From e3b012c1708685450badcf2178f5b30189fff332 Mon Sep 17 00:00:00 2001 From: Kalle Fagerberg Date: Fri, 27 Sep 2024 11:48:38 +0200 Subject: [PATCH 1/5] Added securityContext settings to connect chart --- charts/connect/Chart.yaml | 2 +- .../connect/templates/connect-deployment.yaml | 16 +++-- .../templates/operator-deployment.yaml | 13 ++-- .../connect/templates/tests/health-check.yml | 8 +++ .../connect/templates/tests/secret-read.yml | 8 +++ charts/connect/values.yaml | 63 +++++++++++++++++++ 6 files changed, 97 insertions(+), 13 deletions(-) diff --git a/charts/connect/Chart.yaml b/charts/connect/Chart.yaml index 6ad3a43..f457743 100644 --- a/charts/connect/Chart.yaml +++ b/charts/connect/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: connect -version: 1.16.0 +version: 1.17.0 description: A Helm chart for deploying 1Password Connect and the 1Password Connect Kubernetes Operator keywords: - "1Password" diff --git a/charts/connect/templates/connect-deployment.yaml b/charts/connect/templates/connect-deployment.yaml index b853a17..53cbfd3 100644 --- a/charts/connect/templates/connect-deployment.yaml +++ b/charts/connect/templates/connect-deployment.yaml @@ -40,6 +40,10 @@ spec: {{- if .Values.connect.priorityClassName }} priorityClassName: {{ .Values.connect.priorityClassName }} {{- end }} + {{- with .Values.connect.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.connect.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -61,10 +65,10 @@ spec: - name: {{ .Values.connect.api.name }} image: {{ .Values.connect.api.imageRepository }}:{{ tpl .Values.connect.version . }} imagePullPolicy: {{ .Values.connect.imagePullPolicy }} + {{- with .Values.connect.api.securityContext }} securityContext: - runAsUser: 999 - runAsGroup: 999 - allowPrivilegeEscalation: false + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.connect.api.resources | nindent 12 }} env: 
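Review bot: The `{{- with .Values.connect.api.securityContext }}` wrapper in the second connect-deployment hunk turns a previously unconditional hardening block into one that vanishes entirely when the value is empty or null, so an override such as `--set connect.api.securityContext=null` silently removes `allowPrivilegeEscalation: false` with no floor left in the rendered manifest. The same pattern is used for the sync container in the next hunk, for both operator-deployment hunks and later for the secrets-injector deployment. If opt-out is intended it should be stated next to each default in values.yaml, e.g. `# Setting this to {} or null omits the securityContext block from the rendered manifest.`; otherwise render a minimal block unconditionally and only lay the user-supplied keys on top.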
@@ -123,10 +127,10 @@ spec: - name: connect-sync image: {{ .Values.connect.sync.imageRepository }}:{{ tpl .Values.connect.version . }} imagePullPolicy: {{ .Values.connect.imagePullPolicy }} + {{- with .Values.connect.sync.securityContext }} securityContext: - runAsUser: 999 - runAsGroup: 999 - allowPrivilegeEscalation: false + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.connect.sync.resources | nindent 12 }} env: diff --git a/charts/connect/templates/operator-deployment.yaml b/charts/connect/templates/operator-deployment.yaml index ab081e2..cfaca20 100644 --- a/charts/connect/templates/operator-deployment.yaml +++ b/charts/connect/templates/operator-deployment.yaml @@ -39,6 +39,10 @@ spec: {{- if .Values.operator.priorityClassName }} priorityClassName: {{ .Values.operator.priorityClassName }} {{- end }} + {{- with .Values.operator.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.operator.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -50,13 +54,10 @@ spec: - name: {{ .Values.connect.applicationName }} image: {{ .Values.operator.imageRepository }}:{{ .Values.operator.version | default "latest" }} imagePullPolicy: {{ .Values.connect.imagePullPolicy }} + {{- with .Values.operator.securityContext }} securityContext: - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false - capabilities: - drop: - - all + {{- toYaml . | nindent 12 }} + {{- end }} command: [ "/manager" ] args: [ --zap-log-level={{ .Values.operator.logLevel }}] env: diff --git a/charts/connect/templates/tests/health-check.yml b/charts/connect/templates/tests/health-check.yml index 427d449..a342415 100644 --- a/charts/connect/templates/tests/health-check.yml +++ b/charts/connect/templates/tests/health-check.yml 
@@ -11,8 +11,16 @@ metadata: helm.sh/hook-weight: "1" spec: restartPolicy: Never + {{- with .Values.acceptanceTests.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 4 }} + {{- end }} containers: - name: curl image: curlimages/curl command: ["curl", "{{- include "onepassword-connect.url" . }}/health"] + {{- with .Values.acceptanceTests.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/connect/templates/tests/secret-read.yml b/charts/connect/templates/tests/secret-read.yml index 73b649f..ce3ad0b 100644 --- a/charts/connect/templates/tests/secret-read.yml +++ b/charts/connect/templates/tests/secret-read.yml @@ -11,6 +11,10 @@ metadata: helm.sh/hook-weight: "3" spec: restartPolicy: Never + {{- with .Values.acceptanceTests.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 4 }} + {{- end }} containers: - name: secret-assertion image: alpine @@ -30,4 +34,8 @@ spec: secretKeyRef: name: "{{ .Release.Name }}-test-secret" key: password + {{- with .Values.acceptanceTests.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/connect/values.yaml b/charts/connect/values.yaml index cf7b999..60ef7ab 100644 --- a/charts/connect/values.yaml +++ b/charts/connect/values.yaml @@ -42,6 +42,18 @@ connect: # annotations: {} + # Container securityContext to be added to the Connect API containers. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: + runAsUser: 999 + runAsGroup: 999 + allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # The 1Password Connect Sync Specific Values sync: name: connect-sync 
@@ -50,6 +62,18 @@ connect: httpPort: 8081 logLevel: info + # Container securityContext to be added to the Connect Sync containers. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: + runAsUser: 999 + runAsGroup: 999 + allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # The name of 1Password Connect Application applicationName: onepassword-connect @@ -156,6 +180,11 @@ connect: # Additional labels to be added to the Connect API pods. podLabels: {} + # Pod securityContext to be added to the Connect API pods. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # fsGroup: 2000 + # List of tolerations to be added to the Connect API pods. tolerations: [] @@ -261,6 +290,21 @@ operator: # The 1Password Operator version to pull version: "1.8.1" + # Pod securityContext to be added to the 1Password Operator pods. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # fsGroup: 2000 + + # Container securityContext to be added to the 1Password Operator containers. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - all + # Node selector stanza for the Operator pod # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector nodeSelector: {} 
@@ -379,3 +423,22 @@ operator: acceptanceTests: enabled: false fixtures: {} + + # Pod securityContext to be added to the 1Password Acceptance Tests pods. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: + fsGroup: 65532 + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # Container securityContext to be added to the 1Password Acceptance Tests containers. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: + capabilities: + drop: + - all + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false From 4cb3653cea9f7850111956b3275631982a7a2a3e Mon Sep 17 00:00:00 2001 From: Kalle Fagerberg Date: Fri, 27 Sep 2024 11:51:24 +0200 Subject: [PATCH 2/5] Added securityContext settings to secrets-injector chart --- charts/secrets-injector/Chart.yaml | 2 +- charts/secrets-injector/templates/deployment.yaml | 8 ++++++++ charts/secrets-injector/values.yaml | 15 +++++++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/charts/secrets-injector/Chart.yaml b/charts/secrets-injector/Chart.yaml index ea368d5..7d9fb91 100644 --- a/charts/secrets-injector/Chart.yaml +++ b/charts/secrets-injector/Chart.yaml @@ -12,4 +12,4 @@ maintainers: email: support+business@1password.com icon: https://avatars.githubusercontent.com/u/38230737 appVersion: "1.0.2" -version: 1.1.0 +version: 1.2.0 diff --git a/charts/secrets-injector/templates/deployment.yaml b/charts/secrets-injector/templates/deployment.yaml index 16410be..392ed3d 100644 --- a/charts/secrets-injector/templates/deployment.yaml +++ b/charts/secrets-injector/templates/deployment.yaml 
@@ -18,6 +18,10 @@ spec: app: {{ .Values.injector.applicationName }} spec: serviceAccountName: {{ .Values.injector.applicationName }} + {{- with .Values.injector.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ .Values.injector.applicationName }} image: {{ .Values.injector.imageRepository }}:{{ tpl .Values.injector.version . }} @@ -40,6 +44,10 @@ spec: preStop: exec: command: [ "/bin/sh", "-c", "/prestop.sh" ] + {{- with .Values.injector.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.injector.imagePullSecrets }} imagePullSecrets: {{- range . }} diff --git a/charts/secrets-injector/values.yaml b/charts/secrets-injector/values.yaml index 6b5fbae..f866021 100644 --- a/charts/secrets-injector/values.yaml +++ b/charts/secrets-injector/values.yaml @@ -11,3 +11,18 @@ injector: # - name: VARIABLE_NAME # value: VARIABLE_VALUE customEnvVars: [] + + # Pod securityContext to be added to the 1Password secrets injector pods. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # fsGroup: 2000 + + # Container securityContext to be added to the 1Password secrets injector containers. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 From 5f12207a66902e87b979a61e088daf812bfc84d9 Mon Sep 17 00:00:00 2001 From: Kalle Fagerberg Date: Fri, 27 Sep 2024 12:36:39 +0200 Subject: [PATCH 3/5] Enforce 'restricted' Pod Security Standard by default --- charts/connect/values.yaml | 49 ++++++++++--------- .../templates/deployment.yaml | 6 +++ charts/secrets-injector/values.yaml | 22 +++++---- 3 files changed, 45 insertions(+), 32 deletions(-) 
diff --git a/charts/connect/values.yaml b/charts/connect/values.yaml index 60ef7ab..afb9ebe 100644 --- a/charts/connect/values.yaml +++ b/charts/connect/values.yaml @@ -45,14 +45,11 @@ connect: # Container securityContext to be added to the Connect API containers. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container securityContext: - runAsUser: 999 - runAsGroup: 999 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true # The 1Password Connect Sync Specific Values sync: @@ -65,14 +62,11 @@ connect: # Container securityContext to be added to the Connect Sync containers. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container securityContext: - runAsUser: 999 - runAsGroup: 999 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true # The name of 1Password Connect Application applicationName: onepassword-connect @@ -182,8 +176,13 @@ connect: # Pod securityContext to be added to the Connect API pods. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + fsGroup: 999 + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault # List of tolerations to be added to the Connect API pods. tolerations: [] 
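Review bot: `readOnlyRootFilesystem: true` is added to the Connect API and Sync container defaults (hunks @@ -45 and @@ -65) without any writable scratch mount, whereas the secrets-injector deployment in this same patch receives an `emptyDir` at `/tmp` for exactly this reason. The shared `dataVolume` covers the Connect data directory, but if either image writes anywhere else (a temp directory, a log file) the pods will fail at runtime under the new default. Either confirm and record it in values.yaml, e.g. `# The Connect images only write to the shared data volume, so a read-only root filesystem is safe.`, or give these containers the same emptyDir mount. Moving `runAsUser`/`runAsGroup` to the pod level in hunk @@ -182 is fine since both containers used 999 before.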
@@ -292,18 +291,22 @@ operator: # Pod securityContext to be added to the 1Password Operator pods. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + fsGroup: 65532 + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault # Container securityContext to be added to the 1Password Operator containers. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container securityContext: - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false # Node selector stanza for the Operator pod # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector @@ -439,6 +442,6 @@ acceptanceTests: securityContext: capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true allowPrivilegeEscalation: false diff --git a/charts/secrets-injector/templates/deployment.yaml b/charts/secrets-injector/templates/deployment.yaml index 392ed3d..d1b6838 100644 --- a/charts/secrets-injector/templates/deployment.yaml +++ b/charts/secrets-injector/templates/deployment.yaml @@ -48,9 +48,15 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp {{- with .Values.injector.imagePullSecrets }} imagePullSecrets: {{- range . }} - name: {{ . | quote }} {{- end }} {{- end }} + volumes: + - name: tmp + emptyDir: {} diff --git a/charts/secrets-injector/values.yaml b/charts/secrets-injector/values.yaml index f866021..d4b530f 100644 --- a/charts/secrets-injector/values.yaml +++ b/charts/secrets-injector/values.yaml 
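Review bot: The new `/tmp` volume in the secrets-injector deployment hunk (@@ -48) is an unbounded `emptyDir: {}`, and because the container's root filesystem is now read-only it is the only writable location, so a bug or compromise in the injector could exhaust the node's ephemeral storage through it. A bounded volume limits that: `emptyDir:` followed by `  sizeLimit: 64Mi` (example size; pick what the injector actually needs). The `volumes:` key is appended after the `imagePullSecrets` block at the end of the hunk; if the rest of the pod spec, outside this hunk, already declares `volumes:`, the result is a duplicate key that YAML loaders resolve silently, so a `helm template` render check is worth adding to the PR.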
@@ -14,15 +14,19 @@ injector: # Pod securityContext to be added to the 1Password secrets injector pods. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + fsGroup: 65532 + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault # Container securityContext to be added to the 1Password secrets injector containers. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false From 3d4034cdc42a3e9bbab7f1e776fa915dd1c3d8bb Mon Sep 17 00:00:00 2001 From: Kalle Fagerberg Date: Fri, 27 Sep 2024 12:56:54 +0200 Subject: [PATCH 4/5] Added 'pre-upgrade' to also update on upgrades --- charts/secrets-injector/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/secrets-injector/templates/deployment.yaml b/charts/secrets-injector/templates/deployment.yaml index d1b6838..e66b3dc 100644 --- a/charts/secrets-injector/templates/deployment.yaml +++ b/charts/secrets-injector/templates/deployment.yaml @@ -6,7 +6,7 @@ metadata: labels: app: {{ .Values.injector.applicationName }} annotations: - helm.sh/hook: pre-install + helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-weight: "1" spec: selector: From f32a65926d9bf67c344cb97e7742aaddfe33b7d6 Mon Sep 17 00:00:00 2001 From: Kalle Fagerberg Date: Fri, 27 Sep 2024 13:09:22 +0200 Subject: [PATCH 5/5] Updated values in READMEs of charts --- charts/connect/README.md | 213 +++++++++++++++--------------- charts/secrets-injector/README.md | 22 +-- 2 files changed, 121 insertions(+), 114 deletions(-) 
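Review bot: Adding `pre-upgrade` to a Deployment that is itself a Helm hook means that, under Helm's default `before-hook-creation` delete policy, the injector Deployment is deleted and re-created on every `helm upgrade`, leaving a window in which the mutating webhook has no backend. Depending on the webhook's `failurePolicy` (not visible in this patch) that window either blocks pod creation or lets pods start without secrets injected, and the latter is the quieter failure. Worth confirming the policy and noting the behaviour above the annotation, e.g. `# Hook deployment: deleted and re-created on upgrade, so the webhook briefly has no backend.`, or setting an explicit `helm.sh/hook-delete-policy` that matches the intended rollout.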
diff --git a/charts/connect/README.md b/charts/connect/README.md index a84c18f..35e51c8 100644 --- a/charts/connect/README.md +++ b/charts/connect/README.md 
@@ -53,110 +53,115 @@ helm install --set connect.applicationName=connect connect ./connect ### Values -| Key | Type | Default | Description | -|-------------------------------------|------------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| connect.create | boolean | `true` | Denotes whether the 1Password Connect server will be deployed | -| connect.replicas | integer | `1` | The number of replicas to run the 1Password Connect deployment | -| connect.applicationName | string | `"onepassword-connect"` | The name of 1Password Connect Application | -| connect.host | string | `"onepassword-connect"` | The name of 1Password Connect Host | -| connect.api.imageRepository | string | `"1password/connect-api` | The 1Password Connect API repository | -| connect.api.name | string | `"connect-api"` | The name of the 1Password Connect API container | -| connect.api.resources | object | `{}` | The resources requests/limits for the 1Password Connect API pod | -| connect.api.httpPort | integer | `8080` | The port the Connect API is served on when TLS is disabled | -| connect.api.httpsPort | integer | `8443` | The port the Connect API is served on when TLS is enabled | -| connect.api.logLevel | string | `info` | Log level of the Connect API container. Valid options are: trace, debug, info, warn, error. | -| connect.credentials | jsonString | | Contents of the 1password-credentials.json file for Connect. Can be set be adding `--set-file connect.credentials=` to your helm install command | -| connect.credentials_base64 | string | | Base64-encoded contents of the 1password-credentials.json file for Connect. This can be used instead of `connect.credentials` in case supplying raw JSON to `connect.credentials` leads to issues. 
| -| connect.credentialsKey | string | `"1password-credentials.json"` | The key for the 1Password Connect Credentials stored in the credentials secret, the credentials must be encoded as a base64 string | -| connect.credentialsName | string | `"op-credentials"` | The name of Kubernetes Secret containing the 1Password Connect credentials | -| connect.dataVolume.name | string | `"shared-data"` | The name of the shared volume used between 1Password Connect Containers | -| connect.dataVolume.type | string | `"emptyDir"` | The type of the shared volume used between 1Password Connect Containers | -| connect.dataVolume.values | object | `{}` | Desribes the fields and values for configuration of shared volume for 1Password Connect | -| connect.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Connect API image pull policy | -| connect.imagePullSecrets | array | `[]` | List of secret names to use as image pull secrets. Secrets must exist in the same namespace. | -| connect.ingress.annotations | object | `{}` | The 1Password Connect Ingress Annotations | -| connect.ingress.enabled | bool | `false` | The boolean value to enable/disable the 1Password Connect | -| connect.ingress.extraPaths | list | `[]` | Additional Ingress Paths | -| connect.ingress.hosts[0].host | string | `"chart-example.local"` | The 1Password Connect Ingress Hostname | -| connect.ingress.hosts[0].paths | list | `[]` | The 1Password Connect Ingress Path | -| connect.ingress.ingressClassName | string | `""` | Optionally use ingressClassName instead of deprecated annotation. 
| -| connect.ingress.labels | object | `{}` | Ingress labels for 1Password Connect | -| connect.ingress.pathType | string | `"Prefix"` | Ingress PathType see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | -| connect.ingress.tls | list | `[]` | Ingress TLS see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) | -| connect.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the Connect pod | -| connect.priorityClassName | string | `""` | [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) to apply to the Connect API deployment resource. | -| connect.affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) rules for the Connect pod | -| connect.hpa.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Connect pod | -| connect.hpa.annotations | object | `{}` | Additional annotations to be added to the HPA Connect | -| connect.hpa.minReplicas | integer | `1` | Minimum number of replicas for the Connect pod | -| connect.hpa.maxReplicas | integer | `3` | Maximum number of replicas for the Connect pod | -| connect.hpa.avgMemoryUtilization | integer | `50` | Average Memory utilization percentage for the Connect pod | -| connect.hpa.avgCpuUtilization | integer | `50` | Average CPU utilization percentage for the Connect pod | -| connect.hpa.behavior | object | `{}` | Defines the Autoscaling Behavior in up/down directions | -| connect.pdb.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Connect pod | -| connect.pdb.annotations | object | `{}` | Additional annotations to be added to the PDB Connect | -| connect.pdb.maxUnavailable | integer | `1` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%) | -| 
connect.pdb.minAvailable | integer | `0` | Number of pods that are available after eviction as number or percentage (eg.: 50%) | -| connect.probes.readiness | boolean | `true` | Denotes whether the 1Password Connect API readiness probe will operate and ensure the pod is ready before serving traffic | -| connect.probes.liveness | boolean | `true` | Denotes whether the 1Password Connect API will be continually checked by Kubernetes for liveness and restarted if the pod becomes unresponsive | -| connect.annotations | object | `{}` | Additional annotations to be added to the Connect API deployment resource. | -| connect.labels | object | `{}` | Additional labels to be added to the Connect API deployment resource. | -| connect.podAnnotations | object | `{}` | Additional annotations to be added to the Connect API pods. | -| connect.podLabels | object | `{}` | Additional labels to be added to the Connect API pods. | -| connect.serviceType | string | `NodePort` | The type of Service resource to create for the Connect API and sync services. | -| connect.serviceAnnotations | object | `{}` | Additional annotations to be added to the service. | -| connect.sync.imageRepository | string | `"1password/connect-sync"` | The 1Password Connect Sync repository | -| connect.sync.name | string | `"connect-sync"` | The name of the 1Password Connect Sync container | -| connect.sync.resources | object | `{}` | The resources requests/limits for the 1Password Connect Sync pod | -| connect.sync.httpPort | integer | `8081` | The port serving the health of the Sync container | -| connect.sync.logLevel | string | `info` | Log level of the Connect Sync container. Valid options are: trace, debug, info, warn, error. 
| -| connect.tls.enabled | boolean | `false` | Denotes whether the Connect API is secured with TLS | -| connect.tls.secret | string | `"op-connect-tls"` | The name of the secret containing the TLS key (`tls.key`) and certificate (`tls.crt`) | -| connect.tolerations | list | `[]` | List of tolerations to be added to the Connect API pods. | -| connect.customEnvVars | array | `[]` | Custom Environment Variables for the 1Password Connect container. | -| connect.version | string | `{{.Chart.AppVersion}}` | The 1Password Connect version to pull | -| operator.autoRestart | boolean | `false` | Denotes whether the 1Password Operator will automatically restart deployments based on associated updated secrets. | -| operator.create | boolean | `false` | Denotes whether the 1Password Operator will be deployed | -| operator.replicas | integer | `1` | The number of replicas to run the 1Password Operator deployment | -| operator.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Operator image pull policy | -| operator.imagePullSecrets | array | `[]` | List of secret names to use as image pull secrets. Secrets must exist in the same namespace. 
| -| operator.imageRepository | string | `"1password/onepassword-operator"` | The 1Password Operator repository | -| operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the operator pod | -| operator.affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) rules for the Operator pod | -| operator.hpa.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Operator pod | -| operator.hpa.annotations | object | `{}` | Additional annotations to be added to the HPA Operator | -| operator.hpa.minReplicas | integer | `1` | Minimum number of replicas for the Operator pod | -| operator.hpa.maxReplicas | integer | `3` | Maximum number of replicas for the Operator pod | -| operator.hpa.avgMemoryUtilization | integer | `50` | Average Memory utilization percentage for the Operator pod | -| operator.hpa.avgCpuUtilization | integer | `50` | Average CPU utilization percentage for the Operator pod | -| operator.hpa.behavior | object | `{}` | Defines the Autoscaling Behavior in up/down directions | -| operator.pdb.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Operator pod | -| operator.pdb.annotations | object | `{}` | Additional annotations to be added to the PDB Operator | -| operator.pdb.maxUnavailable | integer | `1` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%) | -| operator.pdb.minAvailable | integer | `0` | Number of pods that are available after eviction as number or percentage (eg.: 50%) | -| operator.annotations | object | `{}` | Additional annotations to be added to the Operator deployment resource. | -| operator.labels | object | `{}` | Additional labels to be added to the Operator deployment resource. | -| operator.logLevel | string | `info` | Log level of the Operator container. 
Valid options are: debug, info and error. | -| operator.podAnnotations | object | `{}` | Additional annotations to be added to the Operator pods. | -| operator.podLabels | object | `{}` | Additional labels to be added to the Operator pods. | -| operator.pollingInterval | integer | `600` | How often the 1Password Operator will poll for secrets updates. | -| operator.priorityClassName | string | `""` | [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) to apply to the Operator pods. | -| operator.clusterRole.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a cluster role will be created for each for the 1Password Operator | -| operator.clusterRole.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Cluster Role | -| operator.clusterRoleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a Cluster role binding will be created for the 1Password Operator Service Account | -| operator.roleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a role binding will be created for each Namespace for the 1Password Operator Service Account | -| operator.roleBinding.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Role Binding | -| operator.serviceAccount.annotations | object | `{}` | Annotations for the 1Password Connect Service Account | -| operator.serviceAccount.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a service account will be created for the 1Password Operator | -| operator.serviceAccount.name | string | `"onepassword-connect-operator"` | The name of the 1Password Conenct Operator | -| operator.tolerations | list | `[]` | List of tolerations to be added to the Operator pods. 
|
-| operator.version | string | `"1.8.0"` | T 1Password Operator version to pull |
-| operator.token.key | string | `"token"` | The key for the 1Password Connect token stored in the 1Password token secret |
-| operator.token.name | string | `"onepassword-token"` | The name of Kubernetes Secret containing the 1Password Connect API token |
-| operator.token.value | string | `"onepassword-token"` | An API token generated for 1Password Connect to be used by the Connect Operator |
-| operator.watchNamespace | list | `[]` | A list of namespaces for the 1Password Operator to watch and manage. Use the empty list to watch all namespaces. |
-| operator.resources | object | `{}` | The resources requests/limits for the 1Password Operator pod |
-| operator.customEnvVars | array | `[]` | Custom environment variables for the 1Password Operator container that are not specified in this helm chart. |
+| Key | Type | Default | Description |
+|-------------------------------------|------------|-------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| connect.create | boolean | `true` | Denotes whether the 1Password Connect server will be deployed |
+| connect.replicas | integer | `1` | The number of replicas to run the 1Password Connect deployment |
+| connect.applicationName | string | `"onepassword-connect"` | The name of 1Password Connect Application |
+| connect.host | string | `"onepassword-connect"` | The name of 1Password Connect Host |
+| connect.api.imageRepository | string | `"1password/connect-api` | The 1Password Connect API repository |
+| connect.api.name | string | `"connect-api"` | The name of the 1Password Connect API container |
+| connect.api.resources | object | `{}` | The resources requests/limits for the 1Password Connect API pod |
+| connect.api.httpPort | integer | `8080` | The port the Connect API is served on when TLS is disabled |
+| connect.api.httpsPort | integer | `8443` | The port the Connect API is served on when TLS is enabled |
+| connect.api.logLevel | string | `info` | Log level of the Connect API container. Valid options are: trace, debug, info, warn, error. |
+| connect.api.securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false}` | Container securityContext to be added to the Connect API containers. |
+| connect.credentials | jsonString | | Contents of the 1password-credentials.json file for Connect. Can be set be adding `--set-file connect.credentials=` to your helm install command |
+| connect.credentials_base64 | string | | Base64-encoded contents of the 1password-credentials.json file for Connect. This can be used instead of `connect.credentials` in case supplying raw JSON to `connect.credentials` leads to issues. |
+| connect.credentialsKey | string | `"1password-credentials.json"` | The key for the 1Password Connect Credentials stored in the credentials secret, the credentials must be encoded as a base64 string |
+| connect.credentialsName | string | `"op-credentials"` | The name of Kubernetes Secret containing the 1Password Connect credentials |
+| connect.dataVolume.name | string | `"shared-data"` | The name of the shared volume used between 1Password Connect Containers |
+| connect.dataVolume.type | string | `"emptyDir"` | The type of the shared volume used between 1Password Connect Containers |
+| connect.dataVolume.values | object | `{}` | Desribes the fields and values for configuration of shared volume for 1Password Connect |
+| connect.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Connect API image pull policy |
+| connect.imagePullSecrets | array | `[]` | List of secret names to use as image pull secrets. Secrets must exist in the same namespace. |
+| connect.ingress.annotations | object | `{}` | The 1Password Connect Ingress Annotations |
+| connect.ingress.enabled | bool | `false` | The boolean value to enable/disable the 1Password Connect |
+| connect.ingress.extraPaths | list | `[]` | Additional Ingress Paths |
+| connect.ingress.hosts[0].host | string | `"chart-example.local"` | The 1Password Connect Ingress Hostname |
+| connect.ingress.hosts[0].paths | list | `[]` | The 1Password Connect Ingress Path |
+| connect.ingress.ingressClassName | string | `""` | Optionally use ingressClassName instead of deprecated annotation. |
+| connect.ingress.labels | object | `{}` | Ingress labels for 1Password Connect |
+| connect.ingress.pathType | string | `"Prefix"` | Ingress PathType see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) |
+| connect.ingress.tls | list | `[]` | Ingress TLS see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) |
+| connect.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the Connect pod |
+| connect.priorityClassName | string | `""` | [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) to apply to the Connect API deployment resource. |
+| connect.affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) rules for the Connect pod |
+| connect.hpa.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Connect pod |
+| connect.hpa.annotations | object | `{}` | Additional annotations to be added to the HPA Connect |
+| connect.hpa.minReplicas | integer | `1` | Minimum number of replicas for the Connect pod |
+| connect.hpa.maxReplicas | integer | `3` | Maximum number of replicas for the Connect pod |
+| connect.hpa.avgMemoryUtilization | integer | `50` | Average Memory utilization percentage for the Connect pod |
+| connect.hpa.avgCpuUtilization | integer | `50` | Average CPU utilization percentage for the Connect pod |
+| connect.hpa.behavior | object | `{}` | Defines the Autoscaling Behavior in up/down directions |
+| connect.pdb.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Connect pod |
+| connect.pdb.annotations | object | `{}` | Additional annotations to be added to the PDB Connect |
+| connect.pdb.maxUnavailable | integer | `1` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%) |
+| connect.pdb.minAvailable | integer | `0` | Number of pods that are available after eviction as number or percentage (eg.: 50%) |
+| connect.probes.readiness | boolean | `true` | Denotes whether the 1Password Connect API readiness probe will operate and ensure the pod is ready before serving traffic |
+| connect.probes.liveness | boolean | `true` | Denotes whether the 1Password Connect API will be continually checked by Kubernetes for liveness and restarted if the pod becomes unresponsive |
+| connect.annotations | object | `{}` | Additional annotations to be added to the Connect API deployment resource. |
+| connect.labels | object | `{}` | Additional labels to be added to the Connect API deployment resource. |
+| connect.podAnnotations | object | `{}` | Additional annotations to be added to the Connect API pods. |
+| connect.podLabels | object | `{}` | Additional labels to be added to the Connect API pods. |
+| connect.serviceType | string | `NodePort` | The type of Service resource to create for the Connect API and sync services. |
+| connect.serviceAnnotations | object | `{}` | Additional annotations to be added to the service. |
+| connect.sync.imageRepository | string | `"1password/connect-sync"` | The 1Password Connect Sync repository |
+| connect.sync.name | string | `"connect-sync"` | The name of the 1Password Connect Sync container |
+| connect.sync.resources | object | `{}` | The resources requests/limits for the 1Password Connect Sync pod |
+| connect.sync.httpPort | integer | `8081` | The port serving the health of the Sync container |
+| connect.sync.logLevel | string | `info` | Log level of the Connect Sync container. Valid options are: trace, debug, info, warn, error. |
+| connect.sync.securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false}` | Container securityContext to be added to the Connect Sync containers. |
+| connect.tls.enabled | boolean | `false` | Denotes whether the Connect API is secured with TLS |
+| connect.tls.secret | string | `"op-connect-tls"` | The name of the secret containing the TLS key (`tls.key`) and certificate (`tls.crt`) |
+| connect.tolerations | list | `[]` | List of tolerations to be added to the Connect API pods. |
+| connect.customEnvVars | array | `[]` | Custom Environment Variables for the 1Password Connect container. |
+| connect.version | string | `{{.Chart.AppVersion}}` | The 1Password Connect version to pull |
+| connect.podSecurityContext | object | `{"fsGroup":999,"runAsUser":999,"runAsGroup":999,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod securityContext to be added to the Connect API pods. |
+| operator.autoRestart | boolean | `false` | Denotes whether the 1Password Operator will automatically restart deployments based on associated updated secrets. |
+| operator.create | boolean | `false` | Denotes whether the 1Password Operator will be deployed |
+| operator.replicas | integer | `1` | The number of replicas to run the 1Password Operator deployment |
+| operator.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Operator image pull policy |
+| operator.imagePullSecrets | array | `[]` | List of secret names to use as image pull secrets. Secrets must exist in the same namespace. |
+| operator.imageRepository | string | `"1password/onepassword-operator"` | The 1Password Operator repository |
+| operator.podSecurityContext | object | `{"fsGroup":65532,"runAsUser":65532,"runAsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod securityContext to be added to the 1Password Operator pods. |
+| operator.securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false}` | Container securityContext to be added to the 1Password Operator containers. |
+| operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the operator pod |
+| operator.affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) rules for the Operator pod |
+| operator.hpa.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Operator pod |
+| operator.hpa.annotations | object | `{}` | Additional annotations to be added to the HPA Operator |
+| operator.hpa.minReplicas | integer | `1` | Minimum number of replicas for the Operator pod |
+| operator.hpa.maxReplicas | integer | `3` | Maximum number of replicas for the Operator pod |
+| operator.hpa.avgMemoryUtilization | integer | `50` | Average Memory utilization percentage for the Operator pod |
+| operator.hpa.avgCpuUtilization | integer | `50` | Average CPU utilization percentage for the Operator pod |
+| operator.hpa.behavior | object | `{}` | Defines the Autoscaling Behavior in up/down directions |
+| operator.pdb.enabled | boolean | `false` | Enable Horizontal Pod Autoscaling for the Operator pod |
+| operator.pdb.annotations | object | `{}` | Additional annotations to be added to the PDB Operator |
+| operator.pdb.maxUnavailable | integer | `1` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%) |
+| operator.pdb.minAvailable | integer | `0` | Number of pods that are available after eviction as number or percentage (eg.: 50%) |
+| operator.annotations | object | `{}` | Additional annotations to be added to the Operator deployment resource. |
+| operator.labels | object | `{}` | Additional labels to be added to the Operator deployment resource. |
+| operator.logLevel | string | `info` | Log level of the Operator container. Valid options are: debug, info and error. |
+| operator.podAnnotations | object | `{}` | Additional annotations to be added to the Operator pods. |
+| operator.podLabels | object | `{}` | Additional labels to be added to the Operator pods. |
+| operator.pollingInterval | integer | `600` | How often the 1Password Operator will poll for secrets updates. |
+| operator.priorityClassName | string | `""` | [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) to apply to the Operator pods. |
+| operator.clusterRole.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a cluster role will be created for each for the 1Password Operator |
+| operator.clusterRole.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Cluster Role |
+| operator.clusterRoleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a Cluster role binding will be created for the 1Password Operator Service Account |
+| operator.roleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a role binding will be created for each Namespace for the 1Password Operator Service Account |
+| operator.roleBinding.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Role Binding |
+| operator.serviceAccount.annotations | object | `{}` | Annotations for the 1Password Connect Service Account |
+| operator.serviceAccount.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a service account will be created for the 1Password Operator |
+| operator.serviceAccount.name | string | `"onepassword-connect-operator"` | The name of the 1Password Conenct Operator |
+| operator.tolerations | list | `[]` | List of tolerations to be added to the Operator pods. |
+| operator.version | string | `"1.8.0"` | T 1Password Operator version to pull |
+| operator.token.key | string | `"token"` | The key for the 1Password Connect token stored in the 1Password token secret |
+| operator.token.name | string | `"onepassword-token"` | The name of Kubernetes Secret containing the 1Password Connect API token |
+| operator.token.value | string | `"onepassword-token"` | An API token generated for 1Password Connect to be used by the Connect Operator |
+| operator.watchNamespace | list | `[]` | A list of namespaces for the 1Password Operator to watch and manage. Use the empty list to watch all namespaces. |
+| operator.resources | object | `{}` | The resources requests/limits for the 1Password Operator pod |
+| operator.customEnvVars | array | `[]` | Custom environment variables for the 1Password Operator container that are not specified in this helm chart. |
 #### Custom Environment Variables
diff --git a/charts/secrets-injector/README.md b/charts/secrets-injector/README.md
index 1f7ffee..12f1eb6 100644
--- a/charts/secrets-injector/README.md
+++ b/charts/secrets-injector/README.md
@@ -30,16 +30,18 @@ $ helm install --set injector.applicationName=injector injector ./secrets-inject
 ### Values
-| Key | Type | Default | Description |
-|---------------------------|---------|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
-| injector.applicationName | string | `"secrets-injector"` | The name of 1Password Kubernetes Secrets Injector Application |
-| injector.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Secrets Injector docker image policy. `"IfNotPresent"` means the image is pulled only if it is not already present locally. |
-| injector.imagePullSecrets | array | `[]` | Global list of secret names to use as image pull secrets for all pod specs in the chart. Secrets must exist in the same namespace |
-| injector.imageRepository | string | `"1password/kubernetes-secrets-injector"` | The 1Password Secrets Injector docker image repository |
-| injector.port | string | `443` | The port the Secrets Injector exposes |
-| injector.targetPort | integer | `8443` | The port the Secrets Injector API sends requests to the pod |
-| injector.version | string | `{{.Chart.AppVersion}}` | The 1Password Secrets Injector version to pull. |
-| injector.customEnvVars | array | `[]` | Custom Environment Variables for the 1Password Secrets Injector container that are not specified in this helm chart. |
+| Key | Type | Default | Description |
+|-----------------------------|---------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
+| injector.applicationName | string | `"secrets-injector"` | The name of 1Password Kubernetes Secrets Injector Application |
+| injector.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Secrets Injector docker image policy. `"IfNotPresent"` means the image is pulled only if it is not already present locally. |
+| injector.imagePullSecrets | array | `[]` | Global list of secret names to use as image pull secrets for all pod specs in the chart. Secrets must exist in the same namespace |
+| injector.imageRepository | string | `"1password/kubernetes-secrets-injector"` | The 1Password Secrets Injector docker image repository |
+| injector.port | string | `443` | The port the Secrets Injector exposes |
+| injector.targetPort | integer | `8443` | The port the Secrets Injector API sends requests to the pod |
+| injector.version | string | `{{.Chart.AppVersion}}` | The 1Password Secrets Injector version to pull. |
+| injector.customEnvVars | array | `[]` | Custom Environment Variables for the 1Password Secrets Injector container that are not specified in this helm chart. |
+| injector.podSecurityContext | object | `{"fsGroup":65532,"runAsUser":65532,"runAsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod `securityContext` for the 1Password Secrets Injector pod. |
+| injector.securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false}` | Container `securityContext` for the 1Password Secrets Injector container. |
 #### Custom Environment Variables