From 0a0e76cd5d420d07dad61958bd0a0d97a27d06a9 Mon Sep 17 00:00:00 2001 
From: Bartosz Chwila <103247439+barchw@users.noreply.github.com>
Date: Tue, 28 Nov 2023 10:22:19 +0100
Subject: [PATCH] Remove API Gateway content that was already modularised (#18436)

* Delete resources/api-gateway directory
* Delete resources/certificates directory
* Delete resources/ory directory
* Update components.yaml
* Delete installation/resources/crds/api-gateway directory
* Delete installation/resources/crds/ory directory
* Update codeowners

(cherry picked from commit 62d9acdb41fd18edcb317aaa509d5f0e2027ce0e)
---
 CODEOWNERS | 5 -
 installation/resources/components.yaml | 4 -
 .../api-gateway/apirules.gateway.crd.yaml | 275 ----------------
 .../resources/crds/ory/rules.crd.yaml | 139 --------
 resources/api-gateway/.helmignore | 21 --
 resources/api-gateway/Chart.yaml | 6 -
 resources/api-gateway/README.md | 10 -
 resources/api-gateway/templates/_helpers.tpl | 100 ------
 .../api-gateway/templates/deployment.yaml | 84 -----
 .../api-gateway/templates/monitoring.yaml | 27 --
 .../api-gateway/templates/priority-class.yaml | 7 -
 resources/api-gateway/templates/rbac.yaml | 52 ---
 resources/api-gateway/values.yaml | 115 -------
 resources/certificates/.helmignore | 23 --
 resources/certificates/Chart.yaml | 6 -
 resources/certificates/README.md | 35 --
 resources/certificates/templates/_helpers.tpl | 62 ----
 .../certificates/templates/certificate.yaml | 36 ---
 resources/certificates/values.yaml | 35 --
 resources/ory/.helmignore | 21 --
 resources/ory/Chart.yaml | 11 -
 resources/ory/README.md | 11 -
 resources/ory/charts/oathkeeper/.helmignore | 22 --
 resources/ory/charts/oathkeeper/Chart.yaml | 31 --
 .../charts/oathkeeper-maester/.helmignore | 22 --
 .../charts/oathkeeper-maester/Chart.yaml | 23 --
 .../oathkeeper-maester/templates/_helpers.tpl | 57 ----
 .../templates/deployment.yaml | 98 ------
 .../oathkeeper-maester/templates/pdb.yaml | 14 -
 .../oathkeeper-maester/templates/rbac.yaml | 36 ---
 .../templates/service-metrics.yaml | 17 -
 .../charts/oathkeeper-maester/values.yaml | 78 -----
 .../charts/oathkeeper/demo/access-rules.json | 83 -----
 .../demo/authenticator.jwt.jwks.json | 18 --
 .../demo/mutator.id_token.jwks.json | 18 --
 .../oathkeeper/stub/local-jwks-config.yaml | 24 --
 .../charts/oathkeeper/stub/remote-config.yaml | 29 --
 .../ory/charts/oathkeeper/templates/NOTES.txt | 64 ----
 .../charts/oathkeeper/templates/_helpers.tpl | 108 -------
 .../templates/configmap-config-demo.yaml | 59 ----
 .../templates/configmap-config.yaml | 17 -
 .../oathkeeper/templates/configmap-rules.yaml | 15 -
 .../charts/oathkeeper/templates/cronjob.yaml | 100 ------
 .../templates/deployment-controller.yaml | 155 ---------
 .../templates/deployment-sidecar.yaml | 157 ---------
 .../ory/charts/oathkeeper/templates/hpa.yaml | 52 ---
 .../oathkeeper/templates/ingress-api.yaml | 52 ---
 .../oathkeeper/templates/ingress-proxy.yaml | 53 ----
 .../ory/charts/oathkeeper/templates/pdb.yaml | 13 -
 .../ory/charts/oathkeeper/templates/rbac.yaml | 13 -
 .../charts/oathkeeper/templates/secrets.yaml | 18 --
 .../oathkeeper/templates/service-api.yaml | 29 --
 .../oathkeeper/templates/service-metrics.yaml | 21 --
 .../oathkeeper/templates/service-proxy.yaml | 33 --
 resources/ory/charts/oathkeeper/values.yaml | 299 ------------------
 resources/ory/profile-evaluation.yaml | 9 -
 resources/ory/profile-production.yaml | 31 --
 resources/ory/templates/_helpers.tpl | 55 ----
 .../ory/templates/monitoring-oathkeeper.yaml | 15 -
 resources/ory/templates/priority-class.yaml | 7 -
 resources/ory/values.yaml | 165 ----------
 61 files changed, 3195 deletions(-)
 delete mode 100644 installation/resources/crds/api-gateway/apirules.gateway.crd.yaml
 delete mode 100644 installation/resources/crds/ory/rules.crd.yaml
 delete mode 100644 resources/api-gateway/.helmignore
 delete mode 100644 resources/api-gateway/Chart.yaml
 delete mode 100644 resources/api-gateway/README.md
 delete mode 100644 resources/api-gateway/templates/_helpers.tpl
 delete mode 100644 resources/api-gateway/templates/deployment.yaml
 delete mode 100644 resources/api-gateway/templates/monitoring.yaml
 delete mode 100644 resources/api-gateway/templates/priority-class.yaml
 delete mode 100644 resources/api-gateway/templates/rbac.yaml
 delete mode 100644 resources/api-gateway/values.yaml
 delete mode 100644 resources/certificates/.helmignore
 delete mode 100644 resources/certificates/Chart.yaml
 delete mode 100644 resources/certificates/README.md
 delete mode 100644 resources/certificates/templates/_helpers.tpl
 delete mode 100644 resources/certificates/templates/certificate.yaml
 delete mode 100644 resources/certificates/values.yaml
 delete mode 100644 resources/ory/.helmignore
 delete mode 100644 resources/ory/Chart.yaml
 delete mode 100644 resources/ory/README.md
 delete mode 100644 resources/ory/charts/oathkeeper/.helmignore
 delete mode 100644 resources/ory/charts/oathkeeper/Chart.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/.helmignore
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/Chart.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/_helpers.tpl
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/deployment.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/pdb.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/rbac.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/service-metrics.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/charts/oathkeeper-maester/values.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/demo/access-rules.json
 delete mode 100644 resources/ory/charts/oathkeeper/demo/authenticator.jwt.jwks.json
 delete mode 100644 resources/ory/charts/oathkeeper/demo/mutator.id_token.jwks.json
 delete mode 100644 resources/ory/charts/oathkeeper/stub/local-jwks-config.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/stub/remote-config.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/NOTES.txt
 delete mode 100644 resources/ory/charts/oathkeeper/templates/_helpers.tpl
 delete mode 100644 resources/ory/charts/oathkeeper/templates/configmap-config-demo.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/configmap-config.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/configmap-rules.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/cronjob.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/deployment-controller.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/deployment-sidecar.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/hpa.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/ingress-api.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/ingress-proxy.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/pdb.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/rbac.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/secrets.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/service-api.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/service-metrics.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/templates/service-proxy.yaml
 delete mode 100644 resources/ory/charts/oathkeeper/values.yaml
 delete mode 100644 resources/ory/profile-evaluation.yaml
 delete mode 100644 resources/ory/profile-production.yaml
 delete mode 100644 resources/ory/templates/_helpers.tpl
 delete mode 100644 resources/ory/templates/monitoring-oathkeeper.yaml
 delete mode 100644 resources/ory/templates/priority-class.yaml
 delete mode 100644 resources/ory/values.yaml

diff --git a/CODEOWNERS b/CODEOWNERS
index 8a233e51515f..6ab9c7fc2ade 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -29,20 +29,15 @@
 /docs @kyma-project/technical-writers
 /installation @kyma-project/Jellyfish
-/installation/resources/crds/api-gateway @kyma-project/goat
 /installation/resources/crds/application-connector @kyma-project/Framefrog
 /installation/resources/crds/compass-runtime-agent @kyma-project/Framefrog
 /installation/resources/crds/eventing @kyma-project/eventing
 /installation/resources/crds/istio @kyma-project/goat
-/installation/resources/crds/ory @kyma-project/goat
-/resources/api-gateway @kyma-project/goat
 /resources/application-connector @kyma-project/Framefrog
-/resources/certificates @kyma-project/goat
 /resources/compass-runtime-agent @kyma-project/Framefrog
 /resources/eventing @kyma-project/eventing
 /resources/istio @kyma-project/goat
-/resources/ory @kyma-project/goat
 # Fast Integration Tests
 /tests/fast-integration/Makefile @kyma-project/eventing
diff --git a/installation/resources/components.yaml b/installation/resources/components.yaml
index 2737f4c9c711..71b76d44537f 100644
--- a/installation/resources/components.yaml
+++ b/installation/resources/components.yaml
@@ -3,10 +3,6 @@ defaultNamespace: kyma-system
 prerequisites:
 - name: "istio"
 namespace: "istio-system"
- - name: "certificates"
- namespace: "istio-system"
 components:
 - name: "eventing"
- - name: "ory"
- - name: "api-gateway"
 - name: "application-connector"
diff --git a/installation/resources/crds/api-gateway/apirules.gateway.crd.yaml b/installation/resources/crds/api-gateway/apirules.gateway.crd.yaml
deleted file mode 100644
index 823d1293986c..000000000000
--- a/installation/resources/crds/api-gateway/apirules.gateway.crd.yaml
+++ /dev/null
@@ -1,275 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: apirules.gateway.kyma-project.io -spec: - group: gateway.kyma-project.io - names: - kind: APIRule - listKind: APIRuleList - plural: apirules - singular: apirule - scope: Namespaced - preserveUnknownFields: false - versions: - - additionalPrinterColumns: - - jsonPath: .status.APIRuleStatus.code - name: Status - type: string - - jsonPath: .spec.host - name: Host - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: APIRule is the Schema for ApiRule APIs. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Defines the desired state of APIRule. - properties: - gateway: - description: Specifies the Istio Gateway to be used. - pattern: ^[0-9a-z-_]+(\/[0-9a-z-_]+|(\.[0-9a-z-_]+)*)$ - type: string - host: - description: Specifies the URL of the exposed service. - maxLength: 256 - minLength: 3 - pattern: ^([a-zA-Z0-9][a-zA-Z0-9-_]*\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9]+$ - type: string - rules: - description: Represents the array of Oathkeeper access rules to be - applied. - items: - properties: - accessStrategies: - description: Specifies the list of access strategies. 
All strategies - listed in [Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/pipeline/authn) - are supported. - items: - description: Represents a handler that authenticates provided - credentials. See the corresponding type in the oathkeeper-maester - project. - properties: - config: - description: Configures the handler. Configuration keys - vary per handler. - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - jwks_urls: - description: Specifies the array of URLs from which Ory Oathkeeper can retrieve JSON Web Keys for validating JSON Web Token. - The value must begin with either `http://`, `https://`, or `file://`. - type: array - items: - type: string - pattern: ^(http://|https://|file://).*$ - trusted_issuers: - description: If the **trusted_issuers** field is set, the JWT must contain a value for the claim `iss` - that matches exactly (case-sensitive) one of the values of **trusted_issuers**. - The value must begin with either `http://`, `https://`, or `file://`. - type: array - items: - type: string - pattern: ^(http://|https://|file://).*$ - handler: - description: Specifies the name of the handler. - type: string - required: - - handler - type: object - minItems: 1 - type: array - methods: - description: Represents the list of allowed HTTP request methods - available for the **spec.rules.path**. - items: - type: string - minItems: 1 - type: array - mutators: - description: Specifies the list of [Ory Oathkeeper mutators](https://www.ory.sh/docs/oathkeeper/pipeline/mutator). - items: - description: Mutator represents a handler that transforms - the HTTP request before forwarding it. See the corresponding - in the oathkeeper-maester project. - properties: - config: - description: Configures the handler. Configuration keys - vary per handler. - type: object - x-kubernetes-preserve-unknown-fields: true - handler: - description: Specifies the name of the handler. 
- type: string - required: - - handler - type: object - type: array - path: - description: Specifies the path of the exposed service. - pattern: ^([0-9a-zA-Z./*()?!\\_-]+) - type: string - service: - description: Describes the service to expose. Overwrites the - **spec** level service if defined. - properties: - external: - description: Specifies if the service is internal (in cluster) - or external. - type: boolean - name: - description: Specifies the name of the exposed service. - type: string - namespace: - description: Specifies the Namespace of the exposed service. - If not defined, it defaults to the APIRule Namespace. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: Specifies the communication port of the exposed - service. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - - port - type: object - timeout: - description: Specifies the timeout, in seconds, for - HTTP requests made to **spec.rules.path**. The maximum timeout is limited - to 3900 seconds (65 minutes). Timeout definitions set at this level - take precedence over any timeout defined at the **spec.timeout** level. - maximum: 3900 - minimum: 1 - type: integer - required: - - accessStrategies - - methods - - path - type: object - minItems: 1 - type: array - service: - description: Describes the service to expose. - properties: - external: - description: Specifies if the service is internal (in cluster) - or external. - type: boolean - name: - description: Specifies the name of the exposed service. - type: string - namespace: - description: Specifies the Namespace of the exposed service. If - not defined, it defaults to the APIRule Namespace. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: Specifies the communication port of the exposed service. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - - port - type: object - timeout: - description: Specifies the timeout, in seconds, for HTTP requests for all Oathkeeper access rules. - However, this value can be overridden for each individual rule. - The maximum timeout is limited to 3900 seconds (65 minutes). - If no timeout is specified, the default timeout of 180 seconds applies. - maximum: 3900 - minimum: 1 - type: integer - required: - - gateway - - host - - rules - type: object - status: - description: Describes the observed state of ApiRule. - properties: - APIRuleStatus: - description: Describes the status of APIRule. - properties: - code: - description: Status code describing APIRule. - type: string - desc: - description: Explains the status of APIRule. - type: string - type: object - accessRuleStatus: - description: Describes the status of ORY Oathkeeper Rule. - properties: - code: - description: Status code describing ORY Oathkeeper Rule. - type: string - desc: - description: Explains the status of ORY Oathkeeper Rule. - type: string - type: object - authorizationPolicyStatus: - description: Describes the status of the Istio Authorization Policy subresource. - properties: - code: - description: Status code describing the Istio Authorization Policy subresource. - type: string - desc: - description: Explains the status of the Istio Authorization Policy subresource. - type: string - type: object - lastProcessedTime: - description: Indicates the timestamp when the API Gateway controller last processed APIRule. - format: date-time - type: string - observedGeneration: - description: Specifies the generation of the resource that was observed by the API Gateway controller. - format: int64 - type: integer - requestAuthenticationStatus: - description: Describes the status of the Istio Request Authentication subresource. 
- properties: - code: - description: Status code describing the state of the Istio Authorization Policy subresource. - type: string - desc: - description: Explains the status of the Istio Request Authentication subresource. - type: string - type: object - virtualServiceStatus: - description: Describes the status of Istio VirtualService. - properties: - code: - description: Status code describing Istio VirtualService. - type: string - desc: - description: Explains the status of Istio VirtualService. - type: string - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/installation/resources/crds/ory/rules.crd.yaml b/installation/resources/crds/ory/rules.crd.yaml
deleted file mode 100644
index 03669d8138f0..000000000000
--- a/installation/resources/crds/ory/rules.crd.yaml
+++ /dev/null
@@ -1,139 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - name: rules.oathkeeper.ory.sh -spec: - group: oathkeeper.ory.sh - names: - kind: Rule - listKind: RuleList - plural: rules - singular: rule - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Rule is the Schema for the rules API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RuleSpec defines the desired state of Rule - properties: - authenticators: - items: - description: Authenticator represents a handler that authenticates provided credentials. - properties: - config: - description: Config configures the handler. Configuration keys vary per handler. - type: object - x-kubernetes-preserve-unknown-fields: true - handler: - description: Name is the name of a handler - type: string - required: - - handler - type: object - type: array - authorizer: - description: Authorizer represents a handler that authorizes the subject ("user") from the previously validated credentials making the request. - properties: - config: - description: Config configures the handler. Configuration keys vary per handler. 
- type: object - x-kubernetes-preserve-unknown-fields: true - handler: - description: Name is the name of a handler - type: string - required: - - handler - type: object - configMapName: - description: ConfigMapName points to the K8s ConfigMap that contains these rules - maxLength: 253 - minLength: 1 - pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' - type: string - match: - description: Match defines the URL(s) that an access rule should match. - properties: - methods: - description: Methods represent an array of HTTP methods (e.g. GET, POST, PUT, DELETE, ...) - items: - type: string - type: array - url: - description: URL is the URL that should be matched. It supports regex templates. - type: string - required: - - methods - - url - type: object - mutators: - items: - description: Mutator represents a handler that transforms the HTTP request before forwarding it. - properties: - config: - description: Config configures the handler. Configuration keys vary per handler. - type: object - x-kubernetes-preserve-unknown-fields: true - handler: - description: Name is the name of a handler - type: string - required: - - handler - type: object - type: array - upstream: - description: Upstream represents the location of a server where requests matching a rule should be forwarded to. - properties: - preserveHost: - description: PreserveHost includes the host and port of the url value if set to false. If true, the host and port of the ORY Oathkeeper Proxy will be used instead. - type: boolean - stripPath: - description: StripPath replaces the provided path prefix when forwarding the requested URL to the upstream URL. 
- type: string - url: - description: URL defines the target URL for incoming requests - maxLength: 256 - minLength: 3 - pattern: ^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+) - type: string - required: - - url - type: object - required: - - match - type: object - status: - description: RuleStatus defines the observed state of Rule - properties: - validation: - description: Validation defines the validation state of Rule - properties: - valid: - type: boolean - validationError: - type: string - type: object - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/resources/api-gateway/.helmignore b/resources/api-gateway/.helmignore
deleted file mode 100644
index f0c131944441..000000000000
--- a/resources/api-gateway/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/resources/api-gateway/Chart.yaml b/resources/api-gateway/Chart.yaml
deleted file mode 100644
index 981148d96f44..000000000000
--- a/resources/api-gateway/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-description: Kyma component 'api-gateway'
-name: api-gateway
-version: 1.9.0
-home: https://kyma-project.io
-icon: https://github.com/kyma-project/kyma/blob/main/logo.png?raw=true
diff --git a/resources/api-gateway/README.md b/resources/api-gateway/README.md
deleted file mode 100644
index 25b7aa0c4cab..000000000000
--- a/resources/api-gateway/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# API-Gateway
-
-## Overview
-API-Gateway is a component that allows exposing services through Kyma Dashboard. It deploys and manages Istio and Ory/Oathkeeper CustomResourceDefinitions (CRDs).
-
-This chart installs the controller, which requires these CRDs to expose services:
-- Istio [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/)
-- Oathkeeper [Rule](https://www.ory.sh/docs/oathkeeper/)
-
->**NOTE:** Oathkeeper CRD resources are available as charts in [this](https://github.com/ory/k8s) repository.
diff --git a/resources/api-gateway/templates/_helpers.tpl b/resources/api-gateway/templates/_helpers.tpl
deleted file mode 100644
index 611103552710..000000000000
--- a/resources/api-gateway/templates/_helpers.tpl
+++ /dev/null
@@ -1,100 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "api-gateway.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "api-gateway.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "api-gateway.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "api-gateway.labels" -}}
-app.kubernetes.io/name: {{ include "api-gateway.name" . }}
-helm.sh/chart: {{ include "api-gateway.chart" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-sidecar.istio.io/inject: "{{ .Values.config.injectIstioSidecar }}"
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
-{{/*
-Create a list of namespaced services to blocklist
-*/}}
-{{- define "api-gateway.serviceBlockList" -}}
-{{- range $i, $e := .Values.config.serviceBlockList -}}
-{{- range $e -}}
-{{ printf "%s.%s," . $i -}}
-{{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Create a list of domains to allowlist
-*/}}
-{{- define "api-gateway.domainAllowList" -}}
-{{- range $domain := .Values.config.domainAllowList -}}
-{{ printf "%s," $domain -}}
-{{- end }}
-{{- with .Values.global.domainName }}
-{{- printf "%s" . -}}
-{{- end }}
-{{- end -}}
-
-{{/*
-Get a default domain from values if set or use the default domain name for Kyma
-*/}}
-{{- define "api-gateway.defaultDomain" -}}
-{{ if .Values.config.defaultDomain }}
-{{- printf "%s" .Values.config.defaultDomain -}}
-{{ else }}
-{{- printf "%s" .Values.global.domainName -}}
-{{- end }}
-{{- end -}}
-
-{{- define "api-gateway.cors.allowOrigins" -}}
-{{- range $i, $e := .Values.config.cors.allowOrigins -}}
-{{- range $e -}}
-{{ printf "%s:%s," $i . -}}
-{{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Create a URL for container images
-*/}}
-{{- define "imageurl" -}}
-{{- $registry := default $.reg.path $.img.containerRegistryPath -}}
-{{- if hasKey $.img "directory" -}}
-{{- printf "%s/%s/%s:%s" $registry $.img.directory $.img.name $.img.version -}}
-{{- else -}}
-{{- printf "%s/%s:%s" $registry $.img.name $.img.version -}}
-{{- end -}}
-{{- end -}}
diff --git a/resources/api-gateway/templates/deployment.yaml b/resources/api-gateway/templates/deployment.yaml
deleted file mode 100644
index 892600fbe882..000000000000
--- a/resources/api-gateway/templates/deployment.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "api-gateway.fullname" . }}
- labels:
- kyma-project.io/component: controller
-{{ include "api-gateway.labels" . | indent 4 }}
-spec:
- replicas: {{ .Values.replicaCount }}
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- control-plane: controller-manager
- app.kubernetes.io/name: {{ include "api-gateway.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- template:
- metadata:
- labels:
- control-plane: controller-manager
- kyma-project.io/component: controller
-{{ include "api-gateway.labels" . | indent 8 }}
- spec:
- containers:
- - name: {{ .Chart.Name }}
- image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.api_gateway_controller) }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command:
- - /manager
- args:
- - --metrics-addr=0.0.0.0:{{ .Values.config.ports.metrics }}
- - --health-probe-addr=0.0.0.0:{{ .Values.config.ports.healthProbe }}
- - --oathkeeper-svc-address={{ .Values.config.oathkeeper.service }}
- - --oathkeeper-svc-port={{ .Values.config.oathkeeper.port }}
- - --service-blocklist={{ include "api-gateway.serviceBlockList" . | trimAll "," }}
- - --generated-objects-labels={{ .Values.config.generatedObjects.labels }}
- {{- if .Values.config.enableDomainAllowList }}
- - --domain-allowlist={{ include "api-gateway.domainAllowList" . }}
- {{- end }}
- - --default-domain-name={{ include "api-gateway.defaultDomain" . }}
- - --cors-allow-origins={{ include "api-gateway.cors.allowOrigins" . | trimAll "," }}
- {{- with .Values.config.cors.allowMethods }}
- - --cors-allow-methods={{ . | join ", " }}
- {{- end }}
- {{- with .Values.config.cors.allowHeaders }}
- - --cors-allow-headers={{ . | join ", " }}
- {{- end }}
- - --reconciliation-period={{ .Values.config.reconciliation.defaultPeriod }}
- - --error-reconciliation-period={{ .Values.config.reconciliation.errorPeriod }}
- resources:
- {{- toYaml .Values.deployment.resources | nindent 12 }}
- securityContext:
- {{- toYaml .Values.deployment.securityContext | nindent 12 }}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- ports:
- - containerPort: {{ .Values.config.ports.metrics }}
- name: metrics
- - containerPort: {{ .Values.config.ports.healthProbe }}
- name: health
- livenessProbe:
- httpGet:
- port: health
- path: "/healthz"
- readinessProbe:
- httpGet:
- port: health
- path: "/readyz"
- serviceAccountName: {{ include "api-gateway.name" . }}-account
- nodeSelector:
- {{- with .Values.config.nodeSelector }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.deployment.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- if .Values.priorityClassName }}
- priorityClassName: {{ .Values.priorityClassName }}
- {{- end }}
diff --git a/resources/api-gateway/templates/monitoring.yaml b/resources/api-gateway/templates/monitoring.yaml
deleted file mode 100644
index 669a574b1b15..000000000000
--- a/resources/api-gateway/templates/monitoring.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Dedicated Service for metrics endpoint
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "api-gateway.name" . }}-metrics
- annotations:
- prometheus.io/scrape: "false"
- prometheus.io/port: {{ .Values.config.ports.metrics | quote }}
- labels:
-{{ include "api-gateway.labels" . | indent 4 }}
-spec:
- ports:
- - name: tcp-metrics
- port: {{ .Values.config.ports.metrics }}
- selector:
- app.kubernetes.io/name: {{ include "api-gateway.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: {{ include "api-gateway.name" . }}-metrics
-spec:
- host: {{ include "api-gateway.name" . }}-metrics.{{ .Release.Namespace }}.svc.cluster.local
- trafficPolicy:
- tls:
- mode: DISABLE
diff --git a/resources/api-gateway/templates/priority-class.yaml b/resources/api-gateway/templates/priority-class.yaml
deleted file mode 100644
index ae8814f5dc75..000000000000
--- a/resources/api-gateway/templates/priority-class.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: {{ .Values.priorityClassName }}
-value: 2100000
-globalDefault: false
-description: "Scheduling priority of api-gateway component. Must not be blocked by unschedulable user workloads."
diff --git a/resources/api-gateway/templates/rbac.yaml b/resources/api-gateway/templates/rbac.yaml
deleted file mode 100644
index 793e8006e907..000000000000
--- a/resources/api-gateway/templates/rbac.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "api-gateway.name" . }}-account
- namespace: {{ .Release.Namespace }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "api-gateway.name" . }}-role
-rules:
- - apiGroups: [ "gateway.kyma-project.io" ]
- resources: ["apirules"]
- verbs: ["get", "list", "watch", "patch", "update"]
- - apiGroups: ["gateway.kyma-project.io"]
- resources: ["apirules/status"]
- verbs: ["create", "delete", "get", "patch", "list", "watch", "update"]
- - apiGroups: ["networking.istio.io"]
- resources: ["virtualservices"]
- verbs: ["create", "delete", "get", "patch", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["oathkeeper.ory.sh"]
- resources: ["rules"]
- verbs: ["create", "delete", "get", "patch", "list", "watch", "update"]
- - apiGroups: ["security.istio.io"]
- resources: ["authorizationpolicies"]
- verbs: ["create", "delete", "get", "patch", "list", "watch", "update"]
- - apiGroups: ["security.istio.io"]
- resources: ["requestauthentications"]
- verbs: ["create", "delete", "get", "patch", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "patch", "list", "watch", "update"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "api-gateway.name" . }}-role-binding
-subjects:
- - kind: ServiceAccount
- name: {{ include "api-gateway.name" . }}-account # Service account assigned to the controller pod.
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "api-gateway.name" . }}-role
\ No newline at end of file
diff --git a/resources/api-gateway/values.yaml b/resources/api-gateway/values.yaml
deleted file mode 100644
index 8c35d09d42ed..000000000000
--- a/resources/api-gateway/values.yaml
+++ /dev/null
@@ -1,115 +0,0 @@ -replicaCount: 1 - -image: - pullPolicy: IfNotPresent - -deployment: - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - -config: - injectIstioSidecar: false - reconciliation: - # In seconds - defaultPeriod: 3600 - errorPeriod: 60 - oathkeeper: - service: ory-oathkeeper-proxy.kyma-system.svc.cluster.local - port: 4455 - serviceBlockList: - istio-system: - - istio-citadel - - istio-galley - - istio-ingressgateway - - istio-pilot - - istio-policy - - istio-sidecar-injector - - istio-telemetry - kyma-system: - - apiserver-proxy - - apiserver-proxy-ssl - domainAllowList: - enableDomainAllowList: false - defaultDomain: - cors: # values listed below will be used to set corsPolicy in created VirtualServices (https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/#CorsPolicy) - allowOrigins: - regex: - - ".*" - allowMethods: # no possibility to use "*" - - "GET" - - "POST" - - "PUT" - - "DELETE" - - "PATCH" - allowHeaders: # "*" is not yet supported by all browsers - - "Authorization" - - "Content-Type" - - "*" - generatedObjects: - # Comma-separated list of key=value pairs used to label generated objects - labels: - - # Node labels for pod assignment. - nodeSelector: {} - # If you do want to specify node labels, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. - # foo: bar - - # Configure node tolerations. 
- tolerations: [] - - # Port configuration - ports: - metrics: 8080 - healthProbe: 8081 - -# Configure node affinity -affinity: {} - -# Configure priorityClassName -priorityClassName: "api-gateway-priority-class" - -tests: - enabled: true - labels: - integration: true - after-upgrade: true - env: - testUser: "admin-user" - timeout: 120 - delay: 10 - jwtTimeout: "30s" - jwtMaxAttempts: 5 - jwtDelay: 5 - gatewayName: "kyma-gateway" - gatewayNamespace: "kyma-system" - securityContext: - runAsUser: 65534 - runAsNonRoot: true - runAsGroup: 65534 - -global: - domainName: kyma.example.com - containerRegistry: - path: europe-docker.pkg.dev/kyma-project - images: - api_gateway_controller: - name: "api-gateway-controller" - version: "1.9.0" - directory: "prod" diff --git a/resources/certificates/.helmignore b/resources/certificates/.helmignore deleted file mode 100644 index 0e8a0eb36f4c..000000000000 --- a/resources/certificates/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/resources/certificates/Chart.yaml b/resources/certificates/Chart.yaml deleted file mode 100644 index 69907e4c86d8..000000000000 --- a/resources/certificates/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: Kyma component 'certificates' -name: certificates -version: 1.0.0 -home: https://kyma-project.io -icon: https://github.com/kyma-project/kyma/blob/main/logo.png?raw=true diff --git a/resources/certificates/README.md b/resources/certificates/README.md deleted file mode 100644 index 1b0c472c33ed..000000000000 --- a/resources/certificates/README.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# Certificates - -## Overview - -Certificates Helm chart is used for managing Kyma certificates. - -## Details - -Depending on the scenario, this Helm chart creates either: -- a plain k8s Secret - `kyma-gateway-certs` -- a Gardener certificate - `kyma-tls-cert` - -If the plain k8s Secret is created, the certificate is either provided, or the default one within the Helm values is used. The default certificate is valid for at least 6 months from the installation date. - -### Overrides handling - -Users can control the behavior of this chart using three overrides: `global.domainName`, `global.tlsCrt` and `global.tlsKey` -These overrides are optional, but if you use TLS overrides remember to define both of them. If only one TLS override is defined and the other is empty, the chart assumes TLS overrides are **not** provided. - -The table summarizes what the generated output is, basing on the overrides provided. - -| Domain name | TLS overrides | What is generated | -|--|--|--| -| n/a | provided | a Secret with the user-provided values | -| provided | not provided | a Certificate object configured with the given domain name | -| not provided | not provided | a Secret with a default static value defined in this chart | - -## Generate a new default certificate -If the provided self-signed default certificate needs to be updated, use `openssl` and create a new one for the `kyma.example.com` domain. Use the following command: - ``` -openssl req -newkey rsa:3072 -keyout kyma.key -x509 -days 365 -out kyma.example.crt - ``` - - - diff --git a/resources/certificates/templates/_helpers.tpl b/resources/certificates/templates/_helpers.tpl deleted file mode 100644 index 511b86c94fa0..000000000000 --- a/resources/certificates/templates/_helpers.tpl +++ /dev/null 
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "certificates.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "certificates.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "certificates.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "certificates.labels" -}}
-helm.sh/chart: {{ include "certificates.chart" . }}
-{{ include "certificates.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "certificates.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "certificates.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "certificates.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "certificates.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/resources/certificates/templates/certificate.yaml b/resources/certificates/templates/certificate.yaml
deleted file mode 100644
index 436449c3ddc1..000000000000
--- a/resources/certificates/templates/certificate.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{- if and (.Values.global.tlsCrt) (.Values.global.tlsKey) -}}
----
-# User-provided TLS always take precedence
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.certificates.kyma.name }}
- namespace: {{ .Values.certificates.kyma.namespace }}
-type: Opaque
-data:
- tls.crt: {{ .Values.global.tlsCrt }}
- tls.key: {{ .Values.global.tlsKey }}
-{{- else if not (.Values.global.domainName) -}}
----
-# No user-provided TLS data and no domain name. Fallback to default static certificate
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.certificates.kyma.name }}
- namespace: {{ .Values.certificates.kyma.namespace }}
-type: Opaque
-data:
- tls.crt: {{ .Values.certificates.kyma.default.tlsCrt }}
- tls.key: {{ .Values.certificates.kyma.default.tlsKey }}
-{{- else -}}
----
-# Domain is given, but not TLS data. Generate the `Certificate` object
-apiVersion: cert.gardener.cloud/v1alpha1
-kind: Certificate
-metadata:
- name: kyma-tls-cert
- namespace: {{ .Values.certificates.kyma.namespace }}
-spec:
- commonName: "*.{{ .Values.global.domainName }}"
- secretName: {{ .Values.certificates.kyma.name }}
-{{- end -}}
diff --git a/resources/certificates/values.yaml b/resources/certificates/values.yaml
deleted file mode 100644
index 6f004a004658..000000000000
--- a/resources/certificates/values.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-certificates:
- kyma:
- name: kyma-gateway-certs
- namespace: istio-system
- default:
- tlsCrt: 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
- tlsKey: 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
- apiserverProxy:
- name: apiserver-proxy-tls-cert
- namespace: kyma-system
-
-userProvided:
- issuer:
- name: kyma-ca-issuer
- configMap:
- name: kyma-ca-issuer
- namespace: default
-
-global:
- certificates:
- selfSigned: false
- istio:
- gateway:
- name: kyma-gateway
- namespace: kyma-system
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
diff --git a/resources/ory/.helmignore b/resources/ory/.helmignore
deleted file mode 100644
index f0c131944441..000000000000
--- a/resources/ory/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/resources/ory/Chart.yaml b/resources/ory/Chart.yaml
deleted file mode 100644
index d32dfde40e71..000000000000
--- a/resources/ory/Chart.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v2
-description: Kyma component 'ory'
-name: ory
-version: 1.1.0
-home: https://kyma-project.io
-icon: https://github.com/kyma-project/kyma/blob/main/logo.png?raw=true
-dependencies:
- - name: oathkeeper
- version: 0.23.2
- condition: oathkeeper.enabled
-
diff --git a/resources/ory/README.md b/resources/ory/README.md
deleted file mode 100644
index a2fa3df81778..000000000000
--- a/resources/ory/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# ORY
-
-[ORY](https://www.ory.sh/) Open Source OAuth 2.0 & OpenID Connect
-
-## Introduction
-
-This chart bootstraps the [Oathkeeper](https://www.ory.sh/docs/oathkeeper/) component on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
-
-## Chart Details
-
-This chart installs the ORY Oathkeeper component as a subchart.
diff --git a/resources/ory/charts/oathkeeper/.helmignore b/resources/ory/charts/oathkeeper/.helmignore
deleted file mode 100644
index fbe01f88f25d..000000000000
--- a/resources/ory/charts/oathkeeper/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
\ No newline at end of file
diff --git a/resources/ory/charts/oathkeeper/Chart.yaml b/resources/ory/charts/oathkeeper/Chart.yaml
deleted file mode 100644
index 7aacfe792ec0..000000000000
--- a/resources/ory/charts/oathkeeper/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v2
-appVersion: "v0.38.25-beta.1"
-description: A Helm chart for deploying ORY Oathkeeper in Kubernetes
-name: oathkeeper
-icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-oathkeeper.svg
-version: 0.23.2
-keywords:
- - zero-trust
- - beyond-corp
- - access-control
- - reverse-proxy
- - nginx
- - envoy
- - ambassador
- - auth-filter
-home: https://www.ory.sh/
-sources:
- - https://github.com/ory/oathkeeper
- - https://github.com/ory/k8s
-maintainers: # (optional)
- - name: ORY Team
- email: office@ory.sh
- url: https://www.ory.sh/
-type: application
-dependencies:
- - name: oathkeeper-maester
- version: 0.23.2
- condition: maester.enabled
- alias: oathkeeper-maester
- repository: file://../oathkeeper-maester
- # repository: https://k8s.ory.sh/helm/charts
diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/.helmignore b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/.helmignore
deleted file mode 100644
index 50af03172541..000000000000
--- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/Chart.yaml b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/Chart.yaml
deleted file mode 100644
index d76b95aaf499..000000000000
--- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/Chart.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v2
-appVersion: "v0.1.5"
-description: A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
-name: oathkeeper-maester
-icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-oathkeeper.svg
-version: 0.23.2
-keywords:
- - zero-trust
- - beyond-corp
- - access-control
- - reverse-proxy
- - nginx
- - envoy
- - ambassador
- - auth-filter
-home: https://www.ory.sh/
-sources:
- - https://github.com/ory/oathkeeper
- - https://github.com/ory/k8s
-maintainers: # (optional)
- - name: ORY Team
- email: office@ory.sh
- url: https://www.ory.sh/
diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/_helpers.tpl b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/_helpers.tpl
deleted file mode 100644
index fbdbfa60e36a..000000000000
--- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/_helpers.tpl
+++ /dev/null
@@ -1,57 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "oathkeeper-maester.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "oathkeeper-maester.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "oathkeeper-maester.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "oathkeeper-maester.labels" -}}
-app.kubernetes.io/name: {{ include "oathkeeper-maester.name" . }}
-helm.sh/chart: {{ include "oathkeeper-maester.chart" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
-{{/*
-Get Oathkeeper rules configmap
-*/}}
-{{- define "oathkeeper-maester.getCM" -}}
-{{- if .Values.oathkeeperFullnameOverride -}}
-{{- printf "%s-rules" .Values.oathkeeperFullnameOverride | trimSuffix "-" -}}
-{{- else -}}
-{{- $fullName := include "oathkeeper-maester.fullname" . -}}
-{{- printf "%s-rules" $fullName | replace "-oathkeeper-maester" "" -}}
-{{- end -}}
-{{- end -}}
diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/deployment.yaml b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/deployment.yaml
deleted file mode 100644
index 8df6440d6595..000000000000
--- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/deployment.yaml
+++ /dev/null
@@ -1,98 +0,0 @@ -{{- if eq .Values.global.ory.oathkeeper.maester.mode "controller" }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "oathkeeper-maester.name" . }} - {{- if .Release.Namespace }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: -{{ include "oathkeeper-maester.labels" . | indent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - revisionHistoryLimit: 10 - selector: - matchLabels: - control-plane: controller-manager - app.kubernetes.io/name: {{ include "oathkeeper-maester.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - strategy: - {{- toYaml .Values.deployment.strategy | nindent 4 }} - template: - metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: {{ include "oathkeeper-maester.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.deployment.annotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.oathkeeper) }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /manager - args: - - --metrics-addr=0.0.0.0:{{ .Values.port.metrics }} - - controller - - --rulesConfigmapName={{ include "oathkeeper-maester.getCM" . }} - {{- if .Values.rulesConfigmapNamespace }} - - --rulesConfigmapNamespace={{ .Values.rulesConfigmapNamespace }} - {{- else }} - - --rulesConfigmapNamespace={{ .Release.Namespace }} - {{- end }} - {{- if .Values.rulesFileName }} - - --rulesFileName={{ .Values.rulesFileName }} - {{- end }} - env: - {{- if .Values.singleNamespaceMode }} - - name: NAMESPACE - value: {{ .Release.Namespace }} - {{- end }} - {{- with .Values.deployment.envs }} - {{- toYaml . 
| nindent 12 }} - {{- end }} - resources: - {{- toYaml .Values.deployment.resources | nindent 12 }} - {{- if .Values.deployment.securityContext }} - securityContext: - {{- toYaml .Values.deployment.securityContext | nindent 12 }} - {{- end }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - {{- with .Values.deployment.envs }} - env: - {{- toYaml . | nindent 12 }} - {{- end }} - ports: - - containerPort: {{ .Values.port.metrics }} - name: metrics - serviceAccountName: {{ include "oathkeeper-maester.name" . }}-account - dnsPolicy: ClusterFirst - restartPolicy: Always - securityContext: {} - terminationGracePeriodSeconds: 10 - nodeSelector: - {{- with .Values.deployment.nodeSelector }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.deployment.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/pdb.yaml b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/pdb.yaml deleted file mode 100644 index 95dbbdc7ce01..000000000000 --- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/pdb.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.pdb.enabled -}} ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "oathkeeper-maester.fullname" . }} -spec: - selector: - matchLabels: - control-plane: controller-manager - app.kubernetes.io/name: {{ include "oathkeeper-maester.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{ toYaml .Values.pdb.spec }} -{{- end -}} 
diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/rbac.yaml b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/rbac.yaml
deleted file mode 100644
index e07a7dd19463..000000000000
--- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/rbac.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "oathkeeper-maester.name" . }}-account
- namespace: {{ .Release.Namespace }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "oathkeeper-maester.name" . }}-role
-rules:
- - apiGroups: ["oathkeeper.ory.sh"]
- resources: ["rules"]
- verbs: ["*"]
-{{- if eq .Values.global.ory.oathkeeper.maester.mode "controller" }}
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "patch", "update"]
-{{- end }}
- # TODO, fix controller call from all namespaces to single namespace
- # resourceNames:
- # - {{ .Values.configMapName | default "ory-oathkeeper-rules" }}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "oathkeeper-maester.name" . }}-role-binding
-subjects:
- - kind: ServiceAccount
- name: {{ include "oathkeeper-maester.name" . }}-account # Service account assigned to the controller pod.
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "oathkeeper-maester.name" . }}-role
diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/service-metrics.yaml b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/service-metrics.yaml
deleted file mode 100644
index f446d44b0d5a..000000000000
--- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/templates/service-metrics.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if eq .Values.global.ory.oathkeeper.maester.mode "controller" }}
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
-{{ include "oathkeeper-maester.labels" . | indent 4 }}
- mode: {{ .Values.global.ory.oathkeeper.maester.mode }}
- name: {{ include "oathkeeper-maester.fullname" . }}-metrics
-spec:
- ports:
- - name: metrics
- port: {{ .Values.port.metrics }}
- selector:
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/name: {{ include "oathkeeper-maester.name" . }}
-{{- end }}
\ No newline at end of file
diff --git a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/values.yaml b/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/values.yaml
deleted file mode 100644
index a7f3d7403cee..000000000000
--- a/resources/ory/charts/oathkeeper/charts/oathkeeper-maester/values.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -# Mode for oathkeeper controller -# Two possible modes are: controller or sidecar -global: - ory: - oathkeeper: - maester: - mode: controller - -replicaCount: 1 - -# -- Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others -singleNamespaceMode: false - -# oathkeeperFullnameOverride: oathkeeper - -# rulesConfigmapNamespace: some-namespace -# rulesFileName: access-rules.json - -image: - # ORY Oathkeeper Rule Controller image - repository: oryd/oathkeeper-maester - # ORY Oathkeeper Rule Controller version - tag: "v0.1.0" - # Image pull policy - pullPolicy: IfNotPresent - -# -- Image pull secrets -imagePullSecrets: [] - -port: - metrics: 8080 - -deployment: - strategy: {} # Read more: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 30Mi - # requests: - # cpu: 100m - # memory: 20Mi - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 10010 - allowPrivilegeEscalation: false - privileged: false - - # Node labels for pod assignment. - nodeSelector: {} - # If you do want to specify node labels, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. - # foo: bar - - # Configure node tolerations. - tolerations: [] - - # Configure annotations. - annotations: {} - - envs: {} - -# Configure node affinity -affinity: {} - -# -- PodDistributionBudget configuration -pdb: - enabled: false - spec: - minAvailable: 1 
diff --git a/resources/ory/charts/oathkeeper/demo/access-rules.json b/resources/ory/charts/oathkeeper/demo/access-rules.json deleted file mode 100644 index 9b49527023af..000000000000 --- a/resources/ory/charts/oathkeeper/demo/access-rules.json +++ /dev/null @@ -1,83 +0,0 @@ -[ - { - "id": "rule-1", - "upstream": { - "url": "https://httpbin.org/anything" - }, - "match": { - "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop", - "methods": [ - "GET", - "POST", - "PUT", - "DELETE", - "PATCH" - ] - }, - "authenticators": [ - { - "handler": "noop" - } - ], - "authorizer": { - "handler": "allow" - }, - "mutator": { - "handler": "noop" - } - }, - { - "id": "rule-2", - "upstream": { - "url": "https://httpbin.org/anything" - }, - "match": { - "url": "http://<[^/]+>/authenticator/anonymous/authorizer/allow/mutator/header", - "methods": [ - "GET", - "POST", - "PUT", - "DELETE", - "PATCH" - ] - }, - "authenticators": [ - { - "handler": "anonymous" - } - ], - "authorizer": { - "handler": "allow" - }, - "mutator": { - "handler": "header" - } - }, - { - "id": "rule-3", - "upstream": { - "url": "https://httpbin.org/anything" - }, - "match": { - "url": "http://<[^/]+>/authenticator/anonymous/authorizer/allow/mutator/id_token", - "methods": [ - "GET", - "POST", - "PUT", - "DELETE", - "PATCH" - ] - }, - "authenticators": [ - { - "handler": "anonymous" - } - ], - "authorizer": { - "handler": "allow" - }, - "mutator": { - "handler": "id_token" - } - } -] diff --git a/resources/ory/charts/oathkeeper/demo/authenticator.jwt.jwks.json b/resources/ory/charts/oathkeeper/demo/authenticator.jwt.jwks.json deleted file mode 100644 index 458c387a8ffd..000000000000 --- a/resources/ory/charts/oathkeeper/demo/authenticator.jwt.jwks.json +++ /dev/null 
@@ -1,18 +0,0 @@ -{ - "keys": [ - { - "use": "sig", - "kty": "RSA", - "kid": "f5779cd8-7ad9-4ee6-8b34-04952a1d1a37", - "alg": "RS256", - "n": "4ntuNDFC926qqB4biBgDHQ-ReuoNoyBuR2CuVSmGzL3oggMpsa1Cg6z0y2-6Hjdl_qcMEktkrAXHgtJvKSjay47EUzye-hYUjZSCAVTgHNEbp1I3TzyFZggsiqEDfA-OE9VjqA4W9_dNV5tqzN8itigq9ioiF47VAOOY2VHRvjuEGZlMXl2jm_VZPtwKrUzfWtZVPEefrj3q6Zp3KhzF70W_CL5X8dhDZ3OcRBHFoYJ0PdyRjRF5wOnG6dvcp15Vq2vfZHJTw2Kgdn0PT-KmK7LW6Qu8yaLTDLTwY6dl2BZ1iMdv0kzZ4ZM65o-Y7T99_4fTN-gUAJYVF7cUuicz7sTkMa2EPHGtP9tAbxAps6_KR4BubEZFF7VK5kYjudhco_30WoeH_uG9-_iMrdv7UgDKIfbXHdoLxOCDAqTnnHRlzO05HGFE3tKmob5UnZJIjy7dXwWg1Ximjbbc9JDadfBNMXgC3Sw5mMOoCxXRsR-MFEIWqrFJrMuNXkQgS5WdARvFJJ9uNhwxB_U6bMQYzUNRSdD4zxfsBIHY3gS_kWtou0OiPuUpCO0cloPWBvKzlm4yuPeNkDZQL1iIBsIjCa4QC0K7g36IEIyxcBPlOfkTMsgySNmU97UnogJzWcJdCGwlDGYuQd5olWEG-bm--96BDIXjXEf08lzKpOFMRA0", - "e": "AQAB", - "d": "C3Eu9SYT-wo1Rv8WZv7HkX1K3Unb3ITz7Vk-FYFelRN3HrJoNdjKBnsDdw-y-HnWBlKMMpRqhqJYHQzintK4kxYoZwgmA_5_lVOOaeDO3cXWvtJRhwhIuQnqripKUcc7Z1cdjM0Bbg-pcaahc65GQ6ut1_fy9vu5WS0meLxAe3roRp7PE-lpLaTsmFdnlq_OjPlNHxmDQLtSFfE-2frQKTF94EQ1jztc1Gor1-iJ8onzs3hkRhs-6nclHIWGFVKXw2xUwe9guftOng3dayzJNmX3o5h7NjiqrvapOm-nno4r6_gfdyF41IOqsyFIGZxekj1bd3SbJhhvAl62hl0aq3oeIQos0Or8KJb7THx83UCitT81eQ7AMCqG2IxaMAq2_ZSeUGPj-poitQw5f72cWp_8YnGH6DSEr5EdxvJbGH7tDE2XTMt1HXjR06loBEfPqniuuJgraP1VKfwCWL890VgnCTHYErQpVTWQiTg8tLQlcJsUVhp9QoZpNMVrn7d2QX64MyAP1TWta1a1acH58uhFpi_tyAKxf6abcUy4sA3C0ujSR59g1GpTJwhMWWq9P5zxuW4esXiB6En23qwrqNFMzfjrm238WO9IDEeIYmoUUhhNKM4PQ7kYdHOUNSPDza8v_8aK3KsCPgH8Te6JXHDVmlYIs0azP4tyJPWfEqU", - "p": "--00Y0fxXRamjgH2dG1gsMHqwgTcT82SMzVtgAhR3tGpVKewtOw0mSy6RT8qr29MU0TEixfquUi3z0u1E1zp7oMGSB4oRyx-HgdYH3u3XgkDxP3Nmy32-FXmMcWyJJNaMAXlVLpmxZSEx5UzhAZGyNJX0fqKXtw0OSUOVW-bGb348hca7wZYO2XYSiAwvi2t9RrznILXqLBFULk9OrPfHpyiSlqR0KZkF00IolPwBrK5POuQh2baK_txafUi9DIPoZ4qzdQVPfQgF3eJWOyjHkFNAVPIer1sVpbKXni071liZFForlVuwYuvzhh9_9h9B7aKLkVcSt44BGrqe7qO0w", - "q": 
"5iTndnj7ElcTh9wWHyYxUwDLUKR1RU_w7Mgl36R15knG9z6DdQZzckuUNDobtsjGoyjb_z4ZWSKcCyibkndhGv2CogsS0OHL82GgvWmprWjjTBdK_M-3PlnUqQSlCQj6CvA14SfKvJ6hyzpyEYecryqP8J3t2Mc8caU5if3XmaQKo46BDENGN84ff78KWtYZzIHDfOkFPNwnt7od4IvUcJrfFwhlRzIr-aR14KDOi50YtmS95-hFEC2Os1X9x7rur512jV55L4IB9eJ9Eaupc9pPzx9c8R9P9hhqdwGfzPzjHM3rvJdlt7zixdwqUpSx2pOF2YI4A2NokP6powjVnw", - "dp": "i8rOPSEYr7z34uj35xcihjK0n8Cut6GstLm670aul2PkAFOk3GANt8l3-yDYAM1TnwkTvtMgrnvJcz_hVMNEE9Ok0rPZSdVIjkUpAx9VWtrJuq_TPX6-AoM33vqCpYUWkHtVDDT6_jwxicYi9em9sYX2sU_DJGwwll0XnRT3Dcu6ritgCK6OmzciU8-U_JLAarfv4jNAlBxr-iUv8rkI4CWucG_dZdhOxhc66UiGclEONN3KLzhFbA50moUqRjLZNadcvSYoO16RyDPOhQeaZBl8L3ZcUq91xH6cANweGoqQ7HW4DrTdZoyqm0Q_9o4cowEJoC9gzTKOBvWE8-9LfQ", - "dq": "MuM4FtcbVOvSErlUXuDYCS1kx1kF4SSS9hgvX6sCsr_fca3t7UNW5Y_WnlG27Qyp90vCkUaO3kmrzT_WXmVtIEWry96881jp-s-8dgVWElTd5WZFG29mai_8uL6hK0VD3IVOtJFS37AHwGMU89FTkNvNZfvVqpgrQkmxVlS9hmhiPdX1rNt3PEGkb1-zj3BF1hVfP1Ba6yEW2yYZExx4BcoIyBQAKOTsGlAGDHwiD3bWDwZpg0y1cKVSJ089RRuNSWF85DdefmW1v0OsOesGFerQuNCLgXlV-eleKSA_0FieczEJDfM_94eZcPyEkyvzw4vZDcYgUod5iI32vmjmqw", - "qi": "15rvZY6EfFs7q846o1zT-rToNJKmmQWsiehAJ0TYM1Y1t2OtT3OG3wZVm1IU3ewu8PLxDqBBga-nBZNLa_NNKlEcQPAHWk7BFK8stBx1rPSyrb7kjrGgYdFkXh9QMK_uNlSBa5eVN_di3eU3uZznHKv8VwoY5v10_OVXq3DlS28Op9qRe2LIOd_P3iyU9GFRzqObjKSYJ3hnn9d9o_MplLAKz6skANFLMeiSjvtbyLyBDGyf0RQvXbMilWefXuq090PnZXoefDn2zcHqWPOhirBRqAdbL5GaRKqbsJKIKzGGA9LCcj_AaFDOSMWcP8eoFOgrd0q31wHHshcdMigmug" - } - ] -} diff --git a/resources/ory/charts/oathkeeper/demo/mutator.id_token.jwks.json b/resources/ory/charts/oathkeeper/demo/mutator.id_token.jwks.json deleted file mode 100644 index e5c24f0edc73..000000000000 --- a/resources/ory/charts/oathkeeper/demo/mutator.id_token.jwks.json +++ /dev/null 
@@ -1,18 +0,0 @@
-{
- "keys": [
- {
- "use": "sig",
- "kty": "RSA",
- "kid": "67bf0153-a6dc-4f06-9ce4-2f203b79adc8",
- "alg": "RS256",
- "n": "z59MFx8ntDR5j_XhETXVJ-e2lYHOJx9jMouhAwqTMQXg07BiHLcLzIGjhPIhQTKdO4BpAbu84Ceg3W-fVmK8-yrnPch-4cgi6UktIxL--iV4yj1p5FSInbBBm1oFJcmn8jqf0picWwRlDUv92cJKblDE1ZdGjO6HqOvGZAZFr-w4xT_jBsQRBCLspZ0_mWDHWsrjFcvZ3AgmERm5kwmJ-YSSeU-v08twcwVkA9UdAgeHgw5Z9vascy1tsrokvsI7Qktk867SL-BJZJ4FWn8lAJCdxOMFGdXyGthr2d9kZqzNBc0Isoay1NtM0K0gt_27jZc456w9-enkEMIu9bM4HYiX3T9i6N2LjnNj2hdARg9WODFj01LCOb240_boXO_iHQU69SCKi6tvQNUw7lf7TapD1Dsz4OZ0tsbAVY5HKRZH-CIo6cseVaaloFI7PYPnRW3gXyOUxfQCIWpg8v6TPNPrNIbwH-gXiUd6-Mngj-MX-CWenuin-Y_-KYYOS880vlOfBGUVTSkpPBnHW4-a2DZLcjyxv2uUsKksFmDqPEQVrugXZQQ6mUGHQNXxOWqJ211kf6SNo0pv9mcLAo07rkPy3Ujqq96C3G_l74c2t2gfXYCv0vYvHQ5E726gf-7H3YK5NO0jH_0EvCMVD25L7eXVuITxaZdxpn3InrK_i2s",
- "e": "AQAB",
- "d": "ZygstChEn-Kaq45tHxHyMHuOWkY-WW3c6ZY6j7pHW8oh5Mv0U3QXJqsaxclQAIbXXGL2yWev9md6I8t8DX3Ni7XLYwUlFaVMw0AabxzXFw5bL5DH9iySHFcgocFeYWIKUe4Szp4IwagzVSH2pKVGOf1jbwRUh11UhfdvgO8k3L2vj0Go2Qm9sqJvlfHFUb2mD1RS89dvDUX3M_PmIkpRBWp7JE8Ve1PPMTbydH0EhqebCuCsjmoNUMS3hl-6NhVnQA8Zv4GS6Tq0_IsO-eHGTruLx_FL7YRBYFk7bOrzhZhB3an7skf-voefaOc8JG6rKzSBj4oi2PL-39y7XFSJgi1Ss9NHZsdUQvQUD6nsaXM0epouPCakekYo_jAR-v_of4UBNpodR5nMvXMxXheXg2uz-UiWAzZ9lC1fX0C9IN9XSV99ep_DimqfjYY3ikkhwgUa8UCizL5Tln67HC7hY1ucpfxGZ8D5m_eCtg8fIx8TgCSxbYce2bYIc0jdcGcuEQPoNZbSJgEgNxrNX653MzxGtnLaXafF1uyaszN4FjFX8ToEOOSrKC1fLZSSifMMKv4yNP7BeNL_op1TkMAYa1CTrxgFeUL3ckBmF3sV8guAEDM3aiYX77NZAXk_lX3vxk4BUYQayJxEwH8oyDFB-ZOnEJheuIdUUZZOzRwPfSE",
- "p": "1miNrKrNkJbyLkh5nZfSi7GtzmyOOGm0oCcpe3jh4zJnBNU34kOV5fCsK1ekEBEV0oEdCp4dqGVnWYoa7Kw9o04aeebSHMtBOZoVnQOIe8usm2xiD_y11uepRmGb1UNT_52PrCwFMsqtuupEJIJtKUFINq0KGtrnfM6UeA7cqVhZ8EDPNjL4c9iJ2JOzPa4jqPmyWe2Ypp_lMyG56yxZemUxZiX9sXqC89F1m0DNQ6Ny-VhWOYlkrTNT5kO17mgpru5yLmfklZhMSBOaKg7qdEmJB8HTlgMl40ulEnjRNLxoFNPboEwkXunFo6MMjEI35rcMDnr-LrIwZ06ia6fiEw",
- "q": "9-W-4eUTjwjgUfICak-Zxftyo21WdIRh35Ncg9SnvNQx3LrfCgMVGcGB375kbBEwiZIW9Zg7nsllkvPelT5DGxwjYuzOMZH5SQmnX9AhVQ9a0O-fVZIj0pHaod600A0c2gbXtsVkuakmMnZXExxcYjRoU0_4RMfL7IUH8EIf8Safdn6KObA-cvFwfVN2iiFl897lmFK3MRvc8Ul2ZyfV-jZPvFyF5i1ATDy2dcNBavOxsUoSrHytRmPyi6x5S2bq-9PhpeHx4JU8ZVSjUEAt7QKhK86mMaDjwSmWchjhbJhHlIxO9VmUXdTMC0yH2_ebMLk4sUZwZKszpkyshQIcSQ",
- "dp": "hJSATq4LkQYV2VLNiQqRkfobvJJZ2z5aB9JPj18vZvsKwu1JsisSrO4GuIJoG9tEwDdAiwk8051oq_B_N6xGLQ4lxw1ZDZ8NxR2nkcDWi55lLHJ3rOUaWDpF7RR8dQI-FckLR26tBDxZ80PbQSw5bhJFIjIcFoEYNY_UNO0Tu8-7RZn9x8j64z-Z9YdXhaOBv4Ivq_YEt7wV0WlgerCg39NlGYISfsV_5l62N3t5sgKHHPJn1wpDa-paTf--px5X8CjYCCQMMAjN2p_sa2dvyNqT1m0fdhqaOhPTjjmRO-fpAEAFBfkvYFVz9fzjzHNB9_NmjCm3tY5P6gGw45sbaw",
- "dq": "cSuadAgfYLo9pktknOIQIplDYaaFxJW3FNlyb-DCXutEhC9vqWN025hC0UFbGRbT4Mon3yELftcUnvzkTZ_qBNNYuE3BaFHqy1Qz7ALZZLqozB_Izsjzv6rEdAd25lBGLqbXDeKZtESrYngyElBtQIwKYJZukf_gce7di-q0KGRogjEMq39xUwo0P5K92BudLrNAf8SrSykcOa8-9aLzBdKLnkNjAY0BAIzrA2ILWGc-ZOCbG9GjTTJNxUQM78ZhWmwFZLR8tvmKY_w6vmU-UihUKeqiZp-7ujBhNV90ch4m94MCfPHTUO7X5AShNWOZnqnAXvX4U4zw_Geeju5CuQ",
- "qi": "OdvyakUl-NZ2PZHi5N_vDTdC4Ad4LI6JP4InVW-33kGySQom264eZ-nwBFVlZeCx2qgFE0iuRtS1plmZdEMP_cc8kW-PDtTDg3i_8rWutkmX13FThHXpT9M3iTU8qxeizRuvXaHIayplgZT6W8iIl4JWp1lWfLK85jTmsuX2mF-I0E56VOGOy7xlBEnyrrskXgyiOcjFgNy2UTaCNvfUrLxhiWAU-ZoqyEaj4t5bYdcu_xkuwDvdHea9RgHOMve9UoSPsSIAoev1HeTdIrWLOyUEenGqhUAkneRqTDuXkzUYFreV63nhqiHU3WUGKBbJ-4Dgl7kl0FxH7w98WuKscg"
- }
- ]
-}
diff --git a/resources/ory/charts/oathkeeper/stub/local-jwks-config.yaml b/resources/ory/charts/oathkeeper/stub/local-jwks-config.yaml
deleted file mode 100644
index 237d4a1e0491..000000000000
--- a/resources/ory/charts/oathkeeper/stub/local-jwks-config.yaml
+++ /dev/null
@@ -1,24 +0,0 @@ -oathkeeper: - config: - access_rules: - repositories: - - "https://i-purposedly-do-not-exist/.json" - - authenticators: - anonymous: - enabled: true - noop: - enabled: true - - authorizers: - allow: - enabled: true - - mutators: - header: - enabled: true - id_token: - enabled: true - issuer_url: http://foo/bar/ - noop: - enabled: true diff --git a/resources/ory/charts/oathkeeper/stub/remote-config.yaml b/resources/ory/charts/oathkeeper/stub/remote-config.yaml deleted file mode 100644 index 8fa327dae14b..000000000000 --- a/resources/ory/charts/oathkeeper/stub/remote-config.yaml +++ /dev/null @@ -1,29 +0,0 @@ -oathkeeper: - config: - serve: - proxy: - port: 3455 - api: - port: 3456 - - access_rules: - repositories: - - "https://raw.githubusercontent.com/ory/k8s/master/helm/charts/oathkeeper/demo/access-rules.json" - - authenticators: - anonymous: - enabled: true - noop: - enabled: true - - authorizers: - allow: - enabled: true - - mutators: - header: - enabled: true - id_token: - enabled: true - issuer_url: http://{{ include "oathkeeper.fullname" . }}/ - jwks_url: https://raw.githubusercontent.com/ory/k8s/master/helm/charts/oathkeeper/demo/mutator.id_token.jwks.json diff --git a/resources/ory/charts/oathkeeper/templates/NOTES.txt b/resources/ory/charts/oathkeeper/templates/NOTES.txt deleted file mode 100644 index b18dc961e926..000000000000 --- a/resources/ory/charts/oathkeeper/templates/NOTES.txt +++ /dev/null 
@@ -1,64 +0,0 @@ -{{ include "oathkeeper.check.override.consistency" . }} -The ORY Oathkeeper HTTP Reverse Proxy is available via: -{{- if .Values.ingress.proxy.enabled }} -{{- range $host := .Values.ingress.proxy.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.proxy.tls }}s{{ end }}://{{ $host.host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.proxy.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "oathkeeper.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT - curl -X GET http://$NODE_IP:$NODE_PORT/authenticator/noop/authorizer/allow/mutator/noop - curl -X GET http://$NODE_IP:$NODE_PORT/authenticator/anonymous/authorizer/allow/mutator/header - curl -X GET http://$NODE_IP:$NODE_PORT/authenticator/anonymous/authorizer/allow/mutator/id_token -{{- else if contains "LoadBalancer" .Values.service.proxy.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "oathkeeper.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "oathkeeper.fullname" . 
}}-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.proxy.port }} - curl -X GET http://$SERVICE_IP:{{ .Values.service.proxy.port }}/authenticator/noop/authorizer/allow/mutator/noop - curl -X GET http://$SERVICE_IP:{{ .Values.service.proxy.port }}/authenticator/anonymous/authorizer/allow/mutator/header - curl -X GET http://$SERVICE_IP:{{ .Values.service.proxy.port }}/authenticator/anonymous/authorizer/allow/mutator/id_token -{{- else if contains "ClusterIP" .Values.service.proxy.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "oathkeeper.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:{{ .Values.service.proxy.port }} to use your application" - kubectl port-forward $POD_NAME {{ .Values.service.proxy.port }}:{{ .Values.oathkeeper.config.serve.proxy.port }} - {{- if .Values.demo }} - curl -X GET http://127.0.0.1:{{ .Values.service.proxy.port }}/authenticator/noop/authorizer/allow/mutator/noop - curl -X GET http://127.0.0.1:{{ .Values.service.proxy.port }}/authenticator/anonymous/authorizer/allow/mutator/header - curl -X GET http://127.0.0.1:{{ .Values.service.proxy.port }}/authenticator/anonymous/authorizer/allow/mutator/id_token - {{- else }} - # The following request will probably fail with a 404. If you have rules configured, append them to the path: - curl -X GET http://127.0.0.1:{{ .Values.service.proxy.port }}/ - {{- end }} -{{- end }} - -The ORY Oathkeeper HTTP API is available via: -{{- if .Values.ingress.api.enabled }} -{{- range $host := .Values.ingress.api.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.api.tls }}s{{ end }}://{{ $host.host }}{{ . 
}} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.api.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "oathkeeper.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT - curl -X GET http://$NODE_IP:$NODE_PORT/health/alive - curl -X GET http://$NODE_IP:$NODE_PORT/rules -{{- else if contains "LoadBalancer" .Values.service.api.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "oathkeeper.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "oathkeeper.fullname" . }}-api -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.api.port }} - curl -X GET http://$SERVICE_IP:{{ .Values.service.api.port }}/health/alive - curl -X GET http://$SERVICE_IP:{{ .Values.service.api.port }}/rules -{{- else if contains "ClusterIP" .Values.service.api.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "oathkeeper.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:{{ .Values.service.api.port }} to use your application" - kubectl port-forward $POD_NAME {{ .Values.service.api.port }}:{{ .Values.oathkeeper.config.serve.api.port }} - curl -X GET http://127.0.0.1:{{ .Values.service.api.port }}/health/alive - curl -X GET http://127.0.0.1:{{ .Values.service.api.port }}/rules -{{- end }} diff --git a/resources/ory/charts/oathkeeper/templates/_helpers.tpl b/resources/ory/charts/oathkeeper/templates/_helpers.tpl deleted file mode 100644 index e5c63ece845a..000000000000 
--- a/resources/ory/charts/oathkeeper/templates/_helpers.tpl
+++ /dev/null
@@ -1,108 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "oathkeeper.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "oathkeeper.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create a secret name which can be overridden.
-*/}}
-{{- define "oathkeeper.secretname" -}}
-{{- if .Values.secret.nameOverride -}}
-{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{ include "oathkeeper.fullname" . }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "oathkeeper.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "oathkeeper.labels" -}}
-app: {{ include "oathkeeper.name" . }}
-app.kubernetes.io/name: {{ include "oathkeeper.name" . }}
-helm.sh/chart: {{ include "oathkeeper.chart" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
-{{/*
-Check overrides consistency
-*/}}
-{{- define "oathkeeper.check.override.consistency" -}}
-{{- if and (index .Values "maester" "enabled") .Values.fullnameOverride -}}
-{{- if not (index .Values "maester" "oathkeeperFullnameOverride") -}}
-{{ fail "oathkeeper fullname has been overridden, but the new value has not been provided to maester. Set maester.oathkeeperFullnameOverride" }}
-{{- else if not (eq (index .Values "maester" "oathkeeperFullnameOverride") .Values.fullnameOverride) -}}
-{{ fail (tpl "oathkeeper fullname has been overridden, but a different value was provided to maester. {{ (index .Values 'oathkeeper-maester' 'oathkeeperFullnameOverride') }} different of {{ .Values.fullnameOverride }}" . ) }}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "oathkeeper.serviceAccountName" -}}
-{{- if .Values.deployment.serviceAccount.create }}
-{{- default (include "oathkeeper.fullname" .) .Values.deployment.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.deployment.serviceAccount.name }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Checksum annotations generated from configmaps and secrets
-*/}}
-{{- define "oathkeeper.annotations.checksum" -}}
-{{- if .Values.configmap.hashSumEnabled }}
-{{- $oathkeeperConfigMapFile := ternary "/configmap-config-demo.yaml" "/configmap-config.yaml" (.Values.demo) }}
-checksum/oathkeeper-config: {{ include (print $.Template.BasePath $oathkeeperConfigMapFile) . | sha256sum }}
-checksum/oathkeeper-rules: {{ include (print $.Template.BasePath "/configmap-rules.yaml") . | sha256sum }}
-{{- end }}
-{{- if and .Values.secret.enabled .Values.secret.hashSumEnabled }}
-checksum/oauthkeeper-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
-{{- end }}
-{{- end -}}
-
-{{/*
- Common labels for maester sidecar
-*/}}
-{{- define "oathkeeper-maester-sidecar.labels" -}}
-app.kubernetes.io/name: {{ include "oathkeeper.name" . }}-maester
-helm.sh/chart: {{ include "oathkeeper.chart" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
diff --git a/resources/ory/charts/oathkeeper/templates/configmap-config-demo.yaml b/resources/ory/charts/oathkeeper/templates/configmap-config-demo.yaml
deleted file mode 100644
index 79b14ae70f23..000000000000
--- a/resources/ory/charts/oathkeeper/templates/configmap-config-demo.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-{{ if .Values.demo }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "oathkeeper.fullname" . }}-config-demo
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
-{{ include "oathkeeper.labels" . | indent 4 }}
-data:
- "config.yaml": |
- access_rules:
- repositories:
- - "https://raw.githubusercontent.com/ory/k8s/master/helm/charts/oathkeeper/demo/access-rules.json"
- authenticators:
- anonymous:
- enabled: true
- jwt:
- enabled: true
- config:
- jwks_urls:
- - "https://raw.githubusercontent.com/ory/k8s/master/helm/charts/oathkeeper/demo/authenticator.jwt.jwks.json"
- noop:
- enabled: true
- unauthorized:
- enabled: true
- authorizers:
- allow:
- enabled: true
- deny:
- enabled: true
- mutators:
- cookie:
- enabled: true
- config:
- cookies:
- user: "{{ print .Subject }}"
- header:
- enabled: true
- config:
- headers:
- X-User: "{{ print .Subject }}"
- id_token:
- enabled: true
- config:
- issuer_url: http://{{ include "oathkeeper.fullname" . }}/
- jwks_url: https://raw.githubusercontent.com/ory/k8s/master/helm/charts/oathkeeper/demo/mutator.id_token.jwks.json
- noop:
- enabled: true
- serve:
- proxy:
- cors:
- enabled: true
- api:
- cors:
- enabled: true
-{{ end }}
diff --git a/resources/ory/charts/oathkeeper/templates/configmap-config.yaml b/resources/ory/charts/oathkeeper/templates/configmap-config.yaml
deleted file mode 100644
index cdba1456fd68..000000000000
--- a/resources/ory/charts/oathkeeper/templates/configmap-config.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{ if not .Values.demo }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "oathkeeper.fullname" . }}-config
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
-{{ include "oathkeeper.labels" . | indent 4 }}
-data:
- "config.yaml": |
-{{- with .Values.oathkeeper.config -}}
- {{- toYaml . | nindent 4 }}
-{{- end -}}
-{{ end }}
diff --git a/resources/ory/charts/oathkeeper/templates/configmap-rules.yaml b/resources/ory/charts/oathkeeper/templates/configmap-rules.yaml
deleted file mode 100644
index 4c46ad7663c5..000000000000
--- a/resources/ory/charts/oathkeeper/templates/configmap-rules.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.oathkeeper.managedAccessRules }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "oathkeeper.fullname" . }}-rules
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
-{{ include "oathkeeper.labels" . | indent 4 }}
-data:
- "access-rules.json": |-
-{{ .Values.oathkeeper.accessRules | default "[]" | indent 4 }}
-{{- end }}
diff --git a/resources/ory/charts/oathkeeper/templates/cronjob.yaml b/resources/ory/charts/oathkeeper/templates/cronjob.yaml
deleted file mode 100644
index 4a655c4ff4f1..000000000000
--- a/resources/ory/charts/oathkeeper/templates/cronjob.yaml
+++ /dev/null
@@ -1,100 +0,0 @@ -#Kyma resource - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ory-oathkeeper-keys-service-account - namespace: {{ .Release.Namespace }} ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - namespace: {{.Release.Namespace}} - name: ory-oathkeeper-keys-job-role -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "update", "patch"] - resourceNames: ["{{ include "oathkeeper.fullname" . }}-jwks-secret"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ory-oathkeeper-keys-job-role-binding - namespace: {{.Release.Namespace}} -subjects: - - kind: ServiceAccount - name: ory-oathkeeper-keys-service-account - namespace: {{.Release.Namespace}} -roleRef: - kind: Role - name: ory-oathkeeper-keys-job-role - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: oathkeeper-jwks-rotator -spec: - schedule: "0 0 1 * *" - successfulJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - spec: - initContainers: - - name: keys-generator - image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.oathkeeper) }}" - command: - - /bin/sh - - -c - - | - oathkeeper credentials generate --alg RS256 > /etc/secrets/jwks.json - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10000 - volumeMounts: - - name: {{ include "oathkeeper.name" . }}-keys-volume - mountPath: /etc/secrets - containers: - - name: keys-supplier - image: {{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.k8s_tools) }} - command: - - /bin/bash - - -c - - | - set -e - kubectl create secret generic {{ include "oathkeeper.fullname" . 
}}-jwks-secret \ - --from-file=/etc/secrets/jwks.json \ - -n kyma-system -o yaml --dry-run | kubectl apply -f - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - volumeMounts: - - name: {{ include "oathkeeper.name" . }}-keys-volume - mountPath: /etc/secrets - readOnly: true - volumes: - - name: {{ include "oathkeeper.name" . }}-keys-volume - emptyDir: {} - restartPolicy: OnFailure - serviceAccountName: ory-oathkeeper-keys-service-account diff --git a/resources/ory/charts/oathkeeper/templates/deployment-controller.yaml b/resources/ory/charts/oathkeeper/templates/deployment-controller.yaml deleted file mode 100644 index 5a4256780b6e..000000000000 --- a/resources/ory/charts/oathkeeper/templates/deployment-controller.yaml +++ /dev/null 
@@ -1,155 +0,0 @@ -{{- if eq .Values.global.ory.oathkeeper.maester.mode "controller" }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "oathkeeper.fullname" . }} - {{- if .Release.Namespace }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - mode: {{ .Values.global.ory.oathkeeper.maester.mode }} -{{ include "oathkeeper.labels" . | indent 4 }} - {{- with .Values.deployment.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - annotations: - {{- with .Values.deployment.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if not .Values.deployment.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "oathkeeper.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - strategy: - {{- toYaml .Values.deployment.strategy | nindent 4 }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "oathkeeper.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} -{{ include "oathkeeper.labels" . | indent 8 }} - {{- with .Values.deployment.labels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.deployment.annotations }} - annotations: - {{- include "oathkeeper.annotations.checksum" . | indent 8 -}} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - securityPolicy: - seccompProfile: - type: RuntimeDefault - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - {{- if .Values.deployment.extraVolumes }} -{{ toYaml .Values.deployment.extraVolumes | indent 8 }} - {{- end }} - - name: {{ include "oathkeeper.name" . }}-config-volume - configMap: - {{- if .Values.demo }} - name: {{ include "oathkeeper.fullname" . }}-config-demo - {{- else }} - name: {{ include "oathkeeper.fullname" . }}-config - {{- end }} - - name: {{ include "oathkeeper.name" . }}-rules-volume - configMap: - name: {{ include "oathkeeper.fullname" . 
}}-rules - - name: {{ include "oathkeeper.name" . }}-secrets-volume - secret: - secretName: {{ include "oathkeeper.fullname" . }}-jwks-secret - containers: - - name: {{ .Chart.Name }} - image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.oathkeeper) }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: [ "oathkeeper", "serve", "--config", "/etc/config/config.yaml" ] - env: - {{- if .Values.oathkeeper.config.mutators.id_token.config.jwks_url }} - - name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL - value: "{{ .Values.oathkeeper.config.mutators.id_token.config.jwks_url }}" - {{- end }} - {{- if .Values.deployment.tracing.datadog.enabled }} - - name: TRACING_PROVIDER - value: datadog - - name: DD_ENV - value: {{ .Values.deployment.tracing.datadog.env | default "none" | quote }} - - name: DD_VERSION - value: {{ .Values.deployment.tracing.datadog.version | default .Values.global.images.oathkeeper.version | quote }} - - name: DD_SERVICE - value: {{ .Values.deployment.tracing.datadog.service | default "ory/oathkeeper" | quote }} - {{- if .Values.deployment.tracing.datadog.useHostIP }} - - name: DD_AGENT_HOST - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- end }} - {{- end }} - {{- with .Values.deployment.extraEnv }} - {{- toYaml . | nindent 12 }} - {{- end }} - volumeMounts: - {{- with .Values.deployment.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} - - name: {{ include "oathkeeper.name" . }}-config-volume - mountPath: /etc/config - readOnly: true - - name: {{ include "oathkeeper.name" . }}-rules-volume - mountPath: /etc/rules - readOnly: true - - name: {{ include "oathkeeper.name" . 
}}-secrets-volume - mountPath: /etc/secrets - readOnly: true - ports: - - name: http-api - containerPort: {{ .Values.oathkeeper.config.serve.api.port }} - protocol: TCP - - name: http-proxy - containerPort: {{ .Values.oathkeeper.config.serve.proxy.port }} - protocol: TCP - livenessProbe: - httpGet: - path: /health/alive - port: http-api - initialDelaySeconds: 45 - periodSeconds: 10 - failureThreshold: 10 - readinessProbe: - httpGet: - path: /health/ready - port: http-api - initialDelaySeconds: 45 - periodSeconds: 10 - failureThreshold: 10 - resources: - {{- toYaml .Values.deployment.resources | nindent 12 }} - securityContext: - {{- toYaml .Values.deployment.securityContext.controller | nindent 12 }} - {{- if .Values.deployment.extraContainers }} -{{ tpl .Values.deployment.extraContainers . | indent 8 }} - {{- end }} - serviceAccountName: {{ include "oathkeeper-maester.name" . }}-maester-account - {{- with .Values.deployment.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.deployment.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/resources/ory/charts/oathkeeper/templates/deployment-sidecar.yaml b/resources/ory/charts/oathkeeper/templates/deployment-sidecar.yaml deleted file mode 100644 index a8d468e0de31..000000000000 --- a/resources/ory/charts/oathkeeper/templates/deployment-sidecar.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -{{- if eq .Values.global.ory.oathkeeper.maester.mode "sidecar" }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "oathkeeper.fullname" . }} - {{- if .Release.Namespace }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - mode: {{ .Values.global.ory.oathkeeper.maester.mode }} -{{ include "oathkeeper.labels" . | indent 4 }} -spec: -{{- if not .Values.deployment.autoscaling.enabled}} - replicas: {{ .Values.replicaCount }} -{{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "oathkeeper.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - strategy: - {{- toYaml .Values.deployment.strategy | nindent 4 }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "oathkeeper.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.deployment.annotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - securityContext: - seccompProfile: - type: RuntimeDefault - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: {{ include "oathkeeper.name" . }}-config-volume - configMap: - name: {{ include "oathkeeper.fullname" . }}-config - - name: {{ include "oathkeeper.name" . }}-rules-volume - emptyDir: {} - - name: {{ include "oathkeeper.name" . }}-secrets-volume - secret: - secretName: {{ include "oathkeeper.fullname" . }}-jwks-secret - initContainers: - - name: init - image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.busybox) }}" - volumeMounts: - - name: {{ include "oathkeeper.name" . 
}}-rules-volume - mountPath: /etc/rules - readOnly: false - command: - - sh - - -c - - | - touch /etc/rules/access-rules.json - chmod 666 /etc/rules/access-rules.json - securityContext: - {{- toYaml .Values.deployment.securityContext.sidecar | nindent 12 }} - containers: - - name: {{ .Chart.Name }} - image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.oathkeeper) }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: [ "oathkeeper", "serve", "--config", "/etc/config/config.yaml" ] - env: - {{- if .Values.oathkeeper.config.mutators.id_token.config.jwks_url }} - - name: MUTATORS_ID_TOKEN_CONFIG_JWKS_URL - value: "{{ .Values.oathkeeper.config.mutators.id_token.config.jwks_url }}" - {{- end }} - volumeMounts: - - name: {{ include "oathkeeper.name" . }}-config-volume - mountPath: /etc/config - readOnly: true - - name: {{ include "oathkeeper.name" . }}-rules-volume - mountPath: /etc/rules - readOnly: true - - name: {{ include "oathkeeper.name" . 
}}-secrets-volume - mountPath: /etc/secrets - readOnly: true - ports: - - name: http-api - containerPort: {{ .Values.oathkeeper.config.serve.api.port }} - protocol: TCP - - name: http-proxy - containerPort: {{ .Values.oathkeeper.config.serve.proxy.port }} - protocol: TCP - livenessProbe: - httpGet: - path: /health/alive - port: http-api - periodSeconds: 10 - failureThreshold: 10 - readinessProbe: - httpGet: - path: /health/ready - port: http-api - initialDelaySeconds: 45 - periodSeconds: 10 - failureThreshold: 40 - startupProbe: - httpGet: - path: /health/alive - port: http-api - initialDelaySeconds: 45 - periodSeconds: 10 - failureThreshold: 30 - resources: - {{- toYaml .Values.deployment.resources | nindent 12 }} - securityContext: - {{- toYaml .Values.deployment.securityContext.oathkeeper | nindent 12 }} - - name: {{ .Chart.Name }}-maester - image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.oathkeeper_maester) }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /manager - args: - - --metrics-addr=0.0.0.0:8080 - - sidecar - - --rulesFilePath=/etc/rules/access-rules.json - resources: - {{- index .Values "oathkeeper-maester" "deployment" "resources" | toYaml | nindent 12 }} - env: - - name: mutatorsAvailable - value: noop,id_token,header,cookie,hydrator - ports: - - containerPort: 8080 - name: metrics - volumeMounts: - - name: {{ include "oathkeeper.name" . }}-rules-volume - mountPath: /etc/rules - readOnly: false - securityContext: - {{- toYaml .Values.deployment.securityContext.maester | nindent 12 }} - {{- if .Values.deployment.extraContainers }} -{{ tpl .Values.deployment.extraContainers . | indent 8 }} - {{- end }} - serviceAccountName: {{ include "oathkeeper-maester.name" . }}-maester-account - {{- with .Values.deployment.nodeSelector }} - nodeSelector: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.deployment.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/resources/ory/charts/oathkeeper/templates/hpa.yaml b/resources/ory/charts/oathkeeper/templates/hpa.yaml deleted file mode 100644 index 64e2ec8d0b08..000000000000 --- a/resources/ory/charts/oathkeeper/templates/hpa.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -#Kyma resource - -{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} -{{- if .Values.deployment.autoscaling.enabled }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "oathkeeper.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: -{{ include "oathkeeper.labels" . | indent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "oathkeeper.fullname" . }} - minReplicas: {{ .Values.deployment.autoscaling.minReplicas }} - maxReplicas: {{ .Values.deployment.autoscaling.maxReplicas }} - metrics: - {{- if .Values.deployment.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.deployment.autoscaling.targetCPUUtilizationPercentage }} - {{- else if .Values.deployment.autoscaling.targetCPUAverageValue }} - - type: Resource - resource: - name: cpu - target: - type: AverageValue - averageValue: {{ .Values.deployment.autoscaling.targetCPUAverageValue }} - {{- end }} - {{- if .Values.deployment.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.deployment.autoscaling.targetMemoryUtilizationPercentage }} - {{- else if .Values.deployment.autoscaling.targetMemoryAverageValue }} - - type: Resource - resource: - name: memory - target: - type: AverageValue - averageValue: {{ .Values.deployment.autoscaling.targetMemoryAverageValue }} - {{- end }} -{{- end }} -{{- end }} diff --git a/resources/ory/charts/oathkeeper/templates/ingress-api.yaml b/resources/ory/charts/oathkeeper/templates/ingress-api.yaml deleted file mode 100644 index c9862ea26f78..000000000000 --- a/resources/ory/charts/oathkeeper/templates/ingress-api.yaml +++ /dev/null 
@@ -1,52 +0,0 @@
-{{- if .Values.ingress.api.enabled -}}
-{{- $fullName := include "oathkeeper.fullname" . -}}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
- name: {{ $fullName }}-api
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- {{- include "oathkeeper.labels" . | nindent 4 }}
- {{- with .Values.ingress.api.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.ingress.api.className }}
- {{- if .Values.ingress.api.tls }}
- tls:
- {{- range .Values.ingress.api.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
- {{- end }}
- rules:
- {{- range .Values.ingress.api.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ . }}
- pathType: ImplementationSpecific
- backend:
- {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
- service:
- name: {{ $fullName }}-api
- port:
- name: http
- {{- else }}
- serviceName: {{ $fullName }}-api
- servicePort: http
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/resources/ory/charts/oathkeeper/templates/ingress-proxy.yaml b/resources/ory/charts/oathkeeper/templates/ingress-proxy.yaml
deleted file mode 100644
index d20245093957..000000000000
--- a/resources/ory/charts/oathkeeper/templates/ingress-proxy.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-{{- if .Values.ingress.proxy.enabled -}}
-{{- $fullName := include "oathkeeper.fullname" . -}}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
- name: {{ $fullName }}-proxy
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- {{- include "oathkeeper.labels" . | nindent 4 }}
- annotations:
- {{- with .Values.ingress.proxy.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.ingress.proxy.tls }}
- tls:
- {{- range .Values.ingress.proxy.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
- {{- end }}
- rules:
- {{- range .Values.ingress.proxy.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ .path }}
- {{- if .pathType }}
- pathType: ImplementationSpecific
- {{- end }}
- backend:
- {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
- service:
- name: {{ $fullName }}-proxy
- port:
- name: http
- {{- else }}
- serviceName: {{ $fullName }}-proxy
- servicePort: http
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/resources/ory/charts/oathkeeper/templates/pdb.yaml b/resources/ory/charts/oathkeeper/templates/pdb.yaml
deleted file mode 100644
index 2d5980b91a01..000000000000
--- a/resources/ory/charts/oathkeeper/templates/pdb.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.pdb.enabled -}}
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "oathkeeper.fullname" . }}
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "oathkeeper.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- {{ toYaml .Values.pdb.spec }}
-{{- end -}}
diff --git a/resources/ory/charts/oathkeeper/templates/rbac.yaml b/resources/ory/charts/oathkeeper/templates/rbac.yaml
deleted file mode 100644
index 4ae1fbb9e704..000000000000
--- a/resources/ory/charts/oathkeeper/templates/rbac.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.deployment.serviceAccount.create -}}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "oathkeeper.serviceAccountName" . }}
- labels:
- {{- include "oathkeeper.labels" . | nindent 4 }}
- {{- with .Values.deployment.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/resources/ory/charts/oathkeeper/templates/secrets.yaml b/resources/ory/charts/oathkeeper/templates/secrets.yaml
deleted file mode 100644
index 0833b10f7f72..000000000000
--- a/resources/ory/charts/oathkeeper/templates/secrets.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.secret.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "oathkeeper.fullname" . }}-jwks-secret
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
-{{ include "oathkeeper.labels" . | indent 4 }}
- annotations:
-{{- with .Values.secret.secretAnnotations }}
- {{- toYaml . | nindent 4 }}
-{{- end }}
-type: Opaque
-data:
- "jwks.json": {{ default "" .Values.oathkeeper.mutatorIdTokenJWKs | b64enc | quote }}
-{{- end}}
diff --git a/resources/ory/charts/oathkeeper/templates/service-api.yaml b/resources/ory/charts/oathkeeper/templates/service-api.yaml
deleted file mode 100644
index fe2e1896555b..000000000000
--- a/resources/ory/charts/oathkeeper/templates/service-api.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if .Values.service.api.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "oathkeeper.fullname" . }}-api
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- app.kubernetes.io/component: api
-{{ include "oathkeeper.labels" . | indent 4 }}
- {{- with .Values.service.api.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.service.api.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- type: {{ .Values.service.api.type }}
- ports:
- - port: {{ .Values.service.api.port }}
- targetPort: http-api
- protocol: TCP
- name: {{ .Values.service.api.name }}
- selector:
- app.kubernetes.io/name: {{ include "oathkeeper.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
diff --git a/resources/ory/charts/oathkeeper/templates/service-metrics.yaml b/resources/ory/charts/oathkeeper/templates/service-metrics.yaml
deleted file mode 100644
index 6f751a41c724..000000000000
--- a/resources/ory/charts/oathkeeper/templates/service-metrics.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if eq .Values.global.ory.oathkeeper.maester.mode "sidecar" }}
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- prometheus.io/scrape: "false"
- prometheus.io/port: {{ .Values.sidecar.port.metrics | quote }}
- prometheus.io/scheme: "http"
- labels:
-{{ include "oathkeeper-maester-sidecar.labels" . | indent 4 }}
- mode: {{ .Values.global.ory.oathkeeper.maester.mode }}
- name: {{ include "oathkeeper.fullname" . }}-maester-metrics
-spec:
- ports:
- - name: http-metrics
- port: {{ .Values.sidecar.port.metrics }}
- selector:
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/name: {{ include "oathkeeper.name" . }}
-{{- end }}
diff --git a/resources/ory/charts/oathkeeper/templates/service-proxy.yaml b/resources/ory/charts/oathkeeper/templates/service-proxy.yaml
deleted file mode 100644
index 8e0c6e03711e..000000000000
--- a/resources/ory/charts/oathkeeper/templates/service-proxy.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{- if .Values.service.proxy.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "oathkeeper.fullname" . }}-proxy
- {{- if .Release.Namespace }}
- namespace: {{ .Release.Namespace }}
- {{- end }}
- labels:
- app.kubernetes.io/component: proxy
-{{ include "oathkeeper.labels" . | indent 4 }}
- {{- with .Values.service.proxy.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.service.proxy.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- type: {{ .Values.service.proxy.type }}
- ports:
- - port: {{ .Values.service.proxy.port }}
- targetPort: http-proxy
- protocol: TCP
- name: {{ .Values.service.proxy.name }}
- - name: tcp-status-port
- port: 15020
- targetPort: 15020
- protocol: TCP
- selector:
- app.kubernetes.io/name: {{ include "oathkeeper.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
diff --git a/resources/ory/charts/oathkeeper/values.yaml b/resources/ory/charts/oathkeeper/values.yaml
deleted file mode 100644
index d5d7c96644c1..000000000000
--- a/resources/ory/charts/oathkeeper/values.yaml
+++ /dev/null
@@ -1,299 +0,0 @@ -# -- Mode for oathkeeper controller -# -- Two possible modes are: controller or sidecar -global: - ory: - oathkeeper: - maester: - mode: controller - -# -- Number of ORY Oathkeeper members -replicaCount: 1 - -image: - # -- Image pull policy - pullPolicy: IfNotPresent - -# -- Options for the sidecar -sidecar: - port: - metrics: 8080 - -# -- Image pull secrets -imagePullSecrets: [] -# -- Chart name override -nameOverride: "" -# -- Full chart name override -fullnameOverride: "" - -# -- If enabled, a demo deployment with exemplary access rules and JSON Web Key Secrets will be generated. -demo: false - -# -- Configures the Kubernetes service -service: - # -- Configures the Kubernetes service for the proxy port. - proxy: - # -- En-/disable the service - enabled: true - # -- The service type - type: ClusterIP - # -- The service port - port: 4455 - # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) - name: http - # -- If you do want to specify annotations, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - annotations: {} - # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'. - # e.g. app: oathkeeper - labels: {} - - # -- Configures the Kubernetes service for the api port. - api: - # -- Name for the api port - name: http - # -- En-/disable the service - enabled: true - # -- The service type - type: ClusterIP - # -- The service port - port: 4456 - # -- If you do want to specify annotations, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. 
- # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - annotations: {} - # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'. - # e.g. app: oathkeeper - labels: {} - -# -- Configure ingress -ingress: - # -- Configure ingress for the proxy port. - proxy: - # -- En-/Disable the proxy ingress. - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: proxy.oathkeeper.localhost - paths: - - path: / - pathType: ImplementationSpecific - # tls: [] - # hosts: - # - proxy.oathkeeper.local - # - secretName: oathkeeper-proxy-example-tls - - api: - # -- En-/Disable the api ingress. - enabled: false - annotations: {} - # If you do want to specify annotations, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: api.oathkeeper.localhost - paths: - - path: / - pathType: ImplementationSpecific -# tls: [] -# hosts: -# - api.oathkeeper.local -# - secretName: oathkeeper-api-example-tls - -# -- Configure ORY Oathkeeper itself -oathkeeper: - # -- The ORY Oathkeeper configuration. For a full list of available settings, check: - # https://github.com/ory/oathkeeper/blob/master/docs/config.yaml - config: - access_rules: - repositories: - - file:///etc/rules/access-rules.json - serve: - proxy: - port: 4455 - api: - port: 4456 -# -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. -# mutatorIdTokenJWKs: {} -# -- If set, uses the given access rules. -# accessRules: {} - -# -- If you enable maester, the following value should be set to "false" to avoid overwriting -# the rules generated by the CDRs. Additionally, the value "accessRules" shouldn't be -# used as it will have no effect once "managedAccessRules" is disabled. 
-# managedAccessRules: true - -secret: - # -- switch to false to prevent creating the secret - enabled: false - # -- Provide custom name of existing secret, or custom name of secret to be created - # nameOverride: "myCustomSecret" - # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. - secretAnnotations: - # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade - # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards. - helm.sh/hook-weight: "0" - helm.sh/hook: "pre-install, pre-upgrade" - helm.sh/hook-delete-policy: "before-hook-creation" - helm.sh/resource-policy: "keep" - - # -- default mount path for the kubernetes secret - mountPath: /etc/secrets - # -- default filename of JWKS (mounted as secret) - filename: mutator.id_token.jwks.json - # -- switch to false to prevent checksum annotations being maintained and propogated to the pods - hashSumEnabled: true - -deployment: - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - securityContext: - sidecar: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - oathkeeper: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10000 - maester: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 10011 - runAsNonRoot: true - runAsUser: 10010 - controller: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - autoscaling: - enabled: false - ################ - - # -- Specify the serviceAccountName value. - # In some situations it is needed to provides specific permissions to Hydra deployments - # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. - # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.** - serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template - name: "" - - # https://github.com/kubernetes/kubernetes/issues/57601 - automountServiceAccountToken: false - - # -- Node labels for pod assignment. - nodeSelector: {} - # If you do want to specify node labels, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. - # foo: bar - - extraEnv: [] - - # -- Extra volumes you can attach to the pod. - extraVolumes: [] - # - name: my-volume - # secret: - # secretName: my-secret - - # -- Extra volume mounts, allows mounting the extraVolumes to the container. 
- extraVolumeMounts: [] - # - name: my-volume - # mountPath: /etc/secrets/my-secret - # readOnly: true - - # -- If you want to add extra sidecar containers. - extraContainers: {} - # extraContainers: | - # - name: ... - # image: ... - - # -- Configuration for tracing providers. Only datadog is currently supported through this block. - # If you need to use a different tracing provider, please manually set the configuration values - # via "oathkeeper.config" or via "deployment.extraEnv". - tracing: - datadog: - enabled: false - - # -- Sets the datadog DD_ENV environment variable. This value indicates the environment where oathkeeper is running. - # Default value: "none". - # env: production - - # -- Sets the datadog DD_VERSION environment variable. This value indicates the version that oathkeeper is running. - # Default value: .Values.image.tag (i.e. the tag used for the docker image). - # version: X.Y.Z - - # -- Sets the datadog DD_SERVICE environment variable. This value indicates the name of the service running. - # Default value: "ory/oathkeeper". - # service: ory/oathkeeper - - # -- Sets the datadog DD_AGENT_HOST environment variable. This value indicates the host address of the datadog agent. - # If set to true, this configuration will automatically set DD_AGENT_HOST to the field "status.hostIP" of the pod. - # Default value: false. - # useHostIP: true - - # -- Configure node tolerations. - tolerations: [] - - labels: {} - # If you do want to specify additional labels, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'labels:'. - # e.g. type: app - - annotations: {} - # If you do want to specify annotations, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. - # e.g. 
sidecar.istio.io/rewriteAppHTTPProbers: "true"
-
-# -- Configure node affinity
-affinity: {}
-
-# -- Configures controller setup
-maester:
- enabled: true
-
-# -- PodDistributionBudget configuration
-pdb:
- enabled: false
- spec:
- minAvailable: 1
-
-configmap:
- # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
- hashSumEnabled: true
diff --git a/resources/ory/profile-evaluation.yaml b/resources/ory/profile-evaluation.yaml
deleted file mode 100644
index 13cde7b5b421..000000000000
--- a/resources/ory/profile-evaluation.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-oathkeeper:
- replicaCount: 1
- deployment:
- resources:
- requests:
- cpu: "10m"
- autoscaling:
- enabled: false
diff --git a/resources/ory/profile-production.yaml b/resources/ory/profile-production.yaml
deleted file mode 100644
index be936cfb08f3..000000000000
--- a/resources/ory/profile-production.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-oathkeeper:
- deployment:
- resources:
- limits:
- memory: "512Mi"
- requests:
- cpu: "100m"
- memory: "64Mi"
- autoscaling:
- enabled: true
- minReplicas: 3
- maxReplicas: 10
- oathkeeper-maester:
- deployment:
- resources:
- requests:
- cpu: "10m"
- memory: "32Mi"
- limits:
- cpu: "400m"
- memory: "1Gi"
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchLabels:
- app: oathkeeper
- topologyKey: "kubernetes.io/hostname"
diff --git a/resources/ory/templates/_helpers.tpl b/resources/ory/templates/_helpers.tpl
deleted file mode 100644
index 86e78c7223b6..000000000000
--- a/resources/ory/templates/_helpers.tpl
+++ /dev/null
@@ -1,55 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "ory.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "ory.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "ory.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "ory.labels" -}}
-app.kubernetes.io/name: {{ include "ory.name" . }}
-helm.sh/chart: {{ include "ory.chart" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
-{{/*
-Create a URL for container images
-*/}}
-{{- define "imageurl" -}}
-{{- $registry := default $.reg.path $.img.containerRegistryPath -}}
-{{- $path := ternary (print $registry) (print $registry "/" $.img.directory) (empty $.img.directory) -}}
-{{- $version := ternary (print ":" $.img.version) (print "@sha256:" $.img.sha) (empty $.img.sha) -}}
-{{- print $path "/" $.img.name $version -}}
-{{- end -}}
diff --git a/resources/ory/templates/monitoring-oathkeeper.yaml b/resources/ory/templates/monitoring-oathkeeper.yaml
deleted file mode 100644
index dfbd5214e7bd..000000000000
--- a/resources/ory/templates/monitoring-oathkeeper.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.oathkeeper.enabled }}
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: {{ include "oathkeeper.fullname" . }}-oathkeeper-maester-metrics
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/name: oathkeeper
- portLevelMtls:
- {{ .Values.oathkeeper.sidecar.port.metrics }}:
- mode: PERMISSIVE
-{{- end }}
diff --git a/resources/ory/templates/priority-class.yaml b/resources/ory/templates/priority-class.yaml
deleted file mode 100644
index 77e4f56aa34e..000000000000
--- a/resources/ory/templates/priority-class.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: {{ .Values.priorityClassName }}
-value: 2100000
-globalDefault: false
-description: "Scheduling priority of Ory component. Must not be blocked by unschedulable user workloads."
diff --git a/resources/ory/values.yaml b/resources/ory/values.yaml
deleted file mode 100644
index c850145d8efc..000000000000
--- a/resources/ory/values.yaml
+++ /dev/null
@@ -1,165 +0,0 @@ -# Global or kyma related overrides -global: - domainName: "kyma.example.com" - istio: - gateway: - name: kyma-gateway - namespace: kyma-system - # The following configuration is kept so ory reconciler will not fail the reconciliation. This can be removed after we remove https://github.com/kyma-incubator/reconciler/blob/00dd6cde0c036f502508dde74f8f90a2a677dff9/pkg/reconciler/instances/ory/action.go#L277 - ory: - hydra: - persistence: - enabled: true - oathkeeper: - maester: - mode: sidecar - containerRegistry: - path: europe-docker.pkg.dev/kyma-project - images: - k8s_tools: - name: "k8s-tools" - version: "v20231026-aa6060ec" - directory: "prod/tpi" - busybox: - name: "busybox" - version: "1.34.1-v1" - directory: "prod/external" - oathkeeper: - name: "oathkeeper" - version: "v0.38.25-beta.1" - directory: "prod/external/oryd" - oathkeeper_maester: - name: "oathkeeper-maester" - version: "v0.1.5" - directory: "prod/external/oryd" - -# Configure priorityClassName -priorityClassName: "ory-priority-class" - -headerRewrite: - enabled: true - certificateDataHeader: "Certificate-Data" - workloadLabel: oathkeeper - -# Overrides for the Oathkeeper chart -oathkeeper: - enabled: true - oathkeeper: - config: - authenticators: - noop: - enabled: true - unauthorized: - enabled: true - anonymous: - enabled: true - config: - subject: anonymous - cookie_session: - enabled: false - config: - # REQUIRED IF ENABLED - The session store to forward request method/path/headers to for validation - check_session_url: https://session-store-host - # Optionally set a list of cookie names to look for in incoming requests. - # If unset, all requests are forwarded. - # If set, only requests that have at least one of the set cookies will be forwarded, others will be passed to the next authenticator - only: - - sessionid - oauth2_client_credentials: - enabled: true - config: - # REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint that will be used to validate the client credentials. 
- token_url: http://ory-hydra-public.hydra-deprecated.svc.cluster.local:4444/oauth2/token - oauth2_introspection: - # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false. - enabled: true - config: - # REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint. - introspection_url: http://ory-hydra-admin.hydra-deprecated.svc.cluster.local:4445/oauth2/introspect - # Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults - # to "none". - scope_strategy: exact - # Enable the "jwt" section to allow for jwt authenticator configured. - jwt: - enabled: true - config: - jwks_urls: - - http://ory-hydra-public.hydra-deprecated.svc.cluster.local:4444/.well-known/jwks.json - scope_strategy: wildcard - authorizers: - allow: - enabled: true - deny: - enabled: true - mutators: - noop: - enabled: true - id_token: - enabled: true - config: - # REQUIRED IF ENABLED - Sets the "iss" value of the ID Token. - issuer_url: https://oathkeeper.{{ .Values.global.domainName }}/ - # REQUIRED IF ENABLED - Sets the URL where keys should be fetched from. Supports remote locations (http, https) as - # well as local filesystem paths. - jwks_url: "file:///etc/secrets/jwks.json" - # jwks_url: https://fetch-keys/from/this/location.json - # jwks_url: file:///from/this/absolute/location.json - # jwks_url: file://../from/this/relative/location.json - # Sets the time-to-live of the ID token. Defaults to one minute. Valid time units are: s (second), m (minute), h (hour). 
- ttl: 60s - header: - enabled: true - config: - headers: - X-Server: oathkeeper - cookie: - enabled: true - config: - cookies: - processedWith: oathkeeper - hydrator: - enabled: true - config: - api: - url: http://compass-director.compass-system.svc.cluster.local:3000/tenant-mapping - serve: - proxy: - port: 4455 - timeout: - read: 60m - write: 60m - idle: 60m - api: - port: 4456 - deployment: - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: "50%" - maxUnavailable: "0%" - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 3 - targetMemoryUtilizationPercentage: 75 - targetCPUUtilizationPercentage: 80 - annotations: - readiness.status.sidecar.istio.io/initialDelaySeconds: "10" - oathkeeper-maester: - deployment: - annotations: - sidecar.istio.io/inject: "false" - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 10m - memory: 20Mi