plm/oc-k8s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixing ldap conf, initializing keto, oc-auth and co

Browse Source
This commit is contained in:
plm 2024-12-09 15:05:29 +01:00
parent ba9a971964
commit f7ae1165b9
39 changed files with 2132 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
install_development.sh
View File

@ -2,4 +2,4 @@
RELEASE_NAME=dev RELEASE_NAME=dev
RELEASE_NAMESPACE=dev RELEASE_NAMESPACE=dev
helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace --install -f opencloud/dev-values.yaml helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml

6
opencloud/Chart.yaml
View File

@ -5,7 +5,7 @@ type: application
version: 0.0.1 version: 0.0.1
appVersion: "0.0.1" appVersion: "0.0.1"
# TODO: ldap, ory hydra, keto # TODO: ory hydra, keto
dependencies: dependencies:
- name: openldap - name: openldap
repository: https://jp-gouin.github.io/helm-openldap/ repository: https://jp-gouin.github.io/helm-openldap/
@ -31,3 +31,7 @@ dependencies:
version: "0.50.2" version: "0.50.2"
repository: "https://k8s.ory.sh/helm/charts" repository: "https://k8s.ory.sh/helm/charts"
condition: hydra.enabled condition: hydra.enabled
- name: keto
version: "0.50.2"
repository: "https://k8s.ory.sh/helm/charts"
condition: keto.enabled

23
opencloud/charts/keto/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
opencloud/charts/keto/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: ory-commons
repository: file://../ory-commons
version: 0.1.0
digest: sha256:eec8978215334aad38275f0171681f1200220dccef4762ddeb197679fd287abb
generated: "2024-06-11T14:47:42.552973+02:00"

27
opencloud/charts/keto/Chart.yaml Normal file
View File

@ -0,0 +1,27 @@
apiVersion: v2
appVersion: v0.12.0
dependencies:
- alias: ory
name: ory-commons
repository: file://../ory-commons
version: 0.1.0
description: Access Control Policies as a Server
home: https://www.ory.sh/keto/
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-keto.svg
keywords:
- rbac
- hrbac
- acl
- iam
- api-security
- security
maintainers:
- email: hi@ory.sh
name: ORY Team
url: https://www.ory.sh/
name: keto
sources:
- https://github.com/ory/keto
- https://github.com/ory/k8s
type: application
version: 0.50.2

187
opencloud/charts/keto/README.md Normal file
View File

@ -0,0 +1,187 @@
# keto
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
Access Control Policies as a Server
**Homepage:** <https://www.ory.sh/keto/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| ORY Team | <hi@ory.sh> | <https://www.ory.sh/> |
## Source Code
* <https://github.com/ory/keto>
* <https://github.com/ory/k8s>
## Requirements
| Repository | Name | Version |
|------------|------|---------|
| file://../ory-commons | ory(ory-commons) | 0.1.0 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| deployment.affinity | object | `{}` | |
| deployment.annotations | object | `{}` | |
| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.automountServiceAccountToken | bool | `true` | |
| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Autoscaling for keto deployment |
| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
| deployment.customLivenessProbe | object | `{}` | |
| deployment.customReadinessProbe | object | `{}` | |
| deployment.customStartupProbe | object | `{}` | |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| deployment.extraEnv | list | `[]` | Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.extraInitContainers | object | `{}` | If you want to add extra init containers. These are processed before the migration init container. |
| deployment.extraLabels | object | `{}` | Extra labels to be added to the deployment, and pods. K8s object format expected foo: bar my.special.label/type: value |
| deployment.extraPorts | list | `[]` | Extra ports to be exposed by the main deployment |
| deployment.extraVolumeMounts | list | `[]` | Array of extra VolumeMounts to be added to the deployment. K8s format expected - name: my-volume mountPath: /etc/secrets/my-secret readOnly: true |
| deployment.extraVolumes | list | `[]` | Array of extra Volumes to be added to the deployment. K8s format expected - name: my-volume secret: secretName: my-secret |
| deployment.lifecycle | object | `{}` | |
| deployment.minReadySeconds | int | `0` | |
| deployment.nodeSelector | object | `{}` | |
| deployment.podAnnotations | object | `{}` | |
| deployment.podMetadata.annotations | object | `{}` | |
| deployment.podMetadata.labels | object | `{}` | |
| deployment.podSecurityContext | object | `{}` | |
| deployment.readinessProbe.failureThreshold | int | `5` | |
| deployment.readinessProbe.initialDelaySeconds | int | `5` | |
| deployment.readinessProbe.periodSeconds | int | `10` | |
| deployment.resources | object | `{}` | |
| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| deployment.startupProbe.failureThreshold | int | `5` | |
| deployment.startupProbe.initialDelaySeconds | int | `0` | |
| deployment.startupProbe.periodSeconds | int | `1` | |
| deployment.startupProbe.successThreshold | int | `1` | |
| deployment.startupProbe.timeoutSeconds | int | `1` | |
| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | |
| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
| deployment.strategy.type | string | `"RollingUpdate"` | |
| deployment.terminationGracePeriodSeconds | int | `60` | |
| deployment.tolerations | list | `[]` | |
| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
| extraServices | object | `{}` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy |
| image.repository | string | `"oryd/keto"` | Ory KETO image |
| image.tag | string | `"v0.12.0"` | Ory KETO version |
| imagePullSecrets | list | `[]` | |
| ingress.read.annotations | object | `{}` | |
| ingress.read.className | string | `""` | |
| ingress.read.enabled | bool | `false` | |
| ingress.read.hosts[0].host | string | `"chart-example.local"` | |
| ingress.read.hosts[0].paths[0].path | string | `"/read"` | |
| ingress.read.hosts[0].paths[0].pathType | string | `"Prefix"` | |
| ingress.read.tls | list | `[]` | |
| ingress.write.annotations | object | `{}` | |
| ingress.write.className | string | `""` | |
| ingress.write.enabled | bool | `false` | |
| ingress.write.hosts[0].host | string | `"chart-example.local"` | |
| ingress.write.hosts[0].paths[0].path | string | `"/write"` | |
| ingress.write.hosts[0].paths[0].pathType | string | `"Prefix"` | |
| ingress.write.tls | list | `[]` | |
| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
| job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| job.extraInitContainers | string | `""` | If you want to add extra init containers. |
| job.lifecycle | string | `""` | If you want to add lifecycle hooks. |
| job.nodeSelector | object | `{}` | Node labels for pod assignment. |
| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| job.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| job.podMetadata.labels | object | `{}` | Extra pod level labels |
| job.resources | object | `{}` | Job resources |
| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
| job.spec.backoffLimit | int | `10` | Set job back off limit |
| job.tolerations | list | `[]` | Configure node tolerations. |
| keto.automigration | object | `{"customArgs":[],"customCommand":[],"enabled":false,"resources":{},"type":"job"}` | Enables database migration |
| keto.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - keto |
| keto.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) |
| keto.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer |
| keto.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job |
| keto.command | list | `["keto"]` | Ability to override the entrypoint of keto container (e.g. to source dynamic secrets or export environment dynamic variables) |
| keto.config | object | `{"dsn":"memory","namespaces":[{"id":0,"name":"sample"}],"serve":{"metrics":{"port":4468},"read":{"port":4466},"write":{"port":4467}}}` | Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration |
| keto.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
| nameOverride | string | `""` | |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |
| pdb.spec.minAvailable | string | `""` | |
| podSecurityContext.fsGroup | int | `65534` | |
| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| podSecurityContext.runAsGroup | int | `65534` | |
| podSecurityContext.runAsNonRoot | bool | `true` | |
| podSecurityContext.runAsUser | int | `65534` | |
| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of replicas in deployment |
| secret.enabled | bool | `true` | Switch to false to prevent creating the secret |
| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.privileged | bool | `false` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.runAsGroup | int | `65534` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.runAsUser | int | `65534` | |
| securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| service.metrics.annotations | object | `{}` | |
| service.metrics.enabled | bool | `false` | |
| service.metrics.loadBalancerIP | string | `""` | |
| service.metrics.name | string | `"http-metrics"` | |
| service.metrics.port | int | `80` | |
| service.metrics.type | string | `"ClusterIP"` | |
| service.read.appProtocol | string | `"grpc"` | |
| service.read.clusterIP | string | `""` | |
| service.read.enabled | bool | `true` | |
| service.read.headless.enabled | bool | `true` | |
| service.read.loadBalancerIP | string | `""` | |
| service.read.name | string | `"grpc-read"` | |
| service.read.port | int | `80` | |
| service.read.type | string | `"ClusterIP"` | |
| service.write.appProtocol | string | `"grpc"` | |
| service.write.clusterIP | string | `""` | |
| service.write.enabled | bool | `true` | |
| service.write.headless.enabled | bool | `true` | |
| service.write.loadBalancerIP | string | `""` | |
| service.write.name | string | `"grpc-write"` | |
| service.write.port | int | `80` | |
| service.write.type | string | `"ClusterIP"` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended |
| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
| test.labels | object | `{}` | Provide additional labels to the test pod |
| watcher.automountServiceAccountToken | bool | `true` | |
| watcher.enabled | bool | `false` | |
| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` | |
| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
| watcher.resources | object | `{}` | |
| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

23
opencloud/charts/keto/charts/ory-commons/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
opencloud/charts/keto/charts/ory-commons/Chart.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 0.0.0
description: 'Collection of helper function for the Ory Helm environment '
name: ory-commons
type: library
version: 0.1.0

12
opencloud/charts/keto/charts/ory-commons/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,12 @@
{{/*
Check if list contains object
*/}}
{{- define "ory.extraEnvContainsEnvName" -}}
{{- $extraEnvs := index . 0 -}}
{{- $envName := index . 1 -}}
{{- range $k, $v := $extraEnvs -}}
{{- if eq $v.name $envName -}}
found
{{- end -}}
{{- end -}}
{{- end -}}

17
opencloud/charts/keto/files/watch.sh Normal file
View File

@ -0,0 +1,17 @@
set -Eeuo pipefail
set -x
function rollOut() {
DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
kubectl rollout status -n $NAMESPACE ${DEPLOY}
}
while true; do
# After change in the CM the symlink is recreated, so we need to restart the monitor
inotifywait --event DELETE_SELF "${WATCH_FILE}" |
while read path _ file; do
echo "---> $path$file modified"
rollOut "${LABEL_SELECTOR}"
done
done

33
opencloud/charts/keto/templates/NOTES.txt Normal file
View File

@ -0,0 +1,33 @@
1. Get the application URL by running these commands:
{{- if or .Values.ingress.read.enabled .Values.ingress.write.enabled -}}
Read endpoint available at:
{{- range $host := .Values.ingress.read.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
Write endpoint available at:
{{- range $host := .Values.ingress.write.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }}
export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-read)
export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
Read endpoint available at: http://$NODE_IP:$NODE_PORT_READ
Write endpoint available at: http://$NODE_IP:$NODE_PORT_WRITE
{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.read.type ) }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}-read'
export SERVICE_IP_READ=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-read --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
export SERVICE_IP_WRITE=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-write --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
Read endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.read.port }}
Write endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.write.port }}
{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.read.type ) }}
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-read {{ .Values.keto.config.serve.read.port }}:80
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-write {{ .Values.keto.config.serve.write.port }}:80
Read endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.read.port }}
Write endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.write.port }}
{{- end }}

130
opencloud/charts/keto/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,130 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "keto.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "keto.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create a secret name which can be overridden.
*/}}
{{- define "keto.secretname" -}}
{{- if .Values.secret.nameOverride -}}
{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ include "keto.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "keto.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Generate the dsn value
*/}}
{{- define "keto.dsn" -}}
{{- if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
dsn-loaded-from-env
{{- else if not (empty (.Values.keto.config.dsn)) -}}
{{- .Values.keto.config.dsn }}
{{- end -}}
{{- end -}}
{{/*
Generate the configmap data, redacting secrets
*/}}
{{- define "keto.configmap" -}}
{{- $config := omit .Values.keto.config "dsn" -}}
{{- tpl (toYaml $config) . -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "keto.labels" -}}
helm.sh/chart: {{ include "keto.chart" . }}
{{ include "keto.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if $.Values.watcher.enabled }}
{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "keto.name" .) }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "keto.selectorLabels" -}}
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "keto.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "keto.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "keto.job.serviceAccountName" -}}
{{- if .Values.job.serviceAccount.create }}
{{- printf "%s-job" (default (include "keto.fullname" .) .Values.job.serviceAccount.name) }}
{{- else }}
{{- include "keto.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Checksum annotations generated from configmaps and secrets
*/}}
{{- define "keto.annotations.checksum" -}}
{{- if .Values.configmap.hashSumEnabled }}
checksum/keto-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
checksum/keto-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{/*
Check the migration type value and fail if unexpected
*/}}
{{- define "keto.automigration.typeVerification" -}}
{{- if and .Values.keto.automigration.enabled .Values.keto.automigration.type }}
{{- if and (ne .Values.keto.automigration.type "initContainer") (ne .Values.keto.automigration.type "job") }}
{{- fail "keto.automigration.type must be either 'initContainer' or 'job'" -}}
{{- end }}
{{- end }}
{{- end }}

18
opencloud/charts/keto/templates/configmap-migrate.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keto.fullname" . }}-migrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
data:
"keto.yaml": |
{{- include "keto.configmap" . | nindent 4 }}
{{- end }}

12
opencloud/charts/keto/templates/configmap.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keto.fullname" . }}-config
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
data:
"keto.yaml": |
{{- include "keto.configmap" . | nindent 4 }}

75
opencloud/charts/keto/templates/deployment-watcher.yaml Normal file
View File

@ -0,0 +1,75 @@
{{- if .Values.watcher.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.watcher.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.watcher.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: watcher
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
image: {{ .Values.watcher.image }}
command:
- /bin/bash
- -c
- |
{{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
env:
- name: NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: WATCH_FILE
value: {{ .Values.watcher.mountFile | quote }}
- name: LABEL_SELECTOR
value: '{{ $.Values.watcher.watchLabelKey }}={{ include "keto.name" . }}'
resources:
{{- toYaml .Values.watcher.resources | nindent 12 }}
volumeMounts:
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}

232
opencloud/charts/keto/templates/deployment.yaml Normal file
View File

@ -0,0 +1,232 @@
{{- $podAnnotations := ternary .Values.deployment.podAnnotations .Values.podAnnotations (not (empty .Values.deployment.podAnnotations )) -}}
{{- $automountServiceAccountToken := ternary .Values.deployment.automountServiceAccountToken .Values.automountServiceAccountToken (not (empty .Values.deployment.automountServiceAccountToken )) -}}
{{- $livenessProbe := ternary .Values.deployment.livenessProbe .Values.livenessProbe (not (empty .Values.deployment.livenessProbe )) -}}
{{- $readinessProbe := ternary .Values.deployment.readinessProbe .Values.readinessProbe (not (empty .Values.deployment.readinessProbe )) -}}
{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
{{- $resources := ternary .Values.deployment.resources .Values.resources (not (empty .Values.deployment.resources )) -}}
{{- $extraInitContainers := ternary .Values.deployment.extraInitContainers .Values.extraInitContainers (not (empty .Values.deployment.extraInitContainers )) -}}
{{- $extraContainers := ternary .Values.deployment.extraContainers .Values.extraContainers (not (empty .Values.deployment.extraContainers )) -}}
{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
{{- $nodeSelector := ternary .Values.deployment.nodeSelector .Values.nodeSelector (not (empty .Values.deployment.nodeSelector )) -}}
{{- $affinity := ternary .Values.deployment.affinity .Values.affinity (not (empty .Values.deployment.affinity )) -}}
{{- $tolerations := ternary .Values.deployment.tolerations .Values.tolerations (not (empty .Values.deployment.tolerations )) -}}
{{- $topologySpreadConstraints := ternary .Values.deployment.topologySpreadConstraints .Values.topologySpreadConstraints (not (empty .Values.deployment.topologySpreadConstraints )) -}}
{{- include "keto.automigration.typeVerification" . -}}
{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- if not $autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
strategy:
{{- toYaml .Values.deployment.strategy | nindent 4 }}
selector:
matchLabels:
{{- include "keto.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
{{- include "keto.annotations.checksum" . | indent 8 -}}
{{- with $podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "keto.selectorLabels" . | nindent 8 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
initContainers:
{{- if $extraInitContainers}}
{{- tpl $extraInitContainers . | nindent 8 }}
{{- end }}
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "initContainer" ) }}
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.keto.automigration.customCommand }}
command: {{- toYaml .Values.keto.automigration.customCommand | nindent 12 }}
{{- else }}
command: ["keto"]
{{- end }}
{{- if .Values.keto.automigration.customArgs }}
args: {{- toYaml .Values.keto.automigration.customArgs | nindent 12 }}
{{- else }}
args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if $migrationExtraEnv }}
{{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
{{- end }}
{{- with .Values.keto.automigration.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
serviceAccountName: {{ include "keto.serviceAccountName" . }}
automountServiceAccountToken: {{ $automountServiceAccountToken }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: {{- toYaml .Values.keto.command | nindent 12 }}
{{- if .Values.keto.customArgs }}
args: {{- toYaml .Values.keto.customArgs | nindent 12 }}
{{- else }}
args:
- serve
- --config
- /etc/config/keto.yaml
{{- end }}
ports:
- name: {{ .Values.service.read.name }}
containerPort: {{ .Values.keto.config.serve.read.port }}
protocol: TCP
- name: {{ .Values.service.write.name }}
containerPort: {{ .Values.keto.config.serve.write.port }}
protocol: TCP
- name: {{ .Values.service.metrics.name }}
containerPort: {{ .Values.keto.config.serve.metrics.port }}
protocol: TCP
{{- with .Values.deployment.extraPorts }}
{{- toYaml . | nindent 12 }}
{{- end }}
lifecycle:
{{- toYaml .Values.deployment.lifecycle | nindent 12 }}
{{- if .Values.deployment.customLivenessProbe }}
livenessProbe:
{{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
{{- end }}
readinessProbe:
{{- if .Values.deployment.customReadinessProbe }}
{{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/alive
port: {{ .Values.keto.config.serve.write.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml $readinessProbe | nindent 12 }}
{{- end }}
startupProbe:
{{- if .Values.deployment.customStartupProbe }}
{{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/ready
port: {{ .Values.keto.config.serve.write.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.startupProbe | nindent 12 }}
{{- end }}
resources:
{{- toYaml $resources | nindent 12 }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if .Values.deployment.extraEnv }}
{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if $extraContainers }}
{{- tpl $extraContainers . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "keto.name" . }}-config-volume
configMap:
name: {{ include "keto.fullname" . }}-config
{{- with $extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}

38
opencloud/charts/keto/templates/hpa.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- $autoscaling := ternary .Values.deployment.autoscaling .Values.autoscaling (not (empty .Values.deployment.autoscaling )) -}}
{{- if $autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
spec:
{{- with $autoscaling.behavior }}
behavior: {{- toYaml . | nindent 4 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "keto.fullname" . }}
minReplicas: {{ $autoscaling.minReplicas }}
maxReplicas: {{ $autoscaling.maxReplicas }}
metrics:
{{- with $autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $autoscaling.targetCPU}}
- type: Resource
resource:
name: cpu
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

54
opencloud/charts/keto/templates/ingress-read.yaml Normal file
View File

@ -0,0 +1,54 @@
{{- if .Values.ingress.read.enabled -}}
{{- $fullName := include "keto.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-read
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.ingress.read.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.read.className }}
{{- if .Values.ingress.read.tls }}
tls:
{{- range .Values.ingress.read.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.read.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-read
port:
name: {{ $.Values.service.read.name }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.read.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

54
opencloud/charts/keto/templates/ingress-write.yaml Normal file
View File

@ -0,0 +1,54 @@
{{- if .Values.ingress.write.enabled -}}
{{- $fullName := include "keto.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-write
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.ingress.write.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.write.className }}
{{- if .Values.ingress.write.tls }}
tls:
{{- range .Values.ingress.write.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.write.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-write
port:
name: {{ $.Values.service.write.name }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.write.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

123
opencloud/charts/keto/templates/job-migration.yaml Normal file
View File

@ -0,0 +1,123 @@
{{- include "keto.automigration.typeVerification" . -}}
{{- if and ( .Values.keto.automigration.enabled ) ( eq .Values.keto.automigration.type "job" ) }}
{{- $extraLabels := ternary .Values.deployment.extraLabels .Values.extraLabels (not (empty .Values.deployment.extraLabels )) -}}
{{- $extraVolumeMounts := ternary .Values.deployment.extraVolumeMounts .Values.extraVolumeMounts (not (empty .Values.deployment.extraVolumeMounts )) -}}
{{- $extraVolumes := ternary .Values.deployment.extraVolumes .Values.extraVolumes (not (empty .Values.deployment.extraVolumes )) -}}
{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "keto.fullname" . }}-automigrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with $extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.fullname" . }}-automigrate
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with $extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "keto.job.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.keto.automigration.customCommand }}
command: {{- toYaml .Values.keto.automigration.customCommand | nindent 10 }}
{{- else }}
command: ["keto"]
{{- end }}
{{- if .Values.keto.automigration.customArgs }}
args: {{- toYaml .Values.keto.automigration.customArgs | nindent 10 }}
{{- else }}
args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
{{- end }}
{{- if .Values.job.lifecycle }}
{{- tpl .Values.job.lifecycle . | nindent 8 }}
{{- end }}
volumeMounts:
- name: {{ include "keto.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with $extraVolumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
env:
{{- if not (empty ( include "keto.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "keto.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $migrationExtraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.job.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
{{- end }}
{{- if .Values.job.extraContainers }}
{{- tpl .Values.job.extraContainers . | nindent 6 }}
{{- end }}
{{- if .Values.job.extraInitContainers }}
initContainers:
{{- tpl .Values.job.extraInitContainers . | nindent 8 }}
{{- end }}
restartPolicy: Never
volumes:
- name: {{ include "keto.name" . }}-config-volume
configMap:
name: {{ include "keto.fullname" . }}-migrate
{{- with $extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
backoffLimit: {{ .Values.job.spec.backoffLimit }}
{{- end }}

17
opencloud/charts/keto/templates/job-rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.job.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.job.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.job.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}

20
opencloud/charts/keto/templates/pdb.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "keto.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "keto.selectorLabels" . | nindent 6 }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}

55
opencloud/charts/keto/templates/rbac-watcher.yaml Normal file
View File

@ -0,0 +1,55 @@
{{- if .Values.watcher.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.serviceAccountName" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- list
- watch
- get
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- get
- list
- patch
- update
- watch
resourceNames:
- {{ include "keto.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "keto.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "keto.fullname" . }}-watcher
subjects:
- kind: ServiceAccount
name: {{ include "keto.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
{{- end }}

17
opencloud/charts/keto/templates/rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keto.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "keto.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end }}

18
opencloud/charts/keto/templates/secrets.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if .Values.secret.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "keto.secretname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "keto.labels" . | indent 4 }}
annotations:
{{- with .Values.secret.secretAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
data:
dsn: {{ include "keto.dsn" . | b64enc | quote }}
{{- end }}

32
opencloud/charts/keto/templates/service-extraServices.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- range $ServiceName, $ServiceData := .Values.extraServices }}
{{- if $ServiceData.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" $ }}-{{ $ServiceName }}
{{- if $.Release.Namespace }}
namespace: {{ $.Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: {{ $ServiceName }}
{{- include "keto.labels" $ | nindent 4 }}
spec:
type: {{ $ServiceData.type }}
{{- if eq $ServiceData.type "LoadBalancer" }}
{{- with $ServiceData.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ $ServiceData.port }}
targetPort: {{ $ServiceData.name }}
protocol: TCP
name: {{ $ServiceData.name }}
selector:
app.kubernetes.io/name: {{ include "keto.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- end }}
{{- end }}

27
opencloud/charts/keto/templates/service-metrics.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.service.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-metrics
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: metrics
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.metrics.type }}
{{- if eq .Values.service.metrics.type "LoadBalancer" }}
{{- with .Values.service.metrics.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.metrics.port }}
targetPort: {{ .Values.service.metrics.name }}
protocol: TCP
name: {{ .Values.service.metrics.name }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{ end }}

60
opencloud/charts/keto/templates/service-read.yaml Normal file
View File

@ -0,0 +1,60 @@
{{- if .Values.service.read.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-read
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: read
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.read.type }}
{{- if eq .Values.service.read.type "LoadBalancer" }}
{{- with .Values.service.read.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
{{- if eq .Values.service.read.type "ClusterIP" }}
{{- with .Values.service.read.clusterIP }}
clusterIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.read.port }}
targetPort: {{ .Values.service.read.name }}
protocol: TCP
name: {{ .Values.service.read.name }}
appProtocol: {{ .Values.service.read.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.service.read.headless.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-read-headless
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
service.ory.sh/type: headless
app.kubernetes.io/component: read
{{- include "keto.labels" . | nindent 4 }}
spec:
type: "ClusterIP"
clusterIP: "None"
ports:
- port: {{ .Values.keto.config.serve.read.port }}
targetPort: {{ .Values.service.read.name }}
protocol: TCP
name: {{ .Values.service.read.name }}
appProtocol: {{ .Values.service.read.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}

59
opencloud/charts/keto/templates/service-write.yaml Normal file
View File

@ -0,0 +1,59 @@
{{- if .Values.service.write.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-write
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: write
{{- include "keto.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.write.type }}
{{- if eq .Values.service.write.type "LoadBalancer" }}
{{- with .Values.service.write.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
{{- if eq .Values.service.write.type "ClusterIP" }}
{{- with .Values.service.write.clusterIP }}
clusterIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.write.port }}
targetPort: {{ .Values.service.write.name }}
protocol: TCP
name: {{ .Values.service.write.name }}
appProtocol: {{ .Values.service.write.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.service.write.headless.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "keto.fullname" . }}-write-headless
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
service.ory.sh/type: headless
app.kubernetes.io/component: write
{{- include "keto.labels" . | nindent 4 }}
spec:
type: "ClusterIP"
clusterIP: "None"
ports:
- port: {{ .Values.keto.config.serve.write.port }}
targetPort: {{ .Values.service.write.name }}
protocol: TCP
name: {{ .Values.service.write.name }}
appProtocol: {{ .Values.service.write.appProtocol }}
selector:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}

36
opencloud/charts/keto/templates/servicemonitor-metrics.yaml Normal file
View File

@ -0,0 +1,36 @@
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") (.Values.service.metrics.enabled) }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "keto.fullname" . }}-metrics
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: metrics
{{ include "keto.labels" . | indent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.metrics.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- path: /metrics/prometheus
port: {{ .Values.service.metrics.name }}
scheme: {{ .Values.serviceMonitor.scheme }}
interval: {{ .Values.serviceMonitor.scrapeInterval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "keto.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: metrics
{{- end -}}

20
opencloud/charts/keto/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "keto.fullname" . }}-test-connection"
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "keto.labels" . | nindent 4 }}
{{- with .Values.test.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
helm.sh/hook: test-success
spec:
containers:
- name: wget
image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
command: ['wget']
args: ['{{ include "keto.fullname" . }}-write:{{ .Values.service.write.port }}/health/ready']
restartPolicy: Never

471
opencloud/charts/keto/values.yaml Normal file
View File

@ -0,0 +1,471 @@
# Default values for keto.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Number of replicas in deployment
replicaCount: 1
## -- Image configuration
image:
# -- Ory KETO image
repository: oryd/keto
# -- Default image pull policy
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
# -- Ory KETO version
tag: "v0.12.0"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- Pod priority
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## -- ServiceAccount
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
## -- pod securityContext for hydra & migration init
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
runAsUser: 65534
fsGroup: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
## -- container securityContext for hydra & migration init
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
allowPrivilegeEscalation: false
privileged: false
seLinuxOptions:
level: "s0:c123,c456"
## -- Values for initialization job
job:
# -- If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations:
helm.sh/hook-weight: "1"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- If you want to add extra init containers.
extraInitContainers: ""
# extraInitContainers: |
# - name: ...
# image: ...
# -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
# is expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
# foo: bar
# -- Configure node tolerations.
tolerations: []
# -- Job resources
resources: {}
# -- If you want to add lifecycle hooks.
lifecycle: ""
# lifecycle: |
# preStop:
# exec:
# command: [...]
# -- Set automounting of the SA token
automountServiceAccountToken: false
# -- Set sharing process namespace
shareProcessNamespace: false
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
spec:
# -- Set job back off limit
backoffLimit: 10
## -- Ingress definitions
ingress:
read:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /read
pathType: Prefix
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
write:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /write
pathType: Prefix
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## -- Service configurations
service:
## -- Read service
read:
enabled: true
type: ClusterIP
clusterIP: ""
## -- The load balancer IP
loadBalancerIP: ""
name: grpc-read
port: 80
appProtocol: grpc
## -- Enable extra headless service
headless:
enabled: true
## -- Write service
write:
enabled: true
type: ClusterIP
clusterIP: ""
## -- The load balancer IP
loadBalancerIP: ""
name: grpc-write
port: 80
appProtocol: grpc
## -- Enable extra headless service
headless:
enabled: true
## -- Metrics service
metrics:
enabled: false
type: ClusterIP
## -- The load balancer IP
loadBalancerIP: ""
name: http-metrics
port: 80
annotations: {}
## -- Extra services to be deployed
extraServices: {}
## -- Secret management
secret:
# -- Switch to false to prevent creating the secret
enabled: true
# -- Provide custom name of existing secret, or custom name of secret to be created
nameOverride: ""
# nameOverride: "myCustomSecret"
# -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
secretAnnotations:
# Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
# pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
helm.sh/resource-policy: "keep"
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
## -- Main application config.
keto:
# -- Ability to override the entrypoint of keto container
# (e.g. to source dynamic secrets or export environment dynamic variables)
command: ["keto"]
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
customArgs: []
# -- Enables database migration
automigration:
enabled: false
# -- Configure the way to execute database migration. Possible values: job, initContainer
# When set to job, the migration will be executed as a job on release or upgrade.
# When set to initContainer, the migration will be executed when kratos pod is created
# Defaults to job
type: job
# -- Ability to override the entrypoint of the automigration container
# (e.g. to source dynamic secrets or export environment dynamic variables)
customCommand: []
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
# eg:
# - sleep 5;
# - keto
customArgs: []
# -- resource requests and limits for the automigration initcontainer
resources: {}
# -- Direct keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration
config:
serve:
read:
port: 4466
write:
port: 4467
metrics:
port: 4468
namespaces:
- id: 0
name: sample
dsn: memory
## -- Configure the probes for when the deployment is considered ready and ongoing health check
deployment:
## -- Specify pod deployment strategy
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: "25%"
maxUnavailable: "25%"
## -- Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)
minReadySeconds: 0
## -- DEPRECATED Set custom pod annotations
podAnnotations: {}
## -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
## -- Extra pod level labels
labels: {}
## -- Extra pod level annotations
annotations: {}
## -- Set custom security context for pods
podSecurityContext: {}
# fsGroup: 2000
# https://github.com/kubernetes/kubernetes/issues/57601
automountServiceAccountToken: true
lifecycle: {}
## -- Default probe timers
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 5
## -- Default probe timers
startupProbe:
failureThreshold: 5
successThreshold: 1
periodSeconds: 1
timeoutSeconds: 1
initialDelaySeconds: 0
## -- Configure a custom livenessProbe. This overwrites the default object
customLivenessProbe: {}
## -- Configure a custom readinessProbe. This overwrites the default object
customReadinessProbe: {}
## -- Configure a custom startupProbe. This overwrites the default object
customStartupProbe: {}
## -- Add custom annotations to the deployment
annotations: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- Autoscaling for keto deployment
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPU: {}
# type: Utilization
# averageUtilization: 80
targetMemory: {}
# type: Utilization
# averageUtilization: 80
# -- Set custom behavior
# https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
behavior: {}
nodeSelector: {}
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- Array of extra Envs to be added to the deployment. Kubernetes format expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Array of extra Volumes to be added to the deployment. K8s format expected
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumes: []
# -- Array of extra VolumeMounts to be added to the deployment. K8s format expected
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
extraVolumeMounts: []
# -- If you want to add extra init containers. These are processed before the migration init container.
extraInitContainers: {}
# extraInitContainers: |
# - name: ...
# image: ...
# -- Extra labels to be added to the deployment, and pods. K8s object format expected
# foo: bar
# my.special.label/type: value
extraLabels: {}
# -- Extra ports to be exposed by the main deployment
extraPorts: []
tolerations: []
affinity: {}
# -- Configure pod topologySpreadConstraints.
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: keto
# app.kubernetes.io/instance: keto
# -- Configure pod dnsConfig.
dnsConfig: {}
# options:
# - name: "ndots"
# value: "1"
# -- Parameters for the automigration initContainer
automigration:
# -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
# Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Number of revisions kept in history
revisionHistoryLimit: 5
terminationGracePeriodSeconds: 60
## -- Watcher sidecar configuration
watcher:
enabled: false
image: oryd/k8s-toolbox:v0.0.7
# -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo
mountFile: ""
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Label key used for managing applications
watchLabelKey: "ory.sh/watcher"
# -- Number of revisions kept in history
revisionHistoryLimit: 5
automountServiceAccountToken: true
resources: {}
## -- PodDistributionBudget configuration
pdb:
enabled: false
spec:
minAvailable: ""
maxUnavailable: ""
## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
# -- HTTP scheme to use for scraping.
scheme: http
# -- Interval at which metrics should be scraped
scrapeInterval: 60s
# -- Timeout after which the scrape is ended
scrapeTimeout: 30s
# -- Provide additionnal labels to the ServiceMonitor ressource metadata
labels: {}
# -- TLS configuration to use when scraping the endpoint
tlsConfig: {}
configmap:
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
test:
# -- Provide additional labels to the test pod
labels: {}
# -- use a busybox image from another repository
busybox:
repository: busybox
tag: 1

79
opencloud/dev-values.yaml
View File

@ -68,14 +68,14 @@ openldap:
tls: tls:
enabled: false enabled: false
env: env:
LDAP_ORGANISATION: "Acme opencloud" LDAP_ORGANISATION: "Example opencloud"
LDAP_DOMAIN: "acme.com" LDAP_DOMAIN: "example.com"
LDAP_BACKEND: "mdb" LDAP_BACKEND: "mdb"
LDAP_TLS: "false" LDAP_TLS: "false"
LDAP_TLS_ENFORCE: "false" LDAP_TLS_ENFORCE: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
adminPassword: "goaChai9" adminPassword: "admin@password"
configPassword: "xaidee2M" configPassword: "config@password"
phpldapadmin: phpldapadmin:
enabled: false enabled: false
persistence: persistence:
@ -88,22 +88,22 @@ openldap:
customLdifFiles: customLdifFiles:
01-schema.ldif: |- 01-schema.ldif: |-
dn: ou=groups,dc=acme,dc=com dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit objectClass: organizationalUnit
ou: groups ou: groups
dn: ou=users,dc=acme,dc=com dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit objectClass: organizationalUnit
ou: users ou: users
dn: cn=lastGID,dc=acme,dc=com dn: cn=lastGID,dc=example,dc=com
objectClass: device objectClass: device
objectClass: top objectClass: top
description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group. description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group.
cn: lastGID cn: lastGID
serialNumber: 2001 serialNumber: 2001
dn: cn=lastUID,dc=acme,dc=com dn: cn=lastUID,dc=example,dc=com
objectClass: device objectClass: device
objectClass: top objectClass: top
serialNumber: 2001 serialNumber: 2001
@ -111,44 +111,43 @@ openldap:
cn: lastUID cn: lastUID
02-ldapadmin.ldif : |- 02-ldapadmin.ldif : |-
dn: cn=ldapadmin,ou=groups,dc=acme,dc=com dn: cn=ldapadmin,ou=groups,dc=example,dc=com
objectClass: top objectClass: top
objectClass: posixGroup objectClass: posixGroup
cn: ldapadmin cn: ldapadmin
memberUid: acme.ldapadmin memberUid: ldapadmin
gidNumber: 2001 gidNumber: 2001
dn: uid=acme.ldapadmin,ou=users,dc=acme,dc=com dn: uid=ldapadmin,ou=users,dc=example,dc=com
givenName: ldapadmin givenName: ldap
sn: ldapadmin sn: admin
uid: acme.ldapadmin uid: ldapadmin
cn: acmeldapadmin cn: ldapadmin
mail: ldapadmin@example.com
objectClass: person objectClass: person
objectClass: inetOrgPerson objectClass: inetOrgPerson
objectClass: posixAccount objectClass: posixAccount
userPassword:: e0NSWVBUfSQ2JDhycFZxbk5NJHNmWVhBYUNYUzdZbXFhR1VWTjdJa20wT2hXLmVtT3oua2x5L3V5YUdjNE81MDVEalU0R2ZMb0hTaFVwNUkvVUxFT0JubWJ2d29meFNFcXIuaFRVMm0u userPassword: ldapadmin
uidNumber: 2001 uidNumber: 2001
gidNumber: 2001 gidNumber: 2001
loginShell: /bin/bash loginShell: /bin/bash
homeDirectory: /home/acme.ldapadmin homeDirectory: /home/ldapadmin
#acme.ldapadmin ia3Bahr3
# ldap user manager configuration # ldap user manager configuration
ldapUserManager: ldapUserManager:
enabled: true enabled: true
env: env:
SERVER_HOSTNAME: "users.acme.com" SERVER_HOSTNAME: "users.example.com"
LDAP_BASE_DN: "dc=acme,dc=com" LDAP_BASE_DN: "dc=example,dc=com"
LDAP_REQUIRE_STARTTLS: "false" LDAP_REQUIRE_STARTTLS: "false"
LDAP_ADMINS_GROUP: "ldapadmin" LDAP_ADMINS_GROUP: "ldapadmin"
LDAP_ADMIN_BIND_DN: "cn=admin,dc=acme,dc=com" LDAP_ADMIN_BIND_DN: "cn=admin,dc=example,dc=com"
LDAP_ADMIN_BIND_PWD: "goaChai9" LDAP_ADMIN_BIND_PWD: "admin@password"
LDAP_IGNORE_CERT_ERRORS: "true" LDAP_IGNORE_CERT_ERRORS: "true"
EMAIL_DOMAIN: "" EMAIL_DOMAIN: ""
NO_HTTPS: "true" NO_HTTPS: "true"
SERVER_PATH: "/users" SERVER_PATH: "/users"
ORGANISATION_NAME: "Acme" ORGANISATION_NAME: "Example"
LDAP_USER_OU: "users" LDAP_USER_OU: "users"
LDAP_GROUP_OU: "groups" LDAP_GROUP_OU: "groups"
ACCEPT_WEAK_PASSWORDS: "true" ACCEPT_WEAK_PASSWORDS: "true"
@ -176,15 +175,37 @@ traefik:
hydra: hydra:
enabled: true enabled: true
maester: maester:
enabled: false enabled: true
hydra: hydra:
dev: true dev: true
config: config:
dsn: memory dsn: memory
urls: urls:
login: http://localhost/auth/login login: http://localhost/authentication/login
consent: http://localhost/auth/consent consent: http://localhost/consent/consent
logout: http://localhost/auth/logout logout: http://localhost/authentication/logout
self: self:
issuer: http://localhost/auth issuer: http://localhost/idp
keto:
enabled: true
ocAuth:
enabled: false
image: oc-auth:latest
authType: hydra
hydra:
adminRole: admin
openCloudOauth2ClientSecretName: oc-auth-got-secret
ldap:
bindDn: "cn=admin,dc=example,dc=com"
binPwd: "password"
baseDn: "dc=example,dc=com"
roleBaseDn: "ou=AppRoles,dc=example,dc=com"
resources:
limits:
cpu: "128m"
memory: "128Mi"
requests:
cpu: "128m"
memory: "256Mi"

80
opencloud/templates/oc-auth/deployment.yaml Normal file
View File

@ -0,0 +1,80 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oc-auth
name: {{ .Release.Name }}-oc-auth
spec:
replicas: 1
selector:
matchLabels:
app: oc-auth
strategy: {}
template:
metadata:
labels:
app: oc-auth
spec:
volumes:
- name: public-key-volume
secret:
secretName: public-key-secret
- name: private-key-volume
secret:
secretName: private-key-secret
containers:
- image: "{{ .Values.ocAuth.image }}"
name: oc-auth
volumeMounts:
- name: public-key-volume
mountPath: /keys/public
subPath: public.pem
- name: private-key-volume
mountPath: /keys/private
subPath: private.pem
env:
- name: OCAUTH_ADMIN_ROLE
value: "{{ .Values.ocAuth.hydra }}"
- name: OCAUTH_PUBLIC_KEY_PATH
value: /keys/public/public.pem
- name: OCAUTH_PRIVATE_KEY_PATH
value: /keys/private/private.pem
- name: OCAUTH_CLIENT_SECRET
value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
- name: OCAUTH_AUTH
value: "{{ .Values.ocAuth.authType }}"
- name: OCAUTH_AUTH_CONNECTOR_HOST
value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
- name: OCAUTH_AUTH_CONNECTOR_PORT
value: 4444
- name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
value: 4445
- name: OCAUTH_PERMISSION_CONNECTOR_HOST
value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
- name: OCAUTH_PERMISSION_CONNECTOR_PORT
value: 80
- name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
value: 80
- name: OCAUTH_LDAP_ENDPOINTS
value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
- name: OCAUTH_LDAP_BINDDN
value: "{{ index .Values.ocAuth.ldap.bindDn }}"
- name: OCAUTH_LDAP_BINDPW
value: "{{ index .Values.ocAuth.ldap.binPwd }}"
- name: OCAUTH_LDAP_BASEDN
value: "{{ index .Values.ocAuth.ldap.baseDn }}"
- name: OCAUTH_LDAP_ROLE_BASEDN
value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
{{- end }}

20
opencloud/templates/oc-auth/ingress.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: oc-auth-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`)
priority: 10
services:
- kind: Service
name: oc-auth-svc
passHostHeader: true
port: 8094
middlewares:
- name: forwardauth
{{- end }}

26
opencloud/templates/oc-auth/openCloudOauth2.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: openCloudClient
spec:
clientId: test-client
clientSecret: oc-auth-got-secret
grantTypes:
- implicit
- refresh_token
- authorization_code
- client_credentials
responseTypes:
- id_token
- token
- code
redirectUris:
- https://myapp.example.com/callback
scope: openid profile email roles
tokenEndpointAuthMethod: client_secret_post
postLogoutRedirectUris:
-http://localhost:3000
allowedCorsOrigins:
- http://localhost
{{- end }}

21
opencloud/templates/oc-auth/pem.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if index .Values.ocAuth.enabled }}
# public-key-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: public-key-secret
type: Opaque
data:
public.pem: |
LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
---
# private-key-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: private-key-secret
type: Opaque
data:
private.pem: |
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdzJwZEc2d010dUxjUDArazFMRnZJYjBEUW8vb0hXMnVOSmFFSks3NHBsWHFwNHp0CnoyZFJiK1JRSEZMZUx1cWs0aS96YzNiNEszZktQWFNsd25WUEpDd3pQcm55VDhqWUdPWlZsV2xFVGlWOXhlSmgKdTZzL0JoNmcxUFd6NzVYamp3VjUwaXYvQ0VpTE5CVDIzZi8zSjQ0d3JRenlncU5RQ2lRU0FMZHhXTEFFbDRsNQprSFNhOW9NeVY3MC9VcWw5NC9heU1BUlpzSGdwOVp2cVFLYmtaUHc2eXpWTWZDQnhRb3psTmxvMzE1T0hldnVkCmhuaHBEUmpONUk3eldtcVl0NnJiWEpKQzdZM0l6ZHZ6bjdRSTg4UnFqU1JTVDVJLzdLejNuZENxck9uSStPUVUKRTVOVFJFeVFlYnBodlFmVERUS2xSUFhrZHlrdGRLMkRIMjhaajZaRjN5alF2TjM1UTR6aE96bHE3N2RPNUloaApvcEk3Y3Q4ZFpIMVQxbllrdmR5Q0EvRVZNdFFzQVNtQk9pdEgwWTBBQ29YUUs1S2I2bm0vVGNNLzlaU0pVTmlFCk11eTVnQlozWUtFOW9hNGNwVHBQWHdjQStTL2NVN0hQTm5RQXN2RDNpSmk4R1RXOXVKczg0cG40L1docFFxbVgKZDRydmhLV0VDQ04zZkh5MDFmVXMvVTBQYVNqMmpEWS9rUVZlWG9pa05NelBVamRaZDltODE2VElCaDN2M2FWWApDSC8waVRISEF4Y3R2RGdNUmIyZnB2Ukovd3duWWpGRzlScGFtVkZETXZDOU5mZnVZeldBQTlJUklZNGNxZ2VyCmZIclZaMkhIaVBURER2REFJc3ZJbVhaYy9oN21YTjZtM1JDUTRReXd5OTkzd2Q5Z1VkZ2cvcW55bkhjQ0F3RUEKQVFLQ0FnQlNSYzI5Z01vNWxYbTFEZ3NQb1VSd3ArdGZjc2IrM05halBWdVZOalZwa25LZzZDeVhUYUJ6dzJRWApDS3lTaENlM013a0VhK3BBSXNiNjZNbUEvWEs4Zi85elFVWkxZUHZhUDk5NGNFRlp4VjhXbVNFY3FoUjJ0eDV2CmlxS2ZGRFFpV3VQWElMN1c5ZlBsa1kzK0dXNHRNU2c5TTE1R3NndFl1YWI2dGtENlhlRVJDOGdxa1cxTXJCL2QKNE1kd1BmdktwbXFPM01ZR0RoRmNYckJaVitxQXVkRG5EU0dPZ1BvdVVyT09GcDI4SFZqRTVucUR5dDR2clduQgorSTFzVzhUQVR5YmI2cGhTKzRhM1pRdEZDYjliSWk3YURaaTU5NUVDVERCVU9TNGlicXMyWHBBMVRhbVk3OE5ECi9MeDVvWG14N01pNEorNXdYTjNPYWQ3eXRRdkZPZE90dElMTnBBTUZiTFU1eUtzeGYrRURqQ0JjUjVmYU5BdHUKd0FNSDlUa3pGcG1ocDVOQndRZEFrQ0ZuaHlsYTM2M2xqbWxHQVdQdUcvRDliVlowcXRCZjNOQUY0aEVKL0w0bgp2WVFGRXJkNjR0UGFzQWdXUG93MkxMdnFpM2pUMjMyYURnYWhqMWxYMWVuSG9SNlRiUUU0cjN6eThEZUE3aTBDCmhBOEdGQXZNc3FJY2VlOVhpNHlEOFFGRUgwUHJKaDZ6UDFQV0tYUjRBUVZFeG5GR2FuejBzNk8xR1JxTFBySUsKMzFOaVJUd0lWcDB4YmV0OS9Hc0p4V3hxclRLUHFkNXlKdlVHRzNBNEVMOGUzUmRXUk01dlRIYk5DVkdpOUxoUwozT0lYVjkvWU9RSnRXeHpXVWpGTjNIcGFOdVdIVlNSMTQ5R0FZcFR4ZWgrL1pHb0FRUUtDQVFFQTlSekcwTHJCCi9vblNuemZBWEQ1SXdHVy9qU2I0ZThWTENaLzdXMENpRDFodDIzUTFwQVI0Ym9mU1lYZHgvcmhWaFJ0eSszOHEKR3p1Z0JQY2VqR2VHWXlLSVZpTzFlOFBzcmQ2ZHlkWW9hQTlmWDNZemNaMG9uazl0K3RZTnhWaHN0b2xmSUdnYwpLVzFxd0ROclYxUFAwTi9vUVU0UVB4TG13Y2YvQlNTbDNzZjUzbVZNemNuSGtqQ0Y1U2dFTjFydElBT1VaYU04CkI0dXJTU01aTUxwd21oWEY5ckFVUFhXZ0xTKzBma3JRem9hQlMyWmZxRWNGTnMxbG44c1RCZW9YQXo2a3laZW0KMFRvMW9ZaFRlTitUZzExcXVXaEpLaVRNWW1TR1QzQjduVnQyNW4wQnlwRGt0ZmFVVStMTVk5L0Jld1d3RTZ4eAppWDk3YmxkZ3Y2eTR1d0tDQVFFQXpCaDVJWWEwOXVKVHdyeFkwSUtWZmtYUnAyUys4ZnFoSjVxaEVQeWtDRis0CkpKQktQcDdJQTdyaGNmNXR3M05WcGEvWUUxaDJIMVA1WjRFUWt6Z0VURXhWb3RCbE9ZWU5ta0JrZDlldFVSR3MKb21BUEhwcm52VDdxK2RSL3JjOC9sUXQzWHp2ZWo0UDR6U1JibnpnL3EySzBJMXFzM3ZPd25aeU8zR1hrNmVuaQpRNTlrMHk4em9zS2RkZTdtMVlKK0tBajVNWmMzUGVIVGZiTGFMY2ZYblRTVVg2eHduWCtKczhrcjJQVlArd1NqCnNFeGFrUDZpZU51L1p6RmNZdjZhaVBneVhJV08vNXBqd0x0L0dUcVVQUWNPOVc3Nm0wdzI0bFduWUN4MWl5U3cKYWxybDJpckwycm5sWEppbjdxNEZ0dEhUV2JlSDkwUlZ0MzA1MG04ZGRRS0NBUUVBa2d5bGduWGxaYytsaW0xagoxeExkc3BadC9xTTc2RFAwdERWNVJqUkszQzNxdDVxVTQ3Z3VNbDRId3oreTB2M3ZKekxsM21rMUk2anhma1BwCkZld1JyVHhFVkY5T29nSnFJbWZGU1NDc1R1VHFCUzJmRlpGNVJHczdzdnljay94T09xMjcyc2x1RGxrK0JHd2YKQjVmTytqeVFYV2t3VVFUb0xvc0dyMy9ZdmRnV1VLZTNqZDh2WlRJNGRnVFVEay9GZncvaStuUzdMaHZRNGZGaAo3eUVJT3lmQ0gyMW5nZjkyZzdZckxCMVVNZHIvYTNnQ2czaGQ2UHVXRkJLaXNTRjh1Tmc0eEUzeWZqVGJBL2NCCkZjTFNXTEh2QjY3VithQ1hrQUVwN21ldG9HT0JnM0QxQWtnM254emY0T1FBdVhuNEJWK3NQT3pCY2haZDY2OXcKM0lVRVJRS0NBUUJ4UEU3UWpCV1JPS2N5VHgrVHFDL2JIRStpNlNHTHpmdGxwc1FnVVp1TXpkYXo2cDVXdWUvTgpLZjExS3EycG1DNzN1MlZON25HekZmczFNd1dJT0xjaHdlUnRiZVFMazFXdXRIVkpqSThyZ0h2Z3B4MGNaT09ZCk92VlI0VlZwa0tmOVFKeGRhVEVsUFJwb2J2aXFrU0c2TEF3MzVWSXViTlFiemtYeEFGT09lR1pDRUloM0p5UWwKOUlZNmJXOERIT0J6dys3R1ZkaWZhOURVVjh2M1JINWJTVlhjOHlhVUs3T3gzVGFIckN0UTRSVVVkbmgxSStIdQozalVHd3ZzNExYeDk2LzY5R0pqck5iU010VHBpTy84TkVRSjZwN1ZCUG5yZy9wYmJwQzhmSVI4RUV5U2Q4OHFnCnN5MFBQOTlFYktiYzlQT25QazJnb2ZoUTBwaW5LV0VWQW9JQkFRQzBoOEozbEdTRzlLaTlRSnZBT2RNcW5zU2cKdW9xakkweTZSbWVSN0xwWVgxQVNLTk5JbWpHMWh3THlaOFFnNWhDTmp5U0VxQkFHR2QzTUJOZklDNnd6QkRyVgp6U0pJcnhqdnUrMnNmejFuVUdkWVdqUWZoeDNjVCt5R3FUNk5FUXVwbXN0TnVreGl1MkhEdTc2cGk5NkFYMm1rClRYWVhsdWJJcGZMNTBkV1owd2lqMExpdkg2VFBhdnZqYlJablhOVnRoMXFsWk9VdHVCR3lFd2NYYjRDT3RxUnEKK25QOEFFZ3pLeGJNSkZWeTNQWTVFNUp5akI1ZDFaUFEyT2VZVVZiZkRFRVlxemtvcmpCeUNjTGR2N08xQ0hOcQpWalV5SnNkOEYxdHVDR1B4YmNiZ3lDZUlxZ0RNMUp4TzR6VE1TUCtDODJBcjdWWGtyNlE4aEFzQ2dIUS8KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
{{- end }}

17
opencloud/templates/oc-auth/service.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if index .Values.ocAuth.enabled }}
apiVersion: v1
kind: Service
metadata:
name: oc-auth-svc
labels:
app: oc-auth-svc
spec:
ports:
- name: http
port: 8094
protocol: TCP
targetPort: 8080
selector:
app: oc-auth
type: ClusterIP
{{- end }}

8
opencloud/templates/traefik.yaml
View File

@ -0,0 +1,8 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: forward-auth
spec:
forwardAuth:
address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward"
trustForwardHeader: true