diff --git a/charts/theia-cloud/Chart.yaml b/charts/theia-cloud/Chart.yaml index da1575a..8bbcbd8 100644 --- a/charts/theia-cloud/Chart.yaml +++ b/charts/theia-cloud/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.12.0-next.3 +version: 0.12.0-next.4 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/theia-cloud/templates/instances-ingress-path-based.yaml b/charts/theia-cloud/templates/instances-ingress-path-based.yaml index 44c9e5f..57d04d9 100644 --- a/charts/theia-cloud/templates/instances-ingress-path-based.yaml +++ b/charts/theia-cloud/templates/instances-ingress-path-based.yaml @@ -1,76 +1,76 @@ -{{- if .Values.hosts.usePaths }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ tpl (.Values.ingress.instanceName | toString) . }} - namespace: {{ .Release.Namespace }} - annotations: - {{- if not .Values.ingress.tls }} - nginx.ingress.kubernetes.io/ssl-redirect: "false" - {{- end }} - nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" - nginx.ingress.kubernetes.io/rewrite-target: /$2 - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header 'X-Forwarded-Uri' $request_uri; - nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.proxyBodySize | toString) . }} - {{- if .Values.ingress.addTLSSecretName }} - {{- if .Values.ingress.certManagerAnnotations }} - cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }} - {{- if .Values.ingress.theiaCloudCommonName }} - cert-manager.io/common-name: "Theia Cloud" - {{- end }} - acme.cert-manager.io/http01-ingress-class: nginx - {{- end }} - {{- end }} -spec: - ingressClassName: nginx - {{- if .Values.ingress.tls }} - tls: - - hosts: - - {{ tpl (.Values.hosts.configuration.baseHost | toString) . }} - {{- if .Values.ingress.addTLSSecretName }} - {{- range $wildcard := .Values.hosts.allWildcardInstances }} - {{- if (not (hasKey $.Values.ingress.allWildcardSecretNames $wildcard)) }} - - {{ printf "%s%s" (tpl . $) (tpl $.Values.hosts.configuration.baseHost $)| quote }} - {{- end }} - {{- end }} - secretName: ws-cert-secret - {{- end }} - {{- end }} - - {{- range $wildcard := .Values.hosts.allWildcardInstances }} - {{- if hasKey $.Values.ingress.allWildcardSecretNames $wildcard }} - {{- $secretName := get $.Values.ingress.allWildcardSecretNames $wildcard }} - - hosts: - - {{ printf "%s%s" (tpl $wildcard $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} - secretName: {{ tpl $secretName $ | quote }} - {{- end }} - {{- end }} - {{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .) ) }} - rules: - - host: {{ tpl (.Values.hosts.configuration.baseHost | toString) . }} - http: - {{- range .Values.hosts.allWildcardInstances }} - - host: {{ printf "'%s%s'" (tpl . $) (tpl $.Values.hosts.configuration.baseHost $) }} - http: - {{- end }} - {{- else }} - rules: - {{ range $rule := (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .)).spec.rules }} - - host: {{ .host | quote }} - {{ if .http }} - http: - paths: - {{ with index .http.paths 0 }} - - path: {{ .path }} - pathType: Prefix - backend: - service: - name: {{ .backend.service.name }} - port: - number: {{ .backend.service.port.number }} - {{- end }} - {{ end }} - {{- end }} - {{- end }} -{{- end }} +{{- if .Values.hosts.usePaths }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ tpl (.Values.ingress.instanceName | toString) . }} + namespace: {{ .Release.Namespace }} + annotations: + {{- if not .Values.ingress.tls }} + nginx.ingress.kubernetes.io/ssl-redirect: "false" + {{- end }} + nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header 'X-Forwarded-Uri' $request_uri; + nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.proxyBodySize | toString) . }} + {{- if .Values.ingress.addTLSSecretName }} + {{- if .Values.ingress.certManagerAnnotations }} + cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }} + {{- if .Values.ingress.theiaCloudCommonName }} + cert-manager.io/common-name: "Theia Cloud" + {{- end }} + acme.cert-manager.io/http01-ingress-class: nginx + {{- end }} + {{- end }} +spec: + ingressClassName: nginx + {{- if .Values.ingress.tls }} + tls: + - hosts: + - {{ tpl (.Values.hosts.configuration.baseHost | toString) . }} + {{- if .Values.ingress.addTLSSecretName }} + {{- range $wildcard := .Values.hosts.allWildcardInstances }} + {{- if (not (hasKey $.Values.ingress.allWildcardSecretNames $wildcard)) }} + - {{ printf "%s%s" (tpl . $) (tpl $.Values.hosts.configuration.baseHost $)| quote }} + {{- end }} + {{- end }} + secretName: ws-cert-secret + {{- end }} + {{- end }} + + {{- range $wildcard := .Values.hosts.allWildcardInstances }} + {{- if hasKey $.Values.ingress.allWildcardSecretNames $wildcard }} + {{- $secretName := get $.Values.ingress.allWildcardSecretNames $wildcard }} + - hosts: + - {{ printf "%s%s" (tpl $wildcard $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} + secretName: {{ tpl $secretName $ | quote }} + {{- end }} + {{- end }} + {{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .) ) }} + rules: + - host: {{ tpl (.Values.hosts.configuration.baseHost | toString) . }} + http: + {{- range .Values.hosts.allWildcardInstances }} + - host: {{ printf "'%s%s'" (tpl . $) (tpl $.Values.hosts.configuration.baseHost $) }} + http: + {{- end }} + {{- else }} + rules: + {{ range $rule := (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .)).spec.rules }} + - host: {{ .host | quote }} + {{ if .http }} + http: + paths: + {{ with index .http.paths 0 }} + - path: {{ .path }} + pathType: Prefix + backend: + service: + name: {{ .backend.service.name }} + port: + number: {{ .backend.service.port.number }} + {{- end }} + {{ end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/theia-cloud/templates/instances-ingress.yaml b/charts/theia-cloud/templates/instances-ingress.yaml index 1d7d590..7590348 100644 --- a/charts/theia-cloud/templates/instances-ingress.yaml +++ b/charts/theia-cloud/templates/instances-ingress.yaml @@ -1,77 +1,77 @@ -{{- if not .Values.hosts.usePaths }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ tpl (.Values.ingress.instanceName | toString) . }} - namespace: {{ .Release.Namespace }} - annotations: - {{- if not .Values.ingress.tls }} - nginx.ingress.kubernetes.io/ssl-redirect: "false" - {{- end }} - {{- if .Values.ingress.addTLSSecretName }} - {{- if .Values.ingress.certManagerAnnotations }} - cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }} - {{- if .Values.ingress.theiaCloudCommonName }} - cert-manager.io/common-name: "Theia Cloud" - {{- end }} - acme.cert-manager.io/http01-ingress-class: nginx - {{- end }} - {{- end }} - nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" - nginx.ingress.kubernetes.io/rewrite-target: /$2 - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header 'X-Forwarded-Uri' $request_uri; - nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.proxyBodySize | toString) . }} -spec: - ingressClassName: nginx - {{- if .Values.ingress.tls }} - tls: - - hosts: - - {{ tpl (printf "%s.%s" .Values.hosts.configuration.instance .Values.hosts.configuration.baseHost | toString) . }} - {{- if .Values.ingress.addTLSSecretName }} - {{- range $wildcard := .Values.hosts.allWildcardInstances }} - {{- if (not (hasKey $.Values.ingress.allWildcardSecretNames $wildcard)) }} - - {{ printf "%s%s.%s" (tpl . $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} - {{- end }} - {{- end }} - secretName: ws-cert-secret - {{- end }} - {{- end }} - - {{- range $wildcard := .Values.hosts.allWildcardInstances }} - {{- if hasKey $.Values.ingress.allWildcardSecretNames $wildcard }} - {{- $secretName := get $.Values.ingress.allWildcardSecretNames $wildcard }} - - hosts: - - {{ printf "%s%s.%s" (tpl $wildcard $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} - secretName: {{ tpl $secretName $ | quote }} - {{- end }} - {{- end }} - - {{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .) ) }} - rules: - - host: {{ printf "%s.%s" (tpl .Values.hosts.configuration.instance .) (tpl .Values.hosts.configuration.baseHost .) }} - http: - {{- range .Values.hosts.allWildcardInstances }} - - host: {{ printf "%s%s.%s" (tpl . $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} - http: - {{- end }} - {{- else }} - rules: - {{ range $rule := (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .)).spec.rules }} - - host: {{ .host | quote }} - {{ if .http }} - http: - paths: - {{ with index .http.paths 0 }} - - path: {{ .path }} - pathType: Prefix - backend: - service: - name: {{ .backend.service.name }} - port: - number: {{ .backend.service.port.number }} - {{- end }} - {{ end }} - {{- end }} - {{- end }} -{{- end }} +{{- if not .Values.hosts.usePaths }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ tpl (.Values.ingress.instanceName | toString) . }} + namespace: {{ .Release.Namespace }} + annotations: + {{- if not .Values.ingress.tls }} + nginx.ingress.kubernetes.io/ssl-redirect: "false" + {{- end }} + {{- if .Values.ingress.addTLSSecretName }} + {{- if .Values.ingress.certManagerAnnotations }} + cert-manager.io/cluster-issuer: {{ tpl (.Values.ingress.clusterIssuer | toString) . }} + {{- if .Values.ingress.theiaCloudCommonName }} + cert-manager.io/common-name: "Theia Cloud" + {{- end }} + acme.cert-manager.io/http01-ingress-class: nginx + {{- end }} + {{- end }} + nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header 'X-Forwarded-Uri' $request_uri; + nginx.ingress.kubernetes.io/proxy-body-size: {{ tpl (.Values.ingress.proxyBodySize | toString) . }} +spec: + ingressClassName: nginx + {{- if .Values.ingress.tls }} + tls: + - hosts: + - {{ tpl (printf "%s.%s" .Values.hosts.configuration.instance .Values.hosts.configuration.baseHost | toString) . }} + {{- if .Values.ingress.addTLSSecretName }} + {{- range $wildcard := .Values.hosts.allWildcardInstances }} + {{- if (not (hasKey $.Values.ingress.allWildcardSecretNames $wildcard)) }} + - {{ printf "%s%s.%s" (tpl . $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} + {{- end }} + {{- end }} + secretName: ws-cert-secret + {{- end }} + {{- end }} + + {{- range $wildcard := .Values.hosts.allWildcardInstances }} + {{- if hasKey $.Values.ingress.allWildcardSecretNames $wildcard }} + {{- $secretName := get $.Values.ingress.allWildcardSecretNames $wildcard }} + - hosts: + - {{ printf "%s%s.%s" (tpl $wildcard $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} + secretName: {{ tpl $secretName $ | quote }} + {{- end }} + {{- end }} + + {{- if not (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .) ) }} + rules: + - host: {{ printf "%s.%s" (tpl .Values.hosts.configuration.instance .) (tpl .Values.hosts.configuration.baseHost .) }} + http: + {{- range .Values.hosts.allWildcardInstances }} + - host: {{ printf "%s%s.%s" (tpl . $) (tpl $.Values.hosts.configuration.instance $) (tpl $.Values.hosts.configuration.baseHost $) | quote }} + http: + {{- end }} + {{- else }} + rules: + {{ range $rule := (lookup "networking.k8s.io/v1" "Ingress" .Release.Namespace (tpl (.Values.ingress.instanceName | toString) .)).spec.rules }} + - host: {{ .host | quote }} + {{ if .http }} + http: + paths: + {{ with index .http.paths 0 }} + - path: {{ .path }} + pathType: Prefix + backend: + service: + name: {{ .backend.service.name }} + port: + number: {{ .backend.service.port.number }} + {{- end }} + {{ end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/theia-cloud/templates/oauth2-configmap-oauth2proxy-keycloak.yaml b/charts/theia-cloud/templates/oauth2-configmap-oauth2proxy-keycloak.yaml index 0adebde..a4c9ae7 100644 --- a/charts/theia-cloud/templates/oauth2-configmap-oauth2proxy-keycloak.yaml +++ b/charts/theia-cloud/templates/oauth2-configmap-oauth2proxy-keycloak.yaml @@ -1,35 +1,42 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: oauth2-proxy-config - namespace: {{ .Release.Namespace }} -data: - oauth2-proxy.cfg: |+ - # Provider config - provider="keycloak-oidc" - redirect_url="https://placeholder/oauth2/callback" - oidc_issuer_url="{{ tpl (.Values.keycloak.authUrl | toString) . }}realms/{{ tpl (.Values.keycloak.realm | toString) . }}" - ssl_insecure_skip_verify=true - # Client config - client_id="{{ tpl (.Values.keycloak.clientId | toString) . }}" - client_secret="{{ tpl (.Values.keycloak.clientSecret | toString) . }}" - cookie_secret="{{ tpl (.Values.keycloak.cookieSecret | toString) . }}" - cookie_secure="false" - #proxy_prefix="" - # Upstream config - http_address="0.0.0.0:5000" - upstreams="http://127.0.0.1:placeholder-port/" - # Proxy Config - #user_id_claim="preferred_username" - skip_auth_routes=["/health.*"] - skip_provider_button="true" - reverse_proxy="true" - # email_domains=["*"] - {{- if .Values.hosts.usePaths }} - cookie_domains=["{{ tpl (.Values.hosts.configuration.baseHost | toString) . }}"] - whitelist_domains=["{{ tpl (.Values.hosts.configuration.baseHost | toString) . }}:*",".google.com:*"] - {{- else }} - cookie_domains=["{{ tpl (.Values.hosts.configuration.instance | toString) . }}.{{ tpl (.Values.hosts.configuration.baseHost | toString) . }}"] - whitelist_domains=["{{ tpl (.Values.hosts.configuration.instance | toString) . }}.{{ tpl (.Values.hosts.configuration.baseHost | toString) . }}:*",".google.com:*"] - {{- end }} - custom_templates_dir="/templates" +{{- /* Extract the host where the Keycloak runs by extracting it from the auth URL via regex. */ -}} +{{- $keycloakUrl := tpl (.Values.keycloak.authUrl | toString) . -}} +{{- /* Regex to match a URL that matches the host in group 1: ([^/]+) */ -}} +{{- $hostRegex := `^https?://([^/]+)(/.*)?$` -}} +{{- /* Replace the URL with only the first group which is only the host. */ -}} +{{- $keycloakHost:= regexReplaceAll $hostRegex $keycloakUrl `$1` -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: oauth2-proxy-config + namespace: {{ .Release.Namespace }} +data: + oauth2-proxy.cfg: |+ + # Provider config + provider="keycloak-oidc" + redirect_url="https://placeholder/oauth2/callback" + oidc_issuer_url="{{ $keycloakUrl }}realms/{{ tpl (.Values.keycloak.realm | toString) . }}" + ssl_insecure_skip_verify=true + # Client config + client_id="{{ tpl (.Values.keycloak.clientId | toString) . }}" + client_secret="{{ tpl (.Values.keycloak.clientSecret | toString) . }}" + cookie_secret="{{ tpl (.Values.keycloak.cookieSecret | toString) . }}" + cookie_secure="false" + #proxy_prefix="" + # Upstream config + http_address="0.0.0.0:5000" + upstreams="http://127.0.0.1:placeholder-port/" + # Proxy Config + #user_id_claim="preferred_username" + skip_auth_routes=["/health.*"] + skip_provider_button="true" + reverse_proxy="true" + # email_domains=["*"] + {{- if .Values.hosts.usePaths }} + cookie_domains=["{{ tpl (.Values.hosts.configuration.baseHost | toString) . }}"] + whitelist_domains=["{{ tpl (.Values.hosts.configuration.baseHost | toString) . }}:*","{{ $keycloakHost }}:*",".google.com:*"] + {{- else }} + cookie_domains=["{{ tpl (.Values.hosts.configuration.instance | toString) . }}.{{ tpl (.Values.hosts.configuration.baseHost | toString) . }}"] + whitelist_domains=["{{ tpl (.Values.hosts.configuration.instance | toString) . }}:*","{{ $keycloakHost }}:*",".google.com:*"] + {{- end }} + custom_templates_dir="/templates" diff --git a/charts/theia-cloud/templates/operator-configmap-logging.yaml b/charts/theia-cloud/templates/operator-configmap-logging.yaml index 06db1e2..fd82147 100644 --- a/charts/theia-cloud/templates/operator-configmap-logging.yaml +++ b/charts/theia-cloud/templates/operator-configmap-logging.yaml @@ -1,9 +1,9 @@ -{{- if .Values.operator.logging.override }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: operator-logging-config - namespace: {{ .Release.Namespace }} -data: - log4j2.xml: {{ tpl (.Values.operator.logging.config | toYaml | indent 1) . }} -{{- end }} +{{- if .Values.operator.logging.override }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: operator-logging-config + namespace: {{ .Release.Namespace }} +data: + log4j2.xml: {{ tpl (.Values.operator.logging.config | toYaml | indent 1) . }} +{{- end }}