Merge pull request #23 from mmz-srf/feature/PLATFORM-2612-passbolt-ha

Feature/platform 2612 passbolt ha

.gitignore

@@ -0,0 +1,4 @@
+charts/*
+secrets/*
+variables.env
+values-fingerprint.yaml

Chart.lock

@@ -0,0 +1,15 @@
+dependencies:
+- name: mariadb
+  repository: https://charts.bitnami.com/bitnami
+  version: 11.3.4
+- name: mariadb-galera
+  repository: https://charts.bitnami.com/bitnami
+  version: 7.4.7
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 17.3.8
+- name: redis-cluster
+  repository: https://charts.bitnami.com/bitnami
+  version: 8.2.7
+digest: sha256:6dfc7faef13eac7ac1979d63d7b1f5b52e381736f8b0e54755d7216e140e0272
+generated: "2022-11-07T17:04:33.735304+01:00"

Chart.yaml

@@ -1,11 +1,56 @@
-apiVersion: v1
-version: 1.7.1
-home: http://passbolt.com
-description: A Passbolt Helm chart for Kubernetes.
+apiVersion: v2
 name: passbolt-helm
+description: A Passbolt Helm chart for Kubernetes.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.8.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "3.7.1"
+
+home: https://www.passbolt.com
 icon: https://www.passbolt.com/img/logo/logo.svg
 maintainers:
   - name: Gianni Carafa
     email: gianni.carafa@srf.ch
   - name: Bruno Mazenauer
     email: bruno.mazenauer@srf.ch
+  - name: Jean-Christophe Vassort
+
+# https://helm.sh/docs/topics/charts/#tags-and-condition-fields-in-dependencies
+dependencies:
+  - name: mariadb
+    version: ">11.1.2"
+    repository: https://charts.bitnami.com/bitnami
+    condition: mariadb.enabled
+  - name: mariadb-galera
+    version: ">7.4.0"
+    repository: https://charts.bitnami.com/bitnami
+    condition: mariadb-galera.enabled
+  - name: redis
+    version: ">17.1.2"
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
+  - name: redis-cluster
+    version: ">8.2.0"
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis-cluster.enabled
+  # - name: passbolt-ha-monitor
+  #   version: ">=0.0.6"
+  #   repository: https://anatomicjc.gitlab.io/helm-charts
+  #   condition: passbolt-ha-monitor.enabled

generate-secrets.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+GPG_NAME="John Doe"
+GPG_EMAIL="john@doe.com"
+
+rm -rf secrets
+mkdir -p secrets/gpg
+cd secrets/gpg
+mkdir -m 0700 gpg-tmp
+gpg --homedir gpg-tmp --batch --no-tty --gen-key <<EOF
+    Key-Type: eddsa
+    Key-Curve: ed25519
+    Key-Usage: sign,cert
+    Subkey-Type: ecdh
+    Subkey-Curve: cv25519
+    SubKey-Usage: encrypt
+    Name-Real: ${GPG_NAME}
+    Name-Email: ${GPG_EMAIL}
+    Expire-Date: 0
+    %no-protection
+    %commit
+EOF
+
+gpg --homedir gpg-tmp --armor --export "${GPG_EMAIL}" > serverkey.asc
+gpg --homedir gpg-tmp --armor --export-secret-keys "${GPG_EMAIL}" > serverkey_private.asc
+
+rm -rf gpg-tmp
+
+cd -
+
+mkdir -p secrets/jwt
+
+openssl genrsa -out secrets/jwt/jwt.key 4096
+openssl rsa -in secrets/jwt/jwt.key -outform PEM -pubout -out secrets/jwt/jwt.pem
+
+mkdir -p secrets/pro-license
+touch secrets/pro-license/subscription_key.txt
+
+cat << EOF > values-fingerprint.yaml
+passbolt:
+  config:
+    gpgServerKeyFingerprint: "$(gpg --show-keys secrets/gpg/serverkey.asc | grep -Ev "(pub|uid|sub)" | xargs)"
+EOF

templates/NOTES.txt

@@ -0,0 +1,38 @@
+
+
+-------------------------------------------------------------------------------
+     ____                  __          ____
+    / __ \____  _____ ____/ /_  ____  / / /_
+   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
+  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
+ /_/    \__,_/____/____/_.___/\____/_/\__/
+
+ Open source password manager for teams
+-------------------------------------------------------------------------------
+
+** Please be patient while the chart is being deployed **
+{{ if not .Values.passbolt.config.gpgServerKeyFingerprint }}
+ #     #    #    ######  #     # ### #     #  #####  
+ #  #  #   # #   #     # ##    #  #  ##    # #     # 
+ #  #  #  #   #  #     # # #   #  #  # #   # #       
+ #  #  # #     # ######  #  #  #  #  #  #  # #  #### 
+ #  #  # ####### #   #   #   # #  #  #   # # #     # 
+ #  #  # #     # #    #  #    ##  #  #    ## #     # 
+  ## ##  #     # #     # #     # ### #     #  #####  
+
+>> GPG fingerprint haven't been defined <<
+
+>> Execute the generate-secrets.sh script <<
+
+{{ else }}
+Passbolt server GPG Fingerprint: {{ .Values.passbolt.config.gpgServerKeyFingerprint }}
+
+Once all pods are running, you can create the first admin with this command:
+
+kubectl exec -it -c passbolt \
+  $(kubectl get po --no-headers -l app.kubernetes.io/name=passbolt-helm | awk '{print $1}') \
+  -- su -m -c "bin/cake passbolt register_user \
+  -u {{ .Values.passbolt.firstAdmin.email }} \
+  -f {{ .Values.passbolt.firstAdmin.name }} \
+  -l {{ .Values.passbolt.firstAdmin.surname }} -r admin" -s /bin/sh www-data
+{{ end }}

templates/_helpers.tpl

@@ -43,3 +43,22 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "passbolt-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "passbolt-helm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "passbolt-helm.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "passbolt-helm.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

templates/configmap.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "passbolt-helm.fullname" . }}-passbolt-configmap
+data:
+  zzz-passbolt.conf: |
+    [www]
+    pm = {{ .Values.passbolt.config.php.pm_value }}
+    pm.max_children = {{ .Values.passbolt.config.php.pm.max_children }}
+    pm.start_servers = {{ .Values.passbolt.config.php.pm.start_servers }}
+    pm.min_spare_servers = {{ .Values.passbolt.config.php.pm.min_spare_servers }}
+    pm.max_spare_servers = {{ .Values.passbolt.config.php.pm.max_spare_servers }}
+    pm.process_idle_timeout = {{ .Values.passbolt.config.php.pm.process_idle_timeout }}
+    pm.max_requests = {{ .Values.passbolt.config.php.pm.max_requests }}
+    php_value[memory_limit] = {{ .Values.passbolt.config.php.memory_limit }}
+    php_value[post_max_size] = {{ .Values.passbolt.config.php.post_max_size }}
+    php_value[upload_max_filesize] = {{ .Values.passbolt.config.php.upload_max_filesize }}
+    php_admin_value[max_execution_time] = {{ .Values.passbolt.config.php.max_execution_time }}
+    php_admin_value[session.gc_maxlifetime] = {{ .Values.passbolt.config.php.session.lifetime }}
+    {{- if .Values.passbolt.config.php.session.redis.enabled }}
+    {{- if .Values.redis.enabled }}
+    php_admin_value[session.save_handler] = redis
+    php_admin_value[session.save_path] = "tcp://{{ .Values.passbolt.config.php.session.redis.service }}:6379?auth={{ .Values.redis.auth.password }}"
+    {{- else if index .Values "redis-cluster" "enabled" }}
+    php_admin_value[session.save_handler] = rediscluster
+    php_admin_value[session.save_path] = "seed[]={{ .Values.passbolt.config.php.session.redis.service }}:6379&auth={{ index .Values "redis-cluster" "password" }}&failover=error&timeout=2&read_timeout=2&persistent=1"
+    {{- end }}
+    {{- end }}
+  nginx-passbolt.conf: |
+    #
+    #  Passbolt.conf - Nginx configuration file to run the Passbolt software.
+    #
+
+    server {
+    
+      listen 80;
+      listen [::]:80;
+
+      # Managed by Passbolt
+      server_name _;
+
+      client_body_buffer_size     100K;
+      client_header_buffer_size   1K;
+      client_max_body_size        5M;
+
+      client_body_timeout   10;
+      client_header_timeout 10;
+      keepalive_timeout     5 5;
+      send_timeout          10;
+
+      root /usr/share/php/passbolt/webroot;
+      index index.php;
+      error_log /var/log/nginx/passbolt-error.log info;
+      access_log /var/log/nginx/passbolt-access.log;
+
+      # Managed by Passbolt
+      include /etc/nginx/snippets/passbolt-ssl.conf;
+
+      location / {
+        try_files $uri $uri/ /index.php?$args;
+      }
+
+      location ~ \.php$ {
+        try_files                $uri =404;
+        include                  fastcgi_params;
+        fastcgi_pass             unix:/run/php/php7.4-fpm.sock;
+        fastcgi_index            index.php;
+        fastcgi_intercept_errors on;
+        fastcgi_split_path_info  ^(.+\.php)(.+)$;
+        fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param            SERVER_NAME $http_host;
+        fastcgi_read_timeout {{ .Values.passbolt.config.php.max_execution_time }};
+      }
+    }