[bitnami/concourse] Add conjur integration to concourse (#10167)

* Add Conjur logic

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Remove extra whitespaces

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Use empty string for secrets

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Use empty string for applianceurl

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Revert NOTES.txt

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Fix typo

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Use underscore for all secrets

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Use underscore for all missing secrets

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Only mount conjur related secrets

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Improve README instructions

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Add validation to NOTES for Conjur values

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Only add token file if API is not provided

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Remove extra end in NOTES.txt

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Use helpers for validation

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Add validation when token and api are set

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Only add messages if conjur enabled

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Use simpler logic

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* [bitnami/concourse] Update components versions

Signed-off-by: Bitnami Containers <containers@bitnami.com>

Co-authored-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Co-authored-by: Bitnami Containers <containers@bitnami.com>
David Gomez
2022-05-13 19:03:49 +02:00
committed by GitHub
parent 48c4cea7eb
commit d21d31deba
8 changed files with 242 additions and 108 deletions

View File

@@ -1,9 +1,9 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 11.1.22
version: 11.1.29
- name: common
repository: https://charts.bitnami.com/bitnami
version: 1.13.0
digest: sha256:91b62b2599812ff7deabf4f57c6a5b95315d86d52eb698c399864ebedbfb93d5
generated: "2022-04-21T14:00:56.708944652Z"
version: 1.14.0
digest: sha256:6e2f702b5878d87ad89d433ceaeb48e669c5a62a92609dfd93221f4c2842f3c1
generated: "2022-05-13T15:21:56.441482744Z"

View File

@@ -30,4 +30,4 @@ name: concourse
sources:
- https://github.com/bitnami/bitnami-docker-concourse
- https://github.com/concourse/concourse
version: 1.0.20
version: 1.1.0

View File

@@ -91,6 +91,11 @@ The command removes all the Kubernetes components associated with the chart and
| `secrets.localAuth.enabled` | the use of local authentication (basic auth). | `true` |
| `secrets.localUsers` | List of `username:password` or `username:bcrypted_password` combinations for all your local concourse users. Auto-generated if not set | `""` |
| `secrets.teamAuthorizedKeys` | Array of team names and public keys for team external workers | `[]` |
| `secrets.conjurAccount` | Account for Conjur auth provider. | `""` |
| `secrets.conjurAuthnLogin` | Host username for Conjur auth provider. | `""` |
| `secrets.conjurAuthnApiKey` | API key for host used for Conjur auth provider. Either API key or token file can be used, but not both. | `""` |
| `secrets.conjurAuthnTokenFile` | Token file used for Conjur auth provider if running in Kubernetes or IAM. Either token file or API key can be used, but not both. | `""` |
| `secrets.conjurCACert` | CA Certificate to specify if conjur instance is deployed with a self-signed cert | `""` |
| `secrets.hostKey` | Concourse Host Keys. | `""` |
| `secrets.hostKeyPub` | Concourse Host Keys. | `""` |
| `secrets.sessionSigningKey` | Concourse Session Signing Keys. | `""` |
@@ -101,99 +106,104 @@ The command removes all the Kubernetes components associated with the chart and
### Concourse Web parameters
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `web.enabled` | Enable Concourse web component | `true` |
| `web.baseUrl` | url | `/` |
| `web.logLevel` | Minimum level of logs to see. Possible options: debug, info, error. | `debug` |
| `web.clusterName` | A name for this Concourse cluster, to be displayed on the dashboard page. | `""` |
| `web.bindIp` | IP address on which to listen for HTTP traffic (web UI and API). | `0.0.0.0` |
| `web.peerAddress` | Network address of this web node, reachable by other web nodes. | `""` |
| `web.externalUrl` | URL used to reach any ATC from the outside world. | `""` |
| `web.auth.cookieSecure` | use cookie secure true or false | `false` |
| `web.auth.duration` | Length of time for which tokens are valid. Afterwards, users will have to log back in. | `24h` |
| `web.auth.passwordConnector` | The connector to use for password authentication for `fly login -u ... -p ...`. | `""` |
| `web.auth.mainTeam.config` | Configuration file for specifying the main teams params. | `""` |
| `web.auth.mainTeam.localUser` | Comma-separated list of local Concourse users to be included as members of the `main` team. | `user` |
| `web.existingSecret` | Use an existing secret for the Web service credentials | `""` |
| `web.enableAcrossStep` | Enable the experimental across step to be used in jobs. The API is subject to change. | `false` |
| `web.enablePipelineInstances` | Enable the creation of instanced pipelines. | `false` |
| `web.enableCacheStreamedVolumes` | Enable caching streamed resource volumes on the destination worker. | `false` |
| `web.baseResourceTypeDefaults` | Configuration file for specifying defaults for base resource types | `""` |
| `web.tsa.logLevel` | Minimum level of logs to see. Possible values: debug, info, error | `debug` |
| `web.tsa.bindIp` | IP address on which to listen for SSH | `0.0.0.0` |
| `web.tsa.debugBindIp` | IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1) | `127.0.0.1` |
| `web.tsa.heartbeatInterval` | Interval on which to heartbeat workers to the ATC | `30s` |
| `web.tsa.gardenRequestTimeout` | How long to wait for requests to Garden to complete. 0 means no timeout | `""` |
| `web.tls.enabled` | enable serving HTTPS traffic directly through the web component. | `false` |
| `web.configRBAC` | Set RBAC configuration | `""` |
| `web.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for web | `""` |
| `web.command` | Override default container command (useful when using custom images) | `[]` |
| `web.args` | Override default container args (useful when using custom images) | `[]` |
| `web.extraEnvVars` | Array with extra environment variables to add to Concourse web nodes | `[]` |
| `web.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse web nodes | `""` |
| `web.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse web nodes | `""` |
| `web.replicaCount` | Number of Concourse web replicas to deploy | `1` |
| `web.containerPorts.http` | Concourse web UI and API HTTP container port | `8080` |
| `web.containerPorts.https` | Concourse web UI and API HTTPS container port | `8443` |
| `web.containerPorts.tsa` | Concourse web TSA SSH container port | `2222` |
| `web.containerPorts.pprof` | Concourse web TSA pprof server container port | `2221` |
| `web.livenessProbe.enabled` | Enable livenessProbe on Concourse web containers | `true` |
| `web.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `web.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
| `web.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` |
| `web.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` |
| `web.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `web.readinessProbe.enabled` | Enable readinessProbe on Concourse web containers | `true` |
| `web.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
| `web.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` |
| `web.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `web.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` |
| `web.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `web.startupProbe.enabled` | Enable startupProbe on Concourse web containers | `false` |
| `web.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `web.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `web.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `web.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `web.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `web.resources.limits` | The resources limits for the Concourse web containers | `{}` |
| `web.resources.requests` | The requested resources for the Concourse web containers | `{}` |
| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` |
| `web.podSecurityContext.fsGroup` | Set web pod's Security Context fsGroup | `1001` |
| `web.containerSecurityContext.enabled` | Enabled web containers' Security Context | `true` |
| `web.containerSecurityContext.runAsUser` | Set web containers' Security Context runAsUser | `1001` |
| `web.hostAliases` | Concourse web pod host aliases | `[]` |
| `web.podLabels` | Extra labels for Concourse web pods | `{}` |
| `web.podAnnotations` | Annotations for Concourse web pods | `{}` |
| `web.podAffinityPreset` | Pod affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `web.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `web.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `web.nodeAffinityPreset.key` | Node label key to match. Ignored if `web.affinity` is set | `""` |
| `web.nodeAffinityPreset.values` | Node label values to match. Ignored if `web.affinity` is set | `[]` |
| `web.affinity` | Affinity for web pods assignment | `{}` |
| `web.nodeSelector` | Node labels for web pods assignment | `{}` |
| `web.tolerations` | Tolerations for web pods assignment | `[]` |
| `web.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` |
| `web.priorityClassName` | Priority Class to use for each pod (Concourse web) | `""` |
| `web.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `web.terminationGracePeriodSeconds` | Seconds Concourse web pod needs to terminate gracefully | `""` |
| `web.updateStrategy.rollingUpdate` | Concourse web statefulset rolling update configuration parameters | `{}` |
| `web.updateStrategy.type` | Concourse web statefulset strategy type | `RollingUpdate` |
| `web.lifecycleHooks` | lifecycleHooks for the Concourse web container(s) | `{}` |
| `web.extraVolumes` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
| `web.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
| `web.sidecars` | Add additional sidecar containers to the Concourse web pod(s) | `[]` |
| `web.initContainers` | Add additional init containers to the Concourse web pod(s) | `[]` |
| `web.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
| `web.rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `web.rbac.rules` | Custom RBAC rules to set | `[]` |
| `web.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `web.serviceAccount.name` | Override Web service account name | `""` |
| `web.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
| `web.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| `web.enabled` | Enable Concourse web component | `true` |
| `web.baseUrl` | url | `/` |
| `web.logLevel` | Minimum level of logs to see. Possible options: debug, info, error. | `debug` |
| `web.clusterName` | A name for this Concourse cluster, to be displayed on the dashboard page. | `""` |
| `web.bindIp` | IP address on which to listen for HTTP traffic (web UI and API). | `0.0.0.0` |
| `web.peerAddress` | Network address of this web node, reachable by other web nodes. | `""` |
| `web.externalUrl` | URL used to reach any ATC from the outside world. | `""` |
| `web.auth.cookieSecure` | use cookie secure true or false | `false` |
| `web.auth.duration` | Length of time for which tokens are valid. Afterwards, users will have to log back in. | `24h` |
| `web.auth.passwordConnector` | The connector to use for password authentication for `fly login -u ... -p ...`. | `""` |
| `web.auth.mainTeam.config` | Configuration file for specifying the main teams params. | `""` |
| `web.auth.mainTeam.localUser` | Comma-separated list of local Concourse users to be included as members of the `main` team. | `user` |
| `web.existingSecret` | Use an existing secret for the Web service credentials | `""` |
| `web.enableAcrossStep` | Enable the experimental across step to be used in jobs. The API is subject to change. | `false` |
| `web.enablePipelineInstances` | Enable the creation of instanced pipelines. | `false` |
| `web.enableCacheStreamedVolumes` | Enable caching streamed resource volumes on the destination worker. | `false` |
| `web.baseResourceTypeDefaults` | Configuration file for specifying defaults for base resource types | `""` |
| `web.tsa.logLevel` | Minimum level of logs to see. Possible values: debug, info, error | `debug` |
| `web.tsa.bindIp` | IP address on which to listen for SSH | `0.0.0.0` |
| `web.tsa.debugBindIp` | IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1) | `127.0.0.1` |
| `web.tsa.heartbeatInterval` | Interval on which to heartbeat workers to the ATC | `30s` |
| `web.tsa.gardenRequestTimeout` | How long to wait for requests to Garden to complete. 0 means no timeout | `""` |
| `web.tls.enabled` | enable serving HTTPS traffic directly through the web component. | `false` |
| `web.configRBAC` | Set RBAC configuration | `""` |
| `web.conjur.enabled` | Enable the use of Conjur as a credential manager | `false` |
| `web.conjur.applianceUrl` | URL of the Conjur instance. | `""` |
| `web.conjur.pipelineSecretTemplate` | Path used to locate pipeline-level secret | `concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}` |
| `web.conjur.teamSecretTemplate` | Path used to locate team-level secret | `concourse/{{.Team}}/{{.Secret}}` |
| `web.conjur.secretTemplate` | Path used to locate a vault or safe-level secret | `concourse/{{.Secret}}` |
| `web.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for web | `""` |
| `web.command` | Override default container command (useful when using custom images) | `[]` |
| `web.args` | Override default container args (useful when using custom images) | `[]` |
| `web.extraEnvVars` | Array with extra environment variables to add to Concourse web nodes | `[]` |
| `web.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse web nodes | `""` |
| `web.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse web nodes | `""` |
| `web.replicaCount` | Number of Concourse web replicas to deploy | `1` |
| `web.containerPorts.http` | Concourse web UI and API HTTP container port | `8080` |
| `web.containerPorts.https` | Concourse web UI and API HTTPS container port | `8443` |
| `web.containerPorts.tsa` | Concourse web TSA SSH container port | `2222` |
| `web.containerPorts.pprof` | Concourse web TSA pprof server container port | `2221` |
| `web.livenessProbe.enabled` | Enable livenessProbe on Concourse web containers | `true` |
| `web.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `web.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
| `web.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` |
| `web.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` |
| `web.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `web.readinessProbe.enabled` | Enable readinessProbe on Concourse web containers | `true` |
| `web.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
| `web.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` |
| `web.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `web.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` |
| `web.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `web.startupProbe.enabled` | Enable startupProbe on Concourse web containers | `false` |
| `web.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `web.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `web.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `web.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `web.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `web.resources.limits` | The resources limits for the Concourse web containers | `{}` |
| `web.resources.requests` | The requested resources for the Concourse web containers | `{}` |
| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` |
| `web.podSecurityContext.fsGroup` | Set web pod's Security Context fsGroup | `1001` |
| `web.containerSecurityContext.enabled` | Enabled web containers' Security Context | `true` |
| `web.containerSecurityContext.runAsUser` | Set web containers' Security Context runAsUser | `1001` |
| `web.hostAliases` | Concourse web pod host aliases | `[]` |
| `web.podLabels` | Extra labels for Concourse web pods | `{}` |
| `web.podAnnotations` | Annotations for Concourse web pods | `{}` |
| `web.podAffinityPreset` | Pod affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `web.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `web.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `web.nodeAffinityPreset.key` | Node label key to match. Ignored if `web.affinity` is set | `""` |
| `web.nodeAffinityPreset.values` | Node label values to match. Ignored if `web.affinity` is set | `[]` |
| `web.affinity` | Affinity for web pods assignment | `{}` |
| `web.nodeSelector` | Node labels for web pods assignment | `{}` |
| `web.tolerations` | Tolerations for web pods assignment | `[]` |
| `web.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` |
| `web.priorityClassName` | Priority Class to use for each pod (Concourse web) | `""` |
| `web.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `web.terminationGracePeriodSeconds` | Seconds Concourse web pod needs to terminate gracefully | `""` |
| `web.updateStrategy.rollingUpdate` | Concourse web statefulset rolling update configuration parameters | `{}` |
| `web.updateStrategy.type` | Concourse web statefulset strategy type | `RollingUpdate` |
| `web.lifecycleHooks` | lifecycleHooks for the Concourse web container(s) | `{}` |
| `web.extraVolumes` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
| `web.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
| `web.sidecars` | Add additional sidecar containers to the Concourse web pod(s) | `[]` |
| `web.initContainers` | Add additional init containers to the Concourse web pod(s) | `[]` |
| `web.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
| `web.rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `web.rbac.rules` | Custom RBAC rules to set | `[]` |
| `web.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `web.serviceAccount.name` | Override Web service account name | `""` |
| `web.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
| `web.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
### Concourse Worker parameters

View File

@@ -55,7 +55,7 @@ host. To configure Concourse with the URL of your service:
{{- if .Values.postgresql.enabled }}
{{- if and .Values.secrets.localAuth.enabled }}
{{ include "common.utils.secret.getvalue" (dict "secret" $concourseWebSecretName "field" "local-users" "context" $) }}
{{ include "common.utils.secret.getvalue" (dict "secret" $concourseWebSecretName "field" "local_users" "context" $) }}
{{- end }}
helm upgrade --namespace {{ $releaseNamespace }} {{ .Release.Name }} bitnami/{{ .Chart.Name }} \
{{- if and .Values.secrets.localAuth.enabled }}
@@ -104,7 +104,7 @@ Get your Concourse login credentials by running:
echo "Username : Password
-------------------
$(kubectl get secret --namespace {{ $releaseNamespace }} {{ $concourseWebSecretName }} -o jsonpath="{.data.local-users}" | base64 --decode)"
$(kubectl get secret --namespace {{ $releaseNamespace }} {{ $concourseWebSecretName }} -o jsonpath="{.data.local_users}" | base64 --decode)"
Concourse can be accessed via port {{ .Values.web.containerPorts.http }}: on the following DNS name from within your cluster:
@@ -153,13 +153,16 @@ To connect to Concourse from outside the cluster, perform the following steps:
{{- end }}
{{- include "concourse.validateValues" . }}
{{- if .Values.web.conjur.enabled -}}
{{- include "concourse.web.conjur.validateValues" . }}
{{- end }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
{{- $passwordValidationErrors := list -}}
{{- if and .Values.secrets.localAuth.enabled (not .Values.web.existingSecret) -}}
{{- $secretName := include "concourse.web.secretName" . -}}
{{- $requiredWebPassword := dict "valueKey" "secrets.localUsers" "secret" $secretName "field" "local-users" "context" $ -}}
{{- $requiredWebPassword := dict "valueKey" "secrets.localUsers" "secret" $secretName "field" "local_users" "context" $ -}}
{{- $requiredWebPasswordError := include "common.validations.values.single.empty" $requiredWebPassword -}}
{{- $passwordValidationErrors = append $passwordValidationErrors $requiredWebPasswordError -}}
{{- end }}
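Review bot: the Conjur checks now run twice. The added `{{- include "concourse.web.conjur.validateValues" . }}` (guarded by `web.conjur.enabled`) sits directly after `{{- include "concourse.validateValues" . }}`, but the _helpers.tpl change in this same commit already appends `concourse.web.conjur.validateValues` to the message list inside `concourse.validateValues`, so every Conjur error is printed twice when Conjur is enabled. Drop the three added lines here; the helper itself returns nothing when `web.conjur.enabled` is false, so the surrounding `if` is redundant as well.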

View File

@@ -229,6 +229,7 @@ Compile all warnings into a single message.
{{- define "concourse.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "concourse.validateValues.enabled" .) -}}
{{- $messages := append $messages (include "concourse.web.conjur.validateValues" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
@@ -243,3 +244,24 @@ concourse: enabled
Must set either web.enabled or worker.enabled to create a Concourse deployment
{{- end -}}
{{- end -}}
{{/* Check Conjur parameters */}}
{{- define "concourse.web.conjur.validateValues" -}}
{{- if .Values.web.conjur.enabled -}}
{{- if (empty .Values.web.conjur.applianceUrl) -}}
{{- printf "Must set web.conjur.applianceUrl to integrate Conjur. Please set the parameter (--set web.conjur.applianceUrl=\"xxxx\")." -}}
{{- end -}}
{{- if (empty .Values.secrets.conjurAccount) -}}
{{- printf "Must set secrets.conjurAccount to integrate Conjur. Please set the parameter (--set secrets.conjurAccount=\"xxxx\")." -}}
{{- end -}}
{{- if (empty .Values.secrets.conjurAuthnLogin) -}}
{{- printf "Must set secrets.conjurAuthnLogin to integrate Conjur. Please set the parameter (--set secrets.conjurAuthnLogin=\"xxxx\")." -}}
{{- end -}}
{{- if and (empty .Values.secrets.conjurAuthnTokenFile) (empty .Values.secrets.conjurAuthnApiKey) -}}
{{- printf "Must set either secrets.conjurAuthnApiKey or secrets.conjurAuthnTokenFile to integrate Conjur. Please set the parameter (--set secrets.conjurAuthnLogin=\"xxxx\" or --set secrets.conjurAuthnTokenFile=\"xxxx\")" -}}
{{- end -}}
{{- if and .Values.secrets.conjurAuthnTokenFile .Values.secrets.conjurAuthnApiKey -}}
{{- printf "You specified both secrets.conjurAuthnTokenFile and secrets.conjurAuthnApiKey. You can only set one to integrate Conjur." -}}
{{- end -}}
{{- end -}}
{{- end -}}
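Review bot: the hint in the "Must set either secrets.conjurAuthnApiKey or secrets.conjurAuthnTokenFile" message names the wrong parameter: it reads `--set secrets.conjurAuthnLogin=\"xxxx\"` where it should read `--set secrets.conjurAuthnApiKey=\"xxxx\"`. Separately, the helper concatenates the output of its `printf` calls with no separator, so when two checks fail (say `applianceUrl` and `conjurAccount` both empty) the sentences run together on one line; `concourse.validateValues` joins list entries with "\n" but only ever receives this one string. Either terminate each `printf` with `\n` or return one message per check.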

View File

@@ -243,7 +243,7 @@ spec:
valueFrom:
secretKeyRef:
name: {{ template "concourse.web.fullname" . }}
key: local-users
key: local_users
{{- end }}
{{- if .Values.web.clusterName }}
- name: CONCOURSE_CLUSTER_NAME
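Review bot: renaming the Secret key from `local-users` to `local_users` in this `secretKeyRef` (and in secret.yaml and NOTES.txt in the same commit) is a breaking change for anyone who pre-populated or patched the web Secret with the old key name: after the upgrade the env var lookup fails and the pod does not start. Chart.yaml only moves from 1.0.20 to 1.1.0; either bump the major version or add an "Upgrading" note telling users to rename the key.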
@@ -293,6 +293,42 @@ spec:
value: {{ include "concourse.database.port" . }}
- name: CONCOURSE_POSTGRES_USER
value: {{ include "concourse.database.user" . }}
{{- if .Values.web.conjur.enabled }}
- name: CONCOURSE_CONJUR_APPLIANCE_URL
value: {{ .Values.web.conjur.applianceUrl | quote }}
- name: CONCOURSE_CONJUR_ACCOUNT
valueFrom:
secretKeyRef:
name: {{ template "concourse.web.fullname" . }}
key: conjur_account
{{- if .Values.secrets.conjurCACert }}
- name: CONCOURSE_CONJUR_CERT_FILE
value: "/bitnami/concourse/conjur-keys/ca.cert"
{{- end }}
- name: CONCOURSE_CONJUR_AUTHN_LOGIN
valueFrom:
secretKeyRef:
name: {{ template "concourse.web.fullname" . }}
key: conjur_authn_login
- name: CONCOURSE_CONJUR_AUTHN_API_KEY
valueFrom:
secretKeyRef:
name: {{ template "concourse.web.fullname" . }}
key: conjur_authn_api_key
{{- if (empty .Values.secrets.conjurAuthnApiKey) }}
- name: CONCOURSE_CONJUR_AUTHN_TOKEN_FILE
valueFrom:
secretKeyRef:
name: {{ template "concourse.web.fullname" . }}
key: conjur_authn_token_file
{{- end }}
- name: CONCOURSE_CONJUR_PIPELINE_SECRET_TEMPLATE
value: {{ .Values.web.conjur.pipelineSecretTemplate | quote }}
- name: CONCOURSE_CONJUR_TEAM_SECRET_TEMPLATE
value: {{ .Values.web.conjur.teamSecretTemplate | quote }}
- name: CONCOURSE_CONJUR_SECRET_TEMPLATE
value: {{ .Values.web.conjur.secretTemplate | quote }}
{{- end }}
envFrom:
{{- if .Values.web.extraEnvVarsCM }}
- configMapRef:
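Review bot: `CONCOURSE_CONJUR_AUTHN_API_KEY` is injected unconditionally from the `conjur_authn_api_key` key, while `CONCOURSE_CONJUR_AUTHN_TOKEN_FILE` is only injected when the API key is empty, so with token-file auth the container still receives the API-key variable set to the empty string that secret.yaml writes via `default ""`. Mirror the guard and wrap the API-key block in `{{- if .Values.secrets.conjurAuthnApiKey }}` so only the credential actually in use reaches the container; the both-set check in `concourse.web.conjur.validateValues` already guarantees the two are mutually exclusive. Also note that every Conjur value is read from the Secret named by `concourse.web.fullname` rather than `concourse.web.secretName`, so a user providing credentials through `web.existingSecret` cannot supply them; if that is intended, say so on the `secrets.conjur*` parameters.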
@@ -342,7 +378,7 @@ spec:
{{- else if .Values.web.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.web.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumeMounts:
- name: concourse-keys
mountPath: /bitnami/concourse/concourse-keys
@@ -352,6 +388,11 @@ spec:
mountPath: /bitnami/concourse/team-authorized-keys
readOnly: true
{{- end }}
{{- if .Values.web.conjur.enabled }}
- name: conjur-keys
mountPath: /bitnami/concourse/conjur-keys
readOnly: true
{{- end }}
{{- if .Values.web.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.web.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -366,6 +407,13 @@ spec:
secret:
secretName: {{ include "concourse.web.secretName" . }}
defaultMode: 0400
items:
- key: host_key
path: host_key
- key: session_signing_key
path: session_signing_key
- key: worker_key.pub
path: worker_key.pub
{{- if .Values.secrets.teamAuthorizedKeys }}
- name: team-authorized-keys
secret:
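Review bot: adding an `items` list to the `concourse-keys` volume is the right call, since it stops `local_users` (and now the Conjur entries) from being projected onto disk alongside the SSH keys. One consequence to document: when `web.existingSecret` is used, that Secret must now contain the keys `host_key`, `session_signing_key` and `worker_key.pub`, because a Secret volume whose `items` name a missing key fails to mount and the pod stays in ContainerCreating.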
@@ -375,4 +423,23 @@ spec:
{{- if .Values.web.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.web.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.web.conjur.enabled }}
- name: conjur-keys
secret:
secretName: {{ template "concourse.web.fullname" . }}
defaultMode: 0400
items:
- key: conjur_account
path: conjur_account
- key: conjur_authn_api_key
path: conjur_authn_api_key
- key: conjur_authn_login
path: conjur_authn_login
- key: conjur_authn_token_file
path: conjur_authn_token_file
{{- if .Values.secrets.conjurCACert }}
- key: conjur_ca_cert
path: ca.cert
{{- end }}
{{- end }}
{{- end }}
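Review bot: only `ca.cert` is read from this mount (`CONCOURSE_CONJUR_CERT_FILE` points at `/bitnami/concourse/conjur-keys/ca.cert`); `conjur_account`, `conjur_authn_login`, `conjur_authn_api_key` and `conjur_authn_token_file` are already delivered as environment variables via `secretKeyRef`, so listing them here writes the API key to the container filesystem for no consumer. Reduce `items` to the CA certificate entry, and since the volume then exists for that one file, guard both the volume and its `volumeMounts` entry with `{{- if .Values.secrets.conjurCACert }}` instead of `web.conjur.enabled`.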

View File

@@ -19,9 +19,16 @@ data:
worker_key.pub: {{ .Values.secrets.workerKeyPub | b64enc | quote }}
{{- if .Values.secrets.localAuth.enabled }}
{{- if .Values.secrets.localUsers }}
local-users: {{ .Values.secrets.localUsers | b64enc | quote }}
local_users: {{ .Values.secrets.localUsers | b64enc | quote }}
{{- else }}
local-users: {{ printf "user:%s" (randAlphaNum 10) | b64enc | quote }}
local_users: {{ printf "user:%s" (randAlphaNum 10) | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.web.conjur.enabled }}
conjur_account: {{ default "" .Values.secrets.conjurAccount | b64enc | quote }}
conjur_authn_login: {{ default "" .Values.secrets.conjurAuthnLogin | b64enc | quote }}
conjur_authn_api_key: {{ default "" .Values.secrets.conjurAuthnApiKey | b64enc | quote }}
conjur_authn_token_file: {{ default "" .Values.secrets.conjurAuthnTokenFile | b64enc | quote }}
conjur_ca_cert: {{ default "" .Values.secrets.conjurCACert | b64enc | quote }}
{{- end }}
{{- end }}

View File

@@ -67,7 +67,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/concourse
tag: 7.7.1-debian-10-r22
tag: 7.7.1-debian-10-r43
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -86,7 +86,7 @@ image:
##
secrets:
## @param secrets.localAuth.enabled the use of local authentication (basic auth).
## Once enabled, users configured through `local-users` (secret)
## Once enabled, users configured through `local_users` (secret)
## are able to authenticate.
## Ref: https://concourse-ci.org/local-auth.html
##
@@ -109,6 +109,17 @@ secrets:
## https://concourse-ci.org/global-resources.html#complications-with-reusing-containers
##
teamAuthorizedKeys: []
## Secrets for Conjur credentials manager.
## @param secrets.conjurAccount Account for Conjur auth provider.
conjurAccount: ""
## @param secrets.conjurAuthnLogin Host username for Conjur auth provider.
conjurAuthnLogin: ""
## @param secrets.conjurAuthnApiKey API key for host used for Conjur auth provider. Either API key or token file can be used, but not both.
conjurAuthnApiKey: ""
## @param secrets.conjurAuthnTokenFile Token file used for Conjur auth provider if running in Kubernetes or IAM. Either token file or API key can be used, but not both.
conjurAuthnTokenFile: ""
## @param secrets.conjurCACert CA Certificate to specify if conjur instance is deployed with a self-signed cert
conjurCACert: ""
## @param secrets.hostKey [string] Concourse Host Keys.
## Example value taken from https://github.com/concourse/concourse-chart/blob/master/values.yaml
## Ref: https://concourse-ci.org/install.html#generating-keys
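Review bot: the `@param secrets.conjurAuthnTokenFile` description should state that the value is a file path, not the token itself. The deployment feeds it into `CONCOURSE_CONJUR_AUTHN_TOKEN_FILE`, whose name indicates the path of the per-pod token that the Kubernetes or IAM authenticator writes; a user who pastes token contents into this value gets an env var that Concourse tries to open as a file. Storing a path under `secrets:` and base64-encoding it into a Secret is harmless but misleading; either move it under `web.conjur` next to `applianceUrl` or spell out the path semantics here (the README table is generated from these comments, so the fix belongs in values.yaml).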
@@ -318,6 +329,20 @@ web:
enabled: false
## @param web.configRBAC Set RBAC configuration
##
## Configuration for using Conjur as a credential manager.
## Ref: https://concourse-ci.org/conjur-credential-manager.html
##
conjur:
## @param web.conjur.enabled Enable the use of Conjur as a credential manager
enabled: false
## @param web.conjur.applianceUrl URL of the Conjur instance.
applianceUrl: ""
## @param web.conjur.pipelineSecretTemplate Path used to locate pipeline-level secret
pipelineSecretTemplate: concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
## @param web.conjur.teamSecretTemplate Path used to locate team-level secret
teamSecretTemplate: concourse/{{.Team}}/{{.Secret}}
## @param web.conjur.secretTemplate Path used to locate a vault or safe-level secret
secretTemplate: concourse/{{.Secret}}
configRBAC: ""
## @param web.existingConfigmap The name of an existing ConfigMap with your custom configuration for web
##
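Review bot: the new `conjur:` block is inserted between the `## @param web.configRBAC Set RBAC configuration` comment and its key `configRBAC: ""`, so the comment now documents the wrong key when read top to bottom. Move the block after `configRBAC: ""` (or before the `@param web.configRBAC` comment) so each `@param` line stays adjacent to the value it describes.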
@@ -1151,7 +1176,7 @@ volumePermissions:
image:
registry: docker.io
repository: bitnami/bitnami-shell
tag: 10-debian-10-r402
tag: 10-debian-10-r424
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.