oneconcern · fredbi · Nov 13, 2019 · Nov 20, 2019
diff --git a/k8s/chart/Chart.yaml b/k8s/chart/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: gatekeeper
+version: 0.1.4
diff --git a/k8s/chart/secrets.dev.yaml b/k8s/chart/secrets.dev.yaml
@@ -0,0 +1,14 @@
+clientSecret: ENC[AES256_GCM,data:Pl1Fak4zlIV4w8lBZFdpQdWU2j7OVx6JL2d2DnONm7utaIeC,iv:kmZ5vNVd50U7UF51279o4i6tEhWNfr/N5oxRCCnR0BU=,tag:VOqh7Z/pKU4iLEA7LQ+ZFg==,type:str]
+encryptionKey: ENC[AES256_GCM,data:WIi/ZBHn0XChhf6/LvfkJ+8nfl5GWHJk766Mqoq4RBs=,iv:87lgCZpOS2PSZhaDIL9kEB3irkPUQlfHBR3RqGFRCxM=,tag:z5sw0sjaw5hoXJURs/5ztg==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+    -   resource_id: projects/onec-co/locations/global/keyRings/sops/cryptoKeys/sops-key
+        created_at: '2019-02-24T22:20:24Z'
+        enc: CiQANPTHQA5PBULZs6riyGjetX7FSGnfZ+scHZz8JBMJSD0F6vMSSQDDBPFaIowzey0OgY/U3ybesnOb2TsVyKQMDsz+cPhZW7Bk38scfvL0P2fcufLtDpLo5BvdbX3s13mf8SLsBFUY/bsua/xszOQ=
+    azure_kv: []
+    lastmodified: '2019-02-24T22:20:25Z'
+    mac: ENC[AES256_GCM,data:iTaNE7TzbG8u8ZbYoBe9GQcI773sjinoOXyjWockGezoFfK2zDwIVUuLBjAaC2JWK26i477CMvUbH8iy1M/CF6CMUzOeTnEFOPwywPD8AmZC2Afp49FQ7lyeTZQ37p7Q352RDF8n7fbKOyraNN5rvWyIod8FK2HRtXLy/jkAldo=,iv:lB4dkHQk16Eev9qa40Bg7lMBM48sd3bUchmedqpX4t8=,tag:RRCCQoLEfiIalSRMhbqsVg==,type:str]
+    pgp: []
+    unencrypted_suffix: .dec
+    version: 3.2.0
diff --git a/k8s/chart/templates/NOTES.txt b/k8s/chart/templates/NOTES.txt
@@ -0,0 +1,21 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range $.Values.ingress.paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gatekeeper.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get svc -w {{ include "gatekeeper.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gatekeeper.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gatekeeper.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl port-forward $POD_NAME 8080:80
+{{- end }}
diff --git a/k8s/chart/templates/_helpers.tpl b/k8s/chart/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gatekeeper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gatekeeper.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gatekeeper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/k8s/chart/templates/certificate.yaml b/k8s/chart/templates/certificate.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.certmanager.enabled }}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc-tls
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The {{ .Release.Namespace }} value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+  commonName: "{{ template "gatekeeper.fullname" . }} server"
+  organization:
+  - One Concern CA
+  dnsNames:
+  - {{ template "gatekeeper.fullname" . }}
+  - "127.0.0.1"
+  - "::1"
+  - localhost
+  - {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}
+  - {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc
+  - {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+{{ end }}
diff --git a/k8s/chart/templates/configmap.yaml b/k8s/chart/templates/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gatekeeper.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+    helm.sh/chart: {{ include "gatekeeper.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+  config.yaml: |
+{{ toYaml .Values.config.keys | indent 4 }}
+
diff --git a/k8s/chart/templates/deployment.yaml b/k8s/chart/templates/deployment.yaml
@@ -0,0 +1,151 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "gatekeeper.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+    helm.sh/chart: {{ include "gatekeeper.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+        helm.sh/chart: {{ include "gatekeeper.chart" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+      annotations:
+        prometheus.io/scrape: 'true'
+        prometheus.io/path: '/oauth/metrics'
+        prometheus.io/port: '{{ .Values.config.gatekeeper.adminPort | default .Values.config.gatekeeper.port }}'
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+    spec:
+      hostAliases:
+      - ip: "127.0.0.1"
+        hostnames:
+{{ toYaml .Values.hostnames | indent 10 }}
+      containers:
+        - name: "{{ .Chart.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          {{- if .Values.securityContext }}
+          securityContext:
+{{ toYaml .Values.securityContext | indent 12 }}
+          {{- end }}
+          args:
+            - "--config=/etc/gatekeeper/config.yaml"
+            - "--tls-cert=/etc/gatekeeper/server/tls.crt"
+            - "--tls-private-key=/etc/gatekeeper/server/tls.key"
+            - "--listen=0.0.0.0:{{ .Values.config.gatekeeper.port }}"
+            {{- if .Values.config.gatekeeper.adminPort }}
+            - "--listen-admin=0.0.0.0:{{ .Values.config.gatekeeper.adminPort }}"
+            - --listen-admin-scheme=http
+            {{- end }}
+            {{- if .Values.config.oidc.proxy}}
+            - "--openid-provider-proxy={{ .Values.config.oidc.proxy }}"
+            {{- end }}
+            {{- if .Values.caSecret }}
+            - --upstream-ca=/etc/gatekeeper/upstream/ca.crt
+            {{- end }}
+            {{- if  .Values.config.oidc.discoveryURL }}
+            - "--discovery-url={{ .Values.config.oidc.discoveryURL }}"
+            {{- end }}
+            {{- if  .Values.config.gatekeeper.upstreamURL }}
+            - "--upstream-url={{ .Values.config.gatekeeper.upstreamURL }}"
+            {{- end }}
+            {{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 12 }}
+            {{- end }}
+          env:
+            # OIDC client used by the gateway to connect to Keycloak
+            - name: PROXY_CLIENT_ID
+              value: {{ .Values.config.oidc.clientID }}
+            # OIDC client secret password
+            - name: PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: clientSecret
+                  name: {{ include "gatekeeper.fullname" . }}
+            # Encryption key to seal cookies (32 bytes)
+            - name: PROXY_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: encryptionKey
+                  name: {{ include "gatekeeper.fullname" . }}
+{{- if .Values.extraEnv }}
+{{ toYaml .Values.extraEnv | indent 12 }}
+{{- end }}
+          ports:
+            - name: https
+              containerPort: {{ .Values.config.gatekeeper.port }}
+              protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /oauth/health
+          #     port: {{ .Values.config.gatekeeper.adminPort | default .Values.config.gatekeeper.port }}
+          #     scheme: HTTP
+          #readinessProbe:
+          # httpGet:
+          #   path: /
+          #   port: https
+          #   scheme: HTTPS
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+          volumeMounts:
+            # Configuration file to set complex parameters (arrays, objects)
+            # All simple params are preferrably passed as container args,
+            # or env for secret ones.
+            - mountPath: "/etc/gatekeeper"
+              name: config
+            {{- if .Values.certmanager.enabled }}
+            - mountPath: /etc/gatekeeper/server
+              name: certs
+            {{- end }}
+            {{- if .Values.caSecret }}
+            - mountPath: /etc/gatekeeper/upstream
+              name: upstream-ca
+            {{- end }}
+            {{- if .Values.extraVolumes }}
+{{ toYaml .Values.extraVolumeMounts | indent 12 }}
+            {{- end }}
+    {{- if .Values.extraContainers }}
+{{ toYaml .Values.extraContainers | indent 8 }}
+    {{- end }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "gatekeeper.fullname" . }}
+{{- if .Values.certmanager.enabled }}
+        - name: certs
+          secret:
+            defaultMode: 420
+            secretName: {{ template "gatekeeper.fullname" . }}.{{ .Release.Namespace }}.svc-tls
+{{- end }}
+        {{- if .Values.caSecret }}
+        - name: upstream-ca
+          secret:
+            defaultMode: 420
+            secretName: {{ .Values.caSecret }}
+        {{- end }}
+{{- if .Values.extraVolumes }}
+{{ toYaml .Values.extraVolumes | indent 8 -}}
+{{- end}}
diff --git a/k8s/chart/templates/ingress.yaml b/k8s/chart/templates/ingress.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "gatekeeper.fullname" . -}}
+{{- $ingressPaths := .Values.ingress.paths -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+    helm.sh/chart: {{ include "gatekeeper.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress.hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+	{{- range $ingressPaths }}
+          - path: {{ . }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: https
+	{{- end }}
+  {{- end }}
+{{- end }}
diff --git a/k8s/chart/templates/secrets.yaml b/k8s/chart/templates/secrets.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gatekeeper.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+    helm.sh/chart: {{ include "gatekeeper.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  clientSecret: {{ .Values.clientSecret | b64enc | quote }}
+  encryptionKey: {{ .Values.encryptionKey | b64enc | quote }}
diff --git a/k8s/chart/templates/service.yaml b/k8s/chart/templates/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gatekeeper.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+    helm.sh/chart: {{ include "gatekeeper.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: https
+      protocol: TCP
+      name: https
+  selector:
+    app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/k8s/chart/templates/tests/test-connection.yaml b/k8s/chart/templates/tests/test-connection.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "gatekeeper.fullname" . }}-test-connection"
+  labels:
+    app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
+    helm.sh/chart: {{ include "gatekeeper.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args:  ['{{ include "gatekeeper.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never