diff --git a/charts/management-portal/Chart.yaml b/charts/management-portal/Chart.yaml
index f5880623..7f8fb388 100644
--- a/charts/management-portal/Chart.yaml
+++ b/charts/management-portal/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.0.0"
 description: A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base.
 name: management-portal
-version: 1.1.2
+version: 1.1.3
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/management-portal
@@ -19,9 +19,9 @@ maintainers:
 - email: keyvan@thehyve.nl
 name: Keyvan Hedayati
 url: https://www.thehyve.nl
- - email: joris@thehyve.nl
- name: Joris Borgdorff
- url: https://www.thehyve.nl/experts/joris-borgdorff
+ - email: bastiaan@thehyve.nl
+ name: Bastiaan de Graaf
+ url: https://www.thehyve.nl/experts/bastiaan-de-graaf
 - email: nivethika@thehyve.nl
 name: Nivethika Mahasivam
 url: https://www.thehyve.nl/experts/nivethika-mahasivam
diff --git a/charts/management-portal/README.md b/charts/management-portal/README.md
index 50de8968..fd139967 100644
--- a/charts/management-portal/README.md
+++ b/charts/management-portal/README.md
@@ -3,7 +3,7 @@
 # management-portal
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/management-portal)](https://artifacthub.io/packages/helm/radar-base/management-portal)
-![Version: 1.1.2](https://img.shields.io/badge/Version-1.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
+![Version: 1.1.3](https://img.shields.io/badge/Version-1.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
 A Helm chart for RADAR-Base Management Portal to manage projects and participants throughout RADAR-base.
@@ -14,7 +14,7 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | Name | Email | Url |
 | ---- | ------ | --- |
 | Keyvan Hedayati | | |
-| Joris Borgdorff | | |
+| Bastiaan de Graaf | | |
 | Nivethika Mahasivam | | |
 ## Source Code
@@ -88,10 +88,14 @@ A Helm chart for RADAR-Base Management Portal to manage projects and participant
 | postgres.ssl.keystore | string | `""` | base64 encoded certificate needed to connect to the PostgreSQL With helmfile, this can be set in a production.yaml.gotmpl file by setting keystore: {{ readFile "certificate.pem" | b64enc | quote }} or with SOPS keystore: {{ exec "sops" (list "-d" "certificate.pem") | b64enc | quote }} |
 | server_name | string | `"localhost"` | domain name of the server |
 | catalogue_server | string | `"catalog-server"` | Hostname of the catalogue-server |
-| managementportal.catalogue_server_enable_auto_import | string | `"false"` | set to true, if automatic source-type import from catalogue server should be enabled |
+| identity_server.admin_email | string | `"admin@example.com"` | The admin email to link to the admin service account. This account should only be used to set up admin-users |
+| identity_server.server_url | string | `"https://my.example-domain.net/kratos"` | The publicly accessible server URL for the IDP |
+| identity_server.server_admin_url | string | `"http://kratos-admin"` | The admin server URL for the IDP. Only needs to be accessible from inside the cluster where the managementportal resides |
+| managementportal.catalogue_server_enable_auto_import | bool | `false` | set to true, if automatic source-type import from catalogue server should be enabled |
 | managementportal.common_privacy_policy_url | string | `"http://info.thehyve.nl/radar-cns-privacy-policy"` | Override with a publicly resolvable url of the privacy-policy url for your set-up. This can be overridden on a project basis as well. |
 | managementportal.oauth_checking_key_aliases_0 | string | `"radarbase-managementportal-ec"` | Keystore alias to sign JWT tokens from Management Portal |
 | managementportal.oauth_checking_key_aliases_1 | string | `"selfsigned"` | Keystore alias to sign JWT tokens from Management Portal |
+| managementportal.oauth_require_aal2 | bool | `true` | Whether or not to require AAL2 level authentication (i.e. MFA) |
 | managementportal.frontend_client_secret | string | `"xxx"` | OAuth2 Client secret of the Management Portal frontend application |
 | managementportal.common_admin_password | string | `"xxx"` | Admin password of the default admin user created by the system |
 | smtp.enabled | bool | `false` | set to true, if SMTP server should be enabled. Required to be true for production setup |
diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml
index 3e2e0239..9bb1e9cb 100644
--- a/charts/management-portal/templates/deployment.yaml
+++ b/charts/management-portal/templates/deployment.yaml
@@ -84,6 +84,12 @@ spec:
 value: "{{ .Values.managementportal.catalogue_server_enable_auto_import }}"
 - name: MANAGEMENTPORTAL_CATALOGUE_SERVER_SERVER_URL
 value: http://{{ .Values.catalogue_server }}:9010/source-types
+ - name: MANAGEMENTPORTAL_IDENTITY_SERVER_ADMIN_EMAIL
+ value: {{ .Values.identity_server.admin_email }}
+ - name: MANAGEMENTPORTAL_IDENTITY_SERVER_SERVER_URL
+ value: {{ .Values.identity_server.server_url }}
+ - name: MANAGEMENTPORTAL_IDENTITY_SERVER_SERVER_ADMIN_URL
+ value: {{ .Values.identity_server.server_admin_url }}
 - name: MANAGEMENTPORTAL_COMMON_ADMIN_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml
index f8bcef6f..e0b1c15a 100644
--- a/charts/management-portal/values.yaml
+++ b/charts/management-portal/values.yaml
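Review bot: The three new `value:` entries for the identity-server variables are rendered unquoted, unlike the `catalogue_server_enable_auto_import` entry directly above them, which wraps its template in double quotes. An empty override then renders as a YAML null rather than a string, and a value containing `: ` or ` #` is re-parsed or cut short, so the container can start with a missing or truncated identity-provider URL or admin e-mail. Pipe each value through `quote`, e.g. `value: {{ .Values.identity_server.server_url | quote }}`, and consider wrapping the two URLs in `required` so a missing setting fails at render time instead of at login. The `env:` list begins and continues outside this hunk.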
@@ -289,15 +289,27 @@ postgres:
 server_name: localhost
 # -- Hostname of the catalogue-server
 catalogue_server: catalog-server
+
+# Settings pertaining to the identity provider (IDP)
+identity_server:
+ # -- The admin email to link to the admin service account. This account should only be used to set up admin-users
+ admin_email: admin@example.com
+ # -- The publicly accessible server URL for the IDP
+ server_url: https://my.example-domain.net/kratos
+ # -- The admin server URL for the IDP. Only needs to be accessible from inside the cluster where the managementportal resides
+ server_admin_url: http://kratos-admin
+
 managementportal:
 # -- set to true, if automatic source-type import from catalogue server should be enabled
- catalogue_server_enable_auto_import: "false"
+ catalogue_server_enable_auto_import: false
 # -- Override with a publicly resolvable url of the privacy-policy url for your set-up. This can be overridden on a project basis as well.
 common_privacy_policy_url: http://info.thehyve.nl/radar-cns-privacy-policy
 # -- Keystore alias to sign JWT tokens from Management Portal
 oauth_checking_key_aliases_0: radarbase-managementportal-ec
 # -- Keystore alias to sign JWT tokens from Management Portal
 oauth_checking_key_aliases_1: selfsigned
+ # -- Whether or not to require AAL2 level authentication (i.e. MFA)
+ oauth_require_aal2: true
 # -- OAuth2 Client secret of the Management Portal frontend application
 frontend_client_secret: xxx
 # -- Admin password of the default admin user created by the system
diff --git a/charts/radar-rest-sources-authorizer/Chart.yaml b/charts/radar-rest-sources-authorizer/Chart.yaml
index 4816e8a1..b8b86616 100644
--- a/charts/radar-rest-sources-authorizer/Chart.yaml
+++ b/charts/radar-rest-sources-authorizer/Chart.yaml
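Review bot: `oauth_require_aal2: true` is added here and documented in the README, but the templates/deployment.yaml hunk of this commit adds only the three `identity_server` variables, so nothing visible passes the setting to the container. Unless it is consumed somewhere outside this diff, the value is inert and an operator may assume MFA is enforced (or switched off) when the chart has no say in it; add the matching env entry, e.g. `value: "{{ .Values.managementportal.oauth_require_aal2 }}"`, under the variable name the application actually reads. Separately, the default `server_url: https://my.example-domain.net/kratos` uses a registrable domain rather than a reserved one; `example.com`, or an empty default that must be overridden, keeps an unconfigured install from directing login traffic to a host the project does not control.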
@@ -1,27 +1,27 @@ -apiVersion: v2 -appVersion: "4.4.0" -description: A Helm chart for the front-end application of RADAR-base Rest Sources Authorizer which is a portal to authorize the Fitbit connector to read data from Fitbit accounts. -name: radar-rest-sources-authorizer -version: 1.1.3 -icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png" -sources: -- https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-rest-sources-authorizer -- https://github.com/RADAR-base/RADAR-Rest-Source-Auth -keywords: - - radar-base - - remote-trial -annotations: - artifacthub.io/license: Apache-2.0 -deprecated: false -type: application -home: "https://radar-base.org" -maintainers: - - email: keyvan@thehyve.nl - name: Keyvan Hedayati - url: https://www.thehyve.nl - - email: joris@thehyve.nl - name: Joris Borgdorff - url: https://www.thehyve.nl/experts/joris-borgdorff - - email: nivethika@thehyve.nl - name: Nivethika Mahasivam - url: https://www.thehyve.nl/experts/nivethika-mahasivam +apiVersion: v2 +appVersion: "4.4.0" +description: A Helm chart for the front-end application of RADAR-base Rest Sources Authorizer which is a portal to authorize the Fitbit connector to read data from Fitbit accounts. 
+name: radar-rest-sources-authorizer +version: 1.1.3 +icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png" +sources: +- https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-rest-sources-authorizer +- https://github.com/RADAR-base/RADAR-Rest-Source-Auth +keywords: + - radar-base + - remote-trial +annotations: + artifacthub.io/license: Apache-2.0 +deprecated: false +type: application +home: "https://radar-base.org" +maintainers: + - email: keyvan@thehyve.nl + name: Keyvan Hedayati + url: https://www.thehyve.nl + - email: joris@thehyve.nl + name: Joris Borgdorff + url: https://www.thehyve.nl/experts/joris-borgdorff + - email: nivethika@thehyve.nl + name: Nivethika Mahasivam + url: https://www.thehyve.nl/experts/nivethika-mahasivam diff --git a/charts/radar-rest-sources-authorizer/README.md b/charts/radar-rest-sources-authorizer/README.md index 833b56af..e62a17f2 100644 --- a/charts/radar-rest-sources-authorizer/README.md +++ b/charts/radar-rest-sources-authorizer/README.md 
@@ -1,74 +1,74 @@ - - -# radar-rest-sources-authorizer -[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-rest-sources-authorizer)](https://artifacthub.io/packages/helm/radar-base/radar-rest-sources-authorizer) - -![Version: 1.1.3](https://img.shields.io/badge/Version-1.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.0](https://img.shields.io/badge/AppVersion-4.4.0-informational?style=flat-square) - -A Helm chart for the front-end application of RADAR-base Rest Sources Authorizer which is a portal to authorize the Fitbit connector to read data from Fitbit accounts. - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Keyvan Hedayati | | | -| Joris Borgdorff | | | -| Nivethika Mahasivam | | | - -## Source Code - -* -* - -## Prerequisites -* Kubernetes 1.22+ -* Kubectl 1.22+ -* Helm 3.1.0+ - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| replicaCount | int | `2` | Number of radar-rest-sources-authorizer replicas to deploy | -| image.repository | string | `"radarbase/radar-rest-source-authorizer"` | radar-rest-sources-authorizer image repository | -| image.tag | string | `"4.4.0"` | radar-rest-sources-authorizer image tag (immutable tags are recommended) Overrides the image tag whose default is the chart appVersion. 
| -| image.pullPolicy | string | `"IfNotPresent"` | radar-rest-sources-authorizer image pull policy | -| imagePullSecrets | list | `[]` | Docker registry secret names as an array | -| nameOverride | string | `""` | String to partially override radar-rest-sources-authorizer.fullname template with a string (will prepend the release name) | -| fullnameOverride | string | `""` | String to fully override radar-rest-sources-authorizer.fullname template with a string | -| podSecurityContext | object | `{}` | Configure radar-rest-sources-authorizer pods' Security Context | -| securityContext | object | `{}` | Configure radar-rest-sources-authorizer containers' Security Context | -| service.type | string | `"ClusterIP"` | Kubernetes Service type | -| service.port | int | `8080` | radar-rest-sources-authorizer port | -| ingress.enabled | bool | `true` | Enable ingress controller resource | -| ingress.annotations | object | check values.yaml | Annotations that define default ingress class, certificate issuer | -| ingress.path | string | `"/rest-sources/authorizer"` | Path within the url structure | -| ingress.pathType | string | `"ImplementationSpecific"` | Ingress Path type | -| ingress.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | -| ingress.hosts | list | `["localhost"]` | Hosts to accept requests from | -| ingress.tls.secretName | string | `"radar-base-tls-radar-rest-sources-authorizer"` | TLS Secret Name | -| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | CPU/Memory resource requests | -| nodeSelector | object | `{}` | Node labels for pod assignment | -| tolerations | list | `[]` | Toleration labels for pod assignment | -| affinity | object | `{}` | Affinity labels for pod assignment | -| extraEnvVars | list | `[]` | Extra environment variables | -| customLivenessProbe | object | `{}` | Custom livenessProbe that overrides the default one | -| livenessProbe.enabled | bool | `true` 
| Enable livenessProbe | -| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | -| livenessProbe.periodSeconds | int | `30` | Period seconds for livenessProbe | -| livenessProbe.timeoutSeconds | int | `3` | Timeout seconds for livenessProbe | -| livenessProbe.successThreshold | int | `1` | Success threshold for livenessProbe | -| livenessProbe.failureThreshold | int | `3` | Failure threshold for livenessProbe | -| customReadinessProbe | object | `{}` | Custom readinessProbe that overrides the default one | -| readinessProbe.enabled | bool | `true` | Enable readinessProbe | -| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | -| readinessProbe.periodSeconds | int | `10` | Period seconds for readinessProbe | -| readinessProbe.timeoutSeconds | int | `3` | Timeout seconds for readinessProbe | -| readinessProbe.successThreshold | int | `1` | Success threshold for readinessProbe | -| readinessProbe.failureThreshold | int | `3` | Failure threshold for readinessProbe | -| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | -| clientId | string | `"radar_rest_sources_authorizer"` | OAuth2 client id of the application registered in Management Portal. It is assumed that this is a public client with empty client secret. 
| -| serverName | string | `"localhost"` | Domain name of the server | -| authUrl | string | `"localhost/managementportal/oauth"` | Authorization URL of the IDP | + + +# radar-rest-sources-authorizer +[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-rest-sources-authorizer)](https://artifacthub.io/packages/helm/radar-base/radar-rest-sources-authorizer) + +![Version: 1.1.3](https://img.shields.io/badge/Version-1.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.0](https://img.shields.io/badge/AppVersion-4.4.0-informational?style=flat-square) + +A Helm chart for the front-end application of RADAR-base Rest Sources Authorizer which is a portal to authorize the Fitbit connector to read data from Fitbit accounts. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Keyvan Hedayati | | | +| Joris Borgdorff | | | +| Nivethika Mahasivam | | | + +## Source Code + +* +* + +## Prerequisites +* Kubernetes 1.22+ +* Kubectl 1.22+ +* Helm 3.1.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| replicaCount | int | `2` | Number of radar-rest-sources-authorizer replicas to deploy | +| image.repository | string | `"radarbase/radar-rest-source-authorizer"` | radar-rest-sources-authorizer image repository | +| image.tag | string | `"4.4.0"` | radar-rest-sources-authorizer image tag (immutable tags are recommended) Overrides the image tag whose default is the chart appVersion. 
| +| image.pullPolicy | string | `"IfNotPresent"` | radar-rest-sources-authorizer image pull policy | +| imagePullSecrets | list | `[]` | Docker registry secret names as an array | +| nameOverride | string | `""` | String to partially override radar-rest-sources-authorizer.fullname template with a string (will prepend the release name) | +| fullnameOverride | string | `""` | String to fully override radar-rest-sources-authorizer.fullname template with a string | +| podSecurityContext | object | `{}` | Configure radar-rest-sources-authorizer pods' Security Context | +| securityContext | object | `{}` | Configure radar-rest-sources-authorizer containers' Security Context | +| service.type | string | `"ClusterIP"` | Kubernetes Service type | +| service.port | int | `8080` | radar-rest-sources-authorizer port | +| ingress.enabled | bool | `true` | Enable ingress controller resource | +| ingress.annotations | object | check values.yaml | Annotations that define default ingress class, certificate issuer | +| ingress.path | string | `"/rest-sources/authorizer"` | Path within the url structure | +| ingress.pathType | string | `"ImplementationSpecific"` | Ingress Path type | +| ingress.ingressClassName | string | `"nginx"` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | +| ingress.hosts | list | `["localhost"]` | Hosts to accept requests from | +| ingress.tls.secretName | string | `"radar-base-tls-radar-rest-sources-authorizer"` | TLS Secret Name | +| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | CPU/Memory resource requests | +| nodeSelector | object | `{}` | Node labels for pod assignment | +| tolerations | list | `[]` | Toleration labels for pod assignment | +| affinity | object | `{}` | Affinity labels for pod assignment | +| extraEnvVars | list | `[]` | Extra environment variables | +| customLivenessProbe | object | `{}` | Custom livenessProbe that overrides the default one | +| livenessProbe.enabled | bool | `true` 
| Enable livenessProbe | +| livenessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for livenessProbe | +| livenessProbe.periodSeconds | int | `30` | Period seconds for livenessProbe | +| livenessProbe.timeoutSeconds | int | `3` | Timeout seconds for livenessProbe | +| livenessProbe.successThreshold | int | `1` | Success threshold for livenessProbe | +| livenessProbe.failureThreshold | int | `3` | Failure threshold for livenessProbe | +| customReadinessProbe | object | `{}` | Custom readinessProbe that overrides the default one | +| readinessProbe.enabled | bool | `true` | Enable readinessProbe | +| readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | +| readinessProbe.periodSeconds | int | `10` | Period seconds for readinessProbe | +| readinessProbe.timeoutSeconds | int | `3` | Timeout seconds for readinessProbe | +| readinessProbe.successThreshold | int | `1` | Success threshold for readinessProbe | +| readinessProbe.failureThreshold | int | `3` | Failure threshold for readinessProbe | +| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | +| clientId | string | `"radar_rest_sources_authorizer"` | OAuth2 client id of the application registered in Management Portal. It is assumed that this is a public client with empty client secret. | +| serverName | string | `"localhost"` | Domain name of the server | +| authUrl | string | `"localhost/managementportal/oauth"` | Authorization URL of the IDP | diff --git a/charts/radar-rest-sources-authorizer/templates/deployment.yaml b/charts/radar-rest-sources-authorizer/templates/deployment.yaml index a11af988..4aad8fda 100644 --- a/charts/radar-rest-sources-authorizer/templates/deployment.yaml +++ b/charts/radar-rest-sources-authorizer/templates/deployment.yaml 
@@ -1,110 +1,110 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "radar-rest-sources-authorizer.fullname" . }} - labels: -{{ include "radar-rest-sources-authorizer.labels" . | indent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "radar-rest-sources-authorizer.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "radar-rest-sources-authorizer.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: "app.kubernetes.io/name" - operator: In - values: - - {{ template "radar-rest-sources-authorizer.name" . }} - - key: "app.kubernetes.io/instance" - operator: In - values: - - {{ .Release.Name }} - topologyKey: "kubernetes.io/hostname" - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: BASE_HREF - value: /rest-sources/authorizer/ - - name: BACKEND_BASE_URL - value: https://{{ .Values.serverName }}/rest-sources/backend - - name: VALIDATE - value: "true" - - name: AUTH_GRANT_TYPE - value: "authorization_code" - - name: AUTH_CLIENT_ID - value: {{ .Values.clientId }} - - name: AUTH_CLIENT_SECRET - value: "" - - name: AUTH_CALLBACK_URL - value: https://{{ .Values.serverName }}/rest-sources/authorizer/login - - name: AUTH_URI - value: https://{{ .Values.authUrl }} - {{- with .Values.extraEnvVars }} - {{- toYaml . 
| nindent 10 }} - {{- end }} - ports: - - name: http - containerPort: 8080 - protocol: TCP - {{- if .Values.customLivenessProbe }} - livenessProbe: {{- .Values.customLivenessProbe | toYaml | nindent 12 }} - {{- else if .Values.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: /rest-sources/authorizer/ - port: http - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.customReadinessProbe }} - readinessProbe: {{- .Values.customReadinessProbe | toYaml | nindent 12 }} - {{- else if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: /rest-sources/authorizer/ - port: http - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "radar-rest-sources-authorizer.fullname" . }} + labels: +{{ include "radar-rest-sources-authorizer.labels" . | indent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "radar-rest-sources-authorizer.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "radar-rest-sources-authorizer.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/name" + operator: In + values: + - {{ template "radar-rest-sources-authorizer.name" . }} + - key: "app.kubernetes.io/instance" + operator: In + values: + - {{ .Release.Name }} + topologyKey: "kubernetes.io/hostname" + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: BASE_HREF + value: /rest-sources/authorizer/ + - name: BACKEND_BASE_URL + value: https://{{ .Values.serverName }}/rest-sources/backend + - name: VALIDATE + value: "true" + - name: AUTH_GRANT_TYPE + value: "authorization_code" + - name: AUTH_CLIENT_ID + value: {{ .Values.clientId }} + - name: AUTH_CLIENT_SECRET + value: "" + - name: AUTH_CALLBACK_URL + value: https://{{ .Values.serverName }}/rest-sources/authorizer/login + - name: AUTH_URI + value: https://{{ .Values.authUrl }} + {{- with .Values.extraEnvVars }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- .Values.customLivenessProbe | toYaml | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /rest-sources/authorizer/ + port: http + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- .Values.customReadinessProbe | toYaml | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /rest-sources/authorizer/ + port: http + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/radar-rest-sources-authorizer/values.yaml b/charts/radar-rest-sources-authorizer/values.yaml index 79f8547e..fcf309b4 100644 --- a/charts/radar-rest-sources-authorizer/values.yaml +++ b/charts/radar-rest-sources-authorizer/values.yaml 
@@ -1,159 +1,159 @@ -# Default values for radar-rest-sources-authorizer. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Number of radar-rest-sources-authorizer replicas to deploy -replicaCount: 2 - -image: - # -- radar-rest-sources-authorizer image repository - repository: radarbase/radar-rest-source-authorizer - # -- radar-rest-sources-authorizer image tag (immutable tags are recommended) - # Overrides the image tag whose default is the chart appVersion. - tag: 4.4.0 - # -- radar-rest-sources-authorizer image pull policy - pullPolicy: IfNotPresent - -# -- Docker registry secret names as an array -imagePullSecrets: [] - -# -- String to partially override radar-rest-sources-authorizer.fullname template with a string (will prepend the release name) -nameOverride: "" -# -- String to fully override radar-rest-sources-authorizer.fullname template with a string -fullnameOverride: "" - -# -- Configure radar-rest-sources-authorizer pods' Security Context -podSecurityContext: {} - # fsGroup: 2000 - -# -- Configure radar-rest-sources-authorizer containers' Security Context -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - # -- Kubernetes Service type - type: ClusterIP - # -- radar-rest-sources-authorizer port - port: 8080 - -ingress: - # -- Enable ingress controller resource - enabled: true - # -- Annotations that define default ingress class, certificate issuer - # @default -- check values.yaml - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - # -- Path within the url structure - path: /rest-sources/authorizer - # -- Ingress Path type - pathType: ImplementationSpecific - # -- IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ingressClassName: nginx - # -- Hosts to accept requests from - hosts: - - localhost - tls: - # -- TLS Secret Name - secretName: 
radar-base-tls-radar-rest-sources-authorizer - -resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - - # -- CPU/Memory resource requests - requests: - cpu: 100m - memory: 128Mi - -# -- Node labels for pod assignment -nodeSelector: {} - -# -- Toleration labels for pod assignment -tolerations: [] - -# -- Affinity labels for pod assignment -affinity: {} - -# -- Extra environment variables -extraEnvVars: [] -# - name: BEARER_AUTH -# value: true - -# -- Custom livenessProbe that overrides the default one -customLivenessProbe: {} - -livenessProbe: - # -- Enable livenessProbe - enabled: true - # -- Initial delay seconds for livenessProbe - initialDelaySeconds: 5 - # -- Period seconds for livenessProbe - periodSeconds: 30 - # -- Timeout seconds for livenessProbe - timeoutSeconds: 3 - # -- Success threshold for livenessProbe - successThreshold: 1 - # -- Failure threshold for livenessProbe - failureThreshold: 3 - -# -- Custom readinessProbe that overrides the default one -customReadinessProbe: {} - -readinessProbe: - # -- Enable readinessProbe - enabled: true - # -- Initial delay seconds for readinessProbe - initialDelaySeconds: 5 - # -- Period seconds for readinessProbe - periodSeconds: 10 - # -- Timeout seconds for readinessProbe - timeoutSeconds: 3 - # -- Success threshold for readinessProbe - successThreshold: 1 - # -- Failure threshold for readinessProbe - failureThreshold: 3 - -# -- Network policy defines who can access this application and who this applications has access to -# @default -- check `values.yaml` -networkpolicy: - policyTypes: - - Ingress - - Egress - ingress: - - from: - - namespaceSelector: - 
matchLabels: - kubernetes.io/metadata.name: '{{ .Release.Namespace }}' - podSelector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - -# -- OAuth2 client id of the application registered in Management Portal. It is assumed that this is a public client with empty client secret. -clientId: radar_rest_sources_authorizer -# -- Domain name of the server -serverName: localhost -# -- Authorization URL of the IDP -authUrl: localhost/managementportal/oauth +# Default values for radar-rest-sources-authorizer. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of radar-rest-sources-authorizer replicas to deploy +replicaCount: 2 + +image: + # -- radar-rest-sources-authorizer image repository + repository: radarbase/radar-rest-source-authorizer + # -- radar-rest-sources-authorizer image tag (immutable tags are recommended) + # Overrides the image tag whose default is the chart appVersion. 
+ tag: 4.4.0
+ # -- radar-rest-sources-authorizer image pull policy
+ pullPolicy: IfNotPresent
+
+# -- Docker registry secret names as an array
+imagePullSecrets: []
+
+# -- String to partially override radar-rest-sources-authorizer.fullname template with a string (will prepend the release name)
+nameOverride: ""
+# -- String to fully override radar-rest-sources-authorizer.fullname template with a string
+fullnameOverride: ""
+
+# -- Configure radar-rest-sources-authorizer pods' Security Context
+podSecurityContext: {}
+ # fsGroup: 2000
+
+# -- Configure radar-rest-sources-authorizer containers' Security Context
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ # -- Kubernetes Service type
+ type: ClusterIP
+ # -- radar-rest-sources-authorizer port
+ port: 8080
+
+ingress:
+ # -- Enable ingress controller resource
+ enabled: true
+ # -- Annotations that define default ingress class, certificate issuer
+ # @default -- check values.yaml
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ # -- Path within the url structure
+ path: /rest-sources/authorizer
+ # -- Ingress Path type
+ pathType: ImplementationSpecific
+ # -- IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ingressClassName: nginx
+ # -- Hosts to accept requests from
+ hosts:
+ - localhost
+ tls:
+ # -- TLS Secret Name
+ secretName: radar-base-tls-radar-rest-sources-authorizer
+
+resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # -- CPU/Memory resource requests
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+# -- Node labels for pod assignment
+nodeSelector: {}
+
+# -- Toleration labels for pod assignment
+tolerations: []
+
+# -- Affinity labels for pod assignment
+affinity: {}
+
+# -- Extra environment variables
+extraEnvVars: []
+# - name: BEARER_AUTH
+# value: true
+
+# -- Custom livenessProbe that overrides the default one
+customLivenessProbe: {}
+
+livenessProbe:
+ # -- Enable livenessProbe
+ enabled: true
+ # -- Initial delay seconds for livenessProbe
+ initialDelaySeconds: 5
+ # -- Period seconds for livenessProbe
+ periodSeconds: 30
+ # -- Timeout seconds for livenessProbe
+ timeoutSeconds: 3
+ # -- Success threshold for livenessProbe
+ successThreshold: 1
+ # -- Failure threshold for livenessProbe
+ failureThreshold: 3
+
+# -- Custom readinessProbe that overrides the default one
+customReadinessProbe: {}
+
+readinessProbe:
+ # -- Enable readinessProbe
+ enabled: true
+ # -- Initial delay seconds for readinessProbe
+ initialDelaySeconds: 5
+ # -- Period seconds for readinessProbe
+ periodSeconds: 10
+ # -- Timeout seconds for readinessProbe
+ timeoutSeconds: 3
+ # -- Success threshold for readinessProbe
+ successThreshold: 1
+ # -- Failure threshold for readinessProbe
+ failureThreshold: 3
+
+# -- Network policy defines who can access this application and who this applications has access to
+# @default -- check `values.yaml`
+networkpolicy:
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+
+# -- OAuth2 client id of the application registered in
Management Portal. It is assumed that this is a public client with empty client secret.
+clientId: radar_rest_sources_authorizer
+# -- Domain name of the server
+serverName: localhost
+# -- Authorization URL of the IDP
+authUrl: localhost/managementportal/oauth