infra: Community OSS helm chart #1036

45 changes: 44 additions & 1 deletion README.md
Expand Up @@ -65,7 +65,50 @@ terraform apply

### Run Tracecat on Kubernetes

Coming soon.
#### Helm Chart

There is a community contributed helm chart available in this git repo. This chart will deploy Tracecat pods, as well
as a Temporal pod, but will not deploy Postgres. You can optionally disable the Temporal pod and point to an existing
Temporal cluster if desired. You can deploy the chart by cloning this repo and running `helm install`:

```bash
git clone https://github.com/TracecatHQ/tracecat.git
helm install tracecat ./helm/tracecat
```

You'll also need to create a kubernetes Secret to contain sensitive values. By default, the chart expects this secret
to be called `tracecat-envvars`. You'll need to fill in all of the applicable values:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: tracecat-envvars
namespace: ""
type: Opaque
stringData:
# Used to encrypt/decrypt sensitive keys in the database
# Can be generated using `python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"`
databaseEncryptionKey: "your-tracecat-db-fernet-key"
# Used to authenticate with Tracecat services
# Can be generated using `openssl rand -hex 32`
serviceKey: "your-tracecat-service-key"
# Used to generate private webhook URLs
# Can be generated using `openssl rand -hex 32`
signingSecret: ""
# URI used for Tracecat database. NOTE: The helm chart assumes this database already exists!
databaseUri: "postgresql+psycopg://your-tracecat-postgres-user:your-tracecat-postgres-password@postgres_host:5432/database"
# Password used by Temporal to connect to its database. NOTE: this is just the password, not a full URI
temporalDatabasePassword: "temporal"
# Google OAuth settings
oauthClientId: ""
oauthClientSecret: ""
userAuthSecret: "your-auth-secret"
```

Refer to [values.yaml](helm/chart/values.yaml) for the full list of default values.

> NOTE: The versioning scheme of the helm chart differs from the versioning scheme of Tracecat itself.

## Community

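--- a/helm/tracecat/Chart.yaml
+++ b/helm/tracecat/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: tracecat
+type: application
+version: 0.1.0
+appVersion: "0.31.4"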
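--- a/helm/tracecat/templates/_helpers.tpl
+++ b/helm/tracecat/templates/_helpers.tpl
@@ -0,0 +1,84 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Set the chart fullname
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the labels spec).
+We change "+" with "_" for OCI compatibility
+*/}}
+{{- define "chart.fullname" -}}
+{{- printf "%s-%s" .Chart.Name (.Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-") -}}
+{{- end }}
+
+{{/*
+Set the chart version
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the labels spec).
+We change "+" with "_" for OCI compatibility
+*/}}
+{{- define "chart.version" -}}
+{{- .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+{{- define "tracecat.image" -}}
+{{ (.image).repository | default "ghcr.io/tracecathq/tracecat" }}:{{ (.image).tag | default "0.31.4" }}
+{{- end }}
+
+{{- define "tracecat.auth.types" -}}
+{{- $value := list "basic" "google_oauth" "saml" }}
+{{- if not .Values.auth.basic.enabled }}
+{{- $value := without $value "basic" }}
+{{- end}}
+{{- if not .Values.auth.google_oauth.enabled }}
+{{- $value := without $value "google_oauth" }}
+{{- end}}
+{{- if not .Values.auth.saml.enabled }}
+{{- $value := without $value "saml" }}
+{{- end}}
+{{- join "," $value }}
+{{- end -}}
+
+{{- define "tracecat.services.api" -}}
+{{ .Values.api.service.name }}:{{ .Values.api.service.port }}
+{{- end }}
+
+{{- define "tracecat.services.executor" -}}
+{{ .Values.executor.service.name }}:{{ .Values.executor.service.port }}
+{{- end }}
+
+{{- define "tracecat.services.temporal" -}}
+{{- if .Values.temporal.enabled -}}
+{{ .Values.temporal.service.name }}:{{ .Values.temporal.service.port }}
+{{- else -}}
+{{ .Values.temporal.cluster_address }}
+{{- end }}
+
+{{- define "tracecat.services.ui" -}}
+{{ .Values.ui.service.name }}:{{ .Values.ui.service.port }}
+{{- end }}
+
+{{- define "tracecat.services.worker" -}}
+{{ .Values.worker.service.name }}:{{ .Values.worker.service.port }}
+{{- end }}
+
+{{- define "tracecat.url.internal_api_url" -}}
+http://{{- include "tracecat.services.api" . }}
+{{- end }}
+
+{{- define "tracecat.url.internal_app_url" -}}
+http://{{- include "tracecat.services.ui" . }}
+{{- end }}
+
+{{- define "tracecat.url.public_api_url" -}}
+{{- if .Values.ingress.tls -}}
+https://{{ .Values.ingress.hostname }}{{ .Values.api.root_path }}
+{{- else -}}
+http://{{ .Values.ingress.hostname }}{{ .Values.api.root_path }}
+{{- end -}}
+{{- end }}
+
+{{- define "tracecat.url.public_app_url" -}}
+{{- if .Values.ingress.tls -}}
+https://{{ .Values.ingress.hostname }}
+{{- else -}}
+http://{{ .Values.ingress.hostname }}
+{{- end }}
+{{- end }}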
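Review bot: The `tracecat.services.temporal` define is never closed — the single `{{- end }}` after `{{ .Values.temporal.cluster_address }}` terminates the `if`/`else`, so the following `{{- define "tracecat.services.ui" -}}` sits inside the temporal define, and to my reading Go's text/template rejects a `define` nested in another, which would make every chart render fail at parse time. Add a second `{{- end }}` directly after the existing one to close the define. Separately, in `tracecat.auth.types` the three `{{- $value := without $value "..." }}` lines declare a fresh `$value` scoped to their `if` block instead of reassigning the outer one, so the helper always renders `basic,google_oauth,saml` whatever is enabled; use plain assignment in all three branches, e.g. `{{- $value = without $value "basic" }}`. The fallback tag `"0.31.4"` in `tracecat.image` is a second copy of `appVersion` that will drift; because the helper is invoked with `.Values.api` as its context it cannot see `.Chart.AppVersion`, so consider passing the root context and defaulting to that instead.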
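--- a/helm/tracecat/templates/api/deployment.yaml
+++ b/helm/tracecat/templates/api/deployment.yaml
@@ -0,0 +1,159 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tracecat-api
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.api.deployment.annotations }}
+  annotations:
+  {{- range $key, $value := .Values.api.deployment.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+  labels:
+    app: tracecat
+    chart: "{{ template "chart.fullname" . }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+    app.kubernetes.io/component: api
+    app.kubernetes.io/name: "{{ .Chart.Name }}"
+    app.kubernetes.io/version: {{ template "chart.version" . }}
+  {{- if .Values.api.deployment.labels }}
+  {{- range $key, $value := .Values.api.deployment.labels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.api.replicaCount }}
+  strategy:
+    type: {{ .Values.api.strategyType }}
+  selector:
+    matchLabels:
+      app: tracecat
+      app.kubernetes.io/component: api
+  template:
+    metadata:
+      {{- if .Values.api.pods.annotations }}
+      annotations:
+      {{- range $key, $value := .Values.api.pods.annotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- end }}
+      labels:
+        app: tracecat
+        app.kubernetes.io/component: api
+        app.kubernetes.io/name: "{{ .Chart.Name }}"
+        app.kubernetes.io/version: {{ template "chart.version" . }}
+      {{- if .Values.api.pods.labels }}
+      {{- range $key, $value := .Values.api.pods.labels}}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- end }}
+    spec:
+      containers:
+      - name: "tracecat-api"
+        image: "{{ include "tracecat.image" .Values.api }}"
+        imagePullPolicy: "{{ ((.Values.api.image).pullPolicy) | default "Always" }}"
+        {{- if .Values.api.resources }}
+        resources:
+{{ toYaml .Values.api.resources | indent 10 }}
+        {{- end }}
+        env:
+        - name: LOG_LEVEL
+          value: "{{ .Values.global.log_level }}"
+        - name: TRACECAT__ALLOW_ORIGINS
+          value: "{{ join "," .Values.api.allowed_origins }}"
+        - name: TRACECAT__API_ROOT_PATH
+          value: "{{ .Values.api.root_path }}"
+        - name: TRACECAT__API_URL
+          value: "http://{{ template "tracecat.services.api" }}"
+        - name: TRACECAT__APP_ENV
+          value: "{{ .Values.global.app_env }}"
+        # Authentication
+        - name: TRACECAT__AUTH_ALLOWED_DOMAINS
+          value: "{{ join "," .Values.auth.allowed_domains }}"
+        - name: TRACECAT__AUTH_MIN_PASSWORD_LENGTH
+          value: "{{ .Values.auth.min_password_length }}"
+        - name: TRACECAT__AUTH_TYPES
+          value: "{{ template "tracecat.auth.types" }}"
+        - name: TRACECAT__DB_ENCRYPTION_KEY
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.global.secretName }}"
+              key: databaseEncryptionKey
+        - name: TRACECAT__DB_SSLMODE
+          value: "{{ .Values.database.db_sslmode }}"
+        - name: TRACECAT__DB_URI
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.global.secretName }}"
+              key: databaseUri
+        - name: TRACECAT__EXECUTOR_URL
+          value: "http://{{ template "tracecat.services.executor" . }}"
+        - name: TRACECAT__PUBLIC_API_URL
+          value: "{{ template "tracecat.url.public_api_url" . }}"
+        - name: TRACECAT__PUBLIC_APP_URL
+          value: "{{ template "tracecat.url.public_app_url" . }}"
+        - name: TRACECAT__SERVICE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.global.secretName }}"
+              key: serviceKey
+        - name: TRACECAT__SIGNING_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.global.secretName }}"
+              key: signingSecret
+        - name: TRACECAT__TRUSTED_DOCKER_IMAGES
+          value: "{{ join "," .Values.trusted_docker_images }}"
+        {{- if .Values.auth.basic.enabled }}
+        - name: USER_AUTH_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.global.secretName }}"
+              key: userAuthSecret
+        {{- end }}
+        {{- if .Values.auth.google_oauth.enabled }}
+        - name: OAUTH_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.auth.google_oauth.secretName }}"
+              key: oauthClientId
+        - name: OAUTH_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.auth.google_oauth.secretName }}"
+              key: oauthClientSecret
+        {{- end }}
+        {{- if .Values.auth.saml.enabled }}
+        # SAML SSO
+        - name: SAML_IDP_METADATA_URL
+          value: "{{ .Values.auth.saml.idp_metadata_url }}"
+        {{- if .Values.auth.saml.force_saml_enabled }}
+        - name: TRACECAT__SETTING_OVERRIDE_SAML_ENABLED
+          value: "{{ .Values.auth.saml.force_saml_enabled }}"
+        {{- end }}
+        {{- end }}
+        - name: RUN_MIGRATIONS
+          value: "{{ .Values.api.run_migrations }}"
+        # Temporal
+        - name: TEMPORAL__CLUSTER_URL
+          value: "{{ template "tracecat.services.temporal" . }}"
+        - name: TEMPORAL__CLUSTER_QUEUE
+          value: "{{ .Values.temporal.cluster_queue }}"
+        - name: TEMPORAL__CLUSTER_NAMESPACE
+          value: "{{ .Values.temporal.cluster_namespace }}"
+        - name: TEMPORAL__TASK_TIMEOUT
+          value: "{{ .Values.temporal.task_timeout }}"
+        # Remote registry
+        - name: TRACECAT__ALLOWED_GIT_DOMAINS
+          value: "{{ join "," .Values.remote_repository.allowed_domains }}"
+        {{- if (ne .Values.remote_repository.url "") }}
+        - name: TRACECAT__REMOTE_REPOSITORY_PACKAGE_NAME
+          value: "{{ .Values.remote_repository.url }}"
+        {{- end }}
+        {{- if (ne .Values.remote_repository.package_name "") }}
+        - name: TRACECAT__REMOTE_REPOSITORY_URL
+          value: "{{ .Values.remote_repository.package_name }}"
+        {{- end }}
+        ports:
+        - containerPort: 8000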
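Review bot: The two remote-repository env vars at the end of the `env` list are crossed: the entry named `TRACECAT__REMOTE_REPOSITORY_PACKAGE_NAME` is guarded by `ne .Values.remote_repository.url ""` and rendered from `.Values.remote_repository.url`, while `TRACECAT__REMOTE_REPOSITORY_URL` is guarded by and rendered from `package_name`, so each variable receives the other's value. Swapping the two `- name:` lines fixes both the guard and the value at once: `- name: TRACECAT__REMOTE_REPOSITORY_URL` under the `url` check and `- name: TRACECAT__REMOTE_REPOSITORY_PACKAGE_NAME` under the `package_name` check. Two template calls also drop the context argument — `{{ template "tracecat.services.api" }}` for `TRACECAT__API_URL` and `{{ template "tracecat.auth.types" }}` for `TRACECAT__AUTH_TYPES` — so `.Values` inside those helpers is evaluated against a nil dot and rendering should fail; pass `.` as every other call in this file does (for `TRACECAT__API_URL` the existing `tracecat.url.internal_api_url` helper already supplies the `http://` prefix). Finally, `app.kubernetes.io/version: {{ template "chart.version" . }}` is the only label rendered unquoted — twice here and once more in `templates/api/service.yaml` — whereas label values must be strings; quote it like its neighbours.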
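--- a/helm/tracecat/templates/api/service.yaml
+++ b/helm/tracecat/templates/api/service.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Values.api.service.name }}"
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.api.service.annotations }}
+  annotations:
+  {{- range $key, $value := .Values.api.service.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+  labels:
+    app: tracecat
+    chart: "{{ template "chart.fullname" . }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+    app.kubernetes.io/component: api
+    app.kubernetes.io/name: "{{ .Chart.Name }}"
+    app.kubernetes.io/version: {{ template "chart.version" . }}
+  {{- if .Values.api.service.labels }}
+  {{- range $key, $value := .Values.api.service.labels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+spec:
+  selector:
+    app: tracecat
+    app.kubernetes.io/component: api
+  type: ClusterIP
+  ports:
+  - name: tracecat-api
+    port: {{ .Values.api.service.port }}
+    protocol: TCP
+    targetPort: 8000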