Initial auth proxy chart

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>

Author: welteki

chart/auth-proxy/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/auth-proxy/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+description: OpenFaaS Authentication Proxy
+name: auth-proxy
+version: 0.0.1
+sources:
+- https://github.com/openfaas/faas-netes
+home: https://www.openfaas.com
+icon: https://raw.githubusercontent.com/openfaas/media/master/OpenFaaS_logo_stacked_opaque.png
+keywords:
+- functions
+- serverless
+- faas
+maintainers:
+- name: alexellis
+  email: [email protected]
+- name: welteki
+  email: [email protected]

chart/auth-proxy/templates/_helpers.tpl

@@ -0,0 +1,44 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "connector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "connector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "connector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "connector.labels" -}}
+helm.sh/chart: {{ include "connector.chart" . }}
+app.kubernetes.io/name: {{ include "connector.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: auth-proxy
+app.kubernetes.io/part-of: openfaas
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}

chart/auth-proxy/templates/deployment.yaml

@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    # Original Helm labels v
+    app: {{ template "connector.name" . }}
+    component: auth-proxy
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    {{- include "connector.labels" . | nindent 4 }}
+  name: {{ template "connector.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ template "connector.name" . }}
+      name: {{ template "connector.name" . }}
+      component: auth-proxy
+  template:
+    metadata:
+      labels:
+        app: {{ template "connector.name" . }}
+        name: {{ template "connector.name" . }}
+        component: auth-proxy
+    spec:
+      {{- if .Values.accessTokenSecret }}
+      serviceAccountName: {{ template "connector.fullname" . }}
+      {{- end }}
+      volumes:
+        - name: license
+          secret:
+            secretName: openfaas-license
+        {{- if .Values.accessTokenSecret }}
+        - name: openfaas-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: openfaas-token
+                expirationSeconds: 7200
+                audience: {{ .Values.gatewayURL }}
+        - name: access-token-secret
+          secret:
+            secretName: {{ .Values.accessTokenSecret }}
+        {{- end }}
+        {{- if .Values.iam.loginIssuer.clientSecret }}
+        - name: oauth-client-secret
+          secret:
+            secretName: {{ .Values.iam.loginIssuer.clientSecret }}
+        {{- end }}
+      containers:
+        - name: auth-proxy
+          image: {{ .Values.image }}
+          command:
+            - "/usr/bin/proxy"
+            - "-license-file=/var/secrets/license/license"
+          env:
+            - name: "public_url"
+              value: {{ .Values.url | quote }}
+            - name: gateway_url
+              value: {{ .Values.gatewayURL | quote }}
+            - name: "debug"
+              value: "{{ .Values.logs.debug }}"
+            - name: "log_encoding"
+              value: "{{ .Values.logs.format }}"
+            {{- if .Values.iam.systemIssuer.url }}
+            - name: system_issuer
+              value: {{ .Values.iam.systemIssuer.url }}
+            {{- end }}
+            {{- if .Values.iam.loginIssuer.url }}
+            - name: login_issuer
+              value: {{ .Values.iam.loginIssuer.url }}
+            - name: login_issuer_client_id
+              value: {{ .Values.iam.loginIssuer.clientId }}
+            {{- end }}
+          resources:
+            {{- .Values.resources | toYaml | nindent 12 }}
+          volumeMounts:
+            - name: license
+              readOnly: true
+              mountPath: "/var/secrets/license"
+            {{- if .Values.accessTokenSecret }}
+            - name: openfaas-token
+              readOnly: true
+              mountPath: /var/secrets/tokens
+            - name: access-token-secret
+              readOnly: true
+              mountPath: /var/secrets/access_token
+            {{- end }}
+            {{- if .Values.iam.loginIssuer.clientSecret }}
+            - name: oauth-client-secret
+              readOnly: true
+              mountPath: /var/secrets/oauth
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}

chart/auth-proxy/templates/policy.yaml

@@ -0,0 +1,17 @@
+ {{- if .Values.accessTokenSecret }}
+apiVersion: iam.openfaas.com/v1
+kind: Policy
+metadata:
+  name: {{ template "connector.fullname" . }}
+  namespace: openfaas
+  labels:
+    {{- include "connector.labels" . | nindent 4 }}
+spec:
+  statement:
+  - sid: 1-invoke
+    action:
+    - Function:Invoke
+    effect: Allow
+    resource:
+      {{- toYaml .Values.iam.resource | nindent 6 }}
+{{- end }}

chart/auth-proxy/templates/role.yaml

@@ -0,0 +1,19 @@
+ {{- if .Values.accessTokenSecret }}
+apiVersion: iam.openfaas.com/v1
+kind: Role
+metadata:
+  name: {{ template "connector.fullname" . }}
+  namespace: openfaas
+  labels:
+    {{- include "connector.labels" . | nindent 4 }}
+spec:
+  policy:
+  - {{ template "connector.fullname" . }}
+  principal:
+    jwt:sub:
+      - "system:serviceaccount:{{ .Release.Namespace }}:{{ template "connector.fullname" . }}"
+  condition:
+    StringEqual:
+      jwt:iss:
+        - {{.Values.iam.kubernetesIssuer.url}}
+{{- end }}

chart/auth-proxy/templates/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-proxy
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ template "connector.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    component: auth-proxy
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      name: http
+      protocol: TCP
+      targetPort: http
+  selector:
+    app: auth-proxy

chart/auth-proxy/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+ {{- if .Values.accessTokenSecret }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "connector.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "connector.labels" . | nindent 4 }}
+{{- end }}

chart/auth-proxy/values.yaml

@@ -0,0 +1,43 @@
+image: docker.io/welteki/auth-proxy:v0.0.1-3-g1b1b4b3
+
+url: "https://auth-proxy.example.com"
+
+gatewayURL: http://gateway.openfaas.svc.cluster.local:8080
+
+accessTokenSecret: ""
+
+iam:
+  # URL for the OpenFaaS system components issuer.
+  # This is usually the public url of the gateway.
+  systemIssuer:
+    url: "http://gateway.openfaas.svc.cluster.local:8080"
+  # URL for the Kubernetes service account issuer.
+  kubernetesIssuer:
+    url: https://kubernetes.default.svc.cluster.local
+  # Use same configuration as the dashboardIssuer in the OpenFaaS chart
+  loginIssuer:
+    url: ""
+    clientId: ""
+    clientSecret: ""
+  # Function resources the auth-proxy should be allow to invoke.
+  resource: ["*"]
+
+
+resources:
+  requests:
+    memory: "64Mi"
+    cpu: "100m"
+  # limits:
+  #   memory: "256Mi"
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+logs:
+  # Log debug messages
+  debug: false
+  # Set the log format, supports console or json
+  format: "console"