Skip to content

Commit

Permalink
Initial commit of the gangway chart (helm#12713)
Browse files Browse the repository at this point in the history
* initial commit of the gangway chart

Signed-off-by: Robin Kearney <[email protected]>

* Fixing yaml linting errors

Signed-off-by: Robin Kearney <[email protected]>
  • Loading branch information
rk295 authored and devnulled committed Apr 25, 2019
1 parent 52d11d2 commit 809e839
Show file tree
Hide file tree
Showing 13 changed files with 543 additions and 0 deletions.
21 changes: 21 additions & 0 deletions stable/gangway/.helmignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
12 changes: 12 additions & 0 deletions stable/gangway/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
description: An application that can be used to easily enable authentication flows via OIDC for a kubernetes cluster.
name: gangway
version: 0.0.5
appVersion: 3.0.0
home: https://github.com/heptiolabs/gangway
sources:
- https://github.com/heptiolabs/gangway
engine: gotpl
maintainers:
- name: rk295
email: [email protected]
5 changes: 5 additions & 0 deletions stable/gangway/OWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
approvers:
- rk295
reviewers:
- rk295

113 changes: 113 additions & 0 deletions stable/gangway/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
# Gangway

An application that can be used to easily enable authentication flows via OIDC for a kubernetes cluster.

## TL;DR

helm install stable/gangway

## Introduction

The chart deploys an instance of Gangway into a Kubernetes cluster using the Helm package manager.

This chart will do the following:

* Create a deployment of [gangway] within your Kubernetes Cluster.

## Installing the Chart

To install the chart with the release name `my-release`:

```bash
helm install --name my-release stable/gangway
```

Due to the nature of OIDC configuration, deploying the chart without at least some of the values being set will not result in a functioning application. See the Configuration section below for more information.

## Configuration

The following table lists the configurable parameters of the external-dns chart and their default values.

All values under the `gangway` top level object are passed directly to the Gangway container via a `yaml` config file. The contents of that object in [`values.yaml`](values.yaml) are lifted directly from the Gangway [documentation](https://github.com/heptiolabs/gangway/tree/master/docs).

At a minimum you *must* configure any of the values marked as **required** in the table below.

| Parameter | Description | Default |
| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
| `affinity` | List of affinities (requires Kubernetes >=1.6) | `{}` |
| `gangway.allowEmptyClientSecret` | Some identity providers accept an empty client secret, this is not generally considered a good idea. If you have to use an empty secret and accept the risks that come with that then you can set this to true. | `false` |
| `gangway.apiServerURL` | The API server endpoint used to configure kubectl. **Required** | `""` |
| `gangway.audience` | Endpoint that provides user profile information [optional]. Not all providers will require this. To be taken from the configuration of your OIDC provider. **Required** | `""` |
| `gangway.authorizeURL` | OAuth2 URL to start authorization flow. To be taken from the configuration of your OIDC provider. **Required** | `""` |
| `gangway.certData` | The Public cert data. This is normally safe to leave alone. | `""` |
| `gangway.clientID` | API client ID as indicated by the identity provider. **Required** | `""` |
| `gangway.clientSecret` | API client secret as indicated by the identity provider. **Required** | `""` |
| `gangway.cluster_ca_path` | The path to find the CA bundle for the API server. Used to configure kubectl. This is typically mounted into the default location for workloads running on a Kubernetes cluster and doesn't need to be set. | `""` |
| `gangway.clusterName` | The cluster name. Used in UI and kubectl config instructions. **Required** | `""` |
| `gangway.host` | The address to listen on. Defaults to 0.0.0.0 to listen on all interfaces. | `80` |
| `gangway.httpPath` | The path gangway uses to create urls (defaults to "") | `/` |
| `gangway.keyData` | The Private key data | `""` |
| `gangway.port` | The port to listen on. Defaults to 8080. | `80` |
| `gangway.redirectURL` | Where to redirect back to. This should be a URL where gangway is reachable. Typically this also needs to be registered as part of the oauth application with the oAuth provider. **Required** | `""` |
| `gangway.scopes` | Used to specify the scope of the requested Oauth authorization. | `["openid", "profile", "email", "offline_access"]` |
| `gangway.serveTLS` | Should Gangway serve TLS vs. plain HTTP? | `false` |
| `gangway.sessionKey` | Encryption key for cookie contents. Will autogenerate if not provided. Caution: Do not use auto generation in production environments. | `""` |
| `gangway.tokenURL` | OAuth2 URL to obtain access tokens. To be taken from the configuration of your OIDC provider. **Required** | `""` |
| `gangway.trustedCAPath` | The path to a root CA to trust for self signed certificates at the Oauth2 URLs | `""` |
| `gangway.usernameClaim` | The JWT claim to use as the username. This is used in UI. Default is "nickname". This is combined with the clusterName for the "user" portion of the kubeconfig. | `name` |
| `image.repository` | Container image name (Including repository name if not `hub.docker.com`). | `gcr.io/heptio-images/gangway` |
| `image.pullPolicy` | Container pull policy. | `IfNotPresent` |
| `image.tag` | Container image tag. | `v2.2.0` |
| `image.pullSecrets` | Name of Secret resource containing private registry credentials | `""` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.enabled` | Enables or Disables the ingress resource | `false` |
| `ingress.hosts` | List of FQDN's for the ingress | `""` |
| `ingress.tls.hosts` | List of FQDN's the above secret is associated with | `""` |
| `ingress.tls.secretName` | Name of the secret to use | `""` |
| `ingress.tls` | List of SSL certs to use | `""` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `podAnnotations` | Additional annotations to apply to the pod. | `{}` |
| `resources` | CPU/Memory resource requests/limits. | `{}` |
| `service.port` | The port the service should listen on | `80` |
| `service.type` | Type of service to create | `ClusterIP` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |

You will likely want to expose Gangway to your users somehow, possibly by way of an ingress, the values below would be a way of doing this with the [Traefik] ingress controller, this assumes TLS offload is happening at the load balancer:

```yaml
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
path: /
hosts:
- gangway.your-domain.com
tls: []
```
## Note about `gangway.sessionKey`

The chart will auto generate a random value for `gangway.sessionKey` when you install the chart. Gangway uses this via the [Gorilla Secure Cookie] Go library to encrypt the contents of cookies sent to the users browser. Relying on the autogeneration is acceptable in testing environments, however in production you are strongly advised to provide your own random value for this variable. If you do not and you subsequently update your Helm deployment this key will be regenerated. This has the impact that any cookies in your users browsers from before the upgrade, will have been encrypted with the old key, which Gangway no longer has. Therefore when they browse to your Gangway url they will get an error when they attempt to login. The only solution to that issue is to have the user delete all the gangway cookies from their browser. You have been warned!

### Specifying Values

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

```console
$ helm upgrade --install --wait my-release \
--set ingress.enabled=true \
stable/gangway
```

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

```console
$ helm upgrade --install --wait my-release stable/gangway -f values.yaml
```

> **Tip**: You can copy the default [values.yaml](values.yaml) and make any required edits in there

[gangway]: https://github.com/heptiolabs/gangway
[gangway docs]: https://github.com/heptiolabs/gangway/tree/master/docs
[Traefik]: https://docs.traefik.io/user-guide/kubernetes/
[Gorilla Secure Cookie]: https://github.com/gorilla/securecookie
19 changes: 19 additions & 0 deletions stable/gangway/templates/NOTES.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gangway.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ include "gangway.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gangway.fullname" . }}svc -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gangway.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}
32 changes: 32 additions & 0 deletions stable/gangway/templates/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "gangway.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "gangway.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gangway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
14 changes: 14 additions & 0 deletions stable/gangway/templates/configmap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gangway.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "gangway.name" . }}
helm.sh/chart: {{ include "gangway.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
gangway.yaml: |
{{- .Values.gangway | toYaml | nindent 4 }}
Loading

0 comments on commit 809e839

Please sign in to comment.