Installing with Helm
Overview of installing Cased Shell with Helm.
- Construct a values file using the reference below, making sure to set `config.secret` and `ingress.fqdn` plus any other values your deployment requires: `postgresql.*` values control where relational data is stored, `vault.*` values control where secrets are stored, and `config.objectStorageBackend` controls where object storage (session logs) is kept. Keep `config.secret` and database credentials out of version control; pass them at install time with `--set` or `--set-file` from your CI/CD secret store.
- Install the chart using `helm install`, `helm upgrade --install`, or your preferred CI/CD system.
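The requirements in the steps above (the two required keys, the conditional `postgresql.*`, `aws.*` and `vault.*` settings, and the chart's default database password) can be checked before `helm install` runs. The script below is an added example, not part of the chart or of Cased's tooling: it parses the nested-mapping subset of YAML that values files use, refuses a values file that repeats a top-level key (a second `config:` block would silently replace the first in most YAML loaders), and then applies the rules stated on this page. The sample values are constructed from this page's examples; the finding texts and the `lint`/`load_values` names are the example's own.

```python
"""Preflight lint for a Cased Shell Helm values file (added example, not chart code)."""
from typing import Any, Dict, List, Tuple


def load_values(text: str) -> Dict[str, Any]:
    """Parse nested mappings with scalar leaves; '#' comments are ignored.
    Unlike yaml.safe_load, a key repeated at the same level raises instead of
    keeping the last definition. Lists are out of scope for this lint."""
    root: Dict[str, Any] = {}
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]  # (indent, mapping)
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comment
        if line.lstrip().startswith("- "):
            raise ValueError(f"line {lineno}: lists are not supported by this lint")
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if key in parent:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        value = value.strip()
        if value == "":  # a nested mapping follows on indented lines
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            value = value.strip("'\"")
            parent[key] = {"true": True, "false": False}.get(value, value)
    return root


def _get(values: Dict[str, Any], path: str, default: Any = None) -> Any:
    node: Any = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lint(values: Dict[str, Any]) -> List[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    findings: List[str] = []
    for required in ("config.secret", "ingress.fqdn"):
        if not _get(values, required):
            findings.append(f"ERROR: {required} is required")
    if _get(values, "postgresql.enabled", True) is False:
        # subchart disabled: the application connects to an existing database
        for key in ("auth.database", "auth.username", "auth.password",
                    "external.host", "external.port"):
            if not _get(values, f"postgresql.{key}"):
                findings.append(f"ERROR: postgresql.{key} is required when postgresql.enabled is false")
    elif _get(values, "postgresql.auth.password", "shell") == "shell":
        findings.append("WARN: postgresql.auth.password is the chart default 'shell'")
    backend = _get(values, "config.objectStorageBackend", "pvc")
    if backend == "s3":
        if not _get(values, "aws.s3.bucket"):
            findings.append("ERROR: aws.s3.bucket is required when config.objectStorageBackend is s3")
        if _get(values, "aws.key.access") or _get(values, "aws.key.secret"):
            findings.append("WARN: static AWS keys in values; prefer an IAM role bound via config.serviceAccount.annotations")
        elif not (_get(values, "config.serviceAccount.name")
                  or _get(values, "config.serviceAccount.annotations")):
            findings.append("ERROR: no aws.key.* and no service account granting S3 access")
    elif backend != "pvc":
        findings.append(f"ERROR: unsupported config.objectStorageBackend {backend!r}")
    if _get(values, "vault.enabled", True) is False and not _get(values, "vault.secretName"):
        findings.append("ERROR: vault.secretName is required when vault.enabled is false")
    return findings


# Constructed sample values, modelled on the examples on this page.
SIMPLE_VALUES = """\
config:
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  fqdn: shell.example.com
"""

AWS_VALUES = """\
config:
  secret: 476777626aae4d0daea431610c7a09ef
  objectStorageBackend: s3
ingress:
  enabled: true
  fqdn: helm-alb-example.route53-hosted-zone.example.com
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
postgresql:
  enabled: false
  auth:
    database: 'cased'
    username: 'cased'
    password: '05c28cf475dc'
  external:
    host: db20221110151837801900000001.kvrpfqcjbhkd.us-west-2.rds.amazonaws.com
    port: 5432
aws:
  region: us-west-2  # listed as aws.region in the values reference
  s3:
    bucket: example-cased-shell-bucket
  key:
    access: SECRET
    secret: SECRET
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else AWS_VALUES
    for finding in lint(load_values(text)) or ["OK: no findings"]:
        print(finding)
```

Run it as `python lint_values.py values.yaml` (the filename is the example's own choice); a non-empty list of `ERROR` findings is a reason to stop the pipeline before `helm upgrade --install`, while `WARN` findings point at the settings a reviewer should question. The parser deliberately does not try to be a full YAML implementation: it covers the shape used by this chart's values and makes the duplicate-key mistake loud instead of silent.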
Simple
```yaml
config:
  # CASED_SHELL_SECRET obtained from the Cased authentication server
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  fqdn: shell.example.com
```
AWS EKS, ELB, RDS, and S3
```yaml
config:
  secret: 476777626aae4d0daea431610c7a09ef
  # Store session logs in an S3 bucket instead of the default PVC
  objectStorageBackend: s3
# Use https://github.com/kubernetes-sigs/aws-load-balancer-controller to route traffic
# Use https://github.com/kubernetes-sigs/external-dns to manage DNS records
ingress:
  enabled: true
  fqdn: helm-alb-example.route53-hosted-zone.example.com
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    # the chart's service speaks HTTPS on 8443 by default (service.protocol / service.port)
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/target-type: 'ip'
    alb.ingress.kubernetes.io/scheme: internet-facing
    # optional, can be used if certificate autodetection doesn't work or doesn't detect the right cert
    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:5938688156789:certificate/59386881-b1dc-43d0-b671-5f7c65a28746
    # must match ingress.fqdn so the record external-dns creates points at this Ingress
    external-dns.alpha.kubernetes.io/hostname: helm-alb-example.route53-hosted-zone.example.com
# Use an existing RDS instance for relational data (disables the PostgreSQL subchart)
postgresql:
  enabled: false
  auth:
    database: 'cased'
    username: 'cased'
    password: '05c28cf475dc'
  external:
    host: db20221110151837801900000001.kvrpfqcjbhkd.us-west-2.rds.amazonaws.com
    port: 5432
# Access to the S3 bucket that holds session logs
aws:
  region: us-west-2  # listed as aws.region (not aws.s3.region) in the values reference below
  s3:
    bucket: example-cased-shell-bucket
  # Static keys are shown for completeness; prefer binding an IAM role to the pod
  # through config.serviceAccount.annotations and leaving aws.key.* unset.
  key:
    access: SECRET
    secret: SECRET
```
NGINX Ingress Controller and cert-manager
```yaml
config:
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  enabled: true
  fqdn: 'nginx-cased-shell.shell.example.com'
  # cert-manager stores the issued certificate in this Secret
  secretName: 'cased-shell-letsencrypt-production'
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: nginx
    # the chart's service speaks HTTPS on 8443 by default (service.protocol / service.port)
    nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'
```
Key | Description | Default | Type |
---|---|---|---|
aws.key.access | AWS access key ID to use for object storage. Only used if objectStorageBackend is "s3". | nil | string |
aws.key.secret | AWS secret access key to use for object storage. Only used if objectStorageBackend is "s3". | nil | string |
aws.region | AWS region to communicate with, defaults to us-east-1. Only used if objectStorageBackend is "s3". | "us-east-1" | string |
aws.s3.bucket | AWS S3 bucket name to use for object storage. Only used if objectStorageBackend is "s3". | nil | string |
aws.s3.endpoint | AWS S3 API endpoint to use, defaults to upstream S3. Only used if objectStorageBackend is "s3". | nil | string |
aws.s3.signatureVersion | Allows configuring the AWS S3 API signatureVersion if necessary when using a custom implementation. Only used if objectStorageBackend is "s3". | nil | string |
config.image | Image to use for Cased Shell. | "ghcr.io/cased/shell:v2.2.2" | string |
config.jump | Jump configuration YAML - describe your prompts here. See https://github.com/cased/jump. | "" | string |
config.jumpResources | Resource requests and limits for the Jump container. | {} | object |
config.log_level | Set this to 'debug' for more verbose logging. | "info" | string |
config.objectStorageBackend | Backend to use for object storage. Defaults to "pvc", which uses values from persistence.* . "s3" is also supported, which uses values from aws.* (static keys) or access granted to the service account named by config.serviceAccount.name . | "pvc" | string |
config.secret | The CASED_SHELL_SECRET value obtained from our authentication server. Required. | "" | string |
config.serviceAccount.annotations | Annotations to add to the service account if one is created. Can be used to associate the created service account with an existing AWS IAM role or GCP Workload Identity. | {} | object |
config.serviceAccount.create | Specifies whether a ServiceAccount should be created for the shell and jump containers. | true | bool |
config.serviceAccount.name | Name of the service account to use for the shell and jump containers. If you've created a service account with access to your object storage backend, you can use that here. | nil | string |
config.shellResources | Resource requests and limits for the Shell container. | {} | object |
config.vaultInitResources | Resource requests and limits for the Vault initialization containers. | {} | object |
imagePullSecrets | imagePullSecrets added to all in-chart Pod specs. | [] | list |
ingress.annotations | Set annotations for your Ingress provider here. | {} | object |
ingress.enabled | Set to false to skip the creation of an ingress resource. | true | bool |
ingress.fqdn | Hostname to use for the ingress. Required. | "shell.example.com" | string |
ingress.ingressClassName | Set if required by your Ingress provider. Required if you have more than one IngressClass marked as the default for your cluster. | nil | string |
ingress.secretName | Set if your ingress implementation requires a secretName. | "" | string |
persistence | Persistence settings for object storage. Only used if config.objectStorageBackend is set to "pvc". | {"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","size":"8Gi","storageClass":"","subPath":""} | object |
podAnnotations | Annotations added to all in-chart Pods. | {} | object |
postgresql.auth.database | Name of the database created. Also used in the application's client connection configuration. | "shell" | string |
postgresql.auth.password | Password assigned to the created user. Also used in the application's client connection configuration. | "shell" | string |
postgresql.auth.username | Name of the user created. Also used in the application's client connection configuration. | "cased" | string |
postgresql.enabled | Creates a PostgreSQL deployment for storing the application's relational data using a subchart. If disabled, postgresql.auth.* and postgresql.external.* must be set to connect to an existing PostgreSQL database. | true | bool |
postgresql.external.host | External PostgreSQL database host. Required if postgresql.enabled is false. | "" | string |
postgresql.external.port | External PostgreSQL database port. Required if postgresql.enabled is false. | "" | string |
postgresql.persistence | PostgreSQL Primary persistence configuration | {"accessModes":["ReadWriteOnce"],"annotations":{},"dataSource":{},"enabled":true,"existingClaim":"","labels":{},"mountPath":"/bitnami/postgresql","selector":{},"size":"8Gi","storageClass":"","subPath":""} | object |
postgresql.service.type | Type of service to create for the embedded PostgreSQL deployment. | "ClusterIP" | string |
postgresql.sslMode | SSL mode used for the application's client connection to PostgreSQL. | "prefer" | string |
postgresql.tls.autoGenerated | Generates automatically self-signed TLS certificates for the embedded PostgreSQL deployment if enabled. | true | bool |
postgresql.tls.enabled | Controls the TLS config of the embedded PostgreSQL deployment. | true | bool |
rbac.create | Disable to skip the creation of Roles and RoleBindings for the optional SSHD deployment. | true | bool |
service.annotations | Set annotations on the created service if required. | {} | object |
service.port | Backend port to use for the service. Change to 8888 if you require HTTP. | 8443 | int |
service.protocol | Protocol to use for the service. Change to http to use port 8888 above. | "https" | string |
service.type | Type of service to create. | "ClusterIP" | string |
sshd.enabled | Set to false to skip the creation of a SSHD service. | true | bool |
sshd.image | Image to use for the included endpoint. This image runs an OpenSSH server and contains an app user configured to automatically allow connections that include a valid certificate signed by your Cased Shell CA. kubectl is included, and /etc/profile.d/k8s.sh configures it for in-cluster access. To include your own utilities or configure access to your own cluster, you may use this image as a base image and refer to your customized image here. | "ghcr.io/cased/sshd-demo:v2.2.2" | string |
sshd.resources | Resource requests and limits for the SSHD container. | {} | object |
sshd.role.rules | The rules to apply to the role created for the SSHD service account. This role is only created if rbac.create is enabled. | [{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}] | list |
sshd.serviceAccount.annotations | Annotations to add to the service account if one is created. Can be used to associate the created service account with an existing AWS IAM role or GCP Workload Identity. | {} | object |
sshd.serviceAccount.create | Specifies whether a ServiceAccount should be created. | true | bool |
sshd.serviceAccount.name | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | nil | string |
vault | Configures secret storage using vault subchart. | {"enabled":true,"injector":{"enabled":false},"secretName":"","server":{"authDelegator":{"enabled":false},"dataStorage":{"accessMode":"ReadWriteOnce","annotations":{},"enabled":true,"mountPath":"/vault/data","size":"10Gi","storageClass":null},"standalone":{"enabled":true}}} | object |
vault.enabled | Deploy vault subchart. | true | bool |
vault.secretName | Name of the secret containing VAULT_ADDR and VAULT_TOKEN. Required if vault.enabled is false. If not set and vault.enabled is true, a name is generated using the fullname template. | "" | string |