charts: Add kommander-thanos chart (#195)

* Add mtls-proxy

* Add mtls-proxy-0.1.0 package

* Add kommander-thanos

* Add kommander-thanos-0.1.0 package

* Add banzaicloud repo to tests

stable/kommander-thanos/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

stable/kommander-thanos/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Kommander Thanos
+name: kommander-thanos
+home: https://github.com/mesosphere/charts
+version: 0.1.0
+maintainers:
+  - name: branden

stable/kommander-thanos/README.md

@@ -0,0 +1,58 @@
+# Kommander Thanos helm chart
+
+This chart deploys [Thanos](https://github.com/thanos-io/thanos) configured for Kommander, along with supporting resources and addons.
+This chart is intended to be used only as a subchart of the `kommander` chart.
+
+All the supported values and their defaults are listed below:
+
+```yaml
+# Internal address for the cluster's Thanos gRPC service.
+# thanosAddress: "HOST:PORT"
+thanosAddress: ""
+
+federate:
+  systemNamespace:
+    name: kommander-system
+
+thanos:
+  store:
+    enabled: false
+  compact:
+    enabled: false
+  bucket:
+    enabled: false
+  sidecar:
+    enabled: false
+
+  query:
+    # Name of HTTP request header used for dynamic prefixing of UI links and redirects.
+    webPrefixHeader: "X-Forwarded-Prefix"
+    # Enable DNS discovery for stores
+    storeDNSDiscovery: false
+    # Enable DNS discovery for sidecars (this is for the chart built-in sidecar service)
+    sidecarDNSDiscovery: false
+    # Addresses of statically configured store API servers (repeatable).
+    stores: []
+    # Add extra arguments to the compact service
+    extraArgs:
+    - "--grpc-client-tls-secure"
+    - "--grpc-client-tls-cert=/etc/certs/tls.crt"
+    - "--grpc-client-tls-key=/etc/certs/tls.key"
+    - "--grpc-client-tls-ca=/etc/certs/ca.crt"
+    - "--grpc-client-server-name=server.thanos.localhost.localdomain"
+    certSecretName: kommander-thanos-client-tls
+    http:
+      ingress:
+        enabled: true
+        annotations:
+          kubernetes.io/ingress.class: "traefik"
+          traefik.frontend.rule.type: "PathPrefixStrip"
+          traefik.ingress.kubernetes.io/auth-response-headers: "X-Forwarded-User"
+          traefik.ingress.kubernetes.io/auth-type: "forward"
+          traefik.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth-kubeaddons.kubeaddons.svc.cluster.local:4181/"
+          traefik.ingress.kubernetes.io/priority: "2"
+        path: "/kommander/monitoring/query"
+        hosts:
+          - ""
+        tls: []
+```

stable/kommander-thanos/requirements.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: thanos
+  repository: https://kubernetes-charts.banzaicloud.com
+  version: 0.3.6
+digest: sha256:baf56fd382a3afd8187e1c1ada57f10f437085d024a7de3a72c73906663dd98a
+generated: "2019-10-22T09:32:23.693501-07:00"

stable/kommander-thanos/requirements.yaml

@@ -0,0 +1,4 @@
+dependencies:
+  - name: thanos
+    version: 0.3.6
+    repository: https://kubernetes-charts.banzaicloud.com

stable/kommander-thanos/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kommander-thanos.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kommander-thanos.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kommander-thanos.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "kommander-thanos.labels" -}}
+app.kubernetes.io/name: {{ include "kommander-thanos.name" . }}
+helm.sh/chart: {{ include "kommander-thanos.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}

stable/kommander-thanos/templates/federated-addon.yaml

@@ -0,0 +1,31 @@
+apiVersion: types.kubefed.io/v1beta1
+kind: FederatedAddon
+metadata:
+  name: {{ template "kommander-thanos.fullname" . }}-proxy
+  namespace: {{ .Values.federate.systemNamespace.name }}
+  labels:
+{{ include "kommander-thanos.labels" . | indent 4 }}
+spec:
+  placement:
+    clusterSelector:
+      matchLabels: {}
+  template:
+    metadata:
+      namespace: kubeaddons
+      labels:
+        kubeaddons.mesosphere.io/name: {{ template "kommander-thanos.fullname" . }}-proxy
+    spec:
+      namespace: {{ .Values.federate.systemNamespace.name }} 
+      chartReference:
+        chart: mtls-proxy
+        repo: https://mesosphere.github.io/charts/stable
+        version: 0.1.0
+        values: |
+          ---
+          target: {{ required "thanos address must be set" .Values.thanosAddress }}
+          certSecretName: {{ template "kommander-thanos.fullname" . }}-server-tls
+          ingress:
+            enabled: false
+          service:
+            type: LoadBalancer
+            port: 443

stable/kommander-thanos/templates/secret.yaml

@@ -0,0 +1,33 @@
+{{ $thanosCa := genCA "Kommander Thanos CA" 3650 }}
+{{ $thanosServer := genSignedCert "server.thanos.localhost.localdomain" nil nil 3650 $thanosCa }}
+{{ $thanosClient := genSignedCert "client.thanos.localhost.localdomain" nil nil 3650 $thanosCa }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: kommander-thanos-client-tls
+  labels:
+{{ include "kommander-thanos.labels" . | indent 4 }}
+data:
+  tls.crt: {{ b64enc $thanosClient.Cert }}
+  tls.key: {{ b64enc $thanosClient.Key }}
+  ca.crt: {{ b64enc $thanosCa.Cert }} 
+---
+apiVersion: types.kubefed.io/v1beta1
+kind: FederatedSecret
+metadata:
+  name: {{ template "kommander-thanos.fullname" . }}-server-tls
+  namespace: {{ .Values.federate.systemNamespace.name }}
+  labels:
+{{ include "kommander-thanos.labels" . | indent 4 }}
+spec:
+  placement:
+    clusterSelector:
+      matchLabels: {}
+  template:
+    type: Opaque
+    data:
+      tls.crt: {{ b64enc $thanosServer.Cert }}
+      tls.key: {{ b64enc $thanosServer.Key }}
+      ca.crt: {{ b64enc $thanosCa.Cert }} 

stable/kommander-thanos/values.yaml

@@ -0,0 +1,53 @@
+# Default values for kommander-thanos.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Internal address for the cluster's Thanos gRPC service.
+# thanosAddress: "HOST:PORT"
+thanosAddress: ""
+
+federate:
+  systemNamespace:
+    name: kommander-system
+
+thanos:
+  store:
+    enabled: false
+  compact:
+    enabled: false
+  bucket:
+    enabled: false
+  sidecar:
+    enabled: false
+
+  query:
+    # Name of HTTP request header used for dynamic prefixing of UI links and redirects.
+    webPrefixHeader: "X-Forwarded-Prefix"
+    # Enable DNS discovery for stores
+    storeDNSDiscovery: false
+    # Enable DNS discovery for sidecars (this is for the chart built-in sidecar service)
+    sidecarDNSDiscovery: false
+    # Addresses of statically configured store API servers (repeatable).
+    stores: []
+    # Add extra arguments to the compact service
+    extraArgs:
+    - "--grpc-client-tls-secure"
+    - "--grpc-client-tls-cert=/etc/certs/tls.crt"
+    - "--grpc-client-tls-key=/etc/certs/tls.key"
+    - "--grpc-client-tls-ca=/etc/certs/ca.crt"
+    - "--grpc-client-server-name=server.thanos.localhost.localdomain"
+    certSecretName: kommander-thanos-client-tls
+    http:
+      ingress:
+        enabled: true
+        annotations:
+          kubernetes.io/ingress.class: "traefik"
+          traefik.frontend.rule.type: "PathPrefixStrip"
+          traefik.ingress.kubernetes.io/auth-response-headers: "X-Forwarded-User"
+          traefik.ingress.kubernetes.io/auth-type: "forward"
+          traefik.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth-kubeaddons.kubeaddons.svc.cluster.local:4181/"
+          traefik.ingress.kubernetes.io/priority: "2"
+        path: "/kommander/monitoring/query"
+        hosts:
+          - ""
+        tls: []

stable/mtls-proxy/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

stable/mtls-proxy/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+appVersion: "1.0"
+description: mTLS proxy
+name: mtls-proxy
+home: https://github.com/mesosphere/charts
+version: 0.1.0
+maintainers:
+  - name: branden

stable/mtls-proxy/README.md

@@ -0,0 +1,44 @@
+# mTLS Proxy Helm Chart
+
+This chart deploys a [ghostunnel](https://github.com/square/ghostunnel) as a proxy that terminates mTLS connections for an insecure target service.
+Support among ingress controllers for gRPC and mTLS isn't yet widespread or mature, so this chart is a simpler alternative to expose services using those protocols.
+
+All the supported values and their defaults are listed below:
+
+```yaml
+replicaCount: 1
+
+image:
+  repository: squareup/ghostunnel
+  tag: v1.5.1
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+  type: ClusterIP
+  port: 443
+
+ingress:
+  enabled: false
+  annotations: {}
+  hosts: []
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# TCP service to proxy.
+# target: "HOST:PORT"
+target: ""
+
+# Secret containing server and CA certificates.
+# Must contain tls.crt, tls.key, and ca.crt.
+certSecretName: ""
+```

stable/mtls-proxy/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mtls-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mtls-proxy.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "mtls-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "mtls-proxy.labels" -}}
+app.kubernetes.io/name: {{ include "mtls-proxy.name" . }}
+helm.sh/chart: {{ include "mtls-proxy.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}