Skip to content

Instantly share code, notes, and snippets.

@mlbiam

mlbiam/openunison-vcluster-values.yaml

Last active December 18, 2023 06:15
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save mlbiam/c22f982da9c4164a4ee1aa4c1dd9a664 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save mlbiam/c22f982da9c4164a4ee1aa4c1dd9a664 to your computer and use it in GitHub Desktop.
Download ZIP
vcluster-blog
Raw
openunison-vcluster-values.yaml
network:
openunison_host: "k8sou.apps.212.2.242.251.nip.io"
dashboard_host: "k8sdb.apps.212.2.242.251.nip.io"
api_server_host: "k8sapi.apps.212.2.242.251.nip.io"
session_inactivity_timeout_seconds: 900
k8s_url: https://0.0.0.0:6443
force_redirect_to_tls: true
createIngressCertificate: true
ingress_type: nginx
ingress_annotations:
kubernetes.io/ingress.class: nginx
cert_template:
ou: "Kubernetes"
o: "MyOrg"
l: "My Cluster"
st: "State of Cluster"
c: "MyCountry"
image: docker.io/tremolosecurity/openunison-k8s:latest
myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: vcluster-control-plane
enable_impersonation: true
impersonation:
use_jetstack: true
jetstack_oidc_proxy_image: docker.io/tremolosecurity/kube-oidc-proxy:latest
explicit_certificate_trust: true
dashboard:
namespace: "kubernetes-dashboard"
cert_name: "kubernetes-dashboard-certs"
label: "k8s-app=kubernetes-dashboard"
service_name: kubernetes-dashboard
certs:
use_k8s_cm: false
trusted_certs:
- name: ldaps
pem_b64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURlekNDQW1PZ0F3SUJBZ0lFR2owUUZ6QU5CZ2txaGtpRzl3MEJBUXNGQURCdE1Rd3dDZ1lEVlFRR0V3TmsKWlhZeEREQUtCZ05WQkFnVEEyUmxkakVNTUFvR0ExVUVCeE1EWkdWMk1Rd3dDZ1lEVlFRS0V3TmtaWFl4RERBSwpCZ05WQkFzVEEyUmxkakVsTUNNR0ExVUVBeE1jWVhCaFkyaGxaSE11WVdOMGFYWmxaR2x5WldOMGIzSjVMbk4yCll6QWdGdzB5TVRBM01EVXdNRFV6TWpoYUdBOHlNVEl4TURZeE1UQXdOVE15T0Zvd2JURU1NQW9HQTFVRUJoTUQKWkdWMk1Rd3dDZ1lEVlFRSUV3TmtaWFl4RERBS0JnTlZCQWNUQTJSbGRqRU1NQW9HQTFVRUNoTURaR1YyTVF3dwpDZ1lEVlFRTEV3TmtaWFl4SlRBakJnTlZCQU1USEdGd1lXTm9aV1J6TG1GamRHbDJaV1JwY21WamRHOXllUzV6CmRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDNlNVQUJRSUZkYnRwZGJ3WEEKT05ablJVQlFBMEVyK2hWYmkxUHNWSnNaaUlGZjhJRC8xZXBPN0M4QlViVXN1U3dWWkc5ZEJIV3o0RFBwWUUrKwp2dmxrTEs1cEdiTnJQbDdFd241clJLRE5PeVR5ZUNBcFMzSVNsRW1iaVNQUjBuYXd5ckpoNjhQQ0I1bURSNTNmCmh1bFhPQ0dTd3ZNN2RwM2RPc3lFQmRlVkw3aTFnbkJNYi9wN05YdTN5WmlWaDlpS3pqaENrZndqL0VsNTZaUHEKYmsvOGtQN0xBdTFvZGJWTkZGSUx5clB6SFBFU3I3N0preHcvKytPTmhtblA2UFBiU3FtRm0rcUVEYWhQanBFZgpscUdaY3BsOEZ0VXBzTG5JK3B4blI5eWU5ZUNpVDVuaDhlTEhobkVFNzFpVE1rb2xrSHdxSm5xV1R3ZlF2b1g5CkM2SERBZ01CQUFHaklUQWZNQjBHQTFVZERnUVdCQlRjOGlDU055NnhSM2M5OU1aYkZUODgzREs1V0RBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFOMEkwZnJDSzdYNGRHRmpGLzFpb3czUUwvbTcwemVIemlQVVFFUUdONXBFMwpyMlZZL0ZHWGdNV0tFSXpHa2hMZW5CUXRxRE5Pbm4vL1JjK0Y2anM1RkNOVXhaT2V4ekl2aElhY0M4YUhzRWpFClRnclI5OWNqUVdsdzFhSVF0YUhkSmVqYXdYcU50YU1FMSt4RlJBQTNCWUF1T3BveW9wQ0NoMXdJaTEvQk84TlQKVmFaancxQU8xd1ZUaTJ3SUtCSUp1Z0N2T0dYZEt3YzBuL0I4bzRRQkpScklRZEJnbzJVNjFBbkMxaWM4b0d3RwpxekN1V0dDenZjam9xNWFNcTliS0YyNHBQaDR3cWZMZnZGdWNsYmFIUlBiSmpxT3l0V3gzczhNV0lvRUNzdlhLCnhIYmJvSnU0c1AwLzRBMGQ4K25OOXI1MU8xalFaWHd0b3hwenFTV2ZlZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
monitoring:
prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
network_policies:
enabled: false
ingress:
enabled: true
labels:
app.kubernetes.io/name: ingress-nginx
monitoring:
enabled: true
labels:
app.kubernetes.io/name: monitoring
apiserver:
enabled: false
labels:
app.kubernetes.io/name: kube-system
active_directory:
base: DC=domain,DC=com
host: "apacheds.activedirectory.svc"
port: "10636"
bind_dn: "cn=ou_svc_account,ou=Users,DC=domain,DC=com"
con_type: ldaps
srv_dns: "false"
database:
hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect
quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate
driver: com.mysql.jdbc.Driver
url: jdbc:mysql://mariadb.mariadb.svc:3306/unison
user: unison
validation: SELECT 1
smtp:
host: blackhole.blackhole.svc.cluster.local
port: 1025
user: "none"
from: [email protected]
tls: false
openunison:
enable_provisioning: true
use_standard_jit_workflow: false
replicas: 1
non_secret_data:
K8S_DB_SSO: oidc
SHOW_PORTAL_ORGS: "true"
VCLUSTER_DOMAIN_ROOT: "vclusters.212.2.242.251.nip.io"
K8S_DEPLOYMENT_NAME: "vcluster Control Plane"
secrets: []
html:
image: docker.io/tremolosecurity/openunison-k8s-html:latest
naas:
workflows:
new_namespace:
post_namespace_create_workflow: check-for-vcluster
groups:
internal:
enabled: true
external:
enabled: false
forms:
new_namespace:
additional_attributes:
- name: tenant_type
displayName: Tenant Type
regEx: ".*"
regExFailedMsg: "Invalid option"
minChars: 0
maxChars: 0
unique: false
type: list
values:
Namespace: "namespace"
vcluster: "vcluster"
operator:
image: docker.io/tremolosecurity/openunison-operator
Raw
vcluster-extensions.yaml
---
apiVersion: openunison.tremolo.io/v1
kind: OUJob
metadata:
name: wait-for
namespace: openunison
spec:
className: com.tremolosecurity.provisioning.jobs.WaitForJob
cronSchedule:
dayOfMonth: '*'
dayOfWeek: '?'
hours: '*'
minutes: '*'
month: '*'
seconds: '*/10'
year: '*'
group: admin
params:
- name: target
value: k8s
- name: namespace
value: openunison
---
apiVersion: openunison.tremolo.io/v1
kind: Workflow
metadata:
name: check-for-vcluster
namespace: openunison
spec:
description: checks for vcluster, and if requested creates it
inList: false
label: do nothing
orgId: x
tasks: |-
- taskType: customTask
className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask
params:
javaScript: |-
function init(task,params) {
state.put("workflow_obj",task.getWorkflow());
}
function reInit(task) {
state.put("workflow_obj",task.getWorkflow());
}
function doTask(user,request) {
Attribute = Java.type("com.tremolosecurity.saml.Attribute");
user.getAttribs().put("tenant_type",new Attribute("tenant_type",request.get("tenant_type").toString()));
return true;
}
- taskType: customTask
className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo
params:
message: pre-tenant-check
- taskType: ifAttrHasValue
name: tenant_type
value: "vcluster"
onSuccess:
- taskType: callWorkflow
name: vcluster-post-namespace-create
---
apiVersion: openunison.tremolo.io/v1
kind: Workflow
metadata:
name: vcluster-post-namespace-create
namespace: openunison
spec:
description: Create vCluster
inList: false
label: do nothing
orgId: x
tasks: |-
- taskType: customTask
className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
params:
targetName: $cluster$
template: |-
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vcluster-audit-logs
namespace: $nameSpace$
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
kind: PersistentVolumeClaim
url: /api/v1/namespaces/$nameSpace$/persistentvolumeclaims
srcType: yaml
writeToRequest: "$useGit$"
requestAttribute: git-secret-cluster-k8s-$nameSpace$
path: /yaml/ns/$nameSpace$/persistentvolumeclaims/vcluster-audit-logs.yaml
- taskType: customTask
className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
params:
targetName: $cluster$
template: |-
---
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-audit-policy
namespace: $nameSpace$
data:
k8s-audit-policy.yaml: "apiVersion: audit.k8s.io/v1\r\nkind: Policy\r\nrules:\r\n # The following requests were manually identified as high-volume and low-risk,\r\n # so drop them.\r\n - level: None\r\n users: [\"system:kube-proxy\"]\r\n verbs: [\"watch\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"endpoints\", \"services\", \"services/status\"]\r\n - level: None\r\n # Ingress controller reads 'configmaps/ingress-uid' through the unsecured port.\r\n # TODO(#46983): Change this to the ingress controller service account.\r\n users: [\"system:unsecured\"]\r\n namespaces: [\"kube-system\"]\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"configmaps\"]\r\n - level: None\r\n users: [\"kubelet\"] # legacy kubelet identity\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes\", \"nodes/status\"]\r\n - level: None\r\n userGroups: [\"system:nodes\"]\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes\", \"nodes/status\"]\r\n - level: None\r\n users:\r\n - system:kube-controller-manager\r\n - system:kube-scheduler\r\n - system:serviceaccount:kube-system:endpoint-controller\r\n verbs: [\"get\", \"update\"]\r\n namespaces: [\"kube-system\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"endpoints\"]\r\n - level: None\r\n users: [\"system:apiserver\"]\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\r\n - level: None\r\n users: [\"cluster-autoscaler\"]\r\n verbs: [\"get\", \"update\"]\r\n namespaces: [\"kube-system\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"configmaps\", \"endpoints\"]\r\n # Don't log HPA fetching metrics.\r\n - level: None\r\n users:\r\n - system:kube-controller-manager\r\n verbs: [\"get\", \"list\"]\r\n resources:\r\n - group: \"metrics.k8s.io\"\r\n\r\n # Don't log these read-only URLs.\r\n - level: None\r\n nonResourceURLs:\r\n - /healthz*\r\n - /version\r\n - /swagger*\r\n\r\n # Don't log events requests.\r\n - level: None\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"events\"]\r\n\r\n # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\r\n - level: Request\r\n users: [\"kubelet\", \"system:node-problem-detector\", \"system:serviceaccount:kube-system:node-problem-detector\"]\r\n verbs: [\"update\",\"patch\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes/status\", \"pods/status\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n - level: Request\r\n userGroups: [\"system:nodes\"]\r\n verbs: [\"update\",\"patch\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes/status\", \"pods/status\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n\r\n # deletecollection calls can be large, don't log responses for expected namespace deletions\r\n - level: Request\r\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\r\n verbs: [\"deletecollection\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n\r\n # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,\r\n # so only log at the Metadata level.\r\n - level: Metadata\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"secrets\", \"configmaps\"]\r\n - group: authentication.k8s.io\r\n resources: [\"tokenreviews\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n # Get repsonses can be large; skip them.\r\n - level: Request\r\n verbs: [\"get\", \"list\", \"watch\"]\r\n resources:\r\n - group: \"\" # core\r\n - group: \"admissionregistration.k8s.io\"\r\n - group: \"apiextensions.k8s.io\"\r\n - group: \"apiregistration.k8s.io\"\r\n - group: \"apps\"\r\n - group: \"authentication.k8s.io\"\r\n - group: \"authorization.k8s.io\"\r\n - group: \"autoscaling\"\r\n - group: \"batch\"\r\n - group: \"certificates.k8s.io\"\r\n - group: \"extensions\"\r\n - group: \"metrics.k8s.io\"\r\n - group: \"networking.k8s.io\"\r\n - group: \"node.k8s.io\"\r\n - group: \"policy\"\r\n - group: \"rbac.authorization.k8s.io\"\r\n - group: \"scheduling.k8s.io\"\r\n - group: \"settings.k8s.io\"\r\n - group: \"storage.k8s.io\"\r\n omitStages:\r\n - \"RequestReceived\"\r\n # Default level for known APIs\r\n - level: RequestResponse\r\n resources:\r\n - group: \"\" # core\r\n - group: \"admissionregistration.k8s.io\"\r\n - group: \"apiextensions.k8s.io\"\r\n - group: \"apiregistration.k8s.io\"\r\n - group: \"apps\"\r\n - group: \"authentication.k8s.io\"\r\n - group: \"authorization.k8s.io\"\r\n - group: \"autoscaling\"\r\n - group: \"batch\"\r\n - group: \"certificates.k8s.io\"\r\n - group: \"extensions\"\r\n - group: \"metrics.k8s.io\"\r\n - group: \"networking.k8s.io\"\r\n - group: \"node.k8s.io\"\r\n - group: \"policy\"\r\n - group: \"rbac.authorization.k8s.io\"\r\n - group: \"scheduling.k8s.io\"\r\n - group: \"settings.k8s.io\"\r\n - group: \"storage.k8s.io\"\r\n omitStages:\r\n - \"RequestReceived\"\r\n # Default level for all other requests.\r\n - level: Metadata\r\n omitStages:\r\n - \"RequestReceived\"\r\n"
kind: ConfigMap
url: /api/v1/namespaces/$nameSpace$/configmaps
srcType: yaml
writeToRequest: "$useGit$"
requestAttribute: git-secret-cluster-k8s-$nameSpace$
path: /yaml/ns/$nameSpace$/configmaps/k8s-audit-policy.yaml
- taskType: customTask
className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
params:
targetName: $cluster$
template: |-
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
name: vcluster
namespace: $nameSpace$
spec:
controlPlaneRef:
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: VCluster
name: vcluster
infrastructureRef:
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: VCluster
name: vcluster
kind: Cluster
url: /apis/cluster.x-k8s.io/v1beta1/namespaces/$nameSpace$/clusters
srcType: yaml
writeToRequest: "$useGit$"
requestAttribute: git-secret-cluster-k8s-$nameSpace$
path: /yaml/ns/$nameSpace$/clusters/vcluster.yaml
- taskType: customTask
className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
params:
targetName: $cluster$
template: |-
---
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: VCluster
metadata:
name: vcluster
namespace: $nameSpace$
spec:
controlPlaneEndpoint:
host: ""
port: 0
helmRelease:
chart:
name: null
repo: null
version: null
values: |-
#sync:
# nodes:
# enabled: true
volumes:
- name: audit-policy-volume
configMap:
name: k8s-audit-policy
- name: audit-log-data
persistentVolumeClaim:
claimName: vcluster-audit-logs
vcluster:
volumeMounts:
# keep data volume mount!
- mountPath: /data
name: data
- mountPath: /var/lib/rancher/k3s/server/log-config
name: audit-policy-volume
- mountPath: /var/lib/rancher/k3s/server/logs
name: audit-log-data
extraArgs:
- "--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'"
- "--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/log-config/k8s-audit-policy.yaml'"
kubernetesVersion: 1.23.0
kind: VCluster
url: /apis/infrastructure.cluster.x-k8s.io/v1alpha1/namespaces/$nameSpace$/vclusters
srcType: yaml
writeToRequest: "$useGit$"
requestAttribute: git-secret-cluster-k8s-$nameSpace$
path: /yaml/ns/$nameSpace$/vclusters/vcluster.yaml
- taskType: customTask
className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
params:
targetName: $cluster$
template: |-
---
apiVersion: v1
kind: ConfigMap
metadata:
name: helm-values-$WORKFLOW_ID$-$nameSpace$-yaml
namespace: openunison
data:
values.yaml: |-
vcluster:
label: vcluster-$nameSpace$
name: vcluster
namespace: $nameSpace$
api_server_host: k8sapi.$nameSpace$.#[VCLUSTER_DOMAIN_ROOT]
dashboard_host: k8sdb.$nameSpace$.#[VCLUSTER_DOMAIN_ROOT]
openunison_host: k8sou.$nameSpace$.#[VCLUSTER_DOMAIN_ROOT]
createIngressCertificate: true
ingress_annotations: {}
az_groups:
- k8s-namespace-administrators-$cluster$-$nameSpace$-internal
- k8s-namespace-administrators-$cluster$-$nameSpace$-external
kind: ConfigMap
url: /api/v1/namespaces/openunison/configmaps
srcType: yaml
writeToRequest: "$useGit$"
requestAttribute: git-secret-cluster-k8s-$nameSpace$
path: /yaml/ns/$nameSpace$/configmaps/k8s-audit-policy.yaml
- taskType: customTask
className: com.tremolosecurity.provisioning.tasks.WaitForStatus
params:
holdingTarget: k8s
namespace: openunison
target: $cluster$
uri: /apis/apps/v1/namespaces/$nameSpace$/statefulsets/vcluster
label: wait-for-vcluster
conditions:
- .status.readyReplicas=1
- .status.replicas=1
- taskType: customTask
className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
params:
targetName: k8s
template: |-
---
kind: Job
apiVersion: batch/v1
metadata:
name: helm-install-vcluster-$nameSpace$
namespace: openunison
spec:
parallelism: 1
completions: 1
backoffLimit: 3
selector:
matchLabels:
job-name: helm-install-vcluster-$nameSpace$
template:
metadata:
name: helm-install-vcluster-$nameSpace$
namespace: openunison
labels:
job-name: helm-install-vcluster-$nameSpace$
spec:
containers:
- args:
- /usr/local/openunison/run-helm.sh
image: docker.io/mlbiam/vcluster-onboard
imagePullPolicy: Always
name: helm-install
resources: {}
volumeMounts:
- mountPath: /etc/openunison
name: vcluster-helm-values
env:
- name: TREMOLO_HELM_REPO
value: "https://nexus.tremolo.io/repository/helm/"
- name: HELM_DEPLOYMENT
value: helm-install-vcluster-$nameSpace$
- name: HELM_CHART
value: vcluster-onboard
- name: TARGET_NAMESPACE
value: openunison
- name: PATH_TO_VALUES
value: /etc/openunison/values.yaml
dnsPolicy: ClusterFirst
serviceAccount: openunison-orchestra
serviceAccountName: openunison-orchestra
restartPolicy: OnFailure
volumes:
- name: vcluster-helm-values
configMap:
name: helm-values-$WORKFLOW_ID$-$nameSpace$-yaml
kind: Job
url: /apis/batch/v1/namespaces/openunison/jobs
srcType: yaml
writeToRequest: "$useGit$"
requestAttribute: git-secret-cluster-k8s-$nameSpace$
path: /yaml/ns/$nameSpace$/configmaps/k8s-audit-policy.yaml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment