314 lines
8.6 KiB
YAML
314 lines
8.6 KiB
YAML
image:
|
|
repository: tccr.io/truecharts/guacamole-client
|
|
pullPolicy: IfNotPresent
|
|
tag: v1.4.0@sha256:ee47f0bfa10658683f46cd08316dac56dfb78a0a71a579db0efecd59466adfee
|
|
|
|
podSecurityContext:
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
|
|
securityContext:
|
|
readOnlyRootFilesystem: false
|
|
|
|
service:
|
|
main:
|
|
ports:
|
|
main:
|
|
port: 9998
|
|
targetPort: 8080
|
|
|
|
env:
|
|
# Will probably be removed on 1.5.0 (https://github.com/apache/guacamole-client/pull/717)
|
|
POSTGRES_DATABASE: "{{ .Values.postgresql.postgresqlDatabase }}"
|
|
POSTGRES_USER: "{{ .Values.postgresql.postgresqlUsername }}"
|
|
POSTGRES_PORT: 5432
|
|
POSTGRES_HOSTNAME:
|
|
secretKeyRef:
|
|
name: dbcreds
|
|
key: plainhost
|
|
POSTGRES_PASSWORD:
|
|
secretKeyRef:
|
|
name: dbcreds
|
|
key: postgresql-password
|
|
# New format
|
|
POSTGRESQL_PASSWORD:
|
|
secretKeyRef:
|
|
name: dbcreds
|
|
key: postgresql-password
|
|
POSTGRESQL_HOSTNAME:
|
|
secretKeyRef:
|
|
name: dbcreds
|
|
key: plainhost
|
|
POSTGRESQL_DATABASE: "{{ .Values.postgresql.postgresqlDatabase }}"
|
|
POSTGRESQL_USER: "{{ .Values.postgresql.postgresqlUsername }}"
|
|
POSTGRESQL_PORT: 5432
|
|
GUACD_HOSTNAME: "localhost"
|
|
GUACD_PORT: 4822
|
|
|
|
envFrom:
|
|
- configMapRef:
|
|
name: guacamole-client-env
|
|
|
|
totp:
|
|
TOTP_ENABLED: false
|
|
# TOTP_ISSUER: "Apache Guacamole"
|
|
# TOTP_DIGITS: "6"
|
|
# TOTP_PERIOD: "30"
|
|
# TOTP_MODE: "sha1"
|
|
|
|
header:
|
|
HEADER_ENABLED: false
|
|
# HTTP_AUTH_HEADER: "REMOTE_USER"
|
|
|
|
api:
|
|
{}
|
|
# API_SESSION_TIMEOUT: "60"
|
|
|
|
general:
|
|
{}
|
|
# EXTENSION_PRIORITY: "openid"
|
|
|
|
json:
|
|
{}
|
|
# JSON_SECRET_KEY: "random32charkey"
|
|
# JSON_TRUSTED_NETWORKS: "127.0.0.0/8, 10.0.0.0/8"
|
|
|
|
duo:
|
|
{}
|
|
# DUO_API_HOSTNAME: "api-XXXXXXXX.duosecurity.com"
|
|
# DUO_INTEGRATION_KEY: "exactly20charkey"
|
|
# DUO_SECRET_KEY: "exactly40charkey"
|
|
# DUO_APPLICATION_KEY: "atleast40charkey"
|
|
|
|
cas:
|
|
{}
|
|
# CAS_AUTHORIZATION_ENDPOINT: ""
|
|
# CAS_REDIRECT_URI: ""
|
|
# CAS_CLEARPASS_KEY: ""
|
|
# CAS_GROUP_ATTRIBUTE: ""
|
|
# CAS_GROUP_FORMAT: "plain"
|
|
# CAS_GROUP_LDAP_BASE_DN: ""
|
|
# CAS_GROUP_LDAP_ATTRIBUTE: ""
|
|
|
|
openid:
|
|
{}
|
|
# OPENID_AUTHORIZATION_ENDPOINT: ""
|
|
# OPENID_JWKS_ENDPOINT: ""
|
|
# OPENID_ISSUER: ""
|
|
# OPENID_CLIENT_ID: ""
|
|
# OPENID_REDIRECT_URI: ""
|
|
# OPENID_USERNAME_CLAIM_TYPE: "email"
|
|
# OPENID_GROUPS_CLAIM_TYPE: "groups"
|
|
# OPENID_MAX_TOKEN_VALIDITY: "300"
|
|
|
|
radius:
|
|
{}
|
|
# RADIUS_HOSTNAME: "localhost"
|
|
# RADIUS_AUTH_PORT: "1812"
|
|
# RADIUS_SHARED_SECRET: ""
|
|
# RADIUS_AUTH_PROTOCOL: "eap-tls"
|
|
# RADIUS_KEY_FILE: ""
|
|
# RADIUS_KEY_TYPE: "pkcs12"
|
|
# RADIUS_KEY_PASSWORD: ""
|
|
# RADIUS_CA_FILE: ""
|
|
# RADIUS_CA_TYPE: "pem"
|
|
# RADIUS_CA_PASSWORD: ""
|
|
# RADIUS_TRUST_ALL: "false"
|
|
# RADIUS_RETRIES: "5"
|
|
# RADIUS_TIMEOUT: "60"
|
|
# RADIUS_EAP_TTLS_INNER_PROTOCOL: "eap-tls"
|
|
|
|
ldap:
|
|
{}
|
|
# LDAP_HOSTNAME: "localhost"
|
|
# LDAP_USER_BASE_DN: ""
|
|
# LDAP_PORT: "389"
|
|
# LDAP_ENCRYPTION_METHOD: "none"
|
|
# LDAP_MAX_SEARCH_RESULTS: "1000"
|
|
# LDAP_SEARCH_BIND_DN: ""
|
|
# LDAP_USER_ATTRIBUTES: ""
|
|
# LDAP_SEARCH_BIND_PASSWORD: ""
|
|
# LDAP_USERNAME_ATTRIBUTE: ""
|
|
# LDAP_MEMBER_ATTRIBUTE: ""
|
|
# LDAP_USER_SEARCH_FILTER: "(objectClass=*)"
|
|
# LDAP_CONFIG_BASE_DN: ""
|
|
# LDAP_GROUP_BASE_DN: ""
|
|
# LDAP_GROUP_SEARCH_FILTER: "(objectClass=*)"
|
|
# LDAP_MEMBER_ATTRIBUTE_TYPE: "dn"
|
|
# LDAP_GROUP_NAME_ATTRIBUTE: "cn"
|
|
# LDAP_DEREFERENCE_ALIASES: "never"
|
|
# LDAP_FOLLOW_REFERRALS: false
|
|
# LDAP_MAX_REFERRAL_HOPS: "5"
|
|
# LDAP_OPERATION_TIMEOUT: "30"
|
|
|
|
saml:
|
|
{}
|
|
# SAML_IDP_METADATA_URL: ""
|
|
# SAML_IDP_URL:
|
|
# SAML_ENTITY_ID:
|
|
# SAML_CALLBACK_URL:
|
|
# SAML_STRICT:
|
|
# SAML_DEBUG:
|
|
# SAML_COMPRESS_REQUEST:
|
|
# SAML_COMPRESS_RESPONSE:
|
|
# SAML_GROUP_ATTRIBUTE:
|
|
|
|
proxy:
|
|
{}
|
|
# REMOTE_IP_VALVE_ENABLED: false
|
|
# PROXY_BY_HEADER: ""
|
|
# PROXY_PROTOCOL_HEADER: ""
|
|
# PROXY_IP_HEADER: ""
|
|
# PROXY_ALLOWED_IPS_REGEX: ""
|
|
|
|
postgresql:
|
|
enabled: true
|
|
existingSecret: "dbcreds"
|
|
postgresqlUsername: guacamole
|
|
postgresqlDatabase: guacamole
|
|
|
|
probes:
|
|
liveness:
|
|
path: "/guacamole"
|
|
readiness:
|
|
path: "/guacamole"
|
|
startup:
|
|
path: "/guacamole"
|
|
|
|
persistence:
|
|
initdbdata:
|
|
enabled: true
|
|
mountPath: "/initdbdata"
|
|
# Both temphack and temphackalso will be removed on the next image release
|
|
temphack:
|
|
enabled: true
|
|
mountPath: "/opt/guacamole/postgresql-hack"
|
|
temphackalso:
|
|
enabled: true
|
|
mountPath: "/opt/guacamole/postgresql"
|
|
|
|
initContainers:
|
|
1-creat-initdb-file:
|
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
|
volumeMounts:
|
|
- name: initdbdata
|
|
mountPath: "/initdbdata"
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |-
|
|
echo "Creating initdb.sql file..."
|
|
/opt/guacamole/bin/initdb.sh --postgres >/initdbdata/initdb.sql
|
|
if [ -e /initdbdata/initdb.sql ]; then
|
|
echo "Init file created successfully!"
|
|
exit 0
|
|
else
|
|
echo "Init file failed to create."
|
|
exit 1
|
|
fi
|
|
|
|
2-initdb:
|
|
image: "{{ .Values.multiinitImage.repository }}:{{ .Values.multiinitImage.tag }}"
|
|
env:
|
|
- name: POSTGRESQL_DATABASE
|
|
value: "{{ .Values.postgresql.postgresqlDatabase }}"
|
|
- name: POSTGRESQL_USER
|
|
value: "{{ .Values.postgresql.postgresqlUsername }}"
|
|
- name: POSTGRESQL_PORT
|
|
value: "5432"
|
|
- name: POSTGRESQL_HOSTNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: dbcreds
|
|
key: plainhost
|
|
- name: PGPASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: dbcreds
|
|
key: postgresql-password
|
|
volumeMounts:
|
|
- name: initdbdata
|
|
mountPath: "/initdbdata"
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |-
|
|
psql -h "$POSTGRESQL_HOSTNAME" -d "$POSTGRESQL_DATABASE" -U "$POSTGRESQL_USER" -p "$POSTGRESQL_PORT" -o '/dev/null' -c 'SELECT * FROM public.guacamole_user'
|
|
if [ $? -eq 0 ]; then
|
|
echo "DB already initialized. Skipping..."
|
|
else
|
|
echo "Initializing DB's schema..."
|
|
psql -h "$POSTGRESQL_HOSTNAME" -d "$POSTGRESQL_DATABASE" -U "$POSTGRESQL_USER" -p "$POSTGRESQL_PORT" -a -w -f /initdbdata/initdb.sql
|
|
if [ $? -eq 0 ]; then
|
|
echo "DB's schema initialized successfully!"
|
|
exit 0
|
|
else
|
|
echo "DB's schema failed to initialize."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
# Until they release an image with the updated driver, we need to manually replace it.
|
|
# https://issues.apache.org/jira/browse/GUACAMOLE-1433
|
|
# https://github.com/apache/guacamole-client/pull/655
|
|
# Both 3-temp-hach and 4-temp-hack will be removed on the next image release
|
|
3-temp-hack:
|
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
|
securityContext:
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
volumeMounts:
|
|
- name: temphack
|
|
mountPath: "/opt/guacamole/postgresql-hack"
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |-
|
|
echo "Checking postgresql driver version..."
|
|
if [ -e /opt/guacamole/postgresql/postgresql-42.2.24.jre7.jar ]; then
|
|
echo "Version found is correct."
|
|
exit 0
|
|
else
|
|
echo "Old version found. Will try to download a known-to-work version."
|
|
echo "Downloading (postgresql-42.2.24.jre7.jar)..."
|
|
curl -L "https://jdbc.postgresql.org/download/postgresql-42.2.24.jre7.jar" >"/opt/guacamole/postgresql-hack/postgresql-42.2.24.jre7.jar"
|
|
if [ -e /opt/guacamole/postgresql-hack/postgresql-42.2.24.jre7.jar ]; then
|
|
echo "Downloaded successfully!"
|
|
cp -r /opt/guacamole/postgresql/* /opt/guacamole/postgresql-hack/
|
|
if [ -e /opt/guacamole/postgresql-hack/postgresql-9.4-1201.jdbc41.jar ]; then
|
|
echo "Removing old version... (postgresql-9.4-1201.jdbc41.jar)"
|
|
rm "/opt/guacamole/postgresql-hack/postgresql-9.4-1201.jdbc41.jar"
|
|
if [ $? -eq 0 ]; then
|
|
echo "Removed successfully!"
|
|
else
|
|
echo "Failed to remove."
|
|
exit 1
|
|
fi
|
|
fi
|
|
else
|
|
echo "Failed to download."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
4-temp-hack:
|
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
|
securityContext:
|
|
runAsUser: 1001
|
|
runAsGroup: 1001
|
|
volumeMounts:
|
|
- name: temphack
|
|
mountPath: "/opt/guacamole/postgresql-hack"
|
|
- name: temphackalso
|
|
mountPath: "/opt/guacamole/postgresql"
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |-
|
|
echo "Copying postgres driver into the final destination."
|
|
cp -r /opt/guacamole/postgresql-hack/* /opt/guacamole/postgresql/
|
|
if [ -e /opt/guacamole/postgresql/postgresql-42.2.24.jre7.jar ]; then
|
|
echo "Driver copied successfully!"
|
|
else
|
|
echo "Failed to copy the driver"
|
|
fi
|
|
|
|
portal:
|
|
enabled: true
|