chart: extract hydra maester chart out of auth/charts/hydra.tar.gz (#96)

* chart: extract hydra maester chart out of auth/charts/hydra.tar.gz

* auth: install shared hydra maester during bootstrap

* hydra-maester: fix chart name typo

* hydra-maester: fix charts repo namespace

---------

Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/charts/hydra-maester/templates/_helpers.tpl b/charts/hydra-maester/templates/_helpers.tpl
new file mode 100644
index 0000000..b607c67
--- /dev/null
+++ b/charts/hydra-maester/templates/_helpers.tpl
@@ -0,0 +1,59 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hydra-maester.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hydra-maester.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hydra-maester.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "hydra-maester.labels" -}}
+app.kubernetes.io/name: {{ include "hydra-maester.name" . }}
+helm.sh/chart: {{ include "hydra-maester.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+
+{{/*
+Get Hydra admin service name
+*/}}
+{{- define "hydra-maester.adminService" -}}
+{{- if .Values.hydraFullnameOverride -}}
+{{- printf "%s-admin"  .Values.hydraFullnameOverride -}}
+{{- else if contains "hydra" .Release.Name -}}
+{{- printf "%s-admin" .Release.Name -}}
+{{- else -}}
+{{- printf "%s-%s-admin" .Release.Name "hydra" -}}
+{{- end -}}
+{{- end -}}
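Review bot: The comment on `hydra-maester.adminService` ("Get Hydra admin service name") does not say how the name is resolved, which matters because deployment.yaml builds the `--hydra-url` from it; I would expand it to three lines stating the precedence: `.Values.hydraFullnameOverride` with `-admin` appended, else `<release>-admin` when the release name already contains "hydra", else `<release>-hydra-admin`, and that the deployment's `.Values.adminService.name` takes precedence over this helper entirely. Also `printf "%s-admin"  .Values.hydraFullnameOverride` has a doubled space before the argument; one space matches the other `printf` calls in this file. The `hydra-maester.labels` helper sets `app.kubernetes.io/name` from `hydra-maester.name` while deployment.yaml uses `hydra-maester.fullname` for the same label on the pod template and selector; see the note on that file.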
diff --git a/charts/hydra-maester/templates/deployment.yaml b/charts/hydra-maester/templates/deployment.yaml
new file mode 100644
index 0000000..ed9c3b8
--- /dev/null
+++ b/charts/hydra-maester/templates/deployment.yaml
@@ -0,0 +1,97 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "hydra-maester.fullname" . }}
+  labels:
+    {{- include "hydra-maester.labels" . | nindent 4 }}
+    {{- with .Values.deployment.extraLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- with .Values.deployment.extraLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.deployment.podMetadata.labels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        {{- with .Values.deployment.extraAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.deployment.podMetadata.annotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /manager
+          args:
+            - --metrics-addr=127.0.0.1:8080
+            - --hydra-url=http://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
+            - --hydra-port={{ .Values.adminService.port | default 4445 }}
+            {{- with .Values.adminService.endpoint }}
+            - --endpoint={{ . }}
+            {{- end }}
+            {{- if .Values.forwardedProto }}
+            - --forwarded-proto={{ .Values.forwardedProto }}
+            {{- end }}
+            {{- if .Values.singleNamespaceMode }}
+            - --namespace={{ .Release.Namespace }}
+            {{- end }}
+            {{- if .Values.deployment.args.syncPeriod }}
+            - --sync-period={{ .Values.deployment.args.syncPeriod }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          {{- if .Values.deployment.securityContext }}
+          securityContext:
+            {{- toYaml .Values.deployment.securityContext | nindent 12 }}
+          {{- end }}
+      serviceAccountName: {{ include "hydra-maester.fullname" . }}-account
+      automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
+      nodeSelector:
+      {{- with .Values.deployment.nodeSelector }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.deployment.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.deployment.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.deployment.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
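Review bot: The `--hydra-url` argument hard-codes the `http://` scheme, so the controller's calls to the Hydra admin API (which create, update and delete OAuth2 clients) always go out in plaintext and a TLS-fronted admin service cannot be used without forking the template; a values-driven scheme such as `- --hydra-url={{ .Values.adminService.scheme | default "http" }}://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}` (key name is a suggestion, it does not exist in this diff) keeps the default and lets operators opt into `https`. The selector and pod labels set `app.kubernetes.io/name` to `hydra-maester.fullname`, whereas the Deployment's own metadata labels (via `hydra-maester.labels`) set the same key to `hydra-maester.name`, so the two values differ whenever the release name is not the chart name; harmless to the selector but confusing for label-based queries. `nodeSelector:` is emitted unconditionally and renders as a null value when `.Values.deployment.nodeSelector` is unset; moving the key inside the `with` block matches how `affinity` and `tolerations` are handled below it. The container `securityContext` and `resources` come entirely from values.yaml, which is not part of this diff, so their defaults cannot be reviewed here.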
diff --git a/charts/hydra-maester/templates/pdb.yaml b/charts/hydra-maester/templates/pdb.yaml
new file mode 100644
index 0000000..1be53ba
--- /dev/null
+++ b/charts/hydra-maester/templates/pdb.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.pdb.enabled -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "hydra-maester.fullname" . }}
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: {{ include "hydra-maester.fullname" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  {{ toYaml .Values.pdb.spec }}
+{{- end -}}
\ No newline at end of file
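Review bot: `{{ toYaml .Values.pdb.spec }}` on the last spec line receives the two-space indent only for its first rendered line; if `pdb.spec` holds more than one key, every following line lands at column 0 and the document fails to parse, so it should be `{{- toYaml .Values.pdb.spec | nindent 2 }}` like the other `toYaml` sites in this chart. The PodDisruptionBudget is also the only resource in this commit whose metadata carries no labels; adding `labels:` with `{{- include "hydra-maester.labels" . | nindent 4 }}` keeps it consistent with deployment.yaml and rbac.yaml. The file is missing its trailing newline.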
diff --git a/charts/hydra-maester/templates/rbac.yaml b/charts/hydra-maester/templates/rbac.yaml
new file mode 100644
index 0000000..e67cc62
--- /dev/null
+++ b/charts/hydra-maester/templates/rbac.yaml
@@ -0,0 +1,95 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hydra-maester.fullname" . }}-account
+  namespace:  {{ .Release.Namespace }}
+  labels:
+    {{- include "hydra-maester.labels" . | nindent 4 }}
+  {{- with .Values.deployment.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- if not .Values.singleNamespaceMode }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "hydra-maester.fullname" . }}-role
+rules:
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "hydra-maester.fullname" . }}-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
+    namespace:  {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "hydra-maester.fullname" . }}-role
+{{- end }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "hydra-maester.fullname" . }}-role
+  namespace:  {{ .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "hydra-maester.fullname" . }}-role-binding
+  namespace:  {{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
+    namespace:  {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "hydra-maester.fullname" . }}-role
+
+{{- $name := include "hydra-maester.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+{{- range .Values.enabledNamespaces }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $name }}-role
+  namespace:  {{ . }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $name }}-role-binding
+  namespace:  {{ . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}-account # Service account assigned to the controller pod.
+    namespace:  {{ $namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}-role
+{{- end }}
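Review bot: The ClusterRole created when `singleNamespaceMode` is false grants `list` and `watch` on `secrets` across the whole cluster, and `list`/`watch` return full Secret objects, so the controller's ServiceAccount can read every Secret in every namespace; the commit message says this chart is installed as a shared instance during bootstrap, so this appears to be the default footprint. RBAC cannot narrow `list` by label, so the only mitigations are the existing `singleNamespaceMode` / `enabledNamespaces` knobs; I would add a comment above the `{{- if not .Values.singleNamespaceMode }}` line such as `# Cluster-wide list/watch on secrets exposes every Secret in the cluster to this ServiceAccount; prefer singleNamespaceMode or enabledNamespaces when the set of client namespaces is known.` and say the same in the chart's values documentation. The ClusterRole's secrets rule omits `get` while the namespaced Role includes it, and the `enabledNamespaces` Role additionally grants `update`; whether these differences are intentional cannot be told from the diff, so a one-line comment on each rule stating what the controller does with the verb would help. Several `namespace:  {{ ... }}` lines carry a doubled space after the colon.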