-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add Helm chart & configure Azure auth
Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com>
- Loading branch information
1 parent
41b36cd
commit 764a6e7
Showing
18 changed files
with
667 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*.orig | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
apiVersion: v2 | ||
name: validator-plugin-azure | ||
description: Perform various Azure validations (Principal RBAC, AAD Application API permissions, and Service Quotas) | ||
type: application | ||
version: 0.0.1 # x-release-please-version | ||
appVersion: "0.0.1" # x-release-please-version |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
|
||
validator-plugin-azure | ||
=========== | ||
|
||
validator-plugin-azure performs a variety of validations against your Azure account. | ||
|
||
|
||
## Configuration | ||
|
||
The following table lists the configurable parameters of the validator-plugin-azure chart and their default values. | ||
|
||
| Parameter | Description | Default | | ||
| ------------------------ | ----------------------- | -------------- | | ||
| `controllerManager.kubeRbacProxy.args` | | `["--secure-listen-address=0.0.0.0:8443", "--upstream=http://127.0.0.1:8080/", "--logtostderr=true", "--v=0"]` | | ||
| `controllerManager.kubeRbacProxy.containerSecurityContext.allowPrivilegeEscalation` | | `false` | | ||
| `controllerManager.kubeRbacProxy.containerSecurityContext.capabilities.drop` | | `["ALL"]` | | ||
| `controllerManager.kubeRbacProxy.image.repository` | | `"gcr.io/kubebuilder/kube-rbac-proxy"` | | ||
| `controllerManager.kubeRbacProxy.image.tag` | | `"v0.14.1"` | | ||
| `controllerManager.kubeRbacProxy.resources.limits.cpu` | | `"500m"` | | ||
| `controllerManager.kubeRbacProxy.resources.limits.memory` | | `"128Mi"` | | ||
| `controllerManager.kubeRbacProxy.resources.requests.cpu` | | `"5m"` | | ||
| `controllerManager.kubeRbacProxy.resources.requests.memory` | | `"64Mi"` | | ||
| `controllerManager.manager.args` | | `["--health-probe-bind-address=:8081", "--metrics-bind-address=127.0.0.1:8080", "--leader-elect"]` | | ||
| `controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation` | | `false` | | ||
| `controllerManager.manager.containerSecurityContext.capabilities.drop` | | `["ALL"]` | | ||
| `controllerManager.manager.image.repository` | | `"quay.io/spectrocloud-labs/validator-plugin-azure"` | | ||
| `controllerManager.manager.image.tag` | x-release-please-version | `"v0.0.1"` | | ||
| `controllerManager.manager.resources.limits.cpu` | | `"500m"` | | ||
| `controllerManager.manager.resources.limits.memory` | | `"128Mi"` | | ||
| `controllerManager.manager.resources.requests.cpu` | | `"10m"` | | ||
| `controllerManager.manager.resources.requests.memory` | | `"64Mi"` | | ||
| `controllerManager.manager.volumeMounts` | | `[]` | | ||
| `controllerManager.replicas` | | `1` | | ||
| `controllerManager.serviceAccount.annotations` | | `{}` | | ||
| `controllerManager.volumes` | | `[]` | | ||
| `kubernetesClusterDomain` | | `"cluster.local"` | | ||
| `metricsService.ports` | | `[{"name": "https", "port": 8443, "protocol": "TCP", "targetPort": "https"}]` | | ||
| `metricsService.type` | | `"ClusterIP"` | | ||
| `auth.secret` | | `{}` | | ||
| `auth.secret.secretName` | | `azure-creds` | | ||
| `auth.serviceAccountName` | | `"ClusterIP"` | | ||
--- | ||
_Documentation generated by [Frigate](https://frigate.readthedocs.io)._ | ||
|
102 changes: 102 additions & 0 deletions
102
chart/validator-plugin-azure/crds/validation.spectrocloud.labs_azurevalidators.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.12.0 | ||
name: azurevalidators.validation.spectrocloud.labs | ||
spec: | ||
group: validation.spectrocloud.labs | ||
names: | ||
kind: AzureValidator | ||
listKind: AzureValidatorList | ||
plural: azurevalidators | ||
singular: azurevalidator | ||
scope: Namespaced | ||
versions: | ||
- name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
description: AzureValidator is the Schema for the azurevalidators API | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: AzureValidatorSpec defines the desired state of AzureValidator | ||
properties: | ||
auth: | ||
properties: | ||
implicit: | ||
description: If true, the AzureValidator will use the Azure SDK's | ||
default credential chain to authenticate. Set to true if using | ||
WorkloadIdentityCredentials. | ||
type: boolean | ||
secretName: | ||
description: Name of a Secret in the same namespace as the AzureValidator | ||
that contains Azure credentials. The secret data's keys and | ||
values are expected to align with valid Azure environment variable | ||
credentials, per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables. | ||
type: string | ||
required: | ||
- implicit | ||
type: object | ||
roleAssignmentRules: | ||
description: Rules for validating role assignments in Azure RBAC. | ||
items: | ||
description: RoleAssignmentRule is a rule that validates that one | ||
or more desired role assignments exist within a subscription. | ||
For each role assignment, the role is specified as its role name | ||
(e.g. "Contributor") or its name (e.g. "b24988ac-6180-42a0-ab88-20f7382dd24c" | ||
for Contributor). If the role name is specified, the validator | ||
takes care of looking up the name automatically. | ||
properties: | ||
roles: | ||
items: | ||
description: "Role allow users to specify either a role's | ||
role name (e.g. \"Contributor\") or a role's name (e.g. | ||
\"b24988ac-6180-42a0-ab88-20f7382dd24c\"), which is the | ||
name of the role with the role name \"Contributor\". This | ||
allows role assignments with custom roles to be validated | ||
too, not just built-in roles. \n If role is specified, it | ||
is used. If role is not specified but role name is specified, | ||
role name is used. If neither are specified, it is a misconfiguration | ||
and validation will fail." | ||
properties: | ||
name: | ||
type: string | ||
roleName: | ||
type: string | ||
type: object | ||
type: array | ||
servicePrincipalId: | ||
type: string | ||
subscriptionId: | ||
type: string | ||
required: | ||
- roles | ||
- servicePrincipalId | ||
- subscriptionId | ||
type: object | ||
type: array | ||
required: | ||
- auth | ||
- roleAssignmentRules | ||
type: object | ||
status: | ||
description: AzureValidatorStatus defines the observed state of AzureValidator | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "chart.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 28 chars because some Kubernetes name fields are limited to 63 chars by the DNS naming spec. | ||
And the longest suffix appended to the chart's full name is 35 chars. | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "chart.fullname" -}} | ||
{{- if .Values.fullnameOverride }} | ||
{{- .Values.fullnameOverride | trunc 28 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- $name := default .Chart.Name .Values.nameOverride }} | ||
{{- if contains $name .Release.Name }} | ||
{{- .Release.Name | trunc 28 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 28 | trimSuffix "-" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "chart.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "chart.labels" -}} | ||
helm.sh/chart: {{ include "chart.chart" . }} | ||
{{ include "chart.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end }} | ||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "chart.selectorLabels" -}} | ||
app.kubernetes.io/name: {{ include "chart.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} | ||
{{/* | ||
Create the name of the service account to use | ||
*/}} | ||
{{- define "chart.serviceAccountName" -}} | ||
{{- if .Values.serviceAccount.create }} | ||
{{- default (include "chart.fullname" .) .Values.serviceAccount.name }} | ||
{{- else }} | ||
{{- default "default" .Values.serviceAccount.name }} | ||
{{- end }} | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ include "chart.fullname" . }}-controller-manager | ||
labels: | ||
app.kubernetes.io/component: manager | ||
app.kubernetes.io/created-by: validator-plugin-azure | ||
app.kubernetes.io/part-of: validator-plugin-azure | ||
control-plane: controller-manager | ||
{{- include "chart.labels" . | nindent 4 }} | ||
spec: | ||
replicas: {{ .Values.controllerManager.replicas }} | ||
selector: | ||
matchLabels: | ||
control-plane: controller-manager | ||
{{- include "chart.selectorLabels" . | nindent 6 }} | ||
template: | ||
metadata: | ||
labels: | ||
control-plane: controller-manager | ||
{{- include "chart.selectorLabels" . | nindent 8 }} | ||
annotations: | ||
kubectl.kubernetes.io/default-container: manager | ||
spec: | ||
containers: | ||
- args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }} | ||
env: | ||
- name: KUBERNETES_CLUSTER_DOMAIN | ||
value: {{ quote .Values.kubernetesClusterDomain }} | ||
image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }} | ||
name: kube-rbac-proxy | ||
ports: | ||
- containerPort: 8443 | ||
name: https | ||
protocol: TCP | ||
resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }} | ||
securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext | nindent 10 }} | ||
- args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }} | ||
command: | ||
- /manager | ||
env: | ||
- name: KUBERNETES_CLUSTER_DOMAIN | ||
value: {{ quote .Values.kubernetesClusterDomain }} | ||
volumeMounts: {{- toYaml .Values.controllerManager.manager.volumeMounts | nindent 10 }} | ||
image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }} | ||
livenessProbe: | ||
httpGet: | ||
path: /healthz | ||
port: 8081 | ||
initialDelaySeconds: 15 | ||
periodSeconds: 20 | ||
name: manager | ||
readinessProbe: | ||
httpGet: | ||
path: /readyz | ||
port: 8081 | ||
initialDelaySeconds: 5 | ||
periodSeconds: 10 | ||
resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }} | ||
securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext | nindent 10 }} | ||
securityContext: | ||
runAsNonRoot: true | ||
{{- if .Values.auth.serviceAccountName }} | ||
serviceAccountName: {{ .Values.auth.serviceAccountName }} | ||
{{- else }} | ||
serviceAccountName: {{ include "chart.fullname" . }}-controller-manager | ||
{{- end }} | ||
terminationGracePeriodSeconds: 10 | ||
volumes: {{- toYaml .Values.controllerManager.volumes | nindent 8 }} |
Oops, something went wrong.