diff --git a/charts/data-dashboard-backend/Chart.yaml b/charts/data-dashboard-backend/Chart.yaml index 1c92da80..eed51870 100644 --- a/charts/data-dashboard-backend/Chart.yaml +++ b/charts/data-dashboard-backend/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "0.2.2" name: data-dashboard-backend description: API for data in the data dashboard -version: 0.3.5 +version: 0.3.6 sources: ["https://github.com/thehyve/radar-data-dashboard-backend"] deprecated: false type: application diff --git a/charts/data-dashboard-backend/README.md b/charts/data-dashboard-backend/README.md index 0d739f6e..83e999d3 100644 --- a/charts/data-dashboard-backend/README.md +++ b/charts/data-dashboard-backend/README.md @@ -2,7 +2,7 @@ # data-dashboard-backend -![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square) +![Version: 0.3.6](https://img.shields.io/badge/Version-0.3.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square) API for data in the data dashboard @@ -53,6 +53,7 @@ API for data in the data dashboard | autoscaling.minReplicas | int | `1` | | | autoscaling.maxReplicas | int | `100` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | | nodeSelector | object | `{}` | Node labels for pod assignment | | tolerations | list | `[]` | Toleration labels for pod assignment | | affinity | object | `{}` | Affinity labels for pod assignment | 
diff --git a/charts/data-dashboard-backend/templates/networkpolicy.yaml b/charts/data-dashboard-backend/templates/networkpolicy.yaml
new file mode 100644
index 00000000..ee96faa4
--- /dev/null
+++ b/charts/data-dashboard-backend/templates/networkpolicy.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.networkpolicy }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ template "data-dashboard-backend.fullname" . }}
+ labels:
+{{ include "data-dashboard-backend.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+{{ include "data-dashboard-backend.labels" . | indent 6 }}
+ {{- tpl (toYaml .Values.networkpolicy) . | nindent 2 }}
+{{- end -}}
diff --git a/charts/data-dashboard-backend/values.yaml b/charts/data-dashboard-backend/values.yaml
index eb47f615..160564db 100644
--- a/charts/data-dashboard-backend/values.yaml
+++ b/charts/data-dashboard-backend/values.yaml
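Review bot: `spec.podSelector.matchLabels` is populated from the full `data-dashboard-backend.labels` helper, and if that helper (not visible in this diff) emits version-bearing labels such as `helm.sh/chart` or `app.kubernetes.io/version`, the selector only matches pods whose template carries exactly the same labels — any drift between the two leaves the policy selecting no pod, which with `policyTypes: [Ingress, Egress]` means the backend silently runs with no isolation at all. Prefer the same selector-only helper the Deployment's `spec.selector` uses, e.g. `{{ include "data-dashboard-backend.selectorLabels" . | indent 6 }}`, if the chart defines one. A one-line comment above the guard would also help operators: `# Rendered whenever .Values.networkpolicy is non-empty; set it to null to opt out of isolation.`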
@@ -81,6 +81,48 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +# -- Network policy defines who can access this application and who this applications has access to +# @default -- check `values.yaml` +networkpolicy: + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: 'management-portal' + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: postgresql + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # -- Node labels for pod assignment nodeSelector: {} diff --git a/charts/radar-self-enrolment-ui/Chart.yaml b/charts/radar-self-enrolment-ui/Chart.yaml index f51b3d9d..98870a46 100644 --- a/charts/radar-self-enrolment-ui/Chart.yaml +++ b/charts/radar-self-enrolment-ui/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 appVersion: "0.0.1" description: A Helm chart for ORY Kratos's example ui for Kubernetes name: radar-self-enrolment-ui -version: 0.0.2 +version: 0.0.3 type: application diff --git a/charts/radar-self-enrolment-ui/README.md b/charts/radar-self-enrolment-ui/README.md index 3b4be316..2ddfd905 100644 --- a/charts/radar-self-enrolment-ui/README.md +++ b/charts/radar-self-enrolment-ui/README.md 
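Review bot: The egress rules to `management-portal` and `postgresql` carry no `ports` block, so the backend may open any port on those pods (a metrics, debug or replication port included) rather than only the database and portal endpoints; the kube-dns rule in the same hunk shows the intended pattern. Add the service ports, e.g. under the postgresql rule `ports: - port: 5432 protocol: TCP` (adjust if the PostgreSQL chart listens elsewhere), and the portal's HTTP port likewise. The ingress rule admits only pods labelled `app.kubernetes.io/name: ingress-nginx` in the release namespace; if the controller runs in its own namespace, as is common for ingress-nginx, the `namespaceSelector` never matches and all ingress to the backend is dropped, so the default deserves a comment saying it assumes an in-namespace controller.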
@@ -2,7 +2,7 @@ # radar-self-enrolment-ui -![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) +![Version: 0.0.3](https://img.shields.io/badge/Version-0.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) A Helm chart for ORY Kratos's example ui for Kubernetes @@ -18,7 +18,7 @@ A Helm chart for ORY Kratos's example ui for Kubernetes | imagePullSecrets | list | `[]` | | | nameOverride | string | `""` | | | fullnameOverride | string | `""` | | -| config.csrfCookieName | string | `""` | | +| config.csrfCookieName | string | `"radar_csrf"` | | | config.secrets | object | `{}` | | | service.type | string | `"ClusterIP"` | | | service.loadBalancerIP | string | `""` | The load balancer IP | 
@@ -29,13 +29,14 @@ A Helm chart for ORY Kratos's example ui for Kubernetes | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created | | secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. | | secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods | -| ingress.enabled | bool | `false` | | -| ingress.className | string | `""` | | -| ingress.annotations | object | `{}` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.enabled | bool | `true` | | +| ingress.className | string | `"nginx"` | | +| ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-prod"` | | +| ingress.hosts[0].host | string | `"localhost"` | | +| ingress.hosts[0].paths[0].path | string | `"/kratos-ui/?(.*)"` | | | ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | +| ingress.tls[0].secretName | string | `"radar-base-tls"` | | +| ingress.tls[0].hosts[0] | string | `"localhost"` | | | securityContext.capabilities.drop[0] | string | `"ALL"` | | | securityContext.readOnlyRootFilesystem | bool | `false` | | | securityContext.runAsNonRoot | bool | `true` | | 
@@ -52,7 +53,7 @@ A Helm chart for ORY Kratos's example ui for Kubernetes | podSecurityContext.runAsGroup | int | `10000` | | | podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.resources | object | `{}` | | -| deployment.extraEnv | list | `[]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected - name: FOO value: BAR | +| deployment.extraEnv | list | `[{"name":"HYDRA_ADMIN_URL","value":"http://hydra-admin"}]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected - name: FOO value: BAR | | deployment.extraVolumes | list | `[]` | If you want to mount external volume For example, mount a secret containing Certificate root CA to verify database TLS connection. | | deployment.extraVolumeMounts | list | `[]` | | | deployment.nodeSelector | object | `{}` | Node labels for pod assignment. | 
@@ -64,22 +65,23 @@ A Helm chart for ORY Kratos's example ui for Kubernetes | deployment.automountServiceAccountToken | bool | `false` | | | deployment.terminationGracePeriodSeconds | int | `60` | | | affinity | object | `{}` | | -| kratosPublicUrl | string | `"http://kratos:4433"` | Set this to ORY Kratos's public URL | -| hydraAdminUrl | string | `"http://hydra:4445"` | Set this to ORY Hydra's Admin URL | -| hydraPublicUrl | string | `"http://hydra:4444"` | Set this to ORY Hydra's public URL | -| basePath | string | `""` | The basePath | -| jwksUrl | string | `"http://hydra:4445/admin/keys/hydra.jwt.access-token"` | The jwksUrl | +| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | +| kratosAdminUrl | string | `"kratos-admin"` | Set this to ORY Kratos's Admin URL | +| kratosPublicUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL | +| kratosBrowserUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL accessible from the outside world. 
| +| basePath | string | `"/kratos-ui"` | The basePath | +| jwksUrl | string | `""` | The jwksUrl | | projectName | string | `"SecureApp"` | | | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository | | customLivenessProbe | object | `{}` | Custom livenessProbe that overrides the default one | -| livenessProbe.enabled | bool | `true` | Enable livenessProbe | +| livenessProbe.enabled | bool | `false` | Enable livenessProbe | | livenessProbe.initialDelaySeconds | int | `3` | Initial delay seconds for livenessProbe | | livenessProbe.periodSeconds | int | `300` | Period seconds for livenessProbe | | livenessProbe.timeoutSeconds | int | `10` | Timeout seconds for livenessProbe | | livenessProbe.successThreshold | int | `1` | Success threshold for livenessProbe | | livenessProbe.failureThreshold | int | `3` | Failure threshold for livenessProbe | | customReadinessProbe | object | `{}` | Custom readinessProbe that overrides the default one | -| readinessProbe.enabled | bool | `true` | Enable readinessProbe | +| readinessProbe.enabled | bool | `false` | Enable readinessProbe | | readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | | readinessProbe.periodSeconds | int | `10` | Period seconds for readinessProbe | | readinessProbe.timeoutSeconds | int | `10` | Timeout seconds for readinessProbe | diff --git a/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml b/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml new file mode 100644 index 00000000..78e099dc --- /dev/null +++ b/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml 
@@ -0,0 +1,13 @@ +{{- if .Values.networkpolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ template "radar-self-enrolment-ui.fullname" . }} + labels: +{{ include "radar-self-enrolment-ui.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: +{{ include "radar-self-enrolment-ui.labels" . | indent 6 }} + {{- tpl (toYaml .Values.networkpolicy) . | nindent 2 }} +{{- end -}} diff --git a/charts/radar-self-enrolment-ui/values.yaml b/charts/radar-self-enrolment-ui/values.yaml index d60dc483..96db8800 100644 --- a/charts/radar-self-enrolment-ui/values.yaml +++ b/charts/radar-self-enrolment-ui/values.yaml @@ -20,7 +20,7 @@ fullnameOverride: "" ## -- Application config config: - csrfCookieName: "" + csrfCookieName: "radar_csrf" secrets: {} ## -- Service configuration @@ -51,23 +51,20 @@ secret: # -- switch to false to prevent checksum annotations being maintained and propogated to the pods hashSumEnabled: true -## -- Ingress configration ingress: - enabled: false - className: "" + enabled: true + className: "nginx" annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: chart-example.local + - host: localhost paths: - - path: / + - path: "/kratos-ui/?(.*)" pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + tls: + - secretName: radar-base-tls + hosts: + - localhost ## -- Container level security context securityContext: @@ -112,7 +109,9 @@ deployment: # -- Array of extra envs to be passed to the deployment. Kubernetes format is expected # - name: FOO # value: BAR - extraEnv: [] + extraEnv: + - name: HYDRA_ADMIN_URL + value: http://hydra-admin # -- If you want to mount external volume # For example, mount a secret containing Certificate root CA to verify database # TLS connection. 
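Review bot: As in the backend chart, `podSelector.matchLabels` takes the full `radar-self-enrolment-ui.labels` helper, so if that helper includes chart-version labels the policy stops matching the pod after any chart bump whose Deployment labels differ, and the UI runs unisolated without any error. Using the Deployment's selector helper, e.g. `{{ include "radar-self-enrolment-ui.selectorLabels" . | indent 6 }}`, ties the policy to the same labels the Service already relies on. Whether such a helper exists cannot be seen from this diff.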
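Review bot: The ingress defaults now switch `enabled` to `true` with `host: localhost`, `cert-manager.io/cluster-issuer: letsencrypt-prod` and `tls.secretName: radar-base-tls`, which means a plain `helm install` exposes the enrolment UI through the ingress controller and asks cert-manager to obtain a public Let's Encrypt certificate for `localhost`, a request ACME can never satisfy. The path `"/kratos-ui/?(.*)"` is a regex, but no `nginx.ingress.kubernetes.io/use-regex` or `rewrite-target` annotation is set here; unless the ingress template adds one, ingress-nginx will treat it as a literal prefix and nothing routes. Consider keeping `enabled: false` as the chart default (or at least a non-production issuer) and documenting the required annotations next to `paths:`, e.g. `# regex path — requires nginx.ingress.kubernetes.io/use-regex: "true"`.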
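Review bot: `HYDRA_ADMIN_URL` is now injected through the free-form `deployment.extraEnv` list, and Helm replaces list values wholesale rather than merging them, so any operator who overrides `extraEnv` for their own variables silently drops the Hydra admin URL. Since the commit removes the typed `hydraAdminUrl` value elsewhere, a dedicated value rendered by the template (mirroring `kratosAdminUrl`) would keep the privileged admin endpoint configurable and documented; at minimum add `# -- Hydra admin API base; overriding extraEnv replaces this entry, re-add it` above the list. Note too that the URL is plain `http://` to an admin API that can mint and revoke OAuth clients — acceptable in-cluster only if the network policy in this commit is actually applied.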
@@ -166,20 +165,61 @@ deployment: affinity: {} -# -- Set this to ORY Kratos's public URL -kratosPublicUrl: http://kratos:4433 +# -- Network policy defines who can access this application and who this applications has access to +# @default -- check `values.yaml` +networkpolicy: + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: kratos-admin + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: hydra + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP -# -- Set this to ORY Hydra's Admin URL -hydraAdminUrl: http://hydra:4445 +# -- Set this to ORY Kratos's Admin URL +kratosAdminUrl: "kratos-admin" + +# -- Set this to ORY Kratos's public URL +kratosPublicUrl: "https://localhost/kratos" -# -- Set this to ORY Hydra's public URL -hydraPublicUrl: http://hydra:4444 +# -- Set this to ORY Kratos's public URL accessible from the outside world. +kratosBrowserUrl: "https://localhost/kratos" # -- The basePath -basePath: "" +basePath: "/kratos-ui" # -- The jwksUrl -jwksUrl: http://hydra:4445/admin/keys/hydra.jwt.access-token +jwksUrl: "" projectName: SecureApp @@ -194,7 +234,7 @@ customLivenessProbe: {} livenessProbe: # -- Enable livenessProbe - enabled: true + enabled: false # -- Initial delay seconds for livenessProbe initialDelaySeconds: 3 # -- Period seconds for livenessProbe 
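Review bot: The egress rule selects Kratos pods by `app.kubernetes.io/name: kratos-admin`, but `kratos-admin` is the name of the admin Service in the ORY chart and its pods are normally labelled `app.kubernetes.io/name: kratos`; if that is the case here the selector matches nothing and the UI is cut off from the Kratos admin API without any error, so verify the label against `kubectl get pods --show-labels`. Both the Kratos and Hydra rules also allow every port on the target pods, so add `ports:` entries for the admin (and, if needed, public) listeners only. `jwksUrl` changes from the Hydra key-set URL to `""` and `kratosAdminUrl` drops the scheme while `kratosPublicUrl` keeps it; each deserves a comment stating what the empty or scheme-less value means to the application, e.g. `# -- JWKS endpoint for token verification; empty disables verification — confirm against the UI's config loader`.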
@@ -211,7 +251,7 @@ customReadinessProbe: {} readinessProbe: # -- Enable readinessProbe - enabled: true + enabled: false # -- Initial delay seconds for readinessProbe initialDelaySeconds: 5 # -- Period seconds for readinessProbe
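Review bot: `readinessProbe.enabled` becomes `false` as the chart default, so the Service routes traffic to the UI pod as soon as it is scheduled and keeps routing to a hung one; with the ingress now enabled by default that is externally visible behaviour. If the probe was disabled because the default path no longer exists under the new `/kratos-ui` basePath, the fix is to point the probe at the basePath rather than to switch it off. Failing that, record the reason in the value's comment, e.g. `# -- Enable readinessProbe (off by default: <reason>; re-enable once the probe path matches basePath)`.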