From 854b850af0a26add1f39df93b47bab8d504ed797 Mon Sep 17 00:00:00 2001 From: Michael Thomson Date: Fri, 24 Nov 2023 12:30:22 -0500 Subject: [PATCH] kubernetes dashboard --- .../helmrepository-kubernetes-dashboard.yaml | 8 + .../kustomization-kubernetes-dashboard.yaml | 18 + .../namespace-kubernetes-dashboard.yaml | 4 + .../dns-endpoint-kubernetes-dashboard.yaml | 12 + .../helmrelease-kubernetes-dashboard.yaml | 356 ++++++++++++++ .../helmrelease-oauth2-proxy.yaml | 457 ++++++++++++++++++ 6 files changed, 855 insertions(+) create mode 100644 bootstrap/helmrepositories/helmrepository-kubernetes-dashboard.yaml create mode 100644 bootstrap/kustomizations/kustomization-kubernetes-dashboard.yaml create mode 100644 bootstrap/namespaces/namespace-kubernetes-dashboard.yaml create mode 100644 kubernetes-dashboard/dns-endpoint-kubernetes-dashboard.yaml create mode 100644 kubernetes-dashboard/helmrelease-kubernetes-dashboard.yaml create mode 100644 kubernetes-dashboard/helmrelease-oauth2-proxy.yaml diff --git a/bootstrap/helmrepositories/helmrepository-kubernetes-dashboard.yaml b/bootstrap/helmrepositories/helmrepository-kubernetes-dashboard.yaml new file mode 100644 index 0000000..fbd52ad --- /dev/null +++ b/bootstrap/helmrepositories/helmrepository-kubernetes-dashboard.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: kubernetes-dashboard + namespace: flux-system +spec: + interval: 15m + url: https://kubernetes.github.io/dashboard/ diff --git a/bootstrap/kustomizations/kustomization-kubernetes-dashboard.yaml b/bootstrap/kustomizations/kustomization-kubernetes-dashboard.yaml new file mode 100644 index 0000000..e5c0ce6 --- /dev/null +++ b/bootstrap/kustomizations/kustomization-kubernetes-dashboard.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kubernetes-dashboard + namespace: flux-system +spec: + interval: 15m + path: ./kubernetes-dashboard + prune: true # remove any elements later removed from the above path + timeout: 2m # if not set, this defaults to interval duration, which is 1h + sourceRef: + kind: GitRepository + name: flux-system + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2beta1 + kind: HelmRelease + name: kubernetes-dashboard + namespace: kubernetes-dashboard diff --git a/bootstrap/namespaces/namespace-kubernetes-dashboard.yaml b/bootstrap/namespaces/namespace-kubernetes-dashboard.yaml new file mode 100644 index 0000000..7f5196a --- /dev/null +++ b/bootstrap/namespaces/namespace-kubernetes-dashboard.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kubernetes-dashboard diff --git a/kubernetes-dashboard/dns-endpoint-kubernetes-dashboard.yaml b/kubernetes-dashboard/dns-endpoint-kubernetes-dashboard.yaml new file mode 100644 index 0000000..a6f4383 --- /dev/null +++ b/kubernetes-dashboard/dns-endpoint-kubernetes-dashboard.yaml @@ -0,0 +1,12 @@ +apiVersion: externaldns.k8s.io/v1alpha1 +kind: DNSEndpoint +metadata: + name: kubernetes-dashboard.michaelthomson.dev + namespace: kubernetes-dashboard +spec: + endpoints: + - dnsName: kubernetes-dashboard.michaelthomson.dev + recordTTL: 180 + recordType: CNAME + targets: + - server.michaelthomson.dev diff --git a/kubernetes-dashboard/helmrelease-kubernetes-dashboard.yaml b/kubernetes-dashboard/helmrelease-kubernetes-dashboard.yaml new file mode 100644 index 0000000..f59c9ba --- /dev/null +++ b/kubernetes-dashboard/helmrelease-kubernetes-dashboard.yaml @@ -0,0 +1,356 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + chart: + spec: + chart: kubernetes-dashboard + version: 7.x + sourceRef: + kind: HelmRepository + name: kubernetes-dashboard + namespace: flux-system + interval: 15m + timeout: 5m + releaseName: kubernetes-dashboard + values: + # Copyright 2017 The Kubernetes Authors. + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + # General configuration shared across resources + app: + image: + pullPolicy: IfNotPresent + pullSecrets: [] + scaling: + # Default number of replicas + replicas: 1 + revisionHistoryLimit: 10 + scheduling: + # Node labels for pod assignment + # Ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: {} + security: + # SecurityContext to be added to pods + # To disable set the following configuration to null: + # securityContext: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + # ContainerSecurityContext to be added to containers + # To disable set the following configuration to null: + # containerSecurityContext: null + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + capabilities: + drop: ["ALL"] + # Pod Disruption Budget configuration + # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + enabled: false + minAvailable: 0 + maxUnavailable: 0 + networkPolicy: + enabled: false + ingressDenyAll: false + # Common labels & annotations shared across all deployed resources + labels: {} + annotations: {} + settings: + ## Global dashboard settings + ## Note: Use all or none. Dashboard does not support default value merging currently. + global: + # # Cluster name that appears in the browser window title if it is set + # clusterName: "" + # # Max number of items that can be displayed on each list page + # itemsPerPage: 10 + # # Number of seconds between every auto-refresh of logs + # logsAutoRefreshTimeInterval: 5 + # # Number of seconds between every auto-refresh of every resource. Set 0 to disable + # resourceAutoRefreshTimeInterval: 5 + # # Hide all access denied warnings in the notification panel + # disableAccessDeniedNotifications: false + ## Pinned CRDs that will be displayed in dashboard's menu + pinnedCRDs: [] + # - kind: customresourcedefinition + # # Fully qualified name of a CRD + # name: prometheus.monitoring.coreos.com + # # Display name + # displayName: Prometheus + # # Is this CRD namespaced? + # namespaced: true + ingress: + enabled: false + hosts: + # Keep 'localhost' host only if you want to access Dashboard using 'kubectl port-forward ...' on: + # https://localhost:8443 + - localhost + # - kubernetes.dashboard.domain.com + ingressClassName: internal-nginx + pathType: ImplementationSpecific + secretName: kubernetes-dashboard-certs + issuer: + name: selfsigned + # Scope determines what kind of issuer annotation will be used on ingress resource + # - default - adds 'cert-manager.io/issuer' + # - cluster - adds 'cert-manager.io/cluster-issuer' + # - disabled - disables cert-manager annotations + scope: default + labels: {} + annotations: {} + paths: + web: / + api: /api + # Use the following toleration if Dashboard can be deployed on a tainted control-plane nodes + # - key: node-role.kubernetes.io/control-plane + # effect: NoSchedule + tolerations: [] + + # API deployment configuration + api: + role: api + image: + repository: docker.io/kubernetesui/dashboard-api + tag: v1.0.0 + containers: + ports: + - name: api + containerPort: 9000 + protocol: TCP + # Additional container arguments + # Full list of arguments: https://github.com/kubernetes/dashboard/blob/master/docs/common/arguments.md + # args: + # - --system-banner="Welcome to the Kubernetes Dashboard" + args: [] + # Additional container environment variables + # env: + # - name: SOME_VAR + # value: 'some value' + env: [] + # Additional volume mounts + # - mountPath: /kubeconfig + # name: dashboard-kubeconfig + # readOnly: true + volumeMounts: + # Create volume mount to store exec logs (required) + - mountPath: /tmp + name: tmp-volume + # TODO: Validate configuration + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + cpu: 250m + memory: 400Mi + # Additional volumes + # - name: dashboard-kubeconfig + # secret: + # defaultMode: 420 + # secretName: dashboard-kubeconfig + volumes: + # Create on-disk volume to store exec logs (required) + - name: tmp-volume + emptyDir: {} + nodeSelector: {} + # Labels & annotations shared between API related resources + labels: {} + annotations: {} + + # WEB UI deployment configuration + web: + role: web + image: + repository: docker.io/kubernetesui/dashboard-web + tag: v1.0.0 + containers: + ports: + - name: web + containerPort: 8000 + protocol: TCP + # Additional container arguments + # Full list of arguments: https://github.com/kubernetes/dashboard/blob/master/docs/common/arguments.md + # args: + # - --system-banner="Welcome to the Kubernetes Dashboard" + args: [] + # Additional container environment variables + # env: + # - name: SOME_VAR + # value: 'some value' + env: [] + # Additional volume mounts + # - mountPath: /kubeconfig + # name: dashboard-kubeconfig + # readOnly: true + volumeMounts: + # Create volume mount to store logs (required) + - mountPath: /tmp + name: tmp-volume + # TODO: Validate configuration + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + cpu: 250m + memory: 400Mi + # Additional volumes + # - name: dashboard-kubeconfig + # secret: + # defaultMode: 420 + # secretName: dashboard-kubeconfig + volumes: + # Create on-disk volume to store exec logs (required) + - name: tmp-volume + emptyDir: {} + nodeSelector: + # TODO: check if it's really needed since we offer cross platform images for darwin/windows/linux + kubernetes.io/os: linux + # Labels & annotations shared between WEB UI related resources + labels: {} + annotations: {} + + ### Metrics Scraper + ### Container to scrape, store, and retrieve a window of time from the Metrics Server. + ### refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper + metricsScraper: + enabled: true + role: metrics-scraper + image: + repository: docker.io/kubernetesui/metrics-scraper + tag: v1.0.9 + containers: + ports: + - containerPort: 8000 + protocol: TCP + args: [] + # Additional container environment variables + # env: + # - name: SOME_VAR + # value: 'some value' + env: [] + # Additional volume mounts + # - mountPath: /kubeconfig + # name: dashboard-kubeconfig + # readOnly: true + volumeMounts: + # Create volume mount to store logs (required) + - mountPath: /tmp + name: tmp-volume + # TODO: Validate configuration + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + cpu: 250m + memory: 400Mi + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + # Additional volumes + # - name: dashboard-kubeconfig + # secret: + # defaultMode: 420 + # secretName: dashboard-kubeconfig + volumes: + # Create on-disk volume to store exec logs (required) + - name: tmp-volume + emptyDir: {} + nodeSelector: + # TODO: check if it's really needed since we offer cross platform images for darwin/windows/linux + kubernetes.io/os: linux + # Labels & annotations shared between WEB UI related resources + labels: {} + annotations: {} + + + ## Optional Metrics Server sub-chart configuration + ## Enable this if you don't already have metrics-server enabled on your cluster and + ## want to use it with dashboard metrics-scraper + ## refs: + ## - https://github.com/kubernetes-sigs/metrics-server + ## - https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server + metrics-server: + enabled: true + args: + - --kubelet-preferred-address-types=InternalIP + - --kubelet-insecure-tls + + ## Optional Cert Manager sub-chart configuration + ## Enable this if you don't already have cert-manager enabled on your cluster. + cert-manager: + enabled: false + installCRDs: true + + ## Optional Nginx Ingress sub-chart configuration + ## Enable this if you don't already have nginx-ingress enabled on your cluster. + nginx: + enabled: false + controller: + electionID: ingress-controller-leader + ingressClassResource: + name: internal-nginx + default: false + controllerValue: k8s.io/internal-ingress-nginx + service: + type: ClusterIP + + ## Extra configurations: + ## - manifests + ## - predefined roles + ## - prometheus + ## - etc... + extras: + # Extra Kubernetes manifests to be deployed + # manifests: + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: additional-configmap + # data: + # mykey: myvalue + manifests: [] + # Start in ReadOnly mode. + # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) with read only permissions to all resources listed inside the cluster should be created + # Only dashboard-related Secrets and ConfigMaps will still be available for writing. + # + # The basic idea of the clusterReadOnlyRole + # is not to hide all the secrets and sensitive data but more + # to avoid accidental changes in the cluster outside the standard CI/CD. + # + # It is NOT RECOMMENDED to use this version in production. + # Instead, you should review the role and remove all potentially sensitive parts such as + # access to persistentvolumes, pods/log etc. + clusterReadOnlyRole: false + # It is possible to add additional rules if read only role is enabled. + # This can be useful, for example, to show CRD resources. + clusterReadOnlyRoleAdditionalRules: [] + serviceMonitor: + # Whether to create a Prometheus Operator service monitor. + enabled: false + # Here labels can be added to the serviceMonitor + labels: {} + # Here annotations can be added to the serviceMonitor + annotations: {} diff --git a/kubernetes-dashboard/helmrelease-oauth2-proxy.yaml b/kubernetes-dashboard/helmrelease-oauth2-proxy.yaml new file mode 100644 index 0000000..f587f7d --- /dev/null +++ b/kubernetes-dashboard/helmrelease-oauth2-proxy.yaml @@ -0,0 +1,457 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: oauth2-proxy + namespace: kubernetes-dashboard +spec: + chart: + spec: + chart: oauth2-proxy + version: 6.19.x # auto-update to semver bugfixes only + sourceRef: + kind: HelmRepository + name: oauth2-proxy + namespace: flux-system + interval: 15m + timeout: 5m + releaseName: oauth2-proxy + values: # paste contents of upstream values.yaml below, indented 4 spaces + ## Override the deployment namespace + ## + namespaceOverride: "" + + # Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). + # This is especially useful for `helm template` as capabilities are always empty + # due to the fact that it doesn't query an actual cluster + kubeVersion: + + # Oauth client configuration specifics + config: + # Add config annotations + annotations: {} + # OAuth client ID + clientID: "kube-apiserver" + # OAuth client secret + clientSecret: "iVdGhQUc8k4bK7rT3HAiuOjctxUW7T8bDxz4hm6aPagZkdkoCDvmnLjC5mMF6ooR0obGrezYdyt9nAjVbC0RVZsOIdSsfrSYbe0kEWGfk21FazXXApqNTIrsqBF4mSJH" + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields) + # Example: + # existingSecret: secret + cookieSecret: "2W87TuxTRkTFVkwxbz3MuJxWE3EAJeab" + # The name of the cookie that oauth2-proxy will create + # If left empty, it will default to the release name + cookieName: "" + google: {} + # adminEmail: xxxx + # useApplicationDefaultCredentials: true + # targetPrincipal: xxxx + # serviceAccountJson: xxxx + # Alternatively, use an existing secret (see google-secret.yaml for required fields) + # Example: + # existingSecret: google-secret + # groups: [] + # Example: + # - group1@example.com + # - group2@example.com + # Default configuration, to be overridden + configFile: |- + email_domains = [ "*" ] + upstreams = [ "http://kubernetes-dashboard" ] + # Custom configuration file: oauth2_proxy.cfg + # configFile: |- + # pass_basic_auth = false + # pass_access_token = true + # Use an existing config map (see configmap.yaml for required fields) + # Example: + # existingConfig: config + + alphaConfig: + enabled: false + # Add config annotations + annotations: {} + # Arbitrary configuration data to append to the server section + serverConfigData: {} + # Arbitrary configuration data to append to the metrics section + metricsConfigData: {} + # Arbitrary configuration data to append + configData: {} + # Arbitrary configuration to append + # This is treated as a Go template and rendered with the root context + configFile: "" + # Use an existing config map (see secret-alpha.yaml for required fields) + existingConfig: ~ + # Use an existing secret + existingSecret: ~ + + image: + repository: "quay.io/oauth2-proxy/oauth2-proxy" + # appVersion is used by default + tag: "" + pullPolicy: "IfNotPresent" + + # Optionally specify an array of imagePullSecrets. + # Secrets must be manually created in the namespace. + # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + # imagePullSecrets: + # - name: myRegistryKeySecretName + + # Set a custom containerPort if required. + # This will default to 4180 if this value is not set and the httpScheme set to http + # This will default to 4443 if this value is not set and the httpScheme set to https + # containerPort: 4180 + + extraArgs: + provider: oidc + provider-display-name: "Authentik" + skip-provider-button: "true" + pass-authorization-header: "true" + oidc-issuer-url: "https://authentik.michaelthomson.dev/application/o/kube-apiserver/" + extraEnv: [] + + # -- Custom labels to add into metadata + customLabels: {} + + # To authorize individual email addresses + # That is part of extraArgs but since this needs special treatment we need to do a separate section + authenticatedEmailsFile: + enabled: false + # Defines how the email addresses file will be projected, via a configmap or secret + persistence: configmap + # template is the name of the configmap what contains the email user list but has been configured without this chart. + # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. + # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the + # provided value in restrictedUserAccessKey field. + template: "" + # The configmap/secret key under which the list of email access is stored + # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility + restrictedUserAccessKey: "" + # One email per line + # example: + # restricted_access: |- + # name1@domain + # name2@domain + # If you override the config with restricted_access it will configure a user list within this chart what takes care of the + # config map resource. + restricted_access: "" + annotations: {} + # helm.sh/resource-policy: keep + + service: + type: ClusterIP + # when service.type is ClusterIP ... + # clusterIP: 192.0.2.20 + # when service.type is LoadBalancer ... + # loadBalancerIP: 198.51.100.40 + # loadBalancerSourceRanges: 203.0.113.0/24 + # when service.type is NodePort ... + # nodePort: 80 + portNumber: 80 + # Protocol set on the service + appProtocol: http + annotations: {} + # foo.io/bar: "true" + + ## Create or use ServiceAccount + serviceAccount: + ## Specifies whether a ServiceAccount should be created + enabled: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + automountServiceAccountToken: true + annotations: {} + + ingress: + enabled: true + # className: nginx + path: / + # Only used if API capabilities (networking.k8s.io/v1) allow it + pathType: ImplementationSpecific + # Used to create an Ingress record. + hosts: + - kubernetes-dashboard.michaelthomson.dev + # Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) + # extraPaths: + # - path: /* + # pathType: ImplementationSpecific + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + labels: {} + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + - secretName: letsencrypt-wildcard-cert-michaelthomson.dev + hosts: + - kubernetes-dashboard.michaelthomson.dev + + resources: {} + # limits: + # cpu: 100m + # memory: 300Mi + # requests: + # cpu: 100m + # memory: 300Mi + + extraVolumes: [] + # - name: ca-bundle-cert + # secret: + # secretName: + + extraVolumeMounts: [] + # - mountPath: /etc/ssl/certs/ + # name: ca-bundle-cert + + # Additional containers to be added to the pod. + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + + priorityClassName: "" + + # Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts. + hostAlias: + enabled: false + # ip: "10.xxx.xxx.xxx" + # hostname: "auth.example.com" + + # [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. + # Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + # topologySpreadConstraints: [] + + # Affinity for pod assignment + # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # affinity: {} + + # Tolerations for pod assignment + # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + # Node labels for pod assignment + # Ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: {} + + # Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables + proxyVarsAsSecrets: true + + # Configure Kubernetes liveness and readiness probes. + # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks + livenessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + + # Configure Kubernetes security context for container + # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 2000 + runAsGroup: 2000 + seccompProfile: + type: RuntimeDefault + + deploymentAnnotations: {} + podAnnotations: {} + podLabels: {} + replicaCount: 1 + revisionHistoryLimit: 10 + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: true + minAvailable: 1 + + # Configure Kubernetes security context for pod + # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + podSecurityContext: {} + + # whether to use http or https + httpScheme: http + + initContainers: + # if the redis sub-chart is enabled, wait for it to be ready + # before starting the proxy + # creates a role binding to get, list, watch, the redis master pod + # if service account is enabled + waitForRedis: + enabled: true + image: + repository: "docker.io/bitnami/kubectl" + pullPolicy: "IfNotPresent" + # uses the kubernetes version of the cluster + # the chart is deployed on, if not set + kubectlVersion: "" + securityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + timeout: 180 + + # Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption. + # Alternatively supply an existing secret which contains the required information. + htpasswdFile: + enabled: false + existingSecret: "" + entries: [] + # One row for each user + # example: + # entries: + # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy + + # Configure the session storage type, between cookie and redis + sessionStorage: + # Can be one of the supported session storage cookie|redis + type: cookie + redis: + # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) + existingSecret: "" + # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence + password: "" + # Key of the Kubernetes secret data containing the redis password value + passwordKey: "redis-password" + # Can be one of standalone|cluster|sentinel + clientType: "standalone" + standalone: + # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set + connectionUrl: "" + cluster: + # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + sentinel: + # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` + existingSecret: "" + # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` + password: "" + # Key of the Kubernetes secret data containing the redis sentinel password value + passwordKey: "redis-sentinel-password" + # Redis sentinel master name + masterName: "" + # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + + # Enables and configure the automatic deployment of the redis subchart + redis: + # provision an instance of the redis sub-chart + enabled: false + # Redis specific helm chart settings, please see: + # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters + # redisPort: 6379 + # cluster: + # enabled: false + # slaveCount: 1 + + # Enables apiVersion deprecation checks + checkDeprecation: true + + metrics: + # Enable Prometheus metrics endpoint + enabled: true + # Serve Prometheus metrics on this port + port: 44180 + # when service.type is NodePort ... + # nodePort: 44180 + # Protocol set on the service for the metrics port + service: + appProtocol: http + serviceMonitor: + # Enable Prometheus Operator ServiceMonitor + enabled: false + # Define the namespace where to deploy the ServiceMonitor resource + namespace: "" + # Prometheus Instance definition + prometheusInstance: default + # Prometheus scrape interval + interval: 60s + # Prometheus scrape timeout + scrapeTimeout: 30s + # Add custom labels to the ServiceMonitor resource + labels: {} + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. + ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + tlsConfig: {} + + ## bearerTokenFile: Path to bearer token file. + bearerTokenFile: "" + + ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + annotations: {} + + ## Metric relabel configs to apply to samples before ingestion. + ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## Relabel configs to apply to samples before ingestion. + ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + # Extra K8s manifests to deploy + extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: oauth2-proxy-secrets-store + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "oauth2-proxy" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client-id" + # - path: "client_secret" + # objectAlias: "client-secret" + # - path: "cookie_secret" + # objectAlias: "cookie-secret" + # secretObjects: + # - data: + # - key: client-id + # objectName: client-id + # - key: client-secret + # objectName: client-secret + # - key: cookie-secret + # objectName: cookie-secret + # secretName: oauth2-proxy-secrets-store + # type: Opaque