diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index ce6ccba..c84ef7e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -7,8 +7,10 @@ on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + # Runs weekly at 16:29 on Mondays. schedule: - cron: '29 16 * * 1' push:
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ee3892e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+charts/
diff --git a/helm/applications/sshd/Chart.lock b/helm/applications/sshd/Chart.lock
new file mode 100644
index 0000000..93ef7b1
--- /dev/null
+++ b/helm/applications/sshd/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: file://../../common
+ version: 1.0.0
+digest: sha256:002240b61dab8d637689129ba617df79c1ee616902bfa8c05ec39fdf0a7ee8ac
+generated: "2024-11-18T15:06:05.433377648-08:00"
diff --git a/helm/applications/sshd/Chart.yaml b/helm/applications/sshd/Chart.yaml
new file mode 100644
index 0000000..11e63cb
--- /dev/null
+++ b/helm/applications/sshd/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: sshd
+description: "An SSHD service with SSSD to get users from LDAP"
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
+
+dependencies:
+ - name: common
+ version: "^1.0.0"
+ repository: "file://../../common"
diff --git a/helm/applications/sshd/README.md b/helm/applications/sshd/README.md
new file mode 100644
index 0000000..6359d02
--- /dev/null
+++ b/helm/applications/sshd/README.md
@@ -0,0 +1,46 @@
+# Deployment Guilde
+
+- [Dependencies](#dependencies)
+- [Helm](#helm-repository)
+
+
+## Dependencies
+
+- An existing Kubernetes cluster, version 1.26 or greater.
+- A working [`base` Helm Chart](https://github.com/opencadc/science-platform/tree/main/deployment/helm#base-install) install. If using Traefik, add a port (entry point) that this SSHD service will expose, which will be declared in the `traefik.ports` section. Example:
+ ```yaml
+ # Install Traefik by default. Set to true to add it in. Omitting it defaults to true, so beware.
+ traefik:
+ install: true
+ ports:
+ sshd:
+ port: 64022 # Expose port 64022.
+ expose: true
+ ```
+- A `PersistentVolumeClaim` claiming storage that contains the root of the User Storage. This will be the same `PersistentVolumeClaim` that Cavern uses (if installed). See
+- A Kubernetes secret called `sssd-ldap-secret` in the Skaha Namespace (defaults to `skaha-system`) with a single key of `ldap-password` whose value is the password of the LDAP bind user as configured in the `values.yaml` file for (`deployment.sshd.ldap.bindDN`):
+ - `kubectl -n skaha-system create secret generic sssd-ldap-secret --from-literal="ldap-password=my-super-secret-passwd"`
+
+## Sample Values file
+
+```yaml
+deployment:
+ sshd:
+ entryPoint: sshd
+ rootPath: "/cavern" # If Cavern is installed, this will point to the same location as deployment.cavern.filesystem.subPath.
+
+ # LDAP configuration information. Authentication is handled by the secret/sssd.conf file.
+ ldap:
+ url: "ldaps://my-ldap-host.example.org"
+ searchBase: "dc=exmaple,dc=org"
+ userSearchBase: "ou=users,ou=ds,dc=example,dc=org"
+ groupSearchBase: "ou=groups,ou=ds,dc=example,dc=org"
+ bindDN: "uid=superuser,ou=Admins,dc=example,dc=org"
+
+storage:
+ service:
+ spec:
+ persistentVolumeClaim:
+ claimName: skaha-pvc # Match this label up with whatever was installed in the base install, or the desired PVC, or create dynamically provisioned storage.
+
+```
diff --git a/helm/applications/sshd/config/sshd_config b/helm/applications/sshd/config/sshd_config
new file mode 100644
index 0000000..0de23a4
--- /dev/null
+++ b/helm/applications/sshd/config/sshd_config
@@ -0,0 +1,142 @@
+# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+Port 2222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+#Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp internal-sftp
+
+# Example of overriding settings on a per-user basis
+Match User *
+ChrootDirectory {{ .Values.rootPath }}
+X11Forwarding no
+AllowTcpForwarding no
+PermitTTY no
+ForceCommand internal-sftp
diff --git a/helm/applications/sshd/secret/sssd.conf b/helm/applications/sshd/secret/sssd.conf
new file mode 100644
index 0000000..ed26f69
--- /dev/null
+++ b/helm/applications/sshd/secret/sssd.conf
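Review bot: `PermitRootLogin` and `MaxAuthTries` are left commented at their compiled-in defaults (`#PermitRootLogin yes`, `#MaxAuthTries 6`) while `PasswordAuthentication yes` is the only enabled login path and sshd-ingress.yaml in this commit exposes the port to every source through a wildcard HostSNI match; set them explicitly, `PermitRootLogin no` and `MaxAuthTries 3`, so the policy does not depend on which OpenSSH build the image happens to ship. `X11Forwarding yes` at the top level is overridden by `X11Forwarding no` in the trailing `Match User *` block, and `GSSAPIAuthentication yes` is enabled although nothing in the chart configures Kerberos, so both read as copied-in defaults rather than decisions; `X11Forwarding no` and `GSSAPIAuthentication no` globally would state the SFTP-only profile that the Match block enforces. OpenSSH also refuses a `ChrootDirectory` unless every component of the path is root-owned and not writable by any other user or group, which neither this file nor the `rootPath` documentation mentions; a comment above `ChrootDirectory {{ .Values.rootPath }}`, `# rootPath and all of its parents must be root-owned and not group/world writable, or sshd rejects the chroot`, would save a failed first login against the mounted volume.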
@@ -0,0 +1,38 @@
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = cadc
+debug_level = 9
+[nss]
+filter_groups = nobody,root,daemon,bin,sys,adm,uucp,nuucp,security,cron,lpd,audit,lp,printq,staff,system,usr,smmsp,ldap,guest,wheel,milter,sshd,centos
+filter_users = nobody,root,daemon,bin,sys,adm,uucp,nuucp,security,cron,lpd,audit,lp,printq,staff,system,usr,smmsp,ldap,guest,wheel,milter,sshd,centos
+[pam]
+[domain/cadc]
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+access_provider = ldap
+filter_users = nobody, root, daemon, bin, sys, adm, uucp, nuucp, security, cron, lpd, audit, lp, printq, staff, system, usr, smmsp, ldap, guest, wheel, milter, sshd, centos
+access_provider = permit
+min_id = 1001
+cache_credentials = True
+enumerate = False
+override_homedir = {{ .Values.rootPath }}/home/%u
+debug_level = 8
+{{ $ldapPassword := include "getSecretKeyValue" (list "sssd-ldap-secret" "ldap-password" .Release.Namespace) -}}
+{{ with .Values.ldap -}}
+ldap_uri = {{ .url }}
+ldap_search_base = {{ .searchBase }}
+ldap_user_search_base = {{ .userSearchBase }}
+ldap_group_search_base = {{ .groupSearchBase }}
+ldap_group_member = uniqueMember
+ldap_user_member_of = memberOf
+ldap_default_bind_dn = {{ .bindDN }}
+ldap_user_name = {{ .userNameField | default "cn" }}
+ldap_user_gecos = email
+ldap_default_authtok_type = password
+ldap_default_authtok = {{ $ldapPassword }}
+ldap_user_object_class = cadcaccount
+ldap_group_object_class = groupofuniquenames
+ldap_schema = rfc2307bis
+{{- end }}
diff --git a/helm/applications/sshd/templates/_helper.tpl b/helm/applications/sshd/templates/_helper.tpl
new file mode 100644
index 0000000..d5c1ef5
--- /dev/null
+++ b/helm/applications/sshd/templates/_helper.tpl
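Review bot: `access_provider` appears twice in `[domain/cadc]`, first as `ldap` and then as `permit`; the later value presumably wins, as with most INI parsers, so the LDAP-side access control the first line implies is never applied and every account the ID provider resolves above `min_id` may log in — keep a single line and, if `permit` is the intent, say so in a comment. `debug_level = 9` in `[sssd]` and `8` in the domain are trace-level settings whose output can include LDAP request and attribute detail for every lookup in the pod's log stream; `debug_level = 2` (or leaving it unset) is the sensible shipped default, with the higher levels documented as a troubleshooting override. Nothing here enables transport security for the bind: `ldap_uri` is whatever `ldap.url` contains, and the values.yaml example in this commit uses `ldap://example.org:389`, over which `ldap_default_authtok` would likely travel in clear text; adding `ldap_id_use_start_tls = true` and `ldap_tls_reqcert = demand`, or documenting that only `ldaps://` URLs are supported, closes that. `{{ with .Values.ldap -}}` also emits no `ldap_*` lines at all when `ldap` stays at its `{}` default, so `{{ with (.Values.ldap | required "ldap configuration is required") -}}` would fail the render the way the deployment does for `rootPath`, instead of producing a domain with no server.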
@@ -0,0 +1,39 @@
+{{- /*
+Generate a new key field in the given secret if it does not already exist. The .pub field is intentionally
+left empty as Helm cannot generate it. We maintain the private keys though, so the user won't be bothered
+by the constant host name issue.
+*/}}
+{{- define "sshd.gen.key" -}}
+ {{- $namespace := .namespace }}
+ {{- $secretName := .secretName }}
+ {{- $secretFieldName := .secretFieldName }}
+ {{- $keyType := .keyType }}
+ # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
+ {{- $secretObj := (lookup "v1" "Secret" $namespace $secretName) | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ # set $apiSecret to existing secret data or generate a random one when not exists
+ {{- $apiSecret := (get $secretData $secretFieldName) | default (genPrivateKey $keyType | b64enc) }}
+ {{ $secretFieldName }}: {{ $apiSecret }}
+{{- end -}}
+
+{{/*
+GetSecretKeyValue gets the value of a key from within a specified Secret.
+Usage: {{ getSecretKeyValue "existingSecretName" "keyName" "namespace" }}
+*/}}
+{{- define "getSecretKeyValue" -}}
+{{- $secretName := index . 0 -}}
+{{- $keyName := index . 1 -}}
+{{- $namespace := index . 2 -}}
+{{- $secret := (lookup "v1" "Secret" $namespace $secretName) -}}
+{{- if $secret -}}
+ {{- $value := index $secret.data $keyName -}}
+ {{- if $value -}}
+ {{- $decodedValue := $value | b64dec -}}
+ {{- print $decodedValue -}}
+ {{- else -}}
+ {{- fail (printf "Error: Key %s not found in the secret %s in namespace %s" $keyName $secretName $namespace) -}}
+ {{- end -}}
+{{- else -}}
+ {{- fail (printf "Error: Secret %s not found in namespace %s" $secretName $namespace) -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/applications/sshd/templates/sshd-config.yaml b/helm/applications/sshd/templates/sshd-config.yaml
new file mode 100644
index 0000000..e007389
--- /dev/null
+++ b/helm/applications/sshd/templates/sshd-config.yaml
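Review bot: In `sshd.gen.key` the two lines starting `# retrieve the secret data` and `# set $apiSecret` are plain template text, not Go-template comments, so they are written into the rendered Secret manifest under `data:` (YAML treats them as comments, so the object is still valid, but they show up in `helm get manifest` output); wrapping them as `{{- /* ... */ -}}` keeps them out of the rendered object. The `| default dict` fallbacks also mean that whenever `lookup` returns nothing — `helm template`, a client-side `--dry-run`, or any render without API access — `genPrivateKey` produces a fresh host key, and on a subsequent real upgrade that key silently replaces the one clients have pinned in `known_hosts`, which is the "constant host name issue" the header comment says this helper exists to avoid; a note on the `$secretObj` line, `# NOTE: outside a server-side render lookup is empty and a new key is generated, rotating the host key on the next upgrade`, would at least make that visible to the operator. The `Usage:` comment for `getSecretKeyValue` shows a direct call, but sssd.conf invokes it as `include "getSecretKeyValue" (list "secret" "key" "namespace")`; the comment should show the `include` form.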
@@ -0,0 +1,13 @@
+{{ $secretName := printf "%s-config" .Release.Name }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+{{- range list "rsa" "ecdsa" "ed25519" }}
+ {{- $keyFileName := printf "ssh_host_%s_key" . -}}
+ {{- include "sshd.gen.key" (dict "namespace" $.Release.Namespace "secretName" $secretName "secretFieldName" $keyFileName "keyType" .) -}}
+{{- end }}
+ sshd_config: {{ tpl (.Files.Get "config/sshd_config") . | b64enc }}
diff --git a/helm/applications/sshd/templates/sshd-deployment.yaml b/helm/applications/sshd/templates/sshd-deployment.yaml
new file mode 100644
index 0000000..2e3d6b5
--- /dev/null
+++ b/helm/applications/sshd/templates/sshd-deployment.yaml
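Review bot: `.Files.Get "config/sshd_config"` returns an empty string when the file is absent (for example a chart packaged without the `config/` directory), and `tpl` plus `b64enc` then emit an empty `sshd_config` entry without complaint; the Deployment mounts that over `/etc/ssh/sshd_config`, so sshd would come up on its compiled-in defaults — presumably port 22, no `Match User *` chroot and no `ForceCommand internal-sftp` — while the Service and IngressRouteTCP still point at 2222. Guarding it the way sshd-deployment.yaml guards `rootPath`, `sshd_config: {{ tpl (.Files.Get "config/sshd_config" | required "config/sshd_config is missing from the chart") . | b64enc }}`, turns that into a render-time failure. The leading `{{ $secretName := ... }}` has no trim markers and emits a blank first line; `{{- $secretName := printf "%s-config" .Release.Name -}}` matches the other templates.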
@@ -0,0 +1,108 @@
+{{- $storageSpec := .Values.storageSpec | required ".storageSpec is missing. This should declare the configuration of the underlying storage." -}}
+{{- $rootPath := .Values.rootPath | required ".rootPath is missing. This value indicates the parent folder of the /home and /projects folder. This is also called the TLD in Skaha." -}}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ run: {{ .Release.Name }}-process
+ name: {{ .Release.Name }}-process
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: {{ default 1 .Values.replicaCount }}
+ selector:
+ matchLabels:
+ run: {{ .Release.Name }}-process
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ run: {{ .Release.Name }}-process
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: nvidia.com/gpu.count
+ operator: DoesNotExist
+ {{- range $extraHost := .Values.extraHosts }}
+ hostAliases:
+ - ip: {{ $extraHost.ip }}
+ hostnames:
+ - {{ $extraHost.hostname }}
+ {{- end }}
+ containers:
+ - image: {{ include "common.image" ( dict "imageObject" .Values.image ) }}
+ imagePullPolicy: Always
+ name: {{ .Release.Name }}-process
+ env:
+ {{- with .Values.extraEnv }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ ports:
+ - containerPort: 2222
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/ssh/ssh_host_ecdsa_key.pub
+ name: ssh-host-ecdsa-key-pub
+ - mountPath: /etc/ssh/ssh_host_ed25519_key.pub
+ name: ssh-host-ed25519-key-pub
+ - mountPath: /etc/ssh/ssh_host_rsa_key.pub
+ name: ssh-host-rsa-key-pub
+ - mountPath: /etc/ssh/ssh_host_ecdsa_key
+ name: {{ .Release.Name }}-config
+ subPath: ssh_host_ecdsa_key
+ - mountPath: /etc/ssh/ssh_host_ed25519_key
+ name: {{ .Release.Name }}-config
+ subPath: ssh_host_ed25519_key
+ - mountPath: /etc/ssh/ssh_host_rsa_key
+ name: {{ .Release.Name }}-config
+ subPath: ssh_host_rsa_key
+ - mountPath: /etc/ssh/sshd_config
+ name: {{ .Release.Name }}-config
+ subPath: sshd_config
+ - mountPath: /etc/sssd/sssd.conf
+ subPath: sssd.conf
+ name: sssd-config
+ - mountPath: "{{ .Values.rootPath }}"
+ name: cavern-volume
+ subPath: {{ $rootPath | regexFind "[^/].*$" }}
+ {{- with .Values.extraVolumeMounts }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- range $extraHost := .Values.extraHosts }}
+ hostAliases:
+ - ip: {{ $extraHost.ip }}
+ hostnames:
+ - {{ $extraHost.hostname }}
+ {{- end }}
+ priorityClassName: uber-user-preempt-high
+ serviceAccountName: skaha
+ volumes:
+ - name: sssd-config
+ secret:
+ # Decimal equivalent to 0600 octal
+ defaultMode: 384
+ secretName: sssd-config
+ - name: {{ .Release.Name }}-config
+ secret:
+ # Decimal equivalent to 0600 octal
+ defaultMode: 384
+ secretName: {{ .Release.Name }}-config
+ - name: ssh-host-rsa-key-pub
+ emptyDir: {}
+ - name: ssh-host-ecdsa-key-pub
+ emptyDir: {}
+ - name: ssh-host-ed25519-key-pub
+ emptyDir: {}
+ - name: cavern-volume
+ {{- toYaml $storageSpec | nindent 8 }}
+ {{- with .Values.extraVolumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
diff --git a/helm/applications/sshd/templates/sshd-expose.yaml b/helm/applications/sshd/templates/sshd-expose.yaml
new file mode 100644
index 0000000..1663380
--- /dev/null
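Review bot: `hostAliases:` is emitted inside `{{- range $extraHost := .Values.extraHosts }}`, and the whole range appears twice (once after the `affinity` block, once after `extraVolumeMounts`), so every extra host writes its own `hostAliases:` key: with two or more entries the rendered pod spec carries duplicate keys and only the last alias survives last-wins YAML parsing, and whether the second copy lands at pod level (a duplicate key) or inside the container entry (not a container field) cannot be told from the collapsed hunk, but either is wrong. Emit the key once with the range nested under it, as below, and delete the second block. The container also hard-codes `imagePullPolicy: Always` and never renders `imagePullSecrets`, while values.yaml in this commit documents `image.pullPolicy` (default `IfNotPresent`) and `image.pullSecrets` as parameters; wire them through with `imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}` and an `imagePullSecrets:` block built from `.Values.image.pullSecrets`, or remove them from values.yaml so the documented surface matches what is consumed. No `securityContext` is set at pod or container level; sshd needs root for the chroot and privilege separation, so that is likely deliberate, but a one-line comment saying so would stop the next reviewer from reading it as an omission.
```yaml
      # … unchanged: affinity block …
      {{- with .Values.extraHosts }}
      hostAliases:
      {{- range . }}
        - ip: {{ .ip }}
          hostnames:
            - {{ .hostname }}
      {{- end }}
      {{- end }}
      containers:
      # … unchanged: container spec; the second hostAliases range after extraVolumeMounts is removed …
```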
+++ b/helm/applications/sshd/templates/sshd-expose.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-svc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ run: {{ .Release.Name }}-svc
+spec:
+ ports:
+ - port: 2222
+ name: ssh-connection
+ protocol: TCP
+ selector:
+ run: {{ .Release.Name }}-process
diff --git a/helm/applications/sshd/templates/sshd-ingress.yaml b/helm/applications/sshd/templates/sshd-ingress.yaml
new file mode 100644
index 0000000..9fe580e
--- /dev/null
+++ b/helm/applications/sshd/templates/sshd-ingress.yaml
@@ -0,0 +1,13 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: {{ .Release.Name }}-ingress-route-tcp
+ namespace: {{ .Release.Namespace }}
+spec:
+ entryPoints:
+ - {{ .Values.entryPoint | required "Must supply an entryPoint name that matches your Traefik configuration." }}
+ routes:
+ - match: HostSNI(`*`)
+ services:
+ - name: {{ .Release.Name }}-svc
+ port: 2222
diff --git a/helm/applications/sshd/templates/sshd-secrets.yaml b/helm/applications/sshd/templates/sshd-secrets.yaml
new file mode 100644
index 0000000..df45bd0
--- /dev/null
+++ b/helm/applications/sshd/templates/sshd-secrets.yaml
@@ -0,0 +1,25 @@
+{{- range $secretIndex, $secretName := .Values.secrets }}
+{{/* Extra desired secrets, such as placing a self-signed CA Certificate. */}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretIndex }}
+ namespace: {{ $.Release.Namespace }}
+type: Opaque
+data:
+ {{- range $certKey, $certValue := . }}
+ {{ $certKey }}: {{ $certValue | quote }}
+ {{- end }}
+{{- end }}
+
+{{/* The main secret file to contain configuration (and credentials) to authenticate with LDAP. */}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sssd-config
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ sssd.conf: {{ tpl (.Files.Get "secret/sssd.conf") . | b64enc }}
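Review bot: `apiVersion: traefik.containo.us/v1alpha1` in sshd-ingress.yaml is the legacy Traefik CRD group, deprecated in Traefik v2.10 and removed in v3, so on a current Traefik install this IngressRouteTCP is simply not recognised; `traefik.io/v1alpha1` carries the same `IngressRouteTCP` kind. The wildcard `HostSNI` match is unavoidable for a plain TCP route, but it means the password-authenticated sshd behind it answers to every source that can reach the entrypoint and nothing in the chart narrows that; if the README's `traefik.ports.sshd` entry is meant to face the public internet, a `middlewares:` reference to Traefik's TCP IP allow-list middleware (`IPAllowList` in v3, `IPWhiteList` in v2) is where a source restriction belongs, and at minimum the README should say the port is open to all sources.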
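Review bot: In sshd-secrets.yaml the extra-secret loop writes user-supplied values under `data:` with only `quote`, but `data` must hold base64-encoded content, so a PEM certificate pasted into `secrets.<name>.ca.crt` the way the values.yaml example invites is rejected by the API server, and it only works if the operator base64-encodes by hand, which nothing documents; emitting the entries under `stringData:` instead, keeping `{{ $certKey }}: {{ $certValue | quote }}`, lets users pass plain text and have the API server encode it. The outer range variables are swapped — `$secretIndex` is the map key that becomes the Secret `name`, and `$secretName` holds the nested map and is never referenced by that name — so `range $name, $entries := .Values.secrets` would read correctly. The second document's `name: sssd-config` is not release-scoped, unlike `{{ .Release.Name }}-config` in sshd-config.yaml, so two releases of this chart in one namespace would overwrite each other's Secret, and that Secret carries the LDAP bind password; `{{ .Release.Name }}-sssd-config` here and in the Deployment's `secretName` removes the collision.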
diff --git a/helm/applications/sshd/values.yaml b/helm/applications/sshd/values.yaml
new file mode 100644
index 0000000..15bdc99
--- /dev/null
+++ b/helm/applications/sshd/values.yaml
@@ -0,0 +1,128 @@
+## @param replicaCount Number of SSHD instances to run.
+replicaCount: 1
+
+## @param image.registry [default: images.opencadc.org] SSHD image registry
+## @param image.repository [default: platform/sshd] SSHD image repository
+## @skip image.tag SSHD image tag (immutable tags are recommended)
+## @param image.digest SSHD image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy SSHD image pull policy
+## @param image.pullSecrets SSHD image pull secrets
+## @param image.debug Enable image debug mode
+##
+image:
+ registry: images.opencadc.org
+ repository: platform/sshd
+ tag: 1.0.0
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+
+## @param ldap.url The URL to contact the LDAP server.
+## @param ldap.searchBase The base DN to search for users and groups.
+## @param ldap.userSearchBase The base DN to search for users.
+## @param ldap.groupSearchBase The base DN to search for groups.
+## @param ldap.bindDN The DN to bind to the LDAP server.
+## Password for the ldap.bindDN user is stored in a secret. See [README.md](README) for details.
+## Example:
+## ldap:
+## url: "ldap://example.org:389"
+## searchBase: "dc=example,dc=org"
+## userSearchBase: "ou=users,ou=ds,dc=example,dc=org"
+## groupSearchBase: "ou=groups,ou=ds,dc=example,dc=org"
+## bindDN: "uid=binduser,ou=admin,dc=example,dc=org"
+ldap: {}
+
+## @param entryPoint Name of the Traefik entrypoint to use.
+## Example:
+## entryPoint: sshd
+entryPoint: ""
+
+## @param rootPath ABSOLUTE path to the folder containing the /home and /projects directories. This is also the path that users will mount using sshfs.
+## Example:
+## rootPath: "/cavern"
+rootPath: ""
+
+## @param storageSpec Set this to the YAML spec matching your storage.
+## Example (with existing PVC):
+## storageSpec:
+## persistentVolumeClaim:
+## claimName: skaha-pvc
+##
+## Example (with dynamic provisioning):
+## storageSpec:
+## capacity:
+## storage: 100Gi
+## volumeMode: Filesystem
+## accessModes:
+## - ReadWriteMany
+## persistentVolumeReclaimPolicy: Delete
+## storageClassName: ""
+## cephfs:
+## monitors:
+## - 10.30.201.3:6789
+## - 10.30.202.3:6789
+## - 10.30.203.3:6789
+## path: /path/to/cephfs
+## user: my-user
+## readOnly: false
+## secretRef:
+## name: ceph-key
+## namespace: skaha-system
+storageSpec: {}
+
+## @param OPTIONAL resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+## Example:
+## resources:
+## requests:
+## cpu: 1
+## memory: 512Mi
+## limits:
+## cpu: 2
+## memory: 1024Mi
+##
+resources: {}
+
+## @param extraVolumeMounts OPTIONAL mount a custom CA certificate
+## Example:
+## extraVolumeMounts:
+## - mountPath: "/config/cacerts"
+## name: cacert-volume
+extraVolumeMounts: []
+
+## @param extraVolumes OPTIONAL Create the volumes to be mounted in extraVolumeMounts
+## Example:
+## extraVolumes:
+## - name: cacert-volume
+## secret:
+## defaultMode: 420
+## secretName: sshd-cacert-secret
+extraVolumes: []
+
+## @param extraHosts OPTIONAL Specify extra hostnames that will be added to the Pod's /etc/hosts file.
+## Example:
+## extraHosts:
+## - ip: 127.3.34.5
+## hostname: myhost.example.org
+extraHosts: []
+
+## @param extraEnv OPTIONAL Specify extra environment variables that will be added to the Pod.
+## Example:
+## extraEnv:
+## - name: MY_ENV_VAR
+extraEnv: []
+
+## @param secrets OPTIONAL Specify extra secrets that will be mounted in the Pod, such as a CA certificate.
+## Example:
+## sshd-cacert-secret:
+## ca.crt:
+secrets: {}
diff --git a/helm/common/Chart.yaml b/helm/common/Chart.yaml
new file mode 100644
index 0000000..b5cd543
--- /dev/null
+++ b/helm/common/Chart.yaml
@@ -0,0 +1,33 @@
+apiVersion: v2
+description: A Library Helm Chart for grouping common logic between charts. This chart is not deployable.
+home: https://opencadc.org
+keywords:
+ - common
+ - opencadc
+maintainers:
+ - name: OpenCADC
+ url: https://github.com/opencadc/deployments
+name: common
+sources:
+ - https://github.com/opencadc/deployments/tree/main/helm/common
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: library
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
\ No newline at end of file
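Review bot: `image.pullPolicy` and `image.pullSecrets` are documented as `@param`s (and `image.debug` is documented without any key under `image:`), but sshd-deployment.yaml in this commit hard-codes `imagePullPolicy: Always` and never renders `imagePullSecrets`, so an operator who sets `pullSecrets` for a private registry gets a pull failure with no hint that the value is ignored; either consume them in the Deployment or drop the three comment lines and `pullSecrets: []` so the documented surface matches the templates. The `ldap` example shows `url: "ldap://example.org:389"` while the README example uses `ldaps://`; since sssd.conf sets no StartTLS or certificate options, the example should be the `ldaps://` form so that copying it does not put the bind password on the wire in the clear. `tag: 1.0.0` happens to parse as a string, but quoting it as `appVersion` already is (`tag: "1.0.0"`) avoids the float surprise for a tag such as `1.10`, and the `secrets` example ends in a bare `ca.crt:`, which is an empty value rather than a certificate; showing a placeholder (`ca.crt: <certificate contents>`) makes the expected shape clear.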
diff --git a/helm/common/templates/_common_image.tpl b/helm/common/templates/_common_image.tpl
new file mode 100644
index 0000000..3b47fbe
--- /dev/null
+++ b/helm/common/templates/_common_image.tpl
@@ -0,0 +1,23 @@
+{{/*
+Assemble the image name with the registry, repository, tag and digest.
+{{ include "common.image" ( dict "imageObject" .Values.path.to.the.imag ) }}
+*/}}
+{{- define "common.image" -}}
+{{- $registryName := .imageObject.registry | required "image.registry is required." -}}
+{{- $repositoryName := .imageObject.repository | required "image.repository path is required" -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageObject.tag | toString -}}
+
+{{- if not .imageObject.tag }}
+ {{- $termination = "SNAPSHOT" -}}
+{{- end -}}
+{{- if .imageObject.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageObject.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+ {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+ {{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/common/values.yaml b/helm/common/values.yaml
new file mode 100644
index 0000000..e1f2f92
--- /dev/null
+++ b/helm/common/values.yaml
@@ -0,0 +1,4 @@
+## Required by CI/CD tools and processes.
+## @skip ignoredValue
+##
+ignoredValue: common
\ No newline at end of file
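Review bot: `$registryName` is piped through `required`, so the `{{- if $registryName }}` / `{{- else -}}` branch that builds a registry-less reference can never run; either drop the `required` (if registry-less references are meant to be supported, as the else branch implies) or delete the dead branch, but not both as written. The `SNAPSHOT` fallback when `tag` is empty silently points the consuming Deployment at a mutable tag, and with `imagePullPolicy: Always` in sshd-deployment.yaml the running image can then change underneath a release without any chart change; failing instead when both `tag` and `digest` are empty, `{{- if and (not .imageObject.tag) (not .imageObject.digest) }}{{ fail "image.tag or image.digest is required" }}{{- end }}`, is the safer default, and the header comment should state that a digest takes precedence over the tag. `.Values.path.to.the.imag` in the usage comment is presumably a truncated `image`.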