plm/oc-k8s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'oryhydra' into main

Browse Source
This commit is contained in:
plm 2024-12-02 13:30:28 +01:00
commit 519fb80ee7
40 changed files with 3184 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
opencloud/Chart.yaml
View File

@ -5,7 +5,7 @@ type: application
version: 0.0.1
appVersion: "0.0.1"
# TODO: ldap, mongo, mongo-express, ory hydra, keto
# TODO: ldap, ory hydra, keto
dependencies:
- name: openldap-stack-ha
version: "4.3.1"
@ -26,4 +26,8 @@ dependencies:
- name: mongo-express
version: "6.5.2"
repository: "https://cowboysysop.github.io/charts/"
condition: mongo-express.enabled
condition: mongo-express.enabled
- name: hydra
version: "0.50.2"
repository: "https://k8s.ory.sh/helm/charts"
condition: hydra.enabled

23
opencloud/charts/hydra/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
*.txt

9
opencloud/charts/hydra/Chart.lock Normal file
View File

@ -0,0 +1,9 @@
dependencies:
- name: ory-commons
repository: file://../ory-commons
version: 0.1.0
- name: hydra-maester
repository: file://../hydra-maester
version: 0.50.2
digest: sha256:f39e4a74150060c63515886f4905dce57e1a90419e5a5c530684f1a363686cda
generated: "2024-11-28T10:30:15.53366383Z"

33
opencloud/charts/hydra/Chart.yaml Normal file
View File

@ -0,0 +1,33 @@
apiVersion: v2
appVersion: v2.2.0
dependencies:
- alias: ory
name: ory-commons
repository: file://../ory-commons
version: 0.1.0
- alias: hydra-maester
condition: maester.enabled
name: hydra-maester
repository: file://../hydra-maester
version: 0.50.2
description: A Helm chart for deploying ORY Hydra in Kubernetes
home: https://www.ory.sh/
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
keywords:
- oauth2
- openid-connect
- openid
- oidc
- op
- api-security
- security
maintainers:
- email: hi@ory.sh
name: ORY Team
url: https://www.ory.sh/
name: hydra
sources:
- https://github.com/ory/hydra
- https://github.com/ory/k8s
type: application
version: 0.50.2

206
opencloud/charts/hydra/README.md Normal file
View File

@ -0,0 +1,206 @@
# hydra
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square)
A Helm chart for deploying ORY Hydra in Kubernetes
**Homepage:** <https://www.ory.sh/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| ORY Team | <hi@ory.sh> | <https://www.ory.sh/> |
## Source Code
* <https://github.com/ory/hydra>
* <https://github.com/ory/k8s>
## Requirements
| Repository | Name | Version |
|------------|------|---------|
| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.1 |
| file://../ory-commons | ory(ory-commons) | 0.1.0 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| cronjob.janitor.affinity | object | `{}` | Configure node affinity |
| cronjob.janitor.annotations | object | `{}` | Set custom cron job level annotations |
| cronjob.janitor.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
| cronjob.janitor.customArgs | list | `[]` | Configure the arguments of the entrypoint, overriding the default value |
| cronjob.janitor.customCommand | list | `[]` | Configure a custom entrypoint, overriding the default value |
| cronjob.janitor.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| cronjob.janitor.extraEnv | list | `[]` | Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| cronjob.janitor.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. |
| cronjob.janitor.extraVolumeMounts | list | `[]` | |
| cronjob.janitor.extraVolumes | list | `[]` | If you want to mount external volume |
| cronjob.janitor.labels | object | `{}` | Set custom cron job level labels |
| cronjob.janitor.nodeSelector | object | `{}` | Configure node labels for pod assignment |
| cronjob.janitor.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| cronjob.janitor.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| cronjob.janitor.podMetadata.labels | object | `{}` | Extra pod level labels |
| cronjob.janitor.podSecurityContext | object | `{}` | |
| cronjob.janitor.resources | object | `{"limits":{},"requests":{}}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi |
| cronjob.janitor.schedule | string | `"0 */1 * * *"` | Configure how often the cron job is ran |
| cronjob.janitor.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100}` | Configure the containers' SecurityContext for the janitor cronjob |
| cronjob.janitor.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| cronjob.janitor.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
| cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| cronjob.janitor.tolerations | list | `[]` | Configure node tolerations |
| deployment.annotations | object | `{}` | Set custom deployment level annotations |
| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.automountServiceAccountToken | bool | `false` | |
| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":3,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure HPA |
| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
| deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
| deployment.customReadinessProbe | object | `{}` | Configure a custom readinessProbe. This overwrites the default object |
| deployment.customStartupProbe | object | `{}` | Configure a custom startupProbe. This overwrites the default object |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| deployment.extraEnv | list | `[]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. |
| deployment.extraVolumeMounts | list | `[]` | |
| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
| deployment.initContainerSecurityContext | object | `{}` | |
| deployment.labels | object | `{}` | Set custom deployment level labels |
| deployment.lifecycle | object | `{}` | |
| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. |
| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
| deployment.podSecurityContext.fsGroup | int | `65534` | |
| deployment.podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| deployment.podSecurityContext.runAsGroup | int | `65534` | |
| deployment.podSecurityContext.runAsNonRoot | bool | `true` | |
| deployment.podSecurityContext.runAsUser | int | `65534` | |
| deployment.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.readinessProbe | object | `{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10}` | Default probe timers |
| deployment.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi |
| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| deployment.securityContext.privileged | bool | `false` | |
| deployment.securityContext.readOnlyRootFilesystem | bool | `true` | |
| deployment.securityContext.runAsGroup | int | `65534` | |
| deployment.securityContext.runAsNonRoot | bool | `true` | |
| deployment.securityContext.runAsUser | int | `65534` | |
| deployment.securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| deployment.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| deployment.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":0,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}` | Default probe timers |
| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | |
| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
| deployment.strategy.type | string | `"RollingUpdate"` | |
| deployment.terminationGracePeriodSeconds | int | `60` | |
| deployment.tolerations | list | `[]` | Configure node tolerations. |
| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
| fullnameOverride | string | `""` | Full chart name override |
| hydra-maester.adminService.name | string | `""` | The service name value may need to be set if you use `fullnameOverride` for the parent chart |
| hydra.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - kratos |
| hydra.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) |
| hydra.automigration.enabled | bool | `false` | |
| hydra.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer |
| hydra.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job |
| hydra.command | list | `["hydra"]` | Ability to override the entrypoint of hydra container (e.g. to source dynamic secrets or export environment dynamic variables) |
| hydra.config | object | `{"secrets":{},"serve":{"admin":{"port":4445},"public":{"port":4444},"tls":{"allow_termination_from":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]}},"urls":{"self":{}}}` | The ORY Hydra configuration. For a full list of available settings, check: https://www.ory.sh/docs/hydra/reference/configuration |
| hydra.config.secrets | object | `{}` | The secrets have to be provided as a string slice, example: system: - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa" - "foo bar 123 456 lorem" - "foo bar 123 456 lorem 1" - "foo bar 123 456 lorem 2" - "foo bar 123 456 lorem 3" |
| hydra.config.urls | object | `{"self":{}}` | Configure the urls used by hydra itself, such as the issuer. Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart self: issuer: "https://public.hydra.localhost:4444/" |
| hydra.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
| hydra.dev | bool | `false` | Enable dev mode, not secure in production environments |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"oryd/hydra"` | ORY Hydra image |
| image.tag | string | `"v2.2.0"` | ORY Hydra version |
| imagePullSecrets | list | `[]` | Image pull secrets |
| ingress.admin.annotations | object | `{}` | |
| ingress.admin.className | string | `""` | |
| ingress.admin.enabled | bool | `false` | En-/Disable the api ingress. |
| ingress.admin.hosts[0].host | string | `"admin.hydra.localhost"` | |
| ingress.admin.hosts[0].paths[0].path | string | `"/"` | |
| ingress.admin.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| ingress.public | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"public.hydra.localhost","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]}` | Configure ingress for the proxy port. |
| ingress.public.enabled | bool | `false` | En-/Disable the proxy ingress. |
| janitor.batchSize | int | `100` | Configure how many records are deleted with each iteration |
| janitor.cleanupGrants | bool | `false` | Configure if the trust relationships must be cleaned up |
| janitor.cleanupRequests | bool | `false` | Configure if the consent and authentication requests must be cleaned up |
| janitor.cleanupTokens | bool | `false` | Configure if the access and refresh tokens must be cleaned up |
| janitor.enabled | bool | `false` | Enable cleanup of stale database rows by periodically running the janitor command |
| janitor.limit | int | `10000` | Configure how many records are retrieved from database for deletion |
| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
| job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| job.extraInitContainers | string | `""` | If you want to add extra init containers. extraInitContainers: | - name: ... image: ... |
| job.labels | object | `{}` | Set custom deployment level labels |
| job.lifecycle | string | `""` | If you want to add lifecycle hooks. |
| job.nodeSelector | object | `{}` | Node labels for pod assignment. |
| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| job.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| job.podMetadata.labels | object | `{}` | Extra pod level labels |
| job.resources | object | `{}` | resource requests and limits for the automigration job |
| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
| job.spec.backoffLimit | int | `10` | Set job back off limit |
| job.tolerations | list | `[]` | Configure node tolerations. |
| maester.enabled | bool | `true` | |
| nameOverride | string | `""` | |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |
| pdb.spec.minAvailable | string | `""` | |
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of ORY Hydra members |
| secret.enabled | bool | `true` | switch to false to prevent creating the secret |
| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
| service.admin | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","metricsPath":"/admin/metrics/prometheus","name":"http","port":4445,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. |
| service.admin.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| service.admin.enabled | bool | `true` | En-/disable the service |
| service.admin.loadBalancerIP | string | `""` | The load balancer IP |
| service.admin.metricsPath | string | `"/admin/metrics/prometheus"` | Path to the metrics endpoint |
| service.admin.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
| service.admin.port | int | `4445` | The service port |
| service.admin.type | string | `"ClusterIP"` | The service type |
| service.public | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","name":"http","port":4444,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. |
| service.public.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| service.public.enabled | bool | `true` | En-/disable the service |
| service.public.loadBalancerIP | string | `""` | The load balancer IP |
| service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
| service.public.port | int | `4444` | The service port |
| service.public.type | string | `"ClusterIP"` | The service type |
| serviceMonitor.enabled | bool | `false` | switch to true to enable creating the ServiceMonitor |
| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended |
| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
| test.labels | object | `{}` | Provide additional labels to the test pod |
| watcher.automountServiceAccountToken | bool | `true` | |
| watcher.enabled | bool | `false` | |
| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` | |
| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
| watcher.podSecurityContext | object | `{}` | pod securityContext for watcher deployment |
| watcher.resources | object | `{}` | |
| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| watcher.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}}` | container securityContext for watcher deployment |
| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

21
opencloud/charts/hydra/charts/hydra-maester/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

7
opencloud/charts/hydra/charts/hydra-maester/Chart.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: v2
appVersion: v0.0.34
description: A Helm chart for Kubernetes
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
name: hydra-maester
type: application
version: 0.50.2

66
opencloud/charts/hydra/charts/hydra-maester/README.md Normal file
View File

@ -0,0 +1,66 @@
# hydra-maester
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.34](https://img.shields.io/badge/AppVersion-v0.0.34-informational?style=flat-square)
A Helm chart for Kubernetes
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| adminService.endpoint | string | `"/admin/clients"` | Set the clients endpoint, should be `/clients` for Hydra 1.x and `/admin/clients` for Hydra 2.x |
| adminService.insecureSkipVerify | bool | `false` | Skip http client insecure verification |
| adminService.name | string | `nil` | Service name |
| adminService.port | int | `4445` | Service port |
| adminService.scheme | string | `"http"` | Scheme used by Hydra client endpoint. May be "http" or "https" |
| adminService.tlsTrustStorePath | string | `""` | TLS ca-cert path for hydra client |
| affinity | object | `{}` | Configure node affinity |
| deployment.args | object | `{"syncPeriod":""}` | Arguments to be passed to the program |
| deployment.args.syncPeriod | string | `""` | The minimum frequency at which watched resources are reconciled |
| deployment.automountServiceAccountToken | bool | `true` | This applications connects to the k8s API and requires the permissions |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraAnnotations | object | `{}` | Deployment level extra annotations |
| deployment.extraLabels | object | `{}` | Deployment level extra labels |
| deployment.extraVolumeMounts | list | `[]` | |
| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. |
| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
| deployment.podSecurityContext.fsGroup | int | `65534` | |
| deployment.podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| deployment.podSecurityContext.runAsGroup | int | `65534` | |
| deployment.podSecurityContext.runAsNonRoot | bool | `true` | |
| deployment.podSecurityContext.runAsUser | int | `65534` | |
| deployment.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.resources | object | `{}` | |
| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| deployment.securityContext.privileged | bool | `false` | |
| deployment.securityContext.readOnlyRootFilesystem | bool | `true` | |
| deployment.securityContext.runAsGroup | int | `65534` | |
| deployment.securityContext.runAsNonRoot | bool | `true` | |
| deployment.securityContext.runAsUser | int | `65534` | |
| deployment.securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.serviceAccount | object | `{"annotations":{}}` | Configure service account |
| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| deployment.terminationGracePeriodSeconds | int | `60` | |
| deployment.tolerations | list | `[]` | Configure node tolerations. |
| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
| enabledNamespaces | list | `[]` | The Controller have CREATE and READ access to all Secrets in the namespaces listed below. |
| forwardedProto | string | `nil` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image |
| image.tag | string | `"v0.0.35-amd64"` | Ory Hydra-maester version |
| imagePullSecrets | list | `[]` | Image pull secrets |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |
| pdb.spec.minAvailable | string | `""` | |
| priorityClassName | string | `""` | Pod priority # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of replicas in deployment |
| revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| singleNamespaceMode | bool | `false` | Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

357
opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml Normal file
View File

@ -0,0 +1,357 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
name: oauth2clients.hydra.ory.sh
spec:
group: hydra.ory.sh
names:
kind: OAuth2Client
listKind: OAuth2ClientList
plural: oauth2clients
singular: oauth2client
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API
properties:
apiVersion:
description:
"APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More
info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
type: string
kind:
description:
"Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the
client submits requests to. Cannot be updated. In CamelCase.
More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description:
OAuth2ClientSpec defines the desired state of OAuth2Client
properties:
allowedCorsOrigins:
description:
AllowedCorsOrigins is an array of allowed CORS origins
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
audience:
description:
Audience is a whitelist defining the audiences this client
is allowed to request tokens for
items:
type: string
type: array
backChannelLogoutSessionRequired:
default: false
description:
BackChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that a sid (session ID) Claim be
included in the Logout Token to identify the RP session with
the OP when the backchannel_logout_uri is used. If omitted,
the default value is false.
type: boolean
backChannelLogoutURI:
description:
BackChannelLogoutURI RP URL that will cause the RP to log
itself out when sent a Logout Token by the OP
pattern: (^$|^https?://.*)
type: string
clientName:
description:
ClientName is the human-readable string name of the client
to be presented to the end-user during authorization.
type: string
frontChannelLogoutSessionRequired:
default: false
description:
FrontChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that iss (issuer) and sid (session
ID) query parameters be included to identify the RP session
with the OP when the frontchannel_logout_uri is used
type: boolean
frontChannelLogoutURI:
description:
FrontChannelLogoutURI RP URL that will cause the RP to log
itself out when rendered in an iframe by the OP. An iss
(issuer) query parameter and a sid (session ID) query
parameter MAY be included by the OP to enable the RP to
validate the request and to determine which of the
potentially multiple sessions is to be logged out; if either
is included, both MUST be
pattern: (^$|^https?://.*)
type: string
grantTypes:
description:
GrantTypes is an array of grant types the client is allowed
to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description:
HydraAdmin is the optional configuration to use for managing
this client
properties:
endpoint:
description:
Endpoint is the endpoint for the hydra instance on which
to set up the client. This value will override the value
provided to `--endpoint` (defaults to `"/clients"` in
the application)
pattern: (^$|^/.*)
type: string
forwardedProto:
description:
ForwardedProto overrides the `--forwarded-proto` flag.
The value "off" will force this to be off even if
`--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description:
Port is the port for the hydra instance on which to set
up the client. This value will override the value
provided to `--hydra-port`
maximum: 65535
type: integer
url:
description:
URL is the URL for the hydra instance on which to set up
the client. This value will override the value provided
to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
jwksUri:
description:
JwksUri Define the URL where the JSON Web Key Set should be
fetched from when performing the private_key_jwt client
authentication method.
pattern: (^$|^https?://.*)
type: string
metadata:
description: Metadata is arbitrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description:
PostLogoutRedirectURIs is an array of the post logout
redirect URIs allowed for the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
redirectUris:
description:
RedirectURIs is an array of the redirect URIs allowed for
the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description:
ResponseTypes is an array of the OAuth 2.0 response type
strings that the client can use at the authorization
endpoint.
items:
description:
ResponseType represents an OAuth 2.0 response type strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description:
Scope is a string containing a space-separated list of scope
values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
that the client can use when requesting access tokens.
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
secretName:
description:
SecretName points to the K8s secret that contains this
client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
skipConsent:
default: false
description:
SkipConsent skips the consent screen for this client.
type: boolean
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description:
Indication which authentication method shoud be used for the
token endpoint
type: string
tokenLifespans:
description: Configuration about token lifespans.
properties:
authorization_code_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
authorization_code grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_id_token_lifespan:
description:
The lifespan of the id token issued during
authorization_code grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_refresh_token_lifespan:
description:
The lifespan of the refresh token issued during
authorization_code grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
client_credentials_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
client_credentials grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_access_token_lifespan:
description:
The lifespan of the access token issued during implicit
grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_id_token_lifespan:
description:
The lifespan of the id token issued during implicit
grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
jwt_bearer_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
jwt_bearer grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
refresh_token grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_id_token_lifespan:
description:
The lifespan of the id token issued during refresh_token
grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_refresh_token_lifespan:
description:
The lifespan of the refresh token issued during
refresh_token grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
type: object
required:
- grantTypes
- scope
- secretName
type: object
status:
description:
OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
conditions:
items:
description:
OAuth2ClientCondition contains condition information for
an OAuth2Client
properties:
status:
enum:
- "True"
- "False"
- Unknown
type: string
type:
type: string
required:
- status
- type
type: object
type: array
observedGeneration:
description:
ObservedGeneration represents the most recent generation
observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description:
ReconciliationError represents an error that occurred during
the reconciliation process
properties:
description:
description:
Description is the description of the reconciliation
error
type: string
statusCode:
description:
Code is the status code of the reconciliation error
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

59
opencloud/charts/hydra/charts/hydra-maester/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,59 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "hydra-maester.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "hydra-maester.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "hydra-maester.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "hydra-maester.labels" -}}
app.kubernetes.io/name: {{ include "hydra-maester.name" . }}
helm.sh/chart: {{ include "hydra-maester.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Get Hydra admin service name
*/}}
{{- define "hydra-maester.adminService" -}}
{{- if .Values.hydraFullnameOverride -}}
{{- printf "%s-admin" .Values.hydraFullnameOverride -}}
{{- else if contains "hydra" .Release.Name -}}
{{- printf "%s-admin" .Release.Name -}}
{{- else -}}
{{- printf "%s-%s-admin" .Release.Name "hydra" -}}
{{- end -}}
{{- end -}}

119
opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml Normal file
View File

@ -0,0 +1,119 @@
{{- if and (ne .Values.adminService.scheme "http") (ne .Values.adminService.scheme "https") -}}
{{ fail "invalid scheme: must be http or https" }}
{{- end -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra-maester.fullname" . }}
labels:
{{- include "hydra-maester.labels" . | nindent 4 }}
{{- with .Values.deployment.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.deployment.extraAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /manager
args:
- --metrics-addr=127.0.0.1:8080
- --hydra-url={{ required "scheme is required" .Values.adminService.scheme }}://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
- --hydra-port={{ required "port must be set and non-empty" .Values.adminService.port }}
{{- with .Values.adminService.endpoint }}
- --endpoint={{ . }}
{{- end }}
{{- if .Values.forwardedProto }}
- --forwarded-proto={{ .Values.forwardedProto }}
{{- end }}
{{- if .Values.singleNamespaceMode }}
- --namespace={{ .Release.Namespace }}
{{- end }}
{{- if .Values.deployment.args.syncPeriod }}
- --sync-period={{ .Values.deployment.args.syncPeriod }}
{{- end }}
{{- if .Values.adminService.insecureSkipVerify }}
- --insecure-skip-verify={{ .Values.adminService.insecureSkipVerify }}
{{- end}}
{{- if .Values.adminService.tlsTrustStorePath }}
- --tls-trust-store={{ .Values.adminService.tlsTrustStorePath }}
{{- end }}
volumeMounts:
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.deployment.resources | nindent 12 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
{{- if .Values.deployment.securityContext }}
securityContext:
{{- toYaml .Values.deployment.securityContext | nindent 12 }}
{{- end }}
serviceAccountName: {{ include "hydra-maester.fullname" . }}-account
automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
nodeSelector:
{{- with .Values.deployment.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}

19
opencloud/charts/hydra/charts/hydra-maester/templates/pdb.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "hydra-maester.fullname" . }}
spec:
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}

95
opencloud/charts/hydra/charts/hydra-maester/templates/rbac.yaml Normal file
View File

@ -0,0 +1,95 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra-maester.fullname" . }}-account
namespace: {{ .Release.Namespace }}
labels:
{{- include "hydra-maester.labels" . | nindent 4 }}
{{- with .Values.deployment.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if not .Values.singleNamespaceMode }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role
rules:
- apiGroups: ["hydra.ory.sh"]
resources: ["oauth2clients", "oauth2clients/status"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "watch", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role-binding
subjects:
- kind: ServiceAccount
name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "hydra-maester.fullname" . }}-role
{{- end }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create"]
- apiGroups: ["hydra.ory.sh"]
resources: ["oauth2clients", "oauth2clients/status"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role-binding
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "hydra-maester.fullname" . }}-role
{{- $name := include "hydra-maester.fullname" . -}}
{{- $namespace := .Release.Namespace -}}
{{- range .Values.enabledNamespaces }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $name }}-role
namespace: {{ . }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $name }}-role-binding
namespace: {{ . }}
subjects:
- kind: ServiceAccount
name: {{ $name }}-account # Service account assigned to the controller pod.
namespace: {{ $namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}-role
{{- end }}

156
opencloud/charts/hydra/charts/hydra-maester/values.yaml Normal file
View File

@ -0,0 +1,156 @@
# -- Number of replicas in deployment
replicaCount: 1
# -- Number of revisions kept in history
revisionHistoryLimit: 5
# -- The Controller have CREATE and READ access to all Secrets in the namespaces listed below.
enabledNamespaces: []
# -- Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others
singleNamespaceMode: false
image:
# -- Ory Hydra-maester image
repository: oryd/hydra-maester
# -- Ory Hydra-maester version
tag: v0.0.35-amd64
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# -- Pod priority
## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## -- Connection data to admin service of Hydra
adminService:
# -- Service name
name:
# -- Service port
port: 4445
# -- Set the clients endpoint, should be `/clients` for Hydra 1.x and
# `/admin/clients` for Hydra 2.x
endpoint: /admin/clients
# -- Scheme used by Hydra client endpoint. May be "http" or "https"
scheme: http
# -- TLS ca-cert path for hydra client
tlsTrustStorePath: ""
# -- Skip http client insecure verification
insecureSkipVerify: false
forwardedProto:
## -- Deployment specific config
deployment:
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 30Mi
# requests:
# cpu: 100m
# memory: 20Mi
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
## -- pod securityContext
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
runAsUser: 65534
fsGroup: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
## -- container securityContext
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
allowPrivilegeEscalation: false
privileged: false
seLinuxOptions:
level: "s0:c123,c456"
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# foo: bar
# -- Configure node tolerations.
tolerations: []
# -- Deployment level extra annotations
extraAnnotations: {}
# -- Deployment level extra labels
extraLabels: {}
# -- Configure pod topologySpreadConstraints.
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: hydra
# app.kubernetes.io/instance: hydra
# -- Configure pod dnsConfig.
dnsConfig: {}
# options:
# - name: "ndots"
# value: "1"
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# https://github.com/kubernetes/kubernetes/issues/57601
# -- This applications connects to the k8s API and requires the permissions
automountServiceAccountToken: true
terminationGracePeriodSeconds: 60
# -- Arguments to be passed to the program
args:
# -- The minimum frequency at which watched resources are reconciled
syncPeriod: ""
# syncPeriod: 10h
# -- Configure service account
serviceAccount:
# -- Annotations to add to the service account
annotations: {}
# -- Configure node affinity
affinity: {}
## -- PodDistributionBudget configuration
pdb:
enabled: false
spec:
minAvailable: ""
maxUnavailable: ""

23
opencloud/charts/hydra/charts/ory-commons/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
opencloud/charts/hydra/charts/ory-commons/Chart.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 0.0.0
description: 'Collection of helper function for the Ory Helm environment '
name: ory-commons
type: library
version: 0.1.0

12
opencloud/charts/hydra/charts/ory-commons/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,12 @@
{{/*
Check if list contains object
*/}}
{{- define "ory.extraEnvContainsEnvName" -}}
{{- $extraEnvs := index . 0 -}}
{{- $envName := index . 1 -}}
{{- range $k, $v := $extraEnvs -}}
{{- if eq $v.name $envName -}}
found
{{- end -}}
{{- end -}}
{{- end -}}

17
opencloud/charts/hydra/files/watch.sh Normal file
View File

@ -0,0 +1,17 @@
set -Eeuo pipefail
set -x
function rollOut() {
DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
kubectl rollout status -n $NAMESPACE ${DEPLOY}
}
while true; do
# After change in the CM the symlink is recreated, so we need to restart the monitor
inotifywait --event DELETE_SELF "${WATCH_FILE}" |
while read path _ file; do
echo "---> $path$file modified"
rollOut "${LABEL_SELECTOR}"
done
done

229
opencloud/charts/hydra/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,229 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "hydra.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "hydra.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "hydra.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Ensure there is always a way to track down source of the deployment.
It is unlikely AppVersion will be missing, but we will fallback on the
chart's version in that case.
*/}}
{{- define "hydra.version" -}}
{{- if .Chart.AppVersion }}
{{- .Chart.AppVersion -}}
{{- else -}}
{{- printf "v%s" .Chart.Version -}}
{{- end -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "hydra.labels" -}}
"app.kubernetes.io/name": {{ include "hydra.name" . | quote }}
"app.kubernetes.io/instance": {{ .Release.Name | quote }}
"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
"helm.sh/chart": {{ include "hydra.chart" . | quote }}
{{- if $.Values.watcher.enabled }}
{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "hydra.name" .) }}
{{- end }}
{{- end -}}
{{/*
Generate the dsn value
*/}}
{{- define "hydra.dsn" -}}
{{- if .Values.demo -}}
memory
{{- else if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
dsn-loaded-from-env
{{- else if not (empty (.Values.hydra.config.dsn)) -}}
{{- .Values.hydra.config.dsn }}
{{- end -}}
{{- end -}}
{{/*
Generate the name of the secret resource containing secrets
*/}}
{{- define "hydra.secretname" -}}
{{- if .Values.secret.nameOverride -}}
{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ include "hydra.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Generate the secrets.system value
*/}}
{{- define "hydra.secrets.system" -}}
{{- if (.Values.hydra.config.secrets).system -}}
{{- if kindIs "slice" .Values.hydra.config.secrets.system -}}
{{- if gt (len .Values.hydra.config.secrets.system) 1 -}}
"{{- join "\",\"" .Values.hydra.config.secrets.system -}}"
{{- else -}}
{{- join "" .Values.hydra.config.secrets.system -}}
{{- end -}}
{{- else -}}
{{- fail "Expected hydra.config.secrets.system to be a list of strings" -}}
{{- end -}}
{{- else if .Values.demo -}}
a-very-insecure-secret-for-checking-out-the-demo
{{- end -}}
{{- end -}}
{{/*
Generate the secrets.cookie value
*/}}
{{- define "hydra.secrets.cookie" -}}
{{- if (.Values.hydra.config.secrets).cookie -}}
{{- if kindIs "slice" .Values.hydra.config.secrets.cookie -}}
{{- if gt (len .Values.hydra.config.secrets.cookie) 1 -}}
"{{- join "\",\"" .Values.hydra.config.secrets.cookie -}}"
{{- else -}}
{{- join "" .Values.hydra.config.secrets.cookie -}}
{{- end -}}
{{- else -}}
{{- fail "Expected hydra.config.secrets.cookie to be a list of strings" -}}
{{- end -}}
{{- else -}}
{{- include "hydra.secrets.system" . }}
{{- end -}}
{{- end -}}
{{/*
Generate the configmap data, redacting secrets
*/}}
{{- define "hydra.configmap" -}}
{{- $config := omit .Values.hydra.config "dsn" "secrets" -}}
{{- tpl (toYaml $config) . -}}
{{- end -}}
{{/*
Generate the urls.issuer value
*/}}
{{- define "hydra.config.urls.issuer" -}}
{{- if .Values.hydra.config.urls.self.issuer -}}
{{- .Values.hydra.config.urls.self.issuer }}
{{- else if .Values.ingress.public.enabled -}}
{{- $host := index .Values.ingress.public.hosts 0 -}}
http{{ if $.Values.ingress.public.tls }}s{{ end }}://{{ $host.host }}
{{- else if contains "ClusterIP" .Values.service.public.type -}}
http://127.0.0.1:{{ .Values.service.public.port }}/
{{- end -}}
{{- end -}}
{{/*
Check overrides consistency
*/}}
{{- define "hydra.check.override.consistency" -}}
{{- if and .Values.maester.enabled .Values.fullnameOverride -}}
{{- if not .Values.maester.hydraFullnameOverride -}}
{{ fail "hydra fullname has been overridden, but the new value has not been provided to maester. Set maester.hydraFullnameOverride" }}
{{- else if not (eq .Values.maester.hydraFullnameOverride .Values.fullnameOverride) -}}
{{ fail (tpl "hydra fullname has been overridden, but a different value was provided to maester. {{ .Values.maester.hydraFullnameOverride }} different of {{ .Values.fullnameOverride }}" . ) }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "hydra.utils.joinListWithComma" -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "hydra.serviceAccountName" -}}
{{- if .Values.deployment.serviceAccount.create }}
{{- default (include "hydra.fullname" .) .Values.deployment.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.deployment.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "hydra.job.serviceAccountName" -}}
{{- if .Values.job.serviceAccount.create }}
{{- printf "%s-job" (default (include "hydra.fullname" .) .Values.job.serviceAccount.name) }}
{{- else }}
{{- include "hydra.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "hydra.cronjob.janitor.serviceAccountName" -}}
{{- if .Values.cronjob.janitor.serviceAccount.create }}
{{- printf "%s-cronjob-janitor" (default (include "hydra.fullname" .) .Values.cronjob.janitor.serviceAccount.name) }}
{{- else }}
{{- include "hydra.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Checksum annotations generated from configmaps and secrets
*/}}
{{- define "hydra.annotations.checksum" -}}
{{- if .Values.configmap.hashSumEnabled }}
checksum/hydra-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
checksum/hydra-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{/*
Check the migration type value and fail if unexpected
*/}}
{{- define "hydra.automigration.typeVerification" -}}
{{- if and .Values.hydra.automigration.enabled .Values.hydra.automigration.type }}
{{- if and (ne .Values.hydra.automigration.type "initContainer") (ne .Values.hydra.automigration.type "job") }}
{{- fail "hydra.automigration.type must be either 'initContainer' or 'job'" -}}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels for the janitor cron job
*/}}
{{- define "hydra.janitor.labels" -}}
"app.kubernetes.io/name": {{ printf "%s-janitor" (include "hydra.name" .) | quote }}
"app.kubernetes.io/instance": {{ .Release.Name | quote }}
"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
"app.kubernetes.io/component": janitor
"helm.sh/chart": {{ include "hydra.chart" . | quote }}
{{- end -}}

18
opencloud/charts/hydra/templates/configmap-automigrate.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "hydra.fullname" . }}-migrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
data:
"hydra.yaml": |
{{- include "hydra.configmap" . | nindent 4 }}
{{- end }}

12
opencloud/charts/hydra/templates/configmap.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "hydra.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
data:
"hydra.yaml": |
{{- include "hydra.configmap" . | nindent 4 }}

77
opencloud/charts/hydra/templates/deployment-watcher.yaml Normal file
View File

@ -0,0 +1,77 @@
{{- if .Values.watcher.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.watcher.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.watcher.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
serviceAccountName: {{ include "hydra.serviceAccountName" . }}-watcher
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: watcher
{{- with .Values.watcher.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: {{ .Values.watcher.image }}
command:
- /bin/bash
- -c
- |
{{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
env:
- name: NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: WATCH_FILE
value: {{ .Values.watcher.mountFile | quote }}
- name: LABEL_SELECTOR
value: '{{ $.Values.watcher.watchLabelKey }}={{ include "hydra.name" . }}'
resources:
{{- toYaml .Values.watcher.resources | nindent 12 }}
volumeMounts:
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.watcher.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}

236
opencloud/charts/hydra/templates/deployment.yaml Normal file
View File

@ -0,0 +1,236 @@
{{- include "hydra.automigration.typeVerification" . -}}
{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.deployment.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
strategy:
{{- toYaml .Values.deployment.strategy | nindent 4 }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
{{- include "hydra.labels" . | nindent 8 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- include "hydra.annotations.checksum" . | nindent 8 -}}
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "hydra.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: {{- toYaml .Values.hydra.command | nindent 12 }}
{{- if .Values.hydra.customArgs }}
args: {{- toYaml .Values.hydra.customArgs | nindent 12 }}
{{- else }}
args:
- serve
- all
{{- if .Values.hydra.dev }}
- "--dev"
{{- end }}
- --config
- /etc/config/hydra.yaml
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: http-public
containerPort: {{ .Values.hydra.config.serve.public.port }}
protocol: TCP
- name: http-admin
containerPort: {{ .Values.hydra.config.serve.admin.port }}
protocol: TCP
{{- if .Values.deployment.customLivenessProbe }}
livenessProbe:
{{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
{{- end }}
readinessProbe:
{{- if .Values.deployment.customReadinessProbe }}
{{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/alive
port: {{ .Values.hydra.config.serve.admin.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.readinessProbe | nindent 12 }}
{{- end }}
startupProbe:
{{- if .Values.deployment.customStartupProbe }}
{{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/ready
port: {{ .Values.hydra.config.serve.admin.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.startupProbe | nindent 12 }}
{{- end }}
env:
{{- $issuer := include "hydra.config.urls.issuer" . -}}
{{- if $issuer }}
- name: URLS_SELF_ISSUER
value: {{ $issuer | quote }}
{{- end }}
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
- name: SECRETS_SYSTEM
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: secretsSystem
- name: SECRETS_COOKIE
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: secretsCookie
{{- if .Values.deployment.extraEnv }}
{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.deployment.resources | nindent 12 }}
{{- if .Values.deployment.securityContext }}
securityContext:
{{- toYaml .Values.deployment.securityContext | nindent 12 }}
{{- end }}
lifecycle:
{{- toYaml .Values.deployment.lifecycle | nindent 12 }}
{{- if .Values.deployment.extraContainers }}
{{- tpl .Values.deployment.extraContainers . | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.deployment.extraInitContainers }}
{{- tpl .Values.deployment.extraInitContainers . | nindent 8 }}
{{- end }}
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }}
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.hydra.automigration.customCommand }}
command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.hydra.automigration.customArgs }}
args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }}
{{- else }}
args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if $migrationExtraEnv }}
{{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
{{- end }}
{{- if .Values.hydra.automigration.resources }}
resources:
{{- toYaml .Values.hydra.automigration.resources | nindent 12 }}
{{- end }}
{{- with .Values.deployment.initContainerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- with .Values.deployment.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}

36
opencloud/charts/hydra/templates/hpa.yaml Normal file
View File

@ -0,0 +1,36 @@
{{- if .Values.deployment.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ include "hydra.fullname" . }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
spec:
{{- with .Values.deployment.autoscaling.behavior }}
behavior: {{- toYaml . | nindent 4 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "hydra.fullname" . }}
minReplicas: {{ .Values.deployment.autoscaling.minReplicas }}
maxReplicas: {{ .Values.deployment.autoscaling.maxReplicas }}
metrics:
{{- with .Values.deployment.autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.autoscaling.targetCPU}}
- type: Resource
resource:
name: cpu
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

54
opencloud/charts/hydra/templates/ingress-admin.yaml Normal file
View File

@ -0,0 +1,54 @@
{{- if .Values.ingress.admin.enabled -}}
{{- $fullName := include "hydra.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.ingress.admin.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.admin.className }}
{{- if .Values.ingress.admin.tls }}
tls:
{{- range .Values.ingress.admin.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.admin.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-admin
port:
name: {{ $.Values.service.admin.name }}
{{- else }}
serviceName: {{ $fullName }}-admin
servicePort: {{ $.Values.service.admin.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

54
opencloud/charts/hydra/templates/ingress-public.yaml Normal file
View File

@ -0,0 +1,54 @@
{{- if or .Values.ingress.public.enabled .Values.demo -}}
{{- $fullName := include "hydra.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-public
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.ingress.public.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.public.className }}
{{- if .Values.ingress.public.tls }}
tls:
{{- range .Values.ingress.public.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.public.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-public
port:
name: {{ $.Values.service.public.name }}
{{- else }}
serviceName: {{ $fullName }}-public
servicePort: {{ $.Values.service.public.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

17
opencloud/charts/hydra/templates/janitor-cron-job-rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.cronjob.janitor.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.cronjob.janitor.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}

137
opencloud/charts/hydra/templates/janitor-cron-job.yaml Normal file
View File

@ -0,0 +1,137 @@
{{- if .Values.janitor.enabled -}}
{{- $janitorExtraEnv := ternary .Values.cronjob.janitor.extraEnv .Values.deployment.extraEnv (not (empty .Values.cronjob.janitor.extraEnv )) -}}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ include "hydra.fullname" . }}-janitor
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.janitor.labels" . | nindent 4 }}
{{- with .Values.cronjob.janitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.cronjob.janitor.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.cronjob.janitor.schedule | quote }}
jobTemplate:
spec:
template:
metadata:
labels:
{{- include "hydra.janitor.labels" . | nindent 12 }}
{{- with .Values.cronjob.janitor.labels }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.podMetadata.labels }}
{{- toYaml . | nindent 12 }}
{{- end }}
annotations:
{{- include "hydra.annotations.checksum" . | nindent 12 -}}
{{- with .Values.cronjob.janitor.annotations }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with $.Values.cronjob.janitor.podMetadata.annotations }}
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
restartPolicy: OnFailure
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 12 }}
{{- end }}
serviceAccountName: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.cronjob.janitor.automountServiceAccountToken }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}
{{- if .Values.cronjob.janitor.extraVolumes }}
{{- toYaml .Values.cronjob.janitor.extraVolumes | nindent 12 }}
{{- end }}
containers:
- name: janitor
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.cronjob.janitor.securityContext }}
securityContext:
{{- toYaml . | nindent 16 }}
{{- end }}
{{- if .Values.cronjob.janitor.customCommand }}
command: {{- toYaml .Values.cronjob.janitor.customCommand | nindent 14 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.cronjob.janitor.customArgs }}
args: {{- toYaml .Values.cronjob.janitor.customArgs | nindent 14 }}
{{- else }}
args:
- janitor
{{- if .Values.janitor.cleanupGrants }}
- --grants
{{- end }}
{{- if .Values.janitor.cleanupRequests }}
- --requests
{{- end }}
{{- if .Values.janitor.cleanupTokens }}
- --tokens
{{- end }}
- --batch-size
- {{ .Values.janitor.batchSize | quote }}
- --limit
- {{ .Values.janitor.limit | quote }}
- --config
- /etc/config/hydra.yaml
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $janitorExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $janitorExtraEnv }}
{{- toYaml . | nindent 16 }}
{{- end }}
resources:
{{- toYaml .Values.cronjob.janitor.resources | nindent 16 }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.cronjob.janitor.extraVolumeMounts }}
{{- toYaml .Values.cronjob.janitor.extraVolumeMounts | nindent 16 }}
{{- end }}
{{- if .Values.cronjob.janitor.extraContainers }}
{{- tpl .Values.cronjob.janitor.extraContainers . | nindent 12 }}
{{- end }}
{{- if .Values.cronjob.janitor.extraInitContainers }}
initContainers:
{{- tpl .Values.cronjob.janitor.extraInitContainers . | nindent 10 }}
{{- end }}
{{- with .Values.cronjob.janitor.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.tolerations }}
tolerations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.affinity }}
affinity:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}

125
opencloud/charts/hydra/templates/job-migration.yaml Normal file
View File

@ -0,0 +1,125 @@
{{- include "hydra.automigration.typeVerification" . -}}
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
{{- $resources := ternary .Values.job.resources .Values.hydra.automigration.resources (not (empty .Values.job.resources)) -}}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "hydra.fullname" . }}-automigrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.job.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.fullname" . }}-automigrate
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.job.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "hydra.job.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
containers:
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.hydra.automigration.customCommand }}
command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 10 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.hydra.automigration.customArgs }}
args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 10 }}
{{- else }}
args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $migrationExtraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
lifecycle:
{{- if .Values.job.lifecycle }}
{{- tpl .Values.job.lifecycle . | nindent 10 }}
{{- end }}
{{- with .Values.deployment.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with $resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 10 }}
{{- end }}
{{- if .Values.job.extraContainers }}
{{- tpl .Values.job.extraContainers . | nindent 6 }}
{{- end }}
{{- if .Values.job.extraInitContainers }}
initContainers:
{{- tpl .Values.job.extraInitContainers . | nindent 8 }}
{{- end }}
restartPolicy: Never
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}-migrate
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
backoffLimit: {{ .Values.job.spec.backoffLimit }}
{{- end }}

17
opencloud/charts/hydra/templates/job-rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.job.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.job.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.job.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}

18
opencloud/charts/hydra/templates/pdb.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "hydra.fullname" . }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}

53
opencloud/charts/hydra/templates/rbac-watcher.yaml Normal file
View File

@ -0,0 +1,53 @@
{{- if .Values.watcher.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.serviceAccountName" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "hydra.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- list
- watch
- get
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- get
- list
- patch
- update
- watch
resourceNames:
- {{ include "hydra.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "hydra.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "hydra.fullname" . }}-watcher
subjects:
- kind: ServiceAccount
name: {{ include "hydra.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
{{- end }}

17
opencloud/charts/hydra/templates/rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.deployment.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.deployment.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end }}

21
opencloud/charts/hydra/templates/secrets.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if .Values.secret.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "hydra.secretname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
annotations:
{{- with .Values.secret.secretAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
data:
# Generate a random secret if the user doesn't give one. User given password has priority
secretsSystem: {{ ( include "hydra.secrets.system" . | default ( randAlphaNum 32 )) | required "Value secrets.system can not be empty!" | b64enc | quote }}
secretsCookie: {{ ( include "hydra.secrets.cookie" . | default ( randAlphaNum 32 )) | required "Value secrets.cookie can not be empty!" | b64enc | quote }}
dsn: {{ include "hydra.dsn" . | b64enc | quote }}
{{- end -}}

71
opencloud/charts/hydra/templates/service-admin.yaml Normal file
View File

@ -0,0 +1,71 @@
{{- if .Values.service.admin.enabled -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "hydra.fullname" . }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.service.admin.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: admin
annotations:
{{- with .Values.service.admin.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.admin.type }}
{{- if eq .Values.service.admin.type "LoadBalancer" }}
{{- with .Values.service.admin.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.admin.port }}
targetPort: http-admin
protocol: TCP
name: {{ .Values.service.admin.name }}
selector:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "hydra.fullname" . }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: admin
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.admin.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- path: {{ .Values.service.admin.metricsPath }}
port: {{ .Values.service.admin.name }}
scheme: {{ .Values.serviceMonitor.scheme }}
interval: {{ .Values.serviceMonitor.scrapeInterval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: admin
{{- end -}}
{{- end }}

33
opencloud/charts/hydra/templates/service-public.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if .Values.service.public.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "hydra.fullname" . }}-public
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.service.public.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.service.public.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.public.type }}
{{- if eq .Values.service.public.type "LoadBalancer" }}
{{- with .Values.service.public.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.public.port }}
targetPort: http-public
protocol: TCP
name: {{ .Values.service.public.name }}
selector:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

20
opencloud/charts/hydra/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "hydra.fullname" . }}-test-connection"
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.test.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: healthcheck-ready
image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
command: ['wget']
args: ['{{ include "hydra.fullname" . }}-admin:{{ .Values.service.admin.port }}/health/ready']
restartPolicy: Never

670
opencloud/charts/hydra/values.yaml Normal file
View File

@ -0,0 +1,670 @@
# -- Number of ORY Hydra members
replicaCount: 1
image:
# -- ORY Hydra image
repository: oryd/hydra
# -- ORY Hydra version
tag: v2.2.0
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# Chart name override
nameOverride: ""
# -- Full chart name override
fullnameOverride: ""
# -- Pod priority
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## -- Configures the Kubernetes service
service:
# -- Configures the Kubernetes service for the proxy port.
public:
# -- En-/disable the service
enabled: true
# -- The service type
type: ClusterIP
# -- The load balancer IP
loadBalancerIP: ""
# -- The service port
port: 4444
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
name: http
# -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. app: hydra
# -- Configures the Kubernetes service for the api port.
admin:
# -- En-/disable the service
enabled: true
# -- The service type
type: ClusterIP
# -- The load balancer IP
loadBalancerIP: ""
# -- The service port
port: 4445
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
name: http
# -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. app: hydra
# -- Path to the metrics endpoint
metricsPath: /admin/metrics/prometheus
## -- Secret management
secret:
# -- switch to false to prevent creating the secret
enabled: true
# -- Provide custom name of existing secret, or custom name of secret to be created
nameOverride: ""
# nameOverride: "myCustomSecret"
# -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
secretAnnotations:
# Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
# pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
helm.sh/resource-policy: "keep"
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
## -- Configure ingress
ingress:
# -- Configure ingress for the proxy port.
public:
# -- En-/Disable the proxy ingress.
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: public.hydra.localhost
paths:
- path: /
pathType: ImplementationSpecific
# tls: []
# hosts:
# - proxy.hydra.local
# - secretName: hydra-proxy-example-tls
admin:
# -- En-/Disable the api ingress.
enabled: false
className: ""
annotations: {}
# If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: admin.hydra.localhost
paths:
- path: /
pathType: ImplementationSpecific
# tls: []
# hosts:
# - api.hydra.local
# - secretName: hydra-api-example-tls
## -- Configure ORY Hydra itself
hydra:
# -- Ability to override the entrypoint of hydra container
# (e.g. to source dynamic secrets or export environment dynamic variables)
command: ["hydra"]
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
customArgs: []
# -- The ORY Hydra configuration. For a full list of available settings, check:
# https://www.ory.sh/docs/hydra/reference/configuration
config:
serve:
public:
port: 4444
admin:
port: 4445
tls:
allow_termination_from:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# -- The secrets have to be provided as a string slice, example:
# system:
# - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
# - "foo bar 123 456 lorem"
# - "foo bar 123 456 lorem 1"
# - "foo bar 123 456 lorem 2"
# - "foo bar 123 456 lorem 3"
secrets: {}
# -- Configure the urls used by hydra itself, such as the issuer.
# Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart
# self:
# issuer: "https://public.hydra.localhost:4444/"
urls:
self: {}
# -- Enables database migration
automigration:
enabled: false
# -- Configure the way to execute database migration. Possible values: job, initContainer
# When set to job, the migration will be executed as a job on release or upgrade.
# When set to initContainer, the migration will be executed when kratos pod is created
# Defaults to job
type: job
# -- Ability to override the entrypoint of the automigration container
# (e.g. to source dynamic secrets or export environment dynamic variables)
customCommand: []
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
# eg:
# - sleep 5;
# - kratos
customArgs: []
# -- resource requests and limits for the automigration initcontainer
resources: {}
# -- Enable dev mode, not secure in production environments
dev: false
## -- Deployment specific config
deployment:
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: "25%"
maxUnavailable: "25%"
# -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
# This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
resources: {}
## -- initContainer securityContext for hydra & migration init
initContainerSecurityContext: {}
## -- pod securityContext for hydra & migration init
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
runAsUser: 65534
fsGroup: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
## -- container securityContext for hydra & migration init
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
allowPrivilegeEscalation: false
privileged: false
seLinuxOptions:
level: "s0:c123,c456"
lifecycle: {}
# -- Set custom deployment level labels
labels: {}
# -- Set custom deployment level annotations
annotations: {}
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
# foo: bar
# -- Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm
# `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Parameters for the automigration initContainer
automigration:
# -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
# Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Configure node tolerations.
tolerations: []
# -- Configure pod topologySpreadConstraints.
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: hydra
# app.kubernetes.io/instance: hydra
# -- Configure pod dnsConfig.
dnsConfig: {}
# options:
# - name: "ndots"
# value: "1"
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
# For example, mount a secret containing Certificate root CA to verify database
# TLS connection.
# extraVolumes:
# - name: postgresql-tls
# secret:
# secretName: postgresql-root-ca
# extraVolumeMounts:
# - name: postgresql-tls
# mountPath: "/etc/postgresql-tls"
# readOnly: true
# -- Configure HPA
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 3
targetCPU: {}
# type: Utilization
# averageUtilization: 80
targetMemory: {}
# type: Utilization
# averageUtilization: 80
# -- Set custom behavior
# https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
behavior: {}
# -- Default probe timers
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 5
# -- Default probe timers
startupProbe:
failureThreshold: 5
successThreshold: 1
periodSeconds: 1
timeoutSeconds: 1
initialDelaySeconds: 0
automountServiceAccountToken: false
terminationGracePeriodSeconds: 60
# -- If you want to add extra init containers. These are processed before the migration init container.
extraInitContainers: ""
# extraInitContainers: |
# - name: ...
# image: ...
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- Configure a custom livenessProbe. This overwrites the default object
customLivenessProbe: {}
# -- Configure a custom readinessProbe. This overwrites the default object
customReadinessProbe: {}
# -- Configure a custom startupProbe. This overwrites the default object
customStartupProbe: {}
# -- Number of revisions kept in history
revisionHistoryLimit: 5
## -- Values for initialization job
job:
# -- If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations:
helm.sh/hook-weight: "1"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- Set custom deployment level labels
labels: {}
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
# is expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- If you want to add extra init containers.
# extraInitContainers: |
# - name: ...
# image: ...
extraInitContainers: ""
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
# foo: bar
# -- resource requests and limits for the automigration job
resources: {}
# -- Configure node tolerations.
tolerations: []
# -- If you want to add lifecycle hooks.
lifecycle: ""
# lifecycle: |
# preStop:
# exec:
# command: [...]
# -- Set automounting of the SA token
automountServiceAccountToken: true
# -- Set sharing process namespace
shareProcessNamespace: false
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
spec:
# -- Set job back off limit
backoffLimit: 10
## -- Configure node affinity
affinity: {}
## -- Configures controller setup
maester:
enabled: true
## -- Values for the hydra admin service arguments to hydra-maester
hydra-maester:
adminService:
# -- The service name value may need to be set if you use `fullnameOverride` for the parent chart
name: ""
# -- You only need to set this port if you change the value for `service.admin.port` in the parent chart
# port:
## -- Sidecar watcher configuration
watcher:
enabled: false
image: oryd/k8s-toolbox:v0.0.7
# -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo
mountFile: ""
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Label key used for managing applications
watchLabelKey: "ory.sh/watcher"
# -- Number of revisions kept in history
revisionHistoryLimit: 5
# -- pod securityContext for watcher deployment
podSecurityContext: {}
resources: {}
automountServiceAccountToken: true
# -- container securityContext for watcher deployment
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 100
allowPrivilegeEscalation: false
privileged: false
## -- Janitor cron job configuration
janitor:
# -- Enable cleanup of stale database rows by periodically running the janitor command
enabled: false
# -- Configure if the trust relationships must be cleaned up
cleanupGrants: false
# -- Configure if the consent and authentication requests must be cleaned up
cleanupRequests: false
# -- Configure if the access and refresh tokens must be cleaned up
cleanupTokens: false
# -- Configure how many records are deleted with each iteration
batchSize: 100
# -- Configure how many records are retrieved from database for deletion
limit: 10000
## -- CronJob configuration
cronjob:
janitor:
# -- Configure how often the cron job is ran
schedule: "0 */1 * * *"
# -- Configure a custom entrypoint, overriding the default value
customCommand: []
# -- Configure the arguments of the entrypoint, overriding the default value
customArgs: []
# -- Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes
# format is expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- If you want to add extra init containers. These are processed before the migration init container.
extraInitContainers: ""
# extraInitContainers: |
# - name: ...
# image: ...
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
# -- Set custom cron job level labels
labels: {}
# -- Set custom cron job level annotations
annotations: {}
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Configure node labels for pod assignment
nodeSelector: {}
# -- Configure node tolerations
tolerations: []
# -- Configure node affinity
affinity: {}
# -- Set automounting of the SA token
automountServiceAccountToken: true
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# -- Configure the containers' SecurityContext for the janitor cronjob
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 100
allowPrivilegeEscalation: false
privileged: false
## -- pod securityContext for the janitor cronjob
podSecurityContext: {}
# -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
# This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
resources:
limits: {}
requests: {}
## -- PodDistributionBudget configuration
pdb:
enabled: false
spec:
minAvailable: ""
maxUnavailable: ""
## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
# -- switch to true to enable creating the ServiceMonitor
enabled: false
# -- HTTP scheme to use for scraping.
scheme: http
# -- Interval at which metrics should be scraped
scrapeInterval: 60s
# -- Timeout after which the scrape is ended
scrapeTimeout: 30s
# -- Provide additionnal labels to the ServiceMonitor ressource metadata
labels: {}
# -- TLS configuration to use when scraping the endpoint
tlsConfig: {}
configmap:
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
test:
# -- Provide additional labels to the test pod
labels: {}
# -- use a busybox image from another repository
busybox:
repository: busybox
tag: 1

19
opencloud/dev-values.yaml
View File

@ -14,7 +14,6 @@ mongo-express:
mongodb:
enabled: false
#TODO PROVISIONING CUSTOM PVC
mongodb:
enabled: true
global:
@ -119,4 +118,20 @@ traefik:
entryPoints: [web]
ports:
web:
nodePort: 30950
nodePort: 30950
hydra:
enabled: true
maester:
enabled: false
hydra:
dev: true
config:
dsn: memory
urls:
login: http://localhost/auth/login
consent: http://localhost/auth/consent
logout: http://localhost/auth/logout
self:
issuer: http://localhost/auth

18
opencloud/templates/hydra.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if index .Values "mongo-express" "enabled" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: hydra-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-mongo-express
passHostHeader: true
port: 8081
{{- end }}