Adds the chart templates and default values for the gov-okta-addon

charts/governor/README.md

@@ -69,6 +69,26 @@ helm install governor-api equinixmetal/governor-api
 | api.tracing.secrets | object | `{"enabled":false,"honeycombKey":null}` | tracing secrets, set to `true` if you want to set the value directly in the chart (not recommended) |
 | audit | object | `{"auditImage":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/audittail","tag":"v0.8.0"},"enabled":true,"initContainer":{"resources":{"limits":{"cpu":"100m","memory":"20Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}},"resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"128Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}}` | audit sidecar settings |
 | k8s-otel-collector | object | `{"include_otel_attributes":false}` | settings for the otel collector sub-chart ref https://github.com/equinixmetal-helm/k8s-otel-collector |
+| oktaAddon | object | `{"api":{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"debug":false,"dryrun":false,"enabled":true,"eventlog":{"interval":"30s","lookback":"8h"},"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/gov-okta-addon","tag":"12-4375aa79"},"labels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/name":"gov-okta-addon"},"monitoring":{"enabled":true},"nats":{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"okta":{"nocache":true},"port":8000,"pretty":false,"reconciler":{"interval":"3600s","locking":true},"replicaCount":1,"resources":{"limits":{"cpu":"100m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}},"skipDelete":false}` | okta-addon settings |
+| oktaAddon.api | object | `{"clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"}` | governor-api settings to retrieve required information by the slack addon |
+| oktaAddon.debug | bool | `false` | set to true to turn on debug logging |
+| oktaAddon.dryrun | bool | `false` | dryrun on the reconcile loop |
+| oktaAddon.enabled | bool | `true` | set to false to disable this addon completely |
+| oktaAddon.hydra | object | `{"url":"https://hydra.example.com/oauth2/token"}` | hydra settings for communication with the governor-api |
+| oktaAddon.labels | object | `{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-okta-addon"}` | set of labels for the application  |
+| oktaAddon.matchLabels | object | `{"app.kubernetes.io/instance":"gov-okta-addon","app.kubernetes.io/name":"gov-okta-addon"}` | set of match labels for the application  |
+| oktaAddon.monitoring | object | `{"enabled":true}` | enables the prometheus rules if set to true |
+| oktaAddon.nats | object | `{"credsPath":"/nats","secrets":{"enabled":false,"governorClientSecret":null,"natsCreds":null,"oktaToken":null},"subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"}` | nats setup for the slack addon |
+| oktaAddon.nats.secrets.enabled | bool | `false` | enable helm secrets, set to `true` if you want to set the value directly in the chart (not recommended) |
+| oktaAddon.nats.secrets.governorClientSecret | string | `nil` | governor client secrets for the governor api |
+| oktaAddon.nats.secrets.natsCreds | string | `nil` | nats client credentials secrets |
+| oktaAddon.nats.secrets.oktaToken | string | `nil` | token to talk to the okta api |
+| oktaAddon.okta.nocache | bool | `true` | This toggle exists because we've seen issue with the sdk caching responses from okta |
+| oktaAddon.port | int | `8000` | port used for the gov-okta-addon service |
+| oktaAddon.pretty | bool | `false` | set to true for human readable logging |
+| oktaAddon.replicaCount | int | `1` | replicas of the gov-okta-addon |
+| oktaAddon.resources | object | `{"limits":{"cpu":"100m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}}` | resource settings for the gov-okta-addon |
+| oktaAddon.skipDelete | bool | `false` | skipDelete, when true, will not delete anything in okta during reconcile loop |
 | slackAddon | object | `{"api":{"audience":"https://api.governor.example.com","clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"},"autoscaling":{"enabled":false},"debug":false,"dryrun":false,"enabled":true,"hydra":{"url":"https://hydra.example.com/oauth2/token"},"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/metal-toolbox/governor-slack-addon","tag":"46-c41b0158"},"labels":{"app.kubernetes.io/instance":"gov-slack-addon","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"gov-slack-addon"},"matchLabels":{"app.kubernetes.io/instance":"gov-slack-addon","app.kubernetes.io/name":"gov-slack-addon"},"nats":{"credsPath":"/nats","subjectPrefix":"governor.events","url":"tls://nats.governor.example.com:4222,"},"nodeSelector":null,"ports":[{"containerPort":8000,"name":"http"}],"pretty":false,"reconciler":{"interval":"1h","locking":true},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"500Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000},"service":{"port":80},"tolerations":null}` | slack-addon settings |
 | slackAddon.api | object | `{"audience":"https://api.governor.example.com","clientId":"gov-slack-addon-governor","url":"https://api.governor.example.com"}` | governor-api settings to retrieve required information by the slack addon |
 | slackAddon.debug | bool | `false` | set to true to turn on debug logging |

charts/governor/templates/okta-addon-configmap.yml

@@ -0,0 +1,26 @@
+{{- if .Values.oktaAddon.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gov-okta-addon-config
+  labels: 
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    {{- with .Values.oktaAddon.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  GOA_DEBUG: "{{ .Values.oktaAddon.debug }}"
+  GOA_DRYRUN: "{{ .Values.oktaAddon.dryrun }}"
+  GOA_PRETTY: "{{ .Values.oktaAddon.pretty }}"
+  GOA_OKTA_NOCACHE: "{{ .Values.oktaAddon.okta.nocache }}"
+  GOA_NATS_URL: "{{ .Values.oktaAddon.nats.url }}"
+  GOA_NATS_CREDS_FILE: "{{ .Values.oktaAddon.nats.credsPath }}/gov-okta-addon-nats-client-creds"
+  GOA_GOVERNOR_CLIENT_ID: "{{ .Values.oktaAddon.api.clientId }}"
+  GOA_GOVERNOR_URL: "{{ .Values.oktaAddon.api.url }}"
+  GOA_GOVERNOR_TOKEN_URL: "{{ .Values.oktaAddon.hydra.url }}"
+  GOA_RECONCILER_INTERVAL:  "{{ .Values.oktaAddon.reconciler.interval }}"
+  GOA_RECONCILER_LOCKING: "{{ .Values.oktaAddon.reconciler.locking }}"
+  GOA_EVENTLOG_INTERVAL:  "{{ .Values.oktaAddon.eventlog.interval }}"
+  GOA_EVENTLOG_LOOKBACK:  "{{ .Values.oktaAddon.eventlog.lookback }}"
+{{- end }}

charts/governor/templates/okta-addon-deployment.yml

@@ -0,0 +1,93 @@
+{{- if .Values.oktaAddon.enabled }}
+---
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: gov-okta-addon
+  labels: 
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    {{- with .Values.oktaAddon.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  replicas: {{ .Values.oktaAddon.replicaCount }}
+  revisionHistoryLimit: 3
+  selector: 
+  {{- with .Values.oktaAddon.matchLabels }}
+    {{- toYaml . | nindent 6 }}
+  {{- end }}
+  template:
+    metadata:
+      labels: 
+        helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+        {{- with .Values.oktaAddon.labels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/okta-addon-configmap.yml") . | sha256sum }}
+    spec:
+      initContainers:
+      # Optional: Pre-creates the `/app-audit/audit.log` named pipe.
+      - image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
+        args:
+          - 'init'
+          - '-f'
+          - '/app-audit/audit.log'
+        name: init-audit-logs
+        resources:
+{{ toYaml .Values.audit.initContainer.resources | indent 10 }}
+        imagePullPolicy: {{ .Values.audit.auditImage.pullPolicy }}
+        volumeMounts:
+          - mountPath: /app-audit
+            name: audit-logs
+      containers:
+      - name: gov-okta-addon
+        args:
+          - serve
+          - --skip-delete={{ .Values.oktaAddon.skipDelete }}
+        envFrom:
+        - configMapRef:
+            name: gov-okta-addon-config
+        - secretRef:
+            name: gov-okta-addon-creds
+        image: "{{ .Values.oktaAddon.image.repository }}:{{ .Values.oktaAddon.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.oktaAddon.image.pullPolicy }}
+        ports:
+        - name: http
+          containerPort: {{ .Values.oktaAddon.port }}
+        livenessProbe:
+          httpGet:
+            path: /healthz/liveness
+            port: http
+        readinessProbe:
+          httpGet:
+            path: /healthz/readiness
+            port: http
+        resources:
+{{ toYaml .Values.oktaAddon.resources | indent 10 }}
+        volumeMounts:
+        - name: natscreds
+          mountPath: "/nats"
+          readOnly: true
+        - name: audit-logs
+          mountPath: /app-audit
+      - name: audit-gov-okta-addon
+        args:
+          - -f
+          - /app-audit/audit.log
+        image: "{{ .Values.audit.auditImage.repository }}:{{ .Values.audit.auditImage.tag | default .Chart.AppVersion }}"
+        resources:
+{{ toYaml .Values.audit.resources | indent 10 }}
+        volumeMounts:
+        - name: audit-logs
+          mountPath: /app-audit
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: audit-logs
+        emptyDir: {}
+      - name: natscreds
+        secret:
+          secretName: gov-okta-addon-nats-creds
+          defaultMode: 0400
+ {{- end }}

charts/governor/templates/okta-addon-prometheus-rules.yml

@@ -0,0 +1,32 @@
+{{- if .Values.oktaAddon.enabled }}
+{{- if .Values.oktaAddon.monitoring.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: gov-okta-addon-rules
+  labels:
+    prometheus: k8s
+    role: alert-rules
+spec:
+  groups:
+  - name: gov-okta-addon.rules
+    rules:
+    - alert: Governor Okta addon group_membership_deleted_total count is warning
+      expr: sum(increase(gov_okta_addon_group_membership_deleted_total[5m])) by (pod, instance) > 5
+      for: 5m
+      labels:
+        severity: warning
+      annotations:
+        summary: Governor Okta reconciler deleted a high number of group members
+        description: Governor Okta reconciler deleted more than 5 group members from a group in the last 5 minutes. {{`{{`}} $value {{`}}`}} group members removed in the last 5 minutes.
+    - alert: Governor Okta addon users_deleted_total count is warning
+      expr: sum(increase(gov_okta_addon_users_deleted_total[5m])) by (pod, instance) > 5
+      for: 5m
+      labels:
+        severity: warning
+      annotations:
+        summary: Governor Okta reconciler deleted a high number of users
+        description: Governor Okta reconciler deleted more than 5 users in the last 5 minutes. {{`{{`}} $value {{`}}`}} users deleted in the last 5 minutes.
+ {{- end }}
+{{- end }}

charts/governor/templates/okta-addon-service-monitor.yml

@@ -0,0 +1,22 @@
+{{- if .Values.oktaAddon.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: gov-okta-addon
+  labels: 
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    {{- with .Values.oktaAddon.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gov-okta-addon
+  endpoints:
+  - targetPort: {{ .Values.oktaAddon.port }}
+    path: /metrics
+    interval: 5s
+ {{- end }}

charts/governor/templates/okta-addon-service.yml

@@ -0,0 +1,24 @@
+{{- if .Values.oktaAddon.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gov-okta-addon
+  labels: 
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    {{- with .Values.oktaAddon.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: {{ .Values.oktaAddon.port }}
+  selector: 
+  {{- with .Values.oktaAddon.matchLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  sessionAffinity: None
+  type: ClusterIP
+ {{- end }}

charts/governor/templates/slack-addon-deployment.yaml → charts/governor/templates/slack-addon-deployment.yml

@@ -26,7 +26,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/slack-addon-configmap.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/slack-addon-configmap.yml") . | sha256sum }}
     spec:
     {{- with .Values.slackAddon.podSecurityContext }}
       securityContext:

charts/governor/values.yaml

@@ -105,6 +105,93 @@ api:
       enabled: false
       honeycombKey:
 
+# -- okta-addon settings
+oktaAddon:
+  # -- set to false to disable this addon completely
+  enabled: true
+
+  image:
+    repository: ghcr.io/metal-toolbox/gov-okta-addon
+    tag: 12-4375aa79
+    pullPolicy: IfNotPresent
+
+  # -- set of labels for the application 
+  labels:
+    app.kubernetes.io/instance: gov-okta-addon
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gov-okta-addon
+
+  # -- set of match labels for the application 
+  matchLabels:
+    app.kubernetes.io/instance: gov-okta-addon
+    app.kubernetes.io/name: gov-okta-addon
+
+  # -- set to true to turn on debug logging
+  debug: false
+  # -- set to true for human readable logging
+  pretty: false
+  # -- dryrun on the reconcile loop
+  dryrun: false
+
+  # -- skipDelete, when true, will not delete anything in okta during reconcile loop
+  skipDelete: false
+
+  # -- port used for the gov-okta-addon service
+  port: 8000
+
+  # -- enables the prometheus rules if set to true
+  monitoring:
+    enabled: true
+
+  # -- replicas of the gov-okta-addon
+  replicaCount: 1
+
+  # -- resource settings for the gov-okta-addon
+  resources:
+    limits:
+      cpu: 100m
+      memory: 500Mi
+    requests:
+      cpu: 100m
+      memory: 500Mi
+
+  # -- nats setup for the slack addon
+  nats:
+    url: tls://nats.governor.example.com:4222,
+    credsPath: /nats
+    subjectPrefix: governor.events
+
+    secrets:
+      # -- enable helm secrets, set to `true` if you want to set the value directly in the chart (not recommended)
+      enabled: false
+      # -- nats client credentials secrets
+      natsCreds: 
+      # -- governor client secrets for the governor api
+      governorClientSecret: 
+      # -- token to talk to the okta api
+      oktaToken:
+
+  # -- hydra settings for communication with the governor-api
+  hydra:
+    url: https://hydra.example.com/oauth2/token
+
+  # -- governor-api settings to retrieve required information by the slack addon
+  api:
+    url: https://api.governor.example.com
+    clientId: gov-slack-addon-governor
+
+  okta:
+    # -- This toggle exists because we've seen issue with the sdk caching responses from okta
+    nocache: true
+
+  reconciler:
+    interval: 3600s # update every hour
+    locking: true
+
+  eventlog:
+    lookback: 8h # look back 8 hours of Okta events on startup
+    interval: 30s # run eventlog poller every 30 seconds
+
 # -- slack-addon settings
 slackAddon:
   # -- set to false to disable this addon completely