diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 2e3a453..2fca12a 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -169,15 +169,15 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.service.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `false` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is 
generated and used. | `false` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). If the chart is installed in default namespaces (e.g. default), `securityContext.runAsUser` must be set if the proxy image does not specify a numeric non-root user. This is due to OpenShift Security Context Constraints are not applied in default namespaces. See [Understanding and Managing Pod Security Admission](https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html#psa-privileged-namespaces_understanding-and-managing-pod-security-admission). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index a7de8c1..fa9375a 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -39,7 +39,7 @@ kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }}
 export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}")
-{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }}
+{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled }}
 kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:https
 {{- else }}
 kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:http
@@ -63,6 +63,6 @@
 {{- else if contains "LoadBalancer" .Values.core.service.type }}
 echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }}
 {{- else if contains "ClusterIP" .Values.core.service.type }}
- {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }}
+ {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }}
 {{- end }}
 ```
diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl
index e4b2a82..db3fc6b 100644
--- a/charts/cryostat/templates/_oauth2Proxy.tpl
+++ b/charts/cryostat/templates/_oauth2Proxy.tpl
@@ -47,7 +47,7 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml
 mountPath: /etc/oauth2_proxy/basicauth
 readOnly: true
 {{- end }}
- {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }}
+ {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}
 - name: {{ .Release.Name }}-oauth2proxy-tls
 mountPath: /etc/tls/private
 {{- end }}
diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml
index e704f9b..63094fe 100644
--- a/charts/cryostat/templates/alpha_config.yaml
+++ b/charts/cryostat/templates/alpha_config.yaml
@@ -12,7 +12,7 @@ data:
 alpha_config.yaml: |-
 server:
 BindAddress: http://0.0.0.0:4180
- {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }}
+ {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}
 SecureBindAddress: https://0.0.0.0:8443
 TLS:
 Key:
diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml
index e076d95..9cc5b54 100644
--- a/charts/cryostat/templates/cryostat_deployment.yaml
+++ b/charts/cryostat/templates/cryostat_deployment.yaml
@@ -204,7 +204,7 @@ spec:
 - name: {{ .Release.Name }}-proxy-tls
 secret:
 secretName: {{ .Release.Name }}-proxy-tls
- {{- else if .Values.oauth2Proxy.service.tls.selfSigned.enabled }}
+ {{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }}
 - name: {{ .Release.Name }}-oauth2proxy-tls
 secret:
 secretName: {{ .Release.Name }}-oauth2proxy-tls
diff --git a/charts/cryostat/templates/cryostat_service.yaml b/charts/cryostat/templates/cryostat_service.yaml
index 86371dc..7cf7b61 100644
--- a/charts/cryostat/templates/cryostat_service.yaml
+++ b/charts/cryostat/templates/cryostat_service.yaml
@@ -19,7 +19,7 @@ spec:
 protocol: TCP
 name: http
 appProtocol: http
- {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }}
+ {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled }}
 - port: 443
 targetPort: 8443
 protocol: TCP
diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml
index 2e1354d..13fea26 100644
--- a/charts/cryostat/templates/cryostat_tls_secret.yaml
+++ b/charts/cryostat/templates/cryostat_tls_secret.yaml
@@ -1,4 +1,4 @@
-{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.selfSigned.enabled)) }}
+{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled)) }}
 {{- $fullName := include "cryostat.fullname" . }}
 {{- $cert := genSelfSignedCert $fullName nil nil 365 }}
 apiVersion: v1
diff --git a/charts/cryostat/tests/alpha_config_test.yaml b/charts/cryostat/tests/alpha_config_test.yaml
index f41d73d..c0312ad 100644
--- a/charts/cryostat/tests/alpha_config_test.yaml
+++ b/charts/cryostat/tests/alpha_config_test.yaml
@@ -20,7 +20,7 @@ tests:
 - it: should create configmap with correct alpha configurations when self-signed TLS is enabled
 set:
- oauth2Proxy.service.tls.selfSigned.enabled: true
+ oauth2Proxy.tls.selfSigned.enabled: true
 asserts:
 - matchRegex:
 path: data['alpha_config.yaml']
diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml
index 60e1f60..da69b54 100644
--- a/charts/cryostat/tests/cryostat_deployment_test.yaml
+++ b/charts/cryostat/tests/cryostat_deployment_test.yaml
@@ -414,7 +414,7 @@ tests:
 - it: should validate volumes and volume mounts with oauth2-proxy self-signed TLS enabled
 set:
- oauth2Proxy.service.tls.selfSigned.enabled: true
+ oauth2Proxy.tls.selfSigned.enabled: true
 asserts:
 - lengthEqual:
 count: 2
diff --git a/charts/cryostat/tests/cryostat_service_test.yaml b/charts/cryostat/tests/cryostat_service_test.yaml
index 95bda5c..1279ab2 100644
--- a/charts/cryostat/tests/cryostat_service_test.yaml
+++ b/charts/cryostat/tests/cryostat_service_test.yaml
@@ -136,7 +136,7 @@ tests:
 - it: should create a Service with the correct settings when oauth2-proxy self-signed TLS is enabled
 set:
- oauth2Proxy.service.tls.selfSigned.enabled: true
+ oauth2Proxy.tls.selfSigned.enabled: true
 asserts:
 - hasDocuments:
 count: 1
diff --git a/charts/cryostat/tests/cryostat_tls_secret_test.yaml b/charts/cryostat/tests/cryostat_tls_secret_test.yaml
index c3b8bda..dc4e918 100644
--- a/charts/cryostat/tests/cryostat_tls_secret_test.yaml
+++ b/charts/cryostat/tests/cryostat_tls_secret_test.yaml
@@ -3,13 +3,12 @@ templates:
 - cryostat_tls_secret.yaml
 tests:
- - it: should create a TLS cert secret if oauth2Proxy.service.tls.selfSigned.enabled is set
+ - it: should create a TLS cert secret if oauth2Proxy.tls.selfSigned.enabled is set
 set:
 oauth2Proxy:
- service:
- tls:
- selfSigned:
- enabled: true
+ tls:
+ selfSigned:
+ enabled: true
 asserts:
 - hasDocuments:
 count: 1
@@ -36,13 +35,12 @@ tests:
 app.kubernetes.io/version: 4.0.0-dev
 helm.sh/chart: cryostat-2.0.0-dev
- - it: should not create a TLS cert secret if oauth2Proxy.service.tls.selfSigned.enabled is not set
+ - it: should not create a TLS cert secret if oauth2Proxy.tls.selfSigned.enabled is not set
 set:
 oauth2Proxy:
- service:
- tls:
- selfSigned:
- enabled: false
+ tls:
+ selfSigned:
+ enabled: false
 asserts:
 - hasDocuments:
 count: 0
diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml
index 1e791eb..dfaf525 100644
--- a/charts/cryostat/tests/notes_test.yaml
+++ b/charts/cryostat/tests/notes_test.yaml
@@ -110,10 +110,9 @@ tests:
 - it: should render correct notes for ClusterIP service without ingress or route and TLS enabled
 set:
 oauth2Proxy:
- service:
- tls:
- selfSigned:
- enabled: true
+ tls:
+ selfSigned:
+ enabled: true
 asserts:
 - equalRaw:
 value: |
@@ -139,10 +138,9 @@ tests:
 - it: should render correct notes for ClusterIP service without ingress or route and TLS disabled
 set:
 oauth2Proxy:
- service:
- tls:
- selfSigned:
- enabled: false
+ tls:
+ selfSigned:
+ enabled: false
 asserts:
 - equalRaw:
 value: |
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index 5913926..4b0d958 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
@@ -739,21 +739,16 @@
 }
 }
 },
- "service": {
+ "tls": {
 "type": "object",
 "properties": {
- "tls": {
+ "selfSigned": {
 "type": "object",
 "properties": {
- "selfSigned": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.",
- "default": false
- }
- }
+ "enabled": {
+ "type": "boolean",
+ "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.",
+ "default": false
 }
 }
 }
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 144cd4d..5b47e40 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
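Review bot: The values.schema.json hunk moves the key from `oauth2Proxy.service.tls.selfSigned.enabled` to `oauth2Proxy.tls.selfSigned.enabled` but nothing in the change rejects the old key, so unless the enclosing `oauth2Proxy` object already sets `"additionalProperties": false` (not visible in this hunk) a stale values file still passes validation. On `helm upgrade` every template now reads only the new key, so an installation that still sets the old one silently loses the `*-oauth2proxy-tls` Secret, the 443 Service port and the `SecureBindAddress` listener and falls back to plaintext HTTP on 4180/8080 with no error — a silent TLS downgrade. I would either add `"additionalProperties": false` to the `oauth2Proxy` schema object so the stale key fails validation, or add a template guard such as `{{- if (.Values.oauth2Proxy.service).tls }}{{ fail "oauth2Proxy.service.tls.selfSigned.enabled has moved to oauth2Proxy.tls.selfSigned.enabled" }}{{- end }}` and record the rename as a breaking change in the chart changelog. The enclosing `oauth2Proxy` schema object begins and ends outside this hunk.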
@@ -267,11 +267,10 @@ oauth2Proxy:
 pullPolicy: Always
 ## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image
 tag: "latest"
- service:
- tls:
- selfSigned:
- ## @param oauth2Proxy.service.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.
- enabled: false
+ tls:
+ selfSigned:
+ ## @param oauth2Proxy.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.
+ enabled: false
 resources:
 requests:
 ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container.