add a handful of examples for the various charts #331

Open: wants to merge 2 commits into base: main
116 changes: 116 additions & 0 deletions examples/connect/connect-with-sidecar-sssd.yaml
@@ -0,0 +1,116 @@
# WARNING: no shared storage, so no persistence for this system
sharedStorage:
enabled: false

pod:
volumes:
- name: sssd-emptydir
emptyDir: {}
- name: sssd-config
configMap:
name: sssd-config
defaultMode: 0600
- name: pam-config
configMap:
name: pam-config
defaultMode: 0755
volumeMounts:
- name: sssd-emptydir
mountPath: /var/lib/sss
- name: pam-config
mountPath: /etc/pam.d/common-account
subPath: common-account
- name: pam-config
mountPath: /etc/pam.d/common-session
subPath: common-session
- name: pam-config
mountPath: /etc/pam.d/common-auth
subPath: common-auth
- name: pam-config
mountPath: /etc/pam.d/common-password
subPath: common-password
sidecar:
- name: sssd
image: "some-sssd-image"
imagePullPolicy: "IfNotPresent"
securityContext: {}
volumeMounts:
- name: sssd-emptydir
mountPath: /var/lib/sss
- name: sssd-config
mountPath: /etc/sssd/
Comment on lines +6 to +41
Collaborator

We might be able to use this pattern to support runAsCurrent user with off-host execution. I don't think it would require any changes to Connect since we already assume uid/gid/passwd consistency between Connect and the content Pod.

Contributor Author

😮 That's pretty cool!

Collaborator

@aronatkins pointed out that rsandbox/PAM password forwarding might pose a problem here, but it's worth a spike to see how far this gets us and if there are any other limitations.

extraObjects:
- |
kind: ConfigMap
apiVersion: v1
metadata:
name: sssd-config
namespace: {{ $.Release.Namespace }}
data:
sssd.conf: |
[sssd]
config_file_version=2
domains=example.com
services=nss, pam

[domain/example.com]
access_provider=ldap
auth_provider=ldap
cache_credentials=false
chpass_provider=none
debug_level=6
default_shell=/bin/bash
enumerate=true
id_provider=ldap
ldap_access_filter=(objectClass=inetOrgPerson)
ldap_access_order=filter
ldap_default_authtok=placeholder
ldap_default_bind_dn=cn=bind-account,ou=users,dc=example,dc=com
ldap_group_name=cn
ldap_group_search_base=ou=roles,dc=example,dc=com
ldap_id_use_start_tls=true
ldap_schema=rfc2307bis
ldap_search_base=ou=users,dc=example,dc=com
ldap_tls_cacert=/etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert=never
ldap_uri=ldaps://ldap.example.com
ldap_user_gid_number=gidNumber
ldap_user_name=username
ldap_user_object_class=inetOrgPerson
ldap_user_search_base=ou=users,dc=example,dc=com
ldap_user_uid_number=uidNumber
override_homedir=/mnt/home/%u
sudo_provider=none
- |
kind: ConfigMap
apiVersion: v1
metadata:
name: pam-config
namespace: {{ $.Release.Namespace }}
data:
common-auth: |
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
common-session: |
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
common-account: |
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
common-password: |
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
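Review bot: `ldap_tls_reqcert=never` in the sssd.conf ConfigMap disables server certificate verification for the `ldaps://ldap.example.com` connection, so the CA bundle named in `ldap_tls_cacert` is never actually checked against the server; for an example people will copy, set `ldap_tls_reqcert=demand`, or at least comment that `never` is a debugging-only setting. Relatedly, `ldap_default_authtok=placeholder` is a bind password living in a ConfigMap, so a Secret-backed volume is the better home for sssd.conf, and `debug_level=6` is more verbose than an example needs. Minor: the pam-config volume uses `defaultMode: 0755`, but the PAM fragments are read, not executed, so 0644 is sufficient.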
36 changes: 36 additions & 0 deletions examples/connect/off-host-with-sqlite.yaml
@@ -0,0 +1,36 @@
strategy:
type: Recreate

config:
Database:
Provider: SQLite
Dir: /mnt/db

sharedStorage:
create: true
storageClassName: something-read-write-many # TODO: change this

pod:
volumes:
- name: rsc-db
persistentVolumeClaim:
claimName: connect-database-claim
volumeMounts:
- name: rsc-db
mountPath: /mnt/db

extraObjects:
- |
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: connect-database-claim
namespace: {{ $.Release.Namespace }}
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
storageClassName: something-read-write-once # TODO: change this
resources:
requests:
storage: 32Gi
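Review bot: the example gives no hint why `strategy.type: Recreate` is paired with a `ReadWriteOnce` claim; a one-line comment next to `strategy` saying that the SQLite directory must be mounted by exactly one pod at a time, which a rolling update would violate, would keep readers from "fixing" it back to RollingUpdate. Please also double-check the config keys: here the directory is set as `Database.Dir`, while the package-manager example nests it as `SQLite.Dir`; if Connect expects a separate `SQLite` section as well, this example would silently fall back to the default database location.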
38 changes: 38 additions & 0 deletions examples/package-manager/example-with-sqlite.yaml
@@ -0,0 +1,38 @@
strategy:
type: Recreate
rollingUpdate: null

config:
Database:
Provider: sqlite3
SQLite:
Dir: /mnt/db

sharedStorage:
create: true
storageClassName: something-read-write-many # TODO: change this

pod:
volumes:
- name: rspm-db
persistentVolumeClaim:
claimName: package-manager-database-claim
volumeMounts:
- name: rspm-db
mountPath: /mnt/db

extraObjects:
- |
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: package-manager-database-claim
namespace: {{ $.Release.Namespace }}
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
storageClassName: something-read-write-once # TODO: change this
resources:
requests:
storage: 32Gi
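Review bot: `rollingUpdate: null` appears only in this file, not in the connect or workbench examples that also switch to `Recreate`; if it is needed to clear a `rollingUpdate` block from the chart's default values (the API rejects `rollingUpdate` fields when `type` is `Recreate`), add a comment saying so and consider adding the same line to the other two examples, otherwise drop it for consistency. The two `# TODO: change this` placeholders on `storageClassName` should also state what is required of each class (the shared storage class must support ReadWriteMany, the database claim only ReadWriteOnce) so users know what to substitute.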
38 changes: 38 additions & 0 deletions examples/workbench/off-host-with-sqlite.yaml
@@ -0,0 +1,38 @@
strategy:
type: Recreate

config:
secret:
database.conf:
provider: sqlite
directory: /mnt/db

homeStorage:
create: true
storageClassName: something-read-write-many # TODO: change this


pod:
volumes:
- name: rsw-db
persistentVolumeClaim:
claimName: workbench-database-claim
volumeMounts:
- name: rsw-db
mountPath: /mnt/db

extraObjects:
- |
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: workbench-database-claim
namespace: {{ $.Release.Namespace }}
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
storageClassName: something-read-write-once # TODO: change this
resources:
requests:
storage: 32Gi
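Review bot: the `homeStorage` block is followed by two blank lines where the other examples use one; trim one for consistency. More usefully, a short comment explaining why `homeStorage` needs a ReadWriteMany class while `workbench-database-claim` is `ReadWriteOnce` would help, because as written the two differing `storageClassName` placeholders look like a copy-paste mistake rather than a deliberate choice about which pods open the SQLite directory.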