{{- /*
Secrets rendered by the chart: cloud credentials (AWS, Azure, Google, vSphere),
the image-pull config, dashboard authentication (basic, token, OIDC, OpenShift,
LDAP) and the encryption primary-key reference. Every Secret is wrapped in a
condition, so a release renders only the documents its values ask for. Values
land under `data:` after `b64enc`; the exceptions are called out inline.
Indentation in this file is significant for the rendered YAML; the `{{-` / `-}}`
trim markers are load-bearing and are explained where they matter.
*/}}
{{- /*
Chart helpers defined elsewhere in the chart, not in this file. From their names
they presumably refuse to render when more than one cloud / Azure credential
style is configured and validate the image-pull secret values -- confirm in the
helper definitions; this file only invokes them and emits nothing here.
*/}}
{{- include "enforce.singlecloudcreds" . -}}
{{- include "enforce.singleazurecreds" . -}}
{{- include "check.validateImagePullSecrets" . -}}
{{- /*
AWS static credentials. `required` aborts the render with the quoted message
when a value is empty, so a partially configured key pair never produces a
Secret with a missing field. Only the IAM role is `trim`med; leading/trailing
whitespace in the key id or secret key would be encoded into the Secret as-is.
*/}}
{{- if eq (include "check.awscreds" . ) "true" }}
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: aws-creds
type: Opaque
data:
  aws_access_key_id: {{ required "secrets.awsAccessKeyId field is required!" .Values.secrets.awsAccessKeyId | b64enc | quote }}
  aws_secret_access_key: {{ required "secrets.awsSecretAccessKey field is required!" .Values.secrets.awsSecretAccessKey | b64enc | quote }}
{{- if .Values.secrets.awsIamRole }}
  role: {{ .Values.secrets.awsIamRole | trim | b64enc | quote }}
{{- end }}
{{- end }}
{{- /*
Image-pull secret. `or` takes secrets.dockerConfig verbatim when it is set and
otherwise base64-encodes secrets.dockerConfigPath, so dockerConfig must already
be base64 while dockerConfigPath is treated as raw file content (presumably
supplied with --set-file; a plain path string would be encoded as the path
itself -- confirm against the values documentation). Neither branch is passed
through `quote`, unlike most entries in this file.
*/}}
{{- if or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: k10-ecr
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }}
{{- end }}
{{- /*
Google service-account key. secrets.googleApiKey is emitted into `data:` with no
`b64enc`, so unlike the other credentials it must be supplied already
base64-encoded (Kubernetes requires `data` values to be base64). The project id
is encoded here but, like the key, not `quote`d.
*/}}
{{- if eq (include "check.googlecreds" .) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: google-secret
type: Opaque
data:
  kasten-gke-sa.json: {{ .Values.secrets.googleApiKey }}
{{- if eq (include "check.googleproject" .) "true" }}
  kasten-gke-project: {{ .Values.secrets.googleProjectId | b64enc }}
{{- end }}
{{- end }}
{{- /*
Azure credentials. Which identity fields are mandatory follows the helper
verdicts: the client id is required for both the MSI-with-client-id and the
client-secret styles, tenant id and client secret only for the client-secret
style. The remaining fields default to "" (b64enc of "" is ""), so they are
always present in the Secret, empty when unset.
*/}}
{{- if eq (include "check.azurecreds" .) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: azure-creds
type: Opaque
data:
{{- if or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureClientSecretCreds" .) "true") }}
  azure_client_id: {{ required "secrets.azureClientId field is required!" .Values.secrets.azureClientId | b64enc | quote }}
{{- end }}
{{- if eq (include "check.azureClientSecretCreds" .) "true" }}
  azure_tenant_id: {{ required "secrets.azureTenantId field is required!" .Values.secrets.azureTenantId | b64enc | quote }}
  azure_client_secret: {{ required "secrets.azureClientSecret field is required!" .Values.secrets.azureClientSecret | b64enc | quote }}
{{- end }}
  azure_resource_group: {{ default "" .Values.secrets.azureResourceGroup | b64enc | quote }}
  azure_subscription_id: {{ default "" .Values.secrets.azureSubscriptionID | b64enc | quote }}
  azure_resource_manager_endpoint: {{ default "" .Values.secrets.azureResourceMgrEndpoint | b64enc | quote }}
  azure_ad_endpoint: {{ default "" .Values.secrets.azureADEndpoint | b64enc | quote }}
  azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }}
  azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }}
{{- end }}
{{- /*
vSphere endpoint and login; all three fields are mandatory and base64-encoded.
*/}}
{{- if eq (include "check.vspherecreds" .) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
  name: vsphere-creds
type: Opaque
data:
  vsphere_endpoint: {{ required "secrets.vsphereEndpoint field is required!" .Values.secrets.vsphereEndpoint | b64enc | quote }}
  vsphere_username: {{ required "secrets.vsphereUsername field is required!" .Values.secrets.vsphereUsername | b64enc | quote }}
  vsphere_password: {{ required "secrets.vspherePassword field is required!" .Values.secrets.vspherePassword | b64enc | quote }}
{{- end }}
{{- /*
Basic-auth htpasswd Secret, rendered only when basic auth is enabled (helper
`basicauth.check`, defined elsewhere) and the operator did not point
auth.basicAuth.secretName at a Secret they manage themselves. The whole
htpasswd file content is stored under the `auth` key.
*/}}
{{- if and (eq (include "basicauth.check" .) "true") (not .Values.auth.basicAuth.secretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-basic-auth
  namespace: {{ .Release.Namespace }}
data:
  auth: {{ required "auth.basicAuth.htpasswd field is required!" .Values.auth.basicAuth.htpasswd | b64enc | quote}}
type: Opaque
{{- end }}
{{- /*
Token-auth marker. The `auth` value is the literal string "true", not a token;
presumably the consumer reads it as an enable flag -- nothing sensitive is
stored here.
*/}}
{{- if .Values.auth.tokenAuth.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-token-auth
  namespace: {{ .Release.Namespace }}
data:
  auth: {{ "true" | b64enc | quote}}
type: Opaque
{{- end }}
{{- /*
OIDC client configuration, rendered only when the operator has not supplied a
pre-existing Secret via auth.oidcAuth.secretName. Provider/redirect URL, client
id/secret and scopes are mandatory; the other fields carry chart defaults.
refreshTokenSupport is stored as the string "true"/"false"; the untrimmed
`{{ end }}` after it leaves one blank line before stringData, which YAML ignores.
*/}}
{{- if and .Values.auth.oidcAuth.enabled (not .Values.auth.oidcAuth.secretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-oidc-auth
  namespace: {{ .Release.Namespace }}
data:
  provider-url: {{ required "auth.oidcAuth.providerURL field is required!" .Values.auth.oidcAuth.providerURL | b64enc | quote }}
  redirect-url: {{ required "auth.oidcAuth.redirectURL field is required!" .Values.auth.oidcAuth.redirectURL | b64enc | quote }}
  client-id: {{ required "auth.oidcAuth.clientID field is required!" .Values.auth.oidcAuth.clientID | b64enc | quote }}
  client-secret: {{ required "auth.oidcAuth.clientSecret field is required!" .Values.auth.oidcAuth.clientSecret | b64enc | quote }}
  scopes: {{ required "auth.oidcAuth.scopes field is required!" .Values.auth.oidcAuth.scopes | b64enc | quote }}
  prompt: {{ default "select_account" .Values.auth.oidcAuth.prompt | b64enc | quote }}
  usernameClaim: {{ default "sub" .Values.auth.oidcAuth.usernameClaim | b64enc | quote }}
  usernamePrefix: {{ default "" .Values.auth.oidcAuth.usernamePrefix | b64enc | quote }}
  groupClaim: {{ default "" .Values.auth.oidcAuth.groupClaim | b64enc | quote }}
  groupPrefix: {{ default "" .Values.auth.oidcAuth.groupPrefix | b64enc | quote }}
  sessionDuration: {{ default "1h" .Values.auth.oidcAuth.sessionDuration | b64enc | quote }}
{{- if .Values.auth.oidcAuth.refreshTokenSupport }}
  refreshTokenSupport: {{ "true" | b64enc | quote }}
{{- else }}
  refreshTokenSupport: {{ "false" | b64enc | quote }}
{{ end }}
{{- /*
groupAllowList: `{{- range` drops the newline after `|-`, the newline at the
start of the loop body puts each entry on its own indented line, `{{ . -}}`
trims up to `{{ end }}`, and the untrimmed `{{ end }}` supplies the newline
before the next key. Changing any of these trim markers merges or splits lines
of the block scalar; with an empty list the scalar is simply "".
NOTE(review): logout-url sits under `stringData:`, where the API server
base64-encodes the literal value itself, yet it is already `b64enc`ed here, so
it is stored double-encoded. Either the consumer expects that or the key belongs
under `data:` -- confirm before changing.
*/}}
stringData:
  groupAllowList: |-
{{- range $.Values.auth.groupAllowList }}
    {{ . -}}
{{ end }}
  logout-url: {{ default "" .Values.auth.oidcAuth.logoutURL | b64enc | quote }}
type: Opaque
{{- end }}
{{- /*
OpenShift login through the in-cluster Dex. provider-url is the dashboard URL
plus "/dex"; redirect-url is the dashboard URL with the route path (or, without
a route, the ingress urlPath; both default to the release name) and any trailing
"/" stripped. The Dex client id/secret are fixed literals (`printf` with no
arguments is just the string), visible to anyone with the chart, so they cannot
act as a confidentiality control; what bounds their use is Dex's static-client
definition and the redirect-url above -- confirm Dex is configured with matching
values. This Secret shares the name k10-oidc-auth with the oidcAuth and ldap
variants; nothing in this file stops several auth modes being enabled together,
which would emit duplicate Secret documents -- presumably guarded elsewhere
(verify). `and` with a single operand is a no-op.
*/}}
{{- if and .Values.auth.openshift.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-oidc-auth
  namespace: {{ .Release.Namespace }}
data:
  provider-url: {{ required "auth.openshift.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL)) | b64enc | quote }}
{{- if .Values.route.enabled }}
  redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
{{- else }}
  redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
{{- end }}
  client-id: {{ (printf "kasten") | b64enc | quote }}
  client-secret: {{ (printf "kastensecret") | b64enc | quote }}
  scopes: {{ (printf "groups profile email") | b64enc | quote }}
  prompt: {{ (printf "select_account") | b64enc | quote }}
  usernameClaim: {{ default "email" .Values.auth.openshift.usernameClaim | b64enc | quote }}
  usernamePrefix: {{ default "" .Values.auth.openshift.usernamePrefix | b64enc | quote }}
  groupClaim: {{ default "groups" .Values.auth.openshift.groupClaim | b64enc | quote }}
  groupPrefix: {{ default "" .Values.auth.openshift.groupPrefix | b64enc | quote }}
{{- /*
Same block-scalar trim layout as the oidcAuth Secret above; keep the markers.
*/}}
stringData:
  groupAllowList: |-
{{- range $.Values.auth.groupAllowList }}
    {{ . -}}
{{ end }}
type: Opaque
{{- end }}
{{- /*
LDAP login through Dex; mirrors the OpenShift block (same fixed Dex client,
same URL derivation, same Secret name k10-oidc-auth) using auth.ldap.* values.
Rendered only when the operator has not supplied auth.ldap.secretName.
*/}}
{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.secretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-oidc-auth
  namespace: {{ .Release.Namespace }}
data:
  provider-url: {{ required "auth.ldap.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL)) | b64enc | quote }}
{{- if .Values.route.enabled }}
  redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
{{- else }}
  redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
{{- end }}
  client-id: {{ (printf "kasten") | b64enc | quote }}
  client-secret: {{ (printf "kastensecret") | b64enc | quote }}
  scopes: {{ (printf "groups profile email") | b64enc | quote }}
  prompt: {{ (printf "select_account") | b64enc | quote }}
  usernameClaim: {{ default "email" .Values.auth.ldap.usernameClaim | b64enc | quote }}
  usernamePrefix: {{ default "" .Values.auth.ldap.usernamePrefix | b64enc | quote }}
  groupClaim: {{ default "groups" .Values.auth.ldap.groupClaim | b64enc | quote }}
  groupPrefix: {{ default "" .Values.auth.ldap.groupPrefix | b64enc | quote }}
{{- /*
Same block-scalar trim layout as the oidcAuth Secret above; keep the markers.
*/}}
stringData:
  groupAllowList: |-
{{- range $.Values.auth.groupAllowList }}
    {{ . -}}
{{ end }}
type: Opaque
{{- end }}
{{- /*
LDAP bind password for Dex, rendered unless the operator supplies their own
Secret through auth.ldap.bindPWSecretName. This is the only LDAP value that is
an actual credential; the k10-oidc-auth Secret above holds configuration.
*/}}
{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.bindPWSecretName) }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-dex
  namespace: {{ .Release.Namespace }}
data:
  bindPW: {{ required "auth.ldap.bindPW field is required!" .Values.auth.ldap.bindPW | b64enc | quote }}
type: Opaque
{{- end }}
{{- /*
Encryption primary-key reference (helper `check.primaryKey`, defined elsewhere,
decides whether one is configured). Only identifiers are stored -- an AWS CMK
key id and/or a Vault transit key name with its mount path (default "transit")
-- never key material. The `default ""` on the guarded fields is redundant given
the enclosing `if`, which already requires a non-empty value.
*/}}
{{- if eq (include "check.primaryKey" . ) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: k10-encryption-primary-key
  namespace: {{ .Release.Namespace }}
data:
{{- if .Values.encryption.primaryKey.awsCmkKeyId }}
  awscmkkeyid: {{ default "" .Values.encryption.primaryKey.awsCmkKeyId | trim | b64enc | quote }}
{{- end }}
{{- if .Values.encryption.primaryKey.vaultTransitKeyName }}
  vaulttransitkeyname: {{ default "" .Values.encryption.primaryKey.vaultTransitKeyName | trim | b64enc | quote }}
  vaulttransitpath: {{ default "transit" .Values.encryption.primaryKey.vaultTransitPath | trim | b64enc | quote }}
{{- end }}
type: Opaque
{{- end }}