diff --git a/bitnami/kiam/.helmignore b/bitnami/kiam/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/bitnami/kiam/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/bitnami/kiam/Chart.yaml b/bitnami/kiam/Chart.yaml new file mode 100644 index 0000000000..bea774424c --- /dev/null +++ b/bitnami/kiam/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 3.6.0 +dependencies: + - name: common + repository: 'https://charts.bitnami.com/bitnami' + tags: + - bitnami-common + version: 0.x.x +description: kiam is a proxy that captures AWS Metadata API requests. It allows AWS IAM roles to be set for Kubernetes workloads. +engine: gotpl +home: 'https://github.com/uswitch/kiam' +icon: 'https://bitnami.com/assets/stacks/kiam/img/kiam-stack-110x117.png' +keywords: + - aws + - iam + - security +maintainers: + - email: containers@bitnami.com + name: Bitnami +name: kiam +sources: + - 'https://github.com/bitnami/bitnami-docker-kiam' + - 'https://github.com/uswitch/kiam' +version: 0.1.0 diff --git a/bitnami/kiam/README.md b/bitnami/kiam/README.md new file mode 100644 index 0000000000..e88d8877d8 --- /dev/null +++ b/bitnami/kiam/README.md 
@@ -0,0 +1,373 @@ +# kiam + +[kiam](https://github.com/uswitch/kiam) is a Kubernetes agent that allows to associate IAM roles to pods. + +## TL;DR + +```console + helm repo add bitnami https://charts.bitnami.com/bitnami + helm install my-release bitnami/kiam +``` + +> NOTE: This chart only works in Kubernetes clusters in AWS + +## Introduction + +Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads. + +This chart bootstraps a [kiam](https://github.com/bitnami/bitnami-docker-kiam) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ in AWS +- Helm 2.12+ or Helm 3.0-beta3+ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/kiam +``` + +These commands deploy a kiam application on the Kubernetes cluster in the default configuration. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Parameters + +The following tables lists the configurable parameters of the kiam chart and their default values per section/component: + +### Global parameters + +| Parameter | Description | Default | +|---------------------------|-------------------------------------------------|---------------------------------------------------------| +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | + +### Common parameters + +| Parameter | Description | Default | +|---------------------|---------------------------------------------------|--------------------------------| +| `nameOverride` | String to partially override kiam.fullname | `nil` | +| `fullnameOverride` | String to fully override kiam.fullname | `nil` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` (evaluated as a template) | + +### kiam image parameters + +| Parameter | Description | Default | +|---------------------|--------------------------------------------------|---------------------------------------------------------| +| `image.registry` | kiam image registry | `docker.io` | +| `image.repository` | kiam image name | `bitnami/kiam` | +| `image.tag` | kiam image tag | `{TAG_NAME}` | +| `image.pullPolicy` | kiam image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | + +### kiam server parameters + +| Parameter | Description | Default | 
+|---------------------------------------------|---------------------------------------------------------------------------------------------|------------------------------------------| +| `server.enabled` | Deploy the kiam server | `true` | +| `server.containerPort` | HTTPS port to expose at container level | `8443` | +| `server.resourceType` | Specify how to deploy the server (allowed values: `daemonset` and `deployment`) | `daemonset` | +| `server.replicaCount` | Number of replicas to deploy (when `server.resourceType` is `daemonset`) | `1` | +| `server.logJsonOutput` | Use JSON format for logs | `true` | +| `server.extraArgs` | Extra arguments to add to the default kiam command | `[]` | +| `server.command` | Override kiam default command | `[]` | +| `server.args` | Override kiam default args | `[]` | +| `server.logLevel` | Logging level | `info` | +| `server.sslCertHostPath` | Path to the host system SSL certificates (necessary for contacting the AWS metadata server) | `/etc/ssl/certs` | +| `server.tlsFiles.ca` | Base64-encoded CA to use with the container | `nil` | +| `server.tlsFiles.cert` | Base64-encoded certificate to use with the container | `nil` | +| `server.tlsFiles.key` | Base64-encoded key to use with the container | `nil` | +| `server.tlsCerts.certFileName` | Name of the certificate filename | `cert.pem` | +| `server.tlsCerts.keyFileName` | Name of the certificate filename | `key.pem` | +| `server.tlsCerts.caFileName` | Name of the certificate filename | `ca.pem` | +| `server.gatewayTimeoutCreation` | Timeout when creating the kiam gateway | `1s` | +| `server.podSecurityPolicy.create` | Create a PodSecurityPolicy resources | `true` | +| `server.podSecurityPolicy.allowedHostPaths` | Extra host paths to allow in the PodSecurityPolicy | `[]` | +| `server.tlsSecret` | Name of a secret with TLS certificates for the container | `nil` | +| `server.dnsPolicy` | Pod DNS policy | `ClusterFirstWithHostNet` | +| `server.extraEnvVars` | Array containing extra 
env vars to configure kiam server | `nil` | +| `server.extraEnvVarsCM` | ConfigMap containing extra env vars to configure kiam server | `nil` | +| `server.extraEnvVarsSecret` | Secret containing extra env vars to configure kiam server (in case of sensitive data) | `nil` | +| `server.roleBaseArn` | Base ARN for IAM roles. If not set kiam will detect it automatically | `ClusterFirstWithHostNet` | +| `server.cacheSyncInterval` | Cache synchronization interval | `1m` | +| `server.containerSecurityContext` | Container security podSecurityContext | `{ runAsUser: 1001, runAsNonRoot: true}` | +| `server.podSecurityContext` | Pod security context | `{}` | +| `server.assumeRoleArn` | IAM role for the server to assume | `nil` | +| `server.sessionDuration` | Session duration for STS tokens | `15m` | +| `server.useHostNetwork` | Use host networking (ports will be directly exposed in the host) | `false` | +| `server.resources.limits` | The resources limits for the kiam container | `{}` | +| `server.resources.requests` | The requested resources for the kiam container | `{}` | +| `server.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) | +| `server.livenessProbe` | Liveness probe configuration for kiam | Check `values.yaml` file | +| `server.readinessProbe` | Readiness probe configuration for kiam | Check `values.yaml` file | +| `server.customLivenessProbe` | Override default liveness probe | `nil` | +| `server.customReadinessProbe` | Override default readiness probe | `nil` | +| `server.updateStrategy` | Strategy to use to update Pods | Check `values.yaml` file | +| `server.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `server.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `server.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` | `""` | +| `server.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` | +| `server.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `server.affinity` | Affinity for pod assignment | `{}` (evaluated as a template) | +| `server.nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) | +| `server.tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) | +| `server.podLabels` | Extra labels for kiam pods | `{}` | +| `server.podAnnotations` | Annotations for kiam pods | `{}` | +| `server.priorityClassName` | Server priorityClassName | `nil` | +| `server.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) | +| `server.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for kiam container(s) | `[]` | +| `server.extraVolumes` | Optionally specify extra list of additional volumes for kiam pods | `[]` | +| `server.initContainers` | Add additional init containers to the kiam pods | `{}` (evaluated as a template) | +| `server.sidecars` | Add additional sidecar containers to the kiam pods | `{}` (evaluated as a template) | + +### kiam agent parameters + +| Parameter | Description | Default | +|---------------------------------------------|--------------------------------------------------------------------------------------------|------------------------------------------| +| `agent.enabled` | Deploy the kiam agent | `true` | +| `agent.containerPort` | HTTPS port to expose at container level | `8443` | +| `agent.allowRouteRegExp` | Regexp with the allowed paths for agents to redirect | `nil` | +| `agent.iptables` | Have the agent modify the host iptables rules | `false` | +| `agent.iptablesRemoveOnShutdown` | Remove iptables rules when shutting down the agent node | `false` | +| `agent.hostInterface` | Interface for agents for 
redirecting requests | `cali+` | +| `agent.logJsonOutput` | Use JSON format for logs | `true` | +| `agent.keepaliveParams.time` | Keepalive time | `nil` | +| `agent.keepaliveParams.timeout` | Keepalive timeout | `nil` | +| `agent.keepaliveParams.permitWithoutStream` | Permit keepalive without stream | `nil` | +| `agent.enableDeepProbe` | Use the probes using the `/health` endpoint | `false` | +| `agent.extraArgs` | Extra arguments to add to the default kiam command | `[]` | +| `agent.command` | Override kiam default command | `[]` | +| `agent.args` | Override kiam default args | `[]` | +| `agent.logLevel` | Logging level | `info` | +| `agent.sslCertHostPath` | Path to the host system SSL certificates (necessary for contacting the AWS metadata agent) | `/etc/ssl/certs` | +| `agent.tlsFiles.ca` | Base64-encoded CA to use with the container | `nil` | +| `agent.tlsFiles.cert` | Base64-encoded certificate to use with the container | `nil` | +| `agent.tlsFiles.key` | Base64-encoded key to use with the container | `nil` | +| `agent.tlsCerts.certFileName` | Name of the certificate filename | `cert.pem` | +| `agent.tlsCerts.keyFileName` | Name of the certificate filename | `key.pem` | +| `agent.tlsCerts.caFileName` | Name of the certificate filename | `ca.pem` | +| `agent.gatewayTimeoutCreation` | Timeout when creating the kiam gateway | `1s` | +| `agent.podSecurityPolicy.create` | Create a PodSecurityPolicy resources | `false` | +| `agent.podSecurityPolicy.allowedHostPaths` | Extra host paths to allow in the PodSecurityPolicy | `[]` | +| `agent.tlsSecret` | Name of a secret with TLS certificates for the container | `nil` | +| `agent.dnsPolicy` | Pod DNS policy | `ClusterFirstWithHostNet` | +| `agent.extraEnvVars` | Array containing extra env vars to configure kiam agent | `nil` | +| `agent.extraEnvVarsCM` | ConfigMap containing extra env vars to configure kiam agent | `nil` | +| `agent.extraEnvVarsSecret` | Secret containing extra env vars to configure kiam agent (in case 
of sensitive data) | `nil` | +| `agent.containerSecurityContext` | Container security podSecurityContext | `{ runAsUser: 1001, runAsNonRoot: true}` | +| `agent.podSecurityContext` | Pod security context | `{}` | +| `agent.useHostNetwork` | Use host networking (ports will be directly exposed in the host) | `false` | +| `agent.resources.limits` | The resources limits for the kiam container | `{}` | +| `agent.resources.requests` | The requested resources for the kiam container | `{}` | +| `agent.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) | +| `agent.livenessProbe` | Liveness probe configuration for kiam | Check `values.yaml` file | +| `agent.readinessProbe` | Readiness probe configuration for kiam | Check `values.yaml` file | +| `agent.customLivenessProbe` | Override default liveness probe | `nil` | +| `agent.customReadinessProbe` | Override default readiness probe | `nil` | +| `agent.updateStrategy` | Strategy to use to update Pods | Check `values.yaml` file | +| `agent.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `agent.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `agent.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `agent.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` | +| `agent.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `agent.affinity` | Affinity for pod assignment | `{}` (evaluated as a template) | +| `agent.nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) | +| `agent.tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) | +| `agent.podLabels` | Extra labels for kiam pods | `{}` | +| `agent.podAnnotations` | Annotations for kiam pods | `{}` | +| `agent.priorityClassName` | Server priorityClassName | `nil` | +| `agent.lifecycleHooks` | LifecycleHooks to set additional configuration at startup. | `{}` (evaluated as a template) | +| `agent.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for kiam container(s) | `[]` | +| `agent.extraVolumes` | Optionally specify extra list of additional volumes for kiam pods | `[]` | +| `agent.initContainers` | Add additional init containers to the kiam pods | `{}` (evaluated as a template) | +| `agent.sidecars` | Add additional sidecar containers to the kiam pods | `{}` (evaluated as a template) | + +### Exposure parameters + +| Parameter | Description | Default | +|-------------------------------------------|-------------------------------------------------------|--------------------------------| +| `server.service.type` | Kubernetes service type | `ClusterIP` | +| `server.service.port` | Service HTTPS port | `443` | +| `server.service.nodePorts.http` | Service HTTPS NodePort | `nil` | +| `server.service.nodePorts.metrics` | Service metrics NodePort | `nil` | +| `server.service.clusterIP` | kiam service clusterIP IP | `None` | +| `server.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `server.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | +| `server.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` | +| `server.service.annotations` | Annotations for kiam service | `{}` (evaluated as a template) | +| `agent.service.type` | 
Kubernetes service type | `ClusterIP` | +| `agent.service.nodePorts.metrics` | Service metrics NodePort | `nil` | +| `agent.service.clusterIP` | kiam service clusterIP IP | `None` | +| `agent.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `agent.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | +| `agent.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` | +| `agent.service.annotations` | Annotations for kiam service | `{}` (evaluated as a template) | + +### RBAC parameters + +| Parameter | Description | Default | +|--------------------------------|-------------------------------------------------------|----------------------------------------------| +| `server.serviceAccount.name` | Name of the created ServiceAccount | Generated using the `kiam.fullname` template | +| `server.serviceAccount.create` | Enable the creation of a ServiceAccount for kiam pods | `true` | +| `agent.serviceAccount.name` | Name of the created ServiceAccount | Generated using the `kiam.fullname` template | +| `agent.serviceAccount.create` | Enable the creation of a ServiceAccount for kiam pods | `true` | +| `rbac.create` | Weather to create & use RBAC resources or not | `false` | + +### Metrics parameters + +| Parameter | Description | Default | +|---------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------| +| `agent.metrics.enabled` | Enable exposing kiam statistics | `false` | +| `agent.metrics.port` | Service HTTP managemenet port | `9990` | +| `agent.metrics.syncInterval` | Metrics synchronization interval statistics | `5s` | +| `agent.metrics.annotations` | Annotations for enabling prometheus to access the metrics endpoints | `{prometheus.io/scrape: "true", prometheus.io/port: "9990"}` | +| `agent.metrics.serviceMonitor.enabled` | 
Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `agent.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `nil` | +| `agent.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `agent.metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `nil` | +| `agent.metrics.serviceMonitor.relabelings` | Specify Relabelings to add to the scrape endpoint | `nil` | +| `agent.metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `nil` | +| `agent.metrics.serviceMonitor.selector` | metrics service selector | `nil` | +| `server.metrics.enabled` | Enable exposing kiam statistics | `false` | +| `server.metrics.syncInterval` | Metrics synchronization interval statistics | `5s` | +| `server.metrics.port` | Metrics port | `9621` | +| `server.metrics.annotations` | Annotations for enabling prometheus to access the metrics endpoints | `{prometheus.io/scrape: "true", prometheus.io/port: "9990"}` | +| `server.metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `server.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `nil` | +| `server.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `server.metrics.serviceMonitor.selector` | metrics service selector | `nil` | +| `server.metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `nil` | +| `server.metrics.serviceMonitor.relabelings` | Specify Relabelings to add to the scrape endpoint | `nil` | +| `server.metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabellings to add to the scrape endpoint | `nil` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example, + +```bash +helm install my-release --set server.resourceType=deployment bitnami/kiam +``` + +The above command sets the server nodes to be deployed as Deployment objects. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/kiam +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Adding extra environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `server.extraEnvVars` and `agent.extraEnvVars` property. + +```yaml +server: + extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `server.extraEnvVarsCM`, `agent.extraEnvVarsCM` or the `server.extraEnvVarsSecret` and `agent.extraEnvVarsSecret` values. + +### Sidecars and Init Containers + +If you have a need for additional containers to run within the same pod as the kiam app (e.g. an additional metrics or logging exporter), you can do so via the `server.sidecars` and `agent.sidecars` config parameters. Simply define your container according to the Kubernetes container spec. 
+ +```yaml +server: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Similarly, you can add extra init containers using the `server.initContainers` and `agent.initContainers` parameters. + +```yaml +server: + initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Deploying extra resources + +There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter. + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `server.affinity` and `agent.affinity` paremeters. Find more infomation about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `server.podAffinityPreset`, `agent.podAffinityPreset`, `server.podAntiAffinityPreset`, `agent.podAntiAffinityPreset`, or `server.nodeAffinityPreset` and `agent.nodeAffinityPreset` parameters. + +### TLS Secrets + +This chart will facilitate the creation of TLS secrets for use with kiam. There are three common use cases: + +- Helm auto-generates the certificates. +- User specifies the certificates in the values. +- User generates/manages certificates separately. + +By default the first use case will be applied. In second case, it's needed a certificate and a key. 
We would expect them to look like this: + +- The certificate files should look like (there can be more than one certificate if there is a certificate chain) + + ```console + -----BEGIN CERTIFICATE----- + MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV + ... + jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7 + -----END CERTIFICATE----- + ``` + +- The keys should look like this: + + ```console + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4 + ... + wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= + -----END RSA PRIVATE KEY----- + ``` + +If you are going to use the values file to manage the certificates, please copy these values into the `server.tlsFiles.cert`, `server.tlsFiles.ca` and `server.tlsFiles.key` or `agent.tlsFiles.cert`, `agent.tlsFiles.ca` and `agent.tlsFiles.key`. + +If you are going to manage TLS secrets outside of Helm, please know that you can create a TLS secret (named `kiam.local-tls` for example) and set it using the `server.tlsSecret` or `agent.tlsSecret` values. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). diff --git a/bitnami/kiam/requirements.lock b/bitnami/kiam/requirements.lock new file mode 100644 index 0000000000..332b96f12d --- /dev/null +++ b/bitnami/kiam/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 0.10.0 +digest: sha256:cbe8f782ad7168557b9bb101a4d441d3210e2dda09cd249eb8426d1499ce6afc +generated: "2020-11-10T18:12:53.13587+01:00" diff --git a/bitnami/kiam/templates/NOTES.txt b/bitnami/kiam/templates/NOTES.txt new file mode 100644 index 0000000000..00a09e2eae --- /dev/null +++ b/bitnami/kiam/templates/NOTES.txt 
@@ -0,0 +1,31 @@
+** Please be patient while the chart is being deployed **
+
+In order to associate your pods with AWS IAM roles, follow the steps below:
+
+* Annotate your namespace with the allowed role ARNs via `iam.amazonaws.com/permitted`:
+
+ kubectl edit namespace my-namespace
+
+ kind: Namespace
+ metadata:
+ name: my-namespace
+ annotations:
+ iam.amazonaws.com/permitted: ""
+
+* Annotate your pods with the desired role via `iam.amazonaws.com/role`:
+
+ kubectl edit pod my-pod
+
+ kind: Pod
+ metadata:
+ name: my-pod
+ annotations:
+ iam.amazonaws.com/role: ""
+
+* Verify the role by entering your pod and executing the following command
+
+ kubectl exec -ti my-pod bash
+ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
+
+{{- include "common.warnings.rollingTag" .Values.image }}
+{{- include "kiam.validateValues" . }}
diff --git a/bitnami/kiam/templates/_helpers.tpl b/bitnami/kiam/templates/_helpers.tpl
new file mode 100644
index 0000000000..fbdbbd5a49
--- /dev/null
+++ b/bitnami/kiam/templates/_helpers.tpl
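Review bot: The namespace example leaves `iam.amazonaws.com/permitted: ""` as the value to copy, but in kiam that annotation is the allow-list (a pattern matched against the role a pod asks for), and an empty pattern is exactly the value a user must not apply literally — presumably it would permit every role, so the snippet should show a scoped pattern such as `iam.amazonaws.com/permitted: "^my-app-.*$"` and say the value is a regular expression. The pod example likewise should show a concrete role name rather than `""`, since an empty role annotation silently does nothing. The verification step uses the deprecated argument form; it should be `kubectl exec -ti my-pod -- bash`, and the curl should be followed by a sentence telling the user to confirm the returned name is the role they annotated, because a response from the real instance profile (if the agent is not intercepting) looks identical in shape.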
@@ -0,0 +1,100 @@
+{{/*
+Return the proper kiam image name
+*/}}
+{{- define "kiam.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "kiam.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use (server)
+*/}}
+{{- define "kiam.server.serviceAccountName" -}}
+{{- if .Values.server.serviceAccount.create -}}
+ {{ default (printf "%s-server" (include "common.names.fullname" .)) .Values.server.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.server.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use (agent)
+*/}}
+{{- define "kiam.agent.serviceAccountName" -}}
+{{- if .Values.agent.serviceAccount.create -}}
+ {{ default (printf "%s-agent" (include "common.names.fullname" .)) .Values.agent.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.agent.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate certificates for kiam agent and server
+*/}}
+{{- define "kiam.agent.gen-certs" -}}
+{{- $ca := .ca | default (genCA "kiam-ca" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cert := genSignedCert "Kiam Agent" nil nil 365 $ca -}}
+{{ .Values.agent.tlsCerts.caFileName }}: {{ $ca.Cert | b64enc }}
+{{ .Values.agent.tlsCerts.certFileName }}: {{ $cert.Cert | b64enc }}
+{{ .Values.agent.tlsCerts.keyFileName }}: {{ $cert.Key | b64enc }}
+{{- end -}}
+
+{{- define "kiam.server.gen-certs" -}}
+{{- $altNames := list (printf "%s-server" (include "common.names.fullname" .)) (printf "%s-server:%d" (include "common.names.fullname" .) .Values.server.service.port ) (printf "127.0.0.1:%d" .Values.server.containerPort) -}}
+{{- $ca := .ca | default (genCA "kiam-ca" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cert := genSignedCert "Kiam Server" (list "127.0.0.1") $altNames 365 $ca -}}
+{{ .Values.server.tlsCerts.caFileName }}: {{ $ca.Cert | b64enc }}
+{{ .Values.server.tlsCerts.certFileName }}: {{ $cert.Cert | b64enc }}
+{{ .Values.server.tlsCerts.keyFileName }}: {{ $cert.Key | b64enc }}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message.
+*/}}
+{{- define "kiam.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "kiam.validateValues.ports" .) -}}
+{{- $messages := append $messages (include "kiam.validateValues.nodeploy" .) -}}
+{{- $messages := append $messages (include "kiam.validateValues.resourceType" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Kiam - ports */}}
+{{- define "kiam.validateValues.ports" -}}
+{{- if and .Values.server.enabled .Values.server.metrics.enabled (eq .Values.server.containerPort .Values.server.metrics.port) -}}
+kiam: server-ports-conflict
+ You enabled the metrics endpoint with the same port as the kiam server port, {{ .Values.server.containerPort }} == {{ .Values.server.metrics.port }}.
+ Please use a different port by setting server.metrics.port and server.containerPort with different values.
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Kiam - no deployment */}}
+{{- define "kiam.validateValues.nodeploy" -}}
+{{- if and (not .Values.server.enabled) (not .Values.agent.enabled) -}}
+kiam: nothing-deployed
+ You did not deploy neither the server nor the agents. Please set at least one of the following values
+ server.enabled=true
+ agent.enabled=true
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Kiam - resource type */}}
+{{- define "kiam.validateValues.resourceType" -}}
+{{- if and (not (eq .Values.server.resourceType "daemonset")) (not (eq .Values.server.resourceType "deployment")) -}}
+kiam: server-resource-type
+ Server resource type {{ .Values.server.resourceType }} is not valid, only "daemonset" and "deployment" are allowed
+{{- end -}}
+{{- end -}}
diff --git a/bitnami/kiam/templates/agent/agent-daemonset.yaml b/bitnami/kiam/templates/agent/agent-daemonset.yaml
new file mode 100644
index 0000000000..176e5f714d
--- /dev/null
+++ b/bitnami/kiam/templates/agent/agent-daemonset.yaml
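Review bot: In `kiam.server.gen-certs` two of the three `$altNames` entries carry a port (`"%s-server:%d"` and `"127.0.0.1:%d"`); a DNS SAN is compared against the bare host name during TLS verification, so those entries can never match and only the short service name and the `127.0.0.1` IP SAN are actually usable, while the namespaced names an agent is likely to dial (`<fullname>-server.<namespace>`, `.svc`, `.svc.cluster.local`) are absent. I would build the list from a single variable: `{{- $svc := printf "%s-server" (include "common.names.fullname" .) -}}` followed by `{{- $altNames := list $svc (printf "%s.%s" $svc .Release.Namespace) (printf "%s.%s.svc" $svc .Release.Namespace) (printf "%s.%s.svc.cluster.local" $svc .Release.Namespace) "localhost" -}}`, and document in the `{{/* */}}` header that the agent's server address must be one of these names. Separately, `genCA`/`genSignedCert` run on every render, so unless the Secret templates (not in this hunk) guard them with `lookup` or a hook, every `helm upgrade` mints a fresh CA and both DaemonSets must roll together or agent-to-server mTLS fails mid-rollout; the hard-coded `365` day validity also deserves a values knob and a note. Finally, `kiam.validateValues.ports` checks only the server, although the agent exposes both `agent.containerPort` and `agent.metrics.port` and could collide the same way.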
@@ -0,0 +1,217 @@ +{{- if .Values.agent.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }}-agent + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.agent.updateStrategy }} + updateStrategy: {{- toYaml .Values.agent.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: agent + template: + metadata: + {{- if .Values.agent.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.agent.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: agent + {{- if .Values.agent.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.agent.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "kiam.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ template "kiam.agent.serviceAccountName" . 
}} + dnsPolicy: {{ .Values.agent.dnsPolicy }} + hostNetwork: true + {{- if .Values.agent.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.agent.podAffinityPreset "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.agent.podAntiAffinityPreset "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.agent.nodeAffinityPreset.type "key" .Values.agent.nodeAffinityPreset.key "values" .Values.agent.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.agent.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.agent.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.agent.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.agent.priorityClassName }} + priorityClassName: {{ .Values.agent.priorityClassName | quote }} + {{- end }} + {{- if .Values.agent.podSecurityContext.enabled }} + securityContext: {{- omit .Values.agent.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.agent.initContainers }} + initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.agent.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: agent + image: {{ template "kiam.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.agent.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.agent.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.agent.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.agent.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.agent.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.agent.command "context" $) | nindent 12 }} + {{- else }} + command: + - kiam + - agent + {{- end }} + {{- if .Values.agent.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.agent.args "context" $) | nindent 12 }} + {{- else }} + args: + {{- if .Values.agent.iptables }} + - --iptables + {{- end }} + {{- if not .Values.agent.iptablesRemoveOnShutdown }} + - --no-iptables-remove + {{- end }} + - --host-interface={{ .Values.agent.hostInterface }} + {{- if .Values.agent.logJsonOutput }} + - --json-log + {{- end }} + - --level={{ .Values.agent.logLevel }} + - --port={{ .Values.agent.containerPort }} + - --cert=/bitnami/kiam/tls/{{ .Values.agent.tlsCerts.certFileName }} + - --key=/bitnami/kiam/tls/{{ .Values.agent.tlsCerts.keyFileName }} + - --ca=/bitnami/kiam/tls/{{ .Values.agent.tlsCerts.caFileName }} + - --server-address={{ template "common.names.fullname" . 
}}-server:{{ .Values.server.service.port }} + {{- if .Values.agent.metrics.enabled }} + - --prometheus-listen-addr=0.0.0.0:{{ .Values.agent.metrics.port }} + - --prometheus-sync-interval={{ .Values.agent.metrics.syncInterval }} + {{- end }} + {{- if .Values.agent.allowRouteRegExp }} + - --allow-route-regexp={{ .Values.agent.allowRouteRegExp }} + {{- end }} + - --gateway-timeout-creation={{ .Values.agent.gatewayTimeoutCreation }} + {{- if .Values.agent.keepaliveParams.time }} + - --grpc-keepalive-time-ms={{ .Values.agent.keepaliveParams.time }} + {{- end }} + {{- if .Values.agent.keepaliveParams.timeout }} + - --grpc-keepalive-timeout-ms={{ .Values.agent.keepaliveParams.timeout }} + {{- end }} + {{- if .Values.agent.keepaliveParams.permitWithoutStream }} + - --grpc-keepalive-permit-without-stream + {{- end }} + {{- range $key, $value := .Values.agent.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- end }} + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.agent.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.agent.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.agent.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVarsSecret "context" $) }} + {{- end }} + ports: + {{- if .Values.agent.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.agent.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.agent.resources }} + resources: {{- toYaml .Values.agent.resources | nindent 12 }} + {{- end }} + {{- if .Values.agent.livenessProbe.enabled }} + livenessProbe: + httpGet: + {{- if .Values.agent.enableDeepProbe }} + path: 
/health?deep=1 + {{- else }} + path: /ping + {{- end }} + port: {{ .Values.agent.containerPort }} + initialDelaySeconds: {{ .Values.agent.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.agent.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.agent.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.agent.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.agent.livenessProbe.failureThreshold }} + {{- else if .Values.agent.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.agent.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.agent.readinessProbe.enabled }} + readinessProbe: + httpGet: + {{- if .Values.agent.enableDeepProbe }} + path: /health?deep=1 + {{- else }} + path: /ping + {{- end }} + port: {{ .Values.agent.containerPort }} + initialDelaySeconds: {{ .Values.agent.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.agent.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.agent.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.agent.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.agent.readinessProbe.failureThreshold }} + {{- else if .Values.agent.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.agent.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /bitnami/kiam/tls + name: tls + {{- if .Values.server.sslCertHostPath }} + - mountPath: /etc/ssl/certs + name: ssl-certs + readOnly: true + {{- end }} + - mountPath: /var/run/xtables.lock + name: xtables + {{- if .Values.agent.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.agent.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.agent.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.agent.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + 
- name: tls + secret: + {{- if .Values.agent.tlsSecret }} + secretName: {{ .Values.agent.tlsSecret }} + {{else}} + secretName: {{ template "common.names.fullname" . }}-agent + {{- end }} + {{- if .Values.server.sslCertHostPath }} + - name: ssl-certs + hostPath: + path: {{ .Values.server.sslCertHostPath }} + {{- end }} + - name: xtables + hostPath: + path: /run/xtables.lock + type: FileOrCreate + {{- if .Values.agent.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.agent.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/bitnami/kiam/templates/agent/agent-psp-clusterrole.yaml b/bitnami/kiam/templates/agent/agent-psp-clusterrole.yaml new file mode 100644 index 0000000000..dace0a9d61 --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-psp-clusterrole.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.create }} +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }}-agent-psp + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "common.names.fullname" . }}-agent + verbs: + - use +{{- end }} +{{- end }} diff --git a/bitnami/kiam/templates/agent/agent-psp-clusterrolebinding.yaml b/bitnami/kiam/templates/agent/agent-psp-clusterrolebinding.yaml new file mode 100644 index 0000000000..c5fdf191af --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-psp-clusterrolebinding.yaml 
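Review bot: The agent's ssl-certs mount and volume are both gated on `.Values.server.sslCertHostPath`, while the agent PodSecurityPolicy in the agent-psp hunk whitelists `.Values.agent.sslCertHostPath`; switching the two conditions and the `path:` line here to `.Values.agent.sslCertHostPath` keeps the hostPath the pod actually mounts and the one the PSP allows in step. In the same way, `hostNetwork: true` is hard-coded in this template but the PSP renders `hostNetwork: {{ .Values.agent.useHostNetwork }}`, so setting that value to false would make PSP admission reject the very pods it is meant to cover; either render `hostNetwork: {{ .Values.agent.useHostNetwork }}` here too or drop the value. Because the pod is on the host network and dials `--server-address={{ fullname }}-server:…`, a Service name, it presumably also needs `agent.dnsPolicy` to default to ClusterFirstWithHostNet; that default is outside this diff and worth confirming.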
@@ -0,0 +1,24 @@ +{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.create }} +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }}-agent-psp + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "common.names.fullname" . }}-agent-psp +subjects: + - kind: ServiceAccount + name: {{ template "kiam.agent.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/bitnami/kiam/templates/agent/agent-psp.yaml b/bitnami/kiam/templates/agent/agent-psp.yaml new file mode 100644 index 0000000000..296b3abc46 --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-psp.yaml 
@@ -0,0 +1,54 @@ +{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }}-agent + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + privileged: false + {{- if .Values.agent.iptables }} + allowedCapabilities: + - "NET_ADMIN" + {{ end }} + allowPrivilegeEscalation: false + volumes: + - 'secret' + - 'hostPath' + allowedHostPaths: + - pathPrefix: "/run/xtables.lock" + - pathPrefix: {{ .Values.agent.sslCertHostPath }} + readOnly: true + {{- if .Values.agent.podSecurityPolicy.allowedHostPaths }} + {{- toYaml .Values.agent.podSecurityPolicy.allowedHostPaths | nindent 4 }} + {{- end }} + hostNetwork: {{ .Values.agent.useHostNetwork }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + {{- if .Values.agent.containerSecurityContext.seLinuxOptions }} + rule: 'MustRunAs' + seLinuxOptions: {{- toYaml .Values.agent.containerSecurityContext.seLinuxOptions | nindent 6 }} + {{- else }} + rule: 'RunAsAny' + {{- end }} + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/bitnami/kiam/templates/agent/agent-secret.yaml b/bitnami/kiam/templates/agent/agent-secret.yaml new file mode 100644 index 0000000000..24475730d0 --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-secret.yaml 
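Review bot: The `pathPrefix: {{ .Values.agent.sslCertHostPath }}` entry under allowedHostPaths is emitted unconditionally, so when the value is unset it renders an empty prefix and the PodSecurityPolicy is rejected by the API server; wrap that entry and its `readOnly: true` in `{{- if .Values.agent.sslCertHostPath }}` … `{{- end }}`, mirroring how the daemonset gates the mount. The `{{ end }}` closing the allowedCapabilities block is not whitespace-trimmed and leaves a stray blank line, unlike every other control action in the file; `{{- end }}` matches the rest. PodSecurityPolicy is deprecated upstream and removed in later Kubernetes releases, so a README/values note that `agent.podSecurityPolicy.create` only applies to clusters that still serve `policy/v1beta1` would save users a failed install.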
@@ -0,0 +1,21 @@ +{{- if and .Values.agent.enabled (not .Values.agent.tlsSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }}-agent + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: +{{- if .Values.agent.tlsFiles.ca }} + {{- toYaml .Values.agent.tlsFiles | nindent 2 }} +{{- else }} + {{- include "kiam.agent.gen-certs" . | nindent 2 }} +{{- end -}} +{{- end }} diff --git a/bitnami/kiam/templates/agent/agent-service-account.yaml b/bitnami/kiam/templates/agent/agent-service-account.yaml new file mode 100644 index 0000000000..8fafa94667 --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-service-account.yaml @@ -0,0 +1,17 @@ +{{- if .Values.agent.enabled }} +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "kiam.agent.serviceAccountName" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/bitnami/kiam/templates/agent/agent-service.yaml b/bitnami/kiam/templates/agent/agent-service.yaml new file mode 100644 index 0000000000..1f06123077 --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-service.yaml 
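Review bot: The user-supplied branch pipes `.Values.agent.tlsFiles` straight under `data:`, which the API requires to be base64-encoded, while the generated branch (and the server helper at the top of this chunk) explicitly `b64enc`s every value; either document that `tlsFiles.*` must already be base64, or emit it under `stringData:` so PEM can be passed directly. The branch is also selected on `tlsFiles.ca` alone, so a user who sets only the CA gets a Secret without the cert and key that the daemonset's `--cert`/`--key` flags expect; gating on all three keys, or checking them in `kiam.validateValues`, would surface that at install time. `kiam.agent.gen-certs` is outside this chunk, but if it calls `genCA` itself rather than reusing the CA the server helper builds, agent and server certificates will chain to different roots and the mTLS handshake will fail; and because the generated material is not looked up from the existing Secret, each `helm upgrade` rotates it.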
@@ -0,0 +1,49 @@ +{{- if .Values.agent.enabled }} +{{- if .Values.agent.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }}-agent-metrics + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.agent.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.agent.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if and .Values.agent.metrics.enabled .Values.agent.metrics.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.agent.service.type }} + {{- if and .Values.agent.service.clusterIP (eq .Values.agent.service.type "ClusterIP") }} + clusterIP: {{ .Values.agent.service.clusterIP }} + {{- end }} + {{- if (or (eq .Values.agent.service.type "LoadBalancer") (eq .Values.agent.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.agent.service.externalTrafficPolicy | quote }} + {{- end }} + {{ if eq .Values.agent.service.type "LoadBalancer" }} + loadBalancerSourceRanges: {{ .Values.agent.service.loadBalancerSourceRanges }} + {{ end }} + {{- if (and (eq .Values.agent.service.type "LoadBalancer") (not (empty .Values.agent.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.agent.service.loadBalancerIP }} + {{- end }} + ports: + - name: metrics + port: {{ .Values.agent.metrics.port }} + targetPort: metrics + protocol: TCP + {{- if (and (or (eq .Values.agent.service.type "NodePort") (eq .Values.agent.service.type "LoadBalancer")) (not (empty 
.Values.agent.service.nodePorts.metrics))) }} + nodePort: {{ .Values.agent.service.nodePorts.metrics }} + {{- else if eq .Values.agent.service.type "ClusterIP" }} + nodePort: null + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: agent +{{- end }} +{{- end }} diff --git a/bitnami/kiam/templates/agent/agent-servicemonitor.yaml b/bitnami/kiam/templates/agent/agent-servicemonitor.yaml new file mode 100644 index 0000000000..eb50062f8e --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-servicemonitor.yaml 
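Review bot: `loadBalancerSourceRanges: {{ .Values.agent.service.loadBalancerSourceRanges }}` prints the Go slice form (for example `[10.0.0.0/8 10.1.0.0/16]`), which YAML reads as a single bogus element as soon as more than one range is configured, so the one setting that limits who can reach a LoadBalancer-exposed metrics endpoint silently breaks; render it as `loadBalancerSourceRanges: {{- toYaml .Values.agent.service.loadBalancerSourceRanges | nindent 4 }}`. The surrounding `{{ if eq … "LoadBalancer" }}` / `{{ end }}` are the only untrimmed actions in the file and leave blank lines in the rendered manifest; `{{- if` / `{{- end }}` matches the rest. Guarding the block on the list being non-empty as well avoids emitting an empty `loadBalancerSourceRanges: []`.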
@@ -0,0 +1,41 @@ +{{- if and .Values.agent.enabled .Values.agent.metrics.enabled .Values.agent.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "common.names.fullname" . }}-agent + {{- if .Values.agent.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.agent.metrics.serviceMonitor.namespace }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- range $key, $value := .Values.agent.metrics.serviceMonitor.selector }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: agent + endpoints: + - port: metrics + {{- if .Values.agent.metrics.serviceMonitor.interval }} + interval: {{ .Values.agent.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.agent.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.agent.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.agent.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.agent.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.agent.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} 
diff --git a/bitnami/kiam/templates/extra-list.yaml b/bitnami/kiam/templates/extra-list.yaml
new file mode 100644
index 0000000000..9ac65f9e16
--- /dev/null
+++ b/bitnami/kiam/templates/extra-list.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-daemonset.yaml b/bitnami/kiam/templates/server/server-daemonset.yaml
new file mode 100644
index 0000000000..f1fe237845
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-daemonset.yaml
@@ -0,0 +1,206 @@ +{{- if and .Values.server.enabled (eq .Values.server.resourceType "daemonset") }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }}-server + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.server.updateStrategy }} + updateStrategy: {{- toYaml .Values.server.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: server + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.server.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: server + {{- if .Values.server.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.server.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "kiam.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ template "kiam.server.serviceAccountName" . 
}} + dnsPolicy: {{ .Values.server.dnsPolicy }} + hostNetwork: true + {{- if .Values.server.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.server.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAffinityPreset "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAntiAffinityPreset "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.server.nodeAffinityPreset.type "key" .Values.server.nodeAffinityPreset.key "values" .Values.server.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.server.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.server.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + {{- if .Values.server.podSecurityContext.enabled }} + securityContext: {{- omit .Values.server.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.server.initContainers }} + initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.server.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: server + image: {{ template "kiam.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.server.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.server.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.server.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.server.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.server.command "context" $) | nindent 12 }} + {{- else }} + command: + - kiam + - server + {{- end }} + {{- if .Values.server.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.server.args "context" $) | nindent 12 }} + {{- else }} + args: + {{- if .Values.server.logJsonOutput }} + - --json-log + {{- end }} + - --level={{ .Values.server.logLevel }} + - --bind=0.0.0.0:{{ .Values.server.containerPort }} + - --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }} + - --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }} + - --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }} + {{- if .Values.server.roleBaseArn }} + - --role-base-arn={{ .Values.server.roleBaseArn }} + {{- else }} + - --role-base-arn-autodetect + {{- end }} + {{- if .Values.server.assumeRoleArn }} + - --assume-role-arn={{ .Values.server.assumeRoleArn }} + {{- end }} + - --session-duration={{ .Values.server.sessionDuration }} + - --sync={{ .Values.server.cacheSyncInterval }} + {{- if .Values.server.metrics.enabled }} + - --prometheus-listen-addr=0.0.0.0:{{ .Values.server.metrics.port }} + - --prometheus-sync-interval={{ .Values.server.metrics.syncInterval }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.server.containerPort }} + protocol: TCP + {{- 
if .Values.server.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.server.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.server.extraEnvVars }} + env: {{- include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.server.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.server.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.server.resources }} + resources: {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- if .Values.server.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - kiam + - health + - --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }} + - --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }} + - --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }} + - --server-address=127.0.0.1:{{ .Values.server.containerPort }} + - --server-address-refresh=2s + - --timeout=5s + - --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }} + initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.server.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} + {{- else if .Values.server.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.server.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - kiam + - health + - --cert=/bitnami/kiam/tls/{{ 
.Values.server.tlsCerts.certFileName }} + - --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }} + - --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }} + - --server-address=127.0.0.1:{{ .Values.server.containerPort }} + - --server-address-refresh=2s + - --timeout=5s + - --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }} + initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.server.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} + {{- else if .Values.server.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /bitnami/kiam/tls + name: tls + {{- if .Values.server.sslCertHostPath }} + - mountPath: /etc/ssl/certs + name: ssl-certs + readOnly: true + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: tls + secret: + {{- if .Values.server.tlsSecret }} + secretName: {{ .Values.server.tlsSecret }} + {{else}} + secretName: {{ template "common.names.fullname" . }}-server + {{- end }} + {{- if .Values.server.sslCertHostPath }} + - name: ssl-certs + hostPath: + path: {{ .Values.server.sslCertHostPath }} + {{- end }} + {{- if .Values.server.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{- end }} 
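Review bot: With `hostNetwork: true` and `--bind=0.0.0.0:{{ .Values.server.containerPort }}`, the server's gRPC endpoint listens on every interface of every node it runs on, and the only thing keeping other workloads away from an API that hands out role credentials is the client-certificate check behind `--ca`; a comment above the `--bind` line such as `# hostNetwork + 0.0.0.0: reachable from any node interface; peers are authenticated only by the mTLS CA in the tls Secret`, plus a README note that `server.tlsSecret` should carry a CA dedicated to kiam, would make that trust boundary explicit. The `kiam health` argument list is duplicated verbatim between livenessProbe and readinessProbe (and again in the server-deployment hunk, which runs past this chunk); a named template such as `kiam.server.healthCommand` would keep the copies from drifting when a flag is added.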
diff --git a/bitnami/kiam/templates/server/server-deployment.yaml b/bitnami/kiam/templates/server/server-deployment.yaml
new file mode 100644
index 0000000000..72735863da
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-deployment.yaml
@@ -0,0 +1,207 @@
+{{- if and .Values.server.enabled (eq .Values.server.resourceType "deployment") }}
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.server.replicaCount }}
+ {{- if .Values.server.updateStrategy }}
+ strategy: {{- toYaml .Values.server.updateStrategy | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: server
+ template:
+ metadata:
+ {{- if .Values.server.podAnnotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.server.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" . | nindent 8 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.server.podLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.server.podLabels "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "kiam.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ template "kiam.server.serviceAccountName" . }}
+ dnsPolicy: {{ .Values.server.dnsPolicy }}
+ hostNetwork: true
+ {{- if .Values.server.affinity }}
+ affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.server.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAffinityPreset "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.server.podAntiAffinityPreset "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.server.nodeAffinityPreset.type "key" .Values.server.nodeAffinityPreset.key "values" .Values.server.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.server.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.server.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.server.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.server.tolerations "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.server.priorityClassName }}
+ priorityClassName: {{ .Values.server.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.server.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.server.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ {{- if .Values.server.initContainers }}
+ initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.server.initContainers "context" $) | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: server
+ image: {{ template "kiam.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.server.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.server.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.server.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.server.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.server.command "context" $) | nindent 12 }}
+ {{- else }}
+ command:
+ - kiam
+ - server
+ {{- end }}
+ {{- if .Values.server.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.server.args "context" $) | nindent 12 }}
+ {{- else }}
+ args:
+ {{- if .Values.server.logJsonOutput }}
+ - --json-log
+ {{- end }}
+ - --level={{ .Values.server.logLevel }}
+ - --bind=0.0.0.0:{{ .Values.server.containerPort }}
+ - --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
+ - --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
+ - --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
+ {{- if .Values.server.roleBaseArn }}
+ - --role-base-arn={{ .Values.server.roleBaseArn }}
+ {{- else }}
+ - --role-base-arn-autodetect
+ {{- end }}
+ {{- if .Values.server.assumeRoleArn }}
+ - --assume-role-arn={{ .Values.server.assumeRoleArn }}
+ {{- end }}
+ - --session-duration={{ .Values.server.sessionDuration }}
+ - --sync={{ .Values.server.cacheSyncInterval }}
+ {{- if .Values.server.metrics.enabled }}
+ - --prometheus-listen-addr=0.0.0.0:{{ .Values.server.metrics.port }}
+ - --prometheus-sync-interval={{ .Values.server.metrics.syncInterval }}
+ {{- end }}
+ {{- range $key, $value := .Values.server.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.server.containerPort }}
+ protocol: TCP
+ {{- if .Values.server.metrics.enabled }}
+ - name: metrics
+ containerPort: {{ .Values.server.metrics.port }}
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.server.extraEnvVars }}
+ env: {{- include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ envFrom:
+ {{- if .Values.server.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsCM "context" $) }}
+ {{- end }}
+ {{- if .Values.server.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVarsSecret "context" $) }}
+ {{- end }}
+ {{- if .Values.server.resources }}
+ resources: {{- toYaml .Values.server.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.server.livenessProbe.enabled }}
+ livenessProbe:
+ exec:
+ command:
+ - kiam
+ - health
+ - --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
+ - --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
+ - --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
+ - --server-address=127.0.0.1:{{ .Values.server.containerPort }}
+ - --server-address-refresh=2s
+ - --timeout=5s
+ - --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }}
+ initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.server.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
+ {{- else if .Values.server.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customLivenessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.server.readinessProbe.enabled }}
+ readinessProbe:
+ exec:
+ command:
+ - kiam
+ - health
+ - --cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}
+ - --key=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.keyFileName }}
+ - --ca=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.caFileName }}
+ - --server-address=127.0.0.1:{{ .Values.server.containerPort }}
+ - --server-address-refresh=2s
+ - --timeout=5s
+ - --gateway-timeout-creation={{ .Values.server.gatewayTimeoutCreation }}
+ initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
+ {{- else if .Values.server.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customReadinessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /bitnami/kiam/tls
+ name: tls
+ {{- if .Values.server.sslCertHostPath }}
+ - mountPath: /etc/ssl/certs
+ name: ssl-certs
+ readOnly: true
+ {{- end }}
+ {{- if .Values.server.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumeMounts "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.server.sidecars }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: tls
+ secret:
+ {{- if .Values.server.tlsSecret }}
+ secretName: {{ .Values.server.tlsSecret }}
+ {{else}}
+ secretName: {{ template "common.names.fullname" . }}-server
+ {{- end }}
+ {{- if .Values.server.sslCertHostPath }}
+ - name: ssl-certs
+ hostPath:
+ path: {{ .Values.server.sslCertHostPath }}
+ {{- end }}
+ {{- if .Values.server.extraVolumes }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.server.extraVolumes "context" $) | nindent 8 }}
+ {{- end }}
+{{- end }}
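Review bot: `hostNetwork: true` in the pod spec is hard-coded, while values.yaml ships `server.useHostNetwork: false` and the server-psp.yaml hunk renders `hostNetwork: {{ .Values.server.useHostNetwork }}`; with the default `podSecurityPolicy.create: true`, wherever PSP admission is enforced the chart's own policy would reject the very pod this template creates. Use the value in both places, `hostNetwork: {{ .Values.server.useHostNetwork }}`, so the deployment and its PSP cannot disagree (the daemonset template, whose hunk starts outside this view, should get the same treatment if it repeats the literal). The `--bind=0.0.0.0:` argument deserves a comment as well, because on the host network it binds the gRPC port, and with metrics enabled the `--prometheus-listen-addr` port, on every node interface; something like `# hostNetwork exposes these listeners beyond the pod network: the gRPC port is protected by the client-certificate TLS configured via --ca, the metrics port has no such protection in this chart`. Minor style: the `{{else}}` in the tls volume block lacks the whitespace trim used by the surrounding `{{- if }}`/`{{- end }}` and leaves a stray blank line in the rendered manifest.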
diff --git a/bitnami/kiam/templates/server/server-psp-clusterrole.yaml b/bitnami/kiam/templates/server/server-psp-clusterrole.yaml
new file mode 100644
index 0000000000..e23344ee23
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-psp-clusterrole.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.server.enabled .Values.server.podSecurityPolicy.create }}
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server-psp
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - {{ template "common.names.fullname" . }}-server
+ verbs:
+ - use
+{{- end }}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-psp-clusterrolebinding.yaml b/bitnami/kiam/templates/server/server-psp-clusterrolebinding.yaml
new file mode 100644
index 0000000000..683bdc09db
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-psp-clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.server.enabled .Values.server.podSecurityPolicy.create }}
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server-psp
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "common.names.fullname" . }}-server-psp
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kiam.server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-psp.yaml b/bitnami/kiam/templates/server/server-psp.yaml
new file mode 100644
index 0000000000..f7db1d4f4d
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-psp.yaml
@@ -0,0 +1,49 @@
+{{- if and .Values.server.enabled .Values.server.podSecurityPolicy.create }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ volumes:
+ - 'secret'
+ - 'hostPath'
+ allowedHostPaths:
+ - pathPrefix: {{ .Values.server.sslCertHostPath }}
+ readOnly: true
+ {{- if .Values.server.podSecurityPolicy.allowedHostPaths }}
+ {{- toYaml .Values.server.podSecurityPolicy.allowedHostPaths | nindent 4 }}
+ {{- end }}
+ hostNetwork: {{ .Values.server.useHostNetwork }}
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ {{- if .Values.server.containerSecurityContext.seLinuxOptions }}
+ rule: 'MustRunAs'
+ seLinuxOptions: {{- toYaml .Values.server.containerSecurityContext.seLinuxOptions | nindent 6 }}
+ {{- else }}
+ rule: 'RunAsAny'
+ {{- end }}
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-read-clusterrole.yaml b/bitnami/kiam/templates/server/server-read-clusterrole.yaml
new file mode 100644
index 0000000000..e59ff42a60
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-read-clusterrole.yaml
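Review bot: `allowedHostPaths` unconditionally emits `- pathPrefix: {{ .Values.server.sslCertHostPath }}` and `volumes` always lists `'hostPath'`, whereas the deployment hunk mounts that host path only `{{- if .Values.server.sslCertHostPath }}`; an operator who clears the value to avoid host mounts is left with a `pathPrefix` that has no value (at best meaningless, likely rejected on apply) and with host-path volumes still permitted by the policy. Gate both on the same condition so the PSP only opens what the pod actually uses. Since `containerSecurityContext` defaults to `runAsUser: 1001` with `runAsNonRoot: true`, `runAsUser: rule: 'RunAsAny'` can also be tightened to `MustRunAsNonRoot` so the policy enforces what the chart already does by default; that assumes the securityContext stays enabled or the image declares a numeric user, which is worth stating next to `containerSecurityContext.enabled` in values.yaml. The `hostNetwork: {{ .Values.server.useHostNetwork }}` line here is correct but contradicts the deployment hunk's hard-coded `hostNetwork: true`, raised there.
```yaml
spec:
  privileged: false
  allowPrivilegeEscalation: false
  volumes:
    - 'secret'
    {{- if .Values.server.sslCertHostPath }}
    - 'hostPath'
    {{- end }}
  allowedHostPaths:
    {{- if .Values.server.sslCertHostPath }}
    - pathPrefix: {{ .Values.server.sslCertHostPath }}
      readOnly: true
    {{- end }}
    {{- if .Values.server.podSecurityPolicy.allowedHostPaths }}
    {{- toYaml .Values.server.podSecurityPolicy.allowedHostPaths | nindent 4 }}
    {{- end }}
  # … unchanged: hostNetwork / hostIPC / hostPID …
  runAsUser:
    rule: 'MustRunAsNonRoot'
  # … unchanged: seLinux, supplementalGroups, fsGroup, readOnlyRootFilesystem …
```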
@@ -0,0 +1,26 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server-read
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - pods
+ verbs:
+ - watch
+ - get
+ - list
+{{- end }}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-read-clusterrolebinding.yaml b/bitnami/kiam/templates/server/server-read-clusterrolebinding.yaml
new file mode 100644
index 0000000000..cc5467c266
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-read-clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server-read
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "common.names.fullname" . }}-server-read
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kiam.server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-secret.yaml b/bitnami/kiam/templates/server/server-secret.yaml
new file mode 100644
index 0000000000..31369a6a88
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-secret.yaml
@@ -0,0 +1,21 @@
+{{- if and (.Values.server.enabled) (not .Values.server.tlsSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+{{- if .Values.server.tlsFiles.ca }}
+ {{- toYaml .Values.server.tlsFiles | nindent 2 }}
+{{- else }}
+ {{- include "kiam.server.gen-certs" . | nindent 2 }}
+{{- end -}}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-service-account.yaml b/bitnami/kiam/templates/server/server-service-account.yaml
new file mode 100644
index 0000000000..9841b2f81e
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-service-account.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "kiam.server.serviceAccountName" . }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
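Review bot: When `server.tlsFiles` is supplied, `toYaml .Values.server.tlsFiles` stores the Secret data under the keys `ca`, `cert` and `key` (the field names in values.yaml), but the server container is started with `--cert=/bitnami/kiam/tls/{{ .Values.server.tlsCerts.certFileName }}` and friends (defaults `cert.pem`, `key.pem`, `ca.pem`) and the `tls` secret volume in the deployment hunk has no `items` mapping, so the mounted files would carry the wrong names and kiam would not find them on the user-provided-certificate path; whether the generated path matches depends on `kiam.server.gen-certs`, which is not in view. Emit the data under the configured filenames, `{{ .Values.server.tlsCerts.caFileName }}: {{ .Values.server.tlsFiles.ca }}` and likewise for `cert` and `key`, so both paths share one layout. The `{{- if .Values.server.tlsFiles.ca }}` guard also tests only the CA: a user who provides `cert` and `key` but omits `ca` silently gets freshly generated credentials instead of an error, which is surprising for a trust anchor, so either test all three or fail with `required`.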
diff --git a/bitnami/kiam/templates/server/server-service.yaml b/bitnami/kiam/templates/server/server-service.yaml
new file mode 100644
index 0000000000..28dc56fc52
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-service.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.server.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.server.service.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.server.service.annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.server.metrics.enabled .Values.server.metrics.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.server.metrics.annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.server.service.type }}
+ {{- if and .Values.server.service.clusterIP (eq .Values.server.service.type "ClusterIP") }}
+ clusterIP: {{ .Values.server.service.clusterIP }}
+ {{- end }}
+ {{- if (or (eq .Values.server.service.type "LoadBalancer") (eq .Values.server.service.type "NodePort")) }}
+ externalTrafficPolicy: {{ .Values.server.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{ if eq .Values.server.service.type "LoadBalancer" }}
+ loadBalancerSourceRanges: {{ .Values.server.service.loadBalancerSourceRanges }}
+ {{ end }}
+ {{- if (and (eq .Values.server.service.type "LoadBalancer") (not (empty .Values.server.service.loadBalancerIP))) }}
+ loadBalancerIP: {{ .Values.server.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.server.service.port }}
+ targetPort: http
+ protocol: TCP
+ {{- if (and (or (eq .Values.server.service.type "NodePort") (eq .Values.server.service.type "LoadBalancer")) (not (empty .Values.server.service.nodePorts.http))) }}
+ nodePort: {{ .Values.server.service.nodePorts.http }}
+ {{- else if eq .Values.server.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.server.metrics.enabled }}
+ - name: metrics
+ port: {{ .Values.server.metrics.port }}
+ targetPort: metrics
+ protocol: TCP
+ {{- if (and (or (eq .Values.server.service.type "NodePort") (eq .Values.server.service.type "LoadBalancer")) (not (empty .Values.server.service.nodePorts.metrics))) }}
+ nodePort: {{ .Values.server.service.nodePorts.metrics }}
+ {{- else if eq .Values.server.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- end }}
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: server
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-servicemonitor.yaml b/bitnami/kiam/templates/server/server-servicemonitor.yaml
new file mode 100644
index 0000000000..ff0f5cf19c
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-servicemonitor.yaml
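Review bot: `loadBalancerSourceRanges: {{ .Values.server.service.loadBalancerSourceRanges }}` interpolates the list with Go's default formatting, so any non-empty value such as the `10.10.10.0/24` example in values.yaml renders as `[10.10.10.0/24]` and two entries as `[10.10.10.0/24 10.0.0.0/8]`, a one-element flow sequence holding a space-joined scalar rather than a YAML list; the allow-list that is the only network-level restriction on a LoadBalancer-exposed kiam server is then likely rejected by CIDR validation on apply. Render it as YAML: `{{- if eq .Values.server.service.type "LoadBalancer" }}` / `loadBalancerSourceRanges: {{- toYaml .Values.server.service.loadBalancerSourceRanges | nindent 4 }}` / `{{- end }}`. The surrounding `{{ if` / `{{ end }}` are also the only actions in the file without the `-` whitespace trim and leave blank lines inside `spec:` in the rendered Service.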
@@ -0,0 +1,41 @@
+{{- if and .Values.server.enabled .Values.server.metrics.enabled .Values.server.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "common.names.fullname" . }}-server
+ {{- if .Values.server.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.server.metrics.serviceMonitor.namespace }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- range $key, $value := .Values.server.metrics.serviceMonitor.selector }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: server
+ endpoints:
+ - port: metrics
+ {{- if .Values.server.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.server.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.server.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.server.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.server.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.server.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.server.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.server.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-write-clusterrole.yaml b/bitnami/kiam/templates/server/server-write-clusterrole.yaml
new file mode 100644
index 0000000000..d9ac1d6ae5
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-write-clusterrole.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server-write
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- end }}
+{{- end }}
diff --git a/bitnami/kiam/templates/server/server-write-clusterrolebinding.yaml b/bitnami/kiam/templates/server/server-write-clusterrolebinding.yaml
new file mode 100644
index 0000000000..d7c9937ee6
--- /dev/null
+++ b/bitnami/kiam/templates/server/server-write-clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "common.names.fullname" . }}-server-write
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "common.names.fullname" . }}-server-write
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kiam.server.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/bitnami/kiam/values.yaml b/bitnami/kiam/values.yaml
new file mode 100644
index 0000000000..9a55bd8199
--- /dev/null
+++ b/bitnami/kiam/values.yaml
@@ -0,0 +1,749 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+# global:
+# imageRegistry: myRegistryName
+# imagePullSecrets:
+# - myRegistryKeySecretName
+# storageClass: myStorageClass
+
+## Release name override
+##
+nameOverride:
+
+## Release full name override
+##
+fullnameOverride:
+
+## Add labels to all the deployed resources
+##
+commonLabels: {}
+
+## Add annotations to all the deployed resources
+##
+commonAnnotations: {}
+
+## Extra objects to deploy (value evaluated as a template)
+##
+extraDeploy: []
+
+image:
+ registry: docker.io
+ repository: bitnami/kiam
+ tag: 3.6.0-debian-10-r26
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ pullSecrets: []
+ # - myRegistryKeySecretName
+
+## kiam server properties
+##
+server:
+ enabled: true
+
+ ## Service configuratiom
+ ##
+ service:
+ ## Service type.
+ ##
+ type: ClusterIP
+ ## HTTPS Port
+ ##
+ port: 443
+ ## Specify the nodePort values for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ http:
+ metrics:
+ ## Service clusterIP.
+ ##
+ clusterIP:
+ ## loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
+ ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
+ ##
+ loadBalancerIP:
+ ## Load Balancer sources
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## Enable client source IP preservation
+ ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## Provide any additional annotations which may be required (evaluated as a template).
+ ##
+ annotations: {}
+
+ containerPort: 8443
+ ## Use a deployment instead of a daemonset
+ ##
+ resourceType: daemonset
+
+ ## Number of nodes
+ ##
+ replicaCount: 1
+
+ ## Logging settings
+ ##
+ logJsonOutput: true
+ logLevel: info
+
+ # Location of SSL certs on host
+ sslCertHostPath: /etc/ssl/certs
+
+ podSecurityPolicy:
+ create: true
+ allowedHostPaths: []
+
+ ## Used to assign priority to server pods
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ ##
+ priorityClassName: ""
+
+ ## Configure extra options for liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Additional kiam arguments
+ ##
+ extraArgs: []
+
+ ## Specifies whether a ServiceAccount should be created
+ ##
+ serviceAccount:
+ create: true
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ ##
+ name:
+
+ ## Override command and args for running the container (set to default if not set). Use array form
+ ##
+ command: []
+ args: []
+
+ ## Base64-encoded PEM values for server's CA certificate(s), certificate and private key
+ ##
+ tlsFiles:
+ ca:
+ cert:
+ key:
+
+ ## Timeout when creating the kiam gateway
+ ##
+ gatewayTimeoutCreation: 1s
+
+ ## Secret name of server's TLS certificates
+ ##
+ tlsSecret:
+
+ ## Pod DNS policy
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy
+ ##
+ dnsPolicy: ClusterFirstWithHostNet
+
+ ## Base ARN for IAM roles
+ ## If not specified use EC2 metadata service to detect ARN prefix
+ ##
+ roleBaseArn: null
+
+ ## Pod cache settings
+ ##
+ cacheSyncInterval: 1m
+
+ ## IAM role for the server to assume
+ ##
+ assumeRoleArn: null
+ ## Session duration for STS tokens
+ ##
+ sessionDuration: 15m
+ ## Use hostNetwork for server
+ ## Set this to true when running the servers on the same nodes as the agents
+ ##
+ useHostNetwork: false
+
+ ## Agent TLS Certificate filenames
+ ##
+ tlsCerts:
+ certFileName: cert.pem
+ keyFileName: key.pem
+ caFileName: ca.pem
+
+ ## kiam server resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ limits: {}
+ # cpu: 200m
+ # memory: 256Mi
+ requests: {}
+ # cpu: 200m
+ # memory: 10Mi
+
+ ## SecurityContext configuration
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+ seLinuxOptions:
+
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+
+ ## Pod affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ## Allowed values: soft, hard
+ ##
+ podAffinityPreset: ""
+
+ ## Pod anti-affinity preset
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ## Allowed values: soft, hard
+ ##
+ podAntiAffinityPreset: soft
+
+ ## Node affinity preset
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ## Allowed values: soft, hard
+ ##
+ nodeAffinityPreset:
+ ## Node affinity type
+ ## Allowed values: soft, hard
+ ##
+ type: ""
+ ## Node label key to match
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## Node label values to match
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+
+ ## Affinity for pod assignment. Evaluated as a template.
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ##
+ affinity: {}
+
+ ## Node labels for pod assignment. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+
+ ## Tolerations for pod assignment. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+
+ ## Pod extra labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+
+ ## Annotations for server pods.
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + + ## lifecycleHooks for the kiam server container to automate configuration before or after startup. + ## + lifecycleHooks: {} + + ## Custom Liveness probes for kiam server + ## + customLivenessProbe: {} + + ## Custom Rediness probes kiam server + ## + customReadinessProbe: {} + + ## Update strategy - only really applicable for deployments with RWO PVs attached + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + updateStrategy: + type: RollingUpdate + + ## An array to add extra env vars + ## For example: + ## + extraEnvVars: [] + # - name: BEARER_AUTH + # value: true + + ## ConfigMap with extra environment variables + ## + extraEnvVarsCM: + + ## Secret with extra environment variables + ## + extraEnvVarsSecret: + + ## Extra volumes to add to the deployment + ## + extraVolumes: [] + + ## Extra volume mounts to add to the container + ## + extraVolumeMounts: [] + + ## Add init containers to the kiam server pods. + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + + ## Add sidecars to the kiam server pods. 
+ ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + metrics: + enabled: false + port: 9621 + syncInterval: 5s + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: '{{ .Values.server.metrics.port }}' + + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + enabled: false + ## Namespace in which Prometheus is running + ## + namespace: + + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint + ## + metricRelabelings: [] + + ## RelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint + ## + relabelings: [] + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + +## kiam agent properties +## +agent: + enabled: true + + ## Service configuratiom (essentially for metrics) + ## + service: + ## Service type. + ## + type: ClusterIP + ## Specify the nodePort values for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + metrics: + ## Service clusterIP. 
+ ## + clusterIP: + ## loadBalancerIP for the SuiteCRM Service (optional, cloud specific) + ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + loadBalancerIP: + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## Enable client source IP preservation + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## Provide any additional annotations which may be required (evaluated as a template). + ## + annotations: {} + + ## Logging settings + ## + + logJsonOutput: true + logLevel: info + + ## Used to assign priority to server pods + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + + ## agent permits only request paths matching this reg-ex + ## + allowRouteRegExp: + + ## Host networking settings + ## + containerPort: 8183 + iptables: false + # do not remove iptables forwarding rules when kiam-agent terminates + # needed for RollingUpdate strategy and for security reeasons + iptablesRemoveOnShutdown: false + hostInterface: cali+ + + ## Specifies whether a ServiceAccount should be created + ## + serviceAccount: + create: true + ## The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the fullname template + ## + name: + + ## gRPC keepalive variables + ## + keepaliveParams: + time: + timeout: + ## gRPC keepalive ping even with no RPC + ## + permitWithoutStream: false + + ## if true, liveness probe will fail if the agent is not + ## able to communicate with servers, which may happen on + ## certificate change + ## + enableDeepProbe: false + + ## Pod DNS policy + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy + ## + dnsPolicy: ClusterFirstWithHostNet + + # Location of SSL certs on host + sslCertHostPath: /etc/ssl/certs + + ## Base64-encoded PEM values for server's CA certificate(s), certificate and private key + ## + tlsFiles: + ca: + cert: + key: + + podSecurityPolicy: + create: true + allowedHostPaths: + + ## Secret name of server's TLS certificates + ## + tlsSecret: + + ## Use hostNetwork for server + ## Set this to true when running the servers on the same nodes as the agents + ## + useHostNetwork: false + + ## Agent TLS Certificate filenames + ## + tlsCerts: + certFileName: cert.pem + keyFileName: key.pem + caFileName: ca.pem + + ## Configure extra options for liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + + ## Additional kiam arguments + ## + extraArgs: [] + + ## Timeout when creating the kiam gateway + ## + gatewayTimeoutCreation: 1s + + ## Override command and args for running the container (set to default if not set). 
Use array form + ## + command: [] + args: [] + + ## kiam agent resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: {} + # cpu: 200m + # memory: 256Mi + requests: {} + # cpu: 200m + # memory: 10Mi + + ## SecurityContext configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + seLinuxOptions: + + podSecurityContext: + enabled: true + fsGroup: 1001 + + ## Pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## Pod anti-affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + ## + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for pod assignment. Evaluated as a template. 
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + + ## Node labels for pod assignment. Evaluated as a template. + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for pod assignment. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## Pod extra labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + + ## Annotations for agent pods. + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + + ## kiam agent pods' priority. + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + # priorityClassName: "" + + ## lifecycleHooks for the kiam agent container to automate configuration before or after startup. + ## + lifecycleHooks: {} + + ## Custom Liveness probes for kiam agent + ## + customLivenessProbe: {} + + ## Custom Rediness probes kiam agent + ## + customReadinessProbe: {} + + ## Update strategy - only really applicable for deployments with RWO PVs attached + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. 
Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + updateStrategy: + type: RollingUpdate + + ## An array to add extra env vars + ## For example: + ## + extraEnvVars: [] + # - name: BEARER_AUTH + # value: true + + ## ConfigMap with extra environment variables + ## + extraEnvVarsCM: + + ## Secret with extra environment variables + ## + extraEnvVarsSecret: + + ## Extra volumes to add to the deployment + ## + extraVolumes: [] + + ## Extra volume mounts to add to the container + ## + extraVolumeMounts: [] + + ## Add init containers to the kiam agent pods. + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + + ## Add sidecars to the kiam agent pods. + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + metrics: + enabled: false + port: 9620 + syncInterval: 5s + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: '{{ .Values.agent.metrics.port }}' + + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + enabled: false + ## Namespace in which Prometheus is running + ## + namespace: + + ## Interval at which metrics should be scraped. 
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint + ## + metricRelabelings: [] + + ## RelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint + ## + relabelings: [] + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + +## Specifies whether RBAC resources should be created +## +rbac: + create: true