This repository has been archived by the owner on Mar 5, 2024. It is now read-only.
Merge pull request #283 from uswitch/create-self-hosted-helm-charts
Add self hosted helm charts
Showing 27 changed files with 1,386 additions and 0 deletions.
@@ -0,0 +1,36 @@ | ||
#!/usr/bin/env sh | ||
|
||
set -e | ||
|
||
# install git | ||
apk add git | ||
|
||
# check if changes have been made to the helm chart | ||
if ! git diff HEAD~1 | grep -iE 'a\/helm.*'; | ||
then | ||
echo "No changes to helm chart made, skipping..." | ||
exit 0 | ||
else | ||
# package helm chart | ||
helm init --client-only | ||
mkdir ${DRONE_WORKSPACE}/output/ | ||
helm package ${DRONE_WORKSPACE}/helm/${APP}/ -d ${DRONE_WORKSPACE}/output/ | ||
|
||
# create new git repo and add remote | ||
mkdir ${DRONE_WORKSPACE}/new-repo/ && cd ${DRONE_WORKSPACE}/new-repo/ | ||
git init | ||
git config --global user.email ${CI_EMAIL} | ||
git remote add origin https://${CI_USER}:${CI_TOKEN}@${REPO} | ||
git fetch | ||
git checkout --track origin/gh-pages | ||
git pull | ||
|
||
# add packaged helm chart and reindex | ||
mv ${DRONE_WORKSPACE}/output/* ${DRONE_WORKSPACE}/new-repo/charts/ | ||
helm repo index ${DRONE_WORKSPACE}/new-repo/charts/ | ||
|
||
# stage and commit new files, push to remote | ||
git add . | ||
git commit -m "Original commit: ${DRONE_COMMIT_SHA}" | ||
git push -u origin gh-pages | ||
fi |
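Review bot: `git remote add origin https://${CI_USER}:${CI_TOKEN}@${REPO}` embeds the CI token in the remote URL, so it is written to the new repo's `.git/config` and is echoed in any git error message that prints the remote (a failed `git fetch` or `git push` here), which can land it in build logs. Supplying the credential through a credential helper or `GIT_ASKPASS` and keeping the remote URL token-free avoids that. Two smaller points in the same hunk: the change check `git diff HEAD~1 | grep -iE 'a\/helm.*'` greps the whole patch text rather than the changed paths, so any changed line containing `a/helm` (or a deleted chart file) triggers a publish; `git diff --name-only HEAD~1 | grep -qE '^helm/'` tests the paths directly. And `mv ${DRONE_WORKSPACE}/output/* ${DRONE_WORKSPACE}/new-repo/charts/` assumes `charts/` already exists on `gh-pages`; if it does not and there is a single package, `mv` renames the package to a file called `charts` and the following `helm repo index` fails, so a `mkdir -p` before the move would make the step robust.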
@@ -0,0 +1,21 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj |
@@ -0,0 +1,17 @@ | ||
apiVersion: v1 | ||
name: kiam | ||
version: 2.5.1 | ||
appVersion: 3.3 | ||
description: Integrate AWS IAM with Kubernetes | ||
keywords: | ||
- kiam | ||
- aws | ||
- iam | ||
- security | ||
home: https://github.com/uswitch/kiam | ||
sources: | ||
- https://github.com/uswitch/kiam | ||
maintainers: | ||
- name: uswitch | ||
email: cloud@uswitch.com | ||
engine: gotpl |
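Review bot: `appVersion: 3.3` is unquoted, so YAML parsers read it as a float rather than a string; quoting it (`appVersion: "3.3"`) keeps it a string across tooling, and since the README lists the image tag as `v3.3` it is worth deciding whether `appVersion` should carry the same `v3.3` form so the two stay in step.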
@@ -0,0 +1,185 @@ | ||
# kiam | ||
|
||
Installs [kiam](https://github.com/uswitch/kiam) to integrate AWS IAM with Kubernetes. | ||
|
||
## TL;DR; | ||
|
||
```console | ||
$ helm install stable/kiam | ||
``` | ||
|
||
## Introduction | ||
|
||
This chart bootstraps a [kiam](https://github.com/uswitch/kiam) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. | ||
|
||
## Prerequisites | ||
- Kubernetes 1.8+ with Beta APIs enabled | ||
|
||
## Installing the Chart | ||
|
||
The chart generates a self signed TLS certificate by default. | ||
If you want to create and install your own, you can create TLS certificates and private keys as described [here](https://github.com/uswitch/kiam/blob/master/docs/TLS.md). | ||
|
||
> **Tip**: The `hosts` field in the kiam server certificate should include the value _release-name_-server:_server-service-port_, e.g. `my-release-server:443` | ||
> If you don't include the exact hostname used by the kiam agent to connect to the server, you'll see a warning (which is really an error) in the agent logs similar to the following, and your pods will fail to obtain credentials: | ||
```json | ||
{"level":"warning","msg":"error finding role for pod: rpc error: code = Unavailable desc = there is no connection available","pod.ip":"100.120.0.2","time":"2018-05-24T04:11:25Z"} | ||
``` | ||
|
||
Define values `agent.tlsFiles.ca`, `agent.tlsFiles.cert`, `agent.tlsFiles.key`, `server.tlsFiles.ca`, `server.tlsFiles.cert` and `server.tlsFiles.key` to be the base64-encoded contents (.e.g. using the `base64` command) of the generated PEM files. | ||
For example | ||
|
||
```yaml | ||
agent: | ||
tlsFiles: | ||
key: LS0tL... | ||
cert: LS0tL... | ||
ca: LS0tL... | ||
|
||
server: | ||
tlsFiles: | ||
key: LS0tL... | ||
cert: LS0tL... | ||
ca: LS0tL... | ||
``` | ||
|
||
Define secret name values `agent.tlsSecret` and `server.tlsSecret` if TLS certificates secrets have already created instead of `tlsFiles`. | ||
|
||
```yaml | ||
agent: | ||
tlsSecret: kiam-agent-tls | ||
|
||
server: | ||
tlsSecret: kiam-server-tls | ||
``` | ||
Define TLS certificate names to use in kiam command line arguments as follows. | ||
```yaml | ||
agent: | ||
tlsCerts: | ||
certFileName: cert | ||
keyFileName: key | ||
caFileName: ca | ||
|
||
server: | ||
tlsCerts: | ||
certFileName: cert | ||
keyFileName: key | ||
caFileName: ca | ||
``` | ||
|
||
To install the chart with the release name `my-release`: | ||
|
||
```console | ||
$ helm install stable/kiam --name my-release | ||
``` | ||
|
||
The command deploys kiam on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. | ||
|
||
## Uninstalling the Chart | ||
|
||
To uninstall/delete the `my-release` deployment: | ||
|
||
```console | ||
$ helm delete my-release | ||
``` | ||
|
||
The command removes all the Kubernetes components associated with the chart and deletes the release. | ||
|
||
## Configuration | ||
|
||
The following table lists the configurable parameters of the kiam chart and their default values. | ||
|
||
Parameter | Description | Default | ||
--- | --- | --- | ||
`agent.enabled` | If true, create agent | `true` | ||
`agent.name` | Agent container name | `agent` | ||
`agent.image.repository` | Agent image | `quay.io/uswitch/kiam` | ||
`agent.image.tag` | Agent image tag | `v3.3` | ||
`agent.image.pullPolicy` | Agent image pull policy | `IfNotPresent` | ||
`agent.dnsPolicy` | Agent pod DNS policy | `ClusterFirstWithHostNet` | ||
`agent.whiteListRouteRegexp` | Agent pod whitelist metadata API path argument regex | `{}` | ||
`agent.extraArgs` | Additional agent container arguments | `{}` | ||
`agent.extraEnv` | Additional agent container environment variables | `{}` | ||
`agent.extraHostPathMounts` | Additional agent container hostPath mounts | `[]` | ||
`agent.gatewayTimeoutCreation` | Agent's timeout when creating the kiam gateway | `50ms` | ||
`agent.host.ip` | IP address of host | `$(HOST_IP)` | ||
`agent.host.iptables` | Add iptables rule | `false` | ||
`agent.host.interface` | Agent's host interface for proxying AWS metadata | `cali+` | ||
`agent.host.port` | Agent's listening port | `8181` | ||
`agent.log.jsonOutput` | Whether or not to output agent log in JSON format | `true` | ||
`agent.log.level` | Agent log level (`debug`, `info`, `warn` or `error`) | `info` | ||
`agent.nodeSelector` | Node labels for agent pod assignment | `{}` | ||
`agent.prometheus.port` | Agent Prometheus metrics port | `9620` | ||
`agent.prometheus.scrape` | Whether or not Prometheus metrics for the agent should be scraped | `true` | ||
`agent.prometheus.syncInterval` | Agent Prometheus synchronization interval | `5s` | ||
`agent.podAnnotations` | Annotations to be added to agent pods | `{}` | ||
`agent.podLabels` | Labels to be added to agent pods | `{}` | ||
`agent.priorityClassName` | Agent pods priority class name | `""` | ||
`agent.resources` | Agent container resources | `{}` | ||
`agent.serviceAnnotations` | Annotations to be added to agent service | `{}` | ||
`agent.serviceLabels` | Labels to be added to agent service | `{}` | ||
`agent.tlsSecret` | Secret name for the agent's TLS certificates | `null` | ||
`agent.tlsFiles.ca` | Base64 encoded string for the agent's CA certificate(s) | `null` | ||
`agent.tlsFiles.cert` | Base64 encoded strings for the agent's certificate | `null` | ||
`agent.tlsFiles.key` | Base64 encoded strings for the agent's private key | `null` | ||
`agent.tolerations` | Tolerations to be applied to agent pods | `[]` | ||
`agent.affinity` | Node affinity for pod assignment | `{}` | ||
`agent.updateStrategy` | Strategy for agent DaemonSet updates (requires Kubernetes 1.6+) | `OnDelete` | ||
`server.enabled` | If true, create server | `true` | ||
`server.name` | Server container name | `server` | ||
`server.gatewayTimeoutCreation` | Server's timeout when creating the kiam gateway | `50ms` | ||
`server.image.repository` | Server image | `quay.io/uswitch/kiam` | ||
`server.image.tag` | Server image tag | `v3.3` | ||
`server.image.pullPolicy` | Server image pull policy | `Always` | ||
`server.assumeRoleArn` | IAM role for the server to assume before processing requests | `null` | ||
`server.cache.syncInterval` | Pod cache synchronization interval | `1m` | ||
`server.extraArgs` | Additional server container arguments | `{}` | ||
`server.extraEnv` | Additional server container environment variables | `{}` | ||
`server.extraHostPathMounts` | Additional server container hostPath mounts | `[]` | ||
`server.log.jsonOutput` | Whether or not to output server log in JSON format | `true` | ||
`server.log.level` | Server log level (`debug`, `info`, `warn` or `error`) | `info` | ||
`server.nodeSelector` | Node labels for server pod assignment | `{}` | ||
`server.prometheus.port` | Server Prometheus metrics port | `9620` | ||
`server.prometheus.scrape` | Whether or not Prometheus metrics for the server should be scraped | `true` | ||
`server.prometheus.syncInterval` | Server Prometheus synchronization interval | `5s` | ||
`server.podAnnotations` | Annotations to be added to server pods | `{}` | ||
`server.podLabels` | Labels to be added to server pods | `{}` | ||
`server.probes.serverAddress` | Address that readyness and liveness probes will hit | `127.0.0.1` | ||
`server.priorityClassName` | Server pods priority class name | `""` | ||
`server.resources` | Server container resources | `{}` | ||
`server.roleBaseArn` | Base ARN for IAM roles. If not specified use EC2 metadata service to detect ARN prefix | `null` | ||
`server.sessionDuration` | Session duration for STS tokens generated by the server | `15m` | ||
`server.serviceAnnotations` | Annotations to be added to server service | `{}` | ||
`server.serviceLabels` | Labels to be added to server service | `{}` | ||
`server.service.port` | Server service port | `443` | ||
`server.service.targetPort` | Server service target port | `443` | ||
`server.tlsSecret` | Secret name for the server's TLS certificates | `null` | ||
`server.tlsFiles.ca` | Base64 encoded string for the server's CA certificate(s) | `null` | ||
`server.tlsFiles.cert` | Base64 encoded strings for the server's certificate | `null` | ||
`server.tlsFiles.key` | Base64 encoded strings for the server's private key | `null` | ||
`server.tolerations` | Tolerations to be applied to server pods | `[]` | ||
`server.affinity` | Node affinity for pod assignment | `{}` | ||
`server.updateStrategy` | Strategy for server DaemonSet updates (requires Kubernetes 1.6+) | `OnDelete` | ||
`server.useHostNetwork` | If true, use hostNetwork on server to bypass agent iptable rules | `false` | ||
`rbac.create` | If `true`, create & use RBAC resources | `true` | ||
`psp.create` | If `true`, create Pod Security Policies for the agent and server when enabled | `false` | ||
`serviceAccounts.agent.create` | If true, create the agent service account | `true` | ||
`serviceAccounts.agent.name` | Name of the agent service account to use or create | `{{ kiam.agent.fullname }}` | ||
`serviceAccounts.server.create` | If true, create the server service account | `true` | ||
`serviceAccounts.server.name` | Name of the server service account to use or create | `{{ kiam.server.fullname }}` | ||
|
||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, | ||
|
||
```console | ||
$ helm install stable/kiam --name my-release \ | ||
--set=extraArgs.base-role-arn=arn:aws:iam::0123456789:role/,extraArgs.default-role=kube2iam-default,host.iptables=true,host.interface=cbr0 | ||
``` | ||
|
||
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, | ||
|
||
```console | ||
$ helm install stable/kiam --name my-release -f values.yaml | ||
``` | ||
|
||
> **Tip**: You can use the default [values.yaml](values.yaml) |
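Review bot: both install commands (`helm install stable/kiam` in the TL;DR and `helm install stable/kiam --name my-release` under Installing the Chart) still point at the `stable` repository, while this PR publishes the chart to the repository's own `gh-pages` index; the README should show adding that index with `helm repo add` and installing from it. The `--set` example also uses keys that do not appear in the parameter table (`extraArgs.base-role-arn`, `extraArgs.default-role=kube2iam-default`, `host.iptables`, `host.interface`): per the table these live under `server.extraArgs`, `agent.host.iptables` and `agent.host.interface`, and the `kube2iam-default` role name reads as carried over from another chart. Since `agent.host.iptables` defaults to `false` and is described only as "Add iptables rule", a sentence on when it must be enabled would help operators. Minor: "readyness" in the `server.probes.serverAddress` row should be "readiness", and "if TLS certificates secrets have already created" should read "have already been created".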