feat: support keto v0.6 refactoring (#246)

helm/charts/keto/Chart.yaml

@@ -4,24 +4,26 @@ description: Access Control Policies as a Server
 type: application
 home: https://www.ory.sh/keto/
 keywords:
-  - rbac
-  - hrbac
-  - acl
-  - iam
-  - api-security
-  - security
+- rbac
+- hrbac
+- acl
+- iam
+- api-security
+- security
 sources:
-  - https://github.com/ory/keto
-  - https://github.com/ory/k8s
+- https://github.com/ory/keto
+- https://github.com/ory/k8s
 maintainers:
-  - name: ORY Team
-    email: [email protected]
-    url: https://www.ory.sh/
+- name: ORY Team
+  email: [email protected]
+  url: https://www.ory.sh/
+
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.6.1
+
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v0.5.7
+appVersion: v0.6.0

helm/charts/keto/templates/NOTES.txt

@@ -1,21 +1,33 @@
 1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
-  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+{{- if or .Values.ingress.read.enabled .Values.ingress.write.enabled -}}
+  Read endpoint available at: 
+  {{- range $host := .Values.ingress.read.hosts }}
+    {{- range .paths }}
+      http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+    {{- end }}
   {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }})
+  Write endpoint available at: 
+  {{- range $host := .Values.ingress.write.hosts }}
+    {{- range .paths }}
+      http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+    {{- end }}
+ {{- end }}
+{{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }}
+  export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-read)
+  export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
+Read endpoint available at: http://$NODE_IP:$NODE_PORT_READ
+Write endpoint available at: http://$NODE_IP:$NODE_PORT_WRITE
+{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.read.type ) }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "keto.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}-read'
+  export SERVICE_IP_READ=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-read --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  export SERVICE_IP_WRITE=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-write --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  Read endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.read.port }}
+  Write endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.write.port }}
+{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.read.type ) }}
+  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-read {{ .Values.keto.config.serve.read.port }}:80
+  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-write {{ .Values.keto.config.serve.write.port }}:80
+  Read endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.read.port }}
+  Write endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.write.port }}
 {{- end }}

helm/charts/keto/templates/_helpers.tpl

@@ -41,8 +41,6 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
-
-
 {{/*
 Generate the dsn value
 */}}

helm/charts/keto/templates/configmap.yaml

@@ -6,5 +6,5 @@ metadata:
   labels:
 {{ include "keto.labels" . | indent 4 }}
 data:
-  ".keto.yaml": |
+  "keto.yaml": |
     {{- include "keto.configmap" . | nindent 4 }}

helm/charts/keto/templates/deployment.yaml

@@ -30,7 +30,7 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: [ "keto" ]
-          args: [ "migrate", "sql", "-e", "--config", "/etc/config/.keto.yaml" ]
+          args: [ "migrate", "up", "-y", "--all-namespaces", "--config", "/etc/config/keto.yaml" ]
           volumeMounts:
             - name: {{ include "keto.name" . }}-config-volume
               mountPath: /etc/config
@@ -41,6 +41,8 @@ spec:
                 secretKeyRef:
                   name: {{ include "keto.secretname" . }}
                   key: dsn
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
       {{- end }}
       serviceAccountName: {{ include "keto.serviceAccountName" . }}
       securityContext:
@@ -55,19 +57,22 @@ spec:
           args:
             - serve
             - --config
-            - /etc/config/.keto.yaml
+            - /etc/config/keto.yaml
           ports:
-            - name: http
-              containerPort: {{ .Values.keto.config.serve.port }}
+            - name: http-read
+              containerPort: {{ .Values.keto.config.serve.read.port }}
+              protocol: TCP
+            - name: http-write
+              containerPort: {{ .Values.keto.config.serve.write.port }}
               protocol: TCP
           livenessProbe:
             httpGet:
               path: /health/alive
-              port: http
+              port: http-write
           readinessProbe:
             httpGet:
               path: /health/ready
-              port: http
+              port: http-write
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           env:

helm/charts/keto/templates/ingress-read.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.ingress.read.enabled -}}
+{{- $fullName := include "keto.fullname" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-read
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "keto.labels" . | indent 4 }}
+  {{- with .Values.ingress.read.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.ingress.read.tls }}
+  tls:
+  {{- range .Values.ingress.read.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress.read.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+        {{- range .paths }}
+          - path: {{ . }}
+            pathType: Prefix
+            backend:
+                service:
+                  name: {{ $fullName }}
+                  port:
+                    name: http-read
+        {{- end }}
+  {{- end }}
+{{- end }}

helm/charts/keto/templates/ingress-write.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.ingress.write.enabled -}}
+{{- $fullName := include "keto.fullname" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-write
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "keto.labels" . | indent 4 }}
+  {{- with .Values.ingress.write.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.ingress.write.tls }}
+  tls:
+  {{- range .Values.ingress.write.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress.write.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+        {{- range .paths }}
+          - path: {{ . }}
+            pathType: Prefix
+            backend:
+                service:
+                  name: {{ $fullName }}
+                  port:
+                    name: http-write
+        {{- end }}
+  {{- end }}
+{{- end }}

helm/charts/keto/templates/secrets.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "keto.fullname" . }}
+  name: {{ include "keto.secretname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
 {{ include "keto.labels" . | indent 4 }}

helm/charts/keto/templates/service-read.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" . }}-read
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "keto.labels" . | indent 4 }}
+spec:
+  type: {{ .Values.service.read.type }}
+  ports:
+    - port: {{ .Values.service.read.port }}
+      targetPort: http-read
+      protocol: TCP
+      name: http-read
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

helm/charts/keto/templates/service-write.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "keto.fullname" . }}-write
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+{{ include "keto.labels" . | indent 4 }}
+spec:
+  type: {{ .Values.service.write.type }}
+  ports:
+    - port: {{ .Values.service.write.port }}
+      targetPort: http-write
+      protocol: TCP
+      name: http-write
+  selector:
+    app.kubernetes.io/name: {{ include "keto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

helm/charts/keto/templates/tests/test-connection.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "keto.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test-success
+    helm.sh/hook: test-success
 spec:
   containers:
     - name: wget