Add kube oidc proxy

README.md

@@ -1,5 +1,8 @@
-# Helm charts
+# Helm charts  
 
-WIP  
+Various (infrastructure focused) charts used at Insee (https://insee.fr).  
+See the other repository ([Helm charts datascience](https://github.com/inseefrlab/helm-charts-datascience)) for datascience focused charts.   
 
-Repo is available at https://inseefrlab.github.io/helm-charts/index.yaml
+Repo is available at https://inseefrlab.github.io/helm-charts/index.yaml  
+
+`kube-oidc-proxy` is a copy (may be out of date) of https://github.com/jetstack/kube-oidc-proxy/tree/master/deploy/charts/kube-oidc-proxy with the sole purpose of exposing it on the internet (see https://github.com/jetstack/kube-oidc-proxy/issues/123)

charts/kube-oidc-proxy/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+appVersion: "v0.3.0"
+description: A Helm chart for kube-oidc-proxy
+home: https://github.com/jetstack/kube-oidc-proxy
+name: kube-oidc-proxy
+version: 0.3.1
+maintainers:
+- name: mhrabovcin
+- name: joshvanl

charts/kube-oidc-proxy/README.md

@@ -0,0 +1,73 @@
+# kube-oidc-proxy helm chart
+
+This is a `helm` chart that installs [`kube-oidc-proxy`](https://github.com/jetstack/kube-oidc-proxy/).
+This helm chart cannot be installed out of the box without providing own
+configuration.
+
+This helm chart is based on example configuration provided in `kube-oidc-proxy`
+[repository](https://github.com/jetstack/kube-oidc-proxy/blob/master/deploy/yaml/kube-oidc-proxy.yaml).
+
+Minimal required configuration is `oidc` section of `value.yaml` file.
+
+```yaml
+oidc:
+  clientId: my-client
+  issuerUrl: https://accounts.google.com
+  usernameClaim: email
+```
+
+When a custom root CA certificate is required it should be added as PEM encoded
+text value:
+
+```yaml
+oidc:
+  caPEM: |
+    -----BEGIN CERTIFICATE-----
+    MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+    A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+    b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+    MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+    YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+    aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+    jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+    xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+    1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+    snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+    U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+    9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+    BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+    AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+    yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+    38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+    AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+    DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+    HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+    -----END CERTIFICATE-----
+```
+
+This minimal configuration gives a cluster internal IP address that can be used
+with `kubectl` to authenticate requests to Kubernetes API server.
+
+The service can be exposed via ingress controller and give access to external
+clients. Example of exposing via ingress controller.
+
+```yaml
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
+  hosts:
+    - host: ""
+      paths:
+        - /oidc-proxy
+```
+
+By default the helm chart will create self-signed TLS certificate for `kube-oidc-proxy`
+service. It is possible to provide secret name that contains TLS artifacts for
+service. The secret must be of `kubernetes.io/tls` type.
+
+```yaml
+tls:
+  secretName: my-tls-secret-with-key-and-cert
+```

charts/kube-oidc-proxy/templates/NOTES.txt

@@ -0,0 +1,21 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kube-oidc-proxy.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kube-oidc-proxy.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kube-oidc-proxy.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kube-oidc-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl port-forward $POD_NAME 8080:80
+{{- end }}

charts/kube-oidc-proxy/templates/_helpers.tpl

@@ -0,0 +1,58 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kube-oidc-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kube-oidc-proxy.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kube-oidc-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "kube-oidc-proxy.labels" -}}
+app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }}
+helm.sh/chart: {{ include "kube-oidc-proxy.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Required claims serialized to CLI argument
+*/}}
+{{- define "requiredClaims" -}}
+{{- if .Values.oidc.requiredClaims -}}
+{{- $local := (list) -}}
+{{- range $k, $v := .Values.oidc.requiredClaims -}}
+{{- $local = (printf "%s=%s" $k $v | append $local) -}}
+{{- end -}}
+{{ join "," $local }}
+{{- end -}}
+{{- end -}}

charts/kube-oidc-proxy/templates/clusterrole.yaml

@@ -0,0 +1,23 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+{{ include "kube-oidc-proxy.labels" . | indent 4 }}
+  name: {{ include "kube-oidc-proxy.fullname" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "users"
+  - "groups"
+  - "serviceaccounts"
+  verbs:
+  - "impersonate"
+- apiGroups:
+  - "authentication.k8s.io"
+  resources:
+  - "userextras/scopes"
+  - "tokenreviews"
+  verbs:
+  - "create"
+  - "impersonate"

charts/kube-oidc-proxy/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+{{ include "kube-oidc-proxy.labels" . | indent 4 }}
+  name: {{ include "kube-oidc-proxy.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kube-oidc-proxy.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kube-oidc-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}

charts/kube-oidc-proxy/templates/deployment.yaml

@@ -0,0 +1,169 @@
+{{ $fullname := include "kube-oidc-proxy.fullname" . }}
+{{ $defaultTlsSecretName := printf "%s-tls" $fullname }}
+{{ $tlsSecretName := .Values.tls.secretName | default $defaultTlsSecretName }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kube-oidc-proxy.fullname" . }}
+  labels:
+{{ include "kube-oidc-proxy.labels" . | indent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ include "kube-oidc-proxy.fullname" . }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: 443
+        - containerPort: 8080
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 10
+        command: ["kube-oidc-proxy"]
+        args:
+          - "--secure-port=443"
+          - "--tls-cert-file=/etc/oidc/tls/crt.pem"
+          - "--tls-private-key-file=/etc/oidc/tls/key.pem"
+          - "--oidc-client-id=$(OIDC_CLIENT_ID)"
+          - "--oidc-issuer-url=$(OIDC_ISSUER_URL)"
+          - "--oidc-username-claim=$(OIDC_USERNAME_CLAIM)"
+          {{- if .Values.oidc.caPEM }}
+          - "--oidc-ca-file=/etc/oidc/oidc-ca.pem"
+          {{ end }}
+          {{- if .Values.oidc.usernamePrefix }}
+          - "--oidc-username-prefix=$(OIDC_USERNAME_PREFIX)"
+          {{ end }}
+          {{- if .Values.oidc.groupsClaim }}
+          - "--oidc-groups-claim=$(OIDC_GROUPS_CLAIM)"
+          {{ end }}
+          {{- if .Values.oidc.groupsPrefix }}
+          - "--oidc-groups-prefix=$(OIDC_GROUPS_PREFIX)"
+          {{ end }}
+          {{- if .Values.oidc.signingAlgs }}
+          - "--oidc-signing-algs=$(OIDC_SIGNING_ALGS)"
+          {{ end }}
+          {{- if .Values.oidc.requiredClaims }}
+          - "--oidc-signing-algs=$(OIDC_REQUIRED_CLAIMS)"
+          {{ end }}
+          {{- if .Values.tokenPassthrough.enabled }}
+          - "--token-passthrough"
+          {{- if .Values.tokenPassthrough.audiences }}
+          - "--token-passthrough-audiences={{ join "," .Values.tokenPassthrough.audiences }}"
+          {{ end }}
+          {{ end }}
+          {{- if .Values.extraImpersonationHeaders.clientIP }}
+          - "--extra-user-header-client-ip"
+          {{ end }}
+          {{- if .Values.extraImpersonationHeaders.headers }}
+          - "--extra-user-headers={{ .Values.extraImpersonationHeaders.headers }}"
+          {{ end }}
+          {{- range $key, $value := .Values.extraArgs -}}
+          - "--{{ $key }}={{ $value -}}"
+          {{ end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        env:
+        - name: OIDC_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.client-id
+        - name: OIDC_ISSUER_URL
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.issuer-url
+        - name: OIDC_USERNAME_CLAIM
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.username-claim
+        {{- if .Values.oidc.usernamePrefix }}
+        - name: OIDC_USERNAME_PREFIX
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.username-prefix
+        {{ end }}
+        {{- if .Values.oidc.groupsClaim }}
+        - name: OIDC_GROUPS_CLAIM
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.groups-claim
+        {{ end }}
+        {{- if .Values.oidc.groupsPrefix }}
+        - name: OIDC_GROUPS_PREFIX
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.groups-prefix
+        {{ end }}
+        {{- if .Values.oidc.signingAlgs }}
+        - name: OIDC_SIGNING_ALGS
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.signing-algs
+        {{ end }}
+        {{- if .Values.oidc.requiredClaims }}
+        - name: OIDC_REQUIRED_CLAIMS
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "kube-oidc-proxy.fullname" . }}-config
+              key: oidc.required-claims
+        {{ end }}
+        volumeMounts:
+          {{- if .Values.oidc.caPEM }}
+          - name: kube-oidc-proxy-config
+            mountPath: /etc/oidc
+            readOnly: true
+          {{ end }}
+          - name: kube-oidc-proxy-tls
+            mountPath: /etc/oidc/tls
+            readOnly: true
+          {{- if .Values.extraVolumeMounts }}{{ toYaml .Values.extraVolumeMounts | trim | nindent 10 }}{{ end }}
+      volumes:
+        {{ if .Values.oidc.caPEM }}
+        - name: kube-oidc-proxy-config
+          secret:
+            secretName: {{ include "kube-oidc-proxy.fullname" . }}-config
+            items:
+            - key: oidc.ca-pem
+              path: oidc-ca.pem
+        {{ end }}
+        {{- if .Values.extraVolumes }}{{ toYaml .Values.extraVolumes | trim | nindent 8 }}{{ end }}
+        - name: kube-oidc-proxy-tls
+          secret:
+            secretName: {{ $tlsSecretName }}
+            items:
+            - key: tls.crt
+              path: crt.pem
+            - key: tls.key
+              path: key.pem
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}