From 1be0c379bdb23aca5712a4e903ce81d49947495b Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Thu, 14 Nov 2024 16:04:18 -0500
Subject: [PATCH] rename property, disable by default
---
 charts/cryostat/README.md | 18 +++++++++---------
 charts/cryostat/templates/NOTES.txt | 4 ++--
 charts/cryostat/templates/_oauth2Proxy.tpl | 2 +-
 charts/cryostat/templates/alpha_config.yaml | 2 +-
 .../templates/cryostat_deployment.yaml | 2 +-
 .../cryostat/templates/cryostat_service.yaml | 2 +-
 .../templates/cryostat_tls_secret.yaml | 2 +-
 .../templates/tests/test-core-connection.yaml | 1 +
 .../tests/test-grafana-connection.yaml | 1 +
 charts/cryostat/tests/notes_test.yaml | 11 +++++++++--
 charts/cryostat/values.schema.json | 13 +++++++++----
 charts/cryostat/values.yaml | 5 +++--
 12 files changed, 39 insertions(+), 24 deletions(-)
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 79ac9419..e6c60f04 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -169,15 +169,15 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.service.tls.enableSelfSigned` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `true` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | +| Name | Description | Value | +| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.service.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for 
oauth2-proxy HTTPS is generated and used. | `true` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index c5c43614..c7c48d46 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -39,7 +39,7 @@ kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") -{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned }} +{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:cryostat-https {{- else }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:cryostat-http @@ -63,6 +63,6 @@ {{- else if contains "LoadBalancer" .Values.core.service.type }} echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} {{- else if contains "ClusterIP" .Values.core.service.type }} - {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned) }} + {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }} {{- end }} ``` diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl index dc2f0ef6..e4b2a820 100644 --- a/charts/cryostat/templates/_oauth2Proxy.tpl +++ b/charts/cryostat/templates/_oauth2Proxy.tpl 
@@ -47,7 +47,7 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml mountPath: /etc/oauth2_proxy/basicauth readOnly: true {{- end }} - {{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} - name: {{ .Release.Name }}-oauth2proxy-tls mountPath: /etc/tls/private {{- end }} diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index 212f52c0..7e61c6f8 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -12,7 +12,7 @@ data: alpha_config.yaml: |- server: BindAddress: http://0.0.0.0:4180 - {{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} SecureBindAddress: https://0.0.0.0:8443 {{- end}} TLS: diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 0ae4e811..e076d958 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -204,7 +204,7 @@ spec: - name: {{ .Release.Name }}-proxy-tls secret: secretName: {{ .Release.Name }}-proxy-tls - {{- else if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- else if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} - name: {{ .Release.Name }}-oauth2proxy-tls secret: secretName: {{ .Release.Name }}-oauth2proxy-tls diff --git a/charts/cryostat/templates/cryostat_service.yaml b/charts/cryostat/templates/cryostat_service.yaml index 3d3709a2..3e1bf937 100644 --- a/charts/cryostat/templates/cryostat_service.yaml +++ b/charts/cryostat/templates/cryostat_service.yaml 
@@ -18,7 +18,7 @@ spec: targetPort: 4180 protocol: TCP name: cryostat-http - {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }} - port: 443 targetPort: 8443 protocol: TCP diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml index 4e59d333..a0d24407 100644 --- a/charts/cryostat/templates/cryostat_tls_secret.yaml +++ b/charts/cryostat/templates/cryostat_tls_secret.yaml @@ -1,4 +1,4 @@ -{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.enableSelfSigned)) }} +{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.selfSigned.enabled)) }} {{- $fullName := include "cryostat.fullname" . }} {{- $cert := genSelfSignedCert $fullName nil nil 365 }} apiVersion: v1 diff --git a/charts/cryostat/templates/tests/test-core-connection.yaml b/charts/cryostat/templates/tests/test-core-connection.yaml index 89242bd4..b3d5220f 100644 --- a/charts/cryostat/templates/tests/test-core-connection.yaml +++ b/charts/cryostat/templates/tests/test-core-connection.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-core-connection + helm-test: cryostat annotations: "helm.sh/hook": test spec: diff --git a/charts/cryostat/templates/tests/test-grafana-connection.yaml b/charts/cryostat/templates/tests/test-grafana-connection.yaml index 9b68ad6b..3aeae40a 100644 --- a/charts/cryostat/templates/tests/test-grafana-connection.yaml +++ b/charts/cryostat/templates/tests/test-grafana-connection.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-grafana-connection + helm-test: cryostat annotations: "helm.sh/hook": test spec: 
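Review bot: The new `helm-test: cryostat` label added to test-core-connection.yaml (and identically to test-grafana-connection.yaml) uses a bare key while every neighbouring label on the same object is under the `app.kubernetes.io/` prefix produced by `cryostat.labels`; a chart-scoped prefix, e.g. `cryostat.io/helm-test: "true"`, would keep the selector namespace consistent and avoid clashing with labels other tooling may apply. The purpose of the label (presumably selecting the hook pods for cleanup or log collection) is not stated anywhere in the patch and is unrelated to the commit subject, so a one-line comment above it, such as `# selector used to find helm test pods`, would help the next reader.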
diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index b75f744e..5912df4b 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml @@ -107,7 +107,13 @@ tests: echo http://$SERVICE_IP:8181 ``` - - it: should render correct notes for ClusterIP service without ingress or route + - it: should render correct notes for ClusterIP service without ingress or route and TLS enabled + set: + oauth2Proxy: + service: + tls: + selfSigned: + enabled: true asserts: - equalRaw: value: | @@ -135,7 +141,8 @@ tests: oauth2Proxy: service: tls: - enableSelfSigned: false + selfSigned: + enabled: false asserts: - equalRaw: value: | diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index b36e762d..453d13d1 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -745,10 +745,15 @@ "tls": { "type": "object", "properties": { - "enableSelfSigned": { - "type": "boolean", - "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", - "default": true + "selfSigned": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", + "default": true + } + } } } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index bcb37530..144cd4dc 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
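Review bot: The values.schema.json hunk still declares `"default": true` for the new `selfSigned.enabled` property, but the values.yaml hunk in this same patch sets `enabled: false`, and the regenerated README table in the first hunk also still prints `true`; the schema `default` should be changed to `"default": false` (and the README row regenerated) so the three places agree. Helm does not apply JSON Schema defaults, so the wrong value does not change rendering, but it is the value operators and tooling read when deciding whether they need to opt in to TLS on the proxy, so a stale `true` hides the fact that the default install is now plain HTTP.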
@@ -269,8 +269,9 @@ oauth2Proxy: tag: "latest" service: tls: - ## @param oauth2Proxy.service.tls.enableSelfSigned Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. - enableSelfSigned: true + selfSigned: + ## @param oauth2Proxy.service.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. + enabled: false resources: requests: ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container.
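Review bot: The `@param` comment on `selfSigned.enabled` does not tell the operator what flipping this default to `false` implies: per the other hunks in this patch, when it is false and `authentication.openshift.enabled` is also false, alpha_config.yaml renders no `SecureBindAddress`, cryostat_service.yaml exposes no port 443, and cryostat_tls_secret.yaml renders no TLS secret, so the proxy is reachable only over plain HTTP. I would extend the comment to `## @param oauth2Proxy.service.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. When false and OpenShift authentication is not enabled, oauth2-proxy serves plain HTTP only and no HTTPS service port or TLS secret is rendered.` The commit message gives no rationale for changing the default, so a sentence on why (and what operators upgrading from the previous default should do) would also be worth adding.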