diff --git a/charts/akeyless-gateway/.helmignore b/charts/akeyless-gateway/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/akeyless-gateway/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/akeyless-gateway/Chart.yaml b/charts/akeyless-gateway/Chart.yaml
new file mode 100644
index 0000000..a368162
--- /dev/null
+++ b/charts/akeyless-gateway/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: akeyless-gateway
+version: 1.0.0
+description: A Helm chart for Kubernetes that deploys akeyless-gateway
+type: application
+keywords:
+ - akeyless-gateway
+ - sra
+maintainers:
+ - name: Akeyless
+icon: https://akeyless-908832575.imgix.net/wp-content/uploads/2024/03/akeyless-2024.png?auto=format%2Ccompress&fm=webp&ixlib=php-3.3.0
+
+appVersion: 4.23.0_2.3.1
+
+annotations:
+ gatewayVersion: 4.23.0
+ sraVersion: 2.3.1
diff --git a/charts/akeyless-gateway/README.md b/charts/akeyless-gateway/README.md
new file mode 100644
index 0000000..f9e9132
--- /dev/null
+++ b/charts/akeyless-gateway/README.md
@@ -0,0 +1,36 @@
+# Akeyless Gateway
+
+This repository contains the official Akeyless Gateway Helm chart for installing and configuring the Gateway on Kubernetes.
+
+For full documentation on this Helm chart please see the [official docs](https://docs.akeyless.io/docs/gateway-chart)
+
+
+## Prerequisites
+
+To use the charts here, [Helm](https://helm.sh/) must be configured for your
+Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of
+this README. Please refer to the Kubernetes and Helm documentation.
+
+### Horizontal Autoscaling
+
+The Kubernetes [metrics server](https://github.com/kubernetes-sigs/metrics-server) must be configured in your cluster.
+
+
+## Add Akeyless Repository
+
+To install the latest version of this chart, add the Akeyless Helm repository
+
+```bash
+helm repo add akeyless https://akeylesslabs.github.io/helm-charts
+helm repo update
+```
+
+## Installing the Chart
+
+Please see all supported options directly on the Akeyless Docs website along with more
+detailed installation instructions.
+
+To install the chart run the following:
+```bash
+helm install gateway akeyless/akeyless-gateway
+```
diff --git a/charts/akeyless-gateway/templates/_helpers.tpl b/charts/akeyless-gateway/templates/_helpers.tpl
new file mode 100644
index 0000000..51683d9
--- /dev/null
+++ b/charts/akeyless-gateway/templates/_helpers.tpl
@@ -0,0 +1,442 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "akeyless-gateway.name" -}}
+ {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "akeyless-gateway.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "akeyless-gateway.chart" -}}
+ {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "akeyless-gateway.labels" -}}
+helm.sh/chart: {{ include "akeyless-gateway.chart" . }}
+{{ include "akeyless-gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/part-of: {{ include "akeyless-gateway.name" . }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "akeyless-gateway.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "akeyless-gateway.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "akeyless-gateway.containerName" -}}
+ {{- print "akeyless-gateway" -}}
+{{- end -}}
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "akeyless-gateway.serviceAccountName" -}}
+{{- if .Values.globalConfig.serviceAccount.create -}}
+ {{ default (include "akeyless-gateway.fullname" .) .Values.globalConfig.serviceAccount.serviceAccountName }}
+{{- else -}}
+ {{ default "default" .Values.globalConfig.serviceAccount.serviceAccountName }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the Ingress TLS secret.
+*/}}
+{{- define "akeyless-gateway.ingressSecretTLSName" -}}
+ {{- if .existingSecret -}}
+ {{- printf "%s" .existingSecret -}}
+ {{- else -}}
+ {{- printf "%s-tls" .hostname -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Generate chart secret name
+*/}}
+{{- define "akeyless-gateway.secretName" -}}
+ {{- if .Values.existingSecret -}}
+ {{- printf "%s" .Values.existingSecret -}}
+ {{- else -}}
+ {{- printf "%s-conf-secret" $.Release.Name -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCacheImage" -}}
+ {{- if .Values.globalConfig.clusterCache.image -}}
+ image: "{{ .Values.globalConfig.clusterCache.image.repository }}:{{ .Values.globalConfig.clusterCache.image.tag }}"
+ imagePullPolicy: {{ .Values.globalConfig.clusterCache.image.pullPolicy }}
+ {{- else }}
+ image: "docker.io/bitnami/redis:6.2"
+ imagePullPolicy: "Always"
+ {{- end -}}
+{{- end -}}
+
+{{/* Define REDIS_MAXMEMORY as 80% of the pod's memory limit */}}
+{{- define "akeyless-gateway.redisMaxmemory" -}}
+{{- $memoryLimit := .Values.globalConfig.clusterCache.resources.limits.memory | toString -}}
+{{- $memoryLimitBytes := 0 -}}
+{{- if regexMatch "^[0-9]+$" $memoryLimit -}}
+ {{- $memoryLimitBytes = $memoryLimit | mulf 1 -}} {{/* Direct byte value */}}
+{{- else if regexMatch "^[0-9]+Gi$" $memoryLimit -}}
+ {{- $memoryLimitBytes = (trimSuffix "Gi" $memoryLimit | mulf 1073741824) -}} {{/* GiB to bytes */}}
+{{- else if regexMatch "^[0-9]+Mi$" $memoryLimit -}}
+ {{- $memoryLimitBytes = (trimSuffix "Mi" $memoryLimit | mulf 1048576) -}} {{/* MiB to bytes */}}
+{{- else if regexMatch "^[0-9]+[M]$" $memoryLimit -}}
+ {{- $memoryLimitBytes = (trimSuffix "M" $memoryLimit | mulf 1048576) -}} {{/* Megabytes to bytes */}}
+{{- else if regexMatch "^[0-9]+e[0-9]+$" $memoryLimit -}}
+ {{- $memoryLimitBytes = $memoryLimit | mulf 1 -}} {{/* Handle scientific notation (e.g., 129e6) */}}
+{{- else if regexMatch "^[0-9]+[kK]$" $memoryLimit -}}
+ {{- $memoryLimitBytes = (trimSuffix "k" $memoryLimit | mulf 1024) -}} {{/* Kilobytes to bytes */}}
+{{- else -}}
+ {{- fail "Unsupported memory format" -}}
+{{- end -}}
+{{- $redisMaxmemory := $memoryLimitBytes | mulf 0.8 | floor -}} {{/* Calculate 80% and round down */}}
+{{- $redisMaxmemory | printf "%.0f" -}} {{/* Print the value as an integer */}}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.secretName" -}}
+ {{- if empty .Values.globalConfig.clusterCache.cachePasswordExistingSecret }}
+ {{- printf "%s-cache-secret" $.Release.Name -}}
+ {{- else if not (empty .Values.globalConfig.clusterCache.cachePasswordExistingSecret) }}
+ {{- printf "%s" .Values.globalConfig.clusterCache.cachePasswordExistingSecret }}
+ {{- end }}
+{{- end }}
+
+{{- define "akeyless-gateway.clusterCache.enabled" -}}
+{{- or (eq .Values.globalConfig.gatewayAuth.gatewayAccessType "uid") (ne .Values.globalConfig.clusterCache.enabled false) -}}
+{{- end }}
+
+{{- define "akeyless-gateway.clusterCache.labels" -}}
+name: {{ include "akeyless-gateway.clusterCache.SvcName" . }}
+component: cache
+{{- end }}
+
+{{- define "akeyless-gateway.clusterCache.enableTls" -}}
+{{- $cacheEnable := include "akeyless-gateway.clusterCache.enabled" . -}}
+{{- $useTls := .Values.globalConfig.clusterCache.enableTls -}}
+{{- and $cacheEnable $useTls -}}
+{{- end }}
+
+{{- define "akeyless-gateway.clusterCache.autogeneratedTls" -}}
+{{- include "akeyless-gateway.clusterCache.enableTls" . -}}
+{{- end }}
+
+{{- define "akeyless-gateway.clusterCache.generatedCacheTlsSecretName" -}}
+{{- printf "%s-crt" (include "akeyless-gateway.fullname" .) }}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.cacheTlsSecretName" -}}
+{{- default (include "akeyless-gateway.clusterCache.generatedCacheTlsSecretName" .) "" }}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.SvcName" -}}
+{{- printf "%s-cache-svc" (include "akeyless-gateway.fullname" . )}}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.cacheAddress" -}}
+{{- if eq (include "akeyless-gateway.clusterCache.enableTls" .) "true" -}}
+{{- printf "%s.%s.svc.cluster.local" (include "akeyless-gateway.clusterCache.SvcName" .) .Release.Namespace }}
+{{- else -}}
+{{- printf "%s.%s" (include "akeyless-gateway.clusterCache.SvcName" .) .Release.Namespace }}
+{{- end -}}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.cacheAddressPort" -}}
+{{- printf "%s:6379" (include "akeyless-gateway.clusterCache.cacheAddress" . ) }}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.tlsVolume" -}}
+- name: cache-tls
+ secret:
+ secretName: {{ include "akeyless-gateway.clusterCache.cacheTlsSecretName" . }}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.tlsVolumeMountPath" -}}
+/opt/akeyless/cache/certs
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.tlsVolumeMounts" -}}
+- name: cache-tls
+ mountPath: {{ include "akeyless-gateway.clusterCache.tlsVolumeMountPath" . }}
+ readOnly: true
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCache.password" }}
+{{- /*### REDIS_PASS instead of REDIS_PASSWORD due to bc*/}}
+ - name: REDIS_PASS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "akeyless-gateway.clusterCache.secretName" . }}
+ key: cache-pass
+{{- end }}
+
+{{- define "akeyless-gateway.clusterCacheEncryptionKeyExist" -}}
+ {{- if .Values.globalConfig.clusterCache.encryptionKeyExistingSecret -}}
+ {{- printf "%s" .Values.globalConfig.clusterCache.encryptionKeyExistingSecret -}}
+ {{- else if (eq "true" (include "akeyless-gateway.clusterCache.enabled" . )) -}}
+ {{- printf "%s-cache-encryption-key" .Release.Name -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "akeyless-gateway.clusterCacheConfig" }}
+ - name: USE_CLUSTER_CACHE
+ value: "true"
+ - name: REDIS_ADDR
+ value: {{ include "akeyless-gateway.clusterCache.cacheAddressPort" . }}
+ - name: ENABLE_CACHE_TLS
+ value: {{ include "akeyless-gateway.clusterCache.enableTls" . | quote }}
+ {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }}
+ - name: CACHE_REDIS_CA_PATH
+ value: "{{ printf "%s/ca.crt" (include "akeyless-gateway.clusterCache.tlsVolumeMountPath" .) }}"
+ - name: CACHE_REDIS_KEY_PATH
+ value: "{{ printf "%s/tls.key" (include "akeyless-gateway.clusterCache.tlsVolumeMountPath" .) }}"
+ - name: CACHE_REDIS_CERT_PATH
+ value: "{{ printf "%s/tls.crt" (include "akeyless-gateway.clusterCache.tlsVolumeMountPath" .) }}"
+ {{- end }}
+ - name: STORE_CACHE_ENCRYPTION_KEY_TO_K8S_SECRETS
+ value: {{ .Values.globalConfig.clusterCache.enableScaleOutOnDisconnectedMode | default false | quote }}
+ {{- if not (eq (include "akeyless-gateway.clusterCacheEncryptionKeyExist" .) "") }}
+ - name: CACHE_ENCRYPTION_KEY_SECRET_NAME
+ value: {{ include "akeyless-gateway.clusterCacheEncryptionKeyExist" . | quote }}
+ {{- end }}
+ {{- include "akeyless-gateway.clusterCache.password" . }}
+{{- end -}}
+{{/*
+Check customer fragment
+*/}}
+
+{{- define "akeyless-gateway.root.config.path" -}}
+{{- if not .Values.gatewayRootMode }}
+ {{- printf "/home/akeyless" -}}
+{{- else }}
+ {{- printf "/root" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check gateway access-id
+*/}}
+{{- define "akeyless-gateway.gatewayAccessIdExist" -}}
+ {{- if .Values.globalConfig.gatewayAuth.gatewayAccessId -}}
+ {{ include "akeyless-gateway.secretName" . }}
+ {{- else if .Values.globalConfig.gatewayAuth.gatewayCredentialsExistingSecret -}}
+ {{- printf "%s" .Values.globalConfig.gatewayAuth.gatewayCredentialsExistingSecret -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "akeyless-gateway.allowedAccessPermissionsExist" -}}
+ {{- if .Values.globalConfig.allowedAccessPermissions -}}
+ {{ include "akeyless-gateway.secretName" . }}
+ {{- else if .Values.globalConfig.allowedAccessPermissionsExistingSecret -}}
+ {{- printf "%s" .Values.globalConfig.allowedAccessPermissionsExistingSecret -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+check gateway auth config
+*/}}
+{{- define "akeyless-gateway.akeylessGatewayAuthConfig" }}
+ - name: GATEWAY_ACCESS_TYPE
+ value: {{ .Values.globalConfig.gatewayAuth.gatewayAccessType }}
+ {{- if not (eq (include "akeyless-gateway.gatewayAccessIdExist" .) "") }}
+ - name: GATEWAY_ACCESS_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "akeyless-gateway.gatewayAccessIdExist" . }}
+ key: gateway-access-id
+ {{- end }}
+ {{- if eq .Values.globalConfig.gatewayAuth.gatewayAccessType "access_key" }}
+ - name: GATEWAY_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.globalConfig.gatewayAuth.gatewayCredentialsExistingSecret }}
+ key: gateway-access-key
+ {{- end }}
+{{- end -}}
+
+{{- define "akeyless-gateway.ClusterName" -}}
+ {{- if .Values.globalConfig.clusterName }}
+ - name: CLUSTER_NAME
+ value: {{ .Values.globalConfig.clusterName }}
+ {{- end }}
+{{- end -}}
+
+
+{{/*
+Get serviceAccountName
+*/}}
+{{- define "akeyless-gateway.getServiceAccountName" -}}
+ {{- if and (not .Values.globalConfig.serviceAccount.serviceAccountName) ( not .Values.globalConfig.serviceAccount.create ) }}
+ {{- printf "default" -}}
+ {{- else if not .Values.globalConfig.serviceAccount.serviceAccountName }}
+ {{- printf "%s-akeyless-gateway" .Release.Name }}
+ {{- else -}}
+ {{- printf "%s" $.Values.globalConfig.serviceAccount.serviceAccountName }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "deployment.type" -}}
+ {{- if .Values.gateway.deploymentType -}}
+ {{- if eq .Values.gateway.deploymentType "DaemonSet" -}}
+ {{- printf "DaemonSet" -}}
+ {{- else -}}
+ {{- printf "Deployment" -}}
+ {{- end -}}
+ {{- else -}}
+ {{- printf "Deployment" -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Akeyless sra web Common labels
+*/}}
+
+{{- define "akeyless-sra-web.labels" -}}
+helm.sh/chart: {{ include "akeyless-gateway.chart" . }}
+{{ include "akeyless-sra-web.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/part-of: {{ include "akeyless-gateway.name" . }}
+{{- end -}}
+
+{{/*
+Selector web labels
+*/}}
+
+{{- define "akeyless-sra-web.selectorLabels" -}}
+app.kubernetes.io/name: {{ (include "akeyless-gateway.name" .) | trunc 54 | trimSuffix "-" }}-sra-web
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Akeyless sra web Common labels
+*/}}
+
+{{- define "akeyless-sra-ssh.labels" -}}
+helm.sh/chart: {{ include "akeyless-gateway.chart" . }}
+{{ include "akeyless-sra-ssh.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/part-of: {{ include "akeyless-gateway.name" . }}
+{{- end -}}
+
+{{/*
+Selector ssh labels
+*/}}
+
+{{- define "akeyless-sra-ssh.selectorLabels" -}}
+app.kubernetes.io/name: {{ (include "akeyless-gateway.name" .) | trunc 54 | trimSuffix "-" }}-sra-ssh
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{/*
+Get the Ingress TLS secret.
+*/}}
+{{- define "web-access-sra.ingressSecretTLSName" -}}
+ {{- if .Values.sra.webConfig.ingress.existingSecret -}}
+ {{- printf "%s" .Values.sra.webConfig.ingress.existingSecret -}}
+ {{- else -}}
+ {{- printf "%s-tls" .Values.sra.webConfig.ingress.hostname -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Generate chart secret name
+*/}}
+{{- define "web-access-sra.secretName" -}}
+{{ default (include "akeyless-gateway.fullname" .) }}
+{{- end -}}
+
+{{- define "akeyless-gateway-sra-ssh-service.selectorLabels" -}}
+app.kubernetes.io/name: {{ (include "akeyless-gateway.name" .) | trunc 38 | trimSuffix "-" }}-gateway-sra-ssh-services
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "httpProxySettings" -}}
+ {{- if .Values.globalConfig.httpProxySettings.http_proxy }}
+ - name: HTTP_PROXY
+ value: {{ .Values.globalConfig.httpProxySettings.http_proxy }}
+ - name: http_proxy
+ value: {{ .Values.globalConfig.httpProxySettings.http_proxy }}
+ {{- end }}
+ {{- if .Values.globalConfig.httpProxySettings.https_proxy }}
+ - name: HTTPS_PROXY
+ value: {{ .Values.globalConfig.httpProxySettings.https_proxy }}
+ - name: https_proxy
+ value: {{ .Values.globalConfig.httpProxySettings.https_proxy }}
+ {{- end }}
+ {{- if .Values.globalConfig.httpProxySettings.no_proxy }}
+ - name: NO_PROXY
+ value: {{ .Values.globalConfig.httpProxySettings.no_proxy }}
+ - name: no_proxy
+ value: {{ .Values.globalConfig.httpProxySettings.no_proxy }}
+ {{- end }}
+{{- end -}}
+
+{{- define "akeyless-gateway.chartMetadata" }}
+ - name: chart_name
+ value: {{ .Chart.Name }}
+ - name: chart_version
+ value: {{ .Chart.Version }}
+{{- end -}}
+
+{{- define "akeyless-gateway.unifiedGatewayConfig" }}
+ - name: UNIFIED_GATEWAY
+ value: "true"
+ - name: GATEWAY_URL
+ value: "http://{{ include "akeyless-gateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:8000"
+ - name: INTERNAL_GATEWAY_API
+ value: "http://{{ include "akeyless-gateway.fullname" . }}-internal.{{ .Release.Namespace }}.svc.cluster.local:8080"
+{{- end -}}
+
+{{- define "akeyless-gateway.SraWebServiceConfig" }}
+ - name: REMOTE_ACCESS_WEB_SERVICE_INTERNAL_URL
+ value: "http://web-{{ include "akeyless-gateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:8888"
+{{- end -}}
+
+{{- define "akeyless-gateway.SraSshServiceConfig" }}
+ - name: REMOTE_ACCESS_SSH_SERVICE_INTERNAL_URL
+ value: "http://ssh-{{ include "akeyless-gateway.fullname" . }}-internal.{{ .Release.Namespace }}.svc.cluster.local:9900"
+{{- end -}}
+
+{{- define "akeyless-gateway.unifiedGatewaySraWebConfig" }}
+ {{ include "akeyless-gateway.unifiedGatewayConfig" . }}
+ {{ include "akeyless-gateway.SraSshServiceConfig" . }}
+ - name: REMOTE_ACCESS_SSH_ENDPOINT
+ value: "ssh-{{ include "akeyless-gateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.sra.sshConfig.service.port }}"
+{{- end -}}
+
+{{- define "akeyless-gateway.unifiedGatewaySraGatewayConfig" }}
+ {{ include "akeyless-gateway.SraWebServiceConfig" . }}
+ {{ include "akeyless-gateway.SraSshServiceConfig" . }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/akeyless-cache/cache.yaml b/charts/akeyless-gateway/templates/akeyless-cache/cache.yaml
new file mode 100644
index 0000000..9c614b4
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-cache/cache.yaml
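Review bot: `akeyless-gateway.clusterCache.enableTls` evaluates `and $cacheEnable $useTls` where `$cacheEnable` is the string "true"/"false" returned by `include`, and a non-empty string is always truthy in Go templates, so the helper reports TLS as on even when the cache is disabled and `enableTls` is set, which then drives tls.yaml, the cache-tls volume in deployment.yaml and the `CACHE_REDIS_*` paths; compare the string the way every caller does, `{{- and (eq $cacheEnable "true") $useTls -}}`. In `akeyless-gateway.redisMaxmemory` the `M` and `k` branches multiply by 1048576 and 1024, but in Kubernetes quantities those suffixes are decimal (`Mi`/`Ki` are the binary ones), and the `[kK]` regex admits an uppercase `K` that `trimSuffix "k"` never strips, so that input reaches `mulf` unparsed; use `mulf 1000000` and `mulf 1000` there and add a `Ki` branch next to `Gi`/`Mi`. The fallback in `akeyless-gateway.clusterCacheImage` pins the cache to the floating tag `docker.io/bitnami/redis:6.2` with `imagePullPolicy: "Always"`, so each pod start may pull a different image than the one reviewed; a digest-pinned reference (or a digest field under `clusterCache.image`) keeps the cache image reproducible. `akeyless-gateway.serviceAccountName` and `akeyless-gateway.getServiceAccountName` derive different defaults for the created account (`fullname` versus `<release>-akeyless-gateway`); if the ServiceAccount template, which is not in this diff, uses the former while deployment.yaml uses the latter, the web pod references an account that does not exist once `nameOverride` or `fullnameOverride` is set.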
@@ -0,0 +1,111 @@
+{{- if (eq "true" (include "akeyless-gateway.clusterCache.enabled" . )) }}
+{{- $deploymentName := printf "%s-cache" (include "akeyless-gateway.fullname" .) }}
+{{- $mountCertPaths := (include "akeyless-gateway.clusterCache.tlsVolumeMountPath" .) -}}
+{{- $tlsCertKeyPath := printf "%s/tls.key" $mountCertPaths }}
+{{- $tlsCACertPath := printf "%s/ca.crt" $mountCertPaths }}
+{{- $tlsCertPath := printf "%s/tls.crt" $mountCertPaths }}
+{{- $tlsArgs := ternary (printf "--tls --cacert %s --cert %s --key %s " $tlsCACertPath $tlsCertPath $tlsCertKeyPath) "" (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $deploymentName }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- include "akeyless-gateway.clusterCache.labels" . | nindent 4 }}
+{{- include "akeyless-gateway.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "akeyless-gateway.clusterCache.labels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "akeyless-gateway.clusterCache.labels" . | nindent 8 }}
+ spec:
+ {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }}
+ volumes:
+ {{- include "akeyless-gateway.clusterCache.tlsVolume" . | nindent 6}}
+ {{- end }}
+ containers:
+ - name: {{ $deploymentName }}
+ {{- include "akeyless-gateway.clusterCacheImage" . | nindent 6 }}
+ ports:
+ - containerPort: 6379
+ name: cache
+ livenessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - |
+ #!/usr/bin/env bash -e
+ export REDISCLI_AUTH="$REDIS_PASSWORD"
+ set_response=$(
+ redis-cli {{ $tlsArgs }} set liveness_test_key "SUCCESS"
+ )
+ response=$(
+ redis-cli {{ $tlsArgs }} get liveness_test_key
+ )
+ del_response=$(
+ redis-cli {{ $tlsArgs }} del liveness_test_key
+ )
+ if [ "$response" != "SUCCESS" ] ; then
+ echo "Unable to get keys, something is wrong"
+ echo "$response"
+ exit 1
+ fi
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - |
+ #!/usr/bin/env bash -e
+ export REDISCLI_AUTH="$REDIS_PASSWORD"
+ response=$(
+ redis-cli {{ $tlsArgs }} ping
+ )
+ if [ "$response" != "PONG" ] ; then
+ echo "Unable to get keys, something is wrong"
+ echo "$response"
+ exit 1
+ fi
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ {{- toYaml .Values.globalConfig.clusterCache.resources | nindent 12 }}
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: "FLUSHDB,FLUSHALL"
+ - name: REDIS_EXTRA_FLAGS
+ value: "--maxmemory {{ include "akeyless-gateway.redisMaxmemory" . }} --maxmemory-policy allkeys-lru"
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "akeyless-gateway.clusterCache.secretName" . }}
+ key: cache-pass
+ {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }}
+ - name: REDIS_TLS_PORT
+ value: "6379"
+ - name: REDIS_TLS_AUTH_CLIENTS
+ value: "no"
+ - name: REDIS_TLS_ENABLED
+ value: "yes"
+ - name: REDIS_TLS_CERT_FILE
+ value: {{ $tlsCertPath }}
+ - name: REDIS_TLS_KEY_FILE
+ value: {{ $tlsCertKeyPath }}
+ - name: REDIS_TLS_CA_FILE
+ value: {{ $tlsCACertPath }}
+ {{ else }}
+ - name: REDIS_PORT
+ value: "6379"
+ {{- end }}
+ {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }}
+ volumeMounts:
+ {{- include "akeyless-gateway.clusterCache.tlsVolumeMounts" . | nindent 12 -}}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/akeyless-cache/svc.yaml b/charts/akeyless-gateway/templates/akeyless-cache/svc.yaml
new file mode 100644
index 0000000..2cd48ed
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-cache/svc.yaml
@@ -0,0 +1,15 @@
+{{- if (eq "true" (include "akeyless-gateway.clusterCache.enabled" . )) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "akeyless-gateway.clusterCache.SvcName" . }}
+ labels:
+{{- include "akeyless-gateway.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: 6379
+ protocol: TCP
+ selector:
+ {{- include "akeyless-gateway.clusterCache.labels" . | nindent 4 }}
+ type: ClusterIP
+{{- end }}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/akeyless-cache/tls.yaml b/charts/akeyless-gateway/templates/akeyless-cache/tls.yaml
new file mode 100644
index 0000000..8b753d7
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-cache/tls.yaml
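Review bot: The cache container has no `securityContext` at pod or container level, although the SRA web Deployment in this same commit at least sets one conditionally; this pod holds the gateway's cache password and, with TLS on, a private key, so a container-level block with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` placed after `imagePullPolicy` is a cheap guard (confirm the bitnami image's uid before also setting `runAsNonRoot`). `REDIS_TLS_AUTH_CLIENTS: "no"` means the server never verifies the client certificate that `akeyless-gateway.clusterCacheConfig` hands the gateway through `CACHE_REDIS_CERT_PATH`/`CACHE_REDIS_KEY_PATH`, so the shared password remains the only authentication on 6379; if the gateway actually presents that certificate — not verifiable from the chart alone — `"yes"` would turn the generated cert into real client authentication. In both probes `#!/usr/bin/env bash -e` is only a comment once the text is run through `sh -c`, and `set_response`/`del_response` are never examined, so a failed SET or DEL surfaces only indirectly through the GET; an explicit `set -e` as the first script line makes those failures fail the probe directly. The `{{ else }}` before `REDIS_PORT` lacks the trim dash its neighbouring actions use and leaves a stray blank line in the env list.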
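Review bot: The Service metadata omits `namespace:` while cache.yaml and tls.yaml both set `namespace: {{ .Release.Namespace | quote }}`; Helm places it in the release namespace regardless, so adding the same line is a consistency fix that keeps `helm template` output self-describing. This Service is also the only network path to the cache that stores the gateway's cached data, and nothing in the chart limits who may reach port 6379 beyond the shared password; a NetworkPolicy allowing ingress only from pods carrying `akeyless-gateway.selectorLabels` and the SRA selector labels would bound that exposure, or a values comment should state that operators are expected to add one.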
@@ -0,0 +1,22 @@
+{{- if (eq "true" (include "akeyless-gateway.clusterCache.autogeneratedTls" . )) }}
+{{- $tlsSecretName := (include "akeyless-gateway.clusterCache.generatedCacheTlsSecretName" .)}}
+{{- $fullname := .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- $ca := genCA "redis-ca" 365 }}
+{{- $altNames := list (include "akeyless-gateway.clusterCache.cacheAddress" .) (printf "*.%s" (include "akeyless-gateway.clusterCache.cacheAddress" . )) "127.0.0.1" "localhost" $fullname }}
+{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace $tlsSecretName).data }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $tlsSecretName }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ name: {{ $tlsSecretName }}
+ component: cache
+{{- include "akeyless-gateway.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ get $existingSecret "tls.crt" | default ($cert.Cert | b64enc) }}
+ tls.key: {{ get $existingSecret "tls.key" | default ($cert.Key | b64enc) }}
+ ca.crt: {{ get $existingSecret "ca.crt" | default ($ca.Cert | b64enc) }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/akeyless-secure-remote-access/configmap.yaml b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/configmap.yaml
new file mode 100644
index 0000000..b47d4c7
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/configmap.yaml
@@ -0,0 +1,12 @@
+{{- if eq .Values.sra.enabled true }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $.Release.Name }}-cm-creds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "akeyless-sra-ssh.labels" . | nindent 4 }}
+data:
+ ca.pub: |
+{{ required "A valid .Values.sra.sshConfig.CAPublicKey entry required!" .Values.sra.sshConfig.CAPublicKey | indent 4 }}
+{{- end }}
\ No newline at end of file
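Review bot: `genCA "redis-ca" 365` and `genSignedCert … 365` issue one-year certificates, and the three `get $existingSecret … | default (…)` lines re-apply whatever is already stored on every upgrade, so the chart has no rotation path: after a year the stored leaf and CA expire and `helm upgrade` keeps writing them back until someone deletes the Secret by hand. At minimum a template comment above the `$ca` line, `{{/* Certificates are valid 365 days; the lookup below keeps existing material, so rotation means deleting this Secret before the next upgrade */}}`, records the operational step; an expiry check on the stored `tls.crt`, or a longer validity, would remove the cliff. Note also that `lookup` returns nothing under `helm template` and `--dry-run`, so any tooling that renders rather than installs regenerates the CA and key on every render, and the generated `tls.key` is carried in the rendered manifest that Helm records for the release.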
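Review bot: The ConfigMap is named `{{ $.Release.Name }}-cm-creds` while the other SRA objects in this commit (`ssh-{{ include "akeyless-gateway.fullname" . }}`, `web-…`) derive from `fullname`, so `fullnameOverride` renames everything except this object. Whatever mounts it (the ssh Deployment is not in this diff) has to use the same spelling, so either move to `{{ include "akeyless-gateway.fullname" . }}-cm-creds` together with its consumer or add a comment here stating that the release-based name is intentional.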
diff --git a/charts/akeyless-gateway/templates/akeyless-secure-remote-access/deployment.yaml b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/deployment.yaml
new file mode 100644
index 0000000..1fd90eb
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/deployment.yaml
@@ -0,0 +1,133 @@
+{{- if .Values.sra.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: web-{{ include "akeyless-gateway.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "akeyless-sra-web.labels" . | nindent 4 }}
+ {{- if .Values.sra.webConfig.deployment.labels }}
+ {{- toYaml .Values.sra.webConfig.deployment.labels | nindent 4 }}
+ {{- end }}
+ {{- if .Values.sra.webConfig.deployment.annotations }}
+ annotations:
+ {{- toYaml .Values.sra.webConfig.deployment.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if not .Values.sra.webConfig.hpa.enabled }}
+ replicas: {{ default 1 .Values.sra.webConfig.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "akeyless-sra-web.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- if .Values.sra.webConfig.deployment.annotations }}
+ annotations:
+ {{- toYaml .Values.sra.webConfig.deployment.annotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "akeyless-sra-web.selectorLabels" . | nindent 8 }}
+ {{- if .Values.sra.webConfig.deployment.labels }}
+ {{- toYaml .Values.sra.webConfig.deployment.labels | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.sra.sshConfig.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.sra.sshConfig.securityContext.runAsUser }}
+ fsGroup: {{ .Values.sra.sshConfig.securityContext.fsGroup }}
+ {{- end }}
+ serviceAccountName: {{ include "akeyless-gateway.getServiceAccountName" . }}
+ {{- if .Values.sra.sshConfig.nodeSelector }}
+ nodeSelector:
+ {{ toYaml .Values.sra.sshConfig.nodeSelector | indent 4 }}
+ {{- end }}
+ volumes:
+ {{- range .Values.sra.webConfig.persistence.volumes }}
+ - name: {{ .name | title | lower }}
+ persistentVolumeClaim:
+ claimName: {{ printf "%s-%s" $.Release.Name .name | title | lower }}
+ {{- end }}
+ {{- if .Values.globalConfig.TLSConf.tlsExistingSecret }}
+ - name: gw-signed-ca
+ secret:
+ secretName: {{ .Values.globalConfig.TLSConf.tlsExistingSecret }}
+ items:
+ - key: tlsCertificate
+ path: gw-cert.pem
+ {{- end }}
+ {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }}
+ {{ include "akeyless-gateway.clusterCache.tlsVolume" . | nindent 8}}
+ {{- end }}
+ containers:
+ - name: gateway-sra-web
+ image: "{{ .Values.sra.image.repository | default "akeyless/zero-trust-bastion" }}:{{ .Values.sra.image.tag | default .Chart.Annotations.sraVersion }}"
+ imagePullPolicy: {{ .Values.sra.image.pullPolicy }}
+ ports:
+ - containerPort: 8888
+ name: web
+ env:
+ {{ include "akeyless-gateway.akeylessGatewayAuthConfig" . | nindent 10 }}
+ {{ include "akeyless-gateway.unifiedGatewaySraWebConfig" . | nindent 10 }}
+ {{ include "akeyless-gateway.ClusterName" . | nindent 10 }}
+ {{- if eq "true" (include "akeyless-gateway.clusterCache.enabled" . ) }}
+ {{- include "akeyless-gateway.clusterCacheConfig" . | nindent 10 }}
+ {{- end }}
+ {{- if .Values.globalConfig.authorizedAccessIDs }}
+ - name: GATEWAY_AUTHORIZED_ACCESS_ID
+ value: {{ .Values.globalConfig.authorizedAccessIDs | quote }}
+ {{- end }}
+ {{- if .Values.globalConfig.TLSConf.tlsExistingSecret }}
+ - name: AKEYLESS_GW_CERTIFICATE
+ valueFrom:
+ secretKeyRef:
+ name: {{.Values.globalConfig.TLSConf.tlsExistingSecret | quote }}
+ key: tlsCertificate
+ {{- end }}
+ - name: REMOTE_ACCESS_TYPE
+ value: "web"
+ {{- if .Values.globalConfig.gatewayAuth.azureObjectID }}
+ - name: AZURE_OBJECT_ID
+ value: {{ .Values.globalConfig.gatewayAuth.azureObjectID }}
+ {{- end }}
+ {{- if .Values.globalConfig.gatewayAuth.gcpAudience }}
+ - name: GCP_AUDIENCE
+ value: {{ .Values.globalConfig.gatewayAuth.gcpAudience }}
+ {{- end }}
+ {{- include "httpProxySettings" . | nindent 10 }}
+ {{ include "akeyless-gateway.chartMetadata" . | nindent 10 }}
+ {{- if .Values.debug }}
+ - name: DEBUG
+ value: {{ .Values.debug | quote }}
+ {{- end }}
+ {{- if .Values.globalConfig.env }}
+ {{- toYaml .Values.globalConfig.env | nindent 12 }}
+ {{- end }}
+ {{- if .Values.sra.env }}
+ {{- toYaml .Values.sra.env | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.sra.webConfig.resources | nindent 12 }}
+ livenessProbe:
+ tcpSocket:
+ port: 8888
+ {{- toYaml .Values.sra.webConfig.livenessProbe | trim | nindent 12 }}
+ readinessProbe:
+ tcpSocket:
+ port: 8888
+ {{- toYaml .Values.sra.webConfig.readinessProbe | trim | nindent 12 }}
+ volumeMounts:
+ {{- range .Values.sra.webConfig.persistence.volumes }}
+ - name: {{ .name | title | lower }}
+ mountPath: /home/akeyless/recordings
+ subPath: recordings
+ {{- end }}
+ {{- if .Values.globalConfig.TLSConf.tlsExistingSecret }}
+ - name: gw-signed-ca
+ mountPath: "/etc/ssl/certs/gw-cert.pem"
+ subPath: gw-cert.pem
+ {{- end }}
+ {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }}
+ {{ include "akeyless-gateway.clusterCache.tlsVolumeMounts" . | nindent 12 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/akeyless-gateway/templates/akeyless-secure-remote-access/hpa.yaml b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/hpa.yaml
new file mode 100644
index 0000000..d0247f2
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/hpa.yaml
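Review bot: The web Deployment takes its pod `securityContext` and `nodeSelector` from `.Values.sra.sshConfig` (`sshConfig.securityContext.enabled`, `.runAsUser`, `.fsGroup` and `sshConfig.nodeSelector`) even though every other knob in this file reads `.Values.sra.webConfig`, so web pods inherit the ssh pods' uid, fsGroup and placement and cannot be tuned on their own; if values.yaml (not in this diff) carries the matching keys under `webConfig`, those references should move there, starting with `{{- if .Values.sra.webConfig.securityContext.enabled }}`. `AZURE_OBJECT_ID` and `GCP_AUDIENCE` are emitted unquoted while `GATEWAY_AUTHORIZED_ACCESS_ID` and `DEBUG` go through `| quote`; a value YAML reads as a number or boolean then fails validation as an env var, so `value: {{ .Values.globalConfig.gatewayAuth.azureObjectID | quote }}` (and the same for `gcpAudience`) is the safer form. The `gateway-sra-web` container has no container-level securityContext (`allowPrivilegeEscalation`, capability drop), the same gap as the cache Deployment in this commit.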
@@ -0,0 +1,59 @@
+{{- if eq .Values.sra.enabled true }}
+{{- if .Values.sra.sshConfig.hpa.enabled }}
+apiVersion: "autoscaling/v2"
+kind: HorizontalPodAutoscaler
+metadata:
+ name: ssh-{{ $.Release.Name }}-hpa
+ namespace: {{ .Release.Namespace }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: ssh-{{ include "akeyless-gateway.fullname" . }}
+ minReplicas: {{ $.Values.sra.sshConfig.hpa.minReplicas | default 1 }}
+ maxReplicas: {{ $.Values.sra.sshConfig.hpa.maxReplicas | default 14 }}
+ metrics:
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ $.Values.sra.sshConfig.hpa.memAvgUtil }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ $.Values.sra.sshConfig.hpa.cpuAvgUtil }}
+{{- end }}
+{{- end }}
+---
+{{- if eq .Values.sra.enabled true }}
+{{- if .Values.sra.webConfig.hpa.enabled }}
+apiVersion: "autoscaling/v2"
+kind: HorizontalPodAutoscaler
+metadata:
+ name: ztb-{{ $.Release.Name }}-hpa
+ namespace: {{ .Release.Namespace }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: web-{{ include "akeyless-gateway.fullname" . }}
+ minReplicas: {{ $.Values.sra.webConfig.hpa.minReplicas | default 1 }}
+ maxReplicas: {{ $.Values.sra.webConfig.hpa.maxReplicas | default 14 }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ $.Values.sra.webConfig.hpa.cpuAvgUtil }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ $.Values.sra.webConfig.hpa.memAvgUtil }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/akeyless-secure-remote-access/pvc.yaml b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/pvc.yaml
new file mode 100644
index 0000000..5a4970e
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/pvc.yaml
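Review bot: `averageUtilization: {{ $.Values.sra.sshConfig.hpa.memAvgUtil }}` and its three siblings render an empty scalar when the value is unset, and unlike `minReplicas`/`maxReplicas` they carry no `default`, so enabling either HPA without both utilisation targets yields a manifest the API server rejects; either guard each metric with `{{- if $.Values.sra.sshConfig.hpa.memAvgUtil }}` or fail early with `required`, as this chart already does for `storageClassName` and `service.type`. The autoscalers are named `ssh-{{ $.Release.Name }}-hpa` and `ztb-{{ $.Release.Name }}-hpa` while their `scaleTargetRef` names come from `fullname`; that works, but `fullnameOverride` then renames the target and not the autoscaler, and `ztb-` is a prefix used nowhere else in the commit, so `web-` would match the Deployment it scales.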
@@ -0,0 +1,29 @@
+{{- if eq .Values.sra.enabled true }}
+{{- range .Values.sra.webConfig.persistence.volumes }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ printf "%s-%s" $.Release.Name .name | title | lower }}
+ namespace: {{ $.Release.Namespace }}
+{{- if .annotations }}
+ annotations:
+ {{- toYaml .annotations | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "akeyless-sra-web.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: {{ required "A valid .Values.sra.webConfig.persistence.volumes.storageClassName entry required!" .storageClassName }}
+ resources:
+ requests:
+ storage: {{ required "A valid .Values.sra.webConfig.persistence.volumes.size entry required!" .size }}
+{{- if .matchLabels }}
+ selector:
+ # To make sure we match the claim with the exact volume, match the label
+ matchLabels:
+{{- toYaml .matchLabels | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/akeyless-secure-remote-access/service.yaml b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/service.yaml
new file mode 100644
index 0000000..3bd1c42
--- /dev/null
+++ b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/service.yaml
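Review bot: Inside `{{- range .Values.sra.webConfig.persistence.volumes }}` the dot is the current volume entry, yet the labels line passes it to the chart helper as `{{- include "akeyless-sra-web.labels" . | nindent 4 }}`; the neighbouring `name`/`namespace` lines correctly use `$`, so the helper presumably expects the root context (`.Chart`/`.Release`) and would render nothing, or error, when handed a volume map. The fix is `{{- include "akeyless-sra-web.labels" $ | nindent 4 }}`; the helper's body is not in this diff, so confirm what it reads against _helpers.tpl. `accessModes` is also fixed to `ReadWriteMany`, which not every storage class supports, so a per-volume override such as `{{- toYaml (.accessModes | default (list "ReadWriteMany")) | nindent 4 }}` would keep the current default while allowing RWO volumes.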
@@ -0,0 +1,67 @@
+{{- if eq .Values.sra.enabled true }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ssh-{{ include "akeyless-gateway.fullname" . }}
+ namespace: {{.Release.Namespace}}
+ labels:
+ {{- include "akeyless-sra-ssh.labels" . | nindent 4 }}
+ {{- if .Values.sra.sshConfig.service.labels }}
+ {{- toYaml .Values.sra.sshConfig.service.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- toYaml .Values.sra.sshConfig.service.annotations | nindent 4 }}
+spec:
+ type: {{ required "A valid .Values.sra.sshConfig.service.type entry required!" .Values.sra.sshConfig.service.type }}
+ ports:
+ - port: {{ .Values.sra.sshConfig.service.port }}
+ targetPort: ssh
+ protocol: TCP
+ name: ssh
+ - port: 8000
+ targetPort: gateway
+ protocol: TCP
+ name: gateway
+ selector:
+ {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ssh-{{ include "akeyless-gateway.fullname" . }}-internal
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "akeyless-sra-ssh.labels" . | nindent 4 }}
+ {{- if .Values.sra.sshConfig.service.labels }}
+ {{- toYaml .Values.sra.sshConfig.service.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- toYaml .Values.sra.sshConfig.service.annotations | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.sra.sshConfig.service.curlProxyPort | default "9900" }}
+ targetPort: curl-proxy
+ protocol: TCP
+ name: curl-proxy
+ selector:
+ {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: web-{{ include "akeyless-gateway.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "akeyless-sra-web.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: web
+ port: 8888
+ targetPort: web
+ protocol: TCP
+ selector:
+ {{- include "akeyless-sra-web.selectorLabels" . | nindent 4 }}
+{{- end }}
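Review bot: `annotations:` on the ssh Service and on its `-internal` twin is emitted unconditionally and filled by `{{- toYaml .Values.sra.sshConfig.service.annotations | nindent 4 }}`, while the `labels` block just above is guarded by an `if`; when the value is unset this renders a literal `null` under `annotations:`, which is unintended output even where the API server tolerates it (whether values.yaml supplies `{}` is not visible in this diff). The one-line fix that is safe for either default is `{{- toYaml (.Values.sra.sshConfig.service.annotations | default dict) | nindent 4 }}`. The same unguarded pattern appears in templates/svc.yaml (`gateway.service.annotations`) and templates/hpa.yaml (`gateway.hpa.annotations`).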
diff --git a/charts/akeyless-gateway/templates/akeyless-secure-remote-access/ssh_deployment.yaml b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/ssh_deployment.yaml new file mode 100644 index 0000000..c95437c --- /dev/null +++ b/charts/akeyless-gateway/templates/akeyless-secure-remote-access/ssh_deployment.yaml 
@@ -0,0 +1,135 @@ +{{- if eq .Values.sra.enabled true }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ssh-{{ include "akeyless-gateway.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "akeyless-sra-ssh.labels" . | nindent 4 }} + {{- if .Values.sra.sshConfig.labels }} + {{- toYaml .Values.sra.sshConfig.labels | nindent 4 }} + {{- end }} + {{- if .Values.sra.sshConfig.annotations }} + annotations: + {{- toYaml .Values.sra.sshConfig.annotations | nindent 4 }} + {{- end }} +spec: + {{- if .Values.sra.sshConfig.hpa.enabled }} + replicas: {{ default 1 .Values.sra.sshConfig.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- if .Values.sra.sshConfig.annotations }} + annotations: + {{- toYaml .Values.sra.sshConfig.annotations | nindent 8 }} + {{- end }} + labels: + {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 8 }} + {{- if .Values.sra.sshConfig.labels }} + {{- toYaml .Values.sra.sshConfig.labels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.sra.sshConfig.securityContext }} + {{- if .Values.sra.sshConfig.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.sra.sshConfig.securityContext.runAsUser }} + fsGroup: {{ .Values.sra.sshConfig.securityContext.fsGroup }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "akeyless-gateway.getServiceAccountName" . }} + {{- if .Values.sra.sshConfig.nodeSelector }} + nodeSelector: + {{ toYaml .Values.sra.sshConfig.nodeSelector | indent 4 }} + {{- end }} + volumes: + - name: config + emptyDir: {} + - name: creds + emptyDir: {} + {{- if .Values.globalConfig.TLSConf.tlsExistingSecret }} + - name: gw-signed-ca + secret: + secretName: {{ .Values.globalConfig.TLSConf.tlsExistingSecret }} + items: + - key: tlsCertificate + path: gw-cert.pem + {{- end }} + {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . 
)) }} + {{ include "akeyless-gateway.clusterCache.tlsVolume" . | nindent 6}} + {{- end }} + - name: configmap-creds + configMap: + name: {{ $.Release.Name }}-cm-creds + containers: + - name: gateway-sra-ssh + image: "{{ .Values.sra.image.repository | default "akeyless/zero-trust-bastion" }}:{{ .Values.sra.image.tag | default .Chart.Annotations.sraVersion }}" + imagePullPolicy: {{ .Values.sra.image.pullPolicy }} + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + ports: + - containerPort: 22 + name: ssh + - containerPort: 9900 + name: curl-proxy + env: + {{ include "akeyless-gateway.akeylessGatewayAuthConfig" . | nindent 10 }} + {{ include "akeyless-gateway.unifiedGatewayConfig" . | nindent 10 }} + {{ include "akeyless-gateway.ClusterName" . | nindent 10 }} + {{- if eq "true" (include "akeyless-gateway.clusterCache.enabled" . ) }} + {{- include "akeyless-gateway.clusterCacheConfig" . | nindent 10 }} + {{- end }} + {{- if .Values.globalConfig.authorizedAccessIDs }} + - name: GATEWAY_AUTHORIZED_ACCESS_ID + value: {{ .Values.globalConfig.authorizedAccessIDs | quote }} + {{- end }} + {{- if .Values.sra.sshConfig.sshHostKeysPath }} + - name: SSH_HOST_KEYS_PATH + value: {{ .Values.sra.sshConfig.sshHostKeysPath }} + {{- end }} + - name: REMOTE_ACCESS_TYPE + value: "ssh-proxy" + - name: VERSION + value: {{ .Chart.Annotations.sraVersion }} + {{ include "httpProxySettings" . | nindent 10 }} + {{ include "akeyless-gateway.chartMetadata" . 
| nindent 10 }} + {{- if .Values.debug }} + - name: DEBUG + value: {{ .Values.debug | quote }} + {{- end }} + {{- if .Values.sra.env }} + {{- toYaml .Values.sra.env | nindent 10 }} + {{- end }} + {{- if .Values.globalConfig.env }} + {{- toYaml .Values.globalConfig.env | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.sra.sshConfig.resources | nindent 12 }} + livenessProbe: + httpGet: + path: /status + port: 9900 + {{- toYaml .Values.sra.sshConfig.livenessProbe | trim | nindent 12 }} + readinessProbe: + httpGet: + path: /status + port: 9900 + {{- toYaml .Values.sra.sshConfig.readinessProbe | trim | nindent 12 }} + volumeMounts: + - name: config + mountPath: /var/akeyless/conf + - name: configmap-creds + mountPath: /var/akeyless/creds + {{- if .Values.globalConfig.TLSConf.tlsExistingSecret }} + - name: gw-signed-ca + mountPath: "/etc/ssl/certs/gw-cert.pem" + subPath: gw-cert.pem + {{- end }} + {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }} + {{ include "akeyless-gateway.clusterCache.tlsVolumeMounts" . | nindent 12 }} + {{- end }} +{{- end }} diff --git a/charts/akeyless-gateway/templates/deployment.yaml b/charts/akeyless-gateway/templates/deployment.yaml new file mode 100644 index 0000000..8e7a43e --- /dev/null +++ b/charts/akeyless-gateway/templates/deployment.yaml 
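Review bot: The `gateway-sra-ssh` container is hard-coded with `privileged: true` plus `capabilities.add: ["SYS_ADMIN"]` (the capability is redundant once privileged), and unlike the gateway Deployment there is no `containerSecurityContext` value to override it; exposing the block through a value, e.g. `securityContext: {{- toYaml .Values.sra.sshConfig.containerSecurityContext | nindent 12 }}` with the current setting as the documented default, lets operators drop privilege where the bastion does not need it and lets admission policies reason about it. Separately, `replicas:` is emitted only when `.Values.sra.sshConfig.hpa.enabled` is true, the inverse of deployment.yaml's `(not .Values.gateway.hpa.enabled)`, so the fixed count competes with the HPA instead of being omitted; the guard should read `{{- if not .Values.sra.sshConfig.hpa.enabled }}`. The pod selector reuses `akeyless-gateway-sra-ssh-service.selectorLabels`, the same helper deployment.yaml and svc.yaml use for the gateway; if it emits identical labels for both callers the two Deployments have overlapping selectors and the gateway Service also matches bastion pods, so confirm against _helpers.tpl. `{{- toYaml .Values.globalConfig.env | nindent 12 }}` is also indented two deeper than the sibling `sra.env` at `nindent 10`, which would break the `env` list once `globalConfig.env` is set (deployment.yaml has the same `nindent 12`).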
@@ -0,0 +1,255 @@ +apiVersion: apps/v1 +kind: {{ include "deployment.type" $ }} +metadata: + name: {{ include "akeyless-gateway.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "akeyless-gateway.labels" . | nindent 4 }} + {{- if .Values.gateway.deployment.labels }} + {{- toYaml .Values.gateway.deployment.labels | nindent 4 }} + {{- end }} + {{- if .Values.gateway.deployment.annotations }} + annotations: + {{- toYaml .Values.gateway.deployment.annotations | nindent 4 }} + {{- end }} +spec: + {{- if and (eq (include "deployment.type" $) "Deployment") (not .Values.gateway.hpa.enabled) }} + replicas: {{ default 1 .Values.gateway.deployment.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- if .Values.gateway.deployment.pod.annotations }} + annotations: + {{- toYaml .Values.gateway.deployment.pod.annotations | nindent 8 }} + {{- end }} + labels: + {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 8 }} + {{- if .Values.gateway.deployment.labels }} + {{- toYaml .Values.gateway.deployment.labels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.gateway.deployment.affinity.enabled }} + affinity: + {{- toYaml .Values.gateway.deployment.affinity.data | nindent 8 }} + {{- end }} + {{- if .Values.gateway.deployment.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.gateway.deployment.securityContext.runAsUser }} + fsGroup: {{ .Values.gateway.deployment.securityContext.fsGroup }} + {{- end }} + serviceAccountName: {{ include "akeyless-gateway.getServiceAccountName" . 
}} + {{- if .Values.gateway.deployment.nodeSelector }} + nodeSelector: + {{ toYaml .Values.gateway.deployment.nodeSelector | indent 4 }} + {{- end }} + {{- if or (.Values.globalConfig.customerFragmentsExistingSecret) (.Values.globalConfig.TLSConf.tlsExistingSecret) (.Values.globalConfig.metrics.enabled) (include "akeyless-gateway.clusterCache.enableTls" .)}} + volumes: + - name: akeyless-config + emptyDir: {} + {{- if .Values.globalConfig.TLSConf.tlsExistingSecret }} + - name: tls-conf-cert + secret: + secretName: {{ .Values.globalConfig.TLSConf.tlsExistingSecret }} + defaultMode: 420 + items: + - key: tlsCertificate + path: akeyless-api-cert.crt + - name: tls-conf-private-key + secret: + secretName: {{ .Values.globalConfig.TLSConf.tlsExistingSecret }} + defaultMode: 420 + items: + - key: tlsPrivateKey + path: akeyless-api-cert.key + {{- end }} + {{- if and (.Values.globalConfig.metrics.enabled) (.Values.globalConfig.metrics.metricsExistingSecret) }} + - name: otelcol-metrics-config + secret: + secretName: {{ .Values.globalConfig.metrics.metricsExistingSecret }} + {{- end }} + {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }} + {{ include "akeyless-gateway.clusterCache.tlsVolume" . | nindent 6}} + {{- end }} + {{- end }} + containers: + - name: {{ include "akeyless-gateway.containerName" . 
}} + {{- if not .Values.gatewayRootMode }} + image: "{{ .Values.gateway.deployment.image.repository | default "docker.registry-2.akeyless.io/base" }}:{{ .Values.gateway.deployment.image.tag | default "latest" }}-akeyless" + {{else}} + image: "{{ .Values.gateway.deployment.image.repository | default "docker.registry-2.akeyless.io/base" }}:{{ .Values.gateway.deployment.image.tag | default "latest" }}" + {{- end}} + imagePullPolicy: {{ .Values.gateway.deployment.image.pullPolicy }} + {{- if .Values.gateway.deployment.containerSecurityContext }} + securityContext: + {{- toYaml .Values.gateway.deployment.containerSecurityContext | nindent 12 }} + {{- end }} + ports: + - name: gateway + containerPort: {{ .Values.gateway.service.port }} + - name: internal-gw-api + containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: 8080 + {{- toYaml .Values.gateway.deployment.livenessProbe | trim | nindent 12 }} + readinessProbe: + httpGet: + path: /health + port: 8080 + {{- toYaml .Values.gateway.deployment.readinessProbe | trim | nindent 12 }} + {{- if or (.Values.globalConfig.customerFragmentsExistingSecret) (.Values.globalConfig.TLSConf.tlsExistingSecret) (.Values.globalConfig.metrics.enabled) (include "akeyless-gateway.clusterCache.enableTls" .)}} + volumeMounts: + - name: akeyless-config + mountPath: {{include "akeyless-gateway.root.config.path" $}}/.akeyless + {{- if (eq "true" (include "akeyless-gateway.clusterCache.enableTls" . )) }} + {{ include "akeyless-gateway.clusterCache.tlsVolumeMounts" . 
| nindent 12 }} + {{- end }} + {{- if and (.Values.globalConfig.metrics.enabled) (.Values.globalConfig.metrics.enabled) }} + - name: otelcol-metrics-config + mountPath: /akeyless/otel-config.yaml + subPath: otel-config.yaml + {{- end}} + {{- if .Values.globalConfig.TLSConf.tlsExistingSecret }} + - name: tls-conf-cert + mountPath: {{include "akeyless-gateway.root.config.path" $}}/.akeyless/akeyless-api-cert.crt + subPath: akeyless-api-cert.crt + readOnly: true + - name: tls-conf-private-key + mountPath: {{include "akeyless-gateway.root.config.path" $}}/.akeyless/akeyless-api-cert.key + subPath: akeyless-api-cert.key + readOnly: true + {{- end}} + {{- end}} + resources: + {{- toYaml .Values.gateway.resources | nindent 12 }} + env: + {{- if .Values.globalConfig.customerFragmentsExistingSecret }} + - name: CUSTOMER_FRAGMENTS + valueFrom: + secretKeyRef: + name: {{ .Values.globalConfig.customerFragmentsExistingSecret }} + key: customer-fragments + {{- end }} + {{- if not .Values.fixedArtifactRepository }} + - name: ARTIFACTS_REPO + value: {{ .Values.fixedArtifactRepository | default "artifacts.site2.akeyless.io" }} + {{- end }} + {{- if .Values.fipsEnabled }} + - name: FIPS + value: {{ .Values.fipsEnabled }} + {{- end }} + {{- if .Values.globalConfig.gatewayAuth.gcpAudience }} + - name: GCP_AUDIENCE + value: {{ .Values.globalConfig.gatewayAuth.gcpAudience }} + {{- end }} + {{- if .Values.globalConfig.gatewayAuth.azureObjectID }} + - name: AZURE_OBJ_ID + value: {{ .Values.globalConfig.gatewayAuth.azureObjectID }} + {{- end }} + {{ include "akeyless-gateway.akeylessGatewayAuthConfig" . 
| nindent 10 }} + {{- if eq .Values.globalConfig.gatewayAuth.gatewayAccessType "password" }} + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.globalConfig.gatewayAuth.gatewayCredentialsExistingSecret }} + key: admin-password + {{- end }} + {{- if eq .Values.globalConfig.gatewayAuth.gatewayAccessType "certificate" }} + - name: GATEWAY_CERTIFICATE + valueFrom: + secretKeyRef: + name: {{ .Values.globalConfig.gatewayAuth.gatewayCredentialsExistingSecret }} + key: gateway-certificate + - name: GATEWAY_CERTIFICATE_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.globalConfig.gatewayAuth.gatewayCredentialsExistingSecret }} + key: gateway-certificate-key + {{- end }} + {{- if not (eq (include "akeyless-gateway.allowedAccessPermissionsExist" .) "") }} + - name: ALLOWED_ACCESS_PERMISSIONS + valueFrom: + secretKeyRef: + name: {{ include "akeyless-gateway.allowedAccessPermissionsExist" . }} + key: allowed-access-permissions + {{- end }} + {{ include "akeyless-gateway.ClusterName" . | nindent 10 }} + {{- if .Values.globalConfig.authorizedAccessIDs }} + - name: GATEWAY_AUTHORIZED_ACCESS_ID + value: {{ .Values.globalConfig.authorizedAccessIDs | quote }} + {{- end }} + {{- if .Values.globalConfig.initialClusterDisplayName }} + - name: INITIAL_DISPLAY_NAME + value: {{ .Values.globalConfig.initialClusterDisplayName }} + {{- end }} + {{- if .Values.globalConfig.configProtectionKeyName }} + - name: CONFIG_PROTECTION_KEY_NAME + value: {{ .Values.globalConfig.configProtectionKeyName }} + {{- end }} + {{- if .Values.globalConfig.gatewayAuth.redirectOIDC }} + - name: AKEYLESS_OIDC_GW_AUTH + value: "true" + {{- end }} + {{- if eq .Values.globalConfig.gatewayAuth.gatewayAccessType "uid" }} + - name: GATEWAY_UID_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.globalConfig.gatewayAuth.gatewayCredentialsExistingSecret }} + key: gateway-uid-token + {{- end }} + {{- if (eq "true" (include "akeyless-gateway.clusterCache.enabled" . 
)) }} + - name: GATEWAY_CLUSTER_CACHE + value: enable + {{- include "akeyless-gateway.clusterCacheConfig" . | nindent 10 }} + {{- end }} + {{- if .Values.globalConfig.clusterCache.encryptionKeyExistingSecret }} + - name: CACHE_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.globalConfig.clusterCache.encryptionKeyExistingSecret }} + key: cluster-cache-encryption-key + {{- end }} + {{- with .Values.globalConfig.gatewayAuth.universalIdentity }} + - name: UID_ROTATE_INTERVAL + value: {{ .uidRotationInterval | default "5m" }} + - name: UID_CREATE_CHILD_TOKEN_PER_POD + value: {{ .uidCreateChildTokenPerPod | default "disable" }} + {{- end }} + {{- if .Values.globalConfig.metrics.enabled }} + - name: ENABLE_METRICS + value: {{ .Values.globalConfig.metrics.enabled | quote }} + - name: MEM_LIMIT + valueFrom: + resourceFieldRef: + containerName: {{ include "akeyless-gateway.containerName" . }} + resource: limits.memory + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if .Values.sra.enabled }} + {{- include "akeyless-gateway.unifiedGatewaySraGatewayConfig" . | nindent 10 }} + {{- end }} + ## tls config + {{- if .Values.globalConfig.TLSConf.enabled }} + - name: ENABLE_TLS_CONFIGURE + value: "{{ .Values.globalConfig.TLSConf.enabled }}" + {{- end }} + - name: MIN_TLS_VERSION + value: "{{ .Values.globalConfig.TLSConf.minimumTlsVersion | default "TLSv1.2" }}" + {{- if .Values.globalConfig.TLSConf.excludeCipherSuites }} + - name: EXCLUDE_CIPHER_SUITES + value: "{{ .Values.globalConfig.TLSConf.excludeCipherSuites }}" + {{- end }} + - name: VERSION + value: {{ .Values.version | default .Chart.Annotations.gatewayVersion }} + {{- include "httpProxySettings" . | nindent 10 }} + {{ include "akeyless-gateway.chartMetadata" . | nindent 10 }} + {{- if .Values.globalConfig.env }} + {{- toYaml .Values.globalConfig.env | nindent 12 }} + {{- end }} \ No newline at end of file 
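Review bot: The `ARTIFACTS_REPO` block is wrapped in `{{- if not .Values.fixedArtifactRepository }}`, so the env var is rendered only when the value is unset and then always takes `default "artifacts.site2.akeyless.io"`; a user-supplied `fixedArtifactRepository` is never passed to the container, which is the opposite of the intent, and the guard should be `{{- if .Values.fixedArtifactRepository }}` or dropped in favour of the `default`. The otel mount is guarded by `{{- if and (.Values.globalConfig.metrics.enabled) (.Values.globalConfig.metrics.enabled) }}` while the matching volume exists only when `metricsExistingSecret` is also set, so enabling metrics without the secret yields a volumeMount with no volume and the pod is rejected; the mount guard should repeat the volume's `and (...metrics.enabled) (...metrics.metricsExistingSecret)`. The `volumes:`/`volumeMounts:` guards also feed `(include "akeyless-gateway.clusterCache.enableTls" .)` directly to `or`, and any non-empty string (presumably "false" when disabled) is truthy, so that branch is likely always taken; compare the `eq "true" (include ...)` form used a few lines later. Finally, the image tag falls back to `"latest"`, so an install is not reproducible or attestable; defaulting to a fixed tag (the `VERSION` env already reads `.Chart.Annotations.gatewayVersion`, if the registry tags match) would pin it.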
diff --git a/charts/akeyless-gateway/templates/hpa.yaml b/charts/akeyless-gateway/templates/hpa.yaml
new file mode 100644
index 0000000..b37a279
--- /dev/null
+++ b/charts/akeyless-gateway/templates/hpa.yaml
@@ -0,0 +1,29 @@
+{{- if and (.Values.gateway.hpa.enabled) (eq (include "deployment.type" $) "Deployment") }}
+apiVersion: "autoscaling/v2"
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ .Release.Name }}-hpa
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml .Values.gateway.hpa.annotations | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "akeyless-gateway.fullname" . }}
+ minReplicas: {{ $.Values.gateway.hpa.minReplicas | default 1 }}
+ maxReplicas: {{ $.Values.gateway.hpa.maxReplicas | default 14 }}
+ metrics:
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ $.Values.gateway.hpa.memAvgUtil }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ $.Values.gateway.hpa.cpuAvgUtil }}
+ {{- end }}
diff --git a/charts/akeyless-gateway/templates/ingress.yaml b/charts/akeyless-gateway/templates/ingress.yaml
new file mode 100644
index 0000000..e24d4d7
--- /dev/null
+++ b/charts/akeyless-gateway/templates/ingress.yaml
@@ -0,0 +1,51 @@
+{{- $ingress := .Values.gateway.ingress }}
+{{- if $ingress.enabled }}
+apiVersion: "networking.k8s.io/v1"
+kind: Ingress
+metadata:
+ name: {{ include "akeyless-gateway.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- include "akeyless-gateway.labels" . | nindent 4 }}
+ {{- if $ingress.labels }}
+ {{- toYaml $ingress.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- if $ingress.certManager }}
+ kubernetes.io/tls-acme: "true"
+ {{- end }}
+ {{- if $ingress.annotations }}
+ {{ toYaml $ingress.annotations | nindent 4 }}
+ {{- end }}
+spec:
+{{- if $ingress.ingressClassName }}
+ ingressClassName: {{ $ingress.ingressClassName }}
+{{- end }}
+ rules:
+{{- range $ingress.rules }}
+ - host: {{ .hostname }}
+ http:
+ paths:
+ - path: {{ .path | default $.Values.gateway.ingress.path }}
+ pathType: {{ $ingress.pathType | default "ImplementationSpecific" }}
+ backend:
+ service:
+ {{- if .serviceName }}
+ name: {{ .serviceName }}
+ {{- else }}
+ name: {{ include "akeyless-gateway.fullname" $ }}
+ {{- end }}
+ port:
+ name: {{ .servicePort }}
+{{- end }}
+{{- if $ingress.tls }}
+ tls:
+ {{- range $ingress.rules }}
+ - hosts:
+ - {{ .hostname }}
+ {{- $data := dict "hostname" .hostname "existingSecret" $ingress.existingSecret}}
+ secretName: {{ include "akeyless-gateway.ingressSecretTLSName" $data }}
+ {{- end }}
+{{- end }}
+
+{{- end }}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/rbac.yaml b/charts/akeyless-gateway/templates/rbac.yaml
new file mode 100644
index 0000000..a6f6b01
--- /dev/null
+++ b/charts/akeyless-gateway/templates/rbac.yaml
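Review bot: The backend port is always rendered as `port: name: {{ .servicePort }}`, but the value is called `servicePort`, the Service in templates/svc.yaml exposes the port under the name `gateway`, and nothing documents that a port *name* rather than a number is expected; a numeric rule entry renders a number under `name:`, which the Ingress API rejects. Branching on the value's kind accepts both forms, as below. A comment in values.yaml next to `gateway.ingress.rules` stating that `servicePort` is the Service port name (`gateway`) would also remove the ambiguity for readers who never see this template.

```yaml
            port:
              {{- if kindIs "string" .servicePort }}
              name: {{ .servicePort }}
              {{- else }}
              number: {{ .servicePort }}
              {{- end }}
```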
@@ -0,0 +1,35 @@
+{{/* RBAC rule to access the secret if enableScaleOutOnDisconnectedMode is true and clusterCacheEncryptionKeyExist is not empty */}}
+{{- if and (eq .Values.globalConfig.clusterCache.enableScaleOutOnDisconnectedMode true | default false) (not (.Values.globalConfig.clusterCache.encryptionKeyExistingSecret)) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "akeyless-gateway.getServiceAccountName" $ }}-secret-access
+ namespace: {{ $.Release.Namespace | quote }}
+rules:
+ # Rule to allow creating any secret (Refer - https://github.com/kubernetes/kubernetes/issues/80295)
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+
+ # Rule to allow getting and updating a specific secret
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: [{{ include "akeyless-gateway.clusterCacheEncryptionKeyExist" $ | quote }}]
+ verbs: ["get", "update"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "akeyless-gateway.getServiceAccountName" $ }}-secret-access-binding
+ namespace: {{ $.Release.Namespace | quote }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "akeyless-gateway.getServiceAccountName" $ }}
+ namespace: {{ $.Release.Namespace | quote }}
+roleRef:
+ kind: Role
+ name: {{ template "akeyless-gateway.getServiceAccountName" $ }}-secret-access
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/sa.yaml b/charts/akeyless-gateway/templates/sa.yaml
new file mode 100644
index 0000000..8f4b4b2
--- /dev/null
+++ b/charts/akeyless-gateway/templates/sa.yaml
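Review bot: The header comment `{{/* RBAC rule to access the secret if enableScaleOutOnDisconnectedMode is true and clusterCacheEncryptionKeyExist is not empty */}}` contradicts the condition on the next line, which renders the Role only when `encryptionKeyExistingSecret` is *empty* (`not (...)`), i.e. when the gateway must create and manage the key secret itself. The comment should say so, e.g. `{{/* Role/RoleBinding letting the gateway create and update its own cluster-cache encryption key secret; rendered only when enableScaleOutOnDisconnectedMode is true and no encryptionKeyExistingSecret is supplied */}}`. Since the first rule's namespace-wide `create` on secrets is unavoidable (create cannot be restricted by resourceName, as the linked issue explains), it is worth stating in the same comment that the `get`/`update` rule is deliberately name-scoped and that no `list`, `watch` or `delete` is granted, so a reviewer can tell the broad verb is intentional rather than an oversight.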
@@ -0,0 +1,13 @@
+{{ with .Values.globalConfig.serviceAccount }}
+{{- if (.create) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "akeyless-gateway.getServiceAccountName" $ }}
+ namespace: {{ $.Release.Namespace | quote }}
+ {{- if .annotations }}
+ annotations:
+ {{- toYaml .annotations | nindent 4 }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/akeyless-gateway/templates/secrets.yaml b/charts/akeyless-gateway/templates/secrets.yaml
new file mode 100644
index 0000000..d2b1265
--- /dev/null
+++ b/charts/akeyless-gateway/templates/secrets.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.globalConfig.gatewayAuth.gatewayAccessId }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Release.Name }}-conf-secret
+type: Opaque
+data:
+{{- if .Values.globalConfig.gatewayAuth.gatewayAccessId }}
+ gateway-access-id: {{ .Values.globalConfig.gatewayAuth.gatewayAccessId | b64enc | quote }}
+{{- end }}
+{{- if .Values.globalConfig.allowedAccessPermissions }}
+ allowed-access-permissions: {{ .Values.globalConfig.allowedAccessPermissions | toJson | b64enc | quote }}
+{{- end }}
+{{- end }}
+
+---
+{{- if and (eq "true" (include "akeyless-gateway.clusterCache.enabled" . )) (empty .Values.globalConfig.clusterCache.cachePasswordExistingSecret ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $.Release.Name }}-cache-secret
+type: Opaque
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cache-secret" $.Release.Name) ) | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ # set $cachePassSecret to existing secret data or generate a random one when not exists
+ {{- $cachePassSecret := (get $secretData "cache-pass") | default (randAlphaNum 32 | b64enc) }}
+ cache-pass: {{ $cachePassSecret | quote }}
+{{- end }}
diff --git a/charts/akeyless-gateway/templates/svc.yaml b/charts/akeyless-gateway/templates/svc.yaml
new file mode 100644
index 0000000..2c2f334
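Review bot: The `lookup` that keeps `cache-pass` stable across upgrades returns an empty map under `helm template`, `--dry-run` and most CI renderers, so any flow that renders and then applies manifests instead of running `helm upgrade` will regenerate `randAlphaNum 32` on every run and rotate the cache password out from under running pods; the comment above that line should state this limitation and point GitOps users to `cachePasswordExistingSecret`, e.g. `# lookup is a no-op under helm template/--dry-run: render-and-apply pipelines will regenerate this value; use cachePasswordExistingSecret instead`. The `-conf-secret` Secret also omits `namespace: {{ .Release.Namespace }}`, which every other resource in the chart sets, so rendered output applied with a different `-n` lands in another namespace. Minor: the inner `{{- if .Values.globalConfig.gatewayAuth.gatewayAccessId }}` around `gateway-access-id` repeats the outer guard and can be removed.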
--- /dev/null
+++ b/charts/akeyless-gateway/templates/svc.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "akeyless-gateway.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "akeyless-gateway.labels" . | nindent 4 }}
+ {{- if .Values.gateway.service.labels }}
+ {{- toYaml .Values.gateway.service.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- toYaml .Values.gateway.service.annotations | nindent 4 }}
+spec:
+ {{- if .Values.gateway.ingress.enabled }}
+ type: {{ .Values.gateway.service.type | default "NodePort" }}
+ {{- else }}
+ type: {{ required "A valid .Values.gateway.service.type entry required!" .Values.gateway.service.type }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.gateway.service.port }}
+ targetPort: gateway
+ protocol: TCP
+ name: gateway
+ selector:
+ {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ include "akeyless-gateway.fullname" . }}-internal"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "akeyless-gateway.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8080
+ targetPort: internal-gw-api
+ protocol: TCP
+ name: internal-gw-api
+ selector:
+ {{- include "akeyless-gateway-sra-ssh-service.selectorLabels" . | nindent 4 }}
diff --git a/charts/akeyless-gateway/values.yaml b/charts/akeyless-gateway/values.yaml
new file mode 100644
index 0000000..32aa6c6
--- /dev/null
+++ b/charts/akeyless-gateway/values.yaml
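Review bot: When `gateway.ingress.enabled` is true the Service `type` falls back to `NodePort`, which opens the gateway port on every node's interfaces even though the Ingress is the intended entry point; `ClusterIP` is the least-exposure default behind an ingress, so `type: {{ .Values.gateway.service.type | default "ClusterIP" }}` is preferable unless the targeted ingress controller needs node ports, in which case a comment naming that requirement belongs on this line. The `-internal` Service on 8080 (`internal-gw-api`) is correctly `ClusterIP`, but it is reachable from every namespace by default; a NetworkPolicy limiting it to the chart's own pods would document and enforce who may call it. The `default "NodePort"` branch also silently ignores the `required` check that the non-ingress branch performs, so a values comment explaining why the two branches differ would help.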
@@ -0,0 +1,441 @@
+############
+## Global ##
+############
+globalConfig:
+ gatewayAuth:
+ ## Supported types: access_key, certificate, universal identity, cloud identity (aws_iam/azure_ad/gcp)
+ ## If using access_key, certificate or universal identity, you must also add gatewayCredentialsExistingSecret which includes the key/certificate/token
+ ## https://docs.akeyless.io/docs/gateway-chart#authentication
+ ##
+ gatewayAccessId:
+ gatewayAccessType:
+ ## Use K8s secret to set the following types: access_key, certificate, uid
+ ## Create a K8s secret, run 'kubect apply' and add secret name (see docs for examples)
+ ## keys: gateway-access-key, gateway-certificate, gateway-certificate-key, gateway-uid-token
+ ##
+ gatewayCredentialsExistingSecret:
+
+ ## Add one or more Access IDs to give them access to this Gateway; add the specified permissions and sub-claims.
+ ## Name must be unique. Empty permissions will implicitly give the admin permission.
+ ## See docs for examples https://docs.akeyless.io/docs/gateway-chart#gateway-admins
+ ##
+ allowedAccessPermissions: {}
+
+ ## Use a K8s existing secret for Gateway Allowed Access. Must include the following key: allowed-access-permissions
+ ## https://docs.akeyless.io/docs/gateway-chart#access-permissions
+ ##
+ allowedAccessPermissionsExistingSecret:
+
+ ## List Access IDs that have access (comma separated list), if left empty all Access IDs will be authorised.
+ ## To enable only specific users to use Remote Access, make sure to add the relevant `authorizedAccessIDs` in the `Global` section.
+ ## A comma-separated list can be used for multiple IDs.
+ ## While this is not mandatory, it is a good security practice to limit user access. If not configured, a Warning message
+ ## will appear. For more information: https://docs.akeyless.io/docs/remote-access-setup-k8s#configuration
+ ##
+ authorizedAccessIDs:
+
+ ## If serviceAccount = false, please ensure the provided service account has the following permissions:
+ ## 1. Create Kubernetes Secrets - The service account must be able to create secrets within the Kubernetes cluster.
+ ## Read and Update the Gateway's Kubernetes Secret
+ ## 2. The service account must have read and update access to the Kubernetes secret used by the Gateway.
+ ## By default, this secret is named -cache-encryption-key, unless a custom name has been specified.
+ ##
+ serviceAccount:
+ create: false
+ serviceAccountName:
+ annotations:
+
+ ## This is the actual name of the cluster as in account/access-id/clusterName
+ ##
+ clusterName:
+
+ ## This is the vanity display name of the cluster
+ ##
+ initialClusterDisplayName:
+
+ ## The key which is used to encrypt the Gateway configuration.
+ ## If left empty - the account’s default key will be used.
+ ## This key can be determined on cluster bringup only and cannot be modified afterwards
+ ##
+ configProtectionKeyName:
+
+ ## Use k8s secret to set the CF, the k8s secret must include the key: customer-fragments
+ ## See docs for examples https://docs.akeyless.io/docs/advanced-chart-configuration#customer-fragment
+ ##
+ customerFragmentsExistingSecret:
+
+ ## See docs for examples https://docs.akeyless.io/docs/advanced-chart-configuration#tls-configuration
+ ##
+ TLSConf:
+ enabled: false
+ ## Specifies an existing secret for tls-certificate:
+ tlsExistingSecret:
+
+ ## Telemetry Metrics see docs for examples https://docs.akeyless.io/docs/telemetry-metrics-k8s
+ ##
+ metrics:
+ enabled: false
+ ## Existing secret for metrics must include:
+ ## - otel-config.yaml (base64) secret
+ ##
+ metricsExistingSecret:
+
+ ## Linux system HTTP Proxy
+ httpProxySettings:
+ http_proxy: ""
+ https_proxy: ""
+ no_proxy: ""
+
+ # env: []
+
+ ## https://docs.akeyless.io/docs/advanced-chart-configuration#cache-configuration
+ ##
+ clusterCache:
+ ## In case Cache is enabled in the Gateway, and the encryptionKeyExistingSecret parameter has a value
+ ## Akeyless will use this specified encryption key and store it securely within Akeyless Gateway.
+ ## If the encryptionKeyExistingSecret parameter is empty or not specified,
+ ## Akeyless will automatically generate a new encryption key and a new ServiceAccount for K8s.
+ ## for more information: https://docs.akeyless.io/docs/advanced-chart-configuration#cache-configuration
+ ##
+ encryptionKeyExistingSecret:
+
+ # Enable/Disable TLS between the Gateway and the cluster cache service
+ # using generated certificates and keys
+ enableTls: false
+
+ ## The resources limits for the redis cluster cache
+ ##
+ resources:
+ limits:
+ # cpu: 500m
+ memory: 2Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+
+####################################################
+## Default values for Gateway ##
+####################################################
+gateway:
+ ## Default values for akeyless-gateway.
+ deployment:
+ annotations: {}
+ labels: {}
+
+ replicaCount: 2
+ image:
+ # repository: akeyless/base
+ # Alternative mirror registry
+ # repository: docker.registry-2.akeyless.io/base
+ pullPolicy: IfNotPresent
+
+ # Place here any pod annotations you may need
+ pod:
+ annotations: {}
+
+ affinity:
+ enabled: false
+ data:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: kubernetes.io/arch
+ # operator: In
+ # values:
+ # - amd64
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ nodeSelector:
+ # iam.gke.io/gke-metadata-server-enabled: "true"
+
+ securityContext:
+ enabled: false
+ fsGroup: 0
+ runAsUser: 0
+
+ containerSecurityContext: {}
+ ## Remove the {} and add any needed values to your SecurityContext
+ ##
+ # runAsUser: 0
+ # seccompProfile:
+ # type: RuntimeDefault
+
+ livenessProbe:
+ initialDelaySeconds: 60
+ periodSeconds: 30
+ failureThreshold: 10
+
+ readinessProbe:
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ timeoutSeconds: 5
+
+ service:
+ ## Remove the {} and add any needed annotations regarding your LoadBalancer implementation
+ ##
+ annotations: {}
+ labels: {}
+ type: LoadBalancer
+
+ ## Gateway service port
+ ##
+ port: 8000
+
+ ## Configure the ingress resource that allows you to access the
+ ## akeyless-api-gateway installation. Set up the URL
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ ##
+ ingress:
+ ## Set to true to enable ingress record generation
+ enabled: false
+
+ ## A reference to an IngressClass resource
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
+ # ingressClassName:
+
+ labels: {}
+
+ annotations: {}
+ ## Example for Nginx ingress
+ ##
+ # annotations:
+ # kubernetes.io/ingress.class: nginx
+ # nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ # nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+ # nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ # nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ # nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+ # nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+
+ ## Example for Istio ingress
+ ##
+ # labels:
+ # istio-injection: enabled
+ # annotations:
+ # kubernetes.io/ingress.class: "istio"
+ #
+ ## You can set ingressClassName instead annotation and label
+ ##
+ # ingressClassName: istio
+ #
+ ## In addition if you are using istio ingress, you must add the following annotation to the gateway pod annotations
+ ##
+ # pod:
+ # annotations:
+ # proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true }'
+
+ ## Example for AWS ELB ingress
+ ##
+ # annotations:
+ # kubernetes.io/ingress.class: alb
+ # alb.ingress.kubernetes.io/scheme: internet-facing
+
+ rules:
+ - servicePort: gateway
+ hostname: "gateway.local"
+
+ ## Path for the default host
+ path: /
+
+ ## Ingress Path type the value can be ImplementationSpecific, Exact or Prefix
+ pathType: ImplementationSpecific
+
+ ## Enable TLS configuration for the hostname defined at ingress.hostname parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.gateway.ingress.hostname }}
+ ## or a custom one if you use the tls.existingSecret parameter
+ ##
+ tls: false
+
+ # existingSecret: name-of-existing-secret
+
+ ## Set this to true in order to add the corresponding annotations for cert-manager and secret name
+ certManager: false
+
+ resources: {}
+ ## The following resource settings represent minimum recommended requests without defined limits.
+ ## We've set a base recommended requests of 1 vCPU and 2GB memory.
+ ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource
+ ## limits, uncomment the 'limits' section and adjust values as needed.
+ ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values.
+ ## If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ##
+ # limits:
+ # cpu:
+ # memory:
+ # requests:
+ # cpu: 1
+ # memory: 2G
+
+ hpa:
+ ## Set the below to false in case you do not want to add Horizontal Pod AutoScaling
+ ## Note that metrics server must be installed for this to work:
+ ## https://github.com/kubernetes-sigs/metrics-server
+ ##
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 10
+ cpuAvgUtil: 70
+ memAvgUtil: 70
+
+ annotations: {}
+
+######################################################
+## Default values for akeyless-secure-remote-access ##
+######################################################
+
+## If you are only using Akeyless Gateway, ignore this section
+##
+sra:
+ ## Enable secure-remote-access. Valid values: true/false.
+ ## For more information on a Quick Start guide for Remote Access
+ ## Or setup SRA on K8s
+ enabled: false
+
+ image:
+ ## Default image repository is: akeyless/zero-trust-bastion
+ ##
+ pullPolicy: IfNotPresent
+ # tag: latest
+
+ env: []
+
+ ## The below section is for the Remote Access Web app
+ ##
+ webConfig:
+ deployment:
+ annotations: {}
+ labels: {}
+ replicaCount: 1
+
+
+ ## Persistence Volume is used to store RDP recordings when it is configured to save recordings locally
+ ## Akeyless requires data persistence to be shared within all pods in the cluster
+ ## accessMode: ReadWriteMany
+ ## Make sure to change the below values according to your environment except for the hostPath values
+ ## see docs for more information
+ ##
+ persistence:
+ volumes: {}
+ # volumes:
+ # - name: akeyless-data
+ # storageClassName: efs-zero-trust-bastion-sc
+ # # storageClassDriver: efs.csi.aws.com
+ # size: 100Mi
+ # annotations:
+ # volume.beta.kubernetes.io/storage-class: ""
+
+ livenessProbe:
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ failureThreshold: 10
+
+ readinessProbe:
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ timeoutSeconds: 5
+
+ resources:
+ ## The following resource settings represent minimum recommended requests without defined limits.
+ ## We've set a base recommended requests of 1 vCPU and 2GB memory.
+ ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource
+ ## limits, uncomment the 'limits' section and adjust values as needed.
+ ## For more information on system requirements
+ ##
+ ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values.
+ ## If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ##
+ # limits:
+ # cpu:
+ # memory:
+ requests:
+ cpu: 1
+ memory: 2G
+
+ hpa:
+ ## Set the below to false in case you do not want to add Horizontal Pod AutoScaling to the Deployment
+ ## If HPA is enabled resources requests must be set
+ ##
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 10
+ cpuAvgUtil: 70
+ memAvgUtil: 70
+
+ ## The below section is for the Remote Access SSH app
+ ## For more information:
+ ##
+ sshConfig:
+ replicaCount: 1
+
+ ## This is a required RSA Public Key for your Akeyless SSH Cert Issuer
+ ## See docs for examples
+ ##
+ CAPublicKey:
+ # CAPublicKey: |
+
+ ## Use this parameter to store fingerprint information in a specific folder within your Akeyless account.
+ ## This approach prevents the need to manually re-accept the SSH host key fingerprint after upgrades or other changes.
+ ## In the example below, the fingerprints will be stored in the /MY_SSH_REMOTE_ACCESS_HOST_KEYS folder.
+ ## Note: Ensure that your Remote Access default authentication method has the necessary permissions to create, read, and list within this folder.
+ ## See docs for more information
+ ##
+ sshHostKeysPath:
+
+ annotations: {}
+ labels: {}
+
+ nodeSelector:
+ # iam.gke.io/gke-metadata-server-enabled: "true"
+
+ securityContext:
+ enabled: false
+ fsGroup: 0
+ runAsUser: 0
+
+ service:
+ ## Remove the {} and add any needed annotations regarding your LoadBalancer implementation
+ ##
+ annotations: {}
+ labels: {}
+ type: LoadBalancer
+ port: 22
+
+ livenessProbe:
+ failureThreshold: 5
+ periodSeconds: 30
+ timeoutSeconds: 5
+
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ timeoutSeconds: 5
+
+ resources:
+ ## The following resource settings represent minimum recommended requests without defined limits.
+ ## We've set a base recommended requests of 1 vCPU and 2GB memory.
+ ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource
+ ## limits, uncomment the 'limits' section and adjust values as needed.
+ ## For more information on system requirments
+
+ ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values.
+ ## If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ##
+ # limits:
+ # cpu:
+ # memory:
+ requests:
+ cpu: 1
+ memory: 2G
+
+ hpa:
+ ## Set the below to true only when using a shared persistent storage (defined at .persistence.volumes)
+ ## If HPA is enabled resources requests must be set
+ ##
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 10
+ cpuAvgUtil: 70
+ memAvgUtil: 70
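Review bot: The `serviceAccount` comment opens with `If serviceAccount = false` and says the Gateway's secret is named `-cache-encryption-key` by default, but the flag is `serviceAccount.create` and secrets.yaml in this commit creates `<release>-cache-secret` with key `cache-pass`, so an operator granting RBAC from this comment would scope it to the wrong object; suggest `## If serviceAccount.create = false, ensure the provided service account can create Secrets and read/update the Gateway's <release>-cache-secret`. `gateway.securityContext` and `sra.sshConfig.securityContext` both default to `runAsUser: 0` / `fsGroup: 0`, and `gateway.service.type` defaults to `LoadBalancer` while `authorizedAccessIDs` is empty (which its own comment says authorises all Access IDs), so an out-of-the-box install is externally exposed and runs as root once the context is enabled; if the images do not require root, a non-zero default or at least a comment stating the implication would be safer. `kubect apply` and `requirments` are typos.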