[bitnami/kiam] Add kiam helm chart (#4313)

* [bitnami/kiam] Add kiam helm chart

* fix readme

* Fix apiversion

* Update bitnami/kiam/templates/NOTES.txt

Co-authored-by: Marcos Bjoerkelund <marcosbc@users.noreply.github.com>

* Update bitnami/kiam/templates/NOTES.txt

Co-authored-by: Marcos Bjoerkelund <marcosbc@users.noreply.github.com>

* Apply requested changes

* Add helper

* Update bitnami/kiam/README.md

Co-authored-by: Marcos Bjoerkelund <marcosbc@users.noreply.github.com>

Co-authored-by: Marcos Bjoerkelund <marcosbc@users.noreply.github.com>
Javier J. Salmerón-García
2020-11-12 16:10:30 +01:00
committed by GitHub
parent f650c1ebed
commit 2a66fcbe79
29 changed files with 2504 additions and 0 deletions

bitnami/kiam/.helmignore (new file, 21 lines)

@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

bitnami/kiam/Chart.yaml (new file, 26 lines)

@@ -0,0 +1,26 @@
annotations:
category: Infrastructure
apiVersion: v2
appVersion: 3.6.0
dependencies:
- name: common
repository: 'https://charts.bitnami.com/bitnami'
tags:
- bitnami-common
version: 0.x.x
description: kiam is a proxy that captures AWS Metadata API requests. It allows AWS IAM roles to be set for Kubernetes workloads.
engine: gotpl
home: 'https://github.com/uswitch/kiam'
icon: 'https://bitnami.com/assets/stacks/kiam/img/kiam-stack-110x117.png'
keywords:
- aws
- iam
- security
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: kiam
sources:
- 'https://github.com/bitnami/bitnami-docker-kiam'
- 'https://github.com/uswitch/kiam'
version: 0.1.0
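Review bot: `engine: gotpl` is a Helm 2 Chart.yaml field that the v2 chart format does not define; with `apiVersion: v2` the chart is Helm 3 only and the key can be dropped. The same `apiVersion: v2` also contradicts the README's prerequisite of "Helm 2.12+" (see the README hunk), so one of the two should change.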

bitnami/kiam/README.md (new file, 373 lines)

@@ -0,0 +1,373 @@
# kiam
[kiam](https://github.com/uswitch/kiam) is a Kubernetes agent that allows to associate IAM roles to pods.
## TL;DR
```console
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install my-release bitnami/kiam
```
> NOTE: This chart only works in Kubernetes clusters in AWS
## Introduction
Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
This chart bootstraps a [kiam](https://github.com/bitnami/bitnami-docker-kiam) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+ in AWS
- Helm 2.12+ or Helm 3.0-beta3+
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/kiam
```
These commands deploy a kiam application on the Kubernetes cluster in the default configuration.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```bash
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
The following tables lists the configurable parameters of the kiam chart and their default values per section/component:
### Global parameters
| Parameter | Description | Default |
|---------------------------|-------------------------------------------------|---------------------------------------------------------|
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
### Common parameters
| Parameter | Description | Default |
|---------------------|---------------------------------------------------|--------------------------------|
| `nameOverride` | String to partially override kiam.fullname | `nil` |
| `fullnameOverride` | String to fully override kiam.fullname | `nil` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` (evaluated as a template) |
### kiam image parameters
| Parameter | Description | Default |
|---------------------|--------------------------------------------------|---------------------------------------------------------|
| `image.registry` | kiam image registry | `docker.io` |
| `image.repository` | kiam image name | `bitnami/kiam` |
| `image.tag` | kiam image tag | `{TAG_NAME}` |
| `image.pullPolicy` | kiam image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
### kiam server parameters
| Parameter | Description | Default |
|---------------------------------------------|---------------------------------------------------------------------------------------------|------------------------------------------|
| `server.enabled` | Deploy the kiam server | `true` |
| `server.containerPort` | HTTPS port to expose at container level | `8443` |
| `server.resourceType` | Specify how to deploy the server (allowed values: `daemonset` and `deployment`) | `daemonset` |
| `server.replicaCount` | Number of replicas to deploy (when `server.resourceType` is `daemonset`) | `1` |
| `server.logJsonOutput` | Use JSON format for logs | `true` |
| `server.extraArgs` | Extra arguments to add to the default kiam command | `[]` |
| `server.command` | Override kiam default command | `[]` |
| `server.args` | Override kiam default args | `[]` |
| `server.logLevel` | Logging level | `info` |
| `server.sslCertHostPath` | Path to the host system SSL certificates (necessary for contacting the AWS metadata server) | `/etc/ssl/certs` |
| `server.tlsFiles.ca` | Base64-encoded CA to use with the container | `nil` |
| `server.tlsFiles.cert` | Base64-encoded certificate to use with the container | `nil` |
| `server.tlsFiles.key` | Base64-encoded key to use with the container | `nil` |
| `server.tlsCerts.certFileName` | Name of the certificate filename | `cert.pem` |
| `server.tlsCerts.keyFileName` | Name of the certificate filename | `key.pem` |
| `server.tlsCerts.caFileName` | Name of the certificate filename | `ca.pem` |
| `server.gatewayTimeoutCreation` | Timeout when creating the kiam gateway | `1s` |
| `server.podSecurityPolicy.create` | Create a PodSecurityPolicy resources | `true` |
| `server.podSecurityPolicy.allowedHostPaths` | Extra host paths to allow in the PodSecurityPolicy | `[]` |
| `server.tlsSecret` | Name of a secret with TLS certificates for the container | `nil` |
| `server.dnsPolicy` | Pod DNS policy | `ClusterFirstWithHostNet` |
| `server.extraEnvVars` | Array containing extra env vars to configure kiam server | `nil` |
| `server.extraEnvVarsCM` | ConfigMap containing extra env vars to configure kiam server | `nil` |
| `server.extraEnvVarsSecret` | Secret containing extra env vars to configure kiam server (in case of sensitive data) | `nil` |
| `server.roleBaseArn` | Base ARN for IAM roles. If not set kiam will detect it automatically | `ClusterFirstWithHostNet` |
| `server.cacheSyncInterval` | Cache synchronization interval | `1m` |
| `server.containerSecurityContext` | Container security podSecurityContext | `{ runAsUser: 1001, runAsNonRoot: true}` |
| `server.podSecurityContext` | Pod security context | `{}` |
| `server.assumeRoleArn` | IAM role for the server to assume | `nil` |
| `server.sessionDuration` | Session duration for STS tokens | `15m` |
| `server.useHostNetwork` | Use host networking (ports will be directly exposed in the host) | `false` |
| `server.resources.limits` | The resources limits for the kiam container | `{}` |
| `server.resources.requests` | The requested resources for the kiam container | `{}` |
| `server.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) |
| `server.livenessProbe` | Liveness probe configuration for kiam | Check `values.yaml` file |
| `server.readinessProbe` | Readiness probe configuration for kiam | Check `values.yaml` file |
| `server.customLivenessProbe` | Override default liveness probe | `nil` |
| `server.customReadinessProbe` | Override default readiness probe | `nil` |
| `server.updateStrategy` | Strategy to use to update Pods | Check `values.yaml` file |
| `server.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `server.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `server.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `server.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `server.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `server.affinity` | Affinity for pod assignment | `{}` (evaluated as a template) |
| `server.nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) |
| `server.tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) |
| `server.podLabels` | Extra labels for kiam pods | `{}` |
| `server.podAnnotations` | Annotations for kiam pods | `{}` |
| `server.priorityClassName` | Server priorityClassName | `nil` |
| `server.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) |
| `server.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for kiam container(s) | `[]` |
| `server.extraVolumes` | Optionally specify extra list of additional volumes for kiam pods | `[]` |
| `server.initContainers` | Add additional init containers to the kiam pods | `{}` (evaluated as a template) |
| `server.sidecars` | Add additional sidecar containers to the kiam pods | `{}` (evaluated as a template) |
### kiam agent parameters
| Parameter | Description | Default |
|---------------------------------------------|--------------------------------------------------------------------------------------------|------------------------------------------|
| `agent.enabled` | Deploy the kiam agent | `true` |
| `agent.containerPort` | HTTPS port to expose at container level | `8443` |
| `agent.allowRouteRegExp` | Regexp with the allowed paths for agents to redirect | `nil` |
| `agent.iptables` | Have the agent modify the host iptables rules | `false` |
| `agent.iptablesRemoveOnShutdown` | Remove iptables rules when shutting down the agent node | `false` |
| `agent.hostInterface` | Interface for agents for redirecting requests | `cali+` |
| `agent.logJsonOutput` | Use JSON format for logs | `true` |
| `agent.keepaliveParams.time` | Keepalive time | `nil` |
| `agent.keepaliveParams.timeout` | Keepalive timeout | `nil` |
| `agent.keepaliveParams.permitWithoutStream` | Permit keepalive without stream | `nil` |
| `agent.enableDeepProbe` | Use the probes using the `/health` endpoint | `false` |
| `agent.extraArgs` | Extra arguments to add to the default kiam command | `[]` |
| `agent.command` | Override kiam default command | `[]` |
| `agent.args` | Override kiam default args | `[]` |
| `agent.logLevel` | Logging level | `info` |
| `agent.sslCertHostPath` | Path to the host system SSL certificates (necessary for contacting the AWS metadata agent) | `/etc/ssl/certs` |
| `agent.tlsFiles.ca` | Base64-encoded CA to use with the container | `nil` |
| `agent.tlsFiles.cert` | Base64-encoded certificate to use with the container | `nil` |
| `agent.tlsFiles.key` | Base64-encoded key to use with the container | `nil` |
| `agent.tlsCerts.certFileName` | Name of the certificate filename | `cert.pem` |
| `agent.tlsCerts.keyFileName` | Name of the certificate filename | `key.pem` |
| `agent.tlsCerts.caFileName` | Name of the certificate filename | `ca.pem` |
| `agent.gatewayTimeoutCreation` | Timeout when creating the kiam gateway | `1s` |
| `agent.podSecurityPolicy.create` | Create a PodSecurityPolicy resources | `false` |
| `agent.podSecurityPolicy.allowedHostPaths` | Extra host paths to allow in the PodSecurityPolicy | `[]` |
| `agent.tlsSecret` | Name of a secret with TLS certificates for the container | `nil` |
| `agent.dnsPolicy` | Pod DNS policy | `ClusterFirstWithHostNet` |
| `agent.extraEnvVars` | Array containing extra env vars to configure kiam agent | `nil` |
| `agent.extraEnvVarsCM` | ConfigMap containing extra env vars to configure kiam agent | `nil` |
| `agent.extraEnvVarsSecret` | Secret containing extra env vars to configure kiam agent (in case of sensitive data) | `nil` |
| `agent.containerSecurityContext` | Container security podSecurityContext | `{ runAsUser: 1001, runAsNonRoot: true}` |
| `agent.podSecurityContext` | Pod security context | `{}` |
| `agent.useHostNetwork` | Use host networking (ports will be directly exposed in the host) | `false` |
| `agent.resources.limits` | The resources limits for the kiam container | `{}` |
| `agent.resources.requests` | The requested resources for the kiam container | `{}` |
| `agent.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) |
| `agent.livenessProbe` | Liveness probe configuration for kiam | Check `values.yaml` file |
| `agent.readinessProbe` | Readiness probe configuration for kiam | Check `values.yaml` file |
| `agent.customLivenessProbe` | Override default liveness probe | `nil` |
| `agent.customReadinessProbe` | Override default readiness probe | `nil` |
| `agent.updateStrategy` | Strategy to use to update Pods | Check `values.yaml` file |
| `agent.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `agent.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `agent.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `agent.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `agent.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `agent.affinity` | Affinity for pod assignment | `{}` (evaluated as a template) |
| `agent.nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) |
| `agent.tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) |
| `agent.podLabels` | Extra labels for kiam pods | `{}` |
| `agent.podAnnotations` | Annotations for kiam pods | `{}` |
| `agent.priorityClassName` | Server priorityClassName | `nil` |
| `agent.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) |
| `agent.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for kiam container(s) | `[]` |
| `agent.extraVolumes` | Optionally specify extra list of additional volumes for kiam pods | `[]` |
| `agent.initContainers` | Add additional init containers to the kiam pods | `{}` (evaluated as a template) |
| `agent.sidecars` | Add additional sidecar containers to the kiam pods | `{}` (evaluated as a template) |
### Exposure parameters
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------|--------------------------------|
| `server.service.type` | Kubernetes service type | `ClusterIP` |
| `server.service.port` | Service HTTPS port | `443` |
| `server.service.nodePorts.http` | Service HTTPS NodePort | `nil` |
| `server.service.nodePorts.metrics` | Service metrics NodePort | `nil` |
| `server.service.clusterIP` | kiam service clusterIP IP | `None` |
| `server.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `server.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `server.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` |
| `server.service.annotations` | Annotations for kiam service | `{}` (evaluated as a template) |
| `agent.service.type` | Kubernetes service type | `ClusterIP` |
| `agent.service.nodePorts.metrics` | Service metrics NodePort | `nil` |
| `agent.service.clusterIP` | kiam service clusterIP IP | `None` |
| `agent.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `agent.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `agent.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` |
| `agent.service.annotations` | Annotations for kiam service | `{}` (evaluated as a template) |
### RBAC parameters
| Parameter | Description | Default |
|--------------------------------|-------------------------------------------------------|----------------------------------------------|
| `server.serviceAccount.name` | Name of the created ServiceAccount | Generated using the `kiam.fullname` template |
| `server.serviceAccount.create` | Enable the creation of a ServiceAccount for kiam pods | `true` |
| `agent.serviceAccount.name` | Name of the created ServiceAccount | Generated using the `kiam.fullname` template |
| `agent.serviceAccount.create` | Enable the creation of a ServiceAccount for kiam pods | `true` |
| `rbac.create` | Weather to create & use RBAC resources or not | `false` |
### Metrics parameters
| Parameter | Description | Default |
|---------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------|
| `agent.metrics.enabled` | Enable exposing kiam statistics | `false` |
| `agent.metrics.port` | Service HTTP managemenet port | `9990` |
| `agent.metrics.syncInterval` | Metrics synchronization interval statistics | `5s` |
| `agent.metrics.annotations` | Annotations for enabling prometheus to access the metrics endpoints | `{prometheus.io/scrape: "true", prometheus.io/port: "9990"}` |
| `agent.metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `agent.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `nil` |
| `agent.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
| `agent.metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `nil` |
| `agent.metrics.serviceMonitor.relabelings` | Specify Relabelings to add to the scrape endpoint | `nil` |
| `agent.metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `nil` |
| `agent.metrics.serviceMonitor.selector` | metrics service selector | `nil` |
| `server.metrics.enabled` | Enable exposing kiam statistics | `false` |
| `server.metrics.syncInterval` | Metrics synchronization interval statistics | `5s` |
| `server.metrics.port` | Metrics port | `9621` |
| `server.metrics.annotations` | Annotations for enabling prometheus to access the metrics endpoints | `{prometheus.io/scrape: "true", prometheus.io/port: "9990"}` |
| `server.metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `server.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `nil` |
| `server.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
| `server.metrics.serviceMonitor.selector` | metrics service selector | `nil` |
| `server.metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `nil` |
| `server.metrics.serviceMonitor.relabelings` | Specify Relabelings to add to the scrape endpoint | `nil` |
| `server.metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabellings to add to the scrape endpoint | `nil` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
helm install my-release --set server.resourceType=deployment bitnami/kiam
```
The above command sets the server nodes to be deployed as Deployment objects.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install my-release -f values.yaml bitnami/kiam
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Adding extra environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `server.extraEnvVars` and `agent.extraEnvVars` property.
```yaml
server:
extraEnvVars:
- name: LOG_LEVEL
value: error
```
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `server.extraEnvVarsCM`, `agent.extraEnvVarsCM` or the `server.extraEnvVarsSecret` and `agent.extraEnvVarsSecret` values.
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as the kiam app (e.g. an additional metrics or logging exporter), you can do so via the `server.sidecars` and `agent.sidecars` config parameters. Simply define your container according to the Kubernetes container spec.
```yaml
server:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Similarly, you can add extra init containers using the `server.initContainers` and `agent.initContainers` parameters.
```yaml
server:
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Deploying extra resources
There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter.
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `server.affinity` and `agent.affinity` paremeters. Find more infomation about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `server.podAffinityPreset`, `agent.podAffinityPreset`, `server.podAntiAffinityPreset`, `agent.podAntiAffinityPreset`, or `server.nodeAffinityPreset` and `agent.nodeAffinityPreset` parameters.
### TLS Secrets
This chart will facilitate the creation of TLS secrets for use with kiam. There are three common use cases:
- Helm auto-generates the certificates.
- User specifies the certificates in the values.
- User generates/manages certificates separately.
By default the first use case will be applied. In second case, it's needed a certificate and a key. We would expect them to look like this:
- The certificate files should look like (there can be more than one certificate if there is a certificate chain)
```console
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
...
jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7
-----END CERTIFICATE-----
```
- The keys should look like this:
```console
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4
...
wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
-----END RSA PRIVATE KEY-----
```
If you are going to use the values file to manage the certificates, please copy these values into the `server.tlsFiles.cert`, `server.tlsFiles.ca` and `server.tlsFiles.key` or `agent.tlsFiles.cert`, `agent.tlsFiles.ca` and `agent.tlsFiles.key`.
If you are going to manage TLS secrets outside of Helm, please know that you can create a TLS secret (named `kiam.local-tls` for example) and set it using the `server.tlsSecret` or `agent.tlsSecret` values.
## Troubleshooting
Find more information about how to deal with common errors related to Bitnamis Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
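Review bot: several rows of the parameter tables carry copy-paste errors that would mislead a deployer and should be fixed before merge: `server.roleBaseArn` lists `ClusterFirstWithHostNet` as its default (that is the `dnsPolicy` value; it should be `nil`); `server.replicaCount` says it applies when `server.resourceType` is `daemonset`, but a DaemonSet has no replica count, so this should read `deployment`; `server.tlsCerts.keyFileName`, `server.tlsCerts.caFileName` and the `agent.tlsCerts.*` rows are all described as "Name of the certificate filename"; `server.metrics.annotations` defaults `prometheus.io/port` to `"9990"` while `server.metrics.port` defaults to `9621`, so Prometheus would scrape the wrong port on the server; `agent.priorityClassName` is described as "Server priorityClassName"; `server.containerSecurityContext`/`agent.containerSecurityContext` say "Container security podSecurityContext"; and `server.lifecycleHooks` and `agent.lifecycleHooks` each appear twice. On the security-relevant parameters, `agent.iptables` (default `false`) deserves a sentence explaining that the agent only intercepts requests to 169.254.169.254 when it installs the redirect rules (or the operator manages them), otherwise pods keep talking to the node's own metadata endpoint and the NOTES.txt verification step shows the instance role rather than the pod role; and `agent.hostInterface` defaulting to `cali+` is Calico-specific, so clusters on another CNI need a different interface pattern, which is worth stating. The Prerequisites list "Helm 2.12+", but Chart.yaml in this PR uses `apiVersion: v2`, which requires Helm 3. Typos: "Weather" should be "Whether" (`rbac.create`), "managemenet", "paremeters", "infomation", "Bitnamis", and `agent.sslCertHostPath` says "AWS metadata agent" where the matching server row correctly says "metadata server".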


@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 0.10.0
digest: sha256:cbe8f782ad7168557b9bb101a4d441d3210e2dda09cd249eb8426d1499ce6afc
generated: "2020-11-10T18:12:53.13587+01:00"


@@ -0,0 +1,31 @@
** Please be patient while the chart is being deployed **
In order to associate your pods with AWS IAM roles, follow the steps below:
* Annotate your namespace with the allowed role ARNs via `iam.amazonaws.com/permitted`:
kubectl edit namespace my-namespace
kind: Namespace
metadata:
name: my-namespace
annotations:
iam.amazonaws.com/permitted: "<Role ARN or Regex matching role ARN(s)>"
* Annotate your pods with the desired role via `iam.amazonaws.com/role`:
kubectl edit pod my-pod
kind: Pod
metadata:
name: my-pod
annotations:
iam.amazonaws.com/role: "<Name of the ARN role>"
* Verify the role by entering your pod and executing the following command
kubectl exec -ti my-pod bash
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "kiam.validateValues" . }}
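Review bot: `kubectl exec -ti my-pod bash` should be `kubectl exec -ti my-pod -- bash`; kubectl has deprecated the form without `--`. In the namespace example, since `iam.amazonaws.com/permitted` is matched as a regular expression, the placeholder should hint that the value needs to be anchored (a full ARN or a pattern such as `^arn:aws:iam::<account-id>:role/app-.*$`), because an unanchored partial pattern permits more roles than intended and this annotation is the namespace-level control over which roles pods may request. The pod example's placeholder "<Name of the ARN role>" would read clearer as "<role name or full role ARN>", since both forms are accepted (a bare name is combined with `server.roleBaseArn`). It would also help to say what the verification `curl` is expected to return: the role name set in the pod annotation, and not the node's instance profile.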


@@ -0,0 +1,100 @@
{{/*
Return the proper kiam image name
*/}}
{{- define "kiam.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "kiam.imagePullSecrets" -}}
{{- include "common.images.pullSecrets" (dict "images" (list .Values.image) "global" .Values.global) -}}
{{- end -}}
{{/*
Create the name of the service account to use (server)
*/}}
{{- define "kiam.server.serviceAccountName" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (printf "%s-server" (include "common.names.fullname" .)) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use (agent)
*/}}
{{- define "kiam.agent.serviceAccountName" -}}
{{- if .Values.agent.serviceAccount.create -}}
{{ default (printf "%s-agent" (include "common.names.fullname" .)) .Values.agent.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.agent.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Generate certificates for kiam agent and server
*/}}
{{- define "kiam.agent.gen-certs" -}}
{{- $ca := .ca | default (genCA "kiam-ca" 365) -}}
{{- $_ := set . "ca" $ca -}}
{{- $cert := genSignedCert "Kiam Agent" nil nil 365 $ca -}}
{{ .Values.agent.tlsCerts.caFileName }}: {{ $ca.Cert | b64enc }}
{{ .Values.agent.tlsCerts.certFileName }}: {{ $cert.Cert | b64enc }}
{{ .Values.agent.tlsCerts.keyFileName }}: {{ $cert.Key | b64enc }}
{{- end -}}
{{- define "kiam.server.gen-certs" -}}
{{- $altNames := list (printf "%s-server" (include "common.names.fullname" .)) (printf "%s-server:%d" (include "common.names.fullname" .) .Values.server.service.port ) (printf "127.0.0.1:%d" .Values.server.containerPort) -}}
{{- $ca := .ca | default (genCA "kiam-ca" 365) -}}
{{- $_ := set . "ca" $ca -}}
{{- $cert := genSignedCert "Kiam Server" (list "127.0.0.1") $altNames 365 $ca -}}
{{ .Values.server.tlsCerts.caFileName }}: {{ $ca.Cert | b64enc }}
{{ .Values.server.tlsCerts.certFileName }}: {{ $cert.Cert | b64enc }}
{{ .Values.server.tlsCerts.keyFileName }}: {{ $cert.Key | b64enc }}
{{- end -}}
{{/*
Compile all warnings into a single message.
*/}}
{{- define "kiam.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "kiam.validateValues.ports" .) -}}
{{- $messages := append $messages (include "kiam.validateValues.nodeploy" .) -}}
{{- $messages := append $messages (include "kiam.validateValues.resourceType" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Kiam - ports */}}
{{- define "kiam.validateValues.ports" -}}
{{- if and .Values.server.enabled .Values.server.metrics.enabled (eq .Values.server.containerPort .Values.server.metrics.port) -}}
kiam: server-ports-conflict
You enabled the metrics endpoint with the same port as the kiam server port, {{ .Values.server.containerPort }} == {{ .Values.server.metrics.port }}.
Please use a different port by setting server.metrics.port and server.containerPort with different values.
{{- end -}}
{{- end -}}
{{/* Validate values of Kiam - no deployment */}}
{{- define "kiam.validateValues.nodeploy" -}}
{{- if and (not .Values.server.enabled) (not .Values.agent.enabled) -}}
kiam: nothing-deployed
You did not deploy neither the server nor the agents. Please set at least one of the following values
server.enabled=true
agent.enabled=true
{{- end -}}
{{- end -}}
{{/* Validate values of Kiam - resource type */}}
{{- define "kiam.validateValues.resourceType" -}}
{{- if and (not (eq .Values.server.resourceType "daemonset")) (not (eq .Values.server.resourceType "deployment")) -}}
kiam: server-resource-type
Server resource type {{ .Values.server.resourceType }} is not valid, only "daemonset" and "deployment" are allowed
{{- end -}}
{{- end -}}
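Review bot: `kiam.agent.gen-certs` and `kiam.server.gen-certs` call `genCA "kiam-ca" 365` and `genSignedCert ... 365 $ca` unconditionally, so every `helm upgrade` mints a new CA and new leaf certificates. Within one render the two templates share `$ca` through `set . "ca"`, so agent and server Secrets stay consistent with each other, but agents still running with the previous Secret cannot complete mTLS against a server restarted with the new CA until their own rollout finishes, and the auto-generated material silently expires after a year if no upgrade happens. Consider reusing an existing Secret via `lookup` when present, or at least documenting this rotation behaviour in the README's TLS section. Minor: the `kiam.validateValues.nodeploy` message "You did not deploy neither the server nor the agents" is a double negative; "You deployed neither the server nor the agent" is the intended wording.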


@@ -0,0 +1,217 @@
{{- if .Values.agent.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.agent.updateStrategy }}
updateStrategy: {{- toYaml .Values.agent.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: agent
template:
metadata:
{{- if .Values.agent.podAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.agent.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: agent
{{- if .Values.agent.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "kiam.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ template "kiam.agent.serviceAccountName" . }}
dnsPolicy: {{ .Values.agent.dnsPolicy }}
hostNetwork: true
{{- if .Values.agent.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.agent.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.agent.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.agent.nodeAffinityPreset.type "key" .Values.agent.nodeAffinityPreset.key "values" .Values.agent.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.agent.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.agent.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.agent.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.agent.priorityClassName }}
priorityClassName: {{ .Values.agent.priorityClassName | quote }}
{{- end }}
{{- if .Values.agent.podSecurityContext.enabled }}
securityContext: {{- omit .Values.agent.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.agent.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.agent.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: agent
image: {{ template "kiam.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.agent.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.agent.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.agent.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.agent.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.agent.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.agent.command "context" $) | nindent 12 }}
{{- else }}
command:
- kiam
- agent
{{- end }}
{{- if .Values.agent.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.agent.args "context" $) | nindent 12 }}
{{- else }}
args:
{{- if .Values.agent.iptables }}
- --iptables
{{- end }}
{{- if not .Values.agent.iptablesRemoveOnShutdown }}
- --no-iptables-remove
{{- end }}
- --host-interface={{ .Values.agent.hostInterface }}
{{- if .Values.agent.logJsonOutput }}
- --json-log
{{- end }}
- --level={{ .Values.agent.logLevel }}
- --port={{ .Values.agent.containerPort }}
- --cert=/bitnami/kiam/tls/{{ .Values.agent.tlsCerts.certFileName }}
- --key=/bitnami/kiam/tls/{{ .Values.agent.tlsCerts.keyFileName }}
- --ca=/bitnami/kiam/tls/{{ .Values.agent.tlsCerts.caFileName }}
- --server-address={{ template "common.names.fullname" . }}-server:{{ .Values.server.service.port }}
{{- if .Values.agent.metrics.enabled }}
- --prometheus-listen-addr=0.0.0.0:{{ .Values.agent.metrics.port }}
- --prometheus-sync-interval={{ .Values.agent.metrics.syncInterval }}
{{- end }}
{{- if .Values.agent.allowRouteRegExp }}
- --allow-route-regexp={{ .Values.agent.allowRouteRegExp }}
{{- end }}
- --gateway-timeout-creation={{ .Values.agent.gatewayTimeoutCreation }}
{{- if .Values.agent.keepaliveParams.time }}
- --grpc-keepalive-time-ms={{ .Values.agent.keepaliveParams.time }}
{{- end }}
{{- if .Values.agent.keepaliveParams.timeout }}
- --grpc-keepalive-timeout-ms={{ .Values.agent.keepaliveParams.timeout }}
{{- end }}
{{- if .Values.agent.keepaliveParams.permitWithoutStream }}
- --grpc-keepalive-permit-without-stream
{{- end }}
{{- range $key, $value := .Values.agent.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- end }}
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.agent.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.agent.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.agent.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
{{- if .Values.agent.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.agent.metrics.port }}
protocol: TCP
{{- end }}
{{- if .Values.agent.resources }}
resources: {{- toYaml .Values.agent.resources | nindent 12 }}
{{- end }}
{{- if .Values.agent.livenessProbe.enabled }}
livenessProbe:
httpGet:
{{- if .Values.agent.enableDeepProbe }}
path: /health?deep=1
{{- else }}
path: /ping
{{- end }}
port: {{ .Values.agent.containerPort }}
initialDelaySeconds: {{ .Values.agent.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.agent.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.agent.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.agent.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.agent.livenessProbe.failureThreshold }}
{{- else if .Values.agent.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.agent.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.agent.readinessProbe.enabled }}
readinessProbe:
httpGet:
{{- if .Values.agent.enableDeepProbe }}
path: /health?deep=1
{{- else }}
path: /ping
{{- end }}
port: {{ .Values.agent.containerPort }}
initialDelaySeconds: {{ .Values.agent.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.agent.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.agent.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.agent.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.agent.readinessProbe.failureThreshold }}
{{- else if .Values.agent.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.agent.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /bitnami/kiam/tls
name: tls
{{- if .Values.server.sslCertHostPath }}
- mountPath: /etc/ssl/certs
name: ssl-certs
readOnly: true
{{- end }}
- mountPath: /var/run/xtables.lock
name: xtables
{{- if .Values.agent.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.agent.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.agent.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: tls
secret:
{{- if .Values.agent.tlsSecret }}
secretName: {{ .Values.agent.tlsSecret }}
{{else}}
secretName: {{ template "common.names.fullname" . }}-agent
{{- end }}
{{- if .Values.server.sslCertHostPath }}
- name: ssl-certs
hostPath:
path: {{ .Values.server.sslCertHostPath }}
{{- end }}
- name: xtables
hostPath:
path: /run/xtables.lock
type: FileOrCreate
{{- if .Values.agent.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
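Review bot: the agent DaemonSet hardcodes `hostNetwork: true` in the pod spec, while the agent PodSecurityPolicy in this same change renders `hostNetwork: {{ .Values.agent.useHostNetwork }}`; with `agent.useHostNetwork=false` the PSP rejects the very pods it exists to admit. Drive both from the same value (or drop the value and hardcode `true` in the PSP as well). Related: the `HOST_IP` env var reads `fieldPath: status.podIP`, which only equals the node address because of host networking; if host networking ever becomes optional, `status.hostIP` is the field that actually means what the name says. Two smaller points in the same hunk: the `ssl-certs` volume and mount are gated on `.Values.server.sslCertHostPath` although this is the agent template and the agent PSP keys its `allowedHostPaths` entry on `.Values.agent.sslCertHostPath`, so use the agent key in both places; and `{{else}}` in the `tls` volume is the only untrimmed action in the file and leaves a blank line in the output, so write it `{{- else }}` like the rest.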


@@ -0,0 +1,25 @@
{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.create }}
{{- if .Values.rbac.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-agent-psp
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ template "common.names.fullname" . }}-agent
verbs:
- use
{{- end }}
{{- end }}


@@ -0,0 +1,24 @@
{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.create }}
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-agent-psp
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "common.names.fullname" . }}-agent-psp
subjects:
- kind: ServiceAccount
name: {{ template "kiam.agent.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@@ -0,0 +1,54 @@
{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.create }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
privileged: false
{{- if .Values.agent.iptables }}
allowedCapabilities:
- "NET_ADMIN"
{{ end }}
allowPrivilegeEscalation: false
volumes:
- 'secret'
- 'hostPath'
allowedHostPaths:
- pathPrefix: "/run/xtables.lock"
- pathPrefix: {{ .Values.agent.sslCertHostPath }}
readOnly: true
{{- if .Values.agent.podSecurityPolicy.allowedHostPaths }}
{{- toYaml .Values.agent.podSecurityPolicy.allowedHostPaths | nindent 4 }}
{{- end }}
hostNetwork: {{ .Values.agent.useHostNetwork }}
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
{{- if .Values.agent.containerSecurityContext.seLinuxOptions }}
rule: 'MustRunAs'
seLinuxOptions: {{- toYaml .Values.agent.containerSecurityContext.seLinuxOptions | nindent 6 }}
{{- else }}
rule: 'RunAsAny'
{{- end }}
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
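Review bot: the second `allowedHostPaths` entry, `- pathPrefix: {{ .Values.agent.sslCertHostPath }}`, is rendered unconditionally; when the value is unset it produces a `pathPrefix:` with no value, which PSP validation rejects, so wrap it in `{{- if .Values.agent.sslCertHostPath }}` exactly as the volume is gated in the DaemonSet (and make the DaemonSet use this same `agent.sslCertHostPath` key rather than the server's). Keep the `readOnly: true` on that entry; the `/run/xtables.lock` prefix correctly stays writable since the agent must lock it when `--iptables` is set. Style: `{{ end }}` after `allowedCapabilities` is the one untrimmed action in the file and emits a stray blank line; use `{{- end }}`.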


@@ -0,0 +1,21 @@
{{- if and .Values.agent.enabled (not .Values.agent.tlsSecret) -}}
apiVersion: v1
kind: Secret
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-agent
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.agent.tlsFiles.ca }}
{{- toYaml .Values.agent.tlsFiles | nindent 2 }}
{{- else }}
{{- include "kiam.agent.gen-certs" . | nindent 2 }}
{{- end -}}
{{- end }}
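Review bot: `{{- toYaml .Values.agent.tlsFiles | nindent 2 }}` writes user-supplied values straight under `data:`, so they must already be base64-encoded and their keys must match `agent.tlsCerts.certFileName`, `keyFileName` and `caFileName`, which the DaemonSet passes as `--cert=/bitnami/kiam/tls/{{ .Values.agent.tlsCerts.certFileName }}` and friends; either document both constraints in values.yaml or render them under `stringData:` so PEM can be pasted as-is. For the fallback `kiam.agent.gen-certs` path (helper not in this hunk): the agent verifies the server with `--ca` and the server authenticates agents by client certificate, so the agent and server helpers must sign against one shared CA; and if they use the Sprig `genCA`/`genSignedCert` functions, every `helm upgrade` mints a fresh CA and key pair, which breaks mTLS between pods that have not yet restarted. Worth noting in the README if that is the behaviour.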


@@ -0,0 +1,17 @@
{{- if .Values.agent.enabled }}
{{- if .Values.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "kiam.agent.serviceAccountName" . }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
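Review bot: ServiceAccount creation is gated on `.Values.rbac.create` rather than a dedicated `serviceAccount.create` flag; with `rbac.create=false` the DaemonSet still sets `serviceAccountName: {{ template "kiam.agent.serviceAccountName" . }}`, so unless that helper falls back to an existing account the pods are rejected at admission for referencing a missing ServiceAccount. Either add a `serviceAccount.create`/`name` pair (the usual Bitnami layout) or make the helper's fallback explicit.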


@@ -0,0 +1,49 @@
{{- if .Values.agent.enabled }}
{{- if .Values.agent.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-agent-metrics
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.agent.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.agent.service.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if and .Values.agent.metrics.enabled .Values.agent.metrics.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.agent.service.type }}
{{- if and .Values.agent.service.clusterIP (eq .Values.agent.service.type "ClusterIP") }}
clusterIP: {{ .Values.agent.service.clusterIP }}
{{- end }}
{{- if (or (eq .Values.agent.service.type "LoadBalancer") (eq .Values.agent.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.agent.service.externalTrafficPolicy | quote }}
{{- end }}
{{ if eq .Values.agent.service.type "LoadBalancer" }}
loadBalancerSourceRanges: {{ .Values.agent.service.loadBalancerSourceRanges }}
{{ end }}
{{- if (and (eq .Values.agent.service.type "LoadBalancer") (not (empty .Values.agent.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.agent.service.loadBalancerIP }}
{{- end }}
ports:
- name: metrics
port: {{ .Values.agent.metrics.port }}
targetPort: metrics
protocol: TCP
{{- if (and (or (eq .Values.agent.service.type "NodePort") (eq .Values.agent.service.type "LoadBalancer")) (not (empty .Values.agent.service.nodePorts.metrics))) }}
nodePort: {{ .Values.agent.service.nodePorts.metrics }}
{{- else if eq .Values.agent.service.type "ClusterIP" }}
nodePort: null
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- end }}
{{- end }}
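Review bot: `loadBalancerSourceRanges: {{ .Values.agent.service.loadBalancerSourceRanges }}` interpolates a Go slice, which renders as `[10.0.0.0/8 192.168.0.0/16]`; YAML reads that flow sequence as a single space-joined string, so with more than one range the API server rejects the Service as an invalid CIDR and the operator's attempt to restrict access to the metrics endpoint fails. Use `{{- toYaml .Values.agent.service.loadBalancerSourceRanges | nindent 4 }}` and gate it with trimmed `{{- if }}`/`{{- end }}` like the rest of the file (the untrimmed `{{ if` / `{{ end }}` also leave blank lines). Minor: `and .Values.agent.metrics.enabled ...` on the metrics annotations is redundant inside a block already guarded by `agent.metrics.enabled`.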


@@ -0,0 +1,41 @@
{{- if and .Values.agent.enabled .Values.agent.metrics.enabled .Values.agent.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "common.names.fullname" . }}-agent
{{- if .Values.agent.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.agent.metrics.serviceMonitor.namespace }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: agent
{{- range $key, $value := .Values.agent.metrics.serviceMonitor.selector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: agent
endpoints:
- port: metrics
{{- if .Values.agent.metrics.serviceMonitor.interval }}
interval: {{ .Values.agent.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.agent.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.agent.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.agent.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.agent.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,4 @@
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}


@@ -0,0 +1,206 @@
{{- if and .Values.server.enabled (eq .Values.server.resourceType "daemonset") }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.server.updateStrategy }}
updateStrategy: {{- toYaml .Values.server.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: server
template:
metadata:
{{- if .Values.server.podAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.server.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: server
{{- if .Values.server.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.server.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "kiam.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ template "kiam.server.serviceAccountName" . }}
dnsPolicy: {{ .Values.server.dnsPolicy }}
hostNetwork: true
{{- if .Values.server.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.server.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.server.nodeAffinityPreset.type "key" .Values.server.nodeAffinityPreset.key "values" .Values.server.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.server.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.server.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.server.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.server.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName | quote }}
{{- end }}
{{- if .Values.server.podSecurityContext.enabled }}
securityContext: {{- omit .Values.server.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.server.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.server.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: server
image: {{ template "kiam.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.server.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.server.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.server.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.server.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.server.command "context" $) | nindent 12 }}
{{- else }}
command:
- kiam
- server
{{- end }}
{{- if .Values.server.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.server.args "context" $) | nindent 12 }}
{{- else }}
args:
{{- if .Values.server.logJsonOutput }}
- --json-log
{{- end }}
- --level={{ .Values.server.logLevel }}
- --bind=0.0.0.0:{{ .Values.server.containerPort }}
- --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
- --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
- --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
{{- if .Values.server.roleBaseArn }}
- --role-base-arn={{ .Values.server.roleBaseArn }}
{{- else }}
- --role-base-arn-autodetect
{{- end }}
{{- if .Values.server.assumeRoleArn }}
- --assume-role-arn={{ .Values.server.assumeRoleArn }}
{{- end }}
- --session-duration={{ .Values.server.sessionDuration }}
- --sync={{ .Values.server.cacheSyncInterval }}
{{- if .Values.server.metrics.enabled }}
- --prometheus-listen-addr=0.0.0.0:{{ .Values.server.metrics.port }}
- --prometheus-sync-interval={{ .Values.server.metrics.syncInterval }}
{{- end }}
{{- range $key, $value := .Values.server.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.server.containerPort }}
protocol: TCP
{{- if .Values.server.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.server.metrics.port }}
protocol: TCP
{{- end }}
{{- if .Values.server.extraEnvVars }}
env: {{- include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.server.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.server.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.server.resources }}
resources: {{- toYaml .Values.server.resources | nindent 12 }}
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
exec:
command:
- kiam
- health
- --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
- --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
- --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
- --server-address=127.0.0.1:{{ .Values.server.containerPort }}
- --server-address-refresh=2s
- --timeout=5s
- --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.server.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
{{- else if .Values.server.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.server.readinessProbe.enabled }}
readinessProbe:
exec:
command:
- kiam
- health
- --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
- --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
- --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
- --server-address=127.0.0.1:{{ .Values.server.containerPort }}
- --server-address-refresh=2s
- --timeout=5s
- --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
{{- else if .Values.server.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /bitnami/kiam/tls
name: tls
{{- if .Values.server.sslCertHostPath }}
- mountPath: /etc/ssl/certs
name: ssl-certs
readOnly: true
{{- end }}
{{- if .Values.server.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.server.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: tls
secret:
{{- if .Values.server.tlsSecret }}
secretName: {{ .Values.server.tlsSecret }}
{{else}}
secretName: {{ template "common.names.fullname" . }}-server
{{- end }}
{{- if .Values.server.sslCertHostPath }}
- name: ssl-certs
hostPath:
path: {{ .Values.server.sslCertHostPath }}
{{- end }}
{{- if .Values.server.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
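Review bot: this server DaemonSet and the server Deployment in the next hunk share roughly 180 identical pod-template lines; move the pod spec into a named template in `_helpers.tpl` and include it from both so a fix (for example to the `kiam health` probe arguments) cannot land in one and drift from the other. The one place they already differ is `updateStrategy: {{- toYaml .Values.server.updateStrategy }}` here versus `strategy:` in the Deployment, fed from the same value; the two resources accept different `rollingUpdate` fields (Deployments take `maxSurge`, DaemonSets historically only `maxUnavailable`), so a value written for one is invalid for the other and the key should either be documented per `resourceType` or split in two. Style: `{{else}}` in the `tls` volume lacks the trim dashes used everywhere else in the file.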


@@ -0,0 +1,207 @@
{{- if and .Values.server.enabled (eq .Values.server.resourceType "deployment") }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.server.replicaCount }}
{{- if .Values.server.updateStrategy }}
strategy: {{- toYaml .Values.server.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: server
template:
metadata:
{{- if .Values.server.podAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.server.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: server
{{- if .Values.server.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.server.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "kiam.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ template "kiam.server.serviceAccountName" . }}
dnsPolicy: {{ .Values.server.dnsPolicy }}
hostNetwork: true
{{- if .Values.server.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.server.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.server.nodeAffinityPreset.type "key" .Values.server.nodeAffinityPreset.key "values" .Values.server.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.server.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.server.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.server.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.server.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.server.priorityClassName }}
priorityClassName: {{ .Values.server.priorityClassName | quote }}
{{- end }}
{{- if .Values.server.podSecurityContext.enabled }}
securityContext: {{- omit .Values.server.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.server.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.server.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: server
image: {{ template "kiam.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.server.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.server.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.server.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.server.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.server.command "context" $) | nindent 12 }}
{{- else }}
command:
- kiam
- server
{{- end }}
{{- if .Values.server.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.server.args "context" $) | nindent 12 }}
{{- else }}
args:
{{- if .Values.server.logJsonOutput }}
- --json-log
{{- end }}
- --level={{ .Values.server.logLevel }}
- --bind=0.0.0.0:{{ .Values.server.containerPort }}
- --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
- --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
- --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
{{- if .Values.server.roleBaseArn }}
- --role-base-arn={{ .Values.server.roleBaseArn }}
{{- else }}
- --role-base-arn-autodetect
{{- end }}
{{- if .Values.server.assumeRoleArn }}
- --assume-role-arn={{ .Values.server.assumeRoleArn }}
{{- end }}
- --session-duration={{ .Values.server.sessionDuration }}
- --sync={{ .Values.server.cacheSyncInterval }}
{{- if .Values.server.metrics.enabled }}
- --prometheus-listen-addr=0.0.0.0:{{ .Values.server.metrics.port }}
- --prometheus-sync-interval={{ .Values.server.metrics.syncInterval }}
{{- end }}
{{- range $key, $value := .Values.server.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.server.containerPort }}
protocol: TCP
{{- if .Values.server.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.server.metrics.port }}
protocol: TCP
{{- end }}
{{- if .Values.server.extraEnvVars }}
env: {{- include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.server.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.server.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.server.resources }}
resources: {{- toYaml .Values.server.resources | nindent 12 }}
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
exec:
command:
- kiam
- health
- --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
- --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
- --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
- --server-address=127.0.0.1:{{ .Values.server.containerPort }}
- --server-address-refresh=2s
- --timeout=5s
- --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.server.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
{{- else if .Values.server.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.server.readinessProbe.enabled }}
readinessProbe:
exec:
command:
- kiam
- health
- --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
- --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
- --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
- --server-address=127.0.0.1:{{ .Values.server.containerPort }}
- --server-address-refresh=2s
- --timeout=5s
- --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }}
initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
{{- else if .Values.server.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /bitnami/kiam/tls
name: tls
{{- if .Values.server.sslCertHostPath }}
- mountPath: /etc/ssl/certs
name: ssl-certs
readOnly: true
{{- end }}
{{- if .Values.server.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.server.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: tls
secret:
{{- if .Values.server.tlsSecret }}
secretName: {{ .Values.server.tlsSecret }}
{{else}}
secretName: {{ template "common.names.fullname" . }}-server
{{- end }}
{{- if .Values.server.sslCertHostPath }}
- name: ssl-certs
hostPath:
path: {{ .Values.server.sslCertHostPath }}
{{- end }}
{{- if .Values.server.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
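Review bot: both probes run `kiam health` against `--server-address=127.0.0.1:{{ .Values.server.containerPort }}` using the mounted `--cert`, `--key` and `--ca`, so the server certificate must be valid for `127.0.0.1` (an IP SAN) or the liveness and readiness checks fail and the pod never becomes Ready; that requirement is invisible to anyone supplying their own certificate through `server.tlsSecret` or `server.tlsFiles` and should be stated in the values comments for those keys. Two smaller things in the same hunk: `{{else}}` in the `tls` volume is the only untrimmed action in the template and leaves a blank line inside the rendered volume spec, so make it `{{- else }}` like the surrounding `{{- if }}`/`{{- end }}`; and `envFrom:` is emitted unconditionally, producing an empty key when neither `extraEnvVarsCM` nor `extraEnvVarsSecret` is set, so wrap it in `{{- if or .Values.server.extraEnvVarsCM .Values.server.extraEnvVarsSecret }}`. The `ssl-certs` hostPath volume would also benefit from `type: Directory`, so a mistyped `sslCertHostPath` fails at pod creation instead of the kubelet silently creating an empty directory that leaves the server without trusted roots for AWS.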


@@ -0,0 +1,25 @@
{{- if and .Values.server.enabled .Values.server.podSecurityPolicy.create }}
{{- if .Values.rbac.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server-psp
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ template "common.names.fullname" . }}-server
verbs:
- use
{{- end }}
{{- end }}
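Review bot: the gating here, `{{- if and .Values.server.enabled .Values.server.podSecurityPolicy.create }}` followed by `{{- if .Values.rbac.create }}`, does not match the PodSecurityPolicy template, which checks only the first condition: with `rbac.create: false` and `podSecurityPolicy.create: true` the PSP object is still created but this ClusterRole granting `use` on it is not, so on a cluster with the PodSecurityPolicy admission plugin enabled the server pods are rejected unless some other policy happens to admit them. Either render the PSP under the same conditions as its role and binding, or document in values.yaml that `podSecurityPolicy.create` requires `rbac.create`. The two nested conditionals can also be collapsed into one `and`.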


@@ -0,0 +1,24 @@
{{- if and .Values.server.enabled .Values.server.podSecurityPolicy.create }}
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server-psp
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "common.names.fullname" . }}-server-psp
subjects:
- kind: ServiceAccount
name: {{ template "kiam.server.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
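Review bot: this ClusterRoleBinding binds exactly one subject, the server ServiceAccount in `namespace: {{ .Release.Namespace }}`, to a ClusterRole whose only rule is `use` on one named PodSecurityPolicy; a RoleBinding in the release namespace that references the same ClusterRole grants the identical permission without creating a cluster-scoped binding, which matters where chart installers are namespace admins rather than cluster admins. Keep the ClusterRole (PSP `use` is evaluated for the namespace the pod is created in, so a namespaced binding is sufficient) and switch `kind: ClusterRoleBinding` to `kind: RoleBinding` with `namespace: {{ .Release.Namespace }}` in metadata.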


@@ -0,0 +1,49 @@
{{- if and .Values.server.enabled .Values.server.podSecurityPolicy.create }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- 'secret'
- 'hostPath'
allowedHostPaths:
- pathPrefix: {{ .Values.server.sslCertHostPath }}
readOnly: true
{{- if .Values.server.podSecurityPolicy.allowedHostPaths }}
{{- toYaml .Values.server.podSecurityPolicy.allowedHostPaths | nindent 4 }}
{{- end }}
hostNetwork: {{ .Values.server.useHostNetwork }}
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
{{- if .Values.server.containerSecurityContext.seLinuxOptions }}
rule: 'MustRunAs'
seLinuxOptions: {{- toYaml .Values.server.containerSecurityContext.seLinuxOptions | nindent 6 }}
{{- else }}
rule: 'RunAsAny'
{{- end }}
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
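Review bot: `allowedHostPaths` unconditionally emits `- pathPrefix: {{ .Values.server.sslCertHostPath }}`, and `volumes` always includes `'hostPath'`, even though the daemonset only mounts `ssl-certs` under `{{- if .Values.server.sslCertHostPath }}`; with that value emptied the policy renders `pathPrefix:` with no value, which either fails validation or, if accepted, is an empty prefix that matches every host path. Guard the entry and the `hostPath` volume type with the same condition the daemonset uses. The policy is also looser than the pod it admits: values.yaml sets `runAsUser: 1001` and `runAsNonRoot: true` on the container, so `runAsUser: rule: 'RunAsAny'` can be `MustRunAsNonRoot` to enforce what the chart already intends, and `readOnlyRootFilesystem: false` deserves a comment saying whether the server actually writes to its root filesystem or whether `true` is safe.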


@@ -0,0 +1,26 @@
{{- if .Values.server.enabled }}
{{- if .Values.rbac.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server-read
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
verbs:
- watch
- get
- list
{{- end }}
{{- end }}
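Review bot: the nested `{{- if .Values.server.enabled }}` / `{{- if .Values.rbac.create }}` can be a single `{{- if and .Values.server.enabled .Values.rbac.create }}`, as the PSP templates in this change already do. The rule itself is appropriately minimal (`get`, `list`, `watch` on `pods` and `namespaces`), but since it is cluster-wide a one-line comment explaining that the server has to look up the calling pod and its namespace wherever it runs, which is why this is a ClusterRole rather than a Role, would stop every future reviewer from questioning the scope.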


@@ -0,0 +1,24 @@
{{- if .Values.server.enabled }}
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server-read
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "common.names.fullname" . }}-server-read
subjects:
- kind: ServiceAccount
name: {{ template "kiam.server.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@@ -0,0 +1,21 @@
{{- if and (.Values.server.enabled) (not .Values.server.tlsSecret) -}}
apiVersion: v1
kind: Secret
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.server.tlsFiles.ca }}
{{- toYaml .Values.server.tlsFiles | nindent 2 }}
{{- else }}
{{- include "kiam.server.gen-certs" . | nindent 2 }}
{{- end -}}
{{- end }}
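Review bot: the user-supplied branch, `{{- toYaml .Values.server.tlsFiles | nindent 2 }}`, writes the Secret keys as `ca`, `cert` and `key`, but the container reads `/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}` and friends, i.e. `cert.pem`, `key.pem` and `ca.pem` by default, and a Secret volume names each file after its key; so anyone who provides their own PEMs through `tlsFiles` gets a server whose probes and TLS listener look for files that do not exist. Emit the three entries explicitly under the configured names, e.g. `{{ .Values.server.tlsCerts.caFileName }}: {{ .Values.server.tlsFiles.ca }}`, and gate on all three values rather than only `tlsFiles.ca`, so a half-filled block fails at render time instead of producing `cert:` with a null value. Separately, `kiam.server.gen-certs` is not in this hunk: if it generates a fresh CA and key pair on every render, every `helm upgrade` rotates the server certificate and the CA the agents trust; confirm the helper reuses the existing Secret (for example via `lookup`) or document that generated certificates are not stable across upgrades.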


@@ -0,0 +1,17 @@
{{- if .Values.server.enabled }}
{{- if .Values.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "kiam.server.serviceAccountName" . }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
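Review bot: the ServiceAccount is gated on `{{- if .Values.rbac.create }}`, but values.yaml exposes `server.serviceAccount.create` with the comment "Specifies whether a ServiceAccount should be created", and this template never reads it: with `rbac.create: false` no account is rendered whatever that flag says, and with `serviceAccount.create: false` plus `rbac.create: true` one is created anyway. Gate this object on `.Values.server.serviceAccount.create` and leave `rbac.create` to the Role and Binding templates, so a user who wants to bring a pre-existing account (the documented purpose of `serviceAccount.name`) can do so without also disabling RBAC.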


@@ -0,0 +1,58 @@
{{- if .Values.server.enabled }}
apiVersion: v1
kind: Service
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.server.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.server.service.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if and .Values.server.metrics.enabled .Values.server.metrics.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.server.metrics.annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.server.service.type }}
{{- if and .Values.server.service.clusterIP (eq .Values.server.service.type "ClusterIP") }}
clusterIP: {{ .Values.server.service.clusterIP }}
{{- end }}
{{- if (or (eq .Values.server.service.type "LoadBalancer") (eq .Values.server.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.server.service.externalTrafficPolicy | quote }}
{{- end }}
{{ if eq .Values.server.service.type "LoadBalancer" }}
loadBalancerSourceRanges: {{ .Values.server.service.loadBalancerSourceRanges }}
{{ end }}
{{- if (and (eq .Values.server.service.type "LoadBalancer") (not (empty .Values.server.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.server.service.loadBalancerIP }}
{{- end }}
ports:
- name: http
port: {{ .Values.server.service.port }}
targetPort: http
protocol: TCP
{{- if (and (or (eq .Values.server.service.type "NodePort") (eq .Values.server.service.type "LoadBalancer")) (not (empty .Values.server.service.nodePorts.http))) }}
nodePort: {{ .Values.server.service.nodePorts.http }}
{{- else if eq .Values.server.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.server.metrics.enabled }}
- name: metrics
port: {{ .Values.server.metrics.port }}
targetPort: metrics
protocol: TCP
{{- if (and (or (eq .Values.server.service.type "NodePort") (eq .Values.server.service.type "LoadBalancer")) (not (empty .Values.server.service.nodePorts.metrics))) }}
nodePort: {{ .Values.server.service.nodePorts.metrics }}
{{- else if eq .Values.server.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: server
{{- end }}
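Review bot: `loadBalancerSourceRanges: {{ .Values.server.service.loadBalancerSourceRanges }}` prints the Go slice, so a one-item list renders as `[10.10.10.0/24]` and parses only by luck as a flow sequence, while two items render as `[10.0.0.0/8 192.168.0.0/16]`, a single invalid string; use `{{- toYaml .Values.server.service.loadBalancerSourceRanges | nindent 4 }}` under the key, and trim the surrounding `{{ if ... }}`/`{{ end }}` pair to `{{- if }}`/`{{- end }}` to stop the blank lines. This matters more than usual because the source ranges are the only network restriction the chart offers when the credential-issuing server is exposed through a LoadBalancer, so it has to work for more than one CIDR. Minor: the port is named `http` but carries TLS (values.yaml calls it `## HTTPS Port` and the container listens on 8443), so `https` would be the honest name, renamed consistently with `targetPort: http` and the container port.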


@@ -0,0 +1,41 @@
{{- if and .Values.server.enabled .Values.server.metrics.enabled .Values.server.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "common.names.fullname" . }}-server
{{- if .Values.server.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.server.metrics.serviceMonitor.namespace }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- range $key, $value := .Values.server.metrics.serviceMonitor.selector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: server
endpoints:
- port: metrics
{{- if .Values.server.metrics.serviceMonitor.interval }}
interval: {{ .Values.server.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.server.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.server.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.server.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.server.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.server.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.server.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}
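Review bot: `interval` and `scrapeTimeout` are emitted independently, but Prometheus rejects a scrape configuration whose timeout exceeds its interval, and the values file exposes both with no comment on the constraint; either add that note next to `serviceMonitor.scrapeTimeout` in values.yaml or fail the render with a `fail` call when `scrapeTimeout` is set larger than `interval`. Otherwise the object looks right: `endpoints: - port: metrics` matches the Service port name and `namespaceSelector.matchNames` is pinned to `{{ .Release.Namespace }}`.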


@@ -0,0 +1,24 @@
{{- if .Values.server.enabled }}
{{- if .Values.rbac.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server-write
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end }}
{{- end }}


@@ -0,0 +1,24 @@
{{- if .Values.server.enabled }}
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}-server-write
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "common.names.fullname" . }}-server-write
subjects:
- kind: ServiceAccount
name: {{ template "kiam.server.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

bitnami/kiam/values.yaml Normal file

@@ -0,0 +1,749 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
# global:
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Release name override
##
nameOverride:
## Release full name override
##
fullnameOverride:
## Add labels to all the deployed resources
##
commonLabels: {}
## Add annotations to all the deployed resources
##
commonAnnotations: {}
## Extra objects to deploy (value evaluated as a template)
##
extraDeploy: []
image:
registry: docker.io
repository: bitnami/kiam
tag: 3.6.0-debian-10-r26
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
pullSecrets: []
# - myRegistryKeySecretName
## kiam server properties
##
server:
enabled: true
## Service configuratiom
##
service:
## Service type.
##
type: ClusterIP
## HTTPS Port
##
port: 443
## Specify the nodePort values for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePorts:
http:
metrics:
## Service clusterIP.
##
clusterIP:
## loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
##
loadBalancerIP:
## Load Balancer sources
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Enable client source IP preservation
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## Provide any additional annotations which may be required (evaluated as a template).
##
annotations: {}
containerPort: 8443
## Use a deployment instead of a daemonset
##
resourceType: daemonset
## Number of nodes
##
replicaCount: 1
## Logging settings
##
logJsonOutput: true
logLevel: info
# Location of SSL certs on host
sslCertHostPath: /etc/ssl/certs
podSecurityPolicy:
create: true
allowedHostPaths: []
## Used to assign priority to server pods
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## Configure extra options for liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
##
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
## Additional kiam arguments
##
extraArgs: []
## Specifies whether a ServiceAccount should be created
##
serviceAccount:
create: true
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the fullname template
##
name:
## Override command and args for running the container (set to default if not set). Use array form
##
command: []
args: []
## Base64-encoded PEM values for server's CA certificate(s), certificate and private key
##
tlsFiles:
ca:
cert:
key:
## Timeout when creating the kiam gateway
##
gatewayTimeoutCreation: 1s
## Secret name of server's TLS certificates
##
tlsSecret:
## Pod DNS policy
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy
##
dnsPolicy: ClusterFirstWithHostNet
## Base ARN for IAM roles
## If not specified use EC2 metadata service to detect ARN prefix
##
roleBaseArn: null
## Pod cache settings
##
cacheSyncInterval: 1m
## IAM role for the server to assume
##
assumeRoleArn: null
## Session duration for STS tokens
##
sessionDuration: 15m
## Use hostNetwork for server
## Set this to true when running the servers on the same nodes as the agents
##
useHostNetwork: false
## Agent TLS Certificate filenames
##
tlsCerts:
certFileName: cert.pem
keyFileName: key.pem
caFileName: ca.pem
## kiam server resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 200m
# memory: 256Mi
requests: {}
# cpu: 200m
# memory: 10Mi
## SecurityContext configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
seLinuxOptions:
podSecurityContext:
enabled: true
fsGroup: 1001
## Pod affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
##
podAffinityPreset: ""
## Pod anti-affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
## Allowed values: soft, hard
##
nodeAffinityPreset:
## Node affinity type
## Allowed values: soft, hard
##
type: ""
## Node label key to match
## E.g.
## key: "kubernetes.io/e2e-az-name"
##
key: ""
## Node label values to match
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## Affinity for pod assignment. Evaluated as a template.
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Node labels for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Pod extra labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## Annotations for server pods.
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## lifecycleHooks for the kiam server container to automate configuration before or after startup.
##
lifecycleHooks: {}
## Custom Liveness probes for kiam server
##
customLivenessProbe: {}
## Custom Rediness probes kiam server
##
customReadinessProbe: {}
## Update strategy - only really applicable for deployments with RWO PVs attached
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
updateStrategy:
type: RollingUpdate
## An array to add extra env vars
## For example:
##
extraEnvVars: []
# - name: BEARER_AUTH
# value: true
## ConfigMap with extra environment variables
##
extraEnvVarsCM:
## Secret with extra environment variables
##
extraEnvVarsSecret:
## Extra volumes to add to the deployment
##
extraVolumes: []
## Extra volume mounts to add to the container
##
extraVolumeMounts: []
## Add init containers to the kiam server pods.
## Example:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
initContainers: []
## Add sidecars to the kiam server pods.
## Example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: []
metrics:
enabled: false
port: 9621
syncInterval: 5s
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: '{{ .Values.server.metrics.port }}'
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
enabled: false
## Namespace in which Prometheus is running
##
namespace:
## Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
interval: 30s
## MetricRelabelConfigs to apply to samples before ingestion
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint
##
metricRelabelings: []
## RelabelConfigs to apply to samples before ingestion
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint
##
relabelings: []
## Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
scrapeTimeout:
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
selector:
## kiam agent properties
##
agent:
enabled: true
## Service configuratiom (essentially for metrics)
##
service:
## Service type.
##
type: ClusterIP
## Specify the nodePort values for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePorts:
metrics:
## Service clusterIP.
##
clusterIP:
## loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
##
loadBalancerIP:
## Load Balancer sources
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Enable client source IP preservation
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## Provide any additional annotations which may be required (evaluated as a template).
##
annotations: {}
## Logging settings
##
logJsonOutput: true
logLevel: info
## Used to assign priority to server pods
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## agent permits only request paths matching this reg-ex
##
allowRouteRegExp:
## Host networking settings
##
containerPort: 8183
iptables: false
# do not remove iptables forwarding rules when kiam-agent terminates
# needed for RollingUpdate strategy and for security reeasons
iptablesRemoveOnShutdown: false
hostInterface: cali+
## Specifies whether a ServiceAccount should be created
##
serviceAccount:
create: true
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the fullname template
##
name:
## gRPC keepalive variables
##
keepaliveParams:
time:
timeout:
## gRPC keepalive ping even with no RPC
##
permitWithoutStream: false
## if true, liveness probe will fail if the agent is not
## able to communicate with servers, which may happen on
## certificate change
##
enableDeepProbe: false
## Pod DNS policy
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy
##
dnsPolicy: ClusterFirstWithHostNet
# Location of SSL certs on host
sslCertHostPath: /etc/ssl/certs
## Base64-encoded PEM values for server's CA certificate(s), certificate and private key
##
tlsFiles:
ca:
cert:
key:
podSecurityPolicy:
create: true
allowedHostPaths:
## Secret name of server's TLS certificates
##
tlsSecret:
## Use hostNetwork for server
## Set this to true when running the servers on the same nodes as the agents
##
useHostNetwork: false
## Agent TLS Certificate filenames
##
tlsCerts:
certFileName: cert.pem
keyFileName: key.pem
caFileName: ca.pem
## Configure extra options for liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
##
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
## Additional kiam arguments
##
extraArgs: []
## Timeout when creating the kiam gateway
##
gatewayTimeoutCreation: 1s
## Override command and args for running the container (set to default if not set). Use array form
##
command: []
args: []
## kiam agent resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 200m
# memory: 256Mi
requests: {}
# cpu: 200m
# memory: 10Mi
## SecurityContext configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
seLinuxOptions:
podSecurityContext:
enabled: true
fsGroup: 1001
## Pod affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
##
podAffinityPreset: ""
## Pod anti-affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
## Allowed values: soft, hard
##
nodeAffinityPreset:
## Node affinity type
## Allowed values: soft, hard
##
type: ""
## Node label key to match
## E.g.
## key: "kubernetes.io/e2e-az-name"
##
key: ""
## Node label values to match
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## Affinity for pod assignment. Evaluated as a template.
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Node labels for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Pod extra labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## Annotations for agent pods.
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## kiam agent pods' priority.
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
# priorityClassName: ""
## lifecycleHooks for the kiam agent container to automate configuration before or after startup.
##
lifecycleHooks: {}
## Custom Liveness probes for kiam agent
##
customLivenessProbe: {}
## Custom Rediness probes kiam agent
##
customReadinessProbe: {}
## Update strategy - only really applicable for deployments with RWO PVs attached
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
updateStrategy:
type: RollingUpdate
## An array to add extra env vars
## For example:
##
extraEnvVars: []
# - name: BEARER_AUTH
# value: true
## ConfigMap with extra environment variables
##
extraEnvVarsCM:
## Secret with extra environment variables
##
extraEnvVarsSecret:
## Extra volumes to add to the deployment
##
extraVolumes: []
## Extra volume mounts to add to the container
##
extraVolumeMounts: []
## Add init containers to the kiam agent pods.
## Example:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
initContainers: []
## Add sidecars to the kiam agent pods.
## Example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: []
metrics:
enabled: false
port: 9620
syncInterval: 5s
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: '{{ .Values.agent.metrics.port }}'
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
enabled: false
## Namespace in which Prometheus is running
##
namespace:
## Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
interval: 30s
## MetricRelabelConfigs to apply to samples before ingestion
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint
##
metricRelabelings: []
## RelabelConfigs to apply to samples before ingestion
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint
##
relabelings: []
## Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
scrapeTimeout:
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
selector:
## Specifies whether RBAC resources should be created
##
rbac:
create: true
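Review bot: the agent defaults `iptables: false`, `useHostNetwork: false` and `hostInterface: cali+` mean a default install intercepts nothing: without the iptables redirect and with the agent outside the host network namespace, pod traffic to 169.254.169.254 still reaches the node's metadata service and obtains the node instance role, which is precisely what kiam is deployed to prevent. Either default the agent to `iptables: true` with `useHostNetwork: true`, or put a prominent comment on `agent.iptables` stating that the chart does not install the redirect rule and that `hostInterface` assumes Calico and must be changed for other CNIs. The comment `# needed for RollingUpdate strategy and for security reeasons` (typo) should also say what the security reason is: if the rule were removed while the agent restarts, pods would talk to the metadata service directly during the gap. Smaller fixes: `loadBalancerIP for the SuiteCRM Service` appears under both `server.service` and `agent.service` (copy-paste from another chart); `Service configuratiom` and `Custom Rediness probes` are typos; `## Use a deployment instead of a daemonset` sits above `resourceType: daemonset`, so list the accepted values instead; `## Agent TLS Certificate filenames` under `server:` and `## Base64-encoded PEM values for server's CA certificate(s)` under `agent:` have the components swapped; the `extraEnvVars` example `value: true` is a YAML boolean, which the API server rejects for an env var, so quote it as `"true"`; and `server.podSecurityPolicy.allowedHostPaths: []` versus `agent.podSecurityPolicy.allowedHostPaths:` (null) should have the same type so templates can `toYaml` both.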