From 02337bec392927caa14cdb32eda9f835721db035 Mon Sep 17 00:00:00 2001 From: Olivier Levitt Date: Sat, 10 Oct 2020 19:09:24 +0200 Subject: [PATCH] Add kube oidc proxy --- README.md | 9 +- charts/kube-oidc-proxy/Chart.yaml | 9 + charts/kube-oidc-proxy/README.md | 73 ++++++++ charts/kube-oidc-proxy/templates/NOTES.txt | 21 +++ charts/kube-oidc-proxy/templates/_helpers.tpl | 58 ++++++ .../templates/clusterrole.yaml | 23 +++ .../templates/clusterrolebinding.yaml | 14 ++ .../kube-oidc-proxy/templates/deployment.yaml | 169 ++++++++++++++++++ charts/kube-oidc-proxy/templates/ingress.yaml | 36 ++++ .../templates/poddisruptionbudget.yaml | 15 ++ .../templates/secret_config.yaml | 43 +++++ .../kube-oidc-proxy/templates/secret_tls.yaml | 17 ++ charts/kube-oidc-proxy/templates/service.yaml | 27 +++ .../templates/serviceaccount.yaml | 7 + .../templates/tests/test-connection.yaml | 15 ++ charts/kube-oidc-proxy/values.yaml | 118 ++++++++++++ 16 files changed, 651 insertions(+), 3 deletions(-) create mode 100644 charts/kube-oidc-proxy/Chart.yaml create mode 100644 charts/kube-oidc-proxy/README.md create mode 100644 charts/kube-oidc-proxy/templates/NOTES.txt create mode 100644 charts/kube-oidc-proxy/templates/_helpers.tpl create mode 100644 charts/kube-oidc-proxy/templates/clusterrole.yaml create mode 100644 charts/kube-oidc-proxy/templates/clusterrolebinding.yaml create mode 100644 charts/kube-oidc-proxy/templates/deployment.yaml create mode 100644 charts/kube-oidc-proxy/templates/ingress.yaml create mode 100644 charts/kube-oidc-proxy/templates/poddisruptionbudget.yaml create mode 100644 charts/kube-oidc-proxy/templates/secret_config.yaml create mode 100644 charts/kube-oidc-proxy/templates/secret_tls.yaml create mode 100644 charts/kube-oidc-proxy/templates/service.yaml create mode 100644 charts/kube-oidc-proxy/templates/serviceaccount.yaml create mode 100644 charts/kube-oidc-proxy/templates/tests/test-connection.yaml create mode 100644 charts/kube-oidc-proxy/values.yaml 
diff --git a/README.md b/README.md index ea41886..b92af30 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ -# Helm charts +# Helm charts -WIP +Various (infrastructure focused) charts used at Insee (https://insee.fr). +See the other repository ([Helm charts datascience](https://github.com/inseefrlab/helm-charts-datascience)) for datascience focused charts. -Repo is available at https://inseefrlab.github.io/helm-charts/index.yaml +Repo is available at https://inseefrlab.github.io/helm-charts/index.yaml + +`kube-oidc-proxy` is a copy (may be out of date) of https://github.com/jetstack/kube-oidc-proxy/tree/master/deploy/charts/kube-oidc-proxy with the sole purpose of exposing it on the internet (see https://github.com/jetstack/kube-oidc-proxy/issues/123) \ No newline at end of file diff --git a/charts/kube-oidc-proxy/Chart.yaml b/charts/kube-oidc-proxy/Chart.yaml new file mode 100644 index 0000000..91ec980 --- /dev/null +++ b/charts/kube-oidc-proxy/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +appVersion: "v0.3.0" +description: A Helm chart for kube-oidc-proxy +home: https://github.com/jetstack/kube-oidc-proxy +name: kube-oidc-proxy +version: 0.3.1 +maintainers: +- name: mhrabovcin +- name: joshvanl diff --git a/charts/kube-oidc-proxy/README.md b/charts/kube-oidc-proxy/README.md new file mode 100644 index 0000000..e669d68 --- /dev/null +++ b/charts/kube-oidc-proxy/README.md 
@@ -0,0 +1,73 @@ +# kube-oidc-proxy helm chart + +This is a `helm` chart that installs [`kube-oidc-proxy`](https://github.com/jetstack/kube-oidc-proxy/). +This helm chart cannot be installed out of the box without providing own +configuration. + +This helm chart is based on example configuration provided in `kube-oidc-proxy` +[repository](https://github.com/jetstack/kube-oidc-proxy/blob/master/deploy/yaml/kube-oidc-proxy.yaml). + +Minimal required configuration is `oidc` section of `value.yaml` file. + +```yaml +oidc: + clientId: my-client + issuerUrl: https://accounts.google.com + usernameClaim: email +``` + +When a custom root CA certificate is required it should be added as PEM encoded +text value: + +```yaml +oidc: + caPEM: | + -----BEGIN CERTIFICATE----- + MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG + A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv + b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw + MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i + YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT + aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ + jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp + xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp + 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG + snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ + U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 + 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E + BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B + AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz + yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE + 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP + AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad + DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME + 
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== + -----END CERTIFICATE----- +``` + +This minimal configuration gives a cluster internal IP address that can be used +with `kubectl` to authenticate requests to Kubernetes API server. + +The service can be exposed via ingress controller and give access to external +clients. Example of exposing via ingress controller. + +```yaml +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip + hosts: + - host: "" + paths: + - /oidc-proxy +``` + +By default the helm chart will create self-signed TLS certificate for `kube-oidc-proxy` +service. It is possible to provide secret name that contains TLS artifacts for +service. The secret must be of `kubernetes.io/tls` type. + +```yaml +tls: + secretName: my-tls-secret-with-key-and-cert +``` diff --git a/charts/kube-oidc-proxy/templates/NOTES.txt b/charts/kube-oidc-proxy/templates/NOTES.txt new file mode 100644 index 0000000..5b5605e --- /dev/null +++ b/charts/kube-oidc-proxy/templates/NOTES.txt 
@@ -0,0 +1,21 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kube-oidc-proxy.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kube-oidc-proxy.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kube-oidc-proxy.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kube-oidc-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/charts/kube-oidc-proxy/templates/_helpers.tpl b/charts/kube-oidc-proxy/templates/_helpers.tpl new file mode 100644 index 0000000..868a47a --- /dev/null +++ b/charts/kube-oidc-proxy/templates/_helpers.tpl 
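Review bot: The URLs printed by the NodePort, LoadBalancer and ClusterIP branches use `http://`, and the port-forward targets container port 80, but the proxy only listens for TLS on 443 (`--secure-port=443` in deployment.yaml, and the Service's single port is named `https`); the container's 8080 is the readiness endpoint, not an API port. A user following these notes would either get a refused connection or point kubectl at a plaintext `http://` server, sending their OIDC bearer token unencrypted. Change the NodePort and LoadBalancer echoes to `https://`, and the ClusterIP branch to `kubectl port-forward $POD_NAME 8443:443` with `echo "Visit https://127.0.0.1:8443 to use your application"`. The ingress branch, which switches scheme on `ingress.tls`, is the right shape.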
@@ -0,0 +1,58 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kube-oidc-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kube-oidc-proxy.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kube-oidc-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "kube-oidc-proxy.labels" -}} +app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }} +helm.sh/chart: {{ include "kube-oidc-proxy.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Required claims serialized to CLI argument +*/}} +{{- define "requiredClaims" -}} +{{- if .Values.oidc.requiredClaims -}} +{{- $local := (list) -}} +{{- range $k, $v := .Values.oidc.requiredClaims -}} +{{- $local = (printf "%s=%s" $k $v | append $local) -}} +{{- end -}} +{{ join "," $local }} +{{- end -}} +{{- end -}} 
diff --git a/charts/kube-oidc-proxy/templates/clusterrole.yaml b/charts/kube-oidc-proxy/templates/clusterrole.yaml new file mode 100644 index 0000000..00c8fac --- /dev/null +++ b/charts/kube-oidc-proxy/templates/clusterrole.yaml @@ -0,0 +1,23 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} + name: {{ include "kube-oidc-proxy.fullname" . }} +rules: +- apiGroups: + - "" + resources: + - "users" + - "groups" + - "serviceaccounts" + verbs: + - "impersonate" +- apiGroups: + - "authentication.k8s.io" + resources: + - "userextras/scopes" + - "tokenreviews" + verbs: + - "create" + - "impersonate" diff --git a/charts/kube-oidc-proxy/templates/clusterrolebinding.yaml b/charts/kube-oidc-proxy/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..8f6e7b3 --- /dev/null +++ b/charts/kube-oidc-proxy/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} + name: {{ include "kube-oidc-proxy.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kube-oidc-proxy.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kube-oidc-proxy.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/kube-oidc-proxy/templates/deployment.yaml b/charts/kube-oidc-proxy/templates/deployment.yaml new file mode 100644 index 0000000..66aa0a2 --- /dev/null +++ b/charts/kube-oidc-proxy/templates/deployment.yaml 
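Review bot: The second rule grants both `create` and `impersonate` on both `userextras/scopes` and `tokenreviews`, which is wider than the proxy needs: forwarding a user's extra scopes needs `impersonate` on `userextras/scopes`, and validating passthrough tokens needs `create` on `tokenreviews`, so each resource should carry only its own verb. This ClusterRole also lets the proxy's ServiceAccount impersonate any user or group, including `system:masters`, so its mounted token is a cluster-admin-equivalent credential; that is inherent to kube-oidc-proxy's design, but it deserves a comment above `rules:` such as `# NOTE: impersonate on users/groups is cluster-admin-equivalent; restrict who can read this namespace's Secrets and exec into the pod.` The split below keeps the first rule as is.
```yaml
rules:
# … unchanged: impersonate rule for users, groups, serviceaccounts …
- apiGroups:
  - "authentication.k8s.io"
  resources:
  - "userextras/scopes"
  verbs:
  - "impersonate"
- apiGroups:
  - "authentication.k8s.io"
  resources:
  - "tokenreviews"
  verbs:
  - "create"
```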
@@ -0,0 +1,169 @@ +{{ $fullname := include "kube-oidc-proxy.fullname" . }} +{{ $defaultTlsSecretName := printf "%s-tls" $fullname }} +{{ $tlsSecretName := .Values.tls.secretName | default $defaultTlsSecretName }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kube-oidc-proxy.fullname" . }} + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + serviceAccountName: {{ include "kube-oidc-proxy.fullname" . }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - containerPort: 443 + - containerPort: 8080 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 10 + command: ["kube-oidc-proxy"] + args: + - "--secure-port=443" + - "--tls-cert-file=/etc/oidc/tls/crt.pem" + - "--tls-private-key-file=/etc/oidc/tls/key.pem" + - "--oidc-client-id=$(OIDC_CLIENT_ID)" + - "--oidc-issuer-url=$(OIDC_ISSUER_URL)" + - "--oidc-username-claim=$(OIDC_USERNAME_CLAIM)" + {{- if .Values.oidc.caPEM }} + - "--oidc-ca-file=/etc/oidc/oidc-ca.pem" + {{ end }} + {{- if .Values.oidc.usernamePrefix }} + - "--oidc-username-prefix=$(OIDC_USERNAME_PREFIX)" + {{ end }} + {{- if .Values.oidc.groupsClaim }} + - "--oidc-groups-claim=$(OIDC_GROUPS_CLAIM)" + {{ end }} + {{- if .Values.oidc.groupsPrefix }} + - "--oidc-groups-prefix=$(OIDC_GROUPS_PREFIX)" + {{ end }} + {{- if .Values.oidc.signingAlgs }} + - "--oidc-signing-algs=$(OIDC_SIGNING_ALGS)" + {{ end }} + {{- if .Values.oidc.requiredClaims }} + - "--oidc-signing-algs=$(OIDC_REQUIRED_CLAIMS)" + {{ end }} + {{- if 
.Values.tokenPassthrough.enabled }} + - "--token-passthrough" + {{- if .Values.tokenPassthrough.audiences }} + - "--token-passthrough-audiences={{ join "," .Values.tokenPassthrough.audiences }}" + {{ end }} + {{ end }} + {{- if .Values.extraImpersonationHeaders.clientIP }} + - "--extra-user-header-client-ip" + {{ end }} + {{- if .Values.extraImpersonationHeaders.headers }} + - "--extra-user-headers={{ .Values.extraImpersonationHeaders.headers }}" + {{ end }} + {{- range $key, $value := .Values.extraArgs -}} + - "--{{ $key }}={{ $value -}}" + {{ end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + env: + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + key: oidc.client-id + - name: OIDC_ISSUER_URL + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + key: oidc.issuer-url + - name: OIDC_USERNAME_CLAIM + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + key: oidc.username-claim + {{- if .Values.oidc.usernamePrefix }} + - name: OIDC_USERNAME_PREFIX + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + key: oidc.username-prefix + {{ end }} + {{- if .Values.oidc.groupsClaim }} + - name: OIDC_GROUPS_CLAIM + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + key: oidc.groups-claim + {{ end }} + {{- if .Values.oidc.groupsPrefix }} + - name: OIDC_GROUPS_PREFIX + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + key: oidc.groups-prefix + {{ end }} + {{- if .Values.oidc.signingAlgs }} + - name: OIDC_SIGNING_ALGS + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + key: oidc.signing-algs + {{ end }} + {{- if .Values.oidc.requiredClaims }} + - name: OIDC_REQUIRED_CLAIMS + valueFrom: + secretKeyRef: + name: {{ include "kube-oidc-proxy.fullname" . 
}}-config + key: oidc.required-claims + {{ end }} + volumeMounts: + {{- if .Values.oidc.caPEM }} + - name: kube-oidc-proxy-config + mountPath: /etc/oidc + readOnly: true + {{ end }} + - name: kube-oidc-proxy-tls + mountPath: /etc/oidc/tls + readOnly: true + {{- if .Values.extraVolumeMounts }}{{ toYaml .Values.extraVolumeMounts | trim | nindent 10 }}{{ end }} + volumes: + {{ if .Values.oidc.caPEM }} + - name: kube-oidc-proxy-config + secret: + secretName: {{ include "kube-oidc-proxy.fullname" . }}-config + items: + - key: oidc.ca-pem + path: oidc-ca.pem + {{ end }} + {{- if .Values.extraVolumes }}{{ toYaml .Values.extraVolumes | trim | nindent 8 }}{{ end }} + - name: kube-oidc-proxy-tls + secret: + secretName: {{ $tlsSecretName }} + items: + - key: tls.crt + path: crt.pem + - key: tls.key + path: key.pem + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/kube-oidc-proxy/templates/ingress.yaml b/charts/kube-oidc-proxy/templates/ingress.yaml new file mode 100644 index 0000000..dbd3e3e --- /dev/null +++ b/charts/kube-oidc-proxy/templates/ingress.yaml 
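Review bot: The `requiredClaims` branch passes the claims to the wrong flag: `- "--oidc-signing-algs=$(OIDC_REQUIRED_CLAIMS)"` should be `- "--oidc-required-claims=$(OIDC_REQUIRED_CLAIMS)"`. As written, setting `oidc.requiredClaims` never enforces any claim, and when `oidc.signingAlgs` is also set the proxy is handed `--oidc-signing-algs` twice with a `key=value` list in one of them, so the intended authorization check silently does not exist. Separately, `imagePullSecrets` and `initContainers` are declared in this patch's values.yaml but never rendered here, so private-registry pulls fail with no hint; add `{{- with .Values.imagePullSecrets }}` / `imagePullSecrets: {{ toYaml . | nindent 8 }}` / `{{- end }}` under the pod `spec:`. No `securityContext` is set for a pod whose ServiceAccount can impersonate any user; `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` are reasonable defaults, though binding port 443 may require keeping `NET_BIND_SERVICE` depending on the image's user, which is not visible here.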
@@ -0,0 +1,36 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "kube-oidc-proxy.fullname" . -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + backend: + serviceName: {{ $fullName }} + servicePort: https + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kube-oidc-proxy/templates/poddisruptionbudget.yaml b/charts/kube-oidc-proxy/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..823cf70 --- /dev/null +++ b/charts/kube-oidc-proxy/templates/poddisruptionbudget.yaml @@ -0,0 +1,15 @@ +{{- if .Values.podDisruptionBudget.enabled -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ include "kube-oidc-proxy.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} +spec: + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/kube-oidc-proxy/templates/secret_config.yaml b/charts/kube-oidc-proxy/templates/secret_config.yaml new file mode 100644 index 0000000..8ab3bb3 --- /dev/null +++ b/charts/kube-oidc-proxy/templates/secret_config.yaml 
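Review bot: The Ingress forwards to `servicePort: https`, the proxy's TLS-only port, but nothing tells the ingress controller to speak TLS upstream; nginx and Traefik default to plain HTTP to the backend (nginx needs `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`, Traefik its protocol annotation), so the README's sample ingress would not reach the proxy at all. The generated certificate in secret_tls.yaml is only valid for `<fullname>.<namespace>.svc.cluster.local`, so a controller that verifies the upstream certificate will reject it unless it is given the CA or told to skip verification; the chart README should state which of those it expects. When `ingress.tls` is left at its `[]` default every request carries the user's OIDC bearer token in cleartext between client and ingress, which for a component whose stated purpose is internet exposure should fail at render time, e.g. `{{- if not .Values.ingress.tls }}{{ fail "ingress.tls must be set when ingress.enabled is true" }}{{- end }}`, or at minimum be called out in NOTES.txt. `extensions/v1beta1` is deprecated and removed in 1.22; `networking.k8s.io/v1` (or `v1beta1` for clusters before 1.19) avoids a future breakage.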
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kube-oidc-proxy.fullname" . }}-config + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.oidc.caPEM }} + oidc.ca-pem: {{ .Values.oidc.caPEM | default "" | b64enc }} + {{- end }} + + {{- if .Values.oidc.issuerUrl }} + oidc.issuer-url: {{ .Values.oidc.issuerUrl | b64enc }} + {{- end }} + + {{- if .Values.oidc.usernameClaim }} + oidc.username-claim: {{ .Values.oidc.usernameClaim | default "" | b64enc }} + {{- end }} + + {{- if .Values.oidc.clientId }} + oidc.client-id: {{ .Values.oidc.clientId | b64enc }} + {{- end }} + + {{- if .Values.oidc.usernamePrefix }} + oidc.username-prefix: {{ .Values.oidc.usernamePrefix | default "" | b64enc }} + {{- end }} + + {{- if .Values.oidc.groupsClaim }} + oidc.groups-claim: {{ .Values.oidc.groupsClaim | default "" | b64enc }} + {{- end }} + + {{- if .Values.oidc.groupsPrefix }} + oidc.groups-prefix: {{ .Values.oidc.groupsPrefix | default "" | b64enc }} + {{- end }} + + {{- if .Values.oidc.signingAlgs }} + oidc.signing-algs: {{ join "," .Values.oidc.signingAlgs | default "" | b64enc }} + {{- end }} + + {{- if .Values.oidc.requiredClaims }} + oidc.required-claims: {{ include "requiredClaims" . | b64enc }} + {{- end }} diff --git a/charts/kube-oidc-proxy/templates/secret_tls.yaml b/charts/kube-oidc-proxy/templates/secret_tls.yaml new file mode 100644 index 0000000..ace3540 --- /dev/null +++ b/charts/kube-oidc-proxy/templates/secret_tls.yaml 
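Review bot: The three keys the Deployment reads unconditionally (`oidc.client-id`, `oidc.issuer-url`, `oidc.username-claim`) are only emitted when set, and the Deployment's `secretKeyRef`s are not marked `optional`, so an install with the default empty `oidc` section passes `helm install` and then leaves the pod in `CreateContainerConfigError` with a missing-key message. Failing at render time is clearer and matches the README's "cannot be installed out of the box" statement: `oidc.issuer-url: {{ required "oidc.issuerUrl is required" .Values.oidc.issuerUrl | b64enc }}`, and likewise for `clientId` and `usernameClaim`, dropping their surrounding `if`. The `| default ""` after an `if` on the same value is dead (the branch only runs when the value is truthy) and can go. None of these keys are actually secret (CA PEM, issuer URL, client ID, claim names), so a ConfigMap would do, but keeping them in a Secret is harmless.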
@@ -0,0 +1,17 @@ +{{- if (not .Values.tls.secretName) }} +{{ $fullname := include "kube-oidc-proxy.fullname" . }} +{{ $ca := genCA (printf "%s-ca" $fullname) 3650 }} +{{ $cn := printf "%s.%s.svc.cluster.local" $fullname .Release.Namespace }} +{{ $server := genSignedCert $cn nil nil 365 $ca }} + +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "kube-oidc-proxy.fullname" . }}-tls + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} +data: + tls.crt: {{ b64enc $server.Cert }} + tls.key: {{ b64enc $server.Key }} +{{ end }} diff --git a/charts/kube-oidc-proxy/templates/service.yaml b/charts/kube-oidc-proxy/templates/service.yaml new file mode 100644 index 0000000..e5feee6 --- /dev/null +++ b/charts/kube-oidc-proxy/templates/service.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kube-oidc-proxy.fullname" . }} + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} + annotations: + {{- range $key, $val := .Values.service.annotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} +spec: + type: {{ .Values.service.type }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: 443 + protocol: TCP + name: https + selector: + app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/kube-oidc-proxy/templates/serviceaccount.yaml b/charts/kube-oidc-proxy/templates/serviceaccount.yaml new file mode 100644 index 0000000..ff5c18f --- /dev/null +++ b/charts/kube-oidc-proxy/templates/serviceaccount.yaml 
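Review bot: `genCA`/`genSignedCert` execute on every render, so each `helm upgrade` (and every `helm template` or `--dry-run`) produces a new key and certificate, breaking any kubeconfig that pinned the previous cert and making the release non-idempotent; if the target Helm version supports `lookup`, reuse the existing Secret's `tls.crt`/`tls.key` when present, otherwise document that `tls.secretName` is the only supported path beyond a throwaway install. The throwaway CA's certificate is never written out (only the leaf lands in `tls.crt`), so clients have nothing to put in `certificate-authority-data` except the leaf itself, and the certificate's only name is `<fullname>.<namespace>.svc.cluster.local`, so it cannot validate for an ingress hostname. A comment above the `genCA` line, e.g. `# Self-signed, regenerated on every upgrade, valid only for the in-cluster Service DNS name; set tls.secretName for real deployments.`, would save operators a surprise.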
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} + name: {{ include "kube-oidc-proxy.fullname" . }} + diff --git a/charts/kube-oidc-proxy/templates/tests/test-connection.yaml b/charts/kube-oidc-proxy/templates/tests/test-connection.yaml new file mode 100644 index 0000000..7ef7c14 --- /dev/null +++ b/charts/kube-oidc-proxy/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "kube-oidc-proxy.fullname" . }}-test-connection" + labels: +{{ include "kube-oidc-proxy.labels" . | indent 4 }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "kube-oidc-proxy.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/kube-oidc-proxy/values.yaml b/charts/kube-oidc-proxy/values.yaml new file mode 100644 index 0000000..e85214a --- /dev/null +++ b/charts/kube-oidc-proxy/values.yaml 
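Review bot: The test pod runs `wget <service>:<port>` as plain HTTP against the Service's only port, which is the proxy's TLS listener (`--secure-port=443`, port named `https`), so this `helm test` hook cannot pass as written. A TCP reachability check (`command: ['nc']` with `args: ['-z', '-w', '5', '{{ include "kube-oidc-proxy.fullname" . }}', '{{ .Values.service.port }}']`) exercises the right thing; an `https://` URL with `--no-check-certificate` would also reach the proxy, but an unauthenticated request is presumably answered with a 4xx, which busybox wget treats as failure, so the TCP check is the more robust option. Also pin `image: busybox` to a tag instead of the implicit `latest`.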
@@ -0,0 +1,118 @@ +# Default values for kube-oidc-proxy. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: quay.io/jetstack/kube-oidc-proxy + tag: v0.3.0 + pullPolicy: IfNotPresent + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + port: 443 + annotations: + # You can use this field to add annotations to the Service. + # Define it in a key-value pairs. E.g. + # service.beta.kubernetes.io/aws-load-balancer-internal: true + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + +tls: + # `secretName` must be a name of Secret of TLS type. If not provided a + # self-signed certificate will get generated. + secretName: + +# These values needs to be set in overrides in order to get kube-oidc-proxy +# working. +oidc: + # A minimal configuration requires setting clientId, issuerUrl and usernameClaim + # values. + clientId: "" + issuerUrl: "" + usernameClaim: "" + + # PEM encoded value of CA cert that will verify TLS connection to + # OIDC issuer URL. If not provided, default hosts root CA's will be used. 
+ caPEM: + + usernamePrefix: + groupsClaim: + groupsPrefix: + + signingAlgs: + - RS256 + requiredClaims: {} + +# To enable token passthrough feature +# https://github.com/jetstack/kube-oidc-proxy/blob/master/docs/tasks/token-passthrough.md +tokenPassthrough: + enabled: false + audiences: [] + +# To add extra impersonation headers +# https://github.com/jetstack/kube-oidc-proxy/blob/master/docs/tasks/extra-impersonation-headers.md +extraImpersonationHeaders: + clientIP: false + #headers: key1=foo,key2=bar,key1=bar + +extraArgs: {} + #audit-log-path: /audit-log + #audit-policy-file: /audit/audit.yaml + +extraVolumeMounts: {} + #- name: audit + # mountPath: /audit + # readOnly: true + +extraVolumes: {} + #- configMap: + #defaultMode: 420 + #name: kube-oidc-proxy-policy + #name: audit + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +# Enable Pod Disruption Budget +podDisruptionBudget: + enabled: false + minAvailable: 1 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # + +initContainers: [] + +nodeSelector: {} + +tolerations: [] + +affinity: {}
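Review bot: `imagePullSecrets: []` and `initContainers: []` are declared here but nothing in this patch's deployment.yaml consumes them, so a user setting them for a private registry or a bootstrap container gets neither an effect nor an error; either wire them into the Deployment or drop them. `extraVolumeMounts: {}` and `extraVolumes: {}` default to maps while the commented examples, and the `toYaml` into list context in deployment.yaml, expect lists, so they should be `[]`. There is no `podSecurityContext`/`securityContext` knob for a workload whose ServiceAccount can impersonate any cluster user; an empty `securityContext: {}` block with a comment recommending `runAsNonRoot: true` and `readOnlyRootFilesystem: true` lets operators harden it without forking the chart. Given the repo README says this copy exists to expose the proxy on the internet, the `ingress.tls: []` default deserves a comment such as `# WARNING: without tls, OIDC bearer tokens travel in cleartext to the ingress.`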