Merge pull request #21 from vshn/feat/rclone-chart

Add Helm chart for rclone as an S3 encryption proxy

Author: mikeshootzz

README.md

@@ -15,6 +15,7 @@ helm repo add appcat https://charts.appcat.ch
 
 | Downloads & Changelog | Chart |
 | --- | --- |
+| [![chart downloads](https://img.shields.io/github/downloads/vshn/appcat-charts/rcloneproxy-0.0.1/total)](https://github.com/vshn/appcat-charts/releases/tag/rcloneproxy-0.0.1) | [rcloneproxy](charts/rcloneproxy/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/vshn/appcat-charts/vshnmariadb-0.0.12/total)](https://github.com/vshn/appcat-charts/releases/tag/vshnmariadb-0.0.12) | [vshnmariadb](charts/vshnmariadb/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/vshn/appcat-charts/vshnpostgresql-0.6.0/total)](https://github.com/vshn/appcat-charts/releases/tag/vshnpostgresql-0.6.0) | [vshnpostgresql](charts/vshnpostgresql/README.md) |
 

charts/rcloneproxy/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: rcloneproxy
+description: A Helm chart for deploying rclone as an intermediate s3 proxy
+type: application
+version: 0.0.1
+maintainers:
+  - name: Schedar Team
+    email: info@vshn.ch

charts/rcloneproxy/README.md

@@ -0,0 +1,64 @@
+# rcloneproxy
+
+![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+A Helm chart for deploying rclone as an intermediate s3 proxy
+
+## Installation
+
+```bash
+helm repo add appcat https://charts.appcat.ch
+helm install rcloneproxy vshn/rcloneproxy
+```
+
+<!---
+Common/Useful Link references from values.yaml
+-->
+[resource-units]: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
+[prometheus-operator]: https://github.com/coreos/prometheus-operator
+# rcloneproxy
+
+![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+A Helm chart for deploying rclone as an intermediate s3 proxy
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Schedar Team | <info@vshn.ch> |  |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| backend | object | `{"secretRef":{"keys":{"accessKeyID":"access-key-id","accessKeySecret":"access-key-secret","bucket":"bucket","endpoint":"endpoint","region":"region"},"name":""}}` | Backend S3 storage configuration |
+| backend.secretRef | object | `{"keys":{"accessKeyID":"access-key-id","accessKeySecret":"access-key-secret","bucket":"bucket","endpoint":"endpoint","region":"region"},"name":""}` | Reference to an existing secret containing backend S3 credentials |
+| backend.secretRef.keys | object | `{"accessKeyID":"access-key-id","accessKeySecret":"access-key-secret","bucket":"bucket","endpoint":"endpoint","region":"region"}` | Keys in the secret for each configuration value |
+| backend.secretRef.keys.accessKeyID | string | `"access-key-id"` | Key for S3 access key ID |
+| backend.secretRef.keys.accessKeySecret | string | `"access-key-secret"` | Key for S3 access key secret |
+| backend.secretRef.keys.bucket | string | `"bucket"` | Key for S3 bucket name |
+| backend.secretRef.keys.endpoint | string | `"endpoint"` | Key for S3 endpoint URL |
+| backend.secretRef.keys.region | string | `"region"` | Key for S3 region |
+| backend.secretRef.name | string | `""` | Name of the secret containing backend credentials |
+| containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":65532}` | Container security context configuration |
+| containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Disallow privilege escalation |
+| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Linux capabilities to drop |
+| containerSecurityContext.enabled | bool | `true` | Enable container security context |
+| containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Read-only root filesystem |
+| containerSecurityContext.runAsNonRoot | bool | `true` | Run as non-root user |
+| containerSecurityContext.runAsUser | int | `65532` | User ID to run the container |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.repository | string | `"ghcr.io/rclone/rclone"` | Image repository for rclone |
+| image.tag | string | `"1.73.0"` | Configure the image tag |
+| podSecurityContext | object | `{"enabled":true,"fsGroup":65532,"fsGroupChangePolicy":"OnRootMismatch","seLinuxOptions":{}}` | Pod security context configuration |
+| podSecurityContext.enabled | bool | `true` | Enable pod security context |
+| podSecurityContext.fsGroup | int | `65532` | FSGroup for volume ownership |
+| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | FSGroupChangePolicy for volume ownership changes |
+| podSecurityContext.seLinuxOptions | object | `{}` | SELinux options for OpenShift compatibility |
+| replicaCount | int | `1` | Number of replicas |
+| resources | object | `{"limits":{"cpu":"25m","memory":"512Mi"},"requests":{"cpu":"10m","memory":"256Mi"}}` | Resource requests and limits |
+| service | object | `{"port":9095,"type":"ClusterIP"}` | Service configuration |
+| service.port | int | `9095` | Service port (rclone S3 server port) |
+| service.type | string | `"ClusterIP"` | Service type |
+

charts/rcloneproxy/templates/deployment.yaml

@@ -0,0 +1,181 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rcloneproxy
+  labels:
+    app: rcloneproxy
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: rcloneproxy
+  template:
+    metadata:
+      labels:
+        app: rcloneproxy
+    spec:
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext:
+        {{- if .Values.podSecurityContext.fsGroup }}
+        fsGroup: {{ .Values.podSecurityContext.fsGroup }}
+        {{- end }}
+        {{- if .Values.podSecurityContext.fsGroupChangePolicy }}
+        fsGroupChangePolicy: {{ .Values.podSecurityContext.fsGroupChangePolicy }}
+        {{- end }}
+        {{- if .Values.podSecurityContext.seLinuxOptions }}
+        seLinuxOptions:
+          {{- toYaml .Values.podSecurityContext.seLinuxOptions | nindent 10 }}
+        {{- end }}
+      {{- end }}
+      initContainers:
+        - name: generate-config
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext:
+            {{- if .Values.containerSecurityContext.runAsUser }}
+            runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.allowPrivilegeEscalation nil }}
+            allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.readOnlyRootFilesystem nil }}
+            readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.capabilities }}
+            capabilities:
+              {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
+            {{- end }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              set -e
+              # Obscure the encryption passwords
+              OBSCURED_PASSWORD=$(echo -n "$ENCRYPTION_PASSWORD" | rclone obscure -)
+              OBSCURED_PASSWORD2=$(echo -n "$ENCRYPTION_PASSWORD2" | rclone obscure -)
+
+              # Generate rclone.conf with obscured passwords
+              cat > /config/rclone/rclone.conf <<EOF
+              [target]
+              type = s3
+              provider = Other
+              env_auth = false
+              access_key_id = $BACKEND_ACCESS_KEY_ID
+              secret_access_key = $BACKEND_SECRET_ACCESS_KEY
+              endpoint = $BACKEND_ENDPOINT
+              region = $BACKEND_REGION
+              location_constraint = $BACKEND_REGION
+              force_path_style = true
+
+              [s3-crypt]
+              type = crypt
+              remote = target:$BACKEND_BUCKET
+              filename_encryption = standard
+              directory_name_encryption = true
+              password = $OBSCURED_PASSWORD
+              password2 = $OBSCURED_PASSWORD2
+              EOF
+
+              echo "Generated rclone.conf with obscured passwords"
+          env:
+            - name: BACKEND_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeyID }}
+            - name: BACKEND_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeySecret }}
+            - name: BACKEND_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.endpoint }}
+            - name: BACKEND_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.region }}
+            - name: BACKEND_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.bucket }}
+            - name: ENCRYPTION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: rcloneproxy-encryption-key
+                  key: password
+            - name: ENCRYPTION_PASSWORD2
+              valueFrom:
+                secretKeyRef:
+                  name: rcloneproxy-encryption-key
+                  key: password2
+          volumeMounts:
+            - name: rclone-config
+              mountPath: /config/rclone
+      containers:
+        - name: rcloneproxy
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext:
+            {{- if .Values.containerSecurityContext.runAsUser }}
+            runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.allowPrivilegeEscalation nil }}
+            allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.readOnlyRootFilesystem nil }}
+            readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.capabilities }}
+            capabilities:
+              {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
+            {{- end }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              rclone serve s3 s3-crypt: --addr :{{ .Values.service.port }} --auth-key "${BACKEND_ACCESS_KEY_ID},${BACKEND_SECRET_ACCESS_KEY}"
+          env:
+            - name: RCLONE_CONFIG
+              value: /config/rclone/rclone.conf
+            - name: BACKEND_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeyID }}
+            - name: BACKEND_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeySecret }}
+          ports:
+            - name: s3
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: rclone-config
+              mountPath: /config/rclone
+              readOnly: true
+          stdin: true
+          tty: true
+      volumes:
+        - name: rclone-config
+          emptyDir: {}

charts/rcloneproxy/templates/secret.yaml

@@ -0,0 +1,23 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "rcloneproxy-encryption-key" -}}
+{{- $encryptionPassword := "" -}}
+{{- $encryptionPassword2 := "" -}}
+{{- if $existingSecret -}}
+  {{- $encryptionPassword = index $existingSecret.data "password" | b64dec -}}
+  {{- $encryptionPassword2 = index $existingSecret.data "password2" | b64dec -}}
+{{- else -}}
+  {{- $encryptionPassword = randAlphaNum 32 -}}
+  {{- $encryptionPassword2 = randAlphaNum 32 -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rcloneproxy-encryption-key
+  labels:
+    app: rcloneproxy
+  annotations:
+    helm.sh/resource-policy: keep
+type: Opaque
+stringData:
+  password: "{{ $encryptionPassword }}"
+  password2: "{{ $encryptionPassword2 }}"

charts/rcloneproxy/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: rcloneproxy
+  labels:
+    app: rcloneproxy
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: s3
+      protocol: TCP
+      name: s3
+  selector:
+    app: rcloneproxy

charts/rcloneproxy/values.yaml

@@ -0,0 +1,74 @@
+image:
+  # -- Image repository for rclone
+  repository: ghcr.io/rclone/rclone
+  # -- Configure the image tag
+  tag: "1.73.0"
+  # -- Image pull policy
+  pullPolicy: IfNotPresent
+
+# -- Number of replicas
+replicaCount: 1
+
+# -- Service configuration
+service:
+  # -- Service type
+  type: ClusterIP
+  # -- Service port (rclone S3 server port)
+  port: 9095
+
+# -- Backend S3 storage configuration
+backend:
+  # -- Reference to an existing secret containing backend S3 credentials
+  secretRef:
+    # -- Name of the secret containing backend credentials
+    name: ""
+    # -- Keys in the secret for each configuration value
+    keys:
+      # -- Key for S3 access key ID
+      accessKeyID: "access-key-id"
+      # -- Key for S3 access key secret
+      accessKeySecret: "access-key-secret"
+      # -- Key for S3 endpoint URL
+      endpoint: "endpoint"
+      # -- Key for S3 region
+      region: "region"
+      # -- Key for S3 bucket name
+      bucket: "bucket"
+
+# -- Resource requests and limits
+resources:
+  requests:
+    memory: "256Mi"
+    cpu: "10m"
+  limits:
+    memory: "512Mi"
+    cpu: "25m"
+
+# -- Pod security context configuration
+podSecurityContext:
+  # -- Enable pod security context
+  enabled: true
+  # -- FSGroup for volume ownership
+  fsGroup: 65532
+  # -- FSGroupChangePolicy for volume ownership changes
+  fsGroupChangePolicy: "OnRootMismatch"
+  # -- SELinux options for OpenShift compatibility
+  seLinuxOptions: {}
+    # type: "spc_t"
+
+# -- Container security context configuration
+containerSecurityContext:
+  # -- Enable container security context
+  enabled: true
+  # -- Run as non-root user
+  runAsNonRoot: true
+  # -- User ID to run the container
+  runAsUser: 65532
+  # -- Disallow privilege escalation
+  allowPrivilegeEscalation: false
+  # -- Read-only root filesystem
+  readOnlyRootFilesystem: false
+  # -- Linux capabilities to drop
+  capabilities:
+    drop:
+      - ALL