🚀 prep for v0.1.2

CHANGELOG.md

@@ -5,10 +5,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.2] - 2023-09-13
+
+### Added
+
+* :rocket: prepare v0.1.1 by @mshade in https://github.com/mshade/kronic/pull/17
+* Feature: Built-in basic auth on backend by @mshade in https://github.com/mshade/kronic/pull/18
+* Removed: ingress-based basic auth by @mshade in https://github.com/mshade/kronic/pull/18
+
+
+**Full Changelog**: https://github.com/mshade/kronic/compare/v0.1.1...v0.1.2
+
 ## [0.1.1] - 2023-09-12
 
 ### Added
 
+* :rocket: prepare v0.1.1 by @mshade in https://github.com/mshade/kronic/pull/17
 * :art: some code cleanup by @mshade in https://github.com/mshade/kronic/pull/10
 * Update dependency pytest to v7.4.2 by @renovate in https://github.com/mshade/kronic/pull/8
 * Update dependency google-auth to v2.23.0 by @renovate in https://github.com/mshade/kronic/pull/11

chart/kronic/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: kronic
 description: Kronic - The simple Kubernetes CronJob Admin UI
 type: application
-version: 0.1.4
-appVersion: "v0.1.1"
+version: 0.1.5
+appVersion: "v0.1.2"
 home: https://github.com/mshade/kronic
 maintainers:
   - name: mshade

chart/kronic/README.md

@@ -4,33 +4,65 @@ Kronic - The simple Kubernetes CronJob Admin UI
 
 **Homepage:** <https://github.com/mshade/kronic>
 
-![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.1](https://img.shields.io/badge/AppVersion-v0.1.1-informational?style=flat-square)
+![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.2](https://img.shields.io/badge/AppVersion-v0.1.2-informational?style=flat-square)
 
 Kronic is in early alpha. It may eat your cronjobs, pods, or even your job.
 Avoid exposing Kronic to untrusted parties or networks.
-In a multi-tenant cluster, ensure a sensible network policy is in place to prevent access to the service from other namespaces.
 
 By default the Kronic helm chart will provide only a `ClusterIP` service. See the [values.yaml](./chart/kronic/values.yaml) for settings,
 most notably the `ingress` section.
 
-> **Warning**
-> Avoid exposing Kronic publicly! The ingress configuration allows for basic authentication, but
-> provides only minimal protection. Ensure you change `ingress.auth.password` from the default if enabled.
-> Best practice would be to use a privately routed ingress class or other network-level protections.
-> You may also provide your own basic auth secret using `ingress.auth.secretName`. See [Ingress docs](https://kubernetes.github.io/ingress-nginx/examples/auth/basic/) on creation.
+## Configuration
+
+Kronic can be limited to a list of namespaces. Specify as a comma separated list in the `KRONIC_ALLOW_NAMESPACES` environment variable.
+The helm chart exposes this option. Example: `env.KRONIC_ALLOW_NAMESPACES='qa,test,dev'`
+
+Kronic also supports a namespaced installation. The `KRONIC_NAMESPACE_ONLY`
+environment variable will limit Kronic to interacting only with CronJobs, Jobs
+and Pods in its own namespace. Enabling this setting in the helm chart values
+(`env.KRONIC_NAMESPACE_ONLY="true"`) will prevent the creation of ClusterRole and
+ClusterRolebinding, using only a namespaced Role and RoleBinding.
+
+### Authentication
+
+Kronic supports HTTP Basic authentication to the backend. It is enabled by default when installed via the helm chart. If no password is specified, the default username is `kronic` and the password is generated randomly.
+A username and password can be set via helm values under `auth.adminUsername` and `auth.adminPassword`, or you may create a Kubernetes secret for the deployment to reference.
+
+To retrieve the randomly generated admin password:
+```
+kubectl --namespace <namespace> get secret <release-name> -ojsonpath="{.data.password}" | base64 -d
+```
+
+To create an admin password secret for use with Kronic:
+```
+kubectl --namespace <namespace> create secret generic custom-password --from-literal=password=<password>
+
+## Tell the helm chart to use this secret:
+helm --namespace <namespace> upgrade kronic kronic/kronic --set auth.existingSecretName=custom-password
+```
 
 ## Installation
 
+A helm chart is available at [./chart/kronic](./chart/kronic/).
+By default the Kronic helm chart will provide only a `ClusterIP` service. See the [values.yaml](./chart/kronic/values.yaml) for settings,
+most notably the `ingress` section.
+
+> **Warning**
+> Avoid exposing Kronic publicly! The default configuration allows for basic authentication, but
+> provides only minimal protection.
+
 To install Kronic as `kronic` in its own namespace:
 
 ```
 helm repo add kronic https://mshade.github.io/kronic/
 helm repo update
 
-# Optionally fetch and customize values file
+# Optionally fetch, then customize values file
 helm show values kronic/kronic > myvalues.yaml
 
-helm install -n kronic --create-namespace kronic kronic/kronic -f myvalues.yaml
+helm install -n kronic --create-namespace kronic kronic/kronic
+
+# See the NOTES output for accessing Kronic and retrieving the initial admin password
 ```
 
 If no ingress is configured (see warning above!), expose Kronic via `kubectl port-forward` and access `localhost:8000` in your browser:
@@ -44,16 +76,16 @@ kubectl -n kronic port-forward deployment/kronic 8000:8000
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Provide scheduling affinity selectors |
+| auth.adminPassword | string | `""` | Specify a password via chart value. Otherwise, randomly generated on first deploy. |
+| auth.adminUsername | string | `"kronic"` | Set the username for auth |
+| auth.enabled | bool | `true` | Enable backend basic auth |
+| auth.existingSecretName | string | `""` | Provide the name of a pre-existing secret containing a data.password: xxx |
 | env.KRONIC_ALLOW_NAMESPACES | string | `""` | Comma separated list of namespaces to allow access to, eg: "staging,qa,example" |
 | env.KRONIC_NAMESPACE_ONLY | string | `""` | Limit Kronic to its own namespace. Set to "true" to enable. |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/mshade/kronic"` |  |
 | image.tag | string | `""` |  |
 | ingress.annotations | object | `{}` | Additional annotations for ingress. Use to configure more advanced auth or controllers other than ingress-nginx |
-| ingress.auth.enabled | bool | `true` | Enable basic auth for ingress-nginx. For other auth types or ingress controllers, annotate manually as needed |
-| ingress.auth.password | string | `"Sup3rS3cr3t"` |  |
-| ingress.auth.secretName | string | `""` | Use a pre-existing secret for basic auth to avoid setting password in helm values |
-| ingress.auth.username | string | `"kronic"` |  |
 | ingress.className | string | `""` | The ingressClassName to use for Kronic. Avoid exposing publicly! |
 | ingress.enabled | bool | `false` | Expose Kronic via Ingress |
 | ingress.hosts | list | `[{"host":"kronic-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]` | the ingress hostname(s) for Kronic |