From b2f151b9a6fb0f85518908cf87826318b903e121 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Wed, 21 Aug 2024 15:59:52 -0500 Subject: [PATCH] kasm-wip -- might have to shelve --- .../apps/default/kasm/app/crontask.yaml | 30 + .../apps/default/kasm/app/externalsecret.yaml | 24 + .../apps/default/kasm/app/helmrelease.yaml | 146 ++ .../apps/default/kasm/app/kustomization.yaml | 11 + kubernetes/apps/default/kasm/app/pvc.yaml | 10 + .../kasm/app/resources/agent.app.config.yml | 82 ++ .../kasm/app/resources/api.app.config.yml | 317 ++++ .../kasm/app/resources/default_properties.yml | 1303 +++++++++++++++++ .../apps/default/kasm/app/resources/init.sql | 3 + .../app/resources/kasmguac.app.config.yml | 33 + kubernetes/apps/default/kasm/ks.yaml | 0 11 files changed, 1959 insertions(+) create mode 100644 kubernetes/apps/default/kasm/app/crontask.yaml create mode 100644 kubernetes/apps/default/kasm/app/externalsecret.yaml create mode 100644 kubernetes/apps/default/kasm/app/helmrelease.yaml create mode 100644 kubernetes/apps/default/kasm/app/kustomization.yaml create mode 100644 kubernetes/apps/default/kasm/app/pvc.yaml create mode 100644 kubernetes/apps/default/kasm/app/resources/agent.app.config.yml create mode 100644 kubernetes/apps/default/kasm/app/resources/api.app.config.yml create mode 100644 kubernetes/apps/default/kasm/app/resources/default_properties.yml create mode 100644 kubernetes/apps/default/kasm/app/resources/init.sql create mode 100644 kubernetes/apps/default/kasm/app/resources/kasmguac.app.config.yml create mode 100644 kubernetes/apps/default/kasm/ks.yaml diff --git a/kubernetes/apps/default/kasm/app/crontask.yaml b/kubernetes/apps/default/kasm/app/crontask.yaml new file mode 100644 index 0000000..44f5b20 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/crontask.yaml @@ -0,0 +1,30 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: kasm-www-update +spec: + template: + spec: + containers: + - name: kasm-www-update + image: docker.io/library/alpine:latest + command: ["/bin/sh", "-c"] + env: + - name: KASM_VERSION + value: "1.15.0.06fdc8" + args: + - > + apk add --no-cache curl; + rm -rf /srv/www/*; + mkdir -p /tmp/kasm_download && + curl -o /tmp/kasm_download/kasm_release.tar.gz https://kasm-static-content.s3.amazonaws.com/kasm_release_${KASM_VERSION}.tar.gz && + tar -xzvf /tmp/kasm_download/kasm_release.tar.gz -C /tmp/kasm_download kasm_release/www/ && + cp -r /tmp/kasm_download/kasm_release/www/* /srv/www/; + volumeMounts: + - name: kasm-www + mountPath: /srv/www + restartPolicy: OnFailure + volumes: + - name: kasm-www + persistentVolumeClaim: + claimName: kasm-www diff --git a/kubernetes/apps/default/kasm/app/externalsecret.yaml b/kubernetes/apps/default/kasm/app/externalsecret.yaml new file mode 100644 index 0000000..8900592 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: kasm +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: kasm-secret + template: + engineVersion: v2 + data: + DB_HOST: "postgres-primary-real.database.svc" + DB_PORT: "5432" + DB_USER: "{{ .KASM_POSTGRES_USER }}" + DB_PASS: "{{ .KASM_POSTGRES_PASSWORD }}" + DB_NAME: "kasm" + DB_USE_SSL: "false" # Whether to enable ssl for database connection + dataFrom: + - extract: + key: kasm diff --git a/kubernetes/apps/default/kasm/app/helmrelease.yaml b/kubernetes/apps/default/kasm/app/helmrelease.yaml new file mode 100644 index 0000000..9a41cf1 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/helmrelease.yaml @@ -0,0 +1,146 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app kasm + namespace: default +spec: + chart: + spec: + chart: app-template + version: 3.3.2 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + strategy: rollback + interval: 30m + values: + controllers: + kasm: + annotations: + reloader.stakater.com/auto: "true" + initContainers: + kasm-www-update: + env: + KASM_VERSION: "1.15.0" + KASM_BUILD: "06fdc8" + KASM_TAR_URL: https://kasm-static-content.s3.amazonaws.com/kasm_release_${KASM_VERSION}.${KASM_BUILD}.tar.gz + image: + repository: alpine + tag: latest + command: + - /bin/sh + - -c + args: + - > + apk add --no-cache curl; + rm -rf /www/*; + mkdir -p /tmp/kasm_download && + curl -o /tmp/kasm_download/kasm_release.tar.gz "${KASM_TAR_URL}" && + tar -xzvf /tmp/kasm_download/kasm_release.tar.gz -C /tmp/kasm_download kasm_release/www/ && + cp -r /tmp/kasm_download/kasm_release/www/* /www/; + install: + image: + repository: kasmweb/api + tag: &version 1.15.0-rolling-alpine + command: + - /usr/bin/kasm_server.so + - --initialize-database + - --cfg + - /opt/kasm/current/conf/app/api.app.config.yaml + - --populate-production + - --seed-file + - /tmp/default_properties.yaml + containers: + manager: + envFrom: + - secretRef: + name: kasm-manager-secret + image: + repository: kasmweb/manager + tag: *version + probes: + liveness: + enabled: true + readiness: + enabled: true + api: + image: + repository: kasmweb/api + tag: *version + probes: + liveness: + enabled: true + readiness: + enabled: true + guac: + image: + repository: kasmweb/kasm-guac + tag: *version + probes: + liveness: + enabled: true + readiness: + enabled: true + + service: + manager: + controller: kasm + ports: + http: + port: &manger-port 80 + api: + controller: kasm + ports: + http: + port: &api-port 80 + ingress: + manager: + className: internal-nginx + hosts: + - host: &host kasm.jahanson.tech + paths: + # - path: / + # service: + # identifier: static + # port: http + - path: /api/ + service: + identifier: api + port: http + - path: /api/admin/ + service: + identifier: api + port: http + - path: /manager_api/ + service: + identifier: manager + port: http + tls: + - hosts: + - *host + persistence: + config: + existingClaim: kasm + globalMounts: + - path: /opt/kasm/current/conf + logs: + type: persistentVolumeClaim + accessMode: ReadWriteOnce + size: 1Gi + globalMounts: + - path: /opt/kasm/current/log + tmp: + type: emptyDir + globalMounts: + - path: /opt/kasm/current/tmp + www: + existingClaim: kasm-www diff --git a/kubernetes/apps/default/kasm/app/kustomization.yaml b/kubernetes/apps/default/kasm/app/kustomization.yaml new file mode 100644 index 0000000..e6a0e97 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./externalsecret.yaml + - ./helmrelease.yaml + - ./pvc.yaml + +generatorOptions: + disableNameSuffixHash: true diff --git a/kubernetes/apps/default/kasm/app/pvc.yaml b/kubernetes/apps/default/kasm/app/pvc.yaml new file mode 100644 index 0000000..2275ec4 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: kasm-www +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/kubernetes/apps/default/kasm/app/resources/agent.app.config.yml b/kubernetes/apps/default/kasm/app/resources/agent.app.config.yml new file mode 100644 index 0000000..8e76886 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/resources/agent.app.config.yml @@ -0,0 +1,82 @@ +agent: + auto_generate_kasm_docker_networks: false + default_host_key: 1234 + disk_usage_limit: 0.90 + docker_async_script_timeout: 900 + docker_port_listen_addr: "localhost" + docker_script_timeout: 180 + forward_logs_to_manager: true + heartbeat_interval: 30000 + images_interval: 3600 + log_container_stats: false + log_heartbeat_data: false + max_concurrent_docker_pulls: 2 + nginx_container_dir: /etc/nginx/conf.d/containers.d/ + persist_config_interval: 100000 + persist_config_updates: true + port: 4444 + provider: hardware + public_hostname: kasm-proxy + public_port: 443 + remove_failed_containers: true + retention_period: 24 + server_id: A0EEBC99-9C0B-4EF8-BB6D-6BB9BD380A11 + starting_nginx_port: 5971 + type: host + validate_images: true +manager: + client_cert: /srv/provision_agent/client_cert.pem + config_path: /manager_api/api/v1/agent_config + heartbeat_path: /manager_api/api/v1/heartbeat + hostnames: ["kasm-proxy"] + images_path: /manager_api/api/v1/images + public_port: 443 + scheme: https + server_cert: /srv/provision_agent/server_cert.pem + token: ImaRsCutMtlKRLMpOiue +logging: + agent: + formatters: + pythonjsonlogger: + (): pythonjsonlogger.jsonlogger.JsonFormatter + fmt: "%(asctime) %(name) %(processName) %(filename) %(funcName) %(levelname) %(lineno) %(module) %(threadName) %(message)" + timestamp: true + standard: + format: "%(asctime)s [%(levelname)s] %(name)s: %(message)s" + handlers: + file_handler: + backupCount: 5 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/agent.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + file_handler_json: + backupCount: 5 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/agent_json.log + formatter: pythonjsonlogger + level: DEBUG + maxBytes: 10485760 + stream: + class: logging.StreamHandler + formatter: standard + level: DEBUG + syslog: + class: logging.handlers.SysLogHandler + formatter: pythonjsonlogger + level: DEBUG + loggers: + "": + handlers: + - stream + - syslog + - file_handler + - file_handler_json + level: DEBUG + propagate: true + tornado: + level: INFO + version: 1 diff --git a/kubernetes/apps/default/kasm/app/resources/api.app.config.yml b/kubernetes/apps/default/kasm/app/resources/api.app.config.yml new file mode 100644 index 0000000..49ed597 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/resources/api.app.config.yml @@ -0,0 +1,317 @@ +database: + name: kasm + username: kasmapp + password: test + host: dbpostgres-primary-real.database.svc + port: 5432 + type: postgres + ssl: true + pool_size: 10 + max_overflow: 20 +redis: + host: dragonfly.database.svc.cluster.local + port: 6379 + redis_password: "" +manager: + manager_id: 00000000-0000-0000-0000-000000000000 + update_timer: 86400 +server: + server_id: 00000000-0000-0000-0000-000000000000 + server_hostname: kasm-proxy + zone_name: default + sanitize_errors: true +share: + share_id: 00000000-0000-0000-0000-000000000000 +logging: + agent: + formatters: + pythonjsonlogger: + (): pythonjsonlogger.jsonlogger.JsonFormatter + fmt: "%(asctime) %(name) %(processName) %(filename) %(funcName) %(levelname) %(lineno) %(module) %(threadName) %(message)" + timestamp: true + standard: + format: "%(asctime)s [%(levelname)s] %(name)s: %(message)s" + handlers: + file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/agent.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + file_handler_json: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/agent_json.log + formatter: pythonjsonlogger + level: DEBUG + maxBytes: 10485760 + stream: + class: logging.StreamHandler + formatter: standard + level: INFO + syslog: + class: logging.handlers.SysLogHandler + formatter: pythonjsonlogger + level: DEBUG + loggers: + "": + handlers: + - stream + - syslog + - file_handler + - file_handler_json + level: DEBUG + propagate: true + version: 1 + kasm_share: + formatters: + pythonjsonlogger: + (): pythonjsonlogger.jsonlogger.JsonFormatter + fmt: "%(asctime) %(name) %(processName) %(filename) %(funcName) %(levelname) %(lineno) %(module) %(threadName) %(message)" + timestamp: true + standard: + format: "%(asctime)s [%(levelname)s] %(name)s: %(message)s" + handlers: + file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/share.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + file_handler_json: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/share_json.log + formatter: pythonjsonlogger + level: DEBUG + maxBytes: 10485760 + stream: + class: logging.StreamHandler + formatter: standard + level: DEBUG + syslog: + class: logging.handlers.SysLogHandler + formatter: pythonjsonlogger + level: DEBUG + loggers: + "": + handlers: + - stream + - syslog + - file_handler + - file_handler_json + level: DEBUG + propagate: true + tornado.application: + level: DEBUG + tornado.access: + level: DEBUG + tornado.general: + level: DEBUG + version: 1 + manager_api_server: + filters: + internal_log_filter: + (): log.handlers.InternalLogFilter + web_filter_log_filter: + (): log.handlers.ExternalLogFilter + application: "kasm_squid_adapter" + formatters: + pythonjsonlogger: + (): pythonjsonlogger.jsonlogger.JsonFormatter + fmt: "%(asctime) %(name) %(processName) %(filename) %(funcName) %(levelname) %(lineno) %(module) %(threadName) %(message)" + timestamp: true + standard: + format: "%(asctime)s [%(levelname)s] %(name)s: %(message)s" + handlers: + file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/manager_api_server.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + filters: [internal_log_filter] + file_handler_json: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/manager_api_server_json.log + formatter: pythonjsonlogger + level: DEBUG + maxBytes: 10485760 + filters: [internal_log_filter] + web_filter_file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/web_filter_access_json.log + level: DEBUG + maxBytes: 10485760 + filters: [web_filter_log_filter] + stream: + class: logging.StreamHandler + formatter: standard + level: INFO + filters: [internal_log_filter] + syslog: + class: logging.handlers.SysLogHandler + formatter: pythonjsonlogger + level: DEBUG + filters: [internal_log_filter] + loggers: + "": + handlers: + - stream + - syslog + - file_handler + - file_handler_json + - web_filter_file_handler + level: DEBUG + propagate: true + __main__.handler: + level: DEBUG + googleapiclient.discovery_cache: + level: ERROR + provider_manager: + level: DEBUG + provider: + level: DEBUG + tornado: + level: INFO + sqlalchemy.pool: + level: WARNING + sqlalchemy.pool.status: + level: WARNING + sqlalchemy.engine: + level: WARNING + sqlalchemy.dialects: + level: WARNING + sqlalchemy.orm: + level: WARNING + botocore: + level: WARNING + azure: + level: WARNING + database_models: + level: INFO + keystoneauth.session: + level: WARNING + novaclient.v2.client: + level: WARNING + version: 1 + api_server: + filters: + request_context_filter: + (): utils.RequestContextFilter + formatters: + pythonjsonlogger: + (): pythonjsonlogger.jsonlogger.JsonFormatter + fmt: "%(asctime) %(name) %(processName) %(filename) %(funcName) %(levelname) %(lineno) %(module) %(threadName) %(message)" + timestamp: true + standard: + format: "%(asctime)s [%(levelname)s] %(name)s: %(message)s" + handlers: + file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/api_server.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + file_handler_json: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/api_server_json.log + formatter: pythonjsonlogger + level: DEBUG + maxBytes: 10485760 + filters: [request_context_filter] + subscription_file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/subscription_api_server.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + admin_file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/admin_api_server.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + client_file_handler: + backupCount: 20 + class: logging.handlers.RotatingFileHandler + encoding: utf8 + filename: /opt/kasm/current/log/client_api_server.log + formatter: standard + level: DEBUG + maxBytes: 10485760 + stream: + class: logging.StreamHandler + formatter: standard + level: DEBUG + syslog: + class: logging.handlers.SysLogHandler + formatter: pythonjsonlogger + level: DEBUG + loggers: + "": + handlers: + - stream + - syslog + - file_handler + - file_handler_json + level: DEBUG + propagate: true + client_api_server: + handlers: + - client_file_handler + admin_api_server: + handlers: + - admin_file_handler + subscription_api_server: + handlers: + - subscription_file_handler + cherrypy.error: + level: INFO + cherrypy.access: + level: INFO + sqlalchemy.pool: + level: WARNING + sqlalchemy.pool.status: + level: WARNING + sqlalchemy.engine: + level: WARNING + sqlalchemy.dialects: + level: WARNING + sqlalchemy.orm: + level: WARNING + requests_oauthlib: + level: INFO + database_models: + level: INFO + googleapiclient.discovery_cache: + level: ERROR + keystoneauth.session: + level: WARNING + novaclient.v2.client: + level: WARNING + botocore: + level: WARNING + azure: + level: WARNING + version: 1 diff --git a/kubernetes/apps/default/kasm/app/resources/default_properties.yml b/kubernetes/apps/default/kasm/app/resources/default_properties.yml new file mode 100644 index 0000000..60f284a --- /dev/null +++ b/kubernetes/apps/default/kasm/app/resources/default_properties.yml @@ -0,0 +1,1303 @@ +alembic_version: 7e0b6092d015 +branding_configs: [] +cast_configs: [] +filter_policies: [] +group_images: [] +group_settings: + - description: Allow audio streaming for a Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:2}" + name: allow_kasm_audio + value: "False" + value_type: bool + - description: Allow microphone passthrough to a Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:3}" + name: allow_kasm_microphone + value: "False" + value_type: bool + - description: Allow gamepad passthrough to a Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:4}" + name: allow_kasm_gamepad + value: "False" + value_type: bool + - description: Allows users to paste text from the Kasm to their local computer. + group_id: null + group_setting_id: "${uuid:group_setting_id:5}" + name: allow_kasm_clipboard_down + value: "False" + value_type: bool + - description: Allows users to copy and paste text without using Kasm control panel. + group_id: null + group_setting_id: "${uuid:group_setting_id:6}" + name: allow_kasm_clipboard_seamless + value: "False" + value_type: bool + - description: Allow users to paste from their local computer to the Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:7}" + name: allow_kasm_clipboard_up + value: "False" + value_type: bool + - description: Allow users to download files from a Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:8}" + name: allow_kasm_downloads + value: "False" + value_type: bool + - description: Allow users to upload files to a Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:9}" + name: allow_kasm_uploads + value: "False" + value_type: bool + - description: Allow webcam passthrough to a Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:55}" + name: allow_kasm_webcam + value: "False" + value_type: bool + - description: Allow the use of persistent profiles if configured on the Kasm Image. + group_id: null + group_setting_id: "${uuid:group_setting_id:10}" + name: allow_persistent_profile + value: "False" + value_type: bool + - description: Allow the user to share access to Kasms with other users. + group_id: null + group_setting_id: "${uuid:group_setting_id:11}" + name: allow_kasm_sharing + value: "False" + value_type: bool + - description: Allow the user to specify the deployment Zone for applicable Images. + group_id: null + group_setting_id: "${uuid:group_setting_id:12}" + name: allow_zone_selection + value: "False" + value_type: bool + - description: + Display detailed errors to the user if the UI experiences an unexpected + error. + group_id: null + group_setting_id: "${uuid:group_setting_id:13}" + name: display_ui_errors + value: "False" + value_type: bool + - description: When enabled, the UI will send log messages to the server. + group_id: null + group_setting_id: "${uuid:group_setting_id:14}" + name: enable_ui_server_logging + value: "True" + value_type: bool + - description: + Expose KASM_USER and KASM_USER_ID environment variables inside the + Kasm. + group_id: null + group_setting_id: "${uuid:group_setting_id:15}" + name: expose_user_environment_vars + value: "False" + value_type: bool + - description: + If configured, the user will be redirected to this URL instead of the + main dashboard. + group_id: null + group_setting_id: "${uuid:group_setting_id:16}" + name: dashboard_redirect + value: "" + value_type: string + - description: + Disconnect the Kasm connection if idle for this long. Time specified + in minutes. + group_id: null + group_setting_id: "${uuid:group_setting_id:17}" + name: idle_disconnect + value: "20" + value_type: float + - description: Automatically inject SSH public and private keys into Kasm sessions. + group_id: null + group_setting_id: "${uuid:group_setting_id:18}" + name: inject_ssh_keys + value: "False" + value_type: bool + - description: Default to audio enabled on Kasm start + group_id: null + group_setting_id: "${uuid:group_setting_id:19}" + name: kasm_audio_default_on + value: "False" + value_type: bool + - description: + The number of seconds a Kasm will stay alive unless a keeplive request + is sent from the client. + group_id: null + group_setting_id: "${uuid:group_setting_id:20}" + name: keepalive_expiration + value: "3600" + value_type: int + - description: The maximum number of simultaneous Kasms a users is allowed to provision. + group_id: null + group_setting_id: "${uuid:group_setting_id:21}" + name: max_kasms_per_user + value: "5" + value_type: int + - description: + Enable webp image compression for compatible browsers. This will increase + server side processing requirements but cut bandwidth by 30 percent. + group_id: null + group_setting_id: "${uuid:group_setting_id:22}" + name: enable_webp + value: "False" + value_type: bool + - description: Specify arbitrary docker run params. + group_id: null + group_setting_id: "${uuid:group_setting_id:23}" + name: run_config + value: "{}" + value_type: json + - description: + Sets the Default image for the /go route. Will automatically provision + this kasm image. + group_id: null + group_setting_id: "${uuid:group_setting_id:24}" + name: default_image + value: "" + value_type: image + - description: + Require two factor authentication for group. Users will be prompted + to set Key on next log on. + group_id: null + group_setting_id: "${uuid:group_setting_id:25}" + name: require_2fa + value: "False" + value_type: bool + - description: If enabled, sessions are limited to the defined value in seconds. + group_id: null + group_setting_id: "${uuid:group_setting_id:26}" + name: session_time_limit + value: "0" + value_type: int + - description: + When enabled, all users that join a shared session will have the ability + to control the session. + group_id: null + group_setting_id: "${uuid:group_setting_id:27}" + name: shared_session_full_control + value: "False" + value_type: bool + - description: + When enabled, Images that have been disabled by the administrator will + be visible to the user. + group_id: null + group_setting_id: "${uuid:group_setting_id:28}" + name: show_disabled_images + value: "False" + value_type: bool + - description: When enabled, a user must be subscribed to a plan to utilize the system. + group_id: null + group_setting_id: "${uuid:group_setting_id:29}" + name: require_subscription + value: "False" + value_type: bool + - description: This message is displayed to the user when an images is currently disabled. + group_id: null + group_setting_id: "${uuid:group_setting_id:30}" + name: disabled_image_message + value: "" + value_type: string + - description: Enable IME mode by default. + group_id: null + group_setting_id: "${uuid:group_setting_id:31}" + name: kasm_ime_mode_default_on + value: "False" + value_type: bool + - description: + "\n \tMap a local server directory to kasm. The format is in\ + \ json. \n \tExample: {\"/data/departments/sales\": {\"bind\": \"/headless/documents/sales\"\ + , \"mode\": \"rw\"} \n \tThis example mounts a directory on the local server,\ + \ /data/department/sales to the container \n \tat the location /shares/sales\ + \ with read and write permissions. \n \tIn order for the user in the Kasm\ + \ to have write permissions on the mount the permissions \n \ton the server\ + \ must allow read, write, execute for ALL users. This is because the \n \ + \ \tuser running inside the Kasm is not a valid user on the server.\n \ + \ \t" + group_id: null + group_setting_id: "${uuid:group_setting_id:32}" + name: volume_mapping + value: "{}" + value_type: json + - description: Sends users directly to kasm using default image after login + group_id: null + group_setting_id: "${uuid:group_setting_id:33}" + name: auto_login_to_kasm + value: "False" + value_type: bool + - description: + The number of chat history messages to show when a new user connects + to a shared Kasm. Set this value to 0 to disable showing chat history. + group_id: null + group_setting_id: "${uuid:group_setting_id:34}" + name: chat_history_messages + value: "0" + value_type: int + - description: + Locks video quality to static resolution of 720p when sharing is enabled. + Recomended for best performance. + group_id: null + group_setting_id: "${uuid:group_setting_id:35}" + name: lock_sharing_video_mode + value: "True" + value_type: bool + - description: + When connected to a session, the client will send a keepalive request + to the server at this interval (defined in seconds) to extend the expiration of + the session. + group_id: null + group_setting_id: "${uuid:group_setting_id:36}" + name: keepalive_interval + value: "300" + value_type: int + - description: + "Enable usage limits for the group. \n Specify a Type, Interval and\ + \ number of Hours to set limit.\n Type is either per_user or per_group. \n Interval\ + \ is one of Daily, Weekly, Monthly, or Total.\n Hours is a positive number of\ + \ hours for the limit cap." + group_id: null + group_setting_id: "${uuid:group_setting_id:37}" + name: usage_limit + value: "{}" + value_type: usage_limit + - description: Sets the Web Filter Policy to be applied. + group_id: null + group_setting_id: "${uuid:group_setting_id:38}" + name: web_filter_policy + value: "" + value_type: filter_policy + - description: Arbitrary metadata for the group. + group_id: null + group_setting_id: "${uuid:group_setting_id:39}" + name: metadata + value: "{}" + value_type: json + - description: + The number of days a password is valid for, after which the user will + be required to change their password. A value of 0 disables password expiration. + group_id: null + group_setting_id: "${uuid:group_setting_id:40}" + name: password_expires + value: "0" + value_type: int + - description: Display delete Kasm session option on the Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:41}" + name: control_panel.show_delete_session + value: "True" + value_type: bool + - description: Display return to workspaces option on the Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:42}" + name: control_panel.show_return_to_workspaces + value: "True" + value_type: bool + - description: Display logout option on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:43}" + name: control_panel.show_logout + value: "True" + value_type: bool + - description: Display fullscreen option on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:44}" + name: control_panel.show_fullscreen + value: "True" + value_type: bool + - description: Display logout option on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:45}" + name: control_panel.show_streaming_quality + value: "True" + value_type: bool + - description: Display prefer local cursor option on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:46}" + name: control_panel.advanced_settings.show_prefer_local_cursor + value: "True" + value_type: bool + - description: Display show keyboard controls on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:47}" + name: control_panel.advanced_settings.show_keyboard_controls + value: "True" + value_type: bool + - description: Display IME input mode on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:48}" + name: control_panel.advanced_settings.show_ime_input_mode + value: "True" + value_type: bool + - description: Display game mode on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:49}" + name: control_panel.advanced_settings.show_game_mode + value: "True" + value_type: bool + - description: Display pointer lock on Kasm session control panel + group_id: null + group_setting_id: "${uuid:group_setting_id:50}" + name: control_panel.advanced_settings.show_pointer_lock + value: "True" + value_type: bool + - description: If enabled, users are allowed to stop their running sessions. + group_id: null + group_setting_id: "${uuid:group_setting_id:51}" + name: allow_kasm_stop + value: "False" + value_type: bool + - description: If enabled, users are allowed to pause their running sessions. + group_id: null + group_setting_id: "${uuid:group_setting_id:52}" + name: allow_kasm_pause + value: "False" + value_type: bool + - description: If enabled, users are allowed to delete their running sessions. + group_id: null + group_setting_id: "${uuid:group_setting_id:53}" + name: allow_kasm_delete + value: "True" + value_type: bool + - description: Specify what action to take when the session keepalive expires for container-based sessions. Valid options are delete, stop, and pause. The selection only applies to container-based sessions. The default for other types is delete. + group_id: null + group_setting_id: "${uuid:group_setting_id:54}" + name: keepalive_expiration_action + value: "delete" + value_type: string + - description: Allow storage mappings defined on/by the user. + group_id: null + group_setting_id: "${uuid:group_setting_id:56}" + name: allow_user_storage_mapping + value: "False" + value_type: bool + - description: The maximum number of user-based storage mappings allowed for each user. + group_id: null + group_setting_id: "${uuid:group_setting_id:57}" + name: max_user_storage_mappings + value: "2" + value_type: int + - description: Require that all user-based storage mappings are read-only. + group_id: null + group_setting_id: "${uuid:group_setting_id:58}" + name: read_only_user_storage_mapping + value: "True" + value_type: bool + - description: Use a valid staged session that has a user/group timezone or language preference that does not match. + group_id: null + group_setting_id: "${uuid:group_setting_id:59}" + name: staged_session_language_and_timezone_preference_override + value: "False" + value_type: bool + - description: Allows users to print documents using their local printers. + group_id: null + group_setting_id: "${uuid:group_setting_id:60}" + name: allow_kasm_printing + value: "False" + value_type: bool + - description: Allows WebAuthn two-factor key authentication for group. + group_id: null + group_setting_id: "${uuid:group_setting_id:61}" + name: allow_webauthn_2fa + value: "True" + value_type: bool + - description: Allows TOTP two-factor key authentication for group. + group_id: null + group_setting_id: "${uuid:group_setting_id:62}" + name: allow_totp_2fa + value: "True" + value_type: bool + - description: Allow users to self enroll two factor devices in the profile settings page when enabled. + group_id: null + group_setting_id: "${uuid:group_setting_id:63}" + name: allow_2fa_self_enrollment + value: "False" + value_type: bool + - description: Create a session recording for all sessions created by users in this group. + group_id: null + group_setting_id: "${uuid:group_setting_id:64}" + name: record_sessions + value: "False" + value_type: bool + - description: When enabled, local users will automatically be added to this group when created and upon each authentication. + group_id: null + group_setting_id: "${uuid:group_setting_id:65}" + name: auto_add_local_users + value: "False" + value_type: bool + - description: Allow audio streaming for a Kasm. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1001}" + name: allow_kasm_audio + value: "True" + value_type: bool + - description: Allow microphone passthrough to a Kasm. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1002}" + name: allow_kasm_microphone + value: "True" + value_type: bool + - description: Allow gamepad passthrough to a Kasm. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1003}" + name: allow_kasm_gamepad + value: "False" + value_type: bool + - description: Allows users to paste text from the Kasm to their local computer. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1004}" + name: allow_kasm_clipboard_down + value: "True" + value_type: bool + - description: Allows users to copy and paste text without using Kasm control panel. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1006}" + name: allow_kasm_clipboard_seamless + value: "True" + value_type: bool + - description: Allow users to paste from their local computer to the Kasm. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1007}" + name: allow_kasm_clipboard_up + value: "True" + value_type: bool + - description: Allow users to download files from a Kasm. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1008}" + name: allow_kasm_downloads + value: "True" + value_type: bool + - description: Allow users to upload files to a Kasm. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1009}" + name: allow_kasm_uploads + value: "True" + value_type: bool + - description: Allow webcam passthrough to a Kasm. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1055}" + name: allow_kasm_webcam + value: "False" + value_type: bool + - description: Allows users to print documents using their local printers. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1060}" + name: allow_kasm_printing + value: "True" + value_type: bool + - description: Allow the use of persistent profiles if configured on the Kasm Image. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1010}" + name: allow_persistent_profile + value: "True" + value_type: bool + - description: Allow the user to share access to Kasms with other users. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1011}" + name: allow_kasm_sharing + value: "True" + value_type: bool + - description: + Disconnect the Kasm connection if idle for this long. Time specified + in minutes. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1012}" + name: idle_disconnect + value: "20" + value_type: float + - description: Default to audio enabled on Kasm start + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1013}" + name: kasm_audio_default_on + value: "True" + value_type: bool + - description: + The number of seconds a Kasm will stay alive unless a keeplive request + is sent from the client. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1014}" + name: keepalive_expiration + value: "3600" + value_type: int + - description: The maximum number of simultaneous Kasms a users is allowed to provision. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1015}" + name: max_kasms_per_user + value: "5" + value_type: int + - description: Display delete Kasm session option on the Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1016}" + name: control_panel.show_delete_session + value: "True" + value_type: bool + - description: Display return to workspaces option on the Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1017}" + name: control_panel.show_return_to_workspaces + value: "True" + value_type: bool + - description: Display logout option on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1018}" + name: control_panel.show_logout + value: "True" + value_type: bool + - description: Display fullscreen option on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1019}" + name: control_panel.show_fullscreen + value: "True" + value_type: bool + - description: Display logout option on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1020}" + name: control_panel.show_streaming_quality + value: "True" + value_type: bool + - description: Display prefer local cursor option on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1021}" + name: control_panel.advanced_settings.show_prefer_local_cursor + value: "True" + value_type: bool + - description: Display show keyboard controls on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1022}" + name: control_panel.advanced_settings.show_keyboard_controls + value: "True" + value_type: bool + - description: Display IME input mode on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1023}" + name: control_panel.advanced_settings.show_ime_input_mode + value: "True" + value_type: bool + - description: Display game mode on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1024}" + name: control_panel.advanced_settings.show_game_mode + value: "True" + value_type: bool + - description: Display pointer lock on Kasm session control panel + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1025}" + name: control_panel.advanced_settings.show_pointer_lock + value: "True" + value_type: bool + - description: If enabled, users are allowed to delete their running sessions. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1026}" + name: allow_kasm_delete + value: "True" + value_type: bool + - description: Specify what action to take when the session keepalive expires for container-based sessions. Valid options are delete, stop, and pause. The selection only applies to container-based sessions. The default for other types is delete. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1027}" + name: keepalive_expiration_action + value: "delete" + value_type: string + - description: Allow storage mappings defined on/by the user. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1028}" + name: allow_user_storage_mapping + value: "True" + value_type: bool + - description: Require that all user-based storage mappings are read-only. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1029}" + name: read_only_user_storage_mapping + value: "False" + value_type: bool + - description: The maximum number of user-based storage mappings allowed for each user. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1030}" + name: max_user_storage_mappings + value: "2" + value_type: int + - description: Allows WebAuthn two-factor key authentication for group. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1031}" + name: allow_webauthn_2fa + value: "True" + value_type: bool + - description: Allows TOTP two-factor key authentication for group. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1032}" + name: allow_totp_2fa + value: "True" + - description: Allow users to self enroll two factor devices in the profile settings page when enabled. + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_setting_id: "${uuid:group_setting_id:1033}" + name: allow_2fa_self_enrollment + value: "True" + value_type: bool + - description: + When enabled, Images that have been disabled by the administator will + be visible to the user. + group_id: "${uuid:group_id:2}" + group_setting_id: "${uuid:group_setting_id:2002}" + name: show_disabled_images + value: "True" + value_type: bool + - description: This message is displayed to the user when an images is currently disabled. + group_id: "${uuid:group_id:2}" + group_setting_id: "${uuid:group_setting_id:2003}" + name: disabled_image_message + value: This image is currently disabled. + value_type: string + - description: If enabled, users are allowed to stop their running sessions + group_id: "${uuid:group_id:2}" + group_setting_id: "${uuid:group_setting_id:2004}" + name: allow_kasm_stop + value: "True" + value_type: bool + - description: If enabled, users are allowed to pause their running sessions + group_id: "${uuid:group_id:2}" + group_setting_id: "${uuid:group_setting_id:2005}" + name: allow_kasm_pause + value: "True" + value_type: bool + - description: Show the display manager, allowing users to add/remove multiple displays + group_id: null + group_setting_id: "${uuid:group_setting_id:2006}" + name: control_panel.show_display_manager + value: "True" + value_type: bool +groups: + - description: null + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + is_system: true + name: All Users + priority: 1000 + program_data: null + - description: null + group_id: "${uuid:group_id:2}" + is_system: true + name: Administrators + priority: 1 + program_data: null +group_permissions: + - group_id: "${uuid:group_id:2}" + group_permission_id: "${uuid:group_permission_id:0001}" + permission_id: 200 + - group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + group_permission_id: "${uuid:group_permission_id:0002}" + permission_id: 100 +images: [] +oidc_configs: [] +registries: + - registry_url: "https://registry.kasmweb.com/" + schema_version: "1.0" + do_auto_update: True +settings: + - category: logging + description: + The logging protocol used, allowed values are internal, https, splunk, + and elasticsearch + name: log_protocol + sanitize: false + services_restart: manager,api + title: Log Protocol + value: internal + value_type: string + - category: logging + description: The port to use for logging communication. + name: log_port + sanitize: false + services_restart: manager,api + title: Log Port + value: "443" + value_type: int + - category: logging + description: + The hostname or IP address of the remote logging server, not applicable + for internal logging. + name: log_host + sanitize: false + services_restart: manager,api + title: Log Host + value: None + value_type: string + - category: logging + description: The Splunk HEC token used for authentication of logs to a Splunk server. + name: hec_token + sanitize: true + services_restart: manager,api + title: Splunk HEC Token + value: None + value_type: password + - category: logging + description: + Set to true if the remote logging server does not have a valid signed + cert by a public certificate authority. + name: https_insecure + sanitize: false + services_restart: manager,api + title: Disable Log Certificate Validation + value: "True" + value_type: bool + - category: logging + description: + HTTP method to use, valid values are post and put. Splunk uses POST + while ElasticSearch API uses PUT + name: http_method + sanitize: false + services_restart: manager,api + title: HTTP Method + value: post + value_type: string + - category: logging + description: + The Splunk endpoint, most likely /service/collector/event. For ElasticSearch + it would be index/_doc/. + name: url_endpoint + sanitize: false + services_restart: manager,api + title: URL Endpoint + value: /services/collector/event + value_type: string + - category: logging + description: + Number of days to retain local Kasm logs. WARNING - See Kasm documentation + before adjusting. + name: log_retention + sanitize: false + services_restart: null + title: Log Retention + value: "7" + value_type: int + - category: logging + description: + Number of hours to retain local Kasm debug logs. WARNING - See Kasm + documentation before adjusting. + name: debug_retention + sanitize: false + services_restart: null + title: Debug Log Retention + value: "4" + value_type: int + - category: logging + description: + When using a remote logging solution like Splunk, minimize local database + logging for better scalability. + name: minimize_local_logging + sanitize: false + services_restart: manager + title: Minimize Local logging + value: "False" + value_type: bool + - category: auth + description: + If configured, anonymous user accounts will be automatically deleted + after this amount of time specified in hours. + name: anonymous_user_expiration + sanitize: false + services_restart: null + title: Anonymous User Expiration (hours) + value: "0" + value_type: float + - category: auth + description: Login notice banner message. + name: notice_message + sanitize: false + services_restart: null + title: Notice Message + value: null + value_type: multiline_string + - category: auth + description: Login notice title. + name: notice_title + sanitize: false + services_restart: null + title: Notice Title + value: Notice + value_type: string + - category: auth + description: + Enables a Login Assitance link on the login page to the entered URL. + Not shown if value is empty. + name: login_assistance + sanitize: false + services_restart: null + title: Login Assistance + value: null + value_type: String + - category: auth + description: + Require client requests to the Kasm for content such as downloads and + uploads to be authenticated with the user's current session token. + name: enable_kasm_auth + sanitize: false + services_restart: null + title: Enable Kasm Authorization + value: "True" + value_type: bool + - category: auth + description: Override the domain used in the Kasm session cookie. + name: kasm_auth_domain + sanitize: false + services_restart: null + title: Kasm Authorization Domain + value: $request_host$ + value_type: string + - category: auth + description: + The number of invalid login attempts before an account is locked out. + This setting only applies to local accounts. + name: max_login_attempts + sanitize: false + services_restart: null + title: Max Login Attempts + value: "5" + value_type: int + - category: auth + description: + Configures the SameSite attribute for the Set-Cookie HTTP response + headers. Valid options are Lax, Strict and None. + name: same_site + sanitize: false + services_restart: api + title: Same Site Cookie Policy + value: Lax + value_type: string + - category: auth + description: The number of seconds a session token is valid for. + name: session_lifetime + sanitize: false + services_restart: null + title: Session Lifetime + value: "288000" + value_type: int + - category: auth + description: + This configures the length of time in seconds the user has to respond to a webauthn + authentication or registration prompt before it expires. + name: webauthn_request_lifetime + sanitize: false + services_restart: api,manager + title: WebAuthn request lifetime (seconds) + value: "900" + value_type: int + - category: auth + description: Private Key used to sign request between Kasm components. + name: api_private_key + sanitize: true + services_restart: null + title: API Private Key + value: "${rsa:1:private}" + value_type: multiline_string + - category: auth + description: Public key used by Kasm components to validate internal API calls. + name: api_public_cert + sanitize: false + services_restart: null + title: API Public Cert + value: "${rsa:1:public}" + value_type: multiline_string + - category: auth + description: Token used to self-register new components to the deployment. + name: registration_token + sanitize: false + services_restart: null + title: Component Registration Token + value: "${random_token:registration_token}" + value_type: password + - category: auth + description: Google reCAPTCHA API URL. + name: google_recaptcha_api_url + sanitize: false + services_restart: null + title: Google reCAPTCHA API URL + value: https://www.google.com/recaptcha/api/siteverify + value_type: string + - category: auth + description: Google reCAPTCHA Private Key. + name: google_recaptcha_priv_key + sanitize: true + services_restart: null + title: Google reCAPTCHA Private Key + value: changeme + value_type: password + - category: auth + description: Google reCAPTCHA Site Key. + name: google_recaptcha_site_key + sanitize: false + services_restart: null + title: Google reCAPTCHA Site Key + value: changeme + value_type: string + - category: auth + description: How many minutes should a TOTP token be allowed to drift. + name: token_drift_max + sanitize: false + services_restart: null + title: Token Drift + value: "1" + value_type: int + - category: manager + description: This Setting will stop the manager from checking for Kasm system updates. + name: update_check + sanitize: false + services_restart: null + title: Update Check + value: "True" + value_type: bool + - category: manager + description: + This setting is used to restrict which versions of the Kasm Agent are + allowed to communicate with the Manager. + name: agent_version + sanitize: false + services_restart: null + title: Agent Version + value: "1" + value_type: string + - category: manager + description: + The number of seconds until the primary manager is considered unavailable. + If other managers are alive one will take over the primary role. + name: primary_manager_timeout + sanitize: false + services_restart: manager + title: Primary Manager Timeout + value: "600" + value_type: int + - category: manager + description: + If set to true, a manager will only reply to agent heartbeats with + a list of managers in the same zone as itself. Otherwise a list of all managers + is given. This allows Agents to failover to managers in other zones. + name: same_zone_reply + sanitize: false + services_restart: manager + title: Same Zone Reply + value: "True" + value_type: bool + - category: manager + description: + An authentication token used in the communication between Kasm Agents + and the Manager API server. + name: token + sanitize: false + services_restart: manager + title: Token + value: "${random_token:manager_token}" + value_type: password + - category: manager + description: + The number of seconds until the manager is considered permantly unavaiable, + at which time the manager record will be removed from the database. A value of + 0 disables the expiration check. + name: manager_expiration + sanitize: false + services_restart: manager + title: Manager Expiration + value: "0" + value_type: int + - category: scale + description: + The number of seconds between the Manager API inspection of existing + Agent, and Kasm availability. + name: guardian_interval + sanitize: false + services_restart: null + title: Guardian Interval + value: "15" + value_type: int + - category: scale + description: + The number of threads the Manager API server uses for teardown and + provision tasks. + name: guardian_provision_threads + sanitize: false + services_restart: null + title: Guardian Provision Threads + value: "10" + value_type: int + - category: scale + description: + The number of seconds since an Agent's last check-in before marking + it as dead. Dead servers are automatically destroyed if they were dynamically + provisioned. + name: host_dead_expiration + sanitize: false + services_restart: null + title: Host Dead Expiration + value: "3600" + value_type: int + - category: scale + description: + The number of seconds since an Agent's last check-in before marking + it as dead. + name: host_missing_expiration + sanitize: false + services_restart: null + title: Host Missing Expiration + value: "600" + value_type: int + - category: scale + description: + Clients regularly send keepalive requests when logged into a Kasm. + This value is the number of seconds a Kasm will remain active after the last keepalive + is received. + name: keepalive_expiration + sanitize: false + services_restart: null + title: Keep Alive Expiration + value: "3600" + value_type: int + - category: scale + description: + The maximum amount of time to wait for auto-scaled VMs to check-in + and become available. After this time is exceeded, the VM is automatically destroyed. + name: provision_timeout + sanitize: false + services_restart: null + title: Provision Timeout + value: "300" + value_type: int + - category: scale + description: Automatically enable an agent when it calls in. + name: auto_agent + sanitize: false + services_restart: null + title: Automatically Enable Agents + value: "False" + value_type: bool + - category: scale + description: + When contacting Agents in a different zone, forward requests through + the alternate Zone's proxy address. + name: forward_inter_zone_agent_requests + sanitize: false + services_restart: null + title: Forward Inter-Zone Agent Requests + value: "False" + value_type: bool + - category: scale + description: + If the system is interrupted or errors during AutoScaling a server can be partially provisioned and + the system may lose track of the server orphaning it. This consumes resources that the system cannot provision on. + Enabling this setting allows the system to use heuristics to find and destroy orphaned resources. + name: cleanup_orphaned_autoscale_servers + sanitize: false + services_restart: null + title: Cleanup Orphaned AutoScale Servers + value: "True" + value_type: bool + - category: images + description: Automatically add images to default group when new images are added. + name: add_images_to_default_group + sanitize: false + services_restart: null + title: Add Images to Default Group + value: "True" + value_type: bool + - category: images + description: + Sets the default cpu allocation strategy for container images. Valid + options are Quotas or Shares. + name: default_cpu_allocation_method + sanitize: false + services_restart: null + title: Default CPU Allocation Method + value: Shares + value_type: string + - category: theme + description: Url used to specify the background image for the launcher. + name: launcher_background_url + sanitize: false + services_restart: null + title: Launcher Background URL + value: img/backgrounds/background1.jpg + value_type: string + - category: web_filter + description: Url used to updated the Web Filter Categorization database + name: web_filter_update_url + sanitize: false + services_restart: api + title: Web Filter Update URL + value: https://filter.kasmweb.com + value_type: string + - category: licensing + description: The URL to the Kasm Licensing Server. + name: license_server_url + sanitize: false + services_restart: null + title: License Server URL + value: https://license.kasmweb.com + value_type: string + - category: connections + description: Default connection settings for VM RDP sessions. + name: default_vm_rdp_connection_settings + sanitize: false + services_restart: api + title: Default VM RDP Connection Settings + value: + "{\n \"guac\": {\n \"type\": \"rdp\",\n \"settings\": {\n \"\ + security\": \"any\",\n \"ignore-cert\": true,\n \"enable-font-smoothing\"\ + : true,\n \"enable-wallpaper\": true,\n \"enable-theming\": true,\n\ + \ \"enable-full-window-drag\": false,\n \"enable-menu-animations\":\ + \ false,\n \"resize-method\": \"display-update\",\n \"server-layout\"\ + : \"en-us-qwerty\",\n \"printer-name\": \"Kasm\"\n }\n },\n \"kasm_svc\": {\n \"port\": 4902\n }\n\ + }\n" + value_type: json + - category: connections + description: Default connection settings for VM VNC sessions. + name: default_vm_vnc_connection_settings + sanitize: false + services_restart: api + title: Default VM VNC Connection Settings + value: + "{\n \"guac\": {\n \"type\": \"vnc\",\n \"settings\": {\n \"\ + autoretry\": 5,\n \"color_depth\": 32\n }\n }\n}\n" + value_type: json + - category: connections + description: Default connection settings for VM SSH sessions. + name: default_vm_ssh_connection_settings + sanitize: false + services_restart: api + title: Default VM SSH Connection Settings + value: + "{\n \"guac\": {\n \"type\": \"ssh\",\n \"settings\": {\n \"\ + font-size\": \"11\",\n \"color-scheme\": \"gray-black\",\n \"font-name\"\ + : \"monospace\",\n \"scrollback\": \"1000\"\n }\n }\n}" + value_type: json + - category: storage + description: The object storage (S3) access key ID for S3-based persistent profiles + name: object_storage_key + sanitize: false + services_restart: api + title: Object Storage Access Key ID + value: null + value_type: string + - category: storage + description: The object storage (S3) access key secret for S3-based persistent profiles + name: object_storage_secret + sanitize: true + services_restart: api + title: Object Storage Access Key Secret + value: null + value_type: password + - category: session_recording + description: Framerate for session recording, changes how many frames (or screen captures) are taken per second. + name: session_recording_framerate + title: Session Recording Framerate + sanitize: false + services_restart: null + value: 2 + value_type: int + - category: session_recording + description: Width for session recording, the number of pixels in width the recording will be (larger numbers give more detail). + name: session_recording_res_width + title: Session Recording Width + sanitize: false + services_restart: null + value: 720 + value_type: int + - category: session_recording + description: Height for session recording, the number of pixels in height the recording will be (larger numbers give more detail). + name: session_recording_res_height + title: Session Recording Height + sanitize: false + services_restart: null + value: 480 + value_type: int + - category: session_recording + description: Bitrate for session recording (in Mbps), affects the quality of the recording. + name: session_recording_bitrate + title: Session Recording Bitrate + sanitize: false + services_restart: null + value: 8 + value_type: int + - category: session_recording + description: Queue length for session recording, how many recording clips are being processed and uploaded at once. Applies to RDP, VNC, and SSH sessions. + name: session_recording_queue_length + title: Session Recording Queue Length + sanitize: false + services_restart: null + value: 2 + value_type: int + - category: session_recording + description: Retention period (in hours) for session recording, how long the connection proxy will continue to try and upload session recording clips that fail to upload. Applies to RDP, VNC, and SSH sessions. + name: session_recording_retention_period + title: Session Recording Retention Period + sanitize: false + services_restart: null + value: 24 + value_type: int + - category: session_recording + description: Upload location for session recording, this should be an s3 bucket, with a folder path that ends is a filename with the .mp4 extension. A range of variable substitutions are available, check the Kasm documentation for details. + name: session_recording_upload_location + title: Session Recording Upload Location + sanitize: false + services_restart: null + value: null + value_type: string + - category: session_recording + description: Object storage (S3) access key ID. This ID is specific for session recording purposes. + name: recording_object_storage_key + title: Object Storage Access Key ID + sanitize: false + services_restart: null + value: null + value_type: string + - category: session_recording + description: Object Storage Access Key Secret. This secret is specific for session recording purposes. + name: recording_object_storage_secret + title: Object Storage Access Key Secret + sanitize: true + services_restart: null + value: null + value_type: password + - category: session_recording + description: The disk storage limit for RDP, VNC, and SSH sessions in percentage of consumed disk space before session recording will not function. + name: session_recording_guac_disk_limit + title: Disk Usage Limit for Session Recordings + sanitize: false + services_restart: null + value: 0.90 + value_type: float +staging_configs: [] +users: + - created: "${datetime:utcnow}" + password_set_date: "${datetime:utcnow}" + pw_hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + realm: local + salt: "${uuid:user_salt:1}" + user_id: "${uuid:user_id:1}" + username: admin@kasm.local + - created: "${datetime:utcnow}" + password_set_date: "${datetime:utcnow}" + pw_hash: ef812e6cd523e95742921d31bd61856c62a14d76b03d422bc528f0fe37c8187d + realm: local + salt: "${uuid:user_salt:2}" + user_id: "${uuid:user_id:2}" + username: user@kasm.local +user_groups: + - user_id: "${uuid:user_id:1}" + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 + - user_id: "${uuid:user_id:1}" + group_id: "${uuid:group_id:2}" + - user_id: "${uuid:user_id:2}" + group_id: 68d557ac-4cac-42cc-a9f3-1c7c853de0f3 +zones: + - allow_origin_domain: $request_host$ + load_strategy: least_load + primary_manager_id: null + prioritize_static_agents: true + proxy_connections: true + proxy_hostname: $request_host$ + proxy_path: desktop + proxy_port: 443 + search_alternate_zones: true + upstream_auth_address: $request_host$ + zone_id: "${uuid:zone_id:1}" + zone_name: default diff --git a/kubernetes/apps/default/kasm/app/resources/init.sql b/kubernetes/apps/default/kasm/app/resources/init.sql new file mode 100644 index 0000000..ba07cc3 --- /dev/null +++ b/kubernetes/apps/default/kasm/app/resources/init.sql @@ -0,0 +1,3 @@ +\c kasm\\ +CREATE EXTENSION IF NOT EXISTS "uuid-ossp" WITH SCHEMA public; +COMMENT ON EXTENSION "uuid-ossp" IS 'generate universally unique identifiers (UUIDs)'; diff --git a/kubernetes/apps/default/kasm/app/resources/kasmguac.app.config.yml b/kubernetes/apps/default/kasm/app/resources/kasmguac.app.config.yml new file mode 100644 index 0000000..cbc24db --- /dev/null +++ b/kubernetes/apps/default/kasm/app/resources/kasmguac.app.config.yml @@ -0,0 +1,33 @@ +kasmguac: + cluster_size: CLUSTER_SIZE + id: 00000000-0000-0000-0000-000000000000 + kasm_delete_session_watch_interval: 60 + port: 3000 + registration_token: REGISTRATION_TOKEN + server_address: SERVER_ADDRESS + server_port: SERVER_PORT + zone: ZONE + recording: + default_width: 1920 + default_height: 1080 + default_framerate: 12 + default_bitrate: 8 + retention_period_in_hours: 24 + encoding_queue_size: 2 + processing_interval: 30 + processing_cutoff: 30 + summary_interval: 300 + summary_include_intial_logs: true + logging: + errorEventName: error + logDirectory: /opt/kasm/current/log/ + fileNamePattern: kasmguac-.log + dateFormat: YYYY.MM.DD + timestampFormat: YYYY-MM-DD HH:mm:ss.SSS +api: + hostnames: ["kasm-proxy"] + port: 443 + auth_token: JWTTOKEN + allow_self_signed_cert: true + hostname_refresh_interval: 30 + public_jwt_cert: PUBLICCERT diff --git a/kubernetes/apps/default/kasm/ks.yaml b/kubernetes/apps/default/kasm/ks.yaml new file mode 100644 index 0000000..e69de29