Cased Documentation

Installing with Helm

Overview on installing Cased Shell with Helm.

Installation

The Chart for Cased Shell is distributed as an OCI image. Contact Cased for access to the image.
Construct a values file using the documentation below as a reference, making sure to set config.secret and ingress.fqdn as well as any other values required for your deployment:
  • postgresql.* values influence where relational data is stored.
  • vault.* values influence where secrets are stored.
  • config.objectStorageBackend configures object storage.
Install the Chart using helm install, helm upgrade --install, or using your preferred CI/CD system.

Example values files

Simple Example

config:
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  fqdn: shell.example.com

AWS EKS, ELB, RDS, and S3

config:
  secret: 476777626aae4d0daea431610c7a09ef
  # Configure the application to store session logs in an S3 bucket
  objectStorageBackend: s3
# Use https://github.com/kubernetes-sigs/aws-load-balancer-controller to route traffic
# Use https://github.com/kubernetes-sigs/external-dns to manage DNS records
ingress:
  enabled: true
  fqdn: helm-alb-example.route53-hosted-zone.example.com
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/target-type: 'ip'
    alb.ingress.kubernetes.io/scheme: internet-facing
    # optional, can be used if certificate autodetection doesn't work or doesn't detect the right cert
    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:5938688156789:certificate/59386881-b1dc-43d0-b671-5f7c65a28746
    external-dns.alpha.kubernetes.io/hostname: helm-aws-example.route53-hosted-zone.example.com
# Use an existing RDS instance for relational data
postgresql:
  enabled: false
  auth:
    database: 'cased'
    username: 'cased'
    password: '05c28cf475dc'
  external:
    host: db20221110151837801900000001.kvrpfqcjbhkd.us-west-2.rds.amazonaws.com
    port: 5432
# Credentials for the S3 bucket; alternatively grant access via the service account
aws:
  s3:
    bucket: example-cased-shell-bucket
    region: us-west-2
    key:
      access: SECRET
      secret: SECRET

NGINX Ingress and cert-manager

config:
  secret: 476777626aae4d0daea431610c7a09ef
ingress:
  enabled: true
  fqdn: 'nginx-cased-shell.shell.example.com'
  secretName: 'cased-shell-letsencrypt-production'
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: 'HTTPS'
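The values files above are easy to get subtly wrong: a required key left at an example value, an external database enabled without its connection settings, or a copied `SECRET` placeholder shipped as a real credential. The script below is an added example, not part of the Cased chart or its documentation. It encodes the requirements stated in the Values reference (config.secret and ingress.fqdn required; postgresql.auth.* and postgresql.external.* required when postgresql.enabled is false; aws.s3.* used when objectStorageBackend is "s3"; vault.secretName required when vault.enabled is false) as a pre-flight check, writes the values as JSON (which Helm accepts in place of YAML), and builds the helm upgrade --install command. The sample values, hostnames and the oci://REGISTRY/PATH/cased-shell chart reference are constructed placeholders; Cased supplies the real OCI reference.

```python
"""Pre-flight check for a Cased Shell values file before `helm upgrade --install`.

Added example, not part of the Cased chart. The rules below are taken from the
chart's documented requirements: config.secret and ingress.fqdn are required;
postgresql.auth.* and postgresql.external.* are required when postgresql.enabled
is false; aws.s3.* is used when objectStorageBackend is "s3"; vault.secretName is
required when vault.enabled is false.
"""
import json
import shlex

# Constructed sample modelled on the AWS values file above. Hostnames and
# credentials are illustrative placeholders, not real infrastructure.
SAMPLE_VALUES = {
    "config": {"secret": "476777626aae4d0daea431610c7a09ef",
               "objectStorageBackend": "s3"},
    "ingress": {"enabled": True, "fqdn": "shell.example.com"},
    "postgresql": {
        "enabled": False,
        "auth": {"database": "cased", "username": "cased", "password": "05c28cf475dc"},
        "external": {"host": "db.example.internal", "port": 5432},
    },
    "aws": {"s3": {"bucket": "example-cased-shell-bucket", "region": "us-west-2",
                   "key": {"access": "SECRET", "secret": "SECRET"}}},
}

# Values that mean "not really set": missing, empty, or a copied placeholder.
PLACEHOLDERS = {None, "", "SECRET", "CHANGEME"}


def lookup(values, dotted):
    """Return the value at a dotted path such as 'postgresql.external.host', or None."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_values(values):
    """Return a list of problems; an empty list means the values pass every rule."""
    problems = []
    for key in ("config.secret", "ingress.fqdn"):
        if lookup(values, key) in PLACEHOLDERS:
            problems.append(f"{key} must be set")
    if lookup(values, "postgresql.enabled") is False:
        for key in ("postgresql.auth.database", "postgresql.auth.username",
                    "postgresql.auth.password", "postgresql.external.host",
                    "postgresql.external.port"):
            if lookup(values, key) in PLACEHOLDERS:
                problems.append(f"{key} is required when postgresql.enabled is false")
    backend = lookup(values, "config.objectStorageBackend") or "pvc"
    if backend == "s3":
        if lookup(values, "aws.s3.bucket") in PLACEHOLDERS:
            problems.append("aws.s3.bucket is required when objectStorageBackend is s3")
        # Static keys are optional (a service account bound to an IAM role is the
        # alternative), but a placeholder copied from an example must not ship.
        for key in ("aws.s3.key.access", "aws.s3.key.secret"):
            value = lookup(values, key)
            if value is not None and value in PLACEHOLDERS:
                problems.append(f"{key} is a placeholder; supply a real value or use a service account")
    if lookup(values, "vault.enabled") is False and lookup(values, "vault.secretName") in PLACEHOLDERS:
        problems.append("vault.secretName is required when vault.enabled is false")
    return problems


def helm_command(release, chart_ref, values_path, namespace):
    """argv for an idempotent install-or-upgrade; --atomic rolls back a failed upgrade."""
    return ["helm", "upgrade", "--install", release, chart_ref,
            "--namespace", namespace, "--create-namespace",
            "--values", values_path, "--atomic"]


def write_values(values, path):
    """Write the values as JSON; Helm reads JSON wherever it accepts a YAML values file."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(values, fh, indent=2)
        fh.write("\n")


if __name__ == "__main__":
    found = check_values(SAMPLE_VALUES)
    for problem in found:
        print("problem:", problem)
    if not found:
        write_values(SAMPLE_VALUES, "values.json")
        # The chart reference is a placeholder: Cased supplies the real OCI reference.
        print(shlex.join(helm_command("cased-shell", "oci://REGISTRY/PATH/cased-shell",
                                      "values.json", "cased")))
```

Run as written, the sample fails on its two `SECRET` placeholders and prints no helm command; replace them with real credentials (or drop aws.s3.key.* and grant bucket access through the service account) and it writes values.json and prints the install command. The chart does not document the keys that couple the service port and protocol to tlsMode, so that rule is left out rather than guessed.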

Values

The key column of this table is only partly recoverable; rows whose key is not stated elsewhere on this page have it left blank.

| Key | Description | Default | Type |
| --- | --- | --- | --- |
| aws.s3.key.access | AWS access key ID to use for object storage. Only used if objectStorageBackend is "s3". | nil | string |
| aws.s3.key.secret | AWS secret access key to use for object storage. Only used if objectStorageBackend is "s3". | nil | string |
| aws.s3.region | AWS region to communicate with, defaults to us-east-1. Only used if objectStorageBackend is "s3". | "us-east-1" | string |
| aws.s3.bucket | AWS S3 bucket name to use for object storage. Only used if objectStorageBackend is "s3". | nil | string |
| | AWS S3 API endpoint to use, defaults to upstream S3. Only used if objectStorageBackend is "s3". | nil | string |
| | Allows configuring the AWS S3 API signatureVersion if necessary when using a custom implementation. Only used if objectStorageBackend is "s3". | nil | string |
| | Image to use for Cased Shell. | "ghcr.io/cased/shell:v2.2.1" | string |
| | Jump configuration YAML - describe your prompts here. See https://github.com/cased/jump. | "" | string |
| | Resource requests and limits for the Jump container. | {} | object |
| config.objectStorageBackend | Backend to use for object storage. Defaults to "pvc", which uses values from persistence.*. "s3" also supported, which uses values from aws.s3.* or access granted via shell.serviceAccount.name. | "pvc" | string |
| config.secret | The CASED_SHELL_SECRET value obtained from our authentication server. Required. | "" | string |
| | Annotations to add to the service account if one is created. Can be used to associate the created service account with an existing AWS IAM role or GCP Workload Identity. | {} | object |
| | | true | bool |
| shell.serviceAccount.name | Name of the service account to use for the shell and jump containers. If you've created a service account with access to your object storage backend, you can use that here. | nil | string |
| | Resource requests and limits for the Shell container. | {} | object |
| shell.tlsMode | TLS configuration. "internal" creates self-signed certs, "off" disables the TLS listener on port 8443 and instead listens on port 8888. | "internal" | string |
| | Resource requests and limits for the Vault initialization containers. | {} | object |
| | imagePullSecrets added to all in-chart Pod specs. | [] | list |
| ingress.annotations | Set annotations for your Ingress provider here. | {} | object |
| ingress.enabled | Set to false to skip the creation of an ingress resource. | true | bool |
| ingress.fqdn | Hostname to use for the ingress. Required. | "shell.example.com" | string |
| ingress.secretName | Set if your ingress implementation requires a secretName. | "" | string |
| persistence | Persistence settings for object storage. Only used if shell.objectStorageBackend is set to "pvc". | {"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","size":"8Gi","storageClass":"","subPath":""} | object |
| | Annotations added to all in-chart Pods. | {} | object |
| postgresql.auth.database | Name of the database created. Also used in the application's client connection configuration. | "shell" | string |
| postgresql.auth.password | Password assigned to the created user. Also used in the application's client connection configuration. | "shell" | string |
| postgresql.auth.username | Name of the user created. Also used in the application's client connection configuration. | "cased" | string |
| postgresql.enabled | Creates a PostgreSQL deployment for storing the application's relational data using a subchart. If disabled, postgresql.auth.* and postgresql.external.* must be set to connect to an existing PostgreSQL database. | true | bool |
| postgresql.external.host | External PostgreSQL database host. Required if postgresql.enabled is false. | "" | string |
| postgresql.external.port | External PostgreSQL database port. Required if postgresql.enabled is false. | "" | string |
| | PostgreSQL primary persistence configuration. | {"accessModes":["ReadWriteOnce"],"annotations":{},"dataSource":{},"enabled":true,"existingClaim":"","labels":{},"mountPath":"/bitnami/postgresql","selector":{},"size":"8Gi","storageClass":"","subPath":""} | object |
| | | "ClusterIP" | string |
| | Configures the PostgreSQL client ssl mode. | "prefer" | string |
| | Automatically generates self-signed TLS certificates for the embedded PostgreSQL deployment if enabled. | true | bool |
| | Controls the TLS config of the embedded PostgreSQL deployment. | true | bool |
| rbac.create | Disable to skip the creation of Roles and RoleBindings for the optional SSHD deployment. | true | bool |
| | Backend port to use for the service. Change to 8888 if shell.tlsMode is "off". | 8443 | int |
| | Protocol to use for the service. Change to "http" if shell.tlsMode is "off". | "https" | string |
| | Type of service to create. | "ClusterIP" | string |
| | Set to false to skip the creation of an SSHD service. | true | bool |
| | Image to use for the included endpoint. This image runs an OpenSSH server and contains an app user configured to automatically allow connections that include a valid certificate signed by your Cased Shell CA. kubectl is included and /etc/profile.d/k8s.sh configures it for in-cluster access. To include your own utilities or configure access to your own cluster, you may use this image as a base image and refer to your customized image here. | "ghcr.io/cased/sshd-demo:v2.2.1" | string |
| | Resource requests and limits for the SSHD container. | {} | object |
| | The rules to apply to the role created for the SSHD service account. This role is only created if rbac.create is enabled. | [{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}] | list |
| | Annotations to add to the service account if one is created. Can be used to associate the created service account with an existing AWS IAM role or GCP Workload Identity. | {} | object |
| | Specifies whether a ServiceAccount should be created. | true | bool |
| | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | nil | string |
| vault | Configures secret storage using the vault subchart. | {"enabled":true,"injector":{"enabled":false},"secretName":"","server":{"authDelegator":{"enabled":false},"dataStorage":{"accessMode":"ReadWriteOnce","annotations":{},"enabled":true,"mountPath":"/vault/data","size":"10Gi","storageClass":null},"standalone":{"enabled":true}}} | object |
| vault.enabled | Deploy the vault subchart. | true | bool |
| vault.secretName | Name of the secret containing VAULT_ADDR and VAULT_TOKEN. Required if vault.enabled is false. If not set and vault.enabled is true, a name is generated using the fullname template. | "" | string |