diff --git a/charts/data-dashboard-backend/Chart.yaml b/charts/data-dashboard-backend/Chart.yaml index 1c92da80..eed51870 100644 --- a/charts/data-dashboard-backend/Chart.yaml +++ b/charts/data-dashboard-backend/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "0.2.2" name: data-dashboard-backend description: API for data in the data dashboard -version: 0.3.5 +version: 0.3.6 sources: ["https://github.com/thehyve/radar-data-dashboard-backend"] deprecated: false type: application diff --git a/charts/data-dashboard-backend/README.md b/charts/data-dashboard-backend/README.md index 0d739f6e..83e999d3 100644 --- a/charts/data-dashboard-backend/README.md +++ b/charts/data-dashboard-backend/README.md @@ -2,7 +2,7 @@ # data-dashboard-backend -![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square) +![Version: 0.3.6](https://img.shields.io/badge/Version-0.3.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square) API for data in the data dashboard @@ -53,6 +53,7 @@ API for data in the data dashboard | autoscaling.minReplicas | int | `1` | | | autoscaling.maxReplicas | int | `100` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | | nodeSelector | object | `{}` | Node labels for pod assignment | | tolerations | list | `[]` | Toleration labels for pod assignment | | affinity | object | `{}` | Affinity labels for pod assignment | 
diff --git a/charts/data-dashboard-backend/templates/networkpolicy.yaml b/charts/data-dashboard-backend/templates/networkpolicy.yaml new file mode 100644 index 00000000..ee96faa4 --- /dev/null +++ b/charts/data-dashboard-backend/templates/networkpolicy.yaml @@ -0,0 +1,13 @@ +{{- if .Values.networkpolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ template "data-dashboard-backend.fullname" . }} + labels: +{{ include "data-dashboard-backend.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: +{{ include "data-dashboard-backend.labels" . | indent 6 }} + {{- tpl (toYaml .Values.networkpolicy) . | nindent 2 }} +{{- end -}} diff --git a/charts/data-dashboard-backend/values.yaml b/charts/data-dashboard-backend/values.yaml index eb47f615..160564db 100644 --- a/charts/data-dashboard-backend/values.yaml +++ b/charts/data-dashboard-backend/values.yaml 
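Review bot: The `podSelector` of the new NetworkPolicy reuses the full `data-dashboard-backend.labels` helper, which in the usual chart scaffold also carries `helm.sh/chart`, `app.kubernetes.io/version` and `managed-by` labels that a Deployment's pod template normally does not; the helper is not visible in this diff, but if that is the case here the selector matches zero pods and the policy silently applies to nothing, so the isolation it appears to add never takes effect. Select pods with the same helper the Deployment uses for `spec.selector`, e.g. `{{ include "data-dashboard-backend.selectorLabels" . | indent 6 }}`, and check the rendered policy against the running pod with `kubectl describe networkpolicy`. Worth noting next to the value as well: because of `{{- if .Values.networkpolicy }}`, an override of `networkpolicy: {}` or `null` removes the policy entirely rather than producing a deny-all.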
@@ -81,6 +81,48 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +# -- Network policy defines who can access this application and who this applications has access to +# @default -- check `values.yaml` +networkpolicy: + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: 'management-portal' + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: postgresql + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # -- Node labels for pod assignment nodeSelector: {} diff --git a/charts/radar-self-enrolment-ui/Chart.yaml b/charts/radar-self-enrolment-ui/Chart.yaml index f51b3d9d..98870a46 100644 --- a/charts/radar-self-enrolment-ui/Chart.yaml +++ b/charts/radar-self-enrolment-ui/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 appVersion: "0.0.1" description: A Helm chart for ORY Kratos's example ui for Kubernetes name: radar-self-enrolment-ui -version: 0.0.2 +version: 0.0.3 type: application diff --git a/charts/radar-self-enrolment-ui/README.md b/charts/radar-self-enrolment-ui/README.md index 3b4be316..1a531606 100644 --- a/charts/radar-self-enrolment-ui/README.md +++ b/charts/radar-self-enrolment-ui/README.md 
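Review bot: The ingress rule admits traffic from `ingress-nginx` pods on every port rather than only the port the API listens on; add a `ports:` entry to that rule (`ports:` / `  - protocol: TCP` / `    port: <container port>`) so a compromised ingress pod cannot reach any debug or management listener the container may expose. The rule also assumes the controller runs in the release namespace (`kubernetes.io/metadata.name: '{{ .Release.Namespace }}'`); on clusters where ingress-nginx lives in its own namespace this default blocks all external access, which the README entry should state. Finally, every selector here keys on `kubernetes.io/metadata.name`, a label Kubernetes only sets automatically from 1.21 onward; on older clusters these selectors match nothing and the pod loses DNS, database and management-portal egress while the policy still looks correct.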
@@ -2,7 +2,7 @@ # radar-self-enrolment-ui -![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) +![Version: 0.0.3](https://img.shields.io/badge/Version-0.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) A Helm chart for ORY Kratos's example ui for Kubernetes @@ -18,7 +18,7 @@ A Helm chart for ORY Kratos's example ui for Kubernetes | imagePullSecrets | list | `[]` | | | nameOverride | string | `""` | | | fullnameOverride | string | `""` | | -| config.csrfCookieName | string | `""` | | +| config.csrfCookieName | string | `"radar_csrf"` | | | config.secrets | object | `{}` | | | service.type | string | `"ClusterIP"` | | | service.loadBalancerIP | string | `""` | The load balancer IP | 
@@ -29,13 +29,14 @@ A Helm chart for ORY Kratos's example ui for Kubernetes | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created | | secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. | | secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods | -| ingress.enabled | bool | `false` | | -| ingress.className | string | `""` | | -| ingress.annotations | object | `{}` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.enabled | bool | `true` | | +| ingress.className | string | `"nginx"` | | +| ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-prod"` | | +| ingress.hosts[0].host | string | `"localhost"` | | +| ingress.hosts[0].paths[0].path | string | `"/kratos-ui/?(.*)"` | | | ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | +| ingress.tls[0].secretName | string | `"radar-base-tls"` | | +| ingress.tls[0].hosts[0] | string | `"localhost"` | | | securityContext.capabilities.drop[0] | string | `"ALL"` | | | securityContext.readOnlyRootFilesystem | bool | `false` | | | securityContext.runAsNonRoot | bool | `true` | | 
@@ -64,22 +65,25 @@ A Helm chart for ORY Kratos's example ui for Kubernetes | deployment.automountServiceAccountToken | bool | `false` | | | deployment.terminationGracePeriodSeconds | int | `60` | | | affinity | object | `{}` | | -| kratosPublicUrl | string | `"http://kratos:4433"` | Set this to ORY Kratos's public URL | -| hydraAdminUrl | string | `"http://hydra:4445"` | Set this to ORY Hydra's Admin URL | -| hydraPublicUrl | string | `"http://hydra:4444"` | Set this to ORY Hydra's public URL | -| basePath | string | `""` | The basePath | -| jwksUrl | string | `"http://hydra:4445/admin/keys/hydra.jwt.access-token"` | The jwksUrl | +| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to | +| kratosAdminUrl | string | `"kratos-admin"` | Set this to ORY Kratos's Admin URL | +| kratosPublicUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL | +| kratosBrowserUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL accessible from the outside world. 
| +| basePath | string | `"/kratos-ui"` | The basePath | +| jwksUrl | string | `""` | The jwksUrl | +| deployment.extraEnv[0].name | string | `"HYDRA_ADMIN_URL"` | | +| deployment.extraEnv[0].value | string | `"http://hydra-admin"` | | | projectName | string | `"SecureApp"` | | | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository | | customLivenessProbe | object | `{}` | Custom livenessProbe that overrides the default one | -| livenessProbe.enabled | bool | `true` | Enable livenessProbe | +| livenessProbe.enabled | bool | `false` | Enable livenessProbe | | livenessProbe.initialDelaySeconds | int | `3` | Initial delay seconds for livenessProbe | | livenessProbe.periodSeconds | int | `300` | Period seconds for livenessProbe | | livenessProbe.timeoutSeconds | int | `10` | Timeout seconds for livenessProbe | | livenessProbe.successThreshold | int | `1` | Success threshold for livenessProbe | | livenessProbe.failureThreshold | int | `3` | Failure threshold for livenessProbe | | customReadinessProbe | object | `{}` | Custom readinessProbe that overrides the default one | -| readinessProbe.enabled | bool | `true` | Enable readinessProbe | +| readinessProbe.enabled | bool | `false` | Enable readinessProbe | | readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe | | readinessProbe.periodSeconds | int | `10` | Period seconds for readinessProbe | | readinessProbe.timeoutSeconds | int | `10` | Timeout seconds for readinessProbe | diff --git a/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml b/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml new file mode 100644 index 00000000..78e099dc --- /dev/null +++ b/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml 
@@ -0,0 +1,13 @@ +{{- if .Values.networkpolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ template "radar-self-enrolment-ui.fullname" . }} + labels: +{{ include "radar-self-enrolment-ui.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: +{{ include "radar-self-enrolment-ui.labels" . | indent 6 }} + {{- tpl (toYaml .Values.networkpolicy) . | nindent 2 }} +{{- end -}} diff --git a/charts/radar-self-enrolment-ui/values.yaml b/charts/radar-self-enrolment-ui/values.yaml index d60dc483..18545036 100644 --- a/charts/radar-self-enrolment-ui/values.yaml +++ b/charts/radar-self-enrolment-ui/values.yaml @@ -20,7 +20,7 @@ fullnameOverride: "" ## -- Application config config: - csrfCookieName: "" + csrfCookieName: "radar_csrf" secrets: {} ## -- Service configuration @@ -51,23 +51,20 @@ secret: # -- switch to false to prevent checksum annotations being maintained and propogated to the pods hashSumEnabled: true -## -- Ingress configration ingress: - enabled: false - className: "" + enabled: true + className: "nginx" annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: chart-example.local + - host: localhost paths: - - path: / + - path: "/kratos-ui/?(.*)" pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + tls: + - secretName: radar-base-tls + hosts: + - localhost ## -- Container level security context securityContext: 
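Review bot: As in the backend chart, the `podSelector` uses the full `radar-self-enrolment-ui.labels` helper rather than the selector labels the Deployment's pod template is matched on; if the helper (not visible here) includes chart or version labels, the policy selects no pods and is a silent no-op. Use `{{ include "radar-self-enrolment-ui.selectorLabels" . | indent 6 }}` (or whatever helper the Deployment's `spec.selector` uses) and verify the rendered selector matches the pod.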
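Review bot: Shipping `ingress.enabled: true` with `host: localhost` and `cert-manager.io/cluster-issuer: letsencrypt-prod` means a default install publishes the UI on a placeholder host and asks cert-manager to obtain a Let's Encrypt production certificate for `localhost`, which can never be validated and only consumes the issuer's failure budget; keep the host/issuer as documented examples and default `enabled: false`, or at least drop the issuer annotation from the defaults. The path `/kratos-ui/?(.*)` is also only treated as a regex by ingress-nginx when `nginx.ingress.kubernetes.io/use-regex: "true"` (or a `rewrite-target`) is set — neither is visible in this diff, so unless the ingress template adds it the path is matched literally and requests under `/kratos-ui/` will not route. If the regex is intended, add `nginx.ingress.kubernetes.io/use-regex: "true"` alongside the other annotation.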
@@ -166,20 +163,66 @@ deployment: affinity: {} -# -- Set this to ORY Kratos's public URL -kratosPublicUrl: http://kratos:4433 +# -- Network policy defines who can access this application and who this applications has access to +# @default -- check `values.yaml` +networkpolicy: + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: kratos-admin + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: '{{ .Release.Namespace }}' + podSelector: + matchLabels: + app.kubernetes.io/name: hydra + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP -# -- Set this to ORY Hydra's Admin URL -hydraAdminUrl: http://hydra:4445 +# -- Set this to ORY Kratos's Admin URL +kratosAdminUrl: "kratos-admin" -# -- Set this to ORY Hydra's public URL -hydraPublicUrl: http://hydra:4444 +# -- Set this to ORY Kratos's public URL +kratosPublicUrl: "https://localhost/kratos" + +# -- Set this to ORY Kratos's public URL accessible from the outside world. +kratosBrowserUrl: "https://localhost/kratos" # -- The basePath -basePath: "" +basePath: "/kratos-ui" # -- The jwksUrl -jwksUrl: http://hydra:4445/admin/keys/hydra.jwt.access-token +jwksUrl: "" + +deployment: + extraEnv: + - name: HYDRA_ADMIN_URL + value: http://hydra-admin projectName: SecureApp @@ -194,7 +237,7 @@ customLivenessProbe: {} livenessProbe: # -- Enable livenessProbe - enabled: true + enabled: false # -- Initial delay seconds for livenessProbe initialDelaySeconds: 3 # -- Period seconds for livenessProbe 
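Review bot: The `deployment:` block added near the end of the hunk is a second top-level `deployment:` key in values.yaml — the hunk header shows the file already has one, and the README lists `deployment.automountServiceAccountToken` and `deployment.terminationGracePeriodSeconds` under it. Unless Helm's values loader rejects the duplicate (historically it has not), the later mapping replaces the earlier one, so `automountServiceAccountToken: false` is silently dropped and the pod is given a service-account token it does not need; move `extraEnv:` under the existing `deployment:` mapping (`  extraEnv:` / `    - name: HYDRA_ADMIN_URL` / `      value: http://hydra-admin`) instead of adding a new one. Separately, `kratosPublicUrl: "https://localhost/kratos"` resolves to the container's own loopback for any server-side call the UI makes to Kratos, and the egress rules only admit `kratos-admin` and `hydra` pods, so such calls would also be blocked by the policy; an in-cluster service URL plus a matching egress `to:` entry is presumably what is intended — confirm against how the UI uses KRATOS_PUBLIC_URL versus KRATOS_BROWSER_URL.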
@@ -211,7 +254,7 @@ customReadinessProbe: {} readinessProbe: # -- Enable readinessProbe - enabled: true + enabled: false # -- Initial delay seconds for readinessProbe initialDelaySeconds: 5 # -- Period seconds for readinessProbe
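Review bot: Disabling `readinessProbe` by default (and `livenessProbe` in the preceding hunk) puts the pod into the Service endpoints the moment the container starts, so the ingress can forward enrolment requests to a process that has not yet bound its port, and a hung process is never restarted. If the built-in probe path was the problem (the UI now serves under `basePath: /kratos-ui`, so a probe that still targets `/` may 404 — not verifiable from this diff), correct the path through `customReadinessProbe`/`customLivenessProbe` rather than turning the probes off. If disabling them is deliberate, say why next to the value, e.g. `# -- Enable readinessProbe (disabled by default: default probe path does not account for basePath; see customReadinessProbe)`.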