values.localdev.yaml

# Default values for workbench.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

### Kubernetes deployment options



extraDeploy: []

controller:
  strategy_type: "RollingUpdate"  # default: RollingUpdate
  serviceAccount:
    create: false
  images:
    webui: "ndslabs/webui:develop"
    apiserver: "ndslabs/apiserver:develop"

ingress:
  class: "nginx"
  host: "kubernetes.docker.internal"
  tls:
    - hosts:
      - "kubernetes.docker.internal"


### Workbench config and cutomization

config:
  frontend:
    live_reload: false
    support_email: "support@ndslabs.org"
    domain: "https://kubernetes.docker.internal"
    analytics_tracking_id: ""
    signin_url: "https://kubernetes.docker.internal/oauth2/start?rd=https%3A%2F%2Fkubernetes.docker.internal%2Fmy-apps"
    signout_url: "https://kubernetes.docker.internal/oauth2/sign_out?rd=https%3A%2F%2Fkubernetes.docker.internal%2F"
  
  backend:
    # Point at internal mongodb
    mongo:
      uri: "mongodb://workbench:workbench@workbench-mongodb.workbench.svc.cluster.local:27017/ndslabs?authSource=admin"
      db: ndslabs

    # Point at internal Keycloak instance + imported realm
    keycloak:
      hostname: "https://kubernetes.docker.internal/auth"
      realmName: "workbench-dev"
      clientId: "workbench-local"
      clientSecret: ""

    # Define our own domain and config params
    domain: "kubernetes.docker.internal"
    insecure_ssl_verify: "false"   # default: true
    swagger_url: openapi/swagger-v1.yml
    namespace: "workbench"


    # Define parameters about the created userapp
    userapps:
      home_storage:
        enabled: true
        storage_class: nfs
      shared_storage:
        enabled: false
      ingress:
        annotations:
          ingress.kubernetes.io/ssl-redirect: "true"
          ingress.kubernetes.io/force-ssl-redirect: "true"

          # Auth annotations for Traefik
          #ingress.kubernetes.io/auth-type: forward
          #ingress.kubernetes.io/auth-url: "https://kubernetes.docker.internal/oauth2/auth"
          #ingress.kubernetes.io/signin-url: "https://kubernetes.docker.internal/oauth2/start?rd=https%3A%2F%2Fkubernetes.docker.internal%2Fmy-apps"

          # Auth annotations for NGINX
          nginx.ingress.kubernetes.io/auth-url: "https://kubernetes.docker.internal/oauth2/auth"
          nginx.ingress.kubernetes.io/signin-url: "https://kubernetes.docker.internal/oauth2/start?rd=https%3A%2F%2Fkubernetes.docker.internal%2Fmy-apps"
          nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token, x-auth-request-redirect, x-auth-request-preferred-username"
        class: nginx
        tls:
          hosts:
           - kubernetes.docker.internal
           - '*.kubernetes.docker.internal'
  
    # TODO: Legacy config options (currently ignored)
    timeout: 30
    inactivity_timeout: 480

### Optional dependency subcharts

# Enable this to run an NGINX ingress controller (if you aren't running another ingress controller)
ingress-nginx:
  enabled: true
  controller:
    # If you have an existing TLS secret, you can uncomment this to specify it here
    # Otherwise NGINX will generate a self-signed and use that instead
    #extraArgs:
    #  default-ssl-certificate: workbench/ndslabs-tls
    hostPort:
      enabled: true


# Enable this to use an external NFS server to provision user volumes (e.g. nfs-condo)
nfs-client-provisioner:
  enabled: false   # WARNING: experimental
    
# Enable this to run a local NFS server (development only)      
nfs-server-provisioner:
  enabled: true
  persistence:
    enabled: true
    storageClass: "hostpath"


# Enable this to run a local Keycloak instance (development only)
keycloak:
  enabled: true
  httpRelativePath: "/auth/"
  auth:
    adminUser: "admin"
    adminPassword: "workbench"
  proxyAddressForwarding: true
  global:
    storageClass: "hostpath"
  ingress:
    className: nginx
    tls: true
    annotations:
      kubernetes.io/ingress.class: nginx

      # without this, signups (and other large proxy bodies) will fail with a 502
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    extraTls:
      - hosts:
        - kubernetes.docker.internal


oauth2-proxy:
  serviceAccount:
    create: false
    name: workbench
  # Need to define a custom role and binding to wait-for-keycloak
  initContainers:
    - name: wait-for-keycloak
      image: ghcr.io/groundnuty/k8s-wait-for:v1.6
      imagePullPolicy: Always
      args:
        - "pod"
        - "-lapp.kubernetes.io/component=keycloak"
  extraArgs:
    # Keycloak OIDC config:
    - --provider=keycloak-oidc  # "oidc" works as well, but this gives us roles too
    - --provider-display-name=Workbench Login
    - --redirect-url=https://kubernetes.docker.internal/oauth2/callback
    - --oidc-issuer-url=https://kubernetes.docker.internal/auth/realms/workbench-dev
    - --client-id=workbench-local

    # Authorization config:
    #- --email-domain=illinois.edu
    - --whitelist-domain=.docker.internal     # needed to use the "rd" query string parameter
    - --cookie-domain=.docker.internal        # forward your cookie automatically to subdomains
    #- --cookie-samesite=lax
    - --scope=email profile openid
    - --allowed-role=workbench-user

    # Local Development Only:
    - --insecure-oidc-skip-issuer-verification=true
    - --insecure-oidc-allow-unverified-email=true
    - --ssl-insecure-skip-verify=true
    - --ssl-upstream-insecure-skip-verify=true
    - --force-json-errors=true
  ingress:
    enabled: true
    ingressClassName: nginx
    path: /oauth2/
    pathtype: Prefix
    hostname: kubernetes.docker.internal
    tls:
      - hosts:
          - kubernetes.docker.internal
  

mongodb:
  enabled: true
  autoimport:
    enabled: true
    annotations:
      "helm.sh/hook": "post-install,post-upgrade"
      "helm.sh/hook-delete-policy": before-hook-creation
    env:
      - name: FORCE
        value: "true"
      - name: MONGO_URI
        value: "mongodb://workbench:workbench@workbench-mongodb.workbench.svc.cluster.local:27017/ndslabs?authSource=admin"
      - name: GIT_REPO
        value: "https://github.com/nds-org/ndslabs-specs"
      - name: GIT_BRANCH
        value: "develop"
  architecture: standalone   # WARNING: experimental
  #replicaCount: 3
  auth:
    replicaSetKey: changeme
    rootUser: workbench
    rootPassword: workbench

  # TODO: Test AWS + GKE PVs
  persistent:
    # Values can be "false" for no persistent storage, "aws" for awsElasticBlockStore,
    # or "gce" for gcePersistentDisk
    type: false
    # If using awsElasticBlockStore enter the EBS volume id, if using gcePersistentDisk
    # enter the persistent disk name
    volume_id:

  persistence:
    resourcePolicy: keep
  storage_class: "hostpath"
  access_mode: "ReadWriteOnce"   # default: ReadWriteOnce
  size: "1Gi"