From caef167390dd88d5346156246fa1c88189d936e0 Mon Sep 17 00:00:00 2001 From: Mathias Westby Skoglund Date: Sun, 16 Jul 2023 17:24:45 +0200 Subject: [PATCH 1/6] Added an option for providing the url to the connect server when the connect server is not deployed in Kubernetes. --- charts/connect/templates/_helpers.tpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/connect/templates/_helpers.tpl b/charts/connect/templates/_helpers.tpl index 9488dd6..6ed0874 100644 --- a/charts/connect/templates/_helpers.tpl +++ b/charts/connect/templates/_helpers.tpl @@ -48,12 +48,16 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{- define "onepassword-connect.url" -}} +{{- if .Values.operator.connectUrl and not .Values.connect.create -}} +{{ .Values.operator.connectUrl }} +{{- else -}} {{- if .Values.connect.tls.enabled -}} https://{{ .Values.connect.applicationName }}:{{ .Values.connect.api.httpsPort }} {{- else -}} http://{{ .Values.connect.applicationName }}:{{ .Values.connect.api.httpPort }} {{- end }} {{- end }} +{{- end }} {{/* loadBalancer configuration for the the 1Password API and Sync service. From b6e30ed12da161cbf9b59f3fc565819a8e8f852b Mon Sep 17 00:00:00 2001 From: Mathias Westby Skoglund Date: Sun, 16 Jul 2023 17:27:52 +0200 Subject: [PATCH 2/6] Added description to readme. --- charts/connect/README.md | 143 ++++++++++++++++++++------------------- 1 file changed, 72 insertions(+), 71 deletions(-) diff --git a/charts/connect/README.md b/charts/connect/README.md index 0dee786..03abb4c 100644 --- a/charts/connect/README.md +++ b/charts/connect/README.md 
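Review bot: The new `if` branch in the [PATCH 1/6] hunk emits `.Values.operator.connectUrl` verbatim, with no check that the value is non-empty or carries a scheme, and the same holds for the reworked condition in patches 4 and 5. Because this helper is presumably what the operator uses to reach Connect with the API token from `operator.token`, an `http://` URL to a host outside the cluster would send that token unprotected, so the value deserves at least a scheme check and a hint in the README row that https is expected off-cluster. Conversely, when `connect.create` is false and `connectUrl` is empty, the `else` branch still renders the in-cluster `http://<applicationName>:<httpPort>` address, which points at nothing in that configuration; gating on `connect.create` alone and making the URL `required` turns that silent misconfiguration into a render-time error. The sketch below keeps the existing in-cluster branch unchanged.
```gotmpl
{{- define "onepassword-connect.url" -}}
{{- if not .Values.connect.create -}}
{{- $url := required "operator.connectUrl must be set when connect.create is false" .Values.operator.connectUrl -}}
{{- if not (or (hasPrefix "https://" $url) (hasPrefix "http://" $url)) -}}
{{- fail "operator.connectUrl must include a scheme (https:// recommended)" -}}
{{- end -}}
{{ $url }}
{{- else -}}
{{/* … unchanged: in-cluster https/http branch keyed on connect.tls.enabled … */}}
{{- end }}
```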
@@ -53,77 +53,78 @@ helm install --set connect.applicationName=connect connect ./connect ### Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| connect.create | boolean | `true` | Denotes whether the 1Password Connect server will be deployed | -| connect.replicas | integer | `1` | The number of replicas to run the 1Password Connect deployment | -| connect.applicationName | string | `"onepassword-connect"` | The name of 1Password Connect Application | -| connect.api.imageRepository | string | `"1password/connect-api` | The 1Password Connect API repository | -| connect.api.name | string | `"connect-api"` | The name of the 1Password Connect API container | -| connect.api.resources | object | `{}` | The resources requests/limits for the 1Password Connect API pod | -| connect.api.httpPort | integer | `8080` | The port the Connect API is served on when TLS is disabled | -| connect.api.httpsPort | integer | `8443` | The port the Connect API is served on when TLS is enabled | -| connect.api.logLevel | string | `info` | Log level of the Connect API container. Valid options are: trace, debug, info, warn, error. | -| connect.credentials | jsonString | | Contents of the 1password-credentials.json file for Connect. Can be set be adding `--set-file connect.credentials=` to your helm install command | -| connect.credentials_base64 | string | | Base64-encoded contents of the 1password-credentials.json file for Connect. This can be used instead of `connect.credentials` in case supplying raw JSON to `connect.credentials` leads to issues. 
| -| connect.credentialsKey | string | `"1password-credentials.json"` | The key for the 1Password Connect Credentials stored in the credentials secret, the credentials must be encoded as a base64 string | -| connect.credentialsName | string | `"op-credentials"` | The name of Kubernetes Secret containing the 1Password Connect credentials | -| connect.dataVolume.name | string | `"shared-data"` | The name of the shared volume used between 1Password Connect Containers | -| connect.dataVolume.type | string | `"emptyDir"` | The type of the shared volume used between 1Password Connect Containers | -| connect.dataVolume.values | object | `{}` | Desribes the fields and values for configuration of shared volume for 1Password Connect | -| connect.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Connect API image pull policy | -| connect.ingress.annotations | object | `{}` | The 1Password Connect Ingress Annotations | -| connect.ingress.enabled | bool | `false` | The boolean value to enable/disable the 1Password Connect | -| connect.ingress.extraPaths | list | `[]` | Additional Ingress Paths | -| connect.ingress.hosts[0].host | string | `"chart-example.local"` | The 1Password Connect Ingress Hostname | -| connect.ingress.hosts[0].paths | list | `[]` | The 1Password Connect Ingress Path | -| connect.ingress.ingressClassName | string | `""` | Optionally use ingressClassName instead of deprecated annotation. 
| -| connect.ingress.labels | object | `{}` | Ingress labels for 1Password Connect | -| connect.ingress.pathType | string | `"Prefix"` | Ingress PathType see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | -| connect.ingress.tls | list | `[]` | Ingress TLS see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) | -| connect.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the Connect pod | -| connect.probes.readiness | boolean | `true` | Denotes whether the 1Password Connect API readiness probe will operate and ensure the pod is ready before serving traffic | -| connect.probes.liveness | boolean | `true` | Denotes whether the 1Password Connect API will be continually checked by Kubernetes for liveness and restarted if the pod becomes unresponsive | -| connect.annotations | object | `{}` | Additional annotations to be added to the Connect API deployment resource. | -| connect.labels | object | `{}` | Additional labels to be added to the Connect API deployment resource. | -| connect.podAnnotations | object | `{}` | Additional annotations to be added to the Connect API pods. | -| connect.podLabels | object | `{}` | Additional labels to be added to the Connect API pods. | -| connect.serviceType | string | `NodePort` | The type of Service resource to create for the Connect API and sync services. | -| connect.serviceAnnotations | object | `{}` | Additional annotations to be added to the service. 
| -| connect.sync.imageRepository | string | `"1password/connect-sync"` | The 1Password Connect Sync repository | -| connect.sync.name | string | `"connect-sync"` | The name of the 1Password Connect Sync container | -| connect.sync.resources | object | `{}` | The resources requests/limits for the 1Password Connect Sync pod | -| connect.sync.httpPort | integer | `8081` | The port serving the health of the Sync container | -| connect.sync.logLevel | string | `info` | Log level of the Connect Sync container. Valid options are: trace, debug, info, warn, error. | -| connect.tls.enabled | boolean | `false` | Denotes whether the Connect API is secured with TLS | -| connect.tls.secret | string | `"op-connect-tls"` | The name of the secret containing the TLS key (`tls.key`) and certificate (`tls.crt`) | -| connect.tolerations | list | `[]` | List of tolerations to be added to the Connect API pods. | -| connect.version | string | `{{.Chart.AppVersion}}` | The 1Password Connect version to pull | -| operator.autoRestart | boolean | `false` | Denotes whether the 1Password Operator will automatically restart deployments based on associated updated secrets. | -| operator.create | boolean | `false` | Denotes whether the 1Password Operator will be deployed | -| operator.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Operator image pull policy | -| operator.imageRepository | string | `"1password/onepassword-operator"` | The 1Password Operator repository | -| operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the operator pod | -| operator.annotations | object | `{}` | Additional annotations to be added to the Operator deployment resource. | -| operator.labels | object | `{}` | Additional labels to be added to the Operator deployment resource. | -| operator.podAnnotations | object | `{}` | Additional annotations to be added to the Operator pods. 
| -| operator.podLabels | object | `{}` | Additional labels to be added to the Operator pods. | -| operator.pollingInterval | integer | `600` | How often the 1Password Operator will poll for secrets updates. | -| operator.clusterRole.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a cluster role will be created for each for the 1Password Operator | -| operator.clusterRole.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Cluster Role | -| operator.clusterRoleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a Cluster role binding will be created for the 1Password Operator Service Account | -| operator.roleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a role binding will be created for each Namespace for the 1Password Operator Service Account | -| operator.roleBinding.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Role Binding | -| operator.serviceAccount.annotations | object | `{}` | Annotations for the 1Password Connect Service Account | -| operator.serviceAccount.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a service account will be created for the 1Password Operator | -| operator.serviceAccount.name | string | `"onepassword-connect-operator"` | The name of the 1Password Conenct Operator | -| operator.tolerations | list | `[]` | List of tolerations to be added to the Operator pods. 
| -| operator.version | string | `"1.6.0"` | T 1Password Operator version to pull | -| operator.token.key | string | `"token"` | The key for the 1Password Connect token stored in the 1Password token secret | -| operator.token.name | string | `"onepassword-token"` | The name of Kubernetes Secret containing the 1Password Connect API token | -| operator.token.value | string | `"onepassword-token"` | An API token generated for 1Password Connect to be used by the Connect Operator | -| operator.watchNamespace | list | `[]` | A list of namespaces for the 1Password Operator to watch and manage. Use the empty list to watch all namespaces. | -| operator.resources | object | `{}` | The resources requests/limits for the 1Password Operator pod | +| Key | Type | Default | Description | +|-----|------------|-----|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| connect.create | boolean | `true` | Denotes whether the 1Password Connect server will be deployed | +| connect.replicas | integer | `1` | The number of replicas to run the 1Password Connect deployment | +| connect.applicationName | string | `"onepassword-connect"` | The name of 1Password Connect Application | +| connect.api.imageRepository | string | `"1password/connect-api` | The 1Password Connect API repository | +| connect.api.name | string | `"connect-api"` | The name of the 1Password Connect API container | +| connect.api.resources | object | `{}` | The resources requests/limits for the 1Password Connect API pod | +| connect.api.httpPort | integer | `8080` | The port the Connect API is served on when TLS is disabled | +| connect.api.httpsPort | integer | `8443` | The port the Connect API is served on when TLS is enabled | +| connect.api.logLevel | string | `info` | Log level of the Connect API container. Valid options are: trace, debug, info, warn, error. 
| +| connect.credentials | jsonString | | Contents of the 1password-credentials.json file for Connect. Can be set be adding `--set-file connect.credentials=` to your helm install command | +| connect.credentials_base64 | string | | Base64-encoded contents of the 1password-credentials.json file for Connect. This can be used instead of `connect.credentials` in case supplying raw JSON to `connect.credentials` leads to issues. | +| connect.credentialsKey | string | `"1password-credentials.json"` | The key for the 1Password Connect Credentials stored in the credentials secret, the credentials must be encoded as a base64 string | +| connect.credentialsName | string | `"op-credentials"` | The name of Kubernetes Secret containing the 1Password Connect credentials | +| connect.dataVolume.name | string | `"shared-data"` | The name of the shared volume used between 1Password Connect Containers | +| connect.dataVolume.type | string | `"emptyDir"` | The type of the shared volume used between 1Password Connect Containers | +| connect.dataVolume.values | object | `{}` | Desribes the fields and values for configuration of shared volume for 1Password Connect | +| connect.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Connect API image pull policy | +| connect.ingress.annotations | object | `{}` | The 1Password Connect Ingress Annotations | +| connect.ingress.enabled | bool | `false` | The boolean value to enable/disable the 1Password Connect | +| connect.ingress.extraPaths | list | `[]` | Additional Ingress Paths | +| connect.ingress.hosts[0].host | string | `"chart-example.local"` | The 1Password Connect Ingress Hostname | +| connect.ingress.hosts[0].paths | list | `[]` | The 1Password Connect Ingress Path | +| connect.ingress.ingressClassName | string | `""` | Optionally use ingressClassName instead of deprecated annotation. 
| +| connect.ingress.labels | object | `{}` | Ingress labels for 1Password Connect | +| connect.ingress.pathType | string | `"Prefix"` | Ingress PathType see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | +| connect.ingress.tls | list | `[]` | Ingress TLS see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) | +| connect.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the Connect pod | +| connect.probes.readiness | boolean | `true` | Denotes whether the 1Password Connect API readiness probe will operate and ensure the pod is ready before serving traffic | +| connect.probes.liveness | boolean | `true` | Denotes whether the 1Password Connect API will be continually checked by Kubernetes for liveness and restarted if the pod becomes unresponsive | +| connect.annotations | object | `{}` | Additional annotations to be added to the Connect API deployment resource. | +| connect.labels | object | `{}` | Additional labels to be added to the Connect API deployment resource. | +| connect.podAnnotations | object | `{}` | Additional annotations to be added to the Connect API pods. | +| connect.podLabels | object | `{}` | Additional labels to be added to the Connect API pods. | +| connect.serviceType | string | `NodePort` | The type of Service resource to create for the Connect API and sync services. | +| connect.serviceAnnotations | object | `{}` | Additional annotations to be added to the service. 
| +| connect.sync.imageRepository | string | `"1password/connect-sync"` | The 1Password Connect Sync repository | +| connect.sync.name | string | `"connect-sync"` | The name of the 1Password Connect Sync container | +| connect.sync.resources | object | `{}` | The resources requests/limits for the 1Password Connect Sync pod | +| connect.sync.httpPort | integer | `8081` | The port serving the health of the Sync container | +| connect.sync.logLevel | string | `info` | Log level of the Connect Sync container. Valid options are: trace, debug, info, warn, error. | +| connect.tls.enabled | boolean | `false` | Denotes whether the Connect API is secured with TLS | +| connect.tls.secret | string | `"op-connect-tls"` | The name of the secret containing the TLS key (`tls.key`) and certificate (`tls.crt`) | +| connect.tolerations | list | `[]` | List of tolerations to be added to the Connect API pods. | +| connect.version | string | `{{.Chart.AppVersion}}` | The 1Password Connect version to pull | +| operator.autoRestart | boolean | `false` | Denotes whether the 1Password Operator will automatically restart deployments based on associated updated secrets. | +| operator.create | boolean | `false` | Denotes whether the 1Password Operator will be deployed | +| operator.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Operator image pull policy | +| operator.imageRepository | string | `"1password/onepassword-operator"` | The 1Password Operator repository | +| operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the operator pod | +| operator.annotations | object | `{}` | Additional annotations to be added to the Operator deployment resource. | +| operator.labels | object | `{}` | Additional labels to be added to the Operator deployment resource. | +| operator.podAnnotations | object | `{}` | Additional annotations to be added to the Operator pods. 
| +| operator.podLabels | object | `{}` | Additional labels to be added to the Operator pods. | +| operator.pollingInterval | integer | `600` | How often the 1Password Operator will poll for secrets updates. | +| operator.clusterRole.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a cluster role will be created for each for the 1Password Operator | +| operator.clusterRole.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Cluster Role | +| operator.clusterRoleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a Cluster role binding will be created for the 1Password Operator Service Account | +| operator.roleBinding.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a role binding will be created for each Namespace for the 1Password Operator Service Account | +| operator.roleBinding.name | string | `"onepassword-connect-operator"` | The name of the 1Password Operator Role Binding | +| operator.serviceAccount.annotations | object | `{}` | Annotations for the 1Password Connect Service Account | +| operator.serviceAccount.create | boolean | `{{.Values.operator.create}}` | Denotes whether or not a service account will be created for the 1Password Operator | +| operator.serviceAccount.name | string | `"onepassword-connect-operator"` | The name of the 1Password Conenct Operator | +| operator.tolerations | list | `[]` | List of tolerations to be added to the Operator pods. 
| +| operator.version | string | `"1.6.0"` | T 1Password Operator version to pull | +| operator.token.key | string | `"token"` | The key for the 1Password Connect token stored in the 1Password token secret | +| operator.token.name | string | `"onepassword-token"` | The name of Kubernetes Secret containing the 1Password Connect API token | +| operator.token.value | string | `"onepassword-token"` | An API token generated for 1Password Connect to be used by the Connect Operator | +| operator.watchNamespace | list | `[]` | A list of namespaces for the 1Password Operator to watch and manage. Use the empty list to watch all namespaces. | +| operator.resources | object | `{}` | The resources requests/limits for the 1Password Operator pod | +| operator.connectUrl | string | | The url to the connect server with a schema, when a connect server is not deployed by this chart | ### CRD From 165a909593308ae91c452c672fa73d7cdc6a5501 Mon Sep 17 00:00:00 2001 From: Mathias Westby Skoglund Date: Sat, 19 Aug 2023 10:33:38 +0200 Subject: [PATCH 3/6] Readded documentation. --- charts/connect/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/connect/README.md b/charts/connect/README.md index 093e80d..c44be26 100644 --- a/charts/connect/README.md +++ b/charts/connect/README.md @@ -127,6 +127,7 @@ helm install --set connect.applicationName=connect connect ./connect | operator.watchNamespace | list | `[]` | A list of namespaces for the 1Password Operator to watch and manage. Use the empty list to watch all namespaces. | | operator.resources | object | `{}` | The resources requests/limits for the 1Password Operator pod | + ### CRD By default, the chart will also install the `OnePasswordItem` CRD. From cfe99e0542059e129ee0aae8cbb747767dbd0401 Mon Sep 17 00:00:00 2001 From: Mathias Westby Skoglund Date: Sat, 19 Aug 2023 10:50:18 +0200 Subject: [PATCH 4/6] Added proper if statement. --- charts/connect/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/charts/connect/templates/_helpers.tpl b/charts/connect/templates/_helpers.tpl index c4a72dd..41472e9 100644 --- a/charts/connect/templates/_helpers.tpl +++ b/charts/connect/templates/_helpers.tpl @@ -51,7 +51,7 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{- define "onepassword-connect.url" -}} -{{- if .Values.operator.connectUrl and not .Values.connect.create -}} +{{- if and (.Values.operator.connectUrl) not .Values.connect.create -}} {{ .Values.operator.connectUrl }} {{- else -}} {{- if .Values.connect.tls.enabled -}} From 16ef34da80ac1ae518ebdd9695e45a350089671a Mon Sep 17 00:00:00 2001 From: Mathias Westby Skoglund Date: Sat, 19 Aug 2023 11:46:18 +0200 Subject: [PATCH 5/6] It no works with () around and statement. --- charts/connect/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/connect/templates/_helpers.tpl b/charts/connect/templates/_helpers.tpl index 41472e9..18b4d34 100644 --- a/charts/connect/templates/_helpers.tpl +++ b/charts/connect/templates/_helpers.tpl @@ -51,7 +51,7 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{- define "onepassword-connect.url" -}} -{{- if and (.Values.operator.connectUrl) not .Values.connect.create -}} +{{- if and (.Values.operator.connectUrl) (not .Values.connect.create) -}} {{ .Values.operator.connectUrl }} {{- else -}} {{- if .Values.connect.tls.enabled -}} From a6720bdfbc2b48f6bb10c725ddbe6c74525b1a72 Mon Sep 17 00:00:00 2001 From: Mathias Westby Skoglund Date: Sat, 19 Aug 2023 11:58:33 +0200 Subject: [PATCH 6/6] Added connectUrl documentation. --- charts/connect/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/connect/README.md b/charts/connect/README.md index c44be26..0912989 100644 --- a/charts/connect/README.md +++ b/charts/connect/README.md 
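Review bot: In the [PATCH 5/6] hunk the parentheses around `.Values.operator.connectUrl` are redundant, since `and` takes its arguments directly; `{{- if and .Values.operator.connectUrl (not .Values.connect.create) -}}` reads more idiomatically and matches how the other helpers in this file are written. Separately, none of the six patches touches the chart's `values.yaml` (each diffstat lists only `_helpers.tpl` or `README.md`), so `operator.connectUrl` has no default entry alongside the other `operator.*` keys; adding `connectUrl: ""` there keeps the key discoverable and, if I read Helm's strict rendering correctly, avoids a missing-key error under `--strict`. The define's closing `{{- end }}` lies outside this hunk.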
@@ -107,7 +107,7 @@ helm install --set connect.applicationName=connect connect ./connect | operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the operator pod | | operator.annotations | object | `{}` | Additional annotations to be added to the Operator deployment resource. | | operator.labels | object | `{}` | Additional labels to be added to the Operator deployment resource. | -| operator.logLevel | string | `info` | Log level of the Operator container. Valid options are: debug, info and error. | +| operator.logLevel | string | `info` | Log level of the Operator container. Valid options are: debug, info and error. | | operator.podAnnotations | object | `{}` | Additional annotations to be added to the Operator pods. | | operator.podLabels | object | `{}` | Additional labels to be added to the Operator pods. | | operator.pollingInterval | integer | `600` | How often the 1Password Operator will poll for secrets updates. | @@ -126,6 +126,7 @@ helm install --set connect.applicationName=connect connect ./connect | operator.token.value | string | `"onepassword-token"` | An API token generated for 1Password Connect to be used by the Connect Operator | | operator.watchNamespace | list | `[]` | A list of namespaces for the 1Password Operator to watch and manage. Use the empty list to watch all namespaces. | | operator.resources | object | `{}` | The resources requests/limits for the 1Password Operator pod | +| operator.connectUrl | string | | The url to the connect server with a schema, when a connect server is not deployed by this chart | ### CRD