Multi tenant support #244

Open
wants to merge 14 commits into
base: master
6 changes: 3 additions & 3 deletions .github/workflows/kind.yaml
Expand Up @@ -47,11 +47,11 @@ jobs:
--release-name e2e-test \
--namespace kubeseal-webgui \
--set api.image.tag=snapshot \
--set api.url=http://$(hostname -f):80 \
--set publicUrl=http://$(hostname -f):80 \
--set autoFetchCertResources=null \
--set image.pullPolicy=Never \
--set ingress.enabled=true \
--set ingress.hostname=$(hostname -f) \
--set ui.ingress.enabled=true \
--set ui.ingress.hostname=$(hostname -f) \
--set resources=null \
--set sealedSecrets.autoFetchCert=true \
--set ui.image.tag=snapshot \
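Review bot: `--set publicUrl=http://$(hostname -f):80` carries an explicit default port, which is worth dropping if this value is what ends up as the API's allowed CORS origin. Browsers omit the default port from the `Origin` header (they send `http://<host>`), and FastAPI's `CORSMiddleware` compares `allow_origins` entries as exact strings, so `http://<host>:80` would not match a real cross-origin request. The job also only sets `ui.ingress.*`; nothing here sets `api.ingress.enabled` or `ui.environments`, so the multi-cluster path this PR adds is not exercised by the e2e test.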
2 changes: 1 addition & 1 deletion .github/workflows/main.yml
Expand Up @@ -5,7 +5,7 @@ on:
version:
description: 'Contains application version'
required: true

jobs:
build:
runs-on: ubuntu-latest
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -15,3 +15,4 @@ test.yaml
*.pyc
.coverage
.venv/
.vscode/
3 changes: 0 additions & 3 deletions .vscode/settings.json

This file was deleted.

8 changes: 2 additions & 6 deletions api/kubeseal_webgui_api/app.py
Expand Up @@ -4,7 +4,7 @@
import fastapi
from fastapi.middleware.cors import CORSMiddleware

from .app_config import fetch_sealed_secrets_cert
from .app_config import fetch_sealed_secrets_cert, LOGGER, settings
from .routers import config, kubernetes, kubeseal

LOGGER = logging.getLogger("kubeseal-webgui")
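Review bot: `LOGGER` is now imported from `.app_config` on the changed import line, but the module-level `LOGGER = logging.getLogger("kubeseal-webgui")` directly below is still present and rebinds the name, so the import has no effect. Keep one of the two; if the intent is a single shared logger, drop the local assignment (and the `logging` import if nothing else in the file uses it).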
Jaydee94 marked this conversation as resolved.
Expand All @@ -20,13 +20,9 @@ async def lifespan(fastapi_app: fastapi.FastAPI): # noqa: ANN201 skipcq: PYL-W0

app = fastapi.FastAPI(lifespan=lifespan)

origins = [
"http://localhost:8080",
]

app.add_middleware(
CORSMiddleware,
allow_origins=origins,
allow_origins=[settings.origin_url],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
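Review bot: `allow_origins=[settings.origin_url]` takes an operator-supplied value and pairs it with `allow_credentials=True`, `allow_methods=["*"]` and `allow_headers=["*"]`, which was tolerable for a fixed `http://localhost:8080` but is broad once the API is exposed to a UI on another cluster. Reject `*` for `origin_url` at startup, confirm whether the API needs credentialed requests at all (if it uses no cookies or HTTP auth, `allow_credentials` can be `False`), and list the methods and headers the UI actually sends. A single string also means one API can serve exactly one UI origin; if that is intended, the README should say so.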
2 changes: 2 additions & 0 deletions api/kubeseal_webgui_api/app_config.py
Expand Up @@ -8,10 +8,12 @@
mock = environ.get("MOCK_ENABLED", "False").lower() == "true"
autofetch = environ.get("KUBESEAL_AUTOFETCH", "false")
kubeseal_cert = environ.get("KUBESEAL_CERT", "/kubeseal-webgui/cert/kubeseal-cert.pem")
origin_url = environ.get("ORIGIN_URL", "http://localhost:8080")


class AppSettings(BaseSettings):
kubeseal_version: str
origin_url: str = origin_url
kubeseal_binary: str = binary
kubeseal_cert: str = environ.get("KUBESEAL_CERT", "/dev/null")
mock_enabled: bool = mock
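Review bot: `origin_url: str = origin_url` accepts any string, so a trailing slash, a path, or a missing scheme in `ORIGIN_URL` silently produces a CORS allow-list entry that never matches a browser `Origin`. Validate the field in `AppSettings` (scheme plus host and optional port, nothing else) and fail fast on a bad value. The module-level `environ.get("ORIGIN_URL", ...)` also looks redundant on a `BaseSettings` class, which populates an `origin_url` field from the `ORIGIN_URL` environment variable on its own unless an env prefix is configured; a plain field default of `"http://localhost:8080"` would do.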
38 changes: 2 additions & 36 deletions api/poetry.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions chart/kubeseal-webgui/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
name: kubeseal-webgui
description: A Helm chart for installing kubeseal-webgui
version: 5.2.1
appVersion: 4.2.6
version: 6.0.0
appVersion: 5.0.0
152 changes: 112 additions & 40 deletions chart/kubeseal-webgui/README.md
Expand Up @@ -9,7 +9,7 @@ helm repo update
helm install kubeseal-webgui kubesealwebgui/kubeseal-webgui --namespace <namespacename>

# with ingress and autofetch certificate
helm install kubeseal-webgui kubesealwebgui/kubeseal-webgui --namespace <namespacename> --set ingress.enabled=true --set api.url="http://kubeseal-webgui.example.com" --set sealedSecrets.autoFetchCert=true
helm install kubeseal-webgui kubesealwebgui/kubeseal-webgui --namespace <namespacename> --set ingress.enabled=true --set publicUrl="http://kubeseal-webgui.example.com" --set sealedSecrets.autoFetchCert=true
```

## Uninstalling the Chart
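Review bot: the updated install example still passes `--set ingress.enabled=true`, but the configuration table in this PR no longer has an `ingress.enabled` key, only `ui.ingress.enabled` and `api.ingress.enabled` (kind.yaml was switched to `ui.ingress.enabled`). As written the flag sets a value the chart no longer documents, so the ingress presumably stays off; change it to `--set ui.ingress.enabled=true` and add `--set ui.ingress.hostname=...` so the hostname agrees with `publicUrl`.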
Expand All @@ -19,46 +19,118 @@ To uninstall/delete the my-release deployment:
```console
helm uninstall kubeseal-webgui kubesealwebgui/kubeseal-webgui --namespace <namespacename>
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Configuring multiple environments in one kubeseal-webgui ui

With version `>=5.0.0` it is possible to configure multiple environments/clusters to be displayed in one ui component.

* Deploy one ui component and the api component of kubeseal-webgui in your desired cluster by setting `ui.enabled` and `api.enabled` to `true`.
* For every cluster that should be displayed in the same ui you have deploy the api component and expose the api with an ingress or route object.
* `ui.enabled` to `false`
* `api.enabled` to `true`
* `api.ingress.enabled` or `api.route.enabled` to `true`
* For security reasons (CORS) the api components need to know the host from which the api gets called. So the parameter `publicUrl` has to be set to the HTTP Endpoint of the ui component.
* The ui component needs to know the kubeseal-webgui APIs of each cluster you want to add in the ui.
* The API endpoints have to be configured with the parameter `ui.environments`.

### Example for configuring multiple environments

#### Cluster Foo (provides the ui)

```yaml
publicUrl: "http://kubeseal-webgui-ui.foo.example.com"
api:
enabled: true
...
ingress:
enabled: false
...
...
ui:
enabled: true
...
environments:
cluster-foo: "http://localhost:5000"
cluster-bar: "http://kubeseal-webgui-api.bar.example.com"
...
ingress:
enabled: true
hostname: "kubeseal-webgui-ui.foo.example.com"
...
...
```

#### Cluster Bar (should be displayed in the ui of Cluster Foo)

```yaml
publicUrl: "http://kubeseal-webgui-ui.foo.example.com"
api:
enabled: true
...
ingress:
enabled: true
hostname: "kubeseal-webgui-api.bar.example.com"
...
...
ui:
enabled: false
...
```



## Configuration

| Parameter | Description | Default |
| ----------------------------------------- | ------------------------------------------------- | ----------------------------- |
| `replicaCount` | Number of nodes | `1` |
| `annotations` | Optional annotations for the pods | `{}` |
| `api.image.repository` | Image-Repository and name of the api image. | `kubesealwebgui/api` |
| `api.image.tag` | Image Tag of the api image. | `4.2.5` |
| `api.environment` | Additional env variables for the api image. | `{}` |
| `api.loglevel` | Loglevel for the api image. | `INFO` |
| `ui.image.repository` | Image-Repository and name of the ui image. | `kubesealwebgui/ui` |
| `ui.image.tag` | Image Tag of the ui image. | `4.2.5` |
| `image.pullPolicy` | Image Pull Policy | `Always` |
| `nameOverride` | Name-Override for the objects | `""` |
| `fullnameOverride` | Fullname-Override for the objects | `""` |
| `customServiceAccountName` | Optionallyn define your own serviceaccount to use | `true` |
| `tolerations` | Add tolerations to the deployment. | `[]` |
| `affinity` | Add affinity rules to the deployment. | `{}` |
| `nodeSelector` | Add a nodeSelector to the deployment. | `{}` |
| `displayName` | Optional display name for the kubeseal instance | `""` |
| `resources.limits.cpu` | Limits CPU | `100m` |
| `resources.limits.memory` | Limits memory | `256Mi` |
| `resources.requests.cpu` | Requests CPU | `20m` |
| `resources.requests.memory` | Requests memory | `20m` |
| `ingress.enabled` | Enable an ingress route | `false` |
| `ingress.annotations` | Additional annotations for the ingress object. | `{}` |
| `ingress.ingressClassName` | Additional ingressClassName. | `""` |
| `ingress.hostname` | The hostname for the ingress route | `kubeseal-webgui.example.com` |
| `ingress.tls.enabled` | Enable TLS for the ingress route | `false` |
| `ingress.tls.secretName` | The secret name for private and public key | `""` |
| `route.enabled` | Deploy OpenShift route | `false` |
| `route.hostname` | Set Hostname of the route | `""` |
| `route.tls.enabled` | Enable/Disable TLS for OpenShift Route | `true` |
| `route.tls.termination` | TLS Termination of the route | `""` |
| `route.tls.insecureEdgeTerminationPolicy` | TLS insecureEdgeTerminationPolicy of the route | `""` |
| `sealedSecrets.autoFetchCert` | Load the cert from the Controller on start | `false` |
| `sealedSecrets.controllerName` | Deployment name of the Controller | `sealed-secrets-controller` |
| `sealedSecrets.controllerNamespace` | Namespace the Controller resides in | `kube-system` |
| `sealedSecrets.cert` | Public-Key of your SealedSecrets controller | `""` |
| `api.environment` | Additional API environment variables | `{}` |
| Parameter | Description | Default |
| --------------------------------------------- | ---------------------------------------------------- | ----------------------------- |
| `replicaCount` | Number of nodes | `1` |
| `annotations` | Optional annotations for the pods | `{}` |
| `publicUrl` | The HTTP Endpoint for accessing the ui. | `http://localhost:8080` |
| `api.enabled` | Enable-Disable api component | `true` |
| `api.image.repository` | Image-Repository and name of the api image. | `kubesealwebgui/api` |
| `api.image.tag` | Image Tag of the api image. | `5.0.0` |
| `api.env` | Additional env variables for the api image. | `{}` |
| `api.ingress.enabled` | Enable an ingress route for the api | `false` |
| `api.ingress.annotations` | Additional annotations for the ingress object. | `{}` |
| `api.ingress.ingressClassName` | Additional ingressClassName. | `""` |
| `api.ingress.hostname` | The hostname for the ingress route | `kubeseal-webgui.example.com` |
| `api.ingress.tls.enabled` | Enable TLS for the ingress route | `false` |
| `api.ingress.tls.secretName` | The secret name for private and public key | `""` |
| `api.route.enabled` | Deploy OpenShift route for the api | `false` |
| `api.route.hostname` | Set Hostname of the route | `""` |
| `api.route.tls.enabled` | Enable/Disable TLS for OpenShift Route | `true` |
| `api.route.tls.termination` | TLS Termination of the route | `""` |
| `api.route.tls.insecureEdgeTerminationPolicy` | TLS insecureEdgeTerminationPolicy of the route | `""` |
| `api.loglevel` | Loglevel for the api image. | `INFO` |
| `ui.enabled` | Enable-Disable ui component. | `true` |
| `ui.image.repository` | Image-Repository and name of the ui image. | `kubesealwebgui/ui` |
| `ui.image.tag` | Image Tag of the ui image. | `5.0.0` |
| `ui.ingress.enabled` | Enable an ingress route for the ui | `false` |
| `ui.ingress.annotations` | Additional annotations for the ingress object. | `{}` |
| `ui.ingress.ingressClassName` | Additional ingressClassName. | `""` |
| `ui.ingress.hostname` | The hostname for the ingress route | `kubeseal-webgui.example.com` |
| `ui.ingress.tls.enabled` | Enable TLS for the ingress route | `false` |
| `ui.ingress.tls.secretName` | The secret name for private and public key | `""` |
| `ui.route.enabled` | Deploy OpenShift route for the ui | `false` |
| `ui.route.hostname` | Set Hostname of the route | `""` |
| `ui.route.tls.enabled` | Enable/Disable TLS for OpenShift Route | `true` |
| `ui.route.tls.termination` | TLS Termination of the route | `""` |
| `ui.route.tls.insecureEdgeTerminationPolicy` | TLS insecureEdgeTerminationPolicy of the route | `""` |
| `ui.environments` | The environments that should be available in the ui. | `{}` |
| `image.pullPolicy` | Image Pull Policy | `Always` |
| `nameOverride` | Name-Override for the objects | `""` |
| `fullnameOverride` | Fullname-Override for the objects | `""` |
| `customServiceAccountName` | Optionallyn define your own serviceaccount to use | `true` |
| `tolerations` | Add tolerations to the deployment. | `[]` |
| `affinity` | Add affinity rules to the deployment. | `{}` |
| `nodeSelector` | Add a nodeSelector to the deployment. | `{}` |
| `displayName` | Optional display name for the kubeseal instance | `""` |
| `resources.limits.cpu` | Limits CPU | `100m` |
| `resources.limits.memory` | Limits memory | `256Mi` |
| `resources.requests.cpu` | Requests CPU | `20m` |
| `resources.requests.memory` | Requests memory | `20m` |
| `sealedSecrets.autoFetchCert` | Load the cert from the Controller on start | `false` |
| `sealedSecrets.controllerName` | Deployment name of the Controller | `sealed-secrets-controller` |
| `sealedSecrets.controllerNamespace` | Namespace the Controller resides in | `kube-system` |
| `sealedSecrets.cert` | Public-Key of your SealedSecrets controller | `""` |
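Review bot: both example values files use plain `http://` for `publicUrl` and for the cross-cluster entry `cluster-bar: "http://kubeseal-webgui-api.bar.example.com"`, so a reader copying them sends the browser-to-API traffic for a remote cluster unencrypted. Use `https://` in the examples and show `api.ingress.tls.enabled: true` with a `secretName` for Cluster Bar. Smaller points in the same hunk: "With version `>=5.0.0`" does not say whether it means the chart (now 6.0.0) or the app (5.0.0); `api.environment` became `api.env` and `ingress.*`/`route.*` moved under `ui.` and `api.` with no upgrade note for existing values files; "you have deploy" and "Optionallyn" are typos; and the `resources.requests.memory` default reads `20m`, which is a CPU-style quantity.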