diff --git a/bitnami/concourse/Chart.lock b/bitnami/concourse/Chart.lock
index 9fafb73ad5..beb2160c8e 100644
--- a/bitnami/concourse/Chart.lock
+++ b/bitnami/concourse/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
- version: 11.1.22
+ version: 11.1.29
 - name: common
 repository: https://charts.bitnami.com/bitnami
- version: 1.13.0
-digest: sha256:91b62b2599812ff7deabf4f57c6a5b95315d86d52eb698c399864ebedbfb93d5
-generated: "2022-04-21T14:00:56.708944652Z"
+ version: 1.14.0
+digest: sha256:6e2f702b5878d87ad89d433ceaeb48e669c5a62a92609dfd93221f4c2842f3c1
+generated: "2022-05-13T15:21:56.441482744Z"
diff --git a/bitnami/concourse/Chart.yaml b/bitnami/concourse/Chart.yaml
index 4a3af411ea..8ed5d32c8a 100644
--- a/bitnami/concourse/Chart.yaml
+++ b/bitnami/concourse/Chart.yaml
@@ -30,4 +30,4 @@ name: concourse
 sources:
 - https://github.com/bitnami/bitnami-docker-concourse
 - https://github.com/concourse/concourse
-version: 1.0.20
+version: 1.1.0
\ No newline at end of file
diff --git a/bitnami/concourse/README.md b/bitnami/concourse/README.md
index 07c4c19a28..fda930f146 100644
--- a/bitnami/concourse/README.md
+++ b/bitnami/concourse/README.md
@@ -91,6 +91,11 @@ The command removes all the Kubernetes components associated with the chart and | `secrets.localAuth.enabled` | the use of local authentication (basic auth). | `true` | | `secrets.localUsers` | List of `username:password` or `username:bcrypted_password` combinations for all your local concourse users. Auto-generated if not set | `""` | | `secrets.teamAuthorizedKeys` | Array of team names and public keys for team external workers | `[]` | +| `secrets.conjurAccount` | Account for Conjur auth provider. | `""` | +| `secrets.conjurAuthnLogin` | Host username for Conjur auth provider. | `""` | +| `secrets.conjurAuthnApiKey` | API key for host used for Conjur auth provider. Either API key or token file can be used, but not both. | `""` | +| `secrets.conjurAuthnTokenFile` | Token file used for Conjur auth provider if running in Kubernetes or IAM. Either token file or API key can be used, but not both. | `""` | +| `secrets.conjurCACert` | CA Certificate to specify if conjur instance is deployed with a self-signed cert | `""` | | `secrets.hostKey` | Concourse Host Keys. | `""` | | `secrets.hostKeyPub` | Concourse Host Keys. | `""` | | `secrets.sessionSigningKey` | Concourse Session Signing Keys. | `""` | 
@@ -101,99 +106,104 @@ The command removes all the Kubernetes components associated with the chart and ### Concourse Web parameters -| Name | Description | Value | -| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | -| `web.enabled` | Enable Concourse web component | `true` | -| `web.baseUrl` | url | `/` | -| `web.logLevel` | Minimum level of logs to see. Possible options: debug, info, error. | `debug` | -| `web.clusterName` | A name for this Concourse cluster, to be displayed on the dashboard page. | `""` | -| `web.bindIp` | IP address on which to listen for HTTP traffic (web UI and API). | `0.0.0.0` | -| `web.peerAddress` | Network address of this web node, reachable by other web nodes. | `""` | -| `web.externalUrl` | URL used to reach any ATC from the outside world. | `""` | -| `web.auth.cookieSecure` | use cookie secure true or false | `false` | -| `web.auth.duration` | Length of time for which tokens are valid. Afterwards, users will have to log back in. | `24h` | -| `web.auth.passwordConnector` | The connector to use for password authentication for `fly login -u ... -p ...`. | `""` | -| `web.auth.mainTeam.config` | Configuration file for specifying the main teams params. | `""` | -| `web.auth.mainTeam.localUser` | Comma-separated list of local Concourse users to be included as members of the `main` team. | `user` | -| `web.existingSecret` | Use an existing secret for the Web service credentials | `""` | -| `web.enableAcrossStep` | Enable the experimental across step to be used in jobs. The API is subject to change. | `false` | -| `web.enablePipelineInstances` | Enable the creation of instanced pipelines. | `false` | -| `web.enableCacheStreamedVolumes` | Enable caching streamed resource volumes on the destination worker. 
| `false` | -| `web.baseResourceTypeDefaults` | Configuration file for specifying defaults for base resource types | `""` | -| `web.tsa.logLevel` | Minimum level of logs to see. Possible values: debug, info, error | `debug` | -| `web.tsa.bindIp` | IP address on which to listen for SSH | `0.0.0.0` | -| `web.tsa.debugBindIp` | IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1) | `127.0.0.1` | -| `web.tsa.heartbeatInterval` | Interval on which to heartbeat workers to the ATC | `30s` | -| `web.tsa.gardenRequestTimeout` | How long to wait for requests to Garden to complete. 0 means no timeout | `""` | -| `web.tls.enabled` | enable serving HTTPS traffic directly through the web component. | `false` | -| `web.configRBAC` | Set RBAC configuration | `""` | -| `web.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for web | `""` | -| `web.command` | Override default container command (useful when using custom images) | `[]` | -| `web.args` | Override default container args (useful when using custom images) | `[]` | -| `web.extraEnvVars` | Array with extra environment variables to add to Concourse web nodes | `[]` | -| `web.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse web nodes | `""` | -| `web.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse web nodes | `""` | -| `web.replicaCount` | Number of Concourse web replicas to deploy | `1` | -| `web.containerPorts.http` | Concourse web UI and API HTTP container port | `8080` | -| `web.containerPorts.https` | Concourse web UI and API HTTPS container port | `8443` | -| `web.containerPorts.tsa` | Concourse web TSA SSH container port | `2222` | -| `web.containerPorts.pprof` | Concourse web TSA pprof server container port | `2221` | -| `web.livenessProbe.enabled` | Enable livenessProbe on Concourse web containers | `true` | -| `web.livenessProbe.initialDelaySeconds` | Initial delay seconds for 
livenessProbe | `10` | -| `web.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` | -| `web.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` | -| `web.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` | -| `web.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `web.readinessProbe.enabled` | Enable readinessProbe on Concourse web containers | `true` | -| `web.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | -| `web.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` | -| `web.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `web.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` | -| `web.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `web.startupProbe.enabled` | Enable startupProbe on Concourse web containers | `false` | -| `web.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | -| `web.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `web.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `web.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `web.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `web.resources.limits` | The resources limits for the Concourse web containers | `{}` | -| `web.resources.requests` | The requested resources for the Concourse web containers | `{}` | -| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` | -| `web.podSecurityContext.fsGroup` | Set web 
pod's Security Context fsGroup | `1001` | -| `web.containerSecurityContext.enabled` | Enabled web containers' Security Context | `true` | -| `web.containerSecurityContext.runAsUser` | Set web containers' Security Context runAsUser | `1001` | -| `web.hostAliases` | Concourse web pod host aliases | `[]` | -| `web.podLabels` | Extra labels for Concourse web pods | `{}` | -| `web.podAnnotations` | Annotations for Concourse web pods | `{}` | -| `web.podAffinityPreset` | Pod affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `web.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `web.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `web.nodeAffinityPreset.key` | Node label key to match. Ignored if `web.affinity` is set | `""` | -| `web.nodeAffinityPreset.values` | Node label values to match. Ignored if `web.affinity` is set | `[]` | -| `web.affinity` | Affinity for web pods assignment | `{}` | -| `web.nodeSelector` | Node labels for web pods assignment | `{}` | -| `web.tolerations` | Tolerations for web pods assignment | `[]` | -| `web.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` | -| `web.priorityClassName` | Priority Class to use for each pod (Concourse web) | `""` | -| `web.schedulerName` | Use an alternate scheduler, e.g. "stork". 
| `""` | -| `web.terminationGracePeriodSeconds` | Seconds Concourse web pod needs to terminate gracefully | `""` | -| `web.updateStrategy.rollingUpdate` | Concourse web statefulset rolling update configuration parameters | `{}` | -| `web.updateStrategy.type` | Concourse web statefulset strategy type | `RollingUpdate` | -| `web.lifecycleHooks` | lifecycleHooks for the Concourse web container(s) | `{}` | -| `web.extraVolumes` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` | -| `web.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` | -| `web.sidecars` | Add additional sidecar containers to the Concourse web pod(s) | `[]` | -| `web.initContainers` | Add additional init containers to the Concourse web pod(s) | `[]` | -| `web.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | -| `web.rbac.create` | Specifies whether RBAC resources should be created | `true` | -| `web.rbac.rules` | Custom RBAC rules to set | `[]` | -| `web.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `web.serviceAccount.name` | Override Web service account name | `""` | -| `web.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | -| `web.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | +| `web.enabled` | Enable Concourse web component | `true` | +| `web.baseUrl` | url | `/` | +| `web.logLevel` | Minimum level of logs to see. 
Possible options: debug, info, error. | `debug` | +| `web.clusterName` | A name for this Concourse cluster, to be displayed on the dashboard page. | `""` | +| `web.bindIp` | IP address on which to listen for HTTP traffic (web UI and API). | `0.0.0.0` | +| `web.peerAddress` | Network address of this web node, reachable by other web nodes. | `""` | +| `web.externalUrl` | URL used to reach any ATC from the outside world. | `""` | +| `web.auth.cookieSecure` | use cookie secure true or false | `false` | +| `web.auth.duration` | Length of time for which tokens are valid. Afterwards, users will have to log back in. | `24h` | +| `web.auth.passwordConnector` | The connector to use for password authentication for `fly login -u ... -p ...`. | `""` | +| `web.auth.mainTeam.config` | Configuration file for specifying the main teams params. | `""` | +| `web.auth.mainTeam.localUser` | Comma-separated list of local Concourse users to be included as members of the `main` team. | `user` | +| `web.existingSecret` | Use an existing secret for the Web service credentials | `""` | +| `web.enableAcrossStep` | Enable the experimental across step to be used in jobs. The API is subject to change. | `false` | +| `web.enablePipelineInstances` | Enable the creation of instanced pipelines. | `false` | +| `web.enableCacheStreamedVolumes` | Enable caching streamed resource volumes on the destination worker. | `false` | +| `web.baseResourceTypeDefaults` | Configuration file for specifying defaults for base resource types | `""` | +| `web.tsa.logLevel` | Minimum level of logs to see. 
Possible values: debug, info, error | `debug` | +| `web.tsa.bindIp` | IP address on which to listen for SSH | `0.0.0.0` | +| `web.tsa.debugBindIp` | IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1) | `127.0.0.1` | +| `web.tsa.heartbeatInterval` | Interval on which to heartbeat workers to the ATC | `30s` | +| `web.tsa.gardenRequestTimeout` | How long to wait for requests to Garden to complete. 0 means no timeout | `""` | +| `web.tls.enabled` | enable serving HTTPS traffic directly through the web component. | `false` | +| `web.configRBAC` | Set RBAC configuration | `""` | +| `web.conjur.enabled` | Enable the use of Conjur as a credential manager | `false` | +| `web.conjur.applianceUrl` | URL of the Conjur instance. | `""` | +| `web.conjur.pipelineSecretTemplate` | Path used to locate pipeline-level secret | `concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}` | +| `web.conjur.teamSecretTemplate` | Path used to locate team-level secret | `concourse/{{.Team}}/{{.Secret}}` | +| `web.conjur.secretTemplate` | Path used to locate a vault or safe-level secret | `concourse/{{.Secret}}` | +| `web.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for web | `""` | +| `web.command` | Override default container command (useful when using custom images) | `[]` | +| `web.args` | Override default container args (useful when using custom images) | `[]` | +| `web.extraEnvVars` | Array with extra environment variables to add to Concourse web nodes | `[]` | +| `web.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse web nodes | `""` | +| `web.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse web nodes | `""` | +| `web.replicaCount` | Number of Concourse web replicas to deploy | `1` | +| `web.containerPorts.http` | Concourse web UI and API HTTP container port | `8080` | +| `web.containerPorts.https` | Concourse web UI and API HTTPS container port | 
`8443` | +| `web.containerPorts.tsa` | Concourse web TSA SSH container port | `2222` | +| `web.containerPorts.pprof` | Concourse web TSA pprof server container port | `2221` | +| `web.livenessProbe.enabled` | Enable livenessProbe on Concourse web containers | `true` | +| `web.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `web.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` | +| `web.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` | +| `web.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` | +| `web.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `web.readinessProbe.enabled` | Enable readinessProbe on Concourse web containers | `true` | +| `web.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | +| `web.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` | +| `web.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `web.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` | +| `web.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `web.startupProbe.enabled` | Enable startupProbe on Concourse web containers | `false` | +| `web.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `web.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `web.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `web.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `web.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `web.customStartupProbe` | Custom startupProbe that overrides the 
default one | `{}` | +| `web.resources.limits` | The resources limits for the Concourse web containers | `{}` | +| `web.resources.requests` | The requested resources for the Concourse web containers | `{}` | +| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` | +| `web.podSecurityContext.fsGroup` | Set web pod's Security Context fsGroup | `1001` | +| `web.containerSecurityContext.enabled` | Enabled web containers' Security Context | `true` | +| `web.containerSecurityContext.runAsUser` | Set web containers' Security Context runAsUser | `1001` | +| `web.hostAliases` | Concourse web pod host aliases | `[]` | +| `web.podLabels` | Extra labels for Concourse web pods | `{}` | +| `web.podAnnotations` | Annotations for Concourse web pods | `{}` | +| `web.podAffinityPreset` | Pod affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `web.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `web.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `web.nodeAffinityPreset.key` | Node label key to match. Ignored if `web.affinity` is set | `""` | +| `web.nodeAffinityPreset.values` | Node label values to match. Ignored if `web.affinity` is set | `[]` | +| `web.affinity` | Affinity for web pods assignment | `{}` | +| `web.nodeSelector` | Node labels for web pods assignment | `{}` | +| `web.tolerations` | Tolerations for web pods assignment | `[]` | +| `web.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `{}` | +| `web.priorityClassName` | Priority Class to use for each pod (Concourse web) | `""` | +| `web.schedulerName` | Use an alternate scheduler, e.g. "stork". 
| `""` | +| `web.terminationGracePeriodSeconds` | Seconds Concourse web pod needs to terminate gracefully | `""` | +| `web.updateStrategy.rollingUpdate` | Concourse web statefulset rolling update configuration parameters | `{}` | +| `web.updateStrategy.type` | Concourse web statefulset strategy type | `RollingUpdate` | +| `web.lifecycleHooks` | lifecycleHooks for the Concourse web container(s) | `{}` | +| `web.extraVolumes` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` | +| `web.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` | +| `web.sidecars` | Add additional sidecar containers to the Concourse web pod(s) | `[]` | +| `web.initContainers` | Add additional init containers to the Concourse web pod(s) | `[]` | +| `web.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `web.rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `web.rbac.rules` | Custom RBAC rules to set | `[]` | +| `web.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `web.serviceAccount.name` | Override Web service account name | `""` | +| `web.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `web.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Concourse Worker parameters diff --git a/bitnami/concourse/templates/NOTES.txt b/bitnami/concourse/templates/NOTES.txt index 1fcaedb40b..a9889d22aa 100644 --- a/bitnami/concourse/templates/NOTES.txt +++ b/bitnami/concourse/templates/NOTES.txt 
@@ -55,7 +55,7 @@ host. To configure Concourse with the URL of your service:
 {{- if .Values.postgresql.enabled }}
 {{- if and .Values.secrets.localAuth.enabled }}
- {{ include "common.utils.secret.getvalue" (dict "secret" $concourseWebSecretName "field" "local-users" "context" $) }}
+ {{ include "common.utils.secret.getvalue" (dict "secret" $concourseWebSecretName "field" "local_users" "context" $) }}
 {{- end }}
 helm upgrade --namespace {{ $releaseNamespace }} {{ .Release.Name }} bitnami/{{ .Chart.Name }} \
 {{- if and .Values.secrets.localAuth.enabled }}
@@ -104,7 +104,7 @@ Get your Concourse login credentials by running:
 echo "Username : Password
 -------------------
-$(kubectl get secret --namespace {{ $releaseNamespace }} {{ $concourseWebSecretName }} -o jsonpath="{.data.local-users}" | base64 --decode)"
+$(kubectl get secret --namespace {{ $releaseNamespace }} {{ $concourseWebSecretName }} -o jsonpath="{.data.local_users}" | base64 --decode)"
 Concourse can be accessed via port {{ .Values.web.containerPorts.http }}: on the following DNS name from within your cluster:
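Review bot: Renaming the secret key from `local-users` to `local_users` here, in the `-104` hunk below, in the `web/deployment.yaml` `-243` hunk and in `web/secret.yaml` breaks every consumer that still addresses the old key, most visibly a `web.existingSecret` created against the previous layout, whose `secretKeyRef` will now point at a key that does not exist. Nothing in the diff documents the rename or a migration step, and Chart.yaml moves 1.0.20 → 1.1.0 rather than signalling a breaking change. I would add an `## Upgrading` entry to the README saying that user-provided secrets must now carry `local_users`, and keep the old key readable for one release if that is feasible in the template.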
@@ -153,13 +153,16 @@ To connect to Concourse from outside the cluster, perform the following steps:
 {{- end }}
 {{- include "concourse.validateValues" . }}
+{{- if .Values.web.conjur.enabled -}}
+{{- include "concourse.web.conjur.validateValues" . }}
+{{- end }}
 {{- include "common.warnings.rollingTag" .Values.image }}
 {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
 {{- $passwordValidationErrors := list -}}
 {{- if and .Values.secrets.localAuth.enabled (not .Values.web.existingSecret) -}}
 {{- $secretName := include "concourse.web.secretName" . -}}
- {{- $requiredWebPassword := dict "valueKey" "secrets.localUsers" "secret" $secretName "field" "local-users" "context" $ -}}
+ {{- $requiredWebPassword := dict "valueKey" "secrets.localUsers" "secret" $secretName "field" "local_users" "context" $ -}}
 {{- $requiredWebPasswordError := include "common.validations.values.single.empty" $requiredWebPassword -}}
 {{- $passwordValidationErrors = append $passwordValidationErrors $requiredWebPasswordError -}}
 {{- end }}
diff --git a/bitnami/concourse/templates/_helpers.tpl b/bitnami/concourse/templates/_helpers.tpl
index 725971d019..6064609f7b 100644
--- a/bitnami/concourse/templates/_helpers.tpl
+++ b/bitnami/concourse/templates/_helpers.tpl
@@ -229,6 +229,7 @@ Compile all warnings into a single message.
 {{- define "concourse.validateValues" -}}
 {{- $messages := list -}}
 {{- $messages := append $messages (include "concourse.validateValues.enabled" .) -}}
+{{- $messages := append $messages (include "concourse.web.conjur.validateValues" .) -}}
 {{- $messages := without $messages "" -}}
 {{- $message := join "\n" $messages -}}
 {{- if $message -}}
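Review bot: The three added lines `{{- if .Values.web.conjur.enabled -}}` / `{{- include "concourse.web.conjur.validateValues" . }}` / `{{- end }}` duplicate what `concourse.validateValues`, included on the line directly above, now already does — the `_helpers.tpl` hunk on this same line appends `concourse.web.conjur.validateValues` to its `$messages` list. If `concourse.validateValues` ends by failing the render when `$message` is non-empty (its tail is outside the hunk, so this is inferred), the second include either never runs or renders an empty string, so it can be dropped. If a non-fatal warning was intended, the helper's output should be routed through a warnings list rather than inlined into the notes.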
@@ -243,3 +244,24 @@ concourse: enabled
 Must set either web.enabled or worker.enabled to create a Concourse deployment
 {{- end -}}
 {{- end -}}
+
+{{/* Check Conjur parameters */}}
+{{- define "concourse.web.conjur.validateValues" -}}
+{{- if .Values.web.conjur.enabled -}}
+{{- if (empty .Values.web.conjur.applianceUrl) -}}
+{{- printf "Must set web.conjur.applianceUrl to integrate Conjur. Please set the parameter (--set web.conjur.applianceUrl=\"xxxx\")." -}}
+{{- end -}}
+{{- if (empty .Values.secrets.conjurAccount) -}}
+{{- printf "Must set secrets.conjurAccount to integrate Conjur. Please set the parameter (--set secrets.conjurAccount=\"xxxx\")." -}}
+{{- end -}}
+{{- if (empty .Values.secrets.conjurAuthnLogin) -}}
+{{- printf "Must set secrets.conjurAuthnLogin to integrate Conjur. Please set the parameter (--set secrets.conjurAuthnLogin=\"xxxx\")." -}}
+{{- end -}}
+{{- if and (empty .Values.secrets.conjurAuthnTokenFile) (empty .Values.secrets.conjurAuthnApiKey) -}}
+{{- printf "Must set either secrets.conjurAuthnApiKey or secrets.conjurAuthnTokenFile to integrate Conjur. Please set the parameter (--set secrets.conjurAuthnLogin=\"xxxx\" or --set secrets.conjurAuthnTokenFile=\"xxxx\")" -}}
+{{- end -}}
+{{- if and .Values.secrets.conjurAuthnTokenFile .Values.secrets.conjurAuthnApiKey -}}
+{{- printf "You specified both secrets.conjurAuthnTokenFile and secrets.conjurAuthnApiKey. You can only set one to integrate Conjur." -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/bitnami/concourse/templates/web/deployment.yaml b/bitnami/concourse/templates/web/deployment.yaml
index b3116bb4e1..09215d4b4e 100644
--- a/bitnami/concourse/templates/web/deployment.yaml
+++ b/bitnami/concourse/templates/web/deployment.yaml
@@ -243,7 +243,7 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ template "concourse.web.fullname" . }}
- key: local-users
+ key: local_users
 {{- end }}
 {{- if .Values.web.clusterName }}
 - name: CONCOURSE_CLUSTER_NAME
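Review bot: The hint in the API-key/token-file check names the wrong parameter: the message says `--set secrets.conjurAuthnLogin=\"xxxx\" or --set secrets.conjurAuthnTokenFile=\"xxxx\"` although the condition tests `secrets.conjurAuthnApiKey`, so it should read `(--set secrets.conjurAuthnApiKey=\"xxxx\" or --set secrets.conjurAuthnTokenFile=\"xxxx\")`. The helper also emits each error with a bare `printf` and no separator, so when several values are missing the caller's `join "\n"` receives one run-on string; ending each `printf` with `\n`, or collecting into a list the way `concourse.validateValues` does, keeps one error per line. Note as well that the `(empty …)` checks inspect chart values only, so a deployment that supplies the Conjur material through `web.existingSecret` will still be told to set `secrets.conjurAccount`; if that is intended, a comment on the define saying so would prevent the next reader from "fixing" it.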
@@ -293,6 +293,42 @@ spec:
 value: {{ include "concourse.database.port" . }}
 - name: CONCOURSE_POSTGRES_USER
 value: {{ include "concourse.database.user" . }}
+ {{- if .Values.web.conjur.enabled }}
+ - name: CONCOURSE_CONJUR_APPLIANCE_URL
+ value: {{ .Values.web.conjur.applianceUrl | quote }}
+ - name: CONCOURSE_CONJUR_ACCOUNT
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "concourse.web.fullname" . }}
+ key: conjur_account
+ {{- if .Values.secrets.conjurCACert }}
+ - name: CONCOURSE_CONJUR_CERT_FILE
+ value: "/bitnami/concourse/conjur-keys/ca.cert"
+ {{- end }}
+ - name: CONCOURSE_CONJUR_AUTHN_LOGIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "concourse.web.fullname" . }}
+ key: conjur_authn_login
+ - name: CONCOURSE_CONJUR_AUTHN_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "concourse.web.fullname" . }}
+ key: conjur_authn_api_key
+ {{- if (empty .Values.secrets.conjurAuthnApiKey) }}
+ - name: CONCOURSE_CONJUR_AUTHN_TOKEN_FILE
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "concourse.web.fullname" . }}
+ key: conjur_authn_token_file
+ {{- end }}
+ - name: CONCOURSE_CONJUR_PIPELINE_SECRET_TEMPLATE
+ value: {{ .Values.web.conjur.pipelineSecretTemplate | quote }}
+ - name: CONCOURSE_CONJUR_TEAM_SECRET_TEMPLATE
+ value: {{ .Values.web.conjur.teamSecretTemplate | quote }}
+ - name: CONCOURSE_CONJUR_SECRET_TEMPLATE
+ value: {{ .Values.web.conjur.secretTemplate | quote }}
+ {{- end }}
 envFrom:
 {{- if .Values.web.extraEnvVarsCM }}
 - configMapRef:
@@ -342,7 +378,7 @@ spec:
 {{- else if .Values.web.customReadinessProbe }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.web.customReadinessProbe "context" $) | nindent 12 }}
 {{- end }}
- {{- end }}
+ {{- end }}
 volumeMounts:
 - name: concourse-keys
 mountPath: /bitnami/concourse/concourse-keys
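Review bot: `CONCOURSE_CONJUR_AUTHN_API_KEY` is injected unconditionally from `conjur_authn_api_key`, while `CONCOURSE_CONJUR_AUTHN_TOKEN_FILE` is gated on `(empty .Values.secrets.conjurAuthnApiKey)`, so in token-file mode the container still carries an empty-string API-key variable; the symmetrical guard `{{- if .Values.secrets.conjurAuthnApiKey }}` around the API-key block avoids that. Separately, the token-file variable receives the secret's stored value through `secretKeyRef`, yet the same key is also projected as a file at `/bitnami/concourse/conjur-keys/conjur_authn_token_file` by the volume hunk further down; if Concourse treats `CONCOURSE_CONJUR_AUTHN_TOKEN_FILE` as a path, as the name suggests (confirm against the Concourse docs), the variable should carry that mount path and `secrets.conjurAuthnTokenFile` should hold the token contents, otherwise either the env var or the mount is dead. Whichever it is, the values.yaml and README descriptions should state whether the parameter is a path or the token itself. The container spec continues outside this hunk.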
@@ -352,6 +388,11 @@ spec:
 mountPath: /bitnami/concourse/team-authorized-keys
 readOnly: true
 {{- end }}
+ {{- if .Values.web.conjur.enabled }}
+ - name: conjur-keys
+ mountPath: /bitnami/concourse/conjur-keys
+ readOnly: true
+ {{- end }}
 {{- if .Values.web.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.web.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -366,6 +407,13 @@ spec:
 secret:
 secretName: {{ include "concourse.web.secretName" . }}
 defaultMode: 0400
+ items:
+ - key: host_key
+ path: host_key
+ - key: session_signing_key
+ path: session_signing_key
+ - key: worker_key.pub
+ path: worker_key.pub
 {{- if .Values.secrets.teamAuthorizedKeys }}
 - name: team-authorized-keys
 secret:
@@ -375,4 +423,23 @@ spec:
 {{- if .Values.web.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.web.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
+ {{- if .Values.web.conjur.enabled }}
+ - name: conjur-keys
+ secret:
+ secretName: {{ template "concourse.web.fullname" . }}
+ defaultMode: 0400
+ items:
+ - key: conjur_account
+ path: conjur_account
+ - key: conjur_authn_api_key
+ path: conjur_authn_api_key
+ - key: conjur_authn_login
+ path: conjur_authn_login
+ - key: conjur_authn_token_file
+ path: conjur_authn_token_file
+ {{- if .Values.secrets.conjurCACert }}
+ - key: conjur_ca_cert
+ path: ca.cert
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/bitnami/concourse/templates/web/secret.yaml b/bitnami/concourse/templates/web/secret.yaml
index 51c019729c..c3068034a8 100644
--- a/bitnami/concourse/templates/web/secret.yaml
+++ b/bitnami/concourse/templates/web/secret.yaml
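Review bot: The new `items:` list on the `concourse-keys` volume (the `-366` hunk) turns `host_key`, `session_signing_key` and `worker_key.pub` into mandatory keys of whatever `concourse.web.secretName` resolves to; a pod whose secret lacks one of them fails at volume setup rather than at runtime, since an `items` key missing from the secret is an error unless the volume is `optional`. The tightening is welcome — it stops `local_users` and the new Conjur values from being written under `/bitnami/concourse/concourse-keys` — but it is a new contract for `web.existingSecret` users and should be stated next to that parameter, e.g. `## The secret must contain the keys host_key, session_signing_key and worker_key.pub`. The `-375` hunk's `conjur-keys` volume has the same mandatory-keys property.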
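Review bot: In the `-375` hunk the `conjur-keys` volume is sourced from `{{ template "concourse.web.fullname" . }}`, whereas the neighbouring `concourse-keys` volume uses `{{ include "concourse.web.secretName" . }}`, so with `web.existingSecret` set the Conjur material is looked up in a secret the chart may not render; `secretName: {{ include "concourse.web.secretName" . }}` here and in the `secretKeyRef`s of the `-293` hunk keeps the two paths consistent. The only projected file that anything in this diff reads is `ca.cert` (via `CONCOURSE_CONJUR_CERT_FILE`), while `conjur_account`, `conjur_authn_login` and `conjur_authn_api_key` already reach the process as env vars, so writing them to disk as well only adds a second place the API key lives. Restricting `items` to the CA cert and gating both the volume and its mount in the `-352` hunk on `{{- if and .Values.web.conjur.enabled .Values.secrets.conjurCACert }}` limits the footprint to what is used.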
@@ -19,9 +19,16 @@ data:
 worker_key.pub: {{ .Values.secrets.workerKeyPub | b64enc | quote }}
 {{- if .Values.secrets.localAuth.enabled }}
 {{- if .Values.secrets.localUsers }}
- local-users: {{ .Values.secrets.localUsers | b64enc | quote }}
+ local_users: {{ .Values.secrets.localUsers | b64enc | quote }}
 {{- else }}
- local-users: {{ printf "user:%s" (randAlphaNum 10) | b64enc | quote }}
+ local_users: {{ printf "user:%s" (randAlphaNum 10) | b64enc | quote }}
 {{- end }}
 {{- end }}
+ {{- if .Values.web.conjur.enabled }}
+ conjur_account: {{ default "" .Values.secrets.conjurAccount | b64enc | quote }}
+ conjur_authn_login: {{ default "" .Values.secrets.conjurAuthnLogin | b64enc | quote }}
+ conjur_authn_api_key: {{ default "" .Values.secrets.conjurAuthnApiKey | b64enc | quote }}
+ conjur_authn_token_file: {{ default "" .Values.secrets.conjurAuthnTokenFile | b64enc | quote }}
+ conjur_ca_cert: {{ default "" .Values.secrets.conjurCACert | b64enc | quote }}
+ {{- end }}
 {{- end }}
diff --git a/bitnami/concourse/values.yaml b/bitnami/concourse/values.yaml
index 75020a4999..aafbb454cb 100644
--- a/bitnami/concourse/values.yaml
+++ b/bitnami/concourse/values.yaml
@@ -67,7 +67,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/concourse
- tag: 7.7.1-debian-10-r22
+ tag: 7.7.1-debian-10-r43
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -86,7 +86,7 @@ image:
 ##
 secrets:
 ## @param secrets.localAuth.enabled the use of local authentication (basic auth).
- ## Once enabled, users configured through `local-users` (secret)
+ ## Once enabled, users configured through `local_users` (secret)
 ## are able to authenticate.
 ## Ref: https://concourse-ci.org/local-auth.html
 ##
@@ -109,6 +109,17 @@ secrets:
 ## https://concourse-ci.org/global-resources.html#complications-with-reusing-containers
 ##
 teamAuthorizedKeys: []
+ ## Secrets for Conjur credentials manager.
+ ## @param secrets.conjurAccount Account for Conjur auth provider.
+ conjurAccount: ""
+ ## @param secrets.conjurAuthnLogin Host username for Conjur auth provider.
+ conjurAuthnLogin: ""
+ ## @param secrets.conjurAuthnApiKey API key for host used for Conjur auth provider. Either API key or token file can be used, but not both.
+ conjurAuthnApiKey: ""
+ ## @param secrets.conjurAuthnTokenFile Token file used for Conjur auth provider if running in Kubernetes or IAM. Either token file or API key can be used, but not both.
+ conjurAuthnTokenFile: ""
+ ## @param secrets.conjurCACert CA Certificate to specify if conjur instance is deployed with a self-signed cert
+ conjurCACert: ""
 ## @param secrets.hostKey [string] Concourse Host Keys.
 ## Example value taken from https://github.com/concourse/concourse-chart/blob/master/values.yaml
 ## Ref: https://concourse-ci.org/install.html#generating-keys
@@ -318,6 +329,20 @@ web:
 enabled: false
 ## @param web.configRBAC Set RBAC configuration
 ##
+ ## Configuration for using Conjur as a credential manager.
+ ## Ref: https://concourse-ci.org/conjur-credential-manager.html
+ ##
+ conjur:
+ ## @param web.conjur.enabled Enable the use of Conjur as a credential manager
+ enabled: false
+ ## @param web.conjur.applianceUrl URL of the Conjur instance.
+ applianceUrl: ""
+ ## @param web.conjur.pipelineSecretTemplate Path used to locate pipeline-level secret
+ pipelineSecretTemplate: concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
+ ## @param web.conjur.teamSecretTemplate Path used to locate team-level secret
+ teamSecretTemplate: concourse/{{.Team}}/{{.Secret}}
+ ## @param web.conjur.secretTemplate Path used to locate a vault or safe-level secret
+ secretTemplate: concourse/{{.Secret}}
 configRBAC: ""
 ## @param web.existingConfigmap The name of an existing ConfigMap with your custom configuration for web
 ##
@@ -1151,7 +1176,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/bitnami-shell
- tag: 10-debian-10-r402
+ tag: 10-debian-10-r424
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
 ## Secrets must be manually created in the namespace.
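Review bot: The `conjur:` block is inserted between the `## @param web.configRBAC Set RBAC configuration` comment and the `configRBAC: ""` key it annotates, so the RBAC parameter's own doc comment now reads as the header of the Conjur section and the `@param` line is separated from its key (the README generator pairs an `@param` with the key that follows it — the rendered README in this diff happens to come out right, but the layout is fragile). Move the whole Conjur block above the `## @param web.configRBAC` line or below `configRBAC: ""`.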