From 7db820ba969152cf5ac63232b19f687782d1fe84 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=90=B4=E5=B0=8F=E7=99=BD?= <296015668@qq.com> Date: Fri, 4 Jun 2021 16:48:15 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E6=9B=B4=E6=96=B0=20v2.10.3=20?= =?UTF-8?q?=E7=89=88=E6=9C=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 2 + .helmignore | 22 ++ Chart.yaml | 5 + README.md | 120 ++++++++++ configs/jms-core/config.yml | 110 +++++++++ configs/jms-koko/config.yml | 68 ++++++ configs/jms-lion/config.yml | 33 +++ configs/jms-nginx/nginx.conf | 101 ++++++++ templates/NOTES.txt | 11 + templates/_helpers.tpl | 56 +++++ templates/configmap-core.yaml | 15 ++ templates/configmap-koko.yaml | 15 ++ templates/configmap-lion.yaml | 15 ++ templates/configmap-nginx.yaml | 15 ++ templates/deployment-celery.yaml | 96 ++++++++ templates/deployment-core.yaml | 104 ++++++++ templates/deployment-koko.yaml | 96 ++++++++ templates/deployment-lion.yaml | 93 ++++++++ templates/deployment-nginx.yaml | 92 ++++++++ templates/ingress.yaml | 37 +++ templates/pvc-core-data.yaml | 29 +++ templates/pvc-core-logs.yaml | 29 +++ templates/pvc-koko-data.yaml | 29 +++ templates/pvc-lion-data.yaml | 29 +++ templates/pvc-nginx-logs.yaml | 29 +++ templates/service-core.yaml | 27 +++ templates/service-koko.yaml | 29 +++ templates/service-lion.yaml | 23 ++ templates/service-nginx.yaml | 23 ++ templates/serviceaccount.yaml | 10 + values.yaml | 394 +++++++++++++++++++++++++++++++ 31 files changed, 1757 insertions(+) create mode 100644 .gitignore create mode 100644 .helmignore create mode 100644 Chart.yaml create mode 100644 README.md create mode 100644 configs/jms-core/config.yml create mode 100644 configs/jms-koko/config.yml create mode 100644 configs/jms-lion/config.yml create mode 100644 configs/jms-nginx/nginx.conf create mode 100644 templates/NOTES.txt create mode 100644 templates/_helpers.tpl create mode 100644 templates/configmap-core.yaml create mode 100644 templates/configmap-koko.yaml create mode 100644 
templates/configmap-lion.yaml
create mode 100644 templates/configmap-nginx.yaml
create mode 100644 templates/deployment-celery.yaml
create mode 100644 templates/deployment-core.yaml
create mode 100644 templates/deployment-koko.yaml
create mode 100644 templates/deployment-lion.yaml
create mode 100644 templates/deployment-nginx.yaml
create mode 100644 templates/ingress.yaml
create mode 100644 templates/pvc-core-data.yaml
create mode 100644 templates/pvc-core-logs.yaml
create mode 100644 templates/pvc-koko-data.yaml
create mode 100644 templates/pvc-lion-data.yaml
create mode 100644 templates/pvc-nginx-logs.yaml
create mode 100644 templates/service-core.yaml
create mode 100644 templates/service-koko.yaml
create mode 100644 templates/service-lion.yaml
create mode 100644 templates/service-nginx.yaml
create mode 100644 templates/serviceaccount.yaml
create mode 100644 values.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ba20a15
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+**/values-debug.yaml
+deploy.sh
\ No newline at end of file
diff --git a/.helmignore b/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 0000000..db45d91
--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "v2.10.3"
+description: A Helm chart for Deploying Jumpserver on Kubernetes
+name: jumpserver
+version: 0.1.0
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4ce5958
--- /dev/null
+++ b/README.md
@@ -0,0 +1,120 @@ +# Jumpserver + +[Jumpserver](http://www.jumpserver.org/) 是全球首款完全开源的堡垒机, 使用 GNU GPL v2.0 开源协议, 是符合 4A 的专业运维审计系统。 + +## 使用方法 + +```bash +# Testing configuration +$ helm install my-release ./jumpserver +``` + +## 介绍 + +当前Chart包含了Jumpserver所需的基本组件 + +## 依赖 + +- Kubernetes 1.12+ +- Helm 2.11+ 或 Helm 3.0-beta3+ +- PV provisioner 支持 +- [wojiushixiaobai](https://github.com/wojiushixiaobai/Dockerfile) 的镜像支持 + +## 安装 + +发布名为 `my-release` 的release: + +```bash +$ helm install my-release ./jumpserver +``` + +上条命令把默认配置的Jumpserver部署到了kubernetes集群中,[参数](#parameters)一节中列出了配置参数 + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +删除 `my-release` release: + +```bash +$ helm delete my-release +``` + +上条命令删除了所有包含在release中的组件 + +## 参数 + +下面的表格中列出了一些必要的参数,发布前请先阅读并设置 + +### 总览 + +| 参数 | 描述 | 默认值 | +| ---------------------- | ------------------ | ------- | +| `nameOveride` | name override | `nil` | +| `fullNameOveride` | full name override | `nil` | +| `ingress.enabled` | 开启 ingress | `true` | +| `core.enabled` | 开启 core | `true` | +| `koko.enabled` | 开启 koko | `true` | +| `lion.enabled` | 开启 lion | `true` | +| `nginx.enabled` | 开启 nginx | `true` | + +### core.config + +| 参数 | 描述 | 默认值 | +| ---------------- | ----------------------------------------------------------------------- | --------------------- | +| `secretKey` | 加密秘钥 生产环境中请修改为随机字符串,请勿外泄, 可使用命令生成 | `nil` | +| `bootstrapToken` | 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制 | `nil` | +| `debug` | 开启 debug 模式 | `false` | +| `log.level` | 日志等级 | `ERROR` | +| `db.engine` | 数据库引擎 | `mysql` | +| `db.host` | 数据库IP地址 | `nil` | +| `db.port` | 数据库端口 | `3306` | +| `db.username` | 数据库用户名 | `jumpserver` | +| `db.password` | 数据库密码 | `nil` | +| `db.name` | 数据库名称 | `nil` | +| `redis.host` | redisIP地址 | `nil` | +| `redis.port` | redis端口 | `6379` | +| `redis.password` | redis密码 | `nil` | + +### koko.config + +| 参数 | 描述 | 默认值 | +| --------------------- | 
--------------------------------------------------------- | ------- | +| `log.level` | 日志等级 | `INFO` | +| `share_room_type` | 会话共享 | `redis` | +| `redis.host` | redis 地址 | `nil` | +| `redis.port` | redis 端口 | `6379` | +| `redis.password` | redis 密码 | `nil` | + +### lion.config + +| 参数 | 描述 | 默认值 | +| --------------------- | --------------------------------------------------------- | ------- | +| `log.level` | 日志等级 | `INFO` | +| `share_room_type` | 会话共享 | `redis` | +| `redis.host` | redis 地址 | `nil` | +| `redis.port` | redis 端口 | `6379` | +| `redis.password` | redis 密码 | `nil` | + +在`helm install`时通过 `--set key=value[,key=value]` 指定参数. 举例, + +```bash +$ helm install my-release \ + --set ingress.enabled=true \ + ./jumpserver +``` + +上条命令开启了ingress. + +也可以通过 `-f file` 的形式指定一个或多个values.yaml文件. 举例, + +```bash +$ helm install my-release -f values.yaml ./jumpserver +``` + +> **注**: 默认使用 [values.yaml](values.yaml) + +## 相关项目 + +- https://github.com/jumpserver/jumpserver +- https://github.com/wojiushixiaobai/Dockerfile diff --git a/configs/jms-core/config.yml b/configs/jms-core/config.yml new file mode 100644 index 0000000..0bee418 --- /dev/null +++ b/configs/jms-core/config.yml 
@@ -0,0 +1,110 @@ +# SECURITY WARNING: keep the secret key used in production secret! +# 加密秘钥 生产环境中请修改为随机字符串,请勿外泄, 可使用命令生成 +# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo +SECRET_KEY: {{ $.Values.core.config.secretKey }} + +# SECURITY WARNING: keep the bootstrap token used in production secret! +# 预共享Token coco和guacamole用来注册服务账号,不在使用原来的注册接受机制 +BOOTSTRAP_TOKEN: {{ $.Values.core.config.bootstrapToken }} + +# Development env open this, when error occur display the full process track, Production disable it +# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志 +DEBUG: {{ $.Values.core.config.debug }} + +# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/ +# 日志级别 +LOG_LEVEL: {{ $.Values.core.config.log.level }} +# LOG_DIR: + +# Session expiration setting, Default 24 hour, Also set expired on on browser close +# 浏览器Session过期时间,默认24小时, 也可以设置浏览器关闭则过期 +# SESSION_COOKIE_AGE: 86400 +# SESSION_EXPIRE_AT_BROWSER_CLOSE: false + +# Database setting, Support sqlite3, mysql, postgres .... 
+# 数据库设置 +# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases + +# SQLite setting: +# 使用单文件sqlite数据库 +# DB_ENGINE: sqlite3 +# DB_NAME: + +# MySQL or postgres setting like: +# 使用Mysql作为数据库 +DB_ENGINE: {{ $.Values.core.config.db.engine }} +DB_HOST: {{ $.Values.core.config.db.host }} +DB_PORT: {{ $.Values.core.config.db.port }} +DB_USER: {{ $.Values.core.config.db.user }} +DB_PASSWORD: {{ $.Values.core.config.db.password }} +DB_NAME: {{ $.Values.core.config.db.name }} + +# When Django start it will bind this host and port +# ./manage.py runserver 127.0.0.1:8080 +# 运行时绑定端口 +HTTP_BIND_HOST: 0.0.0.0 +HTTP_LISTEN_PORT: {{ $.Values.core.service.web.port }} +WS_LISTEN_PORT: {{ $.Values.core.service.ws.port }} + +# Use Redis as broker for celery and web socket +# Redis配置 +REDIS_HOST: {{ $.Values.core.config.redis.host }} +REDIS_PORT: {{ $.Values.core.config.redis.port }} +REDIS_PASSWORD: {{ $.Values.core.config.redis.password }} +# REDIS_DB_CELERY: 3 +# REDIS_DB_CACHE: 4 + +# Use OpenID authorization +# 使用OpenID 来进行认证设置 +# BASE_SITE_URL: http://localhost:8080 +# AUTH_OPENID: false # True or False +# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/ +# AUTH_OPENID_REALM_NAME: realm-name +# AUTH_OPENID_CLIENT_ID: client-id +# AUTH_OPENID_CLIENT_SECRET: client-secret +# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True +# AUTH_OPENID_SHARE_SESSION: True +# +# Use Radius authorization +# 使用Radius来认证 +# AUTH_RADIUS: false +# RADIUS_SERVER: localhost +# RADIUS_PORT: 1812 +# RADIUS_SECRET: + +# LDAP/AD settings +# LDAP 搜索分页数量 +# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000 +# +# 定时同步用户 +# 启用 / 禁用 +# AUTH_LDAP_SYNC_IS_PERIODIC: True +# 同步间隔 (单位: 时) (优先) +# AUTH_LDAP_SYNC_INTERVAL: 12 +# Crontab 表达式 +# AUTH_LDAP_SYNC_CRONTAB: * 6 * * * +# +# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证 +# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False +# +# LDAP 认证时如果日志中出现以下信息将参数设置为 0 (详情参见:https://www.python-ldap.org/en/latest/faq.html) +# In order to perform this operation a successful bind must be 
completed on the connection +# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1 + +# OTP settings +# OTP/MFA 配置 +# OTP_VALID_WINDOW: 0 +# OTP_ISSUER_NAME: Jumpserver + +# Perm show single asset to ungrouped node +# 是否把未授权节点资产放入到 未分组 节点中 +# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false +# +# 启用定时任务 +# PERIOD_TASK_ENABLE: True +# +# 启用二次复合认证配置 +# LOGIN_CONFIRM_ENABLE: False +# +# Windows 登录跳过手动输入密码 +# WINDOWS_SKIP_ALL_MANUAL_PASSWORD: False diff --git a/configs/jms-koko/config.yml b/configs/jms-koko/config.yml new file mode 100644 index 0000000..4e504e7 --- /dev/null +++ b/configs/jms-koko/config.yml 
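Review bot: Every templated value in this file is emitted as a plain scalar, so `SECRET_KEY: {{ $.Values.core.config.secretKey }}` renders as `SECRET_KEY:` (YAML null) when the value is unset — the README lists `nil` as its default — and a password or token that happens to look like a number, date or boolean is retyped by the YAML parser. Piping the secret-bearing values through `quote` (e.g. `SECRET_KEY: {{ $.Values.core.config.secretKey | quote }}`, likewise `BOOTSTRAP_TOKEN`, `DB_PASSWORD` and `REDIS_PASSWORD`) keeps them strings, and wrapping the two keys in `required "core.config.secretKey must be set" ...` makes the render fail instead of shipping an empty key. Separately, `DB_USER` reads `$.Values.core.config.db.user` while the README table documents the key as `db.username`; one of the two needs correcting so a user-supplied value is not silently ignored (which one depends on values.yaml, outside this view).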
@@ -0,0 +1,68 @@ +# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复 +NAME: {{ printf "%s-%s" "jms-koko" (randAlphaNum 32 | b64enc) | trunc 31 | trimSuffix "-" }} + +# Jumpserver项目的url, api请求注册会使用 +CORE_HOST: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}} + +# Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal +# 请和jumpserver 配置文件中保持一致,注册完成后可以删除 +BOOTSTRAP_TOKEN: {{ $.Values.core.config.bootstrapToken }} + +# 启动时绑定的ip, 默认 0.0.0.0 +BIND_HOST: 0.0.0.0 + +# 监听的SSH端口号, 默认2222 +SSHD_PORT: {{ $.Values.koko.service.ssh.port }} + +# 监听的HTTP/WS端口号,默认5000 +HTTPD_PORT: {{ $.Values.koko.service.web.port }} + +# 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中, +# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret +# ACCESS_KEY: null + +# ACCESS KEY 保存的地址, 默认注册后会保存到该文件中 +# ACCESS_KEY_FILE: data/keys/.access_key + +# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL] +LOG_LEVEL: {{ $.Values.koko.config.log.level }} + +# SSH连接超时时间 (default 15 seconds) +# SSH_TIMEOUT: 15 + +# 语言 [en,zh] +# LANGUAGE_CODE: zh + +# SFTP的根目录, 可选 /tmp, Home其他自定义目录 +# SFTP_ROOT: /tmp + +# SFTP是否显示隐藏文件 +# SFTP_SHOW_HIDDEN_FILE: false + +# 是否复用和用户后端资产已建立的连接(用户不会复用其他用户的连接) +# REUSE_CONNECTION: true + +# 资产加载策略, 可根据资产规模自行调整. 默认异步加载资产, 异步搜索分页; 如果为all, 则资产全部加载, 本地搜索分页. +# ASSET_LOAD_POLICY: + +# zip压缩的最大额度 (单位: M) +# ZIP_MAX_SIZE: 1024M + +# zip压缩存放的临时目录 /tmp +# ZIP_TMP_PATH: /tmp + +# 向 SSH Client 连接发送心跳的时间间隔 (单位: 秒),默认为30, 0则表示不发送 +# CLIENT_ALIVE_INTERVAL: 30 + +# 向资产发送心跳包的重试次数,默认为3 +# RETRY_ALIVE_COUNT_MAX: 3 + +# 会话共享使用的类型 [local, redis], 默认local +SHARE_ROOM_TYPE: {{ $.Values.lion.config.share_room_type }} + +# Redis配置 +REDIS_HOST: {{ $.Values.core.config.redis.host }} +REDIS_PORT: {{ $.Values.core.config.redis.port }} +REDIS_PASSWORD: {{ $.Values.core.config.redis.password }} +# REDIS_CLUSTERS: +# REDIS_DB_ROOM: diff --git a/configs/jms-lion/config.yml b/configs/jms-lion/config.yml new file mode 100644 index 0000000..02f2038 --- /dev/null 
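Review bot: `SHARE_ROOM_TYPE: {{ $.Values.lion.config.share_room_type }}` in the koko config reads lion's value instead of koko's, and the `REDIS_HOST`/`REDIS_PORT`/`REDIS_PASSWORD` lines read `core.config.redis.*`, although the README documents `koko.config.share_room_type` and `koko.config.redis.*` as the tunables for this component — values set per the README are silently ignored. The straightforward fix is `SHARE_ROOM_TYPE: {{ $.Values.koko.config.share_room_type }}` plus the matching `$.Values.koko.config.redis.*` references (assuming values.yaml defines them, which is outside this view); the `configs/jms-lion/config.yml` hunk has the same `core.config.redis.*` coupling. Note also that `NAME` is built from `randAlphaNum 32`, so it changes on every `helm upgrade`; the comment says the name is what the component registers with core under, so each upgrade presumably registers a fresh terminal identity — a deterministic name derived from the release fullname would avoid that churn.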
+++ b/configs/jms-lion/config.yml @@ -0,0 +1,33 @@ +# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复 +NAME: {{ printf "%s-%s" "jms-lion" (randAlphaNum 32 | b64enc) | trunc 31 | trimSuffix "-" }} + +# Jumpserver项目的url, api请求注册会使用 +CORE_HOST: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}} + +# Bootstrap Token, 预共享秘钥, 用来注册使用的service account和terminal +# 请和jumpserver 配置文件中保持一致,注册完成后可以删除 +BOOTSTRAP_TOKEN: {{ $.Values.core.config.bootstrapToken }} + +# 启动时绑定的ip, 默认 0.0.0.0 +BIND_HOST: 0.0.0.0 + +# 监听的HTTP/WS端口号,默认8081 +HTTPD_PORT: {{ $.Values.lion.service.web.port }} + +# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL] +LOG_LEVEL: {{ $.Values.lion.config.log.level }} + +# Guacamole Server ip, 默认127.0.0.1 +# GUA_HOST: 127.0.0.1 + +# Guacamole Server 端口号,默认4822 +# GUA_PORT: 4822 + +# 会话共享使用的类型 [local, redis], 默认local +SHARE_ROOM_TYPE: {{ $.Values.lion.config.share_room_type }} + +# Redis配置 +REDIS_HOST: {{ $.Values.core.config.redis.host }} +REDIS_PORT: {{ $.Values.core.config.redis.port }} +REDIS_PASSWORD: {{ $.Values.core.config.redis.password }} +# REDIS_DB_ROOM: diff --git a/configs/jms-nginx/nginx.conf b/configs/jms-nginx/nginx.conf new file mode 100644 index 0000000..8335aa1 --- /dev/null +++ b/configs/jms-nginx/nginx.conf 
@@ -0,0 +1,101 @@ +{{- $koko := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-koko" ($.Values.koko.service.web.port | toString) }} +{{- $lion := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-lion" ($.Values.lion.service.web.port | toString) }} +{{- $core := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.web.port | toString) }} +user nginx; +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" "$upstream_addr"'; + + access_log /var/log/nginx/access.log main; + # access_log off; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + # include /etc/nginx/conf.d/*.conf; + + server { + listen {{ $.Values.nginx.service.web.port }}; + server_name _; + + client_max_body_size 4096m; # 录像及文件上传大小限制 + + location /ui/ { + try_files $uri / /index.html; + alias /opt/lina/; + } + location /luna/ { + try_files $uri / /index.html; + alias /opt/luna/; + } + location /media/ { + add_header Content-Encoding gzip; + root /opt/jumpserver/data/; + } + location /static/ { + root /opt/jumpserver/data/; + } + location /koko/ { + proxy_pass {{$koko}}; + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /lion/ { + proxy_pass {{$lion}}; + proxy_buffering off; + proxy_http_version 1.1; + proxy_request_buffering off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
Connection $http_connection; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /ws/ { + proxy_pass {{$core}}; + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /api/ { + proxy_pass {{$core}}; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location /core/ { + proxy_pass {{$core}}; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location / { + rewrite ^/(.*)$ /ui/$1 last; + } + } +} diff --git a/templates/NOTES.txt b/templates/NOTES.txt new file mode 100644 index 0000000..eb0a1c9 --- /dev/null +++ b/templates/NOTES.txt @@ -0,0 +1,11 @@ +1. Get the Jumpserver URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }} +{{- end }} +{{- end }} + +2. Access the Jumpserver SSH server by running these commands: +{{- if eq .Values.koko.service.type "LoadBalancer" }} + ssh -p{{ .Values.koko.service.ssh.port }} admin@{{ .Values.koko.service.loadBalancerIP }} +{{- end }} \ No newline at end of file diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl new file mode 100644 index 0000000..a1dace5 --- /dev/null +++ b/templates/_helpers.tpl 
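Review bot: None of the proxied locations (`/koko/`, `/lion/`, `/ws/`, `/api/`, `/core/`) forward the original request scheme: the upstream only sees `X-Real-IP`, `Host` and `X-Forwarded-For`, so when TLS terminates at the ingress it cannot tell the client connected over HTTPS. Since this nginx listens on plain HTTP itself, `$scheme` would be wrong; relay what the ingress sends with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` next to the existing `proxy_set_header` lines in each block (whether core honours the header depends on its settings, not visible here). The websocket locations also inherit nginx's default 60s `proxy_read_timeout`, so an idle terminal session longer than that is closed unless koko's heartbeat keeps it alive; a longer `proxy_read_timeout` on `/koko/`, `/lion/` and `/ws/` is worth considering.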
@@ -0,0 +1,56 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "jumpserver.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "jumpserver.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "jumpserver.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "jumpserver.labels" -}} +app.kubernetes.io/name: {{ include "jumpserver.name" . }} +helm.sh/chart: {{ include "jumpserver.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "jumpserver.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "jumpserver.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/templates/configmap-core.yaml b/templates/configmap-core.yaml new file mode 100644 index 0000000..5fa8e31 --- /dev/null +++ b/templates/configmap-core.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.core.enabled }} +{{- with .Values.core }} +{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-core" }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ $fullName }} + labels: + {{- include "jumpserver.labels" $ | nindent 4 }} + {{- toYaml .labels | nindent 4 }} +data: +{{- $path := printf "%s/%s/%s" "configs" "jms-core" "config.yml" -}} +{{- tpl (($.Files.Glob $path ).AsConfig) $ | nindent 2 }} +{{- end }} +{{- end }} diff --git a/templates/configmap-koko.yaml b/templates/configmap-koko.yaml new file mode 100644 index 0000000..d14d248 --- /dev/null +++ b/templates/configmap-koko.yaml @@ -0,0 +1,15 @@ +{{- if .Values.koko.enabled }} +{{- with .Values.koko }} +{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-koko" }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ $fullName }} + labels: + {{- include "jumpserver.labels" $ | nindent 4 }} + {{- toYaml .labels | nindent 4 }} +data: +{{- $path := printf "%s/%s/%s" "configs" "jms-koko" "config.yml" -}} +{{- tpl (($.Files.Glob $path ).AsConfig) $ | nindent 2 }} +{{- end }} +{{- end }} diff --git a/templates/configmap-lion.yaml b/templates/configmap-lion.yaml new file mode 100644 index 0000000..2f71a3d --- /dev/null +++ b/templates/configmap-lion.yaml @@ -0,0 +1,15 @@ +{{- if .Values.lion.enabled }} +{{- with .Values.lion }} +{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-lion" }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ $fullName }} + labels: + {{- include "jumpserver.labels" $ | nindent 4 }} + {{- toYaml .labels | nindent 4 }} +data: +{{- $path := printf "%s/%s/%s" "configs" "jms-lion" "config.yml" -}} +{{- tpl (($.Files.Glob $path ).AsConfig) $ | nindent 2 }} +{{- end }} +{{- end }} diff --git a/templates/configmap-nginx.yaml b/templates/configmap-nginx.yaml new file mode 100644 index 0000000..06ba8e9 --- /dev/null +++ b/templates/configmap-nginx.yaml 
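Review bot: This ConfigMap carries the rendered `configs/jms-core/config.yml`, which embeds `SECRET_KEY`, `BOOTSTRAP_TOKEN`, `DB_PASSWORD` and `REDIS_PASSWORD`, so the credentials land in a plain ConfigMap readable by anyone with `get configmaps` in the namespace and shown in full by `helm get manifest`. Rendering the same content as `kind: Secret` with `stringData:` in place of `data:` (and switching the deployment's `configMap:` volume to a `secret:` volume with the same `subPath`) keeps the mount layout while putting the credentials under Secret RBAC and at-rest encryption where the cluster enables it. The `configmap-koko.yaml` and `configmap-lion.yaml` hunks embed `BOOTSTRAP_TOKEN` and `REDIS_PASSWORD` the same way.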
@@ -0,0 +1,15 @@ +{{- if .Values.nginx.enabled }} +{{- with .Values.nginx }} +{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ $fullName }} + labels: + {{- include "jumpserver.labels" $ | nindent 4 }} + {{- toYaml .labels | nindent 4 }} +data: +{{- $path := printf "%s/%s/%s" "configs" "jms-nginx" "nginx.conf" -}} +{{- tpl (($.Files.Glob $path ).AsConfig) $ | nindent 2 }} +{{- end }} +{{- end }} diff --git a/templates/deployment-celery.yaml b/templates/deployment-celery.yaml new file mode 100644 index 0000000..01781f3 --- /dev/null +++ b/templates/deployment-celery.yaml 
@@ -0,0 +1,96 @@ +{{- if .Values.core.enabled }} +{{- with .Values.core }} +{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-celery" }} +{{- $containerName := "jms-celery" }} +{{- $image := printf "%s:%s" .image.repository .image.tag }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullName }} + labels: + app.jumpserver.org/name: {{ $containerName }} +spec: + replicas: {{ .replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "jumpserver.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name }} + {{- toYaml .labels | nindent 6 }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "jumpserver.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name }} + {{- toYaml .labels | nindent 8 }} + spec: + serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + containers: + - name: {{ $containerName }} + securityContext: + {{- toYaml .securityContext | nindent 12 }} + image: "{{$image}}" + imagePullPolicy: {{ .image.pullPolicy }} + {{- with .command }} + command: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + args: ["start", "task"] + env: + - name: "DB_HOST" + value: "{{.config.db.host}}" + - name: "DB_PORT" + value: "{{.config.db.port}}" + - name: "REDIS_HOST" + value: "{{.config.redis.host}}" + - name: "REDIS_PORT" + value: "{{.config.redis.port}}" + {{- with .env }} + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + livenessProbe: + exec: + command: + - /opt/py3/bin/python /opt/jumpserver/apps/manage.py check_celery + resources: + {{- toYaml .resources | nindent 12 }} + volumeMounts: + - mountPath: "/opt/jumpserver/config.yml" + name: "jms-core-config" + subPath: "config.yml" + - mountPath: "/opt/jumpserver/data" + name: "jms-core-data" + - mountPath: "/opt/jumpserver/logs" + name: "jms-core-logs" + {{- with .volumeMounts }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + restartPolicy: Always + volumes: + - configMap: + name: '{{include "jumpserver.fullname" $}}-jms-core' + name: "jms-core-config" + - persistentVolumeClaim: + claimName: '{{include "jumpserver.fullname" $}}-jms-core-data' + name: "jms-core-data" + - persistentVolumeClaim: + claimName: '{{include "jumpserver.fullname" $}}-jms-core-logs' + name: "jms-core-logs" + {{- with .volumes }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/templates/deployment-core.yaml b/templates/deployment-core.yaml new file mode 100644 index 0000000..0c8980f --- /dev/null +++ b/templates/deployment-core.yaml 
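Review bot: The livenessProbe's `exec.command` is a single list item, `/opt/py3/bin/python /opt/jumpserver/apps/manage.py check_celery`; exec probes run the items as an argv without a shell, so the kubelet looks for a binary whose name contains the spaces, the probe fails every time and the container is restarted in a loop. Split it into `- /opt/py3/bin/python`, `- /opt/jumpserver/apps/manage.py`, `- check_celery`. Separately, this Deployment's `matchLabels` and pod labels (`app.kubernetes.io/name`, `app.kubernetes.io/instance` plus `.labels`) are identical to those in the `deployment-core.yaml` hunk, so the two selectors overlap and any Service selecting core pods by those labels (the service templates are outside this view) would presumably also route web traffic to celery pods that listen on nothing; adding `app.kubernetes.io/component: celery` to both `matchLabels` and the template labels here (and a `core` counterpart on the core deployment) separates them. The `metadata.labels` here also carry only `app.jumpserver.org/name`, unlike the other deployments, which include the common `jumpserver.labels`.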
@@ -0,0 +1,104 @@ +{{- if .Values.core.enabled }} +{{- with .Values.core }} +{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-core" }} +{{- $containerName := "jms-core" }} +{{- $image := printf "%s:%s" .image.repository .image.tag }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullName }} + labels: + {{- include "jumpserver.labels" $ | nindent 4 }} + {{- toYaml .labels | nindent 4 }} +spec: + replicas: {{ .replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "jumpserver.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name }} + {{- toYaml .labels | nindent 6 }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "jumpserver.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name }} + {{- toYaml .labels | nindent 8 }} + spec: + serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + containers: + - name: {{ $containerName }} + securityContext: + {{- toYaml .securityContext | nindent 12 }} + image: "{{$image}}" + imagePullPolicy: {{ .image.pullPolicy }} + {{- with .command }} + command: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + args: ["start", "web"] + env: + - name: "DB_HOST" + value: "{{.config.db.host}}" + - name: "DB_PORT" + value: "{{.config.db.port}}" + - name: "REDIS_HOST" + value: "{{.config.redis.host}}" + - name: "REDIS_PORT" + value: "{{.config.redis.port}}" + {{- with .env }} + {{- tpl (toYaml .) 
$ | nindent 12 }} + {{- end }} + ports: + - name: web + containerPort: {{ .service.web.port }} + protocol: TCP + - name: ws + containerPort: {{ .service.ws.port }} + protocol: TCP + livenessProbe: + {{- toYaml .livenessProbe | nindent 12}} + readinessProbe: + {{- toYaml .readinessProbe | nindent 12}} + resources: + {{- toYaml .resources | nindent 12 }} + volumeMounts: + - mountPath: "/opt/jumpserver/config.yml" + name: "jms-core-config" + subPath: "config.yml" + - mountPath: "/opt/jumpserver/data" + name: "jms-core-data" + - mountPath: "/opt/jumpserver/logs" + name: "jms-core-logs" + {{- with .volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + restartPolicy: Always + volumes: + - configMap: + name: '{{include "jumpserver.fullname" $}}-jms-core' + name: "jms-core-config" + - persistentVolumeClaim: + claimName: '{{include "jumpserver.fullname" $}}-jms-core-data' + name: "jms-core-data" + - persistentVolumeClaim: + claimName: '{{include "jumpserver.fullname" $}}-jms-core-logs' + name: "jms-core-logs" + {{- with .volumes }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/templates/deployment-koko.yaml b/templates/deployment-koko.yaml new file mode 100644 index 0000000..be27326 --- /dev/null +++ b/templates/deployment-koko.yaml 
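Review bot: Nothing ties this pod template to the content of the `jms-core` ConfigMap, so a `helm upgrade` that only changes `core.config.*` rewrites the ConfigMap but leaves the running pods on the old `config.yml` (the file is mounted via `subPath`, which also prevents the kubelet from updating it in place). The usual fix is a rollout-triggering annotation under `template.metadata`, e.g. `annotations:` with `checksum/config: {{ include (print $.Template.BasePath "/configmap-core.yaml") $ | sha256sum }}`. The `deployment-celery.yaml`, `deployment-koko.yaml` and `deployment-lion.yaml` hunks mount their ConfigMaps the same way and need the same annotation.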
@@ -0,0 +1,96 @@ +{{- if .Values.koko.enabled }} +{{- with .Values.koko }} +{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-koko" }} +{{- $containerName := "jms-koko" }} +{{- $image := printf "%s:%s" .image.repository .image.tag }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullName }} + labels: + {{- include "jumpserver.labels" $ | nindent 4 }} + {{- toYaml .labels | nindent 4 }} +spec: + replicas: {{ .replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "jumpserver.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name }} + {{- toYaml .labels | nindent 6 }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "jumpserver.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name }} + {{- toYaml .labels | nindent 8 }} + spec: + serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + containers: + - name: {{ $containerName }} + securityContext: + {{- toYaml .securityContext | nindent 12 }} + image: "{{$image}}" + imagePullPolicy: {{ .image.pullPolicy }} + {{- with .command }} + command: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + env: + - name: CORE_HOST + value: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}} + - name: "REDIS_HOST" + value: "{{.config.redis.host}}" + - name: "REDIS_PORT" + value: "{{.config.redis.port}}" + {{- with .env }} + {{- tpl (toYaml .) 
$ | nindent 12 }} + {{- end }} + ports: + - name: web + containerPort: {{ .service.web.port }} + protocol: TCP + - name: ssh + containerPort: {{ .service.ssh.port }} + protocol: TCP + livenessProbe: + {{- toYaml .livenessProbe | nindent 12}} + readinessProbe: + {{- toYaml .readinessProbe | nindent 12}} + resources: + {{- toYaml .resources | nindent 12 }} + volumeMounts: + - mountPath: "/opt/koko/config.yml" + name: "jms-koko-config" + subPath: "config.yml" + - mountPath: "/opt/koko/data" + name: "jms-koko-data" + {{- with .volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + restartPolicy: Always + volumes: + - configMap: + name: '{{include "jumpserver.fullname" $}}-jms-koko' + name: "jms-koko-config" + - persistentVolumeClaim: + claimName: '{{include "jumpserver.fullname" $}}-jms-koko-data' + name: "jms-koko-data" + {{- with .volumes }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/templates/deployment-lion.yaml b/templates/deployment-lion.yaml new file mode 100644 index 0000000..759ae6c --- /dev/null +++ b/templates/deployment-lion.yaml 
@@ -0,0 +1,93 @@
+{{- if .Values.lion.enabled }}
+{{- with .Values.lion }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-lion" }}
+{{- $containerName := "jms-lion" }}
+{{- $image := printf "%s:%s" .image.repository .image.tag }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+spec:
+ replicas: {{ .replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 8 }}
+ spec:
+ serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }}
+ securityContext:
+ {{- toYaml .podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ $containerName }}
+ securityContext:
+ {{- toYaml .securityContext | nindent 12 }}
+ image: "{{$image}}"
+ imagePullPolicy: {{ .image.pullPolicy }}
+ {{- with .command }}
+ command:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ env:
+ - name: CORE_HOST
+ value: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}}
+ - name: "REDIS_HOST"
+ value: "{{.config.redis.host}}"
+ - name: "REDIS_PORT"
+ value: "{{.config.redis.port}}"
+ {{- with .env }}
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: web
+ containerPort: {{ .service.web.port }}
+ protocol: TCP
+ livenessProbe:
+ {{- toYaml .livenessProbe | nindent 12}}
+ readinessProbe:
+ {{- toYaml .readinessProbe | nindent 12}}
+ resources:
+ {{- toYaml .resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: "/opt/lion/config.yml"
+ name: "jms-lion-config"
+ subPath: "config.yml"
+ - mountPath: "/opt/lion/data"
+ name: "jms-lion-data"
+ {{- with .volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ restartPolicy: Always
+ volumes:
+ - configMap:
+ name: '{{include "jumpserver.fullname" $}}-jms-lion'
+ name: "jms-lion-config"
+ - persistentVolumeClaim:
+ claimName: '{{include "jumpserver.fullname" $}}-jms-lion-data'
+ name: "jms-lion-data"
+ {{- with .volumes }}
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/deployment-nginx.yaml b/templates/deployment-nginx.yaml
new file mode 100644
index 0000000..b5589a3
--- /dev/null
+++ b/templates/deployment-nginx.yaml
@@ -0,0 +1,92 @@
+{{- if .Values.nginx.enabled }}
+{{- with .Values.nginx }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }}
+{{- $containerName := "jms-nginx" }}
+{{- $image := printf "%s:%s" .image.repository .image.tag }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+spec:
+ replicas: {{ .replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 8 }}
+ spec:
+ serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }}
+ securityContext:
+ {{- toYaml .podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ $containerName }}
+ securityContext:
+ {{- toYaml .securityContext | nindent 12 }}
+ image: "{{$image}}"
+ imagePullPolicy: {{ .image.pullPolicy }}
+ {{- with .command }}
+ command:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- with .env }}
+ env:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: web
+ containerPort: {{ .service.web.port }}
+ protocol: TCP
+ livenessProbe:
+ {{- toYaml .livenessProbe | nindent 12}}
+ readinessProbe:
+ {{- toYaml .readinessProbe | nindent 12}}
+ resources:
+ {{- toYaml .resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: "/etc/nginx/nginx.conf"
+ name: "jms-nginx-config"
+ subPath: "nginx.conf"
+ - mountPath: "/opt/jumpserver/data"
+ name: "jms-core-data"
+ - mountPath: "/var/log/nginx"
+ name: "jms-nginx-logs"
+ {{- with .volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ restartPolicy: Always
+ volumes:
+ - configMap:
+ name: '{{include "jumpserver.fullname" $}}-jms-nginx'
+ name: "jms-nginx-config"
+ - persistentVolumeClaim:
+ claimName: '{{include "jumpserver.fullname" $}}-jms-core-data'
+ name: "jms-core-data"
+ - persistentVolumeClaim:
+ claimName: '{{include "jumpserver.fullname" $}}-jms-nginx-logs'
+ name: "jms-nginx-logs"
+ {{- with .volumes }}
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
new file mode 100644
index 0000000..ed0762b
--- /dev/null
+++ b/templates/ingress.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.ingress.enabled }}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ include "jumpserver.fullname" . }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ . }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: '{{printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx"}}'
+ servicePort: web
+ {{- end }}
+{{- end }}
diff --git a/templates/pvc-core-data.yaml b/templates/pvc-core-data.yaml
new file mode 100644
index 0000000..0ccb3ce
--- /dev/null
+++ b/templates/pvc-core-data.yaml
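Review bot: The `jms-core-data` claim is mounted at `/opt/jumpserver/data` without `readOnly: true`, so the internet-facing nginx container has write access to the core application's data volume; if nginx only serves static and media files from it, which the mount path suggests, add `readOnly: true` to that `volumeMounts` entry so a compromise of the proxy cannot alter core data. That claim is presumably also mounted by the core Deployment, which is why the values default to `ReadWriteMany`; a one-line comment on the volume entry such as `# shared with the core pods, needs a ReadWriteMany class` would keep the next maintainer from switching the access mode.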
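Review bot: The version switch on the second line only chooses between `extensions/v1beta1` and `networking.k8s.io/v1beta1`; both are removed in Kubernetes 1.22, and `networking.k8s.io/v1` (available since 1.19) requires `pathType` and the `service.name`/`service.port.name` backend shape, so this template stops rendering a valid object on current clusters. Adding a `.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress"` branch with the v1 rules block, as below, keeps the older fallbacks intact. `- host: {{ . }}` also emits the host unquoted while the TLS hosts above it use `| quote`; use `{{ . | quote }}` for consistency and to survive hosts that YAML would otherwise retype.

```yaml
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
# … unchanged: kind, metadata, tls …
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /
            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
            pathType: Prefix
            backend:
              service:
                name: '{{ printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }}'
                port:
                  name: web
            {{- else }}
            backend:
              serviceName: '{{ printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }}'
              servicePort: web
            {{- end }}
    {{- end }}
```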
@@ -0,0 +1,29 @@
+{{- if .Values.core.enabled }}
+{{- with .Values.core }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-core-data" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+ {{- with .persistence.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- with .persistence.finalizers }}
+ finalizers:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .persistence.size | quote }}
+ storageClassName: {{ .persistence.storageClassName }}
+{{- end }}
+{{- end }}
diff --git a/templates/pvc-core-logs.yaml b/templates/pvc-core-logs.yaml
new file mode 100644
index 0000000..a5e5807
--- /dev/null
+++ b/templates/pvc-core-logs.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.core.enabled }}
+{{- with .Values.core }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-core-logs" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+ {{- with .persistence.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- with .persistence.finalizers }}
+ finalizers:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .persistence.size | quote }}
+ storageClassName: {{ .persistence.storageClassName }}
+{{- end }}
+{{- end }}
diff --git a/templates/pvc-koko-data.yaml b/templates/pvc-koko-data.yaml
new file mode 100644
index 0000000..d643ac7
--- /dev/null
+++ b/templates/pvc-koko-data.yaml
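Review bot: The claim holding the core application data is owned by the release, so `helm uninstall` (or a renamed release) deletes it and the data with it; unless that is intended, render `helm.sh/resource-policy: keep` into the annotations, or at least document that value in the commented `persistence.annotations` example in values.yaml. The same applies to the core-logs claim in the second hunk on this line and to the koko, lion and nginx claims in the following hunks. Of the `persistence` keys in values.yaml only `annotations`, `finalizers`, `accessModes`, `size` and `storageClassName` are read by this template; `type`, `storageClass` and the commented `subPath`/`existingClaim` are dead and should be removed or implemented. The default `storageClassName: jumpserver-data` reads like a volume name rather than a StorageClass name, which is worth confirming against the target cluster.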
@@ -0,0 +1,29 @@
+{{- if .Values.koko.enabled }}
+{{- with .Values.koko }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-koko-data" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+ {{- with .persistence.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- with .persistence.finalizers }}
+ finalizers:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .persistence.size | quote }}
+ storageClassName: {{ .persistence.storageClassName }}
+{{- end }}
+{{- end }}
diff --git a/templates/pvc-lion-data.yaml b/templates/pvc-lion-data.yaml
new file mode 100644
index 0000000..325b4ea
--- /dev/null
+++ b/templates/pvc-lion-data.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.lion.enabled }}
+{{- with .Values.lion }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-lion-data" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+ {{- with .persistence.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- with .persistence.finalizers }}
+ finalizers:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .persistence.size | quote }}
+ storageClassName: {{ .persistence.storageClassName }}
+{{- end }}
+{{- end }}
diff --git a/templates/pvc-nginx-logs.yaml b/templates/pvc-nginx-logs.yaml
new file mode 100644
index 0000000..dba700b
--- /dev/null
+++ b/templates/pvc-nginx-logs.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.nginx.enabled }}
+{{- with .Values.nginx }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx-logs" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+ {{- with .persistence.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- with .persistence.finalizers }}
+ finalizers:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .persistence.size | quote }}
+ storageClassName: {{ .persistence.storageClassName }}
+{{- end }}
+{{- end }}
diff --git a/templates/service-core.yaml b/templates/service-core.yaml
new file mode 100644
index 0000000..402ae9b
--- /dev/null
+++ b/templates/service-core.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.core.enabled }}
+{{- with .Values.core }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-core" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+spec:
+ type: {{ .service.type }}
+ ports:
+ - port: {{ .service.web.port }}
+ targetPort: web
+ protocol: TCP
+ name: web
+ - port: {{ .service.ws.port }}
+ targetPort: ws
+ protocol: TCP
+ name: ws
+ selector:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/service-koko.yaml b/templates/service-koko.yaml
new file mode 100644
index 0000000..1de8964
--- /dev/null
+++ b/templates/service-koko.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.koko.enabled }}
+{{- with .Values.koko }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-koko" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+ annotations:
+ {{- toYaml .service.annotations | nindent 4 }}
+spec:
+ type: {{ .service.type }}
+ ports:
+ - port: {{ .service.web.port }}
+ targetPort: web
+ protocol: TCP
+ name: web
+ - port: {{ .service.ssh.port }}
+ targetPort: ssh
+ protocol: TCP
+ name: ssh
+ selector:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/service-lion.yaml b/templates/service-lion.yaml
new file mode 100644
index 0000000..685f1c6
--- /dev/null
+++ b/templates/service-lion.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.lion.enabled }}
+{{- with .Values.lion }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-lion" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+spec:
+ type: {{ .service.type }}
+ ports:
+ - port: {{ .service.web.port }}
+ targetPort: web
+ protocol: TCP
+ name: web
+ selector:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/service-nginx.yaml b/templates/service-nginx.yaml
new file mode 100644
index 0000000..76ef85b
--- /dev/null
+++ b/templates/service-nginx.yaml
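Review bot: `annotations:` is emitted unconditionally, and `koko.service` in values.yaml has no `annotations` key, so `toYaml` of the missing value renders `annotations: null` on every install; wrap the two lines in `{{- with .service.annotations }}` … `{{- end }}` as the other templates do for optional blocks, and add `annotations: {}` under `koko.service` in values.yaml. The core, lion and nginx Service templates expose no annotations hook at all, so the four files are inconsistent; either all of them or none should offer it. Whether the koko SSH port is meant to be reachable from outside the cluster is also unclear from the `ClusterIP` default plus an Ingress that only routes HTTP to nginx; a comment on `service.type` in values.yaml stating the intended exposure would help.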
@@ -0,0 +1,23 @@
+{{- if .Values.nginx.enabled }}
+{{- with .Values.nginx }}
+{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "jumpserver.labels" $ | nindent 4 }}
+ {{- toYaml .labels | nindent 4 }}
+spec:
+ type: {{ .service.type }}
+ ports:
+ - port: {{ .service.web.port }}
+ targetPort: web
+ protocol: TCP
+ name: web
+ selector:
+ app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ {{- toYaml .labels | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/serviceaccount.yaml b/templates/serviceaccount.yaml
new file mode 100644
index 0000000..6d590bd
--- /dev/null
+++ b/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "jumpserver.serviceAccountName" . }}
+ labels:
+ {{- include "jumpserver.labels" . | nindent 4 }}
+imagePullSecrets:
+ {{- toYaml .Values.serviceAccount.imagePullSecrets | nindent 2 }}
+{{- end -}}
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 0000000..39bab07
--- /dev/null
+++ b/values.yaml
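Review bot: With `serviceAccount.create: false` as the values default, every Deployment in this chart runs under whatever `jumpserver.serviceAccountName` resolves to (presumably the namespace's `default` account), and nothing here sets `automountServiceAccountToken: false`, so each pod receives a Kubernetes API token that none of the visible containers appears to need. Add `automountServiceAccountToken: false` at the top level of this ServiceAccount (or in each pod `spec`), ideally driven by a new boolean in values.yaml, and consider defaulting `create` to `true` so the chart does not depend on the namespace's default account. `imagePullSecrets` is also emitted unconditionally and renders `imagePullSecrets: []` with the default values, which is harmless but worth a `{{- with }}` guard for consistency with the rest of the templates.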
@@ -0,0 +1,394 @@
+# Default values for jumpserver.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: false
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+ imagePullSecrets: []
+ # - name: yourImagePullSecret
+
+ingress:
+ enabled: true
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ compute-full-forwarded-for: "true"
+ use-forwarded-headers: "true"
+ hosts:
+ - "test.jumpserver.org"
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+core:
+ enabled: true
+
+ labels:
+ app.jumpserver.org/name: jms-core
+
+ config:
+ # Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
+ secretKey: ""
+ # Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
+ bootstrapToken: ""
+ # Enabled it for debug
+ debug: false
+ log:
+ level: ERROR
+ # Fill it with your mysql config
+ db:
+ engine: mysql
+ host: ""
+ port: 3306
+ user: jumpserver
+ password: ""
+ name: jumpserver
+ # Fill it with your redis config
+ redis:
+ host: ""
+ port: 6379
+ password: ""
+
+ replicaCount: 1
+
+ image:
+ repository: docker.io/jumpserver/jms_core
+ tag: v2.10.3
+ pullPolicy: IfNotPresent
+
+ command: []
+
+ env: []
+
+ livenessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /api/health/
+ port: web
+
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /api/health/
+ port: web
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+ service:
+ type: ClusterIP
+ web:
+ port: 8080
+ ws:
+ port: 8070
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 1000m
+ # memory: 2048Mi
+ # requests:
+ # cpu: 500m
+ # memory: 1024Mi
+
+ persistence:
+ type: pvc
+ storageClass: nfs
+ storageClassName: jumpserver-data
+ accessModes:
+ - ReadWriteMany
+ size: 10Gi
+ # annotations: {}
+ finalizers:
+ - kubernetes.io/pvc-protection
+ # subPath: ""
+ # existingClaim:
+
+ volumeMounts: []
+
+ volumes: []
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+koko:
+ enabled: true
+
+ labels:
+ app.jumpserver.org/name: jms-koko
+
+ config:
+ log:
+ level: ERROR
+ share_room_type: redis
+ redis:
+ host: ""
+ port: 6379
+ password: ""
+
+ replicaCount: 1
+
+ image:
+ repository: docker.io/jumpserver/jms_koko
+ tag: v2.10.3
+ pullPolicy: IfNotPresent
+
+ command: []
+
+ env: []
+
+ livenessProbe:
+ failureThreshold: 30
+ tcpSocket:
+ port: web
+
+ readinessProbe:
+ failureThreshold: 30
+ tcpSocket:
+ port: web
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+ service:
+ type: ClusterIP
+ web:
+ port: 5000
+ ssh:
+ port: 2222
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ persistence:
+ type: pvc
+ storageClass: nfs
+ storageClassName: jumpserver-data
+ accessModes:
+ - ReadWriteMany
+ size: 10Gi
+ # annotations: {}
+ finalizers:
+ - kubernetes.io/pvc-protection
+
+ volumeMounts: []
+
+ volumes: []
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+lion:
+ enabled: true
+
+ labels:
+ app.jumpserver.org/name: jms-lion
+
+ config:
+ log:
+ level: ERROR
+ share_room_type: redis
+ redis:
+ host: ""
+ port: 6379
+ password: ""
+
+ replicaCount: 1
+
+ image:
+ repository: docker.io/jumpserver/jms_lion
+ tag: v2.10.3
+ pullPolicy: IfNotPresent
+
+ command: []
+
+ env: []
+
+ livenessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /lion/health/
+ port: web
+
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /lion/health/
+ port: web
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+ service:
+ type: ClusterIP
+ web:
+ port: 8081
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 512Mi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ persistence:
+ type: pvc
+ storageClass: nfs
+ storageClassName: jumpserver-data
+ accessModes:
+ - ReadWriteMany
+ size: 10Gi
+ # annotations: {}
+ finalizers:
+ - kubernetes.io/pvc-protection
+
+ volumeMounts: []
+
+ volumes: []
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+nginx:
+ enabled: true
+
+ labels:
+ app.jumpserver.org/name: jms-nginx
+
+ replicaCount: 1
+
+ image:
+ repository: docker.io/jumpserver/jms_nginx
+ tag: v2.10.3
+ pullPolicy: IfNotPresent
+
+ command: []
+
+ env: []
+
+ livenessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /api/health/
+ port: web
+
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /api/health/
+ port: web
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+ service:
+ type: ClusterIP
+ web:
+ port: 80
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ persistence:
+ type: pvc
+ storageClass: nfs
+ storageClassName: jumpserver-data
+ accessModes:
+ - ReadWriteMany
+ size: 1Gi
+ # annotations: {}
+ finalizers:
+ - kubernetes.io/pvc-protection
+
+ volumeMounts: []
+
+ volumes: []
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+ ## PodSecurityPolicy configuration
+ ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ##
+ podSecurityPolicy:
+ ## Specifies whether a PodSecurityPolicy should be created
+ ##
+ create: false
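Review bot: `core.config.secretKey`, `core.config.bootstrapToken`, `core.config.db.password` and the three `redis.password` keys all default to `""`, so an install with untouched values silently deploys a bastion with empty credentials; the config templates that consume them are not in this hunk, so whether they already fail on empty values is not visible, but they should use `required`, and an `existingSecret` reference would be preferable to plaintext passwords in a values file that typically ends up in version control. `ingress.annotations` sets `compute-full-forwarded-for` and `use-forwarded-headers` as bare annotation keys, yet these appear to be ingress-nginx controller ConfigMap options rather than per-Ingress annotations, so as written they are inert; drop them or replace them with the intended `nginx.ingress.kubernetes.io/…` annotations, and reconsider leaving `kubernetes.io/ingress.class` commented out while `ingress.enabled` defaults to `true` with a concrete hostname. `nginx.podSecurityPolicy.create` at the end of the file has no corresponding template in this commit, and `persistence.type`/`persistence.storageClass` are not read by any PVC template, so they are dead configuration that will confuse users. All four `securityContext: {}` defaults leave the containers at the image's default user; once the images are confirmed to run unprivileged, the commented `runAsNonRoot`/`readOnlyRootFilesystem`/`drop: [ALL]` block should become the default rather than an example.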