{"id":22787338,"url":"https://github.com/aserto-dev/helm","last_synced_at":"2025-04-30T12:45:06.829Z","repository":{"id":256472531,"uuid":"789147402","full_name":"aserto-dev/helm","owner":"aserto-dev","description":"The Aserto Helm Chart Repository","archived":false,"fork":false,"pushed_at":"2025-04-16T19:19:37.000Z","size":2112,"stargazers_count":0,"open_issues_count":2,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-04-16T23:22:09.248Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Smarty","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aserto-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS.md","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-04-19T19:47:56.000Z","updated_at":"2025-04-16T19:17:45.000Z","dependencies_parsed_at":"2024-09-11T00:03:20.921Z","dependency_job_id":"d0b19fba-6883-40bb-9279-f9a13b1ee11c","html_url":"https://github.com/aserto-dev/helm","commit_stats":null,"previous_names":["aserto-dev/helm"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Fhelm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Fhelm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Fhelm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Fhelm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aserto-dev","downl
oad_url":"https://codeload.github.com/aserto-dev/helm/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251703190,"owners_count":21630194,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-12T00:54:07.296Z","updated_at":"2025-04-30T12:45:06.799Z","avatar_url":"https://github.com/aserto-dev.png","language":"Smarty","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Aserto Helm Charts\n\n\u003e [!NOTE]\n\u003e The documentation below discusses self-hosted deployment of the Aserto backend services.\n\u003e [See here](https://github.com/aserto-dev/helm/tree/main/charts/topaz) if you are\n\u003e looking to deploy a [topaz](https://www.topaz.sh) authorizer in your Kubernetes cluster.\n\n[Aserto](https://www.aserto.com) is a cloud-native authorization service that provides\nfine-grained access control for your applications.\n\nAn Aserto deployment consists of multiple services that can be deployed separately or together.\nIn addition to individual service charts, `aserto` is an umbrella chart that can be used to\nconfigure and deploy all the services at once.\n\nThe charts are published to the `ghcr.io/aserto-dev/helm` OCI registry and\ncan be used directly from there or by adding them as dependencies to your own charts.\n\n\n## Requirements\n\n### Helm\n\n[Helm](https://helm.sh) must be installed to use the charts.\nPlease refer to Helm's [documentation](https://helm.sh/docs/intro/install) to get started.\n\nFull OCI support is available starting from Helm v3.8.0. 
If you are using an older version,\nfollow Helm's [instructions](https://helm.sh/docs/topics/registries/) on how to enable OCI\nregistries.\n\n\n### PostgreSQL\n\nThe Aserto directory service requires a PostgreSQL database to store its data.\nYou can deploy a PostgreSQL instance using the\n[Bitnami chart](https://bitnami.com/stack/postgresql/helm) or use a managed PostgreSQL\nfrom your cloud provider.\n\n\n#### Databases and Roles\n\nThe directory service uses two databases that can run on the same or different PostgreSQL\ninstances. The databases are named `aserto-ds` and `aserto-root-ds` by default but the\nnames are configurable.\n\nWhen both databases are on the same PostgreSQL instance, the service can be configured to\nconnect to both using the same role or different ones. In either case, each role must\nbe the owner of the database it connects to and have the `CREATEROLE` option.\nNote that `CREATEROLE` is itself a privileged option (before PostgreSQL 16 it lets a role\nalter any non-superuser role, including its password, and grant itself membership in one),\nso dedicate these roles to the directory service rather than reusing an existing application role.\nAdditionally, if the role has the `CREATEDB` option, the service can create the databases\nautomatically at startup if they don't already exist.\n\nWithout the `CREATEDB` option, you must create the databases manually before deploying the chart.\nThe following SQL commands can be used to create the roles and databases:\n\n```sql\nCREATE ROLE aserto_root CREATEROLE LOGIN PASSWORD '\u003cpassword\u003e';\nCREATE ROLE aserto_tenant CREATEROLE LOGIN PASSWORD '\u003cpassword\u003e';\n\nCREATE DATABASE \"aserto-root-ds\" OWNER = aserto_root TEMPLATE = template0;\nCREATE DATABASE \"aserto-ds\" OWNER = aserto_tenant TEMPLATE = template0;\n```\n\n### Kubernetes Secrets\n\nThe Aserto services require several secrets to be created in the Kubernetes namespace to\nwhich the services are deployed. The examples in the sections below use `aserto`.\nTo create the namespace, use:\n\n```shell\nkubectl create namespace aserto\n```\n\n#### Database Credentials\n\nThe database credentials must be stored in a Kubernetes secret in the same namespace as the\nAserto chart. 
The secret must have two keys: `username` and `password`.\n\nFor example, if deploying to the `aserto` namespace, a secret named `pg-ds-credentials` can be\ncreated using:\n\n```shell\nkubectl create secret generic pg-ds-credentials \\\n  --namespace aserto \\\n  --from-literal=username=aserto \\\n  --from-literal=password=\u003cpassword\u003e\n```\n\nNote that `--from-literal` places the password on the command line, where it ends up in your shell\nhistory and is visible in the process list while the command runs. Outside of a test cluster, prefer\n`--from-file` or a manifest applied from your secrets manager.\n\n#### Image Pull Secret\n\nThe Aserto images are stored in a private registry and require an access token to be stored in\na Kubernetes secret for the cluster to be able to pull them.\nTo create a token, log into the GitHub account that was granted access to the Aserto registry,\nfollow [these instructions](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)\nand give the token the `read:packages` scope and no others.\n\nThe token must then be stored in a Kubernetes secret in the same namespace as the Aserto chart:\n\n```shell\nkubectl create secret docker-registry ghcr-creds \\\n  --namespace aserto \\\n  --docker-server=https://ghcr.io \\\n  --docker-username=\u003cgithub username\u003e \\\n  --docker-password=\u003caccess token\u003e\n```\n\n#### Policy Registry Credentials\n\nThe discovery service requires read access to the container registry where your policies are stored.\nThis can be any OCI registry such as ghcr.io, DockerHub, or a private registry.\n\nFirst, create a read-only access token in the registry you plan to use. The details differ from\none registry to another, so consult your registry's documentation.\n\nThe token must be stored in a Kubernetes secret in the same namespace as the Aserto chart:\n\n```shell\nkubectl create secret generic discovery-ghcr-token \\\n    --namespace aserto \\\n    --from-literal=token=\u003caccess token\u003e\n```\n\n### OpenID Connect\n\nAuthentication to the Aserto management console is done using OpenID Connect. Creating an OIDC\napplication differs from one identity provider to another. 
Consult your provider's documentation\nto create an application with the users that need access to the Aserto console.\n\n\n## Configuration\n\nConfiguring a deployment is done using a `values.yaml` file that can be passed as an argument to\n`helm install`, or embedded in your own chart's `values.yaml` if you are using the Aserto chart\nas a dependency.\n\nThe top-level sections in the `values.yaml` file are:\n\n- `global`: configuration values shared by all Aserto services. These can also be overridden\n  by individual service settings.\n- `directory`: configuration values for the directory service.\n- `authorizer`: configuration values for the multi-tenant authorizer service.\n- `discovery`: configuration values for the discovery service.\n- `console`: configuration values for the management console.\n- `scim`: configuration values for the SCIM service.\n\nThe `aserto` umbrella chart's [values.yaml](charts/aserto/values.yaml) file documents the available\noptions.\n\nTo use the chart as a dependency in your own chart, add the following to the parent chart's `Chart.yaml`:\n\n```yaml\ndependencies:\n  - name: aserto\n    version: ~0.1.6\n    repository: oci://ghcr.io/aserto-dev/helm\n```\n\nThen run `helm dep update` to download the chart and its dependencies.\n\nWhen using the `aserto` chart as a dependency, the parent's `values.yaml` file should\nkeep the `global` values in place but move the other values into the `aserto` section.\nFor example:\n\n```yaml\nglobal:\n  aserto:\n    ports:\n      grpc: 8282\n      http: 8383\n      health: 8484\n      metrics: 8585\n    ...\n\naserto:\n  directory:\n    rootDirectory:\n      database:\n        port: 5432\n        ...\n```\n\n### Directory Management Service\n\nThe directory service exposes a management endpoint that is used, among other things, to initialize\nits internal database. 
The management endpoint authenticates using SSH keys.\nIn order to be able to connect, you must provide at least one public key in the `directory.sshAdminKeys`\nvalue of the `values.yaml` file. Every key listed there gets administrative access to the endpoint, so\ninclude only the keys of operators who should hold it.\n\nExample:\n\n```yaml\n...\ndirectory:\n  sshAdminKeys: |\n    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg... admin@acme.com\n    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... another_admin@acme.com\n...\n```\n\n\n## Deployment\n\nTo deploy the Aserto services, first create a `values.yaml` file with the desired configuration.\nA good starting point is the default [values.yaml](charts/aserto/values.yaml). You must provide\nvalues for several required fields:\n\n- `global.aserto.oidc` holds the domain and client ID for your OpenID Connect application used\n  to authenticate access to the management console.\n- `global.aserto.http.allowed_origins` should include the ingress domain where the management console\n  will be hosted.\n- `directory.rootDirectory.database.host` and `directory.tenantDirectory.database.host` should be set\n  to the hostname of the PostgreSQL instance(s) for the root and tenant directories.\n- `discovery.registries` must include configuration for at least one policy registry with the Kubernetes\n  secret that holds the access token.\n- `console.authorizerURL` and `console.directoryURL` should be set to the ingress URLs of the authorizer\n  and directory services.\n\nDeploy the chart in a release called `aserto`, in the same namespace where you created the secrets, using:\n\n```shell\nhelm install aserto oci://ghcr.io/aserto-dev/helm/aserto --namespace aserto -f values.yaml\n```\n\n### Directory Initialization\n\nOnce the services are deployed and running, you'll need to initialize the root directory used internally\nto authorize access to all other services. 
This is done by connecting to the directory service's management\nendpoint and running the `provision-root-keys` command.\n\nTo connect to the management endpoint, you must first port-forward the management service to your local machine:\n\n```shell\nkubectl --namespace \u003cnamespace\u003e port-forward \\\n  $(kubectl get pods --namespace \u003cnamespace\u003e \\\n    -l \"app.kubernetes.io/name=directory,app.kubernetes.io/instance=\u003crelease\u003e\" \\\n    -o jsonpath=\"{.items[0].metadata.name}\") 2222:2222\n```\n\nSubstitute `\u003cnamespace\u003e` with the Kubernetes namespace where the Aserto services are deployed and `\u003crelease\u003e` with the\nname of the Helm release (as listed in `helm list -n \u003cnamespace\u003e`).\n\nFor example, if the namespace and release are both `aserto`:\n\n```shell\nkubectl --namespace aserto port-forward \\\n  $(kubectl get pods --namespace aserto \\\n    -l \"app.kubernetes.io/name=directory,app.kubernetes.io/instance=aserto\" \\\n    -o jsonpath=\"{.items[0].metadata.name}\") 2222:2222\n```\n\nThis forwards port 2222 on your local machine to the directory service's management endpoint.\n\nIn another terminal, run the `provision-root-keys` command using one of the SSH keys provided in the `values.yaml` file\nunder `directory.sshAdminKeys`. For example:\n\n```shell\nssh -p 2222 -i \u003cprivate key path\u003e localhost provision-root-keys\n```\n\nIf you added your default SSH key (`~/.ssh/id_*.pub`) to `directory.sshAdminKeys`, you can omit the `-i` option:\n\n```shell\nssh -p 2222 localhost provision-root-keys\n```\n\nBecause ssh reaches the endpoint as `localhost:2222`, it will ask you to accept the endpoint's host key on first\nuse, and it will refuse to connect if `~/.ssh/known_hosts` already holds a different key for `[localhost]:2222`\nfrom some other port-forward. Verify the fingerprint before accepting it, or keep the endpoint's key in its own\nfile with `-o UserKnownHostsFile=\u003cpath\u003e`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faserto-dev%2Fhelm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faserto-dev%2Fhelm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faserto-dev%2Fhelm/lists"}