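# Copyright (c) 2021, 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

# ClusterRole granted to the authproxy ServiceAccount (bound below). It allows
# impersonating users, groups and uids cluster-wide plus read access to Secrets
# in every namespace. The impersonation verbs are what make this proxy an
# identity boundary: anything that can act as this ServiceAccount can act as
# any user. Secret read is cluster-wide; if the proxy only needs Secrets in its
# own namespace a namespaced Role would be a tighter grant -- confirm against usage.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.impersonatorRoleName }}
rules:
  - apiGroups: [""]
    resources: ["users", "groups"]
    verbs: ["impersonate"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["uids"]
    verbs: ["impersonate"]
---
# Binds the impersonator ClusterRole to the authproxy ServiceAccount in the
# release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Values.impersonatorRoleName }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Values.impersonatorRoleName }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.name }}
    namespace: {{ .Release.Namespace }}
---
# Authproxy Deployment: an nginx-based proxy container, a Prometheus exporter
# sidecar, and (when v2 is enabled) the v2 authproxy container.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: {{ .Values.name }}
  name: {{ .Values.name }}
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{ .Values.replicas }}
  selector:
    matchLabels:
      app: {{ .Values.name }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
        # Annotation values must be strings; quoted so no parser retypes it.
        traffic.sidecar.istio.io/excludeOutboundPorts: "443,6443"
        verrazzano.io/metricsEnabled: "true"
        {{ if .Values.managedClusterRegistered }}
        verrazzano.io/managedClusterRegistered: "true"
        {{ end }}
        # Hash of the rendered ConfigMap template so a config change rolls the pods.
        verrazzano.io/cmChecksum: {{ include (print $.Template.BasePath "/verrazzano-authproxy-configmap.yaml") . | sha256sum }}
      labels:
        app: {{ .Values.name }}
    spec:
      volumes:
        # Everything the proxy reads at startup is projected into /api-config.
        # The TLS and cluster-registration secrets are optional; the cookie
        # encryption secret and the config map are required.
        - name: api-config
          projected:
            sources:
              - secret:
                  items:
                    - key: ca.crt
                      path: default-ca-bundle
                  name: verrazzano-tls
                  optional: true
              - secret:
                  name: verrazzano-cluster-registration
                  optional: true
                  items:
                    - key: ca-bundle
                      path: admin-ca-bundle
                    - key: keycloak-url
                      path: keycloak-url
                    - key: dex-url
                      path: dex-url
                    - key: oidc-provider
                      path: oidc-provider
              # Expected to be the Secret rendered at the end of this file
              # (name-secret); the name is hard-coded here, so it only lines up
              # when .Values.name is "verrazzano-authproxy" -- confirm.
              - secret:
                  name: verrazzano-authproxy-secret
                  items:
                    - key: cookie-encryption-key
                      path: cookie-encryption-key
              - configMap:
                  name: verrazzano-authproxy-config
                  items:
                    # Modes are octal (YAML 1.1 / go-yaml); Kubernetes expects
                    # an integer here, so do not quote these.
                    - key: startup.sh
                      path: startup.sh
                      mode: 0755
                    - key: nginx.conf
                      path: nginx.conf
                      mode: 0744
                    - key: conf.lua
                      path: conf.lua
                      mode: 0755
                    - key: auth.lua
                      path: auth.lua
                      mode: 0755
                    - key: reload.sh
                      path: reload.sh
                      mode: 0755
        {{- if .Values.v2.enabled }}
        # Only the v2 container mounts this volume. It is guarded by the same
        # condition as that container: an unmounted Secret volume is still set
        # up by the kubelet, so a missing Secret would block the whole pod even
        # with v2 disabled.
        - name: oidc-config-secret
          secret:
            secretName: {{ .Values.v2.oidcConfigSecret }}
        {{- end }}
{{- with .Values.affinity }}
      affinity:
{{- tpl . $ | nindent 8 }}
{{- end }}
      containers:
        - image: {{ .Values.imageName }}:{{ .Values.imageVersion }}
          imagePullPolicy: {{ .Values.pullPolicy }}
          name: {{ .Values.name }}
          command: ["/api-config/startup.sh"]
          env:
            - name: VZ_API_HOST
              value: "verrazzano.{{ .Values.config.envName }}.{{ .Values.config.dnsSuffix }}"
            - name: VZ_API_VERSION
              value: "20210501"
          ports:
            - containerPort: {{ .Values.port }}
            - containerPort: {{ .Values.grpcPort }}
          livenessProbe:
            initialDelaySeconds: 30
            periodSeconds: 5
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 1
            tcpSocket:
              port: {{ .Values.port }}
          readinessProbe:
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            failureThreshold: 1
            timeoutSeconds: 1
            tcpSocket:
              port: {{ .Values.port }}
          volumeMounts:
            - mountPath: /api-config
              name: api-config
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              # NET_BIND_SERVICE is the only capability kept; presumably so the
              # non-root nginx user can bind a privileged port -- confirm it is
              # still needed for the configured .Values.port.
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
        # nginx metrics exporter; scrapes the proxy's local status page.
        - image: {{ .Values.metricsImageName }}:{{ .Values.metricsImageVersion }}
          imagePullPolicy: {{ .Values.pullPolicy }}
          name: verrazzano-authproxy-metrics
          command: ["/usr/bin/nginx-prometheus-exporter"]
          env:
            - name: SCRAPE_URI
              value: "http://localhost:{{ .Values.port }}/nginx_status"
          ports:
            - containerPort: 9113
              name: http-metrics
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /metrics
              port: http-metrics
            initialDelaySeconds: 3
            periodSeconds: 3
          startupProbe:
            httpGet:
              path: /metrics
              port: http-metrics
            failureThreshold: 30
            periodSeconds: 3
          readinessProbe:
            httpGet:
              path: /metrics
              port: http-metrics
            failureThreshold: 3
            periodSeconds: 3
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        {{- if .Values.v2.enabled }}
        # v2 authproxy. No imagePullPolicy is set, so the Kubernetes default
        # (derived from the image tag) applies rather than .Values.pullPolicy.
        - image: {{ .Values.v2.image }}
          name: verrazzano-authproxy-v2
          ports:
            - containerPort: {{ .Values.v2.port }}
          args:
            - --port={{ .Values.v2.port }}
          livenessProbe:
            initialDelaySeconds: 30
            periodSeconds: 5
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 1
            tcpSocket:
              port: {{ .Values.v2.port }}
          readinessProbe:
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            failureThreshold: 1
            timeoutSeconds: 1
            tcpSocket:
              port: {{ .Values.v2.port }}
          securityContext:
            # Overrides the pod-level 101/101 nginx identity for this container.
            runAsUser: 1000
            runAsGroup: 999
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: oidc-config-secret
              mountPath: /etc/config
        {{- end }}
      serviceAccountName: {{ .Values.name }}
      securityContext:
        runAsUser: 101 # nginx container user
        runAsGroup: 101 # nginx container group
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
---
# Main Service. The http-v2 port is published even when v2 is disabled; with
# no container listening, connections to it are refused.
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.name }}
  namespace: {{ .Release.Namespace }}
spec:
  ports:
    - name: http-api
      port: {{ .Values.port }}
      protocol: TCP
      targetPort: {{ .Values.port }}
    - name: grpc
      port: {{ .Values.grpcPort }}
      protocol: TCP
      targetPort: {{ .Values.grpcPort }}
    - name: http-v2
      port: {{ .Values.v2.port }}
      protocol: TCP
      targetPort: {{ .Values.v2.port }}
  selector:
    app: {{ .Values.name }}
---
# Additional Service name for the same pods, exposing only the HTTP API port.
apiVersion: v1
kind: Service
metadata:
  name: verrazzano-authproxy-opensearch
  namespace: {{ .Release.Namespace }}
spec:
  ports:
    - name: http-authproxy
      port: {{ .Values.port }}
      protocol: TCP
      targetPort: {{ .Values.port }}
  selector:
    app: {{ .Values.name }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.name }}
  namespace: {{ .Release.Namespace }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end }}
---
# Cookie encryption key. randAscii produces a fresh value on every render, so
# an upgrade that does not pass the existing key on the helm command line
# rotates it and invalidates sessions in flight.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: {{ .Values.name }}-secret
  namespace: {{ .Release.Namespace }}
data:
  # encryption key generated dynamically and overridden on helm command line
  cookie-encryption-key: {{ randAscii 64 | b64enc | quote }}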