{"id":19643207,"url":"https://github.com/goethite/gostint-helm","last_synced_at":"2025-04-28T13:30:41.834Z","repository":{"id":97149045,"uuid":"145309992","full_name":"goethite/gostint-helm","owner":"goethite","description":"Helm Chart for Gostint DevOps Automation - https://goethite.github.io/gostint/","archived":true,"fork":false,"pushed_at":"2019-06-18T19:08:23.000Z","size":3862,"stargazers_count":1,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-26T23:26:52.067Z","etag":null,"topics":["devops","gostint","helm","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/goethite.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-08-19T14:25:20.000Z","updated_at":"2024-10-02T14:10:16.000Z","dependencies_parsed_at":"2023-10-21T03:02:51.908Z","dependency_job_id":null,"html_url":"https://github.com/goethite/gostint-helm","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goethite%2Fgostint-helm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goethite%2Fgostint-helm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goethite%2Fgostint-helm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goethite%2Fgostint-helm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/goethite","download_url":"https://codeload.github.com/goethite/gostint-helm/tar.
gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251319747,"owners_count":21570450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","gostint","helm","kubernetes"],"created_at":"2024-11-11T14:19:34.431Z","updated_at":"2025-04-28T13:30:41.810Z","avatar_url":"https://github.com/goethite.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Helm Charts for GoStint DevOps Automation\n\nhttps://goethite.github.io/gostint/\n\nThis is a proof-of-concept helm chart for the GoStint project.\n\nThis is a work in progress and __not for production use...__\n\nThe goal is to provide a pre-packaged demo environment for GoStint, with\nHashicorp Vault etc all preconfigured.\n\nThe PoC GoStint UI is enabled by default in the helm chart and can be accessed\nby pointing your browser at https://your-k8s-ingess/gostint.\nThe `values.yaml` setting `ui.vaultExternalAddr` must be set to the ingress\nurl of the Vault, e.g. 
https://your-k8s-ingress/vault (see also comments\nbelow regarding the Ingress Controller).\n\n## IMPORTANT Upgrading from v1 -\u003e v2\nThe upgrade of the helm chart from v1.* to v2.* is a breaking change due to\nMongoDB now being deployed as a StatefulSet.\n\n## Requirements\n* kubectl\n* helm\n\n### Helm Repos\n* stable\n* incubator\n\n## Deploying\nNote: `KUBECONFIG` must be set for your kubernetes environment and helm setup.\n\n### Install nginx-ingress controller\nSee [nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress)\n```bash\nhelm install stable/nginx-ingress --name ingress-op --set controller.extraArgs.v=2\n# or, to upgrade an existing release:\nhelm upgrade ingress-op stable/nginx-ingress --set controller.extraArgs.v=2\n```\n\n### Install GoStint\nDeploy the chart:\n```bash\ngostint/deploy.sh\n```\nThis starts consul, vault, mongodb and gostint services.\n\n### Ingress Controller\nThe helm chart also deploys an Ingress on port 443 to allow a single\napi to provide access to both the Vault and GoStint APIs using path based routing,\ne.g.:\n\nService | Ingress URL\n------- | -----------\nvault   | https://url/vault\ngostint | https://url/gostint\n\nSo an execution of `gostint-client` could look like:\n```bash\ngostint-client \\\n  -url=https://your-ingress-fqdn/gostint \\\n  -vault-url=https://your-ingress-fqdn/vault \\\n  -vault-roleid=@.client_role_id \\\n  -vault-secretid=@.client_secret_id \\\n  -image=goethite/gostint-kubectl \\\n  -env-vars='[\"RUNCMD=/usr/local/bin/helm\"]' \\\n  -run='[\"status\", \"aut-op\"]' \\\n  -secret-refs='[\"KUBECONFIG_BASE64@secret/k8s_cluster_1.kubeconfig_base64\"]' \\\n  -image-pull-policy=Always \\\n  -debug\n```\n\nInit Ingress:\n```bash\ngostint/init/ingress-init.sh aut-op default\n```\n\nIMPORTANT: The above path based ingress for vault breaks end-to-end TLS\nencryption and could present a security risk (for gostint-client authenticating,\nbut not for the actual submission of the job).  
SSL Passthrough with SNI\nserver based routing may be a better option.\n\n### Upgrade GoStint\nSimply rerun `deploy.sh`:\n```bash\ngostint/deploy.sh\n```\n\n### Delete GoStint (and all related data, including Vault/Consul)\n```bash\ngostint/destroy.sh\n```\n\n## Notes\n\n### Microk8s\nI had an issue with internet access from the PODs under microk8s.  It seems the\ndocker iptables rules were dropping the packets by default.\nSee my [gist](https://gist.github.com/gbevan/8a0a786cfc2728cd2998f868b0ff5b72)\nfor a solution.\n\nSee also [gist to allow privileged container for microk8s](https://gist.github.com/antonfisher/d4cb83ff204b196058d79f513fd135a6).\n\n### Get Vault Pod HA Roles\n```bash\nkubectl -n default get pods \\\n  | awk '/^aut-op-vault/ { print $1; }' \\\n  | xargs -i@ kubectl -n default -c vault exec -i @ \\\n    -- bash -c \"echo -n '@ '; VAULT_SKIP_VERIFY=1 vault status | awk '/^HA Mode/ { printf \\$3; }'; echo\"\n```\n\n### SNI Ingress and CORS\nIf using the SNI Ingress Controller (maybe with [snimultihop](https://github.com/goethite/snimultihop))\nyou will need to configure CORS in the vault for the external url.  
In testing I\nhave simply been setting this to `\"*\"`, e.g.:\n```bash\ncurl -sSk \\\n  --resolve snivault.default.pod:8443:127.0.0.1 \\\n  -H \"X-Vault-Token:7J...snip...VO\" \\\n  https://snivault.default.pod:8443/v1/sys/config/cors \\\n  -X POST \\\n  --data '{\"enabled\":true, \"allowed_origins\":\"*\"}'\n```\nWhich gives the vault cors config:\n```bash\ncurl -sSk \\\n  --resolve snivault.default.pod:8443:127.0.0.1 \\\n  -H \"X-Vault-Token:7J...snip...VO\" \\\n  https://snivault.default.pod:8443/v1/sys/config/cors \\\n  | jq\n```\n```json\n{\n  \"enabled\": true,\n  \"allowed_origins\": [\n    \"*\"\n  ],\n  \"allowed_headers\": [\n    \"Content-Type\",\n    \"X-Requested-With\",\n    \"X-Vault-AWS-IAM-Server-ID\",\n    \"X-Vault-MFA\",\n    \"X-Vault-No-Request-Forwarding\",\n    \"X-Vault-Wrap-Format\",\n    \"X-Vault-Wrap-TTL\",\n    \"X-Vault-Policy-Override\",\n    \"Authorization\",\n    \"X-Vault-Token\"\n  ],\n  \"request_id\": \"fc9f43c6-c8cc-7d68-8a89-0f3531fd80a3\",\n  \"lease_id\": \"\",\n  \"renewable\": false,\n  \"lease_duration\": 0,\n  \"data\": {\n    \"allowed_headers\": [\n      \"Content-Type\",\n      \"X-Requested-With\",\n      \"X-Vault-AWS-IAM-Server-ID\",\n      \"X-Vault-MFA\",\n      \"X-Vault-No-Request-Forwarding\",\n      \"X-Vault-Wrap-Format\",\n      \"X-Vault-Wrap-TTL\",\n      \"X-Vault-Policy-Override\",\n      \"Authorization\",\n      \"X-Vault-Token\"\n    ],\n    \"allowed_origins\": [\n      \"*\"\n    ],\n    \"enabled\": true\n  },\n  \"wrap_info\": null,\n  \"warnings\": null,\n  \"auth\": null\n}\n```\nIn the real world you would want to set allowed_origins to the actual external\nurl of the gostint service.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoethite%2Fgostint-helm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoethite%2Fgostint-helm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoethite%2Fgostint-helm/lists"}