diff --git a/charts/dbgate/README.md b/charts/dbgate/README.md index f906f71c..7201079d 100644 --- a/charts/dbgate/README.md +++ b/charts/dbgate/README.md 
@@ -45,44 +45,53 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `dbgate` chart and their default values. -| Parameter | Description | Default | -|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------| -| replicaCount | | 1 | -| image.repository | | "dbgate/dbgate" | -| image.pullPolicy | | Always | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "alpine" | -| imagePullSecrets | | [] | -| nameOverride | | "" | -| fullnameOverride | | "" | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | "" | -| podAnnotations | | {} | -| podSecurityContext | | {} | -| service.type | | ClusterIP | -| service.port | | 80 | -| resources | | {} | -| nodeSelector | | {} | -| tolerations | | [] | -| affinity | | {} | -| namespace.create | | false | -| gateway.className | | "ace" | -| gateway.port | | 8082 | -| gateway.tlsSecretRef.name | | service-presets-cert | -| gateway.tlsSecretRef.namespace | | ace | -| gateway.referenceGrant.create | | true | -| keda.proxyService.namespace | | "keda" | -| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | -| keda.proxyService.port | | 8080 | -| targetPendingRequests | | 200 | -| autoscaling.http.minReplicas | | 0 | -| autoscaling.http.maxReplicas | | 1 | -| app.kind | MicrosoftSQLServer: mssql@dbgate-plugin-mssql MySQL: mysql@dbgate-plugin-mysql MariaDB: mariadb@dbgate-plugin-mysql Postgres: postgres@dbgate-plugin-postgres MongoDB: mongo@dbgate-plugin-mongo Redis: redis@dbgate-plugin-redis | "" | -| app.service.name | | "" | -| app.service.namespace | | "" | -| app.authSecret.name | | "" | -| bind.name | | "" | -| bind.namespace | | "" | +| Parameter | Description | Default | +|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| replicaCount | | 1 | +| image.repository | | "dbgate/dbgate" | +| image.pullPolicy | | Always | +| image.tag | Overrides the image tag whose default is the chart appVersion. 
| "alpine" | +| imagePullSecrets | | [] | +| nameOverride | | "" | +| fullnameOverride | | "" | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations | | {} | +| podSecurityContext | | {} | +| service.type | | ClusterIP | +| service.port | | 80 | +| resources | | {} | +| nodeSelector | | {} | +| tolerations | | [] | +| affinity | | {} | +| namespace.create | | false | +| gateway.className | | "ace" | +| gateway.port | | 8082 | +| gateway.tlsSecretRef.name | | service-presets-cert | +| gateway.tlsSecretRef.namespace | | ace | +| gateway.referenceGrant.create | | true | +| keda.proxyService.namespace | | "keda" | +| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | +| keda.proxyService.port | | 8080 | +| targetPendingRequests | | 200 | +| autoscaling.http.minReplicas | | 0 | +| autoscaling.http.maxReplicas | | 1 | +| app.kind | MicrosoftSQLServer: mssql@dbgate-plugin-mssql MySQL: mysql@dbgate-plugin-mysql MariaDB: mariadb@dbgate-plugin-mysql Postgres: postgres@dbgate-plugin-postgres MongoDB: mongo@dbgate-plugin-mongo Redis: redis@dbgate-plugin-redis | "" | +| app.service.name | | "" | +| app.service.namespace | | "" | +| app.authSecret.name | | "" | +| bind.name | | "" | +| bind.namespace | | "" | +| authzproxy.enabled | | false | +| authzproxy.repository | KubeDB operator container image | ghcr.io/appscode/kube-authz-proxy | +| authzproxy.tag | KubeDB operator container image tag | "v0.0.1" | +| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| 
authzproxy.resources | Compute Resources required by this container | {} |
+| authzproxy.params.listen | | 8000 |
+| authzproxy.params.metricsAddr | | 8080 |
+| authzproxy.params.platformURL | | "" |
+| authzproxy.params.platformCABundle | | "" |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
 
diff --git a/charts/dbgate/templates/cluster-role-binding.yaml b/charts/dbgate/templates/cluster-role-binding.yaml
new file mode 100644
index 00000000..1a83fd6a
--- /dev/null
+++ b/charts/dbgate/templates/cluster-role-binding.yaml
@@ -0,0 +1,15 @@
+# to delegate authentication and authorization
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "dbgate.fullname" . }}-auth-delegator
+  labels:
+    {{- include "dbgate.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: {{ include "dbgate.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/dbgate/templates/deployment.yaml b/charts/dbgate/templates/deployment.yaml
index 5de62d2f..1f834130 100644
--- a/charts/dbgate/templates/deployment.yaml
+++ b/charts/dbgate/templates/deployment.yaml
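Review bot: The `system:auth-delegator` ClusterRoleBinding is rendered unconditionally, so every dbgate release's service account is granted cluster-wide TokenReview/SubjectAccessReview creation even with the default `authzproxy.enabled: false`, although only the sidecar needs it. Wrap the whole file in `{{- if .Values.authzproxy.enabled }}` … `{{- end }}` so the grant exists only when the proxy actually runs. Because the binding is cluster-scoped but named from `dbgate.fullname`, two releases with the same release name in different namespaces would presumably collide on `metadata.name`; adding `{{ .Release.Namespace }}` to the name avoids that. A short comment saying which API calls the sidecar makes with this role would also help reviewers of future RBAC changes.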
@@ -37,11 +37,52 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
+        {{- if .Values.authzproxy.enabled }}
+        - name: authz-proxy
+          securityContext:
+            {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
+          image: "{{ .Values.authzproxy.repository }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+          - run
+          - --listen={{ .Values.authzproxy.params.listen }}
+          - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
+          - --secret-name={{ .Values.app.authSecret.name }}
+          - --secret-namespace={{ .Release.Namespace }}
+          - --target-url=http://localhost:3000
+          - --platform-url={{ .Values.authzproxy.params.platformURL }}
+          {{- if .Values.authzproxy.params.platformCABundle }}
+          - --platform-ca-file=/var/platform-auth/ca.crt
+          {{- end }}
+          ports:
+          - name: proxy
+            containerPort: {{ .Values.authzproxy.params.listen }}
+            protocol: TCP
+          - name: metrics
+            containerPort: {{ .Values.authzproxy.params.metricsAddr }}
+            protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.authzproxy.resources | nindent 12 }}
+          {{- if .Values.authzproxy.params.platformCABundle }}
+          volumeMounts:
+          - mountPath: /var/platform-auth
+            name: platform-auth
+          {{- end }}
+        {{ end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if not .Values.authzproxy.enabled }}
           env:
           - name: CONNECTIONS
             value: "PRIMARY"
@@ -63,6 +104,7 @@ spec:
             secretKeyRef:
               name: {{ .Values.app.authSecret.name }}
               key: password
+          {{- end }}
           ports:
           - name: http
             containerPort: 3000
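Review bot: With the proxy enabled, the dbgate container still serves on port 3000 (the sidecar's `--target-url=http://localhost:3000` depends on it) and only the Service's targetPort is redirected, so any in-cluster client that reaches the pod IP on 3000 directly bypasses the authz proxy. Unless dbgate can be bound to loopback, a NetworkPolicy that admits ingress only to the `proxy` (and `metrics`) ports is needed for the sidecar to be a real enforcement point; at minimum add a comment above the sidecar stating that assumption. Separately, `{{ .Values.authzproxy.tag | default .Chart.AppVersion }}` falls back to dbgate's own appVersion (`alpine` per the README) for an unrelated image, so an empty tag yields a non-existent `kube-authz-proxy:alpine`; use `{{ required "authzproxy.tag is required" .Values.authzproxy.tag }}` instead. The commented-out probes also reference port `http`, which belongs to the dbgate container, so they will need `port: proxy` if re-enabled.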
@@ -77,6 +119,13 @@ spec:
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      {{- if .Values.authzproxy.params.platformCABundle }}
+      volumes:
+      - name: platform-auth
+        secret:
+          defaultMode: 420
+          secretName: {{ include "dbgate.fullname" . }}-platform-auth
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/dbgate/templates/secret.yaml b/charts/dbgate/templates/secret.yaml
new file mode 100644
index 00000000..2dae2cfe
--- /dev/null
+++ b/charts/dbgate/templates/secret.yaml
@@ -0,0 +1,17 @@
+{{ $data := dict }}
+
+{{- with .Values.authzproxy.params.platformCABundle }}
+{{ $_ := set $data "ca.crt" . }}
+{{- end }}
+
+{{- if $data }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "dbgate.fullname" . }}-platform-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dbgate.labels" . | nindent 4 }}
+type: Opaque
+stringData: {{ $data | toJson }}
+{{- end }}
diff --git a/charts/dbgate/templates/service.yaml b/charts/dbgate/templates/service.yaml
index 9f91eef2..a791be5d 100644
--- a/charts/dbgate/templates/service.yaml
+++ b/charts/dbgate/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
   type: {{ .Values.service.type }}
   ports:
   - port: {{ .Values.service.port }}
-    targetPort: http
+    targetPort: {{- if .Values.authzproxy.enabled }}"proxy"{{ else }}"http"{{ end }}
     protocol: TCP
     name: http
   selector:
diff --git a/charts/dbgate/templates/serviceaccount.yaml b/charts/dbgate/templates/serviceaccount.yaml
index 2599c812..543859d7 100644
--- a/charts/dbgate/templates/serviceaccount.yaml
+++ b/charts/dbgate/templates/serviceaccount.yaml
@@ -10,4 +10,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: true
 {{- end }}
diff --git a/charts/dbgate/values.yaml b/charts/dbgate/values.yaml
index 0894c2bd..d8f46690 100644
--- a/charts/dbgate/values.yaml
+++ b/charts/dbgate/values.yaml
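Review bot: The new `targetPort` line renders as `targetPort:"proxy"` with no space after the colon, because the `{{-` trims the whitespace to its left; that is not a valid YAML mapping entry, so the rendered Service is rejected whether or not the proxy is enabled. Write it as `targetPort: {{ if .Values.authzproxy.enabled }}proxy{{ else }}http{{ end }}` (a named port needs no quotes). This is the line that actually routes Service traffic through the authz proxy, so a `helm template` check in CI for both values of `authzproxy.enabled` would catch regressions here.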
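Review bot: `automountServiceAccountToken: true` on the ServiceAccount mounts the token into every container of the pod, including the dbgate container, and with the new binding that token carries `system:auth-delegator`, so a compromise of the DB GUI yields the ability to create TokenReviews and SubjectAccessReviews. The explicit `true` is also the Kubernetes default, so on its own it changes nothing. The tighter pattern is to set `automountServiceAccountToken: false` on the pod spec in deployment.yaml and give only the `authz-proxy` container a projected `serviceAccountToken` volume mounted at `/var/run/secrets/kubernetes.io/serviceaccount`. If the explicit setting stays, add a comment such as `# the authz-proxy sidecar uses this token to call TokenReview/SubjectAccessReview` so the reason is recorded.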
@@ -122,3 +122,30 @@ app:
 bind:
   name: ""
   namespace: ""
+
+authzproxy:
+  enabled: false
+  # KubeDB operator container image
+  repository: ghcr.io/appscode/kube-authz-proxy
+  # KubeDB operator container image tag
+  tag: "v0.0.1"
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  params:
+    listen: 8000
+    metricsAddr: 8080
+    platformURL: ""
+    platformCABundle: ""
diff --git a/charts/mongo-ui/README.md b/charts/mongo-ui/README.md
index 68d8c904..d6157b69 100644
--- a/charts/mongo-ui/README.md
+++ b/charts/mongo-ui/README.md
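Review bot: The comments `# KubeDB operator container image` and `# KubeDB operator container image tag` describe a different component; this is the kube-authz-proxy sidecar, and since the README tables are generated from these comments the wrong description propagates there too. Suggest `# kube-authz-proxy sidecar container image` and `# kube-authz-proxy sidecar container image tag`; the same text is copied into the mongo-ui, pgadmin and phpmyadmin values.yaml in this change. Because the sidecar is the credential-injecting trust boundary, it is also worth a comment that `tag` should stay pinned (a digest is stronger than `v0.0.1`) rather than relying on the deployment template's fallback to the app's appVersion.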
@@ -45,47 +45,56 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `mongo-ui` chart and their default values. -| Parameter | Description | Default | -|--------------------------------|------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| -| replicaCount | | 1 | -| image.repository | | "ugleiton/mongo-gui" | -| image.pullPolicy | | Always | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | -| imagePullSecrets | | [] | -| nameOverride | | "" | -| fullnameOverride | | "" | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | -| podAnnotations | | {} | -| podSecurityContext | | {} | -| securityContext | | {} | -| service.type | | ClusterIP | -| service.port | | 80 | -| resources | | {} | -| nodeSelector | | {} | -| tolerations | | [] | -| affinity | | {} | -| namespace.create | | false | -| gateway.className | | "ace" | -| gateway.port | | 10000 | -| gateway.tlsSecretRef.name | | service-presets-cert | -| gateway.tlsSecretRef.namespace | | ace | -| gateway.referenceGrant.create | | true | -| keda.proxyService.namespace | | "keda" | -| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | -| keda.proxyService.port | | 8080 | -| targetPendingRequests | | 200 | -| autoscaling.http.minReplicas | | 0 | -| autoscaling.http.maxReplicas | | 1 | -| app.service.name | | "" | -| app.service.namespace | | "" | -| app.authSecret.name | | "" | -| app.url | | "mongodb://root:***@*.*.svc:27017?retryWrites=true&w=majority" | -| 
tls.enabled | | false | -| tls.secretName | | "" # mongo client cert | -| bind.name | | "" | -| bind.namespace | | "" | +| Parameter | Description | Default | +|------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| replicaCount | | 1 | +| image.repository | | "ugleiton/mongo-gui" | +| image.pullPolicy | | Always | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | +| imagePullSecrets | | [] | +| nameOverride | | "" | +| fullnameOverride | | "" | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations | | {} | +| podSecurityContext | | {} | +| securityContext | | {} | +| service.type | | ClusterIP | +| service.port | | 80 | +| resources | | {} | +| nodeSelector | | {} | +| tolerations | | [] | +| affinity | | {} | +| namespace.create | | false | +| gateway.className | | "ace" | +| gateway.port | | 10000 | +| gateway.tlsSecretRef.name | | service-presets-cert | +| gateway.tlsSecretRef.namespace | | ace | +| gateway.referenceGrant.create | | true | +| keda.proxyService.namespace | | "keda" | +| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | +| keda.proxyService.port | | 8080 | +| targetPendingRequests | | 200 | +| autoscaling.http.minReplicas | | 0 | +| autoscaling.http.maxReplicas | | 1 | +| app.service.name | | "" | +| app.service.namespace | | "" | +| app.authSecret.name | | "" | +| app.url | | "mongodb://root:***@*.*.svc:27017?retryWrites=true&w=majority" | +| tls.enabled | | false | +| tls.secretName | | "" # mongo client cert | +| bind.name | | "" | +| bind.namespace | | "" | +| authzproxy.enabled | | false | +| authzproxy.repository | KubeDB operator container image | ghcr.io/appscode/kube-authz-proxy | +| authzproxy.tag | KubeDB operator container image tag | "v0.0.1" | +| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| authzproxy.resources | Compute Resources required by this container | {} | +| authzproxy.params.listen | | 8000 | +| authzproxy.params.metricsAddr | | 8080 | +| authzproxy.params.platformURL | | "" | +| authzproxy.params.platformCABundle | | "" | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: 
diff --git a/charts/mongo-ui/templates/deployment.yaml b/charts/mongo-ui/templates/deployment.yaml
index 32862473..6e5be44b 100644
--- a/charts/mongo-ui/templates/deployment.yaml
+++ b/charts/mongo-ui/templates/deployment.yaml
@@ -34,9 +34,11 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if not .Values.authzproxy.enabled }}
           env:
           - name: MONGO_URL
             value: {{ .Values.app.url }}
+          {{- end }}
           ports:
           - name: http
             containerPort: 4321
diff --git a/charts/mongo-ui/values.yaml b/charts/mongo-ui/values.yaml
index 61e6756c..9f897e13 100644
--- a/charts/mongo-ui/values.yaml
+++ b/charts/mongo-ui/values.yaml
@@ -119,3 +119,30 @@ tls:
 bind:
   name: ""
   namespace: ""
+
+authzproxy:
+  enabled: false
+  # KubeDB operator container image
+  repository: ghcr.io/appscode/kube-authz-proxy
+  # KubeDB operator container image tag
+  tag: "v0.0.1"
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  params:
+    listen: 8000
+    metricsAddr: 8080
+    platformURL: ""
+    platformCABundle: ""
diff --git a/charts/pgadmin/README.md b/charts/pgadmin/README.md
index 5807e5b3..a21c0f12 100644
--- a/charts/pgadmin/README.md
+++ b/charts/pgadmin/README.md
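Review bot: Gating `MONGO_URL` on `not .Values.authzproxy.enabled` removes the only connection string the mongo-gui container receives, but nothing in this diff adds an `authz-proxy` sidecar, a Service `targetPort` switch, or an auth-delegator binding to the mongo-ui chart, while the dbgate chart gets all three. As committed, `authzproxy.enabled: true` yields a mongo-gui with no database URL and no proxy in front of it, even though values.yaml and the README advertise the option. Either port the sidecar block from `charts/dbgate/templates/deployment.yaml` with `--target-url=http://localhost:4321` (the container's `containerPort` here), or leave the env unconditional until that lands.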
@@ -45,44 +45,53 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `pgadmin` chart and their default values. -| Parameter | Description | Default | -|--------------------------------|------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------| -| replicaCount | | 1 | -| image.repository | | "dpage/pgadmin4" | -| image.pullPolicy | | Always | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | -| imagePullSecrets | | [] | -| nameOverride | | "" | -| fullnameOverride | | "" | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | -| podAnnotations | | {} | -| podSecurityContext | | {} | -| securityContext | | {} | -| service.type | | ClusterIP | -| service.port | | 80 | -| resources | | {} | -| nodeSelector | | {} | -| tolerations | | [] | -| affinity | | {} | -| namespace.create | | false | -| gateway.className | | "ace" | -| gateway.port | | 8082 | -| gateway.tlsSecretRef.name | | service-presets-cert | -| gateway.tlsSecretRef.namespace | | ace | -| gateway.referenceGrant.create | | true | -| keda.proxyService.namespace | | "keda" | -| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | -| keda.proxyService.port | | 8080 | -| targetPendingRequests | | 200 | -| autoscaling.http.minReplicas | | 0 | -| autoscaling.http.maxReplicas | | 1 | -| app.service.name | | "" | -| app.service.namespace | | "" | -| app.authSecret.name | | "" | -| bind.name | | "" | -| bind.namespace | | "" | +| Parameter | Description | Default | 
+|------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| replicaCount | | 1 | +| image.repository | | "dpage/pgadmin4" | +| image.pullPolicy | | Always | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | +| imagePullSecrets | | [] | +| nameOverride | | "" | +| fullnameOverride | | "" | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations | | {} | +| podSecurityContext | | {} | +| securityContext | | {} | +| service.type | | ClusterIP | +| service.port | | 80 | +| resources | | {} | +| nodeSelector | | {} | +| tolerations | | [] | +| affinity | | {} | +| namespace.create | | false | +| gateway.className | | "ace" | +| gateway.port | | 8082 | +| gateway.tlsSecretRef.name | | service-presets-cert | +| gateway.tlsSecretRef.namespace | | ace | +| gateway.referenceGrant.create | | true | +| keda.proxyService.namespace | | "keda" | +| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | +| keda.proxyService.port | | 8080 | +| targetPendingRequests | | 200 | +| autoscaling.http.minReplicas | | 0 | +| autoscaling.http.maxReplicas | | 1 | +| app.service.name | | "" | +| app.service.namespace | | "" | +| app.authSecret.name | | "" | +| bind.name | | "" | +| bind.namespace | | "" | +| authzproxy.enabled | | false | +| authzproxy.repository | KubeDB operator container image | ghcr.io/appscode/kube-authz-proxy | +| authzproxy.tag | KubeDB operator 
container image tag | "v0.0.1" | +| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| authzproxy.resources | Compute Resources required by this container | {} | +| authzproxy.params.listen | | 8000 | +| authzproxy.params.metricsAddr | | 8080 | +| authzproxy.params.platformURL | | "" | +| authzproxy.params.platformCABundle | | "" | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/pgadmin/templates/deployment.yaml b/charts/pgadmin/templates/deployment.yaml index 7dcb997b..9778a78f 100644 --- a/charts/pgadmin/templates/deployment.yaml +++ b/charts/pgadmin/templates/deployment.yaml 
@@ -29,6 +29,46 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
+        {{- if .Values.authzproxy.enabled }}
+        - name: authz-proxy
+          securityContext:
+            {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
+          image: "{{ .Values.authzproxy.repository }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+          - run
+          - --listen={{ .Values.authzproxy.params.listen }}
+          - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
+          - --secret-name={{ .Values.app.authSecret.name }}
+          - --secret-namespace={{ .Release.Namespace }}
+          - --target-url=http://localhost:3000
+          - --platform-url={{ .Values.authzproxy.params.platformURL }}
+          {{- if .Values.authzproxy.params.platformCABundle }}
+          - --platform-ca-file=/var/platform-auth/ca.crt
+          {{- end }}
+          ports:
+          - name: proxy
+            containerPort: {{ .Values.authzproxy.params.listen }}
+            protocol: TCP
+          - name: metrics
+            containerPort: {{ .Values.authzproxy.params.metricsAddr }}
+            protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.authzproxy.resources | nindent 12 }}
+          {{- if .Values.authzproxy.params.platformCABundle }}
+          volumeMounts:
+          - mountPath: /var/platform-auth
+            name: platform-auth
+          {{- end }}
+        {{ end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
@@ -81,6 +121,12 @@ spec:
           secretName: {{ include "pgadmin.serviceAccountName" . }}-config
       - name: data
         emptyDir: {}
+      {{- if .Values.authzproxy.params.platformCABundle }}
+      - name: platform-auth
+        secret:
+          defaultMode: 420
+          secretName: {{ include "pgadmin.fullname" . }}-platform-auth
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/pgadmin/values.yaml b/charts/pgadmin/values.yaml
index 20c2c71d..f95fe139 100644
--- a/charts/pgadmin/values.yaml
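Review bot: The `platform-auth` volume references `{{ include "pgadmin.fullname" . }}-platform-auth`, but no `templates/secret.yaml` is added for pgadmin in this change (only dbgate gets one), so setting `authzproxy.params.platformCABundle` leaves the pod waiting on a Secret that nothing creates. The sidecar's `--target-url=http://localhost:3000` is copied verbatim from dbgate; the pgadmin container's `containerPort` is outside this hunk, so confirm it really is 3000 rather than the pgadmin4 image's default of 80, otherwise the proxy forwards to a closed port. This chart also receives neither the Service `targetPort` switch nor the auth-delegator ClusterRoleBinding that dbgate gets, so even with the sidecar running, Service traffic still lands on the pgadmin port and the proxy presumably lacks the RBAC it needs to validate callers.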
+++ b/charts/pgadmin/values.yaml
@@ -115,3 +115,30 @@ app:
 bind:
   name: ""
   namespace: ""
+
+authzproxy:
+  enabled: false
+  # KubeDB operator container image
+  repository: ghcr.io/appscode/kube-authz-proxy
+  # KubeDB operator container image tag
+  tag: "v0.0.1"
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  params:
+    listen: 8000
+    metricsAddr: 8080
+    platformURL: ""
+    platformCABundle: ""
diff --git a/charts/phpmyadmin/README.md b/charts/phpmyadmin/README.md
index d47f28ce..5d619d9c 100644
--- a/charts/phpmyadmin/README.md
+++ b/charts/phpmyadmin/README.md
@@ -45,44 +45,53 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `phpmyadmin` chart and their default values. -| Parameter | Description | Default | -|--------------------------------|------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------| -| replicaCount | | 1 | -| image.repository | | "phpmyadmin" | -| image.pullPolicy | | Always | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | -| imagePullSecrets | | [] | -| nameOverride | | "" | -| fullnameOverride | | "" | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | -| podAnnotations | | {} | -| podSecurityContext | | {} | -| securityContext | | {} | -| service.type | | ClusterIP | -| service.port | | 80 | -| resources | | {} | -| nodeSelector | | {} | -| tolerations | | [] | -| affinity | | {} | -| namespace.create | | false | -| gateway.className | | "ace" | -| gateway.port | | 8082 | -| gateway.tlsSecretRef.name | | service-presets-cert | -| gateway.tlsSecretRef.namespace | | ace | -| gateway.referenceGrant.create | | true | -| keda.proxyService.namespace | | "keda" | -| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | -| keda.proxyService.port | | 8080 | -| targetPendingRequests | | 200 | -| autoscaling.http.minReplicas | | 0 | -| autoscaling.http.maxReplicas | | 1 | -| app.service.name | | "" | -| app.service.namespace | | "" | -| app.authSecret.name | | "" | -| bind.name | | "" | -| bind.namespace | | "" | +| Parameter | Description | Default | 
+|------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| replicaCount | | 1 | +| image.repository | | "phpmyadmin" | +| image.pullPolicy | | Always | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | +| imagePullSecrets | | [] | +| nameOverride | | "" | +| fullnameOverride | | "" | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations | | {} | +| podSecurityContext | | {} | +| securityContext | | {} | +| service.type | | ClusterIP | +| service.port | | 80 | +| resources | | {} | +| nodeSelector | | {} | +| tolerations | | [] | +| affinity | | {} | +| namespace.create | | false | +| gateway.className | | "ace" | +| gateway.port | | 8082 | +| gateway.tlsSecretRef.name | | service-presets-cert | +| gateway.tlsSecretRef.namespace | | ace | +| gateway.referenceGrant.create | | true | +| keda.proxyService.namespace | | "keda" | +| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | +| keda.proxyService.port | | 8080 | +| targetPendingRequests | | 200 | +| autoscaling.http.minReplicas | | 0 | +| autoscaling.http.maxReplicas | | 1 | +| app.service.name | | "" | +| app.service.namespace | | "" | +| app.authSecret.name | | "" | +| bind.name | | "" | +| bind.namespace | | "" | +| authzproxy.enabled | | false | +| authzproxy.repository | KubeDB operator container image | ghcr.io/appscode/kube-authz-proxy | +| authzproxy.tag | KubeDB operator 
container image tag | "v0.0.1" | +| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| authzproxy.resources | Compute Resources required by this container | {} | +| authzproxy.params.listen | | 8000 | +| authzproxy.params.metricsAddr | | 8080 | +| authzproxy.params.platformURL | | "" | +| authzproxy.params.platformCABundle | | "" | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/phpmyadmin/templates/deployment.yaml b/charts/phpmyadmin/templates/deployment.yaml index 031bf7ba..bb2d2a8e 100644 --- a/charts/phpmyadmin/templates/deployment.yaml +++ b/charts/phpmyadmin/templates/deployment.yaml 
@@ -29,6 +29,46 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
+        {{- if .Values.authzproxy.enabled }}
+        - name: authz-proxy
+          securityContext:
+            {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
+          image: "{{ .Values.authzproxy.repository }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+          - run
+          - --listen={{ .Values.authzproxy.params.listen }}
+          - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
+          - --secret-name={{ .Values.app.authSecret.name }}
+          - --secret-namespace={{ .Release.Namespace }}
+          - --target-url=http://localhost:3000
+          - --platform-url={{ .Values.authzproxy.params.platformURL }}
+          {{- if .Values.authzproxy.params.platformCABundle }}
+          - --platform-ca-file=/var/platform-auth/ca.crt
+          {{- end }}
+          ports:
+          - name: proxy
+            containerPort: {{ .Values.authzproxy.params.listen }}
+            protocol: TCP
+          - name: metrics
+            containerPort: {{ .Values.authzproxy.params.metricsAddr }}
+            protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.authzproxy.resources | nindent 12 }}
+          {{- if .Values.authzproxy.params.platformCABundle }}
+          volumeMounts:
+          - mountPath: /var/platform-auth
+            name: platform-auth
+          {{- end }}
+        {{ end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
@@ -64,6 +104,12 @@ spec:
       # https://docs.phpmyadmin.net/en/latest/config.html#cfg_SaveDir
       - name: data
         emptyDir: {}
+      {{- if .Values.authzproxy.params.platformCABundle }}
+      - name: platform-auth
+        secret:
+          defaultMode: 420
+          secretName: {{ include "pgadmin.fullname" . }}-platform-auth
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/phpmyadmin/values.yaml b/charts/phpmyadmin/values.yaml
index 7c044cba..66cfd711 100644
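Review bot: `secretName: {{ include "pgadmin.fullname" . }}-platform-auth` in the phpmyadmin chart calls another chart's named template; unless phpmyadmin's `_helpers.tpl` happens to define `pgadmin.fullname` (not shown here), rendering fails as soon as `platformCABundle` is set, and if it did exist it would point at the wrong Secret. Change it to `secretName: {{ include "phpmyadmin.fullname" . }}-platform-auth`. The same gaps as in pgadmin apply: no `secret.yaml` creates that Secret in this chart, `--target-url=http://localhost:3000` needs checking against phpmyadmin's actual `containerPort` (outside this hunk), and no Service `targetPort` or auth-delegator change accompanies the sidecar, so enabling it does not yet put the proxy on the request path.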
--- a/charts/phpmyadmin/values.yaml
+++ b/charts/phpmyadmin/values.yaml
@@ -115,3 +115,30 @@ app:
 bind:
   name: ""
   namespace: ""
+
+authzproxy:
+  enabled: false
+  # KubeDB operator container image
+  repository: ghcr.io/appscode/kube-authz-proxy
+  # KubeDB operator container image tag
+  tag: "v0.0.1"
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  # Compute Resources required by this container
+  resources: {}
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  params:
+    listen: 8000
+    metricsAddr: 8080
+    platformURL: ""
+    platformCABundle: ""