diff --git a/install_development.sh b/install_development.sh index 8cc80d3..94944ae 100755 --- a/install_development.sh +++ b/install_development.sh @@ -2,4 +2,4 @@ RELEASE_NAME=dev RELEASE_NAMESPACE=dev -helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace --install -f opencloud/dev-values.yaml +helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml diff --git a/opencloud/Chart.yaml b/opencloud/Chart.yaml index 27ecc88..236044c 100644 --- a/opencloud/Chart.yaml +++ b/opencloud/Chart.yaml @@ -5,7 +5,7 @@ type: application version: 0.0.1 appVersion: "0.0.1" -# TODO: ldap, ory hydra, keto +# TODO: ory hydra, keto dependencies: - name: openldap repository: https://jp-gouin.github.io/helm-openldap/ @@ -30,4 +30,8 @@ dependencies: - name: hydra version: "0.50.2" repository: "https://k8s.ory.sh/helm/charts" - condition: hydra.enabled \ No newline at end of file + condition: hydra.enabled +- name: keto + version: "0.50.2" + repository: "https://k8s.ory.sh/helm/charts" + condition: keto.enabled \ No newline at end of file diff --git a/opencloud/charts/keto/.helmignore b/opencloud/charts/keto/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/opencloud/charts/keto/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/opencloud/charts/keto/Chart.lock b/opencloud/charts/keto/Chart.lock new file mode 100644 index 0000000..d8092d3 --- /dev/null +++ b/opencloud/charts/keto/Chart.lock 
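Review bot: The new `helm install` line in install_development.sh is not re-runnable: once the `dev` release exists, a second run of the script fails with a name-already-in-use error, whereas the removed `upgrade --install` form was idempotent, so if a one-shot install is intended a comment saying so would save the next person a surprise. Independently of that, `${RELEASE_NAME}` and `${RELEASE_NAMESPACE}` remain unquoted; `helm install "${RELEASE_NAME}" opencloud -n "${RELEASE_NAMESPACE}" --create-namespace -f opencloud/dev-values.yaml` is the safe form. The script's first line (shebang and any `set -e`) is outside the hunk, so whether a failed install aborts the script cannot be judged here.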
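Review bot: The keto dependency added in the second opencloud/Chart.yaml hunk is pinned to `version: "0.50.2"` from the remote ory repository while the same commit vendors a copy under `opencloud/charts/keto`, and that copy's README badge reads `Version: 0.50.1` although its Chart.yaml says `0.50.2`; please confirm the vendored tree really is 0.50.2 and commit the matching parent Chart.lock, which does not appear in the visible part of this diff. `condition: keto.enabled` also needs a default for `keto.enabled` in the parent values, which is not visible here. The file still ends without a trailing newline (`\ No newline at end of file` on both sides); adding one after `condition: keto.enabled` keeps future dependency additions from producing this noisy hunk shape again.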
@@ -0,0 +1,6 @@
+dependencies:
+- name: ory-commons
+ repository: file://../ory-commons
+ version: 0.1.0
+digest: sha256:eec8978215334aad38275f0171681f1200220dccef4762ddeb197679fd287abb
+generated: "2024-06-11T14:47:42.552973+02:00"
diff --git a/opencloud/charts/keto/Chart.yaml b/opencloud/charts/keto/Chart.yaml
new file mode 100644
index 0000000..72ec1ee
--- /dev/null
+++ b/opencloud/charts/keto/Chart.yaml
@@ -0,0 +1,27 @@
+apiVersion: v2
+appVersion: v0.12.0
+dependencies:
+- alias: ory
+ name: ory-commons
+ repository: file://../ory-commons
+ version: 0.1.0
+description: Access Control Policies as a Server
+home: https://www.ory.sh/keto/
+icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-keto.svg
+keywords:
+- rbac
+- hrbac
+- acl
+- iam
+- api-security
+- security
+maintainers:
+- email: hi@ory.sh
+ name: ORY Team
+ url: https://www.ory.sh/
+name: keto
+sources:
+- https://github.com/ory/keto
+- https://github.com/ory/k8s
+type: application
+version: 0.50.2
diff --git a/opencloud/charts/keto/README.md b/opencloud/charts/keto/README.md
new file mode 100644
index 0000000..a142bae
--- /dev/null
+++ b/opencloud/charts/keto/README.md
@@ -0,0 +1,187 @@ +# keto + +![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square) + +Access Control Policies as a Server + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| ORY Team | | | + +## Source Code + +* +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../ory-commons | ory(ory-commons) | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods | +| deployment.affinity | object | `{}` | | +| deployment.annotations | object | `{}` | | +| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer | +| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR | +| deployment.automountServiceAccountToken | bool | `true` | | +| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Autoscaling for keto deployment | +| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior | +| deployment.customLivenessProbe | object | `{}` | | +| deployment.customReadinessProbe | object | `{}` | | +| deployment.customStartupProbe | object | `{}` | | +| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. 
| +| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. | +| deployment.extraEnv | list | `[]` | Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl` - name: FOO value: BAR | +| deployment.extraInitContainers | object | `{}` | If you want to add extra init containers. These are processed before the migration init container. | +| deployment.extraLabels | object | `{}` | Extra labels to be added to the deployment, and pods. K8s object format expected foo: bar my.special.label/type: value | +| deployment.extraPorts | list | `[]` | Extra ports to be exposed by the main deployment | +| deployment.extraVolumeMounts | list | `[]` | Array of extra VolumeMounts to be added to the deployment. K8s format expected - name: my-volume mountPath: /etc/secrets/my-secret readOnly: true | +| deployment.extraVolumes | list | `[]` | Array of extra Volumes to be added to the deployment. K8s format expected - name: my-volume secret: secretName: my-secret | +| deployment.lifecycle | object | `{}` | | +| deployment.minReadySeconds | int | `0` | | +| deployment.nodeSelector | object | `{}` | | +| deployment.podAnnotations | object | `{}` | | +| deployment.podMetadata.annotations | object | `{}` | | +| deployment.podMetadata.labels | object | `{}` | | +| deployment.podSecurityContext | object | `{}` | | +| deployment.readinessProbe.failureThreshold | int | `5` | | +| deployment.readinessProbe.initialDelaySeconds | int | `5` | | +| deployment.readinessProbe.periodSeconds | int | `10` | | +| deployment.resources | object | `{}` | | +| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history | +| deployment.startupProbe.failureThreshold | int | `5` | | +| deployment.startupProbe.initialDelaySeconds | int | `0` | | +| deployment.startupProbe.periodSeconds | int | `1` | | +| deployment.startupProbe.successThreshold | int | `1` | | +| deployment.startupProbe.timeoutSeconds | 
int | `1` | | +| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | | +| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | | +| deployment.strategy.type | string | `"RollingUpdate"` | | +| deployment.terminationGracePeriodSeconds | int | `60` | | +| deployment.tolerations | list | `[]` | | +| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. | +| extraServices | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy | +| image.repository | string | `"oryd/keto"` | Ory KETO image | +| image.tag | string | `"v0.12.0"` | Ory KETO version | +| imagePullSecrets | list | `[]` | | +| ingress.read.annotations | object | `{}` | | +| ingress.read.className | string | `""` | | +| ingress.read.enabled | bool | `false` | | +| ingress.read.hosts[0].host | string | `"chart-example.local"` | | +| ingress.read.hosts[0].paths[0].path | string | `"/read"` | | +| ingress.read.hosts[0].paths[0].pathType | string | `"Prefix"` | | +| ingress.read.tls | list | `[]` | | +| ingress.write.annotations | object | `{}` | | +| ingress.write.className | string | `""` | | +| ingress.write.enabled | bool | `false` | | +| ingress.write.hosts[0].host | string | `"chart-example.local"` | | +| ingress.write.hosts[0].paths[0].path | string | `"/write"` | | +| ingress.write.hosts[0].paths[0].pathType | string | `"Prefix"` | | +| ingress.write.tls | list | `[]` | | +| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. | +| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token | +| job.extraContainers | string | `""` | If you want to add extra sidecar containers. 
| +| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR | +| job.extraInitContainers | string | `""` | If you want to add extra init containers. | +| job.lifecycle | string | `""` | If you want to add lifecycle hooks. | +| job.nodeSelector | object | `{}` | Node labels for pod assignment. | +| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects | +| job.podMetadata.annotations | object | `{}` | Extra pod level annotations | +| job.podMetadata.labels | object | `{}` | Extra pod level labels | +| job.resources | object | `{}` | Job resources | +| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. | +| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account | +| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| job.shareProcessNamespace | bool | `false` | Set sharing process namespace | +| job.spec.backoffLimit | int | `10` | Set job back off limit | +| job.tolerations | list | `[]` | Configure node tolerations. 
| +| keto.automigration | object | `{"customArgs":[],"customCommand":[],"enabled":false,"resources":{},"type":"job"}` | Enables database migration | +| keto.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - keto | +| keto.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) | +| keto.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer | +| keto.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job | +| keto.command | list | `["keto"]` | Ability to override the entrypoint of keto container (e.g. to source dynamic secrets or export environment dynamic variables) | +| keto.config | object | `{"dsn":"memory","namespaces":[{"id":0,"name":"sample"}],"serve":{"metrics":{"port":4468},"read":{"port":4466},"write":{"port":4467}}}` | Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration | +| keto.customArgs | list | `[]` | Ability to override arguments of the entrypoint. 
Can be used in-depended of customCommand | +| nameOverride | string | `""` | | +| pdb.enabled | bool | `false` | | +| pdb.spec.maxUnavailable | string | `""` | | +| pdb.spec.minAvailable | string | `""` | | +| podSecurityContext.fsGroup | int | `65534` | | +| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | | +| podSecurityContext.runAsGroup | int | `65534` | | +| podSecurityContext.runAsNonRoot | bool | `true` | | +| podSecurityContext.runAsUser | int | `65534` | | +| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ | +| replicaCount | int | `1` | Number of replicas in deployment | +| secret.enabled | bool | `true` | Switch to false to prevent creating the secret | +| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods | +| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created | +| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. 
| +| securityContext.allowPrivilegeEscalation | bool | `false` | | +| securityContext.capabilities.drop[0] | string | `"ALL"` | | +| securityContext.privileged | bool | `false` | | +| securityContext.readOnlyRootFilesystem | bool | `true` | | +| securityContext.runAsGroup | int | `65534` | | +| securityContext.runAsNonRoot | bool | `true` | | +| securityContext.runAsUser | int | `65534` | | +| securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | | +| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| service.metrics.annotations | object | `{}` | | +| service.metrics.enabled | bool | `false` | | +| service.metrics.loadBalancerIP | string | `""` | | +| service.metrics.name | string | `"http-metrics"` | | +| service.metrics.port | int | `80` | | +| service.metrics.type | string | `"ClusterIP"` | | +| service.read.appProtocol | string | `"grpc"` | | +| service.read.clusterIP | string | `""` | | +| service.read.enabled | bool | `true` | | +| service.read.headless.enabled | bool | `true` | | +| service.read.loadBalancerIP | string | `""` | | +| service.read.name | string | `"grpc-read"` | | +| service.read.port | int | `80` | | +| service.read.type | string | `"ClusterIP"` | | +| service.write.appProtocol | string | `"grpc"` | | +| service.write.clusterIP | string | `""` | | +| service.write.enabled | bool | `true` | | +| service.write.headless.enabled | bool | `true` | | +| service.write.loadBalancerIP | string | `""` | | +| service.write.name | string | `"grpc-write"` | | +| service.write.port | int | `80` | | +| service.write.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `""` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | +| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata | +| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. | +| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped | +| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended | +| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint | +| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository | +| test.labels | object | `{}` | Provide additional labels to the test pod | +| watcher.automountServiceAccountToken | bool | `true` | | +| watcher.enabled | bool | `false` | | +| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` | | +| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo | +| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects | +| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations | +| watcher.podMetadata.labels | object | `{}` | Extra pod level labels | +| watcher.resources | object | `{}` | | +| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history | +| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/opencloud/charts/keto/charts/ory-commons/.helmignore b/opencloud/charts/keto/charts/ory-commons/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/opencloud/charts/keto/charts/ory-commons/.helmignore 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/opencloud/charts/keto/charts/ory-commons/Chart.yaml b/opencloud/charts/keto/charts/ory-commons/Chart.yaml
new file mode 100644
index 0000000..35269f4
--- /dev/null
+++ b/opencloud/charts/keto/charts/ory-commons/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 0.0.0
+description: 'Collection of helper function for the Ory Helm environment '
+name: ory-commons
+type: library
+version: 0.1.0
diff --git a/opencloud/charts/keto/charts/ory-commons/templates/_helpers.tpl b/opencloud/charts/keto/charts/ory-commons/templates/_helpers.tpl
new file mode 100644
index 0000000..531b34c
--- /dev/null
+++ b/opencloud/charts/keto/charts/ory-commons/templates/_helpers.tpl
@@ -0,0 +1,12 @@
+{{/*
+Check if list contains object
+*/}}
+{{- define "ory.extraEnvContainsEnvName" -}}
+ {{- $extraEnvs := index . 0 -}}
+ {{- $envName := index . 1 -}}
+ {{- range $k, $v := $extraEnvs -}}
+ {{- if eq $v.name $envName -}}
+ found
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/opencloud/charts/keto/files/watch.sh b/opencloud/charts/keto/files/watch.sh
new file mode 100644
index 0000000..cb5b44b
--- /dev/null
+++ b/opencloud/charts/keto/files/watch.sh
@@ -0,0 +1,17 @@
+set -Eeuo pipefail
+set -x
+
+function rollOut() {
+ DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
+ kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
+ kubectl rollout status -n $NAMESPACE ${DEPLOY}
+}
+
+while true; do
+ # After change in the CM the symlink is recreated, so we need to restart the monitor
+ inotifywait --event DELETE_SELF "${WATCH_FILE}" |
+ while read path _ file; do
+ echo "---> $path$file modified"
+ rollOut "${LABEL_SELECTOR}"
+ done
+done
diff --git a/opencloud/charts/keto/templates/NOTES.txt b/opencloud/charts/keto/templates/NOTES.txt
new file mode 100644
index 0000000..91b1ae7
--- /dev/null
+++ b/opencloud/charts/keto/templates/NOTES.txt
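Review bot: In rollOut, `$NAMESPACE` and `${DEPLOY}` are unquoted on both `kubectl` lines and the inner loop reads with `read` without `-r`, so a namespace or path with unusual characters is word-split or backslash-mangled; the safer lines are `kubectl set env -n "${NAMESPACE}" ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")`, `kubectl rollout status -n "${NAMESPACE}" ${DEPLOY}` and `while read -r path _ file; do` (`${DEPLOY}` is deliberately left unquoted because `-o name` may return several deployments, one per line). When the label selector matches nothing, `DEPLOY` is empty and the `kubectl set env` call errors out under `set -e`; a guard such as `[[ -n "${DEPLOY}" ]] || return 0` after the assignment avoids a noisy restart loop. This script is executed via `bash -c` from deployment-watcher.yaml with the pod's service account, and it appears to be vendored from the upstream ory chart, so the fix should be carried upstream or tracked as a local patch.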
@@ -0,0 +1,33 @@ +1. Get the application URL by running these commands: +{{- if or .Values.ingress.read.enabled .Values.ingress.write.enabled -}} + Read endpoint available at: + {{- range $host := .Values.ingress.read.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} + {{- end }} + Write endpoint available at: + {{- range $host := .Values.ingress.write.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} + {{- end }} +{{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }} + export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-read) + export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") +Read endpoint available at: http://$NODE_IP:$NODE_PORT_READ +Write endpoint available at: http://$NODE_IP:$NODE_PORT_WRITE +{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.read.type ) }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}-read' + export SERVICE_IP_READ=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-read --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + export SERVICE_IP_WRITE=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . 
}}-write --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + Read endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.read.port }} + Write endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.write.port }} +{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.read.type ) }} + kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-read {{ .Values.keto.config.serve.read.port }}:80 + kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-write {{ .Values.keto.config.serve.write.port }}:80 + Read endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.read.port }} + Write endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.write.port }} +{{- end }} diff --git a/opencloud/charts/keto/templates/_helpers.tpl b/opencloud/charts/keto/templates/_helpers.tpl new file mode 100644 index 0000000..98ba10a --- /dev/null +++ b/opencloud/charts/keto/templates/_helpers.tpl 
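Review bot: The NodePort branch of NOTES.txt assigns `NODE_PORT_READ` twice, the second time from the `-write` service, and then prints `$NODE_PORT_WRITE`, which is never set; the second export should be `export NODE_PORT_WRITE=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)`. The LoadBalancer branch has the same copy-paste slip on output, `Write endpoint available at: http://$SERVICE_IP_WRITE:{{ .Values.service.write.port }}`. Both the LoadBalancer and the ClusterIP `else if` conditions test `.Values.service.read.type` on both sides of the `or`, so the write service's type is never considered and a mixed read/write service configuration falls into the wrong branch or prints nothing; the second operand of each should reference `.Values.service.write.type`. The file is vendored from the upstream ory chart, so these belong upstream as well as here.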
@@ -0,0 +1,130 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "keto.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "keto.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a secret name which can be overridden. +*/}} +{{- define "keto.secretname" -}} +{{- if .Values.secret.nameOverride -}} +{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{ include "keto.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "keto.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Generate the dsn value +*/}} +{{- define "keto.dsn" -}} +{{- if and .Values.secret.nameOverride (not .Values.secret.enabled) -}} +dsn-loaded-from-env +{{- else if not (empty (.Values.keto.config.dsn)) -}} +{{- .Values.keto.config.dsn }} +{{- end -}} +{{- end -}} + +{{/* +Generate the configmap data, redacting secrets +*/}} +{{- define "keto.configmap" -}} +{{- $config := omit .Values.keto.config "dsn" -}} +{{- tpl (toYaml $config) . -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "keto.labels" -}} +helm.sh/chart: {{ include "keto.chart" . }} +{{ include "keto.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if $.Values.watcher.enabled }} +{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "keto.name" .) }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "keto.selectorLabels" -}} +app.kubernetes.io/name: {{ include "keto.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "keto.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "keto.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the service account for the Job to use +*/}} +{{- define "keto.job.serviceAccountName" -}} +{{- if .Values.job.serviceAccount.create }} +{{- printf "%s-job" (default (include "keto.fullname" .) .Values.job.serviceAccount.name) }} +{{- else }} +{{- include "keto.serviceAccountName" . }} +{{- end }} +{{- end }} + + +{{/* +Checksum annotations generated from configmaps and secrets +*/}} +{{- define "keto.annotations.checksum" -}} +{{- if .Values.configmap.hashSumEnabled }} +checksum/keto-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} +{{- end }} +{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }} +checksum/keto-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . 
| sha256sum }} +{{- end }} +{{- end }} + +{{/* +Check the migration type value and fail if unexpected +*/}} +{{- define "keto.automigration.typeVerification" -}} +{{- if and .Values.keto.automigration.enabled .Values.keto.automigration.type }} + {{- if and (ne .Values.keto.automigration.type "initContainer") (ne .Values.keto.automigration.type "job") }} + {{- fail "keto.automigration.type must be either 'initContainer' or 'job'" -}} + {{- end }} +{{- end }} +{{- end }} diff --git a/opencloud/charts/keto/templates/configmap-migrate.yaml b/opencloud/charts/keto/templates/configmap-migrate.yaml new file mode 100644 index 0000000..db858a9 --- /dev/null +++ b/opencloud/charts/keto/templates/configmap-migrate.yaml @@ -0,0 +1,18 @@ +{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keto.fullname" . }}-migrate + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: +{{ include "keto.labels" . | indent 4 }} + annotations: + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" +data: + "keto.yaml": | + {{- include "keto.configmap" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/opencloud/charts/keto/templates/configmap.yaml b/opencloud/charts/keto/templates/configmap.yaml new file mode 100644 index 0000000..8a655d0 --- /dev/null +++ b/opencloud/charts/keto/templates/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keto.fullname" . }}-config + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: +{{ include "keto.labels" . | indent 4 }} +data: + "keto.yaml": | + {{- include "keto.configmap" . | nindent 4 }} 
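Review bot: configmap.yaml writes `include "keto.configmap"` into a plain ConfigMap, and that helper (defined in the _helpers.tpl hunk just above) only does `omit .Values.keto.config "dsn"`, so every other key a deployer puts under `keto.config` ends up unencrypted in the ConfigMap rather than in the Secret. A comment above `data:` such as `# keto.configmap strips only "dsn"; keep any other credential out of keto.config` would make the boundary explicit for operators of this vendored chart. The same rendering is repeated in configmap-migrate.yaml, so the note applies there too.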
diff --git a/opencloud/charts/keto/templates/deployment-watcher.yaml b/opencloud/charts/keto/templates/deployment-watcher.yaml new file mode 100644 index 0000000..ba05cfd --- /dev/null +++ b/opencloud/charts/keto/templates/deployment-watcher.yaml 
@@ -0,0 +1,75 @@ +{{- if .Values.watcher.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "keto.fullname" . }}-watcher + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "keto.name" . }}-watcher + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "keto.name" . }}-watcher + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "keto.name" . }}-watcher + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.watcher.podMetadata.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- with .Values.watcher.podMetadata.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }} + serviceAccountName: {{ include "keto.serviceAccountName" . 
}}-watcher + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} + containers: + - name: watcher + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + image: {{ .Values.watcher.image }} + command: + - /bin/bash + - -c + - | + {{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }} + env: + - name: NAMESPACE + value: {{ .Release.Namespace | quote }} + - name: WATCH_FILE + value: {{ .Values.watcher.mountFile | quote }} + - name: LABEL_SELECTOR + value: '{{ $.Values.watcher.watchLabelKey }}={{ include "keto.name" . }}' + resources: + {{- toYaml .Values.watcher.resources | nindent 12 }} + volumeMounts: + {{- with .Values.deployment.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if .Values.deployment.extraVolumes }} + {{- toYaml .Values.deployment.extraVolumes | nindent 8 }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/keto/templates/deployment.yaml b/opencloud/charts/keto/templates/deployment.yaml new file mode 100644 index 0000000..c29586a --- /dev/null +++ b/opencloud/charts/keto/templates/deployment.yaml 
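Review bot: The watcher pod runs as `serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher` with `automountServiceAccountToken` from values (defaulting to true per the README), and the script it executes issues `kubectl get deploy`, `kubectl set env` and `kubectl rollout status`, yet no ServiceAccount, Role or RoleBinding for the `-watcher` name is visible in this diff; presumably they live in a template outside this chunk, but it is worth confirming, and the Role should be namespace-scoped and limited to get/list/patch on deployments matching `LABEL_SELECTOR`. A short comment next to `serviceAccountName`, `# must exist with patch rights on deployments; see the watcher RBAC templates`, would make the dependency discoverable. The deployment also reuses `.Values.deployment.extraVolumeMounts` and `extraVolumes` from the main keto deployment, so any secret mounted into keto is mounted into the watcher as well; if that is intended it deserves a comment, otherwise a dedicated `watcher.extraVolumeMounts` is safer.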
@@ -0,0 +1,232 @@
+{{- $podAnnotations := ternary .Values.deployment.podAnnotations .Values.podAnnotations (not (empty .Values.deployment.podAnnotations )) -}}
+{{- $automountServiceAccountToken := ternary .Values.deployment.automountServiceAccountToken .Values.automountServiceAccountToken (not (empty .Values.deployment.automountServiceAccountToken )) -}}
+{{- $livenessProbe := ternary .Values.deployment.livenessProbe .Values.livenessProbe (not (empty .Values.deployment.livenessProbe )) -}}
+{{- $readinessProbe := ternary .Values.deployment.readinessProbe .Values.readinessProbe (not (empty .Values.deployment.readinessProbe )) -}}
+{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
+{{- $resources := ternary .Values.deployment.resources .Values.resources (not (empty .Values.deployment.resources )) -}}
+{{- $extraInitContainers := ternary .Values.deployment.extraInitContainers .Values.extraInitContainers (not (empty .Values.deployment.extraInitContainers )) -}}
+{{- $extraContainers := ternary .Values.deployment.extraContainers .Values.extraContainers (not (empty .Values.deployment.extraContainers )) -}}
+{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
+{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
+{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
+{{- $nodeSelector := ternary .Values.deployment.nodeSelector .Values.nodeSelector (not (empty .Values.deployment.nodeSelector )) -}}
+{{- $affinity := ternary .Values.deployment.affinity .Values.affinity (not (empty .Values.deployment.affinity )) -}}
+{{- $tolerations := ternary .Values.deployment.tolerations .Values.tolerations (not (empty .Values.deployment.tolerations )) -}}
+{{- $topologySpreadConstraints := ternary .Values.deployment.topologySpreadConstraints .Values.topologySpreadConstraints (not (empty .Values.deployment.topologySpreadConstraints )) -}} +{{- include "keto.automigration.typeVerification" . -}} +{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "keto.fullname" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "keto.labels" . | nindent 4 }} + {{- with $extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.deployment.minReadySeconds }} +{{- if not $autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} +{{- end }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + strategy: + {{- toYaml .Values.deployment.strategy | nindent 4 }} + selector: + matchLabels: + {{- include "keto.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- include "keto.annotations.checksum" . | indent 8 -}} + {{- with $podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $.Values.deployment.podMetadata.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "keto.selectorLabels" . | nindent 8 }} + {{- with $extraLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $.Values.deployment.podMetadata.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + initContainers: + {{- if $extraInitContainers}} + {{- tpl $extraInitContainers . 
| nindent 8 }} + {{- end }} + {{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "initContainer" ) }} + - name: {{ .Chart.Name }}-automigrate + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.keto.automigration.customCommand }} + command: {{- toYaml .Values.keto.automigration.customCommand | nindent 12 }} + {{- else }} + command: ["keto"] + {{- end }} + {{- if .Values.keto.automigration.customArgs }} + args: {{- toYaml .Values.keto.automigration.customArgs | nindent 12 }} + {{- else }} + args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ] + {{- end }} + volumeMounts: + - name: {{ include "keto.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- with $extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + env: + {{- if not (empty ( include "keto.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "keto.secretname" . }} + key: dsn + {{- end }} + {{- end }} + {{- if $migrationExtraEnv }} + {{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }} + {{- end }} + {{- with .Values.keto.automigration.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "keto.serviceAccountName" . }} + automountServiceAccountToken: {{ $automountServiceAccountToken }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} + containers: + - name: {{ .Chart.Name }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . 
| nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: {{- toYaml .Values.keto.command | nindent 12 }} + {{- if .Values.keto.customArgs }} + args: {{- toYaml .Values.keto.customArgs | nindent 12 }} + {{- else }} + args: + - serve + - --config + - /etc/config/keto.yaml + {{- end }} + ports: + - name: {{ .Values.service.read.name }} + containerPort: {{ .Values.keto.config.serve.read.port }} + protocol: TCP + - name: {{ .Values.service.write.name }} + containerPort: {{ .Values.keto.config.serve.write.port }} + protocol: TCP + - name: {{ .Values.service.metrics.name }} + containerPort: {{ .Values.keto.config.serve.metrics.port }} + protocol: TCP + {{- with .Values.deployment.extraPorts }} + {{- toYaml . | nindent 12 }} + {{- end }} + lifecycle: + {{- toYaml .Values.deployment.lifecycle | nindent 12 }} + {{- if .Values.deployment.customLivenessProbe }} + livenessProbe: + {{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }} + {{- end }} + readinessProbe: + {{- if .Values.deployment.customReadinessProbe }} + {{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health/alive + port: {{ .Values.keto.config.serve.write.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml $readinessProbe | nindent 12 }} + {{- end }} + startupProbe: + {{- if .Values.deployment.customStartupProbe }} + {{- toYaml .Values.deployment.customStartupProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health/ready + port: {{ .Values.keto.config.serve.write.port }} + httpHeaders: + - name: Host + value: '127.0.0.1' + {{- toYaml .Values.deployment.startupProbe | nindent 12 }} + {{- end }} + resources: + {{- toYaml $resources | nindent 12 }} + env: + {{- if not (empty ( include "keto.dsn" . 
)) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "keto.secretname" . }} + key: dsn + {{- end }} + {{- end }} + {{- if .Values.deployment.extraEnv }} + {{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }} + {{- end }} + volumeMounts: + - name: {{ include "keto.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- with $extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if $extraContainers }} + {{- tpl $extraContainers . | nindent 8 }} + {{- end }} + volumes: + - name: {{ include "keto.name" . }}-config-volume + configMap: + name: {{ include "keto.fullname" . }}-config + {{- with $extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with $nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.deployment.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/opencloud/charts/keto/templates/hpa.yaml b/opencloud/charts/keto/templates/hpa.yaml new file mode 100644 index 0000000..acf1a59 --- /dev/null +++ b/opencloud/charts/keto/templates/hpa.yaml 
@@ -0,0 +1,38 @@
+{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
+
+{{- if $autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "keto.fullname" . }}
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "keto.labels" . | nindent 4 }}
+spec:
+ {{- with $autoscaling.behavior }}
+ behavior: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "keto.fullname" . }}
+ minReplicas: {{ $autoscaling.minReplicas }}
+ maxReplicas: {{ $autoscaling.maxReplicas }}
+ metrics:
+ {{- with $autoscaling.targetMemory }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $autoscaling.targetCPU}}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/opencloud/charts/keto/templates/ingress-read.yaml b/opencloud/charts/keto/templates/ingress-read.yaml
new file mode 100644
index 0000000..ff30ed1
--- /dev/null
+++ b/opencloud/charts/keto/templates/ingress-read.yaml
@@ -0,0 +1,54 @@ +{{- if .Values.ingress.read.enabled -}} +{{- $fullName := include "keto.fullname" . -}} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-read + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "keto.labels" . | nindent 4 }} + {{- with .Values.ingress.read.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.read.className }} + {{- if .Values.ingress.read.tls }} + tls: + {{- range .Values.ingress.read.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.read.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-read + port: + name: {{ $.Values.service.read.name }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $.Values.service.read.name }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/keto/templates/ingress-write.yaml b/opencloud/charts/keto/templates/ingress-write.yaml new file mode 100644 index 0000000..9aefbc9 --- /dev/null +++ b/opencloud/charts/keto/templates/ingress-write.yaml 
@@ -0,0 +1,54 @@ +{{- if .Values.ingress.write.enabled -}} +{{- $fullName := include "keto.fullname" . -}} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-write + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "keto.labels" . | nindent 4 }} + {{- with .Values.ingress.write.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.write.className }} + {{- if .Values.ingress.write.tls }} + tls: + {{- range .Values.ingress.write.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.write.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }}-write + port: + name: {{ $.Values.service.write.name }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $.Values.service.write.name }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/keto/templates/job-migration.yaml b/opencloud/charts/keto/templates/job-migration.yaml new file mode 100644 index 0000000..18b7f57 --- /dev/null +++ b/opencloud/charts/keto/templates/job-migration.yaml 
@@ -0,0 +1,123 @@ +{{- include "keto.automigration.typeVerification" . -}} +{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }} +{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}} +{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}} +{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}} +{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}} +{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "keto.fullname" . }}-automigrate + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "keto.labels" . | nindent 4 }} + {{- with $extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.job.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- with .Values.job.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.job.podMetadata.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "keto.fullname" . }}-automigrate + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with $extraLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.job.podMetadata.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "keto.job.serviceAccountName" . 
}} + automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }}-automigrate + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.keto.automigration.customCommand }} + command: {{- toYaml .Values.keto.automigration.customCommand | nindent 10 }} + {{- else }} + command: ["keto"] + {{- end }} + {{- if .Values.keto.automigration.customArgs }} + args: {{- toYaml .Values.keto.automigration.customArgs | nindent 10 }} + {{- else }} + args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ] + {{- end }} + {{- if .Values.job.lifecycle }} + {{- tpl .Values.job.lifecycle . | nindent 8 }} + {{- end }} + volumeMounts: + - name: {{ include "keto.name" . }}-config-volume + mountPath: /etc/config + readOnly: true + {{- with $extraVolumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + env: + {{- if not (empty ( include "keto.dsn" . )) }} + {{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }} + - name: DSN + valueFrom: + secretKeyRef: + name: {{ include "keto.secretname" . }} + key: dsn + {{- end }} + {{- end }} + {{- with $migrationExtraEnv }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.job.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + {{- end }} + {{- if .Values.job.extraContainers }} + {{- tpl .Values.job.extraContainers . | nindent 6 }} + {{- end }} + {{- if .Values.job.extraInitContainers }} + initContainers: + {{- tpl .Values.job.extraInitContainers . | nindent 8 }} + {{- end }} + restartPolicy: Never + volumes: + - name: {{ include "keto.name" . }}-config-volume + configMap: + name: {{ include "keto.fullname" . 
}}-migrate + {{- with $extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.job.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + shareProcessNamespace: {{ .Values.job.shareProcessNamespace }} + backoffLimit: {{ .Values.job.spec.backoffLimit }} +{{- end }} diff --git a/opencloud/charts/keto/templates/job-rbac.yaml b/opencloud/charts/keto/templates/job-rbac.yaml new file mode 100644 index 0000000..a788af6 --- /dev/null +++ b/opencloud/charts/keto/templates/job-rbac.yaml @@ -0,0 +1,17 @@ +{{- if .Values.job.serviceAccount.create -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "keto.job.serviceAccountName" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "keto.labels" . | nindent 4 }} + {{- with .Values.job.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: false +{{- end -}} \ No newline at end of file diff --git a/opencloud/charts/keto/templates/pdb.yaml b/opencloud/charts/keto/templates/pdb.yaml new file mode 100644 index 0000000..1e01ff1 --- /dev/null +++ b/opencloud/charts/keto/templates/pdb.yaml @@ -0,0 +1,20 @@ +{{- if .Values.pdb.enabled -}} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "keto.fullname" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "keto.selectorLabels" . | nindent 6 }} + {{- with .Values.pdb.spec.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with .Values.pdb.spec.minAvailable }} + minAvailable: {{ . }} + {{- end }} +{{- end -}} diff --git a/opencloud/charts/keto/templates/rbac-watcher.yaml b/opencloud/charts/keto/templates/rbac-watcher.yaml new file mode 100644 index 0000000..15a693a --- /dev/null 
+++ b/opencloud/charts/keto/templates/rbac-watcher.yaml
@@ -0,0 +1,55 @@
+{{- if .Values.watcher.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "keto.serviceAccountName" . }}-watcher
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
+ app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "keto.fullname" . }}-watcher
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs:
+ - list
+ - watch
+ - get
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ resourceNames:
+ - {{ include "keto.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "keto.fullname" . }}-watcher
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "keto.fullname" . }}-watcher
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "keto.fullname" . }}-watcher
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/opencloud/charts/keto/templates/rbac.yaml b/opencloud/charts/keto/templates/rbac.yaml
new file mode 100644
index 0000000..f616731
--- /dev/null
+++ b/opencloud/charts/keto/templates/rbac.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "keto.serviceAccountName" . }}
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "keto.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: false
+{{- end }}
\ No newline at end of file
diff --git a/opencloud/charts/keto/templates/secrets.yaml b/opencloud/charts/keto/templates/secrets.yaml
new file mode 100644
index 0000000..41bd0b1
--- /dev/null
+++ b/opencloud/charts/keto/templates/secrets.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.secret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "keto.secretname" . }}
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+{{ include "keto.labels" . | indent 4 }}
+ annotations:
+{{- with .Values.secret.secretAnnotations }}
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+type: Opaque
+data:
+ dsn: {{ include "keto.dsn" . | b64enc | quote }}
+{{- end }}
diff --git a/opencloud/charts/keto/templates/service-extraServices.yaml b/opencloud/charts/keto/templates/service-extraServices.yaml
new file mode 100644
index 0000000..ba04b1a
--- /dev/null
+++ b/opencloud/charts/keto/templates/service-extraServices.yaml
@@ -0,0 +1,32 @@
+{{- range $ServiceName, $ServiceData := .Values.extraServices }}
+
+{{- if $ServiceData.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "keto.fullname" $ }}-{{ $ServiceName }}
+ {{- if $.Release.Namespace }}
+ namespace: {{ $.Release.Namespace }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: {{ $ServiceName }}
+ {{- include "keto.labels" $ | nindent 4 }}
+spec:
+ type: {{ $ServiceData.type }}
+ {{- if eq $ServiceData.type "LoadBalancer" }}
+ {{- with $ServiceData.loadBalancerIP }}
+ loadBalancerIP: {{ . }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - port: {{ $ServiceData.port }}
+ targetPort: {{ $ServiceData.name }}
+ protocol: TCP
+ name: {{ $ServiceData.name }}
+ selector:
+ app.kubernetes.io/name: {{ include "keto.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+{{- end }}
+
+{{- end }}
\ No newline at end of file
diff --git a/opencloud/charts/keto/templates/service-metrics.yaml b/opencloud/charts/keto/templates/service-metrics.yaml
new file mode 100644
index 0000000..ce15ab6
--- /dev/null
+++ b/opencloud/charts/keto/templates/service-metrics.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.service.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "keto.fullname" . }}-metrics
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: metrics
+ {{- include "keto.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.metrics.type }}
+ {{- if eq .Values.service.metrics.type "LoadBalancer" }}
+ {{- with .Values.service.metrics.loadBalancerIP }}
+ loadBalancerIP: {{ . }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.metrics.port }}
+ targetPort: {{ .Values.service.metrics.name }}
+ protocol: TCP
+ name: {{ .Values.service.metrics.name }}
+ selector:
+ app.kubernetes.io/name: {{ include "keto.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{ end }}
diff --git a/opencloud/charts/keto/templates/service-read.yaml b/opencloud/charts/keto/templates/service-read.yaml
new file mode 100644
index 0000000..b86a615
--- /dev/null
+++ b/opencloud/charts/keto/templates/service-read.yaml
@@ -0,0 +1,60 @@ +{{- if .Values.service.read.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "keto.fullname" . }}-read + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app.kubernetes.io/component: read + {{- include "keto.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.read.type }} + {{- if eq .Values.service.read.type "LoadBalancer" }} + {{- with .Values.service.read.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- end }} + {{- if eq .Values.service.read.type "ClusterIP" }} + {{- with .Values.service.read.clusterIP }} + clusterIP: {{ . }} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.service.read.port }} + targetPort: {{ .Values.service.read.name }} + protocol: TCP + name: {{ .Values.service.read.name }} + appProtocol: {{ .Values.service.read.appProtocol }} + selector: + app.kubernetes.io/name: {{ include "keto.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Values.service.read.headless.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "keto.fullname" . }}-read-headless + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + service.ory.sh/type: headless + app.kubernetes.io/component: read + {{- include "keto.labels" . | nindent 4 }} +spec: + type: "ClusterIP" + clusterIP: "None" + ports: + - port: {{ .Values.keto.config.serve.read.port }} + targetPort: {{ .Values.service.read.name }} + protocol: TCP + name: {{ .Values.service.read.name }} + appProtocol: {{ .Values.service.read.appProtocol }} + selector: + app.kubernetes.io/name: {{ include "keto.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/opencloud/charts/keto/templates/service-write.yaml b/opencloud/charts/keto/templates/service-write.yaml new file mode 100644 index 0000000..d4dab78 --- /dev/null 
+++ b/opencloud/charts/keto/templates/service-write.yaml @@ -0,0 +1,59 @@ +{{- if .Values.service.write.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "keto.fullname" . }}-write + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app.kubernetes.io/component: write + {{- include "keto.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.write.type }} + {{- if eq .Values.service.write.type "LoadBalancer" }} + {{- with .Values.service.write.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- end }} + {{- if eq .Values.service.write.type "ClusterIP" }} + {{- with .Values.service.write.clusterIP }} + clusterIP: {{ . }} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.service.write.port }} + targetPort: {{ .Values.service.write.name }} + protocol: TCP + name: {{ .Values.service.write.name }} + appProtocol: {{ .Values.service.write.appProtocol }} + selector: + app.kubernetes.io/name: {{ include "keto.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Values.service.write.headless.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "keto.fullname" . }}-write-headless + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + service.ory.sh/type: headless + app.kubernetes.io/component: write + {{- include "keto.labels" . | nindent 4 }} +spec: + type: "ClusterIP" + clusterIP: "None" + ports: + - port: {{ .Values.keto.config.serve.write.port }} + targetPort: {{ .Values.service.write.name }} + protocol: TCP + name: {{ .Values.service.write.name }} + appProtocol: {{ .Values.service.write.appProtocol }} + selector: + app.kubernetes.io/name: {{ include "keto.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} +{{- end }} \ No newline at end of file 
diff --git a/opencloud/charts/keto/templates/servicemonitor-metrics.yaml b/opencloud/charts/keto/templates/servicemonitor-metrics.yaml
new file mode 100644
index 0000000..c72b624
--- /dev/null
+++ b/opencloud/charts/keto/templates/servicemonitor-metrics.yaml
@@ -0,0 +1,36 @@
+{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") (.Values.service.metrics.enabled) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "keto.fullname" . }}-metrics
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: metrics
+{{ include "keto.labels" . | indent 4 }}
+ {{- with .Values.serviceMonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.service.metrics.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - path: /metrics/prometheus
+ port: {{ .Values.service.metrics.name }}
+ scheme: {{ .Values.serviceMonitor.scheme }}
+ interval: {{ .Values.serviceMonitor.scrapeInterval }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ {{- with .Values.serviceMonitor.tlsConfig }}
+ tlsConfig:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "keto.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: metrics
+{{- end -}}
diff --git a/opencloud/charts/keto/templates/tests/test-connection.yaml b/opencloud/charts/keto/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..1947c9b
--- /dev/null
+++ b/opencloud/charts/keto/templates/tests/test-connection.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "keto.fullname" . }}-test-connection"
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels: {{- include "keto.labels" . | nindent 4 }}
+ {{- with .Values.test.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ helm.sh/hook: test-success
+spec:
+ containers:
+ - name: wget
+ image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
+ command: ['wget']
+ args: ['{{ include "keto.fullname" . }}-write:{{ .Values.service.write.port }}/health/ready']
+ restartPolicy: Never
diff --git a/opencloud/charts/keto/values.yaml b/opencloud/charts/keto/values.yaml
new file mode 100644
index 0000000..5c3e181
--- /dev/null
+++ b/opencloud/charts/keto/values.yaml
@@ -0,0 +1,471 @@ +# Default values for keto. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +# -- Number of replicas in deployment +replicaCount: 1 + +## -- Image configuration +image: + # -- Ory KETO image + repository: oryd/keto + # -- Default image pull policy + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + # -- Ory KETO version + tag: "v0.12.0" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Pod priority +# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +priorityClassName: "" + +## -- ServiceAccount +serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +## -- pod securityContext for hydra & migration init +podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + +## -- container securityContext for hydra & migration init +securityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + privileged: false + seLinuxOptions: + level: "s0:c123,c456" + +## -- Values for initialization job +job: + # -- If you do want to specify annotations, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. 
+ annotations: + helm.sh/hook-weight: "1" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded" + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # -- If you want to add extra sidecar containers. + extraContainers: "" + # extraContainers: | + # - name: ... + # image: ... + + # -- If you want to add extra init containers. + extraInitContainers: "" + # extraInitContainers: | + # - name: ... + # image: ... + + # -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format + # is expected. Value is processed with Helm `tpl` + # - name: FOO + # value: BAR + extraEnv: [] + + # -- Node labels for pod assignment. + nodeSelector: {} + # If you do want to specify node labels, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'. + # foo: bar + + # -- Configure node tolerations. + tolerations: [] + + # -- Job resources + resources: {} + + # -- If you want to add lifecycle hooks. + lifecycle: "" + # lifecycle: | + # preStop: + # exec: + # command: [...] + + # -- Set automounting of the SA token + automountServiceAccountToken: false + + # -- Set sharing process namespace + shareProcessNamespace: false + + # -- Specify the serviceAccountName value. + # In some situations it is needed to provides specific permissions to Hydra deployments + # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. + # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. + serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" + # -- The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template + name: "" + + # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects + podMetadata: + # -- Extra pod level labels + labels: {} + # -- Extra pod level annotations + annotations: {} + + spec: + # -- Set job back off limit + backoffLimit: 10 + +## -- Ingress definitions +ingress: + read: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: /read + pathType: Prefix + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + write: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: /write + pathType: Prefix + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +## -- Service configurations +service: + ## -- Read service + read: + enabled: true + type: ClusterIP + clusterIP: "" + ## -- The load balancer IP + loadBalancerIP: "" + name: grpc-read + port: 80 + appProtocol: grpc + ## -- Enable extra headless service + headless: + enabled: true + ## -- Write service + write: + enabled: true + type: ClusterIP + clusterIP: "" + ## -- The load balancer IP + loadBalancerIP: "" + name: grpc-write + port: 80 + appProtocol: grpc + ## -- Enable extra headless service + headless: + enabled: true + ## -- Metrics service + metrics: + enabled: false + type: ClusterIP + ## -- The load balancer IP + loadBalancerIP: "" + name: http-metrics + port: 80 + annotations: {} + +## -- Extra services to be deployed +extraServices: {} + +## -- Secret management +secret: + # -- Switch to false to prevent creating the secret + enabled: true + # -- Provide custom name of existing secret, or custom name of secret to be created + nameOverride: "" + # nameOverride: 
"myCustomSecret" + # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. + secretAnnotations: + # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade + # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards. + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" + helm.sh/resource-policy: "keep" + # -- switch to false to prevent checksum annotations being maintained and propogated to the pods + hashSumEnabled: true + +## -- Main application config. +keto: + # -- Ability to override the entrypoint of keto container + # (e.g. to source dynamic secrets or export environment dynamic variables) + command: ["keto"] + # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand + customArgs: [] + # -- Enables database migration + automigration: + enabled: false + # -- Configure the way to execute database migration. Possible values: job, initContainer + # When set to job, the migration will be executed as a job on release or upgrade. + # When set to initContainer, the migration will be executed when kratos pod is created + # Defaults to job + type: job + # -- Ability to override the entrypoint of the automigration container + # (e.g. to source dynamic secrets or export environment dynamic variables) + customCommand: [] + # -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand + # eg: + # - sleep 5; + # - keto + customArgs: [] + # -- resource requests and limits for the automigration initcontainer + resources: {} + # -- Direct keto config. 
Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration + config: + serve: + read: + port: 4466 + write: + port: 4467 + metrics: + port: 4468 + namespaces: + - id: 0 + name: sample + dsn: memory + +## -- Configure the probes for when the deployment is considered ready and ongoing health check +deployment: + ## -- Specify pod deployment strategy + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: "25%" + maxUnavailable: "25%" + + ## -- Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready) + minReadySeconds: 0 + + ## -- DEPRECATED Set custom pod annotations + podAnnotations: {} + + ## -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects + podMetadata: + ## -- Extra pod level labels + labels: {} + ## -- Extra pod level annotations + annotations: {} + + ## -- Set custom security context for pods + podSecurityContext: {} + # fsGroup: 2000 + + # https://github.com/kubernetes/kubernetes/issues/57601 + automountServiceAccountToken: true + + lifecycle: {} + ## -- Default probe timers + readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + ## -- Default probe timers + startupProbe: + failureThreshold: 5 + successThreshold: 1 + periodSeconds: 1 + timeoutSeconds: 1 + initialDelaySeconds: 0 + ## -- Configure a custom livenessProbe. This overwrites the default object + customLivenessProbe: {} + ## -- Configure a custom readinessProbe. This overwrites the default object + customReadinessProbe: {} + ## -- Configure a custom startupProbe. This overwrites the default object + customStartupProbe: {} + + ## -- Add custom annotations to the deployment + annotations: {} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Autoscaling for keto deployment + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPU: {} + # type: Utilization + # averageUtilization: 80 + targetMemory: {} + # type: Utilization + # averageUtilization: 80 + # -- Set custom behavior + # https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + behavior: {} + + nodeSelector: {} + + # -- If you want to add extra sidecar containers. + extraContainers: "" + # extraContainers: | + # - name: ... + # image: ... + + # -- Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl` + # - name: FOO + # value: BAR + extraEnv: [] + + # -- Array of extra Volumes to be added to the deployment. K8s format expected + # - name: my-volume + # secret: + # secretName: my-secret + extraVolumes: [] + + # -- Array of extra VolumeMounts to be added to the deployment. K8s format expected + # - name: my-volume + # mountPath: /etc/secrets/my-secret + # readOnly: true + extraVolumeMounts: [] + + # -- If you want to add extra init containers. These are processed before the migration init container. + extraInitContainers: {} + # extraInitContainers: | + # - name: ... + # image: ... + + # -- Extra labels to be added to the deployment, and pods. K8s object format expected + # foo: bar + # my.special.label/type: value + extraLabels: {} + + # -- Extra ports to be exposed by the main deployment + extraPorts: [] + + tolerations: [] + + affinity: {} + + # -- Configure pod topologySpreadConstraints. 
+ topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: keto + # app.kubernetes.io/instance: keto + + # -- Configure pod dnsConfig. + dnsConfig: {} + # options: + # - name: "ndots" + # value: "1" + + # -- Parameters for the automigration initContainer + automigration: + # -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with + # Helm `tpl` + # - name: FOO + # value: BAR + extraEnv: [] + # -- Number of revisions kept in history + revisionHistoryLimit: 5 + terminationGracePeriodSeconds: 60 + +## -- Watcher sidecar configuration +watcher: + enabled: false + image: oryd/k8s-toolbox:v0.0.7 + # -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo + mountFile: "" + # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects + podMetadata: + # -- Extra pod level labels + labels: {} + # -- Extra pod level annotations + annotations: {} + # -- Label key used for managing applications + watchLabelKey: "ory.sh/watcher" + # -- Number of revisions kept in history + revisionHistoryLimit: 5 + automountServiceAccountToken: true + resources: {} + +## -- PodDistributionBudget configuration +pdb: + enabled: false + spec: + minAvailable: "" + maxUnavailable: "" + +## -- Parameters for the Prometheus ServiceMonitor objects. +# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html +serviceMonitor: + # -- HTTP scheme to use for scraping. 
+ scheme: http + # -- Interval at which metrics should be scraped + scrapeInterval: 60s + # -- Timeout after which the scrape is ended + scrapeTimeout: 30s + # -- Provide additionnal labels to the ServiceMonitor ressource metadata + labels: {} + # -- TLS configuration to use when scraping the endpoint + tlsConfig: {} + +configmap: + # -- switch to false to prevent checksum annotations being maintained and propogated to the pods + hashSumEnabled: true + +test: + # -- Provide additional labels to the test pod + labels: {} + # -- use a busybox image from another repository + busybox: + repository: busybox + tag: 1 diff --git a/opencloud/dev-values.yaml b/opencloud/dev-values.yaml index 0dfc7bb..8d4eb11 100644 --- a/opencloud/dev-values.yaml +++ b/opencloud/dev-values.yaml @@ -68,14 +68,14 @@ openldap: tls: enabled: false env: - LDAP_ORGANISATION: "Acme opencloud" - LDAP_DOMAIN: "acme.com" + LDAP_ORGANISATION: "Example opencloud" + LDAP_DOMAIN: "example.com" LDAP_BACKEND: "mdb" LDAP_TLS: "false" LDAP_TLS_ENFORCE: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" - adminPassword: "goaChai9" - configPassword: "xaidee2M" + adminPassword: "admin@password" + configPassword: "config@password" phpldapadmin: enabled: false persistence: @@ -88,22 +88,22 @@ openldap: customLdifFiles: 01-schema.ldif: |- - dn: ou=groups,dc=acme,dc=com + dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups - dn: ou=users,dc=acme,dc=com + dn: ou=users,dc=example,dc=com objectClass: organizationalUnit ou: users - dn: cn=lastGID,dc=acme,dc=com + dn: cn=lastGID,dc=example,dc=com objectClass: device objectClass: top description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group. cn: lastGID serialNumber: 2001 - dn: cn=lastUID,dc=acme,dc=com + dn: cn=lastUID,dc=example,dc=com objectClass: device objectClass: top serialNumber: 2001 
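Review bot: `adminPassword: "admin@password"` and `configPassword: "config@password"` keep the LDAP root credentials as literals in a versioned values file, now with guessable values; the old values were no better, but this rewrite is the moment to move them into a Kubernetes Secret that the openldap chart references and leave dev-values.yaml credential-free. The same literal is repeated as `LDAP_ADMIN_BIND_PWD` in the next hunk, while `ocAuth.ldap.binPwd` further down in this file is set to a different string (`"password"`) for the same `cn=admin,dc=example,dc=com` bind DN, so a single Secret would also remove that drift. With `LDAP_TLS: "false"` and `LDAP_REQUIRE_STARTTLS: "false"` in the surrounding context these credentials cross the cluster network in clear, which is fine for a local dev cluster but deserves a one-line comment such as `# dev-only: plaintext LDAP, do not reuse these values outside a local cluster`.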
@@ -111,44 +111,43 @@ openldap: cn: lastUID 02-ldapadmin.ldif : |- - dn: cn=ldapadmin,ou=groups,dc=acme,dc=com + dn: cn=ldapadmin,ou=groups,dc=example,dc=com objectClass: top objectClass: posixGroup cn: ldapadmin - memberUid: acme.ldapadmin + memberUid: ldapadmin gidNumber: 2001 - dn: uid=acme.ldapadmin,ou=users,dc=acme,dc=com - givenName: ldapadmin - sn: ldapadmin - uid: acme.ldapadmin - cn: acmeldapadmin + dn: uid=ldapadmin,ou=users,dc=example,dc=com + givenName: ldap + sn: admin + uid: ldapadmin + cn: ldapadmin + mail: ldapadmin@example.com objectClass: person objectClass: inetOrgPerson objectClass: posixAccount - userPassword:: e0NSWVBUfSQ2JDhycFZxbk5NJHNmWVhBYUNYUzdZbXFhR1VWTjdJa20wT2hXLmVtT3oua2x5L3V5YUdjNE81MDVEalU0R2ZMb0hTaFVwNUkvVUxFT0JubWJ2d29meFNFcXIuaFRVMm0u + userPassword: ldapadmin uidNumber: 2001 gidNumber: 2001 loginShell: /bin/bash - homeDirectory: /home/acme.ldapadmin - - #acme.ldapadmin ia3Bahr3 + homeDirectory: /home/ldapadmin # ldap user manager configuration ldapUserManager: enabled: true env: - SERVER_HOSTNAME: "users.acme.com" - LDAP_BASE_DN: "dc=acme,dc=com" + SERVER_HOSTNAME: "users.example.com" + LDAP_BASE_DN: "dc=example,dc=com" LDAP_REQUIRE_STARTTLS: "false" LDAP_ADMINS_GROUP: "ldapadmin" - LDAP_ADMIN_BIND_DN: "cn=admin,dc=acme,dc=com" - LDAP_ADMIN_BIND_PWD: "goaChai9" + LDAP_ADMIN_BIND_DN: "cn=admin,dc=example,dc=com" + LDAP_ADMIN_BIND_PWD: "admin@password" LDAP_IGNORE_CERT_ERRORS: "true" EMAIL_DOMAIN: "" NO_HTTPS: "true" SERVER_PATH: "/users" - ORGANISATION_NAME: "Acme" + ORGANISATION_NAME: "Example" LDAP_USER_OU: "users" LDAP_GROUP_OU: "groups" ACCEPT_WEAK_PASSWORDS: "true" 
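Review bot: `userPassword: ldapadmin` replaces the previous `{CRYPT}` hash with a cleartext password equal to the user name; unless a password-hashing overlay is configured, OpenLDAP stores the attribute as given, so it is readable by anyone who can read the entry and trivially guessable. Keep a hashed value even in dev data — generate it with `slappasswd -s <password>` and write `userPassword: {SSHA}<hash-placeholder>` — or drop the credential from the LDIF entirely if the user-manager UI can set it after bootstrap. `ACCEPT_WEAK_PASSWORDS: "true"` in the same hunk stops the user manager from enforcing any strength rule, which matches the dev intent but is worth a comment so it is not copied into a real environment.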
@@ -176,15 +175,37 @@ traefik: hydra: enabled: true maester: - enabled: false + enabled: true hydra: dev: true config: dsn: memory urls: - login: http://localhost/auth/login - consent: http://localhost/auth/consent - logout: http://localhost/auth/logout + login: http://localhost/authentication/login + consent: http://localhost/consent/consent + logout: http://localhost/authentication/logout self: - issuer: http://localhost/auth - \ No newline at end of file + issuer: http://localhost/idp + +keto: + enabled: true + +ocAuth: + enabled: false + image: oc-auth:latest + authType: hydra + hydra: + adminRole: admin + openCloudOauth2ClientSecretName: oc-auth-got-secret + ldap: + bindDn: "cn=admin,dc=example,dc=com" + binPwd: "password" + baseDn: "dc=example,dc=com" + roleBaseDn: "ou=AppRoles,dc=example,dc=com" + resources: + limits: + cpu: "128m" + memory: "128Mi" + requests: + cpu: "128m" + memory: "256Mi" diff --git a/opencloud/templates/oc-auth/deployment.yaml b/opencloud/templates/oc-auth/deployment.yaml new file mode 100644 index 0000000..f9f4842 --- /dev/null +++ b/opencloud/templates/oc-auth/deployment.yaml 
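Review bot: `ocAuth.resources` sets `limits.memory: "128Mi"` below `requests.memory: "256Mi"`, which the API server rejects (a limit may not be lower than its request) — although deployment.yaml in this commit reads `.Values.ldapUserManager.resources` rather than this block, so as written the block is unused. `binPwd: "password"` is the bind password for `cn=admin,dc=example,dc=com`, whose `adminPassword` in the first hunk of this file is `"admin@password"`, so the bind will presumably fail; the key also looks like a typo for `bindPwd` and is mirrored in deployment.yaml, so rename both together. `openCloudOauth2ClientSecretName: oc-auth-got-secret` reads as a Secret name but is injected verbatim as `OCAUTH_CLIENT_SECRET` by deployment.yaml and duplicated as the literal `clientSecret` in openCloudOauth2.yaml, so the OAuth2 client secret now lives in three places in git; make it a real Secret name and reference it everywhere. `roleBaseDn: "ou=AppRoles,dc=example,dc=com"` names an OU that the LDIF in this file does not create, so either add it to `01-schema.ldif` or confirm it is created elsewhere.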
@@ -0,0 +1,80 @@
+{{- if index .Values.ocAuth.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: oc-auth
+ name: {{ .Release.Name }}-oc-auth
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: oc-auth
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: oc-auth
+ spec:
+ volumes:
+ - name: public-key-volume
+ secret:
+ secretName: public-key-secret
+ - name: private-key-volume
+ secret:
+ secretName: private-key-secret
+ containers:
+ - image: "{{ .Values.ocAuth.image }}"
+ name: oc-auth
+ volumeMounts:
+ - name: public-key-volume
+ mountPath: /keys/public
+ subPath: public.pem
+ - name: private-key-volume
+ mountPath: /keys/private
+ subPath: private.pem
+ env:
+ - name: OCAUTH_ADMIN_ROLE
+ value: "{{ .Values.ocAuth.hydra }}"
+ - name: OCAUTH_PUBLIC_KEY_PATH
+ value: /keys/public/public.pem
+ - name: OCAUTH_PRIVATE_KEY_PATH
+ value: /keys/private/private.pem
+ - name: OCAUTH_CLIENT_SECRET
+ value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
+ - name: OCAUTH_AUTH
+ value: "{{ .Values.ocAuth.authType }}"
+ - name: OCAUTH_AUTH_CONNECTOR_HOST
+ value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
+ - name: OCAUTH_AUTH_CONNECTOR_PORT
+ value: 4444
+ - name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
+ value: 4445
+ - name: OCAUTH_PERMISSION_CONNECTOR_HOST
+ value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
+ - name: OCAUTH_PERMISSION_CONNECTOR_PORT
+ value: 80
+ - name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
+ value: 80
+ - name: OCAUTH_LDAP_ENDPOINTS
+ value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
+ - name: OCAUTH_LDAP_BINDDN
+ value: "{{ index .Values.ocAuth.ldap.bindDn }}"
+ - name: OCAUTH_LDAP_BINDPW
+ value: "{{ index .Values.ocAuth.ldap.binPwd }}"
+ - name: OCAUTH_LDAP_BASEDN
+ value: "{{ index .Values.ocAuth.ldap.baseDn }}"
+ - name: OCAUTH_LDAP_ROLE_BASEDN
+ value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ resources:
+ limits:
+ cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
+ memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
+ requests:
+ cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
+ memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
+{{- end }}
\ No newline at end of file
diff --git a/opencloud/templates/oc-auth/ingress.yaml b/opencloud/templates/oc-auth/ingress.yaml
new file mode 100644
index 0000000..7d9742e
--- /dev/null
+++ b/opencloud/templates/oc-auth/ingress.yaml
@@ -0,0 +1,20 @@
+{{- if index .Values.ocAuth.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: oc-auth-ingress
+spec:
+ entryPoints:
+ - web
+ routes:
+ - kind: Rule
+ match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`)
+ priority: 10
+ services:
+ - kind: Service
+ name: oc-auth-svc
+ passHostHeader: true
+ port: 8094
+ middlewares:
+ - name: forwardauth
+{{- end }}
\ No newline at end of file
diff --git a/opencloud/templates/oc-auth/openCloudOauth2.yaml b/opencloud/templates/oc-auth/openCloudOauth2.yaml
new file mode 100644
index 0000000..062d788
--- /dev/null
+++ b/opencloud/templates/oc-auth/openCloudOauth2.yaml
@@ -0,0 +1,26 @@
+{{- if index .Values.ocAuth.enabled }}
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: openCloudClient
+spec:
+ clientId: test-client
+ clientSecret: oc-auth-got-secret
+ grantTypes:
+ - implicit
+ - refresh_token
+ - authorization_code
+ - client_credentials
+ responseTypes:
+ - id_token
+ - token
+ - code
+ redirectUris:
+ - https://myapp.example.com/callback
+ scope: openid profile email roles
+ tokenEndpointAuthMethod: client_secret_post
+ postLogoutRedirectUris:
+ -http://localhost:3000
+ allowedCorsOrigins:
+ - http://localhost
+{{- end }}
\ No newline at end of file
diff --git a/opencloud/templates/oc-auth/pem.yaml b/opencloud/templates/oc-auth/pem.yaml
new file mode 100644
index 0000000..3ab5cc0
--- /dev/null
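Review bot: `OCAUTH_CLIENT_SECRET` and `OCAUTH_LDAP_BINDPW` are rendered as plain `value:` strings straight from values.yaml, so both credentials land in the rendered manifest, the Helm release history and `kubectl describe pod`; the fence below switches them to `secretKeyRef` (Secret and key names are placeholders to be aligned with the Secrets that actually exist). The four port entries (`value: 4444`, `4445`, `80`, `80`) are YAML integers, which the API server rejects for `env[].value` (it must be a string), so they are quoted in the fence as well. `OCAUTH_ADMIN_ROLE` renders the whole `ocAuth.hydra` map instead of `{{ .Values.ocAuth.hydra.adminRole }}`, and because the volume mounts use `subPath: public.pem` the mount point `/keys/public` is the file itself, so `/keys/public/public.pem` (and the private counterpart) will not exist inside the container. The container exposes `containerPort: 80` while service.yaml targets `8080`, resources are read from `.Values.ldapUserManager` rather than the `ocAuth.resources` block added in dev-values.yaml, and the single-argument `{{- if index .Values.ocAuth.enabled }}` (also in ingress.yaml, openCloudOauth2.yaml, pem.yaml and service.yaml) is just `.Values.ocAuth.enabled`.
```yaml
        env:
        - name: OCAUTH_ADMIN_ROLE
          value: "{{ .Values.ocAuth.hydra.adminRole }}"
        # … unchanged: OCAUTH_PUBLIC_KEY_PATH, OCAUTH_PRIVATE_KEY_PATH …
        - name: OCAUTH_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
              key: <client-secret-key>   # placeholder: key under which the OAuth2 client secret is stored
        # … unchanged: OCAUTH_AUTH, OCAUTH_AUTH_CONNECTOR_HOST …
        - name: OCAUTH_AUTH_CONNECTOR_PORT
          value: "4444"
        - name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
          value: "4445"
        # … unchanged: OCAUTH_PERMISSION_CONNECTOR_HOST …
        - name: OCAUTH_PERMISSION_CONNECTOR_PORT
          value: "80"
        - name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
          value: "80"
        # … unchanged: OCAUTH_LDAP_ENDPOINTS, OCAUTH_LDAP_BINDDN …
        - name: OCAUTH_LDAP_BINDPW
          valueFrom:
            secretKeyRef:
              name: <ldap-admin-secret-name>   # placeholder: Secret holding the openldap admin password
              key: <ldap-admin-password-key>   # placeholder
        # … unchanged: OCAUTH_LDAP_BASEDN, OCAUTH_LDAP_ROLE_BASEDN, ports, resources …
```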
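Review bot: The route references a middleware named `forwardauth`, but traefik.yaml in this same commit creates the Middleware as `forward-auth`, so as far as I know Traefik logs a middleware-not-found error and does not serve the route until the names agree; `- name: forward-auth` is the one-line fix here. `{{ .Values.host }}` is not set anywhere in this diff, so the `Host()` rule renders empty unless the parent values already define it — worth confirming. Guarding `PathPrefix(`/auth`)` with forwardAuth that calls the same oc-auth service looks circular (a request to `/auth` triggers a forward-auth call to `/oc/forward` on the same backend), so either the middleware should not apply to this route or the note on why it is safe belongs in a comment above `middlewares:`.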
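Review bot: `postLogoutRedirectUris:` is followed by `-http://localhost:3000` with no space after the dash, so YAML parses a scalar string instead of a list and the object fails CRD validation; `- http://localhost:3000` fixes it. `metadata.name: openCloudClient` contains uppercase letters, which the API server rejects for resource names (RFC 1123 subdomain), so use `name: opencloud-client`. `clientSecret: oc-auth-got-secret` commits a static credential into the chart; if I recall correctly hydra-maester keys the client credentials off `spec.secretName` and prunes unknown fields, so the literal `clientId`/`clientSecret` pair is probably ignored anyway and the secret should live in a Secret referenced from values. The `implicit` grant and `token` response type are legacy browser-flow options that a confidential client authenticating with `client_secret_post` does not need, so dropping them narrows the client's capabilities at no cost.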
+++ b/opencloud/templates/oc-auth/pem.yaml @@ -0,0 +1,21 @@ +{{- if index .Values.ocAuth.enabled }} +# public-key-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: public-key-secret +type: Opaque +data: + public.pem: | + 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 +--- +# private-key-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: private-key-secret +type: Opaque +data: + private.pem: | + 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 +{{- end }} \ No newline at end of file diff --git a/opencloud/templates/oc-auth/service.yaml b/opencloud/templates/oc-auth/service.yaml new file mode 100644 index 0000000..02ad1b8 --- /dev/null +++ b/opencloud/templates/oc-auth/service.yaml @@ -0,0 +1,17 @@ +{{- if index .Values.ocAuth.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: oc-auth-svc + labels: + app: oc-auth-svc +spec: + ports: + - name: http + port: 8094 + protocol: TCP + targetPort: 8080 + selector: + app: oc-auth + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/opencloud/templates/traefik.yaml b/opencloud/templates/traefik.yaml index e69de29..24b7c92 100644 --- a/opencloud/templates/traefik.yaml +++ b/opencloud/templates/traefik.yaml @@ -0,0 +1,8 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: forward-auth +spec: + forwardAuth: + address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward" + trustForwardHeader: true
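Review bot: pem.yaml templates the oc-auth keypair, including whatever sits under `private.pem`, as literal Secret data inside the chart, so the private key is versioned in git and shipped with every chart package. Even for a dev chart, reference an existing Secret (name taken from values, the way `openCloudOauth2ClientSecretName` is apparently meant to work) or generate one at install time rather than carrying the key material; the `# public-key-secret.yaml` / `# private-key-secret.yaml` comments suggest these were pasted from standalone manifests. The key contents are redacted in this view, so I cannot confirm they are valid base64; `data:` requires base64 whereas `stringData:` would take a PEM as-is, and a comment stating which form the file uses would help the next reader.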
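Review bot: The `address` points at port `8080` of `oc-auth-svc`, but service.yaml in this commit exposes the Service on `8094` (8080 is only its `targetPort`), so the forward-auth call will be refused; `address: "http://oc-auth-svc.{{ .Release.Namespace }}:8094/oc/forward"` matches the Service as defined (the `forward-auth`/`forwardauth` naming mismatch is raised on ingress.yaml). `trustForwardHeader: true` passes client-supplied `X-Forwarded-*` headers through to the auth service unchanged, which is only safe when Traefik is the sole entry point and its own forwarded-headers trust is configured; a comment such as `# trustForwardHeader: dev-only, Traefik is the only ingress in this cluster` would make that assumption explicit. The hunk targets a previously empty traefik.yaml, so the enclosing file has no other content to conflict with.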