github/jumpserver-charts
1
0
Fork 0
mirror of https://github.com/jumpserver/helm-charts.git synced 2025-08-22 00:43:03 +00:00
Code Issues Projects Releases Wiki Activity

feat: 更新 v2.13.1

Browse Source
This commit is contained in:
wojiushixiaobai 2021-08-21 22:51:05 +08:00
parent cfce94eef6
commit a386b10a39
27 changed files with 668 additions and 387 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
README.md
View File

@ -62,12 +62,13 @@ $ helm delete my-release
| `core.enabled` | 开启 core | `true` |
| `koko.enabled` | 开启 koko | `true` |
| `lion.enabled` | 开启 lion | `true` |
| `nginx.enabled` | 开启 nginx | `true` |
| `web.enabled` | 开启 web | `true` |
| `xpack.enable` | 开启 xpack | `false` |
### core.config
### core
| 参数 | 描述 | 默认值 |
| ---------------- | ----------------------------------------------------------------------- | --------------------- |
| ---------------- | ---------------------------------------------------------------------- | ---------------------- |
| `secretKey` | 加密秘钥 生产环境中请修改为随机字符串,请勿外泄, 可使用命令生成 | `nil` |
| `bootstrapToken` | 预共享Token coco和guacamole用来注册服务账号不在使用原来的注册接受机制 | `nil` |
| `debug` | 开启 debug 模式 | `false` |
@ -85,28 +86,11 @@ $ helm delete my-release
| `tag` | 版本号 | `nil` |
| `persistence` | 持久化存储相关设置 | `nil` |
### koko.config
### 其他组件
| 参数 | 描述 | 默认值 |
| --------------------- | --------------------------------------------------------- | ------- |
| `log.level` | 日志等级 | `INFO` |
| `share_room_type` | 会话共享 | `redis` |
| `redis.host` | redis 地址 | `nil` |
| `redis.port` | redis 端口 | `6379` |
| `redis.password` | redis 密码 | `nil` |
| `replicaCount` | 副本数量 | `1` |
| `tag` | 版本号 | `nil` |
| `persistence` | 持久化存储相关设置 | `nil` |
### lion.config
| 参数 | 描述 | 默认值 |
| --------------------- | --------------------------------------------------------- | ------- |
| `log.level` | 日志等级 | `INFO` |
| `share_room_type` | 会话共享 | `redis` |
| `redis.host` | redis 地址 | `nil` |
| `redis.port` | redis 端口 | `6379` |
| `redis.password` | redis 密码 | `nil` |
| `replicaCount` | 副本数量 | `1` |
| `tag` | 版本号 | `nil` |
| `persistence` | 持久化存储相关设置 | `nil` |
@ -127,7 +111,7 @@ $ helm install my-release \
$ helm install my-release -f values.yaml ./jumpserver
```
> **注**: 默认使用 [values.yaml](values.yaml)
**注**: 默认使用 [values.yaml](values.yaml)
## 鸣谢说明

110
configs/jms-core/config.yml
View File

@ -1,110 +0,0 @@
# SECURITY WARNING: keep the secret key used in production secret!
# 加密秘钥 生产环境中请修改为随机字符串,请勿外泄, 可使用命令生成
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: {{ $.Values.core.config.secretKey }}
# SECURITY WARNING: keep the bootstrap token used in production secret!
# 预共享Token coco和guacamole用来注册服务账号不在使用原来的注册接受机制
BOOTSTRAP_TOKEN: {{ $.Values.core.config.bootstrapToken }}
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
DEBUG: {{ $.Values.core.config.debug }}
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# 日志级别
LOG_LEVEL: {{ $.Values.core.config.log.level }}
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# 浏览器Session过期时间默认24小时, 也可以设置浏览器关闭则过期
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# 数据库设置
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# 使用单文件sqlite数据库
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# 使用Mysql作为数据库
DB_ENGINE: {{ $.Values.core.config.db.engine }}
DB_HOST: {{ $.Values.core.config.db.host }}
DB_PORT: {{ $.Values.core.config.db.port }}
DB_USER: {{ $.Values.core.config.db.user }}
DB_PASSWORD: {{ $.Values.core.config.db.password }}
DB_NAME: {{ $.Values.core.config.db.name }}
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 运行时绑定端口
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: {{ $.Values.core.service.web.port }}
WS_LISTEN_PORT: {{ $.Values.core.service.ws.port }}
# Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST: {{ $.Values.core.config.redis.host }}
REDIS_PORT: {{ $.Values.core.config.redis.port }}
REDIS_PASSWORD: {{ $.Values.core.config.redis.password }}
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# 使用OpenID 来进行认证设置
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_SHARE_SESSION: True
#
# Use Radius authorization
# 使用Radius来认证
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET:
# LDAP/AD settings
# LDAP 搜索分页数量
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# 定时同步用户
# 启用 / 禁用
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# 同步间隔 (单位: 时) (优先)
# AUTH_LDAP_SYNC_INTERVAL: 12
# Crontab 表达式
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# LDAP 认证时如果日志中出现以下信息将参数设置为 0 (详情参见https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1
# OTP settings
# OTP/MFA 配置
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
# Perm show single asset to ungrouped node
# 是否把未授权节点资产放入到 未分组 节点中
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false
#
# 启用定时任务
# PERIOD_TASK_ENABLE: True
#
# 启用二次复合认证配置
# LOGIN_CONFIRM_ENABLE: False
#
# Windows 登录跳过手动输入密码
# WINDOWS_SKIP_ALL_MANUAL_PASSWORD: False

68
configs/jms-koko/config.yml
View File

@ -1,68 +0,0 @@
# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
NAME: {{ printf "%s-%s" "jms-koko" (randAlphaNum 32 | b64enc) | trunc 31 | trimSuffix "-" }}
# Jumpserver项目的url, api请求注册会使用
CORE_HOST: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}}
# Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
# 请和jumpserver 配置文件中保持一致,注册完成后可以删除
BOOTSTRAP_TOKEN: {{ $.Values.core.config.bootstrapToken }}
# 启动时绑定的ip, 默认 0.0.0.0
BIND_HOST: 0.0.0.0
# 监听的SSH端口号, 默认2222
SSHD_PORT: {{ $.Values.koko.service.ssh.port }}
# 监听的HTTP/WS端口号默认5000
HTTPD_PORT: {{ $.Values.koko.service.web.port }}
# 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY: null
# ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
# ACCESS_KEY_FILE: data/keys/.access_key
# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: {{ $.Values.koko.config.log.level }}
# SSH连接超时时间 (default 15 seconds)
# SSH_TIMEOUT: 15
# 语言 [en,zh]
# LANGUAGE_CODE: zh
# SFTP的根目录, 可选 /tmp, Home其他自定义目录
# SFTP_ROOT: /tmp
# SFTP是否显示隐藏文件
# SFTP_SHOW_HIDDEN_FILE: false
# 是否复用和用户后端资产已建立的连接(用户不会复用其他用户的连接)
# REUSE_CONNECTION: true
# 资产加载策略, 可根据资产规模自行调整. 默认异步加载资产, 异步搜索分页; 如果为all, 则资产全部加载, 本地搜索分页.
# ASSET_LOAD_POLICY:
# zip压缩的最大额度 (单位: M)
# ZIP_MAX_SIZE: 1024M
# zip压缩存放的临时目录 /tmp
# ZIP_TMP_PATH: /tmp
# 向 SSH Client 连接发送心跳的时间间隔 (单位: 秒)默认为30, 0则表示不发送
# CLIENT_ALIVE_INTERVAL: 30
# 向资产发送心跳包的重试次数默认为3
# RETRY_ALIVE_COUNT_MAX: 3
# 会话共享使用的类型 [local, redis], 默认local
SHARE_ROOM_TYPE: {{ $.Values.lion.config.share_room_type }}
# Redis配置
REDIS_HOST: {{ $.Values.core.config.redis.host }}
REDIS_PORT: {{ $.Values.core.config.redis.port }}
REDIS_PASSWORD: {{ $.Values.core.config.redis.password }}
# REDIS_CLUSTERS:
# REDIS_DB_ROOM:

33
configs/jms-lion/config.yml
View File

@ -1,33 +0,0 @@
# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
NAME: {{ printf "%s-%s" "jms-lion" (randAlphaNum 32 | b64enc) | trunc 31 | trimSuffix "-" }}
# Jumpserver项目的url, api请求注册会使用
CORE_HOST: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}}
# Bootstrap Token, 预共享秘钥, 用来注册使用的service account和terminal
# 请和jumpserver 配置文件中保持一致,注册完成后可以删除
BOOTSTRAP_TOKEN: {{ $.Values.core.config.bootstrapToken }}
# 启动时绑定的ip, 默认 0.0.0.0
BIND_HOST: 0.0.0.0
# 监听的HTTP/WS端口号默认8081
HTTPD_PORT: {{ $.Values.lion.service.web.port }}
# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: {{ $.Values.lion.config.log.level }}
# Guacamole Server ip 默认127.0.0.1
# GUA_HOST: 127.0.0.1
# Guacamole Server 端口号默认4822
# GUA_PORT: 4822
# 会话共享使用的类型 [local, redis], 默认local
SHARE_ROOM_TYPE: {{ $.Values.lion.config.share_room_type }}
# Redis配置
REDIS_HOST: {{ $.Values.core.config.redis.host }}
REDIS_PORT: {{ $.Values.core.config.redis.port }}
REDIS_PASSWORD: {{ $.Values.core.config.redis.password }}
# REDIS_DB_ROOM:

42
configs/jms-nginx/nginx.conf → configs/jms-web/default.conf
View File

@ -1,9 +1,11 @@
{{- $koko := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-koko" ($.Values.koko.service.web.port | toString) }}
{{- $lion := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-lion" ($.Values.lion.service.web.port | toString) }}
{{- $web := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.web.port | toString) }}
{{- $ws := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.ws.port | toString) }}
{{ $koko := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-koko" ($.Values.koko.service.web.port | toString) }}
{{ $lion := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-lion" ($.Values.lion.service.web.port | toString) }}
{{ $coreweb := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.web.port | toString) }}
{{ $corews := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-core" ($.Values.core.service.ws.port | toString) }}
{{ $omnidbweb := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-omnidb" ($.Values.omnidb.service.web.port | toString) }}
{{ $omnidbws := printf "http://%s-%s:%s" (include "jumpserver.fullname" $) "jms-omnidb" ($.Values.omnidb.service.ws.port | toString) }}
server {
listen {{ $.Values.nginx.service.web.port }};
listen {{ $.Values.web.service.web.port }};
server_name _;
server_tokens off;
@ -45,8 +47,32 @@ server {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /omnidb/ws {
resolver 127.0.0.11 valid=30s;
set $upstream {{$omnidbws}};
proxy_pass $upstream$request_uri;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /omnidb/ {
resolver 127.0.0.11 valid=30s;
set $upstream {{$omnidbweb}};
proxy_pass $upstream$request_uri;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /ws/ {
proxy_pass {{$ws}};
proxy_pass {{$corews}};
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@ -56,14 +82,14 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api/ {
proxy_pass {{$web}};
proxy_pass {{$coreweb}};
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass {{$web}};
proxy_pass {{$coreweb}};
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;

15
templates/configmap-koko.yaml
View File

@ -1,15 +0,0 @@
{{- if .Values.koko.enabled }}
{{- with .Values.koko }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-koko" }}
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
data:
{{- $path := printf "%s/%s/%s" "configs" "jms-koko" "config.yml" -}}
{{- tpl (($.Files.Glob $path ).AsConfig) $ | nindent 2 }}
{{- end }}
{{- end }}

15
templates/configmap-lion.yaml
View File

@ -1,15 +0,0 @@
{{- if .Values.lion.enabled }}
{{- with .Values.lion }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-lion" }}
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
data:
{{- $path := printf "%s/%s/%s" "configs" "jms-lion" "config.yml" -}}
{{- tpl (($.Files.Glob $path ).AsConfig) $ | nindent 2 }}
{{- end }}
{{- end }}

8
templates/configmap-nginx.yaml → templates/configmap-web.yaml
View File

@ -1,6 +1,6 @@
{{- if .Values.nginx.enabled }}
{{- with .Values.nginx }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }}
{{- if .Values.web.enabled }}
{{- with .Values.web }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-web" }}
kind: ConfigMap
apiVersion: v1
metadata:
@ -9,7 +9,7 @@ metadata:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
data:
{{- $path := printf "%s/%s/%s" "configs" "jms-nginx" "nginx.conf" -}}
{{- $path := printf "%s/%s/%s" "configs" "jms-web" "default.conf" -}}
{{- tpl (($.Files.Glob $path ).AsConfig) $ | nindent 2 }}
{{- end }}
{{- end }}

34
templates/deployment-celery.yaml
View File

@ -38,21 +38,45 @@ spec:
{{- end }}
args: ["start", "task"]
env:
- name: "DB_HOST"
- name: SECRET_KEY
value: "{{ .config.secretKey }}"
- name: BOOTSTRAP_TOKEN
value: "{{ .config.bootstrapToken }}"
- name: DEBUG
value: "{{ .config.debug }}"
- name: LOG_LEVEL
value: "{{ .config.log.level }}"
- name: SESSION_EXPIRE_AT_BROWSER_CLOSE
value: "true"
- name: HTTP_LISTEN_PORT
value: "{{ .service.web.port }}"
- name: WS_LISTEN_PORT
value: "{{ .service.ws.port }}"
- name: DB_ENGINE
value: "{{ .config.db.engine }}"
- name: DB_HOST
value: "{{ .config.db.host }}"
- name: "DB_PORT"
- name: DB_PORT
value: "{{ .config.db.port }}"
- name: "REDIS_HOST"
- name: DB_USER
value: "{{ .config.db.user }}"
- name: DB_PASSWORD
value: "{{ .config.db.password }}"
- name: DB_NAME
value: "{{ .config.db.name }}"
- name: REDIS_HOST
value: "{{ .config.redis.host }}"
- name: "REDIS_PORT"
- name: REDIS_PORT
value: "{{ .config.redis.port }}"
- name: REDIS_PASSWORD
value: "{{ .config.redis.password }}"
{{- with .env }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
livenessProbe:
exec:
command:
- ./jms status task | grep stopped && exit 1 || exit 0
- bash /opt/jumpserver/utils/check_celery.sh
resources:
{{- toYaml .resources | nindent 12 }}
volumeMounts:

32
templates/deployment-core.yaml
View File

@ -39,14 +39,38 @@ spec:
{{- end }}
args: ["start", "web"]
env:
- name: "DB_HOST"
- name: SECRET_KEY
value: "{{ .config.secretKey }}"
- name: BOOTSTRAP_TOKEN
value: "{{ .config.bootstrapToken }}"
- name: DEBUG
value: "{{ .config.debug }}"
- name: LOG_LEVEL
value: "{{ .config.log.level }}"
- name: SESSION_EXPIRE_AT_BROWSER_CLOSE
value: "true"
- name: HTTP_LISTEN_PORT
value: "{{ .service.web.port }}"
- name: WS_LISTEN_PORT
value: "{{ .service.ws.port }}"
- name: DB_ENGINE
value: "{{ .config.db.engine }}"
- name: DB_HOST
value: "{{ .config.db.host }}"
- name: "DB_PORT"
- name: DB_PORT
value: "{{ .config.db.port }}"
- name: "REDIS_HOST"
- name: DB_USER
value: "{{ .config.db.user }}"
- name: DB_PASSWORD
value: "{{ .config.db.password }}"
- name: DB_NAME
value: "{{ .config.db.name }}"
- name: REDIS_HOST
value: "{{ .config.redis.host }}"
- name: "REDIS_PORT"
- name: REDIS_PORT
value: "{{ .config.redis.port }}"
- name: REDIS_PASSWORD
value: "{{ .config.redis.password }}"
{{- with .env }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}

26
templates/deployment-koko.yaml
View File

@ -40,10 +40,22 @@ spec:
env:
- name: CORE_HOST
value: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}}
- name: "REDIS_HOST"
value: "{{.config.redis.host}}"
- name: "REDIS_PORT"
value: "{{.config.redis.port}}"
- name: BOOTSTRAP_TOKEN
value: "{{ $.Values.core.config.bootstrapToken }}"
- name: LOG_LEVEL
value: "{{ .config.log.level }}"
- name: SSHD_PORT
value: "{{ .service.ssh.port }}"
- name: HTTPD_PORT
value: "{{ .service.web.port }}"
- name: SHARE_ROOM_TYPE
value: redis
- name: REDIS_HOST
value: "{{ $.Values.core.config.redis.host }}"
- name: REDIS_PORT
value: "{{ $.Values.core.config.redis.port }}"
- name: REDIS_PASSWORD
value: "{{ $.Values.core.config.redis.password }}"
{{- with .env }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
@ -61,9 +73,6 @@ spec:
resources:
{{- toYaml .resources | nindent 12 }}
volumeMounts:
- mountPath: "/opt/koko/config.yml"
name: "jms-koko-config"
subPath: "config.yml"
- mountPath: "/opt/koko/data"
name: "jms-koko-data"
{{- with .volumeMounts }}
@ -71,9 +80,6 @@ spec:
{{- end }}
restartPolicy: Always
volumes:
- configMap:
name: '{{include "jumpserver.fullname" $}}-jms-koko'
name: "jms-koko-config"
- persistentVolumeClaim:
claimName: '{{include "jumpserver.fullname" $}}-jms-koko-data'
name: "jms-koko-data"

24
templates/deployment-lion.yaml
View File

@ -40,10 +40,20 @@ spec:
env:
- name: CORE_HOST
value: http://{{ include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}}
- name: "REDIS_HOST"
value: "{{.config.redis.host}}"
- name: "REDIS_PORT"
value: "{{.config.redis.port}}"
- name: BOOTSTRAP_TOKEN
value: "{{ $.Values.core.config.bootstrapToken }}"
- name: LOG_LEVEL
value: "{{ .config.log.level }}"
- name: HTTPD_PORT
value: "{{ .service.web.port }}"
- name: SHARE_ROOM_TYPE
value: redis
- name: REDIS_HOST
value: "{{ $.Values.core.config.redis.host }}"
- name: REDIS_PORT
value: "{{ $.Values.core.config.redis.port }}"
- name: REDIS_PASSWORD
value: "{{ $.Values.core.config.redis.password }}"
{{- with .env }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
@ -58,9 +68,6 @@ spec:
resources:
{{- toYaml .resources | nindent 12 }}
volumeMounts:
- mountPath: "/opt/lion/config.yml"
name: "jms-lion-config"
subPath: "config.yml"
- mountPath: "/opt/lion/data"
name: "jms-lion-data"
{{- with .volumeMounts }}
@ -68,9 +75,6 @@ spec:
{{- end }}
restartPolicy: Always
volumes:
- configMap:
name: '{{include "jumpserver.fullname" $}}-jms-lion'
name: "jms-lion-config"
- persistentVolumeClaim:
claimName: '{{include "jumpserver.fullname" $}}-jms-lion-data'
name: "jms-lion-data"

24
templates/deployment-nginx.yaml
View File

@ -1,7 +1,7 @@
{{- if .Values.nginx.enabled }}
{{- with .Values.nginx }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }}
{{- $containerName := "jms-nginx" }}
{{- if .Values.web.enabled }}
{{- with .Values.web }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-web" }}
{{- $containerName := "jms-web" }}
{{- $image := printf "%s:%s" .image.repository .image.tag }}
apiVersion: apps/v1
kind: Deployment
@ -53,26 +53,26 @@ spec:
{{- toYaml .resources | nindent 12 }}
volumeMounts:
- mountPath: "/etc/nginx/conf.d/default.conf"
name: "jms-nginx-config"
subPath: "nginx.conf"
name: "jms-web-config"
subPath: "default.conf"
- mountPath: "/opt/jumpserver/data"
name: "jms-core-data"
- mountPath: "/var/log/nginx"
name: "jms-nginx-logs"
- mountPath: "/var/log/web"
name: "jms-web-logs"
{{- with .volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
restartPolicy: Always
volumes:
- configMap:
name: '{{include "jumpserver.fullname" $}}-jms-nginx'
name: "jms-nginx-config"
name: '{{include "jumpserver.fullname" $}}-jms-web'
name: "jms-web-config"
- persistentVolumeClaim:
claimName: '{{include "jumpserver.fullname" $}}-jms-core-data'
name: "jms-core-data"
- persistentVolumeClaim:
claimName: '{{include "jumpserver.fullname" $}}-jms-nginx-logs'
name: "jms-nginx-logs"
claimName: '{{include "jumpserver.fullname" $}}-jms-web-logs'
name: "jms-web-logs"
{{- with .volumes }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}

94
templates/deployment-omnidb.yaml Normal file
View File

@ -0,0 +1,94 @@
{{- if .Values.xpack.enabled }}
{{- with .Values.omnidb }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-omnidb" }}
{{- $containerName := "jms-omnidb" }}
{{- $image := printf "%s:%s" .image.repository .image.tag }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
spec:
replicas: {{ .replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- toYaml .labels | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- toYaml .labels | nindent 8 }}
spec:
serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }}
securityContext:
{{- toYaml .podSecurityContext | nindent 8 }}
containers:
- name: {{ $containerName }}
securityContext:
{{- toYaml .securityContext | nindent 12 }}
image: "{{$image}}"
imagePullPolicy: {{ .image.pullPolicy }}
{{- with .command }}
command:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
env:
- name: CORE_HOST
value: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}}
- name: BOOTSTRAP_TOKEN
value: "{{ $.Values.core.config.bootstrapToken }}"
- name: LOG_LEVEL
value: "{{ .config.log.level }}"
- name: websocket_port
value: "{{ .service.ws.port }}"
- name: listening_port
value: "{{ .service.web.port }}"
{{- with .env }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
ports:
- name: web
containerPort: {{ .service.web.port }}
protocol: TCP
- name: ws
containerPort: {{ .service.ws.port }}
protocol: TCP
livenessProbe:
{{- toYaml .livenessProbe | nindent 12}}
readinessProbe:
{{- toYaml .readinessProbe | nindent 12}}
resources:
{{- toYaml .resources | nindent 12 }}
volumeMounts:
- mountPath: "/opt/omnidb/data"
name: "jms-omnidb-data"
{{- with .volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
restartPolicy: Always
volumes:
- persistentVolumeClaim:
claimName: '{{include "jumpserver.fullname" $}}-jms-omnidb-data'
name: "jms-omnidb-data"
{{- with .volumes }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

87
templates/deployment-xrdp.yaml Normal file
View File

@ -0,0 +1,87 @@
{{- if .Values.xpack.enabled }}
{{- with .Values.xrdp }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-xrdp" }}
{{- $containerName := "jms-xrdp" }}
{{- $image := printf "%s:%s" .image.repository .image.tag }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
spec:
replicas: {{ .replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- toYaml .labels | nindent 6 }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- toYaml .labels | nindent 8 }}
spec:
serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }}
securityContext:
{{- toYaml .podSecurityContext | nindent 8 }}
containers:
- name: {{ $containerName }}
securityContext:
{{- toYaml .securityContext | nindent 12 }}
image: "{{$image}}"
imagePullPolicy: {{ .image.pullPolicy }}
{{- with .command }}
command:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
env:
- name: CORE_HOST
value: http://{{include "jumpserver.fullname" $}}-jms-core:{{$.Values.core.service.web.port}}
- name: BOOTSTRAP_TOKEN
value: "{{ $.Values.core.config.bootstrapToken }}"
- name: LOG_LEVEL
value: "{{ .config.log.level }}"
{{- with .env }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
ports:
- name: rdp
containerPort: {{ .service.rdp.port }}
protocol: TCP
livenessProbe:
{{- toYaml .livenessProbe | nindent 12}}
readinessProbe:
{{- toYaml .readinessProbe | nindent 12}}
resources:
{{- toYaml .resources | nindent 12 }}
volumeMounts:
- mountPath: "/opt/xrdp/data"
name: "jms-xrdp-data"
{{- with .volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
restartPolicy: Always
volumes:
- persistentVolumeClaim:
claimName: '{{include "jumpserver.fullname" $}}-jms-xrdp-data'
name: "jms-xrdp-data"
{{- with .volumes }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

2
templates/ingress.yaml
View File

@ -29,7 +29,7 @@ spec:
path: /
backend:
service:
name: '{{printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx"}}'
name: '{{printf "%s-%s" (include "jumpserver.fullname" $) "jms-web"}}'
port:
number: 80
{{- end }}

27
templates/pre-install-initdb.yaml
View File

@ -21,7 +21,10 @@ spec:
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- toYaml .labels | nindent 8 }}
spec:
serviceAccountName: {{ template "jumpserver.serviceAccountName" $ }}
{{- if $.Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml $.Values.imagePullSecrets | indent 8 }}
{{- end }}
securityContext:
{{- toYaml .podSecurityContext | nindent 8 }}
containers:
@ -35,25 +38,27 @@ spec:
- "-c"
- cd /opt/jumpserver && ./jms upgrade_db
env:
- name: "SECRET_KEY"
- name: SECRET_KEY
value: "{{ .config.secretKey }}"
- name: "BOOTSTRAP_TOKEN"
- name: BOOTSTRAP_TOKEN
value: "{{ .config.bootstrapToken }}"
- name: "DB_HOST"
- name: DB_ENGINE
value: "{{ .config.db.engine }}"
- name: DB_HOST
value: "{{ .config.db.host }}"
- name: "DB_PORT"
- name: DB_PORT
value: "{{ .config.db.port }}"
- name: "DB_USER"
- name: DB_USER
value: "{{ .config.db.user }}"
- name: "DB_PASSWORD"
- name: DB_PASSWORD
value: "{{ .config.db.password }}"
- name: "DB_NAME"
- name: DB_NAME
value: "{{ .config.db.name }}"
- name: "REDIS_HOST"
- name: REDIS_HOST
value: "{{ .config.redis.host }}"
- name: "REDIS_PORT"
- name: REDIS_PORT
value: "{{ .config.redis.port }}"
- name: "REDIS_PASSWORD"
- name: REDIS_PASSWORD
value: "{{ .config.redis.password }}"
{{- with .env }}
{{- tpl (toYaml .) $ | nindent 12 }}

6
templates/pvc-nginx-logs.yaml
View File

@ -1,6 +1,6 @@
{{- if .Values.nginx.enabled }}
{{- with .Values.nginx }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx-logs" }}
{{- if .Values.web.enabled }}
{{- with .Values.web }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-web-logs" }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:

29
templates/pvc-omnidb-data.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.xpack.enabled }}
{{- with .Values.omnidb }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-omnidb-data" }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
{{- with .persistence.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .persistence.finalizers }}
finalizers:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
accessModes:
{{- range .persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .persistence.size | quote }}
storageClassName: {{ .persistence.storageClassName }}
{{- end }}
{{- end }}

29
templates/pvc-xrdp-data.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.xpack.enabled }}
{{- with .Values.xrdp }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-xrdp-data" }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
{{- with .persistence.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .persistence.finalizers }}
finalizers:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
accessModes:
{{- range .persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .persistence.size | quote }}
storageClassName: {{ .persistence.storageClassName }}
{{- end }}
{{- end }}

2
templates/service-core.yaml
View File

@ -8,6 +8,8 @@ metadata:
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
annotations:
{{- toYaml .service.annotations | nindent 4 }}
spec:
type: {{ .service.type }}
ports:

2
templates/service-lion.yaml
View File

@ -8,6 +8,8 @@ metadata:
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
annotations:
{{- toYaml .service.annotations | nindent 4 }}
spec:
type: {{ .service.type }}
ports:

33
templates/service-omnidb.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if .Values.xpack.enabled }}
{{- with .Values.omnidb }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-omnidb" }}
apiVersion: v1
kind: Service
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
annotations:
{{- toYaml .service.annotations | nindent 4 }}
spec:
type: {{ .service.type }}
ports:
- port: {{ .service.web.port }}
targetPort: web
protocol: TCP
name: web
- port: {{ .service.ws.port }}
targetPort: ws
protocol: TCP
name: ws
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 10800
selector:
app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- toYaml .labels | nindent 4 }}
{{- end }}
{{- end }}

8
templates/service-nginx.yaml → templates/service-web.yaml
View File

@ -1,6 +1,6 @@
{{- if .Values.nginx.enabled }}
{{- with .Values.nginx }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-nginx" }}
{{- if .Values.web.enabled }}
{{- with .Values.web }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-web" }}
apiVersion: v1
kind: Service
metadata:
@ -8,6 +8,8 @@ metadata:
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
annotations:
{{- toYaml .service.annotations | nindent 4 }}
spec:
type: {{ .service.type }}
ports:

29
templates/service-xrdp.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.xpack.enabled }}
{{- with .Values.xrdp }}
{{- $fullName := printf "%s-%s" (include "jumpserver.fullname" $) "jms-xrdp" }}
apiVersion: v1
kind: Service
metadata:
name: {{ $fullName }}
labels:
{{- include "jumpserver.labels" $ | nindent 4 }}
{{- toYaml .labels | nindent 4 }}
annotations:
{{- toYaml .service.annotations | nindent 4 }}
spec:
type: {{ .service.type }}
ports:
- port: {{ .service.rdp.port }}
targetPort: rdp
protocol: TCP
name: rdp
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 10800
selector:
app.kubernetes.io/name: {{ include "jumpserver.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name }}
{{- toYaml .labels | nindent 4 }}
{{- end }}
{{- end }}

2
templates/serviceaccount.yaml
View File

@ -6,5 +6,5 @@ metadata:
labels:
{{- include "jumpserver.labels" . | nindent 4 }}
imagePullSecrets:
{{- toYaml .Values.serviceAccount.imagePullSecrets | nindent 2 }}
{{- toYaml .Values.imagePullSecrets | nindent 2 }}
{{- end -}}

198
values.yaml
View File

@ -11,13 +11,13 @@ serviceAccount:
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
imagePullSecrets: []
# - name: yourImagePullSecret
ingress:
enabled: true
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
compute-full-forwarded-for: "true"
use-forwarded-headers: "true"
@ -66,7 +66,7 @@ core:
image:
repository: docker.io/jumpserver/core
tag: v2.12.2
tag: v2.13.1
pullPolicy: IfNotPresent
command: []
@ -146,17 +146,12 @@ koko:
config:
log:
level: ERROR
share_room_type: redis
redis:
host: ""
port: 6379
password: ""
replicaCount: 1
image:
repository: docker.io/jumpserver/koko
tag: v2.12.2
tag: v2.13.1
pullPolicy: IfNotPresent
command: []
@ -178,7 +173,8 @@ koko:
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
securityContext:
privileged: true
# capabilities:
# drop:
# - ALL
@ -234,17 +230,12 @@ lion:
config:
log:
level: ERROR
share_room_type: redis
redis:
host: ""
port: 6379
password: ""
replicaCount: 1
image:
repository: docker.io/jumpserver/lion
tag: v2.12.2
tag: v2.13.1
pullPolicy: IfNotPresent
command: []
@ -311,17 +302,176 @@ lion:
affinity: {}
nginx:
enabled: true
xpack:
enabled: false
omnidb:
labels:
app.jumpserver.org/name: jms-nginx
app.jumpserver.org/name: jms-omnidb
config:
log:
level: ERROR
replicaCount: 1
image:
repository: docker.io/jumpserver/nginx
tag: v2.12.2
repository: registry.fit2cloud.com/jumpserver/omnidb
tag: v2.13.1
pullPolicy: IfNotPresent
command: []
env: []
livenessProbe:
failureThreshold: 30
tcpSocket:
port: web
readinessProbe:
failureThreshold: 30
tcpSocket:
port: web
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
web:
port: 8082
ws:
port: 8071
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
persistence:
type: pvc
storageClassName: jumpserver-data
accessModes:
- ReadWriteMany
size: 10Gi
# annotations: {}
finalizers:
- kubernetes.io/pvc-protection
volumeMounts: []
volumes: []
nodeSelector: {}
tolerations: []
affinity: {}
xrdp:
labels:
app.jumpserver.org/name: jms-xrdp
config:
log:
level: ERROR
replicaCount: 1
image:
repository: registry.fit2cloud.com/jumpserver/xrdp
tag: v2.13.1
pullPolicy: IfNotPresent
command: []
env: []
livenessProbe:
failureThreshold: 30
tcpSocket:
port: rdp
readinessProbe:
failureThreshold: 30
tcpSocket:
port: rdp
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
rdp:
port: 3389
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
persistence:
type: pvc
storageClassName: jumpserver-data
accessModes:
- ReadWriteMany
size: 10Gi
# annotations: {}
finalizers:
- kubernetes.io/pvc-protection
volumeMounts: []
volumes: []
nodeSelector: {}
tolerations: []
affinity: {}
web:
enabled: true
labels:
app.jumpserver.org/name: jms-web
replicaCount: 1
image:
repository: docker.io/jumpserver/web
tag: v2.13.1
pullPolicy: IfNotPresent
command: []
@ -387,11 +537,3 @@ nginx:
tolerations: []
affinity: {}
## PodSecurityPolicy configuration
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
##
podSecurityPolicy:
## Specifies whether a PodSecurityPolicy should be created
##
create: false