From 921b31a74eb1bf15f4dff0ce8e393cb85bdb8773 Mon Sep 17 00:00:00 2001
From: Daniel WIlson
Date: Thu, 24 Aug 2023 09:40:59 -0600
Subject: [PATCH] feat: added configuration for TLS enabled hydra admin services (#636)
---
 hacks/values/hydra-maester.yaml | 7 +++++++
 .../hydra-maester/templates/deployment.yaml | 21 +++++++++++++++++--
 helm/charts/hydra-maester/values.yaml | 18 +++++++++++++++-
 3 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/hacks/values/hydra-maester.yaml b/hacks/values/hydra-maester.yaml
index 8093a7391..b171741fb 100644
--- a/hacks/values/hydra-maester.yaml
+++ b/hacks/values/hydra-maester.yaml
@@ -10,3 +10,10 @@ deployment:
 serviceAccount:
 annotations:
 ory.sh/pod_annotation: hydra-maester
+ extraVolumes:
+ - name: "test-volume"
+ emptyDir:
+ sizeLimit: 1Mi
+ extraVolumeMounts:
+ - name: "test-volume"
+ mountPath: /test-volume
diff --git a/helm/charts/hydra-maester/templates/deployment.yaml b/helm/charts/hydra-maester/templates/deployment.yaml
index c7eddd24c..d747b1d20 100644
--- a/helm/charts/hydra-maester/templates/deployment.yaml
+++ b/helm/charts/hydra-maester/templates/deployment.yaml
@@ -1,3 +1,6 @@
+{{- if and (ne .Values.adminService.scheme "http") (ne .Values.adminService.scheme "https") -}}
+{{ fail "invalid scheme: must be http or https" }}
+{{- end -}}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -40,6 +43,10 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ volumes:
+ {{- if .Values.deployment.extraVolumes }}
+ {{- toYaml .Values.deployment.extraVolumes | nindent 8 }}
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
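Review bot: The new `fail` in the scheme guard reports only `invalid scheme: must be http or https`, so a user who set `adminService.scheme: HTTPS` or left the key empty gets no hint of what was actually received; `{{ fail (printf "invalid adminService.scheme %q: must be http or https" .Values.adminService.scheme) }}` echoes the offending value and names the key it belongs to. Placing the guard ahead of the `---` document start is the right spot, since it renders nothing when it passes.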
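Review bot: `volumes:` is emitted unconditionally while only its items are guarded, so with the default `deployment.extraVolumes: []` every rendered pod spec carries `volumes:` with a null value; the API server tolerates that, but strict schema validators may not, and it is noise in every manifest. Wrapping the key itself in the condition avoids it, and `with` keeps the `toYaml` call short; the same shape applies to `volumeMounts:` in the @@ -62 hunk of this file. Indentation below is assumed from the surrounding `nindent 8`.
```yaml
      {{- with .Values.deployment.extraVolumes }}
      volumes:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
```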
@@ -48,8 +55,8 @@ spec:
 - /manager
 args:
 - --metrics-addr=127.0.0.1:8080
- - --hydra-url=http://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
- - --hydra-port={{ .Values.adminService.port | default 4445 }}
+ - --hydra-url={{ required "scheme is required" .Values.adminService.scheme }}://{{ .Values.adminService.name | default ( include "hydra-maester.adminService" . ) }}
+ - --hydra-port={{ .Values.adminService.port }}
 {{- with .Values.adminService.endpoint }}
 - --endpoint={{ . }}
 {{- end }}
@@ -62,6 +69,16 @@ spec:
 {{- if .Values.deployment.args.syncPeriod }}
 - --sync-period={{ .Values.deployment.args.syncPeriod }}
 {{- end }}
+ {{- if .Values.adminService.insecureSkipVerify }}
+ - --insecure-skip-verify={{ .Values.adminService.insecureSkipVerify }}
+ {{- end}}
+ {{- if .Values.adminService.tlsTrustStorePath }}
+ - --tls-trust-store={{ .Values.adminService.tlsTrustStorePath }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.deployment.extraVolumeMounts }}
+ {{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.deployment.resources | nindent 12 }}
 terminationMessagePath: /dev/termination-log
diff --git a/helm/charts/hydra-maester/values.yaml b/helm/charts/hydra-maester/values.yaml
index d013daca9..d13051407 100644
--- a/helm/charts/hydra-maester/values.yaml
+++ b/helm/charts/hydra-maester/values.yaml
@@ -28,10 +28,16 @@ adminService:
 # -- Service name
 name:
 # -- Service port
- port:
+ port: 4445
 # -- Set the clients endpoint, should be `/clients` for Hydra 1.x and
 # `/admin/clients` for Hydra 2.x
 endpoint: /admin/clients
+ # -- Scheme used by Hydra client endpoint. May be "http" or "https"
+ scheme: http
+ # -- TLS ca-cert path for hydra client
+ tlsTrustStorePath: ""
+ # -- Skip http client insecure verification
+ insecureSkipVerify: false
 forwardedProto:
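Review bot: `- --hydra-port={{ .Values.adminService.port }}` drops the `| default 4445` fallback the removed line had, so a values file written against the previous chart, where `port:` was empty by default, now renders `--hydra-port=` with nothing after it instead of the 4445 it used to get; keep `- --hydra-port={{ .Values.adminService.port | default 4445 }}`, or wrap the value in `required`, so an unset port cannot silently reach the manager. The `required "scheme is required"` on the `--hydra-url` line appears redundant with the guard added at the top of this template, which already rejects anything other than http/https; whether an unset scheme reaches that guard cleanly depends on the engine's nil comparison, so keeping one of the two checks rather than both seems enough. The `args:` list continues outside the hunk.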
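Review bot: `{{- end}}` closing the insecure-skip-verify block is missing the space every neighbouring `{{- end }}` has; harmless to the renderer but inconsistent. More importantly, `--tls-trust-store` receives a path inside the container and nothing in the chart places a file there, so the CA bundle can only arrive through the new `deployment.extraVolumes`/`extraVolumeMounts`; a template comment above the block, `{{- /* tlsTrustStorePath must point at a file mounted via deployment.extraVolumeMounts */ -}}`, would make that dependency visible where the flag is set. The container spec continues outside the hunk.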
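Review bot: The comment on `insecureSkipVerify`, `# -- Skip http client insecure verification`, does not say what is actually being switched off; `# -- Disable TLS certificate verification of the Hydra admin API; for test setups only, prefer tlsTrustStorePath with a trusted CA` states it plainly. Likewise `# -- TLS ca-cert path for hydra client` should say the path is inside the container and has to be mounted via deployment.extraVolumes/extraVolumeMounts, and `# -- Scheme used by Hydra client endpoint. May be "http" or "https"` reads better as `# -- Scheme used to reach the Hydra admin API, "http" or "https"`. If these `# --` comments feed a generated README, as their helm-docs-style form suggests, the wording ends up in user-facing documentation.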
@@ -49,6 +55,16 @@ deployment:
 # cpu: 100m
 # memory: 20Mi
+ # -- If you want to mount external volume
+ extraVolumes: []
+ # - name: my-volume
+ # secret:
+ # secretName: my-secret
+ extraVolumeMounts: []
+ # - name: my-volume
+ # mountPath: /etc/secrets/my-secret
+ # readOnly: true
+
 # -- Default security context
 securityContext:
 capabilities:
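Review bot: `extraVolumeMounts` has no `# --` description while its sibling `extraVolumes` does, so the two keys will be documented inconsistently; `# -- Additional volumeMounts for the manager container, e.g. the CA file referenced by adminService.tlsTrustStorePath` fills the gap, and `# -- If you want to mount external volume` above `extraVolumes` reads better as `# -- Additional volumes added to the pod, mounted via extraVolumeMounts`. The commented example with a `secret` source and `readOnly: true` is a good fit for the CA use case this commit introduces.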