ||||
| This repository contains the helm chart for the LTB password change webapp. | ||||
| It is based on several other projects, namely: | ||||
|  | ||||
| - [LTB Self-Service Password](https://ltb-project.org/documentation/self-service-password) | ||||
| - [LTB Self-Service Password Github Repo](https://github.com/ltb-project/self-service-password) | ||||
| - [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password) | ||||
|  | ||||
| ## Prerequisites | ||||
|  | ||||
| - Kubernetes 1.8+ | ||||
|  | ||||
| ## Chart Details | ||||
|  | ||||
| This chart will do the following: | ||||
|  | ||||
| - Instantiate an instance of the LTB LDAP Self-Service Password webapp. | ||||
|  | ||||
| ## Installing the Chart | ||||
|  | ||||
| To install the chart with the release name `my-release`: | ||||
|  | ||||
| ```bash | ||||
| $ helm install --name my-release $PATH_TO_THIS_REPO | ||||
| ``` | ||||
|  | ||||
| ## Configuration | ||||
|  | ||||
| We use this image as base image, please refer to the documentation for specific options. | ||||
|  | ||||
| - [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password) | ||||
|  | ||||
| Configuration is done within `values.yaml`: | ||||
|  | ||||
| | Parameter                          | Description                                                                                                                               | Default                            | | ||||
| | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | | ||||
| | `ldap.server`                      | LDAP Server URL, should be of the form: `ldap://ldap.svc:389`                                                                             | ` `                                | | ||||
| | `ldap.searchBase`                  | LDAP Search Base for the users                                                                                                            | ` `                                | | ||||
| | `ldap.binduserSecret`              | Name of an **existing** secret to fetch the credentials for the bind user from. Needs keys `BINDDN` and `BINDPW`                          | ` `                                | | ||||
| | `env`                              | List of key value pairs as env variables to be sent to the docker image. See https://github.com/tiredofit/docker-self-service-password for available ones | `[see values.yaml]`| | ||||
| | `replicaCount`                     | Number of replicas                                                                                                                        | `1`                                | | ||||
| | `image.repository`                 | Container image repository                                                                                                                | ` tiredofit/self-service-password` | | ||||
| | `image.tag`                        | Container image tag                                                                                                                       | `latest`                           | | ||||
| | `image.pullPolicy`                 | Container pull policy                                                                                                                     | `Default`                          | | ||||
| | `service.port`                     | External port for the WebApp                                                                                                              | `80`                               | | ||||
| | `service.type`                     | Service type                                                                                                                              | `ClusterIP`                        | | ||||
| | `ingress.enabled`                  | Whether to generate ingress resources                                                                                                     | `false`                            | | ||||
| | `ingress.annotations`              | Annotations to add to the ingress                                                                                                         | `{}`                               | | ||||
| | `ingress.hosts`                    | Hostnames to redirect to the webapp                                                                                                       | `[]`                               | | ||||
| | `ingress.tls`                      | TLS Configuration                                                                                                                         | `[]`                               | | ||||
| | `resources`                        | Container resource requests and limits in yaml                                                                                            | `{}`                               | | ||||
| | `nodeSelector`                     | NodeSelector to run the image on                                                                                                          | `{}`                               | | ||||
| | `tolerations`                      | Tolerations for the service pod                                                                                                           | `[]`                               | | ||||
| | `affinity`                         | Attractions for the service pod                                                                                                           | `{}`                               | | ||||
|  | ||||
| Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. | ||||
|  | ||||
| Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, | ||||
|  | ||||
| ```bash | ||||
| $ helm install --name my-release -f values.yaml $PATH_TO_THIS_REPO | ||||
| ``` | ||||
| @@ -0,0 +1 @@ | ||||
| Happy password changing :) | ||||
| @@ -0,0 +1,51 @@ | ||||
| {{/* vim: set filetype=mustache: */}} | ||||
| {{/* | ||||
| Expand the name of the chart. | ||||
| */}} | ||||
| {{- define "ltb-passwd.name" -}} | ||||
| {{ default .Release.Name .Values.existingSecret }} | ||||
| {{- end -}} | ||||
|  | ||||
| {{/* | ||||
| Create a default fully qualified app name. | ||||
| We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||||
| If release name contains chart name it will be used as a full name. | ||||
| */}} | ||||
| {{- define "ltb-passwd.fullname" -}} | ||||
| {{- if .Values.fullnameOverride -}} | ||||
| {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||||
| {{- else -}} | ||||
| {{- $name := default .Chart.Name .Values.nameOverride -}} | ||||
| {{- if contains $name .Release.Name -}} | ||||
| {{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||||
| {{- else -}} | ||||
| {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||||
| {{- end -}} | ||||
| {{- end -}} | ||||
| {{- end -}} | ||||
|  | ||||
| {{/* | ||||
| Create chart name and version as used by the chart label. | ||||
| */}} | ||||
| {{- define "ltb-passwd.chart" -}} | ||||
| {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||||
| {{- end -}} | ||||
|  | ||||
| {{/* | ||||
| Common labels | ||||
| */}} | ||||
| {{- define "ltb-passwd.labels" -}} | ||||
| app.kubernetes.io/name: {{ include "ltb-passwd.name" . }} | ||||
| helm.sh/chart: {{ include "ltb-passwd.chart" . }} | ||||
| app.kubernetes.io/instance: {{ .Release.Name }} | ||||
| {{- if .Chart.AppVersion }} | ||||
| app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||||
| {{- end }} | ||||
| app.kubernetes.io/managed-by: {{ .Release.Service }} | ||||
| {{- end -}} | ||||
| {{/* | ||||
| Generate chart secret name | ||||
| */}} | ||||
| {{- define "ltb-passwd.secretName" -}} | ||||
| {{ default (include "ltb-passwd.fullname" .) .Values.existingSecret }} | ||||
| {{- end -}} | ||||
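Review bot: `ltb-passwd.name` at the top of the hunk resolves to `.Values.existingSecret` when that value is set and to the release name otherwise, so the `app.kubernetes.io/name` label and, through it, the Deployment's `matchLabels` selector take the name of a Secret rather than the chart name; since a Deployment selector is immutable, setting or changing `existingSecret` after the first install would likely fail the next `helm upgrade`. The comment above it says "Expand the name of the chart", which is what the sibling `phpldapadmin.name` helper later on this page actually does; aligning it as `{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}` would also honour `nameOverride` consistently with `ltb-passwd.fullname`. If this chart is a vendored copy, the fix belongs upstream as well.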
| @@ -0,0 +1,69 @@ | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: {{ include "ltb-passwd.fullname" . }} | ||||
|   labels: | ||||
| {{ include "ltb-passwd.labels" . | indent 4 }} | ||||
| spec: | ||||
|   replicas: {{ default 1 .Values.replicaCount }} | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       app.kubernetes.io/name: {{ include "ltb-passwd.name" . }} | ||||
|       app.kubernetes.io/instance: {{ .Release.Name }} | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         app.kubernetes.io/name: {{ include "ltb-passwd.name" . }} | ||||
|         app.kubernetes.io/instance: {{ .Release.Name }} | ||||
|     spec: | ||||
|     {{- with .Values.imagePullSecrets }} | ||||
|       imagePullSecrets: | ||||
|         {{- toYaml . | nindent 8 }} | ||||
|     {{- end }} | ||||
|       containers: | ||||
|         - name: {{ .Chart.Name }} | ||||
|           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||||
|           imagePullPolicy: {{ .Values.image.pullPolicy }} | ||||
|           env: | ||||
|           - name: LDAP_SERVER | ||||
|             value: {{ .Values.ldap.server | quote }} | ||||
|           - name: LDAP_BINDDN | ||||
|             value: {{ .Values.ldap.bindDN | quote }} | ||||
|           - name: LDAP_BINDPASS | ||||
|             valueFrom: | ||||
|               secretKeyRef: | ||||
|                 name: {{ template "ltb-passwd.secretName" . }} | ||||
|                 key: {{ .Values.ldap.bindPWKey }}  | ||||
|           - name: LDAP_STARTTLS | ||||
|             value: "false" | ||||
|           - name: LDAP_BASE_SEARCH | ||||
|             value: {{ .Values.ldap.searchBase | quote }} | ||||
|           {{- with .Values.env }} | ||||
|           {{- toYaml . | nindent 10 }} | ||||
|           {{- end }} | ||||
|           ports: | ||||
|             - name: http | ||||
|               containerPort: 80 | ||||
|               protocol: TCP | ||||
|           livenessProbe: | ||||
|             httpGet: | ||||
|               path: / | ||||
|               port: http | ||||
|           readinessProbe: | ||||
|             httpGet: | ||||
|               path: / | ||||
|               port: http | ||||
|           resources: | ||||
|             {{- toYaml .Values.resources | nindent 12 }} | ||||
|       {{- with .Values.nodeSelector }} | ||||
|       nodeSelector: | ||||
|         {{- toYaml . | nindent 8 }} | ||||
|       {{- end }} | ||||
|     {{- with .Values.affinity }} | ||||
|       affinity: | ||||
|         {{- toYaml . | nindent 8 }} | ||||
|     {{- end }} | ||||
|     {{- with .Values.tolerations }} | ||||
|       tolerations: | ||||
|         {{- toYaml . | nindent 8 }} | ||||
|     {{- end }} | ||||
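Review bot: `LDAP_STARTTLS` is hard-wired to `"false"` in the env list near the middle of the hunk with no corresponding value, so the bind credential pulled from the Secret via `LDAP_BINDPASS` is sent to the directory in the clear unless `ldap.server` happens to be an `ldaps://` URL; the default in values.yaml is `ldap://openldap.openldap`. Exposing it as a value, e.g. `value: {{ .Values.ldap.startTLS | default false | quote }}` with `ldap.startTLS` documented in values.yaml, lets operators turn it on without forking the template. The `secretKeyRef` points at `ltb-passwd.secretName`, which falls back to the chart fullname when top-level `.Values.existingSecret` is unset, yet no Secret template appears among the files added in this section and the commented example in values.yaml places `existingSecret` under the `ldap:` key, so a default install appears to reference a Secret nobody creates — worth confirming against the full chart. The line `key: {{ .Values.ldap.bindPWKey }}` also carries trailing whitespace.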
| @@ -0,0 +1,38 @@ | ||||
| {{- if .Values.ingress.enabled -}} | ||||
| {{- $fullName := include "ltb-passwd.fullname" . -}} | ||||
| {{- $ingressPath := .Values.ingress.path -}} | ||||
| apiVersion: extensions/v1beta1 | ||||
| kind: Ingress | ||||
| metadata: | ||||
|   name: {{ $fullName }} | ||||
|   labels: | ||||
|     app: {{ template "ltb-passwd.name" . }} | ||||
|     chart: {{ template "ltb-passwd.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
| {{- with .Values.ingress.annotations }} | ||||
|   annotations: | ||||
| {{ toYaml . | indent 4 }} | ||||
| {{- end }} | ||||
| spec: | ||||
| {{- if .Values.ingress.tls }} | ||||
|   tls: | ||||
|   {{- range .Values.ingress.tls }} | ||||
|     - hosts: | ||||
|       {{- range .hosts }} | ||||
|         - {{ . }} | ||||
|       {{- end }} | ||||
|       secretName: {{ .secretName }} | ||||
|   {{- end }} | ||||
| {{- end }} | ||||
|   rules: | ||||
|   {{- range .Values.ingress.hosts }} | ||||
|     - host: {{ . }} | ||||
|       http: | ||||
|         paths: | ||||
|           - path: {{ $ingressPath }} | ||||
|             backend: | ||||
|               serviceName: {{ $fullName }} | ||||
|               servicePort: http | ||||
|   {{- end }} | ||||
| {{- end }} | ||||
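Review bot: `apiVersion: extensions/v1beta1` for the Ingress was removed from Kubernetes in v1.22, so with `ingress.enabled` this template fails to install on any current cluster, and the README's "Kubernetes 1.8+" prerequisite gives no hint of that ceiling. Moving to `networking.k8s.io/v1` also requires `pathType` and the `backend.service` form, which is more than a one-line change. The labels here (`app`/`chart`/`release`/`heritage`) additionally differ from the `app.kubernetes.io/*` set the Deployment and Service hunks above use, so label-based selection across the release is inconsistent.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
# … unchanged: metadata, labels, annotations, tls …
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . }}
      http:
        paths:
          - path: {{ $ingressPath }}
            pathType: Prefix
            backend:
              service:
                name: {{ $fullName }}
                port:
                  name: http
  {{- end }}
```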
| @@ -0,0 +1,19 @@ | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   name: {{ include "ltb-passwd.fullname" . }} | ||||
|   labels: | ||||
|     app.kubernetes.io/name: {{ include "ltb-passwd.name" . }} | ||||
|     helm.sh/chart: {{ include "ltb-passwd.chart" . }} | ||||
|     app.kubernetes.io/instance: {{ .Release.Name }} | ||||
|     app.kubernetes.io/managed-by: {{ .Release.Service }} | ||||
| spec: | ||||
|   type: {{ .Values.service.type }} | ||||
|   ports: | ||||
|     - port: {{ .Values.service.port }} | ||||
|       targetPort: http | ||||
|       protocol: TCP | ||||
|       name: http | ||||
|   selector: | ||||
|     app.kubernetes.io/name: {{ include "ltb-passwd.name" . }} | ||||
|     app.kubernetes.io/instance: {{ .Release.Name }} | ||||
							
								
								
									
								opencloud/charts/openldap/charts/ltb-passwd/values.yaml
									
									
									
									
									
							| @@ -0,0 +1,51 @@ | ||||
| # Default values for ltb-passwd. | ||||
| # This is a YAML-formatted file. | ||||
| # Declare variables to be passed into your templates. | ||||
|  | ||||
| replicaCount: 1 | ||||
|  | ||||
| image: | ||||
|   repository: tiredofit/self-service-password | ||||
|   tag: latest | ||||
|   pullPolicy: Always | ||||
|  | ||||
| imagePullSecrets: [] | ||||
| nameOverride: "" | ||||
| fullnameOverride: "" | ||||
|  | ||||
| service: | ||||
|   type: ClusterIP | ||||
|   port: 80 | ||||
| ingress: | ||||
|   enabled: true | ||||
|   annotations: {} | ||||
|   host: "ssl-ldap.local" | ||||
| ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ | ||||
| ingress: | ||||
|   enabled: false | ||||
|   annotations: {} | ||||
|   path: / | ||||
|   ## Ingress Host | ||||
|   # hosts: | ||||
|   # - ssl-ldap.local | ||||
|   # | ||||
|   tls: [] | ||||
|   # tls: | ||||
|   # - secretName: ssl-ldap-dedicated-tls | ||||
|   #   hosts: | ||||
|   #   - ssl-ldap.local | ||||
| resources: {} | ||||
| nodeSelector: {} | ||||
| tolerations: [] | ||||
| affinity: {} | ||||
| ldap: | ||||
|   server: ldap://openldap.openldap | ||||
|   searchBase: dc=example,dc=org | ||||
|   # existingSecret: ssp-ldap | ||||
|   bindDN: cn=admin,dc=example,dc=org | ||||
|   bindPWKey: BINDPW | ||||
| env: | ||||
| - name: SECRETEKEY | ||||
|   value: "password" | ||||
| - name: LDAP_LOGIN_ATTRIBUTE | ||||
|   value: "cn" | ||||
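Review bot: `ingress:` is defined twice in this file (first with `enabled: true` and a `host:` key, then again with `enabled: false`, `path` and `tls`); YAML mapping keys must be unique, so depending on the parser the first block is silently discarded or the file is rejected, and `host` is not a key the ingress template reads anyway — the first block should be deleted. `env` ships `SECRETEKEY: "password"` as a committed default that the Deployment copies verbatim into the container environment; a value whose name marks it as a secret key should not have a well-known default and belongs in a Secret, or should be left empty so a default install fails loudly. `image.tag: latest` combined with `pullPolicy: Always` turns every pod restart into a potential silent upgrade of the container; pinning a tag or digest keeps deployments reproducible.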
							
								
								
									
								opencloud/charts/openldap/charts/phpldapadmin/Chart.yaml
									
									
									
									
									
							| @@ -0,0 +1,13 @@ | ||||
| apiVersion: v1 | ||||
| appVersion: 0.7.1 | ||||
| description: Web-based LDAP browser to manage your LDAP server | ||||
| home: http://phpldapadmin.sourceforge.net | ||||
| icon: http://phpldapadmin.sourceforge.net/wiki/images/d/d4/Logo.jpg | ||||
| keywords: | ||||
| - phpldapadmin | ||||
| - openldap | ||||
| - userrights | ||||
| maintainers: | ||||
| - name: Jean-Philippe Gouin | ||||
| name: phpldapadmin | ||||
| version: 0.1.2 | ||||
							
								
								
									
								opencloud/charts/openldap/charts/phpldapadmin/README.md
									
									
									
									
									
							| @@ -0,0 +1,107 @@ | ||||
| # Helm Chart for phpLDAPadmin | ||||
|  | ||||
| [](https://circleci.com/gh/cetic/helm-phpLDAPadmin/tree/master) [](https://opensource.org/licenses/Apache-2.0)  | ||||
|  | ||||
| ## Introduction | ||||
|  | ||||
| This [Helm](https://github.com/kubernetes/helm) chart installs [phpLDAPadmin](http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page) in a Kubernetes cluster. | ||||
|  | ||||
| ## Prerequisites | ||||
|  | ||||
| - Kubernetes cluster 1.10+ | ||||
| - Helm 2.8.0+ | ||||
| - PV provisioner support in the underlying infrastructure. | ||||
|  | ||||
| ## Installation | ||||
|  | ||||
| ### Add Helm repository | ||||
|  | ||||
| ```bash | ||||
| helm repo add cetic https://cetic.github.io/helm-charts | ||||
| helm repo update | ||||
| ``` | ||||
|  | ||||
| ### Configure the chart | ||||
|  | ||||
| The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (you need to download the chart first). | ||||
|  | ||||
| #### Configure the way how to expose phpLDAPadmin service: | ||||
|  | ||||
| - **Ingress**: The ingress controller must be installed in the Kubernetes cluster. | ||||
| - **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. | ||||
| - **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. | ||||
| - **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. | ||||
|  | ||||
| #### Configure how to persist data (TODO): | ||||
|  | ||||
| - **Disable**: The data does not survive the termination of a pod. | ||||
| - **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. | ||||
|  | ||||
| ### Install the chart | ||||
|  | ||||
| Install the phpLDAPadmin helm chart with a release name `my-release`: | ||||
|  | ||||
| ```bash | ||||
| helm install --name my-release cetic/phpldapadmin | ||||
| ``` | ||||
|  | ||||
| ## Uninstallation | ||||
|  | ||||
| To uninstall/delete the `my-release` deployment: | ||||
|  | ||||
| ```bash | ||||
| helm delete --purge my-release | ||||
| ``` | ||||
|  | ||||
| ## Configuration | ||||
|  | ||||
| The following table lists the configurable parameters of the phpLDAPadmin chart and the default values. | ||||
|  | ||||
| | Parameter                                                                   | Description                                                                                                        | Default                         | | ||||
| | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------| ------------------------------- | | ||||
| | **ReplicaCount**                                                            | | ||||
| | `replicaCount`                                                              | number of phpLDAPadmin images                                                                                               | `1`      | | ||||
| | **Env**                                                                     | | ||||
| | `env`                                                                       | See values.yaml                                                                                                           | `nil`      | | ||||
| | **Image**                                                                   | | ||||
| | `image.repository`                                                          | phpldapadmin Image name                                                                                                 | `osixia/phpldapadmin`      | | ||||
| | `image.tag`                                                                 | phpldapadmin Image tag                                                                                                  | `0.7.1`                    | | ||||
| | `image.pullPolicy`                                                          | phpldapadmin Image pull policy                                                                                          | `IfNotPresent`             | | ||||
| | **Service**                                                                 | | ||||
| | `service.type`                                                              | Type of service for phpldapadmin frontend                                                                               | `LoadBalancer`             | | ||||
| | `service.port`                                                              | Port to expose service                                                                                             | `80`                            | | ||||
| | `service.loadBalancerIP`                                                    | LoadBalancerIP if service type is `LoadBalancer`                                                                   | `nil`                           | | ||||
| | `service.loadBalancerSourceRanges`                                          | LoadBalancerSourceRanges                                                                                           | `nil`                           | | ||||
| | `service.annotations`                                                       | Service annotations                                                                                                | `{}`                            | | ||||
| | **Ingress**                                                                 | | ||||
| | `ingress.enabled`                                                           | Enables Ingress                                                                                                    | `false`                         | | ||||
| | `ingress.annotations`                                                       | Ingress annotations                                                                                                | `{}`                            | | ||||
| | `ingress.path`                                                              | Path to access frontend                                                                                            | `/`                             | | ||||
| | `ingress.hosts`                                                             | Ingress hosts                                                                                                      | `nil`                           | | ||||
| | `ingress.tls`                                                               | Ingress TLS configuration                                                                                          | `[]`                            | | ||||
| | **ReadinessProbe**                                                          | | ||||
| | `readinessProbe`                                                            | Rediness Probe settings                                                                                            | `{ "httpGet": { "path": "/", "port": http }}`| | ||||
| | **LivenessProbe**                                                           | | ||||
| | `livenessProbe`                                                             | Liveness Probe settings                                                                                            | `{ "httpGet": { "path": "/", "port": http }}`| | ||||
| | **Resources**                                                               | | ||||
| | `resources`                                                                 | CPU/Memory resource requests/limits                                                                                | `{}`                            | | ||||
| | **nodeSelector**                                                            | | ||||
| | `nodeSelector`                                                              | nodeSelector                                                                                                       | `{}`                            | | ||||
| | **tolerations**                                                             | | ||||
| | `tolerations`                                                               | tolerations                                                                                                        | `{}`                            | | ||||
| | **affinity**                                                                | | ||||
| | `affinity`                                                                  | affinity                                                                                                           | `{}`                            | | ||||
|  | ||||
| ## Credits | ||||
|  | ||||
| Initially inspired from https://github.com/gengen1988/helm-phpldapadmin. | ||||
|  | ||||
| ## Contributing | ||||
|  | ||||
| Feel free to contribute by making a [pull request](https://github.com/cetic/helm-phpLDAPadmin/pull/new/master). | ||||
|  | ||||
| Please read the official [Contribution Guide](https://github.com/helm/charts/blob/master/CONTRIBUTING.md) from Helm for more information on how you can contribute to this Chart. | ||||
|  | ||||
| ## License | ||||
|  | ||||
| [Apache License 2.0](/LICENSE) | ||||
							
								
								
									
								opencloud/charts/openldap/charts/phpldapadmin/publish.sh
									
									
									
									
									
							| @@ -0,0 +1,84 @@ | ||||
| #!/bin/sh | ||||
| set -e | ||||
| set -o pipefail | ||||
|  | ||||
| WORKING_DIRECTORY="$PWD" | ||||
|  | ||||
| [ "$GITHUB_PAGES_REPO" ] || { | ||||
|   echo "ERROR: Environment variable GITHUB_PAGES_REPO is required" | ||||
|   exit 1 | ||||
| } | ||||
| [ "$HELM_CHART" ] || { | ||||
|   echo "ERROR: Environment variable HELM_CHART is required" | ||||
|   exit 1 | ||||
| } | ||||
| [ -z "$GITHUB_PAGES_BRANCH" ] && GITHUB_PAGES_BRANCH=gh-pages | ||||
| [ -z "$HELM_CHARTS_SOURCE" ] && HELM_CHARTS_SOURCE="$WORKING_DIRECTORY/$HELM_CHART" | ||||
| [ -d "$WORKING_DIRECTORY" ] || { | ||||
|   echo "ERROR: Could not find Helm charts in $WORKING_DIRECTORY" | ||||
|   exit 1 | ||||
| } | ||||
| [ -z "$HELM_VERSION" ] && HELM_VERSION=2.8.1 | ||||
| [ "$CIRCLE_BRANCH" ] || { | ||||
|   echo "ERROR: Environment variable CIRCLE_BRANCH is required" | ||||
|   exit 1 | ||||
| } | ||||
|  | ||||
| echo "GITHUB_PAGES_REPO=$GITHUB_PAGES_REPO" | ||||
| echo "GITHUB_PAGES_BRANCH=$GITHUB_PAGES_BRANCH" | ||||
| echo "HELM_CHARTS_SOURCE=$HELM_CHARTS_SOURCE" | ||||
| echo "HELM_VERSION=$HELM_VERSION" | ||||
| echo "CIRCLE_BRANCH=$CIRCLE_BRANCH" | ||||
|  | ||||
| echo ">>> Create Chart Directory" | ||||
|  | ||||
| mkdir -p $HELM_CHARTS_SOURCE/ | ||||
| mkdir -p /tmp/helm-tmp/ | ||||
|  | ||||
| mv $WORKING_DIRECTORY/* /tmp/helm-tmp/ | ||||
| mv /tmp/helm-tmp/ $HELM_CHARTS_SOURCE/ | ||||
|  | ||||
| echo '>> Prepare...' | ||||
| mkdir -p /tmp/helm/bin | ||||
| mkdir -p /tmp/helm/publish | ||||
| apk update | ||||
| apk add ca-certificates git openssh | ||||
|  | ||||
| echo '>> Installing Helm...' | ||||
| cd /tmp/helm/bin | ||||
| wget "https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | ||||
| tar -zxf "helm-v${HELM_VERSION}-linux-amd64.tar.gz" | ||||
| chmod +x linux-amd64/helm | ||||
| alias helm=/tmp/helm/bin/linux-amd64/helm | ||||
| helm version -c | ||||
| helm init -c | ||||
|  | ||||
| echo ">> Checking out $GITHUB_PAGES_BRANCH branch from $GITHUB_PAGES_REPO" | ||||
| cd /tmp/helm/publish | ||||
| mkdir -p "$HOME/.ssh" | ||||
| ssh-keyscan -H github.com >> "$HOME/.ssh/known_hosts" | ||||
| git clone -b "$GITHUB_PAGES_BRANCH" "git@github.com:$GITHUB_PAGES_REPO.git" . | ||||
|  | ||||
| echo '>> Building chart...' | ||||
| echo ">>> helm lint $HELM_CHARTS_SOURCE" | ||||
| helm lint "$HELM_CHARTS_SOURCE" | ||||
| echo ">>> helm package -d $HELM_CHART $HELM_CHARTS_SOURCE" | ||||
| mkdir -p "$HELM_CHART" | ||||
| helm package -d "$HELM_CHART" "$HELM_CHARTS_SOURCE" | ||||
|  | ||||
| echo '>>> helm repo index' | ||||
| helm repo index . | ||||
|  | ||||
| if [ "$CIRCLE_BRANCH" != "master" ]; then | ||||
|   echo "Current branch is not master and do not publish" | ||||
|   exit 0 | ||||
| fi | ||||
|  | ||||
| echo ">> Publishing to $GITHUB_PAGES_BRANCH branch of $GITHUB_PAGES_REPO" | ||||
| git config user.email "$CIRCLE_USERNAME@users.noreply.github.com" | ||||
| git config user.name CircleCI | ||||
| git add . | ||||
| git status | ||||
| git commit -m "Published by CircleCI $CIRCLE_BUILD_URL" | ||||
| git push origin "$GITHUB_PAGES_BRANCH" | ||||
|  | ||||
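Review bot: The Helm tarball fetched with `wget` is extracted and executed without any integrity check, so the publishing pipeline trusts whatever the download host returns; pin the expected digest, e.g. `HELM_SHA256=<expected-sha256-for-the-pinned-version>` and `echo "$HELM_SHA256  helm-v${HELM_VERSION}-linux-amd64.tar.gz" | sha256sum -c -` before the `tar` line. The script is `#!/bin/sh` but uses `set -o pipefail`, which is not POSIX and is rejected by dash, so behaviour depends on which shell `/bin/sh` resolves to; `alias helm=…` is likewise only expanded by some shells in non-interactive scripts, and a `HELM=/tmp/helm/bin/linux-amd64/helm` variable or a symlink into `PATH` is the portable form. `ssh-keyscan -H github.com >> known_hosts` accepts whatever host key is presented at run time; appending GitHub's published host key instead would pin it. `mv $WORKING_DIRECTORY/*` and the two `mkdir -p` lines before it leave their variables unquoted while the rest of the script quotes them.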
| @@ -0,0 +1,26 @@ | ||||
| 1. Get the application URL by running these commands: | ||||
| {{- if .Values.ingress.enabled }} | ||||
| {{- range .Values.ingress.hosts }} | ||||
|   You should be able to access your new phpLDAPadmin installation through | ||||
|   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} | ||||
|  | ||||
|   Find out your cluster ip address by running: | ||||
|   $ kubectl cluster-info | ||||
|  | ||||
| {{- end }} | ||||
| {{- else if contains "NodePort" .Values.service.type }} | ||||
|   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "phpldapadmin.fullname" . }}) | ||||
|   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") | ||||
|   echo http://$NODE_IP:$NODE_PORT | ||||
| {{- else if contains "LoadBalancer" .Values.service.type }} | ||||
|      NOTE: It may take a few minutes for the LoadBalancer IP to be available. | ||||
|            You can watch the status of by running 'kubectl get svc -w {{ template "phpldapadmin.fullname" . }}' | ||||
|   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "phpldapadmin.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') | ||||
|   echo http://$SERVICE_IP:{{ .Values.service.port }} | ||||
| {{- else if contains "ClusterIP" .Values.service.type }} | ||||
|   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "phpldapadmin.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") | ||||
|   echo "Visit http://127.0.0.1:8080 to use your application" | ||||
|   kubectl port-forward $POD_NAME 8080:80 | ||||
| {{- end }} | ||||
|  | ||||
| ** Please be patient while the chart is being deployed ** | ||||
| @@ -0,0 +1,32 @@ | ||||
| {{/* vim: set filetype=mustache: */}} | ||||
| {{/* | ||||
| Expand the name of the chart. | ||||
| */}} | ||||
| {{- define "phpldapadmin.name" -}} | ||||
| {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||||
| {{- end -}} | ||||
|  | ||||
| {{/* | ||||
| Create a default fully qualified app name. | ||||
| We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||||
| If release name contains chart name it will be used as a full name. | ||||
| */}} | ||||
| {{- define "phpldapadmin.fullname" -}} | ||||
| {{- if .Values.fullnameOverride -}} | ||||
| {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||||
| {{- else -}} | ||||
| {{- $name := default .Chart.Name .Values.nameOverride -}} | ||||
| {{- if contains $name .Release.Name -}} | ||||
| {{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||||
| {{- else -}} | ||||
| {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||||
| {{- end -}} | ||||
| {{- end -}} | ||||
| {{- end -}} | ||||
|  | ||||
| {{/* | ||||
| Create chart name and version as used by the chart label. | ||||
| */}} | ||||
| {{- define "phpldapadmin.chart" -}} | ||||
| {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||||
| {{- end -}} | ||||
| @@ -0,0 +1,14 @@ | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: {{ template "phpldapadmin.fullname" . }} | ||||
|   labels: | ||||
|     app: {{ template "phpldapadmin.name" . }} | ||||
|     chart: {{ template "phpldapadmin.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
| {{- if .Values.extraLabels }} | ||||
| {{ toYaml .Values.extraLabels | indent 4 }} | ||||
| {{- end }} | ||||
| data: | ||||
| {{ toYaml .Values.env | indent 2 }} | ||||
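Review bot: `data: {{ toYaml .Values.env | indent 2 }}` renders the values map as-is, but ConfigMap `data` values must be strings; any non-string entry in `env` (a bare `true`, a port number) renders unquoted and the API server rejects the object at install time. Iterating and quoting avoids that: `{{- range $k, $v := .Values.env }}`, `  {{ $k }}: {{ $v | quote }}`, `{{- end }}`. Because the Deployment hunk that follows consumes this object through `envFrom`, everything placed in `env` — including any bind credential an operator adds — lands in a ConfigMap rather than a Secret; that limitation deserves a comment next to `env` in values.yaml, or a parallel Secret for sensitive keys.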
| @@ -0,0 +1,52 @@ | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
|  | ||||
| metadata: | ||||
|   name: {{ template "phpldapadmin.fullname" . }} | ||||
|   labels: | ||||
|     app: {{ template "phpldapadmin.name" . }} | ||||
|     chart: {{ template "phpldapadmin.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
|  | ||||
| spec: | ||||
|   replicas: {{ .Values.replicaCount }} | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       app: {{ template "phpldapadmin.name" . }} | ||||
|       release: {{ .Release.Name }} | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         app: {{ template "phpldapadmin.name" . }} | ||||
|         release: {{ .Release.Name }} | ||||
|     spec: | ||||
|       containers: | ||||
|       - name: {{ .Chart.Name }} | ||||
|         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||||
|         imagePullPolicy: {{ .Values.image.pullPolicy }} | ||||
|         ports: | ||||
|         - name: http | ||||
|           containerPort: 80 | ||||
|           protocol: TCP | ||||
|         envFrom: | ||||
|         - configMapRef: | ||||
|             name: {{ template "phpldapadmin.fullname" . }} | ||||
|         livenessProbe: | ||||
| {{ toYaml .Values.livenessProbe | indent 12 }} | ||||
|         readinessProbe: | ||||
| {{ toYaml .Values.readinessProbe | indent 12 }} | ||||
|         resources: | ||||
| {{ toYaml .Values.resources | indent 12 }} | ||||
|     {{- with .Values.nodeSelector }} | ||||
|       nodeSelector: | ||||
| {{ toYaml . | indent 8 }} | ||||
|     {{- end }} | ||||
|     {{- with .Values.affinity }} | ||||
|       affinity: | ||||
| {{ toYaml . | indent 8 }} | ||||
|     {{- end }} | ||||
|     {{- with .Values.tolerations }} | ||||
|       tolerations: | ||||
| {{ toYaml . | indent 8 }} | ||||
|     {{- end }} | ||||
| @@ -0,0 +1,38 @@ | ||||
| {{- if .Values.ingress.enabled -}} | ||||
| {{- $fullName := include "phpldapadmin.fullname" . -}} | ||||
| {{- $ingressPath := .Values.ingress.path -}} | ||||
| apiVersion: extensions/v1beta1 | ||||
| kind: Ingress | ||||
| metadata: | ||||
|   name: {{ $fullName }} | ||||
|   labels: | ||||
|     app: {{ template "phpldapadmin.name" . }} | ||||
|     chart: {{ template "phpldapadmin.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
| {{- with .Values.ingress.annotations }} | ||||
|   annotations: | ||||
| {{ toYaml . | indent 4 }} | ||||
| {{- end }} | ||||
| spec: | ||||
| {{- if .Values.ingress.tls }} | ||||
|   tls: | ||||
|   {{- range .Values.ingress.tls }} | ||||
|     - hosts: | ||||
|       {{- range .hosts }} | ||||
|         - {{ . }} | ||||
|       {{- end }} | ||||
|       secretName: {{ .secretName }} | ||||
|   {{- end }} | ||||
| {{- end }} | ||||
|   rules: | ||||
|   {{- range .Values.ingress.hosts }} | ||||
|     - host: {{ . }} | ||||
|       http: | ||||
|         paths: | ||||
|           - path: {{ $ingressPath }} | ||||
|             backend: | ||||
|               serviceName: {{ $fullName }} | ||||
|               servicePort: http | ||||
|   {{- end }} | ||||
| {{- end }} | ||||
| @@ -0,0 +1,32 @@ | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   name: {{ template "phpldapadmin.fullname" . }} | ||||
|   labels: | ||||
|     app: {{ template "phpldapadmin.name" . }} | ||||
|     chart: {{ template "phpldapadmin.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
| {{- if .Values.service.annotations }} | ||||
|   annotations: | ||||
| {{ toYaml .Values.service.annotations | indent 4 }} | ||||
| {{- end }} | ||||
| spec: | ||||
|   type: {{ .Values.service.type }} | ||||
|   {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} | ||||
|   loadBalancerIP: {{ .Values.service.loadBalancerIP }} | ||||
|   {{- end }} | ||||
|   {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} | ||||
|   loadBalancerSourceRanges: | ||||
|   {{ with .Values.service.loadBalancerSourceRanges }} | ||||
| {{ toYaml . | indent 4 }} | ||||
| {{- end }} | ||||
|   {{- end }} | ||||
|   ports: | ||||
|   - port: {{ .Values.service.port }} | ||||
|     targetPort: http | ||||
|     protocol: TCP | ||||
|     name: http | ||||
|   selector: | ||||
|     app: {{ template "phpldapadmin.name" . }} | ||||
|     release: {{ .Release.Name }} | ||||
							
								
								
									
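--- a/opencloud/charts/openldap/charts/phpldapadmin/values.yaml
+++ b/opencloud/charts/openldap/charts/phpldapadmin/values.yaml
@@ -0,0 +1,94 @@
+---
+# Default values for phpldapadmin.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+## TODO: add this in the deployment.yaml
+env:
+  # PHPLDAPADMIN_LDAP_HOSTS: ...
+  PHPLDAPADMIN_HTTPS: "false"
+  PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
+
+## Number of phpLDAPadmin images
+replicaCount: 1
+
+## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
+##
+image:
+  repository: osixia/phpldapadmin
+  tag: 0.9.0
+  pullPolicy: IfNotPresent
+
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+
+## TODO persistence
+
+## Expose the pgAdmin service to be accessed from outside the cluster (LoadBalancer service).
+## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
+## ref: http://kubernetes.io/docs/user-guide/services/
+##
+service:
+  type: ClusterIP
+  ## name: phpldapadmin
+  port: 80
+  annotations: {}
+
+  ## Set the LoadBalancer service type to internal only.
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+  ##
+  # loadBalancerIP:
+
+  ## Load Balancer sources
+  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+  ##
+  # loadBalancerSourceRanges:
+  # - 10.10.10.0/24
+
+## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+ingress:
+  enabled: false
+  annotations: {}
+  path: /
+  ## Ingress Host
+  # hosts:
+  # - phpldapadmin.example.org
+  #
+  tls: []
+  # tls:
+  # - secretName: phpldapadmin-dedicated-tls
+  #   hosts:
+  #   - phpldapadmin.example.org
+
+## Configure liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+##
+readinessProbe:
+  httpGet:
+    path: /
+    port: http
+livenessProbe:
+   httpGet:
+     path: /
+     port: http
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}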
							
								
								
									
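--- a/opencloud/charts/openldap/templates/NOTES.txt
+++ b/opencloud/charts/openldap/templates/NOTES.txt
@@ -0,0 +1,20 @@
+OpenLDAP has been installed. You can access the server from within the k8s cluster using:
+
+  {{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }}
+
+
+You can access the LDAP adminPassword and configPassword using:
+
+  kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_ADMIN_PASSWORD}" | base64 --decode; echo
+  kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_CONFIG_PASSWORD}" | base64 --decode; echo
+
+
+You can access the LDAP service, from within the cluster (or with kubectl port-forward) with a command like (replace password and domain):
+  ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}-service.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
+
+
+Test server health using Helm test:
+  helm test {{ .Release.Name }}
+
+
+You can also consider installing the helm chart for phpldapadmin to manage this instance of OpenLDAP, or install Apache Directory Studio, and connect using kubectl port-forward.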
							
								
								
									
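--- a/opencloud/charts/openldap/templates/_helpers.tpl
+++ b/opencloud/charts/openldap/templates/_helpers.tpl
@@ -0,0 +1,74 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "openldap.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "apps/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "openldap.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "openldap.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{/*
+Generate chart secret name
+*/}}
+{{- define "openldap.secretName" -}}
+{{ default (include "openldap.fullname" .) .Values.existingSecret }}
+{{- end -}}
+{{/*
+Generate replication services list
+*/}}
+{{- define "replicalist" -}}
+{{- $name := (include "openldap.fullname" .) }}
+{{- $namespace := .Release.Namespace }}
+{{- $cluster := .Values.replication.clusterName }}
+{{- $nodeCount := .Values.replicaCount | int }}
+  {{- range $index0 := until $nodeCount -}}
+    {{- $index1 := $index0 | add1 -}}
+'ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}'{{ if ne $index1 $nodeCount }},{{ end }}
+  {{- end -}}
+{{- end -}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "openldap.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "openldap.tplValue" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}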
| @@ -0,0 +1,23 @@ | ||||
| # | ||||
| # A ConfigMap spec for openldap slapd that map directly to files under | ||||
| # /container/service/slapd/assets/config/bootstrap/ldif/custom | ||||
| # | ||||
| {{- if .Values.customLdifFiles }} | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: {{ template "openldap.fullname" . }}-customldif | ||||
|   labels: | ||||
|     app: {{ template "openldap.name" . }} | ||||
|     chart: {{ template "openldap.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
| {{- if .Values.extraLabels }} | ||||
| {{ toYaml .Values.extraLabels | indent 4 }} | ||||
| {{- end }} | ||||
| data: | ||||
| {{- range $key, $val := .Values.customLdifFiles }} | ||||
|   {{ $key }}: |- | ||||
| {{ $val | indent 4}} | ||||
| {{- end }} | ||||
| {{- end }} | ||||
							
								
								
									
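--- a/opencloud/charts/openldap/templates/configmap-env.yaml
+++ b/opencloud/charts/openldap/templates/configmap-env.yaml
@@ -0,0 +1,26 @@
+#
+# A ConfigMap spec for openldap slapd that map directly to env variables in the Pod.
+# List of environment variables supported is from the docker image:
+# https://github.com/osixia/docker-openldap#beginner-guide
+# Note that passwords are defined as secrets
+#
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "openldap.fullname" . }}-env
+  labels:
+    app: {{ template "openldap.name" . }}
+    chart: {{ template "openldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+data:
+{{ toYaml .Values.env | indent 2 }}
+{{- if .Values.replication.enabled }}
+  LDAP_REPLICATION: "true"
+  LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
+  LDAP_REPLICATION_DB_SYNCPROV: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval={{.Values.replication.interval }} retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
+  LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:[{{ template "replicalist" . }}]"
+{{- end }}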
							
								
								
									
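--- a/opencloud/charts/openldap/templates/secret-ltb.yaml
+++ b/opencloud/charts/openldap/templates/secret-ltb.yaml
@@ -0,0 +1,17 @@
+{{ if not .Values.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "openldap.fullname" . }}-ltb-passwd
+  labels:
+    app: {{ template "openldap.name" . }}
+    chart: {{ template "openldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+  LDAP_ADMIN_PASSWORD: {{ .Values.adminPassword | b64enc | quote }}
+{{ end }}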
							
								
								
									
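--- a/opencloud/charts/openldap/templates/secret.yaml
+++ b/opencloud/charts/openldap/templates/secret.yaml
@@ -0,0 +1,18 @@
+{{ if not .Values.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "openldap.fullname" . }}
+  labels:
+    app: {{ template "openldap.name" . }}
+    chart: {{ template "openldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+  LDAP_ADMIN_PASSWORD: {{ .Values.adminPassword | b64enc | quote }}
+  LDAP_CONFIG_PASSWORD: {{ .Values.configPassword  | b64enc | quote }}
+{{ end }}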
							
								
								
									
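--- a/opencloud/charts/openldap/templates/service.yaml
+++ b/opencloud/charts/openldap/templates/service.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.service.annotations }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+  name: {{ template "openldap.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "openldap.fullname" . }}
+    chart: {{ template "openldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{ toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
+  {{- end }}
+  ports:
+    - name: ldap-port
+      protocol: TCP
+      port: {{ .Values.service.ldapPort }}
+      targetPort: ldap-port
+      {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
+      nodePort: {{ .Values.service.ldapPortNodePort }}
+      {{- else if eq .Values.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    - name: ssl-ldap-port
+      protocol: TCP
+      port: {{ .Values.service.sslLdapPort }}
+      targetPort: ssl-ldap-port
+      {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
+      nodePort: {{ .Values.service.sslLdapPortNodePort }}
+      {{- else if eq .Values.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+  selector:
+    app: {{ template "openldap.fullname" . }}
+    release: {{ .Release.Name }}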
							
								
								
									
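--- a/opencloud/charts/openldap/templates/statefullset.yaml
+++ b/opencloud/charts/openldap/templates/statefullset.yaml
@@ -0,0 +1,153 @@
+apiVersion: {{ template "statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+  name:  {{ template "openldap.fullname" . }}
+  labels:
+    app: {{ template "openldap.fullname" . }}
+    chart: {{ template "openldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+{{- if .Values.strategy }}
+  strategy:
+{{ toYaml .Values.strategy | indent 4 }}
+{{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "openldap.fullname" . }}
+      release: {{ .Release.Name }}
+  serviceName: {{ template "openldap.fullname" . }}-headless
+  template:
+    metadata:
+      annotations:
+        checksum/configmap-env: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }}
+{{- if .Values.customLdifFiles}}
+        checksum/configmap-customldif: {{ include (print $.Template.BasePath "/configmap-customldif.yaml") . | sha256sum }}
+{{- end }}
+{{- if .Values.podAnnotations}}
+{{ toYaml .Values.podAnnotations | indent 8}}
+{{- end }}
+      labels:
+        app: {{ template "openldap.fullname" . }}
+        release: {{ .Release.Name }}
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - -l
+            - {{ .Values.logLevel }}
+{{- if .Values.customLdifFiles }}
+            - --copy-service
+{{- end }}
+          ports:
+            - name: ldap-port
+              containerPort: 389
+            - name: ssl-ldap-port
+              containerPort: 636
+          envFrom:
+            - configMapRef:
+                name: {{ template "openldap.fullname" . }}-env
+            - secretRef:
+                name: {{ template "openldap.secretName" . }}
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/ldap
+              subPath: data
+            - name: data
+              mountPath: /etc/ldap/slapd.d
+              subPath: config-data
+            - name: data
+              mountPath: /container/service/slapd/assets/certs
+{{- if .Values.customLdifFiles }}
+            - name: custom-ldif-files
+              mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
+{{- end }}
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+            #- name: HOSTNAME
+            #  value: $(POD_NAME).{{ template "openldap.fullname" . }}-headless
+          {{- if .Values.tls.enabled }}
+            - name: LDAP_TLS_CRT_FILENAME
+              value: tls.crt
+            - name: LDAP_TLS_KEY_FILENAME
+              value: tls.key
+          {{- if .Values.tls.CA.enabled }}
+            - name: LDAP_TLS_CA_CRT_FILENAME
+              value: ca.crt
+          {{- end }}
+          {{- end }}
+          livenessProbe:
+            tcpSocket:
+              port: ldap-port
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            failureThreshold: 10
+          readinessProbe:
+            tcpSocket:
+              port: ldap-port
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            failureThreshold: 10
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+      affinity:  
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - topologyKey: kubernetes.io/hostname
+            labelSelector:
+              matchLabels:
+                app.kubernetes.io/component: {{ .Release.Name }}
+                app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+      imagePullSecrets:  
+        - name: {{ .Values.image.pullSecret }}
+{{- if .Values.customLdifFiles }}
+      volumes:
+        - name: custom-ldif-files
+          configMap:
+            name: {{ template "openldap.fullname" . }}-customldif
+{{- end }}
+{{- if .Values.persistence.enabled }}  
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+        annotations:
+        {{- range $key, $value := .Values.persistence.annotations }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      spec:
+        accessModes:
+        {{- range .Values.persistence.accessModes }}
+          - {{ . | quote }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size | quote }}
+      {{- if .Values.persistence.storageClass }}
+      {{- if (eq "-" .Values.persistence.storageClass) }}
+        storageClassName: ""
+      {{- else }}
+        storageClassName: "{{ .Values.persistence.storageClass }}"
+      {{- end }}
+{{- end }}
+{{- else }}
+        - name: data
+          emptyDir: {}
+{{- end }}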
							
								
								
									
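--- a/opencloud/charts/openldap/templates/svc-headless.yaml
+++ b/opencloud/charts/openldap/templates/svc-headless.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "openldap.fullname" . }}-headless
+  labels:
+    app: {{ template "openldap.fullname" . }}
+    chart: {{ template "openldap.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  ports:
+  - port: {{ .Values.service.ldapPort }}
+    name: ldap-port
+    targetPort: ldap-port
+  clusterIP: None
+  selector:
+    app: {{ template "openldap.fullname" . }}
+    release: {{ .Release.Name }}   
+  type: ClusterIP
+  sessionAffinity: None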
| @@ -0,0 +1,50 @@ | ||||
| {{- if .Values.test.enabled -}} | ||||
| apiVersion: v1 | ||||
| kind: Pod | ||||
| metadata: | ||||
|   name: "{{ template "openldap.fullname" . }}-test-{{ randAlphaNum 5 | lower }}" | ||||
|   labels: | ||||
|     app: {{ template "openldap.name" . }} | ||||
|     chart: {{ template "openldap.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
| {{- if .Values.extraLabels }} | ||||
| {{ toYaml .Values.extraLabels | indent 4 }} | ||||
| {{- end }} | ||||
|   annotations: | ||||
|     "helm.sh/hook": test-success | ||||
| spec: | ||||
|   initContainers: | ||||
|     - name: test-framework | ||||
|       image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }} | ||||
|       command: | ||||
|         - "bash" | ||||
|         - "-c" | ||||
|         - | | ||||
|           set -ex | ||||
|           # copy bats to tools dir | ||||
|           cp -R /usr/local/libexec/ /tools/bats/ | ||||
|       volumeMounts: | ||||
|         - mountPath: /tools | ||||
|           name: tools | ||||
|   containers: | ||||
|     - name: {{ .Release.Name }}-test | ||||
|       image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }} | ||||
|       envFrom: | ||||
|         - secretRef: | ||||
|             name: {{ template "openldap.secretName" . }} | ||||
|       command: ["/tools/bats/bats", "-t", "/tests/run.sh"] | ||||
|       volumeMounts: | ||||
|         - mountPath: /tests | ||||
|           name: tests | ||||
|           readOnly: true | ||||
|         - mountPath: /tools | ||||
|           name: tools | ||||
|   volumes: | ||||
|     - name: tests | ||||
|       configMap: | ||||
|         name: {{ template "openldap.fullname" . }}-tests | ||||
|     - name: tools | ||||
|       emptyDir: {} | ||||
|   restartPolicy: Never | ||||
| {{- end -}} | ||||
| @@ -0,0 +1,22 @@ | ||||
| {{- if .Values.test.enabled -}} | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: {{ template "openldap.fullname" . }}-tests | ||||
|   labels: | ||||
|     app: {{ template "openldap.name" . }} | ||||
|     chart: {{ template "openldap.chart" . }} | ||||
|     release: {{ .Release.Name }} | ||||
|     heritage: {{ .Release.Service }} | ||||
| {{- if .Values.extraLabels }} | ||||
| {{ toYaml .Values.extraLabels | indent 4 }} | ||||
| {{- end }} | ||||
| data: | ||||
|   run.sh: |- | ||||
|     @test "Testing connecting to slapd server" { | ||||
|       # Ideally, this should be in the docker image, but there is not a generic image we can use | ||||
|       # with bats and ldap-utils installed. It is not worth for now to push an image for this. | ||||
|       apt-get update && apt-get install -y ldap-utils | ||||
|       ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD | ||||
|     } | ||||
| {{- end -}} | ||||
							
								
								
									
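--- a/opencloud/charts/openldap/values.yaml
+++ b/opencloud/charts/openldap/values.yaml
@@ -0,0 +1,179 @@
+# Default values for openldap.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 3
+# Define deployment strategy - IMPORTANT: use rollingUpdate: null when use Recreate strategy.
+# It prevents from merging with existing map keys which are forbidden.
+strategy: {}
+  # type: RollingUpdate
+  # rollingUpdate:
+  #   maxSurge: 1
+  #   maxUnavailable: 0
+  #
+  # or
+  #
+  # type: Recreate
+  # rollingUpdate: null
+image:
+  # From repository https://github.com/osixia/docker-openldap
+  repository: osixia/openldap
+  tag: 1.4.0
+  pullPolicy: Always
+  pullSecret: harbor
+
+# Set the container log level
+# Valid log levels: none, error, warning, info (default), debug, trace
+logLevel: info
+
+# Spcifies an existing secret to be used for admin and config user passwords
+existingSecret: ""
+# settings for enabling TLS with custom certificate
+tls:
+  enabled: true
+  secret: ""  # The name of a kubernetes.io/tls type secret to use for TLS
+  CA:
+    enabled: false
+    secret: ""  # The name of a generic secret to use for custom CA certificate (ca.crt)
+## Add additional labels to all resources
+extraLabels: {}
+## Add additional annotations to pods
+podAnnotations: {}
+service:
+  annotations: {}
+
+  ldapPort: 389
+  sslLdapPort: 636
+
+  ## If service type NodePort, define the value here
+  #ldapPortNodePort:
+  #sslLdapPortNodePort:
+  ## List of IP addresses at which the service is available
+  ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+  ##
+  externalIPs: []
+
+  #loadBalancerIP: 
+  #loadBalancerSourceRanges: []
+  type: ClusterIP
+
+# Default configuration for openldap as environment variables. These get injected directly in the container.
+# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
+env:
+ LDAP_LOG_LEVEL: "256"
+ LDAP_ORGANISATION: "Example Inc."
+ LDAP_DOMAIN: "example.org"
+ LDAP_READONLY_USER: "false"
+ LDAP_READONLY_USER_USERNAME: "readonly"
+ LDAP_READONLY_USER_PASSWORD: "readonly"
+ LDAP_RFC2307BIS_SCHEMA: "false"
+ LDAP_BACKEND: "mdb"
+ LDAP_TLS: "true"
+ LDAP_TLS_CRT_FILENAME: "ldap.crt"
+ LDAP_TLS_KEY_FILENAME: "ldap.key"
+ LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
+ LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
+ LDAP_TLS_ENFORCE: "false"
+ CONTAINER_LOG_LEVEL: "4"
+ LDAP_TLS_REQCERT: "never"
+ KEEP_EXISTING_CONFIG: "false"
+ LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+ LDAP_SSL_HELPER_PREFIX: "ldap"
+ LDAP_TLS_VERIFY_CLIENT: "never"
+ LDAP_TLS_PROTOCOL_MIN: "3.0"
+ LDAP_TLS_CIPHER_SUITE: "NORMAL"
+
+  
+
+# Default Passwords to use, stored as a secret.
+# You can override these at install time with
+# helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
+adminPassword: Not@SecurePassw0rd
+configPassword: Not@SecurePassw0rd
+
+# Custom openldap configuration files used to override default settings
+# customLdifFiles:
+  # 01-default-users.ldif: |-
+    # Predefine users here
+replication:
+  enabled: true    
+  # Enter the name of your cluster, defaults to "cluster.local"
+  clusterName: "cluster.local"
+  retry: 60
+  timeout: 1
+  interval: 00:00:00:10
+  starttls: "critical"
+  tls_reqcert: "never"
+## Persist data to a persistent volume
+persistence:
+  enabled: true
+  ## database data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  # storageClass: "standard-singlewriter"
+  accessModes:
+    - ReadWriteOnce
+  size: 8Gi
+
+resources: {}
+ # requests:
+ #   cpu: "100m"
+ #   memory: "256Mi"
+ # limits:
+ #   cpu: "500m"
+ #   memory: "512Mi"
+
+nodeSelector: {}
+
+tolerations: []
+
+
+## test container details
+test:
+  enabled: false
+  image:
+    repository: dduportal/bats
+    tag: 0.4.0
+ltb-passwd:
+  enabled : true
+  ingress:
+    enabled: true
+    annotations: {}
+    path: /
+    ## Ingress Host
+    hosts:
+    - "ssl-ldap2.example"
+  ldap:
+    server: ldap://openldap
+    searchBase: dc=example,dc=org
+    # existingSecret: openldaptest
+    bindDN: cn=admin,dc=example,dc=org
+    bindPWKey: LDAP_ADMIN_PASSWORD
+
+phpldapadmin:
+  enabled: true
+  ingress:
+    enabled: true
+    annotations: {}
+    path: /
+    ## Ingress Host
+    hosts:
+    - phpldapadmin.example
+  env:
+    PHPLDAPADMIN_LDAP_HOSTS: openldap
+ # TODO make it works
+ #     "#PYTHON2BASH:
+ #       [{'openldap.openldap': 
+ #         [{'server': [
+ #           {'tls': False},
+ #           {'port':636}
+ #         ]},
+ #           {'login': 
+ #             [{'bind_id': 'cn=admin,dc=example,dc=org'}]
+ #           }]
+ #       }]"
+      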
| @@ -55,47 +55,99 @@ nats: | ||||
|       storageClassName: kind-sc | ||||
|  | ||||
|  | ||||
| openldap-stack-ha: | ||||
|   enabled: false | ||||
|   global: | ||||
|     ldapDomain: "opencloud.acme.com" | ||||
|     adminUser: "admin" | ||||
|     adminPassword: "acmeOpenCloudAdmin" | ||||
|     configUser: "admin" | ||||
|     configPassword: "acmeOpenCloudConfig" | ||||
| openldap: | ||||
|   enabled: true | ||||
|   test: | ||||
|     enabled: false | ||||
|   ltb-passwd: | ||||
|     enabled: false | ||||
|   replicaCount: 1 | ||||
|   image: | ||||
|     repository: osixia/openldap | ||||
|     tag: 1.5.0 | ||||
|   tls: | ||||
|     enabled: false | ||||
|   env: | ||||
|     LDAP_ORGANISATION: "Example opencloud" | ||||
|     LDAP_DOMAIN: "example.com" | ||||
|     LDAP_BACKEND: "mdb" | ||||
|     LDAP_TLS: "false" | ||||
|     LDAP_TLS_ENFORCE: "false" | ||||
|     LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" | ||||
|   adminPassword: "admin@password" | ||||
|   configPassword: "config@password" | ||||
|   phpldapadmin: | ||||
|     enabled: false | ||||
|   persistence: | ||||
|     enabled: true | ||||
|     accessMode: ReadWriteOnce | ||||
|     size: 20Mi | ||||
|     size: 10Mi | ||||
|     storageClass: kind-sc | ||||
|   ltb-passwd: | ||||
|     enabled : false | ||||
|   env: | ||||
|     LDAP_REQUIRE_TLS: "false" | ||||
|     LDAP_ENABLE_TLS: "yes" | ||||
|     LDAP_TLS_ENFORCE: "false" | ||||
|   phpldapadmin: | ||||
|     enabled: false | ||||
|   replication: | ||||
|     enabled: false | ||||
|   replicaCount: 1 | ||||
|   customLdifFiles: | ||||
|  | ||||
|     01-schema.ldif: |- | ||||
|       dn: ou=groups,dc=example,dc=com | ||||
|       objectClass: organizationalUnit | ||||
|       ou: groups | ||||
|  | ||||
|       dn: ou=users,dc=example,dc=com | ||||
|       objectClass: organizationalUnit | ||||
|       ou: users | ||||
|  | ||||
|       dn: cn=lastGID,dc=example,dc=com | ||||
|       objectClass: device | ||||
|       objectClass: top | ||||
|       description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group. | ||||
|       cn: lastGID | ||||
|       serialNumber: 2001 | ||||
|  | ||||
|       dn: cn=lastUID,dc=example,dc=com | ||||
|       objectClass: device | ||||
|       objectClass: top | ||||
|       serialNumber: 2001 | ||||
|       description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account. | ||||
|       cn: lastUID | ||||
|  | ||||
|     02-ldapadmin.ldif : |- | ||||
|       dn: cn=ldapadmin,ou=groups,dc=example,dc=com | ||||
|       objectClass: top | ||||
|       objectClass: posixGroup | ||||
|       cn: ldapadmin | ||||
|       memberUid: ldapadmin | ||||
|       gidNumber: 2001 | ||||
|  | ||||
|       dn: uid=ldapadmin,ou=users,dc=example,dc=com | ||||
|       givenName: ldap | ||||
|       sn: admin | ||||
|       uid: ldapadmin | ||||
|       cn: ldapadmin | ||||
|       mail: ldapadmin@example.com | ||||
|       objectClass: person | ||||
|       objectClass: inetOrgPerson | ||||
|       objectClass: posixAccount | ||||
|       userPassword: ldapadmin | ||||
|       uidNumber: 2001 | ||||
|       gidNumber: 2001 | ||||
|       loginShell: /bin/bash | ||||
|       homeDirectory: /home/ldapadmin | ||||
|  | ||||
| # ldap user manager configuration | ||||
| ldapUserManager: | ||||
|   enabled: false | ||||
|   version: v1.11 | ||||
|   enabled: true | ||||
|   env: | ||||
|     SERVER_HOSTNAME: "opencloud.acme.com" | ||||
|     LDAP_BASE_DN: "dc=opencloud,dc=acme,dc=com" | ||||
|     SERVER_HOSTNAME: "users.example.com" | ||||
|     LDAP_BASE_DN: "dc=example,dc=com" | ||||
|     LDAP_REQUIRE_STARTTLS: "false" | ||||
|     LDAP_ADMINS_GROUP: "ldapadmin" | ||||
|     LDAP_ADMIN_BIND_DN: "cn=admin,dc=opencloud,dc=acme,dc=com" | ||||
|     LDAP_ADMIN_BIND_PWD: "acmeOpenCloudAdmin" | ||||
|     LDAP_ADMIN_BIND_DN: "cn=admin,dc=example,dc=com" | ||||
|     LDAP_ADMIN_BIND_PWD: "admin@password" | ||||
|     LDAP_IGNORE_CERT_ERRORS: "true" | ||||
|     EMAIL_DOMAIN: "" | ||||
|     NO_HTTPS: "true" | ||||
|     SERVER_PATH: "/users" | ||||
|     ORGANISATION_NAME: "Opencloud Acme" | ||||
|     ORGANISATION_NAME: "Example" | ||||
|     LDAP_USER_OU: "users" | ||||
|     LDAP_GROUP_OU: "groups" | ||||
|     ACCEPT_WEAK_PASSWORDS: "true" | ||||
| @@ -123,15 +175,37 @@ traefik: | ||||
| hydra: | ||||
|   enabled: true | ||||
|   maester: | ||||
|     enabled: false | ||||
|     enabled: true | ||||
|   hydra: | ||||
|     dev: true | ||||
|     config: | ||||
|       dsn: memory | ||||
|       urls: | ||||
|         login: http://localhost/auth/login | ||||
|         consent: http://localhost/auth/consent | ||||
|         logout: http://localhost/auth/logout | ||||
|         login: http://localhost/authentication/login | ||||
|         consent: http://localhost/consent/consent | ||||
|         logout: http://localhost/authentication/logout | ||||
|         self: | ||||
|           issuer: http://localhost/auth | ||||
|           issuer: http://localhost/idp | ||||
|  | ||||
| keto: | ||||
|   enabled: true | ||||
|  | ||||
| ocAuth: | ||||
|   enabled: false | ||||
|   image: oc-auth:latest | ||||
|   authType: hydra | ||||
|   hydra: | ||||
|     adminRole: admin | ||||
|     openCloudOauth2ClientSecretName: oc-auth-got-secret | ||||
|   ldap: | ||||
|     bindDn: "cn=admin,dc=example,dc=com" | ||||
|     binPwd: "password" | ||||
|     baseDn: "dc=example,dc=com" | ||||
|     roleBaseDn: "ou=AppRoles,dc=example,dc=com" | ||||
|   resources: | ||||
|     limits: | ||||
|       cpu: "128m" | ||||
|       memory: "128Mi" | ||||
|     requests: | ||||
|       cpu: "128m" | ||||
|       memory: "256Mi" | ||||
|   | ||||
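Review bot: `ocAuth.ldap.binPwd: "password"` is paired with `bindDn: "cn=admin,dc=example,dc=com"`, but the password set for that same admin entry a few lines earlier is `openldap.adminPassword: "admin@password"`, so if oc-auth is meant to bind as the directory admin the bind will fail; `ldapUserManager.env.LDAP_ADMIN_BIND_PWD` is already kept in step, and `binPwd` itself reads like a typo for `bindPwd`. The `ocAuth.resources` block requests `memory: "256Mi"` while capping `limits.memory` at `"128Mi"`; Kubernetes rejects a container whose request exceeds its limit, so `requests.memory: "128Mi"` (or a higher limit) is needed before these values are wired into a pod spec. `roleBaseDn: "ou=AppRoles,dc=example,dc=com"` points at an OU that the `customLdifFiles` seed data never creates (only `ou=groups` and `ou=users`), so role lookups will presumably come back empty until that entry is added. Since this file carries the admin, config and `userPassword: ldapadmin` credentials in clear text, a one-line comment at the top stating that these are local `kind` development values that must be overridden for any shared cluster would help the next reader.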
							
								
								
									
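--- a/opencloud/templates/ldapUserManager.yaml
+++ b/opencloud/templates/ldapUserManager.yaml
@@ -0,0 +1,113 @@
+{{- if .Values.ldapUserManager.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ldap-user-manager
+  name: {{ .Release.Name }}-ldap-user-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ldap-user-manager
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: ldap-user-manager
+    spec:
+      containers:
+      - image: wheelybird/ldap-user-manager:v1.8
+        name: ldap-user-manager
+        env:
+        - name: SERVER_HOSTNAME
+          value: "{{ .Values.ldapUserManager.env.SERVER_HOSTNAME }}"
+        - name: LDAP_URI
+          value: "ldap://{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local"
+        - name: LDAP_BASE_DN
+          value: "{{ .Values.ldapUserManager.env.LDAP_BASE_DN }}"
+        - name: LDAP_REQUIRE_STARTTLS
+          value: "{{ .Values.ldapUserManager.env.LDAP_REQUIRE_STARTTLS }}"
+        - name: LDAP_ADMINS_GROUP
+          value: "{{ .Values.ldapUserManager.env.LDAP_ADMINS_GROUP }}"
+        - name: LDAP_ADMIN_BIND_DN
+          value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_DN }}"
+        - name: LDAP_ADMIN_BIND_PWD
+          value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_PWD }}"
+        - name: LDAP_IGNORE_CERT_ERRORS
+          value: "{{ .Values.ldapUserManager.env.LDAP_IGNORE_CERT_ERRORS }}"
+        - name: NO_HTTPS
+          value: "{{ .Values.ldapUserManager.env.NO_HTTPS }}"
+        - name: EMAIL_DOMAIN
+          value: "{{ .Values.ldapUserManager.env.EMAIL_DOMAIN }}"
+        - name: ORGANISATION_NAME
+          value: "{{ .Values.ldapUserManager.env.ORGANISATION_NAME }}"
+        - name: LDAP_USER_OU
+          value: "{{ .Values.ldapUserManager.env.LDAP_USER_OU }}"
+        - name: LDAP_GROUP_OU
+          value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_OU }}"
+        - name: SERVER_PATH
+          value: "{{ .Values.ldapUserManager.env.SERVER_PATH }}"
+        - name: LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES
+          value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES }}"
+        - name: LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES
+          value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES }}"
+        - name: LDAP_GROUP_ADDITIONAL_OBJECTCLASSES
+          value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_OBJECTCLASSES }}"
+        - name: LDAP_GROUP_ADDITIONAL_ATTRIBUTES
+          value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_ATTRIBUTES }}"
+        - name: ACCEPT_WEAK_PASSWORDS
+          value: "{{ .Values.ldapUserManager.env.ACCEPT_WEAK_PASSWORDS }}"
+        ports:
+          - name: http
+            containerPort: 80
+            protocol: TCP
+          - name: https
+            containerPort: 443
+            protocol: TCP
+        resources:
+          limits:
+            cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
+            memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
+          requests:
+            cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
+            memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-ldap-user-manager-svc
+  labels:
+    app: ldap-user-manager-svc
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 80
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: 443
+  selector:
+    app: ldap-user-manager
+  type: ClusterIP
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ldap-user-manager-ingress
+spec:
+  entryPoints:
+    - web
+  routes:
+    - kind: Rule
+      match:  Host(`{{ .Values.host }}`) &&  PathPrefix(`/users`)
+      priority: 10
+      services:
+      - kind: Service
+        name: {{ .Release.Name }}-ldap-user-manager-svc
+        passHostHeader: true
+        port: 8080
+{{- end }}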
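Review bot: `LDAP_ADMIN_BIND_PWD` is injected as a literal `value:` from `.Values.ldapUserManager.env.LDAP_ADMIN_BIND_PWD`, so the directory admin password ends up in the rendered Deployment, the Helm release history and anything allowed to read Deployments. The openldap subchart already keeps that password in a Secret under the key `LDAP_ADMIN_PASSWORD` (its test pod reads it through `envFrom.secretRef`), so this container can take it from there with `valueFrom.secretKeyRef` instead of carrying a second copy in values that can drift from `openldap.adminPassword`. The `.Values.ldapUserManager.resources.*` references at the bottom and the `LDAP_*_ADDITIONAL_*` keys have no counterpart in the visible dev values, so they render as empty strings or fail at template time — worth confirming against the rest of dev-values.yaml, which also carries a `ldapUserManager.version` key this template ignores in favour of the hard-coded `v1.8` tag. The IngressRoute is named `ldap-user-manager-ingress` without the `{{ .Release.Name }}` prefix the Deployment and Service use, so two releases in one namespace would collide on it.
```yaml
        - name: LDAP_ADMIN_BIND_PWD
          valueFrom:
            secretKeyRef:
              name: <openldap-secret-name>   # placeholder: the Secret created by the openldap subchart
              key: LDAP_ADMIN_PASSWORD
        # … unchanged: remaining env entries, ports, resources …
```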
							
								
								
									
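--- a/opencloud/templates/oc-auth/deployment.yaml
+++ b/opencloud/templates/oc-auth/deployment.yaml
@@ -0,0 +1,80 @@
+{{- if index .Values.ocAuth.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: oc-auth
+  name: {{ .Release.Name }}-oc-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oc-auth
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: oc-auth
+    spec:
+      volumes:
+        - name: public-key-volume
+          secret:
+            secretName: public-key-secret
+        - name: private-key-volume
+          secret:
+            secretName: private-key-secret
+      containers:
+      - image: "{{ .Values.ocAuth.image }}"
+        name: oc-auth
+        volumeMounts:
+          - name: public-key-volume
+            mountPath: /keys/public
+            subPath: public.pem
+          - name: private-key-volume
+            mountPath: /keys/private
+            subPath: private.pem
+        env:
+        - name: OCAUTH_ADMIN_ROLE
+          value: "{{ .Values.ocAuth.hydra }}"
+        - name: OCAUTH_PUBLIC_KEY_PATH
+          value: /keys/public/public.pem
+        - name: OCAUTH_PRIVATE_KEY_PATH
+          value: /keys/private/private.pem
+        - name: OCAUTH_CLIENT_SECRET
+          value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
+        - name: OCAUTH_AUTH
+          value: "{{ .Values.ocAuth.authType }}"
+        - name: OCAUTH_AUTH_CONNECTOR_HOST
+          value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
+        - name: OCAUTH_AUTH_CONNECTOR_PORT
+          value: 4444
+        - name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
+          value: 4445
+        - name: OCAUTH_PERMISSION_CONNECTOR_HOST
+          value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
+        - name: OCAUTH_PERMISSION_CONNECTOR_PORT
+          value: 80
+        - name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
+          value: 80
+        - name: OCAUTH_LDAP_ENDPOINTS
+          value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
+        - name: OCAUTH_LDAP_BINDDN
+          value: "{{ index .Values.ocAuth.ldap.bindDn }}"
+        - name: OCAUTH_LDAP_BINDPW
+          value: "{{ index .Values.ocAuth.ldap.binPwd }}"
+        - name: OCAUTH_LDAP_BASEDN
+          value: "{{ index .Values.ocAuth.ldap.baseDn }}"
+        - name: OCAUTH_LDAP_ROLE_BASEDN
+          value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+        ports:
+          - name: http
+            containerPort: 80
+            protocol: TCP
+        resources:
+          limits:
+            cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
+            memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
+          requests:
+            cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
+            memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
+{{- end }}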
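Review bot: The four numeric `value:` entries (`OCAUTH_AUTH_CONNECTOR_PORT: 4444`, `OCAUTH_AUTH_CONNECTOR_ADMIN_PORT: 4445` and the two `OCAUTH_PERMISSION_CONNECTOR_*_PORT: 80`) are YAML integers, and `env[].value` must be a string, so the API server rejects this Deployment; quote them (`value: "4444"`). `OCAUTH_ADMIN_ROLE` is rendered from `.Values.ocAuth.hydra`, which is a map, so it becomes a Go `map[...]` dump instead of `.Values.ocAuth.hydra.adminRole`. Both key volumes are mounted with `subPath: private.pem` / `subPath: public.pem` at `mountPath: /keys/private` and `/keys/public`, which makes `/keys/private` the file itself while `OCAUTH_PRIVATE_KEY_PATH` expects `/keys/private/private.pem`; dropping `subPath` mounts the whole Secret as a directory and the configured paths resolve. The resources block reads `.Values.ldapUserManager.resources` rather than the `ocAuth.resources` this commit defines in dev-values.yaml. `OCAUTH_LDAP_BINDPW` and `OCAUTH_CLIENT_SECRET` are plain literal env values (and `openCloudOauth2ClientSecretName` is used as the secret value, not as the name of a Secret), so both credentials land in the rendered manifest; a `valueFrom.secretKeyRef` keeps them in a Secret, and the dotted `{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}` host names look like they should be the `{{ .Release.Name }}-hydra-admin` service-name form used for openldap — worth checking what the hydra and keto subcharts actually name their Services.
```yaml
        volumeMounts:
          - name: public-key-volume
            mountPath: /keys/public
          - name: private-key-volume
            mountPath: /keys/private
        env:
        - name: OCAUTH_ADMIN_ROLE
          value: "{{ .Values.ocAuth.hydra.adminRole }}"
        # … unchanged: key paths, OCAUTH_CLIENT_SECRET, OCAUTH_AUTH, OCAUTH_AUTH_CONNECTOR_HOST …
        - name: OCAUTH_AUTH_CONNECTOR_PORT
          value: "4444"
        - name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
          value: "4445"
        # … unchanged: OCAUTH_PERMISSION_CONNECTOR_HOST …
        - name: OCAUTH_PERMISSION_CONNECTOR_PORT
          value: "80"
        - name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
          value: "80"
        # … unchanged: OCAUTH_LDAP_* entries, ports …
        resources:
          limits:
            cpu: "{{ .Values.ocAuth.resources.limits.cpu }}"
            memory: "{{ .Values.ocAuth.resources.limits.memory }}"
          requests:
            cpu: "{{ .Values.ocAuth.resources.requests.cpu }}"
            memory: "{{ .Values.ocAuth.resources.requests.memory }}"
```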
							
								
								
									
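--- a/opencloud/templates/oc-auth/ingress.yaml
+++ b/opencloud/templates/oc-auth/ingress.yaml
@@ -0,0 +1,20 @@
+{{- if index .Values.ocAuth.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: oc-auth-ingress
+spec:
+  entryPoints:
+    - web
+  routes:
+    - kind: Rule
+      match:  Host(`{{ .Values.host }}`) &&  PathPrefix(`/auth`)
+      priority: 10
+      services:
+      - kind: Service
+        name: oc-auth-svc
+        passHostHeader: true
+        port: 8094
+      middlewares:
+        - name: forwardauth
+{{- end }}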
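Review bot: The route references a middleware named `forwardauth`, but the Middleware resource added in this commit is named `forward-auth`, so Traefik will not resolve it and the route fails to load; change it to `- name: forward-auth`. That Middleware's `address` targets `oc-auth-svc.<namespace>:8080`, while the Service only exposes port 8094 (targetPort 8080), so the forward-auth call itself would not connect either. Attaching a forwardAuth middleware to the `/auth` prefix that the same oc-auth Service serves also means the login flow is gated by the service it is trying to reach; if `/auth` is the public entry point for authentication, the middleware presumably belongs on the routes that should be protected rather than on this one. Like the Service, `oc-auth-ingress` carries no `{{ .Release.Name }}` prefix, unlike the Deployment in the same directory.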
							
								
								
									
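--- a/opencloud/templates/oc-auth/openCloudOauth2.yaml
+++ b/opencloud/templates/oc-auth/openCloudOauth2.yaml
@@ -0,0 +1,26 @@
+{{- if index .Values.ocAuth.enabled }}
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: openCloudClient
+spec:
+  clientId:  test-client
+  clientSecret: oc-auth-got-secret
+  grantTypes:
+    - implicit
+    - refresh_token
+    - authorization_code
+    - client_credentials
+  responseTypes:
+    - id_token
+    - token
+    - code
+  redirectUris:
+    - https://myapp.example.com/callback
+  scope: openid profile email roles
+  tokenEndpointAuthMethod: client_secret_post
+  postLogoutRedirectUris:
+    -http://localhost:3000
+  allowedCorsOrigins:
+    - http://localhost
+{{- end }}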
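Review bot: `metadata.name: openCloudClient` contains uppercase letters, which Kubernetes rejects for object names (RFC 1123 subdomain), and `postLogoutRedirectUris` has `-http://localhost:3000` with no space after the dash, so it parses as a single string rather than a list; use `name: opencloud-client` and `- http://localhost:3000`. `clientSecret: oc-auth-got-secret` is a literal committed in the template (and repeated as a values entry), so the OAuth2 client credential is identical for every install and visible in git; as far as I recall hydra-maester's OAuth2Client takes its credentials from a Secret named in `secretName` rather than from `clientId`/`clientSecret` fields, so it is worth verifying against the installed CRD that these two keys are honoured at all. `redirectUris` still holds the `https://myapp.example.com/callback` placeholder, which means the login redirect will not come back to `{{ .Values.host }}`. The `implicit` grant with the `token` response type is only needed for legacy browser flows; if oc-auth uses `authorization_code`, dropping those two entries narrows what this client can be used for.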
							
								
								
									
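--- a/opencloud/templates/oc-auth/pem.yaml
+++ b/opencloud/templates/oc-auth/pem.yaml
@@ -0,0 +1,21 @@
+{{- if index .Values.ocAuth.enabled }}
+# public-key-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: public-key-secret
+type: Opaque
+data:
+  public.pem: |
+    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
+---
+# private-key-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-key-secret
+type: Opaque
+data:
+  private.pem: |
+    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
+{{- end }}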
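Review bot: This template ships the signing key pair as static Secret contents inside the chart, so the private key is a long-lived credential in git history that every install shares, and `public-key-secret` / `private-key-secret` carry no `{{ .Release.Name }}` prefix, so two releases in one namespace overwrite each other's keys. Generating the pair at install time (Helm's `genPrivateKey` template function, combined with `lookup` so an upgrade does not rotate it), or referencing an operator-provided Secret the way the openldap subchart does through `existingSecret`, keeps key material out of the repository. The values sit under `data:`, which must be base64; the content is redacted here, so if these are clear-text PEM blocks they belong under `stringData:` instead — worth confirming. The `# public-key-secret.yaml` / `# private-key-secret.yaml` comments name files that do not exist; a comment such as `# key pair consumed by oc-auth via OCAUTH_PUBLIC_KEY_PATH / OCAUTH_PRIVATE_KEY_PATH` would tell the reader what the Secrets are for.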
							
								
								
									
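--- a/opencloud/templates/oc-auth/service.yaml
+++ b/opencloud/templates/oc-auth/service.yaml
@@ -0,0 +1,17 @@
+{{- if index .Values.ocAuth.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: oc-auth-svc
+  labels:
+    app: oc-auth-svc
+spec:
+  ports:
+  - name: http
+    port: 8094
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: oc-auth
+  type: ClusterIP
+{{- end }}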
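Review bot: `targetPort: 8080` does not agree with the oc-auth container, which declares `containerPort: 80` in deployment.yaml, so either that declaration or this targetPort is wrong and traffic arriving from the IngressRoute on port 8094 will be refused; the forward-auth Middleware meanwhile calls `oc-auth-svc.<namespace>:8080`, a port this Service does not expose at all. Pick the port the process actually listens on and use it consistently for `containerPort`, `targetPort` and the Middleware address. The Service name `oc-auth-svc` lacks the `{{ .Release.Name }}` prefix the Deployment uses, so a second release in the namespace would claim the same Service, and the `app: oc-auth` selector would then span both releases' pods.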
| @@ -0,0 +1,8 @@ | ||||
| apiVersion: traefik.io/v1alpha1 | ||||
| kind: Middleware | ||||
| metadata: | ||||
|   name: forward-auth | ||||
| spec: | ||||
|   forwardAuth: | ||||
|     address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward" | ||||
|     trustForwardHeader: true | ||||
|   | ||||
							
								
								
									
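--- a/upgrade_development.sh
+++ b/upgrade_development.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+RELEASE_NAME=dev
+RELEASE_NAMESPACE=dev
+
+helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml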
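Review bot: `--create-namespace` only takes effect when `helm upgrade` is run with `--install`, so on this plain `helm upgrade` it is a silent no-op; either drop the flag or add `--install` so the script also works against a fresh cluster. The expansions are unquoted; `"${RELEASE_NAME}"` / `"${RELEASE_NAMESPACE}"` is the usual defensive form if these are ever overridden from the environment.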