Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-16 06:47:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/pinniped] feat: 🎉 Add chart (#10569)

Browse Source 
* [bitnami/pinniped] feat: 🎉 Add chart

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Apply requested changes

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Add VIB files

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* update tag

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <containers@bitnami.com>

* Bump image

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <containers@bitnami.com>

* Add cypress tests

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* add chromeWebSecurity

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* change visit with request

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Revert and use generic port

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

Co-authored-by: Bitnami Containers <containers@bitnami.com>
This commit is contained in:
Javier J. Salmerón-García
2022-06-14 10:01:22 +02:00
committed by GitHub
parent 0b45ef7ed3
commit cd7cccabba
32 changed files with 4269 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
bitnami/pinniped/.helmignore Normal file
View File

@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

6
bitnami/pinniped/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 1.15.2
digest: sha256:48c25b91a91551319ebd92c8b894dd6795e0a1dd40ac544d1b625a14d179eba0
generated: "2022-06-03T12:14:13.318852+02:00"

25
bitnami/pinniped/Chart.yaml Normal file
View File

@@ -0,0 +1,25 @@
annotations:
category: Infrastructure
apiVersion: v2
appVersion: 0.17.0
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
tags:
- bitnami-common
version: 1.x.x
description: Pinniped is an identity service provider for Kubernetes. Provides a consistent, unified login experience across all your clusters, allowing enteprise IDP protocols.
engine: gotpl
home: https://pinniped.dev/
icon: https://bitnami.com/assets/stacks/pinniped/img/pinniped-stack-220x234.png
keywords:
- identity
- infrastructure
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: pinniped
sources:
- https://github.com/bitnami/bitnami-docker-pinniped
- https://github.com/vmware-tanzu/pinniped/
version: 0.1.0

375
bitnami/pinniped/README.md Normal file
View File

@@ -0,0 +1,375 @@
<!--- app-name: Pinniped -->
# Pinniped packaged by Bitnami
Pinniped is an identity service provider for Kubernetes. Provides a consistent, unified login experience across all your clusters, allowing enteprise IDP protocols.
[Overview of Pinniped](https://pinniped.dev/)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/pinniped
```
## Introduction
Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
This chart bootstraps a [Grafana Loki](https://github.com/grafana/loki) Deployment in a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
[Learn more about the default configuration of the chart](https://docs.bitnami.com/kubernetes/infrastructure/grafana-loki/get-started/).
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm install my-release bitnami/pinniped
```
The command deploys pinniped on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
### Global parameters
| Name | Description | Value |
| ------------------------- | ----------------------------------------------- | ----- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
### Common parameters
| Name | Description | Value |
| ------------------- | --------------------------------------------------- | ------------------- |
| `kubeVersion` | Override Kubernetes version | `""` |
| `nameOverride` | String to partially override common.names.name | `""` |
| `fullnameOverride` | String to fully override common.names.fullname | `""` |
| `namespaceOverride` | String to fully override common.names.namespace | `""` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
| `image.registry` | Pinniped image registry | `docker.io` |
| `image.repository` | Pinniped image repository | `bitnami/pinniped` |
| `image.tag` | Pinniped image tag (immutable tags are recommended) | `0.18.0-scratch-r2` |
| `image.pullPolicy` | Pinniped image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Pinniped image pull secrets | `[]` |
### Concierge Parameters
| Name | Description | Value |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------- |
| `concierge.enabled` | Deploy Concierge | `true` |
| `concierge.replicaCount` | Number of Concierge replicas to deploy | `1` |
| `concierge.containerPorts.api` | Concierge API container port | `10250` |
| `concierge.containerPorts.proxy` | Concierge Proxy container port | `8443` |
| `concierge.configuration` | Concierge pinniped.yaml configuration file | `""` |
| `concierge.credentialIssuerConfig` | Configuration for the credential issuer | `""` |
| `concierge.livenessProbe.enabled` | Enable livenessProbe on Concierge containers | `true` |
| `concierge.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `concierge.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `concierge.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `concierge.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `concierge.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `concierge.readinessProbe.enabled` | Enable readinessProbe on Concierge containers | `true` |
| `concierge.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
| `concierge.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `concierge.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `concierge.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `concierge.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `concierge.startupProbe.enabled` | Enable startupProbe on Concierge containers | `false` |
| `concierge.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
| `concierge.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `concierge.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `concierge.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `concierge.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `concierge.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `concierge.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `concierge.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `concierge.resources.limits` | The resources limits for the Concierge containers | `{}` |
| `concierge.resources.requests` | The requested resources for the Concierge containers | `{}` |
| `concierge.podSecurityContext.enabled` | Enabled Concierge pods' Security Context | `true` |
| `concierge.podSecurityContext.fsGroup` | Set Concierge pod's Security Context fsGroup | `1001` |
| `concierge.containerSecurityContext.enabled` | Enabled Concierge containers' Security Context | `true` |
| `concierge.containerSecurityContext.runAsUser` | Set Concierge containers' Security Context runAsUser | `1001` |
| `concierge.containerSecurityContext.runAsNonRoot` | Set Concierge containers' Security Context runAsNonRoot | `true` |
| `concierge.containerSecurityContext.readOnlyRootFilesystem` | Enable readOnlyRootFilesystem | `false` |
| `concierge.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Concierge | `""` |
| `concierge.command` | Override default container command (useful when using custom images) | `[]` |
| `concierge.args` | Override default container args (useful when using custom images) | `[]` |
| `concierge.deployAPIService` | Deploy the APIService objects | `true` |
| `concierge.hostAliases` | Concierge pods host aliases | `[]` |
| `concierge.podLabels` | Extra labels for Concierge pods | `{}` |
| `concierge.podAnnotations` | Annotations for Concierge pods | `{}` |
| `concierge.podAffinityPreset` | Pod affinity preset. Ignored if `concierge.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `concierge.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `concierge.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `concierge.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `concierge.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `concierge.nodeAffinityPreset.key` | Node label key to match. Ignored if `concierge.affinity` is set | `""` |
| `concierge.nodeAffinityPreset.values` | Node label values to match. Ignored if `concierge.affinity` is set | `[]` |
| `concierge.affinity` | Affinity for Concierge pods assignment | `{}` |
| `concierge.nodeSelector` | Node labels for Concierge pods assignment | `{}` |
| `concierge.tolerations` | Tolerations for Concierge pods assignment | `[]` |
| `concierge.updateStrategy.type` | Concierge statefulset strategy type | `RollingUpdate` |
| `concierge.priorityClassName` | Concierge pods' priorityClassName | `""` |
| `concierge.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` |
| `concierge.schedulerName` | Name of the k8s scheduler (other than default) for Concierge pods | `""` |
| `concierge.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
| `concierge.lifecycleHooks` | for the Concierge container(s) to automate configuration before or after startup | `{}` |
| `concierge.extraEnvVars` | Array with extra environment variables to add to Concierge nodes | `[]` |
| `concierge.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concierge nodes | `""` |
| `concierge.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concierge nodes | `""` |
| `concierge.extraVolumes` | Optionally specify extra list of additional volumes for the Concierge pod(s) | `[]` |
| `concierge.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concierge container(s) | `[]` |
| `concierge.sidecars` | Add additional sidecar containers to the Concierge pod(s) | `{}` |
| `concierge.initContainers` | Add additional init containers to the Concierge pod(s) | `{}` |
### Concierge RBAC settings
| Name | Description | Value |
| ---------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ------ |
| `concierge.rbac.create` | Create Concierge RBAC objects | `true` |
| `concierge.serviceAccount.concierge.name` | Name of an existing Service Account for the Concierge Deployment | `""` |
| `concierge.serviceAccount.concierge.create` | Create a Service Account for the Concierge Deployment | `true` |
| `concierge.serviceAccount.concierge.automountServiceAccountToken` | Auto mount token for the Concierge Deployment Service Account | `true` |
| `concierge.serviceAccount.concierge.annotations` | Annotations for the Concierge Service Account | `{}` |
| `concierge.serviceAccount.impersonationProxy.name` | Name of an existing Service Account for the Concierge Impersonator | `""` |
| `concierge.serviceAccount.impersonationProxy.create` | Create a Service Account for the Concierge Impersonator | `true` |
| `concierge.serviceAccount.impersonationProxy.automountServiceAccountToken` | Auto mount token for the Concierge Impersonator Service Account | `true` |
| `concierge.serviceAccount.impersonationProxy.annotations` | Annotations for the Concierge Service Account | `{}` |
| `concierge.serviceAccount.kubeCertAgentService.name` | Name of an existing Service Account for the Concierge kube-cert-agent-service | `""` |
| `concierge.serviceAccount.kubeCertAgentService.create` | Create a Service Account for the Concierge kube-cert-agent-service | `true` |
| `concierge.serviceAccount.kubeCertAgentService.automountServiceAccountToken` | Auto mount token for the Concierge kube-cert-agent-service Service Account | `true` |
| `concierge.serviceAccount.kubeCertAgentService.annotations` | Annotations for the Concierge Service Account | `{}` |
### Concierge Traffic Exposure Parameters
| Name | Description | Value |
| -------------------------------------------- | ------------------------------------------------------------------------------------ | ----------- |
| `concierge.service.type` | Concierge service type | `ClusterIP` |
| `concierge.service.ports.https` | Concierge service HTTPS port | `443` |
| `concierge.service.nodePorts.https` | Node port for HTTPS | `""` |
| `concierge.service.clusterIP` | Concierge service Cluster IP | `""` |
| `concierge.service.labels` | Add labels to the service | `{}` |
| `concierge.service.loadBalancerIP` | Concierge service Load Balancer IP | `""` |
| `concierge.service.loadBalancerSourceRanges` | Concierge service Load Balancer sources | `[]` |
| `concierge.service.externalTrafficPolicy` | Concierge service external traffic policy | `Cluster` |
| `concierge.service.annotations` | Additional custom annotations for Concierge service | `{}` |
| `concierge.service.extraPorts` | Extra ports to expose in Concierge service (normally used with the `sidecars` value) | `[]` |
| `concierge.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `concierge.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
### Supervisor Parameters
| Name | Description | Value |
| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ | --------------- |
| `supervisor.enabled` | Deploy Supervisor | `true` |
| `supervisor.replicaCount` | Number of Supervisor replicas to deploy | `1` |
| `supervisor.containerPorts.https` | Supervisor HTTP container port | `8443` |
| `supervisor.configuration` | Supervisor pinniped.yaml configuration file | `""` |
| `supervisor.livenessProbe.enabled` | Enable livenessProbe on Supervisor containers | `true` |
| `supervisor.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `supervisor.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `supervisor.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `supervisor.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `supervisor.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `supervisor.readinessProbe.enabled` | Enable readinessProbe on Supervisor containers | `true` |
| `supervisor.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
| `supervisor.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `supervisor.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `supervisor.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `supervisor.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `supervisor.startupProbe.enabled` | Enable startupProbe on Supervisor containers | `false` |
| `supervisor.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
| `supervisor.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `supervisor.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `supervisor.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `supervisor.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `supervisor.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `supervisor.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `supervisor.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `supervisor.resources.limits` | The resources limits for the Supervisor containers | `{}` |
| `supervisor.resources.requests` | The requested resources for the Supervisor containers | `{}` |
| `supervisor.podSecurityContext.enabled` | Enabled Supervisor pods' Security Context | `true` |
| `supervisor.podSecurityContext.fsGroup` | Set Supervisor pod's Security Context fsGroup | `1001` |
| `supervisor.containerSecurityContext.enabled` | Enabled Supervisor containers' Security Context | `true` |
| `supervisor.containerSecurityContext.runAsUser` | Set Supervisor containers' Security Context runAsUser | `1001` |
| `supervisor.containerSecurityContext.runAsNonRoot` | Set Supervisor containers' Security Context runAsNonRoot | `true` |
| `supervisor.containerSecurityContext.readOnlyRootFilesystem` | Enable readOnlyRootFilesystem | `false` |
| `supervisor.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Supervisor | `""` |
| `supervisor.command` | Override default container command (useful when using custom images) | `[]` |
| `supervisor.args` | Override default container args (useful when using custom images) | `[]` |
| `supervisor.hostAliases` | Supervisor pods host aliases | `[]` |
| `supervisor.podLabels` | Extra labels for Supervisor pods | `{}` |
| `supervisor.podAnnotations` | Annotations for Supervisor pods | `{}` |
| `supervisor.podAffinityPreset` | Pod affinity preset. Ignored if `supervisor.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `supervisor.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `supervisor.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `supervisor.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `supervisor.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `supervisor.nodeAffinityPreset.key` | Node label key to match. Ignored if `supervisor.affinity` is set | `""` |
| `supervisor.nodeAffinityPreset.values` | Node label values to match. Ignored if `supervisor.affinity` is set | `[]` |
| `supervisor.affinity` | Affinity for Supervisor pods assignment | `{}` |
| `supervisor.nodeSelector` | Node labels for Supervisor pods assignment | `{}` |
| `supervisor.tolerations` | Tolerations for Supervisor pods assignment | `[]` |
| `supervisor.updateStrategy.type` | Supervisor statefulset strategy type | `RollingUpdate` |
| `supervisor.priorityClassName` | Supervisor pods' priorityClassName | `""` |
| `supervisor.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` |
| `supervisor.schedulerName` | Name of the k8s scheduler (other than default) for Supervisor pods | `""` |
| `supervisor.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
| `supervisor.lifecycleHooks` | for the Supervisor container(s) to automate configuration before or after startup | `{}` |
| `supervisor.extraEnvVars` | Array with extra environment variables to add to Supervisor nodes | `[]` |
| `supervisor.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Supervisor nodes | `""` |
| `supervisor.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Supervisor nodes | `""` |
| `supervisor.extraVolumes` | Optionally specify extra list of additional volumes for the Supervisor pod(s) | `[]` |
| `supervisor.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Supervisor container(s) | `[]` |
| `supervisor.sidecars` | Add additional sidecar containers to the Supervisor pod(s) | `{}` |
| `supervisor.initContainers` | Add additional init containers to the Supervisor pod(s) | `{}` |
### Supervisor RBAC settings
| Name | Description | Value |
| -------------------------------------------------------- | ----------------------------------------------------------------- | ------ |
| `supervisor.rbac.create` | Create Supervisor RBAC objects | `true` |
| `supervisor.serviceAccount.name` | Name of an existing Service Account for the Supervisor Deployment | `""` |
| `supervisor.serviceAccount.create` | Create a Service Account for the Supervisor Deployment | `true` |
| `supervisor.serviceAccount.automountServiceAccountToken` | Auto mount token for the Supervisor Deployment Service Account | `true` |
| `supervisor.serviceAccount.annotations` | Annotations for the Supervisor Service Account | `{}` |
### Supervisor Traffic Exposure Parameters
| Name | Description | Value |
| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | --------------------------- |
| `supervisor.service.type` | Supervisor service type | `LoadBalancer` |
| `supervisor.service.ports.https` | Supervisor service HTTPS port | `443` |
| `supervisor.service.nodePorts.https` | Node port for HTTPS | `""` |
| `supervisor.service.clusterIP` | Supervisor service Cluster IP | `""` |
| `supervisor.service.labels` | Add labels to the service | `{}` |
| `supervisor.service.loadBalancerIP` | Supervisor service Load Balancer IP | `""` |
| `supervisor.service.loadBalancerSourceRanges` | Supervisor service Load Balancer sources | `[]` |
| `supervisor.service.externalTrafficPolicy` | Supervisor service external traffic policy | `Cluster` |
| `supervisor.service.annotations` | Additional custom annotations for Supervisor service | `{}` |
| `supervisor.service.extraPorts` | Extra ports to expose in Supervisor service (normally used with the `sidecars` value) | `[]` |
| `supervisor.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `supervisor.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `supervisor.ingress.enabled` | Enable ingress record generation for Pinniped Supervisor | `false` |
| `supervisor.ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `supervisor.ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `supervisor.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `supervisor.ingress.hostname` | Default host for the ingress record | `pinniped-supervisor.local` |
| `supervisor.ingress.path` | Default path for the ingress record | `/` |
| `supervisor.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `supervisor.ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` |
| `supervisor.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `supervisor.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `supervisor.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `supervisor.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `supervisor.ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `supervisor.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
See https://github.com/bitnami-labs/readme-generator-for-helm to create the table
The above parameters map to the env variables defined in [bitnami/pinniped](http://github.com/bitnami/bitnami-docker-pinniped). For more information please refer to the [bitnami/pinniped](http://github.com/bitnami/bitnami-docker-pinniped) image documentation.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set supervisor.enabled=false \
bitnami/pinniped
```
The above command sets disables the supervisor compoment deployment.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml bitnami/pinniped
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
## Persistence
The [Bitnami pinniped](https://github.com/bitnami/bitnami-docker-pinniped) image stores the pinniped data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. [Learn more about persistence in the chart documentation](https://docs.bitnami.com/kubernetes/apps/pinniped/configuration/chart-persistence/).
### Additional environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property.
```yaml
pinniped:
extraEnvVars:
- name: LOG_LEVEL
value: error
```
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values.
### Sidecars
If additional containers are needed in the same pod as pinniped (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter. [Learn more about configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/apps/pinniped/administration/configure-use-sidecars/).
### Pod affinity
This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## License
Copyright &copy; 2022 Bitnami
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

479
bitnami/pinniped/crds/concierge-crds.yaml Normal file
View File

@@ -0,0 +1,479 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: jwtauthenticators.authentication.concierge.pinniped.dev
labels:
app: pinniped-concierge
spec:
group: authentication.concierge.pinniped.dev
names:
categories:
- pinniped
- pinniped-authenticator
- pinniped-authenticators
kind: JWTAuthenticator
listKind: JWTAuthenticatorList
plural: jwtauthenticators
singular: jwtauthenticator
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .spec.audience
name: Audience
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: "JWTAuthenticator describes the configuration of a JWT authenticator. \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid signature, existence of claims, etc.) and extract the username and groups from the token."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the authenticator.
properties:
audience:
description: Audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
claims:
description: Claims allows customization of the claims that will be mapped to user identity for Kubernetes access.
properties:
groups:
description: Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
type: string
username:
description: Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
type: string
type: object
issuer:
description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
minLength: 1
pattern: ^https://
type: string
tls:
description: TLS configuration for communicating with the OIDC provider.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
type: string
type: object
required:
- audience
- issuer
type: object
status:
description: Status of the authenticator.
properties:
conditions:
description: Represents the observations of the authenticator's current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: webhookauthenticators.authentication.concierge.pinniped.dev
labels:
app: pinniped-concierge
spec:
group: authentication.concierge.pinniped.dev
names:
categories:
- pinniped
- pinniped-authenticator
- pinniped-authenticators
kind: WebhookAuthenticator
listKind: WebhookAuthenticatorList
plural: webhookauthenticators
singular: webhookauthenticator
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: WebhookAuthenticator describes the configuration of a webhook authenticator.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the authenticator.
properties:
endpoint:
description: Webhook server endpoint URL.
minLength: 1
pattern: ^https://
type: string
tls:
description: TLS configuration.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
type: string
type: object
required:
- endpoint
type: object
status:
description: Status of the authenticator.
properties:
conditions:
description: Represents the observations of the authenticator's current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: credentialissuers.config.concierge.pinniped.dev
labels:
app: pinniped-concierge
spec:
group: config.concierge.pinniped.dev
names:
categories:
- pinniped
kind: CredentialIssuer
listKind: CredentialIssuerList
plural: credentialissuers
singular: credentialissuer
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.impersonationProxy.mode
name: ProxyMode
type: string
- jsonPath: .status.strategies[?(@.status == "Success")].type
name: DefaultStrategy
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec describes the intended configuration of the Concierge.
properties:
impersonationProxy:
description: ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
properties:
externalEndpoint:
description: "ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type is \"None\"."
type: string
mode:
description: 'Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.'
enum:
- auto
- enabled
- disabled
type: string
service:
default:
type: LoadBalancer
description: Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
properties:
annotations:
additionalProperties:
type: string
description: Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
type: object
loadBalancerIP:
description: LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers.
maxLength: 255
minLength: 1
type: string
type:
default: LoadBalancer
description: "Type specifies the type of Service to provision for the impersonation proxy. \n If the type is \"None\", then the \"spec.impersonationProxy.externalEndpoint\" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status."
enum:
- LoadBalancer
- ClusterIP
- None
type: string
type: object
required:
- mode
- service
type: object
required:
- impersonationProxy
type: object
status:
description: CredentialIssuerStatus describes the status of the Concierge.
properties:
kubeConfigInfo:
description: Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. This field is deprecated and will be removed in a future version.
properties:
certificateAuthorityData:
description: The K8s API server CA bundle.
minLength: 1
type: string
server:
description: The K8s API server URL.
minLength: 1
pattern: ^https://|^http://
type: string
required:
- certificateAuthorityData
- server
type: object
strategies:
description: List of integration strategies that were attempted by Pinniped.
items:
description: CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
properties:
frontend:
description: Frontend describes how clients can connect using this strategy.
properties:
impersonationProxyInfo:
description: ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. This field is only set when Type is "ImpersonationProxy".
properties:
certificateAuthorityData:
description: CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy.
minLength: 1
type: string
endpoint:
description: Endpoint is the HTTPS endpoint of the impersonation proxy.
minLength: 1
pattern: ^https://
type: string
required:
- certificateAuthorityData
- endpoint
type: object
tokenCredentialRequestInfo:
description: TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. This field is only set when Type is "TokenCredentialRequestAPI".
properties:
certificateAuthorityData:
description: CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle.
minLength: 1
type: string
server:
description: Server is the Kubernetes API server URL.
minLength: 1
pattern: ^https://|^http://
type: string
required:
- certificateAuthorityData
- server
type: object
type:
description: Type describes which frontend mechanism clients can use with a strategy.
enum:
- TokenCredentialRequestAPI
- ImpersonationProxy
type: string
required:
- type
type: object
lastUpdateTime:
description: When the status was last checked.
format: date-time
type: string
message:
description: Human-readable description of the current status.
minLength: 1
type: string
reason:
description: Reason for the current status.
enum:
- Listening
- Pending
- Disabled
- ErrorDuringSetup
- CouldNotFetchKey
- CouldNotGetClusterInfo
- FetchedKey
type: string
status:
description: Status of the attempted integration strategy.
enum:
- Success
- Error
type: string
type:
description: Type of integration attempted.
enum:
- KubeClusterSigningCertificate
- ImpersonationProxy
type: string
required:
- lastUpdateTime
- message
- reason
- status
- type
type: object
type: array
required:
- strategies
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

684
bitnami/pinniped/crds/supervisor.crds.yaml Normal file
View File

@@ -0,0 +1,684 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: federationdomains.config.supervisor.pinniped.dev
labels:
app: pinniped-supervisor
spec:
group: config.supervisor.pinniped.dev
names:
categories:
- pinniped
kind: FederationDomain
listKind: FederationDomainList
plural: federationdomains
singular: federationdomain
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.status
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: FederationDomain describes the configuration of an OIDC provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec of the OIDC provider.
properties:
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information."
minLength: 1
type: string
tls:
description: TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
properties:
secretName:
description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. \n Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. \n SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. \n When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses."
type: string
type: object
required:
- issuer
type: object
status:
description: Status of the OIDC provider.
properties:
lastUpdateTime:
description: LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811).
format: date-time
type: string
message:
description: Message provides human-readable details about the Status.
type: string
secrets:
description: Secrets contains information about this OIDC Provider's secrets.
properties:
jwks:
description: JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateEncryptionKey:
description: StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for encrypting state parameters is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
stateSigningKey:
description: StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing state parameters is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
tokenSigningKey:
description: TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing tokens is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: object
status:
description: Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure.
enum:
- Success
- Duplicate
- Invalid
- SameIssuerHostMustUseSameSecret
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
labels:
app: pinniped-supervisor
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: ActiveDirectoryIdentityProvider
listKind: ActiveDirectoryIdentityProviderList
plural: activedirectoryidentityproviders
singular: activedirectoryidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
bind:
description: Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local Secret object that provides the username and password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty.
minLength: 1
type: string
required:
- secretName
type: object
groupSearch:
description: GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
properties:
attributes:
description: Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search.
properties:
groupName:
description: GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN.
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster.
type: string
filter:
description: Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})"
type: string
skipGroupRefresh:
description: "The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. \n In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. \n If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true. This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. \n This is an experimental feature that may be removed or significantly altered in the future. Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed."
type: boolean
type: object
host:
description: 'Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1
type: string
tls:
description: TLS contains the connection settings for how to establish the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
type: string
type: object
userSearch:
description: UserSearch contains the configuration for searching for a user by name in Active Directory.
properties:
attributes:
description: Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search.
properties:
uid:
description: UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely identify the user within this ActiveDirectory provider after a successful authentication. Optional, when empty this defaults to "objectGUID".
type: string
username:
description: Username specifies the name of the attribute in Active Directory entry whose value shall become the username of the user after a successful authentication. Optional, when empty this defaults to "userPrincipalName".
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster.
type: string
filter:
description: Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
type: string
type: object
required:
- host
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Represents the observations of an identity provider's current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: ldapidentityproviders.idp.supervisor.pinniped.dev
labels:
app: pinniped-supervisor
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: LDAPIdentityProvider
listKind: LDAPIdentityProviderList
plural: ldapidentityproviders
singular: ldapidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
bind:
description: Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty.
minLength: 1
type: string
required:
- secretName
type: object
groupSearch:
description: GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search.
properties:
groupName:
description: GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored.
type: string
filter:
description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}".
type: string
skipGroupRefresh:
description: "The user's group membership is refreshed as they interact with the supervisor to obtain new credentials (as their old credentials expire). This allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. \n In some environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base. \n If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set skipGroupRefresh to true. This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login. \n This is an experimental feature that may be removed or significantly altered in the future. Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed."
type: boolean
type: object
host:
description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1
type: string
tls:
description: TLS contains the connection settings for how to establish the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
type: string
type: object
userSearch:
description: UserSearch contains the configuration for searching for a user by name in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search.
properties:
uid:
description: UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
minLength: 1
type: string
username:
description: Username specifies the name of the attribute in the LDAP entry whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default value of "dn={}" would not work.
minLength: 1
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be explicitly specified, since the default value of "dn={}" would not work.
type: string
type: object
required:
- host
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Represents the observations of an identity provider's current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the LDAPIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: oidcidentityproviders.idp.supervisor.pinniped.dev
labels:
app: pinniped-supervisor
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: OIDCIdentityProvider
listKind: OIDCIdentityProviderList
plural: oidcidentityproviders
singular: oidcidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
authorizationConfig:
description: AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider.
properties:
additionalAuthorizeParameters:
description: additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the additionalScopes setting for more information about using scopes to request refresh tokens.
items:
description: Parameter is a key/value pair which represents a parameter in an HTTP request.
properties:
name:
description: The name of the parameter. Required.
minLength: 1
type: string
value:
description: The value of the parameter.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
additionalScopes:
description: 'additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request the following scopes: "openid", "offline_access", "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, or as common patterns used by providers who implement the standard in the ecosystem evolve. By setting this list to anything other than an empty list, you are overriding the default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. If you do not want any of these scopes to be requested, you may set this list to contain only "openid". Some OIDC providers may also require a scope to get access to the user''s group membership, in which case you may wish to include it in this list. Sometimes the scope to request the user''s group membership is called "groups", but unfortunately this is not specified in the OIDC standard. Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider''s documentation for more information about what scopes are available to request claims. Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See the documentation of your OIDC provider''s authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab''s OIDC provider).'
items:
type: string
type: array
allowPasswordGrant:
description: allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. allowPasswordGrant defaults to false.
type: boolean
type: object
claims:
description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider.
properties:
groups:
description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
type: string
username:
description: Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
type: string
type: object
client:
description: OIDCClient contains OIDC client information to be used used with this OIDC identity provider.
properties:
secretName:
description: SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys "clientID" and "clientSecret".
type: string
required:
- secretName
type: object
issuer:
description: Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration.
minLength: 1
pattern: ^https://
type: string
tls:
description: TLS configuration for discovery/JWKS requests to the issuer.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
type: string
type: object
required:
- client
- issuer
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Represents the observations of an identity provider's current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the OIDCIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

54
bitnami/pinniped/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,54 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
** Please be patient while the chart is being deployed **
The following components have been deployed
{{- if .Values.concierge.enabled }}
- concierge
{{- end }}
{{- if .Values.supervisor.enabled }}
- supervisor
{{- end }}
{{- if .Values.concierge.enabled }}
Get the list of pods by executing:
kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }} -l app.kubernetes.io/component=concierge
Follow the official documentation to configure an authenticator in Concierge: https://pinniped.dev/docs/howto/configure-concierge-jwt/
{{- end }}
{{- if .Values.supervisor.enabled }}
{{- if .Values.supervisor.ingress.enabled }}
1. Get the Pinniped Supervisor URL and associate the gateway hostname to your cluster external IP:
export CLUSTER_IP=$(minikube ip) # On Minikube. Use: `kubectl cluster-info` on others K8s clusters
echo "Supervisor URL: http{{ if .Values.supervisor.ingress.tls }}s{{ end }}://{{ .Values.supervisor.ingress.hostname }}/"
echo "$CLUSTER_IP {{ .Values.supervisor.ingress.hostname }}" | sudo tee -a /etc/hosts
{{- else }}
1. Get the Pinniped Supervisor URL by running these commands:
{{- if contains "NodePort" .Values.supervisor.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "pinniped.supervisor.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.supervisor.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ include "common.names.namespace" . }} svc -w {{ template "common.names.fullname" . }}
export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ template "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.supervisor.service.ports.https }}
{{- else if contains "ClusterIP" .Values.supervisor.service.type }}
echo "The Supervisor is available at http://127.0.0.1:{{ .Values.supervisor.service.ports.https }}"
kubectl port-forward svc/{{ template "pinniped.supervisor.fullname" . }} {{ .Values.supervisor.service.ports.https }}:{{ .Values.supervisor.service.ports.https }} &
{{- end }}
{{- end }}
Follow the official instructions to configure an OIDC provider: https://pinniped.dev/docs/howto/configure-supervisor/
{{- end }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "pinniped.validateValues" . }}

151
bitnami/pinniped/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,151 @@
{{/*
Return the proper concierge image name
*/}}
{{- define "pinniped.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "pinniped.imagePullSecrets" -}}
{{- include "common.images.pullSecrets" (dict "images" (list .Values.image) "global" .Values.global) -}}
{{- end -}}
{{/*
Pinniped Concierge helpers
*/}}
{{/*
Return the proper Concierge fullname
*/}}
{{- define "pinniped.concierge.fullname" -}}
{{- printf "%s-%s" (include "common.names.fullname" .) "concierge" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper Concierge fullname (with ns)
*/}}
{{- define "pinniped.concierge.fullname.namespace" -}}
{{- printf "%s-%s-%s" (include "common.names.fullname" .) "concierge" (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper Concierge API fullname
*/}}
{{- define "pinniped.concierge.api.fullname" -}}
{{- printf "%s-%s" (include "pinniped.concierge.fullname" .) "api" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper impersonation proxy fullname
*/}}
{{- define "pinniped.concierge.impersonation-proxy.fullname" -}}
{{- printf "%s-%s" (include "pinniped.concierge.fullname" .) "impersonation-proxy" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper impersonation proxy fullname
*/}}
{{- define "pinniped.concierge.kube-cert-agent.fullname" -}}
{{- printf "%s-%s" (include "pinniped.concierge.fullname" .) "kube-cert-agent-server" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Get the Loki configuration configmap.
*/}}
{{- define "pinniped.concierge.configmapName" -}}
{{- if .Values.concierge.existingConfigmap -}}
{{- .Values.concierge.existingConfigmap -}}
{{- else }}
{{- printf "%s" (include "pinniped.concierge.fullname" . ) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "pinniped.concierge.serviceAccountName" -}}
{{- if .Values.concierge.serviceAccount.concierge.create -}}
{{ default (include "pinniped.concierge.fullname" .) .Values.concierge.serviceAccount.concierge.name }}
{{- else -}}
{{ default "default" .Values.concierge.serviceAccount.concierge.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "pinniped.concierge.impersonation-proxy.serviceAccountName" -}}
{{- if .Values.concierge.serviceAccount.impersonationProxy.create -}}
{{ default (include "pinniped.concierge.impersonation-proxy.fullname" .) .Values.concierge.serviceAccount.impersonationProxy.name }}
{{- else -}}
{{ default "default" .Values.concierge.serviceAccount.impersonationProxy.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "pinniped.concierge.kube-cert-agent.serviceAccountName" -}}
{{- if .Values.concierge.serviceAccount.kubeCertAgentService.create -}}
{{ default (include "pinniped.concierge.kube-cert-agent.fullname" .) .Values.concierge.serviceAccount.kubeCertAgentService.name }}
{{- else -}}
{{ default "default" .Values.concierge.serviceAccount.kubeCertAgentService.name }}
{{- end -}}
{{- end -}}
{{/*
Pinniped Supervisor helpers
*/}}
{{/*
Return the proper Supervisor fullname
*/}}
{{- define "pinniped.supervisor.fullname" -}}
{{- printf "%s-%s" (include "common.names.fullname" .) "supervisor" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Get the Pinniped Supervisor configuration configmap.
*/}}
{{- define "pinniped.supervisor.configmapName" -}}
{{- if .Values.supervisor.existingConfigmap -}}
{{- .Values.supervisor.existingConfigmap -}}
{{- else }}
{{- printf "%s" (include "pinniped.supervisor.fullname" . ) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "pinniped.supervisor.serviceAccountName" -}}
{{- if .Values.supervisor.serviceAccount.create -}}
{{ default (include "pinniped.supervisor.fullname" .) .Values.supervisor.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.supervisor.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message.
*/}}
{{- define "pinniped.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "pinniped.validateValues.deploy" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Grafana Loki - Memcached (IndexWrites) */}}
{{- define "pinniped.validateValues.deploy" -}}
{{- if not (or .Values.concierge.enabled .Values.supervisor.enabled) -}}
pinniped: No deployments
Neither the Concierge of the Supervisor was deployed. Please deploy one of them by setting concierge.enabled=true or supervisor.enabled=true
{{- end -}}
{{- end -}}

28
bitnami/pinniped/templates/concierge/apiservice-identity.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- if and .Values.concierge.enabled .Values.concierge.deployAPIService }}
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.identity.concierge.pinniped.dev
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
version: v1alpha1
group: identity.concierge.pinniped.dev
groupPriorityMinimum: 9900
versionPriority: 15
service:
name: {{ template "pinniped.concierge.api.fullname" . }}
namespace: {{ template "common.names.namespace" . }}
port: 443
{{- end }}

28
bitnami/pinniped/templates/concierge/apiservice-login.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- if and .Values.concierge.enabled .Values.concierge.deployAPIService }}
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.login.concierge.pinniped.dev
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
version: v1alpha1
group: login.concierge.pinniped.dev
groupPriorityMinimum: 9900
versionPriority: 15
service:
name: {{ template "pinniped.concierge.api.fullname" . }}
namespace: {{ template "common.names.namespace" . }}
port: 443
{{- end }}

19
bitnami/pinniped/templates/concierge/configmap.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if and .Values.concierge.enabled (not .Values.concierge.existingConfigmap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "pinniped.concierge.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
pinniped.yaml: |-
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.configuration "context" $) | nindent 4 }}
{{- end }}

15
bitnami/pinniped/templates/concierge/credential-issuer.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: config.concierge.pinniped.dev/v1alpha1
kind: CredentialIssuer
metadata:
name: {{ template "pinniped.concierge.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.credentialIssuerConfig "context" $) | nindent 2 }}

193
bitnami/pinniped/templates/concierge/deployment.yaml Normal file
View File

@@ -0,0 +1,193 @@
{{- if .Values.concierge.enabled }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "pinniped.concierge.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.concierge.replicaCount }}
{{- if .Values.concierge.updateStrategy }}
strategy: {{- toYaml .Values.concierge.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: concierge
template:
metadata:
annotations:
{{- if .Values.concierge.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: concierge
{{- if .Values.concierge.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "pinniped.concierge.serviceAccountName" . }}
{{- include "pinniped.imagePullSecrets" . | nindent 6 }}
{{- if .Values.concierge.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.concierge.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.concierge.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.concierge.podAffinityPreset "component" "concierge" "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.concierge.podAntiAffinityPreset "component" "concierge" "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.concierge.nodeAffinityPreset.type "key" .Values.concierge.nodeAffinityPreset.key "values" .Values.concierge.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.concierge.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.concierge.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.concierge.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.concierge.priorityClassName }}
priorityClassName: {{ .Values.concierge.priorityClassName | quote }}
{{- end }}
{{- if .Values.concierge.schedulerName }}
schedulerName: {{ .Values.concierge.schedulerName | quote }}
{{- end }}
{{- if .Values.concierge.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.concierge.podSecurityContext.enabled }}
securityContext: {{- omit .Values.concierge.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.concierge.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.concierge.terminationGracePeriodSeconds }}
{{- end }}
initContainers:
{{- if .Values.concierge.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: concierge
image: {{ template "pinniped.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.concierge.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.concierge.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.concierge.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.command "context" $) | nindent 12 }}
{{- else }}
command:
- pinniped-concierge
{{- end }}
{{- if .Values.concierge.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.args "context" $) | nindent 12 }}
{{- else }}
args:
- --config=/bitnami/pinniped/conf/pinniped.yaml
- --downward-api-path=/etc/podinfo
{{- end }}
env:
{{- if .Values.concierge.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.concierge.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.concierge.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.concierge.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.concierge.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.concierge.resources }}
resources: {{- toYaml .Values.concierge.resources | nindent 12 }}
{{- end }}
ports:
- name: https-proxy
containerPort: {{ .Values.concierge.containerPorts.proxy }}
- name: https-api
containerPort: {{ .Values.concierge.containerPorts.api }}
{{- if .Values.concierge.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.concierge.livenessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /healthz
port: https-api
scheme: HTTPS
{{- else if .Values.concierge.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.concierge.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.concierge.readinessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /healthz
port: https-api
scheme: HTTPS
{{- else if .Values.concierge.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.concierge.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.concierge.startupProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /healthz
port: https-api
scheme: HTTPS
{{- else if .Values.concierge.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.concierge.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
- name: config-volume
mountPath: /bitnami/pinniped/conf
readOnly: true
- name: podinfo
mountPath: /etc/podinfo
readOnly: true
- name: impersonation-proxy
# This mount path is hardcoded in the pinniped source code
mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
readOnly: true
{{- if .Values.concierge.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.concierge.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.concierge.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: tmp
emptyDir:
medium: Memory
sizeLimit: 100Mi
- name: config-volume
configMap:
name: {{ template "pinniped.concierge.configmapName" . }}
- name: impersonation-proxy
secret:
secretName: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}
items:
- key: token
path: token
- name: podinfo
downwardAPI:
items:
- path: labels
fieldRef:
fieldPath: metadata.labels
- path: name
fieldRef:
fieldPath: metadata.name
- path: namespace
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.concierge.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}

23
bitnami/pinniped/templates/concierge/impersonation-proxy-service-account.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if and .Values.concierge.enabled .Values.concierge.serviceAccount.impersonationProxy.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "pinniped.concierge.impersonation-proxy.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.concierge.serviceAccount.impersonationProxy.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.concierge.serviceAccount.impersonationProxy.annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.concierge.serviceAccount.impersonationProxy.automountServiceAccountToken }}
secrets:
- name: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}
{{- end }}

21
bitnami/pinniped/templates/concierge/kube-cert-agent-service-account.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if and .Values.concierge.enabled .Values.concierge.serviceAccount.kubeCertAgentService.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "pinniped.concierge.kube-cert-agent.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.concierge.serviceAccount.kubeCertAgentService.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.concierge.serviceAccount.kubeCertAgentService.annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.concierge.serviceAccount.kubeCertAgentService.automountServiceAccountToken }}
{{- end }}

519
bitnami/pinniped/templates/concierge/rbac.yaml Normal file
View File

@@ -0,0 +1,519 @@
{{- if .Values.concierge.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-aggregated-api-server
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
- apiGroups:
- flowcontrol.apiserver.k8s.io
resources:
- flowschemas
- prioritylevelconfigurations
verbs:
- get
- list
- watch
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- use
resourceNames:
- nonroot
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- apiGroups:
- config.concierge.pinniped.dev
resources:
- credentialissuers
verbs:
- get
- list
- watch
- create
- apiGroups:
- config.concierge.pinniped.dev
resources:
- credentialissuers/status
verbs:
- get
- patch
- update
- apiGroups:
- authentication.concierge.pinniped.dev
resources:
- jwtauthenticators
- webhookauthenticators
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-aggregated-api-server
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: ClusterRole
name: {{ template "pinniped.concierge.fullname.namespace" . }}-aggregated-api-server
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-impersonation-proxy
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- users
- groups
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- authentication.k8s.io
resources:
- '*'
verbs:
- impersonate
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-impersonation-proxy
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.impersonation-proxy.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: ClusterRole
name: {{ template "pinniped.concierge.fullname.namespace" . }}-impersonation-proxy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "pinniped.concierge.fullname" . }}-kube-cert-agent
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname" . }}-kube-cert-agent
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.kube-cert-agent.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: Role
name: {{ template "pinniped.concierge.fullname" . }}-kube-cert-agent
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "pinniped.concierge.fullname" . }}-aggregated-api-server
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- list
- get
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname" . }}-aggregated-api-server
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: Role
name: {{ template "pinniped.concierge.fullname" . }}-aggregated-api-server
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-kube-system-pod-read
namespace: kube-system
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-kube-system-pod-read
namespace: kube-system
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: Role
name: {{ template "pinniped.concierge.fullname.namespace" . }}-kube-system-pod-read
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-pre-authn-apis
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- login.concierge.pinniped.dev
resources:
- tokencredentialrequests
verbs:
- create
- list
- apiGroups:
- identity.concierge.pinniped.dev
resources:
- whoamirequests
verbs:
- create
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-pre-authn-apis
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:unauthenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: {{ template "pinniped.concierge.fullname.namespace" . }}-pre-authn-apis
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: ClusterRole
name: system:auth-delegator
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-extension-apiserver-authentication-reader
namespace: kube-system
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: Role
name: extension-apiserver-authentication-reader
apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-cluster-info-lister-watcher
namespace: kube-public
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- list
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.concierge.fullname.namespace" . }}-cluster-info-lister-watcher
namespace: kube-public
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.concierge.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: Role
name: {{ template "pinniped.concierge.fullname.namespace" . }}-cluster-info-lister-watcher
apiGroup: rbac.authorization.k8s.io
{{- end }}

21
bitnami/pinniped/templates/concierge/service-account.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if and .Values.concierge.enabled .Values.concierge.serviceAccount.concierge.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "pinniped.concierge.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.concierge.serviceAccount.concierge.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.concierge.serviceAccount.concierge.annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.concierge.serviceAccount.concierge.automountServiceAccountToken }}
{{- end }}

28
bitnami/pinniped/templates/concierge/service-api.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{/* This service is meant to be consumed by the Kubernetes API, so we don't allow configuration on it */}}
{{- if .Values.concierge.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pinniped.concierge.api.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 443
targetPort: https-api
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: concierge
{{- end }}

60
bitnami/pinniped/templates/concierge/service-proxy.yaml Normal file
View File

@@ -0,0 +1,60 @@
{{- if .Values.concierge.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pinniped.concierge.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.concierge.service.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.concierge.service.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.concierge.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.concierge.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.concierge.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.concierge.service.type }}
{{- if and .Values.concierge.service.clusterIP (eq .Values.concierge.service.type "ClusterIP") }}
clusterIP: {{ .Values.concierge.service.clusterIP }}
{{- end }}
{{- if .Values.concierge.service.sessionAffinity }}
sessionAffinity: {{ .Values.concierge.service.sessionAffinity }}
{{- end }}
{{- if .Values.concierge.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.concierge.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
{{- if or (eq .Values.concierge.service.type "LoadBalancer") (eq .Values.concierge.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.concierge.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.concierge.service.type "LoadBalancer") (not (empty .Values.concierge.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{ .Values.concierge.service.loadBalancerSourceRanges }}
{{- end }}
{{- if and (eq .Values.concierge.service.type "LoadBalancer") (not (empty .Values.concierge.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.concierge.service.loadBalancerIP }}
{{- end }}
ports:
- name: https
port: {{ .Values.concierge.service.ports.https }}
protocol: TCP
targetPort: https-proxy
{{- if and (or (eq .Values.concierge.service.type "NodePort") (eq .Values.concierge.service.type "LoadBalancer")) (not (empty .Values.concierge.service.nodePorts.https)) }}
nodePort: {{ .Values.concierge.service.nodePorts.https }}
{{- else if eq .Values.concierge.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.concierge.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.concierge.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: concierge
{{- end }}

19
bitnami/pinniped/templates/concierge/token-secret.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if .Values.concierge.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: concierge
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
kubernetes.io/service-account.name: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/service-account-token
{{- end }}

4
bitnami/pinniped/templates/extra-list.yaml Normal file
View File

@@ -0,0 +1,4 @@
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

19
bitnami/pinniped/templates/supervisor/configmap.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if and .Values.supervisor.enabled (not .Values.supervisor.existingConfigmap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "pinniped.supervisor.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: supervisor
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
pinniped.yaml: |-
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.configuration "context" $) | nindent 4 }}
{{- end }}

181
bitnami/pinniped/templates/supervisor/deployment.yaml Normal file
View File

@@ -0,0 +1,181 @@
{{- if .Values.supervisor.enabled }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "pinniped.supervisor.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: supervisor
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.supervisor.replicaCount }}
{{- if .Values.supervisor.updateStrategy }}
strategy: {{- toYaml .Values.supervisor.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: supervisor
template:
metadata:
annotations:
{{- if .Values.supervisor.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: supervisor
{{- if .Values.supervisor.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "pinniped.supervisor.serviceAccountName" . }}
{{- include "pinniped.imagePullSecrets" . | nindent 6 }}
{{- if .Values.supervisor.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.supervisor.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.supervisor.podAffinityPreset "component" "supervisor" "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.supervisor.podAntiAffinityPreset "component" "supervisor" "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.supervisor.nodeAffinityPreset.type "key" .Values.supervisor.nodeAffinityPreset.key "values" .Values.supervisor.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.supervisor.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.supervisor.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.supervisor.priorityClassName }}
priorityClassName: {{ .Values.supervisor.priorityClassName | quote }}
{{- end }}
{{- if .Values.supervisor.schedulerName }}
schedulerName: {{ .Values.supervisor.schedulerName | quote }}
{{- end }}
{{- if .Values.supervisor.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.supervisor.podSecurityContext.enabled }}
securityContext: {{- omit .Values.supervisor.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.supervisor.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.supervisor.terminationGracePeriodSeconds }}
{{- end }}
initContainers:
{{- if .Values.supervisor.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: supervisor
image: {{ template "pinniped.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.supervisor.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.supervisor.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.supervisor.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.command "context" $) | nindent 12 }}
{{- else }}
command:
- pinniped-supervisor
{{- end }}
{{- if .Values.supervisor.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.args "context" $) | nindent 12 }}
{{- else }}
args:
- /etc/podinfo
- /bitnami/pinniped/conf/pinniped.yaml
{{- end }}
env:
{{- if .Values.supervisor.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.supervisor.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.supervisor.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.supervisor.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.supervisor.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.supervisor.resources }}
resources: {{- toYaml .Values.supervisor.resources | nindent 12 }}
{{- end }}
ports:
- name: https
containerPort: {{ .Values.supervisor.containerPorts.https }}
{{- if .Values.supervisor.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.supervisor.livenessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /healthz
port: https
scheme: HTTPS
{{- else if .Values.supervisor.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.supervisor.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.supervisor.readinessProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /healthz
port: https
scheme: HTTPS
{{- else if .Values.supervisor.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.supervisor.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.supervisor.startupProbe "enabled") "context" $) | nindent 12 }}
httpGet:
path: /healthz
port: https
scheme: HTTPS
{{- else if .Values.supervisor.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.supervisor.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
- name: config-volume
mountPath: /bitnami/pinniped/conf
readOnly: true
- name: podinfo
mountPath: /etc/podinfo
readOnly: true
{{- if .Values.supervisor.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.supervisor.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: tmp
emptyDir:
medium: Memory
sizeLimit: 100Mi
- name: config-volume
configMap:
name: {{ template "pinniped.supervisor.configmapName" . }}
- name: podinfo
downwardAPI:
items:
- path: labels
fieldRef:
fieldPath: metadata.labels
- path: name
fieldRef:
fieldPath: metadata.name
- path: namespace
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.supervisor.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}

60
bitnami/pinniped/templates/supervisor/ingress.yaml Executable file
View File

@@ -0,0 +1,60 @@
{{- if .Values.supervisor.ingress.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "pinniped.supervisor.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.supervisor.ingress.annotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.ingress.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.supervisor.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
ingressClassName: {{ .Values.supervisor.ingress.ingressClassName | quote }}
{{- end }}
rules:
{{- if .Values.supervisor.ingress.hostname }}
- host: {{ .Values.supervisor.ingress.hostname | quote }}
http:
paths:
{{- if .Values.supervisor.ingress.extraPaths }}
{{- toYaml .Values.supervisor.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.supervisor.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.supervisor.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "https" "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.supervisor.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "https" "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.supervisor.ingress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.ingress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- if or (and .Values.supervisor.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.supervisor.ingress.annotations )) .Values.supervisor.ingress.selfSigned)) .Values.supervisor.ingress.extraTls }}
tls:
{{- if and .Values.supervisor.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.supervisor.ingress.annotations )) .Values.supervisor.ingress.selfSigned) }}
- hosts:
- {{ .Values.supervisor.ingress.hostname | quote }}
secretName: {{ printf "%s-tls" .Values.supervisor.ingress.hostname }}
{{- end }}
{{- if .Values.supervisor.ingress.extraTls }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.ingress.extraTls "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

137
bitnami/pinniped/templates/supervisor/rbac.yaml Normal file
View File

@@ -0,0 +1,137 @@
{{- if .Values.supervisor.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "pinniped.supervisor.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: supervisor
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- config.supervisor.pinniped.dev
resources:
- federationdomains
verbs:
- get
- list
- watch
- apiGroups:
- config.supervisor.pinniped.dev
resources:
- federationdomains/status
verbs:
- get
- patch
- update
- apiGroups:
- idp.supervisor.pinniped.dev
resources:
- oidcidentityproviders
verbs:
- get
- list
- watch
- apiGroups:
- idp.supervisor.pinniped.dev
resources:
- oidcidentityproviders/status
verbs:
- get
- patch
- update
- apiGroups:
- idp.supervisor.pinniped.dev
resources:
- ldapidentityproviders
verbs:
- get
- list
- watch
- apiGroups:
- idp.supervisor.pinniped.dev
resources:
- ldapidentityproviders/status
verbs:
- get
- patch
- update
- apiGroups:
- idp.supervisor.pinniped.dev
resources:
- activedirectoryidentityproviders
verbs:
- get
- list
- watch
- apiGroups:
- idp.supervisor.pinniped.dev
resources:
- activedirectoryidentityproviders/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
- deployments
verbs:
- get
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "pinniped.supervisor.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: supervisor
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "pinniped.supervisor.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
kind: Role
name: {{ template "pinniped.supervisor.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

21
bitnami/pinniped/templates/supervisor/service-account.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if and .Values.supervisor.enabled .Values.supervisor.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "pinniped.supervisor.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: supervisor
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.supervisor.serviceAccount.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.serviceAccount.annotations "context" $ ) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.supervisor.serviceAccount.automountServiceAccountToken }}
{{- end }}

60
bitnami/pinniped/templates/supervisor/service.yaml Normal file
View File

@@ -0,0 +1,60 @@
{{- if .Values.supervisor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pinniped.supervisor.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/part-of: pinniped
app.kubernetes.io/component: supervisor
{{- if .Values.supervisor.service.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.service.labels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.supervisor.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.supervisor.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.supervisor.service.type }}
{{- if and .Values.supervisor.service.clusterIP (eq .Values.supervisor.service.type "ClusterIP") }}
clusterIP: {{ .Values.supervisor.service.clusterIP }}
{{- end }}
{{- if .Values.supervisor.service.sessionAffinity }}
sessionAffinity: {{ .Values.supervisor.service.sessionAffinity }}
{{- end }}
{{- if .Values.supervisor.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.supervisor.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
{{- if or (eq .Values.supervisor.service.type "LoadBalancer") (eq .Values.supervisor.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.supervisor.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.supervisor.service.type "LoadBalancer") (not (empty .Values.supervisor.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{ .Values.supervisor.service.loadBalancerSourceRanges }}
{{- end }}
{{- if and (eq .Values.supervisor.service.type "LoadBalancer") (not (empty .Values.supervisor.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.supervisor.service.loadBalancerIP }}
{{- end }}
ports:
- name: https
port: {{ .Values.supervisor.service.ports.https }}
protocol: TCP
targetPort: https
{{- if and (or (eq .Values.supervisor.service.type "NodePort") (eq .Values.supervisor.service.type "LoadBalancer")) (not (empty .Values.supervisor.service.nodePorts.https)) }}
nodePort: {{ .Values.supervisor.service.nodePorts.https }}
{{- else if eq .Values.supervisor.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.supervisor.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.supervisor.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: supervisor
{{- end }}

44
bitnami/pinniped/templates/supervisor/tls-secret.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{- if .Values.supervisor.ingress.enabled }}
{{- if .Values.supervisor.ingress.secrets }}
{{- range .Values.supervisor.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
namespace: {{ include "common.names.namespace" $ | quote }}
labels: {{- include "common.labels.standard" $ | nindent 4 }}
{{- if $.Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- end }}
{{- if and .Values.supervisor.ingress.tls .Values.supervisor.ingress.selfSigned }}
{{- $ca := genCA "pinniped-ca" 365 }}
{{- $cert := genSignedCert .Values.supervisor.ingress.hostname nil (list .Values.supervisor.ingress.hostname) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-tls" .Values.supervisor.ingress.hostname }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- end }}
{{- end }}

852
bitnami/pinniped/values.yaml Normal file
View File

@@ -0,0 +1,852 @@
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
##
global:
imageRegistry: ""
## E.g.
## imagePullSecrets:
## - myRegistryKeySecretName
##
imagePullSecrets: []
storageClass: ""
## @section Common parameters
##
## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.name
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Bitnami Pinniped image
## ref: https://hub.docker.com/r/bitnami/pinniped/tags/
## @param image.registry Pinniped image registry
## @param image.repository Pinniped image repository
## @param image.tag Pinniped image tag (immutable tags are recommended)
## @param image.pullPolicy Pinniped image pull policy
## @param image.pullSecrets Pinniped image pull secrets
##
image:
registry: docker.io
repository: bitnami/pinniped
tag: 0.18.0-scratch-r2
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## @section Concierge Parameters
##
##
concierge:
## @param concierge.enabled Deploy Concierge
##
enabled: true
## @param concierge.replicaCount Number of Concierge replicas to deploy
##
replicaCount: 1
## @param concierge.containerPorts.api Concierge API container port
## @param concierge.containerPorts.proxy Concierge Proxy container port
##
containerPorts:
api: 10250
proxy: 8443
## @param concierge.configuration [string] Concierge pinniped.yaml configuration file
##
configuration: |
discovery:
url: null
api:
servingCertificate:
durationSeconds: 2592000
renewBeforeSeconds: 2160000
apiGroupSuffix: pinniped.dev
# aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated
# impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated
names:
servingCertificateSecret: {{ template "pinniped.concierge.api.fullname" . }}-tls-serving-certificate
credentialIssuer: {{ template "pinniped.concierge.fullname" . }}
apiService: {{ template "pinniped.concierge.api.fullname" . }}
impersonationLoadBalancerService: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}-load-balancer
impersonationClusterIPService: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}-cluster-ip
impersonationTLSCertificateSecret: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}-tls-serving-certificate
impersonationCACertificateSecret: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}-ca-certificate
impersonationSignerSecret: {{ template "pinniped.concierge.impersonation-proxy.fullname" . }}-signer-ca-certificate
agentServiceAccount: {{ template "pinniped.concierge.kube-cert-agent.fullname" . }}
labels: {"app.kubernetes.io/part-of":"pinniped", "app.kubernetes.io/component": "concierge", "app.kubernetes.io/instance": "{{ .Release.Name }}"}
kubeCertAgent:
namePrefix: {{ template "pinniped.concierge.fullname" . }}-kube-cert-agent-
image: {{ template "pinniped.image" . }}
## @param concierge.credentialIssuerConfig [string] Configuration for the credential issuer
##
credentialIssuerConfig: |
impersonationProxy:
mode: auto
service:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
## Configure extra options for Concierge containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param concierge.livenessProbe.enabled Enable livenessProbe on Concierge containers
## @param concierge.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param concierge.livenessProbe.periodSeconds Period seconds for livenessProbe
## @param concierge.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param concierge.livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param concierge.livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## @param concierge.readinessProbe.enabled Enable readinessProbe on Concierge containers
## @param concierge.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param concierge.readinessProbe.periodSeconds Period seconds for readinessProbe
## @param concierge.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param concierge.readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param concierge.readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## @param concierge.startupProbe.enabled Enable startupProbe on Concierge containers
## @param concierge.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param concierge.startupProbe.periodSeconds Period seconds for startupProbe
## @param concierge.startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param concierge.startupProbe.failureThreshold Failure threshold for startupProbe
## @param concierge.startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
enabled: false
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## @param concierge.customLivenessProbe Custom livenessProbe that overrides the default one
##
customLivenessProbe: {}
## @param concierge.customReadinessProbe Custom readinessProbe that overrides the default one
##
customReadinessProbe: {}
## @param concierge.customStartupProbe Custom startupProbe that overrides the default one
##
customStartupProbe: {}
## Concierge resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
## @param concierge.resources.limits The resources limits for the Concierge containers
## @param concierge.resources.requests The requested resources for the Concierge containers
##
resources:
limits: {}
requests: {}
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param concierge.podSecurityContext.enabled Enabled Concierge pods' Security Context
## @param concierge.podSecurityContext.fsGroup Set Concierge pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param concierge.containerSecurityContext.enabled Enabled Concierge containers' Security Context
## @param concierge.containerSecurityContext.runAsUser Set Concierge containers' Security Context runAsUser
## @param concierge.containerSecurityContext.runAsNonRoot Set Concierge containers' Security Context runAsNonRoot
## @param concierge.containerSecurityContext.readOnlyRootFilesystem Enable readOnlyRootFilesystem
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
## @param concierge.existingConfigmap The name of an existing ConfigMap with your custom configuration for Concierge
##
existingConfigmap: ""
## @param concierge.command Override default container command (useful when using custom images)
##
command: []
## @param concierge.args Override default container args (useful when using custom images)
##
args: []
## @param concierge.deployAPIService Deploy the APIService objects
##
deployAPIService: true
## @param concierge.hostAliases Concierge pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param concierge.podLabels Extra labels for Concierge pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param concierge.podAnnotations Annotations for Concierge pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param concierge.podAffinityPreset Pod affinity preset. Ignored if `concierge.affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param concierge.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `concierge.affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node concierge.affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
## @param concierge.nodeAffinityPreset.type Node affinity preset type. Ignored if `concierge.affinity` is set. Allowed values: `soft` or `hard`
##
type: ""
## @param concierge.nodeAffinityPreset.key Node label key to match. Ignored if `concierge.affinity` is set
##
key: ""
## @param concierge.nodeAffinityPreset.values Node label values to match. Ignored if `concierge.affinity` is set
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param concierge.affinity Affinity for Concierge pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `concierge.podAffinityPreset`, `concierge.podAntiAffinityPreset`, and `concierge.nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## @param concierge.nodeSelector Node labels for Concierge pods assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## @param concierge.tolerations Tolerations for Concierge pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param concierge.updateStrategy.type Concierge statefulset strategy type
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
## @param concierge.priorityClassName Concierge pods' priorityClassName
##
priorityClassName: ""
## @param concierge.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: {}
## @param concierge.schedulerName Name of the k8s scheduler (other than default) for Concierge pods
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param concierge.terminationGracePeriodSeconds Seconds Redmine pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param concierge.lifecycleHooks for the Concierge container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param concierge.extraEnvVars Array with extra environment variables to add to Concierge nodes
## e.g:
## extraEnvVars:
## - name: FOO
## value: "bar"
##
extraEnvVars: []
## @param concierge.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Concierge nodes
##
extraEnvVarsCM: ""
## @param concierge.extraEnvVarsSecret Name of existing Secret containing extra env vars for Concierge nodes
##
extraEnvVarsSecret: ""
## @param concierge.extraVolumes Optionally specify extra list of additional volumes for the Concierge pod(s)
##
extraVolumes: []
## @param concierge.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Concierge container(s)
##
extraVolumeMounts: []
## @param concierge.sidecars Add additional sidecar containers to the Concierge pod(s)
## e.g:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: {}
## @param concierge.initContainers Add additional init containers to the Concierge pod(s)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## e.g:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## command: ['sh', '-c', 'echo "hello world"']
##
initContainers: {}
## @section Concierge RBAC settings
##
rbac:
## @param concierge.rbac.create Create Concierge RBAC objects
##
create: true
serviceAccount:
## @param concierge.serviceAccount.concierge.name Name of an existing Service Account for the Concierge Deployment
## @param concierge.serviceAccount.concierge.create Create a Service Account for the Concierge Deployment
## @param concierge.serviceAccount.concierge.automountServiceAccountToken Auto mount token for the Concierge Deployment Service Account
## @param concierge.serviceAccount.concierge.annotations Annotations for the Concierge Service Account
##
concierge:
name: ""
create: true
automountServiceAccountToken: true
annotations: {}
## @param concierge.serviceAccount.impersonationProxy.name Name of an existing Service Account for the Concierge Impersonator
## @param concierge.serviceAccount.impersonationProxy.create Create a Service Account for the Concierge Impersonator
## @param concierge.serviceAccount.impersonationProxy.automountServiceAccountToken Auto mount token for the Concierge Impersonator Service Account
## @param concierge.serviceAccount.impersonationProxy.annotations Annotations for the Concierge Service Account
##
impersonationProxy:
name: ""
create: true
automountServiceAccountToken: true
annotations: {}
## @param concierge.serviceAccount.kubeCertAgentService.name Name of an existing Service Account for the Concierge kube-cert-agent-service
## @param concierge.serviceAccount.kubeCertAgentService.create Create a Service Account for the Concierge kube-cert-agent-service
## @param concierge.serviceAccount.kubeCertAgentService.automountServiceAccountToken Auto mount token for the Concierge kube-cert-agent-service Service Account
## @param concierge.serviceAccount.kubeCertAgentService.annotations Annotations for the Concierge Service Account
##
kubeCertAgentService:
name: ""
create: true
automountServiceAccountToken: true
annotations: {}
## @section Concierge Traffic Exposure Parameters
##
## Concierge proxy service parameters
##
service:
## @param concierge.service.type Concierge service type
##
type: ClusterIP
## @param concierge.service.ports.https Concierge service HTTPS port
##
ports:
https: 443
## Node ports to expose
## @param concierge.service.nodePorts.https Node port for HTTPS
## NOTE: choose port between <30000-32767>
##
nodePorts:
https: ""
## @param concierge.service.clusterIP Concierge service Cluster IP
## e.g.:
## clusterIP: None
##
clusterIP: ""
## @param concierge.service.labels Add labels to the service
##
labels: {}
## @param concierge.service.loadBalancerIP Concierge service Load Balancer IP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
##
loadBalancerIP: ""
## @param concierge.service.loadBalancerSourceRanges Concierge service Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## e.g:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param concierge.service.externalTrafficPolicy Concierge service external traffic policy
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param concierge.service.annotations Additional custom annotations for Concierge service
##
annotations: {}
## @param concierge.service.extraPorts Extra ports to expose in Concierge service (normally used with the `sidecars` value)
##
extraPorts: []
## @param concierge.service.sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## ref: https://kubernetes.io/docs/user-guide/services/
##
sessionAffinity: None
## @param concierge.service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## @section Supervisor Parameters
##
##
supervisor:
## @param supervisor.enabled Deploy Supervisor
##
enabled: true
## @param supervisor.replicaCount Number of Supervisor replicas to deploy
##
replicaCount: 1
## @param supervisor.containerPorts.https Supervisor HTTP container port
##
containerPorts:
https: 8443
## @param supervisor.configuration [string] Supervisor pinniped.yaml configuration file
##
configuration: |
apiGroupSuffix: pinniped.dev
names:
defaultTLSCertificateSecret: {{ template "pinniped.supervisor.fullname" . }}-default-tls-certificate
labels: {"app.kubernetes.io/part-of":"pinniped", "app.kubernetes.io/component": "supervisor", "app.kubernetes.io/instance": "{{ .Release.Name }}"}
insecureAcceptExternalUnencryptedHttpRequests: false
## Configure extra options for Supervisor containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param supervisor.livenessProbe.enabled Enable livenessProbe on Supervisor containers
## @param supervisor.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param supervisor.livenessProbe.periodSeconds Period seconds for livenessProbe
## @param supervisor.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param supervisor.livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param supervisor.livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## @param supervisor.readinessProbe.enabled Enable readinessProbe on Supervisor containers
## @param supervisor.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param supervisor.readinessProbe.periodSeconds Period seconds for readinessProbe
## @param supervisor.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param supervisor.readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param supervisor.readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## @param supervisor.startupProbe.enabled Enable startupProbe on Supervisor containers
## @param supervisor.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param supervisor.startupProbe.periodSeconds Period seconds for startupProbe
## @param supervisor.startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param supervisor.startupProbe.failureThreshold Failure threshold for startupProbe
## @param supervisor.startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
enabled: false
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## @param supervisor.customLivenessProbe Custom livenessProbe that overrides the default one
##
customLivenessProbe: {}
## @param supervisor.customReadinessProbe Custom readinessProbe that overrides the default one
##
customReadinessProbe: {}
## @param supervisor.customStartupProbe Custom startupProbe that overrides the default one
##
customStartupProbe: {}
## Supervisor resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
## @param supervisor.resources.limits The resources limits for the Supervisor containers
## @param supervisor.resources.requests The requested resources for the Supervisor containers
##
resources:
limits: {}
requests: {}
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param supervisor.podSecurityContext.enabled Enabled Supervisor pods' Security Context
## @param supervisor.podSecurityContext.fsGroup Set Supervisor pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param supervisor.containerSecurityContext.enabled Enabled Supervisor containers' Security Context
## @param supervisor.containerSecurityContext.runAsUser Set Supervisor containers' Security Context runAsUser
## @param supervisor.containerSecurityContext.runAsNonRoot Set Supervisor containers' Security Context runAsNonRoot
## @param supervisor.containerSecurityContext.readOnlyRootFilesystem Enable readOnlyRootFilesystem
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
## @param supervisor.existingConfigmap The name of an existing ConfigMap with your custom configuration for Supervisor
##
existingConfigmap: ""
## @param supervisor.command Override default container command (useful when using custom images)
##
command: []
## @param supervisor.args Override default container args (useful when using custom images)
##
args: []
## @param supervisor.hostAliases Supervisor pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param supervisor.podLabels Extra labels for Supervisor pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param supervisor.podAnnotations Annotations for Supervisor pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param supervisor.podAffinityPreset Pod affinity preset. Ignored if `supervisor.affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param supervisor.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `supervisor.affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node supervisor.affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
## @param supervisor.nodeAffinityPreset.type Node affinity preset type. Ignored if `supervisor.affinity` is set. Allowed values: `soft` or `hard`
##
type: ""
## @param supervisor.nodeAffinityPreset.key Node label key to match. Ignored if `supervisor.affinity` is set
##
key: ""
## @param supervisor.nodeAffinityPreset.values Node label values to match. Ignored if `supervisor.affinity` is set
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param supervisor.affinity Affinity for Supervisor pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `supervisor.podAffinityPreset`, `supervisor.podAntiAffinityPreset`, and `supervisor.nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## @param supervisor.nodeSelector Node labels for Supervisor pods assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## @param supervisor.tolerations Tolerations for Supervisor pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param supervisor.updateStrategy.type Supervisor statefulset strategy type
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
## @param supervisor.priorityClassName Supervisor pods' priorityClassName
##
priorityClassName: ""
## @param supervisor.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: {}
## @param supervisor.schedulerName Name of the k8s scheduler (other than default) for Supervisor pods
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param supervisor.terminationGracePeriodSeconds Seconds Redmine pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param supervisor.lifecycleHooks for the Supervisor container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param supervisor.extraEnvVars Array with extra environment variables to add to Supervisor nodes
## e.g:
## extraEnvVars:
## - name: FOO
## value: "bar"
##
extraEnvVars: []
## @param supervisor.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Supervisor nodes
##
extraEnvVarsCM: ""
## @param supervisor.extraEnvVarsSecret Name of existing Secret containing extra env vars for Supervisor nodes
##
extraEnvVarsSecret: ""
## @param supervisor.extraVolumes Optionally specify extra list of additional volumes for the Supervisor pod(s)
##
extraVolumes: []
## @param supervisor.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Supervisor container(s)
##
extraVolumeMounts: []
## @param supervisor.sidecars Add additional sidecar containers to the Supervisor pod(s)
## e.g:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: {}
## @param supervisor.initContainers Add additional init containers to the Supervisor pod(s)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## e.g:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## command: ['sh', '-c', 'echo "hello world"']
##
initContainers: {}
## @section Supervisor RBAC settings
##
rbac:
## @param supervisor.rbac.create Create Supervisor RBAC objects
##
create: true
serviceAccount:
## @param supervisor.serviceAccount.name Name of an existing Service Account for the Supervisor Deployment
## @param supervisor.serviceAccount.create Create a Service Account for the Supervisor Deployment
## @param supervisor.serviceAccount.automountServiceAccountToken Auto mount token for the Supervisor Deployment Service Account
## @param supervisor.serviceAccount.annotations Annotations for the Supervisor Service Account
##
name: ""
create: true
automountServiceAccountToken: true
annotations: {}
## @section Supervisor Traffic Exposure Parameters
##
## Supervisor proxy service parameters
##
service:
## @param supervisor.service.type Supervisor service type
##
type: LoadBalancer
## @param supervisor.service.ports.https Supervisor service HTTPS port
##
ports:
https: 443
## Node ports to expose
## @param supervisor.service.nodePorts.https Node port for HTTPS
## NOTE: choose port between <30000-32767>
##
nodePorts:
https: ""
## @param supervisor.service.clusterIP Supervisor service Cluster IP
## e.g.:
## clusterIP: None
##
clusterIP: ""
## @param supervisor.service.labels Add labels to the service
##
labels: {}
## @param supervisor.service.loadBalancerIP Supervisor service Load Balancer IP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
##
loadBalancerIP: ""
## @param supervisor.service.loadBalancerSourceRanges Supervisor service Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## e.g:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param supervisor.service.externalTrafficPolicy Supervisor service external traffic policy
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param supervisor.service.annotations Additional custom annotations for Supervisor service
##
annotations: {}
## @param supervisor.service.extraPorts Extra ports to expose in Supervisor service (normally used with the `sidecars` value)
##
extraPorts: []
## @param supervisor.service.sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## ref: https://kubernetes.io/docs/user-guide/services/
##
sessionAffinity: None
## @param supervisor.service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Configure the ingress resource that allows you to access the Pinniped Supervisor installation
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
## @param supervisor.ingress.enabled Enable ingress record generation for Pinniped Supervisor
##
enabled: false
## @param supervisor.ingress.pathType Ingress path type
##
pathType: ImplementationSpecific
## @param supervisor.ingress.apiVersion Force Ingress API version (automatically detected if not set)
##
apiVersion: ""
## @param supervisor.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
##
ingressClassName: ""
## @param supervisor.ingress.hostname Default host for the ingress record
##
hostname: pinniped-supervisor.local
## @param supervisor.ingress.path Default path for the ingress record
## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
##
path: /
## @param supervisor.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
## Use this parameter to set the required annotations for cert-manager, see
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
##
## e.g:
## annotations:
## kubernetes.io/ingress.class: nginx
## cert-manager.io/cluster-issuer: cluster-issuer-name
##
annotations: {}
## @param supervisor.ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
## You can:
## - Use the `ingress.secrets` parameter to create this TLS secret
## - Rely on cert-manager to create it by setting the corresponding annotations
## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
##
tls: false
## @param supervisor.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
##
selfSigned: false
## @param supervisor.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
## e.g:
## extraHosts:
## - name: Pinniped Supervisor.local
## path: /
##
extraHosts: []
## @param supervisor.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
## e.g:
## extraPaths:
## - path: /*
## backend:
## serviceName: ssl-redirect
## servicePort: use-annotation
##
extraPaths: []
## @param supervisor.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## e.g:
## extraTls:
## - hosts:
## - Pinniped Supervisor.local
## secretName: Pinniped Supervisor.local-tls
##
extraTls: []
## @param supervisor.ingress.secrets Custom TLS certificates as secrets
## NOTE: 'key' and 'certificate' are expected in PEM format
## NOTE: 'name' should line up with a 'secretName' set further up
## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
## e.g:
## secrets:
## - name: Pinniped Supervisor.local-tls
## key: |-
## -----BEGIN RSA PRIVATE KEY-----
## ...
## -----END RSA PRIVATE KEY-----
## certificate: |-
## -----BEGIN CERTIFICATE-----
## ...
## -----END CERTIFICATE-----
##
secrets: []
## @param supervisor.ingress.extraRules Additional rules to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
## e.g:
## extraRules:
## - host: apache.local
## http:
## path: /
## backend:
## service:
## name: apache-svc
## port:
## name: http
##
extraRules: []