diff --git a/helm/.gitignore b/helm/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/helm/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/helm/.helmignore b/helm/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/helm/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000..b1b6855
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: ucentralsec
+version: 0.1.0
diff --git a/helm/templates/_config.tpl b/helm/templates/_config.tpl
new file mode 100644
index 0000000..53bff07
--- /dev/null
+++ b/helm/templates/_config.tpl
@@ -0,0 +1,5 @@
+{{- define "ucentralsec.config" -}}
+{{- range $key, $value := .Values.configProperties }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000..ab7213b
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ucentralsec.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ucentralsec.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ucentralsec.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
new file mode 100644
index 0000000..0c67a19
--- /dev/null
+++ b/helm/templates/deployment.yaml
@@ -0,0 +1,114 @@
+{{- $root := . -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "ucentralsec.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+ helm.sh/chart: {{ include "ucentralsec.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ strategy:
+ type: {{ .Values.strategyType }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.services.ucentralsec.labels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include "ucentralsec.config" . | sha256sum }}
+ labels:
+ app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.services.ucentralsec.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+
+ containers:
+
+ - name: ucentralsec
+ image: "{{ .Values.images.ucentralsec.repository }}:{{ .Values.images.ucentralsec.tag }}"
+ imagePullPolicy: {{ .Values.images.ucentralsec.pullPolicy }}
+
+ env:
+ - name: KUBERNETES_DEPLOYED
+ value: "{{ now }}"
+ {{- range $key, $value := .Values.public_env_variables }}
+ - name: {{ $key }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- range $key, $value := .Values.secret_env_variables }}
+ - name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "ucentralsec.fullname" $root }}-env
+ key: {{ $key }}
+ {{- end }}
+
+ ports:
+ {{- range $port, $portValue := .Values.services.ucentralsec.ports }}
+ - name: {{ $port }}
+ containerPort: {{ $portValue.targetPort }}
+ protocol: {{ $portValue.protocol }}
+ {{- end }}
+
+ volumeMounts:
+ {{- range .Values.volumes.ucentralsec }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ {{- if .subPath }}
+ subPath: {{ .subPath }}
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.checks.ucentralsec.liveness }}
+ livenessProbe:
+ {{- toYaml .Values.checks.ucentralsec.liveness | nindent 12 }}
+ {{- end }}
+ {{- if .Values.checks.ucentralsec.readiness }}
+ readinessProbe:
+ {{- toYaml .Values.checks.ucentralsec.readiness | nindent 12 }}
+ {{- end }}
+
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+
+ imagePullSecrets:
+ {{- range $image, $imageValue := .Values.images }}
+ {{- if $imageValue.regcred }}
+ - name: {{ include "ucentralsec.fullname" $root }}-{{ $image }}-regcred
+ {{- end }}
+ {{- end }}
+
+ volumes:
+ {{- range $container, $containerVolumes := .Values.volumes }}
+ {{- range $containerVolumes }}
+ - name: {{ .name }}
+ {{- tpl .volumeDefinition $root | nindent 8 }}
+ {{- end }}
+ {{- end }}
+
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
new file mode 100644
index 0000000..58f1096
--- /dev/null
+++ b/helm/templates/ingress.yaml
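Review bot: The pod spec and the ucentralsec container carry no `securityContext` and the pod does not set `automountServiceAccountToken: false`, so the workload runs with whatever user the image defaults to and receives a service-account token that nothing in this chart consumes. Since `KUBERNETES_DEPLOYED` is set to `"{{ now }}"`, the pod template changes on every `helm upgrade`, which also makes the `checksum/config` annotation redundant; one of the two rollout triggers should go. I would gate both contexts on values (the `podSecurityContext` and `securityContext` keys below are new and would need defaults in values.yaml) and opt out of the token mount.
```yaml
    spec:
      automountServiceAccountToken: false
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}

      containers:

        - name: ucentralsec
          {{- with .Values.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: image, imagePullPolicy, env, ports, volumeMounts, probes …
```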
@@ -0,0 +1,47 @@
+{{- $root := . -}}
+{{- range $ingress, $ingressValue := .Values.ingresses }}
+{{- if $ingressValue.enabled }}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ include "ucentralsec.fullname" $root }}-{{ $ingress }}
+ labels:
+ app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
+ helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+ app.kubernetes.io/instance: {{ $root.Release.Name }}
+ app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+ {{- with $ingressValue.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+
+spec:
+
+{{- if $ingressValue.tls }}
+ tls:
+ {{- range $ingressValue.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ tpl .secretName $root }}
+ {{- end }}
+{{- end }}
+
+ rules:
+ {{- range $ingressValue.hosts }}
+ - host: {{ . | quote }}
+ http:
+ paths:
+ {{- range $ingressValue.paths }}
+ - path: {{ .path }}
+ backend:
+ serviceName: {{ include "ucentralsec.fullname" $root }}-{{ .serviceName }}
+ servicePort: {{ .servicePort }}
+ {{- end }}
+ {{- end }}
+
+{{- end }}
+
+{{- end }}
diff --git a/helm/templates/pvc.yaml b/helm/templates/pvc.yaml
new file mode 100644
index 0000000..096b230
--- /dev/null
+++ b/helm/templates/pvc.yaml
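Review bot: `apiVersion: extensions/v1beta1` for Ingress was removed from Kubernetes in 1.22, so this template will not apply on current clusters; `networking.k8s.io/v1` needs `pathType` and the `backend.service.name`/`port` form instead of `serviceName`/`servicePort`. values.yaml passes `servicePort: restapi`, a port name, so `port.name` is the matching field; if numeric ports are also expected, that has to be handled separately (`port.number`). `path: {{ .path }}` should also be quoted, since a path value beginning with `*` or `{` would not parse as a plain scalar.
```yaml
apiVersion: networking.k8s.io/v1
# … unchanged: kind, metadata, tls …
      paths:
        {{- range $ingressValue.paths }}
        - path: {{ .path | quote }}
          pathType: {{ .pathType | default "Prefix" }}
          backend:
            service:
              name: {{ include "ucentralsec.fullname" $root }}-{{ .serviceName }}
              port:
                name: {{ .servicePort }}
        {{- end }}
```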
@@ -0,0 +1,27 @@
+{{- if .Values.persistence.enabled }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ template "ucentralsec.fullname" . }}-pvc
+ labels:
+ app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+ helm.sh/chart: {{ include "ucentralsec.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- with .Values.persistence.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClassName }}
+ storageClassName: {{ .Values.persistence.storageClassName }}
+{{- end }}
+{{- end }}
diff --git a/helm/templates/secret-certs.yaml b/helm/templates/secret-certs.yaml
new file mode 100644
index 0000000..a184114
--- /dev/null
+++ b/helm/templates/secret-certs.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+metadata:
+ labels:
+ app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
+ helm.sh/chart: {{ include "ucentralsec.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ name: {{ include "ucentralsec.fullname" . }}-certs
+kind: Secret
+type: Opaque
+data:
+ {{- range $key, $value := .Values.certs }}
+ {{ $key }}: {{ $value | b64enc | quote }}
+ {{- end }}
diff --git a/helm/templates/secret-config.yaml b/helm/templates/secret-config.yaml
new file mode 100644
index 0000000..d8c9ca3
--- /dev/null
+++ b/helm/templates/secret-config.yaml
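Review bot: The claim is only rendered when `.Values.persistence.enabled` is true, but the `persist` entry in values.yaml's `volumes.ucentralsec` is rendered unconditionally by deployment.yaml and points at `{{ template "ucentralsec.fullname" . }}-pvc`, so disabling persistence leaves the pod referencing a claim that does not exist and it will never schedule. Either the `persist` volume needs the same `persistence.enabled` guard, or its `volumeDefinition` should fall back to an `emptyDir` when persistence is off. As a point of style, `{{ toYaml . | indent 4 }}` at column 0 is the only place in the chart that does not use `{{- toYaml . | nindent 4 }}`; aligning it with the other templates avoids the odd indentation.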
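Review bot: The label key `app.kuberentes.io/name` is misspelled, so this Secret does not carry the `app.kubernetes.io/name` label that the Deployment, Service and Ingress use; anything selecting or auditing by that label will miss it. The same typo appears in secret-config.yaml, secret-env.yaml and secret-regcred.yaml. Change each to `app.kubernetes.io/name: {{ include "ucentralsec.name" . }}` (with `$root` in secret-regcred.yaml).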
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+metadata:
+ labels:
+ app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
+ helm.sh/chart: {{ include "ucentralsec.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ name: {{ include "ucentralsec.fullname" . }}-config
+kind: Secret
+type: Opaque
+data:
+ ucentralsec.properties: {{ include "ucentralsec.config" . | b64enc }}
diff --git a/helm/templates/secret-env.yaml b/helm/templates/secret-env.yaml
new file mode 100644
index 0000000..c0abeda
--- /dev/null
+++ b/helm/templates/secret-env.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+metadata:
+ labels:
+ app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
+ helm.sh/chart: {{ include "ucentralsec.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ name: {{ include "ucentralsec.fullname" . }}-env
+kind: Secret
+type: Opaque
+data:
+ # Secret env variables
+ {{- range $key, $value := .Values.secret_env_variables }}
+ {{ $key }}: {{ $value | b64enc | quote }}
+ {{- end }}
+
diff --git a/helm/templates/secret-regcred.yaml b/helm/templates/secret-regcred.yaml
new file mode 100644
index 0000000..18616e7
--- /dev/null
+++ b/helm/templates/secret-regcred.yaml
@@ -0,0 +1,21 @@
+{{- define "imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- $root := . -}}
+{{- range $image, $imageValue := .Values.images }}
+{{- if $imageValue.regcred }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ labels:
+ app.kuberentes.io/name: {{ include "ucentralsec.name" $root }}
+ helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+ app.kubernetes.io/instance: {{ $root.Release.Name }}
+ app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+ name: {{ include "ucentralsec.fullname" $root }}-{{ $image }}-regcred
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" $imageValue.regcred }}
+{{- end }}
+{{- end }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 0000000..ebf483a
--- /dev/null
+++ b/helm/templates/service.yaml
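Review bot: The `.dockerconfigjson` payload is assembled with `printf` and no JSON escaping, so a registry URL or credential containing `"` or `\` produces an invalid config that the kubelet rejects at pull time (the base64 step hides this until then). Building the structure with `dict` and serialising it avoids the problem: `{{- dict "auths" (dict .registry (dict "auth" (printf "%s:%s" .username .password | b64enc))) | toJson | b64enc }}`. The define name `imagePullSecret` is also unprefixed; Helm template names are global across a release, so `ucentralsec.imagePullSecret` (matching the names in _helpers.tpl) avoids a collision with a same-named define in another chart.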
@@ -0,0 +1,48 @@
+{{- $root := . -}}
+{{- range $service, $serviceValue := .Values.services }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "ucentralsec.fullname" $root }}-{{ $service }}
+ {{- with $serviceValue.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
+ helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+ app.kubernetes.io/instance: {{ $root.Release.Name }}
+ app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+
+ {{- with $serviceValue.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+
+ {{- if $serviceValue.serviceMonitor }}
+
+ {{- range $selector, $selectorValue := $serviceValue.serviceMonitor.serviceSelector }}
+ {{ $selector }}: {{ tpl $selectorValue $root }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: {{ $serviceValue.type }}
+ ports:
+
+ {{- range $service_service, $service_value := $serviceValue.ports }}
+ - name: {{ $service_service }}
+ targetPort: {{ $service_value.targetPort }}
+ protocol: {{ $service_value.protocol }}
+ port: {{ $service_value.servicePort }}
+ {{- if and (eq "NodePort" $serviceValue.type) $service_value.nodePort }}
+ nodePort: {{ $service_value.nodePort }}
+ {{- end }}
+ {{- end }}
+ selector:
+ app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
+ app.kubernetes.io/instance: {{ $root.Release.Name }}
+ {{- with $serviceValue.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+
+{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..fe0c1a5
--- /dev/null
+++ b/helm/values.yaml
@@ -0,0 +1,213 @@
+# System
+replicaCount: 1
+strategyType: Recreate
+
+nameOverride: ""
+fullnameOverride: ""
+
+images:
+ ucentralsec:
+ repository: tip-tip-wlan-cloud-ucentral.jfrog.io/ucentralsec
+ tag: main
+ pullPolicy: Always
+# regcred:
+# registry: tip-tip-wlan-cloud-ucentral.jfrog.io
+# username: username
+# password: password
+
+services:
+ ucentralsec:
+ type: LoadBalancer
+ ports:
+ restapi:
+ servicePort: 16001
+ targetPort: 16001
+ protocol: TCP
+ restapiinternal:
+ servicePort: 17001
+ targetPort: 17001
+ protocol: TCP
+
+checks:
+ ucentralsec:
+ liveness:
+ httpGet:
+ path: /
+ port: 16101
+ readiness:
+ httpGet:
+ path: /
+ port: 16101
+
+ingresses:
+ restapi:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - restapi.chart-example.local
+ paths:
+ - path: /
+ serviceName: ucentralsec
+ servicePort: restapi
+
+volumes:
+ ucentralsec:
+ - name: config
+ mountPath: /ucentralsec-data/ucentralsec.properties
+ subPath: ucentralsec.properties
+ # Template below will be rendered in template
+ volumeDefinition: |
+ secret:
+ secretName: {{ include "ucentralsec.fullname" . }}-config
+ - name: certs
+ mountPath: /ucentralsec-data/certs
+ volumeDefinition: |
+ secret:
+ secretName: {{ include "ucentralsec.fullname" . }}-certs
+ # Change this if you want to use another volume type
+ - name: persist
+ mountPath: /ucentralsec-data/persist
+ volumeDefinition: |
+ persistentVolumeClaim:
+ claimName: {{ template "ucentralsec.fullname" . }}-pvc
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+persistence:
+ enabled: true
+ # storageClassName: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 10Gi
+ annotations: {}
+
+# Application
+public_env_variables:
+ UCENTRALSEC_ROOT: /ucentralsec-data
+ UCENTRALSEC_CONFIG: /ucentralsec-data
+
+secret_env_variables: {}
+
+configProperties:
+ # -> Public part
+ # REST API
+ ucentral.restapi.host.0.backlog: 100
+ ucentral.restapi.host.0.security: relaxed
+ ucentral.restapi.host.0.rootca: $UCENTRALSEC_ROOT/certs/restapi-ca.pem
+ ucentral.restapi.host.0.address: "*"
+ ucentral.restapi.host.0.port: 16001
+ ucentral.restapi.host.0.cert: $UCENTRALSEC_ROOT/certs/restapi-cert.pem
+ ucentral.restapi.host.0.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
+ ucentral.restapi.wwwassets: $UCENTRALSEC_ROOT/wwwassets
+ ucentral.internal.restapi.host.0.backlog: 100
+ ucentral.internal.restapi.host.0.security: relaxed
+ ucentral.internal.restapi.host.0.rootca: $UCENTRALSEC_ROOT/certs/restapi-ca.pem
+ ucentral.internal.restapi.host.0.address: "*"
+ ucentral.internal.restapi.host.0.port: 17001
+ ucentral.internal.restapi.host.0.cert: $UCENTRALSEC_ROOT/certs/restapi-cert.pem
+ ucentral.internal.restapi.host.0.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
+ # Authentication
+ authentication.enabled: true
+ authentication.default.access: master
+ authentication.service.type: internal
+ # Mailer
+ mailer.hostname: smtp.gmail.com
+ mailer.loginmethod: login
+ mailer.port: 587
+ mailer.templates: $UCENTRALSEC_ROOT/templates
+ # ALB
+ alb.enable: "true"
+ alb.port: 16101
+ # Kafka
+ ucentral.kafka.enable: "false"
+ ucentral.kafka.group.id: security
+ ucentral.kafka.client.id: security1
+ ucentral.kafka.brokerlist: localhost:9092
+ ucentral.kafka.auto.commit: false
+ ucentral.kafka.queue.buffering.max.ms: 50
+ # Storage
+ storage.type: sqlite # (sqlite|postgresql|mysql|odbc)
+ ## SQLite
+ storage.type.sqlite.db: devices.db
+ storage.type.sqlite.idletime: 120
+ storage.type.sqlite.maxsessions: 128
+ ## PostgreSQL
+ storage.type.postgresql.maxsessions: 64
+ storage.type.postgresql.idletime: 60
+ storage.type.postgresql.host: localhost
+ storage.type.postgresql.database: ucentral
+ storage.type.postgresql.port: 5432
+ storage.type.postgresql.connectiontimeout: 60
+ ## MySQL
+ storage.type.mysql.maxsessions: 64
+ storage.type.mysql.idletime: 60
+ storage.type.mysql.host: localhost
+ storage.type.mysql.database: ucentral
+ storage.type.mysql.port: 3306
+ storage.type.mysql.connectiontimeout: 60
+ # System
+ ucentral.service.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
+ ucentral.system.data: $UCENTRALSEC_ROOT/persist
+ ucentral.system.debug: "true"
+ ucentral.system.uri.private: https://localhost:17001
+ ucentral.system.uri.public: https://localhost:16001
+ ucentral.system.uri.ui: https://localhost
+ ucentral.system.commandchannel: /tmp/app_ucentralsec
+ # Logging
+ logging.formatters.f1.class: PatternFormatter
+ logging.formatters.f1.pattern: "%s: [%p] %t"
+ logging.formatters.f1.times: UTC
+ logging.channels.c1.class: ConsoleChannel
+ logging.channels.c1.formatter: f1
+ logging.channels.c2.class: FileChannel
+ logging.channels.c2.path: /dev/stdout
+ logging.channels.c2.formatter.class: PatternFormatter
+ logging.channels.c2.formatter.pattern: "%Y-%m-%d %H:%M:%S %s: [%p] %t"
+ logging.channels.c2.rotation: "20 M"
+ logging.channels.c2.archive: timestamp
+ logging.channels.c2.purgeCount: 20
+ logging.channels.c3.class: ConsoleChannel
+ logging.channels.c3.pattern: "%s: [%p] %t"
+ logging.loggers.root.channel: c2
+ logging.loggers.root.level: debug
+
+ # -> Secret part
+ # REST API
+ ucentral.restapi.host.0.key.password: mypassword
+ ucentral.internal.restapi.host.0.key.password: mypassword
+ # Authentication
+ authentication.default.username: tip@ucentral.com
+ authentication.default.password: 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
+ # Mailer
+ mailer.username: no-reply@arilia.com
+ mailer.password: "**************************"
+ # Storage
+ ## PostgreSQL
+ storage.type.postgresql.username: stephb
+ storage.type.postgresql.password: snoopy99
+ ## MySQL
+ storage.type.mysql.username: stephb
+ storage.type.mysql.password: snoopy99
+
+certs:
+ # restapi-ca.pem: ""
+ # restapi-cert.pem: ""
+ # restapi-key.pem: ""
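Review bot: The `# -> Secret part` block ships working credentials as chart defaults — `ucentral.restapi.host.0.key.password`, `ucentral.internal.restapi.host.0.key.password`, `storage.type.postgresql.password`, `storage.type.mysql.password`, `mailer.password` and the `authentication.default.username`/`authentication.default.password` pair — and _config.tpl renders all of them into the `-config` Secret for every release that does not override them, so the defaults become the live credentials of any installation that misses one. Those keys should default to empty and be rejected at render time (`{{ required "configProperties.<key> must be set" ... }}` in _config.tpl, or a separate `existingSecret` value) rather than carry placeholders that work. The same defaults also pair `ucentral.restapi.host.0.security: relaxed`, `ucentral.internal.restapi.host.0.security: relaxed` and `ucentral.system.debug: "true"` with `services.ucentralsec.type: LoadBalancer`, which publishes the internal API port `restapiinternal` (17001) on the same external address as `restapi`; putting the internal port on its own ClusterIP service entry keeps it off the load balancer. Finally, `images.ucentralsec.tag: main` with `pullPolicy: Always` pins nothing, so two pods of one release can run different builds; a versioned tag or digest is the safer default.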