From c97f5a1f1a46aa49abeff69dafc4d0c59f95b060 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?= Date: Thu, 15 Apr 2021 21:54:40 +0200 Subject: [PATCH] feat: support keto v0.6 refactoring (#246) --- helm/charts/keto/Chart.yaml | 26 +++---- helm/charts/keto/templates/NOTES.txt | 44 +++++++----- helm/charts/keto/templates/_helpers.tpl | 2 - helm/charts/keto/templates/configmap.yaml | 2 +- helm/charts/keto/templates/deployment.yaml | 17 +++-- helm/charts/keto/templates/ingress-read.yaml | 42 +++++++++++ helm/charts/keto/templates/ingress-write.yaml | 42 +++++++++++ helm/charts/keto/templates/ingress.yaml | 41 ----------- helm/charts/keto/templates/secrets.yaml | 2 +- helm/charts/keto/templates/service-read.yaml | 19 +++++ helm/charts/keto/templates/service-write.yaml | 19 +++++ helm/charts/keto/templates/service.yaml | 15 ---- .../keto/templates/tests/test-connection.yaml | 2 +- helm/charts/keto/values.yaml | 71 +++++++++++++------ 14 files changed, 228 insertions(+), 116 deletions(-) create mode 100644 helm/charts/keto/templates/ingress-read.yaml create mode 100644 helm/charts/keto/templates/ingress-write.yaml delete mode 100644 helm/charts/keto/templates/ingress.yaml create mode 100644 helm/charts/keto/templates/service-read.yaml create mode 100644 helm/charts/keto/templates/service-write.yaml delete mode 100644 helm/charts/keto/templates/service.yaml diff --git a/helm/charts/keto/Chart.yaml b/helm/charts/keto/Chart.yaml index a556c88d9b..0a53a2f033 100644 --- a/helm/charts/keto/Chart.yaml +++ b/helm/charts/keto/Chart.yaml 
@@ -4,24 +4,26 @@ description: Access Control Policies as a Server type: application home: https://www.ory.sh/keto/ keywords: - - rbac - - hrbac - - acl - - iam - - api-security - - security +- rbac +- hrbac +- acl +- iam +- api-security +- security sources: - - https://github.com/ory/keto - - https://github.com/ory/k8s +- https://github.com/ory/keto +- https://github.com/ory/k8s maintainers: - - name: ORY Team - email: hi@ory.sh - url: https://www.ory.sh/ +- name: ORY Team + email: hi@ory.sh + url: https://www.ory.sh/ + # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) version: 0.6.1 + # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: v0.5.7 +appVersion: v0.6.0 diff --git a/helm/charts/keto/templates/NOTES.txt b/helm/charts/keto/templates/NOTES.txt index 8f6de897c7..44e850cb18 100644 --- a/helm/charts/keto/templates/NOTES.txt +++ b/helm/charts/keto/templates/NOTES.txt 
@@ -1,21 +1,33 @@ 1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} +{{- if or .Values.ingress.read.enabled .Values.ingress.write.enabled -}} + Read endpoint available at: + {{- range $host := .Values.ingress.read.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.read.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}) + Write endpoint available at: + {{- range $host := .Values.ingress.write.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.write.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} + {{- end }} +{{- else if or ( contains "NodePort" .Values.service.read.type ) ( contains "NodePort" .Values.service.write.type ) }} + export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-read) + export NODE_PORT_READ=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} +Read endpoint available at: http://$NODE_IP:$NODE_PORT_READ +Write endpoint available at: http://$NODE_IP:$NODE_PORT_WRITE +{{- else if or ( contains "LoadBalancer" .Values.service.read.type ) ( contains "LoadBalancer" .Values.service.read.type ) }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. 
- You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "keto.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "keto.fullname" . }}-read' + export SERVICE_IP_READ=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-read --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + export SERVICE_IP_WRITE=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "keto.fullname" . }}-write --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + Read endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.read.port }} + Write endpoint available at: http://$SERVICE_IP_READ:{{ .Values.service.write.port }} +{{- else if or ( contains "ClusterIP" .Values.service.read.type ) ( contains "ClusterIP" .Values.service.read.type ) }} + kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . }}-read {{ .Values.keto.config.serve.read.port }}:80 + kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "keto.fullname" . 
}}-write {{ .Values.keto.config.serve.write.port }}:80 + Read endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.read.port }} + Write endpoint available at: http://127.0.0.1:{{ .Values.keto.config.serve.write.port }} {{- end }} diff --git a/helm/charts/keto/templates/_helpers.tpl b/helm/charts/keto/templates/_helpers.tpl index b7e0a1df48..fb92acfa62 100644 --- a/helm/charts/keto/templates/_helpers.tpl +++ b/helm/charts/keto/templates/_helpers.tpl @@ -41,8 +41,6 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} - - {{/* Generate the dsn value */}} diff --git a/helm/charts/keto/templates/configmap.yaml b/helm/charts/keto/templates/configmap.yaml index 1c88cbba3f..61b1093124 100644 --- a/helm/charts/keto/templates/configmap.yaml +++ b/helm/charts/keto/templates/configmap.yaml @@ -6,5 +6,5 @@ metadata: labels: {{ include "keto.labels" . | indent 4 }} data: - ".keto.yaml": | + "keto.yaml": | {{- include "keto.configmap" . | nindent 4 }} diff --git a/helm/charts/keto/templates/deployment.yaml b/helm/charts/keto/templates/deployment.yaml index 633080df47..c670ff5152 100644 --- a/helm/charts/keto/templates/deployment.yaml +++ b/helm/charts/keto/templates/deployment.yaml @@ -30,7 +30,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: [ "keto" ] - args: [ "migrate", "sql", "-e", "--config", "/etc/config/.keto.yaml" ] + args: [ "migrate", "up", "-y", "--all-namespaces", "--config", "/etc/config/keto.yaml" ] volumeMounts: - name: {{ include "keto.name" . }}-config-volume mountPath: /etc/config @@ -41,6 +41,8 @@ spec: secretKeyRef: name: {{ include "keto.secretname" . }} key: dsn + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} {{- end }} serviceAccountName: {{ include "keto.serviceAccountName" . }} securityContext: 
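Review bot: The NodePort branch assigns the write service's port to `NODE_PORT_READ` a second time and never sets `NODE_PORT_WRITE`, so the printed write URL is built from an unset variable; the second export should be `export NODE_PORT_WRITE=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "keto.fullname" . }}-write)`. The LoadBalancer and ClusterIP conditions test `.Values.service.read.type` in both operands of the `or`, so a write Service of that type is never detected on its own — the second operand should be `( contains "LoadBalancer" .Values.service.write.type )` (and the ClusterIP equivalent). In the LoadBalancer branch the write URL also interpolates `$SERVICE_IP_READ` where `$SERVICE_IP_WRITE` was just exported. These notes are what an operator copies to reach the mutating write API, so the read/write split should be exact; the `port-forward` lines should likewise map to `{{ .Values.service.read.port }}` / `{{ .Values.service.write.port }}` instead of a hard-coded `80`.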
@@ -55,19 +57,22 @@ spec: args: - serve - --config - - /etc/config/.keto.yaml + - /etc/config/keto.yaml ports: - - name: http - containerPort: {{ .Values.keto.config.serve.port }} + - name: http-read + containerPort: {{ .Values.keto.config.serve.read.port }} + protocol: TCP + - name: http-write + containerPort: {{ .Values.keto.config.serve.write.port }} protocol: TCP livenessProbe: httpGet: path: /health/alive - port: http + port: http-write readinessProbe: httpGet: path: /health/ready - port: http + port: http-write resources: {{- toYaml .Values.resources | nindent 12 }} env: diff --git a/helm/charts/keto/templates/ingress-read.yaml b/helm/charts/keto/templates/ingress-read.yaml new file mode 100644 index 0000000000..e24bc171f2 --- /dev/null +++ b/helm/charts/keto/templates/ingress-read.yaml @@ -0,0 +1,42 @@ +{{- if .Values.ingress.read.enabled -}} +{{- $fullName := include "keto.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-read + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: +{{ include "keto.labels" . | indent 4 }} + {{- with .Values.ingress.read.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.read.tls }} + tls: + {{- range .Values.ingress.read.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.read.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + name: http-read + {{- end }} + {{- end }} +{{- end }} diff --git a/helm/charts/keto/templates/ingress-write.yaml b/helm/charts/keto/templates/ingress-write.yaml new file mode 100644 index 0000000000..4d1ef7ae56 --- /dev/null +++ b/helm/charts/keto/templates/ingress-write.yaml 
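Review bot: Both `livenessProbe` and `readinessProbe` now point only at `http-write`, so a pod whose read listener (port `{{ .Values.keto.config.serve.read.port }}`) failed to bind or is wedged still passes readiness and keeps receiving traffic through the `-read` Service. If the read server also answers `/health/ready` (not verifiable from this hunk), moving readiness to `port: http-read` while leaving liveness on `http-write` would cover both listeners; otherwise a `startupProbe` with `tcpSocket: { port: http-read }` at least confirms the read port bound. The container spec continues outside the hunk.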
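Review bot: The backend references `name: {{ $fullName }}`, but this commit only renders Services named `{{ include "keto.fullname" . }}-read` and `-write` (service-read.yaml / service-write.yaml), so an enabled read Ingress routes to a Service that does not exist; it should be `name: {{ $fullName }}-read`. Dropping the former `semverCompare` guard and always emitting `networking.k8s.io/v1` also makes the chart require Kubernetes 1.19+; declaring that as `kubeVersion: ">=1.19-0"` in Chart.yaml lets `helm install` fail early instead of at apply time.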
@@ -0,0 +1,42 @@
+{{- if .Values.ingress.write.enabled -}}
+{{- $fullName := include "keto.fullname" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-write
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+{{ include "keto.labels" . | indent 4 }}
+ {{- with .Values.ingress.write.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.ingress.write.tls }}
+ tls:
+ {{- range .Values.ingress.write.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress.write.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ . }}
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ $fullName }}
+ port:
+ name: http-write
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/helm/charts/keto/templates/ingress.yaml b/helm/charts/keto/templates/ingress.yaml
deleted file mode 100644
index a45ee076ef..0000000000
--- a/helm/charts/keto/templates/ingress.yaml
+++ /dev/null
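Review bot: Same backend defect as the read Ingress: `name: {{ $fullName }}` should be `name: {{ $fullName }}-write`, otherwise an enabled write Ingress targets a Service this chart never renders. Because this Ingress publishes the mutating relation-tuple API and nothing in the commit adds any authentication in front of it (no auth-related values are introduced), the `ingress.write` block in values.yaml deserves a warning such as `# Exposes the mutating write API; nothing in this chart authenticates callers - keep disabled or front it with an authenticating proxy`. Defaulting `enabled: false` is right; the comment makes the risk of flipping it explicit.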
@@ -1,41 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "keto.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "keto.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ . }} - backend: - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} diff --git a/helm/charts/keto/templates/secrets.yaml b/helm/charts/keto/templates/secrets.yaml index 8a0d0d7aee..a2bb2623c5 100644 --- a/helm/charts/keto/templates/secrets.yaml +++ b/helm/charts/keto/templates/secrets.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "keto.fullname" . }} + name: {{ include "keto.secretname" . }} namespace: {{ .Release.Namespace }} labels: {{ include "keto.labels" . | indent 4 }} diff --git a/helm/charts/keto/templates/service-read.yaml b/helm/charts/keto/templates/service-read.yaml new file mode 100644 index 0000000000..c97e6d7848 --- /dev/null +++ b/helm/charts/keto/templates/service-read.yaml 
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "keto.fullname" . }}-read
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+{{ include "keto.labels" . | indent 4 }}
+spec:
+ type: {{ .Values.service.read.type }}
+ ports:
+ - port: {{ .Values.service.read.port }}
+ targetPort: http-read
+ protocol: TCP
+ name: http-read
+ selector:
+ app.kubernetes.io/name: {{ include "keto.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/helm/charts/keto/templates/service-write.yaml b/helm/charts/keto/templates/service-write.yaml
new file mode 100644
index 0000000000..1831ecae9c
--- /dev/null
+++ b/helm/charts/keto/templates/service-write.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "keto.fullname" . }}-write
+ {{- if .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+{{ include "keto.labels" . | indent 4 }}
+spec:
+ type: {{ .Values.service.write.type }}
+ ports:
+ - port: {{ .Values.service.write.port }}
+ targetPort: http-write
+ protocol: TCP
+ name: http-write
+ selector:
+ app.kubernetes.io/name: {{ include "keto.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/helm/charts/keto/templates/service.yaml b/helm/charts/keto/templates/service.yaml
deleted file mode 100644
index 579eb0f5ef..0000000000
--- a/helm/charts/keto/templates/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "keto.fullname" . }}-api
- labels:
- {{- include "keto.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: http
- protocol: TCP
- name: http
- selector:
- {{- include "keto.selectorLabels" . | nindent 4 }}
diff --git a/helm/charts/keto/templates/tests/test-connection.yaml b/helm/charts/keto/templates/tests/test-connection.yaml
index 6a012c10a1..860758ee4e 100644
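Review bot: Both new Services hard-code the `selector` as two literal labels, while the removed service.yaml used `{{- include "keto.selectorLabels" . | nindent 4 }}` to stay in lockstep with the Deployment's pod template; the helper is not touched by this commit, so it is presumably still defined. Using `selector:` followed by `{{- include "keto.selectorLabels" . | nindent 4 }}` in service-read.yaml and service-write.yaml prevents the selector from silently drifting from the pod labels — a drift here means the read or write endpoint quietly stops routing. The `{{- if .Release.Namespace }}` guard around `namespace:` is harmless but redundant, since Helm always populates `.Release.Namespace`.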
--- a/helm/charts/keto/templates/tests/test-connection.yaml +++ b/helm/charts/keto/templates/tests/test-connection.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "keto.labels" . | nindent 4 }} annotations: - "helm.sh/hook": test-success + helm.sh/hook: test-success spec: containers: - name: wget diff --git a/helm/charts/keto/values.yaml b/helm/charts/keto/values.yaml index 4d3a179a5b..0d0c808ed0 100644 --- a/helm/charts/keto/values.yaml +++ b/helm/charts/keto/values.yaml @@ -8,7 +8,7 @@ image: repository: oryd/keto pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "" + tag: "v0.6.0-alpha.1-sqlite" imagePullSecrets: [] nameOverride: "" @@ -28,7 +28,7 @@ podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: +securityContext: capabilities: drop: - ALL 
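Review bot: The default `tag` moves from `""` (fall back to `.Chart.AppVersion`, which this commit sets to `v0.6.0`) to the hard-pinned pre-release `"v0.6.0-alpha.1-sqlite"`, so a plain `helm install` now runs an alpha, sqlite-flavoured image that disagrees with the advertised appVersion. From a supply-chain standpoint either restore `tag: ""` so the chart follows appVersion, or pin the intended release (ideally by digest) and keep Chart.yaml in sync. If the alpha pin is deliberate, a comment such as `# pinned to the pre-release build until the v0.6.0 image is published` next to it documents the divergence.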
@@ -38,31 +38,62 @@ securityContext: allowPrivilegeEscalation: false privileged: false +ingress: + read: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - /read + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + write: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - /write + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + service: - type: ClusterIP - port: 4456 + read: + type: ClusterIP + port: 80 + write: + type: ClusterIP + port: 80 + +secret: + # switch to false to prevent creating the secret + enabled: true + # ... and choose a different name for a secret you provide like this + # nameOverride: "MyOtherName" keto: # https://www.ory.sh/keto/docs/reference/configuration config: serve: - port: 4456 - + read: + port: 4466 + write: + port: 4467 + namespaces: + - id: 0 + name: sample + dsn: memory autoMigrate: false -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: [] - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -112,6 +143,4 @@ tracing: tolerations: [] -secret: {} - affinity: {}
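Review bot: `dsn: memory` ships as the default, so with more than one replica each pod keeps its own in-memory relation-tuple store and the `-read` and `-write` Services (which select the same pods) can be answered by different pods, meaning a write may never be visible to a later check. A comment such as `# in-memory store: demo/single-replica only, data is per-pod and lost on restart` next to `dsn: memory`, and a similar one marking the `sample` namespace with `id: 0` as a placeholder, makes that explicit; the `secret.nameOverride` example should also state that a user-supplied Secret must expose a `dsn` key, since deployment.yaml reads it via `secretKeyRef ... key: dsn`. Moving `ingress.*` and `service.*` under `read`/`write` means existing values files silently stop applying, yet the chart `version` in Chart.yaml stays at `0.6.1` in this commit — it should be bumped to signal the breaking schema change. The hunk ends inside the `resources` comment block.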