Add IDP service chart #43

Open · wants to merge 4 commits into base: master
25 changes: 25 additions & 0 deletions idp/.helmignore
@@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# chart-testing-action configurations
ci/
24 changes: 24 additions & 0 deletions idp/Chart.yaml
@@ -0,0 +1,24 @@
apiVersion: v2
name: idp
description: CS3 APIs compatible OIDC Identity provider based on OCIS
type: application
version: 0.1.0
appVersion: v2.0.0-beta.8
kubeVersion: '>= 1.19.0'
home: https://github.com/owncloud/ocis
sources:
- https://github.com/owncloud/ocis
maintainers:
- name: mirekys
email: [email protected]
keywords:
- oidc
- idp
- identity
- provider
- cs3
annotations:
artifacthub.io/images: |
- name: ocis
image: owncloud/ocis:2.0.0-beta.8
artifacthub.io/containsSecurityUpdates: 'false'
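Review bot: the version pins in this hunk disagree with each other and with the rest of the chart: `appVersion: v2.0.0-beta.8` carries a `v`, the `artifacthub.io/images` annotation lists `owncloud/ocis:2.0.0-beta.8` without it, and the README in this PR documents `image.tag` defaulting to `v8.3.2`. Pick one tag, keep it identical in `appVersion`, the annotation and the values default, and have the deployment fall back to `.Chart.AppVersion` when `image.tag` is unset so the three cannot drift again. Since the chart pins a beta of ocis and declares `containsSecurityUpdates: 'false'`, a sentence in the README telling operators to track upstream ocis releases would be appropriate for an identity provider.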
64 changes: 64 additions & 0 deletions idp/README.md
@@ -0,0 +1,64 @@
# IDP service

An OpenID Connect Identity Provider service compatible with CS3 APIs based on OCIS IDP implementation.

## Introduction

This chart creates a deployment of [OCIS IDP](https://owncloud.dev/services/idp/) service on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. The IDP service is configured to use a CS3APIs compliant service (e.g. Reva) as its user info & authentication backend.

## Install

To install the chart with the release name `my-idp`:

```console
helm install my-idp cs3org/idp
```

> **WARNING**: Install command will generate (or overwrite already existing) signing and encryption keys for the IDP, if those are not provided explicitly in the `values.yaml` file.

## Uninstalling the Chart

To uninstall/delete the deployment:

```console
helm delete my-idp
```

## Configuration

The following configurations may be set. It is recommended to use `values.yaml` for overwriting the IDP config.

| Parameter | Description | Default |
| ---------------------------- | --------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
| `log.level` | The log level. Valid values are: “panic”, “fatal”, “error”, “warn”, “info”, “debug”, “trace”. | error |
| `log.color` | Activates colorized log output. | false |
| `log.pretty` | Activates pretty log output. | false |
| `idp.issuerURI` | External url of the IDP service, used in token issuer field | <http://idp:9130> |
| `idp.accessTokenValidity` | Expiration time in seconds for IDP access token. | 86400 |
| `idp.idTokenValidity` | Expiration time in seconds for IDP ID tokens. | 3600 |
| `idp.refreshTokenValidity` | Expiration time in seconds for refresh tokens. | 94608000 |
| `idp.clients` | Registered OpenID Connect clients configuration | `[{name: 'ownCloud desktop app', ...}]` |
| `cs3.gateway` | CS3 gateway used to authenticate and look up users | revad:19000 |
| `extraResources` | Extra resources to be included. | `[]` |
| `image.pullPolicy` | The kubernetes image pull policy. | `IfNotPresent` |
| `image.repository` | Name of the image to run, without the tag. | [`owncloud/ocis`](https://hub.docker.com/r/owncloud/ocis) |
| `image.tag` | The image tag to use. | `v8.3.2` |
| `ingress.annotations` | Ingress annotations. | `{}` |
| `ingress.enabled` | Whether to create an Ingress resource to access the wopiserver. | `false` |
| `ingress.hostname` | The ingress hostname. | `idp.local` |
| `ingress.path` | The ingress path. | `/` |
| `ingress.tls` | Ingress TLS configuration (YAML). | `[]` |
| `replicaCount` | How many replicas to run. | `1` |
| `resources` | Resources to apply to all services. | `{}` |
| `secretsRef` | Use an already existing secret instead of configuring the `secrets` settings. | `nil` |
| `securityContext.fsGroup` | File system group for all volumes. | `1000` |
| `securityContext.runAsGroup` | Group ID that all processes within any containers will run with. | `1000` |
| `securityContext.runAsUser` | User ID that all processes within any containers will run with. | `1000` |
| `service.port` | The wopiserver service HTTP port. | `8880` |
| `service.type` | The Kubernetes service type to use. | `ClusterIP` |

> **NOTE**: This service requires atlest one `idp.clients` to be registered in order to boot properly.

## Register with Sciencemesh Proxy IDP portal

Before your IDP service can appear in the Sciencemesh [Proxy IDP portal](http://aai-demo.sciencemesh.cesnet.cz/.well-known/openid-configuration), you will need to register it by contacting CESNET administrators with your `idp.issuerURL` and to register Proxy IDP portal client in your `idp.clients` config.
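Review bot: the parameter table was carried over from the wopiserver chart and does not describe this chart: `ingress.enabled` and `service.port` still say "wopiserver", `service.port` defaults to `8880` while `idp.issuerURI` defaults to `http://idp:9130`, and `image.tag` defaults to `v8.3.2` while Chart.yaml says `v2.0.0-beta.8`. The values paths also need to match the templates: the table lists `idp.issuerURI`, `log.level` and `cs3.gateway` at top level, `_helpers.tpl` reads `.Values.config.idp.issuerURI`, and the registration section calls it `idp.issuerURL`; use one path everywhere. The install warning ("generate (or overwrite already existing) signing and encryption keys") should spell out the consequence, namely that every `helm upgrade` that regenerates the keys rotates the signing key and invalidates all issued tokens and the published JWKS, and should recommend `secretsRef` for anything beyond a demo; `secretsRef` in turn should list the keys the existing Secret must contain (`machineAuthApiKey`, `encryption.key`, `private-key.pem`), since the deployment mounts them by name. The default lifetimes deserve a comment as well: `idp.refreshTokenValidity` 94608000 s is three years and `idp.accessTokenValidity` 86400 s is a day. Typo: "atlest" should be "at least".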
88 changes: 88 additions & 0 deletions idp/templates/_helpers.tpl
@@ -0,0 +1,88 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "idp.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "idp.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "idp.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Common labels
*/}}
{{- define "idp.labels" -}}
helm.sh/chart: {{ include "idp.chart" . }}
{{ include "idp.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

{{/*
Selector labels
*/}}
{{- define "idp.selectorLabels" -}}
app.kubernetes.io/name: {{ include "idp.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}


{{/*
Name of the configMap storing the IDP configuration
Returns:
- the name of the secret-based config passed as .Values.cfgmapName
- "<release_fullname>-config-secret" by default.
If the Secret config does not exist, the pod will hang due to missing mount.
*/}}
{{- define "idp.cfgmapName" -}}
{{- if .Values.cfgmapName }}
{{- printf "%s" .Values.cfgmapName }}
{{- else }}
{{- printf "%s%s" (include "idp.fullname" .) "-config-secret" }}
{{- end }}
{{- end }}


{{/*
Returns the WOPI Server external URL
*/}}
{{- define "idp.url" -}}
{{- if .Values.config.idp.issuerURI -}}
{{- .Values.config.idp.issuerURI }}
{{- else }}
{{- if .Values.ingress.hostname -}}
{{- if .Values.ingress.tls -}}
https://{{ .Values.ingress.hostname }}
{{- else -}}
http://{{ .Values.ingress.hostname }}
{{- end -}}
{{- else -}}
http://{{ template "idp.fullname" . }}:{{ .Values.service.port }}
{{- end -}}
{{- end -}}
{{- end -}}
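Review bot: `idp.url` silently produces a plain-`http://` issuer whenever `ingress.tls` is empty (`{{- else -}}` / `http://{{ .Values.ingress.hostname }}`), and the in-cluster fallback is http as well. The issuer string ends up in the `iss` claim and the discovery document, so an accidental http issuer is painful to change once clients are registered; consider defaulting to https when a hostname is set, or failing the render with `required` unless an explicit issuer is given. Smaller points in the same hunk: the comment "Returns the WOPI Server external URL" is copy-paste and should say IDP issuer URL; `idp.cfgmapName` is documented as "the configMap storing the IDP configuration" but names a Secret (`-config-secret`), so rename the helper or fix the comment; and the helper reads `.Values.config.idp.issuerURI` while the README documents `idp.issuerURI`, which means the template fails with a nil-pointer error if `config` is absent from the values, so either keep the values path consistent or guard the lookup with `default`.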
13 changes: 13 additions & 0 deletions idp/templates/_tplvalues.tpl
@@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" .) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
115 changes: 115 additions & 0 deletions idp/templates/deployment.yaml
@@ -0,0 +1,115 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "idp.fullname" . }}
labels:
{{- include "idp.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "idp.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
labels:
{{- include "idp.selectorLabels" . | nindent 8 }}
spec:
securityContext:
fsGroup: {{ $.Values.securityContext.fsGroup }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
runAsNonRoot: true
runAsUser: {{ $.Values.securityContext.runAsUser }}
runAsGroup: {{ $.Values.securityContext.runAsGroup }}
readOnlyRootFilesystem: true
resources: {{ toYaml $.Values.resources | nindent 12 }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /.well-known/openid-configuration
port: http
readinessProbe:
httpGet:
path: /.well-known/openid-configuration
port: http
command:
- /usr/bin/ocis
args:
- "idp"
- "server"
volumeMounts:
- name: {{ include "idp.fullname" . }}-config-tmp
# we mount that volume only to apply fsGroup to that path
mountPath: /etc/ocis
- name: {{ include "idp.fullname" . }}-data-tmp
# we mount that volume to apply fsGroup to that path, so that the idp can write the temporary idp/tmp/identifier-registration.yaml file
mountPath: /var/lib/ocis
- name: {{ include "idp.fullname" . }}-configfiles
mountPath: /etc/ocis/idp
readOnly: true
- name: {{ include "idp.fullname" . }}-secrets
mountPath: /etc/ocis/idp/encryption.key
subPath: encryption.key
readOnly: true
- name: {{ include "idp.fullname" . }}-secrets
mountPath: /etc/ocis/idp/private-key.pem
subPath: private-key.pem
readOnly: true
{{- if .Values.extraVolumeMounts }}
{{ toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
env:
- name: IDP_MACHINE_AUTH_API_KEY
valueFrom:
secretKeyRef:
{{ if .Values.secretsRef }}
name: {{ .Values.secretsRef }}
{{ else }}
name: {{ template "idp.fullname" . }}-secrets
{{ end }}
key: machineAuthApiKey
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 12 }}
{{- end }}
{{- if .Values.envFrom }}
envFrom:
{{ toYaml .Values.envFrom | indent 12 }}
{{- end }}
volumes:
- name: {{ include "idp.fullname" . }}-configfiles
secret:
secretName: {{ include "idp.cfgmapName" . }}
- name: {{ include "idp.fullname" . }}-config-tmp
emptyDir:
medium: Memory
{{- if .Values.emptyDir.sizeLimit }}
sizeLimit: {{ .Values.emptyDir.sizeLimit }}
{{- else }}
sizeLimit: 6Mi
{{- end }}
- name: {{ include "idp.fullname" . }}-data-tmp
emptyDir:
medium: Memory
{{- if .Values.emptyDir.sizeLimit }}
sizeLimit: {{ .Values.emptyDir.sizeLimit }}
{{- else }}
sizeLimit: 6Mi
{{- end }}
- name: {{ include "idp.fullname" . }}-secrets
secret:
{{ if .Values.secretsRef }}
secretName: {{ .Values.secretsRef }}
{{ else }}
secretName: {{ template "idp.fullname" . }}-secrets
{{ end }}
{{- if .Values.extraVolumes }}
{{ toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
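Review bot: the container `securityContext` stops at `runAsNonRoot: true` and `readOnlyRootFilesystem: true`; add `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` so the identity provider pod satisfies the restricted Pod Security Standard out of the box. The `checksum/secrets` annotation only hashes `secrets.yaml`, so edits to the config Secret named by `idp.cfgmapName`, or to an external `secretsRef`, will not roll the pods, while if `secrets.yaml` regenerates keys on every render (as the README warning implies) the checksum changes on every upgrade and forces a restart with fresh signing keys; hash the config Secret too and make key generation idempotent. The `{{ if .Values.secretsRef }}` branches require the external Secret to carry the keys `machineAuthApiKey`, `encryption.key` and `private-key.pem`; say so in the README. Both memory-backed emptyDirs share the single `emptyDir.sizeLimit` value, and `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` has no fallback to `.Chart.AppVersion`, which is how the README's `v8.3.2` default slipped in.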
4 changes: 4 additions & 0 deletions idp/templates/extra-resources.yaml
@@ -0,0 +1,4 @@
{{- range .Values.extraResources }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}
29 changes: 29 additions & 0 deletions idp/templates/ingress.yaml
@@ -0,0 +1,29 @@
{{- if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ template "idp.fullname" . }}
labels: {{- include "idp.labels" . | nindent 4 }}
annotations:
{{- if .Values.ingress.annotations }}
{{ toYaml .Values.ingress.annotations | indent 4 }}
{{- end }}
spec:
rules:
{{- if .Values.ingress.hostname }}
- host: {{ .Values.ingress.hostname }}
http:
paths:
- path: {{ .Values.ingress.path }}
backend:
service:
name: {{ template "idp.fullname" . }}
port:
name: http
pathType: ImplementationSpecific
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end }}
{{- end }}
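Review bot: TLS is optional here (`{{- if .Values.ingress.tls }}`) and nothing enforces it, yet the login form, the authorization code and the tokens all traverse this Ingress; require `ingress.tls` when `ingress.enabled` is true (for example with `required`), or at least ship a TLS example in the README and make the derived issuer https. Smaller points: `annotations:` is emitted even when `ingress.annotations` is empty, which renders a null value and is cleaner as `{{- with .Values.ingress.annotations }}`; the chart targets `networking.k8s.io/v1` but exposes no `spec.ingressClassName`, so an `ingress.className` value would help clusters with more than one controller; and with `ingress.hostname` empty the object is created with no `rules` at all, which should probably be a render-time error rather than a silent no-op.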