From a6ec22cd6b6b538a2ed511bad89fa7ea6a7a4b4a Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
Date: Sun, 1 Oct 2023 12:02:51 -0600
Subject: [PATCH 1/7] Add okta-addon chart
Signed-off-by: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
---
.../templates/okta-addon-configmap.yml | 26 ++++
.../templates/okta-addon-deployment.yml | 94 ++++++++++++
.../templates/okta-addon-prometheus-rules.yml | 32 +++++
.../templates/okta-addon-service-monitor.yml | 22 +++
.../governor/templates/okta-addon-service.yml | 24 ++++
...nfigmap.yaml => slack-addon-configmap.yml} | 0
.../templates/slack-addon-deployment.yml | 135 ++++++++++++++++++
...n-service.yaml => slack-addon-service.yml} | 0
charts/governor/values.yaml | 78 ++++++++++
9 files changed, 411 insertions(+)
create mode 100644 charts/governor/templates/okta-addon-configmap.yml
create mode 100644 charts/governor/templates/okta-addon-deployment.yml
create mode 100644 charts/governor/templates/okta-addon-prometheus-rules.yml
create mode 100644 charts/governor/templates/okta-addon-service-monitor.yml
create mode 100644 charts/governor/templates/okta-addon-service.yml
rename charts/governor/templates/{slack-addon-configmap.yaml => slack-addon-configmap.yml} (100%)
create mode 100644 charts/governor/templates/slack-addon-deployment.yml
rename charts/governor/templates/{slack-addon-service.yaml => slack-addon-service.yml} (100%)
diff --git a/charts/governor/templates/okta-addon-configmap.yml b/charts/governor/templates/okta-addon-configmap.yml
new file mode 100644
index 0000000..f8653fb
--- /dev/null
+++ b/charts/governor/templates/okta-addon-configmap.yml
@@ -0,0 +1,26 @@
+{{- if .Values.oktaAddon.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gov-okta-addon-config
+ labels:
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ {{- with .Values.oktaAddon.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ GOA_DEBUG: "{{ .Values.oktaAddon.debug }}"
+ GOA_DRYRUN: "{{ .Values.oktaAddon.dryrun }}"
+ GOA_PRETTY: "{{ .Values.oktaAddon.pretty }}"
+ GOA_OKTA_NOCACHE: "{{ .Values.oktaAddon.okta.nocache }}"
+ GOA_NATS_URL: "{{ .Values.oktaAddon.nats.url }}"
+ GOA_NATS_CREDS_FILE: "{{ .Values.oktaAddon.nats.credsPath }}/gov-okta-addon-nats-client-creds"
+ GOA_GOVERNOR_CLIENT_ID: "{{ .Values.oktaAddon.api.clientId }}"
+ GOA_GOVERNOR_URL: "{{ .Values.oktaAddon.api.url }}"
+ GOA_GOVERNOR_TOKEN_URL: "{{ .Values.oktaAddon.hydra.url }}"
+ GOA_RECONCILER_INTERVAL: "{{ .Values.oktaAddon.reconciler.interval }}"
+ GOA_RECONCILER_LOCKING: "{{ .Values.oktaAddon.reconciler.locking }}"
+ GOA_EVENTLOG_INTERVAL: "{{ .Values.oktaAddon.eventlog.interval }}"
+ GOA_EVENTLOG_LOOKBACK: "{{ .Values.oktaAddon.eventlog.lookback }}"
+{{- end }}
diff --git a/charts/governor/templates/okta-addon-deployment.yml b/charts/governor/templates/okta-addon-deployment.yml
new file mode 100644
index 0000000..8a2ed96
--- /dev/null
+++ b/charts/governor/templates/okta-addon-deployment.yml
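Review bot: `GOA_NATS_CREDS_FILE` hard-codes the file name `gov-okta-addon-nats-client-creds` under `credsPath`, which only works if the `gov-okta-addon-nats-creds` secret the deployment mounts at `/nats` carries a key with exactly that name, and nothing in this patch series creates or documents that secret or the `gov-okta-addon-creds` secret used by the deployment's `secretRef`. A values comment next to `credsPath` would save the next operator a failed rollout, e.g. `# -- the chart does not create gov-okta-addon-nats-creds; it must contain the key gov-okta-addon-nats-client-creds`. The same note belongs next to whatever documents `gov-okta-addon-creds`, since both secrets must pre-exist for the pod to start.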
@@ -0,0 +1,94 @@
+{{- if .Values.oktaAddon.enabled }}
+---
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: gov-okta-addon
+ labels:
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ {{- with .Values.oktaAddon.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.oktaAddon.replicaCount }}
+ revisionHistoryLimit: 3
+ selector:
+ selector:
+ {{- with .Values.oktaAddon.matchLabels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ {{- with .Values.oktaAddon.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/okta-addon-configmap.yml") . | sha256sum }}
+ spec:
+ initContainers:
+ # Optional: Pre-creates the `/app-audit/audit.log` named pipe.
+ - image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
+ args:
+ - 'init'
+ - '-f'
+ - '/app-audit/audit.log'
+ name: init-audit-logs
+ resources:
+{{ toYaml .Values.audit.initContainer.resources | indent 10 }}
+ imagePullPolicy: {{ .Values.audit.auditImage.pullPolicy }}
+ volumeMounts:
+ - mountPath: /app-audit
+ name: audit-logs
+ containers:
+ - name: gov-okta-addon
+ args:
+ - serve
+ - --skip-delete={{ .Values.oktaAddon.skipDelete }}
+ envFrom:
+ - configMapRef:
+ name: gov-okta-addon-config
+ - secretRef:
+ name: gov-okta-addon-creds
+ image: "{{ .Values.oktaAddon.image.repository }}:{{ .Values.oktaAddon.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.oktaAddon.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.oktaAddon.port }}
+ livenessProbe:
+ httpGet:
+ path: /healthz/liveness
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /healthz/readiness
+ port: http
+ resources:
+{{ toYaml .Values.oktaAddon.resources | indent 10 }}
+ volumeMounts:
+ - name: natscreds
+ mountPath: "/nats"
+ readOnly: true
+ - name: audit-logs
+ mountPath: /app-audit
+ - name: audit-gov-okta-addon
+ args:
+ - -f
+ - /app-audit/audit.log
+ image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
+ resources:
+{{ toYaml .Values.audit.resources | indent 10 }}
+ volumeMounts:
+ - name: audit-logs
+ mountPath: /app-audit
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: audit-logs
+ emptyDir: {}
+ - name: natscreds
+ secret:
+ secretName: gov-okta-addon-nats-creds
+ defaultMode: 0400
+ {{- end }}
\ No newline at end of file
diff --git a/charts/governor/templates/okta-addon-prometheus-rules.yml b/charts/governor/templates/okta-addon-prometheus-rules.yml
new file mode 100644
index 0000000..9d70b92
--- /dev/null
+++ b/charts/governor/templates/okta-addon-prometheus-rules.yml
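Review bot: The okta-addon pod sets no `securityContext` at the pod or container level, while the slack-addon deployment added in this same commit applies `.Values.slackAddon.podSecurityContext`, `.Values.slackAddon.securityContext` (the README default drops all capabilities, sets readOnlyRootFilesystem, runAsNonRoot and runAsUser 1000) and `.Values.audit.securityContext` to its app, init and audit containers, so a service that holds an Okta API token and a governor client secret runs with fewer restrictions than the slack addon. The same `with` blocks should be applied here, with matching `podSecurityContext`/`securityContext` entries added under `oktaAddon` in values.yaml. The init container and the `audit-gov-okta-addon` sidecar are also rendered unconditionally, whereas slack-addon wraps them, the audit-logs mount and the audit-logs volume in `{{- if .Values.audit.enabled }}`, and the sidecar here has no `imagePullPolicy` although the init container does. One point to confirm: with `defaultMode: 0400` on the natscreds volume and no `fsGroup`, the mounted file is root-owned, so a container running as a non-root user may be unable to read it (slack-addon uses `0444`).
```yaml
    spec:
      {{- with .Values.oktaAddon.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
        # Optional: Pre-creates the `/app-audit/audit.log` named pipe.
        - image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
          {{- with .Values.audit.securityContext }}
          securityContext:
            {{- toYaml . | nindent 10 }}
          {{- end }}
          # … unchanged: args, name, resources, imagePullPolicy, volumeMounts …
      containers:
        - name: gov-okta-addon
          {{- with .Values.oktaAddon.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: args, envFrom, image, imagePullPolicy, ports, probes, resources, volumeMounts …
        - name: audit-gov-okta-addon
          {{- with .Values.audit.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          imagePullPolicy: {{ .Values.audit.auditImage.pullPolicy }}
          # … unchanged: args, image, resources, volumeMounts …
```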
@@ -0,0 +1,32 @@
+{{- if .Values.oktaAddon.enabled }}
+{{- if .Values.oktaAddon.monitoring.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: gov-okta-addon-rules
+ labels:
+ prometheus: k8s
+ role: alert-rules
+spec:
+ groups:
+ - name: gov-okta-addon.rules
+ rules:
+ - alert: Governor Okta addon group_membership_deleted_total count is warning
+ expr: sum(increase(gov_okta_addon_group_membership_deleted_total[5m])) by (pod, instance) > 5
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: Governor Okta reconciler deleted a high number of group members
+ description: Governor Okta reconciler deleted more than 5 group members from a group in the last 5 minutes. {{`{{`}} $value {{`}}`}} group members removed in the last 5 minutes.
+ - alert: Governor Okta addon users_deleted_total count is warning
+ expr: sum(increase(gov_okta_addon_users_deleted_total[5m])) by (pod, instance) > 5
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: Governor Okta reconciler deleted a high number of users
+ description: Governor Okta reconciler deleted more than 5 users in the last 5 minutes. {{`{{`}} $value {{`}}`}} users deleted in the last 5 minutes.
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/governor/templates/okta-addon-service-monitor.yml b/charts/governor/templates/okta-addon-service-monitor.yml
new file mode 100644
index 0000000..cb89650
--- /dev/null
+++ b/charts/governor/templates/okta-addon-service-monitor.yml
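Review bot: The first alert's description says "from a group", but `sum(increase(gov_okta_addon_group_membership_deleted_total[5m])) by (pod, instance)` aggregates across every group, so the text claims more than the expression can establish; `description: Governor Okta reconciler deleted more than 5 group members in the last 5 minutes.` followed by the existing `$value` sentence would match the rule. The `> 5` thresholds and `5m` windows are hard-coded in both rules while everything else in this chart is value-driven, so operators cannot tune the sensitivity of what is effectively a mass-deletion detector without forking the template. Since these rules are the only signal that the reconciler is removing users or memberships in bulk, exposing the threshold under `oktaAddon.monitoring` (name to be chosen) and noting in the chart docs that the PrometheusRule is only rendered when `monitoring.enabled` is true would make the control discoverable.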
@@ -0,0 +1,22 @@
+{{- if .Values.oktaAddon.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gov-okta-addon
+ labels:
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ {{- with .Values.oktaAddon.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: gov-okta-addon
+ endpoints:
+ - targetPort: {{ .Values.oktaAddon.port }}
+ path: /metrics
+ interval: 5s
+ {{- end }}
\ No newline at end of file
diff --git a/charts/governor/templates/okta-addon-service.yml b/charts/governor/templates/okta-addon-service.yml
new file mode 100644
index 0000000..835d37e
--- /dev/null
+++ b/charts/governor/templates/okta-addon-service.yml
@@ -0,0 +1,24 @@
+{{- if .Values.oktaAddon.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gov-okta-addon
+ labels:
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ {{- with .Values.oktaAddon.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: {{ .Values.oktaAddon.port }}
+ selector:
+ {{- with .Values.oktaAddon.matchLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ sessionAffinity: None
+ type: ClusterIP
+ {{- end }}
\ No newline at end of file
diff --git a/charts/governor/templates/slack-addon-configmap.yaml b/charts/governor/templates/slack-addon-configmap.yml
similarity index 100%
rename from charts/governor/templates/slack-addon-configmap.yaml
rename to charts/governor/templates/slack-addon-configmap.yml
diff --git a/charts/governor/templates/slack-addon-deployment.yml b/charts/governor/templates/slack-addon-deployment.yml
new file mode 100644
index 0000000..642786f
--- /dev/null
+++ b/charts/governor/templates/slack-addon-deployment.yml
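Review bot: The ServiceMonitor is rendered whenever `oktaAddon.enabled` is true, while the PrometheusRule in the previous hunk is additionally gated on `oktaAddon.monitoring.enabled`; on a cluster without the monitoring.coreos.com CRDs the install then fails on this object even though the operator switched monitoring off. Add the same guard after the first line, `{{- if .Values.oktaAddon.monitoring.enabled }}`, with a matching `{{- end }}` at the bottom. The selector also hard-codes `app.kubernetes.io/name: gov-okta-addon`, whereas the Service in the next hunk and its labels come from `.Values.oktaAddon.matchLabels`/`labels`, so an operator who overrides those labels gets a monitor that silently matches no Service; `{{- toYaml .Values.oktaAddon.matchLabels | nindent 6 }}` under `matchLabels:` keeps the two in step.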
@@ -0,0 +1,135 @@
+{{- if .Values.slackAddon.enabled }}
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: gov-slack-addon
+ labels:
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ {{- with .Values.slackAddon.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if not .Values.slackAddon.autoscaling.enabled }}
+ replicas: {{ .Values.slackAddon.replicas }}
+ {{- end }}
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ {{- with .Values.slackAddon.matchLabels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ {{- with .Values.slackAddon.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/slack-addon-configmap.yml") . | sha256sum }}
+ spec:
+ {{- with .Values.slackAddon.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.audit.enabled }}
+ initContainers:
+ # Optional: Pre-creates the `/app-audit/audit.log` named pipe.
+ - image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
+ {{- with .Values.audit.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ args:
+ - 'init'
+ - '-f'
+ - '/app-audit/audit.log'
+ name: init-audit-logs
+ imagePullPolicy: Always
+ volumeMounts:
+ - mountPath: /app-audit
+ name: audit-logs
+ {{- with .Values.audit.initContainer.resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: gov-slack-addon
+ args:
+ - serve
+ envFrom:
+ - configMapRef:
+ name: gov-slack-addon-config
+ - secretRef:
+ name: gov-slack-addon-creds
+ {{- with .Values.slackAddon.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: "{{ .Values.slackAddon.image.repository }}:{{ .Values.slackAddon.image.tag | default .Chart.AppVersion }}"
+ {{- with .Values.slackAddon.image.pullPolicy }}
+ imagePullPolicy: {{ . }}
+ {{- end }}
+ {{- with .Values.slackAddon.ports }}
+ ports:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz/liveness
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /healthz/readiness
+ port: http
+ {{- with .Values.slackAddon.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: natscreds
+ mountPath: "/nats"
+ readOnly: true
+ {{- if .Values.audit.enabled }} # Begin audittail toggle
+ # This is mounted in the 1st container
+ - name: audit-logs
+ mountPath: /app-audit
+ # This is the audit container
+ - name: gov-slack-addon-audit
+ {{- with .Values.audit.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ args:
+ - -f
+ - /app-audit/audit.log
+ image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
+ volumeMounts:
+ - name: audit-logs
+ mountPath: /app-audit
+ {{- with .Values.audit.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end }} # End audittail toggle
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: natscreds
+ secret:
+ secretName: gov-slack-addon-nats-creds
+ defaultMode: 0444
+ {{- if .Values.audit.enabled }}
+ - name: audit-logs
+ emptyDir: {}
+ {{- end }}
+ {{- with .Values.slackAddon.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.slackAddon.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/governor/templates/slack-addon-service.yaml b/charts/governor/templates/slack-addon-service.yml
similarity index 100%
rename from charts/governor/templates/slack-addon-service.yaml
rename to charts/governor/templates/slack-addon-service.yml
diff --git a/charts/governor/values.yaml b/charts/governor/values.yaml
index 2d44c61..9f4de53 100644
--- a/charts/governor/values.yaml
+++ b/charts/governor/values.yaml
@@ -105,6 +105,84 @@ api:
 enabled: false
 honeycombKey:
+# -- okta-addon settings
+oktaAddon:
+ # -- set to false to disable this addon completely
+ enabled: true
+
+ image:
+ repository: ghcr.io/metal-toolbox/gov-okta-addon
+ tag: 784-b89ffe9c
+ pullPolicy: IfNotPresent
+
+ # -- set of labels for the application
+ labels:
+ app.kubernetes.io/instance: gov-okta-addon
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: gov-okta-addon
+
+ # -- set of match labels for the application
+ matchLabels:
+ app.kubernetes.io/instance: gov-okta-addon
+ app.kubernetes.io/name: gov-okta-addon
+
+ debug: false
+ dryrun: false
+ pretty: false
+
+ skipDelete: false
+
+ port: 8000
+
+ replicaCount: 1
+
+ # -- enables the prometheus rules if set to true
+ monitoring:
+ enabled: true
+
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 500Mi
+
+ # -- nats setup for the slack addon
+ nats:
+ url: tls://nats.governor.example.com:4222,
+ credsPath: /nats
+ subjectPrefix: governor.events
+
+ secrets:
+ # -- enable helm secrets, set to `true` if you want to set the value directly in the chart (not recommended)
+ enabled: false
+ # -- client credentials secrets
+ natsCreds:
+ governorClientSecret:
+ oktaToken:
+
+ # -- hydra settings for communication with the governor-api
+ hydra:
+ url: https://hydra.example.com/oauth2/token
+
+ # -- governor-api settings to retrieve required information by the slack addon
+ api:
+ url: https://api.governor.example.com
+ clientId: gov-slack-addon-governor
+
+ okta:
+ # -- This toggle exists because we've seen issue with the sdk caching responses from okta
+ nocache: true
+
+ reconciler:
+ interval: 3600s # update every hour
+ locking: true
+
+ eventlog:
+ lookback: 8h # look back 8 hours of Okta events on startup
+ interval: 30s # run eventlog poller every 30 seconds
+
 # -- slack-addon settings
 slackAddon:
 # -- set to false to disable this addon completely
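Review bot: `clientId: gov-slack-addon-governor` under `oktaAddon.api` is the slack addon's client id, so with default values both addons authenticate to governor-api through the same OAuth client, the Okta reconciler inherits whatever grants that client has, and hydra/governor audit records cannot tell the two services apart; give the Okta addon its own registered client (the name is whatever is registered in hydra, e.g. a constructed `clientId: gov-okta-addon-governor`). The `secrets:` block ended up nested under `nats:` (the helm-docs hunk later in this series renders it as `oktaAddon.nats.secrets.*`), is not consumed by any template in the series, and lists `oktaToken` and `governorClientSecret`, which are not NATS settings, so `secrets.enabled: true` silently does nothing while the deployment still requires `gov-okta-addon-creds` and `gov-okta-addon-nats-creds` to pre-exist. The comments `# -- nats setup for the slack addon` and `# -- governor-api settings to retrieve required information by the slack addon` were copied unchanged and should say okta addon, and `url: tls://nats.governor.example.com:4222,` carries the slack defaults' trailing comma. Adding `podSecurityContext`/`securityContext` entries here, mirroring `slackAddon.securityContext`, would also let the okta deployment template apply the same hardening.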
From a3f4ccdffd7bfbdef3c0878605637ceb9892600a Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
Date: Sun, 1 Oct 2023 12:06:29 -0600
Subject: [PATCH 2/7] removes duplicate addon deployment
---
.../templates/slack-addon-deployment.yaml | 135 ------------------
1 file changed, 135 deletions(-)
delete mode 100644 charts/governor/templates/slack-addon-deployment.yaml
diff --git a/charts/governor/templates/slack-addon-deployment.yaml b/charts/governor/templates/slack-addon-deployment.yaml
deleted file mode 100644
index 0e9b752..0000000
--- a/charts/governor/templates/slack-addon-deployment.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-{{- if .Values.slackAddon.enabled }}
-apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
-kind: Deployment
-metadata:
- name: gov-slack-addon
- labels:
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- {{- with .Values.slackAddon.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- {{- if not .Values.slackAddon.autoscaling.enabled }}
- replicas: {{ .Values.slackAddon.replicas }}
- {{- end }}
- revisionHistoryLimit: 3
- selector:
- matchLabels:
- {{- with .Values.slackAddon.matchLabels }}
- {{- toYaml . | nindent 6 }}
- {{- end }}
- template:
- metadata:
- labels:
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- {{- with .Values.slackAddon.labels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- annotations:
- checksum/config: {{ include (print $.Template.BasePath "/slack-addon-configmap.yaml") . | sha256sum }}
- spec:
- {{- with .Values.slackAddon.podSecurityContext }}
- securityContext:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- if .Values.audit.enabled }}
- initContainers:
- # Optional: Pre-creates the `/app-audit/audit.log` named pipe.
- - image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
- {{- with .Values.audit.securityContext }}
- securityContext:
- {{- toYaml . | nindent 10 }}
- {{- end }}
- args:
- - 'init'
- - '-f'
- - '/app-audit/audit.log'
- name: init-audit-logs
- imagePullPolicy: Always
- volumeMounts:
- - mountPath: /app-audit
- name: audit-logs
- {{- with .Values.audit.initContainer.resources }}
- resources:
- {{- toYaml . | nindent 10 }}
- {{- end }}
- {{- end }}
- containers:
- - name: gov-slack-addon
- args:
- - serve
- envFrom:
- - configMapRef:
- name: gov-slack-addon-config
- - secretRef:
- name: gov-slack-addon-creds
- {{- with .Values.slackAddon.securityContext }}
- securityContext:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- image: "{{ .Values.slackAddon.image.repository }}:{{ .Values.slackAddon.image.tag | default .Chart.AppVersion }}"
- {{- with .Values.slackAddon.image.pullPolicy }}
- imagePullPolicy: {{ . }}
- {{- end }}
- {{- with .Values.slackAddon.ports }}
- ports:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- livenessProbe:
- httpGet:
- path: /healthz/liveness
- port: http
- readinessProbe:
- httpGet:
- path: /healthz/readiness
- port: http
- {{- with .Values.slackAddon.resources }}
- resources:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- volumeMounts:
- - name: natscreds
- mountPath: "/nats"
- readOnly: true
- {{- if .Values.audit.enabled }} # Begin audittail toggle
- # This is mounted in the 1st container
- - name: audit-logs
- mountPath: /app-audit
- # This is the audit container
- - name: gov-slack-addon-audit
- {{- with .Values.audit.securityContext }}
- securityContext:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- args:
- - -f
- - /app-audit/audit.log
- image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
- volumeMounts:
- - name: audit-logs
- mountPath: /app-audit
- {{- with .Values.audit.resources }}
- resources:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- end }} # End audittail toggle
- restartPolicy: Always
- terminationGracePeriodSeconds: 30
- volumes:
- - name: natscreds
- secret:
- secretName: gov-slack-addon-nats-creds
- defaultMode: 0444
- {{- if .Values.audit.enabled }}
- - name: audit-logs
- emptyDir: {}
- {{- end }}
- {{- with .Values.slackAddon.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.slackAddon.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
From 8cdc3e88faf3f35b2e5c30c3d2a0bbe68a5e359e Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
Date: Sun, 1 Oct 2023 12:06:48 -0600
Subject: [PATCH 3/7] helm-docs
---
charts/governor/README.md | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/charts/governor/README.md b/charts/governor/README.md
index 671421c..3e8937d 100644
--- a/charts/governor/README.md
+++ b/charts/governor/README.md
@@ -69,6 +69,17 @@ helm install governor-api equinixmetal/governor-api
 | api.tracing.secrets | object | `{"enabled":false,"honeycombKey":null}` | tracing secrets, set to `true` if you want to set the value directly in the chart (not recommended) |
 | audit | object | `{"auditImage":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/audittail","tag":"v0.8.0"},"enabled":true,"initContainer":{"resources":{"limits":{"cpu":"100m","memory":"20Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}},"resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"128Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}}` | audit sidecar settings |
 | k8s-otel-collector | object | `{"include_otel_attributes":false}` | settings for the otel collector sub-chart ref https://github.com/equinixmetal-helm/k8s-otel-collector |
+| oktaAddon | object | `{"api":{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"debug":false,"dryrun":false,"enabled":true,"eventlog":{"interval":"30s","lookback":"8h"},"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/gov-okta-addon","tag":"784-b89ffe9c"},"labels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/name":"gov-okta-addon"},"monitoring":{"enabled":true},"nats":{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"okta":{"nocache":true},"port":8000,"pretty":false,"reconciler":{"interval":"3600s","locking":true},"replicaCount":1,"resources":{"limits":{"cpu":"100m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}},"skipDelete":false}` | okta-addon settings |
+| oktaAddon.api | object | `{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"}` | governor-api settings to retrieve required information by the slack addon |
+| oktaAddon.enabled | bool | `true` | set to false to disable this addon completely |
+| oktaAddon.hydra | object | `{"url":"https://hydra.example.com/oauth2/token"}` | hydra settings for communication with the governor-api |
+| oktaAddon.labels | object | `{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"}` | set of labels for the application |
+| oktaAddon.matchLabels | object | `{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/name":"gov-okta-addon"}` | set of match labels for the application |
+| oktaAddon.monitoring | object | `{"enabled":true}` | enables the prometheus rules if set to true |
+| oktaAddon.nats | object | `{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"}` | nats setup for the slack addon |
+| oktaAddon.nats.secrets.enabled | bool | `false` | enable helm secrets, set to `true` if you want to set the value directly in the chart (not recommended) |
+| oktaAddon.nats.secrets.natsCreds | string | `nil` | client credentials secrets |
+| oktaAddon.okta.nocache | bool | `true` | This toggle exists because we've seen issue with the sdk caching responses from okta |
 | slackAddon | object | `{"api":{"audience":"https://api.governor.example.com","clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"autoscaling":{"enabled":false},"debug":false,"dryrun":false,"enabled":true,"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/governor-slack-addon","tag":"46-c41b0158"},"labels":{"app.kubernetes.io/instance":"gov-slack-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-slack-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-slack-addon","app.kubernetes.io/name":"gov-slack-addon"},"nats":{"credsPath":"/nats","subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"nodeSelector":null,"ports":[{"containerPort":8000,"name":"http"}],"pretty":false,"reconciler":{"interval":"1h","locking":true},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"500Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000},"service":{"port":80},"tolerations":null}` | slack-addon settings |
 | slackAddon.api | object | `{"audience":"https://api.governor.example.com","clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"}` | governor-api settings to retrieve required information by the slack addon |
 | slackAddon.debug | bool | `false` | set to true to turn on debug logging |
From 4b0c0a2e95b61118605dfbb0720c128dc4507af8 Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
Date: Sun, 1 Oct 2023 12:08:32 -0600
Subject: [PATCH 4/7] remove duplicate selector
---
charts/governor/templates/okta-addon-deployment.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/charts/governor/templates/okta-addon-deployment.yml b/charts/governor/templates/okta-addon-deployment.yml
index 8a2ed96..db358e3 100644
--- a/charts/governor/templates/okta-addon-deployment.yml
+++ b/charts/governor/templates/okta-addon-deployment.yml
@@ -12,7 +12,6 @@ metadata:
 spec:
 replicas: {{ .Values.oktaAddon.replicaCount }}
 revisionHistoryLimit: 3
- selector:
 selector:
 {{- with .Values.oktaAddon.matchLabels }}
 {{- toYaml . | nindent 6 }}
From fa8c3c5d53a392e45f18b72f6b4a2455b151594e Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
Date: Fri, 6 Oct 2023 15:25:16 -0600
Subject: [PATCH 5/7] use latest version of gov-okta-addon
Signed-off-by: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
---
charts/governor/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/governor/values.yaml b/charts/governor/values.yaml
index 9f4de53..3cfec4c 100644
--- a/charts/governor/values.yaml
+++ b/charts/governor/values.yaml
@@ -112,7 +112,7 @@ oktaAddon:
 image:
 repository: ghcr.io/metal-toolbox/gov-okta-addon
- tag: 784-b89ffe9c
+ tag: 12-4375aa79
 pullPolicy: IfNotPresent
 # -- set of labels for the application
@@ -125,7 +125,7 @@ oktaAddon:
 matchLabels:
 app.kubernetes.io/instance: gov-okta-addon
 app.kubernetes.io/name: gov-okta-addon
-
+
 debug: false
 dryrun: false
 pretty: false
From 65cb9cb8a48a1f0cf19b68e7e341b599670514b6 Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
Date: Fri, 6 Oct 2023 15:25:30 -0600
Subject: [PATCH 6/7] helm-docs
---
charts/governor/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/governor/README.md b/charts/governor/README.md
index 3e8937d..2be5039 100644
--- a/charts/governor/README.md
+++ b/charts/governor/README.md
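Review bot: Dropping one of the two `selector:` lines leaves `selector:` followed directly by the rendered labels, but a Deployment selector needs them under `matchLabels:` (compare `selector:` / `matchLabels:` in slack-addon-deployment.yml in the first patch); as written the API server rejects the object for unknown selector fields, or prunes them and then fails on an empty selector, so the okta addon still cannot be installed after this fix. The surviving line should be `matchLabels:` nested under `selector:`, i.e. `selector:` then `matchLabels:` then the existing `{{- with .Values.oktaAddon.matchLabels }}` block, keeping `nindent 6`. The template continues outside the hunk.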
@@ -69,7 +69,7 @@ helm install governor-api equinixmetal/governor-api
 | api.tracing.secrets | object | `{"enabled":false,"honeycombKey":null}` | tracing secrets, set to `true` if you want to set the value directly in the chart (not recommended) |
 | audit | object | `{"auditImage":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/audittail","tag":"v0.8.0"},"enabled":true,"initContainer":{"resources":{"limits":{"cpu":"100m","memory":"20Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}},"resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"128Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}}` | audit sidecar settings |
 | k8s-otel-collector | object | `{"include_otel_attributes":false}` | settings for the otel collector sub-chart ref https://github.com/equinixmetal-helm/k8s-otel-collector |
-| oktaAddon | object | `{"api":{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"debug":false,"dryrun":false,"enabled":true,"eventlog":{"interval":"30s","lookback":"8h"},"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/gov-okta-addon","tag":"784-b89ffe9c"},"labels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/name":"gov-okta-addon"},"monitoring":{"enabled":true},"nats":{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"okta":{"nocache":true},"port":8000,"pretty":false,"reconciler":{"interval":"3600s","locking":true},"replicaCount":1,"resources":{"limits":{"cpu":"100m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}},"skipDelete":false}` | okta-addon settings |
+| oktaAddon | object | `{"api":{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"debug":false,"dryrun":false,"enabled":true,"eventlog":{"interval":"30s","lookback":"8h"},"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/gov-okta-addon","tag":"12-4375aa79"},"labels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/name":"gov-okta-addon"},"monitoring":{"enabled":true},"nats":{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"okta":{"nocache":true},"port":8000,"pretty":false,"reconciler":{"interval":"3600s","locking":true},"replicaCount":1,"resources":{"limits":{"cpu":"100m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}},"skipDelete":false}` | okta-addon settings |
 | oktaAddon.api | object | `{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"}` | governor-api settings to retrieve required information by the slack addon |
 | oktaAddon.enabled | bool | `true` | set to false to disable this addon completely |
 | oktaAddon.hydra | object | `{"url":"https://hydra.example.com/oauth2/token"}` | hydra settings for communication with the governor-api |
From 8cad0958a875f27a08ed370e5f3f2a9f419c5e27 Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
Date: Fri, 6 Oct 2023 15:30:33 -0600
Subject: [PATCH 7/7] update docs for okta addon
Signed-off-by: Sarah Funkhouser <11655165+sfunkhouser@users.noreply.github.com>
---
charts/governor/README.md | 11 ++++++++++-
charts/governor/values.yaml | 17 +++++++++++++----
2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/charts/governor/README.md b/charts/governor/README.md
index 2be5039..063afe7 100644
--- a/charts/governor/README.md
+++ b/charts/governor/README.md
@@ -71,6 +71,8 @@ helm install governor-api equinixmetal/governor-api
 | k8s-otel-collector | object | `{"include_otel_attributes":false}` | settings for the otel collector sub-chart ref https://github.com/equinixmetal-helm/k8s-otel-collector |
 | oktaAddon | object | `{"api":{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"debug":false,"dryrun":false,"enabled":true,"eventlog":{"interval":"30s","lookback":"8h"},"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/gov-okta-addon","tag":"12-4375aa79"},"labels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/name":"gov-okta-addon"},"monitoring":{"enabled":true},"nats":{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"okta":{"nocache":true},"port":8000,"pretty":false,"reconciler":{"interval":"3600s","locking":true},"replicaCount":1,"resources":{"limits":{"cpu":"100m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}},"skipDelete":false}` | okta-addon settings |
 | oktaAddon.api | object | `{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"}` | governor-api settings to retrieve required information by the slack addon |
+| oktaAddon.debug | bool | `false` | set to true to turn on debug logging |
+| oktaAddon.dryrun | bool | `false` | dryrun on the reconcile loop |
 | oktaAddon.enabled | bool | `true` | set to false to disable this addon completely |
 | oktaAddon.hydra | object | `{"url":"https://hydra.example.com/oauth2/token"}` | hydra settings for communication with the governor-api |
 | oktaAddon.labels | object | `{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"}` | set of labels for the application |
@@ -78,8 +80,15 @@ helm install governor-api equinixmetal/governor-api
 | oktaAddon.monitoring | object | `{"enabled":true}` | enables the prometheus rules if set to true |
 | oktaAddon.nats | object | `{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"}` | nats setup for the slack addon |
 | oktaAddon.nats.secrets.enabled | bool | `false` | enable helm secrets, set to `true` if you want to set the value directly in the chart (not recommended) |
-| oktaAddon.nats.secrets.natsCreds | string | `nil` | client credentials secrets |
+| oktaAddon.nats.secrets.governorClientSecret | string | `nil` | governor client secrets for the governor api |
+| oktaAddon.nats.secrets.natsCreds | string | `nil` | nats client credentials secrets |
+| oktaAddon.nats.secrets.oktaToken | string | `nil` | token to talk to the okta api |
 | oktaAddon.okta.nocache | bool | `true` | This toggle exists because we've seen issue with the sdk caching responses from okta |
+| oktaAddon.port | int | `8000` | port used for the gov-okta-addon service |
+| oktaAddon.pretty | bool | `false` | set to true for human readable logging |
+| oktaAddon.replicaCount | int | `1` | replicas of the gov-okta-addon |
+| oktaAddon.resources | object | `{"limits":{"cpu":"100m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}}` | resource settings for the gov-okta-addon |
+| oktaAddon.skipDelete | bool | `false` | skipDelete, when true, will not delete anything in okta during reconcile loop |
 | slackAddon | object | `{"api":{"audience":"https://api.governor.example.com","clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"autoscaling":{"enabled":false},"debug":false,"dryrun":false,"enabled":true,"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/governor-slack-addon","tag":"46-c41b0158"},"labels":{"app.kubernetes.io/instance":"gov-slack-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-slack-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-slack-addon","app.kubernetes.io/name":"gov-slack-addon"},"nats":{"credsPath":"/nats","subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"nodeSelector":null,"ports":[{"containerPort":8000,"name":"http"}],"pretty":false,"reconciler":{"interval":"1h","locking":true},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"500Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000},"service":{"port":80},"tolerations":null}` | slack-addon settings |
 | slackAddon.api | object | `{"audience":"https://api.governor.example.com","clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"}` | governor-api settings to retrieve required information by the slack addon |
 | slackAddon.debug | bool | `false` | set to true to turn on debug logging |
diff --git a/charts/governor/values.yaml b/charts/governor/values.yaml
index 3cfec4c..340c501 100644
--- a/charts/governor/values.yaml
+++ b/charts/governor/values.yaml
@@ -126,20 +126,27 @@ oktaAddon:
 app.kubernetes.io/instance: gov-okta-addon
 app.kubernetes.io/name: gov-okta-addon
+ # -- set to true to turn on debug logging
 debug: false
- dryrun: false
+ # -- set to true for human readable logging
 pretty: false
+ # -- dryrun on the reconcile loop
+ dryrun: false
+ # -- skipDelete, when true, will not delete anything in okta during reconcile loop
 skipDelete: false
+ # -- port used for the gov-okta-addon service
 port: 8000
- replicaCount: 1
-
 # -- enables the prometheus rules if set to true
 monitoring:
 enabled: true
+ # -- replicas of the gov-okta-addon
+ replicaCount: 1
+
+ # -- resource settings for the gov-okta-addon
 resources:
 limits:
 cpu: 100m
@@ -157,9 +164,11 @@ oktaAddon:
 secrets:
 # -- enable helm secrets, set to `true` if you want to set the value directly in the chart (not recommended)
 enabled: false
- # -- client credentials secrets
+ # -- nats client credentials secrets
 natsCreds:
+ # -- governor client secrets for the governor api
 governorClientSecret:
+ # -- token to talk to the okta api
 oktaToken:
 # -- hydra settings for communication with the governor-api
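Review bot: The new comments on `dryrun` and `skipDelete` in the first values.yaml hunk describe each flag on its own but not how they relate, although both gate destructive behaviour of the reconcile loop, so an operator reading values.yaml cannot tell whether `dryrun: true` already implies no deletions in Okta or whether both flags must be set for a read-only run. If dryrun suppresses every write to Okta — which I cannot confirm from this hunk — a note such as `# -- dryrun on the reconcile loop; when true nothing is written to okta, regardless of skipDelete` would make the safe configuration obvious, and the `skipDelete` comment could point back to it. The enclosing `oktaAddon:` mapping starts and ends outside the hunk.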
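Review bot: The three secret keys in the second values.yaml hunk are still bare empty values (`natsCreds:`, `governorClientSecret:`, `oktaToken:`), which YAML reads as null; the README rows added in this same patch document them as `nil`, so writing `natsCreds: null` (and likewise for the other two) states the default explicitly and keeps yamllint's empty-values check quiet. The new comments also leave open what happens when `secrets.enabled` stays `false` — where the operator is expected to provide the credentials instead — so a reader only learns that inlining them is "not recommended". A line above `enabled: false` such as `# -- when false these keys are ignored and the credentials must be provisioned out-of-band (presumably an existing Secret mounted at nats.credsPath)` would close that gap; the wording is hedged because the template that consumes these values is outside this hunk. The enclosing `oktaAddon:` mapping starts and ends outside the hunk.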