add enterprise helm chart (pomerium#217)

Signed-off-by: Travis Groth <[email protected]>

.ct-release.yaml

@@ -3,3 +3,4 @@ target-branch: master
 all: true
 chart-repos:
   - redis=https://charts.bitnami.com/bitnami
+validate-maintainers: false

.ct.yaml

@@ -2,3 +2,4 @@ chart-dirs: charts
 target-branch: master
 chart-repos:
   - redis=https://charts.bitnami.com/bitnami
+validate-maintainers: false

.github/workflows/test.yaml

@@ -38,4 +38,4 @@ jobs:
 
       - name: Chart install
         run: |
-          ct install --config .ct.yaml
+          ct install --config .ct.yaml --excluded-charts pomerium-console

.helmdocsignore

@@ -0,0 +1 @@
+charts/pomerium

Makefile

@@ -0,0 +1,8 @@
+GO ?= "go"
+
+# Generate helm docs
+.PHONY: docs
+docs:
+	@echo "==> $@"
+	@cd /tmp; GO111MODULE=on $(GO) get github.com/norwoodj/helm-docs/cmd/helm-docs
+	helm-docs

charts/pomerium-console/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/pomerium-console/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: pomerium-console
+description: Pomerium Enterprise Console
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 7.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 0.15.0
+
+maintainers:
+  - name: Pomerium Developers
+    url: https://www.pomerium.com
+
+home: https://www.pomerium.com

charts/pomerium-console/README.md

@@ -0,0 +1,103 @@
+# pomerium-console
+
+![Version: 7.0.0](https://img.shields.io/badge/Version-7.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+
+Pomerium Enterprise Console
+
+**Homepage:** <https://www.pomerium.com>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Pomerium Developers |  | https://www.pomerium.com |
+
+Installation
+-------------
+
+pomerium-console requires the shared secret of your existing databroker and a supported RDBMS backend to install.
+
+```bash
+helm install pomerium-enterprise/pomerium-console \
+    --set database.type=pg \
+    --set database.username=pomerium \
+    --set database.password=strongpassword \
+    --set database.host=pghost.local \
+    --set database.name=pomerium-console \
+    --set config.sharedSecret=ZGVhZGJlZWZkZWFkYmVlZmRlYWRiZWVmCg== \
+    --set config.databaseEncryptionKey=hDiBsQ6MJFr2y9jhT6c2Uu3lHw9/IpULfBJyesjPWpE= \
+    --set config.signingKey=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUtGcE1UV0JBOWpCZ2R0SWo5ajZYZ08vRDEvVENtUlM4a3gydjc2Z3V4dFdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFUVROeU1VaGVFbmY1VFFidnhKdkNtR3VHbzduL1lFaWFvR0luQWNEWkkxdGxoek1ON05ONwp4b3ZWUkZlbEkzc29ZM04xbElwVEdObkpkQWQyWmZwWWJRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= \
+    --set config.audience=console.localhost.pomerium.io
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Specify node `affinity` for the deployment |
+| autoscaling.enabled | bool | `false` |  |
+| autoscaling.maxReplicas | int | `3` |  |
+| autoscaling.minReplicas | int | `1` |  |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| config.administrators | string | `""` | Set to boostrap permissions to the console or recover from a misconfiguration.  Overrides permissions in the database. |
+| config.audience | string | `""` | **Required** console's external URL.  This should match the `from` in Pomerium Core's config. |
+| config.customerId | string | `""` | Override default customerId |
+| config.databaseEncryptionKey | string | `""` | **Required** encryption key for protecting sensitive data in the database |
+| config.databrokerServiceUrl | string | `https://pomerium-databroker.[release namespace].svc.cluster.local` | Override the URL default to the Pomerium Cache service |
+| config.prometheusUrl | string | `""` | Set URL for external prometheus server.  An embedded server is used if left unset. |
+| config.sharedSecret | string | `""` | **Required** Secures communication with the databroker.  Must match Pomerium `shared_secret` parameter. |
+| config.signingKey | string | `""` | **Required** Set the public key for verifying the Pomerium attestation JWT header |
+| database.additionalDSNOptions | string | `""` | Set custom DSN connection options |
+| database.host | string | `""` | Set the database hostname |
+| database.name | string | `""` | Set the name of the database or schema |
+| database.password | string | `""` | Set the database password |
+| database.sslmode | string | `""` | Set appropriately for your database driver |
+| database.tls.ca | string | `""` | A custom CA certificate when communicating with the database |
+| database.tls.caSecretKey | string | `"tls.crt"` | Set the key name containing the CA certificate in the existingCASecret |
+| database.tls.cert | string | `""` | Set a TLS client certificate for the database connection |
+| database.tls.existingCASecret | string | `""` | Use an existing secret containing the CA certificate for the database connection |
+| database.tls.existingSecret | string | `""` | Use an existing secret containing the client TLS keypair for the database connection |
+| database.tls.key | string | `""` | Set a TLS client key for the database connection |
+| database.type | string | `""` | **Required** Set database driver type.  This can be `pg`, `my` or sqlite for postgres, mysql or sqlite respectively |
+| database.username | string | `""` | Set the database username |
+| fullnameOverride | string | `""` | Override full release name |
+| image.pullPassword | string | `""` | Set to automatically generate an image pull secret |
+| image.pullPolicy | string | `"IfNotPresent"` | The iamge pull policy |
+| image.pullUsername | string | `""` | Set to automatically generate an image pull secret |
+| image.repository | string | `"docker.cloudsmith.io/pomerium/enterprise/pomerium-console"` | The image repository source |
+| image.tag | string | `""` | Override the image tag from the chart appVersion |
+| imagePullSecrets | list | `[]` | Reference a list secrets containing image pull credentials for the deployment |
+| ingress.annotations | object | `{}` | Set custom annoations on the Ingress resource |
+| ingress.enabled | bool | `false` | Enable an Ingress resource for the deployment.  This should be disabled unless your Pomerium core deployment is running outside the cluster. |
+| ingress.hosts | list | `[{"host":"chart-example.local","paths":[]}]` | Specify host and path matching for the Ingress resource.  Required if setting `ingress.enabled` to true |
+| ingress.tls | list | `[]` | Set a list of Ingress TLS secrets |
+| nameOverride | string | `""` | Override the name of the chart |
+| nodeSelector | object | `{}` | Specify node `selector` parameters for the deployment |
+| persistence | object | `{"accessModes":["ReadWriteOnce"],"enabled":false,"finalizers":["kubernetes.io/pvc-protection"],"size":"1Gi"}` | FOR TESTING ONLY.  There is no migration path from embedded (sqlite) to an external RDBMS. |
+| podAnnotations | object | `{}` | Set annotations on all pods |
+| podSecurityContext | object | `{}` | Set security context on all pods |
+| prometheus.enabled | bool | `true` | Enable using an embedded prometheus service if no external URL is provided |
+| prometheus.persistence.accessModes[0] | string | `"ReadWriteOnce"` |  |
+| prometheus.persistence.annotations | object | `{}` |  |
+| prometheus.persistence.enabled | bool | `false` | Enable storage persistence for embedded prometheus |
+| prometheus.persistence.existingClaim | string | `""` |  |
+| prometheus.persistence.finalizers[0] | string | `"kubernetes.io/pvc-protection"` |  |
+| prometheus.persistence.size | string | `"10Gi"` |  |
+| prometheus.persistence.storageClassName | string | `""` |  |
+| replicaCount | int | `1` | Sets the number of pod replicas deployed |
+| resources | object | `{"requests":{"cpu":"500m","memory":"500Mi"}}` | Specify the kubernetes resources for the pods.  Minimal `requests` have been set and should be adjusted for your environment. |
+| securityContext | object | `{}` | Set security context on all containers |
+| service.type | string | `"ClusterIP"` | Set service type.  This should be ClusterIP unless your Pomerium Core deployment is running on a separate cluster. |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| tls.ca | string | `""` | A custom CA certificate when communicating with Pomerium Core |
+| tls.caSecretKey | string | `"tls.crt"` | Set the key name containing the CA certificate in the existingCASecret |
+| tls.cert | string | `""` | TLS server cert |
+| tls.enabled | bool | `true` | Enable TLS server support (strongly recommended) |
+| tls.existingCASecret | string | `""` | Use an existing secret for a CA certificate when communicating with Pomerium Core |
+| tls.existingSecret | string | `""` | Use an existing secret for TLS certificates |
+| tls.forceGenerate | bool | `false` | Regenerate certificates.  Enable if you need to recreate your certificates after initial chart install, or want to enable `tls.generate` after the chart has already been installed. |
+| tls.generate | bool | `true` | Automatically generate a CA and certificates for TLS termination when chart is initially installed. |
+| tls.key | string | `""` | TLS server key |
+| tolerations | list | `[]` | Specify node `tolerations` for the deployment |

charts/pomerium-console/README.md.gotmpl

@@ -0,0 +1,34 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+Installation
+-------------
+
+pomerium-console requires the shared secret of your existing databroker and a supported RDBMS backend to install.
+
+```bash
+helm install pomerium-enterprise/pomerium-console \
+    --set database.type=pg \
+    --set database.username=pomerium \
+    --set database.password=strongpassword \
+    --set database.host=pghost.local \
+    --set database.name=pomerium-console \
+    --set config.sharedSecret=ZGVhZGJlZWZkZWFkYmVlZmRlYWRiZWVmCg== \
+    --set config.databaseEncryptionKey=hDiBsQ6MJFr2y9jhT6c2Uu3lHw9/IpULfBJyesjPWpE= \
+    --set config.signingKey=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUtGcE1UV0JBOWpCZ2R0SWo5ajZYZ08vRDEvVENtUlM4a3gydjc2Z3V4dFdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFUVROeU1VaGVFbmY1VFFidnhKdkNtR3VHbzduL1lFaWFvR0luQWNEWkkxdGxoek1ON05ONwp4b3ZWUkZlbEkzc29ZM04xbElwVEdObkpkQWQyWmZwWWJRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= \
+    --set config.audience=console.localhost.pomerium.io
+```
+
+{{ template "chart.valuesSection" . }}

charts/pomerium-console/templates/NOTES.txt

@@ -0,0 +1,21 @@
+{{- include "pomerium-console.valuesCheck" . -}}
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "pomerium-console.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "pomerium-console.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "pomerium-console.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ include "pomerium-console.web.port" . }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  echo "Visit {{ include "pomerium-console.web.scheme" . }}://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ include "pomerium-console.fullname" . }} 8080:{{ include "pomerium-console.web.port" . }}
+{{- end }}