Initial code

Change-Id: I9d616358e44b7a81ede8eda7d65d8f33e70d0faa

Author: sorrison

.github/workflows/main.yml

@@ -0,0 +1,12 @@
+name: 'Build Release'
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    uses: NeCTAR-RC/gh-actions/.github/workflows/build-release.yaml@master

.gitignore

@@ -0,0 +1 @@
+charts/*

.gitreview

@@ -0,0 +1,5 @@
+[gerrit]
+host=review.rc.nectar.org.au
+port=29418
+project=NeCTAR-RC/keystone-helm.git
+defaultbranch=master

.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: common
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 2.29.1
+- name: nectarlib
+  repository: oci://registry.rc.nectar.org.au/nectar-helm
+  version: 3.0.2
+digest: sha256:cb1e27162273908127931b8a46792d0981d36bdbfdd48832a22390f0d4c19a59
+generated: "2025-02-06T11:39:56.006191974+11:00"

Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: keystone
+description: A Helm chart for Openstack Keystone
+type: application
+version: 1.0.0
+appVersion: 25.0.0-14-g155f38a86-5-9
+dependencies:
+- name: common
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 2.29.1
+- name: nectarlib
+  version: 3.0.2
+  repository: oci://registry.rc.nectar.org.au/nectar-helm

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.api.ingress.enabled }}
+{{- range $host := .Values.api.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.api.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "nectarlib.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "nectarlib.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "nectarlib.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "nectarlib.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

templates/_helpers.tpl

@@ -0,0 +1,20 @@
+{{/*
+Vault annotations
+*/}}
+{{- define "keystone.vaultAnnotations" -}}
+vault.hashicorp.com/role: "{{ .Values.vault.role }}"
+vault.hashicorp.com/agent-inject: "true"
+vault.hashicorp.com/agent-pre-populate-only: "true"
+vault.hashicorp.com/agent-inject-status: "update"
+vault.hashicorp.com/secret-volume-path-secrets.conf: /etc/keystone/keystone.conf.d
+vault.hashicorp.com/agent-inject-secret-secrets.conf: "{{ .Values.vault.settings_secret }}"
+vault.hashicorp.com/agent-inject-template-secrets.conf: |
+  {{ print "{{- with secret \"" .Values.vault.settings_secret "\" -}}" }}
+  {{ print "[identity]" }}
+  {{ print "password_reset_token={{ .Data.data.password_reset_token }}" }}
+  {{ print "[rcshibboleth]" }}
+  {{ print "admin_token={{ .Data.data.rcshib_admin_token }}" }}
+  {{ print "[database]" }}
+  {{ print "connection={{ .Data.data.database_connection }}" }}
+  {{ print "{{- end -}}" }}
+{{- end }}

templates/_keystone_conf.tpl

@@ -0,0 +1,49 @@
+{{- define "keystone-conf" }}
+[DEFAULT]
+public_endpoint={{ .Values.conf.public_endpoint }}
+max_token_size=255
+
+[auth]
+methods=external,password,token,oauth1,mapped,application_credential,totp
+
+{{- if .Values.conf.cors.allowed_origin }}
+[cors]
+allowed_origin={{ .Values.conf.cors.allowed_origin }}
+allow_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token
+{{- end }}
+
+[token]
+allow_expired_window=604800
+expiration=21600
+provider=fernet
+revoke_by_id=True
+
+{{- if .Values.conf.rcshib.allowed_hosts }}
+[rcshibboleth]
+allowed_hosts={{ join "," .Values.conf.rcshib.allowed_hosts }}
+{{- end }}
+
+[fernet_tokens]
+key_repository=/etc/keystone/fernet-keys
+max_active_keys=12
+
+[credential]
+key_repository=/etc/keystone/credential-keys
+
+{{- if .Values.conf.cache.memcached_servers }}
+[cache]
+backend=oslo_cache.memcache_pool
+enabled=True
+memcached_servers={{ join "," .Values.conf.cache.memcached_servers }}
+{{- end }}
+
+[oslo_policy]
+policy_file=/etc/keystone/policy.yaml
+
+[database]
+connection_recycle_time=60
+
+[oslo_messaging_notifications]
+driver=log
+
+{{- end }}