diff --git a/chart/auth-proxy/.helmignore b/chart/auth-proxy/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/chart/auth-proxy/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/chart/auth-proxy/Chart.yaml b/chart/auth-proxy/Chart.yaml new file mode 100644 index 000000000..49937cd7f --- /dev/null +++ b/chart/auth-proxy/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +description: OpenFaaS Authentication Proxy +name: auth-proxy +version: 0.0.1 +sources: +- https://github.com/openfaas/faas-netes +home: https://www.openfaas.com +icon: https://raw.githubusercontent.com/openfaas/media/master/OpenFaaS_logo_stacked_opaque.png +keywords: +- functions +- serverless +- faas +maintainers: +- name: alexellis + email: alex@openfaas.com +- name: welteki + email: han@openfaas.com diff --git a/chart/auth-proxy/templates/_helpers.tpl b/chart/auth-proxy/templates/_helpers.tpl new file mode 100644 index 000000000..9affa41ca --- /dev/null +++ b/chart/auth-proxy/templates/_helpers.tpl 
@@ -0,0 +1,44 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "connector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "connector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "connector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "connector.labels" -}} +helm.sh/chart: {{ include "connector.chart" . }} +app.kubernetes.io/name: {{ include "connector.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: auth-proxy +app.kubernetes.io/part-of: openfaas +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} \ No newline at end of file diff --git a/chart/auth-proxy/templates/deployment.yaml b/chart/auth-proxy/templates/deployment.yaml new file mode 100644 index 000000000..15a54a109 --- /dev/null +++ b/chart/auth-proxy/templates/deployment.yaml 
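Review bot: Every helper in this new file is named `connector.name` / `connector.fullname` / `connector.chart` / `connector.labels` although the chart is `auth-proxy`, which reads like a copy from another chart and makes the templates harder to grep for. Renaming them to `auth-proxy.name` and so on (and updating the `template`/`include` call sites in the other templates of this commit) would make ownership clear. If the name is kept for compatibility with shared tooling, a one-line comment at the top such as `{{/* Helpers are prefixed "connector." for parity with the other OpenFaaS connector charts */}}` would save the next reader the question.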
@@ -0,0 +1,111 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + # Original Helm labels v + app: {{ template "connector.name" . }} + component: auth-proxy + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + {{- include "connector.labels" . | nindent 4 }} + name: {{ template "connector.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "connector.name" . }} + name: {{ template "connector.name" . }} + component: auth-proxy + template: + metadata: + labels: + app: {{ template "connector.name" . }} + name: {{ template "connector.name" . }} + component: auth-proxy + spec: + {{- if .Values.accessTokenSecret }} + serviceAccountName: {{ template "connector.fullname" . }} + {{- end }} + volumes: + - name: license + secret: + secretName: openfaas-license + {{- if .Values.accessTokenSecret }} + - name: openfaas-token + projected: + sources: + - serviceAccountToken: + path: openfaas-token + expirationSeconds: 7200 + audience: {{ .Values.gatewayURL }} + - name: access-token-secret + secret: + secretName: {{ .Values.accessTokenSecret }} + {{- end }} + {{- if .Values.iam.loginIssuer.clientSecret }} + - name: oauth-client-secret + secret: + secretName: {{ .Values.iam.loginIssuer.clientSecret }} + {{- end }} + containers: + - name: auth-proxy + image: {{ .Values.image }} + command: + - "/usr/bin/proxy" + - "-license-file=/var/secrets/license/license" + env: + - name: "public_url" + value: {{ .Values.url | quote }} + - name: gateway_url + value: {{ .Values.gatewayURL | quote }} + - name: "debug" + value: "{{ .Values.logs.debug }}" + - name: "log_encoding" + value: "{{ .Values.logs.format }}" + {{- if .Values.iam.systemIssuer.url }} + - name: system_issuer + value: {{ .Values.iam.systemIssuer.url }} + {{- end }} + {{- if .Values.iam.loginIssuer.url }} + - name: login_issuer + value: {{ .Values.iam.loginIssuer.url 
}} + - name: login_issuer_client_id + value: {{ .Values.iam.loginIssuer.clientId }} + {{- end }} + resources: + {{- .Values.resources | toYaml | nindent 12 }} + volumeMounts: + - name: license + readOnly: true + mountPath: "/var/secrets/license" + {{- if .Values.accessTokenSecret }} + - name: openfaas-token + readOnly: true + mountPath: /var/secrets/tokens + - name: access-token-secret + readOnly: true + mountPath: /var/secrets/access_token + {{- end }} + {{- if .Values.iam.loginIssuer.clientSecret }} + - name: oauth-client-secret + readOnly: true + mountPath: /var/secrets/oauth + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/chart/auth-proxy/templates/policy.yaml b/chart/auth-proxy/templates/policy.yaml new file mode 100644 index 000000000..1f4e61209 --- /dev/null +++ b/chart/auth-proxy/templates/policy.yaml @@ -0,0 +1,17 @@ + {{- if .Values.accessTokenSecret }} +apiVersion: iam.openfaas.com/v1 +kind: Policy +metadata: + name: {{ template "connector.fullname" . }} + namespace: openfaas + labels: + {{- include "connector.labels" . | nindent 4 }} +spec: + statement: + - sid: 1-invoke + action: + - Function:Invoke + effect: Allow + resource: + {{- toYaml .Values.iam.resource | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/chart/auth-proxy/templates/role.yaml b/chart/auth-proxy/templates/role.yaml new file mode 100644 index 000000000..c19f7a9dc --- /dev/null +++ b/chart/auth-proxy/templates/role.yaml 
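Review bot: The new pod spec in deployment.yaml sets no `securityContext` and does not disable `automountServiceAccountToken`, so the proxy runs with whatever defaults the node gives it and, whenever `accessTokenSecret` is unset, carries the default service account's API-server token that nothing in this chart needs. Setting `automountServiceAccountToken: false` on the pod keeps the explicit projected token (audience `gatewayURL`) because projected `serviceAccountToken` sources do not depend on the automount flag. A container `securityContext` dropping capabilities and privilege escalation is safe to add; `runAsNonRoot`/`readOnlyRootFilesystem` depend on how the `welteki/auth-proxy` image is built, which is not visible here, so confirm before enabling them. Separately, the templated scalars `audience: {{ .Values.gatewayURL }}`, `system_issuer`, `login_issuer` and `login_issuer_client_id` are unquoted; piping them through `| quote` avoids a broken manifest when a value is empty or contains YAML specials.

```yaml
    spec:
      automountServiceAccountToken: false
      # … unchanged: serviceAccountName, volumes …
      containers:
      - name: auth-proxy
        image: {{ .Values.image }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          runAsNonRoot: true          # confirm the image runs as a non-root user
          readOnlyRootFilesystem: true  # confirm the proxy writes nothing outside the mounted secrets
        # … unchanged: command, env, resources, volumeMounts, ports …
```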
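Review bot: The Policy in policy.yaml hardcodes `namespace: openfaas` while the Deployment, Service and ServiceAccount in the same commit use `.Release.Namespace`, so installing the chart into any other namespace produces a Policy in a namespace the release does not own. If the IAM CRDs are only honoured in the `openfaas` namespace, that is a requirement worth stating; otherwise this should be `namespace: {{ .Release.Namespace | quote }}`. Either way a comment such as `# IAM objects must live in the openfaas namespace where the gateway reads them` above the `namespace:` line would document the choice.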
@@ -0,0 +1,19 @@ + {{- if .Values.accessTokenSecret }} +apiVersion: iam.openfaas.com/v1 +kind: Role +metadata: + name: {{ template "connector.fullname" . }} + namespace: openfaas + labels: + {{- include "connector.labels" . | nindent 4 }} +spec: + policy: + - {{ template "connector.fullname" . }} + principal: + jwt:sub: + - "system:serviceaccount:{{ .Release.Namespace }}:{{ template "connector.fullname" . }}" + condition: + StringEqual: + jwt:iss: + - {{.Values.iam.kubernetesIssuer.url}} +{{- end }} \ No newline at end of file diff --git a/chart/auth-proxy/templates/service.yaml b/chart/auth-proxy/templates/service.yaml new file mode 100644 index 000000000..749b2f7d2 --- /dev/null +++ b/chart/auth-proxy/templates/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: auth-proxy + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "connector.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + component: auth-proxy + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: http + selector: + app: auth-proxy \ No newline at end of file diff --git a/chart/auth-proxy/templates/serviceaccount.yaml b/chart/auth-proxy/templates/serviceaccount.yaml new file mode 100644 index 000000000..cd261657a --- /dev/null +++ b/chart/auth-proxy/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ + {{- if .Values.accessTokenSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "connector.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "connector.labels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/chart/auth-proxy/values.yaml b/chart/auth-proxy/values.yaml new file mode 100644 index 000000000..9c0abff91 --- /dev/null +++ b/chart/auth-proxy/values.yaml 
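Review bot: In role.yaml the `jwt:iss` condition value `{{.Values.iam.kubernetesIssuer.url}}` is rendered unquoted and is the only thing that decides whether the proxy's projected token is accepted, so an empty or cluster-specific value fails closed without any hint in the rendered manifest. Rendering it as `- {{ .Values.iam.kubernetesIssuer.url | quote }}` prevents a malformed list item, and the default of `https://kubernetes.default.svc.cluster.local` from values.yaml matches only clusters that issue tokens with that issuer; managed distributions commonly use a different issuer URL. A comment next to the condition, `# Must match the "iss" claim of projected service account tokens on this cluster`, would point operators at the right value when the Role silently denies.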
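Review bot: The Service selector in service.yaml is the literal `app: auth-proxy`, but the Deployment's pod labels are rendered from `template "connector.name" .`, so setting `nameOverride` leaves the Service selecting no pods while the Deployment still reports healthy. The selector (and the hardcoded `name: auth-proxy`, which also collides if two releases land in one namespace) should be derived from the same helpers: `app: {{ template "connector.name" . }}` and `name: {{ template "connector.fullname" . }}`. Adding `component: auth-proxy` to the selector would also keep it aligned with the Deployment's `matchLabels`.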
@@ -0,0 +1,43 @@ +image: docker.io/welteki/auth-proxy:v0.0.1-3-g1b1b4b3 + +url: "https://auth-proxy.example.com" + +gatewayURL: http://gateway.openfaas.svc.cluster.local:8080 + +accessTokenSecret: "" + +iam: + # URL for the OpenFaaS system components issuer. + # This is usually the public url of the gateway. + systemIssuer: + url: "http://gateway.openfaas.svc.cluster.local:8080" + # URL for the Kubernetes service account issuer. + kubernetesIssuer: + url: https://kubernetes.default.svc.cluster.local + # Use same configuration as the dashboardIssuer in the OpenFaaS chart + loginIssuer: + url: "" + clientId: "" + clientSecret: "" + # Function resources the auth-proxy should be allow to invoke. + resource: ["*"] + + +resources: + requests: + memory: "64Mi" + cpu: "100m" + # limits: + # memory: "256Mi" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +logs: + # Log debug messages + debug: false + # Set the log format, supports console or json + format: "console" \ No newline at end of file
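Review bot: The default `iam.resource: ["*"]` in values.yaml, combined with the Policy template in this commit, grants the proxy's service account `Function:Invoke` on every function in the cluster out of the box, which is the opposite of a least-privilege default for a component that sits on a public URL. Shipping an empty list (`resource: []`) or documenting the scope-down explicitly would make operators choose; at minimum the comment should read `# Functions the auth-proxy may invoke; "*" grants invoke on every function — scope this down to "<namespace>:<function>" entries in production.` The `systemIssuer` comment says the value is "usually the public url of the gateway" while the default is the in-cluster `http://gateway.openfaas.svc.cluster.local:8080`; one of the two should change so the comment does not contradict the default. The image reference is a plain tag under a personal Docker Hub namespace; pinning by digest, or at least noting that the tag is mutable, would be expected for a chart that is about to carry an OAuth client secret.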