Merge pull request #82 from bcgov/chore/terraform

chore: enhance helm charts with network policy

helm/keycloak/templates/_helpers.tpl

@@ -1,4 +1,12 @@
 {{/* vim: set filetype=mustache: */}}
+
+{{/*
+Expand the name of the project.
+*/}}
+{{- define "..project" -}}
+{{- default .Chart.Name .Values.project | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}

helm/keycloak/templates/deployment.yaml

@@ -7,17 +7,20 @@ metadata:
  app.kubernetes.io/instance: {{ .Release.Name }}
  app.kubernetes.io/managed-by: {{ .Release.Service }}
  helm.sh/chart: {{ include "..chart" . }}
+ project: {{ include "..project" . }}
 spec:
  replicas: {{ .Values.replicaCount }}
  selector:
  matchLabels:
  app.kubernetes.io/name: {{ include "..name" . }}
  app.kubernetes.io/instance: {{ .Release.Name }}
+ project: {{ include "..project" . }}
  template:
  metadata:
  labels:
  app.kubernetes.io/name: {{ include "..name" . }}
  app.kubernetes.io/instance: {{ .Release.Name }}
+ project: {{ include "..project" . }}
  spec:
  containers:
  - name: {{ .Chart.Name }}

helm/keycloak/templates/network-policies/intra-project-comms.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.networkPolicies.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "..project" . }}-intra-project-comms
+ labels:
+ project: {{ include "..project" . }}
+spec:
+ podSelector:
+ matchLabels:
+ project: {{ include "..project" . }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ project: {{ include "..project" . }}
+{{- end }}

helm/keycloak/templates/route.yaml

@@ -7,6 +7,7 @@ metadata:
  app.kubernetes.io/instance: {{ .Release.Name }}
  app.kubernetes.io/managed-by: {{ .Release.Service }}
  helm.sh/chart: {{ include "..chart" . }}
+ project: {{ include "..project" . }}
  annotations:
  haproxy.router.openshift.io/balance: roundrobin
  haproxy.router.openshift.io/disable_cookies: 'true'

helm/keycloak/templates/secret.yaml

@@ -3,10 +3,11 @@ kind: Secret
 metadata:
  name: {{ include "..fullname" . }}-admin-secret
  labels:
- app: {{ include "..fullname" . }}
- chart: {{ include "..chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "..name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "..chart" . }}
+ project: {{ include "..project" . }}
  annotations:
  "helm.sh/hook": "pre-install"
  "helm.sh/hook-delete-policy": "before-hook-creation"

helm/keycloak/templates/service-app.yaml

@@ -7,6 +7,7 @@ metadata:
  app.kubernetes.io/instance: {{ .Release.Name }}
  app.kubernetes.io/managed-by: {{ .Release.Service }}
  helm.sh/chart: {{ include "..chart" . }}
+ project: {{ include "..project" . }}
  annotations:
  {{- if .Values.tls.enabled }}
  service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.tls.httpsSecret }}

helm/keycloak/templates/service-ping.yaml

@@ -8,6 +8,7 @@ metadata:
  app.kubernetes.io/instance: {{ .Release.Name }}
  app.kubernetes.io/managed-by: {{ .Release.Service }}
  helm.sh/chart: {{ include "..chart" . }}
+ project: {{ include "..project" . }}
  annotations:
  description: "The JGroups ping port for clustering."
  service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"

helm/keycloak/values-c6af30-dev.yaml

@@ -1,5 +1,7 @@
 replicaCount: 3
 
+project: sso-keycloak
+
 image:
  tag: dev
 
@@ -8,11 +10,11 @@ service:
  port: 8443
 
 postgres:
- host: sso-pgsql-master-dev
+ host: sso-patroni
  credentials:
- secret: sso-pgsql-dev
- admin:
- secret: sso-admin-dev
+ secret: sso-patroni
+  adminUsername: postgres
+ passwordKey: password-superuser
 
 tls:
  enabled: true

helm/keycloak/values.yaml

@@ -8,9 +8,13 @@ image:
 imagePullSecrets:
  - name: gh-registry-config
 
+project: sso-keycloak
 nameOverride: sso-keycloak
 fullnameOverride: sso-keycloak
 
+networkPolicies:
+ enabled: true
+
 service:
  type: ClusterIP
  port: 8080

helm/patroni/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: patroni
 description: "Highly available elephant herd: HA PostgreSQL cluster."
-version: 0.16.8
+version: 0.17.8
 appVersion: 1.5-p5
 home: https://github.com/zalando/patroni
 sources:

helm/patroni/Makefile

@@ -1,5 +1,6 @@
 SHELL := /usr/bin/env bash
-NAME=sample-app
+
+NAME=app
 NAMESPACE=3d5c3f-dev
 
 .PHONY: dep
@@ -9,16 +10,19 @@ dep:
  helm repo add consul https://charts.helm.sh/stable
 
 .PHONY: install
+install: dep
 install:
- helm install "${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAME}.yaml"
+ helm install "${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAMESPACE}-${NAME}.yaml"
 
 .PHONY: upgrade
+upgrade: dep
 upgrade:
- helm upgrade --install "${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAME}.yaml"
+ helm upgrade --install "${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAMESPACE}-${NAME}.yaml"
 
 .PHONY: lint
+lint: dep
 lint:
- helm upgrade --dry-run --install "${NAME}" -n "${NAMESPACE}" -f values.yaml -f "values-${NAME}.yaml"
+ helm upgrade --dry-run --install "${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAMESPACE}-${NAME}.yaml"
 
 .PHONY: uninstall
 uninstall:
@@ -27,3 +31,13 @@ uninstall:
 .PHONY: force-install
 force-install: uninstall
 force-install: install
+
+.PHONY: create-random-db-secret
+create-random-db-secret:
+ kubectl create secret generic "${NAME}" -n "${NAMESPACE}" \
+ --from-literal=username-superuser=postgres \
+ --from-literal=username-admin=admin \
+ --from-literal=username-standby=standby \
+ --from-literal=password-superuser=$(shell bash -c 'echo $$RANDOM | md5sum | head -c 32') \
+ --from-literal=password-admin=$(shell bash -c 'echo $$RANDOM | md5sum | head -c 32') \
+ --from-literal=password-standby=$(shell bash -c 'echo $$RANDOM | md5sum | head -c 32')

helm/patroni/README.md

@@ -27,9 +27,14 @@ $ helm dependency update
 ```console
 $ helm install <release-name> sso-keycloak/patroni [--namespace <my-namespace>] [--version <x.y.z>] [--values ./custom-values.yaml]
 
-# To install the chart with randomly generated passwords:
-$ helm install patroni . \
- --set credentials.superuser="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)",credentials.admin="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)",credentials.standby="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)"
+# To create a randomly generated db credentials secret
+$ kubectl create secret generic <secret-name> -n <my-namespace> \
+ --from-literal=username-superuser=postgres \
+ --from-literal=username-admin=admin \
+ --from-literal=username-standby=standby \
+ --from-literal=password-superuser="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)" \
+ --from-literal=password-admin="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)" \
+ --from-literal=password-standby="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)"
 ```
 
 ### Upgrade this chart repository
@@ -56,10 +61,13 @@ The following table lists the configurable parameters of the patroni chart and t
 | `image.repository` | The image to pull | `registry.opensource.zalan.do/acid/spilo-10` |
 | `image.tag` | The version of the image to pull | `1.5-p5` |
 | `image.pullPolicy` | The pull policy | `IfNotPresent` |
-| `credentials.random` | Using passwords created randomly | `true` |
-| `credentials.superuser` | Password of the superuser | `tea` |
-| `credentials.admin` | Password of the admin | `cola` |
-| `credentials.standby` | Password of the replication user | `pinacolada` |
+| `auth.existingSecret` | Using existing credentials secret | `nil` |
+| `auth.superuser.username` | Username of the superuser | `postgres` |
+| `auth.superuser.password` | Password of the superuser | `tea` |
+| `auth.admin.username` | Username of the admin | `admin` |
+| `auth.admin.password` | Password of the admin | `cola` |
+| `auth.standby.username` | Username of the standby | `standby` |
+| `auth.standby.password` | Password of the standby | `pinacolada` |
 | `kubernetes.dcs.enable` | Using Kubernetes as DCS | `true` |
 | `kubernetes.configmaps.enable` | Using Kubernetes configmaps instead of endpoints | `false` |
 | `etcd.enable` | Using etcd as DCS | `false` |

helm/patroni/templates/_helpers.tpl

@@ -1,4 +1,12 @@
 {{/* vim: set filetype=mustache: */}}
+
+{{/*
+Expand the name of the project.
+*/}}
+{{- define "patroni.project" -}}
+{{- default .Chart.Name .Values.project | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}

helm/patroni/templates/role-patroni.yaml

@@ -8,6 +8,7 @@ metadata:
  chart: {{ template "patroni.chart" . }}
  release: {{ .Release.Name }}
  heritage: {{ .Release.Service }}
+ project: {{ template "patroni.project" . }}
 rules:
 - apiGroups: [""]
  resources: ["configmaps"]

helm/patroni/templates/rolebinding-patroni.yaml

@@ -8,6 +8,7 @@ metadata:
  chart: {{ template "patroni.chart" . }}
  release: {{ .Release.Name }}
  heritage: {{ .Release.Service }}
+ project: {{ template "patroni.project" . }}
 subjects:
  - kind: ServiceAccount
  name: {{ template "patroni.serviceAccountName" . }}

helm/patroni/templates/sec-patroni.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.auth.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,20 +8,13 @@ metadata:
  chart: {{ template "patroni.chart" . }}
  release: {{ .Release.Name }}
  heritage: {{ .Release.Service }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-delete-policy": "before-hook-creation"
+ project: {{ template "patroni.project" . }}
 type: Opaque
 data:
- user-superuser: {{ .Values.users.superuser | b64enc }}
- user-admin: {{ .Values.users.admin | b64enc }}
- user-standby: {{ .Values.users.standby | b64enc }}
- {{- if .Values.credentials.random }}
- password-superuser: {{ randAlphaNum 32 | b64enc | quote }}
- password-admin: {{ randAlphaNum 32 | b64enc | quote }}
- password-standby: {{ randAlphaNum 32 | b64enc | quote }}
- {{- else }}
- password-superuser: {{ .Values.credentials.superuser | b64enc }}
- password-admin: {{ .Values.credentials.admin | b64enc }}
- password-standby: {{ .Values.credentials.standby | b64enc }}
- {{- end }}
+ username-superuser: {{ .Values.auth.superuser.username | b64enc }}
+ username-admin: {{ .Values.auth.admin.username | b64enc }}
+ username-standby: {{ .Values.auth.standby.username | b64enc }}
+ password-superuser: {{ .Values.auth.superuser.password | b64enc }}
+ password-admin: {{ .Values.auth.admin.password | b64enc }}
+ password-standby: {{ .Values.auth.standby.password | b64enc }}
+{{- end }}

helm/patroni/templates/serviceaccount-patroni.yaml

@@ -8,4 +8,5 @@ metadata:
  chart: {{ template "patroni.chart" . }}
  release: {{ .Release.Name }}
  heritage: {{ .Release.Service }}
+ project: {{ template "patroni.project" . }}
 {{- end }}

helm/patroni/templates/statefulset-patroni.yaml

@@ -7,19 +7,22 @@ metadata:
  chart: {{ template "patroni.chart" . }}
  release: {{ .Release.Name }}
  heritage: {{ .Release.Service }}
+ project: {{ template "patroni.project" . }}
 spec:
  serviceName: {{ template "patroni.fullname" . }}
  replicas: {{ .Values.replicaCount }}
  selector:
  matchLabels:
  app: {{ template "patroni.fullname" . }}
  release: {{ .Release.Name }}
+ project: {{ template "patroni.project" . }}
  template:
  metadata:
  name: {{ template "patroni.fullname" . }}
  labels:
  app: {{ template "patroni.fullname" . }}
  release: {{ .Release.Name }}
+ project: {{ template "patroni.project" . }}
  spec:
  serviceAccountName: {{ template "patroni.serviceAccountName" . }}
  containers:
@@ -30,32 +33,32 @@ spec:
  - name: PGUSER_SUPERUSER
  valueFrom:
  secretKeyRef:
- name: {{ template "patroni.fullname" . }}
- key: user-superuser
+ name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "patroni.fullname" . }}{{ end }}
+ key: username-superuser
  - name: PGUSER_ADMIN
  valueFrom:
  secretKeyRef:
- name: {{ template "patroni.fullname" . }}
- key: user-admin
+ name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "patroni.fullname" . }}{{ end }}
+ key: username-admin
  - name: PGUSER_STANDBY
  valueFrom:
  secretKeyRef:
- name: {{ template "patroni.fullname" . }}
- key: user-standby
+ name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "patroni.fullname" . }}{{ end }}
+ key: username-standby
  - name: PGPASSWORD_SUPERUSER
  valueFrom:
  secretKeyRef:
- name: {{ template "patroni.fullname" . }}
+ name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "patroni.fullname" . }}{{ end }}
  key: password-superuser
  - name: PGPASSWORD_ADMIN
  valueFrom:
  secretKeyRef:
- name: {{ template "patroni.fullname" . }}
+ name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "patroni.fullname" . }}{{ end }}
  key: password-admin
  - name: PGPASSWORD_STANDBY
  valueFrom:
  secretKeyRef:
- name: {{ template "patroni.fullname" . }}
+ name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "patroni.fullname" . }}{{ end }}
  key: password-standby
  {{- if .Values.kubernetes.dcs.enable }}
  - name: DCS_ENABLE_KUBERNETES_API

helm/patroni/templates/svc-patroni.yaml

@@ -7,6 +7,7 @@ metadata:
  chart: {{ template "patroni.chart" . }}
  release: {{ .Release.Name }}
  heritage: {{ .Release.Service }}
+ project: {{ template "patroni.project" . }}
 spec:
  type: ClusterIP
  ports:
@@ -28,6 +29,7 @@ metadata:
  chart: {{ template "patroni.chart" . }}
  release: {{ .Release.Name }}
  heritage: {{ .Release.Service }}
+ project: {{ template "patroni.project" . }}
 spec:
  type: ClusterIP
  ports: