diff --git a/incubator/traefik-forward-auth/0.1.0/CHANGELOG.md b/incubator/traefik-forward-auth/0.1.0/CHANGELOG.md
new file mode 100644
index 00000000000..025bf171553
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/CHANGELOG.md
@@ -0,0 +1,13 @@
+**Important:**
+*for the complete changelog, please refer to the website*
+
+
+
+
+## [traefik-forward-auth-0.1.0]traefik-forward-auth-0.1.0 (2023-02-19)
+
+### Feat
+
+- add traefik-forward-auth ([#6965](https://github.com/truecharts/charts/issues/6965))
+
+
\ No newline at end of file
diff --git a/incubator/traefik-forward-auth/0.1.0/Chart.yaml b/incubator/traefik-forward-auth/0.1.0/Chart.yaml
new file mode 100644
index 00000000000..cde57c01e63
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/Chart.yaml
@@ -0,0 +1,35 @@
+apiVersion: v2
+kubeVersion: ">=1.16.0-0"
+name: traefik-forward-auth
+version: 0.1.0
+appVersion: "2.2.0"
+description: A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer. An example for a typical setup is included in the source (docs/how-to.md).
+type: application
+deprecated: false
+home: https://github.com/truecharts/charts/tree/master/charts/incubator/traefik-forward-auth
+icon: https://raw.githubusercontent.com/truecharts/charts/master/incubator/traefik-forward-auth/icon.png?raw=true
+keywords:
+ - traefik-forward-auth
+ - traefik
+ - forward-auth
+ - auth
+ - ingress
+ - middleware
+sources:
+ - https://github.com/truecharts/charts/tree/master/charts/incubator/traefik-forward-auth
+ - https://github.com/thomseddon/traefik-forward-auth
+dependencies:
+ - name: common
+ repository: https://library-charts.truecharts.org
+ version:
+ 11.1.2
+ # condition:
+maintainers:
+ - email: info@truecharts.org
+ name: TrueCharts
+ url: https://truecharts.org
+annotations:
+ truecharts.org/catagories: |
+ - network
+ truecharts.org/SCALE-support: "true"
+ truecharts.org/grade: U
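Review bot: `version:` in the `dependencies` entry of Chart.yaml is written as a key with the value `11.1.2` on the following line, which YAML folds into the same plain scalar but reads as a stray line, and the trailing `# condition:` comment then looks as if it belongs to that value; `version: 11.1.2` on one line keeps the entry consistent with the `name:` and `repository:` keys above it. The `# condition:` placeholder should either be completed or dropped, since a commented-out key documents nothing for the next maintainer.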
diff --git a/incubator/traefik-forward-auth/0.1.0/README.md b/incubator/traefik-forward-auth/0.1.0/README.md
new file mode 100644
index 00000000000..9b45abe7b30
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/README.md
@@ -0,0 +1,26 @@
+# README
+
+## General Info
+
+TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/stable/)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+*All Rights Reserved - The TrueCharts Project*
diff --git a/incubator/traefik-forward-auth/0.1.0/app-changelog.md b/incubator/traefik-forward-auth/0.1.0/app-changelog.md
new file mode 100644
index 00000000000..e184ad1f1ad
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/app-changelog.md
@@ -0,0 +1,9 @@
+
+
+## [traefik-forward-auth-0.1.0]traefik-forward-auth-0.1.0 (2023-02-19)
+
+### Feat
+
+- add traefik-forward-auth ([#6965](https://github.com/truecharts/charts/issues/6965))
+
+
\ No newline at end of file
diff --git a/incubator/traefik-forward-auth/0.1.0/app-readme.md b/incubator/traefik-forward-auth/0.1.0/app-readme.md
new file mode 100644
index 00000000000..22736424b37
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/app-readme.md
@@ -0,0 +1,8 @@
+A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer. An example for a typical setup is included in the source (docs/how-to.md).
+
+This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/incubator/traefik-forward-auth](https://truecharts.org/charts/incubator/traefik-forward-auth)
+
+---
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
diff --git a/incubator/traefik-forward-auth/0.1.0/charts/common-11.1.2.tgz b/incubator/traefik-forward-auth/0.1.0/charts/common-11.1.2.tgz
new file mode 100644
index 00000000000..da62080e8a5
Binary files /dev/null and b/incubator/traefik-forward-auth/0.1.0/charts/common-11.1.2.tgz differ
diff --git a/incubator/traefik-forward-auth/0.1.0/ix_values.yaml b/incubator/traefik-forward-auth/0.1.0/ix_values.yaml
new file mode 100644
index 00000000000..498d6dd70e9
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/ix_values.yaml
@@ -0,0 +1,62 @@
+image:
+ repository: tccr.io/truecharts/traefik-forward-auth
+ pullPolicy: IfNotPresent
+ tag: latest@sha256:edd7eb812cb38e59d32b5a00398b57a78506db2390cbe295f5df590a38a5d44e
+
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-google-secret'
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-oidc-secret'
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-oauth2-secret'
+
+service:
+ main:
+ ports:
+ main:
+ targetPort: 4181
+ port: 4181
+
+tfaAppOptions:
+ secret: something-random
+ port: 4181
+ logLevel: warn
+ logFormat: text
+
+tfaAuthOptions:
+ authHost:
+ urlPath: /_oauth
+ defaultAction: auth
+ defaultProvider: google
+ domain: []
+ whitelist: []
+ rules: []
+
+tfaCookieOptions:
+ cookieDomain: []
+ cookieName: _forward_auth
+ csrfCookieName: _forward_auth_csrf
+ lifetime: 43200
+ insecureCookie: false
+
+tfaGoogleOptions:
+ clientId: "changeme"
+ clientSecret: "changeme"
+ prompt: "changeme"
+
+tfaOidcOptions:
+ issuerUrl: "changeme"
+ clientId: "changeme"
+ clientSecret: "changeme"
+ resource: "changeme"
+
+tfaOauthOptions:
+ authUrl: "changeme"
+ tokenUrl: "changeme"
+ userUrl: "changeme"
+ clientId: "changeme"
+ clientSecret: "changeme"
+ scopes: "changeme"
+ tokenStyle: header
+ resource: "changeme"
diff --git a/incubator/traefik-forward-auth/0.1.0/questions.yaml b/incubator/traefik-forward-auth/0.1.0/questions.yaml
new file mode 100644
index 00000000000..7d46b39910b
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/questions.yaml
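Review bot: `tfaAppOptions.secret: something-random` is a fixed, published default for the value traefik-forward-auth uses to protect its auth and CSRF cookies, so any install that does not override it runs on a signing secret known to everyone with access to this chart; questions.yaml marks the field `required: true` / `private: true` with no default, but a plain Helm install of the chart still picks this value up. An empty default that the template refuses to render when unset, e.g. `secret: ""` here paired with Helm's `required` in the template that consumes it, or a value generated at install time, would close that path. With `defaultAction: auth` and both `domain: []` and `whitelist: []`, my understanding of upstream is that every account at the configured provider is accepted until one of those lists is filled in — please confirm and, if so, say so in a comment above `domain:`. Separately, `scopes: "changeme"` under `tfaOauthOptions` disagrees with the `profile, email` default questions.yaml gives the same field, and the `"changeme"` placeholders for the optional `prompt` and `resource` fields will be passed through as real values unless the templates filter them, which I cannot see from this diff.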
@@ -0,0 +1,1942 @@ +groups: + - name: Container Image + description: Image to be used for container + - name: General Settings + description: General Deployment Settings + - name: App Configuration + description: App Specific Config Options + - name: Networking and Services + description: Configure Network and Services for Container + - name: Storage and Persistence + description: Persist and Share Data that is Separate from the Container + - name: Ingress + description: Ingress Configuration + - name: Security and Permissions + description: Configure Security Context and Permissions + - name: Resources and Devices + description: "Specify Resources/Devices to be Allocated to Workload" + - name: Middlewares + description: Traefik Middlewares + - name: Metrics + description: Metrics + - name: VPN + description: VPN + - name: Addons + description: Addon Configuration + - name: Advanced + description: Advanced Configuration + - name: Documentation + description: Documentation +questions: + - variable: global + label: Global Settings + group: "General Settings" + schema: + type: dict + hidden: true + attrs: + - variable: isSCALE + label: Flag this is SCALE + schema: + type: boolean + default: true + hidden: true + - variable: controller + group: "General Settings" + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: replicas + description: Number of desired pod replicas + label: Desired Replicas + schema: + type: int + required: true + default: 1 + - variable: customextraargs + group: "General Settings" + label: "Extra Args" + description: "Do not click this unless you know what you are doing" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: extraArgs + label: Extra Args + schema: + type: list + default: [] + items: + - variable: arg + label: Arg + schema: + type: string + - variable: TZ + label: Timezone + group: "General Settings" + schema: + type: string + default: "Etc/UTC" + $ref: + 
- "definitions/timezone" + - variable: envList + label: Extra Environment Variables + description: "Please be aware that some variables are set in the background, adding duplicates here might cause issues or prevent the app from starting..." + group: "General Settings" + schema: + type: list + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + - variable: value + label: Value + schema: + type: string + + - variable: tfaAppOptions + group: App Configuration + label: Application Options + schema: + type: dict + attrs: + - variable: secret + label: Secret + description: Mandatory, can be any string. + schema: + type: string + required: true + private: true + - variable: port + label: Port + schema: + type: int + default: 4181 + - variable: logLevel + label: Log level + schema: + type: string + default: warn + enum: + - value: trace + description: Trace (most detailed) + - value: debug + description: Debug + - value: info + description: Information + - value: warn + description: Warning + - value: error + description: Error + - value: fatal + description: Fatal + - value: panic + description: Panic (least detailed) + - variable: logFormat + label: Log format + schema: + type: string + default: text + enum: + - value: text + description: Text + - value: json + description: JSON + - value: pretty + description: Pretty + - variable: tfaAuthOptions + group: App Configuration + label: Auth Options + schema: + type: dict + attrs: + - variable: authHost + label: Auth host + description: Single host to use when returning from 3rd party auth. 
+ schema: + type: string + - variable: urlPath + label: Callback URL Path + schema: + type: string + default: "/_oauth" + - variable: defaultAction + label: Default action + schema: + type: string + default: auth + enum: + - value: auth + description: Authenticate + - value: allow + description: Allow (do not require authentication) + - variable: defaultProvider + label: Default provider + schema: + type: string + default: google + enum: + - value: google + description: Google Provider + - value: oidc + description: OIDC Provider + - value: generic-oauth + description: Generic OAuth2 Provider + - variable: domain + label: Domains + description: Only allow given email domains. + schema: + type: list + default: [] + items: + - variable: allowedDomain + label: Host + schema: + type: string + required: true + - variable: whitelist + label: Whitelist + description: Only allow given email addresses. + schema: + type: list + default: [] + items: + - variable: allowedEmail + label: Host + schema: + type: string + required: true + - variable: rules + label: Rules + description: Additional rules in rule..= format. + schema: + type: list + default: [] + items: + - variable: rule + label: Rule + schema: + type: string + required: true + - variable: logoutRedirect + label: Logout redirect + description: URL to redirect to following logout. + schema: + type: string + - variable: tfaCookieOptions + group: App Configuration + label: Cookie Options + schema: + type: dict + attrs: + - variable: cookieDomain + label: Cookie domain hosts + schema: + type: list + default: [] + items: + - variable: cookieDomainHost + label: Host + schema: + type: string + required: true + - variable: cookieName + label: Cookie name + schema: + type: string + default: "_forward_auth" + - variable: csrfCookieName + label: CSRF cookie name + schema: + type: string + default: "_forward_auth_csrf" + - variable: lifetime + label: Lifetime + description: Lifetime in seconds. 
+ schema: + type: int + default: 43200 + - variable: insecureCookie + label: Use insecure cookies + schema: + type: boolean + default: false + - variable: tfaGoogleOptions + group: App Configuration + label: Google Provider + schema: + type: dict + attrs: + - variable: clientId + label: Client ID + schema: + type: string + private: true + - variable: clientSecret + label: Client Secret + schema: + type: string + private: true + - variable: prompt + label: Prompt + description: Space separated list of OpenID prompt options. + schema: + type: string + - variable: tfaOidcOptions + group: App Configuration + label: OIDC Provider + schema: + type: dict + attrs: + - variable: issuerUrl + label: Issuer URL + schema: + type: string + - variable: clientId + label: Client ID + schema: + type: string + private: true + - variable: clientSecret + label: Client Secret + schema: + type: string + private: true + - variable: resource + label: Resource + description: Optional resource indicator. + schema: + type: string + - variable: tfaOauthOptions + group: App Configuration + label: Generic OAuth2 Provider + schema: + type: dict + attrs: + - variable: authUrl + label: Auth/Login URL + schema: + type: string + - variable: tokenUrl + label: Token URL + schema: + type: string + - variable: userUrl + label: User URL + description: URL used to retrieve user info. + schema: + type: string + - variable: clientId + label: Client ID + schema: + type: string + private: true + - variable: clientSecret + label: Client Secret + schema: + type: string + private: true + - variable: scopes + label: Scopes + schema: + type: string + default: profile, email + - variable: tokenStyle + label: Token style + description: How token is presented when querying the User URL + schema: + type: string + default: header + enum: + - value: header + description: Header + - value: query + description: Query + - variable: resource + label: Resource + description: Optional resource indicator. 
+ schema: + type: string +# No FixedEnvs Present + - variable: TZ + label: Timezone + group: "General Settings" + schema: + type: string + default: "Etc/UTC" + $ref: + - "definitions/timezone" + - variable: envList + label: Extra Environment Variables + description: "Please be aware that some variables are set in the background, adding duplicates here might cause issues or prevent the app from starting..." + group: "General Settings" + schema: + type: list + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + - variable: value + label: Value + schema: + type: string + - variable: service + group: Networking and Services + label: Configure Service(s) + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Service" + description: "The Primary service on which the healthcheck runs, often the webUI" + schema: + type: dict + attrs: + + - variable: main + label: "Main Service Port Configuration" + schema: + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 4181 + required: true + - variable: advanced + label: "Show Advanced settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: enabled + label: "Enable the port" + schema: + type: boolean + default: true + - variable: protocol + label: "Port Type" + schema: + type: string + default: "HTTP" + enum: + - value: HTTP + description: "HTTP" + - value: "HTTPS" + description: "HTTPS" + - value: TCP + description: "TCP" + - value: "UDP" + description: "UDP" + - variable: nodePort + label: "Node Port (Optional)" + description: "This port gets exposed to the node. 
Only considered when service type is NodePort, Simple or LoadBalancer" + schema: + type: int + min: 9000 + max: 65535 + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 4181 + - variable: serviceexpert + group: Networking and Services + label: Show Expert Config + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hostNetwork + group: Networking and Services + label: Host-Networking (Complicated) + schema: + type: boolean + default: false + - variable: externalInterfaces + description: Add External Interfaces + label: Add external Interfaces + group: Networking + schema: + type: list + items: + - variable: interfaceConfiguration + description: Interface Configuration + label: Interface Configuration + schema: + type: dict + $ref: + - "normalize/interfaceConfiguration" + attrs: + - variable: hostInterface + description: Please Specify Host Interface + label: Host Interface + schema: + type: string + required: true + $ref: + - "definitions/interface" + - variable: ipam + description: Define how IP Address will be managed + label: IP Address Management + schema: + type: dict + required: true + attrs: + - variable: type + description: Specify type for IPAM + label: IPAM Type + schema: + type: string + required: true + enum: + - value: dhcp + description: Use DHCP + - value: static + description: Use Static IP + show_subquestions_if: static + subquestions: + - variable: staticIPConfigurations + label: Static IP Addresses + schema: + type: list + items: + - variable: staticIP + label: Static IP + schema: + type: ipaddr + cidr: true + - variable: staticRoutes + label: Static Routes + schema: + type: list + items: + - variable: staticRouteConfiguration + label: Static Route Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: destination + label: Destination + schema: + type: ipaddr + 
cidr: true + required: true + - variable: gateway + label: Gateway + schema: + type: ipaddr + cidr: false + required: true + - variable: serviceList + label: Add Manual Custom Services + group: Networking and Services + schema: + type: list + default: [] + items: + - variable: serviceListEntry + label: Custom Service + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the service + schema: + type: boolean + default: true + hidden: true + - variable: name + label: Name + schema: + type: string + default: "" + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - value: Simple + description: Deprecated CHANGE THIS + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. 
Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: advancedsvcset + label: Show Advanced Service Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: externalIPs + label: "External IP's" + description: "External IP's" + schema: + type: list + default: [] + items: + - variable: externalIP + label: External IP + schema: + type: string + - variable: ipFamilyPolicy + label: IP Family Policy + description: Specify the IP Policy + schema: + type: string + default: SingleStack + enum: + - value: SingleStack + description: SingleStack + - value: PreferDualStack + description: PreferDualStack + - value: RequireDualStack + description: RequireDualStack + - variable: ipFamilies + label: IP Families + description: (Advanced) The IP Families that should be used + schema: + type: list + default: [] + items: + - variable: ipFamily + label: IP Family + schema: + type: string + - variable: portsList + label: Additional Service Ports + schema: + type: list + default: [] + items: + - variable: portsListEntry + label: Custom ports + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Port + schema: + type: boolean + default: true + hidden: true + - variable: name + label: Port Name + schema: + type: string + default: "" + - variable: protocol + label: Port Type + schema: + type: string + default: TCP + enum: + - value: HTTP + description: HTTP + - value: HTTPS + description: HTTPS + - value: TCP + description: TCP + - value: UDP + description: UDP + - variable: targetPort + label: Target Port + description: This port exposes the container port on the service + schema: + type: int + required: true + - variable: port + label: Container Port + schema: + type: int + required: true + - variable: ingress + label: "" + group: Ingress + schema: + additional_attrs: true + type: dict + attrs: + - 
variable: main + label: "Main Ingress" + schema: + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [] + items: + - variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - variable: pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + - variable: clusterIssuer + label: clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates. Cannot be used combined with tls option below' + schema: + type: string + default: "" + - variable: tls + label: TLS-Settings + schema: + type: list + show_if: [["clusterIssuer", "=", ""]] + default: [] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + + - variable: clusterIssuer + label: Use Cert-Manager clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates.' 
+ schema: + type: string + default: "" + - variable: scaleCert + label: Use TrueNAS SCALE Certificate (Deprecated) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: secretName + label: Use Custom Secret (Advanced) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: string + default: "" + - variable: entrypoint + label: (Advanced) Traefik Entrypoint + description: Entrypoint used by Traefik when using Traefik as Ingress Provider + schema: + type: string + default: websecure + required: true + - variable: ingressClassName + label: (Advanced/Optional) IngressClass Name + schema: + type: string + default: "" + - variable: middlewares + label: Traefik Middlewares + description: Add previously created Traefik Middlewares to this Ingress + schema: + type: list + default: [] + items: + - variable: name + label: Name + schema: + type: string + default: "" + required: true + + - variable: ingressList + label: Add Manual Custom Ingresses + group: Ingress + schema: + type: list + default: [] + items: + - variable: ingressListEntry + label: Custom Ingress + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: true + hidden: true + - variable: name + label: Name + schema: + type: string + default: "" + - variable: ingressClassName + label: IngressClass Name + schema: + type: string + default: "" + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [] + items: + - variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - 
variable: pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + - variable: service + label: Linked Service + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Service Name + schema: + type: string + default: "" + - variable: port + label: Service Port + schema: + type: int + - variable: clusterIssuer + label: clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates. Cannot be used combined with tls option below' + schema: + type: string + default: "" + - variable: tls + label: TLS-Settings + schema: + type: list + default: [] + show_if: [["clusterIssuer", "=", ""]] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + - variable: clusterIssuer + label: Use Cert-Manager clusterIssuer + description: 'add the name of your Cert-Manager clusterIssuer here for automatic tls certificates.' 
+ schema: + type: string + default: "" + - variable: scaleCert + label: Use TrueNAS SCALE Certificate (Deprecated) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: secretName + label: Use Custom Secret (Advanced) + schema: + type: string + show_if: [["clusterIssuer", "=", ""]] + default: "" + - variable: entrypoint + label: Traefik Entrypoint + description: Entrypoint used by Traefik when using Traefik as Ingress Provider + schema: + type: string + default: websecure + required: true + - variable: middlewares + label: Traefik Middlewares + description: Add previously created Traefik Middlewares to this Ingress + schema: + type: list + default: [] + items: + - variable: name + label: Name + schema: + type: string + default: "" + required: true + - variable: advancedSecurity + label: "Show Advanced Security Settings" + group: "Security and Permissions" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: securityContext + label: "Security Context" + schema: + type: dict + attrs: + - variable: privileged + label: "Privileged mode" + schema: + type: boolean + default: false + - variable: readOnlyRootFilesystem + label: "ReadOnly Root Filesystem" + schema: + type: boolean + default: true + - variable: allowPrivilegeEscalation + label: "Allow Privilege Escalation" + schema: + type: boolean + default: false + - variable: runAsNonRoot + label: "runAsNonRoot" + schema: + type: boolean + default: true + + - variable: podSecurityContext + group: Security and Permissions + label: Pod Security Context + schema: + additional_attrs: true + type: dict + attrs: + - variable: runAsUser + label: "runAsUser" + description: "The UserID of the user running the application" + schema: + type: int + default: 568 + - variable: runAsGroup + label: "runAsGroup" + description: "The groupID this App of the user running the application" + schema: + type: int + default: 568 + - 
variable: fsGroup + label: "fsGroup" + description: "The group that should own ALL storage." + schema: + type: int + default: 568 + - variable: fsGroupChangePolicy + label: "When should we take ownership?" + schema: + type: string + default: OnRootMismatch + enum: + - value: OnRootMismatch + description: OnRootMismatch + - value: Always + description: Always + - variable: supplementalGroups + label: Supplemental Groups + schema: + type: list + default: [] + items: + - variable: supplementalGroupsEntry + label: Supplemental Group + schema: + type: int + - variable: resources + group: Resources and Devices + label: "Resource Limits" + schema: + additional_attrs: true + type: dict + attrs: + - variable: limits + label: Advanced Limit Resource Consumption + schema: + additional_attrs: true + type: dict + attrs: + - variable: cpu + label: CPU + description: "1000m means 1 hyperthread. Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 4000m + valid_chars: '^(?!^0(\.0|m|)$)([0-9]+)(\.[0-9]|m?)$' + - variable: memory + label: RAM + description: "1Gi means 1 Gibibyte RAM. Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 8Gi + valid_chars: '^(?!^0(e[0-9]|[EPTGMK]i?|)$)([0-9]+)(|[EPTGMK]i?|e[0-9]+)$' + - variable: requests + label: "Minimum Resources Required (request)" + schema: + additional_attrs: true + type: dict + hidden: true + attrs: + - variable: cpu + label: CPU + description: "1000m means 1 hyperthread. Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 10m + hidden: true + valid_chars: '^(?!^0(\.0|m|)$)([0-9]+)(\.[0-9]|m?)$' + - variable: memory + label: "RAM" + description: "1Gi means 1 Gibibyte RAM. 
Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 50Mi + hidden: true + valid_chars: '^(?!^0(e[0-9]|[EPTGMK]i?|)$)([0-9]+)(|[EPTGMK]i?|e[0-9]+)$' + - variable: deviceList + label: Mount USB Devices + group: Resources and Devices + schema: + type: list + default: [] + items: + - variable: deviceListEntry + label: Device + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Storage + schema: + type: boolean + default: true + - variable: type + label: (Advanced) Type of Storage + description: Sets the persistence type + schema: + type: string + default: hostPath + hidden: true + - variable: readOnly + label: readOnly + schema: + type: boolean + default: false + - variable: hostPath + label: Host Device Path + description: Path to the device on the host system + schema: + type: path + - variable: mountPath + label: Container Device Path + description: Path inside the container the device is mounted + schema: + type: string + default: "/dev/ttyACM0" + # Specify GPU configuration + - variable: scaleGPU + label: GPU Configuration + group: Resources and Devices + schema: + type: dict + $ref: + - "definitions/gpuConfiguration" + attrs: [] +# - variable: horizontalPodAutoscaler +# group: Advanced +# label: (Advanced) Horizontal Pod Autoscaler +# schema: +# type: list +# default: [] +# items: +# - variable: hpaEntry +# label: HPA Entry +# schema: +# additional_attrs: true +# type: dict +# attrs: +# - variable: name +# label: Name +# schema: +# type: string +# required: true +# default: "" +# - variable: enabled +# label: Enabled +# schema: +# type: boolean +# default: false +# show_subquestions_if: true +# subquestions: +# - variable: target +# label: Target +# description: Deployment name, Defaults to Main Deployment +# schema: +# type: string +# default: "" +# - variable: minReplicas +# label: Minimum Replicas +# schema: +# type: int +# default: 1 +# - variable: 
maxReplicas +# label: Maximum Replicas +# schema: +# type: int +# default: 5 +# - variable: targetCPUUtilizationPercentage +# label: Target CPU Utilization Percentage +# schema: +# type: int +# default: 80 +# - variable: targetMemoryUtilizationPercentage +# label: Target Memory Utilization Percentage +# schema: +# type: int +# default: 80 + - variable: networkPolicy + group: Advanced + label: (Advanced) Network Policy + schema: + type: list + default: [] + items: + - variable: netPolicyEntry + label: Network Policy Entry + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: enabled + label: Enabled + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: policyType + label: Policy Type + schema: + type: string + default: "" + enum: + - value: "" + description: Default + - value: ingress + description: Ingress + - value: egress + description: Egress + - value: ingress-egress + description: Ingress and Egress + - variable: egress + label: Egress + schema: + type: list + default: [] + items: + - variable: egressEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: to + label: To + schema: + type: list + default: [] + items: + - variable: toEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ipBlock + label: IP Block + schema: + additional_attrs: true + type: dict + attrs: + - variable: cidr + label: CIDR + schema: + type: string + default: "" + - variable: except + label: Except + schema: + type: list + default: [] + items: + - variable: exceptint + label: "" + schema: + type: string + - variable: namespaceSelector + label: Namespace Selector + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + 
schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: podSelector + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: ports + label: Ports + schema: + type: list + default: [] + items: + - variable: portsEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + - variable: endPort + label: End Port + schema: + type: int + - variable: protocol + label: Protocol + schema: + type: string + default: TCP + enum: + - value: TCP + description: TCP + - value: UDP + description: UDP + - value: SCTP + description: SCTP + - variable: ingress + label: Ingress + schema: + type: list + default: [] + items: + - variable: ingressEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: from + label: From + schema: + type: list + default: [] + items: + - 
variable: fromEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ipBlock + label: IP Block + schema: + additional_attrs: true + type: dict + attrs: + - variable: cidr + label: CIDR + schema: + type: string + default: "" + - variable: except + label: Except + schema: + type: list + default: [] + items: + - variable: exceptint + label: "" + schema: + type: string + - variable: namespaceSelector + label: Namespace Selector + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: podSelector + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: ports + label: Ports + schema: + type: list + default: [] + items: + - 
variable: portsEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + - variable: endPort + label: End Port + schema: + type: int + - variable: protocol + label: Protocol + schema: + type: string + default: TCP + enum: + - value: TCP + description: TCP + - value: UDP + description: UDP + - value: SCTP + description: SCTP + - variable: addons + group: Addons + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: codeserver + label: Codeserver + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: git + label: Git Settings + schema: + additional_attrs: true + type: dict + attrs: + - variable: deployKey + description: Raw SSH Private Key + label: Deploy Key + schema: + type: string + - variable: deployKeyBase64 + description: Base64-encoded SSH private key. When both variables are set, the raw SSH key takes precedence + label: Deploy Key Base64 + schema: + type: string + - variable: service + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: NodePort + description: Deprecated CHANGE THIS + - value: ClusterIP + description: ClusterIP + - value: LoadBalancer + description: LoadBalancer + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. 
Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: advancedsvcset + label: Show Advanced Service Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: externalIPs + label: "External IP's" + description: "External IP's" + schema: + type: list + default: [] + items: + - variable: externalIP + label: External IP + schema: + type: string + - variable: ipFamilyPolicy + label: IP Family Policy + description: Specify the IP Policy + schema: + type: string + default: SingleStack + enum: + - value: SingleStack + description: SingleStack + - value: PreferDualStack + description: PreferDualStack + - value: RequireDualStack + description: RequireDualStack + - variable: ipFamilies + label: IP Families + description: (Advanced) The IP Families that should be used + schema: + type: list + default: [] + items: + - variable: ipFamily + label: IP Family + schema: + type: string + - variable: ports + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: codeserver + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + default: 36107 + - variable: nodePort + description: Leave Empty to Disable + label: nodePort DEPRECATED + schema: + type: int + default: 36107 + - variable: envList + label: Codeserver Environment Variables + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + + + - variable: vpn + label: VPN + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type + schema: + type: string + default: disabled + enum: + - 
value: disabled + description: disabled + - value: openvpn + description: OpenVPN + - value: wireguard + description: Wireguard + - value: tailscale + description: Tailscale + - variable: openvpn + label: OpenVPN Settings + schema: + type: dict + show_if: [["type", "=", "openvpn"]] + attrs: + - variable: username + label: Authentication Username (Optional) + description: Authentication Username, Optional + schema: + type: string + default: "" + - variable: password + label: Authentication Password + description: Authentication Credentials + schema: + type: string + default: "" + required: true + - variable: tailscale + label: Tailscale Settings + schema: + type: dict + show_if: [["type", "=", "tailscale"]] + attrs: + - variable: authkey + label: Authentication Key + description: Provide an auth key to automatically authenticate the node as your user account. + schema: + type: string + private: true + default: "" + - variable: auth_once + label: Auth Once + description: Only attempt to log in if not already logged in. + schema: + type: boolean + default: true + - variable: accept_dns + label: Accept DNS + description: Accept DNS configuration from the admin console. + schema: + type: boolean + default: false + - variable: userspace + label: Userspace + description: Userspace Networking mode allows running Tailscale where you do not have access to create a VPN tunnel device. + schema: + type: boolean + default: false + - variable: routes + label: Routes + description: Expose physical subnet routes to your entire Tailscale network. + schema: + type: string + default: "" + - variable: dest_ip + label: Destination IP + description: Tells the DNAT mechanism which Destination IP to set in the IP header, and where to send packets that are matched. + schema: + type: string + default: "" + - variable: sock5_server + label: Sock5 Server + description: The address on which to listen for SOCKS5 proxying into the tailscale net. 
+ schema: + type: string + default: "" + - variable: outbound_http_proxy_listen + label: Outbound HTTP Proxy Listen + description: The address on which to listen for HTTP proxying into the tailscale net. + schema: + type: string + default: "" + - variable: extra_args + label: Extra Args + description: Extra Args + schema: + type: string + default: "" + - variable: daemon_extra_args + label: Tailscale Daemon Extra Args + description: Tailscale Daemon Extra Args + schema: + type: string + default: "" + - variable: killSwitch + label: Enable Killswitch + schema: + type: boolean + show_if: [["type", "!=", "disabled"]] + default: true + - variable: excludedNetworks_IPv4 + label: Killswitch Excluded IPv4 networks + description: List of Killswitch Excluded IPv4 Addresses + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: networkv4 + label: IPv4 Network + schema: + type: string + required: true + - variable: excludedNetworks_IPv6 + label: Killswitch Excluded IPv6 networks + description: "List of Killswitch Excluded IPv6 Addresses" + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: networkv6 + label: IPv6 Network + schema: + type: string + required: true + - variable: configFile + label: VPN Config File Location + schema: + type: dict + show_if: [["type", "!=", "disabled"]] + attrs: + - variable: enabled + label: Enabled + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Type + schema: + type: string + default: hostPath + hidden: true + - variable: hostPathType + label: hostPathType + schema: + type: string + default: File + hidden: true + - variable: noMount + label: noMount + schema: + type: boolean + default: true + hidden: true + - variable: hostPath + label: Full Path to File + description: "Path to your local VPN config file for example: /mnt/tank/vpn.conf or /mnt/tank/vpn.ovpn" + schema: + type: string + default: "" + - variable: envList 
+ label: VPN Environment Variables
+ schema:
+ type: list
+ show_if: [["type", "!=", "disabled"]]
+ default: []
+ items:
+ - variable: envItem
+ label: Environment Variable
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: name
+ label: Name
+ schema:
+ type: string
+ required: true
+ - variable: value
+ label: Value
+ schema:
+ type: string
+ required: true
diff --git a/incubator/traefik-forward-auth/0.1.0/templates/_args.tpl b/incubator/traefik-forward-auth/0.1.0/templates/_args.tpl
new file mode 100644
index 00000000000..e75a8fd6f60
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/templates/_args.tpl
@@ -0,0 +1,34 @@
+{{- define "tfa.args" -}}
+args:
+ - --log-level={{ .Values.tfaAppOptions.logLevel }}
+ - --log-format={{ .Values.tfaAppOptions.logFormat }}
+ {{- if .Values.tfaAuthOptions.authHost }}
+ - --auth-host={{ .Values.tfaAuthOptions.authHost }}
+ {{- end }}
+ {{- range .Values.tfaCookieOptions.cookieDomain }}
+ - --cookie-domain={{ . }}
+ {{- end }}
+ {{- if .Values.tfaCookieOptions.insecureCookie }}
+ - --insecure-cookie
+ {{- end }}
+ - --cookie-name={{ .Values.tfaCookieOptions.cookieName }}
+ - --csrf-cookie-name={{ .Values.tfaCookieOptions.csrfCookieName }}
+ - --default-action={{ .Values.tfaAuthOptions.defaultAction }}
+ - --default-provider={{ .Values.tfaAuthOptions.defaultProvider }}
+ {{- range .Values.tfaAuthOptions.domain }}
+ - --domain={{ . }}
+ {{- end }}
+ - --lifetime={{ .Values.tfaCookieOptions.lifetime }}
+ {{- if .Values.tfaAuthOptions.logoutRedirect }}
+ - --logout-redirect={{ .Values.tfaAuthOptions.logoutRedirect }}
+ {{- end }}
+ - --url-path={{ .Values.tfaAuthOptions.urlPath }}
+ - --secret={{ .Values.tfaAppOptions.secret }}
+ {{- range .Values.tfaAuthOptions.whitelist }}
+ - --whitelist={{ . }}
+ {{- end }}
+ - --port={{ .Values.tfaAppOptions.port }}
+ {{- range .Values.tfaAuthOptions.rules }}
+ - --{{ . }}
+ {{- end }}
+{{- end -}}
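Review bot: The cookie-signing key is passed as a process argument, `- --secret={{ .Values.tfaAppOptions.secret }}`, so it lands in the rendered pod spec (readable by anyone with `get pods` in the namespace) and in `ps`/audit output on the node, while the provider credentials in the same chart are routed through Kubernetes Secrets. Upstream traefik-forward-auth documents an environment-variable form for every flag (`SECRET` here), so drop this line and inject the key as `SECRET` from a Secret via `secretKeyRef` instead. Separately, none of the interpolated values is quoted: a secret or cookie name containing ` #` is silently truncated at the comment and one containing `: ` turns the list item into a mapping, neither with a render error, so emit each item as `- {{ printf "--cookie-name=%s" .Values.tfaCookieOptions.cookieName | quote }}` (quoting the whole item, not just the value, because a quote after `=` is kept literally by YAML). The `--insecure-cookie` toggle's default is set in questions.yaml outside this hunk; confirm it defaults to off.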
diff --git a/incubator/traefik-forward-auth/0.1.0/templates/_secret.tpl b/incubator/traefik-forward-auth/0.1.0/templates/_secret.tpl
new file mode 100644
index 00000000000..d950139c6d8
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/templates/_secret.tpl
@@ -0,0 +1,57 @@
+{{/* Define the secret */}}
+{{- define "tfa.secret" -}}
+
+{{- $googleSecretName := printf "%s-google-secret" (include "tc.common.names.fullname" .) }}
+{{- $oidcSecretName := printf "%s-oidc-secret" (include "tc.common.names.fullname" .) }}
+{{- $oauthSecretName := printf "%s-oauth2-secret" (include "tc.common.names.fullname" .) }}
+
+---
+
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $googleSecretName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ PROVIDERS_GOOGLE_CLIENT_ID: {{ .Values.tfaGoogleOptions.clientId | trimAll "\"" | b64enc }}
+ PROVIDERS_GOOGLE_CLIENT_SECRET: {{ .Values.tfaGoogleOptions.clientSecret | trimAll "\"" | b64enc }}
+ PROVIDERS_GOOGLE_PROMPT: {{ .Values.tfaGoogleOptions.prompt | trimAll "\"" | b64enc }}
+
+---
+
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $oidcSecretName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ PROVIDERS_OIDC_ISSUER_URL: {{ .Values.tfaOidcOptions.issuerUrl | trimAll "\"" | b64enc }}
+ PROVIDERS_OIDC_CLIENT_ID: {{ .Values.tfaOidcOptions.clientId | trimAll "\"" | b64enc }}
+ PROVIDERS_OIDC_CLIENT_SECRET: {{ .Values.tfaOidcOptions.clientSecret | trimAll "\"" | b64enc }}
+ PROVIDERS_OIDC_RESOURCE: {{ .Values.tfaOidcOptions.resource | trimAll "\"" | b64enc }}
+
+---
+
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $oauthSecretName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ PROVIDERS_GENERIC_OAUTH_AUTH_URL: {{ .Values.tfaOauthOptions.authUrl | trimAll "\"" | b64enc }}
+ PROVIDERS_GENERIC_OAUTH_TOKEN_URL: {{ .Values.tfaOauthOptions.tokenUrl | trimAll "\"" | b64enc }}
+ PROVIDERS_GENERIC_OAUTH_USER_URL: {{ .Values.tfaOauthOptions.userUrl | trimAll "\"" | b64enc }}
+ PROVIDERS_GENERIC_OAUTH_CLIENT_ID: {{ .Values.tfaOauthOptions.clientId | trimAll "\"" | b64enc }}
+ PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: {{ .Values.tfaOauthOptions.clientSecret | trimAll "\"" | b64enc }}
+ PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: {{ .Values.tfaOauthOptions.tokenStyle | trimAll "\"" | b64enc }}
+ PROVIDERS_GENERIC_OAUTH_RESOURCE: {{ .Values.tfaOauthOptions.resource | trimAll "\"" | b64enc }}
+
+---
+
+{{- end }}
diff --git a/incubator/traefik-forward-auth/0.1.0/templates/common.yaml b/incubator/traefik-forward-auth/0.1.0/templates/common.yaml
new file mode 100644
index 00000000000..dd59166b203
--- /dev/null
+++ b/incubator/traefik-forward-auth/0.1.0/templates/common.yaml
@@ -0,0 +1,13 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "tc.common.loader.init" . }}
+
+{{/* Render secret */}}
+{{- include "tfa.secret" . }}
+
+{{- $tplArgs := (include "tfa.args" . | fromYaml) }}
+{{- $_ := set .Values "tplArgs" $tplArgs -}}
+{{- $args := concat .Values.args .Values.tplArgs.args }}
+{{- $_ := set .Values "args" $args -}}
+
+{{/* Render the templates */}}
+{{ include "tc.common.loader.apply" . }}
diff --git a/incubator/traefik-forward-auth/0.1.0/values.yaml b/incubator/traefik-forward-auth/0.1.0/values.yaml
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/incubator/traefik-forward-auth/item.yaml b/incubator/traefik-forward-auth/item.yaml
new file mode 100644
index 00000000000..f13162e0d21
--- /dev/null
+++ b/incubator/traefik-forward-auth/item.yaml
@@ -0,0 +1,4 @@
+icon_url: https://raw.githubusercontent.com/truecharts/charts/master/incubator/traefik-forward-auth/icon.png?raw=true
+categories:
+- network
+
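Review bot: All three provider Secrets are rendered unconditionally, so a release that uses only OIDC still ships a `-google-secret` and an `-oauth2-secret` holding whatever placeholder `clientSecret` the UI supplied, and because `trimAll` needs a string, leaving any of the fourteen keys unset fails the render instead of skipping that provider. Gate each document on its provider being configured, e.g. `{{- if .Values.tfaGoogleOptions.clientId }}` before the Google `---` and `{{- end }}` after its `data:` block, so only credentials actually in use exist in the cluster. Note also that nothing in this diff references `$googleSecretName`/`$oidcSecretName`/`$oauthSecretName` from the pod (no `envFrom` or `secretKeyRef`), and `values.yaml` in this commit is the empty blob, so the wiring presumably lives in the SCALE questions outside this view; worth confirming, otherwise the providers start without credentials.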
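Review bot: `fromYaml` on the `tfa.args` output never fails: on a parse error it returns a map whose only key is `Error`, so a value that breaks the generated YAML (an unquoted secret containing `: `, for instance) leaves `.Values.tplArgs.args` nil and the problem surfaces, if at all, as an opaque `concat` failure rather than the parser message. Add `{{- if hasKey $tplArgs "Error" }}{{ fail (printf "tfa.args: %s" $tplArgs.Error) }}{{- end }}` directly after the `fromYaml` line. `concat .Values.args .Values.tplArgs.args` also assumes `args` is already a list; `values.yaml` in this commit is the empty blob, so unless the SCALE questions (outside this view) always supply it, use `concat (default (list) .Values.args) $tplArgs.args`.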