plm/oc-k8s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: plm:cde967a4049fa841eae54041fce85e01a36402ff
Branches Tags
plm:main
plm:openldap
plm:oryhydra
plm:mongo
plm:nats
plm:bootstraping
...
compare: plm:ba9a971964794bb0f930c7caba69aa4dc73f4d7f
Branches Tags
plm:main
plm:openldap
plm:oryhydra
plm:mongo
plm:nats
plm:bootstraping

3 Commits
cde967a404 ... ba9a971964

Author SHA1 Message Date
plm
ba9a971964 Adding openldap + ldap user manager 2024-12-02 13:57:37 +01:00
plm
519fb80ee7 Merge branch 'oryhydra' into main 2024-12-02 13:30:28 +01:00
plm
324f0f6828 hydra bootstraping 2024-12-02 13:20:11 +01:00
76 changed files with 5168 additions and 33 deletions
Show Stats Expand all files Collapse all files

16
opencloud/Chart.yaml
View File

@ -5,12 +5,12 @@ type: application
version: 0.0.1
appVersion: "0.0.1"
# TODO: ldap, mongo, mongo-express, ory hydra, keto
# TODO: ldap, ory hydra, keto
dependencies:
- name: openldap-stack-ha
version: "4.3.1"
repository: "https://jp-gouin.github.io/helm-openldap/"
condition: openldap-stack-ha.enabled
- name: openldap
repository: https://jp-gouin.github.io/helm-openldap/
version: "2.0.4"
condition: openldap.enabled
- name: traefik
version: "33.0.0"
repository: "https://helm.traefik.io/traefik"
@ -26,4 +26,8 @@ dependencies:
- name: mongo-express
version: "6.5.2"
repository: "https://cowboysysop.github.io/charts/"
condition: mongo-express.enabled
condition: mongo-express.enabled
- name: hydra
version: "0.50.2"
repository: "https://k8s.ory.sh/helm/charts"
condition: hydra.enabled

23
opencloud/charts/hydra/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
*.txt

9
opencloud/charts/hydra/Chart.lock Normal file
View File

@ -0,0 +1,9 @@
dependencies:
- name: ory-commons
repository: file://../ory-commons
version: 0.1.0
- name: hydra-maester
repository: file://../hydra-maester
version: 0.50.2
digest: sha256:f39e4a74150060c63515886f4905dce57e1a90419e5a5c530684f1a363686cda
generated: "2024-11-28T10:30:15.53366383Z"

33
opencloud/charts/hydra/Chart.yaml Normal file
View File

@ -0,0 +1,33 @@
apiVersion: v2
appVersion: v2.2.0
dependencies:
- alias: ory
name: ory-commons
repository: file://../ory-commons
version: 0.1.0
- alias: hydra-maester
condition: maester.enabled
name: hydra-maester
repository: file://../hydra-maester
version: 0.50.2
description: A Helm chart for deploying ORY Hydra in Kubernetes
home: https://www.ory.sh/
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
keywords:
- oauth2
- openid-connect
- openid
- oidc
- op
- api-security
- security
maintainers:
- email: hi@ory.sh
name: ORY Team
url: https://www.ory.sh/
name: hydra
sources:
- https://github.com/ory/hydra
- https://github.com/ory/k8s
type: application
version: 0.50.2

206
opencloud/charts/hydra/README.md Normal file
View File

@ -0,0 +1,206 @@
# hydra
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square)
A Helm chart for deploying ORY Hydra in Kubernetes
**Homepage:** <https://www.ory.sh/>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| ORY Team | <hi@ory.sh> | <https://www.ory.sh/> |
## Source Code
* <https://github.com/ory/hydra>
* <https://github.com/ory/k8s>
## Requirements
| Repository | Name | Version |
|------------|------|---------|
| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.1 |
| file://../ory-commons | ory(ory-commons) | 0.1.0 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| cronjob.janitor.affinity | object | `{}` | Configure node affinity |
| cronjob.janitor.annotations | object | `{}` | Set custom cron job level annotations |
| cronjob.janitor.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
| cronjob.janitor.customArgs | list | `[]` | Configure the arguments of the entrypoint, overriding the default value |
| cronjob.janitor.customCommand | list | `[]` | Configure a custom entrypoint, overriding the default value |
| cronjob.janitor.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| cronjob.janitor.extraEnv | list | `[]` | Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| cronjob.janitor.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. |
| cronjob.janitor.extraVolumeMounts | list | `[]` | |
| cronjob.janitor.extraVolumes | list | `[]` | If you want to mount external volume |
| cronjob.janitor.labels | object | `{}` | Set custom cron job level labels |
| cronjob.janitor.nodeSelector | object | `{}` | Configure node labels for pod assignment |
| cronjob.janitor.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| cronjob.janitor.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| cronjob.janitor.podMetadata.labels | object | `{}` | Extra pod level labels |
| cronjob.janitor.podSecurityContext | object | `{}` | |
| cronjob.janitor.resources | object | `{"limits":{},"requests":{}}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi |
| cronjob.janitor.schedule | string | `"0 */1 * * *"` | Configure how often the cron job is ran |
| cronjob.janitor.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100}` | Configure the containers' SecurityContext for the janitor cronjob |
| cronjob.janitor.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| cronjob.janitor.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
| cronjob.janitor.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| cronjob.janitor.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| cronjob.janitor.tolerations | list | `[]` | Configure node tolerations |
| deployment.annotations | object | `{}` | Set custom deployment level annotations |
| deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
| deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.automountServiceAccountToken | bool | `false` | |
| deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":3,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure HPA |
| deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
| deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
| deployment.customReadinessProbe | object | `{}` | Configure a custom readinessProbe. This overwrites the default object |
| deployment.customStartupProbe | object | `{}` | Configure a custom startupProbe. This overwrites the default object |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| deployment.extraEnv | list | `[]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| deployment.extraInitContainers | string | `""` | If you want to add extra init containers. These are processed before the migration init container. |
| deployment.extraVolumeMounts | list | `[]` | |
| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
| deployment.initContainerSecurityContext | object | `{}` | |
| deployment.labels | object | `{}` | Set custom deployment level labels |
| deployment.lifecycle | object | `{}` | |
| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. |
| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
| deployment.podSecurityContext.fsGroup | int | `65534` | |
| deployment.podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| deployment.podSecurityContext.runAsGroup | int | `65534` | |
| deployment.podSecurityContext.runAsNonRoot | bool | `true` | |
| deployment.podSecurityContext.runAsUser | int | `65534` | |
| deployment.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.readinessProbe | object | `{"failureThreshold":5,"initialDelaySeconds":5,"periodSeconds":10}` | Default probe timers |
| deployment.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi |
| deployment.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| deployment.securityContext.privileged | bool | `false` | |
| deployment.securityContext.readOnlyRootFilesystem | bool | `true` | |
| deployment.securityContext.runAsGroup | int | `65534` | |
| deployment.securityContext.runAsNonRoot | bool | `true` | |
| deployment.securityContext.runAsUser | int | `65534` | |
| deployment.securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| deployment.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| deployment.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":0,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}` | Default probe timers |
| deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | |
| deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
| deployment.strategy.type | string | `"RollingUpdate"` | |
| deployment.terminationGracePeriodSeconds | int | `60` | |
| deployment.tolerations | list | `[]` | Configure node tolerations. |
| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
| fullnameOverride | string | `""` | Full chart name override |
| hydra-maester.adminService.name | string | `""` | The service name value may need to be set if you use `fullnameOverride` for the parent chart |
| hydra.automigration.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand eg: - sleep 5; - kratos |
| hydra.automigration.customCommand | list | `[]` | Ability to override the entrypoint of the automigration container (e.g. to source dynamic secrets or export environment dynamic variables) |
| hydra.automigration.enabled | bool | `false` | |
| hydra.automigration.resources | object | `{}` | resource requests and limits for the automigration initcontainer |
| hydra.automigration.type | string | `"job"` | Configure the way to execute database migration. Possible values: job, initContainer When set to job, the migration will be executed as a job on release or upgrade. When set to initContainer, the migration will be executed when kratos pod is created Defaults to job |
| hydra.command | list | `["hydra"]` | Ability to override the entrypoint of hydra container (e.g. to source dynamic secrets or export environment dynamic variables) |
| hydra.config | object | `{"secrets":{},"serve":{"admin":{"port":4445},"public":{"port":4444},"tls":{"allow_termination_from":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]}},"urls":{"self":{}}}` | The ORY Hydra configuration. For a full list of available settings, check: https://www.ory.sh/docs/hydra/reference/configuration |
| hydra.config.secrets | object | `{}` | The secrets have to be provided as a string slice, example: system: - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa" - "foo bar 123 456 lorem" - "foo bar 123 456 lorem 1" - "foo bar 123 456 lorem 2" - "foo bar 123 456 lorem 3" |
| hydra.config.urls | object | `{"self":{}}` | Configure the urls used by hydra itself, such as the issuer. Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart self: issuer: "https://public.hydra.localhost:4444/" |
| hydra.customArgs | list | `[]` | Ability to override arguments of the entrypoint. Can be used in-depended of customCommand |
| hydra.dev | bool | `false` | Enable dev mode, not secure in production environments |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"oryd/hydra"` | ORY Hydra image |
| image.tag | string | `"v2.2.0"` | ORY Hydra version |
| imagePullSecrets | list | `[]` | Image pull secrets |
| ingress.admin.annotations | object | `{}` | |
| ingress.admin.className | string | `""` | |
| ingress.admin.enabled | bool | `false` | En-/Disable the api ingress. |
| ingress.admin.hosts[0].host | string | `"admin.hydra.localhost"` | |
| ingress.admin.hosts[0].paths[0].path | string | `"/"` | |
| ingress.admin.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| ingress.public | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"public.hydra.localhost","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]}` | Configure ingress for the proxy port. |
| ingress.public.enabled | bool | `false` | En-/Disable the proxy ingress. |
| janitor.batchSize | int | `100` | Configure how many records are deleted with each iteration |
| janitor.cleanupGrants | bool | `false` | Configure if the trust relationships must be cleaned up |
| janitor.cleanupRequests | bool | `false` | Configure if the consent and authentication requests must be cleaned up |
| janitor.cleanupTokens | bool | `false` | Configure if the access and refresh tokens must be cleaned up |
| janitor.enabled | bool | `false` | Enable cleanup of stale database rows by periodically running the janitor command |
| janitor.limit | int | `10000` | Configure how many records are retrieved from database for deletion |
| job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
| job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
| job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected. Value is processed with Helm `tpl` - name: FOO value: BAR |
| job.extraInitContainers | string | `""` | If you want to add extra init containers. extraInitContainers: | - name: ... image: ... |
| job.labels | object | `{}` | Set custom deployment level labels |
| job.lifecycle | string | `""` | If you want to add lifecycle hooks. |
| job.nodeSelector | object | `{}` | Node labels for pod assignment. |
| job.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| job.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| job.podMetadata.labels | object | `{}` | Extra pod level labels |
| job.resources | object | `{}` | resource requests and limits for the automigration job |
| job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
| job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
| job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
| job.spec.backoffLimit | int | `10` | Set job back off limit |
| job.tolerations | list | `[]` | Configure node tolerations. |
| maester.enabled | bool | `true` | |
| nameOverride | string | `""` | |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |
| pdb.spec.minAvailable | string | `""` | |
| priorityClassName | string | `""` | Pod priority https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of ORY Hydra members |
| secret.enabled | bool | `true` | switch to false to prevent creating the secret |
| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
| secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
| secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
| service.admin | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","metricsPath":"/admin/metrics/prometheus","name":"http","port":4445,"type":"ClusterIP"}` | Configures the Kubernetes service for the api port. |
| service.admin.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| service.admin.enabled | bool | `true` | En-/disable the service |
| service.admin.loadBalancerIP | string | `""` | The load balancer IP |
| service.admin.metricsPath | string | `"/admin/metrics/prometheus"` | Path to the metrics endpoint |
| service.admin.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
| service.admin.port | int | `4445` | The service port |
| service.admin.type | string | `"ClusterIP"` | The service type |
| service.public | object | `{"annotations":{},"enabled":true,"labels":{},"loadBalancerIP":"","name":"http","port":4444,"type":"ClusterIP"}` | Configures the Kubernetes service for the proxy port. |
| service.public.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
| service.public.enabled | bool | `true` | En-/disable the service |
| service.public.loadBalancerIP | string | `""` | The load balancer IP |
| service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
| service.public.port | int | `4444` | The service port |
| service.public.type | string | `"ClusterIP"` | The service type |
| serviceMonitor.enabled | bool | `false` | switch to true to enable creating the ServiceMonitor |
| serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
| serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
| serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
| serviceMonitor.scrapeTimeout | string | `"30s"` | Timeout after which the scrape is ended |
| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
| test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
| test.labels | object | `{}` | Provide additional labels to the test pod |
| watcher.automountServiceAccountToken | bool | `true` | |
| watcher.enabled | bool | `false` | |
| watcher.image | string | `"oryd/k8s-toolbox:v0.0.7"` | |
| watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
| watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
| watcher.podSecurityContext | object | `{}` | pod securityContext for watcher deployment |
| watcher.resources | object | `{}` | |
| watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| watcher.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}}` | container securityContext for watcher deployment |
| watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

21
opencloud/charts/hydra/charts/hydra-maester/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

7
opencloud/charts/hydra/charts/hydra-maester/Chart.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: v2
appVersion: v0.0.34
description: A Helm chart for Kubernetes
icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
name: hydra-maester
type: application
version: 0.50.2

66
opencloud/charts/hydra/charts/hydra-maester/README.md Normal file
View File

@ -0,0 +1,66 @@
# hydra-maester
![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.34](https://img.shields.io/badge/AppVersion-v0.0.34-informational?style=flat-square)
A Helm chart for Kubernetes
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| adminService.endpoint | string | `"/admin/clients"` | Set the clients endpoint, should be `/clients` for Hydra 1.x and `/admin/clients` for Hydra 2.x |
| adminService.insecureSkipVerify | bool | `false` | Skip http client insecure verification |
| adminService.name | string | `nil` | Service name |
| adminService.port | int | `4445` | Service port |
| adminService.scheme | string | `"http"` | Scheme used by Hydra client endpoint. May be "http" or "https" |
| adminService.tlsTrustStorePath | string | `""` | TLS ca-cert path for hydra client |
| affinity | object | `{}` | Configure node affinity |
| deployment.args | object | `{"syncPeriod":""}` | Arguments to be passed to the program |
| deployment.args.syncPeriod | string | `""` | The minimum frequency at which watched resources are reconciled |
| deployment.automountServiceAccountToken | bool | `true` | This applications connects to the k8s API and requires the permissions |
| deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
| deployment.extraAnnotations | object | `{}` | Deployment level extra annotations |
| deployment.extraLabels | object | `{}` | Deployment level extra labels |
| deployment.extraVolumeMounts | list | `[]` | |
| deployment.extraVolumes | list | `[]` | If you want to mount external volume |
| deployment.nodeSelector | object | `{}` | Node labels for pod assignment. |
| deployment.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
| deployment.podMetadata.annotations | object | `{}` | Extra pod level annotations |
| deployment.podMetadata.labels | object | `{}` | Extra pod level labels |
| deployment.podSecurityContext.fsGroup | int | `65534` | |
| deployment.podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| deployment.podSecurityContext.runAsGroup | int | `65534` | |
| deployment.podSecurityContext.runAsNonRoot | bool | `true` | |
| deployment.podSecurityContext.runAsUser | int | `65534` | |
| deployment.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.resources | object | `{}` | |
| deployment.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| deployment.securityContext.privileged | bool | `false` | |
| deployment.securityContext.readOnlyRootFilesystem | bool | `true` | |
| deployment.securityContext.runAsGroup | int | `65534` | |
| deployment.securityContext.runAsNonRoot | bool | `true` | |
| deployment.securityContext.runAsUser | int | `65534` | |
| deployment.securityContext.seLinuxOptions.level | string | `"s0:c123,c456"` | |
| deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.serviceAccount | object | `{"annotations":{}}` | Configure service account |
| deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| deployment.terminationGracePeriodSeconds | int | `60` | |
| deployment.tolerations | list | `[]` | Configure node tolerations. |
| deployment.topologySpreadConstraints | list | `[]` | Configure pod topologySpreadConstraints. |
| enabledNamespaces | list | `[]` | The Controller have CREATE and READ access to all Secrets in the namespaces listed below. |
| forwardedProto | string | `nil` | |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image |
| image.tag | string | `"v0.0.35-amd64"` | Ory Hydra-maester version |
| imagePullSecrets | list | `[]` | Image pull secrets |
| pdb.enabled | bool | `false` | |
| pdb.spec.maxUnavailable | string | `""` | |
| pdb.spec.minAvailable | string | `""` | |
| priorityClassName | string | `""` | Pod priority # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| replicaCount | int | `1` | Number of replicas in deployment |
| revisionHistoryLimit | int | `5` | Number of revisions kept in history |
| singleNamespaceMode | bool | `false` | Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

357
opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml Normal file
View File

@ -0,0 +1,357 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
name: oauth2clients.hydra.ory.sh
spec:
group: hydra.ory.sh
names:
kind: OAuth2Client
listKind: OAuth2ClientList
plural: oauth2clients
singular: oauth2client
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API
properties:
apiVersion:
description:
"APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More
info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
type: string
kind:
description:
"Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the
client submits requests to. Cannot be updated. In CamelCase.
More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description:
OAuth2ClientSpec defines the desired state of OAuth2Client
properties:
allowedCorsOrigins:
description:
AllowedCorsOrigins is an array of allowed CORS origins
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
audience:
description:
Audience is a whitelist defining the audiences this client
is allowed to request tokens for
items:
type: string
type: array
backChannelLogoutSessionRequired:
default: false
description:
BackChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that a sid (session ID) Claim be
included in the Logout Token to identify the RP session with
the OP when the backchannel_logout_uri is used. If omitted,
the default value is false.
type: boolean
backChannelLogoutURI:
description:
BackChannelLogoutURI RP URL that will cause the RP to log
itself out when sent a Logout Token by the OP
pattern: (^$|^https?://.*)
type: string
clientName:
description:
ClientName is the human-readable string name of the client
to be presented to the end-user during authorization.
type: string
frontChannelLogoutSessionRequired:
default: false
description:
FrontChannelLogoutSessionRequired Boolean value specifying
whether the RP requires that iss (issuer) and sid (session
ID) query parameters be included to identify the RP session
with the OP when the frontchannel_logout_uri is used
type: boolean
frontChannelLogoutURI:
description:
FrontChannelLogoutURI RP URL that will cause the RP to log
itself out when rendered in an iframe by the OP. An iss
(issuer) query parameter and a sid (session ID) query
parameter MAY be included by the OP to enable the RP to
validate the request and to determine which of the
potentially multiple sessions is to be logged out; if either
is included, both MUST be
pattern: (^$|^https?://.*)
type: string
grantTypes:
description:
GrantTypes is an array of grant types the client is allowed
to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description:
HydraAdmin is the optional configuration to use for managing
this client
properties:
endpoint:
description:
Endpoint is the endpoint for the hydra instance on which
to set up the client. This value will override the value
provided to `--endpoint` (defaults to `"/clients"` in
the application)
pattern: (^$|^/.*)
type: string
forwardedProto:
description:
ForwardedProto overrides the `--forwarded-proto` flag.
The value "off" will force this to be off even if
`--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description:
Port is the port for the hydra instance on which to set
up the client. This value will override the value
provided to `--hydra-port`
maximum: 65535
type: integer
url:
description:
URL is the URL for the hydra instance on which to set up
the client. This value will override the value provided
to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
jwksUri:
description:
JwksUri Define the URL where the JSON Web Key Set should be
fetched from when performing the private_key_jwt client
authentication method.
pattern: (^$|^https?://.*)
type: string
metadata:
description: Metadata is arbitrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description:
PostLogoutRedirectURIs is an array of the post logout
redirect URIs allowed for the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
redirectUris:
description:
RedirectURIs is an array of the redirect URIs allowed for
the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description:
ResponseTypes is an array of the OAuth 2.0 response type
strings that the client can use at the authorization
endpoint.
items:
description:
ResponseType represents an OAuth 2.0 response type strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description:
Scope is a string containing a space-separated list of scope
values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
that the client can use when requesting access tokens.
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
secretName:
description:
SecretName points to the K8s secret that contains this
client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
skipConsent:
default: false
description:
SkipConsent skips the consent screen for this client.
type: boolean
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description:
Indication which authentication method shoud be used for the
token endpoint
type: string
tokenLifespans:
description: Configuration about token lifespans.
properties:
authorization_code_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
authorization_code grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_id_token_lifespan:
description:
The lifespan of the id token issued during
authorization_code grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
authorization_code_grant_refresh_token_lifespan:
description:
The lifespan of the refresh token issued during
authorization_code grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
client_credentials_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
client_credentials grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_access_token_lifespan:
description:
The lifespan of the access token issued during implicit
grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
implicit_grant_id_token_lifespan:
description:
The lifespan of the id token issued during implicit
grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
jwt_bearer_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
jwt_bearer grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_access_token_lifespan:
description:
The lifespan of the access token issued during
refresh_token grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_id_token_lifespan:
description:
The lifespan of the id token issued during refresh_token
grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
refresh_token_grant_refresh_token_lifespan:
description:
The lifespan of the refresh token issued during
refresh_token grant type.
pattern: "[0-9]+(ns|us|ms|s|m|h)"
type: string
type: object
required:
- grantTypes
- scope
- secretName
type: object
status:
description:
OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
conditions:
items:
description:
OAuth2ClientCondition contains condition information for
an OAuth2Client
properties:
status:
enum:
- "True"
- "False"
- Unknown
type: string
type:
type: string
required:
- status
- type
type: object
type: array
observedGeneration:
description:
ObservedGeneration represents the most recent generation
observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description:
ReconciliationError represents an error that occurred during
the reconciliation process
properties:
description:
description:
Description is the description of the reconciliation
error
type: string
statusCode:
description:
Code is the status code of the reconciliation error
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

59
opencloud/charts/hydra/charts/hydra-maester/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,59 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "hydra-maester.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "hydra-maester.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "hydra-maester.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "hydra-maester.labels" -}}
app.kubernetes.io/name: {{ include "hydra-maester.name" . }}
helm.sh/chart: {{ include "hydra-maester.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Get Hydra admin service name
*/}}
{{- define "hydra-maester.adminService" -}}
{{- if .Values.hydraFullnameOverride -}}
{{- printf "%s-admin" .Values.hydraFullnameOverride -}}
{{- else if contains "hydra" .Release.Name -}}
{{- printf "%s-admin" .Release.Name -}}
{{- else -}}
{{- printf "%s-%s-admin" .Release.Name "hydra" -}}
{{- end -}}
{{- end -}}

119
opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml Normal file
View File

@ -0,0 +1,119 @@
{{- if and (ne .Values.adminService.scheme "http") (ne .Values.adminService.scheme "https") -}}
{{ fail "invalid scheme: must be http or https" }}
{{- end -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra-maester.fullname" . }}
labels:
{{- include "hydra-maester.labels" . | nindent 4 }}
{{- with .Values.deployment.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.extraLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.deployment.extraAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /manager
args:
- --metrics-addr=127.0.0.1:8080
- --hydra-url={{ required "scheme is required" .Values.adminService.scheme }}://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
- --hydra-port={{ required "port must be set and non-empty" .Values.adminService.port }}
{{- with .Values.adminService.endpoint }}
- --endpoint={{ . }}
{{- end }}
{{- if .Values.forwardedProto }}
- --forwarded-proto={{ .Values.forwardedProto }}
{{- end }}
{{- if .Values.singleNamespaceMode }}
- --namespace={{ .Release.Namespace }}
{{- end }}
{{- if .Values.deployment.args.syncPeriod }}
- --sync-period={{ .Values.deployment.args.syncPeriod }}
{{- end }}
{{- if .Values.adminService.insecureSkipVerify }}
- --insecure-skip-verify={{ .Values.adminService.insecureSkipVerify }}
{{- end}}
{{- if .Values.adminService.tlsTrustStorePath }}
- --tls-trust-store={{ .Values.adminService.tlsTrustStorePath }}
{{- end }}
volumeMounts:
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.deployment.resources | nindent 12 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
{{- if .Values.deployment.securityContext }}
securityContext:
{{- toYaml .Values.deployment.securityContext | nindent 12 }}
{{- end }}
serviceAccountName: {{ include "hydra-maester.fullname" . }}-account
automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
nodeSelector:
{{- with .Values.deployment.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}

19
opencloud/charts/hydra/charts/hydra-maester/templates/pdb.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "hydra-maester.fullname" . }}
spec:
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}

95
opencloud/charts/hydra/charts/hydra-maester/templates/rbac.yaml Normal file
View File

@ -0,0 +1,95 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra-maester.fullname" . }}-account
namespace: {{ .Release.Namespace }}
labels:
{{- include "hydra-maester.labels" . | nindent 4 }}
{{- with .Values.deployment.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if not .Values.singleNamespaceMode }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role
rules:
- apiGroups: ["hydra.ory.sh"]
resources: ["oauth2clients", "oauth2clients/status"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "watch", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role-binding
subjects:
- kind: ServiceAccount
name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "hydra-maester.fullname" . }}-role
{{- end }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create"]
- apiGroups: ["hydra.ory.sh"]
resources: ["oauth2clients", "oauth2clients/status"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "hydra-maester.fullname" . }}-role-binding
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "hydra-maester.fullname" . }}-role
{{- $name := include "hydra-maester.fullname" . -}}
{{- $namespace := .Release.Namespace -}}
{{- range .Values.enabledNamespaces }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $name }}-role
namespace: {{ . }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ $name }}-role-binding
namespace: {{ . }}
subjects:
- kind: ServiceAccount
name: {{ $name }}-account # Service account assigned to the controller pod.
namespace: {{ $namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}-role
{{- end }}

156
opencloud/charts/hydra/charts/hydra-maester/values.yaml Normal file
View File

@ -0,0 +1,156 @@
# -- Number of replicas in deployment
replicaCount: 1
# -- Number of revisions kept in history
revisionHistoryLimit: 5
# -- The Controller have CREATE and READ access to all Secrets in the namespaces listed below.
enabledNamespaces: []
# -- Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others
singleNamespaceMode: false
image:
# -- Ory Hydra-maester image
repository: oryd/hydra-maester
# -- Ory Hydra-maester version
tag: v0.0.35-amd64
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# -- Pod priority
## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## -- Connection data to admin service of Hydra
adminService:
# -- Service name
name:
# -- Service port
port: 4445
# -- Set the clients endpoint, should be `/clients` for Hydra 1.x and
# `/admin/clients` for Hydra 2.x
endpoint: /admin/clients
# -- Scheme used by Hydra client endpoint. May be "http" or "https"
scheme: http
# -- TLS ca-cert path for hydra client
tlsTrustStorePath: ""
# -- Skip http client insecure verification
insecureSkipVerify: false
forwardedProto:
## -- Deployment specific config
deployment:
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 30Mi
# requests:
# cpu: 100m
# memory: 20Mi
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
## -- pod securityContext
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
runAsUser: 65534
fsGroup: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
## -- container securityContext
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
allowPrivilegeEscalation: false
privileged: false
seLinuxOptions:
level: "s0:c123,c456"
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# foo: bar
# -- Configure node tolerations.
tolerations: []
# -- Deployment level extra annotations
extraAnnotations: {}
# -- Deployment level extra labels
extraLabels: {}
# -- Configure pod topologySpreadConstraints.
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: hydra
# app.kubernetes.io/instance: hydra
# -- Configure pod dnsConfig.
dnsConfig: {}
# options:
# - name: "ndots"
# value: "1"
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# https://github.com/kubernetes/kubernetes/issues/57601
# -- This applications connects to the k8s API and requires the permissions
automountServiceAccountToken: true
terminationGracePeriodSeconds: 60
# -- Arguments to be passed to the program
args:
# -- The minimum frequency at which watched resources are reconciled
syncPeriod: ""
# syncPeriod: 10h
# -- Configure service account
serviceAccount:
# -- Annotations to add to the service account
annotations: {}
# -- Configure node affinity
affinity: {}
## -- PodDistributionBudget configuration
pdb:
enabled: false
spec:
minAvailable: ""
maxUnavailable: ""

23
opencloud/charts/hydra/charts/ory-commons/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
opencloud/charts/hydra/charts/ory-commons/Chart.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 0.0.0
description: 'Collection of helper function for the Ory Helm environment '
name: ory-commons
type: library
version: 0.1.0

12
opencloud/charts/hydra/charts/ory-commons/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,12 @@
{{/*
Check if list contains object
*/}}
{{- define "ory.extraEnvContainsEnvName" -}}
{{- $extraEnvs := index . 0 -}}
{{- $envName := index . 1 -}}
{{- range $k, $v := $extraEnvs -}}
{{- if eq $v.name $envName -}}
found
{{- end -}}
{{- end -}}
{{- end -}}

17
opencloud/charts/hydra/files/watch.sh Normal file
View File

@ -0,0 +1,17 @@
set -Eeuo pipefail
set -x
function rollOut() {
DEPLOY=$(kubectl get deploy -n "${NAMESPACE}" -l "${1}" -o name)
kubectl set env -n $NAMESPACE ${DEPLOY} sync=$(date "+%Y%m%d-%H%M%S")
kubectl rollout status -n $NAMESPACE ${DEPLOY}
}
while true; do
# After change in the CM the symlink is recreated, so we need to restart the monitor
inotifywait --event DELETE_SELF "${WATCH_FILE}" |
while read path _ file; do
echo "---> $path$file modified"
rollOut "${LABEL_SELECTOR}"
done
done

229
opencloud/charts/hydra/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,229 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "hydra.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "hydra.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "hydra.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Ensure there is always a way to track down source of the deployment.
It is unlikely AppVersion will be missing, but we will fallback on the
chart's version in that case.
*/}}
{{- define "hydra.version" -}}
{{- if .Chart.AppVersion }}
{{- .Chart.AppVersion -}}
{{- else -}}
{{- printf "v%s" .Chart.Version -}}
{{- end -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "hydra.labels" -}}
"app.kubernetes.io/name": {{ include "hydra.name" . | quote }}
"app.kubernetes.io/instance": {{ .Release.Name | quote }}
"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
"helm.sh/chart": {{ include "hydra.chart" . | quote }}
{{- if $.Values.watcher.enabled }}
{{ printf "\"%s\": \"%s\"" $.Values.watcher.watchLabelKey (include "hydra.name" .) }}
{{- end }}
{{- end -}}
{{/*
Generate the dsn value
*/}}
{{- define "hydra.dsn" -}}
{{- if .Values.demo -}}
memory
{{- else if and .Values.secret.nameOverride (not .Values.secret.enabled) -}}
dsn-loaded-from-env
{{- else if not (empty (.Values.hydra.config.dsn)) -}}
{{- .Values.hydra.config.dsn }}
{{- end -}}
{{- end -}}
{{/*
Generate the name of the secret resource containing secrets
*/}}
{{- define "hydra.secretname" -}}
{{- if .Values.secret.nameOverride -}}
{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ include "hydra.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Generate the secrets.system value
*/}}
{{- define "hydra.secrets.system" -}}
{{- if (.Values.hydra.config.secrets).system -}}
{{- if kindIs "slice" .Values.hydra.config.secrets.system -}}
{{- if gt (len .Values.hydra.config.secrets.system) 1 -}}
"{{- join "\",\"" .Values.hydra.config.secrets.system -}}"
{{- else -}}
{{- join "" .Values.hydra.config.secrets.system -}}
{{- end -}}
{{- else -}}
{{- fail "Expected hydra.config.secrets.system to be a list of strings" -}}
{{- end -}}
{{- else if .Values.demo -}}
a-very-insecure-secret-for-checking-out-the-demo
{{- end -}}
{{- end -}}
{{/*
Generate the secrets.cookie value
*/}}
{{- define "hydra.secrets.cookie" -}}
{{- if (.Values.hydra.config.secrets).cookie -}}
{{- if kindIs "slice" .Values.hydra.config.secrets.cookie -}}
{{- if gt (len .Values.hydra.config.secrets.cookie) 1 -}}
"{{- join "\",\"" .Values.hydra.config.secrets.cookie -}}"
{{- else -}}
{{- join "" .Values.hydra.config.secrets.cookie -}}
{{- end -}}
{{- else -}}
{{- fail "Expected hydra.config.secrets.cookie to be a list of strings" -}}
{{- end -}}
{{- else -}}
{{- include "hydra.secrets.system" . }}
{{- end -}}
{{- end -}}
{{/*
Generate the configmap data, redacting secrets
*/}}
{{- define "hydra.configmap" -}}
{{- $config := omit .Values.hydra.config "dsn" "secrets" -}}
{{- tpl (toYaml $config) . -}}
{{- end -}}
{{/*
Generate the urls.issuer value
*/}}
{{- define "hydra.config.urls.issuer" -}}
{{- if .Values.hydra.config.urls.self.issuer -}}
{{- .Values.hydra.config.urls.self.issuer }}
{{- else if .Values.ingress.public.enabled -}}
{{- $host := index .Values.ingress.public.hosts 0 -}}
http{{ if $.Values.ingress.public.tls }}s{{ end }}://{{ $host.host }}
{{- else if contains "ClusterIP" .Values.service.public.type -}}
http://127.0.0.1:{{ .Values.service.public.port }}/
{{- end -}}
{{- end -}}
{{/*
Check overrides consistency
*/}}
{{- define "hydra.check.override.consistency" -}}
{{- if and .Values.maester.enabled .Values.fullnameOverride -}}
{{- if not .Values.maester.hydraFullnameOverride -}}
{{ fail "hydra fullname has been overridden, but the new value has not been provided to maester. Set maester.hydraFullnameOverride" }}
{{- else if not (eq .Values.maester.hydraFullnameOverride .Values.fullnameOverride) -}}
{{ fail (tpl "hydra fullname has been overridden, but a different value was provided to maester. {{ .Values.maester.hydraFullnameOverride }} different of {{ .Values.fullnameOverride }}" . ) }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "hydra.utils.joinListWithComma" -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "hydra.serviceAccountName" -}}
{{- if .Values.deployment.serviceAccount.create }}
{{- default (include "hydra.fullname" .) .Values.deployment.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.deployment.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "hydra.job.serviceAccountName" -}}
{{- if .Values.job.serviceAccount.create }}
{{- printf "%s-job" (default (include "hydra.fullname" .) .Values.job.serviceAccount.name) }}
{{- else }}
{{- include "hydra.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for the Job to use
*/}}
{{- define "hydra.cronjob.janitor.serviceAccountName" -}}
{{- if .Values.cronjob.janitor.serviceAccount.create }}
{{- printf "%s-cronjob-janitor" (default (include "hydra.fullname" .) .Values.cronjob.janitor.serviceAccount.name) }}
{{- else }}
{{- include "hydra.serviceAccountName" . }}
{{- end }}
{{- end }}
{{/*
Checksum annotations generated from configmaps and secrets
*/}}
{{- define "hydra.annotations.checksum" -}}
{{- if .Values.configmap.hashSumEnabled }}
checksum/hydra-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
checksum/hydra-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{/*
Check the migration type value and fail if unexpected
*/}}
{{- define "hydra.automigration.typeVerification" -}}
{{- if and .Values.hydra.automigration.enabled .Values.hydra.automigration.type }}
{{- if and (ne .Values.hydra.automigration.type "initContainer") (ne .Values.hydra.automigration.type "job") }}
{{- fail "hydra.automigration.type must be either 'initContainer' or 'job'" -}}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels for the janitor cron job
*/}}
{{- define "hydra.janitor.labels" -}}
"app.kubernetes.io/name": {{ printf "%s-janitor" (include "hydra.name" .) | quote }}
"app.kubernetes.io/instance": {{ .Release.Name | quote }}
"app.kubernetes.io/version": {{ include "hydra.version" . | quote }}
"app.kubernetes.io/managed-by": {{ .Release.Service | quote }}
"app.kubernetes.io/component": janitor
"helm.sh/chart": {{ include "hydra.chart" . | quote }}
{{- end -}}

18
opencloud/charts/hydra/templates/configmap-automigrate.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "hydra.fullname" . }}-migrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
data:
"hydra.yaml": |
{{- include "hydra.configmap" . | nindent 4 }}
{{- end }}

12
opencloud/charts/hydra/templates/configmap.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "hydra.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
data:
"hydra.yaml": |
{{- include "hydra.configmap" . | nindent 4 }}

77
opencloud/charts/hydra/templates/deployment-watcher.yaml Normal file
View File

@ -0,0 +1,77 @@
{{- if .Values.watcher.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
revisionHistoryLimit: {{ .Values.watcher.revisionHistoryLimit }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.watcher.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.watcher.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
serviceAccountName: {{ include "hydra.serviceAccountName" . }}-watcher
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: watcher
{{- with .Values.watcher.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: {{ .Values.watcher.image }}
command:
- /bin/bash
- -c
- |
{{- .Files.Get "files/watch.sh" | printf "%s" | nindent 14 }}
env:
- name: NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: WATCH_FILE
value: {{ .Values.watcher.mountFile | quote }}
- name: LABEL_SELECTOR
value: '{{ $.Values.watcher.watchLabelKey }}={{ include "hydra.name" . }}'
resources:
{{- toYaml .Values.watcher.resources | nindent 12 }}
volumeMounts:
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.watcher.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}

236
opencloud/charts/hydra/templates/deployment.yaml Normal file
View File

@ -0,0 +1,236 @@
{{- include "hydra.automigration.typeVerification" . -}}
{{- $migrationExtraEnv := ternary .Values.deployment.automigration.extraEnv .Values.deployment.extraEnv (not (empty .Values.deployment.automigration.extraEnv )) -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hydra.fullname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.deployment.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
strategy:
{{- toYaml .Values.deployment.strategy | nindent 4 }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
{{- include "hydra.labels" . | nindent 8 }}
{{- with .Values.deployment.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- include "hydra.annotations.checksum" . | nindent 8 -}}
{{- with .Values.deployment.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $.Values.deployment.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "hydra.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: {{- toYaml .Values.hydra.command | nindent 12 }}
{{- if .Values.hydra.customArgs }}
args: {{- toYaml .Values.hydra.customArgs | nindent 12 }}
{{- else }}
args:
- serve
- all
{{- if .Values.hydra.dev }}
- "--dev"
{{- end }}
- --config
- /etc/config/hydra.yaml
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: http-public
containerPort: {{ .Values.hydra.config.serve.public.port }}
protocol: TCP
- name: http-admin
containerPort: {{ .Values.hydra.config.serve.admin.port }}
protocol: TCP
{{- if .Values.deployment.customLivenessProbe }}
livenessProbe:
{{- toYaml .Values.deployment.customLivenessProbe | nindent 12 }}
{{- end }}
readinessProbe:
{{- if .Values.deployment.customReadinessProbe }}
{{- toYaml .Values.deployment.customReadinessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/alive
port: {{ .Values.hydra.config.serve.admin.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.readinessProbe | nindent 12 }}
{{- end }}
startupProbe:
{{- if .Values.deployment.customStartupProbe }}
{{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health/ready
port: {{ .Values.hydra.config.serve.admin.port }}
httpHeaders:
- name: Host
value: '127.0.0.1'
{{- toYaml .Values.deployment.startupProbe | nindent 12 }}
{{- end }}
env:
{{- $issuer := include "hydra.config.urls.issuer" . -}}
{{- if $issuer }}
- name: URLS_SELF_ISSUER
value: {{ $issuer | quote }}
{{- end }}
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list .Values.deployment.extraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
- name: SECRETS_SYSTEM
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: secretsSystem
- name: SECRETS_COOKIE
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: secretsCookie
{{- if .Values.deployment.extraEnv }}
{{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.deployment.resources | nindent 12 }}
{{- if .Values.deployment.securityContext }}
securityContext:
{{- toYaml .Values.deployment.securityContext | nindent 12 }}
{{- end }}
lifecycle:
{{- toYaml .Values.deployment.lifecycle | nindent 12 }}
{{- if .Values.deployment.extraContainers }}
{{- tpl .Values.deployment.extraContainers . | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.deployment.extraInitContainers }}
{{- tpl .Values.deployment.extraInitContainers . | nindent 8 }}
{{- end }}
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "initContainer" ) }}
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.hydra.automigration.customCommand }}
command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 12 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.hydra.automigration.customArgs }}
args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 12 }}
{{- else }}
args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- with .Values.deployment.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- if $migrationExtraEnv }}
{{- tpl (toYaml $migrationExtraEnv) . | nindent 12 }}
{{- end }}
{{- if .Values.hydra.automigration.resources }}
resources:
{{- toYaml .Values.hydra.automigration.resources | nindent 12 }}
{{- end }}
{{- with .Values.deployment.initContainerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- with .Values.deployment.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}

36
opencloud/charts/hydra/templates/hpa.yaml Normal file
View File

@ -0,0 +1,36 @@
{{- if .Values.deployment.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ include "hydra.fullname" . }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
spec:
{{- with .Values.deployment.autoscaling.behavior }}
behavior: {{- toYaml . | nindent 4 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "hydra.fullname" . }}
minReplicas: {{ .Values.deployment.autoscaling.minReplicas }}
maxReplicas: {{ .Values.deployment.autoscaling.maxReplicas }}
metrics:
{{- with .Values.deployment.autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.autoscaling.targetCPU}}
- type: Resource
resource:
name: cpu
target:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

54
opencloud/charts/hydra/templates/ingress-admin.yaml Normal file
View File

@ -0,0 +1,54 @@
{{- if .Values.ingress.admin.enabled -}}
{{- $fullName := include "hydra.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.ingress.admin.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.admin.className }}
{{- if .Values.ingress.admin.tls }}
tls:
{{- range .Values.ingress.admin.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.admin.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-admin
port:
name: {{ $.Values.service.admin.name }}
{{- else }}
serviceName: {{ $fullName }}-admin
servicePort: {{ $.Values.service.admin.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

54
opencloud/charts/hydra/templates/ingress-public.yaml Normal file
View File

@ -0,0 +1,54 @@
{{- if or .Values.ingress.public.enabled .Values.demo -}}
{{- $fullName := include "hydra.fullname" . -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-public
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.ingress.public.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.public.className }}
{{- if .Values.ingress.public.tls }}
tls:
{{- range .Values.ingress.public.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.public.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-public
port:
name: {{ $.Values.service.public.name }}
{{- else }}
serviceName: {{ $fullName }}-public
servicePort: {{ $.Values.service.public.name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

17
opencloud/charts/hydra/templates/janitor-cron-job-rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.cronjob.janitor.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.cronjob.janitor.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}

137
opencloud/charts/hydra/templates/janitor-cron-job.yaml Normal file
View File

@ -0,0 +1,137 @@
{{- if .Values.janitor.enabled -}}
{{- $janitorExtraEnv := ternary .Values.cronjob.janitor.extraEnv .Values.deployment.extraEnv (not (empty .Values.cronjob.janitor.extraEnv )) -}}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ include "hydra.fullname" . }}-janitor
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.janitor.labels" . | nindent 4 }}
{{- with .Values.cronjob.janitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.cronjob.janitor.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.cronjob.janitor.schedule | quote }}
jobTemplate:
spec:
template:
metadata:
labels:
{{- include "hydra.janitor.labels" . | nindent 12 }}
{{- with .Values.cronjob.janitor.labels }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.podMetadata.labels }}
{{- toYaml . | nindent 12 }}
{{- end }}
annotations:
{{- include "hydra.annotations.checksum" . | nindent 12 -}}
{{- with .Values.cronjob.janitor.annotations }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with $.Values.cronjob.janitor.podMetadata.annotations }}
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
restartPolicy: OnFailure
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 12 }}
{{- end }}
serviceAccountName: {{ include "hydra.cronjob.janitor.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.cronjob.janitor.automountServiceAccountToken }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}
{{- if .Values.cronjob.janitor.extraVolumes }}
{{- toYaml .Values.cronjob.janitor.extraVolumes | nindent 12 }}
{{- end }}
containers:
- name: janitor
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.cronjob.janitor.securityContext }}
securityContext:
{{- toYaml . | nindent 16 }}
{{- end }}
{{- if .Values.cronjob.janitor.customCommand }}
command: {{- toYaml .Values.cronjob.janitor.customCommand | nindent 14 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.cronjob.janitor.customArgs }}
args: {{- toYaml .Values.cronjob.janitor.customArgs | nindent 14 }}
{{- else }}
args:
- janitor
{{- if .Values.janitor.cleanupGrants }}
- --grants
{{- end }}
{{- if .Values.janitor.cleanupRequests }}
- --requests
{{- end }}
{{- if .Values.janitor.cleanupTokens }}
- --tokens
{{- end }}
- --batch-size
- {{ .Values.janitor.batchSize | quote }}
- --limit
- {{ .Values.janitor.limit | quote }}
- --config
- /etc/config/hydra.yaml
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $janitorExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $janitorExtraEnv }}
{{- toYaml . | nindent 16 }}
{{- end }}
resources:
{{- toYaml .Values.cronjob.janitor.resources | nindent 16 }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.cronjob.janitor.extraVolumeMounts }}
{{- toYaml .Values.cronjob.janitor.extraVolumeMounts | nindent 16 }}
{{- end }}
{{- if .Values.cronjob.janitor.extraContainers }}
{{- tpl .Values.cronjob.janitor.extraContainers . | nindent 12 }}
{{- end }}
{{- if .Values.cronjob.janitor.extraInitContainers }}
initContainers:
{{- tpl .Values.cronjob.janitor.extraInitContainers . | nindent 10 }}
{{- end }}
{{- with .Values.cronjob.janitor.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.tolerations }}
tolerations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cronjob.janitor.affinity }}
affinity:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}

125
opencloud/charts/hydra/templates/job-migration.yaml Normal file
View File

@ -0,0 +1,125 @@
{{- include "hydra.automigration.typeVerification" . -}}
{{- if and ( .Values.hydra.automigration.enabled ) ( eq .Values.hydra.automigration.type "job" ) }}
{{- $nodeSelector := ternary .Values.job.nodeSelector .Values.deployment.nodeSelector (not (empty .Values.job.nodeSelector )) -}}
{{- $migrationExtraEnv := ternary .Values.job.extraEnv .Values.deployment.extraEnv (not (empty .Values.job.extraEnv )) -}}
{{- $resources := ternary .Values.job.resources .Values.hydra.automigration.resources (not (empty .Values.job.resources)) -}}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "hydra.fullname" . }}-automigrate
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.job.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
annotations:
{{- with .Values.job.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.fullname" . }}-automigrate
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.job.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.podMetadata.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "hydra.job.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
containers:
- name: {{ .Chart.Name }}-automigrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.hydra.automigration.customCommand }}
command: {{- toYaml .Values.hydra.automigration.customCommand | nindent 10 }}
{{- else }}
command: ["hydra"]
{{- end }}
{{- if .Values.hydra.automigration.customArgs }}
args: {{- toYaml .Values.hydra.automigration.customArgs | nindent 10 }}
{{- else }}
args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/hydra.yaml"]
{{- end }}
env:
{{- if not (empty ( include "hydra.dsn" . )) }}
{{- if not (include "ory.extraEnvContainsEnvName" (list $migrationExtraEnv "DSN")) }}
- name: DSN
valueFrom:
secretKeyRef:
name: {{ include "hydra.secretname" . }}
key: dsn
{{- end }}
{{- end }}
{{- with $migrationExtraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
lifecycle:
{{- if .Values.job.lifecycle }}
{{- tpl .Values.job.lifecycle . | nindent 10 }}
{{- end }}
{{- with .Values.deployment.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with $resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- name: {{ include "hydra.name" . }}-config-volume
mountPath: /etc/config
readOnly: true
{{- if .Values.deployment.extraVolumeMounts }}
{{- toYaml .Values.deployment.extraVolumeMounts | nindent 10 }}
{{- end }}
{{- if .Values.job.extraContainers }}
{{- tpl .Values.job.extraContainers . | nindent 6 }}
{{- end }}
{{- if .Values.job.extraInitContainers }}
initContainers:
{{- tpl .Values.job.extraInitContainers . | nindent 8 }}
{{- end }}
restartPolicy: Never
{{- with .Values.deployment.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
volumes:
- name: {{ include "hydra.name" . }}-config-volume
configMap:
name: {{ include "hydra.fullname" . }}-migrate
{{- if .Values.deployment.extraVolumes }}
{{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
{{- end }}
{{- with $nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.job.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
backoffLimit: {{ .Values.job.spec.backoffLimit }}
{{- end }}

17
opencloud/charts/hydra/templates/job-rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.job.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.job.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.job.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end -}}

18
opencloud/charts/hydra/templates/pdb.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if .Values.pdb.enabled -}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "hydra.fullname" . }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.pdb.spec.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- with .Values.pdb.spec.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- end -}}

53
opencloud/charts/hydra/templates/rbac-watcher.yaml Normal file
View File

@ -0,0 +1,53 @@
{{- if .Values.watcher.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.serviceAccountName" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
app.kubernetes.io/instance: {{ .Release.Name }}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "hydra.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- list
- watch
- get
- apiGroups: ["apps"]
resources: ["deployments"]
verbs:
- get
- list
- patch
- update
- watch
resourceNames:
- {{ include "hydra.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "hydra.fullname" . }}-watcher
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "hydra.fullname" . }}-watcher
subjects:
- kind: ServiceAccount
name: {{ include "hydra.fullname" . }}-watcher
namespace: {{ .Release.Namespace }}
{{- end }}

17
opencloud/charts/hydra/templates/rbac.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.deployment.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hydra.serviceAccountName" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.deployment.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
{{- end }}

21
opencloud/charts/hydra/templates/secrets.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if .Values.secret.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "hydra.secretname" . }}
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
annotations:
{{- with .Values.secret.secretAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
data:
# Generate a random secret if the user doesn't give one. User given password has priority
secretsSystem: {{ ( include "hydra.secrets.system" . | default ( randAlphaNum 32 )) | required "Value secrets.system can not be empty!" | b64enc | quote }}
secretsCookie: {{ ( include "hydra.secrets.cookie" . | default ( randAlphaNum 32 )) | required "Value secrets.cookie can not be empty!" | b64enc | quote }}
dsn: {{ include "hydra.dsn" . | b64enc | quote }}
{{- end -}}

71
opencloud/charts/hydra/templates/service-admin.yaml Normal file
View File

@ -0,0 +1,71 @@
{{- if .Values.service.admin.enabled -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "hydra.fullname" . }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.service.admin.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: admin
annotations:
{{- with .Values.service.admin.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.admin.type }}
{{- if eq .Values.service.admin.type "LoadBalancer" }}
{{- with .Values.service.admin.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.admin.port }}
targetPort: http-admin
protocol: TCP
name: {{ .Values.service.admin.name }}
selector:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "hydra.fullname" . }}-admin
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/component: admin
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.admin.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- path: {{ .Values.service.admin.metricsPath }}
port: {{ .Values.service.admin.name }}
scheme: {{ .Values.serviceMonitor.scheme }}
interval: {{ .Values.serviceMonitor.scrapeInterval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 6 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: admin
{{- end -}}
{{- end }}

33
opencloud/charts/hydra/templates/service-public.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if .Values.service.public.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "hydra.fullname" . }}-public
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.service.public.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.service.public.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.public.type }}
{{- if eq .Values.service.public.type "LoadBalancer" }}
{{- with .Values.service.public.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.public.port }}
targetPort: http-public
protocol: TCP
name: {{ .Values.service.public.name }}
selector:
app.kubernetes.io/name: {{ include "hydra.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

20
opencloud/charts/hydra/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "hydra.fullname" . }}-test-connection"
{{- if .Release.Namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "hydra.labels" . | nindent 4 }}
{{- with .Values.test.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: healthcheck-ready
image: "{{ .Values.test.busybox.repository }}:{{ .Values.test.busybox.tag }}"
command: ['wget']
args: ['{{ include "hydra.fullname" . }}-admin:{{ .Values.service.admin.port }}/health/ready']
restartPolicy: Never

670
opencloud/charts/hydra/values.yaml Normal file
View File

@ -0,0 +1,670 @@
# -- Number of ORY Hydra members
replicaCount: 1
image:
# -- ORY Hydra image
repository: oryd/hydra
# -- ORY Hydra version
tag: v2.2.0
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# Chart name override
nameOverride: ""
# -- Full chart name override
fullnameOverride: ""
# -- Pod priority
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## -- Configures the Kubernetes service
service:
# -- Configures the Kubernetes service for the proxy port.
public:
# -- En-/disable the service
enabled: true
# -- The service type
type: ClusterIP
# -- The load balancer IP
loadBalancerIP: ""
# -- The service port
port: 4444
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
name: http
# -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. app: hydra
# -- Configures the Kubernetes service for the api port.
admin:
# -- En-/disable the service
enabled: true
# -- The service type
type: ClusterIP
# -- The load balancer IP
loadBalancerIP: ""
# -- The service port
port: 4445
# -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
name: http
# -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
# If you do want to specify additional labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'labels:'.
# e.g. app: hydra
# -- Path to the metrics endpoint
metricsPath: /admin/metrics/prometheus
## -- Secret management
secret:
# -- switch to false to prevent creating the secret
enabled: true
# -- Provide custom name of existing secret, or custom name of secret to be created
nameOverride: ""
# nameOverride: "myCustomSecret"
# -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
secretAnnotations:
# Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
# pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
helm.sh/resource-policy: "keep"
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
## -- Configure ingress
ingress:
# -- Configure ingress for the proxy port.
public:
# -- En-/Disable the proxy ingress.
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: public.hydra.localhost
paths:
- path: /
pathType: ImplementationSpecific
# tls: []
# hosts:
# - proxy.hydra.local
# - secretName: hydra-proxy-example-tls
admin:
# -- En-/Disable the api ingress.
enabled: false
className: ""
annotations: {}
# If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: admin.hydra.localhost
paths:
- path: /
pathType: ImplementationSpecific
# tls: []
# hosts:
# - api.hydra.local
# - secretName: hydra-api-example-tls
## -- Configure ORY Hydra itself
hydra:
# -- Ability to override the entrypoint of hydra container
# (e.g. to source dynamic secrets or export environment dynamic variables)
command: ["hydra"]
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
customArgs: []
# -- The ORY Hydra configuration. For a full list of available settings, check:
# https://www.ory.sh/docs/hydra/reference/configuration
config:
serve:
public:
port: 4444
admin:
port: 4445
tls:
allow_termination_from:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# -- The secrets have to be provided as a string slice, example:
# system:
# - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
# - "foo bar 123 456 lorem"
# - "foo bar 123 456 lorem 1"
# - "foo bar 123 456 lorem 2"
# - "foo bar 123 456 lorem 3"
secrets: {}
# -- Configure the urls used by hydra itself, such as the issuer.
# Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart
# self:
# issuer: "https://public.hydra.localhost:4444/"
urls:
self: {}
# -- Enables database migration
automigration:
enabled: false
# -- Configure the way to execute database migration. Possible values: job, initContainer
# When set to job, the migration will be executed as a job on release or upgrade.
# When set to initContainer, the migration will be executed when kratos pod is created
# Defaults to job
type: job
# -- Ability to override the entrypoint of the automigration container
# (e.g. to source dynamic secrets or export environment dynamic variables)
customCommand: []
# -- Ability to override arguments of the entrypoint. Can be used in-depended of customCommand
# eg:
# - sleep 5;
# - kratos
customArgs: []
# -- resource requests and limits for the automigration initcontainer
resources: {}
# -- Enable dev mode, not secure in production environments
dev: false
## -- Deployment specific config
deployment:
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: "25%"
maxUnavailable: "25%"
# -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
# This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
resources: {}
## -- initContainer securityContext for hydra & migration init
initContainerSecurityContext: {}
## -- pod securityContext for hydra & migration init
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
runAsUser: 65534
fsGroup: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
## -- container securityContext for hydra & migration init
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
allowPrivilegeEscalation: false
privileged: false
seLinuxOptions:
level: "s0:c123,c456"
lifecycle: {}
# -- Set custom deployment level labels
labels: {}
# -- Set custom deployment level annotations
annotations: {}
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
# foo: bar
# -- Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm
# `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Parameters for the automigration initContainer
automigration:
# -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
# Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Configure node tolerations.
tolerations: []
# -- Configure pod topologySpreadConstraints.
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: hydra
# app.kubernetes.io/instance: hydra
# -- Configure pod dnsConfig.
dnsConfig: {}
# options:
# - name: "ndots"
# value: "1"
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
# For example, mount a secret containing Certificate root CA to verify database
# TLS connection.
# extraVolumes:
# - name: postgresql-tls
# secret:
# secretName: postgresql-root-ca
# extraVolumeMounts:
# - name: postgresql-tls
# mountPath: "/etc/postgresql-tls"
# readOnly: true
# -- Configure HPA
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 3
targetCPU: {}
# type: Utilization
# averageUtilization: 80
targetMemory: {}
# type: Utilization
# averageUtilization: 80
# -- Set custom behavior
# https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
behavior: {}
# -- Default probe timers
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 5
# -- Default probe timers
startupProbe:
failureThreshold: 5
successThreshold: 1
periodSeconds: 1
timeoutSeconds: 1
initialDelaySeconds: 0
automountServiceAccountToken: false
terminationGracePeriodSeconds: 60
# -- If you want to add extra init containers. These are processed before the migration init container.
extraInitContainers: ""
# extraInitContainers: |
# - name: ...
# image: ...
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- Configure a custom livenessProbe. This overwrites the default object
customLivenessProbe: {}
# -- Configure a custom readinessProbe. This overwrites the default object
customReadinessProbe: {}
# -- Configure a custom startupProbe. This overwrites the default object
customStartupProbe: {}
# -- Number of revisions kept in history
revisionHistoryLimit: 5
## -- Values for initialization job
job:
# -- If you do want to specify annotations, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
annotations:
helm.sh/hook-weight: "1"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- Set custom deployment level labels
labels: {}
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
# is expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- If you want to add extra init containers.
# extraInitContainers: |
# - name: ...
# image: ...
extraInitContainers: ""
# -- Node labels for pod assignment.
nodeSelector: {}
# If you do want to specify node labels, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
# foo: bar
# -- resource requests and limits for the automigration job
resources: {}
# -- Configure node tolerations.
tolerations: []
# -- If you want to add lifecycle hooks.
lifecycle: ""
# lifecycle: |
# preStop:
# exec:
# command: [...]
# -- Set automounting of the SA token
automountServiceAccountToken: true
# -- Set sharing process namespace
shareProcessNamespace: false
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
spec:
# -- Set job back off limit
backoffLimit: 10
## -- Configure node affinity
affinity: {}
## -- Configures controller setup
maester:
enabled: true
## -- Values for the hydra admin service arguments to hydra-maester
hydra-maester:
adminService:
# -- The service name value may need to be set if you use `fullnameOverride` for the parent chart
name: ""
# -- You only need to set this port if you change the value for `service.admin.port` in the parent chart
# port:
## -- Sidecar watcher configuration
watcher:
enabled: false
image: oryd/k8s-toolbox:v0.0.7
# -- Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo
mountFile: ""
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Label key used for managing applications
watchLabelKey: "ory.sh/watcher"
# -- Number of revisions kept in history
revisionHistoryLimit: 5
# -- pod securityContext for watcher deployment
podSecurityContext: {}
resources: {}
automountServiceAccountToken: true
# -- container securityContext for watcher deployment
securityContext:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 100
allowPrivilegeEscalation: false
privileged: false
## -- Janitor cron job configuration
janitor:
# -- Enable cleanup of stale database rows by periodically running the janitor command
enabled: false
# -- Configure if the trust relationships must be cleaned up
cleanupGrants: false
# -- Configure if the consent and authentication requests must be cleaned up
cleanupRequests: false
# -- Configure if the access and refresh tokens must be cleaned up
cleanupTokens: false
# -- Configure how many records are deleted with each iteration
batchSize: 100
# -- Configure how many records are retrieved from database for deletion
limit: 10000
## -- CronJob configuration
cronjob:
janitor:
# -- Configure how often the cron job is ran
schedule: "0 */1 * * *"
# -- Configure a custom entrypoint, overriding the default value
customCommand: []
# -- Configure the arguments of the entrypoint, overriding the default value
customArgs: []
# -- Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes
# format is expected. Value is processed with Helm `tpl`
# - name: FOO
# value: BAR
extraEnv: []
# -- If you want to add extra init containers. These are processed before the migration init container.
extraInitContainers: ""
# extraInitContainers: |
# - name: ...
# image: ...
# -- If you want to add extra sidecar containers.
extraContainers: ""
# extraContainers: |
# - name: ...
# image: ...
# -- If you want to mount external volume
extraVolumes: []
# - name: my-volume
# secret:
# secretName: my-secret
extraVolumeMounts: []
# - name: my-volume
# mountPath: /etc/secrets/my-secret
# readOnly: true
# -- Set custom cron job level labels
labels: {}
# -- Set custom cron job level annotations
annotations: {}
# -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
podMetadata:
# -- Extra pod level labels
labels: {}
# -- Extra pod level annotations
annotations: {}
# -- Configure node labels for pod assignment
nodeSelector: {}
# -- Configure node tolerations
tolerations: []
# -- Configure node affinity
affinity: {}
# -- Set automounting of the SA token
automountServiceAccountToken: true
# -- Specify the serviceAccountName value.
# In some situations it is needed to provides specific permissions to Hydra deployments
# Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
# Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations:
helm.sh/hook-weight: "0"
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# -- Configure the containers' SecurityContext for the janitor cronjob
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 100
allowPrivilegeEscalation: false
privileged: false
## -- pod securityContext for the janitor cronjob
podSecurityContext: {}
# -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
# This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
resources:
limits: {}
requests: {}
## -- PodDistributionBudget configuration
pdb:
enabled: false
spec:
minAvailable: ""
maxUnavailable: ""
## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
# -- switch to true to enable creating the ServiceMonitor
enabled: false
# -- HTTP scheme to use for scraping.
scheme: http
# -- Interval at which metrics should be scraped
scrapeInterval: 60s
# -- Timeout after which the scrape is ended
scrapeTimeout: 30s
# -- Provide additionnal labels to the ServiceMonitor ressource metadata
labels: {}
# -- TLS configuration to use when scraping the endpoint
tlsConfig: {}
configmap:
# -- switch to false to prevent checksum annotations being maintained and propogated to the pods
hashSumEnabled: true
test:
# -- Provide additional labels to the test pod
labels: {}
# -- use a busybox image from another repository
busybox:
repository: busybox
tag: 1

133
opencloud/charts/openldap/.argo-workflow.yaml Normal file
View File

@ -0,0 +1,133 @@
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: openldap-qualif-
spec:
entrypoint: test-deployment
arguments:
parameters:
- name: namespace
value: openldap-qualif
- name: app
value: openldap-qualif
# This spec contains two templates: hello-hello-hello and whalesay
templates:
- name: test-deployment
parallelism: 1
# Instead of just running a container
# This template has a sequence of steps
steps:
- - name: wait-upgrade # hello1 is run before the following steps
template: wait-upgrade
arguments:
parameters:
- name: time
value: 10
- name: type
value: sts
- - name: test-openldap-upgrade # double dash => run after previous step
template: test-openldap-upgrade
arguments:
parameters:
- name: url
value: "{{workflow.parameters.app}}.{{workflow.parameters.namespace}}"
- name: password
value: "Not@SecurePassw0rd"
- name: user
value: "cn=admin,dc=example,dc=org"
- name: occurence
value: "{{item}}"
withSequence:
count: "1"
- - name: apply-chaos-test # double dash => run after previous step
template: apply-chaos-test
- - name: test-openldap # double dash => run after previous step
template: test-openldap-upgrade
arguments:
parameters:
- name: url
value: "{{workflow.parameters.app}}.{{workflow.parameters.namespace}}"
- name: password
value: "Not@SecurePassw0rd"
- name: user
value: "cn=admin,dc=example,dc=org"
- name: occurence
value: "{{item}}"
withSequence:
count: "60"
- - name: cleanup # double dash => run after previous step
template: pause-chaos-test
# This is the same template as from the previous example
- name: wait-upgrade
serviceAccountName: argo-workflow-invocator
inputs:
parameters:
- name: time
- name: type # type of resources to wait (deployement or sts)
script:
image: bitnami/kubectl:1.18.13
command: [/bin/bash]
source: |
sleep {{inputs.parameters.time}}
kubectl rollout status -n {{workflow.parameters.namespace}} {{inputs.parameters.type}} {{workflow.parameters.app}}
- name: test-openldap-upgrade
serviceAccountName: argo-workflow-invocator
inputs:
parameters:
- name: url
- name: password
- name: user
- name: occurence
script:
image: alpine
command: [sh]
source: | # Contents of the here-script
apk add openldap-clients
echo "run ldap commands (add, search, modify...)"
LDAPTLS_REQCERT=never ldapsearch -x -D '{{inputs.parameters.user}}' -w {{inputs.parameters.password}} -H ldaps://{{inputs.parameters.url}} -b 'dc=example,dc=org'
sleep 60
- name: apply-chaos-test
serviceAccountName: argo-workflow-invocator
resource: # indicates that this is a resource template
action: apply # can be any kubectl action (e.g. create, delete, apply, patch)
manifest: | #put your kubernetes spec here
apiVersion: chaos-mesh.org/v1alpha1
kind: PodChaos
metadata:
name: pod-failure-openldap
namespace: openldap-qualif
annotations:
experiment.chaos-mesh.org/pause: "false"
spec:
action: pod-failure
mode: random-max-percent
value: "100"
duration: "15s"
selector:
labelSelectors:
"app": "openldap-qualif"
scheduler:
cron: "@every 2m"
- name: pause-chaos-test
serviceAccountName: argo-workflow-invocator
resource: # indicates that this is a resource template
action: apply # can be any kubectl action (e.g. create, delete, apply, patch)
manifest: | #put your kubernetes spec here
apiVersion: chaos-mesh.org/v1alpha1
kind: PodChaos
metadata:
name: pod-failure-openldap
namespace: openldap-qualif
annotations:
experiment.chaos-mesh.org/pause: "true"
spec:
action: pod-failure
mode: random-max-percent
value: "100"
duration: "15s"
selector:
labelSelectors:
"app": "openldap-qualif"
scheduler:
cron: "@every 2m"

5
opencloud/charts/openldap/.helmignore Normal file
View File

@ -0,0 +1,5 @@
.git
.github
.chaos
.argo-workflow

24
opencloud/charts/openldap/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
appVersion: 2.4.47
dependencies:
- condition: ltb-passwd.enabled
name: ltb-passwd
repository: ""
version: 0.1.x
- condition: phpldapadmin.enabled
name: phpldapadmin
repository: ""
version: 0.1.x
description: Community developed LDAP software
home: https://www.openldap.org
icon: http://www.openldap.org/images/headers/LDAPworm.gif
keywords:
- ldap
- openldap
maintainers:
- email: jp-gouin@hotmail.fr
name: Jean-Philippe Gouin
name: openldap
sources:
- https://github.com/kubernetes/charts
version: 2.0.4

167
opencloud/charts/openldap/README.md Normal file
View File

@ -0,0 +1,167 @@
# OpenLDAP Helm Chart
## Prerequisites Details
* Kubernetes 1.8+
* PV support on the underlying infrastructure
## Chart Details
This chart will do the following:
* Instantiate 3 instances of OpenLDAP server with multi-master replication
* A phpldapadmin to administrate the OpenLDAP server
* ltb-passwd for self service password
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ git clone https://github.com/jp-gouin/helm-openldap.git
$ cd helm-openldap
$ helm install openldap .
```
## Configuration
We use the docker images provided by https://github.com/osixia/docker-openldap. The docker image is highly configurable and well documented. Please consult to documentation for the docker image for more information.
The following table lists the configurable parameters of the openldap chart and their default values.
| Parameter | Description | Default |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `replicaCount` | Number of replicas | `3` |
| `strategy` | Deployment strategy | `{}` |
| `image.repository` | Container image repository | `osixia/openldap` |
| `image.tag` | Container image tag | `1.1.10` |
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `extraLabels` | Labels to add to the Resources | `{}` |
| `podAnnotations` | Annotations to add to the pod | `{}` |
| `existingSecret` | Use an existing secret for admin and config user passwords | `""` |
| `service.annotations` | Annotations to add to the service | `{}` |
| `service.externalIPs` | Service external IP addresses | `[]` |
| `service.ldapPort` | External service port for LDAP | `389` |
| `service.ldapPortNodePort` | Nodeport of External service port for LDAP if service.type is NodePort | `nil` |
| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` |
| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` |
| `service.sslLdapPort` | External service port for SSL+LDAP | `636` |
| `service.sslLdapPortNodePort` | Nodeport of External service port for SSL if service.type is NodePort | `nil` |
| `service.type` | Service type can be ClusterIP, NodePort, LoadBalancer | `ClusterIP` |
| `env` | List of key value pairs as env variables to be sent to the docker image. See https://github.com/osixia/docker-openldap for available ones | `[see values.yaml]` |
| `logLevel` | Set the container log level. Valid values: `none`, `error`, `warning`, `info`, `debug`, `trace` | `info` |
| `tls.enabled` | Set to enable TLS/LDAPS with custom certificate - should also set `tls.secret` | `false` |
| `tls.secret` | Secret containing TLS cert and key (eg, generated via cert-manager) | `""` |
| `tls.CA.enabled` | Set to enable custom CA crt file - should also set `tls.CA.secret` | `false` |
| `tls.CA.secret` | Secret containing CA certificate (ca.crt) | `""` |
| `adminPassword` | Password for admin user. Unset to auto-generate the password | None |
| `configPassword` | Password for config user. Unset to auto-generate the password | None |
| `customLdifFiles` | Custom ldif files to seed the LDAP server. List of filename -> data pairs | None |
| `persistence.enabled` | Whether to use PersistentVolumes or not | `false` |
| `persistence.storageClass` | Storage class for PersistentVolumes. | `<unset>` |
| `persistence.accessMode` | Access mode for PersistentVolumes | `ReadWriteOnce` |
| `persistence.size` | PersistentVolumeClaim storage size | `8Gi` |
| `resources` | Container resource requests and limits in yaml | `{}` |
| `test.enabled` | Conditionally provision test resources | `false` |
| `test.image.repository` | Test container image requires bats framework | `dduportal/bats` |
| `test.image.tag` | Test container tag | `0.4.0` |
| `replication.enabled` | Enable the multi-master replication | `true` |
| `replication.retry` | retry period for replication in sec | `60` |
| `replication.timeout` | timeout for replication in sec| `1` |
| `replication.starttls` | starttls replication | `critical` |
| `replication.tls_reqcert` | tls certificate validation for replication | `never` |
| `replication.interval` | interval for replication | `00:00:00:10` |
| `replication.clusterName` | Set the clustername for replication | "cluster.local" |
| `phpldapadmin.enabled` | Enable the deployment of PhpLdapAdmin | `true`|
| `phpldapadmin.ingress` | Ingress of Phpldapadmin | `{}` |
| `phpldapadmin.env` | Environment variables for PhpldapAdmin| `{}` |
|`ltb-passwd.enabled`| Enable the deployment of Ltb-Passwd| `true` |
|`ltb-passwd.ingress`| Ingress of the Ltb-Passwd service | `{}` |
|`ltb-passwd.ldap`| Ldap configuration for the Ltb-Passwd service | `{}` |
|`ltb-passwd.env`| Environment variables for ltp-passwd | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install --name my-release -f values.yaml stable/openldap
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## PhpLdapAdmin
To enable PhpLdapAdmin set `phpldapadmin.enabled` to `true`
Ingress can be configure if you want to expose the service.
Setup the env part of the configuration to access the OpenLdap server
**Note** : The ldap host should match the following `namespace.Appfullname`
Example :
```
phpldapadmin:
enabled: true
ingress:
enabled: true
annotations: {}
path: /
## Ingress Host
hosts:
- phpldapadmin.local
env:
PHPLDAPADMIN_LDAP_HOSTS: openldap.openldap
```
## Self-service-password
To enable Self-service-password set `ltb-passwd.enabled` to `true`
Ingress can be configure if you want to expose the service.
Setup the `ldap` part with the information of the OpenLdap server.
Set `bindDN` accordingly to your ldap domain
**Note** : The ldap server host should match the following `ldap://namespace.Appfullname`
Example :
```
ltb-passwd:
enabled : true
ingress:
enabled: true
annotations: {}
host: "ssl-ldap2.local"
ldap:
server: ldap://openldap.openldap
searchBase: dc=example,dc=org
bindDN: cn=admin,dc=example,dc=org
bindPWKey: LDAP_ADMIN_PASSWORD
```
## Cleanup orphaned Persistent Volumes
Deleting the Deployment will not delete associated Persistent Volumes if persistence is enabled.
Do the following after deleting the chart release to clean up orphaned Persistent Volumes.
```bash
$ kubectl delete pvc -l release=${RELEASE-NAME}
```
## Custom Secret
`existingSecret` can be used to override the default secret.yaml provided
## Testing
Helm tests are included and they confirm connection to slapd.
```bash
helm install . --set test.enabled=true
helm test <RELEASE_NAME>
RUNNING: foolish-mouse-openldap-service-test-akmms
PASSED: foolish-mouse-openldap-service-test-akmms
```
It will confirm that we can do an ldapsearch with the default credentials

22
opencloud/charts/openldap/charts/ltb-passwd/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

5
opencloud/charts/openldap/charts/ltb-passwd/Chart.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v2
appVersion: "1.3"
description: LTB Project Password self service
name: ltb-passwd
version: 0.1.0

63
opencloud/charts/openldap/charts/ltb-passwd/README.md Normal file
View File

@ -0,0 +1,63 @@
# LTB Password Self Service Helm Chart
This repository contains the helm chart for the LTB password change webapp.
It is based on several other projects, namely:
- [LTB Self-Service Password](https://ltb-project.org/documentation/self-service-password)
- [LTB Self-Service Password Github Repo](https://github.com/ltb-project/self-service-password)
- [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password)
## Prerequisites
- Kubernetes 1.8+
## Chart Details
This chart will do the following:
- Instantiate an instance of the LTB LDAP Self-Service Password webapp.
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm install --name my-release $PATH_TO_THIS_REPO
```
## Configuration
We use this image as base image, please refer to the documentation for specific options.
- [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password)
Configuration is done within `values.yaml`:
| Parameter | Description | Default |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
| `ldap.server` | LDAP Server URL, should be of the form: `ldap://ldap.svc:389` | ` ` |
| `ldap.searchBase` | LDAP Search Base for the users | ` ` |
| `ldap.binduserSecret` | Name of an **existing** secret to fetch the credentials for the bind user from. Needs keys `BINDDN` and `BINDPW` | ` ` |
| `env` | List of key value pairs as env variables to be sent to the docker image. See https://github.com/tiredofit/docker-self-service-password for available ones | `[see values.yaml]`|
| `replicaCount` | Number of replicas | `1` |
| `image.repository` | Container image repository | ` tiredofit/self-service-password` |
| `image.tag` | Container image tag | `latest` |
| `image.pullPolicy` | Container pull policy | `Default` |
| `service.port` | External port for the WebApp | `80` |
| `service.type` | Service type | `ClusterIP` |
| `ingress.enabled` | Whether to generate ingress resources | `false` |
| `ingress.annotations` | Annotations to add to the ingress | `{}` |
| `ingress.hosts` | Hostnames to redirect to the webapp | `[]` |
| `ingress.tls` | TLS Configuration | `[]` |
| `resources` | Container resource requests and limits in yaml | `{}` |
| `nodeSelector` | NodeSelector to run the image on | `{}` |
| `tolerations` | Tolerations for the service pod | `[]` |
| `affinity` | Attractions for the service pod | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install --name my-release -f values.yaml $PATH_TO_THIS_REPO
```

1
opencloud/charts/openldap/charts/ltb-passwd/templates/NOTES.txt Normal file
View File

@ -0,0 +1 @@
Happy password changing :)

51
opencloud/charts/openldap/charts/ltb-passwd/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,51 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "ltb-passwd.name" -}}
{{ default .Release.Name .Values.existingSecret }}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "ltb-passwd.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ltb-passwd.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "ltb-passwd.labels" -}}
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
helm.sh/chart: {{ include "ltb-passwd.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Generate chart secret name
*/}}
{{- define "ltb-passwd.secretName" -}}
{{ default (include "ltb-passwd.fullname" .) .Values.existingSecret }}
{{- end -}}

69
opencloud/charts/openldap/charts/ltb-passwd/templates/deployment.yaml Normal file
View File

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ltb-passwd.fullname" . }}
labels:
{{ include "ltb-passwd.labels" . | indent 4 }}
spec:
replicas: {{ default 1 .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: LDAP_SERVER
value: {{ .Values.ldap.server | quote }}
- name: LDAP_BINDDN
value: {{ .Values.ldap.bindDN | quote }}
- name: LDAP_BINDPASS
valueFrom:
secretKeyRef:
name: {{ template "ltb-passwd.secretName" . }}
key: {{ .Values.ldap.bindPWKey }}
- name: LDAP_STARTTLS
value: "false"
- name: LDAP_BASE_SEARCH
value: {{ .Values.ldap.searchBase | quote }}
{{- with .Values.env }}
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

38
opencloud/charts/openldap/charts/ltb-passwd/templates/ingress.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "ltb-passwd.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "ltb-passwd.name" . }}
chart: {{ template "ltb-passwd.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

19
opencloud/charts/openldap/charts/ltb-passwd/templates/service.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "ltb-passwd.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
helm.sh/chart: {{ include "ltb-passwd.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}

51
opencloud/charts/openldap/charts/ltb-passwd/values.yaml Normal file
View File

@ -0,0 +1,51 @@
# Default values for ltb-passwd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: tiredofit/self-service-password
tag: latest
pullPolicy: Always
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
service:
type: ClusterIP
port: 80
ingress:
enabled: true
annotations: {}
host: "ssl-ldap.local"
## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
annotations: {}
path: /
## Ingress Host
# hosts:
# - ssl-ldap.local
#
tls: []
# tls:
# - secretName: ssl-ldap-dedicated-tls
# hosts:
# - ssl-ldap.local
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
ldap:
server: ldap://openldap.openldap
searchBase: dc=example,dc=org
# existingSecret: ssp-ldap
bindDN: cn=admin,dc=example,dc=org
bindPWKey: BINDPW
env:
- name: SECRETEKEY
value: "password"
- name: LDAP_LOGIN_ATTRIBUTE
value: "cn"

13
opencloud/charts/openldap/charts/phpldapadmin/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
appVersion: 0.7.1
description: Web-based LDAP browser to manage your LDAP server
home: http://phpldapadmin.sourceforge.net
icon: http://phpldapadmin.sourceforge.net/wiki/images/d/d4/Logo.jpg
keywords:
- phpldapadmin
- openldap
- userrights
maintainers:
- name: Jean-Philippe Gouin
name: phpldapadmin
version: 0.1.2

107
opencloud/charts/openldap/charts/phpldapadmin/README.md Normal file
View File

@ -0,0 +1,107 @@
# Helm Chart for phpLDAPadmin
[![CircleCI](https://circleci.com/gh/cetic/helm-phpLDAPadmin.svg?style=svg)](https://circleci.com/gh/cetic/helm-phpLDAPadmin/tree/master) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![version](https://img.shields.io/github/tag/cetic/helm-phpLDAPadmin.svg?label=release)
## Introduction
This [Helm](https://github.com/kubernetes/helm) chart installs [phpLDAPadmin](http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page) in a Kubernetes cluster.
## Prerequisites
- Kubernetes cluster 1.10+
- Helm 2.8.0+
- PV provisioner support in the underlying infrastructure.
## Installation
### Add Helm repository
```bash
helm repo add cetic https://cetic.github.io/helm-charts
helm repo update
```
### Configure the chart
The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (you need to download the chart first).
#### Configure the way how to expose phpLDAPadmin service:
- **Ingress**: The ingress controller must be installed in the Kubernetes cluster.
- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
- **NodePort**: Exposes the service on each Nodes IP at a static port (the NodePort). Youll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`.
- **LoadBalancer**: Exposes the service externally using a cloud providers load balancer.
#### Configure how to persist data (TODO):
- **Disable**: The data does not survive the termination of a pod.
- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use.
### Install the chart
Install the phpLDAPadmin helm chart with a release name `my-release`:
```bash
helm install --name my-release cetic/phpldapadmin
```
## Uninstallation
To uninstall/delete the `my-release` deployment:
```bash
helm delete --purge my-release
```
## Configuration
The following table lists the configurable parameters of the phpLDAPadmin chart and the default values.
| Parameter | Description | Default |
| --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------| ------------------------------- |
| **ReplicaCount** |
| `replicaCount` | number of phpLDAPadmin images | `1` |
| **Env** |
| `env` | See values.yaml | `nil` |
| **Image** |
| `image.repository` | phpldapadmin Image name | `osixia/phpldapadmin` |
| `image.tag` | phpldapadmin Image tag | `0.7.1` |
| `image.pullPolicy` | phpldapadmin Image pull policy | `IfNotPresent` |
| **Service** |
| `service.type` | Type of service for phpldapadmin frontend | `LoadBalancer` |
| `service.port` | Port to expose service | `80` |
| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `nil` |
| `service.loadBalancerSourceRanges` | LoadBalancerSourceRanges | `nil` |
| `service.annotations` | Service annotations | `{}` |
| **Ingress** |
| `ingress.enabled` | Enables Ingress | `false` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.path` | Path to access frontend | `/` |
| `ingress.hosts` | Ingress hosts | `nil` |
| `ingress.tls` | Ingress TLS configuration | `[]` |
| **ReadinessProbe** |
| `readinessProbe` | Rediness Probe settings | `{ "httpGet": { "path": "/", "port": http }}`|
| **LivenessProbe** |
| `livenessProbe` | Liveness Probe settings | `{ "httpGet": { "path": "/", "port": http }}`|
| **Resources** |
| `resources` | CPU/Memory resource requests/limits | `{}` |
| **nodeSelector** |
| `nodeSelector` | nodeSelector | `{}` |
| **tolerations** |
| `tolerations` | tolerations | `{}` |
| **affinity** |
| `affinity` | affinity | `{}` |
## Credits
Initially inspired from https://github.com/gengen1988/helm-phpldapadmin.
## Contributing
Feel free to contribute by making a [pull request](https://github.com/cetic/helm-phpLDAPadmin/pull/new/master).
Please read the official [Contribution Guide](https://github.com/helm/charts/blob/master/CONTRIBUTING.md) from Helm for more information on how you can contribute to this Chart.
## License
[Apache License 2.0](/LICENSE)

84
opencloud/charts/openldap/charts/phpldapadmin/publish.sh Normal file
View File

@ -0,0 +1,84 @@
#!/bin/sh
set -e
set -o pipefail
WORKING_DIRECTORY="$PWD"
[ "$GITHUB_PAGES_REPO" ] || {
echo "ERROR: Environment variable GITHUB_PAGES_REPO is required"
exit 1
}
[ "$HELM_CHART" ] || {
echo "ERROR: Environment variable HELM_CHART is required"
exit 1
}
[ -z "$GITHUB_PAGES_BRANCH" ] && GITHUB_PAGES_BRANCH=gh-pages
[ -z "$HELM_CHARTS_SOURCE" ] && HELM_CHARTS_SOURCE="$WORKING_DIRECTORY/$HELM_CHART"
[ -d "$WORKING_DIRECTORY" ] || {
echo "ERROR: Could not find Helm charts in $WORKING_DIRECTORY"
exit 1
}
[ -z "$HELM_VERSION" ] && HELM_VERSION=2.8.1
[ "$CIRCLE_BRANCH" ] || {
echo "ERROR: Environment variable CIRCLE_BRANCH is required"
exit 1
}
echo "GITHUB_PAGES_REPO=$GITHUB_PAGES_REPO"
echo "GITHUB_PAGES_BRANCH=$GITHUB_PAGES_BRANCH"
echo "HELM_CHARTS_SOURCE=$HELM_CHARTS_SOURCE"
echo "HELM_VERSION=$HELM_VERSION"
echo "CIRCLE_BRANCH=$CIRCLE_BRANCH"
echo ">>> Create Chart Directory"
mkdir -p $HELM_CHARTS_SOURCE/
mkdir -p /tmp/helm-tmp/
mv $WORKING_DIRECTORY/* /tmp/helm-tmp/
mv /tmp/helm-tmp/ $HELM_CHARTS_SOURCE/
echo '>> Prepare...'
mkdir -p /tmp/helm/bin
mkdir -p /tmp/helm/publish
apk update
apk add ca-certificates git openssh
echo '>> Installing Helm...'
cd /tmp/helm/bin
wget "https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz"
tar -zxf "helm-v${HELM_VERSION}-linux-amd64.tar.gz"
chmod +x linux-amd64/helm
alias helm=/tmp/helm/bin/linux-amd64/helm
helm version -c
helm init -c
echo ">> Checking out $GITHUB_PAGES_BRANCH branch from $GITHUB_PAGES_REPO"
cd /tmp/helm/publish
mkdir -p "$HOME/.ssh"
ssh-keyscan -H github.com >> "$HOME/.ssh/known_hosts"
git clone -b "$GITHUB_PAGES_BRANCH" "git@github.com:$GITHUB_PAGES_REPO.git" .
echo '>> Building chart...'
echo ">>> helm lint $HELM_CHARTS_SOURCE"
helm lint "$HELM_CHARTS_SOURCE"
echo ">>> helm package -d $HELM_CHART $HELM_CHARTS_SOURCE"
mkdir -p "$HELM_CHART"
helm package -d "$HELM_CHART" "$HELM_CHARTS_SOURCE"
echo '>>> helm repo index'
helm repo index .
if [ "$CIRCLE_BRANCH" != "master" ]; then
echo "Current branch is not master and do not publish"
exit 0
fi
echo ">> Publishing to $GITHUB_PAGES_BRANCH branch of $GITHUB_PAGES_REPO"
git config user.email "$CIRCLE_USERNAME@users.noreply.github.com"
git config user.name CircleCI
git add .
git status
git commit -m "Published by CircleCI $CIRCLE_BUILD_URL"
git push origin "$GITHUB_PAGES_BRANCH"

26
opencloud/charts/openldap/charts/phpldapadmin/templates/NOTES.txt Normal file
View File

@ -0,0 +1,26 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
You should be able to access your new phpLDAPadmin installation through
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
Find out your cluster ip address by running:
$ kubectl cluster-info
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "phpldapadmin.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "phpldapadmin.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "phpldapadmin.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "phpldapadmin.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}
** Please be patient while the chart is being deployed **

32
opencloud/charts/openldap/charts/phpldapadmin/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "phpldapadmin.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "phpldapadmin.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "phpldapadmin.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

14
opencloud/charts/openldap/charts/phpldapadmin/templates/configmap.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "phpldapadmin.fullname" . }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{ toYaml .Values.env | indent 2 }}

52
opencloud/charts/openldap/charts/phpldapadmin/templates/deployment.yaml Normal file
View File

@ -0,0 +1,52 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "phpldapadmin.fullname" . }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "phpldapadmin.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "phpldapadmin.name" . }}
release: {{ .Release.Name }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80
protocol: TCP
envFrom:
- configMapRef:
name: {{ template "phpldapadmin.fullname" . }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 12 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 12 }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

38
opencloud/charts/openldap/charts/phpldapadmin/templates/ingress.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "phpldapadmin.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

32
opencloud/charts/openldap/charts/phpldapadmin/templates/service.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "phpldapadmin.fullname" . }}
labels:
app: {{ template "phpldapadmin.name" . }}
chart: {{ template "phpldapadmin.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ with .Values.service.loadBalancerSourceRanges }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app: {{ template "phpldapadmin.name" . }}
release: {{ .Release.Name }}

94
opencloud/charts/openldap/charts/phpldapadmin/values.yaml Normal file
View File

@ -0,0 +1,94 @@
---
# Default values for phpldapadmin.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
## TODO: add this in the deployment.yaml
env:
# PHPLDAPADMIN_LDAP_HOSTS: ...
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
## Number of phpLDAPadmin images
replicaCount: 1
## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
##
image:
repository: osixia/phpldapadmin
tag: 0.9.0
pullPolicy: IfNotPresent
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
## TODO persistence
## Expose the pgAdmin service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
type: ClusterIP
## name: phpldapadmin
port: 80
annotations: {}
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
# loadBalancerSourceRanges:
# - 10.10.10.0/24
## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
enabled: false
annotations: {}
path: /
## Ingress Host
# hosts:
# - phpldapadmin.example.org
#
tls: []
# tls:
# - secretName: phpldapadmin-dedicated-tls
# hosts:
# - phpldapadmin.example.org
## Configure liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
readinessProbe:
httpGet:
path: /
port: http
livenessProbe:
httpGet:
path: /
port: http
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

20
opencloud/charts/openldap/templates/NOTES.txt Normal file
View File

@ -0,0 +1,20 @@
OpenLDAP has been installed. You can access the server from within the k8s cluster using:
{{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }}
You can access the LDAP adminPassword and configPassword using:
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_ADMIN_PASSWORD}" | base64 --decode; echo
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_CONFIG_PASSWORD}" | base64 --decode; echo
You can access the LDAP service, from within the cluster (or with kubectl port-forward) with a command like (replace password and domain):
ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}-service.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
Test server health using Helm test:
helm test {{ .Release.Name }}
You can also consider installing the helm chart for phpldapadmin to manage this instance of OpenLDAP, or install Apache Directory Studio, and connect using kubectl port-forward.

74
opencloud/charts/openldap/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,74 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "openldap.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openldap.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openldap.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Generate chart secret name
*/}}
{{- define "openldap.secretName" -}}
{{ default (include "openldap.fullname" .) .Values.existingSecret }}
{{- end -}}
{{/*
Generate replication services list
*/}}
{{- define "replicalist" -}}
{{- $name := (include "openldap.fullname" .) }}
{{- $namespace := .Release.Namespace }}
{{- $cluster := .Values.replication.clusterName }}
{{- $nodeCount := .Values.replicaCount | int }}
{{- range $index0 := until $nodeCount -}}
{{- $index1 := $index0 | add1 -}}
'ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}'{{ if ne $index1 $nodeCount }},{{ end }}
{{- end -}}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
{{ include "openldap.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "openldap.tplValue" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

23
opencloud/charts/openldap/templates/configmap-customldif.yaml Normal file
View File

@ -0,0 +1,23 @@
#
# A ConfigMap spec for openldap slapd that map directly to files under
# /container/service/slapd/assets/config/bootstrap/ldif/custom
#
{{- if .Values.customLdifFiles }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openldap.fullname" . }}-customldif
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{- range $key, $val := .Values.customLdifFiles }}
{{ $key }}: |-
{{ $val | indent 4}}
{{- end }}
{{- end }}

26
opencloud/charts/openldap/templates/configmap-env.yaml Normal file
View File

@ -0,0 +1,26 @@
#
# A ConfigMap spec for openldap slapd that map directly to env variables in the Pod.
# List of environment variables supported is from the docker image:
# https://github.com/osixia/docker-openldap#beginner-guide
# Note that passwords are defined as secrets
#
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openldap.fullname" . }}-env
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
{{ toYaml .Values.env | indent 2 }}
{{- if .Values.replication.enabled }}
LDAP_REPLICATION: "true"
LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
LDAP_REPLICATION_DB_SYNCPROV: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval={{.Values.replication.interval }} retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:[{{ template "replicalist" . }}]"
{{- end }}

17
opencloud/charts/openldap/templates/secret-ltb.yaml Normal file
View File

@ -0,0 +1,17 @@
{{ if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "openldap.fullname" . }}-ltb-passwd
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
type: Opaque
data:
LDAP_ADMIN_PASSWORD: {{ .Values.adminPassword | b64enc | quote }}
{{ end }}

18
opencloud/charts/openldap/templates/secret.yaml Normal file
View File

@ -0,0 +1,18 @@
{{ if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "openldap.fullname" . }}
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
type: Opaque
data:
LDAP_ADMIN_PASSWORD: {{ .Values.adminPassword | b64enc | quote }}
LDAP_CONFIG_PASSWORD: {{ .Values.configPassword | b64enc | quote }}
{{ end }}

47
opencloud/charts/openldap/templates/service.yaml Normal file
View File

@ -0,0 +1,47 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
name: {{ template "openldap.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "openldap.fullname" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
ports:
- name: ldap-port
protocol: TCP
port: {{ .Values.service.ldapPort }}
targetPort: ldap-port
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.ldapPortNodePort }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
- name: ssl-ldap-port
protocol: TCP
port: {{ .Values.service.sslLdapPort }}
targetPort: ssl-ldap-port
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.sslLdapPortNodePort }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
selector:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}

153
opencloud/charts/openldap/templates/statefullset.yaml Normal file
View File

@ -0,0 +1,153 @@
apiVersion: {{ template "statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "openldap.fullname" . }}
labels:
app: {{ template "openldap.fullname" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
{{- if .Values.strategy }}
strategy:
{{ toYaml .Values.strategy | indent 4 }}
{{- end }}
selector:
matchLabels:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}
serviceName: {{ template "openldap.fullname" . }}-headless
template:
metadata:
annotations:
checksum/configmap-env: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }}
{{- if .Values.customLdifFiles}}
checksum/configmap-customldif: {{ include (print $.Template.BasePath "/configmap-customldif.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations}}
{{ toYaml .Values.podAnnotations | indent 8}}
{{- end }}
labels:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- -l
- {{ .Values.logLevel }}
{{- if .Values.customLdifFiles }}
- --copy-service
{{- end }}
ports:
- name: ldap-port
containerPort: 389
- name: ssl-ldap-port
containerPort: 636
envFrom:
- configMapRef:
name: {{ template "openldap.fullname" . }}-env
- secretRef:
name: {{ template "openldap.secretName" . }}
volumeMounts:
- name: data
mountPath: /var/lib/ldap
subPath: data
- name: data
mountPath: /etc/ldap/slapd.d
subPath: config-data
- name: data
mountPath: /container/service/slapd/assets/certs
{{- if .Values.customLdifFiles }}
- name: custom-ldif-files
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
#- name: HOSTNAME
# value: $(POD_NAME).{{ template "openldap.fullname" . }}-headless
{{- if .Values.tls.enabled }}
- name: LDAP_TLS_CRT_FILENAME
value: tls.crt
- name: LDAP_TLS_KEY_FILENAME
value: tls.key
{{- if .Values.tls.CA.enabled }}
- name: LDAP_TLS_CA_CRT_FILENAME
value: ca.crt
{{- end }}
{{- end }}
livenessProbe:
tcpSocket:
port: ldap-port
initialDelaySeconds: 20
periodSeconds: 10
failureThreshold: 10
readinessProbe:
tcpSocket:
port: ldap-port
initialDelaySeconds: 20
periodSeconds: 10
failureThreshold: 10
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app.kubernetes.io/component: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
imagePullSecrets:
- name: {{ .Values.image.pullSecret }}
{{- if .Values.customLdifFiles }}
volumes:
- name: custom-ldif-files
configMap:
name: {{ template "openldap.fullname" . }}-customldif
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: data
annotations:
{{- range $key, $value := .Values.persistence.annotations }}
{{ $key }}: {{ $value }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- else }}
- name: data
emptyDir: {}
{{- end }}

20
opencloud/charts/openldap/templates/svc-headless.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "openldap.fullname" . }}-headless
labels:
app: {{ template "openldap.fullname" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- port: {{ .Values.service.ldapPort }}
name: ldap-port
targetPort: ldap-port
clusterIP: None
selector:
app: {{ template "openldap.fullname" . }}
release: {{ .Release.Name }}
type: ClusterIP
sessionAffinity: None

50
opencloud/charts/openldap/templates/tests/openldap-test-runner.yaml Normal file
View File

@ -0,0 +1,50 @@
{{- if .Values.test.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ template "openldap.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test-success
spec:
initContainers:
- name: test-framework
image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}
command:
- "bash"
- "-c"
- |
set -ex
# copy bats to tools dir
cp -R /usr/local/libexec/ /tools/bats/
volumeMounts:
- mountPath: /tools
name: tools
containers:
- name: {{ .Release.Name }}-test
image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}
envFrom:
- secretRef:
name: {{ template "openldap.secretName" . }}
command: ["/tools/bats/bats", "-t", "/tests/run.sh"]
volumeMounts:
- mountPath: /tests
name: tests
readOnly: true
- mountPath: /tools
name: tools
volumes:
- name: tests
configMap:
name: {{ template "openldap.fullname" . }}-tests
- name: tools
emptyDir: {}
restartPolicy: Never
{{- end -}}

22
opencloud/charts/openldap/templates/tests/openldap-tests.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.test.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openldap.fullname" . }}-tests
labels:
app: {{ template "openldap.name" . }}
chart: {{ template "openldap.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
data:
run.sh: |-
@test "Testing connecting to slapd server" {
# Ideally, this should be in the docker image, but there is not a generic image we can use
# with bats and ldap-utils installed. It is not worth for now to push an image for this.
apt-get update && apt-get install -y ldap-utils
ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
}
{{- end -}}

179
opencloud/charts/openldap/values.yaml Normal file
View File

@ -0,0 +1,179 @@
# Default values for openldap.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 3
# Define deployment strategy - IMPORTANT: use rollingUpdate: null when use Recreate strategy.
# It prevents from merging with existing map keys which are forbidden.
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
#
# or
#
# type: Recreate
# rollingUpdate: null
image:
# From repository https://github.com/osixia/docker-openldap
repository: osixia/openldap
tag: 1.4.0
pullPolicy: Always
pullSecret: harbor
# Set the container log level
# Valid log levels: none, error, warning, info (default), debug, trace
logLevel: info
# Spcifies an existing secret to be used for admin and config user passwords
existingSecret: ""
# settings for enabling TLS with custom certificate
tls:
enabled: true
secret: "" # The name of a kubernetes.io/tls type secret to use for TLS
CA:
enabled: false
secret: "" # The name of a generic secret to use for custom CA certificate (ca.crt)
## Add additional labels to all resources
extraLabels: {}
## Add additional annotations to pods
podAnnotations: {}
service:
annotations: {}
ldapPort: 389
sslLdapPort: 636
## If service type NodePort, define the value here
#ldapPortNodePort:
#sslLdapPortNodePort:
## List of IP addresses at which the service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
##
externalIPs: []
#loadBalancerIP:
#loadBalancerSourceRanges: []
type: ClusterIP
# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "Example Inc."
LDAP_DOMAIN: "example.org"
LDAP_READONLY_USER: "false"
LDAP_READONLY_USER_USERNAME: "readonly"
LDAP_READONLY_USER_PASSWORD: "readonly"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap.crt"
LDAP_TLS_KEY_FILENAME: "ldap.key"
LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
CONTAINER_LOG_LEVEL: "4"
LDAP_TLS_REQCERT: "never"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
LDAP_TLS_VERIFY_CLIENT: "never"
LDAP_TLS_PROTOCOL_MIN: "3.0"
LDAP_TLS_CIPHER_SUITE: "NORMAL"
# Default Passwords to use, stored as a secret.
# You can override these at install time with
# helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
adminPassword: Not@SecurePassw0rd
configPassword: Not@SecurePassw0rd
# Custom openldap configuration files used to override default settings
# customLdifFiles:
# 01-default-users.ldif: |-
# Predefine users here
replication:
enabled: true
# Enter the name of your cluster, defaults to "cluster.local"
clusterName: "cluster.local"
retry: 60
timeout: 1
interval: 00:00:00:10
starttls: "critical"
tls_reqcert: "never"
## Persist data to a persistent volume
persistence:
enabled: true
## database data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "standard-singlewriter"
accessModes:
- ReadWriteOnce
size: 8Gi
resources: {}
# requests:
# cpu: "100m"
# memory: "256Mi"
# limits:
# cpu: "500m"
# memory: "512Mi"
nodeSelector: {}
tolerations: []
## test container details
test:
enabled: false
image:
repository: dduportal/bats
tag: 0.4.0
ltb-passwd:
enabled : true
ingress:
enabled: true
annotations: {}
path: /
## Ingress Host
hosts:
- "ssl-ldap2.example"
ldap:
server: ldap://openldap
searchBase: dc=example,dc=org
# existingSecret: openldaptest
bindDN: cn=admin,dc=example,dc=org
bindPWKey: LDAP_ADMIN_PASSWORD
phpldapadmin:
enabled: true
ingress:
enabled: true
annotations: {}
path: /
## Ingress Host
hosts:
- phpldapadmin.example
env:
PHPLDAPADMIN_LDAP_HOSTS: openldap
# TODO make it works
# "#PYTHON2BASH:
# [{'openldap.openldap':
# [{'server': [
# {'tls': False},
# {'port':636}
# ]},
# {'login':
# [{'bind_id': 'cn=admin,dc=example,dc=org'}]
# }]
# }]"

122
opencloud/dev-values.yaml
View File

@ -14,7 +14,6 @@ mongo-express:
mongodb:
enabled: false
#TODO PROVISIONING CUSTOM PVC
mongodb:
enabled: true
global:
@ -56,47 +55,100 @@ nats:
storageClassName: kind-sc
openldap-stack-ha:
enabled: false
global:
ldapDomain: "opencloud.acme.com"
adminUser: "admin"
adminPassword: "acmeOpenCloudAdmin"
configUser: "admin"
configPassword: "acmeOpenCloudConfig"
openldap:
enabled: true
test:
enabled: false
ltb-passwd:
enabled: false
replicaCount: 1
image:
repository: osixia/openldap
tag: 1.5.0
tls:
enabled: false
env:
LDAP_ORGANISATION: "Acme opencloud"
LDAP_DOMAIN: "acme.com"
LDAP_BACKEND: "mdb"
LDAP_TLS: "false"
LDAP_TLS_ENFORCE: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
adminPassword: "goaChai9"
configPassword: "xaidee2M"
phpldapadmin:
enabled: false
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 20Mi
size: 10Mi
storageClass: kind-sc
ltb-passwd:
enabled : false
env:
LDAP_REQUIRE_TLS: "false"
LDAP_ENABLE_TLS: "yes"
LDAP_TLS_ENFORCE: "false"
phpldapadmin:
enabled: false
replication:
enabled: false
replicaCount: 1
customLdifFiles:
01-schema.ldif: |-
dn: ou=groups,dc=acme,dc=com
objectClass: organizationalUnit
ou: groups
dn: ou=users,dc=acme,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=lastGID,dc=acme,dc=com
objectClass: device
objectClass: top
description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group.
cn: lastGID
serialNumber: 2001
dn: cn=lastUID,dc=acme,dc=com
objectClass: device
objectClass: top
serialNumber: 2001
description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
cn: lastUID
02-ldapadmin.ldif : |-
dn: cn=ldapadmin,ou=groups,dc=acme,dc=com
objectClass: top
objectClass: posixGroup
cn: ldapadmin
memberUid: acme.ldapadmin
gidNumber: 2001
dn: uid=acme.ldapadmin,ou=users,dc=acme,dc=com
givenName: ldapadmin
sn: ldapadmin
uid: acme.ldapadmin
cn: acmeldapadmin
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e0NSWVBUfSQ2JDhycFZxbk5NJHNmWVhBYUNYUzdZbXFhR1VWTjdJa20wT2hXLmVtT3oua2x5L3V5YUdjNE81MDVEalU0R2ZMb0hTaFVwNUkvVUxFT0JubWJ2d29meFNFcXIuaFRVMm0u
uidNumber: 2001
gidNumber: 2001
loginShell: /bin/bash
homeDirectory: /home/acme.ldapadmin
#acme.ldapadmin ia3Bahr3
# ldap user manager configuration
ldapUserManager:
enabled: false
version: v1.11
enabled: true
env:
SERVER_HOSTNAME: "opencloud.acme.com"
LDAP_BASE_DN: "dc=opencloud,dc=acme,dc=com"
SERVER_HOSTNAME: "users.acme.com"
LDAP_BASE_DN: "dc=acme,dc=com"
LDAP_REQUIRE_STARTTLS: "false"
LDAP_ADMINS_GROUP: "ldapadmin"
LDAP_ADMIN_BIND_DN: "cn=admin,dc=opencloud,dc=acme,dc=com"
LDAP_ADMIN_BIND_PWD: "acmeOpenCloudAdmin"
LDAP_ADMIN_BIND_DN: "cn=admin,dc=acme,dc=com"
LDAP_ADMIN_BIND_PWD: "goaChai9"
LDAP_IGNORE_CERT_ERRORS: "true"
EMAIL_DOMAIN: ""
NO_HTTPS: "true"
SERVER_PATH: "/users"
ORGANISATION_NAME: "Opencloud Acme"
ORGANISATION_NAME: "Acme"
LDAP_USER_OU: "users"
LDAP_GROUP_OU: "groups"
ACCEPT_WEAK_PASSWORDS: "true"
@ -119,4 +171,20 @@ traefik:
entryPoints: [web]
ports:
web:
nodePort: 30950
nodePort: 30950
hydra:
enabled: true
maester:
enabled: false
hydra:
dev: true
config:
dsn: memory
urls:
login: http://localhost/auth/login
consent: http://localhost/auth/consent
logout: http://localhost/auth/logout
self:
issuer: http://localhost/auth

18
opencloud/templates/hydra.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if index .Values "mongo-express" "enabled" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: hydra-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-mongo-express
passHostHeader: true
port: 8081
{{- end }}

113
opencloud/templates/ldapUserManager.yaml Normal file
View File

@ -0,0 +1,113 @@
{{- if .Values.ldapUserManager.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: ldap-user-manager
name: {{ .Release.Name }}-ldap-user-manager
spec:
replicas: 1
selector:
matchLabels:
app: ldap-user-manager
strategy: {}
template:
metadata:
labels:
app: ldap-user-manager
spec:
containers:
- image: wheelybird/ldap-user-manager:v1.8
name: ldap-user-manager
env:
- name: SERVER_HOSTNAME
value: "{{ .Values.ldapUserManager.env.SERVER_HOSTNAME }}"
- name: LDAP_URI
value: "ldap://{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local"
- name: LDAP_BASE_DN
value: "{{ .Values.ldapUserManager.env.LDAP_BASE_DN }}"
- name: LDAP_REQUIRE_STARTTLS
value: "{{ .Values.ldapUserManager.env.LDAP_REQUIRE_STARTTLS }}"
- name: LDAP_ADMINS_GROUP
value: "{{ .Values.ldapUserManager.env.LDAP_ADMINS_GROUP }}"
- name: LDAP_ADMIN_BIND_DN
value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_DN }}"
- name: LDAP_ADMIN_BIND_PWD
value: "{{ .Values.ldapUserManager.env.LDAP_ADMIN_BIND_PWD }}"
- name: LDAP_IGNORE_CERT_ERRORS
value: "{{ .Values.ldapUserManager.env.LDAP_IGNORE_CERT_ERRORS }}"
- name: NO_HTTPS
value: "{{ .Values.ldapUserManager.env.NO_HTTPS }}"
- name: EMAIL_DOMAIN
value: "{{ .Values.ldapUserManager.env.EMAIL_DOMAIN }}"
- name: ORGANISATION_NAME
value: "{{ .Values.ldapUserManager.env.ORGANISATION_NAME }}"
- name: LDAP_USER_OU
value: "{{ .Values.ldapUserManager.env.LDAP_USER_OU }}"
- name: LDAP_GROUP_OU
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_OU }}"
- name: SERVER_PATH
value: "{{ .Values.ldapUserManager.env.SERVER_PATH }}"
- name: LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES
value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES }}"
- name: LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES
value: "{{ .Values.ldapUserManager.env.LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES }}"
- name: LDAP_GROUP_ADDITIONAL_OBJECTCLASSES
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_OBJECTCLASSES }}"
- name: LDAP_GROUP_ADDITIONAL_ATTRIBUTES
value: "{{ .Values.ldapUserManager.env.LDAP_GROUP_ADDITIONAL_ATTRIBUTES }}"
- name: ACCEPT_WEAK_PASSWORDS
value: "{{ .Values.ldapUserManager.env.ACCEPT_WEAK_PASSWORDS }}"
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
resources:
limits:
cpu: "{{ .Values.ldapUserManager.resources.limits.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.limits.memory }}"
requests:
cpu: "{{ .Values.ldapUserManager.resources.requests.cpu }}"
memory: "{{ .Values.ldapUserManager.resources.requests.memory }}"
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-ldap-user-manager-svc
labels:
app: ldap-user-manager-svc
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 80
- name: https
port: 8443
protocol: TCP
targetPort: 443
selector:
app: ldap-user-manager
type: ClusterIP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ldap-user-manager-ingress
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/users`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-ldap-user-manager-svc
passHostHeader: true
port: 8080
{{- end }}