From 6e2c4bb10cd7879a1787f0328e34fe065bcab178 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Thu, 19 Mar 2026 16:09:57 +0100 Subject: [PATCH 1/7] Update cow-demo --- charts/cow-demo/Chart.yaml | 4 ++-- charts/cow-demo/values.yaml | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/cow-demo/Chart.yaml b/charts/cow-demo/Chart.yaml index 60c7535..279290a 100644 --- a/charts/cow-demo/Chart.yaml +++ b/charts/cow-demo/Chart.yaml @@ -1,8 +1,8 @@ -apiVersion: v2 +apiVersion: v2 name: cow-demo description: Helm chart for Cow Demo Application type: application -version: 0.2.2 +version: 0.2.3 appVersion: "2.0.0" maintainers: - name: devpro diff --git a/charts/cow-demo/values.yaml b/charts/cow-demo/values.yaml index 6267a01..8875120 100644 --- a/charts/cow-demo/values.yaml +++ b/charts/cow-demo/values.yaml @@ -1,6 +1,7 @@ -name: cow-demo +name: cow-demo image: devprofr/cow-demo -tag: 1.0.8830193847 +# images are hosted on DockerHub: https://hub.docker.com/r/devprofr/cow-demo/tags +tag: 1.0.23271988100 replicaCount: 2 port: 80 ingress: From 09a0f6229ec4c69e827ee3d486176810a43503f7 Mon Sep 17 00:00:00 2001 
From: Bertrand THOMAS
Date: Thu, 19 Mar 2026 16:15:58 +0100
Subject: [PATCH 2/7] Add keeptrack chart
---
charts/keeptrack/.helmignore | 23 +++++
charts/keeptrack/CONTRIBUTING.md | 24 +++++
charts/keeptrack/Chart.yaml | 15 +++
charts/keeptrack/README.md | 35 +++++++
charts/keeptrack/templates/NOTES.txt | 0
charts/keeptrack/templates/_helpers.tpl | 0
charts/keeptrack/templates/deployment.yaml | 102 +++++++++++++++++++++
charts/keeptrack/templates/ingress.yaml | 50 ++++++++++
charts/keeptrack/templates/service.yaml | 23 +++++
charts/keeptrack/values.yaml | 86 +++++++++++++++++
10 files changed, 358 insertions(+)
create mode 100644 charts/keeptrack/.helmignore
create mode 100644 charts/keeptrack/CONTRIBUTING.md
create mode 100644 charts/keeptrack/Chart.yaml
create mode 100644 charts/keeptrack/README.md
create mode 100644 charts/keeptrack/templates/NOTES.txt
create mode 100644 charts/keeptrack/templates/_helpers.tpl
create mode 100644 charts/keeptrack/templates/deployment.yaml
create mode 100644 charts/keeptrack/templates/ingress.yaml
create mode 100644 charts/keeptrack/templates/service.yaml
create mode 100644 charts/keeptrack/values.yaml
diff --git a/charts/keeptrack/.helmignore b/charts/keeptrack/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/keeptrack/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/keeptrack/CONTRIBUTING.md b/charts/keeptrack/CONTRIBUTING.md
new file mode 100644
index 0000000..c5edf3c
--- /dev/null
+++ b/charts/keeptrack/CONTRIBUTING.md
@@ -0,0 +1,24 @@
+# Contributing guide
+
+## Update chart dependencies
+
+1. Add Bitnami chart repository:
+
+ ```bash
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo update
+ ```
+
+2. Search for the latest version:
+
+ ```bash
+ helm search repo -l bitnami/mongodb --versions
+ ```
+
+3. Edit manually `Chart.yaml` with the new version
+
+4. Update `Chart.lock`:
+
+ ```bash
+ helm dependency update
+ ```
diff --git a/charts/keeptrack/Chart.yaml b/charts/keeptrack/Chart.yaml
new file mode 100644
index 0000000..edb7827
--- /dev/null
+++ b/charts/keeptrack/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: keeptrack
+description: Helm chart for Keeptrack
+type: application
+version: 0.1.0
+appVersion: "1.1.18203306613"
+dependencies:
+ - name: mongodb
+ version: 18.6.16 # MongoDB 8.2.6
+ repository: https://charts.bitnami.com/bitnami
+ alias: mongodb
+ condition: mongodb.enabled
+maintainers:
+ - name: devpro
+ email: bertrand@devpro.fr
diff --git a/charts/keeptrack/README.md b/charts/keeptrack/README.md
new file mode 100644
index 0000000..cf12ad1
--- /dev/null
+++ b/charts/keeptrack/README.md
@@ -0,0 +1,35 @@
+# Helm chart for Devpro Keeptrack
+
+This is the official Helm chart to install [Keeptrack](https://github.com/devpro/keeptrack) on a Kubernetes cluster.
+
+## Getting started
+
+Start with the [documentation](https://kwt.devpro.fr/custom-charts/keeptrack.html).
+
+## Usage
+
+Add [Helm](https://helm.sh) repository:
+
+```bash
+helm repo add devpro https://devpro.github.io/helm-charts
+helm repo update
+```
+
+Create the `values.yaml` file to override [default values](values.yaml).
+
+Install the application:
+
+```bash
+helm upgrade --install keeptrack devpro/keeptrack -f values.yaml --create-namespace --namespace keeptrack
+```
+
+Uninstall the chart and clean-up the cluster:
+
+```bash
+helm delete keeptrack
+kubectl delete ns keeptrack
+```
+
+## Development
+
+Look at the [Contributing guide](CONTRIBUTING.md).
diff --git a/charts/keeptrack/templates/NOTES.txt b/charts/keeptrack/templates/NOTES.txt
new file mode 100644
index 0000000..e69de29
diff --git a/charts/keeptrack/templates/_helpers.tpl b/charts/keeptrack/templates/_helpers.tpl
new file mode 100644
index 0000000..e69de29
diff --git a/charts/keeptrack/templates/deployment.yaml b/charts/keeptrack/templates/deployment.yaml
new file mode 100644
index 0000000..79272b5
--- /dev/null
+++ b/charts/keeptrack/templates/deployment.yaml
@@ -0,0 +1,102 @@
+{{- $applications := list .Values.front .Values.adapter .Values.data -}}
+{{ range $applications }}
+{{- $name := .name -}}
+{{- if .enabled -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .name }}
+ labels:
+ app: {{ .name }}
+ app.kubernetes.io/name: {{ .name }}
+spec:
+ replicas: {{ .replicaCount }}
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: {{ .name }}
+ app.kubernetes.io/name: {{ .name }}
+ template:
+ metadata:
+ labels:
+ app: {{ $name }}
+ app.kubernetes.io/name: {{ $name }}
+ {{- if .additionalPodLabels }}
+ {{- toYaml .additionalPodLabels | nindent 8 }}
+ {{- end }}
+ spec:
+ containers:
+ - name: {{ .name }}
+ image: {{ .image }}:{{ .tag }}
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: {{ .port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: {{ .healthEndpoint }}
+ port: http
+ readinessProbe:
+ httpGet:
+ path: {{ .healthEndpoint }}
+ port: http
+ resources:
+ {{- toYaml .resources | nindent 12 }}
+ env:
+ {{- if .extraEnv }}
+ {{- toYaml .extraEnv | nindent 12 }}
+ {{- end }}
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: ASPNETCORE_ENVIRONMENT
+ value: "{{ $.Values.dotnet.environment }}"
+ - name: Logging__LogLevel__Default
+ value: {{ $.Values.dotnet.logLevels.default }}
+ - name: Logging__LogLevel__Microsoft.AspNetCore
+ value: {{ $.Values.dotnet.logLevels.framework }}
+ - name: Logging__LogLevel__Devpro
+ value: {{ $.Values.dotnet.logLevels.application }}
+ {{- if $.Values.dotnet.httpsRedirectionEnabled }}
+ - name: Features__IsHttpsRedirectionEnabled
+ value: "true"
+ {{- end }}
+ {{- if $.Values.dotnet.scalarEnabled }}
+ - name: Features__IsScalarEnabled
+ value: "true"
+ {{- end }}
+ {{- if eq .role "frontend" }}
+ - name: WebApi__BaseUrl
+ value: "http://{{ $.Values.webapi.name }}"
+ - name: Firebase__WebAppConfiguration__ApiKey
+ value: "{{ $.Values.firebase.webApp.apiKey }}"
+ - name: 
Firebase__WebAppConfiguration__AuthDomain
+ value: "{{ $.Values.firebase.webApp.authDomain }}"
+ - name: Firebase__WebAppConfiguration__ProjectId
+ value: "{{ $.Values.firebase.webApp.projectId }}"
+ - name: Firebase__ServiceAccount
+ value: "{{ $.Values.firebase.serviceAccount }}"
+ {{- else if eq .role "backend" }}
+ - name: AllowedOrigins__0
+ value: "https://{{ $.Values.blazorapp.host }}"
+ - name: AllowedOrigins__0
+ value: "http://{{ $.Values.blazorapp.name }}"
+ - name: Authentication__JwtBearer__Authority
+ value: "https://securetoken.google.com/{{ $.Values.firebase.webApp.projectId }}"
+ - name: Authentication__JwtBearer__TokenValidation__Audience
+ value: "{{ $.Values.firebase.webApp.projectId }}"
+ - name: Authentication__JwtBearer__TokenValidation__Issuer
+ value: "https://securetoken.google.com/{{ $.Values.firebase.webApp.projectId }}"
+ - name: Infrastructure__MongoDB__ConnectionString
+ value: {{ .db.connectionString }}
+ - name: Infrastructure__MongoDB__DatabaseName
+ value: {{ .db.databaseName }}
+ {{- end }}
+ restartPolicy: Always
+{{- end }}
+{{ end }}
diff --git a/charts/keeptrack/templates/ingress.yaml b/charts/keeptrack/templates/ingress.yaml
new file mode 100644
index 0000000..f4823cd
--- /dev/null
+++ b/charts/keeptrack/templates/ingress.yaml
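Review bot: In the `backend` branch `AllowedOrigins__0` is declared twice — once with `https://{{ $.Values.blazorapp.host }}` and once with `http://{{ $.Values.blazorapp.name }}` — so only one of the two CORS origins can take effect and the public https origin is the likely casualty; the second entry should be `- name: AllowedOrigins__1`. The same duplicated pair is carried unchanged as context into the deployment.yaml hunks of patches 3/7 and 5/7. Separately, `value: {{ .db.connectionString }}` and `value: {{ .db.databaseName }}` are the only credential entries rendered unquoted (the Firebase entries are quoted), so the empty defaults in values.yaml render as a bare `value:` and a string starting with a YAML indicator such as `*`, `&` or `{` is reinterpreted by the parser; `| quote` both here and in the 5/7 fallback branches.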
@@ -0,0 +1,50 @@
+{{- $applications := list .Values.front .Values.adapter .Values.data -}}
+{{ range $applications }}
+{{- $name := .name -}}
+{{- if and $.Values.ingress.enabled .enabled .host -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $name }}
+ {{- with $.Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if $.Values.ingress.className }}
+ ingressClassName: {{ $.Values.ingress.className }}
+ {{- end }}
+ rules:
+ - host: {{ .host }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ $name }}
+ port:
+ number: 80
+ {{- range .ingressExtraHosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ pathType: {{ .pathType }}
+ backend:
+ service:
+ name: {{ $name }}
+ port:
+ number: 80
+ {{- end }}
+ {{- end }}
+ {{- if .tls }}
+ tls:
+ - hosts:
+ - {{ .host | quote }}
+ secretName: {{ .tls.secretName }}
+ {{- end }}
+{{- end }}
+{{ end }}
diff --git a/charts/keeptrack/templates/service.yaml b/charts/keeptrack/templates/service.yaml
new file mode 100644
index 0000000..cdfec3a
--- /dev/null
+++ b/charts/keeptrack/templates/service.yaml
@@ -0,0 +1,23 @@
+{{- $applications := list .Values.front .Values.adapter .Values.data -}}
+{{ range $applications }}
+{{- if .enabled -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: {{ .name }}
+ app.kubernetes.io/name: {{ .name }}
+ name: {{ .name }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: {{ .name }}
+ app.kubernetes.io/name: {{ .name }}
+{{- end }}
+{{ end }}
diff --git a/charts/keeptrack/values.yaml b/charts/keeptrack/values.yaml
new file mode 100644
index 0000000..c401853
--- /dev/null
+++ b/charts/keeptrack/values.yaml
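Review bot: The first rule renders `host: {{ .host }}` unquoted while the `ingressExtraHosts` rules and the `tls.hosts` entry use `{{ .host | quote }}`; an unquoted wildcard host such as `*.example.com` is read as a YAML alias and aborts the render, so use `- host: {{ .host | quote }}` for the primary rule and `secretName: {{ .tls.secretName | quote }}` for symmetry. The `{{- if .tls }}` guard is effectively always true because values.yaml sets `tls.secretName` for both applications, so a user who wants a plain-HTTP Ingress has to override `tls` to an empty value — worth a comment above `tls:` in values.yaml. `ingressExtraHosts` has no example in values.yaml, and `{{ .path }}` / `{{ .pathType }}` carry no default, so an extra host entry without `pathType` renders an empty field that the API server rejects as a required value.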
@@ -0,0 +1,86 @@
+blazorapp:
+ enabled: true
+ role: frontend
+ name: keeptrack-blazorapp
+ image: docker.io/devprofr/keeptrack-blazorapp
+ port: 8080
+ healthEndpoint: /health
+ tls:
+ secretName: keeptrack-blazorapp-tls
+ # optional
+ replicaCount: 1
+ tag: 1.1.23099092819 # ref. https://hub.docker.com/r/devprofr/keeptrack-blazorapp/tags
+ resources: {}
+ # limits:
+ # cpu: 200m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ extraEnv: []
+ # - name: xxx
+ # value: "yyyy"
+ additionalPodLabels: {}
+ # mandatory
+ host: ""
+
+webapi:
+ enabled: true
+ role: backend
+ name: keeptrack-webapi
+ image: docker.io/devprofr/keeptrack-webapi
+ port: 8080
+ healthEndpoint: /health
+ tls:
+ secretName: keeptrack-webapi-tls
+ # optional
+ host: ""
+ replicaCount: 1
+ tag: 1.1.23099092819 # ref. https://hub.docker.com/r/devprofr/keeptrack-webapi/tags
+ resources: {}
+ extraEnv: []
+ additionalPodLabels: {}
+ # mandatory
+ db:
+ connectionString: ""
+ databaseName: ""
+
+dotnet:
+ environment: Production
+ logLevels:
+ default: Information
+ framework: Information
+ application: Information
+ scalarEnabled: false
+ httpsRedirectionEnabled: false
+
+# mandatory
+firebase:
+ webApp:
+ apiKey: ""
+ authDomain: ""
+ projectId: ""
+ serviceAccount: ""
+
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # cert-manager.io/cluster-issuer: letsencrypt-prod
+
+# embedded chart configuration: https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml
+mongodb:
+ enabled: false
+ global:
+ # imageRegistry: ""
+ # imagePullSecrets: []
+ # defaultStorageClass: ""
+ # storageClass: ""
+ security:
+ allowInsecureImages: true
+ image:
+ registry: docker.io
+ repository: bitnami/mongodb # other options: chainguard/mongodb
+ tag: latest # IMPORTANT: latest should never be used in Production
+ auth: {}
+ # rootPassword: ""
From afe94cebebe0bf45e4f68d1206b7d7b634db1795 Mon Sep 17 00:00:00 2001
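Review bot: `mongodb.global.security.allowInsecureImages: true` ships in the defaults while the default `image.repository` is still `bitnami/mongodb`; that switch skips the subchart's image verification on every install, and together with `tag: latest` it leaves the database image both unverified and unpinned out of the box. Presumably it is there so the `latest` tag or the `chainguard/mongodb` alternative named in the comment passes the check, but that is an opt-in the user should make in their own values: leave the flag unset here, pin `image.tag` to the release the Chart.yaml comment names (MongoDB 8.2.6), and say in the comment that the flag is only needed when swapping repositories. `auth: {}` with `# rootPassword: ""` as the only hint steers users towards a plain-text password in values; adding `# existingSecret: ""` beside it points at the subchart's secret-backed option.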
From: Bertrand THOMAS Date: Thu, 19 Mar 2026 17:46:04 +0100 Subject: [PATCH 3/7] Validate chart --- .gitignore | 3 +- charts/keeptrack/CONTRIBUTING.md | 64 +++++++++++++++++++++- charts/keeptrack/Chart.lock | 6 ++ charts/keeptrack/templates/deployment.yaml | 6 +- charts/keeptrack/templates/ingress.yaml | 2 +- charts/keeptrack/templates/service.yaml | 2 +- charts/keeptrack/values.yaml | 14 ++++- 7 files changed, 88 insertions(+), 9 deletions(-) create mode 100644 charts/keeptrack/Chart.lock diff --git a/.gitignore b/.gitignore index 27148cd..6bd3786 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ -# local downloaded chart compressed files +# local downloaded chart compressed files /**/charts/*.tgz # local temporary files @@ -7,6 +7,7 @@ temp.sh /charts/temp/ values_*.y*ml values.mine.y*ml +kubeconfig # NPM packages node_modules/ diff --git a/charts/keeptrack/CONTRIBUTING.md b/charts/keeptrack/CONTRIBUTING.md index c5edf3c..e1c736a 100644 --- a/charts/keeptrack/CONTRIBUTING.md +++ b/charts/keeptrack/CONTRIBUTING.md @@ -1,4 +1,4 @@ -# Contributing guide +# Contribution guide ## Update chart dependencies 
@@ -22,3 +22,65 @@
 ```bash
 helm dependency update
 ```
+
+## Validate on a test cluster
+
+Create `values.mine.yaml` file:
+
+```yaml
+blazorapp:
+ host: keeptrack.console.$SANDBOX_ID.instruqt.io
+
+webapi:
+ db:
+ connectionString: mongodb://root:admin@keeptrack-mongodb:27017/keeptrack_beta?authSource=admin
+ databaseName: keeptrack_beta
+
+firebase:
+ webApp:
+ apiKey: "***"
+ projectId: "***"
+ serviceAccount: "***"
+ serviceAccount:
+ type: "service_account"
+ project_id: "***"
+ private_key_id: "***"
+ private_key: "***"
+ client_email: "***"
+ client_id: "***"
+ auth_uri: "***"
+ token_uri: "***"
+ auth_provider_x509_cert_url: "***"
+ client_x509_cert_url: "***"
+ universe_domain: "***"
+
+dotnet:
+ environment: Development
+
+ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+
+mongodb:
+ enabled: true
+ auth:
+ rootPassword: admin
+```
+
+Review the manifest:
+
+```bash
+helm template keeptrack . -f values.yaml -f values.mine.yaml --namespace keeptrack --debug > temp.yaml
+```
+
+Install or update the application:
+
+```bash
+helm upgrade --install keeptrack . -f values.yaml -f values.mine.yaml --namespace keeptrack --create-namespace
+```
+
+Add `keeptrack.console.$SANDBOX_ID.instruqt.io` in the authorized domains in Firebase > (myproject) > Authentication > Settings.
+
+Open the web application in a browser.
diff --git a/charts/keeptrack/Chart.lock b/charts/keeptrack/Chart.lock
new file mode 100644
index 0000000..d366ca7
--- /dev/null
+++ b/charts/keeptrack/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: mongodb
+ repository: https://charts.bitnami.com/bitnami
+ version: 18.6.16
+digest: sha256:889cbf07e49e630d28dc8a1c72fdd0465f3f0f0c1601b3be559940108bb50ab2
+generated: "2026-03-19T17:02:27.786367209+01:00"
diff --git a/charts/keeptrack/templates/deployment.yaml b/charts/keeptrack/templates/deployment.yaml
index 79272b5..4b8146d 100644
--- a/charts/keeptrack/templates/deployment.yaml
+++ b/charts/keeptrack/templates/deployment.yaml @@ -1,4 +1,4 @@ -{{- $applications := list .Values.front .Values.adapter .Values.data -}} +{{- $applications := list .Values.blazorapp .Values.webapi -}} {{ range $applications }} {{- $name := .name -}} {{- if .enabled -}} @@ -76,11 +76,11 @@ spec: - name: Firebase__WebAppConfiguration__ApiKey value: "{{ $.Values.firebase.webApp.apiKey }}" - name: Firebase__WebAppConfiguration__AuthDomain - value: "{{ $.Values.firebase.webApp.authDomain }}" + value: "{{ $.Values.firebase.webApp.projectId }}.firebaseapp.com" - name: Firebase__WebAppConfiguration__ProjectId value: "{{ $.Values.firebase.webApp.projectId }}" - name: Firebase__ServiceAccount - value: "{{ $.Values.firebase.serviceAccount }}" + value: {{ $.Values.firebase.serviceAccount | toJson | quote }} {{- else if eq .role "backend" }} - name: AllowedOrigins__0 value: "https://{{ $.Values.blazorapp.host }}" diff --git a/charts/keeptrack/templates/ingress.yaml b/charts/keeptrack/templates/ingress.yaml index f4823cd..1cd1f44 100644 --- a/charts/keeptrack/templates/ingress.yaml +++ b/charts/keeptrack/templates/ingress.yaml @@ -1,4 +1,4 @@ -{{- $applications := list .Values.front .Values.adapter .Values.data -}} +{{- $applications := list .Values.blazorapp .Values.webapi -}} {{ range $applications }} {{- $name := .name -}} {{- if and $.Values.ingress.enabled .enabled .host -}} diff --git a/charts/keeptrack/templates/service.yaml b/charts/keeptrack/templates/service.yaml index cdfec3a..717253e 100644 --- a/charts/keeptrack/templates/service.yaml +++ b/charts/keeptrack/templates/service.yaml @@ -1,4 +1,4 @@ -{{- $applications := list .Values.front .Values.adapter .Values.data -}} +{{- $applications := list .Values.blazorapp .Values.webapi -}} {{ range $applications }} {{- if .enabled -}} --- diff --git a/charts/keeptrack/values.yaml b/charts/keeptrack/values.yaml index c401853..04209ea 100644 --- a/charts/keeptrack/values.yaml +++ b/charts/keeptrack/values.yaml 
@@ -58,9 +58,19 @@ dotnet: firebase: webApp: apiKey: "" - authDomain: "" projectId: "" - serviceAccount: "" + serviceAccount: + type: "service_account" + project_id: "" + private_key_id: "" + private_key: "" + client_email: "" + client_id: "" + auth_uri: "" + token_uri: "" + auth_provider_x509_cert_url: "" + client_x509_cert_url: "" + universe_domain: "" ingress: enabled: false From d9b9c578a4c45db9e662c601c3a83ea3e5d39c17 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Thu, 19 Mar 2026 22:25:41 +0100 Subject: [PATCH 4/7] Update todoblazor app --- charts/todoblazor/CONTRIBUTING.md | 28 ++++++----------- charts/todoblazor/Chart.lock | 8 ++--- charts/todoblazor/Chart.yaml | 4 +-- charts/todoblazor/templates/deployment.yaml | 18 +---------- charts/todoblazor/templates/ingress.yaml | 2 +- charts/todoblazor/values.yaml | 35 +++++++++++---------- 6 files changed, 36 insertions(+), 59 deletions(-) diff --git a/charts/todoblazor/CONTRIBUTING.md b/charts/todoblazor/CONTRIBUTING.md index 8337cf9..13f79e5 100644 --- a/charts/todoblazor/CONTRIBUTING.md +++ b/charts/todoblazor/CONTRIBUTING.md @@ -26,7 +26,7 @@ helm dependency update ## Review the generated manifest ```bash -helm template todoblazor . -f values.yaml -f values.mine.yaml --namespace demo > temp.yaml +helm template todoblazor . -f values.yaml -f values.mine.yaml --namespace demo --debug > temp.yaml ``` ## Validate on a test cluster @@ -35,8 +35,11 @@ Create the secret with the connection string: ```bash kubectl create ns demo -kubectl create secret generic todoblazor-database \ - --from-literal=connectionstring='mongodb://root:admin@todoblazor-mongodb:27017/todolist?authSource=admin' \ +kubectl create secret generic todoblazor-mongodb \ + --from-literal=mongodb-root-password='admin' \ + --namespace demo +kubectl create secret generic todoblazor-webapp \ + --from-literal=connectionstring='mongodb://root:admin@todoblazor-mongodb:27017/todoblazor?authSource=admin' \ --namespace demo ``` 
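Review bot: `firebase.serviceAccount` now carries a complete service-account document including `private_key` as ordinary chart values; whatever a user places there is kept by Helm in the release record and, because the deployment template of this patch passes it through `toJson | quote` into a plain `value:` env entry, also lands in every rendered Deployment, so anyone who can read Deployments or run `helm get values` can read the signing key. Keep this block as a shape-only example (commented, e.g. `# private_key: ""`) and route the real document through a Kubernetes Secret referenced by key; patch 5/7 adds `firebase.serviceAccountSecretKeyRef` for that but keeps the plain-value branch as the fallback, so the comment above `serviceAccount:` should at least mark the inline form as unsafe for anything but a throwaway cluster. The same applies, to a lesser degree, to `webApp.apiKey` and `webapi.db.connectionString` above.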
@@ -44,19 +47,11 @@ Create a `values.mine.yaml` file: ```yaml webapp: - tag: 1.0.21398515939 + host: todoblazor.console.$SANDBOX_ID.instruqt.io db: connectionStringSecretKeyRef: - name: todoblazor-database + name: todoblazor-webapp key: connectionstring - databaseName: todolist -dotnet: - environment: Development -security: - serviceAccount: - create: true - rbac: - giveClusterAdmin: true ingress: enabled: true className: traefik @@ -65,16 +60,13 @@ ingress: mongodb: enabled: true auth: - rootPassword: admin + existingSecret: todoblazor-mongodb ``` Install or update the application: ```bash -helm upgrade --install todoblazor . \ - -f values.yaml -f values.mine.yaml \ - --set webapp.host=todoblazor.console.$SANDBOX_ID.instruqt.io \ - --namespace demo +helm upgrade --install todoblazor . -f values.yaml -f values.mine.yaml --namespace demo ``` Check everything is ok in the namespace: diff --git a/charts/todoblazor/Chart.lock b/charts/todoblazor/Chart.lock index 6e4252c..17a98d7 100644 --- a/charts/todoblazor/Chart.lock +++ b/charts/todoblazor/Chart.lock @@ -1,6 +1,6 @@ -dependencies: +dependencies: - name: mongodb repository: https://charts.bitnami.com/bitnami - version: 18.1.10 -digest: sha256:1d8e259cedd55f3e4cf9e11249e3eb3af2279bace5424e570a5149834d63a480 -generated: "2026-01-25T02:06:22.936299536+01:00" + version: 18.6.16 +digest: sha256:889cbf07e49e630d28dc8a1c72fdd0465f3f0f0c1601b3be559940108bb50ab2 +generated: "2026-03-19T17:49:59.027658861+01:00" diff --git a/charts/todoblazor/Chart.yaml b/charts/todoblazor/Chart.yaml index e2ae930..286a625 100644 --- a/charts/todoblazor/Chart.yaml +++ b/charts/todoblazor/Chart.yaml @@ -2,11 +2,11 @@ name: todoblazor description: Helm chart for Todo Blazor web application type: application -version: 0.1.2 +version: 0.1.3 appVersion: "1.0.0" dependencies: - name: mongodb - version: 18.1.10 # MongoDB 8.2.2 + version: 18.6.16 # MongoDB 8.2.6 repository: https://charts.bitnami.com/bitnami alias: mongodb condition: mongodb.enabled 
diff --git a/charts/todoblazor/templates/deployment.yaml b/charts/todoblazor/templates/deployment.yaml index 734d7dd..46e152b 100644 --- a/charts/todoblazor/templates/deployment.yaml +++ b/charts/todoblazor/templates/deployment.yaml @@ -26,14 +26,6 @@ spec: {{- toYaml .additionalPodLabels | nindent 8 }} {{- end }} spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: "kubernetes.io/arch" - operator: In - values: ["amd64"] {{- if $.Values.security.serviceAccount.create }} serviceAccountName: {{ .name }} {{- else }} @@ -79,17 +71,10 @@ spec: value: {{ $.Values.dotnet.logLevels.framework }} - name: Logging__LogLevel__Devpro value: {{ $.Values.dotnet.logLevels.application }} - {{- if $.Values.dotnet.enableOpenTelemetry }} - - name: Application__IsOpenTelemetryEnabled - value: "true" - - name: OpenTelemetry__CollectorEndpoint - value: "http://$(HOST_IP):4317" - {{- end }} - {{- if $.Values.dotnet.enableHttpRedirect }} + {{- if $.Values.dotnet.httpsRedirectionEnabled }} - name: Features__IsHttpsRedirectionEnabled value: "true" {{- end }} - {{- if .db }} {{- if .db.connectionStringSecretKeyRef }} - name: DatabaseSettings__ConnectionString valueFrom: @@ -102,7 +87,6 @@ spec: {{- end }} - name: DatabaseSettings__DatabaseName value: {{ .db.databaseName }} - {{- end }} restartPolicy: Always {{- end }} {{ end }} diff --git a/charts/todoblazor/templates/ingress.yaml b/charts/todoblazor/templates/ingress.yaml index 61619ca..532e36b 100644 --- a/charts/todoblazor/templates/ingress.yaml +++ b/charts/todoblazor/templates/ingress.yaml @@ -1,6 +1,6 @@ {{- $applications := list .Values.webapp -}} {{ range $applications }} -{{- if and $.Values.ingress.enabled .enabled -}} +{{- if and $.Values.ingress.enabled .enabled .host -}} --- apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/charts/todoblazor/values.yaml b/charts/todoblazor/values.yaml index 9b56179..8087a61 100644 
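Review bot: `$.Values.dotnet.enableHttpRedirect` is renamed to `httpsRedirectionEnabled` and the values.yaml hunk of this patch flips its default from `true` to `false`, so an existing `values.mine.yaml` that still sets `dotnet.enableHttpRedirect: true` is silently ignored and the app stops redirecting to HTTPS after the upgrade; a rename of a user-facing value key is a breaking change that deserves at least a minor version bump (Chart.yaml goes 0.1.2 → 0.1.3) and a line in the README. A cheap transition is `{{- if or $.Values.dotnet.httpsRedirectionEnabled $.Values.dotnet.enableHttpRedirect }}` for one release with a deprecation comment. The dropped `enableOpenTelemetry` switch has the same property: a user still setting it gets no collector wiring and no error. The enclosing `range` block starts and ends outside these hunks.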
--- a/charts/todoblazor/values.yaml +++ b/charts/todoblazor/values.yaml @@ -1,27 +1,15 @@ webapp: enabled: true - host: todoblazor.random name: todoblazor image: docker.io/devprofr/todoblazor - # images are hosted on DockerHub: https://hub.docker.com/r/devprofr/todoblazor/tags - tag: latest # IMPORTANT: latest should never be used in Production - replicaCount: 1 port: 80 containerPort: 8080 healthEndpoint: /health - db: - # important: connectionString or connectionStringSecretKeyRef must be provided - # connectionString: "someconnstring" - # connectionStringSecretKeyRef: - # name: todoblazor-secret - # key: db-connectionstring - databaseName: "somedb" - extraEnv: [] - # - name: xxx - # value: "yyyy" - additionalPodLabels: {} tls: secretName: todoblazor-tls + # optional + tag: 1.1.22760735534 # ref. https://hub.docker.com/r/devprofr/todoblazor/tags + replicaCount: 1 resources: {} # limits: # cpu: 200m @@ -29,6 +17,19 @@ # requests: # cpu: 100m # memory: 64Mi + extraEnv: [] + # - name: xxx + # value: "yyyy" + additionalPodLabels: {} + # mandatory + host: "" + db: + # important: connectionString or connectionStringSecretKeyRef must be provided + # connectionString: "someconnstring" + # connectionStringSecretKeyRef: + # name: todoblazor-secret + # key: db-connectionstring + databaseName: "todoblazor" dotnet: environment: Production @@ -36,8 +37,7 @@ dotnet: default: Information framework: Information application: Information - enableOpenTelemetry: false - enableHttpRedirect: true + httpsRedirectionEnabled: false security: serviceAccount: @@ -67,3 +67,4 @@ mongodb: tag: latest # IMPORTANT: latest should never be used in Production auth: {} # rootPassword: "" + # existingSecret: From 99651f07148c81b47bfe37a63a6f6102de35a598 Mon Sep 17 00:00:00 2001 
From: Bertrand THOMAS Date: Thu, 19 Mar 2026 23:22:52 +0100 Subject: [PATCH 5/7] Use secrets for firebase config --- .gitignore | 3 + charts/keeptrack/CONTRIBUTING.md | 77 +++++++++++------ charts/keeptrack/templates/deployment.yaml | 85 +++++++++++++++++-- charts/keeptrack/templates/ingress.yaml | 11 ++- charts/keeptrack/templates/service.yaml | 4 +- .../keeptrack/templates/serviceaccount.yaml | 11 +++ charts/keeptrack/values.yaml | 62 +++++++++----- 7 files changed, 196 insertions(+), 57 deletions(-) create mode 100644 charts/keeptrack/templates/serviceaccount.yaml diff --git a/.gitignore b/.gitignore index 6bd3786..3b53792 100644 --- a/.gitignore +++ b/.gitignore @@ -7,7 +7,10 @@ temp.sh /charts/temp/ values_*.y*ml values.mine.y*ml + +# secret files kubeconfig +firebase-service-account.json # NPM packages node_modules/ diff --git a/charts/keeptrack/CONTRIBUTING.md b/charts/keeptrack/CONTRIBUTING.md index e1c736a..865a95a 100644 --- a/charts/keeptrack/CONTRIBUTING.md +++ b/charts/keeptrack/CONTRIBUTING.md @@ -25,7 +25,24 @@ ## Validate on a test cluster -Create `values.mine.yaml` file: +Create the namespace and secrets: + +```bash +kubectl create ns demo +kubectl create secret generic keeptrack-mongodb \ + --from-literal=mongodb-root-password='admin' \ + --namespace demo +kubectl create secret generic keeptrack-app \ + --from-literal=connectionstring='mongodb://root:admin@keeptrack-mongodb:27017/keeptrack?authSource=admin' \ + --from-literal=firebaseapikey='***' \ + --from-literal=firebaseauthdomain='***' \ + --from-literal=firebaseprojectid='***' \ + --from-literal=firebaseauthority='***' \ + --from-file=firebaseserviceaccount=./firebase-service-account.json \ + --namespace demo +``` + +Create a `values.mine.yaml` file: ```yaml blazorapp: 
@@ -33,29 +50,28 @@ blazorapp: webapi: db: - connectionString: mongodb://root:admin@keeptrack-mongodb:27017/keeptrack_beta?authSource=admin - databaseName: keeptrack_beta + connectionStringSecretKeyRef: + name: keeptrack-app + key: connectionstring firebase: + auth: + authoritySecretKeyRef: + name: keeptrack-app + key: firebaseauthority webApp: - apiKey: "***" - projectId: "***" - serviceAccount: "***" - serviceAccount: - type: "service_account" - project_id: "***" - private_key_id: "***" - private_key: "***" - client_email: "***" - client_id: "***" - auth_uri: "***" - token_uri: "***" - auth_provider_x509_cert_url: "***" - client_x509_cert_url: "***" - universe_domain: "***" - -dotnet: - environment: Development + apiKeySecretKeyRef: + name: keeptrack-app + key: firebaseapikey + authDomainSecretKeyRef: + name: keeptrack-app + key: firebaseauthdomain + projectIdSecretKeyRef: + name: keeptrack-app + key: firebaseprojectid + serviceAccountSecretKeyRef: + name: keeptrack-app + key: firebaseserviceaccount ingress: enabled: true 
@@ -66,21 +82,34 @@ ingress: mongodb: enabled: true auth: - rootPassword: admin + existingSecret: keeptrack-mongodb ``` Review the manifest: ```bash -helm template keeptrack . -f values.yaml -f values.mine.yaml --namespace keeptrack --debug > temp.yaml +helm template keeptrack . -f values.yaml -f values.mine.yaml --namespace demo --debug > temp.yaml ``` Install or update the application: ```bash -helm upgrade --install keeptrack . -f values.yaml -f values.mine.yaml --namespace keeptrack --create-namespace +helm upgrade --install keeptrack . -f values.yaml -f values.mine.yaml --namespace demo --create-namespace +``` + +Check everything is ok: + +```bash +kubectl get all -n keeptrack ``` Add `keeptrack.console.$SANDBOX_ID.instruqt.io` in the authorized domains in Firebase > (myproject) > Authentication > Settings. Open the web application in a browser. + +At the end, clean everything: + +```bash +helm delete keeptrack -n demo +kubectl delete ns demo +``` diff --git a/charts/keeptrack/templates/deployment.yaml b/charts/keeptrack/templates/deployment.yaml index 4b8146d..451d549 100644 --- a/charts/keeptrack/templates/deployment.yaml +++ b/charts/keeptrack/templates/deployment.yaml @@ -1,6 +1,5 @@ {{- $applications := list .Values.blazorapp .Values.webapi -}} {{ range $applications }} -{{- $name := .name -}} {{- if .enabled -}} --- apiVersion: apps/v1 @@ -21,19 +20,24 @@ spec: template: metadata: labels: - app: {{ $name }} - app.kubernetes.io/name: {{ $name }} + app: {{ .name }} + app.kubernetes.io/name: {{ .name }} {{- if .additionalPodLabels }} {{- toYaml .additionalPodLabels | nindent 8 }} {{- end }} spec: + {{- if $.Values.security.serviceAccount.create }} + serviceAccountName: {{ .name }} + {{- else }} + serviceAccountName: default + {{- end }} containers: - name: {{ .name }} image: {{ .image }}:{{ .tag }} imagePullPolicy: Always ports: - name: http - containerPort: {{ .port }} + containerPort: {{ .containerPort }} protocol: TCP livenessProbe: httpGet: 
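Review bot: With `serviceAccountName: default` in the `else` branch every keeptrack pod gets the namespace default account's token projected into it, and none of the visible templates shows either application needing the Kubernetes API; add `automountServiceAccountToken: false` beside `serviceAccountName:` (or `automountServiceAccountToken: {{ $.Values.security.serviceAccount.create }}` if the chart-created account is what grants API access) so a compromised container is not handed a usable API credential. `$.Values.security.serviceAccount.create` and the new `.containerPort` are read here but the values.yaml change that should define them is not in this excerpt; if the first is missing the render fails with a nil-pointer error, and if the second is missing it produces an empty `containerPort:`. The enclosing `range` block starts and ends outside this hunk.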
@@ -45,6 +49,11 @@ spec: port: http resources: {{- toYaml .resources | nindent 12 }} + securityContext: + runAsNonRoot: true + runAsUser: 1654 # "app" user + runAsGroup: 1654 # "app" group + allowPrivilegeEscalation: false env: {{- if .extraEnv }} {{- toYaml .extraEnv | nindent 12 }} 
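Review bot: The new container `securityContext` stops at non-root and no privilege escalation; it still leaves the full default capability set and the unconfined seccomp profile, both of which the Kubernetes `restricted` Pod Security Standard checks, so a namespace enforcing that level rejects these pods. Dropping all capabilities and setting `seccompProfile.type: RuntimeDefault` are safe for a web app listening on an unprivileged port; `readOnlyRootFilesystem: true` is usually fine as well but needs checking against the image, since an app that writes under `/tmp` would then need an `emptyDir` mount. `runAsUser: 1654` matches the comment's "app" user but cannot be verified from here. The enclosing `range` block starts and ends outside this hunk.
```yaml
          securityContext:
            # … unchanged: runAsNonRoot / runAsUser / runAsGroup …
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # confirm the image writes nothing to its root filesystem (else mount an emptyDir at /tmp)
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```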
@@ -73,27 +82,91 @@ spec: {{- if eq .role "frontend" }} - name: WebApi__BaseUrl value: "http://{{ $.Values.webapi.name }}" + {{- if $.Values.firebase.webApp.apiKeySecretKeyRef }} + - name: Firebase__WebAppConfiguration__ApiKey + valueFrom: + secretKeyRef: + name: {{ $.Values.firebase.webApp.apiKeySecretKeyRef.name }} + key: {{ $.Values.firebase.webApp.apiKeySecretKeyRef.key }} + {{- else }} - name: Firebase__WebAppConfiguration__ApiKey value: "{{ $.Values.firebase.webApp.apiKey }}" + {{- end }} + {{- if $.Values.firebase.webApp.authDomainSecretKeyRef }} - name: Firebase__WebAppConfiguration__AuthDomain - value: "{{ $.Values.firebase.webApp.projectId }}.firebaseapp.com" + valueFrom: + secretKeyRef: + name: {{ $.Values.firebase.webApp.authDomainSecretKeyRef.name }} + key: {{ $.Values.firebase.webApp.authDomainSecretKeyRef.key }} + {{- else }} + - name: Firebase__WebAppConfiguration__AuthDomain + value: "{{ $.Values.firebase.webApp.authDomain }}" + {{- end }} + {{- if $.Values.firebase.webApp.projectIdSecretKeyRef }} + - name: Firebase__WebAppConfiguration__ProjectId + valueFrom: + secretKeyRef: + name: {{ $.Values.firebase.webApp.projectIdSecretKeyRef.name }} + key: {{ $.Values.firebase.webApp.projectIdSecretKeyRef.key }} + {{- else }} - name: Firebase__WebAppConfiguration__ProjectId value: "{{ $.Values.firebase.webApp.projectId }}" + {{- end }} + {{- if $.Values.firebase.serviceAccountSecretKeyRef }} - name: Firebase__ServiceAccount - value: {{ $.Values.firebase.serviceAccount | toJson | quote }} + valueFrom: + secretKeyRef: + name: {{ $.Values.firebase.serviceAccountSecretKeyRef.name }} + key: {{ $.Values.firebase.serviceAccountSecretKeyRef.key }} + {{- else }} + - name: Firebase__ServiceAccount + value: {{ $.Values.firebase.serviceAccount | toJson | quote }} + {{- end }} {{- else if eq .role "backend" }} - name: AllowedOrigins__0 value: "https://{{ $.Values.blazorapp.host }}" - name: AllowedOrigins__0 value: "http://{{ $.Values.blazorapp.name }}" + {{- if 
$.Values.firebase.auth.authoritySecretKeyRef }} + - name: Authentication__JwtBearer__Authority + valueFrom: + secretKeyRef: + name: {{ $.Values.firebase.auth.authoritySecretKeyRef.name }} + key: {{ $.Values.firebase.auth.authoritySecretKeyRef.key }} + {{- else }} - name: Authentication__JwtBearer__Authority value: "https://securetoken.google.com/{{ $.Values.firebase.webApp.projectId }}" + {{- end }} + {{- if $.Values.firebase.webApp.projectIdSecretKeyRef }} + - name: Authentication__JwtBearer__TokenValidation__Audience + valueFrom: + secretKeyRef: + name: {{ $.Values.firebase.webApp.projectIdSecretKeyRef.name }} + key: {{ $.Values.firebase.webApp.projectIdSecretKeyRef.key }} + {{- else }} - name: Authentication__JwtBearer__TokenValidation__Audience value: "{{ $.Values.firebase.webApp.projectId }}" + {{- end }} + {{- if $.Values.firebase.auth.authoritySecretKeyRef }} + - name: Authentication__JwtBearer__TokenValidation__Issuer + valueFrom: + secretKeyRef: + name: {{ $.Values.firebase.auth.authoritySecretKeyRef.name }} + key: {{ $.Values.firebase.auth.authoritySecretKeyRef.key }} + {{- else }} - name: Authentication__JwtBearer__TokenValidation__Issuer value: "https://securetoken.google.com/{{ $.Values.firebase.webApp.projectId }}" + {{- end }} + {{- if .db.connectionStringSecretKeyRef }} + - name: Infrastructure__MongoDB__ConnectionString + valueFrom: + secretKeyRef: + name: {{ .db.connectionStringSecretKeyRef.name }} + key: {{ .db.connectionStringSecretKeyRef.key }} + {{- else }} - name: Infrastructure__MongoDB__ConnectionString value: {{ .db.connectionString }} + {{- end }} - name: Infrastructure__MongoDB__DatabaseName value: {{ .db.databaseName }} {{- end }} diff --git a/charts/keeptrack/templates/ingress.yaml b/charts/keeptrack/templates/ingress.yaml index 1cd1f44..a4ecc3c 100644 --- a/charts/keeptrack/templates/ingress.yaml +++ b/charts/keeptrack/templates/ingress.yaml 
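Review bot: The plain-value fallbacks in this hunk have no `required` guard, so a values file that omits both `db.connectionString` and `db.connectionStringSecretKeyRef` renders `value:` with nothing after it (that line is also unquoted, unlike the other fallbacks), and an unset `firebase.webApp.projectId` renders the issuer as `https://securetoken.google.com/` and the audience as `""`; whether the JwtBearer middleware then rejects every token or accepts a wider set is not visible here, and a template-time failure is the safer way to find out. Change the Mongo fallback to `value: {{ required "webapi.db.connectionString or connectionStringSecretKeyRef must be set" .db.connectionString | quote }}` and wrap the `projectId` fallbacks in `required` the same way. Note also that the plain fallbacks for `Firebase__ServiceAccount` (a JSON blob that includes `private_key`) and the Mongo connection string are written verbatim into the rendered Deployment and the Helm release secret, so the values.yaml comments should steer users to the `*SecretKeyRef` forms. The `range`/`if .role` structure this sits in opens and closes outside the hunk.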
@@ -1,12 +1,11 @@ {{- $applications := list .Values.blazorapp .Values.webapi -}} {{ range $applications }} -{{- $name := .name -}} {{- if and $.Values.ingress.enabled .enabled .host -}} --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $name }} + name: {{ .name }} {{- with $.Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} @@ -23,9 +22,9 @@ spec: pathType: Prefix backend: service: - name: {{ $name }} + name: {{ .name }} port: - number: 80 + number: {{ .port }} {{- range .ingressExtraHosts }} - host: {{ .host | quote }} http: @@ -35,9 +34,9 @@ spec: pathType: {{ .pathType }} backend: service: - name: {{ $name }} + name: {{ .name }} port: - number: 80 + number: {{ .port }} {{- end }} {{- end }} {{- if .tls }} diff --git a/charts/keeptrack/templates/service.yaml b/charts/keeptrack/templates/service.yaml index 717253e..857e334 100644 --- a/charts/keeptrack/templates/service.yaml +++ b/charts/keeptrack/templates/service.yaml @@ -12,8 +12,8 @@ metadata: spec: type: ClusterIP ports: - - port: 80 - targetPort: http + - port: {{ .port }} + targetPort: {{ .containerPort }} protocol: TCP name: http selector: diff --git a/charts/keeptrack/templates/serviceaccount.yaml b/charts/keeptrack/templates/serviceaccount.yaml new file mode 100644 index 0000000..3ad9d52 --- /dev/null +++ b/charts/keeptrack/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if .Values.security.serviceAccount.create }} +{{- $applications := list .Values.blazorapp .Values.webapi -}} +{{ range $applications }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .name }} + labels: + app: {{ .name }} +{{ end }} +{{- end }} diff --git a/charts/keeptrack/values.yaml b/charts/keeptrack/values.yaml index 04209ea..1345aaa 100644 --- a/charts/keeptrack/values.yaml +++ b/charts/keeptrack/values.yaml 
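Review bot: The new `serviceaccount.yaml` renders one `ServiceAccount` per entry of the `range` with no `---` between them, so with both apps enabled the output is a single YAML document with duplicate `apiVersion`/`kind`/`metadata` keys rather than two objects; `deployment.yaml` and `ingress.yaml` emit `---` inside the same loop and this template should too, as the first line after `{{ range $applications }}`. While here, add `automountServiceAccountToken: false` at the top level of each object so the token is not projected into the pods by default, since nothing in the chart is shown to call the Kubernetes API. The loop also ignores `.enabled`, unlike the Deployment and Ingress templates, so an account is created for an app that is switched off; wrapping the body in `{{- if .enabled }}` … `{{- end }}` keeps the three templates in step.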
@@ -3,13 +3,14 @@ role: frontend name: keeptrack-blazorapp image: docker.io/devprofr/keeptrack-blazorapp - port: 8080 + port: 80 + containerPort: 8080 healthEndpoint: /health tls: secretName: keeptrack-blazorapp-tls # optional - replicaCount: 1 tag: 1.1.23099092819 # ref. https://hub.docker.com/r/devprofr/keeptrack-blazorapp/tags + replicaCount: 1 resources: {} # limits: # cpu: 200m @@ -29,7 +30,8 @@ webapi: role: backend name: keeptrack-webapi image: docker.io/devprofr/keeptrack-webapi - port: 8080 + port: 80 + containerPort: 8080 healthEndpoint: /health tls: secretName: keeptrack-webapi-tls @@ -42,8 +44,12 @@ webapi: additionalPodLabels: {} # mandatory db: - connectionString: "" - databaseName: "" + # important: connectionString or connectionStringSecretKeyRef must be provided + # connectionStringSecretKeyRef: + # name: "" + # key: "" + # connectionString: "someconnstring" + databaseName: "keeptrack" dotnet: environment: Production @@ -54,23 +60,40 @@ dotnet: scalarEnabled: false httpsRedirectionEnabled: false +security: + serviceAccount: + create: false + # mandatory firebase: webApp: - apiKey: "" - projectId: "" - serviceAccount: - type: "service_account" - project_id: "" - private_key_id: "" - private_key: "" - client_email: "" - client_id: "" - auth_uri: "" - token_uri: "" - auth_provider_x509_cert_url: "" - client_x509_cert_url: "" - universe_domain: "" + # apiKeySecretKeyRef: + # name: "" + # key: "" + # apiKey: "" + # authDomainSecretKeyRef: + # name: "" + # key: "" + # authDomain: "" + # projectIdSecretKeyRef: + # name: "" + # key: "" + # projectId: "" + # serviceAccountSecretKeyRef: + # name: "" + # key: "" + # serviceAccount: + # type: "service_account" + # project_id: "" + # private_key_id: "" + # private_key: "" + # client_email: "" + # client_id: "" + # auth_uri: "" + # token_uri: "" + # auth_provider_x509_cert_url: "" + # client_x509_cert_url: "" + # universe_domain: "" ingress: enabled: false 
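Review bot: The commented `firebase.webApp` block in the `@@ -54,23 +60,40 @@` hunk offers a `*SecretKeyRef` and a plain form for every setting without saying what the plain form costs: `apiKey`, `serviceAccount.private_key` and the rest are templated straight into the Deployment's `env` by deployment.yaml, so they are readable by anyone who can get Deployments or read the Helm release secret, on top of sitting in whatever values file they are typed into. Add a comment above the block such as `# Prefer the *SecretKeyRef forms: plain values are rendered into the Deployment manifest and the Helm release secret; never commit them (use values.mine.yaml).` The `# mandatory` marker above `firebase:` is advisory only — the templates do not enforce it — so either say so here or back it with `required` in the template.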
@@ -94,3 +117,4 @@ mongodb: tag: latest # IMPORTANT: latest should never be used in Production auth: {} # rootPassword: "" + # existingSecret: "" From e9a9ad6a9f46e123ab8602e6656e50e4cd88116a Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Thu, 19 Mar 2026 23:32:10 +0100 Subject: [PATCH 6/7] Add missing element in values --- charts/keeptrack/CONTRIBUTING.md | 2 +- charts/keeptrack/values.yaml | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/charts/keeptrack/CONTRIBUTING.md b/charts/keeptrack/CONTRIBUTING.md index 865a95a..fd49d1d 100644 --- a/charts/keeptrack/CONTRIBUTING.md +++ b/charts/keeptrack/CONTRIBUTING.md @@ -100,7 +100,7 @@ helm upgrade --install keeptrack . -f values.yaml -f values.mine.yaml --namespac Check everything is ok: ```bash -kubectl get all -n keeptrack +kubectl get all -n demo ``` Add `keeptrack.console.$SANDBOX_ID.instruqt.io` in the authorized domains in Firebase > (myproject) > Authentication > Settings. diff --git a/charts/keeptrack/values.yaml b/charts/keeptrack/values.yaml index 1345aaa..0903dd7 100644 --- a/charts/keeptrack/values.yaml +++ b/charts/keeptrack/values.yaml @@ -66,7 +66,12 @@ security: # mandatory firebase: - webApp: + auth: {} + # authoritySecretKeyRef: + # name: "" + # key: "" + # apiKey: "" + webApp: {} # apiKeySecretKeyRef: # name: "" # key: "" From a90e388541712377695f3d4b85926857b8b51d65 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Thu, 19 Mar 2026 23:35:42 +0100 Subject: [PATCH 7/7] Fix typo --- charts/keeptrack/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/keeptrack/templates/deployment.yaml b/charts/keeptrack/templates/deployment.yaml index 451d549..3bc8e3c 100644 --- a/charts/keeptrack/templates/deployment.yaml +++ b/charts/keeptrack/templates/deployment.yaml 
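Review bot: The `# apiKey: ""` placeholder added under `firebase.auth` in the `@@ -66,7 +66,12 @@` hunk does not match anything the templates read: deployment.yaml consults `firebase.auth.authoritySecretKeyRef` for the JWT authority/issuer and `firebase.webApp.apiKey` for the web client key, so a user who uncomments it gets a silently ignored setting. Drop it, or if a plain authority override is intended, name it for what the template would consume and add the matching `else` branch in deployment.yaml, e.g. `# authority: ""  # plain alternative to authoritySecretKeyRef; defaults to https://securetoken.google.com/<projectId>`. The `# existingSecret: ""` hint in the `mongodb` hunk would also benefit from naming the key(s) the subchart expects in that Secret, since CONTRIBUTING.md now points users at it.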
@@ -125,7 +125,7 @@ spec:
 {{- else if eq .role "backend" }}
 - name: AllowedOrigins__0
 value: "https://{{ $.Values.blazorapp.host }}"
- - name: AllowedOrigins__0
+ - name: AllowedOrigins__1
 value: "http://{{ $.Values.blazorapp.name }}"
 {{- if $.Values.firebase.auth.authoritySecretKeyRef }}
 - name: Authentication__JwtBearer__Authority
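Review bot: With the index fixed, the backend's CORS allow-list still contains `https://{{ $.Values.blazorapp.host }}`, which renders as the origin `https://` when `blazorapp.host` is unset (the same field ingress.yaml keys on, so this is the ingress-disabled case), and `http://keeptrack-blazorapp`, a plain-HTTP in-cluster name that a browser only sends as `Origin` if users actually reach the front end through it; each entry widens what the API accepts. Guard the first with `{{- if $.Values.blazorapp.host }}` … `{{- end }}` and confirm the second is needed for the Blazor front end or drop it. Because the `AllowedOrigins__N` indices are hard-coded, a conditional entry is awkward; a `range` over an `allowedOrigins` list in values.yaml would generate the indices and document the browser-facing origins in one place. The enclosing `range`/`else if` block opens and closes outside this hunk.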