diff --git a/charts/namespace-permission-manager/.helmignore b/charts/namespace-permission-manager/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/namespace-permission-manager/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/namespace-permission-manager/Chart.yaml b/charts/namespace-permission-manager/Chart.yaml new file mode 100644 index 0000000..79bd219 --- /dev/null +++ b/charts/namespace-permission-manager/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: namespace-permission-manager +description: A Helm chart to deploy the kubernetes-namespace-permission-manager + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "v0.1.0" diff --git a/charts/namespace-permission-manager/README.md b/charts/namespace-permission-manager/README.md new file mode 100644 index 0000000..79fd0ba --- /dev/null +++ b/charts/namespace-permission-manager/README.md @@ -0,0 +1,60 @@ +# namespace-permission-manager + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.0](https://img.shields.io/badge/AppVersion-v0.1.0-informational?style=flat-square) + +A Helm chart to deploy the kubernetes-namespace-permission-manager + +## Installation + +Add Helm repository: + +```bash +helm repo add tagesspiegel https://tagesspiegel.github.io/helm-charts +``` + +Upgrade or install the operator: + +```bash +helm upgrade --install \ + my-secret tagesspiegel/namespace-permission-manager +``` + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"tagesspiegel/kubernetes-namespace-permission-manager"` | | +| image.tag | string | `""` | | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| networkPolicy | object | `{"egress":[],"enabled":false,"ingress":[]}` | networkPolicy defines the network access to and from the operator | +| nodeSelector | object | `{}` | | +| pdb | object | `{"annotations":{},"enabled":true,"maxUnavailable":0,"minAvailable":1}` | pdb defines the pod disruption budget for the operator | +| podAnnotations | object | `{}` | | +| podSecurityContext.runAsNonRoot | bool | `true` | | +| rbac.enabled | bool | `true` | rbac.enabled specifies whether RBAC resources should be created If disabled, the operator will use the permissions of the service account the operator is running under | +| rbac.roleRules | list | `[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]` | roleRules defines the permissions the operator has access to The operator needs at least access to: namespaces: [list, get, watch] roles: [list, get, watch, create, update, delete] rolebindings: [list, get, watch, create, update, delete] And to any resource defined in the ns.tagesspiegel.de/rolebinding-subjects, ns.tagesspiegel.de/rolebinding-roleref and ns.tagesspiegel.de/custom-role-rules annotations To simplify the configuration, the operator has access to all resources in all namespaces by default. | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext.allowPrivilegeEscalation | bool | `false` | | +| securityContext.capabilities.drop[0] | string | `"ALL"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/namespace-permission-manager/README.md.gotmpl b/charts/namespace-permission-manager/README.md.gotmpl new file mode 100644 index 0000000..dbd4414 --- /dev/null +++ b/charts/namespace-permission-manager/README.md.gotmpl @@ -0,0 +1,32 @@ +{{ template "chart.header" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +## Installation + +Add Helm repository: + +```bash +helm repo add tagesspiegel https://tagesspiegel.github.io/helm-charts +``` + +Upgrade or install the operator: + +```bash +helm upgrade --install \ + my-secret tagesspiegel/namespace-permission-manager +``` + +## Maintainers + +{{ template "chart.maintainersTable" . }} + +## Requirements + +{{ template "chart.requirementsTable" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/namespace-permission-manager/templates/NOTES.txt b/charts/namespace-permission-manager/templates/NOTES.txt new file mode 100644 index 0000000..fe44b60 --- /dev/null +++ b/charts/namespace-permission-manager/templates/NOTES.txt @@ -0,0 +1,3 @@ +You are ready to go! + +You can now start adding labels and annotations to your namespaces. diff --git a/charts/namespace-permission-manager/templates/_helpers.tpl b/charts/namespace-permission-manager/templates/_helpers.tpl new file mode 100644 index 0000000..d1444ce --- /dev/null +++ b/charts/namespace-permission-manager/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "namespace-permission-manager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "namespace-permission-manager.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "namespace-permission-manager.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "namespace-permission-manager.labels" -}} +helm.sh/chart: {{ include "namespace-permission-manager.chart" . }} +{{ include "namespace-permission-manager.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "namespace-permission-manager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "namespace-permission-manager.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "namespace-permission-manager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "namespace-permission-manager.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/cluster_role.yaml b/charts/namespace-permission-manager/templates/cluster_role.yaml new file mode 100644 index 0000000..0debdea --- /dev/null +++ b/charts/namespace-permission-manager/templates/cluster_role.yaml @@ -0,0 +1,10 @@ +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "namespace-permission-manager.fullname" . }} + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} +rules: + {{- toYaml .Values.rbac.roleRules | nindent 2 }} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/deployment.yaml b/charts/namespace-permission-manager/templates/deployment.yaml new file mode 100644 index 0000000..caa1e72 --- /dev/null +++ b/charts/namespace-permission-manager/templates/deployment.yaml @@ -0,0 +1,92 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "namespace-permission-manager.fullname" . }} + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "namespace-permission-manager.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "namespace-permission-manager.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "namespace-permission-manager.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /controller + args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.monitoring.enabled }} + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: metrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/namespace-permission-manager/templates/networkpolicy.yaml b/charts/namespace-permission-manager/templates/networkpolicy.yaml new file mode 100644 index 0000000..900f201 --- /dev/null +++ b/charts/namespace-permission-manager/templates/networkpolicy.yaml @@ -0,0 +1,27 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "namespace-permission-manager.fullname" . }} + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "namespace-permission-manager.selectorLabels" . | nindent 6 }} + policyTypes: + {{- if .Values.networkPolicy.ingress }} + - Ingress + {{- end }} + {{- if .Values.networkPolicy.egress }} + - Egress + {{- end }} + {{- with .Values.networkPolicy.ingress }} + ingress: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.networkPolicy.egress }} + egress: + {{- toYaml . | nindent 4 }} + {{- end -}} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/pdb.yaml b/charts/namespace-permission-manager/templates/pdb.yaml new file mode 100644 index 0000000..70d485e --- /dev/null +++ b/charts/namespace-permission-manager/templates/pdb.yaml @@ -0,0 +1,22 @@ +{{- if .Values.pdb.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "namespace-permission-manager.fullname" . }} + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} + {{- with .Values.pdb.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with .Values.pdb.minAvailable }} + minAvailable: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "namespace-permission-manager.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/role_binding.yaml b/charts/namespace-permission-manager/templates/role_binding.yaml new file mode 100644 index 0000000..2516201 --- /dev/null +++ b/charts/namespace-permission-manager/templates/role_binding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "namespace-permission-manager.fullname" . }} + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "namespace-permission-manager.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "namespace-permission-manager.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/service_metrics.yaml b/charts/namespace-permission-manager/templates/service_metrics.yaml new file mode 100644 index 0000000..72ff15f --- /dev/null +++ b/charts/namespace-permission-manager/templates/service_metrics.yaml @@ -0,0 +1,18 @@ +{{- if .Values.monitoring.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "namespace-permission-manager.fullname" . }}-metrics + labels: + app.kubernetes.io/component: metrics + {{- include "namespace-permission-manager.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: 8443 + targetPort: metrics + protocol: TCP + name: metrics + selector: + {{- include "namespace-permission-manager.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/service_monitor.yaml b/charts/namespace-permission-manager/templates/service_monitor.yaml new file mode 100644 index 0000000..530fcec --- /dev/null +++ b/charts/namespace-permission-manager/templates/service_monitor.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.monitoring.enabled .Values.monitoring.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "namespace-permission-manager.fullname" . }} + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: metrics + scheme: https + tlsConfig: + insecureSkipVerify: true + selector: + matchLabels: + app.kubernetes.io/component: metrics + {{- include "namespace-permission-manager.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/serviceaccount.yaml b/charts/namespace-permission-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..fdd118b --- /dev/null +++ b/charts/namespace-permission-manager/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "namespace-permission-manager.serviceAccountName" . }} + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/namespace-permission-manager/templates/tests/test-connection.yaml b/charts/namespace-permission-manager/templates/tests/test-connection.yaml new file mode 100644 index 0000000..823b1f0 --- /dev/null +++ b/charts/namespace-permission-manager/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "namespace-permission-manager.fullname" . }}-test-connection" + labels: + {{- include "namespace-permission-manager.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "namespace-permission-manager.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/namespace-permission-manager/values.yaml b/charts/namespace-permission-manager/values.yaml new file mode 100644 index 0000000..67cbcc1 --- /dev/null +++ b/charts/namespace-permission-manager/values.yaml @@ -0,0 +1,107 @@ +# Default values for namespace-permission-manager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: tagesspiegel/kubernetes-namespace-permission-manager + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +rbac: + # -- rbac.enabled specifies whether RBAC resources should be created + # If disabled, the operator will use the permissions of the service account the operator is running under + enabled: true + # -- roleRules defines the permissions the operator has access to + # The operator needs at least access to: + # namespaces: [list, get, watch] + # roles: [list, get, watch, create, update, delete] + # rolebindings: [list, get, watch, create, update, delete] + # + # And to any resource defined in the ns.tagesspiegel.de/rolebinding-subjects, ns.tagesspiegel.de/rolebinding-roleref and ns.tagesspiegel.de/custom-role-rules annotations + # To simplify the configuration, the operator has access to all resources in all namespaces by default. + roleRules: + - apiGroups: + - "*" + resources: + - "*" + verbs: + - "*" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: + runAsNonRoot: true + # fsGroup: 2000 + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- pdb defines the pod disruption budget for the operator +pdb: + enabled: true + annotations: {} + minAvailable: 1 + maxUnavailable: 0 + +# -- networkPolicy defines the network access to and from the operator +networkPolicy: + enabled: false + ingress: [] + # - from: + # - ipBlock: + # cidr: 10.0.0.0/24 + # except: + # - 10.0.0.128/25 + # - namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: frontend + # - podSelector: + # matchLabels: + # app.kubernetes.io/name: frontend + # ports: + # - protocol: TCP + # port: 80 + egress: [] + # - to: + # - ipBlock: + # cidr: 10.0.0.0/24 + # ports: + # - protocol: UDP + # port: 53