diff --git a/k8s/chart/Chart.yaml b/k8s/chart/Chart.yaml
new file mode 100644
index 000000000..e0c70cf3e
--- /dev/null
+++ b/k8s/chart/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: gatekeeper
+version: 0.1.4
diff --git a/k8s/chart/secrets.dev.yaml b/k8s/chart/secrets.dev.yaml
new file mode 100644
index 000000000..2e8a20dfa
--- /dev/null
+++ b/k8s/chart/secrets.dev.yaml
@@ -0,0 +1,14 @@
+clientSecret: ENC[AES256_GCM,data:Pl1Fak4zlIV4w8lBZFdpQdWU2j7OVx6JL2d2DnONm7utaIeC,iv:kmZ5vNVd50U7UF51279o4i6tEhWNfr/N5oxRCCnR0BU=,tag:VOqh7Z/pKU4iLEA7LQ+ZFg==,type:str]
+encryptionKey: ENC[AES256_GCM,data:WIi/ZBHn0XChhf6/LvfkJ+8nfl5GWHJk766Mqoq4RBs=,iv:87lgCZpOS2PSZhaDIL9kEB3irkPUQlfHBR3RqGFRCxM=,tag:z5sw0sjaw5hoXJURs/5ztg==,type:str]
+sops:
+ kms: []
+ gcp_kms:
+ - resource_id: projects/onec-co/locations/global/keyRings/sops/cryptoKeys/sops-key
+ created_at: '2019-02-24T22:20:24Z'
+ enc: CiQANPTHQA5PBULZs6riyGjetX7FSGnfZ+scHZz8JBMJSD0F6vMSSQDDBPFaIowzey0OgY/U3ybesnOb2TsVyKQMDsz+cPhZW7Bk38scfvL0P2fcufLtDpLo5BvdbX3s13mf8SLsBFUY/bsua/xszOQ=
+ azure_kv: []
+ lastmodified: '2019-02-24T22:20:25Z'
+ mac: ENC[AES256_GCM,data:iTaNE7TzbG8u8ZbYoBe9GQcI773sjinoOXyjWockGezoFfK2zDwIVUuLBjAaC2JWK26i477CMvUbH8iy1M/CF6CMUzOeTnEFOPwywPD8AmZC2Afp49FQ7lyeTZQ37p7Q352RDF8n7fbKOyraNN5rvWyIod8FK2HRtXLy/jkAldo=,iv:lB4dkHQk16Eev9qa40Bg7lMBM48sd3bUchmedqpX4t8=,tag:RRCCQoLEfiIalSRMhbqsVg==,type:str]
+ pgp: []
+ unencrypted_suffix: .dec
+ version: 3.2.0
diff --git a/k8s/chart/templates/NOTES.txt b/k8s/chart/templates/NOTES.txt
new file mode 100644
index 000000000..3e050989b
--- /dev/null
+++ b/k8s/chart/templates/NOTES.txt
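Review bot: `unencrypted_suffix: .dec` tells SOPS to leave any key whose name ends in `.dec` in clear text, which is a non-default setting (the default suffix is `_unencrypted`) and is easy to trip over when someone later adds a key to this file; it deserves a line in the chart's documentation such as `keys ending in .dec are stored unencrypted by sops — never use that suffix for a secret`. The only recipient is the single GCP KMS key under `gcp_kms` while `kms`, `azure_kv` and `pgp` are empty, so losing access to that key ring makes the file unrecoverable; a second recipient is the usual safeguard. This is the only encrypted secrets file in the change although `values.prod.yaml` and `values.staging.yaml` are added alongside it, so the `clientSecret`/`encryptionKey` that `templates/secrets.yaml` reads for those environments appear to come from outside this commit — worth confirming they are not expected to be committed in clear.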
@@ -0,0 +1,21 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range $.Values.ingress.paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gatekeeper.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc -w {{ include "gatekeeper.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gatekeeper.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gatekeeper.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:80
+{{- end }}
diff --git a/k8s/chart/templates/_helpers.tpl b/k8s/chart/templates/_helpers.tpl
new file mode 100644
index 000000000..d8075f374
--- /dev/null
+++ b/k8s/chart/templates/_helpers.tpl
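Review bot: The ClusterIP branch forwards `8080:80` and prints an `http://` URL, but the container in `deployment.yaml` only exposes `containerPort: {{ .Values.config.gatekeeper.port }}` (named `https`) and is started with `--tls-cert`/`--tls-private-key`, so nothing listens on 80 and the printed URL would be plain HTTP against a TLS port. Change the last two commands to `echo "Visit https://127.0.0.1:8080 to use your application"` and `kubectl port-forward $POD_NAME 8080:{{ .Values.config.gatekeeper.port }}`. The NodePort and LoadBalancer branches print `http://` URLs for the same TLS service and need the same scheme fix.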
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gatekeeper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gatekeeper.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gatekeeper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/k8s/chart/templates/certificate.yaml b/k8s/chart/templates/certificate.yaml
new file mode 100644
index 000000000..e89a94511
--- /dev/null
+++ b/k8s/chart/templates/certificate.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.certmanager.enabled }}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc-tls
+ issuerRef:
+ name: ca-issuer
+ # We can reference ClusterIssuers by changing the kind here.
+ # The {{ .Release.Namespace }} value is Issuer (i.e. a locally namespaced Issuer)
+ kind: ClusterIssuer
+ commonName: "{{ template "gatekeeper.fullname" . }} server"
+ organization:
+ - One Concern CA
+ dnsNames:
+ - {{ template "gatekeeper.fullname" . }}
+ - "127.0.0.1"
+ - "::1"
+ - localhost
+ - {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}
+ - {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc
+ - {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+{{ end }}
diff --git a/k8s/chart/templates/configmap.yaml b/k8s/chart/templates/configmap.yaml
new file mode 100644
index 000000000..09fba6748
--- /dev/null
+++ b/k8s/chart/templates/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "gatekeeper.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ helm.sh/chart: {{ include "gatekeeper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+ config.yaml: |
+{{ toYaml .Values.config.keys | indent 4 }}
+
diff --git a/k8s/chart/templates/deployment.yaml b/k8s/chart/templates/deployment.yaml
new file mode 100644
index 000000000..0932a3706
--- /dev/null
+++ b/k8s/chart/templates/deployment.yaml
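Review bot: The comment `# The {{ .Release.Namespace }} value is Issuer (i.e. a locally namespaced Issuer)` reads like a mangled copy of the cert-manager example text, and because this file is a Go template the namespace is substituted even inside the YAML comment; replace it with `# The default value is Issuer (i.e. a locally namespaced Issuer)`. `"127.0.0.1"` and `"::1"` are listed under `dnsNames`, but Go TLS clients verify an IP target against the certificate's IP SANs, not its DNS SANs, so those two entries do not make `https://127.0.0.1:<port>` verifiable; if the cert-manager release in use supports an `ipAddresses` field they belong there, otherwise they are inert and worth a comment saying so. `issuerRef.name: ca-issuer` is hard-coded while every other cluster-specific knob lives in values; a new key such as `name: {{ .Values.certmanager.issuerName | default "ca-issuer" }}` would let the chart be installed against another issuer without editing the template.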
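Review bot: `{{ toYaml .Values.config.keys | indent 4 }}` has no guard, so when `config.keys` is not set it renders the literal `null` into `config.yaml` and the container starts with a configuration file whose content is `null` instead of the install failing; the chart's own `values.yaml` ships `config: {}`, so the default install relies entirely on the user supplying this. Prefer `{{ required "config.keys must be set (gatekeeper configuration)" .Values.config.keys | toYaml | indent 4 }}` so a missing configuration is a render-time error naming the key. The trailing empty `+` line at the end of the file is harmless but yamllint will flag it.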
@@ -0,0 +1,151 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "gatekeeper.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ helm.sh/chart: {{ include "gatekeeper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ helm.sh/chart: {{ include "gatekeeper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/path: '/oauth/metrics'
+ prometheus.io/port: '{{ .Values.config.gatekeeper.adminPort | default .Values.config.gatekeeper.port }}'
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . 
| sha256sum }}
+ spec:
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+{{ toYaml .Values.hostnames | indent 10 }}
+ containers:
+ - name: "{{ .Chart.Name }}"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ {{- if .Values.securityContext }}
+ securityContext:
+{{ toYaml .Values.securityContext | indent 12 }}
+ {{- end }}
+ args:
+ - "--config=/etc/gatekeeper/config.yaml"
+ - "--tls-cert=/etc/gatekeeper/server/tls.crt"
+ - "--tls-private-key=/etc/gatekeeper/server/tls.key"
+ - "--listen=0.0.0.0:{{ .Values.config.gatekeeper.port }}"
+ {{- if .Values.config.gatekeeper.adminPort }}
+ - "--listen-admin=0.0.0.0:{{ .Values.config.gatekeeper.adminPort }}"
+ - --listen-admin-scheme=http
+ {{- end }}
+ {{- if .Values.config.oidc.proxy}}
+ - "--openid-provider-proxy={{ .Values.config.oidc.proxy }}"
+ {{- end }}
+ {{- if .Values.caSecret }}
+ - --upstream-ca=/etc/gatekeeper/upstream/ca.crt
+ {{- end }}
+ {{- if .Values.config.oidc.discoveryURL }}
+ - "--discovery-url={{ .Values.config.oidc.discoveryURL }}"
+ {{- end }}
+ {{- if .Values.config.gatekeeper.upstreamURL }}
+ - "--upstream-url={{ .Values.config.gatekeeper.upstreamURL }}"
+ {{- end }}
+ {{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 12 }}
+ {{- end }}
+ env:
+ # OIDC client used by the gateway to connect to Keycloak
+ - name: PROXY_CLIENT_ID
+ value: {{ .Values.config.oidc.clientID }}
+ # OIDC client secret password
+ - name: PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: clientSecret
+ name: {{ include "gatekeeper.fullname" . }}
+ # Encryption key to seal cookies (32 bytes)
+ - name: PROXY_ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ key: encryptionKey
+ name: {{ include "gatekeeper.fullname" . 
}}
+{{- if .Values.extraEnv }}
+{{ toYaml .Values.extraEnv | indent 12 }}
+{{- end }}
+ ports:
+ - name: https
+ containerPort: {{ .Values.config.gatekeeper.port }}
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /oauth/health
+ # port: {{ .Values.config.gatekeeper.adminPort | default .Values.config.gatekeeper.port }}
+ # scheme: HTTP
+ #readinessProbe:
+ # httpGet:
+ # path: /
+ # port: https
+ # scheme: HTTPS
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ volumeMounts:
+ # Configuration file to set complex parameters (arrays, objects)
+ # All simple params are preferrably passed as container args,
+ # or env for secret ones.
+ - mountPath: "/etc/gatekeeper"
+ name: config
+ {{- if .Values.certmanager.enabled }}
+ - mountPath: /etc/gatekeeper/server
+ name: certs
+ {{- end }}
+ {{- if .Values.caSecret }}
+ - mountPath: /etc/gatekeeper/upstream
+ name: upstream-ca
+ {{- end }}
+ {{- if .Values.extraVolumes }}
+{{ toYaml .Values.extraVolumeMounts | indent 12 }}
+ {{- end }}
+ {{- if .Values.extraContainers }}
+{{ toYaml .Values.extraContainers | indent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ volumes:
+ - name: config
+ configMap:
+ name: {{ include "gatekeeper.fullname" . }}
+{{- if .Values.certmanager.enabled }}
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc-tls
+{{- end }}
+ {{- if .Values.caSecret }}
+ - name: upstream-ca
+ secret:
+ defaultMode: 420
+ secretName: {{ .Values.caSecret }}
+ {{- end }}
+{{- if .Values.extraVolumes }}
+{{ toYaml .Values.extraVolumes | indent 8 -}}
+{{- end}}
diff --git a/k8s/chart/templates/ingress.yaml b/k8s/chart/templates/ingress.yaml
new file mode 100644
index 000000000..6454a34ff
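Review bot: The extra volume mounts block is guarded by the wrong key: `{{- if .Values.extraVolumes }}` wraps `{{ toYaml .Values.extraVolumeMounts | indent 12 }}`, so mounts are silently dropped whenever `extraVolumes` is empty and, when `extraVolumes` is set but `extraVolumeMounts` is `[]`, a bare `[]` is emitted inside the `volumeMounts` list; the guard should read `{{- if .Values.extraVolumeMounts }}`. `value: {{ .Values.config.oidc.clientID }}` is unquoted, so a numeric-looking client id is rendered as an integer and the Deployment is rejected by the API server (env values must be strings); use `value: {{ .Values.config.oidc.clientID | quote }}`. Both probes are commented out, so a pod that fails to load its config or certificate is still selected by the Service; the `/oauth/health` probe on the admin port sketched here could be enabled at least as a readinessProbe. `securityContext` is only rendered when set and no values file in this commit sets one, so the container runs with the cluster's default identity; a default such as `runAsNonRoot: true` and `readOnlyRootFilesystem: true` in `values.yaml` would make that an explicit choice, assuming the image supports it (not verifiable here).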
--- /dev/null
+++ b/k8s/chart/templates/ingress.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "gatekeeper.fullname" . -}}
+{{- $ingressPaths := .Values.ingress.paths -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ helm.sh/chart: {{ include "gatekeeper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ . | quote }}
+ http:
+ paths:
+ {{- range $ingressPaths }}
+ - path: {{ . }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: https
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/k8s/chart/templates/secrets.yaml b/k8s/chart/templates/secrets.yaml
new file mode 100644
index 000000000..9e5763233
--- /dev/null
+++ b/k8s/chart/templates/secrets.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gatekeeper.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ helm.sh/chart: {{ include "gatekeeper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+ clientSecret: {{ .Values.clientSecret | b64enc | quote }}
+ encryptionKey: {{ .Values.encryptionKey | b64enc | quote }}
diff --git a/k8s/chart/templates/service.yaml b/k8s/chart/templates/service.yaml
new file mode 100644
index 000000000..72990c77b
--- /dev/null
+++ b/k8s/chart/templates/service.yaml
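Review bot: `clientSecret: {{ .Values.clientSecret | b64enc | quote }}` and the `encryptionKey` line below it have no guard, so an install run without the decrypted secrets file fails with a generic template type error from `b64enc` rather than a message naming the missing value; wrap each in `required`, e.g. `clientSecret: {{ required "clientSecret is required (supply the sops-decrypted secrets file)" .Values.clientSecret | b64enc | quote }}`. The deployment's comment says the encryption key must be 32 bytes, but nothing here checks it; a length check with `fail` on `.Values.encryptionKey` would turn a wrong-sized key into a render error rather than a runtime one — presumably gatekeeper validates it as well, which is not visible on this page.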
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gatekeeper.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ helm.sh/chart: {{ include "gatekeeper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/k8s/chart/templates/tests/test-connection.yaml b/k8s/chart/templates/tests/test-connection.yaml
new file mode 100644
index 000000000..0e275f322
--- /dev/null
+++ b/k8s/chart/templates/tests/test-connection.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "gatekeeper.fullname" . }}-test-connection"
+ labels:
+ app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+ helm.sh/chart: {{ include "gatekeeper.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "gatekeeper.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/k8s/chart/values.dev.yaml b/k8s/chart/values.dev.yaml
new file mode 100644
index 000000000..e40ab5888
--- /dev/null
+++ b/k8s/chart/values.dev.yaml
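Review bot: `args: ['{{ include "gatekeeper.fullname" . }}:{{ .Values.service.port }}']` carries no scheme, so busybox `wget` speaks plain HTTP to a Service whose `targetPort` is the container's TLS listener (`--tls-cert`/`--tls-private-key` in `deployment.yaml`), and the test hook would fail, or pass for the wrong reason, regardless of whether the proxy works. Use an `https://` URL and a client that can verify the server certificate against its issuing CA (the `cluster-ca` secret the values files reference is presumably that CA) rather than disabling verification; whether the busybox image in use is built with TLS support is not visible here. `image: busybox` is also unpinned, so the content of the test pod changes with every pull.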
@@ -0,0 +1,162 @@
+# Default values for gatekeeper.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: gcr.io/onec-co/gatekeeper
+ tag: v0.0.12-1c
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 4455
+
+certmanager:
+ enabled: true
+
+ingress:
+ enabled: true
+ annotations:
+ certmanager.k8s.io/acme-challenge-type: dns01
+ certmanager.k8s.io/acme-dns01-provider: clouddns
+ certmanager.k8s.io/cluster-issuer: letsencrypt-prod
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/enable-cors: "false"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+ # for websockets we want a longer timeout, set to 2h now
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "7200"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "7200"
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/secure-verify-ca-secret: cluster-ca
+ paths:
+ - "/"
+ hosts:
+ - app.dev.onec.co
+ tls:
+ - secretName: app.dev.onec.co
+ hosts:
+ - app.dev.onec.co
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+extraVolumes: []
+extraVolumeMounts: []
+
+hostnames:
+- "app"
+application: gatekeeper
+
+caSecret: cluster-ca
+
+extraArgs: []
+
+
+config:
+ oidc:
+ # We have to call the real external endpoint to have proper configuration
+ # This is because the oidc lib (coreos/go-oidc@V1) checks that the returned issued matches the
+ # discoveryURL url => have to patch that in gatekeeper (TODO(fredbi))
+ # Parameters which depend on the keycloak auth server configuration
+ #discoveryURL: https://oauth2.default.svc.cluster.local:8443/auth/realms/oneconcern/.well-known/openid-configuration
+ discoveryURL: https://auth.dev.onec.co/auth/realms/oneconcern/.well-known/openid-configuration
+ clientID: gatekeeper
+ gatekeeper:
+ # Parameters specific to keycloak-gatekeeper
+ #
+ # Upstream route
+ upstreamURL: https://depmon:6632
+ port: 4455
+ adminPort: 4456
+ keys:
+ # Logging control
+ enable-logging: true
+ verbose: true
+ enable-json-logging: true
+ #
+ # Token checks
+ #
+ match-claims:
+ # verifies the issuer of the token (with FDQN)
+ iss: https://auth.dev.onec.co/auth/realms/oneconcern
+ # additional scopes to add to add to the default (openid+email+profile)
+ scopes: []
+ #
+ # CORS settings
+ #
+ # An array of origins (Access-Control-Allow-Origin)
+ # Add your app servers here if they are not behind proxy (e.g. app-react.{domain}:3000).
+ # Wildcard origins are supported.
+ cors-origins:
+ - 'https://*.dev.onec.co'
+ - 'https://*.auryc.com'
+ # an array of headers to apply (Access-Control-Allow-Headers)
+ cors-headers:
+ - '*'
+ # an array of exposed headers (Access-Control-Expose-Headers)
+ cors-exposed-headers:
+ - Accept
+ - Content-Type
+ - Location
+ - Strict-Transport-Security
+ - X-Csrf-Token
+ # an array of methods (Access-Control-Allow-Methods)
+ cors-methods:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ - PATCH
+ cors-credentials: true
+ # lifespan of preflight CORS cache
+ cors-max-age: 1h
+ #
+ # RBAC rules on routes
+ #
+ resources:
+ # DEFAULT: DENY
+ - uri: /*
+ # API Service 1
+ - uri: /query*
+ # the methods on this url that should be protected, if missing, assuming all
+ methods:
+ - GET
+ - POST
+ - DELETE
+ roles:
+ - api_access
+ groups:
+ - group:oneconcern.com:users
+ enable-csrf: true
+ - uri: /playground*
+ methods:
+ - GET
+ - POST
+ - DELETE
+ roles:
+ - api_access
+ groups:
+ - group:oneconcern.com:admin
+ enable-csrf: true
diff --git a/k8s/chart/values.prod.yaml b/k8s/chart/values.prod.yaml
new file mode 100644
index 000000000..84c59b3b4
--- /dev/null
+++ b/k8s/chart/values.prod.yaml
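Review bot: `cors-headers: ['*']` is combined with `cors-credentials: true`, and browsers do not treat `*` in `Access-Control-Allow-Headers` as a wildcard on credentialed requests (the Fetch spec only honours the wildcard when credentials are omitted), so preflights from the listed origins that carry headers such as `X-Csrf-Token` or `Authorization` would be refused by the browser; list the headers explicitly, e.g. `cors-headers: [Content-Type, X-Csrf-Token, Authorization]`, trimmed to what the front end actually sends. The same block appears in `values.prod.yaml` and `values.staging.yaml`. `cors-origins` grants credentialed access to every host under `*.auryc.com` in addition to the environment's own domain; a comment stating why a third-party wildcard origin is trusted with cookies, and who controls it, would let the next reviewer judge whether it still belongs in prod. `tag: v0.0.12-1c` is a mutable tag; pinning the image by digest (`<tag>@sha256:<digest>`, which the `repository:tag` rendering in `deployment.yaml` accepts) is the usual supply-chain safeguard if the release workflow allows it.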
@@ -0,0 +1,161 @@
+# Default values for gatekeeper.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: gcr.io/onec-co/gatekeeper
+ tag: v0.0.12-1c
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 4455
+
+certmanager:
+ enabled: true
+
+ingress:
+ enabled: true
+ annotations:
+ certmanager.k8s.io/acme-challenge-type: http01
+ certmanager.k8s.io/acme-http01-edit-in-place: "false"
+ certmanager.k8s.io/cluster-issuer: letsencrypt-prod
+ kubernetes.io/ingress.class: nginx
+ kubernetes.io/tls-acme: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/enable-cors: "false"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+ # for websockets we want a longer timeout, set to 2h now
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "7200"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "7200"
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/secure-verify-ca-secret: cluster-ca
+ paths:
+ - "/"
+ hosts:
+ - app.oneconcern.com
+ tls:
+ - secretName: app.oneconcern.com
+ hosts:
+ - app.oneconcern.com
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {"kubernetes.io/role":"platform"}
+tolerations: [{"key": "dedicated","operator": "Equal","value": "platform"}]
+
+affinity: {}
+
+extraVolumes: []
+extraVolumeMounts: []
+
+hostnames:
+- "app"
+application: gatekeeper
+
+caSecret: cluster-ca
+
+extraArgs: []
+
+config:
+ oidc:
+ # We have to call the real external endpoint to have proper configuration
+ # This is because the oidc lib (coreos/go-oidc@V1) checks that the returned issued matches the
+ # discoveryURL url => have to patch that in gatekeeper (TODO(fredbi))
+ # Parameters which depend on the keycloak auth server configuration
+ #discoveryURL: https://oauth2.default.svc.cluster.local:8443/auth/realms/oneconcern/.well-known/openid-configuration
+ discoveryURL: https://auth.oneconcern.com/auth/realms/oneconcern/.well-known/openid-configuration
+ clientID: gatekeeper
+ gatekeeper:
+ # Parameters specific to keycloak-gatekeeper
+ #
+ # Upstream route
+ upstreamURL: https://depmon:6632
+ port: 4455
+ adminPort: 4456
+ keys:
+ # Logging control
+ enable-logging: true
+ verbose: true
+ enable-json-logging: true
+ #
+ # Token checks
+ #
+ match-claims:
+ # verifies the issuer of the token (with FDQN)
+ iss: https://auth.oneconcern.com/auth/realms/oneconcern
+ # additional scopes to add to add to the default (openid+email+profile)
+ scopes: []
+ #
+ # CORS settings
+ #
+ # An array of origins (Access-Control-Allow-Origin)
+ # Add your app servers here if they are not behind proxy (e.g. app-react.{domain}:3000).
+ # Wildcard origins are supported.
+ cors-origins:
+ - 'https://*.oneconcern.com'
+ - 'https://*.auryc.com'
+ # an array of headers to apply (Access-Control-Allow-Headers)
+ cors-headers:
+ - '*'
+ # an array of exposed headers (Access-Control-Expose-Headers)
+ cors-exposed-headers:
+ - Accept
+ - Content-Type
+ - Location
+ - Strict-Transport-Security
+ - X-Csrf-Token
+ # an array of methods (Access-Control-Allow-Methods)
+ cors-methods:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ - PATCH
+ cors-credentials: true
+ # lifespan of preflight CORS cache
+ cors-max-age: 1h
+ #
+ # RBAC rules on routes
+ #
+ resources:
+ # DEFAULT: DENY
+ - uri: /*
+ # API Service 1
+ - uri: /query*
+ # the methods on this url that should be protected, if missing, assuming all
+ methods:
+ - GET
+ - POST
+ - DELETE
+ roles:
+ - api_access
+ groups:
+ - group:oneconcern.com:users
+ enable-csrf: true
+ - uri: /playground*
+ methods:
+ - GET
+ - POST
+ - DELETE
+ roles:
+ - api_access
+ groups:
+ - group:oneconcern.com:admin
+ enable-csrf: true
diff --git a/k8s/chart/values.staging.yaml b/k8s/chart/values.staging.yaml
new file mode 100644
index 000000000..d3079e93c
--- /dev/null
+++ b/k8s/chart/values.staging.yaml
@@ -0,0 +1,161 @@
+# Default values for gatekeeper.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: gcr.io/onec-co/gatekeeper
+ tag: v0.0.12-1c
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 4455
+
+certmanager:
+ enabled: true
+
+ingress:
+ enabled: true
+ annotations:
+ certmanager.k8s.io/acme-challenge-type: dns01
+ certmanager.k8s.io/acme-dns01-provider: clouddns
+ certmanager.k8s.io/cluster-issuer: letsencrypt-prod
+ kubernetes.io/ingress.class: nginx
+ kubernetes.io/tls-acme: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/enable-cors: "false"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+ # for websockets we want a longer timeout, set to 2h now
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "7200"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "7200"
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/secure-verify-ca-secret: cluster-ca
+ paths:
+ - "/"
+ hosts:
+ - app.staging.onec.co
+ tls:
+ - secretName: app.staging.onec.co
+ hosts:
+ - app.staging.onec.co
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {"kubernetes.io/role":"platform"}
+tolerations: [{"key": "dedicated","operator": "Equal","value": "platform"}]
+
+affinity: {}
+
+extraVolumes: []
+extraVolumeMounts: []
+
+hostnames:
+- "app"
+application: gatekeeper
+
+caSecret: cluster-ca
+
+extraArgs: []
+
+config:
+ oidc:
+ # We have to call the real external endpoint to have proper configuration
+ # This is because the oidc lib (coreos/go-oidc@V1) checks that the returned issued matches the
+ # discoveryURL url => have to patch that in gatekeeper (TODO(fredbi))
+ # Parameters which depend on the keycloak auth server configuration
+ #discoveryURL: https://oauth2.default.svc.cluster.local:8443/auth/realms/oneconcern/.well-known/openid-configuration
+ discoveryURL: https://auth.staging.onec.co/auth/realms/oneconcern/.well-known/openid-configuration
+ clientID: gatekeeper
+ gatekeeper:
+ # Parameters specific to keycloak-gatekeeper
+ #
+ # Upstream route
+ upstreamURL: https://depmon:6632
+ port: 4455
+ adminPort: 4456
+ keys:
+ # Logging control
+ enable-logging: true
+ verbose: true
+ enable-json-logging: true
+ #
+ # Token checks
+ #
+ match-claims:
+ # verifies the issuer of the token (with FDQN)
+ iss: https://auth.staging.onec.co/auth/realms/oneconcern
+ # additional scopes to add to add to the default (openid+email+profile)
+ scopes: []
+ #
+ # CORS settings
+ #
+ # An array of origins (Access-Control-Allow-Origin)
+ # Add your app servers here if they are not behind proxy (e.g. app-react.{domain}:3000).
+ # Wildcard origins are supported.
+ cors-origins:
+ - 'https://*.staging.onec.co'
+ - 'https://*.auryc.com'
+ # an array of headers to apply (Access-Control-Allow-Headers)
+ cors-headers:
+ - '*'
+ # an array of exposed headers (Access-Control-Expose-Headers)
+ cors-exposed-headers:
+ - Accept
+ - Content-Type
+ - Location
+ - Strict-Transport-Security
+ - X-Csrf-Token
+ # an array of methods (Access-Control-Allow-Methods)
+ cors-methods:
+ - GET
+ - POST
+ - PUT
+ - DELETE
+ - PATCH
+ cors-credentials: true
+ # lifespan of preflight CORS cache
+ cors-max-age: 1h
+ #
+ # RBAC rules on routes
+ #
+ resources:
+ # DEFAULT: DENY
+ - uri: /*
+ # API Service 1
+ - uri: /query*
+ # the methods on this url that should be protected, if missing, assuming all
+ methods:
+ - GET
+ - POST
+ - DELETE
+ roles:
+ - api_access
+ groups:
+ - group:oneconcern.com:users
+ enable-csrf: true
+ - uri: /playground*
+ methods:
+ - GET
+ - POST
+ - DELETE
+ roles:
+ - api_access
+ groups:
+ - group:oneconcern.com:admin
+ enable-csrf: true
diff --git a/k8s/chart/values.yaml b/k8s/chart/values.yaml
new file mode 100644
index 000000000..fa95dd031
--- /dev/null
+++ b/k8s/chart/values.yaml
@@ -0,0 +1,62 @@
+# Default values for gatekeeper.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: gcr.io/onec-co/gatekeeper
+ tag: v0.0.11-1c
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 4455
+
+certmanager:
+ enabled: false
+
+ingress:
+ enabled: false
+ annotations: {}
+ paths:
+ - "/"
+ hosts:
+ - api.dev.onec.co
+ tls:
+ - secretName: api.dev.onec.co
+ hosts:
+ - api.dev.onec.co
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+extraVolumes: []
+extraVolumeMounts: []
+extraArgs: []
+
+hostnames:
+- "api"
+application: gatekeeper
+
+caSecret: ""
+
+config: {}
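Review bot: `config: {}` in the chart's own defaults is incompatible with the templates: `deployment.yaml` dereferences `.Values.config.gatekeeper.port` and `.Values.config.oidc.clientID` unconditionally, so `helm install` with no `-f` override fails at render time with a nil-pointer template error rather than a message saying which values are required. Either ship a minimal working default, e.g. `config: {gatekeeper: {port: 4455}, oidc: {clientID: ""}, keys: {}}`, or guard those references with `required` in the templates so the failure names the missing key. The defaults also embed an environment-specific hostname, `api.dev.onec.co`, under `ingress.hosts` and `ingress.tls` while `ingress.enabled: false`; a neutral placeholder such as `chart-example.local` would keep an accidental `--set ingress.enabled=true` from requesting a certificate for a real dev host. No `securityContext` default is defined here although `deployment.yaml` renders one when present, so the container's identity is left to cluster defaults unless every environment file sets it.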