Installing with Helm

Overview on installing Cased Shell with Helm.

Requirements

Repository   Name         Version
Bitnami      postgresql   12.1.0
Helm         vault        0.22.1

Installation

  • The Chart for Cased Shell is distributed as an OCI image. Contact Cased for access to the image.
  • Construct a values file using the documentation below as a reference, making sure to set config.secret and ingress.fqdn plus any other values required for your deployment:
    • postgresql.* values control where relational data is stored.
    • vault.* values control where secrets are stored.
    • config.objectStorageBackend controls where object storage data (such as session logs) is stored.
  • Install the Chart using helm install, helm upgrade --install, or using your preferred CI/CD system.
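The three installation steps above, carried out as a small POSIX shell script. This is an added example, not part of the Cased Shell chart or its documentation: it writes a constructed sample values file, checks that config.secret and ingress.fqdn are set (and that postgresql.external.host and port are present whenever postgresql.enabled is false, as the Values section requires), and then builds the helm upgrade --install command. The chart reference (CHART_REF), release name and namespace are placeholders; substitute the OCI reference Cased gives you.

```shell
#!/bin/sh
# Added example (not the chart's own tooling): validate a values file for the
# keys the chart requires, then assemble the install command.
set -eu

# Constructed sample values file, equivalent to the "Simple" example below.
write_sample_values() {
  cat > "$1" <<'EOF'
config:
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  fqdn: shell.example.com
EOF
}

# Returns 0 when the required keys are present and non-empty.
# awk tracks the current top-level key (2-space indent = child, 4-space = grandchild),
# so "secret:" only counts when it sits under "config:", not anywhere in the file.
check_required_values() {
  awk '
    /^[A-Za-z]/   { top=$1; sub(":", "", top); mid="" }
    /^  [A-Za-z]/ { mid=$1; sub(":", "", mid) }
    top=="config"  && /^  secret:/ && $2!="" && $2!="\"\"" { secret=1 }
    top=="ingress" && /^  fqdn:/   && $2!="" && $2!="\"\"" { fqdn=1 }
    top=="postgresql" && /^  enabled:/ && $2=="false" { pg_external=1 }
    top=="postgresql" && mid=="external" && /^    host:/ && $2!="" { pg_host=1 }
    top=="postgresql" && mid=="external" && /^    port:/ && $2!="" { pg_port=1 }
    END {
      if (!secret) { print "missing config.secret" > "/dev/stderr"; bad=1 }
      if (!fqdn)   { print "missing ingress.fqdn" > "/dev/stderr"; bad=1 }
      if (pg_external && !(pg_host && pg_port)) {
        print "postgresql.enabled is false but postgresql.external.host/port are not set" > "/dev/stderr"
        bad=1
      }
      exit bad
    }
  ' "$1"
}

# Build (but do not run) the install command. CHART_REF is a placeholder for the
# OCI reference Cased provides; release and namespace default to "cased-shell".
helm_install_cmd() {
  values="$1"
  release="${2:-cased-shell}"
  namespace="${3:-cased-shell}"
  chart_ref="${CHART_REF:-oci://REGISTRY.example/cased/shell}"
  printf 'helm upgrade --install %s %s --namespace %s --create-namespace --values %s\n' \
    "$release" "$chart_ref" "$namespace" "$values"
}

main() {
  tmp=$(mktemp)
  write_sample_values "$tmp"
  if check_required_values "$tmp"; then
    echo "values file OK; install with:"
    helm_install_cmd "$tmp"
  else
    echo "fix the values file before installing" >&2
    rm -f "$tmp"
    exit 1
  fi
  rm -f "$tmp"
}

main
```

Run the check against your real values file before every helm upgrade; a missing config.secret or ingress.fqdn otherwise only surfaces once the release is already rolling out.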

Example values files

Simple

config:
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  fqdn: shell.example.com

AWS EKS, ELB, RDS, and S3

config:
  secret: 476777626aae4d0daea431610c7a09ef
  # Configure the application to store session logs in an S3 bucket
  objectStorageBackend: s3
# Use https://github.com/kubernetes-sigs/aws-load-balancer-controller to route traffic
# Use https://github.com/kubernetes-sigs/external-dns to manage DNS records
ingress:
  enabled: true
  fqdn: helm-alb-example.route53-hosted-zone.example.com
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/target-type: 'ip'
    alb.ingress.kubernetes.io/scheme: internet-facing
    # optional, can be used if certificate autodetection doesn't work or doesn't detect the right cert
    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:5938688156789:certificate/59386881-b1dc-43d0-b671-5f7c65a28746
    external-dns.alpha.kubernetes.io/hostname: helm-aws-example.route53-hosted-zone.example.com
# Use an existing RDS instance for relational data
postgresql:
  enabled: false
  auth:
    database: 'cased'
    username: 'cased'
    password: '05c28cf475dc'
  external:
    host: db20221110151837801900000001.kvrpfqcjbhkd.us-west-2.rds.amazonaws.com
    port: 5432
# S3 settings used when config.objectStorageBackend is "s3"
aws:
  region: us-west-2
  s3:
    bucket: example-cased-shell-bucket
  key:
    access: SECRET
    secret: SECRET

NGINX Ingress with cert-manager

config:
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  enabled: true
  fqdn: 'nginx-cased-shell.shell.example.com'
  secretName: 'cased-shell-letsencrypt-production'
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'

Values

Each entry lists the key, its type and default, followed by its description.

aws.key.access (string, default: nil)
    AWS access key ID to use for object storage. Only used if objectStorageBackend is "s3".

aws.key.secret (string, default: nil)
    AWS secret access key to use for object storage. Only used if objectStorageBackend is "s3".

aws.region (string, default: "us-east-1")
    AWS region to communicate with, defaults to us-east-1. Only used if objectStorageBackend is "s3".

aws.s3.bucket (string, default: nil)
    AWS S3 bucket name to use for object storage. Only used if objectStorageBackend is "s3".

aws.s3.endpoint (string, default: nil)
    AWS S3 API endpoint to use, defaults to upstream S3. Only used if objectStorageBackend is "s3".

aws.s3.signatureVersion (string, default: nil)
    Allows configuring the AWS S3 API signatureVersion if necessary when using a custom implementation. Only used if objectStorageBackend is "s3".

config.image (string, default: "ghcr.io/cased/shell:v2.2.2")
    Image to use for Cased Shell.

config.jump (string, default: "")
    Jump configuration YAML; describe your prompts here. See https://github.com/cased/jump.

config.jumpResources (object, default: {})
    Resource requests and limits for the Jump container.

config.log_level (string, default: "info")
    Set this to 'debug' for more verbose logging.

config.objectStorageBackend (string, default: "pvc")
    Backend to use for object storage. Defaults to "pvc", which uses values from persistence.*. "s3" is also supported, which uses values from aws.s3.* or access granted via shell.serviceAccount.name.

config.secret (string, default: "")
    The CASED_SHELL_SECRET value obtained from our authentication server. Required.

config.serviceAccount.annotations (object, default: {})
    Annotations to add to the service account if one is created. Can be used to associate the created service account with an existing AWS IAM role or GCP Workload Identity.

config.serviceAccount.create (bool, default: true)

config.serviceAccount.name (string, default: nil)
    Name of the service account to use for the shell and jump containers. If you've created a service account with access to your object storage backend, you can use that here.

config.shellResources (object, default: {})
    Resource requests and limits for the Shell container.

config.vaultInitResources (object, default: {})
    Resource requests and limits for the Vault initialization containers.

imagePullSecrets (list, default: [])
    imagePullSecrets added to all in-chart Pod specs.

ingress.annotations (object, default: {})
    Set annotations for your Ingress provider here.

ingress.enabled (bool, default: true)
    Set to false to skip the creation of an ingress resource.

ingress.fqdn (string, default: "shell.example.com")
    Hostname to use for the ingress. Required.

ingress.ingressClassName (string, default: nil)
    Set if required by your Ingress provider. Required if you have more than one IngressClass marked as the default for your cluster.

ingress.secretName (string, default: "")
    Set if your ingress implementation requires a secretName.

persistence (object, default: {"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","size":"8Gi","storageClass":"","subPath":""})
    Persistence settings for object storage. Only used if shell.objectStorageBackend is set to "pvc".

podAnnotations (object, default: {})
    Annotations added to all in-chart Pods.

postgresql.auth.database (string, default: "shell")
    Name of the database created. Also used in the application's client connection configuration.

postgresql.auth.password (string, default: "shell")
    Password assigned to the created user. Also used in the application's client connection configuration.

postgresql.auth.username (string, default: "cased")
    Name of the user created. Also used in the application's client connection configuration.

postgresql.enabled (bool, default: true)
    Creates a PostgreSQL deployment for storing the application's relational data using a subchart. If disabled, postgresql.auth.* and postgresql.external.* must be set to connect to an existing PostgreSQL database.

postgresql.external.host (string, default: "")
    External PostgreSQL database host. Required if postgresql.enabled is false.

postgresql.external.port (string, default: "")
    External PostgreSQL database port. Required if postgresql.enabled is false.

postgresql.persistence (object, default: {"accessModes":["ReadWriteOnce"],"annotations":{},"dataSource":{},"enabled":true,"existingClaim":"","labels":{},"mountPath":"/bitnami/postgresql","selector":{},"size":"8Gi","storageClass":"","subPath":""})
    PostgreSQL primary persistence configuration.

postgresql.service.type (string, default: "ClusterIP")

postgresql.sslMode (string, default: "prefer")
    Configures the PostgreSQL client SSL mode.

postgresql.tls.autoGenerated (bool, default: true)
    Automatically generates self-signed TLS certificates for the embedded PostgreSQL deployment if enabled.

postgresql.tls.enabled (bool, default: true)
    Controls the TLS config of the embedded PostgreSQL deployment.

rbac.create (bool, default: true)
    Disable to skip the creation of Roles and RoleBindings for the optional SSHD deployment.

service.annotations (object, default: {})
    Set annotations on the created service if required.

service.port (int, default: 8443)
    Backend port to use for the service. Change to 8888 if you require HTTP.

service.protocol (string, default: "https")
    Protocol to use for the service. Change to http to use port 8888 above.

service.type (string, default: "ClusterIP")
    Type of service to create.

sshd.enabled (bool, default: true)
    Set to false to skip the creation of an SSHD service.

sshd.image (string, default: "ghcr.io/cased/sshd-demo:v2.2.2")
    Image to use for the included endpoint. This image runs an OpenSSH server and contains an app user configured to automatically allow connections that include a valid certificate signed by your Cased Shell CA. kubectl is included, and /etc/profile.d/k8s.sh configures it for in-cluster access. To include your own utilities or configure access to your own cluster, you may use this image as a base image and refer to your customized image here.

sshd.resources (object, default: {})
    Resource requests and limits for the SSHD container.

sshd.role.rules (list, default: [{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}])
    The rules to apply to the role created for the SSHD service account. This role is only created if rbac.create is enabled.

sshd.serviceAccount.annotations (object, default: {})
    Annotations to add to the service account if one is created. Can be used to associate the created service account with an existing AWS IAM role or GCP Workload Identity.

sshd.serviceAccount.create (bool, default: true)
    Specifies whether a ServiceAccount should be created.

sshd.serviceAccount.name (string, default: nil)
    The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template.

vault (object, default: {"enabled":true,"injector":{"enabled":false},"secretName":"","server":{"authDelegator":{"enabled":false},"dataStorage":{"accessMode":"ReadWriteOnce","annotations":{},"enabled":true,"mountPath":"/vault/data","size":"10Gi","storageClass":null},"standalone":{"enabled":true}}})
    Configures secret storage using the vault subchart.

vault.enabled (bool, default: true)
    Deploy the vault subchart.

vault.secretName (string, default: "")
    Name of the secret containing VAULT_ADDR and VAULT_TOKEN. Required if enabled is false. If not set and enabled is true, a name is generated using the fullname template.